*****************************************************************************************************
This is always a work in progress. Check back, and there might be new things.
Last updated: 8/12/2021
*****************************************************************************************************

The Super Happy ThoughtPhreaker Guide to Identifying North American Phone Switches!
[don't laugh! It's a working title! xD]

Whether you're just bored and looking for some trivia, want to learn how to identify a switch from a mile away, or just want to obsess and compulse over tiny details, get comfortable! One of the things that makes phreaking way more fun is being able to know exactly what equipment you're hitting, and this textfile is stuffed to the brim with plenty of crap to let you do just that. So, er, enjoy!

****************************************
A note about the numbers that just ring:
****************************************

One of the best kept, hiding in plain view secrets of the modern phone switch is that no two model types ring alike. The difference is pretty simple; when the ring is generated, something (probably a DSP chip) is looping a pre-rendered waveform with ringback on it. These loops are all slightly different in tiny little ways; some are shorter, some are smoother sounding, and so on. So while it might sound absolutely insane, with a little practice you can be the guy who squeezes blood from rocks at a party! Er, well, if you go to the sort of parties where people talk about phone switches.

Before we start, just make sure you're using a decent phone. If you're using something like a DECT phone that compresses the call as ADPCM, that's fine. A basic WECo desk phone on a POTS line in a quiet room or something that sounds equally good is probably the best starting point, though. Linear predictive codecs, such as the ones cell phones/Skype/etc use, take out way too much data to be useful.
Things like Google Voice like to superimpose fake ring over unsupervised audio (though JCSwishman has noticed the mobile Hangouts dialer doesn't do this. The drawback though, is they use some weird codec to compress the call with this client), and since most rings don't go offhook, obviously that's out for this sort of technique as well.

With that out of the way, let's start with an example that you'll probably come across a lot; 5ESSes and DMS-100s. These are actually two of the easiest to tell apart, coincidentally. Nice how these things work out. So go ahead and call 202-986-9992. If you're like the other phreak I gave this to, your first question is probably "Uhh, is this a queue recording or a porno?". By the time you're done asking yourself that, the recording will probably have stopped, and you'll be sitting on a trunk that just plays ring forever. Get a good sense for what it sounds like; 5ESS ring is really smooth sounding - there's no clear noise it makes when it loops, but the phase of the ring slowly changes, like a warbly tape. If it helps, don't just hold the receiver flush against your ear; with one end of the earpiece resting against your ear, let the other end fall (the left part if you were to hold it straight up, facing you) ever so slightly so there's a gap shaped like this between your ear and the receiver: |/ . Or if you're a little fuzzy on what I mean, just pull it half an inch away from your ear or something.

Sounds good? Great! Now try calling one of the DMS-100 ringout numbers. Unlike the 5ESS, whenever the sample loops, you can very clearly hear it repeating over and over. I don't think there's a lot of ways to describe different rings, but the audible looping gives it a very rough sound when you're comparing it.

Some rings, like the AXE-10's, are so distinct sounding that it's almost cheating to compare it to anything. Then there's the Redcoms, the DMS-10, and type two EWSD. Actually, try calling them right now.
Really tough to tell apart, aren't they? Don't feel too bad - I have trouble with these too sometimes. If you're ever in a position to call them frequently (I'd say scan, but they typically don't ring to error recordings. Maybe pick an exchange with weird stuff on a lot of analog lines if you know of one), it'll make it much easier.

******
5ESS
******

The result of twenty years and 100 million lines of source code, the 5ESS is Western Electric's take on a digital switch. Though it wasn't always this way, the 5ESS in its current state seems to have an answer for everything; most of my experiences trying to give the 5ESS some form of unorthodox input seem to end with it giving the most normal possible responses. This contrasts starkly with the DMS-100, which seems to love behaving strangely at any given opportunity. In all fairness, the DMS-100 also has been explored far more thoroughly.

* 5ESS line cards are pretty distinct sounding. They'll make weird noises whenever you go offhook, have a slightly higher noise floor than most line cards, and a very strange frequency response. This doesn't necessarily apply if you're using a line served out of a channel bank or something, but the line cards can give a very different experience on the phone network sometimes. According to Aloha, the noises are a result of the 5ESS setting up a link through an analog switching fabric. Though the 5ESS is a digital switch, an analog cross point switch is used to connect your line to a codec instead of having one permanently associated with your line.
* Supports revertive pulse trunks, a signaling system designed in the twenties to directly drive DC motors in Panel switches. To this day, the reports on a ROP (read only printer) include a spot for the number of revertive pulse calls placed on the switch, in spite of the hardware to do this probably only existing in a dust-covered box near some of the oldest 5Es, having not even existed until the twilight days of these systems.
* Supports both drum and AIS-style announcements, but the vast majority use drum-style. For that reason, you'll see some very strange arrangements sometimes. AT&T CLEC/Teleport for example, rolled out APMaxes for their 5Es, but configured them in drum mode (they also have Cognitronics MCIASes in AIS mode, so they definitely know how to do it). This is the only place in the network where you'll hear error messages ring for an absurdly long time (with TTYs, the recording is pretty long) before starting up.
* If you make a large number of unsuccessful call attempts (can be something as simple as just picking up and hanging up, but partial dial works too), it'll pull your line out of service for 100 seconds, and if you're not on loop carrier, remove power from your line as well. Assuming you don't have voicemail, the 5ESS will spit back an unusual SS7 disconnect message at anyone calling you under this condition. Use your best judgement with this; the switch will print a message on the console saying your line is having trouble if you do it. Probably not an issue, but a responsible operating company (read: none of them) might call you and ask if everything is okay if it happens multiple times.
* Has an unusually large, 16-bit internal frame size on its TDM bus; the most significant eight bits are the content from the corresponding channel (digitized output from a POTS line/a T1 timeslot/etc), followed by four signaling bits (likely meant to transparently send the A/B/C/D bits associated with E1s and ESF-framed T1s; D4 framing only contains A and B bits), a supervisory (off-hook/on-hook) bit, a TMS buffer bit, followed by framing and parity.
* With the exception of the VCDX, which emulates the administration module on a SPARC machine, the 5ESS has become perhaps the champion of custom architectures, being the last known switch to use a custom CPU for any components.
In this case, the administration module - largely a terminal to manage the switching and communication modules (though some systems use it for SS7 as well) runs on a 3B21D, utilizing the bizarre WE32100 processor.
* Earlier switching modules - largely what you interact with at dialtone - are based on Motorola 68K processors. Newer SMs were redesigned to use PowerPC CPUs, and support a greatly expanded capacity.
* Some 5ESSes will terminate a call immediately if it sees the slightest blip of on-hook supervision from a trunk - like for example, the Redcom supe test later in this article. Strangely, using a vertical service code like *67 will make it wait a bit longer for off-hook supervision before deciding it should tear down the call.
* Known to, at least in one specific instance, drop you directly onto the trunk to an ANAC with nothing dialed! You can feed it MFs. Try KP + 3 (other digits get more interesting behavior) + 7 digits + ST. I've seen another 5ESS (the Teleport one in Omaha specifically, OMAHNEXODS0) exhibit this behavior too.
* Was known in early generics to have some very amusing bugs; one allowed you to cause an ANI fail on outgoing calls, another let you "service observe" someone's line by creating a notest trunk via a management terminal, and forwarding it to a victim.
* Allows you to mix touchtone and rotary dialing on the same call, but once you start rotary dialing it'll lose its ability to hear * and #. For example, if you dial 1167 with mixed tone/pulse, they won't even break the new dialtone.
* Gives short burst of dialtone after dialing a rotary digit, but ONLY after dialing a vertical service code. Straight from the dialtone, there's no burst.
* Some RBOC 5ESSes (mostly non-ex-US West ones) allow you to originate calls onto the 0110 carrier access code, a workaround code that places calls onto the trunk group for local calls. RBOC DMS-100s on the other hand, never, ever do this.
* Seemingly incapable of giving any sort of DISA to anyone outside the switch without external hardware. This changes the dynamics of things you'll find in the wild when hand scanning a 5ESS.
* While this is far rarer than on a DMS-100, some 5ESSes can enter a condition that resets you back to dialtone without hanging up. Most switches in incumbent AT&T regions will demonstrate this behavior with a CAC + 0-710 and any seven digits. For example, 101-0288-0-710-222-2222. A strange recording from hardware that doesn't typically play announcements on that switch should start up. In theory, resetting to dialtone without hanging up is a really serious security hole when dealing with PBXes, COCOTs or other things that're supposed to log/restrict/bill/whatever calls that go out on POTS lines. And on a DMS-100, it is since there's nothing to tell whatever sits on the phone line that the call is done. Unfortunately for anyone fixing to do some security "audits" (the 0+ example call should be programmed as free in most things), the 5ESS pulls battery on its lines for a second before giving you dialtone again. Anything listening for that (and not everything is) will accurately see the interruption in loop current as the end of the call.

Remote call forwarding prompt: 608-819-0018
Ringout via some sort of call queue script: 202-986-9992
ANAC trunk, goes offhook and waits for MFs: 503-697-0053
Something to do with ANAC? Gives high tone (480 hz) if call comes in via external trunk, quickly heads to reorder: 813-386-9170

*************************
DMS-100/200/250/300/500
*************************

One of the most popular switches in the US and Canada, this thing was Nortel's love child for pretty much the company's entire existence. As a consequence, it holds the title of being not just one of the most feature packed, but one of the funnest to play with - or maybe just the most explored.
Though it's been around for decades, the DMS-100 hardware has evolved considerably since it was first made. For example, the original processor was something Nortel (Northern Electric at the time) concocted themselves; an NT-40 core made out of discrete logic chips, also used in their SP-1 processor controlled crossbar switch. In the 1980s, they ported the software to a redundant pair of 68000s. By the next decade, that became a pair of 88000s. Finally, around 2000, the new processor cards began operating with three PowerPC 604s (XA-Core as they call it for some reason) and only contain a single spare, with a final evolution to G4 chips not long after.

So why all the different names, you might ask? Marketing mostly; they're all DMS-100 family switches with software to do different things. 100 is an end office, 200 is a local tandem, 250 a toll tandem, 300 an international gateway, and 500 combination end office/toll tandem.

* Supports revertive pulse trunks
* EDRAMs. What the hell is an EDRAM, you ask? The EDRAM is Nortel's crazy announcement machine, or Enhanced Digital Recorded Announcement Machine as they call it. As far as underground (or just plain questionable) telephone scientists can determine, Nortel went out of their way to make their own ADPCM format for these things. Information, as well as the stock announcement set (complete with Nortel's weird container format) are available in random places on the internet. These are an evolution of the DRAM, which perform more or less the same function, but have lower capacity and took up a whole shelf instead of a single card.
* Ringout conference bridges (internally called MMCONF)
* Able to give DISA dialtone via software! This is very frequently used to give remote access to centrex and other non-standard dialplans, along with other goodies in test ranges. Being done in software, people who set these up tend to forget about them once they're there.
* In cases where the switch is bridging together multiple calls, such as three-way or an MMCONF, the DMS-100 uses some sort of secondary, different sounding source for all its tones. It's still not known why this is, or where the primary or secondary tone sources are coming from. The DRAM/EDRAM cards are capable of generating some of them however, such as milliwatt and off-hook. The off-hook tone's susceptibility to this has been confirmed, but other DRAM generated tones such as SITs don't seem to be affected by this. Maybe the DRAM is the secondary source? Very old offices had actual hardware oscillators on a card for offhook/milliwatt/etc. While these are rarely if ever still in use, a DMS still using these cards could potentially answer this.
* Some offices will occasionally have very strange sounding reorders
* Some lines on some switches will make a soft tick sound when the switch stops waiting for digits, and starts processing a call. No correlation is known yet, but I think this may only be done on lines using loop carrier arrangements. Newer generation DMSes possibly don't do this altogether?
* Late in its development life, Nortel wound up porting the Linux kernel to the DMS-100
* Internally, the system likes to send data in a format called DS-30 and DS-512. Basically, just a lopsided E-carrier format (E1 and E3) that uses 10-bit frames instead of the traditional 8-bit ones. The first and 16th channel of a DS-30, like an E1, are reserved for signaling purposes. The eight most significant bits are passed transparently from the source channel, while the last is used to indicate parity, and the second to last supervision on every 6th frame conversion.
* On analog E&M trunks (namely the one your ANAC is on if it doesn't just read off digits with the EDRAM), you can flash at just the right time, flash back, and hold the unit up indefinitely
* As a consequence of possibly the exact same bug, you can stop another caller from flashing on intra-office calls by flashing; the other line won't be able to use it until you return to its call. Great for centrex auto-attendants? Some ex-GTE regions (most notably, parts of Ziply and Frontier territory) run voicemail on a uReach Oryx system sitting on analog centrex lines. Unsurprisingly, in almost all cases except a few in Florida, it flashes when it transfers you to something. How the system reacts to this is a question I'm itching to answer.
* Some (most notably, historically independent DMS-100s, like the ones operated by United Telephone, Alltel, GTE, etcetera. Ex-Bell switches typically won't do this) have dialplan errors; they'll let you dial 0xx and 1xx codes, nine digit numbers and other weird things if a CAC is put in front of the destination. For example, 101-0288-1-208-038-1152 will go through, but 1-208-038-1152 gets an error recording. In that particular case, while 0288/AT&T is capable of routing 0xx traffic, you'll probably just get a recording from a tandem switch instead from a normal phone line (the Bell Canada network will put up with this behavior just fine - use that to your advantage if you can). If your DMS is cool enough to allow this, there's ways to use that to your advantage, but that's a whole other topic.
* Pacific Bell, and possibly Nevada Bell DMSes are set up in a particularly funny way; if you dial * as one of the last three digits, it'll stop in the middle of the intercept recording, and give you reorder. Alternatively, if it's generating SIT tones (the EDRAM units loop uLaw PCM samples to do this instead of play ADPCM) or a reorder when it stops, you'll just go to dead silence.
* Always has a burst of dialtone after dialing the first rotary digit
* Some SS7 disconnect messages have q.850 cause codes that make most DMS-100s reset back to dialtone. If the number listed at the bottom doesn't work for you on the first time, try it again; on some offices, the likelihood of working is less than others for whatever reason; it might have something to do with the hardware handling the call.
* Standard busy/reorder always go for exactly 30/60 impulses
* Occasionally you'll run across a DMS that for whatever reason, has a different pitch in its reorder tone, but also weird timing.
* Will often, but not always send back an all circuits busy message via SS7 when disconnecting after a recording. Some long distance carriers respond to this by assuming the route is busy, and if there are any, cycling through to the next route in the least cost routing list. Though it's definitely not sending an all circuits busy message back, a switch in Washington, DC will send something just as strange after playing three bursts of dialtone.
* Like the CS-2000, has I/O processors capable of encapsulating data over ATM delivered via OC-3 links
* DMS-100 call forwarding translations are quite literal; for example, if 1-958 and your last seven digits will forward you to the ringback program, calling your own number will still get it for you. Consequently, this means other good fun can be had though; if you have a silent switchman test (plays a distinct tone - in the case of a DMS, a slow busy tone, and then pulls your line out of service temporarily) on a seven digit number, you can forward your calls to that, and anybody on the same switch calling you _will_ get their line yanked for 100 seconds. Sadly, this behavior only lasts until the DMS-100 releases your line from the great void. Perhaps even better though, selective call forwarding can be established on a permanent basis to these things.
And it'll still give your phone a single ring to inform you when someone has been unfortunate enough to have taken the bait.
* Flashing during SIT tone generation on your local switch (even when you have another call ready to be three-wayed in) WILL make it dump all your calls.
* Flashing during some local announcements, even if you have a line without three-way calling (it usually won't let you get a stutter dialtone at all if this is the case. Some DMSes only allow this without three-way when dealing with certain cause codes when a call releases), will get you a stutter dialtone you can't get rid of. Not much is known about this exception, but vertical service codes (*67, *82, etc) never, ever work on it. With a little further observation, this looks to be a completely separate dialplan! The most obvious thing to indicate this is on resold lines; resold POTS on AT&T switches are locked down in a way that prevents people from using ringback for whatever reason. When on the mysterious stutter dialtone, this restriction goes away!
* Many SBC-derived DMS-100s are programmed to reset to dialtone when 101-9017-0 is called. 9017 is a workaround CAC similar to 0110 on some switches; any calls originated using this will only go over the local network.

DMS-500 with 480 hertz reorder: 702-310-0012
DMS-100 with weird reorder timing: 303-781-0008, 336-789-0000
MMCONF bridge/ringing number: 510-940-0102
Remote call forwarding prompt: 707-539-0099
Custom IVR: 414-227-0033 (if you press nothing, it'll give you an electromechanical low tone recording)
Unknown, but consistently on DMS-100s: 415-622-0000. Some noises will make this circuit go offhook. For whatever reason, this only accepts one simultaneous call.
Unknown: 386-364-1103
No audio, immediately sends dialtone resettable SS7 disconnect message back: 866-202-9985
DISA dialtone: 212-889-9998 (NY Metro centrex)
EDRAM announcement, disconnects w/all circuits busy SS7 message: 434-975-9999
EDRAM generated milliwatt: 801-578-0012 (normally milliwatts are as interesting as dry paint, but one of the EDRAM cards on this switch mixed up its offhook and milliwatt tone samples. Give it a call a few times for ear-piercing lulz)
Three bursts of dialtone, and unknown (47?/resource unavailable, unspecified) SS7 disconnect reason: 202-484-0000 (this makes sketchy long distance routes act really weirdly)

*****
DCO
*****

* The red headed step child of the switching world; there's really no other way to put it. Siemens bought it, discontinued it in the early nineties as an end office (it survived a little longer in production as a long distance switch), and gave the EWSD the capability to interface with DCO line frames and remotes. Genband bought the DCO and EWSD designs, and made their softswitches do the same thing!
* To this day, the maintenance processor for every DCO in the network is a DEC LSI-11, as were the original call processors for the system. As a result, Siemens kept an original PDP-11/70 in service for software development until 2000 before replacing it with a Mentec clone. At some point, newer call processors (as in, the ones you get when you pick up your phone rather than hit a key on the switch's serial consoles) were ported to a more recent hardware architecture. Given the lifespan of telecom gear, it's likely that in some parts of the US, you can pick up your phone and still get a PDP-11 at the other end.
* Won't support GR-303 loop carrier without a third party add-on
* Early incarnations supported the strange coin detect feature the ESC used without pulling line current. For whatever reason, this was dropped later in its life.
* Commonly (almost exclusively) does AIS-style announcements.
* There's two different models of DCO; CS (toll tandem) and SE (Small Exchange). Both are relatively low capacity switches, so for that reason, you'll most likely find the DCO-SE when you're wandering around the very rural parts of ex-Contel/GTE territory. As for the CS, a lot of small long distance carriers bought these in the nineties. If you can dig up some small toll providers, they might still be using them.
* DCOs have a stutter dialtone with six bursts of dialtone instead of three.
* Has a tone used for confirmation/partyline ringback/etc consisting of short, 100 millisecond pulses of high tone. No other switch type seems to use this.
* When pulsing your first rotary digit, there's no burst of dialtone when you're done.
* Completely ignores fourth column (A, B, C, D) tones
* Much like when dialing with the switch's predecessor - the ESC - dialing * in certain places lends itself to odd circumstances. As the final digit of a CAC+0 call (as in, say, 101-0288-0-212-555-121*. It's important that it be the last digit), it appears to put the call through! What it's sending isn't entirely clear. In SS7, a destination phone number is sent using binary coded decimal, as opposed to plain ASCII in ISDN-derived protocols, so the only possible combinations to send are 0 through 9 and A through F. With a * as the final digit of a local call, strange recordings will occasionally play, such as permanent signal (if you'd like to make a call..., etc).
* Like the GTD-5, its processing of the # key isn't entirely clear. For example, 101-0288-0# won't tell a DCO to stop waiting for digits and to put the call through. Instead, it generally seems to keep waiting for digits, as if considering it part of the destination. Unfortunately, this makes CAC + # (as in, just the carrier access code; no called party number) impossible to call, severely limiting some fun things that can be done with long distance tandems.
* Flash behavior on coin (and possibly home) phones isn't entirely clear either. For example, on a CO-controlled coin line, flashing after the switch releases a call will make it send coin return voltage, but only keep someone on silence.
* Really hard to find! Playing with a DCO up close is a rewarding experience for anyone keen on introducing unorthodox input into the phone network. Considering many of them only serve far-flung rural areas, this requires planning, the willingness to drive a considerable distance, and the ability to find a payphone once you get there. Streetview is your friend, kids...

Ringing number: 337-666-9009 (CNAM returns CENTURYLINK; likely unused pair in the central office)
Remote call forwarding prompt: 218-834-9934 (ETC Digicept providing voice samples)

******
EWSD
******

* Outside the US, the EWSD, Siemens' pride and joy, is everywhere - from Argentina to Iran. Inside the US? It just comes up here and there. What it's like depends pretty heavily on who runs it, though. AT&T has trouble understanding how to run it, and it's occasionally poked at by their techs for that reason. In any case, their dialplans aren't exactly bulletproof. Verizon tends to be a little better about dialplans (some of them even have custom prompts on their Cognitronics machines!), but they have their own weirdness; in this case, a CAC - 0110. Instead of sending you to a long distance carrier, it originates whatever you put next locally.
* In a strange gesture of switch apathy, AT&T's EWSDs do pretty much no checking of your destination numbers. As a result, you can route calls to almost anything of your choosing like 0xx codes, and it'll put it right through! No weird routings, no CACs needed, no workarounds. Let it be known that nothing good ever came from talking shit about your phone switches.
* The 0110 CAC seems to be a thing on all North American EWSDs, even the independent ones.
Curiously, on most other switch types, the ability for someone to take advantage of this is hit and miss at best.
* The EWSD stands as one of the only switches (the DMS-100 being the other) to have two different types of ringback tones. As far as I can tell, this has to do with the generation of hardware. Paul Timmins, the guy who runs Telcodata, was nice enough to post the install dates for most of the Ameritech EWSDs in Michigan. On that list, one clear pattern starts to come up; all the Type 1s were installed sometime before 1995 with the first Type 2 showing up in 1993. Unlike some of the more common switches, the EWSD never really became popular until the mid nineties, so the vast majority, partly thanks to DCO conversions and CLECs, are Type 2s. Type 1s only seem to occasionally show up in RBOC exchanges near the midwest and eastern parts of the US.
* While EWSDs seem perfectly capable of generating milliwatts (they can all do more complex 105-type tests), almost none of them do. Instead, they have a test set that sits on an analog line, and answers with a 102-type milliwatt. In between the silence, if you send it touchtones, you'll get all sorts of weird tones.
* When getting an error recording, the default behavior is to let an announcement play once, and quickly hang up
* The digit 'D', typically rejected by most switches in one way or another, will translate to 0 on an EWSD
* Like the DMS, some EWSDs have been noted to make soft clicking noises as calls progress. In this case, they tend to be less subtle than the DMS's. While nobody seems to know for sure what causes this, I have a pretty strong suspicion it's caused by how the EWSD handles lines on loop carrier systems.
* Our resident EWSD resident, JmanA9, was kind enough to get some information on the EWSD's test functions. The ringback circuit, surprisingly, is an actual, physical test device that physically removes you from the line card, and takes over the function of running your phone line.
This function is used very rarely, but is especially unusual on a switch that's preferred for all-ISDN networks, like some in Europe.
* Since the EWSD ringback circuit is less than intuitive, Jman was nice enough to record what each button does:
  - 1 returns dialtone burst, DTMF test, dial 1-0, two high pitched beeps if successful, one long high pitched beep if unsuccessful
  - 2 returns dialtone burst, you hang up, Ringback test
  - 3 returns dialtone burst, Rotary Test, dial 0
  - 4 returns dialtone burst, clicks then beeps twice
  - 5 returns dialtone burst, you hang up, it does things, it rings you back, beeps twice
  - 6 returns dialtone burst, you hang up, it does things, it rings you back, beeps twice
  - 7 returns dialtone burst, flash, clicks and whines, drops battery, you hang up for a while, then pick up, beeps twice
  - 7 returns dialtone burst, you hang up, it does things, it rings you back, beeps twice
  - 8 nothing
  - 9 returns dialtone burst, you hang up, it does things, it rings you back, beeps twice
  - 0 nothing
  - * nothing
  - # nothing
  - If you flash, it clicks, you hang up, it does things, it rings you back, beeps twice
  - MF 4, clicks, returns dialtone burst, you hang up, it immediately rings you back
  - MF 7, clicks, returns dialtone burst, you hang up, it drops

(Type 1)
Ringback tone: 203-453-0994

(Type 2)
EWSD Milliwatt: 541-384-0100
Ringback tone: 608-663-0126
Reorder tone: 608-663-0130
Remote call forwarding prompt: 888-345-8672, pick any switch from the IVR

********
AXE-10
********

Like the metric system or a sensibly sized pickup truck, what's common to the rest of the world is somewhat uncommon to the United States. The AXE-10 is no exception; while it holds the title of being the world's most popular phone switch, it's little more than a footnote in the North American network, with many being replaced by their more popular counterparts as quickly as the early nineties.
In former US West and Southwestern Bell regions however, a moderate but persistent crop of AXE-10s stands firmly in place.

A certain Greek AXE-10 running part of Vodafone's network holds a particularly unique place in telephone folklore, having been host to a rootkit written in PLEX, the switch's proprietary programming language, that concealed the wiretapping of the Greek prime minister and several other officials. Wikipedia's write-up of the story gives an air of mystery to the incident, as well as the cringeworthy opsec failure that led to a suspect being identified in the case.

* Quite a few of the ones in the US are near the Mexican border. This may be because Mexico uses so much Ericsson gear; AT&T will occasionally call on Mexican switch techs to help them fix stuff.
* Unlike other manufacturers, Ericsson appears to have stuck to developing in-house CPUs until a relatively late date, with off the shelf components being introduced into APZ (main CPU) designs towards the late nineties.
* Like the DMS-100, it seems to be married to an announcement machine. As far as most non-softswitch designs are concerned though, they stick out like a sore thumb; unlike a lot of the non-AIS announcements, they never, ever ring, and they're always very clean sounding; Ericsson made it fairly easy to let you directly upload recordings.
* Impatient! Only has a five second waiting time for partial dial conditions.
* Reorder timing is slightly faster than most American switches, but not as fast as a DEX-450/600, one of the toll switches occasionally found in the ex-MCI (0222; the non-Worldcom one) network.
* When dialing, the fourth column DTMF digits A, B, and C mostly seem to react as if you dialed a *, depending on where it's inserted. D, however, is another story.
* Can drop you to an announcement FAST; in the fraction of a second that most switches can bring you to reorder, the AXE-10 can start up a recording.
* Typically is filled with a bunch of strange tones in its test ranges, like out of spec milliwatts (next to real ones, no less) and seemingly arbitrary 815 hertz tones.
* AT&T AXE-10s allow NPA-0xx-xxxx

Ringback tone: 970-887-0051
Busy tone: 405-382-9154
Announcement: 405-382-9137
Weird tone: 325-235-0500
Off frequency milliwatt?: 325-235-0514

********
DMS-10
********

One of the long-standing champions of phone lines in rural America, having withstood even Nortel's attempt to kill it in favor of small DMS-100s. Despite the similar names however, the two systems have led a lifetime of nearly no common hardware or software, and not surprisingly, sound completely different.

* A direct descendant of the SL-1 PBX; some of the cards are even interchangeable
* Can support drum and AIS-style announcements. Older installations tend to have a DMS-10 DRAM (not to be confused with the DMS-100 DRAMs/EDRAMs; they're much lower capacity - only four simultaneous channels, only support shorter announcements, and are all around less sophisticated) stashed in them somewhere. These cards have a very distinctive feedback noise to them during recording/playback - really cool to listen to, and sometimes given they're just cards, can sit in the switch forgotten for many years, even after something like an APMax is supposed to have replaced it. That's often the case; a lot of DMS-10s have been fitted with more modern announcement devices (the 68k/pSOS-based Cognitronics MCIAS is still common in some installations, mostly by larger companies; tiny, cooperative telcos use the PowerQUICC/Linux-based Innovative Systems APMax almost exclusively), so you might have to hunt around in test ranges or dial something unusual from the dialtone itself to get these.
* One of the few switches to support looparound test lines in software. Possibly for this reason, most of those in service today will be on DMS-10s.
* Occasionally has test numbers for all of its call progress tones
* Starting in the 500 series of releases, Nortel began porting the DMS-10 software to ChorusOS 3.2.1. Most switches (even the CS-1500s) in service today run a generic with this OS. The lion's share of DMS-10s running pre-ChorusOS releases are owned by the Citizens Communications (think: rural Minnesota) arm of Frontier, and possibly some ex-Centurytel or Embarq (as opposed to ex-US West; those are all recent releases) Centurylink exchanges.
* DMS-10 offhook tone has a strange, modulated sound to it
* Stutter dialtone from the switch is considerably slower than other models. See the remote call forwarding number for an example.
* Like the DMS-100, uses DS-30/DS-512 internally
* Licensing for the switch is based on thousand blocks. For example, a rural phone company serving a town of 500 people might've bought a software license that lets them assign 311-555-0xxx and 1xxx numbers, but nothing else. Because independent telcos can be slippery, unpredictable bastards, this can save you a lot of trouble. If a thousand block is locked, you'll typically get a cannot be completed as dialed recording (or sometimes a reorder) on literally every number in the block instead of the standard not in service one.
* On some DMS-10s, flashing on lines without three-way calling might make it throw you onto a permanent signal recording. Or a reorder. Or other weird things.

Loop line: 904-845-1104/1106. 1106 is reorder via the DMS-10 until 1104 is called. Hanging up on 1106 when on 1104 will get rid of the tone for the duration of your call, but still accept new callers on 1106.
Remote call forwarding prompt: 207-657-9999
DMS-10 DRAM: 641-394-1255
High tone: 303-652-0020
Low tone: 303-652-0080
Dial tone: 303-652-0035
Offhook tone: 303-652-0039
Double ringback: 303-652-0042
Solid ringback: 303-652-0043

*************
CS-1500/C15
*************

What do you get when you put a DMS-10 CPU in a 2U rackmount box and slap some ethernet interfaces on it? A CS-1500! Not much more to say really.

* Like the GTD-5 and the EWSD, this switch is married to an AIS; pretty much all installs come with an Innovative Systems APMax. The increasing number of APMaxes being paired with DMS-10s has made telling the two apart, an already tough exercise, even harder.
* Telling a DMS-10 and a CS-1500/C15 apart can be really hard; they use very similar software, CPUs, and even the same line frames. As far as I know, the only way to tell them apart is to try finding a 105 type test, or possibly a loop; independents, where you'll most likely run into this scenario, will likely put a 105-type test in a place like 9105 or 1105. 9108/9109+1108/1109 is a good place for loops.
* The stutter dialtone you get on a CS-1500 when dialing *67, *82, etc will be normal speed; the DMS-10's is noticeably slower than the speed most switches play it at
* Does not have the offhook tone with the weird modulation sound in it like the DMS-10's
* Cannot support dialpulse trunks, among a few other trunking arrangements the DMS-10 does

Remote call forwarding prompt: 828-297-9999
?Reorder tone: 906-524-9966

*************
CS-2000/C20
*************

The CS-2000, as Nortel's internal hardware guide puts it, isn't a new product, but effectively a new hardware revision for the DMS-100. The software was ported from SOS (Switch Operating System; Nortel's proprietary RTOS) to Linux, and a virtual machine layer took the place of some of the hardware. The CS-2000 also runs on PowerPC 750 and 7410 CPUs, much like the newest DMSes.
The C20 is a redesign of this hardware by Genband to fit into an ATCA blade chassis, along with a completely different source of call progress tones.

* In ATM mode, this switch is quite literally indistinguishable sounding from a DMS-100. Supports many of the line frames and peripherals of the switch as well. Despite being ATM, internal signalling channels will still be done via IPoATM cells.
* In IP mode, the CS-2000 uses the same tone set as the DMS-100 in three-way mode. While it still supports DMS-100 hardware, some installations will do weird things, like fade out as it disconnects - as if there was some sort of packet loss concealment. Other installations have a subtle, but still noticeable level of latency.

Remote call forwarding prompt: 610-799-9900 (this isn't the best reference; the exchange itself is a DMS-100, the CS-2000 seems to be for an affiliated cable company)
Non-working number recording: 620-371-6111 (uses DMS-100 EDRAM circuit pack, stock announcement)
Non-working number recording: 702-722-6222 (uses CS exclusive Audio Server, stock announcement. Note that very new Genband C20s may use a different announcement)

***********
Safari C3
***********

* This switch pops up occasionally in small patches. Some west coast Comcast, some Charter, some Atlantic Broadband. The switch is optimized for voice over packetcable networks, and can be identified by a fairly distinct ring, and its breathy voiced stock announcements.
* This was very hastily thrown together by Cedar Point, a headend equipment manufacturing company, before eventually being acquired by Ribbon/Genband. This will occasionally result in weird feature limitations; for example, it'll support ISDN PRIs natively, but only NI-2 flavor PRIs. Or, as its manual cautions, if you insert a high density media gateway card into the last slot on the chassis, the switch will overheat.
* As of 2021, while Ribbon appears to fully back the product, it's unclear who continues to run these; changes in LERG, audible ringback, recordings, and other factors appear to suggest major cable companies are phasing these out. This would be consistent with the relatively short lifespan (< 20 years, whereas some DMSes have continually run since the seventies, albeit with severely evolved/upgraded hardware) softswitches seem to encounter. A cursory search for some press releases suggests South American cable operators might still be using them. A search on Shodan revealed one on the public internet operated by TV Rey (as in, TV King. I can't say it with a straight face either), a Mexican cable operator.

When I first started writing this, this is where I put numbers for the C3. Today, any secrets these awkward boxes of overheating breathy voices held were taken to the grave along with the example numbers I wanted to give out.

*****************
Taqua T7000/OCX
*****************

One of the many designs from the telecom boom (and bust) of the early 2000s. The switch was initially embraced by small companies, but seems to have fallen flat on its face, like a lot of other switches introduced at the time. What differentiates it from products like the Coppercom CSX and Gluon CLX is it survived, still retaining an audience within Sonus/Ribbon's halls.

ANAC: 229-236-0102
Remote call forwarding prompt: 760-928-5900
Remote call forwarding prompt: 806-350-0099 (alternate prompt set)

* The call forwarding prompt sounds very close to the DMS-10 and CS-1500 call forward dialtone, but listen closely to the way it comes on. There's two bursts of stutter dialtone, a (relatively) long pause, and another of those two bursts. There's also a few other differences, like stock recordings and its reaction to keys like *.
* Stock recordings sound weird and fucked up for some reason. Some iterations of this switch seem to have a completely different prompt set.
* Incorporates a SPARC machine running Solaris, though its role isn't entirely clear.
* Really hard to distinguish T7000 and 5ESS ring
* Architecturally, all cards on the T7000 (or OCX; same thing) are designed to be functionally independent of each other - the resources needed for billing, features, switching, etc, are all self-contained.
* Typically run in small patches by Paetec/US LEC, Allstream/Electric Lightwave CLEC properties (the former apparently only for IP traffic; they appear to be run alongside 5ESSes), but relatively rare overall, with a handful already being replaced by the early 2020s. Getting a chance to fondle T7000 dialtone has been anything but easy.

**********************
MDX384/IGX/HDX/SLICE
**********************

* Built to be very modular, and because of their unusual design, wind up in very strange places. Their very low capacity (IGX supports 96 lines per shelf, MDX-384 supports 384 lines) is ideal for places like ghost towns, and fanless operation makes them ideal for extreme parts of Alaska and the Yukon. They're popular as military PBXes as well, having survived a number of tours in Iraq. The SLICE, seemingly a 1U version of the IGX/HDX - or at least running the same software, has gotten its rite of passage into the US military. In some places where HDXes have historically been used, they've been swapped out with SLICEs for portability reasons. Some FTTH deployments in the middle of nowhere are done with SLICE hardware too.
* Despite their age and different generations of CPU cards (the IGX is believed to run on a 68k), the IGX, SLICE, MDX and HDX appear to all be running ports of remarkably similar software.
* Card stock between the HDX, IGX and MDX are interchangeable
* Each shelf in an HDX switch can have a maximum of 512 timeslots assigned to it, with additional shelves being connected together with a ribbon cable to allocate up to 4096 channels on the system's TDM bus to up to 32 shelves.
This limitation is suspiciously similar to the H.100 bus used in hardware-accelerated telephony cards for computers, with its maximum of 4096 timeslots, 32 independent serial data streams, and its big, IDE-like ribbon cable used to link cards together.
* The HDX has been described as both a softswitch and circuit switch before. Redcom's marketing tards need to make up their damn minds. Both generations work on circuit packs, the 90's generation of which look like they're using a few *very* old designs with hand-woven PCBs. It appears the presence of a TRANSip (media gateway) card is what qualifies it as a, uh, 'soft' switch, an increasingly hilarious misnomer that switch manufacturers seem intent on abusing. By definition, a softswitch, such as Asterisk or Callmanager, runs on off the shelf hardware. Nothing here, carrying a 'next-generation' moniker for over 20 years or otherwise, meets this definition in the slightest.
* Has a BASIC interpreter on it! No, seriously xD .
* One of the few switches in the world to still support magneto phones
* The integrated AIS sounds like the voiceover person had a stroke. This is apparently a design choice associated more with newer Redcom systems, though not absolute. While an IGX can still sound like it lost all feeling in its throat, it's far more common to use a scratchy sounding announcement card. More often than not, with the voice of the switch tech in some far flung place with an equally scratchy carbon mic.

Supervision test: 831-389-9103
AIS report: 831-389-9108
Loop: 907-293-1108/1109
Announcement via older IGX hardware: 907-293-9990

*******
GTD-5
*******

What do you get when an obscure phone company designs obscure hardware? The GTD-5 EAX! That's a "General Telephone Digital #5 Electronic Automatic Exchange" for those of you who actually pay attention to acronyms. There's a certain saying in telecom; "one is good, two is great".
Just to show they really were a phone company, GTE duplicated *everything* in the processor complex not just once, but twice. A single card has two processors running the exact same instructions and comparing them, while an identical card does the exact same thing. All the digital trunk cards on the system are likewise duplicated. Internally, the system communicates using 12-bit PCM words over a parallel bus, and runs on software written in a custom version of Pascal. Like some of the other designs like the EWSD, the system has no announcement cards, and leans entirely on external equipment to generate any recordings. For that reason, most of these were sold with units from the Cognitronics company to make this happen.

Random facts:

* Around 2000, Lucent completely redesigned the GTD-5 switching network. Little is known about it other than, well, it exists and it's different.
* Like any good obscure switch, the GTD-5 will almost always let you dial 0xx codes. You don't need to put a CAC in front unlike on a DMS-100, but probably won't be able to dial nine digit numbers. The tradeoff is the alternate dialplan for vertical service codes such as *67 on GTD-5s *will* generally block 0xx.
* The GTD-5 is more or less married to an AIS to provide any recordings in most configurations. Typically, these are run of the mill Cognitronics machines, but occasionally will be an ETC Digicept, a really old Cognitronics machine, or in some really recent cases, an Innovative Systems AP or APMax. However, some very old GTD-5s have actual, drum-style announcements. Mount Olive (217-999) is one of two I've ever heard equipped this way, and is living proof that the hardware even allows this.
* Some switches - most notably the GTD-5 in Logan, Iowa (712-644) - seem to have strange, newer retrofits used to generate recordings with text to speech. This is incredibly rare, but might be a sign of things to come if more of the older Cognitronics boxes fail.
* Sometimes, this switch will have a noticeable pause between certain tones, like offhook or stutter dialtone, even during off-peak times like 4 in the morning. It's unclear what causes this, but it might imply tone cadences are generated by non-dedicated hardware.
* Has a strange way of handling permanent signal (not dialing anything at the dialtone) conditions. Some have the announcement machine play something, some just give reorder, others a solid high (480) or low (480+620) tone, or even just silence. Sometimes you'll get a combination of all four. Always stay on after the reorder to be sure.
* According to Chuck, a seasoned GTD-5 tech, it may be possible to gain some insight into what software version a GTD-5 is running by the way it handles someone leaving their phone off the hook. It can be any combination of reorder, high tone, low tone, offhook tone, or all of the above. Supposedly though, there is no way to change what combination of these it uses in software. The most common way of doing things currently is to use all four (reorder -> low tone -> high tone -> offhook tone)
* Outgoing voicemail system trunks, some of the most locked down outgoing trunks you'll find, tend to get ANAC, directory assistance, and other things most switches never, ever allow. This switch is *not* good at toll restricting xD . Some GTD-5s have adopted the peculiar behavior of sending offhook tone down voicemail trunks when presented with an SS7 message indicating all circuits are busy.
* The behavior of the # key as the first digit of a phone number is unclear; where most switches assume you're using a speed calling code, the GTD-5 seems to wait for an unusually long string of digits, so long as the first or second digit isn't 1 in most cases. Notable exceptions to this are 0, 2, 3, 6, and 8; with 1 as the second digit, they'll keep listening.
* One of the few large CO switches to be designed (at least originally) for fanless operation.
Newer hardware doesn't necessarily follow this trend.

Unknown older hardware generating offhook tone for a GTD-5: 712-374-1256
Feature recording via weird TTS thing: 712-644-1275
Remote call forwarding prompt via ETC Digicept: 906-341-9983
Remote dialtone. For unknown purpose; doesn't look for destination number: 231-773-9996

************************************
Softswitches I know nothing about:
************************************

Metaswitch [early/mid 2000s ATM + IP core Compact PCI softswitch; popular with the rural telcos who change their switch as often as their underwear. Later systems use an ATCA chassis rather than cPCI. Very common within larger LECs as a voicemail system or for IP trunking]: 406-347-4800 (voicemail), 503-266-1021 (ANAC)

Coppercom CSX [early 2000s softswitch design. Few survive now] 517-436-9000 (ANAC)

Special thanks to:
Scott from the Socal bridge
The people who wrote the Wikipedia switch articles
dmine45, maintainer of telephoneworld.org
Evan Doorbell
Paul Timmins
JmanA9
Jim Somerville's LinkedIn profile
Shadytel, for keeping it as real as it gets

You guys seriously know your stuff! This file would've been a lot less interesting without your bits of wisdom to stick in here.