Protel COCOTs

by HeadTrip

I have spent a few years investigating Protel COCOTs and have some useful info for anyone interested in hacking and/or phreaking these puppies.  Protel COCOTs are the ones that answer with a 1200 bps modem set to old Bell mode instead of CCITT.  Anyway, on to the good parts.

First, the Protel's have some features from the keypad that you will need to know in order to hack them.  Here is a list:

  • *#61 - Gives the payphone's number (as programmed in the system flags).
  • *#62 - Gives the program info (we will go over this later).
  • *#65 - Gives the number the phone calls for EEPROM updates.
  • *#2 - Forces the phone to get an EEPROM update and new flag settings.

This is a very short list but it is all that is needed.

The first step to backing a Protel COCOT is getting the service password.  Sounds hard, right?  Well, it's not.  The provider's network has to send it in order to send a new EEPROM.  (Catching on?)  What equipment will you need?  A dirt cheap laptop (like a Compaq LTE286 or something - I got mine for $10 at a flea market) and an old Bell A202 or compatible modem (even cheaper).

Telephone cable and alligator clips are also a must.  Find the telephone network interface and crack it open.  The fun begins!  Clip your Bell modem on the line.  Set it to receive only - some have this on the dial, others you have to clip the TX line on the modulator.  Open your comm program on the laptop.  Go to the phone and punch *#2.  Log the input in your comm program.

When you go back and look at the capture, you will see the four-digit numerical passcode.  Now the hard part: search and scrounge the Internet for a copy of ExpressNet III or PROPRO.EXE (ExpressNet is the commercial programming utility for the Protels that supports dial-in stuff and PROPRO.EXE is the bare "call the phone and program it" version that comes free when you buy one from Protel).

Now go home and run your program util, call the phone, and enter your password and program that COCOT however you want: free long distance, 900 service, $100 per minute local calls... whatever.  And for even more fun after jacking that rate up, set the 411 service cloak to another payphone, set the "0" cloak to another one.. then wait at the other payphone and play operator.

When a call comes in to the operator:

  • 91 - Returns the coins.
  • 92 - Clears the hopper and collects the coins.
  • 93 - Makes the next call free.

Play with it and figure out all the cool things you can do as the operator of that payphone.  Oh yeah, and you can put pricing on the "free" services too, like 911, 411, 0, 211, 800, and stuff like that.  All of the x11 stuff can be cloaked to whatever number you want it to dial, like 911 = 1-800-BUT-LOVE.  This one I don't suggest because messing with an emergency service of any type is a felony, not to mention downright immoral.  Be creative, but remember it is illegal so don't get caught.