Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Phreaking General Information :: ex_scan.txt

Exchange Scanning




// Exchange Scanning
//
// by decoder
//
// http://www.oldskoolphreak.com

August 7th, 2003

This is not a complete guide to exchange scanning.  There are plenty of
files on the topic of scanning the full 10,000 block.  I will be focusing
on the 'test' areas, most commonly found on the 'high end' (99xx) and 'low
end'(00xx) of an exchange, as well as 'special' exchanges.  This should be
a useful guide for the beginner, but also interesting and informative for
even the most seasoned phreak.


Note: Many people say that the telco has equipment in every central
      office to detect sequential dialing and excessive calls to toll-
      free numbers.  I do all of my scanning from home, by hand. I
      encourage everyone to use their own discretion.


Introduction.
-------------

I happen to live in New York, where exchange scanning is pretty easy.  All
of the test numbers can usually be found without too much time and effort,
which is good because I am lazy.  My regional calling area consists of the
following NPA's:

212 Manhattan
917 originally NYC wireless, now also includes land lines in Manhattan
646 new Manhattan land lines and wireless
718 Brooklyn, Queens, the Bronx and Staten Island
347 overlap for 718
516 Nassau County (Long Island)
631 Suffolk County (Long Island) *(home of 2600)
914 Westchester County *(where the X-Men are from)
845 Rockland & Putnam Counties (and the southern part of Orange County)
203 Greenwich & Byram Connecticut


*[phreak phact: three of these NPA's (212, 914, & 203) are original 
  area codes from 1947. back then, customers didn't use the area codes,
  they were only for operators.]


The most commonly know test number in these area codes is the 'verification'
number, which can be found on (NPA)NXX-9901.  Keep in mind that this format
only applies to Verizon owned, land-line exchanges.  (although there are a
few exceptions)  These verification numbers give you the location of the
central office, and usually list most of the exchanges handled by that
particular c.o.  Many people know of the 'Elvis' verification number
(718 238-9901).  If you've never heard it, give it a call, it's always good
for a laugh.  There is also a verification number that lists an exchange
that begins with a one (914 375-9901), which is apparently some kind of
'inward' exchange. (when you call it, the first exchange listed is 146!)

Most of these recordings are pretty old so some exchanges listed may not
work anymore and, of course there are some new ones as well.  Sometimes, in
places where there has been an area code change, the verification message
will still give the old one.

When the exchanges are listed in non-sequential order, the first ones listed
are usually the oldest.  This is what should be of interest.  I have noticed
that in my area that the oldest exchanges in a c.o. are where you will find
most of the test messages, tones, payphone recordings, DATU's, etc.  In New
York, these are found in the 'high end' (99xx) of an exchange, although
sometimes they hide the good stuff.  There is a list of DATU's in NPA 718
making its way around the net, and they are not located in the 'high end',
they're all on random numbers.  The list has been out for a while and all of
the numbers and codes still work. (most codes in 718 are NOT default, but
the codes are kind of simple anyway)  This information originated on the PLA
(phonelosers) forums, and was posted by an ex-employee of Verizon.  But
finding a DATU shouldn't be the main objective of exchange scanning.  There
are many other cool things you can find.


Other areas.
------------

New York isn't the only place where the test numbers are in the 'high end'
of the exchange.  Michigan, D.C., Maryland and many other places work the
same way.  There are also areas where you should scan the 'low end'(00xx).
This seems to be the format in California and Pennsylvania.  In Illinois, a
good place to look is in 12xx, and I've even found an exchange in Texas
where the tests are in 31xx.  Although the 'high end' and 'low end' are the
most common, don't hesitate to check other sections.  If you find a 1000 hz.
tone on NXX-6715, then scan out 67xx.

If you want to know all the exchanges in your central office, I'm sure that
there are websites where you can find such information.  If you can't find
one, read a file on how to use a search engine.  Sometimes you can just open
up your local phone book, and if you're lucky, the information will be in
there.  One trick I use to find out which exchanges are the oldest is to
check what the Government numbers are. (police station, court house, library,
etc.)  It stands to reason that these places will have their numbers on the
oldest exchange.  After all, the police station has obviously been there for
a while, and I'm sure they wouldn't ever need to change their phone number.
If you live in a small town and your central office only has one or two
exchanges, then you don't have much work to do at all.


The Scan.
---------

I was inspired to do this scan when reading an old text file on exchange
scanning. (it can be found in 'BIOC's Guide to Basic Telecommunications vol.
one', as well as many other places)  First of all, the area code has changed
since the file was written.(1980's?)  Also, some of the numbers worked, but
most didn't, so I decided to scan the 100 numbers myself.  I found that a few
of the original recordings were still there, but on different numbers.  I
also found a few other cool things, so here is the updated and expanded
version of that old text-file. (find the old scan, you'll see it's not much
different than mine)  This should prove that 15 or 20 year old text files are
still worth reading, not only to know your history, but they can also be
semi-useful.  The old skool is alive and well.

1(845)268-99xx:

9901 welcome to the Congers DMS-100 central office, using codes 268,
     267, 261 and 979. (261 and 979 don't seem to work anymore)
9903 rings once, then plays six DTMF tones
9909 we're sorry, your call did not go through. will you please hang up
     and try your call again? this is a recording. (repeats, then rings
     again...) please hang up and try your call again. if you need
     assistance, dial your operator. please hang up now. this is a
     recording.
     *this is the most common recording on this number, but if you call
      it a few times, you'll get a few different things. try it out.
9910 DATU (default user code)
9911 DATU (default user code)
9922 excuse me, please deposit five cents for the next two minutes or
     your call will be terminated. this is a recording.
9926 (914) 268, 267, 261 Congers DMS-100 verification. (also will play
     the message on 9901 sometimes) *note the old NPA
9933 {sit tones} we're sorry, the long distance company access code you
     dialed must be preceded by the digits 950. please hang up and try
     your call again. (I don't think they even use 950 anymore)
9940 {sit tones} we're sorry. private calls are not accepted by this
     number. to complete your call, hang up, pick up again, dial *82 or
     on rotary phones 1182, then dial the number. if call id or call id
     with name are in use, your name and number may be displayed. this
     message is free. (this one was very informative. I'm surprised that
     they didn't tell me which end of the phone I should speak into)
9947 {sit tones} we're sorry, you call cannot be completed as dialed.
     please check the number and dial again, or call your operator to
     help you. (also plays a similar message in a different voice)
9960 loud tone (1000? hz.)
9963 loud tone (1000? hz.)
9967 rings once, then silence
9977 {sit tones} we're sorry, your call cannot be completed as dialed
     from the phone you are using. please read the instruction card and
     dial again.
9978 the call you have made requires a coin deposit. check the
     instructions on the payphone for the appropriate rate, and dial
     your call again.
9999 rings, then low hum (weird)


Comments.
---------

Now lets see what I've found.  Two different verification numbers, a number
that plays DTMF tones, a few of payphone recordings, some old error messages,
tones, and two DATU's.  Don't ask me why there are two DATU's, I'm assuming
that they don't do anything different.  I usually find twice as many test
recordings in a New York 'high end' scan, but that old 'call id' message was
something I haven't encountered before.  Even when you don't find much, you
find something.

All numbers not listed either ring out, are a fast busy, or play the regular
disconnect message. (we're sorry,...268-99xx has been disconnected or is no
longer in service...)  I usually do my scans at night, well after business
hours, but I have reason to believe that 9900 is the direct number to the
central office.  Sometimes when I scan during the day, someone will answer at
9900 and say the name of the central office (as in where it is located,
268=Congers, NY)  I've only encountered this a few times.  I never talked to
them because I'm usually about to scan out the next 99 numbers, and I'm not
looking for trouble.  Maybe one day when I'm bored, I'll try to social them.


Special Exchanges.
------------------

Most of the time, numbers such as the ANAC, time and weather, ringback and
various other things are kept on special exchanges.  Almost all special
exchanges can only be reached from that particular area, except for time and
weather numbers, which can usually be reached from anywhere.  In New York,
958-xxxx and 990-xxxx are ANAC's and 660+ your 7-digit phone number is the
ringback.  In New Jersey, the ringback is 550.  Many states use 200 for the
ANAC, from what I have heard. In California, you can get the time by dialing
767-xxxx (which most people call 'popcorn', 767-2676 spells popcorn), or
853-xxxx.  The 767 exchange is used in Northern California NPA's, and the 853
is for Southern Cali.  There are a lot of places, like Boston and D.C., that
still use 936 for time and weather.  976, 540, and 550 are also special
exchanges, but they are all premium pay services, kind of like 900 numbers,
so I wouldn't suggest scanning them unless you are beige boxing.  You're
probably not going to find anything that interesting, but you never know.
The time and weather numbers in NY are on the 976 exchange, so If I want to
know the current weather conditions, it'll cost me 99 cents. What a bargain!

There is also the little known 959 exchange, which is very different from
other special exchanges.  It is owned by AT&T, and it is accessible from
almost any area code. (except NY for some reason)  If you get lucky, you might
hear things like test messages and different tones, just like you would when
scanning the high and low end of any other exchange.  Try common numbers such
as 1000, 1111, 1234, etc.  Sometimes the test numbers will be different in
different area codes and sometimes they're the same.  I think that 959-1000 is
the same everywhere.  Because these are AT&T's numbers, they can only be
reached through AT&T.  The way to do this is to use AT&T's dial-around,
10-10-288. (another one is 10-16-111, which also works the same for
op-diverting, by the way)  Simply dial 10-10-288+ 1(NPA)959-xxxx.  You will
not be charged for this call because it is a test exchange.  I can personally
attest to the fact that it is free, but I can also personally attest to the
fact that AT&T might get pissed off if you do it too much because they blocked
my use of 10-10-288.  Don't feel too bad for me.  I can still use 10-10-288-0
to op-divert to toll-free numbers, I just can't use it to make long distance
calls or to call 959 numbers. Oh well.


Conclusion.
-----------

Exchange scanning is fun and most of the time, it's free!  The telco doesn't
charge you when you reach an error message, so you can call these numbers
from a payphone without paying for it.  If you're scanning your exchange from
home, then it's either free or just the price of a local call,(if you get the
odd business or residence here and there).  I do strongly suggest getting an
unlimited long distance plan so you can scan exchanges all over the country.
(not to mention call up all the 'l33t phreaker confs)  It's always cool to be
able to tell your friend who lives 1000 miles from you what his DATU and ANAC
numbers are.


Appendix.
---------

I was planning on adding a few scans to this file, but I thought it would be a
better idea to give people the chance to do some scanning for themselves.  To
give you guys a starting point, I've added some numbers from scans I have done
in the past.  If you take a look around in these exchanges, you will find many
interesting things.


(313)849-9906  due to weather conditions, all Ameritech circuits are
		busy. please try your call again later.
(313)324-9901  you have reached AT&T local services. DT RT MI BA DS0
(570)387-0000  thank you for calling Bell Atlantic. due to an emergency
		condition, we are operating with a reduced staff, and if
		you stay on the line you may experience a delay. you may
		find it more convenient to call us back at another time
		for assistance.
(570)387-0083  DATU (default codes) *(this one has a different voice, so
		far it's the only one I have found like it)
(202)965-9970  you have just de-activated this feature
(916)440-0017  we're sorry, your service has been interrupted. for
		fire, medical and police emergencies, dial 911. to
		discuss your account, please contact you local service
		provider. thank you.
(916)440-0031  {sit tones) we're sorry. due to telephone company
		facility trouble, your call cannot be completed at this
		time. will you try your call again later.
(212)967-9999  this is a test announcement. this is a test announcement
		for use at anytime in emergency cases. thank you.
		(this will also play a citibank message sometimes)
(646)674-9901  you have reached Bell Atlantic office of west 36th st.,
		serving codes (646)674, (212)594, (917) 339.
(914)345-9935  excuse me, please deposit 5 cents for the next two
		minutes or your call will be terminated. thank you for
		using Nynex. this is a recording.
(415)499-0091  DATU (default user code)
(618)654-1206  ANAC (this can be reached from anywhere, but it only
		reads back your 7-digit number)
(409)724-3137  {sit tones} the call you have made requires an initial
		deposit. please hang up momentarily, listen for
		dialtone, deposit the amount specified on the
		instruction card, and dial your call again.
(215)979-0045  (AT 629) welcome to the ATX long distance network.
		please contact customer service at 1(800)220-4900 to
		activate service.
(215)979-0028 -(hold music)- thank you for calling Bell Atlantic. all
		of our lines are busy right now, but your call is
		important to us. please hold on, our next available
		representative will be with you shortly.
		-(more horrible hold music with singing!)-


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH