The Complete Guide to the Elcotel Payphone
• By: The Clone
• Updated: February 5, 2003
• Written: March 31, 2000
• http://www.nettwerked.net
• theclone@hackcanada.com

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

_________________ Table of Contents _________________

* Introduction
* Elcotel's International Corporate Customers
* Elcotel Payphone Investment [Canada]
* Hardware Details [9520C]
* Physical Administration
* Elcotel 9520C Phone Seizing Problems
* Remote Administration
* Central Administration Computer(s) [9520C]
* Web-site References
* Credits
* Conclusion

- Introduction -

It's the year 2003 and I can say that without a doubt we are finally in the midst of a payphone revolution. For a greater majority of the 90's, there have been dozens of so-called "break-throughs" in the telecommunications industry's payphone sector. Some of these breakthroughs helped to shape the way we live by finding simple solutions to our complex problems by making the way we communicate convenient, easier, and more efficient.

One key player in the innovation of the international payphone market is a company by the name of Elcotel Corporation (NASDAQ: ECTL). Elcotel, based in Sarasota, Florida (recently bought out by Quortech Solutions of Calgary, Alberta, Canada), has rewired the Digital Age and the rules of marketing by creating one-on-one relationships between businesses and the consumers they are trying to reach.

In this document I will be lecturing on a wide variety of subjects concerning Elcotel's products, ranging from the basics to the more advanced information. All the information contained in this document has been researched and/or discovered by myself or my associate, RT.

Please Note: I've made every attempt possible to be accurate, so if for some reason I made an error please let me know by e-mailing me the details - I'll try to take every e-mail into consideration.
--

- Elcotel's International Corporate Customers -

Elcotel has a wide variety of Corporate Customers it deals with on a regular basis, and not a hell of a lot of people are really aware of who these customers are. In this section I've listed off every Corporation that currently has an account with Elcotel, including their account numbers, all in alphabetical order. Use this information in any way you wish, but use it responsibly and legally.

-----------------------------------------------------------------------------
Account                  Account #
.......                  .......
ADITEL                   1570101
AEC – SAUDI              1671701
AFRIC – MOROCCO          1500701
AMERICAN SAMOA           1682001
BARAINVER S.A.           1753001
BELIZE TELECOM           1505301
BERMUDA                  1437501
CANADA PAYPHONE          1557701
CIMEX                    1729501
COMTEL                   1469701
CONECELL                 1748801
DAEBONG                  1760101
DATELCO                  1738401
ENTEL                    1682201
ERICSSON                 1771701
GENESIS                  1675601
ITG GROUP (IRELAND)      1739001
MKTC                     1765801
MULTI-LINE               1612701
PALMETTO                 1751101
PHILCOM                  1628301
P T & T                  1623601
QUADRUM                  1246302
TELCEL                   1751701
TELECTRONIC              1557401
TELEFONICA (MYSTIC)      1689401
TORTEL                   1778001
TELEFONICA DEL SUR       1580301
TPPR                     1729401
TRANSDATA                1520701
WCVC (Telefectivo)       1626301

[TOTAL = 31 International Corporate Customers (ICC)]

---

- Elcotel Payphone Investment [Canada] -

So you want to invest in an Elcotel payphone -- well you've come to the right place. In my humble opinion, Northern Telecom has somewhat of a monopoly on payphones/data terminals throughout Canada and I'd like to see some more competition from Canada Payphone Corporation.

Available on Canada Payphone's web-site is a form that any company interested in purchasing an Elcotel series phone can fill out to do so. The form asks for the following information:

First Name: ____________________
Last Name: ____________________
Employer Name: ____________________
Employer Address: ____________________
Street: ____________________
City: ____________________
Postal: __________
Province: ____________________

How did you hear of us?
+*******************+
* Magazine          *
* Newspaper         *
* Television        *
* Referral          *
* URL/Search Engine *
* Viewed product    *
+*******************+

How would you like us to contact you?

+********+
* E-mail *
* Phone  *
* Fax    *
* Mail   *
+********+

Please indicate telephone number where we can reach you: ____________________

At what time of day should we call you?

+***********+
* Morning   *
* Afternoon *
* Evening   *
+***********+

If you prefer to be contacted by fax, please indicate the number: ____________________

If you prefer e-mail correspondence, please provide your e-mail address: ____________________

Site Description:
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________

# of payphones required: ______

When do you require these to be installed? ____________________

How many payphones are currently at your location? ______

Would you like information on our Public Internet Terminals?
( )Yes (*)No

Are you presently in a contract with your payphone provider?
( )Yes ( )No (*)Unsure

Please list any specific questions or comments below:
__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________

A CPC representative will respond to your request within 72 hours.

NOTE: Required fields are followed by a check mark.
Reset   Send

This form can be accessed at the following URL:
http://www.canadapayphone.com/contact/request.htm

- Hardware Details [9520C] -

[_ Full Size Image: http://www.nettwerked.net/attsilver.jpg _]

9520C Features:

- Stand-alone operation, no expensive platform fees
- Line-powered
- High speed modem decreases transmission time, thereby reducing polling and programming costs
- Supported by Elcotel's state-of-the-art, PNM Plus (Default software; PollQuest)
- LCD (line-powered) display augments audible (bi-lingual) instructions
- Speed dial buttons offer convenience and additional revenues when prompted to service providers
- Multiple payment methods accept coin, credit card, debit card, prepaid card and coinless transactions
- Digitally recorded, bi-lingual voice prompts provide user-friendly instructions in culturally diverse locations such as airports
- Standard integrated volume control button ensures ADA compliance
- Remotely downloadable operating system and site operational files
- Call diagnostic events recorder enable remote diagnostics and troubleshooting
- Flexible call routing
- One year warranty
- Handles unique call situations using priority parsing
- Internal Alarm reports (coin jam, vandalism, handset, inactivity, cash box level, etc.)
- Detailed call records management
- Full spectrum of answer supervision
- Modem telemetry for programming and cash box/alarm monitoring via computer
- Voice telemetry for programming and monitoring through the phone's keypad

Specifications:
---------------

Power: Telephone line-powered; 48 VDC line voltage (on hook), 23 mA loop current (off hook)
FCC Registered Ringer Equivalency: 0.7B
Chassis Weight: 2 lbs.
Phone Weight: 49 lbs.
14.4 modem
Handset: Hearing aid compatible
Nine Button "Matrix" speed dial keypad
Japanese Model Chips
Motherboard Protected by Cash Box
IDE Interface
ABA magnetic Strip Card Reader

Miscellaneous Hardware Information:
-----------------------------------

Component Movement
------------------

Q: "What's that crazy noise I hear when I hang up the 9520C?"

A: That noise you hear when you hang up the phone is simply the Physical Component Switch (PCS) resetting the line after recognizing a dialtone. In addition, if you were to open up a 9520C model Elcotel and look inside, you would see a button which operates the Physical Component Switch labeled 'do not press'. I've always wondered what would happen if I were to press it.

Ring Back
---------

All Elcotel 9520C payphones have a built in ringer, though only approximately 10% of them actually ring when you call them up. A simple way to test if the 9520C phone you're using is part of the "10% ringing bracket" is to call it (number located on the phone) from another payphone next to it. If there isn't another payphone close to the Elcotel, which is not uncommon (marketing reasons), just use your cell phone and call the line up to test if the 9520C phone will indeed ring.

How many Nortel Millenniums do you know of that ring, let alone answer with a modem carrier when you call them up? NONE. (Unless they're privately owned & maintained, in which case you're in luck.)

.. _-_

- Physical Administration -

Physical Administration of the Elcotel Payphone has got to be one of the most exhilarating experiences in the Research and Development of the Elcotel Payphone. Using this brand new hi-tech equipment, learning the ins and outs, hacking it, and documenting it all as a pioneer explorer is absolutely incredible.

As noted in the 'Hardware Details' section above, the Elcotel 9520C contains two alarms to help detect vandalism and help discourage theft of the equipment.
The main alarm is within the actual phone itself, and if set off for any of various reasons will send a distress message to the central NCC computer at Canada Payphone Corporation. Canada Payphone, if you don't know, is our country's lovely distributor of Elcotel Payphones. Canada Payphone, located in Burnaby, British Columbia, will receive this distress message on their computers, which then automatically register everything about the phone (including the location). Canada Payphone will then contact either a security company which was contracted by them, or AT&T security who run their data/voice lines. Several minutes later, either the contracted security company or AT&T will take a stroll on by to the premises and investigate the matter. Big trouble for the person who sets it off.

--

Hired contractors for Canada Payphone routinely do physical administration on the phones - installing, programming them, collecting the money, and everything and anything that they are required to do in their job description. Because these contractors are usually lonely guys who have to run around all the time working with machines, they long for human interaction. That is how my associate RT was able to snag some useful information. All he did was walk up to the guy fixing the phone and start a conversation with him. In a calm manner, RT asked several questions about the phones which the contractor was glad to share with him. The information he gave RT has been added to various sections of this document, and for that we THANK HIM. :)

--

Alarm PIN Information
---------------------

Disabling the alarm on the Elcotel series phones is relatively simple. What you're required to enter is a three digit PIN, which if correctly entered, will turn off the local alarm in the phone. This means that the static connection from the phone to Canada Payphone's NCC computer in Burnaby BC will be cut off. However, if you enter an incorrect PIN you'll get an error message on the display.
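
The alarm PIN this section describes is three digits long and, as the answers below note, was chosen from the operator's initials and used as a common default. As an added example (not code from the original document or from Elcotel), this Python audit checks a fleet's PIN assignments for exactly those weaknesses; the operator name, phone IDs, PINs and the `min_len` / `max_share` thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Letters printed on a standard 12-key telephone keypad (ITU-T E.161).
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def keypad_digits(text):
    """Digits pressed when `text` is spelled on the keypad (digits pass through)."""
    return "".join(LETTER_TO_DIGIT.get(ch, ch) for ch in text.upper())


def operator_derived_pins(operator_name, pin_len):
    """PINs of length `pin_len` guessable from the operator's name alone:
    the initials, and the first `pin_len` characters of each word."""
    words = re.findall(r"[A-Z0-9]+", operator_name.upper())
    candidates = {"".join(w[0] for w in words)[:pin_len]}
    candidates.update(w[:pin_len] for w in words)
    return {keypad_digits(c) for c in candidates if len(c) == pin_len}


def is_trivial(pin):
    """True for repeated digits (111) or a run up or down the keypad (123, 321)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return len(pin) > 1 and steps in ({0}, {1}, {9})


def audit_fleet(pins_by_phone, operator_name, min_len=6, max_share=0.05):
    """Return {phone_id: [issue, ...]}; PINs are expected to be digit strings.

    min_len and max_share are assumed policy values, not vendor settings:
    a PIN shorter than min_len has at most 10**len(pin) possibilities, and a
    PIN used by more than max_share of the fleet is effectively a default.
    """
    counts = Counter(pins_by_phone.values())
    total = len(pins_by_phone)
    report = {}
    for phone, pin in sorted(pins_by_phone.items()):
        issues = []
        if len(pin) < min_len:
            issues.append("short")
        if pin in operator_derived_pins(operator_name, len(pin)):
            issues.append("operator-derived")
        if is_trivial(pin):
            issues.append("trivial-pattern")
        if counts[pin] > 1 and counts[pin] / total > max_share:
            issues.append("fleet-shared")
        report[phone] = issues
    return report


# Constructed sample data: invented operator, phone IDs and PINs.
OPERATOR = "Northfield Payphone Co"
FLEET = {
    "PH-0001": "672",       # keypad spelling of the initials N-P-C
    "PH-0002": "672",
    "PH-0003": "672",
    "PH-0004": "111",
    "PH-0005": "48210957",
}

if __name__ == "__main__":
    for phone, issues in audit_fleet(FLEET, OPERATOR).items():
        print(phone, ", ".join(issues) or "ok")
```
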

(1) How do I disable the alarm?
---------------------------
By picking up the receiver on the phone, pressing #, and entering the correct three digit PIN.

(2) How do I know I'm doing it correctly?
-------------------------------------
You'll know you're doing it correctly when you see ### on the display... the ### represents the PIN. If you entered the right PIN, the display message will say "OK".

(3) What is the PIN?
----------------
Canada Payphone (being the obvious guys that they are) decided to choose a PIN code that would be easy to remember, so they picked 'CPC' as the PIN code. CPC standing for Canada Payphone Corporation, wh00p. It's been changed in most areas since this article has been updated, but may still work in your area. If it does work in your area, please contact me and let me know. Thanks!

(4) How do I enable the alarm again?
--------------------------------
Pick up the receiver (if it was hung up) and type #CPC (or other working PIN), then hang up the receiver and try to wait for at least twenty seconds before using the phone again. Why? You have to give the phone some time to reconfigure itself. You'll know you can use the phone again when the components in the Elcotel shift.

--

Administration PIN Information
------------------------------

The benefit of Physical Administration over Remote Administration is that you're not required to enter an ID of some sort before entering the PIN. What you're required to enter is an eight digit PIN, which if correctly entered, will allow you to open the phone's case, granting you full access to the Elcotel's remote administration system.
This gives you the ability to:

- empty out the cash box
- change screen messages
- administrate rate tables
- see how many calls were made with the phone in a given time period
- see how many days the phone has not been in use
- debit card information
- several security parameters
- etcetera

--

- Elcotel 9520C Phone Seizing Problems -

9520C Phone Seizing Problem #1
------------------------------

The Elcotel 9520C model phones which haven't been upgraded with the new "fool-proof chip" (they think we're fools :( ) have a severe flaw. Recently Canada Payphone decided that it would have its calls routed through AT&T's switching system instead of their own. The reason for this may be due to AT&T's size and ability to handle several calls without getting the 'bottle-neck' problem like Canada Payphone may have had. Now due to this change-over, a problem occurred with the 9520C model Elcotels, causing a line-seizing problem. With the combination of the switch over, and inherent flaws with the talk-battery in the Elcotel 9520C, these payphones will allow a phreaker to exploit it to make an unlimited amount of free local calls.

This is how it's done:

- Pick up the receiver
- Enter 25¢ for the call
- Call someone, and be sure they hang up the telephone after the call is completed.
- The line will not be seized at this time, the mouthpiece will not be muted, but the keypad will be disabled.
- With the receiver still in your hand, place your tone dialer on the mouth piece and begin to punch in a phone number or play the pre-programmed DTMF tones. Either way should work successfully.

Remember that this trick will not work on ALL 9520C series Elcotel payphones. ONLY the 9520C's that haven't had their chip upgraded to prevent this type of fraud will work. You're better off exploiting the Unrestricted Dial Tone Exploit on 'Eclipse' models.

++
Note: Sometimes when you dial a number with the 9520C phone and get a number that is either 'Not In Service' or 'Cannot Be Completed', the line might not hang itself up. In this case, you could use the same techniques documented above to exploit the seizing problem and make free local calls.
++

9520C Phone Seizing Problem #2
------------------------------

The Elcotel 9520C model phones which have been upgraded with the new "fool-proof chip" have a severe flaw. The new chips in the Elcotel 9520C's apparently fixed 30% of the phones in Canada which allow the use of a tone-dialer to make "free local calls" when a line doesn't seize properly. The newer chips apparently do not allow the use of a keypad or DTMF tones in the chance that the line does not seize after a call is completed, thus securing the flaw. However, there is a way around the newer chips' "security features". If done correctly, the trick will allow a phreaker to exploit a different type of line seizing problem unknown by the Telco and unrecognized by the newer 9520C chips.

This is how it's done:

- Pick up the receiver
- Dial '611' (don't worry it's free)
- Immediately after, press the bi-lingual button (English to French) located next to the phone's keypad. If done correctly, the payphone will reset, causing the connection through to AT&T's trunk to "seize", dropping you to a dialtone
- At this point you can use the keypad to dial any local number you wish.
- Or use a tone-dialer by placing it on the mouth piece of the receiver and begin to punch in a local phone number, or simply play the pre-programmed DTMF tones.

The only explanation I have for why the Elcotel 9520C resets the line, causing a seizing problem, is Elcotel's inability to develop a chip that prevents various types of fraud, and the lack of a working talk-battery in the phone.
If Elcotel could simply keep its promise of developing so-called "fraud resistant" payphones by having regular security audits before they ship their products to their corporate customers, then they wouldn't have to worry about lost revenue caused by phreakers who abuse these vulnerabilities. It's only common sense. :)

A separate paper on this flaw is available at: www.nettwerked.net/cocot_exploit.txt

--

- Remote Administration -

In my previous document titled 'CPC; Elcotel Eclipse Smart Phone' I mentioned how one could remotely administer a payphone as long as they had the proper knowledge to do so. I briefly explained that you'd be required to have the payphone's uniquely assigned number, the software to administer it and the ID/PIN to do so. In the document I mentioned that once inside the system you'd have the ability to change rate tables, change scrolling messages, turn the payphone on, etc.

What have I discovered/accomplished since then:

- Payphone Numbers -

I now have a list of several Elcotel 9520C payphone numbers which several people have helped me compile. At the moment I have Canadian payphone numbers from Calgary, Edmonton, Kitchener, Montreal, St. Catharines, Quebec City, Vancouver, and Victoria. The number of payphones listed so far is in the 80+ mark and continues to grow with more and more contribution. The document (Elcotel CPC 9520C; National Payphone Number Compilation) can be seen by visiting: http://www.nettwerked.net/elcotel_compilation.txt

- Software -

In December of 1999, I started to get into the software side of it all and posted several different Remote Administration programs on Nettwerked for download. The programs made it easier for the phreak and hacker to get into the core of the Elcotel system without worrying about having to search for them...

- PNM Plus is a simple Administration Tool which can be used on the Elcotel.
  Details: http://www.quortech.com/htmldocs/sitedocs/us_software.html

- PollQuest Version 1.6.0 (Commercial Release) or 'International Payphone Network Management System' is a nice full software package (beta) used for administering the Elcotel, and is the default program used on the 9520C's.
  Details: http://www.quortech.com/htmldocs/sitedocs/international_software.html

- Other software packages to look for:
  * Expressnet - http://www.protelinc.com
  * Pronet - http://www.protelinc.com/PROTELInt/pronet/fpronet.htm
  * Telelink - available for download at http://www.ernesttelecom.com

- Remote Administration -

ID: When connected to the Elcotel Payphone remotely, you'll be prompted for an Identification number. Now from what we're aware of, the ID numbers are assigned differently in accordance with the location of the payphone. Also, from what we were told by Elcotel installers (they're great for insider information) the Elcotel Remote Identification numbers range from 8000 and up. Knowing this, we can presumably say that all ID's are programmed to be four digits - or at least four digits by default.

PIN: One hunch I have is that the PIN alpha-numeric codes used for Remotely Administering the Elcotel payphones are exactly the same number of digits (8) one would be required to enter if they wanted to carry out Physical Administration. Are Remote Administration PIN codes using a Canada-wide default programmed into all Elcotel Payphones? Perhaps, and the assumption isn't too broad either if we consider there is a default PIN used for physically disabling the Elcotel alarm (see Physical Administration).

- Software Options -

Previously I gave reference to Rate Tables, but the information given was a tad too general and didn't go into enough detail to help the reader clearly understand what they'd be in for once they connected to the payphone remotely.
Below are the actual table options from one of the many Remote Admin Software C programs, which are available on my preliminary archive: http://www.nettwerked.net/c_scripts.html

Option info

OPTION FILE ........=############ (####)    Next Date Phone Call In =!%%/%%/%%!
RATE FILE ..........=############ (####)    Next Time Phone Call In =!%%:%%!
EXCEPTION TABLE .....=############ (####)   No. Days Bump Call In =##
LOOKUP TABLE .......=############ (####)    POLL INTERRUPT DISABLE ..<->####
DIAL STRINGS .......=############ (####)    Enable History logging ..<->####
RATE OVERRIDE ......=############ (####)    Enable CDR [UP+CLEAR] ...<->####
CCR TABLE ..........=############ (####)    Cash Box records to save ..=##
VOICE FILE .........=############ (####)    Days for no activity ......=##
IPIN TABLE .........=############ (####)    Nickel equiv. for full CB =##
SECURITY PARAMETERS =############ (####)
DEBIT CARD TABLE ...=############ (####)    DISPLAY option on ph.....<->####

Browsing over this table, we see there are so many different options. Not only that, but the options available are surely useful for anyone wishing to collect information on Canada Payphone customers. Aww :(

- Central Administration Computer(s) [9520C] -

All Elcotel 9520C series phones are pre-programmed to collect statistics about the amount of money they made, how many calls were placed (and for how long), how many days the phone has gone without use, etc. You'd wonder how Canada Payphone would get this information, no? What they have done is program all the 9520C Elcotels to send all their statistical information directly to the headquarters of Canada Payphone via modem - 14.4 data-transmission twice or more a month. The headquarters, in Burnaby, British Columbia (NPA 604), has a central admin computer (or computers) which stores the history of every 9520C payphone statistic ever generated within Canada.
When you call that number up with the Elcotel 9520C phone, you are given a credit of between 5-20 cents, and the display timer, which usually counts the number of minutes a user is on the phone, was instead counting down from 40 minutes. Which brings me to the assumption that the maximum amount of time it takes for the 9520C to send all of its statistical information to the headquarters is approx 40 minutes in length.

- Web-site References -

Useful Sites:

Canada Payphone Corporation: http://www.canadapayphone.com/
Elcotel Coinless Services: http://ecs.elcotel.com/
Elcotel Coinless Services Overview: http://ecs.elcotel.com/overview/index.htm
Elcotel Telecommunications: http://www.elcotel.com/
Hack Canada (Our Local Telco): http://www.hackcanada.com/telco/index.html
Nettwerked (Elcotel Research [and Development]): http://www.nettwerked.net/files.html#ELCOTEL

--

- Credits -

I'd like to personally thank my associate 'RT' for working with me to learn everything there is to know about the Elcotel series phones, and of course for his very useful contributions to this document.

- Conclusion -

In conclusion, I'd just like to note that this document will be updated periodically as I learn more about the Elcotel payphones' architecture and its security parameters. As Elcotel (Quortech) develops more technically advanced communication devices, you can rest assured I will be one of the few out there hacking it and writing another document to share with the rest of the Canadian phreaking community.

A N E T T W E R K E D P R O D U C T