Phreaking the NEC i-Series phone systems
by war



The i-Series of desktop fones are manufactured by NEC. The 
i-Series includes the 28i, 124i and 384i phones. These phones 
were built by NEC for use in an office environment, and they 
perform satisfactorily in that role. NEC i-Series phones are 
used by a number of small and large businesses in North 
America. 

This article might, possibly, hopefully, give you some insight 
into power-use (or phreaking, whatever) of the i-Series fones.
That's the idea, anways. I'm assuming a previous basic knowledge 
of how PBX systems work.

The i-Series phones have quite a large array of features, too 
large to explain every feature in detail in one article. 

A quick overview of some of the i-Series features:

Alarm
Automated Attendent (Voice Announcer)
Background Music
Barge In (Emergency Interrupt-ish)
Call Forwarding
  Follow-me
  Off-Premise
  DND Override
Call Waiting/Camp On
Conferencing
  MeetMe Internal/External Conferencing
  MeetMe Internal/External Paging
Directory Dialing
Internal/External Paging
Programmable Function Keys
Soft Keys (on select models)
Reverse Voice Over
Room Monitoring
Tandem Trunking
Voice Mail


Physical Access

As the topic says, let's first assume you have physical access 
to the actual phone. So, you may ask, "How do I gain physical access?"
It's not that hard, really. If you spot an i-Series phone in a shop, 
you could simply ask them, "Can I use your phone?" It's not hard.

So. Let's look at a couple useful features of the wonderful i-Series 
fone system.



Call Forwarding


Probably one of the most useful (in-my-opinion) options on the 
i-Series phones is the "Call-Forwarding" feature and Call-Forwarding
Off-Premise feature. The i-Series phones have quite a few options 
when it comes to call-forwarding. You can forward your calls to 
voicemail, forward your calls to another extension, or forward to 
an external number. Call-forwarding also ties in with the 
Do-Not-Disturb (DND) functions of the phone. 

Call-Forwarding

There are a couple call-forwarding modes. They are:

Call-Forwarding when Busy or Not-Answered

Call-Forwarding Immediate
  -immediately forwards your call using the given method
   without ringing the line at all

Call-Forwarding when Not Answered

Call-Forwarding Immediate with Both Ringing
  -immediately forwards your call using the given method, but still 
   rings your line.

Call-Forwarding to Voice Mail


If you needed to active call-forwarding on a i-Series phone (once 
again assuming physical access), simply dial:

1.	[*] + [2]

2.	Dial Call Forwarding condition:
	 1 - VoiceMail
	 2 - Busy or Not Answered
	 4 - Immediate
	 6 - Not Answered
	 7 - Immediate with Both Ringing
	 0 - Cancel Call-Forwarding

3.	Then dial the extension, Voice Mail master number, or 
	simply press the [Voice Mail] programmable key (if there
	is one.)

4.	Dial Call Forwarding Type
	2 - All calls
	3 - Outside calls only
	4 - Intercom calls only


So, overall, if you wanted to say...forward all your calls 
immediately to extension 555, you would dial:


[*][2] + [4] + [5][5][5] + [2] + hangup




Call-Forwarding Off-Premise


Call-Forwarding Off-Premise can be used to forward your calls to 
another number. There are quite a few different ways to exploit 
this feature, assuming local access at an i-Series fone.

To turn on Call-Forwarding Off-Premise, dial:


1. 	[*] + [2]

2. 	[6] + Dial line access code


{    Line access codes are:

[9]   Automatic Route Selection (ARS) / Trunk Group Routing
  Dialing "9" for an outside line is probably the most common 
  way known by people using PBX systems to get an outside line.
  "9" is the extension commonly designated for Automatic Route
  Selection - the fone system chooses what line you are going 
  to use for you.

[8][0][4] + Line Group (1-9 , 01-99, 001-128) 
  804x dialing is Line Group Selection dialing. You can manually 
  select the outgoing trunk group that you want your call to be 
  placed via. For example, if there is more than one business at 
  in your office, you might have a trunk group "1" for the "ABC 
  Packaging Corp", and a trunk group "2" for the "BCD Shipping Co."
  If you were calling out using "9" on a phone belonging to the 
  "BCD Shipping Co., you would be actualliny dialing "8042". That 
  would route you onto the BCD Shipping Co. trunk group. But, you 
  could also theoretically dial "8041" to make an outgoing call 
  over the trunk group assigned to ABC Packaging. (I hope that 
  makes sense).

[#][9]	+ Line Number Selection 
  You can select an absolute line using "#9". You could dial 
  "#9" + "05" to get line number 05.
}


3.	Then dial the external number where you want your calls 
	to be forwarded.

4.	Hangup.




Call-Forwarding Off-Premises is a quick-n-dirty way to get an overnight 
extender. If you were to walk up to a Future Shop employee, and ask them 
to use their phone, you might be able to set it to Call-Forward 
Off-Premises. But, chances are that it would be noticed the next day.

If you want to maximize the length of time before the Call-Forwarding is 
removed, there are options to be considered.


Forward to the Operator.
  If you're forwarding to the operator, and then getting him/her to 
  place the call, you aren't going to be endangering your favorite bridge 
  or your friend. 

Find a remote phone that rarely receives calls.
  In large retail outlets (Future Shop, Best Buy, Canadian Tire, etc) 
  there are often departments that are lower traffic then others. For 
  example, appliances. How many people go to Future Shop to buy 
  appliances? None, you say? Well then, if you're going to pick a fone 
  to set up as an extender, might I suggest you use a phone in the 
  appliance department? Chances are, it's going to recive less traffic 
  which means less chance of your extender getting taken down.


+++


Forced Trunk Disconnection

While still on the physical access topic...Force Trunk Disconnection. 
If for any unknown reason, you needed to release a line, simply dial up the 
line using:

[#][9] + line number (ie 01, 02, 03, 005, whatever) + [*][3]

That will disconnect (read abruptly terminate) the connection. I'm sure 
you can figure out a good use for that. 



+++



Night Service Mode

Ever find a nice afterhours voicemail system that you just can't wait until 
the evening to play with? Even if it means cutting off legitimate users? No, 
me either. But, with Night Service Mode, you can do just that. Switching to 
Night Service Mode during the daylight hours, especially in a busy store, 
usually makes incoming callers upset. People calling in get voicemail. 
And such. But, it's a convenient (for you) way in a pinch to get access to 
an afterhours system. To physically turn on Night Service Mode from a phone, 
just dial:

1. 	[8][1][8] + Night Service Password
  	  The default Night Service Password is "0000".

2. 	Dial the Night Service Mode
	  0	Day mode
	  1	Night mode
	  2	Midnight mode
	  3	Rest mode
	  4	Day 2 mode
	  5	Night 2 mode
	  6	Midnight 2 mode
	  7	Rest 2 mode

So, to turn on Night Service Night Mode during the day at your (least?) 
favorite local Staples (or whatever uses i-Series) simply dial:

[8][1][8] + [0][0][0][0] + [1]

That is, of course, assuming the password is default.



+++


Outgoing Calls


Some i-Series phone systems have toll restrictions. To override toll
restrictions, simply dial:

[8][7][5] + Password

As well, some systems that use ARS (Automatic Route Selection) are 
coded. Many larger companies like Nortel that have high volumes of 
calling often code their PBX systems so that calls can be catalogued 
effectively, and to discourage over-use and fraudulent use.

If the systems you are using is using coded ARS, when you dial "9", 
you'll get a dialtone and can dial your number as normal. But, after 
you have dialed the number, you will be dropped to another dialtone 
and will have to enter the ARS code.


+++


Bridging and Social Engineering


Bridging is the act of placing two outside callers in a 
conference call, and then dropping out of the call.

Let's say that two of your phreak buddies decide that they want to talk.
But, maybe they don't want to pay for it. Simple enough. You just walk 
down to your local K-Mart, and find an remote phone. Then, wait for 
one of your buddies to call up the local K-Mart's 800 number and ring your 
phone. When he does, simply press the [Conf] button on your i-Series 
phone. Then, wait for your second buddy to ring your line. When he does, 
press [Conf] twice. This will connect the two parties. To drop out of the 
conference and leave the two parties talking, simply press [HOLD] + 
[#][8]. 

Now on the other side of the coin. Many companies set up conferences to 
allow outside employees such as service technicians or other field workers 
to talk to each other. You could social engineer a secretary into creating 
a bridging line to talk on. If she doesn't know how, now you can walk her 
through it, since you know. In my experience, many secretaries also refer 
to bridging conferences as "Tandem Conferences", "Tandem Trunking Lines", 
or something similar to that.

[  BlackRatchet wants to remind you that a 'Tandem Trunking Line' is not 
  a technical term. A trunk and a line are different. Not the same. He 
  really, REALLY wanted me to note that. So here it is. ]


+++


That's about it. 

2005-09-23


                        - an original distro via -

                          _0_1_0_1_0_1_0_1_0_1_

                            WWW.HACKCANADA.COM
                           _ _ _ _ _ _ _ _ _ _ _
                            l 0 l 0 l 0 l 0 l 0