TUCoPS :: Phreaking Public Phones :: mill_i~3.txt

The Nortel Millennium Payphone, by Twiggy




                     The Nortel Millenium Payphone 
                     -----------------------------
                               by twiggy


Anyone in Canada (or at least Ontario) not living in a cave for 
the last few years has a passing familiarity with the Nortel Millenium 
Payphone. Nortel's promotional material tells us this is the phone of 
the future, and it sort of looks like one. The bright blue scrolling 
display is the most noticeable feature, and the phones have a yellow
card reader mounted on the lower right, which reads Bell's "Quickchange" 
smart cards. The old blue card readers, which used to only read mag 
stripe cards (Calling Cards and Credit Cards, the latter validated
directly with the Canadian ACCS database), have been widely replaced 
with the yellow readers for Bell's promotion of their Quickchange 
smart cards. The rest of the phone is a black shell with an aluminum 
face for the display and keypad, and a gloss blue top panel. These phones 
are markedly different in appearance than our old standby, the Centurion 
phone, which are totally brown, less modular, and less modern.

What makes the Millenium truly different from the Centurion is the
fact that the "Millenium" product is a two-component system comprised
of the payphone units and NCC computers that monitor the phones.
Milleniums are well-known for their restraint in activating the 
handset mic, fake dialtones, and enhanced control over your
interaction with the phone system. Milleniums come in two types --
the "Universal" (with a coin slot) and the "Card phone" (without
coin slot). These are the first Canadian payphones to operate
entirely without physical currency. Even newer are "desktop" Card
phones, often seen in hotels, which are the size of a regular set.

There are several myths about the Millenium phones, some of which
contradict themselves. I hope to clear up a few of those myths here.
Some rumours about these phones stem from a general lack of knowledge
about them, as Bell and Nortel certainly do consider these phones to
be an extremely valuable tool against "phone fraud" and "abuse" and
don't throw a lot of information about the Millenium around. In any
case, let's try to clear up a few myths about these phones.


Myth #1: Millenium phones physically cannot ring and/or lack bells.
-------

Millenium phones do in fact have an internal bell and can be made to
ring. Most people have never heard one of these phones actually ring,
however, and have concluded they lack the function. Milleniums can,
for example, be made to ring by an operator. One night, a Bell operator
became so infuriated with an individual who had been repeatedly dialing 
0 from a Millenium (and harrassing, to some extent, said operator) that 
she called the phone back and it indeed rang. While there may be some 
Millenium phones that have never rung, they all do have an internal 
ringer, so it's always possible. Operators always know when you're 
calling from a Millenium phone, as well. A special 0(+) MIL_CARD or 
0(+) MIL_UNIV flag denotes your call and subjects you to restrictions;
for example, an operator won't allow you to dial 0 and use a Calling
Card number to call overseas when they see a "MIL" flag on your call.
Operators (to my knowledge) are the only people who can call back
a Millenium phone and actually make it ring.


Myth #2: You can change the display contents from the keypad.
-------

Bzzzt. Wrong. The top/front quarter has to be unlocked and lifted up
and back first. Inside you'll find a port that a small portable
keyboard can be plugged into, and at that point you can truly go
about the alteration of the screen contents. I am still researching
this to determine 1) who produces the terminal/keyboard units (most
likely Nortel), 2) what protocols are involved, and 3) what jacks 
are required. Anyway the point is that you can't write custom 
messages from the keypad to the scrolling display.


Myth #3: You cannot change the display contents from the keypad.
-------

Bzzzt. Wrong again. There are several pre-set, unchangable, but most
certainly different messages you can make appear on the Millenium's
screen from the keypad. You know at this point that you can't just
add whatever you want (sorry, "THiS P4YpH0n3 iS 0WnED bY _______") is
out of the question), but you *can* change a number of other things,
and alter the operation of the phone in general.

To do this we have to get into a little bit of Millenium programming,
involving what Bell calls Opcodes. Opcodes are short numerical strings
that are preset functions for the Millenium, and perform common types
of functions that Bell's service people aren't going to want to rip
the whole top off the phone to perform (or that must be done *before*
the phone is opened). First, however, you must correctly access the
phone and enter a PIN before you'll have the option to input Opcodes.

In 416/905, what worked for some time was to dial 2541965, but only
with the hook down. Another (but unconfirmed) number was 2727378.
After dialing, you would be asked for your PIN number. One of the 
correct PIN numbers (I am assuming there is more than one) was 25563. 
Inputting this PIN allowed you to enter Opcodes at will, and you were 
asked to input one. At this point you could try one of the following, 
or try to scan out something new:

 267	# Answer detect
 274	# Display brightness control (down?)
 277	# Display brightness control (up?)
 349	# Unknown - Someone know this one?
 636	# Memory Access
 688	# Unknown - Possibly the "Out of Service" message
 66666	# Motor sound, prompts to open phone - Probably coin removal
 996	# "Error has occurred"

There are many other Opcodes that perform other functions and
servicing tasks. With this, you do in fact have the ability to 
change screen content - and the function of the entire phone in 
general - directly from the Millenium keypad.

However, the first known "config" number cited above, 2541965, fails 
to work now. I am unsure if the PIN will still work on another number, 
it may well. What I do know is that the Opcodes will continue to work 
on Millenium phones provided the phone has been accessed properly.
We are currently working to determine the new "configuration" 
number, and to obtain more information on Opcodes and Opcode entry.


Myth #4: You cannot redbox/tone-dial/send anything from the handset.
-------

I won't actually try to prove that you can redbox from a Millenium,
as I haven't bothered to find out. What *is* possible, however, is 
tone-dialing from the Millenium handset. Sure, when you pick up a 
Millenium, you hear a completely fake and useless dialtone. The
Milleniums have a dialing pre-processor, and won't let you hear a 
real dialtone until you have stuck in your card or your money. But 
even at that people wondered if the Millenium ever really lets the 
handset mic interact with a live dialtone. Surely enough, pausing 
until after an operator message allows the tones to work -- the 
handset mic DOES work prior to a completed call, which a lot of 
people didn't believe. I've made calls from Nortel Millenium phones 
(the ones beside Starbucks on Queen St. West, actually) without ever 
touching the keypad, which in and of itself is not a big deal, but 
it is something we weren't sure could be done with these phones.


Outro:
-----

I hope I've cleared up a few long-standing myths about these phones.
Obviously, further exploration of the Opcode functions is needed and 
could prove to be powerful, or at least interesting to those that
walk by a payphone and actually wonder how it works. What is still 
not known, and deserves some research:

1) Are there different "Configuration" numbers for each NPA?
2) Are the PIN's static, or do they change? Do they vary by NPA?
3) How many Opcodes are there? Are any extremely powerful?
4) Are "MIL" calls to Chile, Iran, India, or Pakistan allowed yet?
5) Has *anyone* else heard a Millenium ring?   ;)

The following numbers may be of interest, and may provide some
insight to those that know how to use them, but please remember
to be careful and not abuse anything. This a good prefix guide 
as well, if you're trying to scan out any interesting Bell 800 
numbers (in addition to 465 and 861). Relevant to the topic are:

 1-800-263-7412		# Bell Canada Millenium (Help Line)
 1-800-567-2448		# Bell Canada Millenium (Test Line)
 1-800-461-1747		# Bell Canada Millenium (Voice Test)
 1-800-461-1879		# Bell Canada Millenium (Data Test)
 1-800-772-2141		# Bell Canada Millenium (Setshop)
 1-800-668-4862		# Bell Canada Millenium (Coin)
 1-800-668-6851		# Bell Canada Millenium (Alarm)
 1-800-461-1760		# Bell Canada Millenium (Unknown)
 1-800-361-7874		# Bell Canada Millenium (Unknown)

Hope everyone that seeks, finds. Good luck. Play safe. Peace to 613,
705, 905, 416, shout-outs to 416/905/613 2600, EFnet #2600, and many 
others. Special thanks go to mannikin and hexnix as some of their
research appears in this article.


1998

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH