Protel 8000 spyware

Started by MaximRecoil, April 06, 2024, 04:38:24 AM


AL_as_needed

Quote from: 5415551212 on July 22, 2024, 11:36:13 AM
Al does your protel also make the dial up modem sounds after it dials?

In regard to the mystery number it tries to call; I have not been able to hear anything it does over the line. As soon as I pick up another set on the same line, it drops what it is doing.

What gets me is that it never did this, then it suddenly performed this move only twice. I wonder if there was a momentary condition on the line (possibly caused by the X-Link) that the phone mistook as a fault with itself. Like a computer trying to run an error report?

AL

5415551212

Quote from: AL_as_needed on July 24, 2024, 11:47:34 AM
In regard to the mystery number it tries to call; I have not been able to hear anything it does over the line. As soon as I pick up another set on the same line, it drops what it is doing.

What gets me is that it never did this, then it suddenly performed this move only twice. I wonder if there was a momentary condition on the line (possibly caused by the X-Link) that the phone mistook as a fault with itself. Like a computer trying to run an error report?



Interesting, and you did not change any of the programming recently?
I am assuming you can't program the Xlink to resolve that incomplete number and send it to something that can record.

AL_as_needed

Quote from: 5415551212 on July 25, 2024, 09:49:20 PM
Interesting, and you did not change any of the programming recently?
I am assuming you can't program the Xlink to resolve that incomplete number and send it to something that can record.


I programmed it for the first time about three, maybe four months ago now. I have owned this phone for several years but never got around to working on it till this summer. It has been on the line since (via xlink) and hasn't had any issues till these two episodes.

The Xlink itself is not really programmable. It basically acts as both a wireless NID / bluetooth adapter, and a pulse to DTMF adapter. It simply repeats whatever a land line phone puts out and sends that out via my cell phone.

The incomplete number dialing seems to be something the payphone control board is doing on its own. Any DTMF tests I run on the line show everything to be 100% with a number of known to be good phones.
AL

Famicoman

Completely forgot to see if any of my Protel boards exhibit this behavior. I'll see if I have an 8000-series board tonight.

Famicoman

I do have an 8000 board, but didn't have many of the components to interface with it. Waiting for everything to arrive and I'll hook it all together.

5415551212

Quote from: Famicoman on August 12, 2024, 04:51:59 PM
I do have an 8000 board, but didn't have many of the components to interface with it. Waiting for everything to arrive and I'll hook it all together.

If you have a PBX and a spare dial up modem, program in 1-800-644-555 as a valid extension so the payphone can dial up to a line with another modem.

Famicoman

Why do I only visit this thread every few months?

Anyway, I had an issue with the last keypad I got, seems that it is wired incorrectly so on-hook was actually off-hook and vice versa but it was more temperamental than that. Then I was working on a talk we were giving on Protel Programming so that's fresh on my mind.

Just got the phone programmed and asterisk is set up to do a full log, so if something happens I'll catch it. If I can confirm some funky calling then I'll see about hooking up a modem and trying to debug further.

peterc

Okay so I was about to conclude OP is getting crazy or has something else dialing on the line. But...
1. About a month ago I switched my backyard phone from Protel 7000 to 8000. Same firmware as OP is using. I programmed it with Expressnet. No issues at all.
2. To be sure, I just logged in to my FreePBX and checked reports. Searched for a destination=18006445551 (and without leading 1 but nothing found):

Wed, 25 Sep 2024 0:12
Caller ID: "Test" <6025550000>
Destination: 18006445551
Duration: 0:29

So there was one call and this was NOT my backyard phone. For a little background: line 6025550000 is my test bench, runs on Cisco IAD. I test a bunch of just decommissioned boards / payphones to essentially fix and program them for either a future use or resale.

Could this be me calling? NO, big no - not at midnight. With a little baby and wake ups at 5-6am, no. Also looking back the only time I looked at this thread and posted, was Jul.18 (that I would possibly want to test the number).

So this number is legit. Also this is NOT a number that would be in use by the company that I decommission those phones for. We have four Protel server numbers and none of them starts with 1-800. Also there's some crappy sales currently on that number.

My conclusion is: this is most likely NOT the number that we program with expressnet. Two hypotheses:
1. it is a number that pops up when the board is defaulted and not programmed properly yet (that's how mine would possibly dial out but not the OP's)
2. it is some special hidden number that only dials out under some very special circumstances and it would belong to Protel back then. But as someone stated, that wouldn't make a lot of sense. We all use the same Expressnet copy (well ok there are maybe 3 versions circulating). I tested and programmed a lot of Protel boards, one is 24/7 connected for a couple of months now. So really it would have to be some special circumstances.
3. Very unlikely it is (as I suspected in Jul.) a way for the board to charge the batteries. Thru the summer (Arizona here) my battery went sh*t and would multiple times need to charge for minutes to just return the coin. And it would never call that number.

Quick search on the firmware, nothing found by the text search or hex. Might be obfuscated or otherwise encoded. Interesting, but we'll probably never find out.

I would reinitialize the board again, program, make sure the battery voltage is at least 4.8V (typically would be around 5 or more) and keep checking.
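
The report check described above (the full number, with or without the leading 1) can be run over an exported call log. This is an added example, not part of the original post: it assumes CDRs exported as CSV with `calldate`, `src`, `dst` and `duration` columns, treats 00:00 to 05:59 as off-peak, and also counts the truncated form quoted in this thread; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

TARGET = "8006445551"   # number from the report above, leading 1 removed
MIN_PARTIAL = 9         # shortest truncated form counted (800644555)

def classify(dst):
    """Return 'full', 'partial' or None for one dialed string."""
    digits = "".join(c for c in dst if c.isdigit())
    if digits.startswith("1"):
        digits = digits[1:]            # accept both 1800... and 800...
    if digits == TARGET:
        return "full"
    if MIN_PARTIAL <= len(digits) < len(TARGET) and TARGET.startswith(digits):
        return "partial"               # incomplete dial, e.g. 1-800-644-555
    return None

def scan(cdr_csv, night=range(0, 6)):
    """Return (calldate, src, dst, kind, off_peak) for every matching record."""
    hits = []
    for row in csv.DictReader(io.StringIO(cdr_csv)):
        kind = classify(row["dst"])
        if kind is None:
            continue
        when = datetime.strptime(row["calldate"], "%Y-%m-%d %H:%M:%S")
        hits.append((row["calldate"], row["src"], row["dst"], kind,
                     when.hour in night))
    return hits

# Constructed sample export. The first row mirrors the report above (seconds
# invented); the remaining rows are made up to exercise each branch.
SAMPLE = """calldate,src,dst,duration
2024-09-25 00:12:00,6025550000,18006445551,29
2024-09-26 02:30:11,6025550000,1-800-644-555,4
2024-09-26 14:05:40,6025550001,18005551212,61
2024-09-27 13:15:02,6025550000,8006445551,12
"""

if __name__ == "__main__":
    for calldate, src, dst, kind, off_peak in scan(SAMPLE):
        tag = "off-peak" if off_peak else "daytime"
        print(f"{calldate}  {src} -> {dst}  [{kind}, {tag}]")
```
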

ka1axy

Curiouser and curiouser.

If the number were encoded in the firmware, would it not be as 4-bit "nibbles", rather than bytes? Did you search the code that way?

Still, without the source code, finding out *why* it's calling that number will be challenging.
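
The nibble-versus-byte question can be checked mechanically. As an added example (not part of the original posts and not Protel code), this Python script searches a ROM dump for a dial string as ASCII, one digit per byte, and packed 4-bit nibbles in either order and at either alignment; the encodings tried are common conventions rather than confirmed Protel formats, and the sample image is constructed.

```python
def find_all(hay, needle):
    """Every offset (overlaps included) where needle occurs in hay."""
    hits, i = [], hay.find(needle)
    while i != -1:
        hits.append(i)
        i = hay.find(needle, i + 1)
    return hits

def nibbles(data, high_first):
    """Expand each byte into two one-nibble values so alignment does not matter."""
    out = bytearray()
    for b in data:
        hi, lo = b >> 4, b & 0x0F
        out += bytes((hi, lo) if high_first else (lo, hi))
    return bytes(out)

def search_number(image, digits):
    """Return sorted (encoding, byte_offset, starting_nibble) hits."""
    plain = bytes(int(c) for c in digits)
    variants = {"bcd": plain}
    # Assumption: some dialers store digit 0 as 0xA (ten pulses / DTMF index).
    zero_a = bytes(10 if v == 0 else v for v in plain)
    if zero_a != plain:
        variants["zero-as-A"] = zero_a
    hits = [("ascii", off, 0) for off in find_all(image, digits.encode("ascii"))]
    for vname, needle in variants.items():
        for off in find_all(image, needle):
            hits.append((f"{vname}/byte-per-digit", off, 0))
        for lname, hf in (("nibbles-high-first", True),
                          ("nibbles-low-first", False)):
            for n in find_all(nibbles(image, hf), needle):
                hits.append((f"{vname}/{lname}", n // 2, n % 2))
    return sorted(hits)

# Constructed sample image (not real firmware): 16 filler bytes, then the
# number packed two digits per byte, starting in the low nibble of byte 16.
SAMPLE = bytes(range(0x20, 0x30)) + bytes.fromhex("f18006445551") + b"\xff" * 8

if __name__ == "__main__":
    for enc, off, nib in search_number(SAMPLE, "18006445551"):
        print(f"{enc}: byte 0x{off:04x}, nibble {nib}")
```

A miss under every one of these encodings still leaves open an obfuscated table or a number that exists only in programmed RAM.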

Famicoman

The 8000 board I've been running since October doesn't seem to have any hits so far.

Wonder if the number isn't in the firmware but is in the RAM when programmed. Wonder if there is a reliable way to sniff the data lines on a programming call and what that data looks like.

5415551212

It would be pretty interesting and possibly not that hard to emulate the CPU in a protel 8000 on a linux box modifying something like i8086emu
https://i8086emu.sourceforge.net/
I believe Protel used a California Micro Devices (CMD) G65SCXXX series micro-controller.
It's an 8-bit microprocessor which executes the complete G65SC00 series instruction set with something tiny like 2K bytes of ROM and 64 bytes of RAM, which is compatible with the i8086 instruction set.
https://web.archive.org/web/20201127170812if_/http://archive.6502.org/datasheets/cmd_g65scxxx_mpu_family.pdf


With an emulator the rom could be run and examined, even new roms created.

kevinocious

I worked for tech support for over 17 years, and since it isn't the reporting number, it sounds like our automatic battery charge routine kicking in. It is set for off peak time to come off hook, and slowly trickle the 1800644555 and then hang up and slowly start dialing it again for some time until it thinks the battery is up to level. It is not anything nefarious and Protel has scrapped a long time ago anything to do with payphones, and it was rare for us to have payphone dial into any of our systems. If anyone doubts the reporting number thing, simply enter the program mode on the chassis (On hook, hold program button come off hook and listen for a beep in the handset. Release the program button and dial 25* and hear a single beep and then hang up). This removes the call back (Reporting) number. The Protel chassis likes to have a strong battery and uses the current from the phone line to charge it while it is off hook. No on hook drain since this is against regulations. Not sure if the new phone lines provide enough to charge very well since we need 20 mA to charge off hook.

MaximRecoil

Quote from: kevinocious on November 26, 2025, 10:00:26 PM
I worked for tech support for over 17 Years, and since it isn't the reporting number, it sounds like our automatic battery charge routine kicking in. It is set for off peak time to come off hook, and slowly trickle the 1800644555 and then hang up and slowly start dialing it again for some time until it thinks the battery is up to level.

If that's what it's doing then it must do it regardless of whether the batteries need it or not, at least my chassis does. Mine does it every night even with freshly-charged batteries. I recharge the batteries once a year (with a standalone battery charger), but I could go longer, because even after a year, each AA battery measures about 1.28 VDC, which is higher than the nominal voltage for NiMH (which is 1.2 VDC; 4.8 VDC for 4 of them in series). The battery test code (*#67) always reports it as good (1 beep).

If its only purpose is to go off-hook to charge the battery pack, why does it dial anything at all? It could just keep going on-hook every time the line times out and then back off-hook again, for as long as it wants.

Rob C.

Quote from: kevinocious on November 26, 2025, 10:00:26 PM
I worked for tech support for over 17 Years, and since it isn't the reporting number, it sounds like our automatic battery charge routine kicking in. It is set for off peak time to come off hook, and slowly trickle the 1800644555 and then hang up and slowly start dialing it again for some time until it thinks the battery is up to level. It is not anything nefarious and Protel has scrapped a long time ago anything to do with payphones, and it was rare for us to have payphone dial into any of our systems. If anyone doubts the reporting number thing, simply enter the program mode on the chassis (On hook, hold program button come off hook and listen for a beep in the handset. Release the program button and dial 25* and hear a single beep and then hang up. This removes the call back (Reporting) number. The Protel chassis likes to have a strong battery and uses the current from the phone line to charge it while it is off hook. No on hook drain since this is against regulations. Not sure if the new phone lines provide enough to charge very well since we need 20 ma to charge off hook.

I've noticed the same thing. I had mine hooked up to a V810V 4G LTE Home Phone Connect (POTS Replacement) - Certified on Verizon and noticed after midnight my time it would dial. I have since decided to employ a different battery pack like the example at https://www.classicrotaryphones.com/forum/index.php?topic=7631.60 It has not happened since.