4.28.2008

SS7 hacks

I'm using the Septel stack mostly for good things, but sometimes it's too boring to be good. And if you know the nuances of GSM signaling, you can have some fun with it.
It could be that some of you have already sent SMSes to your friends with their own numbers as the sender address. If not, I'll tell you how to do this in later articles. But today I'm going to do something more "disastrous": I'll disable all incoming calls to a friend of mine. Actually, we won't disable the calls, we'll route them through another switch (MSC).
This can be done easily if you know how the registration procedure in GSM works. Every registration starts with MAP SAI (sendAuthInfo), which isn't interesting for us. But the next message, MAP updateLocation, is quite interesting. This message contains the subscriber's IMSI and the MSC/VLR addresses. This is not news, and you can get this information from open sources (e.g., the MAP specifications). The news is that once the UL reaches the HLR, it changes the serving MSC/VLR address in the subscriber's profile. It is not necessary to complete the whole UL-ISD-ISDAck-ULAck transaction! Once we have sent the UL, the HLR will use the MSC/VLR addresses from it as the addresses of the real MSC/VLR. It will also send a MAP cancelLocation message to the serving MSC/VLR to delete the subscriber's information from it.
So what happens if we create a dummy UL with the MSC/VLR addresses of another MSC/VLR? This results in the failure of all incoming calls to that IMSI, because once someone tries to call the "victim", the MSC handling the call fires an SRI (sendRoutingInfo) to the HLR. The HLR checks the victim's profile, gets the VLR address and sends a PRN (provideRoamingNumber) to that VLR. But that VLR doesn't know anything about the victim! So it won't provide an MSRN and the call will be dropped. The victim will be unavailable until they make an outgoing call from their mobile or move from one MSC area to another (the new VLR will fire a new UL). Actually, the first outgoing call from the "victim" could also fail, because the VLR will have to request the subscriber data from the HLR.
You could say that this is quite theoretical. But believe me, it works! All you need is a working Septel stack connected to an SS7 network. Yes, that is a demanding requirement, but who knows, maybe you have access to some GSM system that uses Septel as its SS7 stack.
Once you have the access, you need to create a small text file and call it ul.ms7. The contents of this file really depend on your network configuration, so all I can do is explain the format of that file:
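The registration flow above is also what a defender watches: to the HLR, a forged updateLocation looks like an ordinary roaming registration, so the practical countermeasure on the network side is a plausibility check on the MSC/VLR addresses in each incoming UL before the profile is rewritten, in the spirit of the velocity and consistency rules SS7 firewalls apply to MAP traffic. The following is an added example, not code from the original post or from the Septel stack: it runs a few such checks over constructed UL events (every global title, IMSI, timestamp and threshold below is made up for illustration) and only records a new serving VLR for a subscriber when the UL passes.

```python
"""
Plausibility checks on MAP updateLocation (UL) events, as an SS7 firewall or
HLR front-end might apply them before accepting a new serving MSC/VLR.
Added example with constructed data: the global-title prefixes, IMSIs,
timestamps and the velocity threshold are assumptions, not real values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: E.164 global-title prefixes of the home network's own MSC/VLRs
HOME_GT_PREFIXES = ("4915",)
# Constructed: GT prefixes of roaming partners from which a UL is expected
ROAMING_PARTNER_PREFIXES = ("33689", "4477")
# A subscriber seen on a home VLR this recently cannot plausibly have
# registered abroad already (assumed threshold, not a standardised value)
MIN_SECONDS_BEFORE_FOREIGN_UL = 30 * 60


@dataclass
class UpdateLocation:
    imsi: str
    msc_gt: str        # MSC address carried inside the MAP UL (E.164 digits)
    vlr_gt: str        # VLR address carried inside the MAP UL
    sccp_cgpa: str     # SCCP calling-party GT the message actually arrived from
    ts: int            # arrival time in seconds


@dataclass
class SubscriberState:
    vlr_gt: Optional[str] = None      # last accepted serving VLR
    last_ul_ts: Optional[int] = None  # time of the last accepted UL


def _network_of(gt: str) -> Optional[str]:
    """Map a global title to 'home', a named roaming partner, or None if unknown."""
    for p in HOME_GT_PREFIXES:
        if gt.startswith(p):
            return "home"
    for p in ROAMING_PARTNER_PREFIXES:
        if gt.startswith(p):
            return "partner:" + p
    return None


def check_update_location(ul: UpdateLocation, state: SubscriberState) -> List[str]:
    """Return the reasons to reject this UL; an empty list means accept."""
    reasons: List[str] = []
    vlr_net = _network_of(ul.vlr_gt)
    msc_net = _network_of(ul.msc_gt)
    # Addresses that belong to no known home or partner network
    if vlr_net is None or msc_net is None:
        reasons.append("unknown_vlr_or_msc")
    # MSC and VLR of one switch normally sit in the same network
    if vlr_net is not None and msc_net is not None and vlr_net != msc_net:
        reasons.append("msc_vlr_network_mismatch")
    # The VLR claimed in MAP should agree with where the SCCP message came from
    if _network_of(ul.sccp_cgpa) != vlr_net:
        reasons.append("sccp_origin_mismatch")
    # Velocity check: recently registered at home, now claims to be abroad
    if (vlr_net != "home"
            and state.vlr_gt is not None and _network_of(state.vlr_gt) == "home"
            and state.last_ul_ts is not None
            and ul.ts - state.last_ul_ts < MIN_SECONDS_BEFORE_FOREIGN_UL):
        reasons.append("implausible_relocation")
    return reasons


def process(events: List[UpdateLocation],
            registry: Dict[str, SubscriberState]) -> List[Tuple[str, str, str]]:
    """Check each UL in order; update the stored serving VLR only on accept."""
    verdicts = []
    for ul in events:
        state = registry.setdefault(ul.imsi, SubscriberState())
        reasons = check_update_location(ul, state)
        if not reasons:
            state.vlr_gt = ul.vlr_gt
            state.last_ul_ts = ul.ts
        verdicts.append((ul.imsi, ul.vlr_gt,
                         "accept" if not reasons else "reject:" + ",".join(reasons)))
    return verdicts


# Constructed sample: one normal home registration, one UL five minutes later
# from an unrelated network, one partner UL whose MSC/VLR/SCCP origin disagree,
# and one legitimate roaming registration many hours later.
SAMPLE_EVENTS = [
    UpdateLocation("262011234567890", "491511000001", "491511000001", "491511000001", 1000),
    UpdateLocation("262011234567890", "9991110000", "9991110000", "9991110000", 1300),
    UpdateLocation("262019876543210", "336891000001", "447700000001", "491511000002", 2000),
    UpdateLocation("262011234567890", "336891000001", "336891000001", "336891000001", 50000),
]


def run_sample() -> Tuple[List[Tuple[str, str, str]], Dict[str, SubscriberState]]:
    registry: Dict[str, SubscriberState] = {}
    return process(SAMPLE_EVENTS, registry), registry


if __name__ == "__main__":
    for imsi, vlr, verdict in run_sample()[0]:
        print(imsi, vlr, verdict)
```

The second event is exactly the dummy UL described in the post: the subscriber was accepted on a home VLR moments earlier, and the new UL names a VLR that is neither home nor a roaming partner, so it is rejected and the stored serving VLR stays unchanged. The checks are deliberately simple; a real deployment would also rate-limit ULs per IMSI and correlate with the SAI that should precede every registration.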
M-tcf00-i0000-f33-d81-pHEX_MESSAGE

"M-tcf00-i0000-f33-d81-p" is the standard beginning of every message you need to send to the network (source SCCP, destination MTP2).
HEX_MESSAGE is the whole SS7 message (MTP3, SCCP, TCAP, MAP). Let me know if you need an example and I'll give it to you (I can't share one here because all the examples I have were taken from real GSM networks).