$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$ L L O The legion of Doom presents O D D $ Central Office Operations $ $ Western Electric 1ESS,1AESS, $ $ The end office network environment $ L L O Written by Agent Steal 07/89 O D Edited 03/90 D $LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$LOD$ WARNING! This files contains copyrighted proprietary information sole property of AT+T. Distribution of this material way be hazardous to your freedom. Topics covered in this file will be. Call tracing RCMAC Input/output messages SCC and SCCS COSMOS and LMOS BLV, (REMOB) and "No test trunks" Recent change messages Equal Access Did I get your attention? Good, everyone should read this. With the time effort and balls it has taken me compile this knowledge it is certainly worth your time. I hope you appreciate me taken the time to write this. I should point out that the information in this file is correct to the best of my knowledge. I'm sure there are going to be people that disagree with me on some of it, particularly the references to tracing. However, I have been involved in telecommunications and computers for 12+ years. I'm basing this file around the 1AESS since it is the most common switch in use. ** OUTSIDE PLANT ** This is the wiring between your telephone and the central office. That is another file in itself so if you are interested read Phucked Agent 04's file on outside loop in LOD tech. journal. The file explains those green boxes you see on street corners, aerial cables, manholes etc. So where that file stops, this file starts. ** CABLE VAULT ** All of the cables from other offices and from subscribers enter the central office underground. They enter into a room called the cable vault. This is a room generally in the basement located at one end or another of the building. The width of the room varies but runs the entire length of the building. Outside cables appear though holes in the wall. The cables then run up through holes in the ceiling to the frame room. Understand that these cables consist of an average of 3600 pairs of wires. That's 3600 telephone line. The amount of cables obviously depends on the size of the office. All cables, interoffice, local lines, fiber optic, coaxial enter through the cable vault. ** FRAME ROOM ** The frame is where the cable separates to individual pairs and attach to connectors. The frame runs the length of the building, from floor to ceiling. There are two sides to the frame, the horizontal side and the vertical side. The vertical side is where the outside wiring attaches and the protector fuses reside. The horizontal side is where the connectors to the switching system reside. Multi-conductor cables run from the connectors to actual switching equipment. So what we have is a large frame called the Main distribution frame (MDF) running the entire length of the building, floor to ceiling 5 feet thick. The MDF consists of two sides, the VDF and the HDF. Cables from outside connect on one side and cables from the switching equipment connect to the other. Now, jumper wires connect the two. This way any piece of equipment can be connected to any incoming "cable pair" These jumper wires are simply 2 conductor twisted pair running between the VDF and HDF. What does all this mean? Well if you had access to COSMOS you would see information regarding cable and pair and "OE" or origanating equipment. With this you could find your line on the frame and on the switch. The VDF side is clearly marked by cable and pair at the top of the frame, however the HDF side is a little more complicated and varies in format from frame to frame and from one switch to another. Since I am writing this file around the 1AESS, I will describe the OE format used for that switch. OE ABB-CDD-EFF Where.. A = Control group (when more than one switch exists in that C.O.) B = LN Line Link Network C = LS Line Switching Frame D = CONC or concentrator E = Switch (individual not the big one) F = Level There is one more frame designation called LOC or location. This gives the location of the connector block on the HDF side. Very simply, looking at the frame. H --------------------------------------------------------------------- G --------------------------------------------------------------------- F --------------------------------------------------------------------- E --------------------------------------------------------------------- D --------------------------------------------------------------------- C --------------------------------------------------------------------- B --------------------------------------------------------------------- A --------------------------------------------------------------------- 123456789 etc. Please note that what you are looking at here represents the HDF side of the MDF, being up to 100 feet long, and 20 feet high. Each "-" represents a connector block containing connections for 4X24 or 96 pairs. So far I've covered how the wires get from you to the switching equipment. Now we get to the switching system itself. ** SWITCHING SYSTEMS ** Writing a file that covers them all would be lengthy indeed. So I am only going to list the major ones and a brief description of each. - Step by Step Strowger 1889 First automatic, required no operators for local calls. No custom calling or touch tone Manufactured by many different companies in different versions Hard wire routing instructions, could not chose an alternate route if programed route was busy Each dial pulse tripped a "stepper" type relay to find its path - No.1 Crossbar 1930 - No.5 Crossbar 1947 (faster, more capacity) Western Electric First ability to find idle trunks for call routing No custom calling, or equal access Utilized a 10x20 cross point relay switches Hard wired common control logic for program control Also copied by other manufactures - No.4 Crossbar Used as a toll switch for AT+Ts' long line network 4 wire tandem switching Not usually used for local loop switching - No.1ESS 1966 - No.1AESS 1973 Western Electric Described in detail later in file - No.1EAX GTE Automatic Electric GTEs' version of the 1AEES Slower, louder - No.2ESS 1967 - No.2BESS 1974 Western Electric Analog switching under digital control Very similar to the No.1ESS and No.1AESS Downsized for smaller applications _ No.3ESS Western Electric Analog switching under digital control Even smaller version of No.1AESS Rural applications up to 4500 lines - No.2EAX GTE Automatic Electric Smaller version of 1EAX Analog switch under digital control - No.4ESS Western Electric Toll switch, 4 wire tandem Digital switching Uses the 1AESS processor - No.3EAX Gee is there a pattern here? No GTE Digital Toll switch 4 wire tandem switching - No.5ESS AT+T Network Systems Full scale computerized digital switching ISDN compatibility Utilizes time sharing technology Toll or end office - DMS 100 Digital Matrix Switch Northern Telecom Similar to 5ESS Runs slower considerably less expensive - DMS 200 Toll and Access Tandem Optional operator services - DMS 250 Toll switch designed for common carriers - DMS 300 Toll switch for international gateways - No.5EAX GTE Automatic Electric Same as 5ESS How much does a switch cost? A fully equipped 5ESS for a 40,000 subscriber end office can cost well over 3 million dollars. Now you know why your phone bill is so much. Well...maybe you parents bill. And now on to..... ** The 1ESS and 1AESS ** This was the first switch of it's type placed into widespread use by Bell. Primarily an analog switch under digital control, the switch is no longer being manufactured. The 1ESS has been replaced by the 5ESS and other full scale digital switches, however, it is still by far the most common switch used in todays class 5 end offices. The #1 and 1A use a crosspoint switching matrix similar to the X-bar. The primary switch used in the matrix is the fereed ( remreed in the 1A ). It is a two state magnetic alloy switch. It is basically a magnetic switch that does not require voltage to stay in it's present position. A voltage is only required to change the state of the switch. The No. 1 utilized a computer style common control and memory. Memory used by the #1 changed with technology, but most have been upgraded to RAM. Line scanners monitor the status of customer lines, crosspoint switches, and all internal, outgoing, and incoming trunks, reporting their status to the central control. The central control then either calls upon program or call store memories to chose which crosspoints to activate for processing the call. The crosspoint matrixes are controlled via central pulse distributors which in turn are controlled by the central control via data buses. All of the scanners, AMA tape controllers, pulse distro, x-point matrix, etc., listen to data buses for their address and command or report their information on the buses. The buses are merely cables connecting the different units to the central control. The 1E was quickly replaced by the 1A due to advances in technology. So 1A's are more common, also many of the 1E's have been upgraded to a 1A. This meant changing the fereed to the remreed relay, adding additional peripheral component controllers (to free up central controller load) and implementation of the 1A processor. The 1A processor replaced older style electronics with integrated circuits. Both switches operate similarly. The primary differences were speed and capacity. The #1ESS could process 110,000 calls per hour and serve 128,000.00 lines. Most of the major common control elements are either fully or partially duplicated to ensure reliability. Systems run simultaneously and are checked against each other for errors. When a problem occurs the system will double check, reroute or switch over to auxiliary to continue system operation. Alarms are also reported to the maintenance console and are in turn printed out on a printer near the control console. Operation of the switch is done through the Master Control Center (MCC) panel and or a terminal. Remote operation is also done through input/output channels. These channels have different functions and therefore receive different types of output messages and have different abilities as far what type of commands they are allowed to issue. Here is a list of the commonly used TTY channels. Maintenance Primary chan. for testing, enable, disable etc. Recent Change Changes in class of service, calling features etc. Administrative Traffic information and control Supplementary Traffic information supplied to automatic network control SCC Maint. Switching control centers interface Plant Serv.Cent. Reports testing information to test facilities At the end of this file you will find a list of the most frequently seen Maintenance channel output messages and a brief description of it's meaning. You will also find a list of frequently used input messages. There are other channels as well as back ups but the only ones to be concerned with are Recent Change and SCC maint. These are the two channels you will most likely want to get access to. The Maintenance chan. doesn't leave the C.O. and is used by switch engineers as the primary way of controlling the switch. During off hours and weekends the control of the switch is transferred to the SCC. The SCC is a centrally located bureau that has up to 16 switches reporting to it via their SCC maint. channel. The SCC has a mini computer running SCCS that watches the output of all these switches for trouble conditions that require immediate attention. The SCC personnel then has the ability to input messages to that particular switch to try and correct the problem. If necessary, someone will be dispatched to the C.O. to correct the problem. I should also mention that the SCC mini, SCCS has dialups and access to SCCS means access to all the switches connected to it. The Recent Change channels also connect to a centrally located bureau referred to as RCMAC. These bureaus are responsible for activating lines, changing class of service etc. RCMAC has been automated to a large degree by computer systems that log into COSMOS and look for pending orders. COSMOS is basically a order placement and record keeping system for central office equipment, but you should know that already, right? So this system, called MIZAR logs into COSMOS, pulls orders requiring recent change work, then in one batch several times a day, transmits the orders to the appropriate switch via it's Recent Change Channel. Testing of the switch is done by many different methods. Bell Labs has developed a number of systems, many accomplishing the same functions. I will only attempt to cover the ones I know fairly well. The primary testing system is the trunk test panels located at the switch itself. There are three and they all pretty much do the same thing, test trunk and line paths through the switch. Trunk and Line Test Panel Supplementary Trunk Test Panel Manual Trunk Test Panel MLT Mechanized Loop Testing is another popular one. This system often available through the LMOS data base can give very specific measurements of line levels and loses. The "TV Mask" is also popular giving the user the ability to monitor lines via a call back number. DAMT Direct Access Mechanized Testing is used by line repairman to put tone on numbers to help them find lines. This was previously done by Frame personnel, so this automated that task. DAMT can also monitor lines, however the audio is scrambled in a manor that allows one only to tell what type of signal is present on the line, or whether it is busy or not. All of these testing systems have one thing in common, they access the line through a "No Test Trunk". This is a relay (in the 1ESS) which can drop in on a specific path or line and connect it to the testing device. The test trunks are part of the switch itself and act like a telephone line into the switch. The function of this line is strictly for access and testing of subscriber lines.It depends on the device connected to the trunk, but there is usually a noticeable click heard on the tested line when the No Test Trunk drops in. Also the testing devices I have mentioned here will seize the line, busying it out. This will present problems when trying to monitor calls, you would need to drop in on calls during the call. The No Test Trunk is also the method in which operator consoles due verifications and interrupts. ** INTEROFFICE SIGNALLING Calls coming into and leaving the switch are routed via trunks. The switches selects which trunk will route the call most effectively and then retransmits the dialed number to the distant switch. There are several different ways this is done. The two most common are Loop Signaling and CCIS, Common Channel Interoffice signaling. The predecessor to both of these is the famous and almost extinct "SF Signaling". This utilized the presence of 2600hz to indicate trunk in use. If one winks 2600hz down one of these trunks, the distant switch would think you hung up. Remove the 2600, and you have control of the trunk and you could then MF your own number. This worked great for years. Assuming you had dialed a toll free number to begin with, there was no billing generated at all. The 1AESS does have a program called SIGI that looks for any 2600 winks after the original connection of a toll call. It then proceeds to record on AMA and output any MF digits received. However due to many long distant carriers using signaling that can generate these messages it is often overlooked and "SIG IRR" output messages are quite common. Loop signaling still uses MF to transmit the called number to distant switch, however, the polarity of the voltage on the trunk is reversed to indicate trunk use. CCIS sometimes referred to CCS#6 uses a separate data link sending packets of data containing information regarding outgoing calls. The distant switch monitors the information and connects the correct trunk to correct path. This is a faster and more efficient way of call processing and is being implemented all over. The protocol that AT+T uses is CCS7 and is currently being accepted as the industry standard. CCS6 and CCS7 are somewhat similar. Interoffice trunks are multiplexed together onto one pair. The standard is 24 channels per pair. This is called T-1 in it's analog format and D-1 in its digital format. This is often referred to as carrier or CXR. The terms frame error and phase jitter are part of this technology which is often a world in itself. This type of transmission is effective for only a few miles on twisted pair. It is often common to see interoffice repeaters in manholes or special huts. Repeaters can also be found within C.O.s, amplifying trunks between offices. This equipment is usually handled by the "carrier" room. Often on another floor. Carrier also handles special circuits, private lines and foreign exchange circuits. After a call reaches a Toll Switch, the transmit and receive paths of the calling and called party are separated and transmitted on separate channels. This allows better transmission results and allows more calls to be placed on any given trunk. This is referred to as 4 wire switching. This also explains why during a call, one person can hear crosstalk and the other can't. Crosstalk is bleed over from other channels on the multiplexed T-Carrier transmission lines used between switches. ** CALL TRACING So with Loop signaling standard format there is no information being transmitted regarding the calling number between switches. This therefore causes the call tracing routine to be at least a two step method. This is assuming you are trying to trace an anticipated call, not one in progress. When call trace "CLID" is placed on a number, a message is output every time someone calls that number. The message shows up on most of the ESS output channels and gives information regarding the time and the number of the incoming trunk group. If the call came from within that office, then the calling number is printed in the message. Once the trunk group is known, it can usually be determined what C.O. the calls are coming from. This is also assuming that the calls are coming from within that Bell company and not through a long distance carrier (IEC). So if Bell knows what C.O. the calls are coming from, they simply put the called number on the C.I. list of that C.O. Anytime anyone in that C.O. calls the number in question another message is generated showing all the pertinent information. Now if this where a real time trace, it would only require the assistance of the SCC and a few commands sent to the appropriate switches (i.e. NET-LINE). This would give them the path and trunk group numbers of the call in progress. Naturally the more things the call is going through, the more people that will need to be involved in the trace. There seems to be a common misconception about the ability to trace a call through some of the larger packet networks i.e. Telenet. Well I can assure you, Telenet can track a call through there network in seconds and all that is needed is the cooperation of the Bell companies. Call tracing in itself it not that difficult these days. What is difficult is getting the different organizations together to cooperate. You have to be doing something relatively serious to warrant tracing in most cases, however, not always. So if tracing is a concern, I would recommend using as many different companies at one time as you think is necessary, especially US sprint, they can't even bill people on time much less trace a call. But..it is not recommended to call sprint direct, more in the equal access section. ** EQUAL ACCESS The first thing you need to understand is that every IEC Inter Exchange Carrier (long distance company) needs to have an agreement with every LEC Local Exchange Carrier (your local phone company) that they want to have access to and from. They have to pay the LEC for the type of service they receive and the amount of trunks, and trunk use. The cost is high and the market is a zoo. The LECs have the following options. - Feature Group A - This was the first access form offered to the IECs by the LECs. Basically whenever you access a IEC by dialing a regular 7 digit number (POTS line) this is FGA. The IECs' equipment would answer the line interpret your digits and route your call over their own network. Then they would pick up an outgoing telephone line in the city you were calling and dial your number locally. Basically a dial in, dial out situation similar to PC pursuit. - Feature Group B - FGB is 950-xxxx. This is a very different setup from FGA. When you dial 950, your local switch routes the call to the closest Access Tandem (Toll Switch) in your area. There the IECs have direct trunks connected between the AT and their equipment. These trunks usually use a form of multiplexing like T-1 carrier with wink start (2600hz). On the incoming side, calls coming in from the IEC are basically connected the same way. The IEC MFs into the AT and the AT then connects the calls. There are alot of deferent ways FGB is technically setup, but this is the most common. Tracing on 950 calls has been an area of controversy and I would like to clear it up. The answer is yes, it is possible. But like I mentioned earlier, it would take considerable manpower which equals expensive to do this. It also really depends on how the IEC interface is set up. Many IECs have trunks going directly to class 5 end offices. So, if you are using a small IEC, and they figure out what C.O. you are calling from, it wouldn't be out of the question to put CLID on the 950 number. This is highly unlikely and I have not heard from reliable sources of it ever being done. Remember, CLID generates a message every time a call is placed to that number. Excessive call trace messages can crash a switch. However, I should mention that brut force hacking of 950s is easily detected and relatively easy to trace. If the IEC is really have a problem in a particular area they will pursue it. - Feature Group C - FGC is reserved for and used exclusively by AT+T. - Feature Group D - FGD is similar to FGB with the exception that ANI is MFed to the IEC. The end office switch must have Equal Access capability in order to transmit the ANI. Anything above a X-bar can have it. I guess I should mention that it is possible for a X-bar to have it with modifications.FGD can only be implemented on 800 numbers and if an IEC wants it, they have to buy the whole prefix. For a list of FGD prefixes see LOD tech journal. You should also be aware that MCI, Sprint and AT+T are offering a service where they will transmit the ANI to the customer as well. You will find this being used as a security or marketing tool by an increasing amount of companies. A good example would be 800-999-CHAT. 1AESS COMMON OUTPUT MESSAGES -------------------------------------- MSG. DESCRIPTION ---------------------------------------------------------------- ** ALARM ** AR01 Office alarm AR02 Alarm retired or transferred AR03 Fuse blown AR04 Unknown alarm scan point activated AR05 Commercial power failure AR06 Switchroom alarm via alarm grid AR07 Power plant alarm AR08 Alarm circuit battery loss AR09 AMA bus fuse blown AR10 Alarm configuration has been changed (retired,inhibited) AR11 Power converter trouble AR13 Carrier group alarm AR15 Hourly report on building and power alarms ** AUTOMATIC TRUNK TEST ** AT01 Results of trunk test ** CARRIER GROUP ** CG01 Carrier group in alarm CG03 Reason for above ** COIN PHONE ** CN02 List of pay phones with coin disposal problems CN03 Possible Trouble CN04 Phone taken out of restored service because of possible coin fraud ** COPY ** COPY Data copied from one address to another ** CALL TRACE ** CT01 Manually requested trace line to line, information follows CT02 Manually requested trace line to trunk, information follows CT03 Intraoffice called placed to a number with CLID CT04 Interoffice called placed to a number with CLID CT05 Called placed to number on the CI list CT06 Contents of the CI list CT07 ACD related trace CT08 ACD related trace CT09 ACD related trace ** DIGITAL CARRIER TRUNK ** DCT COUNTS Count of T carrier errors ** MEMORY DIAGNOSTICS ** DGN Memory failure in cs/ps diagnostic program ** DIGITAL CARRIER "FRAME" ERRORS ** FM01 DCT alarm activated or retired FM02 Possible failure of entire, bank not just frame FM03 Error rate of specified digroup FM04 Digroup out of frame more than indicated FM05 Operation or release of the loop terminal relay FM06 Result of digroup circuit diagnostics FM07 Carrier group alarm status of specific group FM08 Carrier group alarm count for digroup FM09 Hourly report of carrier group alarms FM10 Public switched digital capacity failure FM11 PUC counts of carrier group errors ** MAINTENANCE ** MA02 Status requested, print out of MACII scratch pad MA03 Hourly report of system circuits and units in trouble MA04 Reports condition of system MA05 Maintenance interrupt count for last hour MA06 Scanners,network and signal distributors in trouble MA07 Successful switch of duplicated unit (program store etc.) MA08 Excessive error rate of named unit MA09 Power should not be removed from named unit MA10 OK to remove paper MA11 Power manually removed from unit MA12 Power restored to unit MA13 Indicates central control active MA15 Hourly report of # of times interrupt recovery program acted MA17 Centrex data link power removed MA21 Reports action taken on MAC-REX command MA23 4 min. report, emerg. action phase triggers are inhibited ** MEMORY ** MN02 List of circuits in trouble in memory ** NETWORK TROUBLE ** NT01 Network frame unable to switch off line after fault detection NT02 Network path trouble Trunk to Line NT03 Network path trouble Line to Line NT04 Network path trouble Trunk to Trunk NT06 Hourly report of network frames made busy NT10 Network path failed to restore ** OPERATING SYSTEM STATUS ** OP:APS-0 OP:APSTATUS OP:CHAN OP:CISRC Source of critical alarm, automatic every 15 minutes OP:CSSTATUS Call store status OP:DUSTATUS Data unit status OP:ERAPDATA Error analysis database output OP:INHINT Hourly report of inhibited devices OP:LIBSTAT List of active library programs OP:OOSUNITS Units out of service OP:PSSTATUS Program store status ** PLANT MEASUREMENTS ** PM01 Daily report PM02 Monthly report PM03 Response to a request for a specific section of report PM04 Daily summary of IC/IEC irregularities ** REPORT ** REPT:ADS FUNCTION Reports that a ADS function is about to occur REPT:ADS FUNCTION DUPLEX FAILED No ADS assigned REPT:ADS FUNCTION SIMPLEX Only one tape drive is assigned REPT:ADS FUNCTION STATE CHANGE Change in state of ADS REPT:ADS PROCEDURAL ERROR You fucked up REPT:LINE TRBL Too many permanent off hooks, may indicate bad cable REPT:PROG CONT OFF-NORMAL System programs that are off or on REPT:RC CENSUS Hourly report on recent changes REPT:RC SOURCE Recent change system status (RCS=1 means RC Chan. inhibited) ** RECENT CHANGE ** RC18 RC message response ** REMOVE ** RMV Removed from service ** RESTORE ** RST Restored to service status ** RINGING AND TONE PLANT ** RT04 Status of monitors ** SOFTWARE AUDIT ** SA01 Call store memory audit results SA03 Call store memory audit results ** SIGNAL IRREGULARITY ** SIG IRR Blue box detection SIG IRR INHIBITED Detector off SIG IRR TRAF Half hour report of traffic data ** TRAFFIC CONDITION ** TC15 Reports overall traffic condition ** TL02 Reason test position test was denied TL03 Same as above ** TRUNK NETWORK ** TN01 Trunk diagnostic found trouble TN02 Dial tone delay alarm failure TN04 Trunk diag request from test panel TN05 Trunk test procedural report or denials TN06 Trunk state change TN07 Response to a trunk type and status request TN08 Failed incoming or outgoing call TN09 Network relay failures TN10 Response to TRK-LIST input, usually a request from test position TN11 Hourly, status of trunk undergoing tests TN16 Daily summary of precut trunk groups ** TRAFFIC OVERLOAD CONDITION ** TOC01 Serious traffic condition TOC02 Reports status of less serious overload conditions ** TRANSLATION ** (shows class of service,calling features etc.) TR01 Translation information, response to VFY-DN TR03 Translation information, response to VFY-LEN TR75 Translation information, response to VF:DNSVY ** ** TW02 Dump of octal contents of memory 1AESS COMMON INPUT MESSAGES ------------------------------------- Messages always terminate with ". ctrl d " x=number or trunk network # MSG. DESCRIPTION ------------------------------------------------------------------------ NET-LINE-xxxxxxx0000 Trace of path through switch NET-TNN-xxxxxx Same as above for trunk trace T-DN-MBxxxxxxx Makes a # busy TR-DEACTT-26xxxxxxx Deactivates call forwarding VFY-DNxxxxxxx Displays class of service,calling features etc. VFY-LENxxxxxxxx Same as above for OE VFY-LIST-09 xxxxxxx Displays speed calling 8 list ************************************************************************ There are many things I didn't cover in this file and many of the things I covered, I did so very briefly. My intention was to write a file that explains the big picture, how everything fits together. I hope I helped. Special thanks to all the stupid people, for without them some of us wouldn't be so smart and might have to work for a living. Also special thanks to John and Dave. For without their guidance, this file would have never been written. Yes people their are great hackers out their that no one has ever heard of. You just have to know where to find them.And all the usual Bell Labs, AT+T bla bla bla etc. etc. I can usually be reached on any respectable board, ha! Agent Steal Inner (C)ircle 1990