==Phrack Inc.== Volume Two, Issue 20, File 7 of 12 Metal Shop Private's -- Phreak/Hack Sub ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This subboard contained all technical questions and conversations about phreaking and hacking. If something was illegal on it (occasionally some idiot would post codes and then soon after be deleted), it was removed as soon as I saw it. 1/70: Red Box...... Name: The Disk Jockey 13 Date: 4:24 am Sun Apr 26, 1987 Back at the private school I went to, everyone lived pretty much out of state, and would always be calling their girlfriends back at home, thus making a pretty big investment into the local payphones. After reading the files on how a red box worked, took my little dictation recorder and went to a payphone and found that I could record the tones that were made when you dropped quarters in. I recorded about $4 worth of quarters, and it worked great. Every time the computerized voice would say "Please deposit $1.70 for the past 5 minutes" you could just play the tape via a pair of sony walkman headphones into the mouthpiece, and the phone would think that you deposited money in it. It was pretty neat back then (several years ago.....) but every now and then you would get the regular operator on instead of that synthasized voice. -The Disk Jockey Yes, not really important, but I saw "red box" in that last message and it reminded me of that. Those were the days when there were lots of extenders with 3 and 4 digit codes, and PBX's with NO codes..... 2/70: Since Name: The Leftist 71 Date: 5:26 am Mon Apr 27, 1987 Since non-sup seems to be popular these days 404-289-0000-0009 test recordings, non-supd.. I beleive 0004 is deposit coin.. anyway, these are fun to forward to when you dont want people to be able to reach you.. Ltist 3/70: Teleco numbers Name: Mad Hatter 51 Date: 5:36 pm Mon Apr 27, 1987 Would most(all) of the Teleco numbers(i.e. 99xx series) be non-suped? That would seem at semi-logical atleast, eh? -Hatter 4/70: Tuning Fork Name: Knight Lightning 2 Date: 7:34 pm Mon Apr 27, 1987 How succesful would you be if you tried to use a tuning fork to simulate 2600 Hertz? And if so, what would be good to use for MF? Fun, no? Heh! Also, what does anyone know about the 508 NPA. :Knight Lightning 5/70: Supvision Xlation Name: Doom Prophet 21 Date: 10:13 pm Mon Apr 27, 1987 The best way to box is to pull a cat's tail after making a call, then get a rubber band and twang it in your teeth like Snoopy for MF. Since we were talking about supervision a little bit, I went through some stuff I had on translations. What I think makes a number unsupervised (besies the fact that there is no return of supervision, or reverse battery signalling) is the charging translation in the terminating office. The screening code of a chart class (charges and route are determined by the chart class I believe) that denotes the call charge type would register to not make either a detailed or bulk AMA entry at the toll office (if the number is 1+ for someone), since it as if the number never answered. A 'detailed' AMA entry shows the calling and called numbers, whereas a bulk AMA entry shows only the calling number. Something else about translations, it doesn't mean an 800 to POTS or special BTN when people talk about ESS translations, but the information on particular Directory Numbers that finds and identifies the line equipment of the called number (calling also I believe) that would provide any special info that is needed by the switch to process the call, for example, whether a call is coming from one or two party lines, or whether it is a four party line with full selective ringing (which can't be tested by MLT equipment which is why I remember it). If no translation influenced the way the call is processed, then how would the switch know to route tthe calling party to an operator for ONI if the calling line was more than two party (with the specifications talkd about earlier about the R and T leads status determining the billing also taken into consideration). Anyway, this post is basically correct but if anyone finds any errors then please correct me. Doom 6/70: Things Name: Phantom Phreaker 46 Date: 10:41 pm Mon Apr 27, 1987 Well, RC's on an ESS are called translations too, at least when done by an RC-MAC clerk. RC data involving a line that is changed can be called translations. Don't ask me why this is so, but it's what I've heard. Does anyone here know what an ANIF-7 is? As far as I can tell, it is an ANI failure to TSPS, but that's all I know about it...it can probably happen anytime, but I do know that it was a specific problem with an early 5ESS generic. Oh yeah, another unsuped signusoid is at (618)235+0090..this was found by Syntax Error a long time ago. A neat thing about these 'tone sweeps' is that if you call through an OCC that uses an OUTWATS line that is set up on an inband signalling trunk, the OUTWATS linne will be trunked from the other end. This happens as the tone gets near 2600Hz, but it is more sensitive on an OCC switch, as something like 2710 and 2500 will also reset or trunk their equipment, or at least that's what I've found. Phantom 7/70: FALFALAFL Name: Taran King 1 Date: 11:01 pm Mon Apr 27, 1987 I'd like to congradulate Doom Prophet on his extremely witty response to KL's absolutely out-of-place post. REFRAIN Question...Most test numbers are unsuped, but I have at least one tone sweep that I can think of off-hand that is suped. What would be the purpose either way? Later -TK 8/70: repair number Name: The Scanner 20 Date: 2:34 pm Tue Apr 28, 1987 Would the repair number used for a payphone be the same as a residence repair number? Also, Doesnt the place that houses the phone (say a gas station) don't they get a cut of the profits from the phone? If they do, wouldnt they have the repair number? _-The Scanner 9/70: 2 Q's Name: Circuit Breaker 5 Date: 12:11 pm Wed Apr 29, 1987 Why are there PBXs that give a loud tone before the code. And does anyone know what the difference is between the ANI-D jack and regular ANI is? 10/70: Red-boxing Name: Icarus 15 Date: 11:32 am Thu Apr 30, 1987 I saw before that someone mentioned that the amount of money entered into a payphone of some kind is not kept track of. If this is true then it would seem impossible for MA DUMBELL to ever catch on to red-boxing. That is if AT&T phones don't have a money counter in them. TK-When the money was collected from the payphone, did you notice whether he had the amount of money that was "supposed" to be in there? Or whether he even checked it? If the money is counted then it is possible that the person who collects the coins would get in trouble for not reporting all the money that was registered. The money not being there because of redboxing. It is also possible to red box off of blue AT&T payphones (without a money slot). I am curious whether that can EVER be found out, since there is no money counter (obviously) to check. Icarus 11/70: Well... Name: Taran King 1 Date: 2:41 pm Thu Apr 30, 1987 Next time I see the guy there, I'll ask him, but I did see him write a few things down. None that I could decipher meant anything related to money so I'm not sure if there was a counter in it. I'll have to check it out though -TK 12/70: Payfone Mutin Name: Jester Sluggo 31 Date: 6:49 pm Thu Apr 30, 1987 That was supposed to be "Payfone Muting". In anycase, on most new payfones, they have what is called "Muting" which "mutes"-out any red box tones from entering through the Mouthpiece. Those new non-coin-slot payfones should have those, but I've never tried. / \ / luggo !! 13/70: DNR/Pen Registers Name: Knight Lightning 2 Date: 7:04 pm Thu Apr 30, 1987 Are there any noticable effects from having one of these on your line? Static, a low hum in the background, or line noise where there shouldn't be? :Knight Lightning 14/70: well... Name: Lucifer 666 43 Date: 7:40 pm Thu Apr 30, 1987 about the tuning fork...it does work.. i've used a harmonica.. also, how exactly do the bandwiths switch in multiplexing... L666 15/70: From what I've heard Name: The Scanner 20 Date: 8:30 am Fri May 01, 1987 That there isnt any way to detect a Pen register. No humm, buzz, or any thing else. But hey, what do I know? Dont answer that. Anyway, 2 more questions, Im sure momma bell knows all about red box tones and stuff like that. But, what about those independent co's that make pay telephones and just kinda hook them up to normal lines in stores and stuff. Wouldnt they be easy to box off of or do they work in a different way altogether? Well, that was only one but an answer is appreciated. _-The Scanner 16/70: 'Round here... Name: Taran King 1 Date: 2:41 pm Fri May 01, 1987 In this region, you can't just play the tones into the mouthpiece and get cred (credit) for whatever you've played into the phone...you CAN, though, dial a long distance number, it will then say, "Please deposit $x.xx". You put in (play the tones for) the money and it says something like, "Thank you for using AT&T." Ta da -TK 17/70: Muxing, Etc Name: Doom Prophet 21 Date: 4:56 pm Fri May 01, 1987 Lucifer, I think what you mean about the bandwidths changing in Multiplexing, you are referring to voice frequency bandwidths. Multiplexing is just a method of sending more than one converstation down the same transmission path. In analog and older switches the method is called Frequency Division Multiplexing, or FDM, when the signals are seperated on basis of frequency, as opposed to newer switches which do it on a Time division basis (TDM). There's also something called Space DM but I don't think it has a whole lot to do with telephones (maybe stuff like digital Xmission). But anyway, a normal VF voice bandwidth goes from 300 to 3000 Hz which is SF in band, although the VF channel goes from 0 to 4000 Hz. Anything above 3000 is out of band signalling (like 3700 Hz). CCIS uses a seperate nettwork composed of STP's and varioius links and channels for independent signalling methods. About the red boxing, the circuits that keep track of the coins that have been entered are called Coin Detection & Announcement circuits (if the fortress is in an ACTS serving area), which are a part of the Station Signalling Announcement Subsystem which work out of local offices and in conjunction with TSPS (not TOPS as far as I have seenn, a flash of the switchook anytime during the initial charge announcements and an operator is connected. Playing the tones to a live operator wouldn't be a good idea as they can obviously tell the difference. Something else, there was a little discussion about AMA and all (isn't there everywhere?) a while back. The way a local office (LAMA) would keep track of the billing data is to use a few AMA circuits (there are always two, AMA0 and AMA1 but can be more for big offices) that reverse positions (from an active to standby mode at midnight when the datta in the buffer is recorded onto the actual tapes). So the AMARC computers can format the data to where it is recognnized by the RAO, the tapes have to be specially customized for that particular officere. A header label on the tape (put on at the beginning of each new tape entry (12)) tells the originating NPA, the office number, date and tape transport dates. A tape trailer is added on at the end of the tape entry for that day, which has the info about how many total calls were AMA recorded. The tape mark is some digit (?) that tells the RAO that the useful info (that they need to look at) is ended. The billing data itself is in a binary coded decimal form (0's and 1's) along with check and dummy codes. A noncheck dummy code fills the spaces on the tape to signigy that there wasn't a problem, but the space is supposed tobe there. A check dummy code is because the info wasn't received or sent from the Peripheral Adress bus or from the originating register into the charge buffer. If you ever come across AMA records (like in the call store section of SCCS) it won't look like anything that can determine billing (AMARC and RAO do that). They aren't too hard to read though, just takes a while. Doom Read:(1-70,^17),T,R,Q,P,A,? : 18/70: Correction Name: Doom Prophet 21 Date: 5:52 pm Fri May 01, 1987 Damn, what I got that I thought was some type of AMA records are not AMA records (I think), so that means that I haven't been reading AMA records. Shit, that's something that I want to do. Have to get some. Doom 19/70: well... Name: Sir Francis Drake 56 Date: 8:15 pm Fri May 01, 1987 You mentioned the third time of multiplexing as Stad DM or something, I believe what you mean is Stattistcal Time Division (STDM). A STDM is just a normal TDM improved so that empty bandwiths (which occur on TDM) are used by busy ones. This allows a hell of alot more efficient use of the line then TDM's. STDM is mainly used when you have alot of terminals/whatever that wont always be being used. Hmm, I have some good stuff on pay phone accounting somewhere.... sfd 20/70: Payf0nez Name: Phantom Phreaker 46 Date: 10:57 pm Sat May 02, 1987 There are some types of payphones that are attached to a normal cable pair, a normal line, and in this case the payphone like usage would be determined in the phone and not in an office. I can't remember the exact type, or even where I read it but if I should find it by any chance then I'll put it p. Phantom 21/70: P-Phones Name: Jester Sluggo 31 Date: 12:19 pm Sun May 03, 1987 Well, there are several manufacturers of payfones that make several different type of payfones. If someone could call up the factory, or a salesman, or dealer of these products, and pose as a perspective buyer, then that'd solve these questions.. (shit..) It perhaps might make a good file for Phrack. But I don't have the time do to do those things.) / \ / luggo !! 22/70: AMA Name: Circuit Breaker 5 Date: 10:43 pm Sun May 03, 1987 There is some AMA info on LMOS. The audit file is under /dev/smlog /smlog. I got a list for two different streams ST1 and ST2. You should see, office id days until expiration process start time stop time the ama default ama teleprocessing its also will have some stuff such as HOC password and a backup HOC password, Also look under /dev/unixabf /unixa/users, this will give you the termination codes after the stream code like: S# (#)=termination code + date + time Circuit Breaker 23/70: audit file Name: Circuit Breaker 5 Date: 10:49 pm Sun May 03, 1987 One more thing to check on the audit file dump /no5text/rcv/aimrc. I would think the audit file is like audit on a VAX it just checks your access level if your insuficient you can't read that file. 24/70: Circuit Breaker Name: Phantom Phreaker 46 Date: 1:11 am Mon May 04, 1987 (Trying hard to leave an intelligble post) Circuit Breaker, what LMOS system do you have access to? Do you (it looks like it to me) have access to only the unix Front End system, or do you have the IBM VM370 host processor? Anyway, not all front ends are the same, try accessing the Cross Front End (XFE) via the Network Manager program (/usr/lbin, I think) nmx or the NMstatus program and checking for those specific files you posted about. I'll have to check the LMOS I have access to and see if those particular files you posted about exist. You also might want to look at the CRSAB RSA's help files for asyncronous terminal connections in the help directories. You are probably already good at unix, but try this to locate those help dirs: $ cd / $ du *>/dev/du.txt& Then in a few minutes, do $ cd /dev $ cat du.txt That will give you a listing of all the directories on that system, and if you see any that resemble help files then go there and cat everything... Phantom 25/70: Payphones (again) Name: Icarus 15 Date: 3:08 am Mon May 04, 1987 If the wires are exposed leading up to the payphone, and you hooked up handset to the appropriate wires, can you make direct calls? If the case is that you can, there are many phones I know of that do not have the metal encasing around the wires. I have to try it. I am pretty sure that bypassing the simple hardware of the payphone console itself does not grant open access to all outside lines. Or does it? 26/70: LMOS/Unix Name: Evil Jay 26 Date: 4:18 am Mon May 04, 1987 Could someone print out some commands to do on LMOS? What exactly can be done on the system. Please explain. Also, how do you turn off the log when logging into a Unix, and if possible, could someone leave me a C prg to give my account root priveledges. Terminus was playing around, and letting me check out one of these prgs but I never got a chance to save/copy it. Thanks/... -Jay 27/70: Payphone Wires..... Name: The Disk Jockey 13 Date: 7:33 am Mon May 04, 1987 At the school in Indiana that I went to, there were tunnels that connected every building in the school together and dated back to the early 1900's, so we would get drunk and cruise down there and check out old crap that you find laying around in the basements that some of these tunnels went to. ANYWAYS, in one of these tunnels there was a HUGE phone block with hundreds of cable pair. I brought the dandy test-set one night and started trying different connectors to get a dialtone. When I did get a dialtone, I tried to dial a local number, only to get a "please deposit 20 cents" recording, so my guess from that experiance would be that the phone doesn't make much of a difference, and that you would NOT be able to dial direct calls on it. I have a driver's license that says I'm like 24, and I look it, so I too can buy for any who need it. Michigan licenses are the easiest to change, just as (ask) any Michigan person who was born in 1967. -The Disk Jockey 28/70: Fortresses/LMOS commands Name: Phantom Phreaker 46 Date: 7:22 pm Mon May 04, 1987 Come to think of it, it is the actual line and not the phone in most cases, take a look at the Class of Service or Universal Service Order Code in an ISVH (ISH) or an INQ from COSMOS or get it via an Basic Output Report (BOR). Now, if you really wanted to go out of your way to 'fix' a payphone to where you could dial out normally, you might be able to accomplish this via RC-MAC, or maybe an SCC. But if you did do this it would almost certainly die when the bill came. Phantom PS-I will post up pertinent data from an ISH upon various payphones next time I log on, if anyone would like to see it. 29/70: Payphone ISH Name: Phantom Phreaker 46 Date: 7:43 pm Mon May 04, 1987 Ok, I ISHed a few payphones and here's the results: The STatus was (of course) WK (Working), the TYPE was C (Coin), the Class of Service (CS) is CN (CoiN), the Universal Service Order Code (US) is 1PC, which means single party something.. can't remember. The Line Class Code (LCC) field contained CDF, I don't know what CDF means though. On older post-pay telephones (the kind where it either gives you a loud annoying 'buzz' when the calling party answers, or the kind that allows you to hear them but them not hear you until you put your coins in) probably have a US of 1PP (Single party, Post Pay), and Coin First phones (the kind that you must put money in to get a dialtone) have a US of 1CF (Single party, Coin First). Hope that helped, Phantom 30/70: Question Name: Cap'N Crax 10 Date: 3:43 am Tue May 05, 1987 Does anyone know why, and how, it is allowable to place collect calls to loop lines. I know that this does work, as I have done it. I was wondering how it (loop) is classified, why it passes the billing verify, and to whom is the billing allocated? It is obviously recorded on AMA, and it apparently pissed off Bell. No more loop... C^2 31/70: -------- Name: Circuit Breaker 5 Date: 10:25 pm Tue May 05, 1987 Phantom what do you mean 'trying for an inteligible post'? I was telling Doom how to get some AMA data from LMOS. I am sure the LMOS you have access to has an AMA audit file, its just a security feature. 32/70: Call Blocking.... Name: The Mad Hacker 47 Date: 7:06 pm Wed May 06, 1987 What Is Call Blocking? It has something to do with a condition in ANI/ONI. I read it in My Cama Manual and It was vague. Any Help? -TMH 33/70: A few LMOS commands Name: Control C 8 Date: 8:46 pm Wed May 06, 1987 Here's some /FOR commands TV - Trouble Verification RJR and DMLR are jepordary reports.. Shit I had some more, but I can't rember.. Control 34/70: datakits... Name: Slave Driver 58 Date: 11:56 am Thu May 07, 1987 Does anyone have any experience hacking datakits? NODE dkeasta blah blah NETWORK ACCESS PASSWORD: any ideas on the password? Anyone have -any- idea of the format, length etc? any help appreciated.. Steve Driver ps. I know what they do, I just need to get on famous last words| 35/70: More LMOS Name: Doom Prophet 21 Date: 8:28 pm Thu May 07, 1987 Ok, I hadn't seen that in LMOS yet, CB, thanks for the info. There are other ways to access the info in an intermediate call store section/buffer of sorts from SCCS, and of course the AMARC systems. On another board, Phantom asked what AMASE was, I would think that it could be an abbreviated form of 'AMA Sensor', you know, BDT's, CDA's, and ESS software format sensors, or special VSS sensors maybe. On LMOS..some of the things are common knowledge (in BSTJ's and all) but I will post a few and what they do. Let's see, to screen status troubles, ttry /FOR MSCR. You may have to know employee codes of the screener and the MC code, it's been a while since I've been on. The different actions in the Mechanized Screener transactions are run an MLT test, get job and work info, run RST transaction, read mail, clear the mask (indicating no action), review desk items, return to original status, put item on the Local Test Desk (used to test lines that the MLT/LTS equipment can't for some reason, such as selective ringing multiparty lines), put screener in the off duty status (returning work items into the pool I believe). Others are /Te (Trouble Entry), DISP, etc. Something somewhat interesting, in the /tmp direcoty for an FE, look at the Console/log0 file, which contains countters and info on how many certain transactions have been done for a certain time period (RBOR is in there but I'm not sure about the rest). Other commands do things like add changes to LMOS tables, look at work summaries, check all jobs related to a certain CTTN (cable trouble ticket number) or TTN, and review all work items for specific FE's. If anyone wants anything specific about some of these commands leave ma (me) a letter or post since it seems the discussion is going good. I'm sure Marauder or others could proably correct me on a few points, but oh well. Doom 36/70: Call Blocking/Loops/etc. Name: Phantom Phreaker 46 Date: 11:09 pm Thu May 07, 1987 Circuit Breaker, what I meant was that I was fucked up, and having a hard time typing legibly. That's all. Call blocking is a vague term, can you tell us what it relates to, CAMA, ANI, PBX's, or what? A basic description is that it is what happens when the network is operating at peak, and all trunks are busy, and thus the caller gets a re-order or is left sitting there. Be more specific if you can, because there is also a thing called 'blocking' on PBX's which is similar but on a smaller scale. To whoever asked about the collect call to the loop, well loop-around numbers are probably either an Official or a Test line, at least the ones I have seen. So unless they set some type of screening to it so it can't accept collect calls then you could collect call a loop, but hope that you didn't dial direct from your home because your number would be on their phone bill. Control C, since you seem to have a manual or something on ESS, could you tell me what a RC15 report is, I am very confused about them. Thanks... Phantom 37/70: Coin Tests... Name: The Mad Hacker 47 Date: 12:07 am Fri May 08, 1987 SFD posted in the previous sub abour coin tests. I ask you this. The CO, upon completion of a call, removes -48 volts from the ring, ground from the tip and either a -130 volts(Refund) or +130 Volts(Collect) is applied to the tip to operate the cion relay in the phone. If Someone were to have acces to the exposed wires outside of the phone, wouldn't they be able to simulate the voltage necessary to refund their own money(Theoretically speaking if they could simulate the voltage in a Phone Booth of course)? Would that Be Possible? I also broke out my testboard, Station, and network Manuals and Found that their is some significance in turning the handset of the payphone upside down. I can't find out exactly why yet, but it is all over the "Coin Maintenance Check Booklet" that bell uses as reference for Coin Stations. I will search more through the book and see what I can find. The Mad Hacker 38/70: Collect call Name: Icarus 15 Date: 12:52 am Fri May 08, 1987 If you hack a mailphone system of some kind that only requires the number to be called and the initia message will be played, then you can have the message say, "Hello?........Sure. hangup|" This will enable you to make a third party billing call to anyone and use the mailphone system as the party paying for the call. The operator will cal up the mailphone, the msg will play and she'll hear the person being billed say, "Sure." when asked if they accept the charge. In any case if you want to make a call bill it to 312-410-7132, and it will go straight through. Icarus 39/70: Call blocking Name: Lotus 38 Date: 3:44 am Fri May 08, 1987 I know that in parts of Florida that a new system uses the term "call blocking" simply to stop someone in your co's area from calling you. You would do something like "*80+number to block" and when that number calls you , a "You can not dial XXX-XXXX at this time. Try again later" Other features include immediate call back. This allows you to hit a few keys on the phone and call back whomever just called you (again, only if they are in your local co). Anyone else have info on this? 40/70: Collect Calls..... Name: The Disk Jockey 13 Date: 6:55 am Fri May 08, 1987 A few years ago, in school (out of state) everyone had their ways making free calls, someone had a number to a recording, something like that VMS, and it said "This number accepts all collect and 3rd party billing calls" and it worked all the time. Another way is to make a collect call to an out-of-state extender. Let me say it this way.... I'm calling from 219 (Indiana) and I call the local MCI node in Chicago collect. The operator asks "your name" and you say in a fem voice "Brenda"....the call will go through, and you will here the usual MCI tone. RIGHT AWAY, you press a number on t touch tone pad, this will silent the MCI tone. Then you say in your own voice "Hello?" for all the operator knows, you are the one that answered! The only problem is that you have to work fast, else you get a re-order in about 15 seconds. -The Disk Jockey 41/70: Call Blocking... Name: The Mad Hacker 47 Date: 9:19 am Fri May 08, 1987 I will get more specific on the Call Blocking I am refering to. It isn't what Lotus suggested. That Sounds more like DMS-100 Options(Sounds Exactly like them, in fact). I thought that the FCC wouldn't allow AT&T to use those options, though. Maybe I was mistaken. I think that the call blocking I was refering to is more towards the overload on any paticular circuit as was mentioned before. The Mad Hacker 42/70: toll phone Name: Circuit Breaker 5 Date: 10:46 pm Fri May 08, 1987 In most areas in Europe, the wire to payphones hang out below the phone if you splice those wires to you handset, you can dial direct without any imitation tones. 43/70: Call Blocking Name: Phantom Phreaker 46 Date: 2:23 am Sat May 09, 1987 Call Blocking is indeed a feature of (C)LASS....but that CLASS feature is LATA based around LCCIS, not upon a CO and intraoffice calls. For more info read any CLASS file, or check out LOD/H TJ 1, file 1, CLASS, by Videosmith. It explains it pretty clearly. There was a PBX test number in 305 (the testing grounds of CLASS) that I had gotten somewhere that had a demo of CLASS features on it, such as Call trace, selective call forwarding, call blocking, etc. It was called Touch-Star, I think, or maybe Touch-Tel, one of the two. Anyway, LASS is used in the 717 (Harrisburg, PA) NPA. Phantom 44/70: Addition. Name: Phantom Phreaker 46 Date: 2:32 am Sat May 09, 1987 (I forgot something) DMS-100 does have something like it's own call blocking. It can be used to restrict certain types of lines from calling other types. The destination switch checks the information sent in from the (intraoffice) DN, (I think the Screening Code, probably) or from an INC (incoming trunk). This can be done to restrict access to official lines and such. Phantom 45/70: i thought Name: Lucifer 666 43 Date: 2:26 am Sun May 10, 1987 none of the DMS features blocking other people from calling you, etc| were not implemented.... I thought that the user-choice stuff was never put in... was I wrong? L666 46/70: RC15? Name: Control C 8 Date: 11:17 am Sun May 10, 1987 Phantom, Are you sure the RC15 exists? RC's start at 16 and end at 29.. Maby I'm just screwed... 47/70: FACS Name: Mad Hatter 51 Date: 5:57 pm Tue May 12, 1987 Can anyone fill me in on FACS? I got the file by Sharp Razor and Doom Prophet has told me about it somewhat, but can anyone explain detailed info on it? Thanks (d00d)... -Hatter .s 48/70: TC15 Name: Phantom Phreaker 46 Date: 7:21 pm Tue May 12, 1987 Actually, it's a TC15 report on a 1AESS... not RC15. Sorry about that. A TC15 is very long and has a few acronyms in it that I don't recognize. About the only one I can remember right now was PUC, Peripheral Unit Controller. For those of you who have problems with the acronyms posted here, you might want to check the N)eed acronyms option from the main menu on this board. This is an acronym list that I made a while back and gave to TK, and he put a few in himself. It's basically correct as far as I know, so please let's not add one unless you are sure. Phantom 49/70: Carot, etc. Name: Doom Prophet 21 Date: 4:41 pm Fri May 15, 1987 Well, I don't know that much about FACS, although I don't believe that it really acts as a replacement for COSMOS, more like an integration/mini datakit sort of thing for the different systems related to cosmos. Mad Hatter was asking about CAROT in mail, and I looked through some stuff and here is some info about the system. It consists of the two processors for the CAROT (database section), the data and the test processor. The TP controls and directs the ROTL's and the Circuit Maintenance System (I've seen CMS-1B and also CMS-3A, don't know what the current version is). CMS 3A is used with TIRKS also. Anyway, the CAROT controller (which is supported by the two processors) can do something like 14 tests at the same time (at night when their is less traffic on the trunks). The CC also analyzes and sends out the test results to the appropriate departments or offices (the CO, an SCC or a CTTU station). The ROTL is accessed just by the technician dialing it, which is why anyone can dial them. The ROTL is controlled by MF input of the trunk group and network numbers. I have seen TNN's as being three digits, but I guess it depends upon the office size. The ROTL seizes the trunk to be tested. The ATMS responder (Automated Trunk Measurement System) is connected to the ends of the tested trunk to receive tthe test measurements. The ROTL somehow attaches test equipment to the origiinating end of the trunk. Other test lins are used for the terminating end (going into another CO or switch)...I'm sure everyone knows there are dialups to CAROT, these are from the Remote User Multiplex, the ports for remote terminals to call in through (unless the dialup serves for some type of diagnostics testing upon the test equimpment itself). 16 people can be on the same RUM....I don't know if that means 16 people can dial the same dialup and somehow still connect (highly improbable). Lex would probably know more about it. Doom 50/70: Advanced 800 Name: Taran King 1 Date: 5:00 pm Fri May 15, 1987 Well, I know that many people have been told that to get translations for 800 numbers, they should call an office that has access to the NCP database. I just read a bit about it in CO which I thought was sort of interesting. It's part of DSDC (Direct Services Dialing Capabilities). The subscriber dials the 800 number which is then routed to a 4E. From there, it goes to the ACP (Action Control Point or is it ACtion Point?|) which is software that determines the special type of call (toll free/976/etc.). The ACP gets it's (its) information from the NCP which is the Network Control Point. The NCP database receives the call information through CCS and checks on the customer service information that the call information goes with, thereby determining how to route the call and sends the info back to the ACP. The SMS (Service Management System) is used to update information and for definition of that information. The NCP database can contain various information such as where the translation routes determined by origin of call or time of day too. I have a question about CCS. What is signifigant about the number version? I mean, is the information transmitted done differently (different protocol or manner of sending) or is it just updates to the way it's wired up? McBlah -TK 51/70: CCS Name: Mad Hatter 51 Date: 6:02 pm Fri May 15, 1987 Randy- I can't seem to find that ancronym or any mention of it. I've followed your post all they way up to that. The Advanced 800 Service you read had to do with the SPC Network? The paragraph you typed was the same(not word for word) as the one here in the Tech on SPC Net. ACP stands for ACtion Point. -Hatter Excuse the time/date of this call.. 52/70: CCS Name: Taran King 1 Date: 11:05 pm Fri May 15, 1987 The CCS that I mentioned (CCS7 presently) is like the modern term for CCIS. I'm not sure why they changed it, but that's the accepted acronym now. The information that I got from CO magazine was discussing the BOCs' involvement in 800 services now. It's highly possible (and probable) that they use the same method of signaling for this. Hmm...Oh well, still, I want to know about the different versions of CCS. Later -TK 53/70: CCS Name: Phantom Phreaker 46 Date: 12:52 pm Sat May 16, 1987 Ok, the international version of CCS is known as as CCITT6, (or 'the CCITT signalling system No. 6) which are centered around an International Switching Center (ISC). CCITT No. 6 can identify 2048 trunks (CCS can ID 8192 trunks). I have some pages from an old BSTJ on CCIS in front of me, they have a good amount of information about CCITT6 in here. One interesting table inn here is Calling parties categries, which are in bits 13-16 of a CCITT No. 6 'message', there are provisions for operators in French, English, German, Russian, and Spanish, and other user selectable languages, data call, test call, spare, etc. I'll have to read more about this, it would be interesting to find out how you could make an int'l call over CCITT No. 6 (or maybe 7 now as someone said) as a test call. Phantom 54/70: Badgers... Name: Taran King 1 Date: 7:38 pm Sat May 16, 1987 A long, long time ago, Jester Sluggo found some stuff about Badgers while trashing. Just today, in conversation, I found out a bit about what these are. It is a piece of machinery (Badger is the brand name) which is located in the SCC (supposedly). It is used for remote trunk testing and it grabs the circuit to be tested and runs whatever on it. I have a feeling this is more for the independant telcos but I couldn't say for sure. Later -TK 55/70: Here's...... Name: The Disk Jockey 13 Date: 12:40 am Mon May 18, 1987 ..an employee numthat I guess is sort of a Sprint Newsline. It was LEECHED off of another board, so it remains ted: 8-332-0111 56/70: Anyone know? Name: Cap'N Crax 10 Date: 2:22 am Mon May 18, 1987 Does anyone know if either/both 900's and 976's terminate in POTS number? (Ever?) Something tells me that they probably do.. C^2 57/70: 976/900s Name: Taran King 1 Date: 6:35 am Mon May 18, 1987 I believe that I asked someone that already and neither of them did. They both were arranged really strangely and didn't have POTS numbers (or at least not standard POTS numbers). If you could log onto the switch for the 900 or 976 number, you could probably find out, anyway, if it's got a POTS translation, but then again, that's a whole different baby. I'll ask again and repost when I find out unless Phantom and DP beat me to it (likely). Later -TK 58/70: 900 and 976 Name: Kerrang Khan 34 Date: 4:37 pm Mon May 18, 1987 Do not terminate in POTS numbers. k 59/70: I think.. Name: Slave Driver 58 Date: 10:21 am Tue May 19, 1987 that 900s as in the kind you see on TV, like voting things| terminate in a 4e office. There is some special device that totals the calls if needed| and then the people who are using it just call and ask about the numbers... Steve 60/70: 900 numbers explained Name: Phantom Phreaker 46 Date: 9:35 pm Tue May 19, 1987 I was really interested in how 900 numbers worked, it is not common phreak knowledge, so I researched via a BSTJ and a little bit of engineering. Actually, I wrote a file on the Mass Announcement System (MAS) that is about 80 sectors, but I never released it because I thought no one gave a fuck. If anyone here wants this file, mail me and I'll get it to you somehow, or upload it here. 900 numbers do terminate in a Number 4 ESS, the 4E that has been allocated as your MAS node. As of 1980 (old info, I know) there were 7 No. 4 ESS switches that were MAS nodes. That number might be more now, butt the nodes were in Atlanta, Chicago, Dallas, Denver, LA, Newar, and Philly. Each one of these covers a particular part of the country. (oops, that 'Newar' up there is supposed to be 'Newark'). For instance, if Randy dialed 1-900-555-1212 (the Dial it 900 service information line) his call would be sent to the Atlanta No. 4 ESS MAS node. If Mad Hatter dialed the same number, his call would be sent to the Philly MAS node. (Oh, Alaska and Hawaii are also included in this). Back to the original question by Crax, 900 numbers can terminate in a POTS number, but I have never seen it done, so I would guess that it's not a common occurance. This is called cut through calling, or technically, Media Stimulated Calling (MSC). MSC basically sends one call per some unit of time to a DDD number. The place that handles the maintenance and administration of all No. 4 ESS MAS offices is called ONAC, Operations Network Administration Center. I think the ODAC are centralized in Kansas City, Mo, which seems kind of strange because there isn't a MAS node there (that I know of). One interesting thing about MAS services is the way Recent Changes are done, through an RCRRT2 (Remote Recent Change, don't ask me why the acronym doesn't match) channel, which is hardwired to ONAC. If one ever trashed ONAC or a 4E MAS node, you could probably find some actual switch output messages. Those would be interesting to see. So if anyone ever does any trashing like this then let me know. Phantom 61/70: UNIX logs... Name: Ax Murderer 7 Date: 5:33 pm Wed May 20, 1987 I haven't been on for awhile, but anyways, whoever was questioning UNIX's, which log are you talking about, the one of Berkley (HIST?). There's quite a few logs. To get superuser privs on some systems, first go into the /dev/ section and scan through the files. Almost always there will be a program in there which will be UNPROTECTED and allow even the lowest scum to use it. The main point is, in case for some emergency reason, he must log on from a remote location, and has difficulties, he may process another account. Ax Murderer Also, I got TONS of "C" programs. I also am pretty fluent in this. 62/70: Unix Name: Phantom Phreaker 46 Date: 9:02 pm Fri May 22, 1987 Does anyone know a way to implement something similar to some common unix commands on a cosnix OS? For instance, the grep command, the find comma the file command, and a few others. What I wanted to do was list the ascii files in a cosnix directory (assume the /usr/cosmos directory, where COSMOS three letter command source is kept, but there couldcii or English Text in it). I would do it like this on unix: $ ls -a on Centrex, or maybe someone out there knows a few things about it that could post?? Centrex in the home is pretty nice thing to have..only costs about 10 bucks to have it installed, but its well worth it... more info later.. 66/70: WELL... Name: Sir Francis Drake 56 Date: 7:05 pm Mon May 25, 1987 I HAVE SOME NON TECH CENTREX MANUALS SOMEWHERE... I dont think its all that great right now but when the RBOC's are allowed to do all their software stuff it will be pretty cool. There are allread some keen centrex packages for voice mail and stuff. Ill go look for them. sfd 67/70: Centrex Name: Phantom Phreaker 46 Date: 5:59 pm Sat May 30, 1987 Leftist, what do you want to know about centrex? I know a bit about the workings of them, the general description, how they are set up in a CO, etc. Be more specific in your question... Phantom 68/70: Blue boxing Name: Icarus 15 Date: 3:28 am Sun May 31, 1987 I have found that kp and st are not necessary when dialing off of a trunk. After seizing the trunk, ac+ is all that is needed to call out. This seems strange. Any comments? Icarus 69/70: Reply^ Name: The Executioner 19 Date: 4:15 pm Sun May 31, 1987 You are not seizing an interoffice trunk. What you are doing is kind of pseudo-boxing, which is what we used to do here in New Jersey. What would happen is that we would use MCI, get a destination and then blow 2600. Since there were no restrictions on the band width, and no filters, we would blow back a dial tone that was possible to make international as well as alliance calls with crystal clarity. I don't know the exact name of this but just that we weren't seizing a trunk. Ex y ^ nice space 70/70: DP Boxing Name: Phantom Phreaker 46 Date: 8:41 am Mon Jun 01, 1987 Icarus, what you are talking about sounds like boxing using a DP (Dial Pulse) trunk. DP 'boxing' doesn't use KP and ST, they use a time-out feature. DP is made up of short bursts of 2600Hz tone. It isn't all that common as far as I know, but some older SxS offices supposedly use it for outpulsing on interoffice calls and to CAMA for billing. This means that either the homing CAMA office can record dial pulse trunk signalling, or there is some sort of sensor to translate it to MF before reception by the CAMA MF digit recievers. Phantom Post on Phreak/Hack Sub? No ^*^ =========================================================================