                       The Official Phreaker's Manual

                    The Official Phreaker's Manual   V2.5
                               Updated 11/01/93
                Compiled, Wordprocessed, and Distributed by:
                                 The Jammer
                               Jack the Ripper


Congratulations, you now have a new update of the "Official Phreaker's Manual".
This is still the informative file the authors from which I have gathered info.

We are still alive. This publication is not released on any schedule. Past
attempts at scheduling issues have failed miserably. The editors refuse to
release issues which are not up to our self-defined standards. We have in the
past, and will continue in the future, to accept articles from anyone as long
as the articles adhere to our basic format and style. The editors review all
articles to verify accuracy and integrity; however, it may not be possible in
all cases to check every fact. Plagiarized material is not acceptable and we
make every attempt to verify an article's originality. The more articles we
receive the sooner each issue is released. There is a minimum 2 month review
and editing period for each article. If you want to contribute articles
contact any member and they will forward articles to the editors.

   Warning: Use of this material may shorten your life in the free world! :)

  Ok enough of the bullshit, I readily admit that this is mainly a compilation
of available phreak material and public resources.  What I have done is to
gather it all together and edit, compile, check for errors, put in a readable
form, and finally to write what I know without echoing what others have said.
I have set this up so that it is good for all levels of phreaks, going from novice
to advanced, with references and tables for easy reference in the back.
  This manual is constantly being updated!  If you have any contributions or
corrections or comments, please leave messages to me (Jack the Ripper) on any
BBS's I am on (probably where you got it).  Thanks!


                              Table of Contents


I....... Chapter 1
I.1..... Glossary of Phreaking terms

II...... Chapter 2
II.1.... Custom Local Area Signalling Services (CLASS)

III..... Chapter 3
III.1... The Traffic Service Position System (TSPS)

IV...... Chapter 4
IV.1.... Building your own Blue Box (Includes Schematic)

V....... Chapter 5
V.1..... The Outside Loop Distribution Plant:  Part A
V.2..... The Outside Loop Distribution Plant:  Part B

VI...... Chapter 6
VI.1.... Step By Step (SXS) Switching System Notes

VII..... Chapter 7
VII.1... Understanding Automatic Message Accounting Part A
VII.2... Understanding Automatic Message Accounting Part B

VIII.... Chapter 8
VIII.1.. An Introduction to Teradyne's 4TEL System

IX...... Chapter 9
IX.1.... A Guide to Coin Control Systems

X....... Chapter 10
X.1..... War against the phone hacking

XI...... Chapter 11
XI.1.... The AT&T BILLDATS Collector System

XII..... Chapter 12
XII.1... Central Office Operations

XIII.... Chapter 13
XIII.1.. The personal Thanx to authors!

                                  Chapter 1

                             The Bell Glossary

                               by Mad Marvin

ACD: Automatic Call Distributor - A system that automatically distributes calls
to operator pools (providing services such as intercept and directory
assistance), to airline ticket agents, etc.

Administration: The tasks of record-keeping, monitoring, rearranging,
predicting need for growth, etc.

AIS: Automatic Intercept System - A system employing an audio-response unit
under control of a processor to automatically provide pertinent info to callers
routed to intercept.

Alert: To indicate the existence of an incoming call, (ringing).

ANI: Automatic Number Identification - Often pronounced "Annie," a facility for
automatically identifying the number of the calling party for charging purposes.

Appearance: A connection upon a network terminal, as in "the line has two
network appearances."

Attend: The operation of monitoring a line or an incoming trunk for off-hook or
seizure, respectively.

Audible: The subdued "image" of ringing transmitted to the calling party during
ringing; not derived from the actual ringing signal in later systems.

Backbone Route: The route made up of final-group trunks between end offices in
different regional center areas.

BHC: Busy Hour Calls - The number of calls placed in the busy hour.

Blocking: The ratio of unsuccessful to total attempts to use a facility;
expressed as a probability when computed a priori.

Blocking Network: A network that, under certain conditions, may be unable to
form a transmission path from one end of the network to the other. In general,
all networks used within the Bell Systems are of the blocking type.

Blue Box: Equipment used fraudulently to synthesize signals, gaining access to
the toll network for the placement of calls without charge.

BORSCHT Circuit: A name for the line circuit in the central office. It
functions as a mnemonic for the functions that must be performed by the
circuit: Battery, Overvoltage, Ringing, Supervision, Coding, Hybrid, and

Busy Signal: (Called-line-busy) An audible signal which, in the Bell System,
comprises 480 Hz and 620 Hz interrupted at 60 IPM.

Bylink: A special high-speed means used in crossbar equipment for routing calls
incoming from a step-by-step office. Trunks from such offices are often
referred to as "bylink" trunks even when incoming to noncrossbar offices; they
are more properly referred to as "dc incoming trunks." Such high-speed means
are necessary to assure that the first incoming pulse is not lost.

Cable Vault: The point at which phone cable enters the Central Office building.

CAMA: Centralized Automatic Message Accounting - Pronounced like Alabama.

CCIS: Common Channel Interoffice Signaling - Signaling information for trunk
connections over a separate, nonspeech data link rather than over the trunks

CCITT: International Telegraph and Telephone Consultative Committee - An
international committee that formulates plans and sets standards for
intercountry communication means.

CDO: Community Dial Office - A small usually rural office typically served by
step-by-step equipment.

CO: Central Office - Comprises a switching network and its control and support
equipment. Occasionally improperly used to mean "office code."

Centrex: A service comparable in features to PBX service but implemented with
some (Centrex CU) or all (Centrex CO) of the control in the central office. In
the latter case, each station's loop connects to the central office.

Customer Loop: The wire pair connecting a customer's station to the central

DDD: Direct Distance Dialing - Dialing without operator assistance over the
nationwide intertoll network.

Direct Trunk Group: A trunk group that is a direct connection between a given
originating and a given terminating office.

EOTT: End Office Toll Trunking - Trunking between end offices in different toll
center areas.

ESB: Emergency Service Bureau - A centralized agency to which 911 "universal"
emergency calls are routed.

ESS: Electronic Switching System - A generic term used to identify, as a class,
stored-program switching systems such as the Bell System's No.1, No.2, No.3,
No.4, or No.5.

ETS: Electronic Translation Systems - An electronic replacement for the card
translator in 4A Crossbar systems. Makes use of the SPC 1A Processor.

False Start: An aborted dialing attempt.

Fast Busy: (often called reorder) - An audible busy signal interrupted at twice
the rate of the normal busy signal; sent to the originating station to indicate
that the call blocked due to busy equipment.

Final Trunk Group: The trunk group to which calls are routed when available
high-usage trunks overflow; these groups generally "home" on an office next
highest in the hierarchy.

Full Group: A trunk group that does not permit rerouting off-contingent foreign
traffic; there are seven such offices.

Glare: The situation that occurs when a two-way trunk is seized more or less
simultaneously at both ends.

High Usage Trunk Group: The appellation for a trunk group that has alternate
routes via other similar groups, and ultimately via a final trunk group to a
higher ranking office.

Intercept: The agency (usually an operator) to which calls are routed when made
to a line recently removed from service, or in some other category requiring
explanation. Automated versions (AIS) with automatic voice-response units are
growing in use.

Interrupt: The interruption on a phone line to disconnect and connect with
another station, such as an Emergency Interrupt.

MF: Multifrequency - The method of signaling over a trunk making use of the
simultaneous application of two out of six possible frequencies.

NPA: Numbering Plan Area.

ONI: Operator Number Identification - The use of an operator in a CAMA office
to verbally obtain the calling number of a call originating in an office not
equipped with ANI.

PBX: Private Branch Exchange - (PABX: Private Automatic Branch Exchange) A
telephone office serving a private customer. Typically, access to the outside
telephone network is provided.

POTS: Plain Old Telephone Service - Basic service with no extra "frills".

ROTL: Remote Office Test Line - A means for remotely testing trunks.

RTA: Remote Trunk Arrangement - An extension to the TSPS system permitting its
services to be provided up to 200 miles from the TSPS site.

SF: Single Frequency. A signaling method for trunks: 2600 Hz is impressed upon
idle trunks.

SxS: (Step-by-Step or Strowger switch) - An electromechanical office type
utilizing a gross-motion stepping switch as a combination network and
distributed control.

Talkoff: The phenomenon of accidental synthesis of a machine-intelligible
signal by human voice causing an unintended response. "whistling a tone".

Trunk: A path between central offices; in general 2-wire for interlocal, 4-wire
for intertoll.

TSPS: Traffic Service Position System - A system that provides, under stored-
program control, efficient operator assistance for toll calls. It does not
switch the customer, but provides a bridge connection to the operator.

X-bar: (Crossbar) - An electromechanical office type utilizing a "fine-motion"
coordinate switch and a multiplicity of central controls (called markers).
There are four varieties:
       No.1 Crossbar: Used in large urban office application; (1938)
       No.3 Crossbar: A small system started in (1974).
       No.4A/4M Crossbar: A 4-wire toll machine; (1943).
       No.5 Crossbar: A machine originally intended for relatively small
                      suburban applications; (1948)
       Crossbar Tandem: A machine used for interlocal office switching.

                                  Chapter 2

                   Custom Local Area Signalling Services

This article will explain the newly developed LASS system (AT&T Bell Labs),
and how it may affect us in the near future. Note that the service as it
appears for customers is called "CLASS", the C standing for Custom. I
assume this is just for looks.


   The telephone was destined to become a well used and powerful tool for
otherwise tedious tasks. Gas meters and other metered services would be
surveyed through the use of automatic data retrieval employing telephone
communications. All in all, some have big plans for the uses one could put
the telephone system to, and CLASS is one plan that is going to drop
an innovative bombshell on the telecommunicating world.
   At this moment, a local CCIS network feature is being developed by
Bell Laboratories. This feature will change the way people use fones, and
will also change the attitude in which they use them. It will give far
more control of the telephone to the user than ever before. This feature
is called CLASS (Custom Local Area Signalling Services).
   Everyone will find something useful in this newly developed telephone
   What are all these fantastic features?  These features will
include call back of the last caller, regardless of whether you have their
telephone number or not. Another will be distinct call waiting tones, and
preselected call forwarding (only those people whom you wish to speak to
will be forwarded). This is a rudimentary list of CLASS features to come.
It is a very powerful system, and it all relies on LCCIS (Local Common
Channel Interoffice Signalling), an intra-LATA version of the ever-popular

CCIS Background

   CCIS was originally introduced in 1976 as, basically, the signalling
system to end all signalling systems. Instead of using the voice grade
trunks to carry signalling information on, a data network would be used. This
network is comprised of data links from each TO [involved with CCIS] to
the appropriate STP (signal transfer point). Signalling information is sent
through these links at 4800 bps to the STPs (Note that baud rates may increase
due to the economic availability of faster data communications hardware),
where stored program control routes the signalling information to the needed
offices in order to open and complete the call path. SPC checks automatically
for on-hook/off-hook status before opening the path, and if the status is
off-hook (in this case the customer does not have the call waiting custom
calling feature), returns information to the originating CO to apply a busy
signal to the customer. This is but one of many features toll CCIS provides
the network with.
   Since this text is not centered on the topic of toll CCIS, technical
aspects aren't as important (except for the comparison between the local
and toll networks for observational purposes): yet it is important to
notice how automated and flexible this type of signalling method is, as well
as its speed and efficiency. All the software control involved with local
and toll networks is called, fittingly, the "stored program control network,"
or ISDN (Integrated Services Digital Network). LCCIS will be addressed in a
future article.

LCCIS would look like this:

                    |             X--/             |
                    |               |              |
                    |             LCCIS            |
                    |               |              |
                    |          ----------          |
                  CO-1         ----------         CO-3
                  ESS#                            ESS#
                  -1A----interoffice trunk group---1A-

SPC = Stored Program Control (Network control and Signal Transfer Point)
ITG = Interoffice Trunk Group

   Using a high-speed data link between local offices creates a much more
flexible and more efficient way for intra-LATA central offices to communicate.
Instead of using per-trunk signalling (using the same trunk used for
voice transmission to send routing and billing information), such data would
be sent thru a 2400 bps dedicated data link, which interacts with a local
signal processing and transfer point. From that point, signalling information
is distributed to appropriate central offices or tandem switches.

   At the time during which this article was being initially researched, CLASS
was only being developed for the #1A ESS switch due to the flexibility of its
memory handling, its speed and what Bell Labs called 'cost efficiency'. At
the end of the research involved with this article, CLASS was already
implemented in data stage on ESS#5.

   LCCIS will work with the local switches using stored program control,
keeping track of call data. The 1A switches will use what
is called "scratch pad" memory (also known as call store), in conjunction
with LCCIS's database, to accomplish all the features that LASS provides.
This memory will hold such data as "line history", and a "screening list".
That information will make it possible for autoredial, selective call
forwarding, nuisance call rejection, and distinctive call waiting tones.

Selective CF

   Selective call forwarding is defined by the subscriber (the subscriber
must have conventional call forwarding to request this service).
Using call store, or more specifically the screening list, one will
be able to selectively forward a call to another directory number by
executing a few simple commands on the friendly home-bound telephone
(unlike migrating telephones most frequently found in hotel rooms). An
access code (a list will appear at the end of the file) will be entered,
and a special tone will be issued from the subscriber's CO. The customer
will then dial in the numbers he wants forwarded to the particular
number. After each number, a tone will sound indicating the acceptance
of the number. Individual BOC's (Bell Operating Companies) will be
able to define the amount of numbers which may be screened. Once this is
done, the customer hangs up and the ESS takes over. Now, whenever someone
calls this particular customer, the customer's switch will compare
the calling line's directory number with those stored in scratch pad
memory. If the CLID matches one of the numbers in 1A memory associated with
the called directory number, the number is forwarded. If not, the phone will
ring at the original destination. This in particular could make it very
difficult on system hackers, as you could probably imagine. A company can
subscribe to this CLASS feature, and enter only the numbers of authorized
users to be forwarded to a computer. Bureaus inside the various telephone
companies and other sensitive operations can screen calls to particular
numbers by using this service.

   This is a security that's hard to beat, but of course there is a way
(simple law of nature: nothing is fail-safe). There will always be the
obvious way of finding numbers which are being forwarded to, like
autodialing entire exchanges (one after the other). Unfortunately, CLASS will
be providing other services which might make "scanning" seem less
Distinctive Ringing

   Distinctive ringing is handled in the same fashion as selective call
forwarding is: the screen list in scratch pad memory. The customer may
enter numbers which the ESS should give special precedence to, and whenever
a call is placed to this particular customer's number, ESS checks
to see whether the CLID matches a directory number listed in the
switch's memory. If a match is made, the subscriber's CO gives the off-hook
line a special call waiting tone, or the on-hook phone a distinctive ring
(possibly using abnormally timed ringing voltage... some readers may picture
a British Telecom ring as an example, although many foreign audible rings
tend to be different).

Call Rejection

   Nuisance call rejection, a feature making it possible to block certain
idiots from ringing your fone (a feature we can all benefit from at
one time or another... or all the time), uses the information retrieved
from LCCIS (CLID).  Let's say customer A calls customer B:

                    A ---> CO<             >CO ---> B

   Customer B happens to despise customer A, and keys in a special *##
code. ESS again takes over and looks at the CLID information, and stores
the calling line directory number in a special screen list associated
with customer B. The next time customer A tries calling customer B, the
terminating office will reroute the call to a local (the originating CO)
digitized recording telling customer A that the call he made cannot be
completed due to customer B's request ("I'm sorry, but the customer you
have tried to reach wishes you were eaten by a rabid cannibal on drugs").

Dial Back

   To create such a feature as "dial back" (for called or calling party),
the ESS scratch pad memory is used again. The same principles are
used as are employed in the already established custom calling feature,
auto-redial. CLID will be used in this way:

                                    (received from CLID)
                  last-called-mem     last-caller-mem
                     ----------          ----------
                     |###-####|          |###-####|
                     ----------          ----------

   Your ESS switch will keep track of who you called last, and who called
you last, thru the retrieval of calling line information provided by
LCCIS in conjunction with your switch (Your switch will know what number
you called last by directly storing the digits you dialed previously. Local
signalling will provide calling line information via LCCIS call
information forwarding using the data link mentioned). This way, with your
access code (*##), you will have total re-dial service.
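
The screening-list behaviour described in the sections above (selective call forwarding, distinctive ringing, nuisance call rejection and dial back), modelled as an added Python example that is not part of the original article. The class and field names, the list limit of 3, the order in which the lists are checked and the 555-01xx numbers are assumptions made for illustration; the third call in demo() shows an authorized caller whose CLID is not delivered because local CCIS is intra-LATA only.

```python
from dataclasses import dataclass, field
from typing import Optional

SCREEN_LIST_LIMIT = 3  # assumption: the article leaves the limit to each BOC


@dataclass
class Line:
    """Call-store ("scratch pad") state the switch keeps for one directory number."""
    forward_to: Optional[str] = None
    forward_list: set = field(default_factory=set)   # selective call forwarding
    priority_list: set = field(default_factory=set)  # distinctive ringing
    reject_list: set = field(default_factory=set)    # nuisance call rejection
    last_caller: Optional[str] = None                # filled from CLID
    last_called: Optional[str] = None                # filled from dialed digits


class TerminatingSwitch:
    def __init__(self, lata: str):
        self.lata = lata
        self.lines = {}

    def line(self, dn: str) -> Line:
        return self.lines.setdefault(dn, Line())

    def add_screened(self, screen_list: set, number: str) -> bool:
        """True models the acceptance tone; False means the list is full."""
        if number not in screen_list and len(screen_list) >= SCREEN_LIST_LIMIT:
            return False
        screen_list.add(number)
        return True

    def reject_last_caller(self, dn: str) -> bool:
        """Subscriber keys the rejection code: block whoever called last."""
        line = self.line(dn)
        if line.last_caller is None:  # no CLID was delivered for that call
            return False
        return self.add_screened(line.reject_list, line.last_caller)

    def dial(self, dn: str, digits: str) -> None:
        """Outgoing call: the switch stores the dialed digits directly."""
        self.line(dn).last_called = digits

    def incoming(self, called: str, caller: str, caller_lata: str,
                 privacy: bool = False) -> dict:
        line = self.line(called)
        # Local CCIS is intra-LATA only, so inter-LATA calls arrive without CLID.
        clid = caller if caller_lata == self.lata else None
        line.last_caller = clid
        # The privacy code only suppresses the desk display, not the screening.
        result = {"action": "ring", "to": called, "ring": "normal",
                  "display": None if privacy else clid}
        if clid is not None and clid in line.reject_list:
            result.update(action="recording", to=None, ring=None, display=None)
        elif clid is not None and line.forward_to and clid in line.forward_list:
            result.update(action="forward", to=line.forward_to)
        elif clid is not None and clid in line.priority_list:
            result["ring"] = "distinctive"
        return result


def demo() -> list:
    """Constructed scenario: a published number that forwards only listed callers."""
    sw = TerminatingSwitch(lata="LATA-1")
    published = sw.line("555-0100")
    published.forward_to = "555-0199"                     # hypothetical computer line
    sw.add_screened(published.forward_list, "555-0111")   # authorized user
    calls = [("555-0111", "LATA-1"),   # authorized, local: forwarded
             ("555-0122", "LATA-1"),   # not listed: rings at the published number
             ("555-0111", "LATA-2")]   # authorized but inter-LATA: no CLID, rings
    return [sw.incoming("555-0100", c, lata)["action"] for c, lata in calls]


if __name__ == "__main__":
    print(demo())
```
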

Customer Trace

   This type of memory handling and signalling method will also allow the
feature that everyone was afraid would abolish "phreaking". Subscriber
initiated tracing, using the last caller directory number stored at your CO,
will be available as far as Bell Laboratories is concerned. There seem to be
two types of "customer originated trace". One will forward the number to local
authorities, at which it will be handled through the police. The other
feature AT&T/Bell Labs is working on will be a display module that will sit by
your fone, and will display calling directory numbers. All other CLASS
features that use the calling line information are used at the discretion of
the caller. The customer originated trace, however, using the individual or
bulk calling line identification features ("trace") allow the customer to view
the calling number. The world is not ending... yet, in any case. Individual
customers will be able to employ a special "privacy code", which when dialed,
tells the far-end switch not to forward the calling number to a desk display.
Whether there will be a way to override this or not is obvious: of course.
The police, the military and government agencies are all likely to have a
higher priority level than your privacy. It seems that long distance
carriers could benefit greatly from CLASS. Why Bell/AT&T should give any type
of special services to OCCs not given to other non-telephone companies,
especially after equal access is fully implemented, I don't know (but then
again, it is EQUAL access). It's always possible. It is also possible that
there will be no desk display. There are those phone phreaks who feel that
BOC's will never give the end party the privilege of retrieving the calling
party's number directly, if not due to plain old Bell policy on the issue of
privacy. We'll have to wait and see about that point: the desk display is, in
fact, operational and is being used in test stage. Whether Bell Labs feels
that this feature can and will be used in a full scale non-beta stage BOC
situation is a different story. The economic feasibility is questionable.

End Notes

   CLASS, using local CCIS, will not function on inter-LATA calls. The
local CCIS network is exactly that: local, and does not extend into the
realm of "toll network". This will eventually be corrected (allowing toll
CCIS to interact with LCCIS as far as CLID information is concerned). How
the various long distance networks will exchange information with the local
BOC network has not been determined [by the writer of this article]. It
would seem like a monumental task to try to integrate the emerging long
distance companies into the AT&T/BOC ISDN, be it because of equipment
inconsistencies or lack of cooperation on the part of the OCC, etc. This
will be discussed in an upcoming article dealing with toll CCIS.
Although CLASS has been built around the ESS #1A switch, it has, as has been
mentioned, been co-developed for use with the ESS #5 switching machine.

   CLASS is going to cause problems, as well as create a new environment
for telephone users. Of course, those problems are only problems to people
who will generally be reading this article, but the more you know about CLASS
the more comfortable you'll feel about the service. It can be used to
one's advantage, even as a telecommunications hobbyist. Just as a
corporation will be able to set up a complete history of who is calling their
system, and eventually keep people off the system using the screen list in
memory, the same features can be applied to bulletin board systems and the
like. Imagine being able to keep all the local bozos off your board, or
being able to screen all but your private local users (making your system
completely inaccessible through the PSTN network from any telephone but
that of one of your users). It would seem to be a useful feature, if nothing
else but an easy feature, to implement.

   It is a little difficult, if not plain awkward, to write an article about
a topic which is subject to change at the researcher's ignorance. I think
that CLASS is enough of a momentous issue that at least some text by a
hobbyist should be released for public knowledge purposes.  Yet my awareness
of the fact that some of this text may be outdated, or inaccurate, by the
time CLASS is released as a BOC service, is in itself the explanation of why
there is a version number at the head of this article. Most likely, when CLASS
becomes public, the second version will be released with update notes
(if need be...most probably so). I hope you enjoyed it.

Test stage defaults for some features:
DTMF ! Pulse ! Description of Service
 *66 !  1166 ! Reconnect last caller
 *63 !  1163 ! Selective Call Forward
 *60 !  1160 ! Nuisance Call Blocking
 *57 !  1157 ! Customer "Trace"

Note: These command codes may vary from BOC to BOC. The codes listed above
were found in a general description of CLASS and did not specify a particular
implementation of these services.

                                  Chapter 3

          Understanding the Traffic Services Position System (TSPS)

                            Part I - The Console

                              By The Marauder

* Special thanks to Bill from RNOC, Phucked Agent 04, and The (602) Scorpion
 for their help in acquiring & compiling this information.

    In this article I will discuss the basic layout, description, and use of
the keys found on the standard AT&T 100-B TSPS Console. Possible uses for the
information contained herein (besides for just wanting to know about the TSPS
Console) are primarily for social engineering purposes. The more you know about
operators and their jobs, the more you can get them to do things for you...

I.                          Basic Console layout

!  +---------------------+       +-------------------------------------+    !
!  !   (Ticket Box)      !       !            ( Display )              !    !
!  +---------------------+       +-------------------------------------+    !
!                                                                           !
!                          (NonCoin)    (--- Coin 1-----)    (-- Hotel --)  !
!  VFY OVR SCN INW EMR     Sta 0+ 0-    Sta 0+ 0- Pst Tne    Sta 0+ 0- Gst  !
!      SES         INT                            Pay                       !
!                                                                           !
!  (Outgoing trunk)     (--- Ring Designation --- )  (Release)              !
!  DA  R&R  SWB  OGT    BAK FWD CAL T&C Nfy Chg Key   BAK FWD  SR MB Mt PT  !
!                               BAK         due clg                         !
!                                                                           !
! +-----+     Cw                  (Station)  PA CL SP SP AT DDD             !
! ! M B !                                          CG CD CT                 !
! ! u u !                                                                   !
! ! l l !                         (Person )  PA CL SP SP    NO              !
! ! t l !                                          CG CD    AMA             !
! ! i e !                                                                   !
! !   t !    (Coin 2)  (AMA Timing)   (Loop Ctl)                            !
! ! L i !    COL  RET  CA   ST        Cg Cg Cg                              !
! ! e n !              TMG  TMG                  (Kpls key)  (Num pad)      !
! ! a   !                             Cd Cd Cd   KP KP KP    1  2  3        !
! ! f T !              CA   REC                  TB RT HO                   !
! !   r !              CAL  MSG       HD HD HD               4  5  6   ST   !
! !   a !                                           KP KP                   !
! !     !    RLS                                                            !
! !     !        (Display Ctrl)                     KP KP       0           !
! +-----+    tim chg CLG CLD SPL                    BK FD          +--------!
!                min NUM NUM NUM                                   ! Number !
!                                                                  ! Plate  !
                    Figure 1. 100-B TSPS Console layout

      (Due to 80 col width, picture is a little distorted vertically)
        o Abbreviations in all capital letters are ILLUMINATED KEYS
        o Abbreviations in all lower case letters are NON-ILLUMINATED KEYS
        o Abbreviations in upper & lower case letters are LAMPS ONLY

ie: VFY = Lighted VERIFY key, tim = Unlighted TIME key, Cg = CALLING Lamp

--  Above is the standard AT&T 100-B console layout. While there may be
additional or different keys on the various consoles, they will generally
resemble the above layout closely.  In the lower right hand corner you will
notice the numbers 0-9 laid out into what resembles a keypad; this is exactly
what it appears to be. The TSPS Operator uses this keypad for keying in not
only routing information (phone numbers, inward routings, etc.) but also as a
multi-purpose tool for entering various numeric codes recognized by the TSPS
software itself. Routing information applied onto the trunks from the TSPS
position is of course in MF (Multi-Frequency). When a TSO keys in a number or
routing, the console buffers the KP+INFORMATION DIGITS until the ST key is
pressed, at which time it plays the buffered KP+INFO DIGITS+ST onto the trunk
in a uniformly spaced sequence. So if you were somehow able to listen in on a
TSO actually routing a call, it would not sound like someone placing a call on
a standard Touch-Tone telephone (or homemade blue box), but more like someone
pressing a "Redial key" on a Touch-Tone (TT) phone. The duration of the tone
and space between the tones are a network-wide standard, although the network
in most cases is quite tolerant to deviations from this standard. (This "loose"
tolerance is what allows us to simulate In-band signalling with our blue boxes).

--   At the upper left hand side of the diagram you will see the Ticket box.
This box has 4 slots marked New, Cancel, Scratch and Completed. I believe this
is used for manually filled out trouble and/or time tickets. As far as I know
manually filled time tickets are a thing of the past, however in case of
equipment failure the tickets are available I assume.  A TSO would manually fill
out a trouble ticket to report trouble reaching a number out of her LAN (Local
Area Network - or, the area directly served by her particular TSPS position),
whereas to report trouble with a number in her LAN she would simply key in a
trouble code (utilizing the KP-TRBL (Trouble) key) to automatically place a
trouble report.

--   To the right of the Ticket box you will see the DISPLAY. The display works
in conjunction with certain keys on the console, and is used to display timing
information (hours, mins, sec's), Cost per minute, Calling number
identification (what most people refer to as TSPS ANI), numbers called, and
various special codes. The console display can be in one of two states, either
1) displaying digits, or 2) displaying nothing (dark), both of which have
different meanings when resulting from certain procedures attempted by a TSO.
LIGHTED KEYS and LAMPS on the console can be in one of three states: either 1)
NOT ILLUMINATED (dark), 2) ILLUMINATED, or 3) FLASHING. Again, the state of a
lamp/lamp-key means different things under different conditions.

II.                        KEY DESCRIPTIONS & USES

--   Below the Ticket box you will see a row of 5 keys starting with the key
labeled "VFY" (Verify), these are various special purpose keys used by TSPS
that have no real "grouping" unlike the other "Key groups". These are:

(VFY) - Verify, Illuminated key. Used in conjunction with the keypad, allows
the TSO to verify (listen in) on a telephone call that is in progress, although
any conversation taking place on that call is scrambled to the TSO, and despite

(OVR SES) - Over Seas, Illuminated key. Used in overseas call completion
through an Overseas Toll Completion Center/Server (IOCC). I believe it also
allows the TSO to key in more than 10 digits (standard POTS) for IDDD call

(SCN) - Screen, Illuminated key - Lights to notify TSO that incoming call has
an associated screening code, (ie: 74=collect calls only, 93=special billing).
Depressing this key causes the code to show on display, and it's up to the TSO
to decipher the code and explain its meaning to the customer if he/she is
attempting something forbidden by his associated screening code. (ie: Prison
phones have a screening code of 74, allowing them to place collect calls only.)

(INW) - Inward, Illuminated key - Lights to notify the TSO that the incoming
call is "Operator to Operator", therefore she answers by pressing the key and
answering "Inward!". In most cases Inward Operators are actually TSPS, with
their INWARD lamps lit.

(EMR INT) - Emergency Interrupt, Illuminated key. Used in conjunction with
the VFY key, to interrupt a call in progress while a line Verification is being
done. Pressing this key causes an audible "beep" to be applied to the line, and
de-activates the console scrambling (for roughly 30 seconds), allowing the TSO
to talk to the parties being verified/interrupted. Use of this key & the VFY
key is constantly kept track of via various security & maintenance TTY's and
any abuse/misuse will set off alarms.

--   To the right of the above set of keys you will see three groups of
LAMPS/Keys labeled "Non-coin", "Coin 1", and "Hotel".  The TSO utilizes the
condition of these lamps to identify the status of incoming calls. There are
three lamps that are common to each of the three groups; these are "Sta",
"0+", and "0-". Their meaning is identical in each case as you will see below.

(Sta) - Lamp, NON-COIN STA lamp lights when a non-coin caller requires TSPS
assistance in placing an otherwise direct-dialable call (in some rural areas
that have limited DDD features).  COIN STA lamp lights on direct dialed coin
calls that are sent to TSPS for payment collection. HOTEL STA lights on Hotel
originated DDD calls, TSPS also receives room number call is being originated

(0+) - Lamp, Lights to signify that the incoming call was originated by a
customer dialing a "0+telephone number" for an operator assisted call in each
of the three groups (coin, non-coin, hotel/motel).  (ie. if a customer were to
place a "person to person" (op assisted) call from a payphone, this would cause
the "0+" lamp in the "coin" group to light, one placed from a residential phone
would cause the "0+" lamp in the "non-coin" group to light, etc.)

(0-) - aka "Dial Zero", Lamp. Lights to signify that the incoming call was
originated by a customer simply dialing 0 (zero), in each of the three
categories (non-coin, coin, hotel/motel).

(PST PAY) - Post Pay, Illuminated key. Coin group only, Depressed by TSPS when
a customer requests a "post pay" call from a payphone, allowing him to deposit
the full charge at the completion of the call.

(Tne) - Tone, Lamp. I believe this lamp lights to inform the TSO that a coin
customer has flashed his/her switchhook during a call in progress, requesting
operator assistance, although I'm not positive of this.

(GST) - Guest, Illuminated key lights on all hotel originated calls.

--   Below the above rows of keys and to the far left you will see a row of
keys labeled "Outgoing Trunks". TSPS utilizes this group of keys to select
various outgoing trunk groups. The keys are used as follows:

(DA) - Directory Assistance, Illuminated key. Used by TSO to place calls to the
directory assistance group.

(R&R) - Rate & Route, Illuminated key. Used to place calls to rate and route, I
believe TSPS now goes to the Universal Rate and Route position known to all you
boxers to be found at KP+800+141+1212+ST.

(SWB) - Switchboard, Illuminated key. I believe this key is used to reach a
cord-board position, although I have no evidence of this.

(OGT) - Outgoing Trunk, Illuminated key. Depressed by TSO to select an outgoing
trunk to be used to place operator assisted calls, special purpose calls (ie.
Inward), etc..

--   To the right of this row of keys you will find the group labeled "Ring".
These keys are utilized by TSPS to activate special purpose ring features and
line handling.

(BAK) - Ring Back, Illuminated key. Used by TSO to ring the originating party's
line while holding the forward line in the event that the originating party
loses his connection.

(FWD) - Ring Forward, Illuminated Key. Exactly the opposite of ring back.

(CAL BAK) - Call Back, Illuminated key. Used in special operator call back
situations on person to person calls where the called party is not available
but a message is left anyway. I really don't understand its full potential and
most positions I have spoken with don't either.

(T&C) - Time and Charges, Illuminated key.

(Nfy) - Lamp.  Used in Non-ACTS (Automatic Coin Toll Service) originated calls,
lights to inform TSPS to notify caller of expiration of initial n minute period
(n = number of minutes entered via the KP NFY key at the origination of the

(Chg Due) - Lamp. Lights to inform TSO that more money is needed at the
completion of a TSO assisted coin call, the usual procedure is to ring the coin
station back and attempt to frighten the customer into making the proper
deposit ("If you don't pay we'll bill the called party...").

(Key Clg) - Key Calling, Lamp. This lamp is used by TSPS to determine the
status of an incoming "Operator Number Identification" (ONI) marked caller or
an incoming caller that was routed to TSPS due to an "ANI Failure" (ANIF). Both
call conditions come to as a "0+" call (hotel, non-coin, coin - see above), if
the calling party is marked as "ONI Required" the appropriate "0+" lamp will
light, and the "Key Calling" lamp will be LIT STEADY. If the incoming call was
due to an ANIF, the "0+" lamp will be lit, and the "Key Calling" lamp will be

--   Directly to the right of the "Ring" group of keys you will find the
RELEASE set of keys. These two Illuminated keys allow the TSO to selectively
release (disconnect from) either the calling, or called parties by pressing
either the "Release Back" (BAK), or "Release Forward" (FWD) key respectively.

--   To the right of the release set, you will see a group of four keys with
no particular "group designation". These again are various multi-purpose keys
that serve the following:

(SR) - Service (assistance) Required, Illuminated Key. Pressed by TSO to
Forward calling party to a supervisory console (ie. Irate Customers demanding
supervisor), can also be used if she is confused and needs assistance.

(MB) - Make Busy, Illuminated key. Used to "Busy out" her console, lights when
pressed, console will not take any incoming calls until it is pressed again.
(ie: Useful when gabbing, doing nails, or filling out time/trouble tickets).

(Mt) - Maintenance, Lamp. This lamp Illuminates to warn the TSO that her
console has been placed into remote maintenance/testing mode.  A flashing MTNC
lamp indicates a faulty console.

(PT) - Position Transfer, Illuminated Key. A TSO depresses this key to transfer
the call in progress from her console (position) to another console.

--   Below the "Outgoing Trunk" keygroup, you will see a Lamp marked "Cw" Call
Waiting - This lamp lights on every active console to inform a TSO that there
are incoming calls waiting.

--   To the far right of the "Cw" lamp, you will find the AMA group of keys,
broken into two sub-groups, which are "Station" and "Person". A complete
description of each key in this group would require more room than I have
available here, so if there's sufficient interest I will devote another article
to the use of these keys.  Basically these keys are used in conjunction with
the "KP" and "AMA Timing" groups of keys (see below), for attaching the
appropriate class of charge to the call being originated. The keys in the
"Station" sub-class from left to right are "Paid" (PA), which is used to attach
a "Station to Station" originating caller paid class of charge, "Collect" (COL)
to attach "Station to Station" Collect Call, "Special Calling" (SP CG) and
"Special Called" (SC CD), which are both used in "Special" Station to Station
billing procedures, such as third party, or credit card calls, "Auto Collect"
(AT CT), used in coin billing procedures, and "Direct Distance Dialing" (DDD),
which attaches a DDD class of charge in cases where you have trouble dialing a
number and require operator assistance in completing a call.  Below this row of
keys you will find the "Person" sub-group of AMA keys. Their uses are identical
to those in the "Station to Station" group, only they attach a "Person to
Person" rate of charge. The "No AMA" (NO AMA) key is pressed to eliminate a
charge for a person to person call where the called party is unavailable.
Although all the keys in this group can take on different meanings under
different conditions, the above definitions are suitable for the sake of this
article. All keys in this group are Illuminated keys.

--   Below the "Cw" lamp you will find two keys under the heading "Coin 2".
Their uses on "Coin originated (payphone)" calls are: "Coin Collect" (COL),
which causes the payphone to collect coin, and "Coin Return" (RET), which
causes it to return a coin. Both are Illuminated Keys.

--   To the right of the "Coin 2" group, you will find the "AMA Timing" group.
These keys are used in conjunction with the "AMA" and "KP" groups for:

(CA TMG) - Cancel Timing, Illuminated Key. Cancels AMA timing charges and also
allows TSO to change the class of charge on a call.

(ST TMG) - Start Timing, Illuminated Key. Used to start AMA timing after
appropriate class of charge has been entered, and the calling party has reached
the called party in person to person calls (or in station to station DDD calls,
destination ring has been established).

(CA CAL) - Cancel Call, Illuminated Key. Used in conjunction with the Cancel
Timing key to Cancel a call and mark a "NON-COMPLETED" call on the AMA tapes
(ie. A person to person call where the called party is not available).

(REC MSG) - Record (AMA) Message, Illuminated Key. Used at the completion of
(completion meaning calling & called party are done talking), to record the
time of the call and the appropriate class of charge onto the AMA tapes and
releases their forward connection.

--   To the right of the AMA timing group you will see three columns of four
buttons under the heading of Loop Control. These allow the TSO to access any of
the three loops available to her for placing calls. The keys have identical
meaning in each set; they are used in the following manner:

(CLG) - Calling Party, Lamp. Lights to signify person on said loop is a calling

(CLD) - Called Party, Lamp. Lights to signify that person on loop is a called

(HLD) - Hold, Illuminated key. Places a loop into a hold state, the calling and
called party can talk to each other, and AMA timing can be started. The call is
held at the console.

(ACS) - Access, Illuminated key. Used by TSO to initially access a loop.
Pressing this key selects an outgoing loop, and readies the console for placing
a call onto it. It is also used to allow TSO back into a loop(s) in a HOLD

--   To the right of the loop control group you will see the "Keypulse Key"
group. These keys are pressed by the TSO to initialize the keypad parser into
the proper mode for entering information, which is completed/entered by
pressing the ST (START) key (to right of keypad). Their uses are as follows:

(KP TB) - KP Trouble, Illuminated key. Used to enter various TSO encountered
trouble codes such as noisy line, customer(s) were cut off, couldn't complete
call, etc. I believe the format for entering a trouble code is as follows: "KP
TBL + TC + NTE + CN + ST" where KP TBL = KP Trouble Key, TC = 2 Digit Trouble
code, NTE = Number of times Trouble was encountered (1 Digit), CN = Callers
(phone) Number, and ST = the START key. A record of the trouble is made on the
AMA tapes and the calling party is usually given credit.

(KP RT) - KP Rate, Illuminated. Used to enter and display Rate (Charge)
information. Can also be used to display rate information at a customer

(KP HO) - KP Hotel, Illuminated Key. Used for manually entering a verbally
requested room number on  Hotel/Motel originated calls.

(KP NY) - KP Notify, Illuminated key. Used for entering time in Minutes on a
NON-ACTS originated Coin call, when entered time duration is up, it causes the
NFY Lamp (See above) to Flash.

(KP SP) - KP Special, Illuminated Key. Used for entering Special numbers such
as credit card id's and third party billing numbers, causes TSPS software to
automatically query the BVA (Billing Validation) database to check validity of
number/CC, will flash if billing to an illegal card or number is attempted.

(KP BK) - KP Back, Illuminated Key. Used in entering the calling number in ANI
failures (ANIF), and ONI (Operator Number Identification) required situations.

(KP FD) - KP Forward, Illuminated. Most commonly used KP Key. Used to enter
called party's number on all TSO assisted calls. Pressing the ST (START) key
causes the entered number to be applied onto the accessed trunks in MF.

(ST) - Start, Illuminated Key (Found to the right of the keypad). Used in
completing all KP+number sequences listed above.

-- Below the "Coin 2" set of keys you will see the (POS RLS) - Position
Release key. This key is used by the TSO to release her position from the call.
She would hit POS RLS after completing a call, and also to release a person
calling to ask her questions and not actually requesting a call be placed (ie.
Name/place requests, etc.)

-- Below the Position Release key you will see a set of 5 keys labeled
"Display Control". These keys are used to make the console display show
various information. Their use is as follows:

(TIM) - Time, Unlighted Key. Displays time of day in Military format.

(CHG MIN) - Charge per Minute, Unlighted Key. Displays the $ charge per minute
on a call in progress.

(CLG NUM) - Calling Number, Illuminated Key. Displays the number of the calling

(CLD NUM) - Called number, Illuminated Key. Displays the number of the called

(SPL NUM) - Special Number, Illuminated Key. Displays various special numbers
such as Calling Card numbers, and third party billed numbers. Use of this key
in displaying Calling Card numbers is as follows:  Press it once and you get the
first 10 digits of a 16 digit Calling Card, press it a second time and you get
the second 6 digits of the Calling Card, press it again and it darkens the
display.

-- That's it for the keys on the console. On the left hand side of the diagram
you will see the "Multi Leaf Bulletin Tray". This is an all purpose holder for
information leaflets that contain information on special numbers, Rate & Route
information, special non-standard assistance routes, and various other TSPS
related information. At the lower right hand side of the console is the "Number
Plate". This is simply the console's Position number and ID number. It is a
stamped metal plate. I haven't figured out any way to abuse it yet, other than
scaring a TSO by knowing of its existence.

** That's about it for this article, if there is sufficient interest in TSPS I
will write further articles with more detail on the actual procedures used by
the TSPS operator in call handling and such, I will also be writing an article
on the BOC TOPS (Toll Operator Position Service) operators that have begun to
pop up since the divestiture when I get some better information on the position
itself. It seems that AT&T inwards no longer handle only long distance
assistance in TOPS services areas and the TOPS op's handle all local area

                                  Chapter 4

                         Building Your Own Blue Box

    This Blue Box is based on the Exar 2207 Voltage Controlled Oscillator.
There are other ways to build Blue Boxes, some being better and some not as
good, but I chose to do it this way.  My reason for doing so: because at the
time I started this project, about the only schematic available on BBS's was
the one written by Mr. America and Nickie Halflinger.  Those plans soon (in
about 90 seconds) became very vague in their context with a couple of
inconsistencies, but I decided to "rough it out" using those plans (based on the
Exar 2207 VCO) and build the Blue Box using that as my guide.  During the
construction of the Blue Box, I decided to type-up a "more complete and clear"
set of Blue Box schematics than the file that I based mine on, in order to help
others who may be trying/thinking of building a Blue Box.  I hope these help.

    Note:  You should get a copy of the Mr. America/Nickie Halflinger Blue Box
plans.  Those plans may be of help to anyone who may have difficulty
understanding these plans.  Also, these plans currently do not support CCITT.

Why should I build a Blue Box ?

   Many of you may have that question, and here's my answer. Blue Boxing was
the origin of phreaking (excluding whistling). Without the advent of Blue
Boxes, I feel that some of the advances in the telecommunications industry
would've taken longer to develop (The need to stop the phone phreaks forced
AT+T Bell Laboratories to "step up" their development to stop those thieves!).
    There is no harm in building a Blue Box (except the knowledge you will
gain in the field of electronics).  Although there are software programs (Soft
Blue Boxes) available for many micro's that will produce the Blue Box
Multi-Frequency (MF) tones, they are not as portable as an actual Blue Box (you
can't carry your computer to a telephone, so you must use it from home which
could possibly lead to danger).
    Many phreaks are announcing the end of the Blue Box Era, but due to
discoveries I have made (even on ESS 1A and possibly ESS 5), I do not believe
this to be true.  Although many people consider Blue Boxing "a pain in the
ass", I consider Blue Boxing to be "phreaking in its purest form".  There is
much to learn on the current fone network that has not been written about, and
Blue Boxes are necessary for some of these discoveries.  The gift of free fone
calls tends to be a bonus.

    Note: Blue Boxes also make great Christmas gifts!

Items needed to construct a Blue Box.

    Here is the list of items you will need and where you can get them.  It
may be a good idea to gather some of the key parts (the chips, and especially
the potentiometers, they took about 6 months to back order through Digi-key.  A
whole 6 fucking months!) before you start this project.  Also, basic
electronics tools will be necessary, and you might want to test the circuit on
a bread board, then wire-wrap the final project. Also, you will need a box of
some sort to put it in (like the blue plastic kind at Radio Shack that cost
around $5.00).

    Note: An oscilloscope should be used when tuning in the
          potentiometers because the Bell system allows
          only a 7-10% tolerance in the precision of the

Qty | Item                | Part No. | Place
1   | 4 x 4 Keypad        |          | Digi-Key
6   | Inverter Chip       | 74C04    |
32  | Potentiometer       |          |
1   | 4-16 Converter Chip | 74LS154  |
1   | 16 Key Decoder      | 74C922   |
2   | 2207 VCO            | XR2207CP | Exar Corp.
3   | .01 uf Capacitor    | 272-1051 | Radio Shack
5   | .1 uf Capacitor     | 272-135  | Radio Shack
2   | 1.5K Ohm Resistor   |          | Radio Shack
2   | 1.0K Ohm Resistor   |          | Radio Shack
1   | Speaker             |          | From an old Autovon fone.
1   | 9 Volt Battery      |          | Anywhere

    The resistors should be a +/- 5% tolerance.
    The speaker can be from a regular telephone (mine just happened to be from
an old Autovon phone).  But make sure that you remove the diode.
    The Potentiometers should have a 100K Ohm range (but you may want to make
the calculations yourself to double check).
    The 9-volt battery can be obtained for free if you use your Radio Shack
Free Battery Club card.
    The Exar 2207 VCO can be found if you call the Exar Corp. located in
Sunnyvale, California.  Call them, and tell them the state you live in, and
they'll give the name and phone number to the distributor that is located
closest to you. The 2207 will vary from about $3.00 for the silicon-grade
(which is the one you'll want to use) to about $12.00 for the high-grade
Military chip.
    Note:  When you call Exar, you may want to ask them to send you the
spec-sheets that give greater detail as to the operation and construction of
the chip.

                              Schematic Diagram

            +--------------+            +-------------+
            |  1  2  3  A  |            |  Figure #1  |
            |  4  5  6  B  |            +-------------+
            |  7  8  9  C  |            | Logic Side  |
            |  *  0  #  D  |            +-------------+
             1 | 3 | 5 | 7 |           (VCC)
             | 2 | 4 | 6 | 8           (+5 Volts)    +----+
             | | | | | | | |             [+]         |   _|_
             | | | | | | | |              |          |   X_/GND
          +--+-+-+-+-+-+-+-+----+      +--+----------+---+
          |  2 | 11| 10| 7 |    |      |  14         7   |
  (.01C)  |  | 3 | 4 | 8 | 1  12+------+1                |
  +--||---+5                  13+------+2   (*74C04*)    |
 _|_      |                     |      |                 |
 X_/GND   |     (*74C922*)      |      +-----------------+
    +--||-+6                    |
    |(.1C)|                     |
   _|_    |                     |
   X_/GND |   9  17 16 15 14  18|
             |  |  |  |  |   |
            _|_ A  B  C  D   |
         GNDX_/ |  |  |  |  [+] (VCC)      [+] (VCC)
                |  |  |  |      (+5 volts)  |  (+5 volts)
                |  |  |  |                  |
         |      23 22 21 20                 24             18+-+
   +-----+12                                                 | +--+
   |     |                 (*74LS154*)                     19+-+ _|_
  _|_    |                                                   |   X_/
  X_/GND |  1  2  3  4  5  6  7  8  9 10 11 13 14 15 16 17   |   GND
            1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
            |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |
                                                        |    (Connects)
                                                        | +---------->
                               +------------------------+ |  (Figure 2)
                               |       +--+       +-------+
                               |       |  |       |
                            |  3--|>o--4  5--|>o--6   |
                            |   (Invtr.)   (Invtr.)   |
            +---------------+7                        |
           _|_              |        (*74C04*)        |
        GNDX_/   (VCC) [+]--+14                       |
               (+5 volts)   |                         |

   +-------------+                                  _
   |  Figure #2  |                                 / |
+---+-------------+----+          +----------------+  |
| Tone Generation Side |         _|_               |  | SPKR
+----------------------+      GNDX_/    +---+--+---+  |
                                       |   |       X_|
                                       |   |
                                       |   |  +---------------+
          +-------+                    |   |  |               |
          |      _|_                   |   +--+14             |
          |      X_/GND                |      |  (Repeat of)  |
          |                            |      |    (First)    |
        ----- (.1C)                    |      |   (Circuit)   |
        -----                          |      |               |
          |                            |      | (*XR2207CP*)  |
          |       +-----------------+  |   +--+6              |
          |       |                 |  |   |  |               |
  [+]-----+-------+1              14+--+   |  +---------------+
 (VCC)            |                 |      +--------------------+
(+9 Volts)   +----+2                |                           |
             |    |               12+---------------------+     |
    (.01C) -----  |                 |                    _|_    |
           -----  |  (*XR2207CP*)   |                    X_/GND |
             |    |                 |       1.5K Ohms           |
             +----+3              11+---+---X/XRx/X/---+--+     |
                  |                 |   |              | _|_    |
                  |                 |   +---X/XRx/X/---+ X_/GND |
                  |                 |       1.0K Ohms           |
                  |               10+----+                      |
    +-------------+6               9+----+---+                  |
    |             |                8+----+   |                  |
    |             |                 |      ----- (.1C)          |
    |             +-----------------+      -----                |
    +---------+                             _|_      +----------+
    |         | Pot.                     GNDX_/ Pot. |          |
    |        X/X/X/X/--+-----------------------X/X/X/X/         |
    |         1400 Hz. |                        1600 Hz.        |
    +---------+        |                             +----------+
    |         | Pot.   |                        Pot. |          |
    |        X/X/X/X/--+----------------+------X/X/X/X/         |
    |         1500 Hz. |                |       900 Hz.         |
    |                  |                |                       |
    |     14 more      |                |       14 More         |
    |   Potentiometers |                |     Potentiometers    |
    |     in this      |                |       in this         |
    |   area left out  |                |     area left out     |
    |   for simplicity |                |     for simplicity    |
    |                  |                |                       |
    |                  |                |                       |
           (Connects)  |
           (Figure 1)

Multiplex Keypad System

    First, the multiplex pattern used in the 4x4 keypad layout. I suggest that
keys 0-9 be used as the Blue Box's 0-9 keys, and then you can assign A-D, *, #
keys to your comfort (ie. * = Kp, # = St, D = 2600, and A-C as Kp1, Kp2, or
however you want).

    Note: On your 2600 Hz. key (The D key in example above)
          it may be a good idea to tune in a second
          potentiometer to 3700 Hz. (Pink Noise).

   Keypad      Key Assignments   Multiplex Pattern
 +---------+   +-------------+    +------------+
 | 1 2 3 A |   | 1  2  3  4  |    | 1  2  3  A |----Y1=8   X1=3
 | 4 5 6 B |   | 5  6  7  8  |    | 4  5  6  B |----Y2=1   X2=5
 | 7 8 9 C |   | 9  10 11 12 |    | 7  8  9  C |----Y3=2   X3=6
 | * 0 # D |   | 13 14 15 16 |    | *  0  #  D |----Y4=4   X4=7
 +---------+   +-------------+    +------------+
                                    |  |  |  |
                                    X1 X2 X3 X4

Blue Box Frequencies

    This section is taken directly from Mark Tabas's "Better Homes and Blue
Boxing" file Part 1.

Frequencies (Hz)  Domestic  Int'l
 700+900            1         1
 700+1100           2         2
 900+1100           3         3
 700+1300           4         4
 900+1300           5         5
1100+1300           6         6
 700+1500           7         7
 900+1500           8         8
1100+1500           9         9
1300+1500           0         0

 700+1700         ST3p      Code 11
 900+1700         STp       Code 12
1100+1700         KP        KP1
1300+1700         ST2p      KP2
1500+1700         ST        ST
2600+3700         *Trunking Frequency*

    Note: For any further information about the uses or duration of the
frequencies, read the Mark Tabas files.
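
    The frequency table above read in the other direction, as an added example
that is not part of the original file: a Goertzel filter bank that recognises
the MF pairs in sampled audio, the kind of check a line-monitoring or recording
analysis tool can use to spot in-band signalling tones.  The 8 kHz sample rate,
20 ms frame, thresholds and the synthetic test input are assumptions of this
example.

```python
import math

SAMPLE_RATE = 8000   # assumption: 8 kHz telephony sampling
FRAME = 160          # assumption: 20 ms frames, so each MF tone sits on an exact 50 Hz bin
MF_TONES = (700, 900, 1100, 1300, 1500, 1700)

# Frequency pairs and their domestic meanings, copied from the table above.
MF_PAIRS = {
    (700, 900): "1", (700, 1100): "2", (900, 1100): "3",
    (700, 1300): "4", (900, 1300): "5", (1100, 1300): "6",
    (700, 1500): "7", (900, 1500): "8", (1100, 1500): "9",
    (1300, 1500): "0",
    (700, 1700): "ST3p", (900, 1700): "STp", (1100, 1700): "KP",
    (1300, 1700): "ST2p", (1500, 1700): "ST",
}


def goertzel_power(frame, freq):
    """Squared DFT magnitude of `frame` at `freq` (Goertzel single-bin filter)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_frame(frame):
    """Return the MF symbol carried by one frame, or None if it is not an MF pair."""
    energy = sum(x * x for x in frame)
    if energy < 1e-6 * len(frame):        # assumed silence floor for unit-scale samples
        return None
    # Fraction of the frame's energy found at each MF tone.
    share = {f: 2.0 * goertzel_power(frame, f) / (len(frame) * energy)
             for f in MF_TONES}
    first, second, third = sorted(MF_TONES, key=share.get, reverse=True)[:3]
    # Accept only two roughly balanced tones that carry nearly all the energy;
    # speech, a single tone, or three tones at once fail one of these checks.
    if share[first] + share[second] < 0.8 or share[second] < 0.25 or share[third] > 0.05:
        return None
    return MF_PAIRS[tuple(sorted((first, second)))]


def decode(samples, min_frames=2):
    """Return [(start_seconds, symbol)], one entry per run of >= min_frames equal frames."""
    events, current, run, start = [], None, 0, 0
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        sym = classify_frame(samples[i:i + FRAME])
        if sym == current:
            run += 1
        else:
            current, run, start = sym, 1, i
        if sym is not None and run == min_frames:   # debounce: report each run once
            events.append((start / SAMPLE_RATE, sym))
    return events


def constructed_audio():
    """Constructed detector input (not a recording): KP 1 2 ST, then a lone 700 Hz tone.

    The 60 ms burst and gap lengths are arbitrary values chosen for this test.
    """
    def burst(freqs, frames=3, amp=0.4):
        return [amp * sum(math.sin(2 * math.pi * f * n / SAMPLE_RATE) for f in freqs)
                for n in range(frames * FRAME)]

    gap = [0.0] * (3 * FRAME)
    audio = []
    for pair in ((1100, 1700), (700, 900), (700, 1100), (1500, 1700)):
        audio += burst(pair) + gap
    return audio + burst((700,))          # single tone: must not be reported


if __name__ == "__main__":
    for seconds, symbol in decode(constructed_audio()):
        print(f"{seconds:6.2f}s  {symbol}")
```
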

Schematic Help

    This is the Key to the diagrams in the schematic.  I hope that they help
more than they might hurt.

   X_/GND   is the Ground symbol

    | |
 ---| |--   is the Capacitor symbol
    | |     (.1C)  stands for a .1 uf Capacitor
            (.01C) stands for a .01 uf Capacitor
  -----     is another Capacitor symbol

--X/XRx/X/-- is the Resistor symbol (The 1.5K Ohm and 1.0K Ohm
                                    Resistors are at +/- 5% )
 X/X/X/X/-- is the Potentiometer symbol (The frequencies I supplied
                                         above are just examples.)
--|>o--     is the Inverter symbol


    This is just one way to build a Blue Box.  If you choose this way, then I
hope this file is adequate enough to aid you in the construction.  Although
these are not the best plans, they do work. This file does not tell you how to
use it or what to do once it's built.  For that information I recommend that you
read Mark Tabas's "Better Homes and Blue Boxing" files, or any other files/BBS
subboards that deal with that realm.



    At last, this article would not be possible without the help of the
following people/places who contributed to it in one way or another (it may
not be apparent to them, but every minute bit helps).

Deserted Surfer   (Who helped immensely from Day 1 of this project.)
                 (Without his help this file would not be.)
Mark Tabas        (For the BHBB files which inspired my interests.)
Nickie Halflinger (For the original Blue Box plans I used.)
Mr. America       (For the original Blue Box plans I used.)
Lex Luthor
Cheap Shades
Exar Corp.

Lastly, I would like to thank the United States government for furnishing
federal grants to this project. Without their financial help, I would have had
to dish out the money from my own pocket (Approximately $80.00. Egads!)


                                  Chapter 5

                       Outside Loop Distribution Plant


       Basically, the outside local loop distribution plant consists of all
of the facilities necessary to distribute telephone service from the central
office (CO) out to the subscribers.  These facilities include all wire, cable,
and terminal points along the distribution path.  In this article, we shall
follow this path from the CO to the subscriber, examining in depth each major
point along the route and how it is used. This is especially useful for
checking if any 'unauthorized equipment' is attached to your line, which would
not be attached at the Central Office. I suppose this article can also be
interpreted to allow someone to do just the opposite of its intended purpose...

       Note that this article is intended as a reference guide for use by
persons familiar with the basics of either LMOS/MLT or the operation of the
ARSB/CRAS (or hopefully both), because several references will be made to
information pertaining to the above systems/bureaus. I have no manuals on this
topic; all information has been obtained through practical experience and
social engineering.


Serving Area Concepts (SAC) plan

       In order to standardize the way loop distribution plants are set up in
the Bell System of the U.S. (and to prevent chaos), a reference standard design
was created.  For urban and suburban areas, this plan was called the Serving
Area Concepts (SAC) plan.  Basically, in the SAC plan, each city is divided
into one or more Wire Centers (WC) which are each handled by a local central
office switch.  A typical WC will handle 41,000 subscriber lines. Each WC is
divided into about 10 or so Serving Areas (depending on the size and population
of the city), with an average size of 12 square miles each (compare this to the
RAND (Rural Area Network Design) plan where often a rural Serving Area may
cover 130 square miles with only a fraction of the number of lines).  Each
Serving Area may handle around 500-1000 lines or more for maybe 200-400
housing units (typically a tract of homes).
       From the CO, a feeder group goes out to each Serving Area.  This
consists of cable(s) which contain the wire pairs for each line in the SA, and
it is almost always underground (unless it is physically impossible). These
feeder cables surface at a point called the Serving Area Interface (SAI) in a
pedestal cabinet (or "box").  From the SAI, the pairs (or individual phone
lines) are crossed over into one or several distribution cables which handle
different sections of the SA (ie. certain streets).  These distribution cables
are either of the aerial or underground type.  The modern trend is to use
buried distribution cables all the way to the subscriber premises, but there
are still a very large number of existing loop plants using aerial
distribution cables (which we will concentrate mainly upon in this article).  These
distribution cables are then split up into residence aerial drop wires (one
per phone line) at a pole closure (in aerial plant), or at a cable pair to
service wire cross box (in buried plant).  The cable pairs then end up at the
station protector at the customer's premises, where they are spliced into the
premise "inside wire" (IW) which services each phone in the customer's
premises (and is also the customer's responsibility).
       Although this is the "standard" design, it is by no means the only
one!  Every telco makes its own modifications to this standard, depending
on the geographic area or age of the network, so it's good to keep your eyes
and your mind open.

At this point, we will detail each point along the Loop Distribution Plant.


Cable Facility F1 - CO Feeder

       The F1 cable is the feeder cable which originates at the Main
Distribution Frame (MDF) and cable vault at the local CO and terminates at the SAI.
This cable can contain from 600 to over 2000 pairs, and often more than one
physical F1 cable is needed to service a single Serving Area (at an SAI).
The F1 is almost always located underground, because the size, weight, and
number of feeders leaving the CO makes it impossible to put them on normal
telephone poles.  Since it is also impractical to use one single piece of
cable, the F1 usually consists of several pieces of large, pressurized or
armored cable spliced together underground (this will be covered later) into
a single cable.

Cable Numbering

       In order to make locating cables and pairs easier (or possible, for
that matter), all of the cables in the loop distribution plant are numbered,
and these numbers are stored in databases such as LMOS at the ARSB or other
records at the LAC (Loop Assignment Center) or maintenance center. When trying
to locate someone's cable pair, it helps a great deal to know these numbers
(although it can be done without them with experience and careful
observation).  Probably the most common place to find these numbers is on a BOR,
in the "Cable & Assignment Data" block.  The F1 is usually assigned a number
from 00 to 99 (although 000-999 is sometimes used in large offices).  Cable
>pair< numbering is different however, especially in older offices; typical F1
pair numbers range from 0000 to 9999.  Keep in mind that the pair number is not
concrete -- it is merely nominal, it can change, and it doesn't necessarily
have any special meaning (in some well organized offices, however, the cables
and pairs may be arranged in a certain way where you can determine what area
it serves by its number (such as in my area...heh heh); in any case, it's up
to you to figure out your area's layout).  Anyway, the cable-pair number is
usually written in a format such as 02-1495, where 02 is the cable and 1495 is
the pair (incidentally, since this is the CO Feeder cable pair that is
connected to the MDF, it is the one that will be listed in COSMOS).

F1 Access Points

       Although the F1 is run underground, there is really not a standard
access point down there where a certain pair in a cable can be singled out
and accessed (as will be explained next).  There is, however, a point above
ground where all the pairs in the F1 can be accessed -- this point is known
as the Serving Area Interface (SAI), and it will be detailed later.  In LMOS
or other assignment records, the address of the SAI will be listed as the
TErminal Address (TEA) for the F1 cable handling a certain pair in question;
therefore, it is where facility F1 stops.


Underground Plant

       The term "Underground Plant" refers to any facilities located below
the surface of the earth; this includes truly "buried" cables, which are
located 6-or-so feet underground surrounded basically by a conduit and dirt,
as well as cables placed in underground cement tunnels along with other
"below-ground" equipment (such as seen in most urban areas).  Whereas the
first type is really impossible to access (unless, of course, you want
to dig for a day or so and then hack into an armored, jelly-filled PIC cable--
then you should take a bit of advice from our resident Icky-PIC "Goo" advisor,
The Marauder), the latter type can be accessed through manholes which lead to
the underground tunnel.


       Bell System manholes are usually found along a main street or area
where a feeder cable group passes through.  Using an underground cable
location map is the best method for locating cable paths and manhole
appearances, although it may not always be available.  These maps can be acquired
from the Underground Service Alert (USA) (at 800-422-4133), but often a
"cable locator" will be dispatched instead (usually he will just mark off
how far down or where you can dig without hitting a cable), so this is not
a very practical method.  Of course, you can always follow the warning signs
on telephone poles ("call before you dig", etc) and the spans between SAI
bridging heads until you find a manhole.  The F1 for the SAI nearest the
manhole should be found down there along with others en route to the areas
they serve.
       There are several types of manhole covers, both round and rectangular.
The rectangular ones are sometimes just hinged metal plates covering an
underground terminal or cable closure, and these are easily opened by one person.
A non-hinged one may require two people.  Round manhole covers (which, by the
way, are round so that a lineman can't accidentally drop the cover down the
hole) are basically all the same, except for the types known as "C" and "D"
type manhole covers which utilize locking bolts (these can be removed using a
standard crescent or hex socket wrench).  These covers are the same as the
order.  This is aided even further by the fact that since F1's usually last
longer than F2 facilities, there are often more spare provisional F2
facilities in the loop plant (ie. 100 feeders in, 300 F2 out (200 aren't cross-
connected to F1's)). So there is a good chance that you will find one that is
distributed to your area.  Other spare facilities include "floaters", which
are like spare feeder pairs, except they are ACTIVE lines.  Often, a telco will
extend whole feeder groups to more than one SAI in provision for future
expansion, including active cable pairs.  If you find a working pair on a feeder
panel which is not cross-connected to a distribution pair, that pair is a
floater.  This is by far the best way to covertly access a certain pair,
because most linemen will probably not be aware of the pair's presence (it
looks unused on the surface).  Beware! If you think you can hook up to
someone's floater and get free service, you're probably wrong (so many other
people have been wrong, in fact, that Pacific Bell has a special "Form K-33"
to report this type of fraud), because the telco is more aware of this than
you may think.  Obviously any toll call you make will show up on the bill for
that line.  A do-it-yourself spare pair activation can avoid this problem, if
done correctly.
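
       The spare-facility bookkeeping above, seen from the records side, as an
added example (not part of the original article): reconciling a field survey
of one SAI's feeder panel against the assignment records lists the floaters
and any jumper the records do not account for.  The data layout, the status
names and every pair number below are constructed for the example.

```python
def audit_sai(feeder_status, recorded, observed, f2_total):
    """Reconcile one SAI's feeder panel against its assignment records.

    feeder_status: {F1 pair: "working" | "spare"} from a line test per feeder pair
    recorded:      {F1 pair: F2 pair} cross-connects the records list for this SAI
    observed:      {F1 pair: F2 pair} jumpers actually found on the panel
    f2_total:      number of distribution pairs leaving the SAI
    """
    findings = {"floater": [], "unrecorded_jumper": [],
                "missing_jumper": [], "wrong_jumper": []}
    for f1 in sorted(set(feeder_status) | set(recorded) | set(observed)):
        status = feeder_status.get(f1, "unknown")
        rec, obs = recorded.get(f1), observed.get(f1)
        if rec is None and obs is None:
            # Active feeder pair with no cross-connect here: a floater.
            # Expected by design, but it should be on the watch list.
            if status == "working":
                findings["floater"].append(f1)
        elif rec is None:
            # A jumper nobody assigned; on a working pair this is the
            # floater-abuse case and the first thing to investigate.
            findings["unrecorded_jumper"].append((f1, obs, status))
        elif obs is None:
            # Records say in service, panel says otherwise.
            findings["missing_jumper"].append((f1, rec))
        elif obs != rec:
            findings["wrong_jumper"].append((f1, rec, obs))
    # Distribution pairs with no jumper at all (spare provisional F2).
    findings["spare_f2"] = f2_total - len(set(observed.values()))
    return findings


# Constructed survey of a six-pair slice of feeder cable 02.
FEEDER_STATUS = {
    "02-1495": "working", "02-1496": "working", "02-1497": "spare",
    "02-1498": "working", "02-1499": "working", "02-1500": "working",
}
RECORDED = {"02-1495": "0231-495", "02-1496": "0231-496", "02-1500": "0231-500"}
OBSERVED = {"02-1495": "0231-495", "02-1498": "0231-502", "02-1500": "0231-501"}

if __name__ == "__main__":
    for kind, items in audit_sai(FEEDER_STATUS, RECORDED, OBSERVED, 12).items():
        print(kind, items)
```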

End of First half, attach second half here.


*** Second half of The Outside Loop Distribution Plant starts here. ***

Cable Facility F2 - Distribution

       The F2 distribution cable is the cable which originates from the F1
feeder in the SAI and distributes individual cable pairs to each subscriber.
This cable can be one of two types: aerial or buried.  The most common is the
aerial distribution cable, although buried cable is the modern trend.  In the
case of aerial F2, the cable or cables leave the SAI underground, and at the
first telephone pole on the distribution span, the cable is routed up the pole.
It then is suspended on the span, such as down a street, and at each group of
houses there is a terminal on the span. This terminal is the aerial drop
splitter, and its purpose is to break off several pairs from the distribution cable
in order to distribute them (in the form of aerial drop wires) to each house or
premise.  The location or address of the premise nearest this aerial drop
splitter is the TErminal Address of the F2 serving a certain pair (each group
of pairs in the F2 will have its own terminal address, unlike the one address
for the F1 terminal (SAI)).  The F2 cable is always the lowest cable on the
telephone pole, and it is usually a great deal larger than the electric power
distribution cables above it.  Often more than one F2 can be seen on a single
pole span.  In this case, the top F2 will usually be the one which is being
distributed to the subscribers on that street, and the lower (and most often
larger) cables are other F2's coming from an SAI and going to the streets
which they service:  These cables consist of multiple spliced spans, and they
will not have any drop wires coming off them (they are marked every few poles
or so at a splicing point called a "bullet closure" which is fully enclosed
and can be quite large (ie. 6" dia, 20" long) as compared to the normal drop
splitters (ie. or similar 4"w x 5"h x 12"l) -- these closures are clamp
pressurized and are not meant to be opened unless the cable is being replaced or
splicing work is being done.  They are not standard cable/pair access points).
       Buried F2 plant is similar to aerial, except that the cable is not
visible because it is underground.  Instead of going to a pole from the SAI,
the cable continues underground.  The drop wires are also underground, and the
method of breaking them from the distribution cable is similar to that of the
aerial drop splitter, except it is a small pedestal or box located on the
ground near the houses it serves.  The address closest to this pedestal is
the TEA for the F2.


F2 Cable Numbering

       The F2 distribution cable is usually given a 4 or 5 digit number,
depending on the office.  The first 2 or 3 digits should be the number of
the F1 that the F2 was branched off of, and the last 2 or 3 digits identify
the distribution cable. Example-

     F1   Cable                   F2   Cable
            25                          2531
      This F2 cable came from feeder #25^^

       The cable >pair< numbers may be set in a similar way, with the last 3
or 4 digits identifying the pair, and the first digit (usually a 1) identifying
the pair as a feeder or a distribution pair. Example -

     F1   Cable    Pair            F2   Cable    Pair
            25     1748                  2531     748
                   ^--signifies F1 (feeder) cable pair

       Generally, the F1 cable pairs are numbered higher than the F2 cable
pairs, due to the fact that a feeder cable may contain several distribution
cables' worth of cable pairs.  Note once again that all of this numbering
plan is the STANDARD, and it may be far from real life!  As soon as one
distribution pair is replaced, crossed over to another feeder pair, or taken from
service, the set order is interrupted.  In real life, it is most always
necessary to get both F1 and F2 cable assignment data.
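
       The numbering plan above as a records check, added here as an example
(it is not part of the original article): each F1/F2 assignment is parsed and
every departure from the standard plan is listed, which shows which records
still follow the set order.  Reading the pair example as "F1 pair = marker
digit followed by the F2 pair" is an assumption, and the sample records are
constructed.

```python
import re
from dataclasses import dataclass

# "cable-pair" as written in the text, e.g. 02-1495 or 2531-748
_CABLE_PAIR = re.compile(r"^(\d{2,5})-(\d{3,5})$")


@dataclass(frozen=True)
class CablePair:
    cable: str   # kept as text so leading zeros survive ("02")
    pair: str


def parse_cable_pair(text):
    m = _CABLE_PAIR.match(text.strip())
    if m is None:
        raise ValueError(f"not a cable-pair: {text!r}")
    return CablePair(m.group(1), m.group(2))


def deviations(f1_text, f2_text):
    """List the ways one F1/F2 assignment departs from the standard plan."""
    f1, f2 = parse_cable_pair(f1_text), parse_cable_pair(f2_text)
    notes = []
    if len(f1.cable) not in (2, 3):
        notes.append("F1 cable number is not 2 or 3 digits")
    if len(f2.cable) not in (4, 5):
        notes.append("F2 cable number is not 4 or 5 digits")
    elif not (f2.cable.startswith(f1.cable)
              and len(f2.cable) - len(f1.cable) in (2, 3)):
        notes.append("F2 cable does not start with its feeder's number")
    # Assumed reading of the pair example: F1 pair = marker digit + F2 pair.
    if len(f1.pair) == len(f2.pair) + 1 and f1.pair.endswith(f2.pair):
        if f1.pair[0] != "1":
            notes.append("feeder marker digit is not the usual 1")
    else:
        notes.append("F1 pair is not the F2 pair behind a marker digit")
    return notes


# Constructed records: (label, F1 cable-pair, F2 cable-pair).
SAMPLE_RECORDS = [
    ("line-A", "25-1748", "2531-748"),   # the example from the text
    ("line-B", "25-1750", "3106-750"),   # distribution pair on another feeder's cable
    ("line-C", "02-1495", "0217-512"),   # pair replaced, set order interrupted
    ("line-D", "25-2749", "2531-749"),   # unusual marker digit
]


def audit(records):
    """Map label -> deviations for the records that break the standard plan."""
    out = {}
    for label, f1, f2 in records:
        found = deviations(f1, f2)
        if found:
            out[label] = found
    return out


if __name__ == "__main__":
    for label, notes in audit(SAMPLE_RECORDS).items():
        print(label, notes)
```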


Facilities F3-F5, Rural Area Interface (RAI)

       Although cable facilities F3, F4, and F5 may be specified in any loop
plant, they are rarely seen anywhere except in rural areas under the RAND
plan (Rural Area Network Design).  Basically, plants using these extra
facilities are similar to F1/F2 plants, except there are extra cable spans
and/or terminals in the path.  When locating cables, the highest numbered
facility will be at the end of the path, terminating near the subscriber's end
(like a "normal" F2), and the lowest numbered facility will be the feeder from
the CO (like a "normal" F1).  The extra spans will be somewhere in between,
like an intermediate feeder or extra distribution cable with separate cable
access terminals.  One such facility is the Rural Area Interface (RAI), which
can be used in a "feeder-in, feeder-out" arrangement.  This is usually seen on
cable routes of 50 pairs or greater, with a length of longer than 30 kft
(about 6 miles).  In this case, there will be two terminal cabinets in the
feeder path, labelled RAI-A and RAI-B.  The RAI-A is special because it has a
two-part terminal block:  the top has switching panels with 108-type connectors
which cross-connect feeder-in and feeder-out pairs using jumper plugs, and the
bottom has standard 76-type binding posts which cross-connect feeders to
distribution cables for subscribers in the local area of the RAI-A.  The jumper
plugs can only be connected in one way to the switching panels, so random
cross-connection of feeder-in/feeder-out pairs is prevented. In this way, the
cable and pair numbers stay the same as if the feeder cable was uninterrupted.
This is used a lot in rural areas; it allows part of a feeder group to be split
off at the RAI-A like a distribution cable near a town along the route, and
the rest of the feeder group continues on to a town further away, to the RAI-B
where it is terminated as in a "normal" SAI.  In order to access a pair, just
use the last RAI in the span (whichever it is) and treat it just like an SAI.
If the pair terminates at RAI-B, you can also access it at RAI-A! (if you
can locate the pair using color code, BP number, or (ughh) ANI, there should
be test terminals on top of the jumper plugs connecting the 108's on the
switching panel where you can hook your test set -- you can't hook onto a raw
108 connector very easily).  Anyway, the RAI terminal is usually a ground
pedestal with a cabinet such as a 40-type, but it can be aerial mounted on a
pole (hard to access).


Pair-Gain, Carrier Derived Feeder

       Another common facility in rural areas (and in cities or suburbs,
especially near large housing complexes, etc.) is the pair-gain system.  It is
basically a system which consists of a digital link which is distributed,
almost like a normal cable pair, out to a terminal cabinet called a Remote
Terminal (RT) which contains equipment which demultiplexes the digital line
into many "normal" metallic analog telephone lines which go to each subscriber
in the area.  Because the digital line can transmit the audio from several
separate lines and multiplex them onto one cable, only one special cable
pair is needed to come from the CO as a feeder, instead of several separate
ones; this is why it is called a "pair gain" system.  The remote terminal (RT)
contains both the demultiplexing electronics as well as a small "SAI" type
terminal block for connecting the pairs to distribution cables on the side
of the path toward the subscriber.  Because the "feeder" is not a multipair
cable but a digital link (ie. T-carrier), this arrangement is known as a
"carrier-derived feeder."  The SAI part of the RT is used just like a normal
SAI on the distribution side (BLUE), but the feeder side will be slightly
different.  Carrier-derived feeders are always marked with YELLOW labels, and
their pairs will be crossed over to distribution cables just like in an SAI.
So, in order to access a pair in a system like this, you must do so on the
DISTRIBUTION side, because you can't hook an analog test set to a 1.544 Mbps
digital T-carrier line! (or worse yet, a fiber optic cable).  This may be
difficult, because these cabinets are always locked (with few exceptions), so
you'll have to find a terminal closer to the subscriber -- also be aware that
many RT's are equipped with silent intrusion alarms.  Anyway, some common
pair-gain systems are the Western Electric SLC-8, 40, 96, and GTE's MXU,
ranging in size from 8 to over 96 lines.  RT cabinets can often be identified
by the ventilation grilles (with or without a fan inside) which are not
present on SAI's or other non-RT cabinets.

Aerial Distribution Splice Closure,
      Drop Wire Splitter

       This terminal is the point where the individual cable pair for a
certain subscriber is split from the F2 distribution cable and spliced onto
an aerial drop or "messenger" wire which goes to the subscriber's premises.
In an aerial distribution plant, 2 types of this terminal are common:

1> Western Electric 49-type Ready Access Closure / Cable Terminal

2> Western Electric 53A4, N-type Pole Mount Cable Terminals


Type 1>  The 49-type, 1A1, 1B1, and 1C1 closures are all functionally similar.
        This terminal is a semi-rectangular closure, about 15"L x 3"W x 5"H,
        usually black, which is connected directly to the aerial cable itself;
        it is coaxial with the cable, so the cable passes straight through it.
        It splits up to 12 pairs from the distribution cable to a small
        binding post terminal block inside the closure.  Aerial drop wires are
        then connected to these binding posts, and the wires exit the
        terminal through holes on the bottom.  These wires are strung via strain
        relief clamps on the pole down to the subscriber's site.  The terminal
        closure is opened by pulling out and lifting either the whole cover
        or the front panel after removing the cover fasteners on the bottom
        and/or the sides (the closure is a thick neoprene cover over an
        aluminum frame).  Inside the case, there is a terminal block and there
        may be some sort of loading coil as well.  The cable and this coil are
        not openable, but the terminal block is.  Since the F2 pair terminates
        in this closure, the F2 BP number (cable/assignment data) corresponds
        to a binding post on this terminal block.  As mentioned earlier, this
        terminal will also contain spare pairs, in case a subscriber wants
        another line.  In order to use one of these pairs, you must either get
        an F2 (and then F1) CP number from LAC using the BP, or you can put a
        trace tone on the pair at the aerial closure and then locate the pair
        at the SAI.  Then a cross-connect would have to be made to an active
        F1 pair, and a drop wire (ughh) would have to be added back at the
        aerial closure.  Anyway, both the binding posts as well as the holes
        (inside + out) are numbered left to right, so you may not even have
        to open the closure if you are just looking for an F2 BP number --
        just trace the drop wire from the house into the numbered hole on the
        closure. The TErminal Address for the F2 is the address of the house
        or premise closest to the pole near this closure.  These terminals
        (esp. 1A1, etc) are also used for straight and branch splices for
        aerial cables, so you may see one cable in / two out;  also, the
        closure can be used for splicing only, so there may not be drop wires
        (in this case, it won't be listed in LMOS because it is not a terminal
        point).  There is generally one of these every pole near a quad of
        houses or so, mounted on the cable about an arm's length from the
Type 2>  Both the 53A4 and the N-type terminals serve the same function as
        the 49-type just described, except they are used in situations where
        there are more than 4 houses (8 lines, including provisional pairs).
        This terminal is mounted directly on the pole, about a foot down from
        the aerial cable.  It is not connected in line with the cable, so
        there is no F2 splicing area in the cabinet (rather, a cable stub
        comes from the terminal block and is spliced onto the span close to
        where it touches the pole). It is about 22"H x 9"W x 4"D,
        rectangular, and silver (unpainted).  The door is similar to that of a 40-
        type cabinet, but it's much smaller; it is opened using a 7/16" tool
        in the same manner as before, except that the door must be lifted
        before it can be opened or closed.  In this way, the door slides down
        on its hinges when opened, so it locks in the open position and you
        won't have to worry about it (especially nice because hanging onto a
        pole is enough of a problem).  The terminal block can handle from 25
        to 50 pairs, with 32 holes in the back for aerial drop wires.  Just
        as in the Ready Access Closure, this is the F2 terminal, and the
        numbered binding posts and holes correspond to F2 BP numbers.  The
        TEA will be the address nearest the terminal (just as before).  This
        terminal is common at the first pole on a street, on cul-de-sacs,
        apartments, marinas & harbors, or anywhere there are many drop wires.


Buried Distribution Cross Box and Other Pedestals

       This terminal serves the same function as the aerial closures, except
it is used in areas with a buried distribution plant.  The cable assignment
for this terminal will be the F2 terminal, and the BP numbers and TEA will
be the same as for the aerial terminals.  Probably the most common cross-boxes
are the PC4, 6, and 12; these are around 50" tall by 4, 6, or 12" square
respectively, and they are painted gray-green like SAI cabinets.  These are the
smallest pedestals in the distribution plant, and they don't have doors (they
look like waist-high square poles).  In order to open one of these pedestals,
the two bolts on either side half way down the pedestal must be loosened with
a 7/16 hex wrench; then the front cover can be lifted up, out, and off the
rest of the closure.  These terminals are located generally near small groups
of houses (up to about 12 lines usually) on the ground, often near other
utility cabinets (such as electric power transformers, etc).  These are
becoming more common as the new housing tracts use buried distribution plant.
The F2 cable will enter as a cable stub, and it is split into service wires
which go back underground to the subscribers.
       All small pedestals are not necessarily the above type of terminal;
these pedestal closures are often used for other purposes, such as splicing
points in underground distribution, loading coil mounting, and even used as
temporary wire storage containers.  If the terminal contains a terminal
block or it is a significant point on the line, however, it will be listed in
LMOS.  An example of this is a distribution path found by Mark Tabas in a
Mountain Bell area --  there was a small PC12-type closure on the ground near
a street in a remote suburb, and it was serving as a terminal point for a
whole F1 cable.  It was listed as the F1 terminal, and it was at the right
TEA; however, there was no terminal block because it was a splicing point
(just a bunch of pairs connected with Scotchlok plastic connectors which are
hung on a bar in the pedestal closure), so LMOS had no BP number.  Instead,
a color code was listed (see appendix) for the pair in the splice.  Anyway,
the WHOLE F1 went up to an N-type closure on a pole and was split into drop


Multi-Line Building Entrance Terminals

       This terminal takes the aerial drop or service wires and cross-connects
them over to the Inside Wire (IW) in the subscriber's building (hotels,
businesses, etc).  There are many different types of terminal blocks for this
terminal, although by far the most common is the Western Electric 66 block.
The 66-type terminal uses a block of metal clips; the wire is pushed onto the
clip with a punch-down tool which also strips the wire.  The block is divided
into horizontal rows which can have from 2 to over 6 clips each.  Since each
row group terminates one pair, two rows are needed for x-connect, one on top of
the other.  The service or drop wire usually enters on the left, and the
inside wire is connected to the far right.  In order to locate a pair, usually
you can visually trace either the service wire or the inside wire to the
block, and often the inside wire side will be numbered or labelled with an
address, phone number, etc.  It is also possible for this terminal to serve
as an F2 terminal point, if there are a lot of lines.  In this case, LMOS will
list the TEA usually with some physical direction as to where to find it. The
left side will then be numbered as F2 BP's. This terminal is also the
demarcation point which separates the customer's equipment from the telco's.
The new terminals often have an RJ-21 connector on the service wire side, such
as a 25-pair for PABX or a Bell 1A2 Key, etc.  There are also "maintenance
terminating units" (MTU) which are electronic units connected to the line(s) at the
entrance protector; these are sometimes seen in some telcos.  Basically, they
provide functions such as party ANI on multi-party lines, remote disconnect
(for testing or (click!) non-payment), or half ringers (the most common --
they prevent ringing continuity failures on switches like ESS when there are
no phones hooked to the line when it rings).  MTU terminals are often locked.

Single Pair Station Protector

       There's really not much to say about this terminal.  Basically, it
takes the service or drop wire and connects it to the inside wire in a single
line residence (houses with 2 lines will have 2 of these).  These are at every
house on an outside wall or basement, and there are two main types: the Western
Electric 123 (with a "150-type" rubber cover), and the old WE 305 and new AT&T
200 Network interface (metal and plastic, respectively). These terminals have
one binding post pair and they will have either gas discharge tubes or carbon
blocks to protect the line from lightning or excess current.  Obviously, there
is no BP number (you just have to visually trace the drop wire to find the
protector). This is also the demarcation point marking the end of the telco's
responsibility, as well as the end of our tour.


Bell System Standard Color Code
-----------------------------------
Pair #          Tip        Ring
-----------------------------------
01-05           White      Blue
06-10           Red        Orange
11-15           Black      Green
16-20           Yellow     Brown
21-25           Violet     Slate

Use:
       Take the #, and find its closest multiple of 5.  Use that number to find
the Tip color, and the remainder to find the Ring color (remainder 0 = Slate).
(e.g. Pair #1 = White/Brown, Pair #14 = Black/Brown, Pair #24 = Violet/Brown).

Usually if a color code is needed (such as in a splice case) you can get it
from LAC or the testboard; if it's really essential, it will be in LMOS as
well.  This color code is also used a lot on cable ties (usually with white
stripes and ring colors only), although these are often used randomly.

Test Sets

      This is the "right hand" of both the professional and the amateur
lineman.  Basically, it is a customized portable telephone which is designed
to be hooked onto raw cable terminals in the field and used to monitor the
line, talk, or dial out.  The monitor function is usually the main difference
between the "butt-in" test set and the normal phone.  If you don't have a
real test set already, the following circuit can convert a normal $4 made-in-
taiwan phone into a working test set.  The "all-in-one" handset units without
bases are the best (I tend to like QUIK's and GTE Flip Phone II's). Anyway-

OFFICIAL Agent 04 Generic Test Set Modification (tm)

 Ring >---------------------------------> to "test set" phone
  Tip >------!  SPST Switch    !-------->
             !-----/ ----------!
>from         !-------/!/!/!/!--!    C = 0.22 uF  200 WVDC Mylar
cable pair    !   C       R     !    R = 10 kOhm 1/2 W
(alligators)  !--! (------------! SPST = Talk / Monitor

       When SPST is closed, you are in talk mode; when you lift the switch-
hook on the "test set" phone, you will get a dial tone as if you were a
standard extension of the line you are on.  You will be able to dial out and
receive calls.  When the SPST is opened, the resistor and capacitor are no
longer shunted, and they become part of the telephone circuit.  When you lift
the switchhook on the test set, you will not receive dial tone, due to the fact
that the cap blocks DC, and the resistor passes less than 4 mA nominally (far
below the amount necessary to saturate the supervisory ferrod on ESS or close
the line relay on any other switch).  However, you will be able to silently
monitor all audio on the line.  The cap reactance + the phone's impedance
ensure that you won't cut the signal too much on the phone line, which might
cause a noticeable change (..expedite the shock force, SOMEONE'S ON MY LINE!!).
It's also good to have a VOM handy when working outside to rapidly check for
active lines or supervision states.  Also, you can buy test equipment from
these companies:

Techni Tool - 5 Apollo Road, Box 368. Plymouth Meeting, PA. 19462.
Specialized Products Company - 2117 W. Walnut Hill Lane, Irving, TX. 75229.

       I am not going to include a disclaimer, because a true communications
hobbyist does not abuse nor does he tamper with something he doesn't under-
stand.  This article is intended as a reference guide for responsible people.

       Also, this article was written mainly from first-hand experience and
information gained from maintenance technicians, test boards, as well as
technical literature, so it is as accurate as possible.  Keep in mind that
it is mainly centered upon the area served by Pacific Telephone, so there may
be some differences in the loop plant of your area.  I would be happy to
answer the questions of anyone interested, so feel free to contact me c/o the
Technical Journal regarding anything in this article or on related topics such
as ESS, loop electronics, telephone surveillance / countersurveillance, etc.
I hope the article was informative.

                                  Chapter 6

                        STEP BY STEP SWITCHING NOTES

                             BY PHANTOM PHREAKER

   The following research was done on a class 5 Step By Step switching system.
Items mentioned in this article are not guaranteed to work with your particular
office.  The following interesting topics about Step By Step switching are for
informational and educational purposes only. This article is aimed at people
who wish to learn more about telephone switching systems.

   I realize step-by-step switching is dwindling every day, with many
electromechanical SxS offices being replaced with newer electronic/digital
switches and Remote Switching Systems (RSS's). However, rural areas of the U.S.
still use Step, so if you are ever in an area served by a SxS CO you may be
able to use this information.

   1:ANI Failure/ONI

   To understand this technique, you must understand how ANI functions in the
Step-by-Step switching system. Your CO sends ANI, with your number, in MF or DP
to receivers that collect the ANI information and store it, along with the
called number, on the appropriate form of AMA tape. ANI outpulsing in MF can
use either LAMA (Local Automatic Message Accounting) or CAMA (Centralized
Automatic Message Accounting). ANI sent in DP type signalling can also be used,
but is rare. DP vs MF trunk signalling is similar to the difference between
DTMF and pulse dialing, except on a trunk. DP signalling sends all information
in short bursts of 2600Hz tones.

   Causing ANIF's/ONI is an easy task in SxS (and some versions of Xbar),
because the customer's link to the CO will allow the customer to input MF tones
to influence a call's completion. This can be done by dialing a long distance
number and listening to the clicks that follow. After the first click when you
are done dialing, you will hear a few more. They will be timed very close to
one another, and the last click occurs right before the called telephone rings.
The number and speed of the clicks probably varies. Basically what these clicks
are is the Toll Office that serves your CO setting up a route for your call. In
order to abuse this knowledge, you need access to a MF source, whether it be a
blue box, a computer with a good sound chip, tape recording, etc. Right before
you hear the series of clicks, send one of the following sequences in MF:

KP+1 (Repeatedly) For Automatic Number Identification Failure (ANIF)


KP+2 (Repeatedly) For Operator Number Identification (ONI)

(Note:these will not work if your CO uses DP signalling.)

Play these tones into the phone at a sufficient volume so that they 'drown out'
the series of clicks. Do not send an ST signal, as you are not actually dialing
on a trunk. You must send these MF sequences quickly for this method to work
correctly. After you have played your 'routing' a few times, you will hear a
TSPS operator intercept your call and ask for the number you are calling FROM.
When an ANIF is recognized, the call is cut through to a TSPS site that serves
your area. Now, you can give the operator any number in your exchange and she
will enter the billing information manually, and put the call through. The toll
charges will appear on the customer who owns the number you gave. You can also
accomplish a similar feat by merely flashing the switchhook during the series of
clicks. This will send DC pulses that scramble the ANI outpulsing and cause
your call to be sent to a TSPS operator before the dialed number. Be sure to
stop sending the MF 'routing' after the operator attaches or she may know that
something's up. Use this method sparingly and with caution. It would also be a
good idea not to use the same number for billing more than one time. Don't use
this method in excess, because a toll office report will list the number of ANI
failures for a specific time period. The ONI method works better because it is
assumed ONI is needed to identify a caller's DN upon a multi-party line. Too
many ANI failures will generate a report upon a security/maintenance TTY, so if
you plan on using this method, use the ONI method instead of just ANI Failure.
The basic idea behind the ANIF is to scramble your ANI information by using MF
(or the switchhook) to send your LD call to a TSPS operator for Operator Number
Identification (ONI) due to ANI Failure. The idea behind the ONI method is that
you are fooling the switch into thinking you are calling from a multi-party
line and ONI is needed to identify your DN.

   2:Test numbers

   Some other interesting things in the Step By Step system can be found by
dialing test numbers. Test numbers in SxS switching systems are usually hidden
in the XX99 area, as opposed to 99XX, which is common for other types of
switching systems. These types of numbers are possibly physical limitations of
a SxS switch, and thus a milliwatt tone or other test numbers will be placed
there, because a normal DN can't be assigned such a number. However, these XX99
numbers are usually listed in COSMOS as test numbers. Another interesting note
about XX99 numbers is that they seem (at least in some offices) to be on the
same circuit. (That is, if one person calls an XX99 number and receives a test
tone, and another person calls any other XX99 number in that same prefix, the
second caller will receive a busy signal).

   Here we must examine the last four digits of a telephone number in detail.

XXXX=WXYZ             W=Thousands digit
                     X=Hundreds digit
                     Y=Tens digit
                     Z=Units digit

   Dialing your prefix followed by an XX99 may result in a busy signal test
number, a network overflow (reorder), milliwatt tones, or other type of error
messages encountered when dialing.

   Not every XX99 number is a test number, but many are. Try looking for these
in a known Step by Step office.

   The numbers that return a busy signal are the ones that incoming callers
are connected to when the Sleeve lead of the called Directory Number is in a
voltage present state, which means the line is in use or off-hook. More about
this in the next topic.

   3:Busy signal conferencing

   Another interesting feature of the Step-By-Step system is the way busy
tones (60 IPM) are generated. In ESS and DMS central offices, busy signals that
are sent by the terminating switch are computer generated and sound very even
and clear with no signal irregularity. In SxS, all calls to a particular DN are
sent to the same busy signal termination number, which can be reached most of
the time by a POTS number. These busy tones are not computer generated and the
voice path is not cut-off.

   You can take advantage of this and possibly have a 'busy signal conference'.
This can be achieved by having several people dial the same busy DN that is
served by a Step office, or by dialing an always-busy termination number. When
you are connected to the busy signal, you will also be able to hear anyone else
who has dialed the same busy number. Connection quality is very poor however,
so this is not a good way to communicate.
   As an added bonus, answering supervision is not returned on busy numbers,
and thus the call will be toll-free for all parties involved. However, you must
be using AT&T as your inter-LATA carrier if the call to the busy number is an
inter-LATA call for you. So if your IC is US Sprint, you must first dial the
AT&T Carrier Access Code (10ATT) before the busy number. If your IC doesn't
detect answer supervision, and begins billing immediately or after a certain
amount of time, then you will be billed for the length of the call.

   4:Temporarily 'freezing' a line

   A SxS switching system that operates on the direct control principle is
controlled directly by what the subscriber dials. Jamming a line on SxS to
prevent service is possible by simply flashing the switchhook a number of times.
Or you may find after several aborted dialing attempts, the line will freeze
until it is reset, either manually or by some time-out mechanism. Usually the
time the line is out of action is only a few minutes. The line will return a
busy signal to all callers, and the subscriber who has a 'dead' phone will not
even hear sidetone. This happens when one of the elements in the switch train
gets jammed. The switch train consists of the linefinder, which sends a dial
tone to the subscriber who lifted his telephone, and places voltage on the S
(Sleeve) lead as to mark that given DN as busy. Next in the switch train are
the selectors. The selectors are what receive the digits you dial and move
accordingly. The last step in the switch train is the connector. The connector
is what connects calls that are intraoffice, and sends calls to a Toll office
when necessary. Other types of devices can be used in the switch train, such as
Digit Absorbing Selectors, where needed.

   5:Toll/Operator assisted dialing

   You may be able to dial 1/0+ numbers with your prefix included in some
areas. You can dial any call that you could normally reach by dialing 1+ or 0+.
For example, to dial an operator-assisted call to a number in Chicago, you
could dial NXX+0312+555+1000 where NXX is your prefix, and you would receive
the usual TSPS bong tone, and the number you dialed, 312+555+1000, would show
up on the TSPS console's LED readout board. You can also use a 1 in place of the
0 in the above example to put the call through as a normal toll call.
   This method does not bypass any type of billing, so don't get your hopes
up high.
   The reason this works is twofold. The first reason is that the thousands
digit in many SxS offices determines the type of call. A 0 or a 1 in place of
another number (which would represent a local call) is handled accordingly. The
other reason is due to a Digit Absorbing Selector that can be installed in some
SxS offices to 'absorb' the prefix on intraoffice calls when it is not needed
to process the call. A DAS can absorb either two or three digits, depending
on whether the CO needs any prefix digit(s) for intraoffice call completion.

   6:Hunting prefixes

   SxS switches may also translate an improperly dialed local call and send
it to the right area over interoffice trunks. Take for instance, you need to
make a local call to 492-1000. You could dial 292-1000 and reach the exact
same number, provided that there is no 292 prefix within your local calling
area. However, only the first digit of a prefix may be modified or the call
will not go through correctly unless you happen to have dialed a valid local
prefix. You also cannot use a 1 or a 0 in place of the first prefix digit,
because the switch would interpret that as either dialing a toll or an operator
assisted call.


   Step by Step switching system incoming and outgoing trunks are very likely
to use In-band supervisory signalling. This means you could possibly use
numbers served by a SxS CO to blue box off of. But, some older step areas may
not use MF signalling, but DP signalling. DP signalling uses short bursts of
2600Hz to transfer information as opposed to Multi-Frequency tones. In DP
signalling, there are no KP or ST equivalents. Boxing may be accomplished from
DP trunks by sending short bursts of 2600Hz (2 bursts would be the digit 2).
Acceptable pulse rates are 7.5 to 12 pulses per second, but the normal rate is
10 pulses per second. A pulse consists of an 'on hook' (2600Hz) tone and an
off-hook (no tone). So, at 10 pulses per second, a digit might be .04 seconds
of tone and .06 seconds of silence. DP is rarely used today, but some
direct-control Step offices still use it. Common Control Step offices are much
more likely to use MF trunk signalling.

   As said at the start of this file, some of the things mentioned here may
have no practical use, but are being exposed to the public and to those who did
not know about any one of the procedures mentioned here previously.

                       References and acknowledgements
    Basic Telephone Switching Systems-By David Talley, Hayden publishers
              No. 1 AMARC-Bell System Technical Journal
 Mark Tabas for information about CAMA and DP, The Marauder, and Doom Prophet.

                                  Chapter 7

                        AUTOMATIC MESSAGE ACCOUNTING


                                 An overview

                        Written by Phantom Phreaker


   This article is meant to provide an explanation of Automatic Message
Accounting (AMA) and how it was/is used in the past and present.

   All information included in this file is correct to my knowledge, however,
if anyone notices any errors or has anything interesting to add, try to get in
touch with me one way or another and let me know.

   Hopefully this article will clear up any misconceptions about AMA that
have been circulating around on bulletin boards and by word of mouth. Keep in
mind, however, that the information here may not be applicable to your
specific area or telco. The information contained herein generally applies to
the BOC's, and if you are served by an independent telco, your method of
billing may differ.

   This article is aimed more towards the more experienced telecommunications
enthusiast. People with limited knowledge may have a hard time understanding
the information presented here. However, if you can contact me I will try to
answer any questions or clarify anything included in this article that isn't

   Information will be included in this article concerning the use of AMA in
the past. This is being done for people in older areas or areas served by an
independent telco that may still be using the old technology.


   In the past, Call Detail Record (CDR) information was collected and
recorded by cordboard operators in a process known as manual ticketing. The
operator recorded this information by writing it down manually upon a
formatted record called a ticket. These tickets were sent to the appropriate
office where billing was handled. This manual ticketing process was
time-consuming, and was phased out with the introduction of electromechanical

   Before the advent of AMA, a magnetically operated counter called a message
register was associated with each subscriber's line in a given central office.
This counter was responsible for counting the number of calls that each
subscriber made, for billing purposes. This message register was caused to
operate one or more times when the called party answered the telephone. The
way this works is when the called party answers, a reverse battery signal was
sent back over the trunk circuit to activate a relay in the originating office
which was responsible for the application of a 48-volt battery to advance the
message register the appropriate number of units. A local call is/was usually
one message unit, regardless of how long the call lasted.  Local calls to
further away areas were/are usually two message units.  Long distance calls
were handled either by cordboard operators, using manual ticketing, or by a
method not involving operators known as zone registration. With zone
registration, calls to different zones would cause the message register to
operate two or more times per time period. This would make the cost higher for
longer calls, and less for shorter calls.

   At the end of the billing period, each message register had to be manually
photographed to keep track of the number of calls made by that specific
subscriber. These photos were taken by a 35 millimeter camera that was known
as a Traffic Usage Recorder, and then sent to the same place that manual
tickets (prepared by operators) were.  However, this method of billing soon
grew costly and inefficient, so a new method, LAMA (Local Automatic Message
Accounting) was developed. Additional and more specific information shall be
included later in the article.

   In the late 1940's, the Bell System developed LAMA, which recorded the
billing information in a much more efficient manner. However, some end offices
did not have enough call traffic to warrant the installation of LAMA
equipment.  To solve this problem, CAMA (Centralized Automatic Message
Accounting) was developed in the mid 1950's. CAMA was different from LAMA in
that it was based in a toll or tandem office and could record the AMA
information for every end office that it served. More on LAMA and CAMA will be
included later in the article.

   Another development concerning AMA is the computerization of the system,
named LAMA-C or CAMA-C, for 'LAMA-Computerized' or 'CAMA-Computerized'. CAMA
had used paper tape perforators for a time before the magnetic tape method was
introduced with CAMA-C. LAMA-C is a computerized version of LAMA which also
uses magnetic tape (LAMA-C is still used today). LAMA and LAMA-A (previous
versions) used paper tape, although LAMA-A was more efficient.

   LAMA, LAMA-A, CAMA, and CAMA-C were all part of the AMARS, the Automatic
Message Accounting Recording System. However, a newer term for more modern
setups is the AMACS, for Automatic Message Accounting Collection System. The
AMACS includes end office AMA systems, a recent introduction called the AMARC
(AMA Recording Center), AMARC sensors from end offices to the AMARC, the data
links used to transmit billing information, and data receivers located at the
AMARC site. The AMARC is a product of the new age of computerized technology
as it applies to the telecommunications systems used in our society.  Still,
LAMA and CAMA and their different versions shall be described and explained to
help people understand how they were/are used.


   LAMA is described by Notes on the Network (1983) as 'A process using
equipment located in a local office for automatically recording billing data
for message rate calls and for customer-dialed station to station toll
calls'.  What this means is that if your CO uses LAMA, and you are on a
single party line (most people are), all 1+ toll calls will be billable by
LAMA equipment, and all calls coming from message rate lines. A message rate
line, for those of you not familiar with the term, is a telephone line that
has the ability to receive incoming calls, but all outgoing calls will cost
the subscriber. The subscriber pays for basic service (the ability to receive
calls) with the consideration that all other calls (even local ones) will cost
a certain amount of money per call. Many subscribers in several major cities
get this feature automatically, and thus phone bills are generally higher in
these areas.

   LAMA originally recorded billing information on punched paper tape, in a
version known as LAMA-A, but now magnetic tape is generally the format used in
places where LAMA-C equipment is used.  The paper tape perforators that
recorded the CDR data in LAMA-A were noisy, and they needed maintenance due to
their electromechanical construction. The magnetic tape method is much more
reliable, and quieter as well.

   If a person's End Office uses LAMA, then all toll calls from all lines and
all local calls from metered rate lines are recorded on the LAMA tape, with a
few exceptions. LAMA can only be used to record AMA information for one and
two party lines. On other party lines such as three and four party, the
originating caller has his/her number identified by an operator via the ONI
(Operator Number Identification) method. It has not been determined by the
author if the BOC (Bell Operating Company) operators such as TOPS (Traffic
Operator Position System, made by Northern Telecom Inc. of Canada) or MPOW
(Multi-Purpose Operator Workstation, by US West) operators would be used for
this ONI or not. I would guess that AT&T TSPS operators would handle an
inter-LATA toll call, and that the BOC TOPS/MPOW operators would handle the
ONI for an intra-LATA call (my reasoning behind this statement is the fact
that whenever I have had an ONI due to equipment failure, which is similar to
ONI needed, only the ANI outpulsing was garbled, the called number was still
transmitted in the correct fashion.  I am assuming that the end office
switching system would route the call to the correct operator position by
matching the NPA-NXX with some sort of internal table which makes a
distinction between intra and inter-LATA calls). Anyway, these calls had their
AMA information sent from the appropriate operator position to the toll office
that served the 3+ party line, onto CAMA tape.  Another instance in which a
LAMA office may use CAMA instead is when an ANIF (ANI Failure) occurs. If the
ANIF is sent to TSPS, then that TSPS will record billing information upon CAMA
tape by using ONI. It seems that AMA information that has been recorded by an
operator is buffered and stored until it is time to send the information to
the appropriate places for processing. In the case of AT&T TSPS operators, the
TSPS had its own magnetic tape which was sent to the RAO (Regional Accounting
Office, formerly called Revenue Accounting Office) on a regular basis. I am
not sure if this method is still used or if TSPS AMA has been updated or
enhanced in some way.


   The following is the call flow procedure in a LAMA-A (paper tape) system.

   After a customer completes dialing, the dialed number (the called number),
the originating class of service, Line Equipment Number (LEN), and call type
are sent from the switch to the AMA equipment.  Translations, such as figuring
the billing telephone number from the Line Equipment Number, are done. The
information that comes from the translations procedures determines which paper
tape perforator shall be used to record the data for this specific call. A
record of the initial information gathered is called the initial entry. The
last line of the initial entry contains a two digit code called a Call
Identity Index, which identifies telco equipment such as the trunk or district
junctor that will be used for that call.

   When the call is answered, another entry is made, called the answer
entry.  This entry is a single line on the paper tape and has the CII and the
exact time that the call was answered on it.

   The last entry on the paper tape is known as the disconnect entry.  This
entry contains the CII and the exact time that the call ended.

   The CII is important because it is what the RAO used to group together all
the data about a given call. Entries are recorded at different times in a LAMA
system, they are not in sequential order, so the CII makes it easier to find
all three entries for a specific call.

   This method of recording AMA information required the RAO to 'unshuffle
the deck' when it came time to organize the AMA information. The variations in
the AMA recording formats used by different switching systems eventually led
Bellcore to develop a standard AMA format, named the Bellcore AMA Format
(BAF).  More information will be included about this format later in the

   In a No. 5 Crossbar switching system, the AMA setup used special purpose 3
inch wide paper tape on which AMA records were recorded by CO equipment. This
method of recording is for the stone ages, as it has been phased out by almost
every BOC. Similar to the LAMA-A call flow, this method of AMA used three AMA
entries. The first one was the customer's service information, which included
the calling and called telephone numbers, the second one was recorded when the
telephone was answered, and the third one was recorded at disconnect.  This
also made the job at the RAO a bit harder, as again, they had to 'unshuffle
the deck'.
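
   The regrouping step ('unshuffle the deck') that the LAMA-A and No. 5
Crossbar descriptions above leave to the RAO, as an added example that is not
part of the original article. The entry layout, field names, times and phone
numbers are constructed for illustration and are not a real tape format; the
three entry kinds and the CII key are the ones described above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Call:
    """One reassembled call: initial entry plus optional answer/disconnect."""
    cii: str
    calling: str
    called: str
    seized: int
    answered: Optional[int] = None
    released: Optional[int] = None

    @property
    def billable_seconds(self) -> int:
        # Charging starts at answer; a call that was never answered, or that
        # has no disconnect entry, yields no billable time.
        if self.answered is None or self.released is None:
            return 0
        return self.released - self.answered


def unshuffle(tape):
    """Group interleaved entries by CII, in tape order.

    A two-digit CII names equipment, so it is reused by later calls. An entry
    therefore belongs to the call that currently holds that CII open.
    Returns (calls, anomalies); anomalies are (tape position, CII, reason).
    """
    open_calls = {}
    calls, anomalies = [], []
    for pos, entry in enumerate(tape):
        kind, cii = entry["kind"], entry["cii"]
        if kind == "initial":
            if cii in open_calls:
                anomalies.append((pos, cii, "initial entry while CII still open"))
                calls.append(open_calls.pop(cii))
            open_calls[cii] = Call(cii, entry["calling"], entry["called"],
                                   entry["time"])
        elif kind == "answer":
            call = open_calls.get(cii)
            if call is None:
                anomalies.append((pos, cii, "answer entry with no initial entry"))
            elif call.answered is not None:
                anomalies.append((pos, cii, "duplicate answer entry"))
            else:
                call.answered = entry["time"]
        elif kind == "disconnect":
            call = open_calls.pop(cii, None)
            if call is None:
                anomalies.append((pos, cii, "disconnect entry with no initial entry"))
            else:
                call.released = entry["time"]
                calls.append(call)
        else:
            anomalies.append((pos, cii, f"unknown entry kind {kind!r}"))
    for cii, call in open_calls.items():
        anomalies.append((None, cii, "no disconnect entry before end of tape"))
        calls.append(call)
    return calls, anomalies


# Constructed sample tape: two calls interleaved, CII 42 reused by a third
# call that is never answered, and one stray answer entry.
TAPE = [
    {"kind": "initial", "cii": "17", "time": 100,
     "calling": "555-0101", "called": "555-0199"},
    {"kind": "initial", "cii": "42", "time": 103,
     "calling": "555-0102", "called": "312-555-0147"},
    {"kind": "answer", "cii": "42", "time": 110},
    {"kind": "answer", "cii": "17", "time": 112},
    {"kind": "disconnect", "cii": "42", "time": 170},
    {"kind": "initial", "cii": "42", "time": 175,
     "calling": "555-0103", "called": "555-0150"},
    {"kind": "disconnect", "cii": "17", "time": 300},
    {"kind": "disconnect", "cii": "42", "time": 190},
    {"kind": "answer", "cii": "63", "time": 200},
]

if __name__ == "__main__":
    calls, anomalies = unshuffle(TAPE)
    for c in calls:
        print(c.cii, c.calling, "->", c.called, c.billable_seconds, "s")
    for a in anomalies:
        print("audit:", a)
```
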

   The No. 2 ESS introduced the latest magnetic tape recording technology
that was available at that time. The 2E used 200 BPI, 7 track mag tapes, and
it introduced special data coding conventions.  Its technology and
conventions are still in use today, but I think that the BPI and number of
tracks have been increased. The 2E mimics the No. 5 Crossbar AMA method by
recording three entries and interleaving them on the magnetic tape. Data
common to all calls on a tape (such as date, CO info, etc.) are recorded in
special tape headers. The No. 2B ESS was introduced with the same AMA
technology as the 2E, but a 2B that provides equal access capabilities for
interexchange carriers adds a new data entry to the three used by the 2E. This
new entry reports the time of connection of a carrier to the local network,
which is needed for carrier access billing.

   The No. 1 ESS modernized the AMA process even more. The 1E used 200 BPI,
nine track tape. The 1E provides data collection memory registers for AMA
information on applicable calls. A register is assigned to an AMA call and
kept open for the call's duration. This register collected most of the billing
data that was needed. The AMA information was then written to magtape at the
time of disconnect.  This made it easier for the RAO to process. The AMA
format used by the 1E uses variable length records whose fields occur for the
most part in a general, preset pattern. Eventually, though, even the 1E AMA
method was found to be slightly faulty. This was due to high processing costs
at the RAO and the problem of tape headers getting erased from the tape. The
BAF was made to solve the problems that are associated with other AMA setups.
An update to the BAF is called the EBAF, or Extended Bellcore AMA Format. The
main difference between the BAF and EBAF is that EBAF is more flexible and can
be used easier, as the BAF uses a defined structure for storing data. The EBAF
can append other information to the end of an AMA record, and this makes it
more flexible.


   The ANI formats outpulsed in a LAMA arrangement are as follows (assume
that the call being shown for an example is being dialed from a home
telephone, as dialing from coinphones would cause different ST signals to be
sent; also the type of signaling in this case is SF in-band):

                     CALLED number:KP+(NPA)+NXX+XXXX+ST

                      CALLING number:KP+I+NXX+XXXX+ST

   The second format is the ANI associated with LAMA and is sent to the LAMA
equipment after the ANI receiving trunk winks. The NPA included in this
example is optional and only needed if the subscriber is making a call to a
Foreign NPA (FNPA). The complete called number is not included in all cases,
as when an AMA setup is configured for bulk-billing. In bulk-billing, the
entire called number is not recorded, but just enough for billing purposes.
The CALLING number is the number that the subscriber is dialing from.  These
two numbers are sent in Multi Frequency (MF) tones to MF receivers located
within a CO. The I in the ANI is an information digit, and these shall be
explained later in the article.
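
   The toll office report of ANI failures mentioned in the Step by Step
chapter can be sketched from the calling-number format above; this is an added
example, not part of the original article. The record layout (minute, trunk
group, outpulsed string), the thresholds, and the assumption that a record with
digit 1 or 2 may carry no calling number are constructed for illustration; the
digit meanings (0 automatic, 1 operator identification, 2 identification
failure) are the ones this chapter lists further on.

```python
from collections import Counter, defaultdict

# Information digit meanings as listed in this chapter.
INFO_DIGITS = {"0": "automatic", "1": "oni", "2": "anif"}


def parse_ani(outpulse):
    """Split 'KP+I+[NPA+]NXX+XXXX+ST' into (class, calling number or None)."""
    parts = outpulse.split("+")
    if len(parts) < 3 or parts[0] != "KP" or parts[-1] != "ST":
        raise ValueError("missing KP/ST framing")
    info, number = parts[1], "".join(parts[2:-1])
    if info not in INFO_DIGITS:
        raise ValueError(f"unknown information digit {info!r}")
    if number and (not number.isdigit() or len(number) not in (7, 10)):
        raise ValueError("calling number is not 7 or 10 digits")
    if info == "0" and not number:
        raise ValueError("automatic identification without a number")
    return INFO_DIGITS[info], number or None


def failure_report(records, window=60, min_calls=5, max_share=0.2):
    """Flag (window, trunk group) buckets with an unusual share of calls that
    were not identified automatically (ONI, ANI failure, or unparsable).

    window is in minutes; min_calls and max_share are assumed thresholds.
    """
    buckets = defaultdict(Counter)
    for minute, trunk_group, outpulse in records:
        try:
            kind, _ = parse_ani(outpulse)
        except ValueError:
            kind = "garbled"
        buckets[(minute // window * window, trunk_group)][kind] += 1

    flagged = []
    for (start, trunk_group), counts in sorted(buckets.items()):
        total = sum(counts.values())
        not_automatic = total - counts["automatic"]
        if total >= min_calls and not_automatic / total > max_share:
            flagged.append({
                "window_start": start,
                "trunk_group": trunk_group,
                "total": total,
                "anif": counts["anif"],
                "oni": counts["oni"],
                "garbled": counts["garbled"],
            })
    return flagged


# Constructed sample: TG-A has one ONI call in six (a party line, say);
# TG-B has three unidentified calls in six inside the same hour.
SAMPLE = (
    [(m, "TG-A", "KP+0+555+0101+ST") for m in (1, 9, 17, 25, 33)]
    + [(41, "TG-A", "KP+1+ST")]
    + [(m, "TG-B", "KP+0+312+555+0147+ST") for m in (3, 12, 30)]
    + [(14, "TG-B", "KP+2+ST"), (15, "TG-B", "KP+2+ST"),
       (16, "TG-B", "KP+7+5550101")]
    + [(61, "TG-B", "KP+2+ST"), (75, "TG-B", "KP+2+ST")]
)

if __name__ == "__main__":
    for row in failure_report(SAMPLE):
        print(row)
```
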

   One may wonder how a CO knows which lines it serves are message rate lines
and which are flat rate. On electromechanical switches such as Step by Step,
No. 1 and No. 5 Crossbar (it should be noted that there are no remaining panel
switches within the Bell System), there is an electronic line card associated
with each Directory Number which holds information relevant to that line.
These cards have to have any type of change hardwired into them. However, in
digital/electronic switching systems, there are Line Class Codes which
reflect information about each subscriber's line. There are many, many of these
codes.  Some of the more common and interesting ones are listed below:

   LCC                                          EXPLANATION
   ---                                          -----------

   1FR                         Single party Flat rate Residential

   1MR                         Single party Metered rate residential

   1CF                         Single party Coin First coin

   1OF                         Single party Official (telco) line

   1FB                         Single party Flat rate Business line

   1MB                         Single party Metered rate Business

   These codes can be found for a line in several places, such as certain
fields in telco computer output reports. COSMOS and LMOS are two such
computers that hold this information. If you find COSMOS printouts or have
access to COSMOS, these Line Class Codes will be listed under the 'LCC' field
in an ISH, INQ, or other inquiry.  Sometimes the data in the LCC field will
match or be similar to the data in the US field, which is a USOC (Universal
Service Order Code).  A USOC and an LCC aren't the same thing though.


   CAMA operates along the same basic principle that LAMA does, except that
CAMA is based in a toll or tandem office (class 4). CAMA is made to be used in
areas where it would be costly to implement a LAMA arrangement for each and
every class 5 office. This is because some end offices did not have enough
traffic to warrant the cost and work required to install LAMA equipment. LAMA
setups can/could be found in abundance in rural areas near large cities.

   The first letter in each of the acronyms (L)AMA and (C)AMA describes the
usage of each. (L)AMA, for Localized, in a local central office, and (C)AMA
for Centralized, in a toll office.

   The outpulsing formats to CAMA are similar to the LAMA ANI outpulsing. The
outgoing trunk to the serving CAMA office from the end office sends the called
DN in the format of KP+(NPA)+NXX+XXXX+ST.  Next, the incoming CAMA trunk
requests the end office to send the calling number. This is sent as
KP+I+(NPA)+NXX+XXXX+ST, where the I is an information digit which gives
information about the status of the process, and the NPA may or may not be
needed, depending upon the setup. The information digits that follow are used
in ANI outpulsing to Local and Centralized AMA. They are:


   0-Automatic Identification (a normal call, with no special

   1-Operator Identification (ONI-call is sent to an operator who
     requests the customer to give the number they are calling from);

   2-Identification Failure (ANI Failure, handled the same way as

   The ONI due to ANIF and normal ONI which is used on certain party lines
are kept track of. If too many ANI Failures happen, then a report will be
generated indicating this fact. ONI needed is more standard and ordinary, and
thus safer for the telecommunications enthusiast. This information can be put
to a good use, as if you find an outgoing CAMA trunk when you are boxing, you
can place calls over it by using the above CAMA formats. The only limiting
factor is that the NXX of the calling number that you sent for ANI must be an
office that is served by the particular CAMA office's trunk that you are using.

   Note that CAMA is not used much anymore, it was mainly used with Electro-
Mechanical toll switches such as the No. 4A Crossbar, and the Crossbar Tandem
(XBT). I don't think there are any XBTs or 4As in operation in the AT&T toll
network, but CAMA may be used by independent telcos, or by telcos in rural
areas that serve only a small number of central offices. In an independent
telco setup, a CAMA arrangement may be used, but not in the same way as AT&T
has used it. The centralized location may not be a toll office, it may just be
the largest CO in that company's network. There can be several variations.
CAMA was originally introduced to work with and in conjunction with ANI, thus
the original term for the process, CAMA/ANI. For a complete description of ANI
in electromechanical switching systems, see one of the older issues of Phrack
Inc. newsletter for a file written by Doom Prophet and myself, titled
'Automatic Number Identification'. I have seen CAMA mentioned in recent telco
information, so I assume that CAMA is still in use, at least in some places.
Supposedly a way to determine if you are on CAMA is to dial local numbers, and
send 2600Hz.  If you can seize a trunk, then it is likely that you are served
by CAMA. You can then pick local exchange codes, (NXX), dial them, seize a
trunk, and then MF using the CAMA format included above, sending a false ANI
for one of the local exchanges. If you do this, I suggest that you don't send
the ANI of a resident. Use non-working numbers, disconnected numbers, payphone
numbers. I am not sure if there is any check done upon the number sent in ANI
by the toll office or not, but it is probable that the local switch is
responsible for screening out invalid numbers and such. So if you can get on a
CAMA trunk then you have the power to bill calls to anyone else who is served
by a CO that homes in on the same toll office and uses the same CAMA


                        AUTOMATIC MESSAGE ACCOUNTING


                                 An overview

                         Written by Phantom Phreaker


    The standard AT&T Toll office switch, the No. 4 ESS, is also equipped to
handle CAMA if necessary. The CAMA procedure is as follows: Call data for the
CAMA call is kept in a buffer (technically called an Accounting Block (AB))
which then stores the entry upon a nine track 800-bpi (bits per inch) AMA tape
(note: the information used in research for this part of the article was
rather old, so the bits per inch has probably increased). The data that are
kept in this buffer and put on the tape are as follows: the calling DN, the
called DN, answer and disconnect times accurate to 0.1 second, and other misc.
information. The caller's DN can be entered into the 4ESS in two ways, ANI or
ONI. ANI is of course the normal method for identifying a caller's DN for
billing purposes. ONI is used when there is an ANIF, or when it is needed (the
other equipment cannot get the DN with ANI). When the 4E gets an ANIF or an
ONI needed, it sends the call to a TSPS operator, who should ask the caller
for their number. When an operator gets an ONI situation 'from' a 4E, she uses
two types of trunks, a talking trunk, and a keying trunk. The talking trunk is
what the subscriber comes in upon and is the line over which the operator asks
for the caller's DN. The keying trunk originates at the 4E and terminates at
TSPS, and is what is used to send the caller's DN (in MF) to the 4ESS office.
The operator has access to both trunks at the same time, thus she can enter
the number in a quick and orderly fashion.

   When a line classification does not fit into the 'one information digit'
(KP+I+NNX+XXXX+ST) category, two information digits are used. When two are
used, they are called screening codes. Screening codes are outpulsed along
with the ANI for certain types of telephone lines, and when ANI is being sent
to an alternate carrier via 'Equal Access' (Feature Group D, 1+ dialing).
These screening codes are two digits and precede the subscriber's DN. An
example of screening code outpulsing is as follows:


   The II represents two information digits that precede the caller's number.
Some of the more common screening codes are as follows:

     KP+00+NXX+XXXX+ST     Normal telephone call, identified POTS line;
     KP+01+NXX+XXXX+ST     ONI needed on a multiparty line;
     KP+02+NXX+XXXX+ST     ONI needed due to ANI Failure;
     KP+07+NXX+XXXX+ST     Hospital, inmate type telephone;
     KP+08+NXX+XXXX+ST     Line restricted from dialing inter-LATA;
     KP+10+NNX+XXXX+ST     Telco test call;
     KP+20+NNX+XXXX+ST     Automatic Identified Outward Dialing centrex call;
     KP+27+NNX+XXXX+ST     Coin telephone call.
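
   The ANI formats above can be decoded mechanically when reviewing records.
The following is an added example, not part of the original article: it splits
a sequence written in the article's "+" notation into its fields, looks up the
information digits, and counts ANI failures per office. The function names,
the threshold, and the sample sequences are assumptions made for illustration.

```python
import re
from collections import Counter

# Two-digit screening codes, copied from the table in the article.
SCREENING_CODES = {
    "00": "Normal telephone call, identified POTS line",
    "01": "ONI needed on a multiparty line",
    "02": "ONI needed due to ANI Failure",
    "07": "Hospital, inmate type telephone",
    "08": "Line restricted from dialing inter-LATA",
    "10": "Telco test call",
    "20": "Automatic Identified Outward Dialing centrex call",
    "27": "Coin telephone call",
}

# Single information digits named in the LAMA/CAMA part of the article.
INFO_DIGITS = {
    "0": "Automatic Identification",
    "1": "Operator Identification (ONI)",
    "2": "Identification Failure (ANIF)",
}

# KP + I or II + optional NPA + NXX + XXXX + ST, in the article's notation.
ANI_RE = re.compile(r"^KP\+(\d{1,2})\+(?:(\d{3})\+)?(\d{3})\+(\d{4})\+ST$")

OPERATOR_NEEDED = {"1", "2", "01", "02"}
ANI_FAILURE = {"2", "02"}


def decode_ani(sequence):
    """Split one ANI sequence into fields and look up its information digits."""
    match = ANI_RE.match(sequence.strip().upper())
    if match is None:
        raise ValueError("not a KP+I/II+[NPA]+NXX+XXXX+ST sequence: %r" % sequence)
    info, npa, nxx, line = match.groups()
    table = SCREENING_CODES if len(info) == 2 else INFO_DIGITS
    return {
        "info": info,
        "meaning": table.get(info, "not listed in the article"),
        "npa": npa,          # None when the optional NPA was not sent
        "nxx": nxx,
        "line": line,
        "operator_needed": info in OPERATOR_NEEDED,
        "ani_failure": info in ANI_FAILURE,
    }


def anif_report(sequences, threshold):
    """Return ({NXX: failures} at or above threshold, list of rejected inputs).

    The threshold is an assumed value; the article only says that a report is
    generated when too many ANI failures happen.
    """
    failures = Counter()
    rejected = []
    for seq in sequences:
        try:
            record = decode_ani(seq)
        except ValueError:
            rejected.append(seq)      # keep malformed input for later review
            continue
        if record["ani_failure"]:
            failures[record["nxx"]] += 1
    flagged = {nxx: n for nxx, n in failures.items() if n >= threshold}
    return flagged, rejected


# Constructed sample sequences (not taken from any real switch).
SAMPLE = [
    "KP+00+555+0101+ST",
    "KP+02+555+0102+ST",
    "KP+02+555+0103+ST",
    "KP+2+312+555+0104+ST",   # one information digit, NPA included
    "KP+27+556+0105+ST",
    "KP+02+556+0106+ST",
    "KP+99+555+0107+ST",      # well formed, but the code is not in the table
    "KP+00+55+0108+ST",       # malformed: office code is too short
]

if __name__ == "__main__":
    flagged, rejected = anif_report(SAMPLE, threshold=3)
    print("offices at or above threshold:", flagged)
    print("rejected input:", rejected)
```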


   These double digit outpulsing formats are used in Equal Access areas, and
a similar method of outpulsing is used when customers deal with TSPS
   For more information, see the July, 1987 issue of 2600 Magazine, an article
entitled 'How phreaks are caught'.


   The AMARC, or Automatic Message Accounting Recording Center, is a fairly
modern development toward recording billing information. It offers the telco
several advantages over the older electromechanical setups, such as increased
revenue (always a plus in their eyes), reduced RAO processing costs, a new
computerized format that stores data on 1600 bpi, industry compatible magnetic
tape, elimination of loss due to paper tapes being destroyed, and elimination
of per-office paper tape pickup and delivery.


   The first version of the AMARC was the No. 1 AMARC, which received billing
data on a real-time basis over dedicated data links. It was based on two DEC
PDP-11/40 minicomputers. The No. 1 AMARC controls and receives data from a
maximum of thirty dedicated channels. A channel consisted of a dedicated line
(probably a Private Line service) equipped with a 202T data set, operating
asynchronously at 1.2 kbps. The No. 1 AMARC had a feature which allowed it to
call, over the DDD network, a backup channel in case one of the normal
channels experienced a failure. This backup channel could be reached by anyone
who had the phone number. It has not been determined by the author if there
was/is any security on these backup channels.


   Eventually, it was decided that more data channels were needed, and that
the AMARC computer could be centralized, and not clustered in administrative
centers, as was the procedure. The No. 1A AMARC fulfilled the telco's needs.
The No. 1A AMARC uses a higher capacity minicomputer, the DEC PDP-11/70, and
Western Electric peripheral equipment to provide ninety input channels,
improved maintenance capabilities, and room for growth in several areas. The
first No. 1A AMARC began operation in 1981 in the Chicago area.

   An important feature common to both the No. 1 and No. 1A AMARC was the
ability to receive billing information electronically over dedicated lines
from central office switches. Equipment located in central offices called
sensors send this data. There are different types of sensors for different
types of switching equipment, but the most common AMARC sensors shall be
listed here.


   The Call Data Transmitter (CDT). The newest AMARC sensor. The CDT is a
microprocessor based system which is used to collect data from No. 5 crossbar
offices. It is designed to be used in systems that do not have LAMA-A and do
not have enough traffic to warrant the expense of installing the No. 5 ETS.
It can be used with other sensors, and is not the only kind used in No. 5
crossbars. The first one was cut over in Illinois in 1980.

   The Call Data Accumulator (CDA). Similar to the CDT, but uses wired logic
control. The CDA, which collects AMA information from SxS switches, was the
first sensor to be made for use with the AMARC. This sensor is connected to
the ring, tip, and sleeve leads in a SxS switch, probably at the MDF. The
first CDA was cut over into service in New York in 1975.

   The Billing Data Transmitter (BDT). Used in electromechanical offices,
such as the Nos. 1, 5, 4, and 4A Crossbar, SxS CAMA, and the Crossbar Tandem
(XBT).  The BDT replaced up to 10 paper tape perforators that were previously
used.  Provides a newer alternative to LAMA-A. The BDT receives billing data
from the older LAMA-A paper tape recorder circuits and sends them to the
AMARC. The first BDT was cut over in New York in 1976.

   The No. 5 Electronic Translator System (ETS). The No. 5 ETS was added to
No. 5 Crossbar systems to provide some electronic switching functions that
were not present before. These functions are things such as line, trunk, and
routing translations provided by software methods rather than wired cross
connections.  The No. 5 ETS consists of duplicated Western Electric 3A
auxiliary processors with associated scanners and distributors. The first No.
5 ETS was installed in Ohio in 1977.

   VIDAR, a special sensor used in Crossbar No. 1 offices. VIDAR does not
interface with the AMARC but instead sends data to its own tape. This tape is
then sent to the RAO on a regular basis.

   These various sensors are specially designed electronic units which are
part of or connected to class 5 offices. These sensors collect and generate
billing data from the office they are used with. The billing data consist of
answer and disconnect times, call type, and the amount of measured local and
toll calls made.

   Some offices have added sensors, but exceptions include several ESS
systems which use SPC (Stored Program Control) to send data to the AMARC. SPC
means that the sensor is built into the switch software and that no other
equipment is needed. An example of this is the NTI DMS-100 switch. Nos. 2, 2B,
3, 3B, and No. 5 ESS also do not have special AMARC sensors, but send data to
the AMARC over a synchronous connection via a SPUC/DL (Serial Peripheral Unit
Controller/Data Link) at speeds of 2.4 and 4.8 kbps. There is another part in
the 2B ESS AMARC data link, called the AMARC Protocol Converter (APC). The APC
is a medium between the SPUC/DL and the AMARC.
   The No. 4 ESS, TSPS, 1ESS, 1AESS, and 2ESS switches don't have AMARC
sensors, and aren't even connected to the AMARC. These switches all have their
own AMA systems, from which the data is sent to the RAO regularly. Another
exception is the DMS-10 Remote Switch, which is connected to a device at the
RAO called a collector.
   There are other options possible when dealing with AMA collection, such as
the Distributed Call Measurement System (DCMS) made by a telco equipment
vendor, which acts like a mini-AMARC, and Northern Telecom's Distributed
Processing Peripheral system, which is used to collect billing data from NTI's
DMS switches. These systems can be used where applicable.



   In places where magnetic tape has been phased out, a new method of storing
the AMA data called AMA TeleProcessing Systems (AMATPS) has been implemented.
AMATPS overcomes the disadvantages of magnetic tape (such as the sequential
way the data is recorded, the high-density data losses that may happen, and
the sometimes unseen problems with the tape unit) by using random access disk
drives. AMATPS also adds some new system parts which can make the job easier.
Still, some AMATPS are not used to their full capability and can still present
problems to the telco.

   One of the parts that AMATPS adds to the overall AMACS is the use of AMA
Transmitters (AMAT's). These transmitters are added to the sensors, and
increase the power of the overall setup by providing things such as temporary
storage areas and programming applications. AMAT's are generally PC-sized
machines with two disk drives, and 50-150 megabyte hard disks.

   The second important addition is the collector. The collector acts like
the AMARC by polling the AMAT over data links. The collector, like AMARC, is a
centrally located computer system, usually running on an IBM Series 1, an
HP-1000, or an AT&T 3B5.

   Teleprocessing systems are made to understand a common AMA language format
made by Bellcore, the Bellcore AMA Format and Extended Bellcore AMA Format.
These were mentioned in part A of this article.



   Since the majority of people are served by AT&T, one may wonder how inter-
LATA call data gets to the given Inter-LATA Carrier (IC), in this case, AT&T.
AT&T has its own AMA collection system, which is called BILDATS (BILling DATa
System), and this is what collects the AT&T data. I would guess that each AT&T
toll office has some sort of interface with this computer system, but I have
no solid proof of this. It has also been suggested to me from a reliable
source that AT&T sends each BOC their own magnetic tapes, which the BOC's then
fill with AT&T's billing information. I am not sure which of these methods is

   The BOC billing information takes a different route, however. On a regular
basis (I believe each day), AMARC tapes are sent to the Regional Accounting
Office (RAO) or billing office, where each customer's intra-LATA traffic is
calculated and their telephone bill printed and mailed. The customer then
receives the bill and goes about whatever method of payment he chooses.
Telephone bills can usually be paid in person in many different places in
large cities, or they can be mailed in directly if the customer wishes. In my
area, the customer pays once, which is a total of his AT&T and BOC bill. This
is payable to the BOC, and AT&T then gets their payment from the BOC. In the
case of independent carriers such as US Sprint, MCI, ALC Communications, and
the like, I cannot say for sure what they all do as there seems to be no
standard procedure for this interaction, but in two instances, two specific
RBOC's (US West and BellSouth) handle FG-D Equal Access style billing for MCI
throughout their serving areas. There is a computer system involved in this
alternate carrier billing cycle, called the Carrier Access Billing System
(CABS). This system calculates the prices based on tariffs in use, and bills
the carriers on a monthly basis accordingly. I am not sure how widespread the
use of this system is, though. When the customer receives his MCI bill along
with his BOC bill he can pay them both at once. I would imagine that the
larger long distance services would be able to afford getting this service
from the RBOC's, while the smaller ones with less money would do it by
themselves, which would probably be a slow, drawn out process. In some cases,
dialing via an alternate carrier (other than your primary one) will cause the
billing cycle to take anywhere up to three months to complete, or even more.
Another interesting note about alternate carrier dialing, some carriers do not
start billing until a specific amount of time has elapsed. This is known as
buffer-zone billing. I know of one company that uses a 45 second buffer zone,
but I am not sure what the other companies use. You can find this information
out by talking to a customer service department, however some companies' CS
departments either don't know, or they do not wish to tell the customer (or
'potential' customer). With buffer zone billing (assume 45 seconds in this
case), you will be billed for the call if you let the phone ring, listen to a
busy signal, etc. if the duration of the call is greater than or equal to 45
seconds. Many of the ICs that use this type of billing do not have the
equipment to detect answer supervision, so if you can keep a conversation very
short, you may get away with a free call, without breaking any laws.



   When you receive credit for improperly placed long distance calls from an
operator or a telco business office (after you receive your phone bill)
certain things happen.

  Operator crediting involves the operator entering a special flag on an AMA
tape to deduct the specific amount of given charge from the subscriber's
telephone number. I believe that this process involves (with AT&T TSPS) the KP
TRBL key, and (with NTI's TOPS) the KP TRBL and the CHG ADJ (charge adjust)

  Business office crediting happens when you call the business office and
talk to a BOC 'service representative'. This person will then enter your
telephone number into a terminal, using the DOE (Direct Order Entry) system,
which is in use in my area. The billing record information comes from a
computer called CRIS (Customer Record Information System), which is accessed
by BOSS (Billing and Order Support System). BOSS has a link to computer
systems at the RAO, as this is how the customer's toll data gets to the
business office. A service representative can then pull up your toll charges
and correct them with appropriate credit entries.


   There have been several rumors going around about AMA and its relation to
people who commit toll fraud, and I will attempt to clarify these rumors. It
is possible that a billing tape could be used to try to find out who called a
certain number at a given time. Another way AMA tapes/disks could be used as a
record of someone committing toll fraud would be if this person would happen
to be under a newer switch, such as the DMS-100, and they attempted to use a
blue box without knowing the dangers of it (I will speak only on the DMS-100
because when an older switching system is replaced with a new one, the most
common replacements are the AT&T No. 5 ESS and the Northern Telecom DMS-100
Family of switching systems). DMS-100 does indeed have the capability to
record a blue boxer's MF tones in an AMA record if the boxer doesn't know what
he is doing.  1AESS also has blue box detection features. I am not sure about
other switching systems, but I would guess that most of the newer switches
have some sort of blue box fraud detection features, of course the end user of
these switches (the telco) does not have to use them. However it is difficult
to find out if your CO uses anything of this nature unless you are a good
social engineer or have access in some way to the switch or switch output
messages and know what to look for. For instance on the Northern Telecom
DMS-100 switching system, there are a series of reports known as BLUEBOX
reports which (if in use) will inform the telco of blue boxing activity. The
DMS-100 also has AMA options that can detect certain forms of electronic toll
fraud, such as black and blue boxing. These options can be set any way the
telco wants. These AMA options can be printed on a DMS-100 switching
system, onto hardcopy terminals, or onto a data channel which may send the
Output Messages (OMs) to a telco computer system such as the Switching
Control Center System (SCCS). These options are printed in an AMA118 OM at
midnight. If an AMA option is in use by that particular switching system,
after the name of the option will be a data field that says ACTIVE. If the
option is not in use, the field will say INACTIVE. An example of an AMA118 OM
is reproduced here.


 AMA118 JUL23 12:00:00 2234 INFO AMA-OPTIONS
    AUDIT:       ACTIVE
    CDAR:        INACTIVE
    CHG411:      ACTIVE
    CHG555:      ACTIVE
    COIN:        INACTIVE
    DA411:       ACTIVE
    LNID:        INACTIVE
    SST:         ACTIVE
    TWC:         INACTIVE


   The most important ones for phreaks to know about are INWATS, LONGCALL,
SST, UNANS-LOCAL, and UNANS-TOLL. INWATS means that calls to 800 numbers are
noted in an AMA record. As far as I know, this option is a required one, at
least since Bulk Change Supplement 23 (BCS23). LONGCALL will flag long calls
in an AMA record. So if it seems to the switch that someone has been on the
phone for a long time, this will be logged. A possible use for this would be
to detect trouble conditions. This option, used in past switching systems, may
have been the cause of many blue box busts. Someone would box for several
hours using the same number (for instance, Directory Assistance) and this may
have been noted by the switch. Another way I think old time boxers may have
been nailed is from boxing off of DA. As you can see in the above listing,
there are several options that probably make AMA entries for calls to DA. If
the length of a call to DA lasts longer than a certain amount of time, the
telco could possibly detect this and attach a monitoring device upon the
suspected person's telephone line. The AMA option 'SST' may also be responsible
for blue box busts in the recent past. SST stands for Short Supervisory
Transition, and an SST is known to the phreak world as a wink. SSTs are
generated when a blue boxer seizes a trunk. The switch can detect these and
log them in an AMA record if the option is set to ACTIVE. SSTs are not solely
caused by boxers, though, as equal access offices can generate a lot of SSTs
in normal operation. I believe that trunking arrangements with ICs (InterLATA
Carriers) are often responsible for triggering these. One toll office I knew
of had thousands of SSTs on a plant measurement report, so if this option is
ACTIVE, it may not be EXTREMELY dangerous, but it can't hurt to know about
this. One possible way around the SST detect is to make your 2600Hz tone last
several seconds. I do not remember the exact figure, but after a certain
number of seconds an SST ceases to be an SST. I am not
sure if these longer transitions are logged or not, or if there is even an
option for this. However I believe that the BLUEBOX feature could not be
fooled by doing this. BLUEBOX, if activated, will detect any foreign winks
after a necessary one (necessary for call completion) occurs. Of course you
can always avoid having your DN associated with anything like this by
re-directing your call flow, which can be accomplished easily.

   Another AMA option that could be used to catch black boxers is the
UNANS-TOLL option. When this option is ACTIVE, toll calls ringing longer than
a specific period of time can be logged in an AMA record. Someone calling toll
from a DMS-100 to a person using a black box (does anyone still use devices
like the black box anyway?) in a no. 5 crossbar may trigger this option to be
logged. I say 'may' because I am not positive about this, the option could
also be used in other ways, I imagine.

   The ENFIA-B-C option is one that could possibly present a problem to a
telecom enthusiast. I have seen the term ENFIA (Exchange Network Features for
Interstate Access) associated with a Feature Group A (POTS dialup) long
distance service. ENFIA-B and C mean FG-B and FG-C service. FG-A and B (POTS
and 950+1/0xxx respectively) could possibly be used to record information
concerning toll fraud. For instance, I know of one service (FG-D and FG-B)
that has the ability to check a telco's magnetic tape to see what numbers have
been accessing their service. If a large amount of fraud became a problem, the
carrier could get the AMA information to try and determine who is committing
toll fraud. I'm not sure if other companies have this option, I would guess
that almost all of the major companies (MCI, Sprint, Allnet, etc.) have the
ability to use something of this nature to track down security problems.
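
   For the staff who run a switch, the nightly AMA118 report is a record of
which AMA options are actually switched on. The following is an added example,
not part of the original article and not vendor code: it parses reports in the
layout reproduced above, lists watched options that are INACTIVE or absent, and
shows which options changed state between two nights. The watch list uses the
option names from the article; the function names, the second report, and the
unrelated message line are constructed, and the meaning of the fourth header
field is not stated in the article, so it is stored as-is.

```python
import re

# Header and option lines in the layout of the AMA118 example in the article.
HEADER_RE = re.compile(
    r"^AMA118\s+(?P<date>[A-Z]{3}\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<number>\d+)\s+INFO\s+AMA-OPTIONS$"
)
OPTION_RE = re.compile(r"^(?P<name>[A-Z0-9-]+):\s+(?P<state>ACTIVE|INACTIVE)$")

# Option names the article singles out (assumed watch list for this example).
WATCHED = ("INWATS", "LONGCALL", "SST", "UNANS-LOCAL", "UNANS-TOLL", "ENFIA-B-C")


def parse_ama118(text):
    """Return one dict per AMA118 report found in a stream of output messages."""
    reports = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = dict(header.groupdict(), options={})
            reports.append(current)
            continue
        option = OPTION_RE.match(line)
        if option and current is not None:
            current["options"][option["name"]] = option["state"]
        else:
            # Any other message ends the report; stray option lines are skipped.
            current = None
    return reports


def audit(report, watched=WATCHED):
    """List watched options that are INACTIVE or absent from the report."""
    opts = report["options"]
    return {
        "inactive": sorted(n for n in watched if opts.get(n) == "INACTIVE"),
        "missing": sorted(n for n in watched if n not in opts),
    }


def changes(previous, current):
    """List (option, old state, new state) for options that differ between reports."""
    old, new = previous["options"], current["options"]
    return [
        (name, old.get(name), new.get(name))
        for name in sorted(set(old) | set(new))
        if old.get(name) != new.get(name)
    ]


# First report: the example from the article. Everything after it is constructed.
SAMPLE_LOG = """
 AMA118 JUL23 12:00:00 2234 INFO AMA-OPTIONS
    AUDIT:       ACTIVE
    CDAR:        INACTIVE
    CHG411:      ACTIVE
    CHG555:      ACTIVE
    COIN:        INACTIVE
    DA411:       ACTIVE
    LNID:        INACTIVE
    SST:         ACTIVE
    TWC:         INACTIVE
 XYZ000 JUL23 12:00:05 2235 constructed unrelated message
 AMA118 JUL24 12:00:00 2290 INFO AMA-OPTIONS
    AUDIT:       ACTIVE
    CDAR:        INACTIVE
    CHG411:      ACTIVE
    CHG555:      ACTIVE
    COIN:        INACTIVE
    DA411:       ACTIVE
    LNID:        INACTIVE
    SST:         INACTIVE
    TWC:         INACTIVE
"""

if __name__ == "__main__":
    first, second = parse_ama118(SAMPLE_LOG)
    print(second["date"], audit(second))
    print("changed since", first["date"], changes(first, second))
```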


   Have you ever wondered why many of the old blue boxers were caught? It is
due to the use of AMA. AMA records can reveal boxing patterns, and this info
can be used by the telco to track down blue/red/black box users. So if you are
a person who practices any of these methods, be aware of what you are up
against. Boxing has been around for a very long time and the telco knows all
about what goes on and the different methods that people use. So use care. An
informed phreak is a free phreak.


   Hopefully this article has helped clear up any misconceptions about AMA
that anyone might have had, as well as provide a reference to be looked back
on. The information contained in this article can also be used for social
engineering purposes, if you so desire. However, I do not intend for any of
this information to go into harmful purposes, such as billing calls to other
people, or causing confusion and disorder at any internal points in the telco.
Such actions do not make a person a phone phreak. However, if you find out
anything interesting concerning AMA that isn't included here, or anything
about independent telcos' billing systems, feel free to let me know.

   If you wish to contact me concerning this article, you can find me on a
few BBS's. I will attempt to answer any questions anyone might have, and would
like to hear from anyone who has a valid interest in the workings of the phone

Thanks go out to all the people (too many to mention) who have contributed any
information (no matter how small or large) to this article. Other information
for this article has been taken from switching system messages, Bell System
Technical Journals, Bell Labs RECORDs, Bellcore documents, and various other
technical literature and information. I hope someone likes this article
because it took a very long time to complete.


                                  Chapter 8

                   An Overview of the Teradyne 4Tel System

   4TEL is a loop testing system mainly used by General Telephone (GTE) that
consists of a Voice Response System and a Craft Dispatch Section as well as
the facilities and equipment used for testing functions. The following text
will attempt to dispel many of the 4TEL myths that have been created in the
past years, such as the idea that it can be used to eavesdrop on lines within
its serving area. The information provided has been gained from company
publications and from personal experience. A 4TEL is not the same thing as a
REMOBS, which stands for REmote service OBservation System.

   The portion of the system that some of the phreak/hack population is
familiar with is the Voice Response System, which has normal POTS dialups.
This system greets the user with an announcement message and then asks for a
password, which is entered in DTMF tones. The legitimate use of these dialups
is for outside craft personnel (linemen) to call in, perform tests and
receive the results for subscribers' lines. The VRS is provided so craft
personnel can access the 4TEL system at times when no one is at the testboard
(at nights or weekends). Through the VRS, up to 8 craft/technicians can access
4TEL at the same time, enabling them to get more done in a smaller amount of

   After a password has been accepted by the system, the electronic voice
will ask for the line number that the user wishes to be tested. The number
entered will be read back to ensure correct entry. The system will then ask
for the user to enter the mode. The modes are:

   1: Calling on other line
   2: Calling on test line
   3: Line test results


   It is possible on some VRS's to get a listing of the modes by dialing 0
when the voice prompts. Line tests are possible from both modes 1 and 2 by
dialing the octothorpe (#) key. The results of the test will be announced
along with the length of the cable in miles. Bridged ringers, if any, will
also be noted. Mode 3, the line test results section, will tell the user there
are no test results available unless they have been previously entered. The 7
key is the monitor command from both test modes. If there is speech on the
line, it will be detected electronically but will NOT be heard by the user.
The monitor command is not 'REMOBS' (Remote Observation) but a method of
determining if the line is busy due to normal means (conversation) or due to
some trouble condition at the switch. When the system asks for the ID code for
a monitor command, the system will accept the line number as well as the
initial password, and even a secondary password before dialing, but it has not
been determined by the author if this is a standard for every 4TEL. Not just
anything will work for the monitor password however as it will announce if the
ID code entered is invalid or not.

   If mode 1 is entered, these commands are available:


   1-Fault location
   2-Other Testing
   7-Test OK, monitor
   8-Hang up
   9-Enter next line number

   If option 7 is chosen, another menu will be available if the line tests

   2-Monitor test
   3-Override and test
   4-Wait for idle

   If suboption one (Fault location), mode one, is chosen, these commands are

   1-Open location
   3-Short location
   4-Cross location
   5-Ground location
   8-Hang up


   If suboption two (Other testing), mode one, is chosen, these commands are

   2-Loop ground Ohms
   3-Dial tone test
   4-Pair ID
   8-Hang up


   2-Other testing
   7-Test OK, monitor
   8-Hang up
   9-Enter next line number

   If suboption 2 (Other testing), mode two, is selected, these commands are

   2-Loop ground Ohms
   8-Hang up

   The 4TEL system's main use is for standard testing, which is done nightly
upon every line in an exchange. This locates faults and problems before they
have to be reported by customers. All lines that have trouble detected upon
them are printed out in a report at the repair center the next morning where
the proper fault location and dispatching can be done. The measurement and
test unit of the 4TEL system is called a COLT, Central Office Line Tester,
which performs all nightly and on demand tests upon the exchange through local
test trunks.

   There are a few different types of COLTs. The standard version will serve
any CO for up to 10,000 subscribers. The COLT RS is used in rural step by step
offices (referred to as 'steppers' also) for up to 1,300 lines. The Digital
COLT is used for digital Central Offices. These can have remote Colt
Measurement Units (CMU's) for remote switches which are controlled by the Colt
Computer Unit (CCU) at the host switch. The CMU speed calls the CCU at night
to start the testing and direct the operations. The CMUs in regular end
offices have digital links (over the normal telephone network) with the SAC,
which is how the line test results are distributed to the repair center.

   The 4TEL system can also test lines upon command by a human operator at
the SAC (Service Area Computer). The CRT operator enters the line number in
the proper field and 4TEL runs a full series of tests as well as displaying
past line history, fault summary, volts and current information, and the cable
length. The results of the testing are displayed in plain English, as opposed
to decimal or other format, on the screen. A dispatch decision is also
displayed after every line test to determine if a dispatch is needed.


   The SAC is the centralized focal point for 4TEL control and reporting.
This computer is located in the repair center and distributes test/work
information between CRT's and COLT's. The SAC formats the results of routine
testing into a daily advisory report as mentioned earlier.

   There are several types of 4TEL reports that are worth noting. The
DISPATCH report lists troubles that can have an immediate dispatch for them.
These also tell the location of the fault (cable, CO, station, etc.) and are
classified into two types, moderate and severe, according to how
service-affecting the problem may be. The CABLE report lists all new cable faults. A
Plant Status report summarizes the condition of the outside plant and totals
them per individual exchange. In these reports, trouble conditions can be
listed in a variety of ways. CROSSES and WETS refer to line insulation faults
and may indicate water penetration of the cable. SHORTS and GROUNDS are
insulation faults at the station set. OPENS refer to a broken, or 'open' Ring
or Tip lead in a Cable Pair. BACKGROUND refers to electrical noise caused by
power lines being nearby. ABNORMAL VOLTAGE indicates high voltage conditions.
There are others, but the reader will hopefully get the idea from the ones
listed above.


   Another major part of the 4TEL system is the Craft Dispatch System, which
is a DTMF and speech response setup used to exchange report and schedule
information between the repair center staff and outside craftspersons. Linemen
call in to get dispatch information that has been previously entered by the
dispatcher. CDS plays back the info one field at a time. When the craft
personnel is ready to receive the next field of information, he simply says
'Go' and the system continues. A printer at the repair center informs the
dispatcher when a craftsperson has received a report. When the trouble is
taken care of, a completion report is done on the CDS in which it asks for the
closeout and schedule one field at a time to be entered in DTMF and in speech.
The clerk at the repair center then closes the trouble on the SAC/4TEL system
after the line is tested a final time to ensure proper operation.

   CDS may also have audit trails of every transaction for a certain time
period. To summarize the work flow involving the CDS: an irate customer
calls the clerk at the repair center. The information is forwarded to the
dispatcher who enters it into CDS. Craft personnel call in and receive the
messages, do the required work, then file a completion report. The clerk then
closes out the trouble in SAC/4TEL.

   The Digital Concentrator Measurement Unit is another component of the 4TEL
testing equipment that is used to test lines in digital concentrators such as
the GTE MXU and the NTI-OPM. They are located inside Digital Loop Carrier
system remote terminals or huts and consist of a circuit board and measuring
system. It provides AC and DC measurements of subscriber loops, as well as all
the normal test/measurement functions such as fault description and location,
dispatch messages, and special tests. The DCMU can test the lines of an
individual DLC remote terminal, or a group of terminals that are located
together. The capacity of terminals that the DCMU can test is determined by
analysis of test traffic and economic factors as well. Both the CRT at the SAC
and the VRS are compatible with the DCMU. These units are self calibrating,
unlike the PMU's of an LMOS supported Loop Testing System. The 4TEL CCU is
linked to the DCMU via either a 1200 baud dial up or a dedicated link,
depending upon the size of the office.

   Some of the tests that 4TEL performs are loop and ground resistance (which
detects resistance faults and sheath ground problems), dial tone test (in
which the number of times dial tone can be drawn during a certain period is
recorded), busy line monitoring (not BLV or REMOBS), coin station tests
(totalizer, coin relay, etc), as well as all the standard tests which were
covered above. A pair identification can also be done, in which a tone is
placed on the pair to help those at terminal cabinets locate that specific
one, similar to the LMOS/MLT tone applique function.

   Miscellaneous notes

   If a user enters the number of the 4TEL system they have dialed in upon,
the system will announce an intercept. A user cannot monitor/test Directory
Assistance through 4TEL. Lines that are out of the system's NPA can be tested
also, but a 1 has to be dialed before the number just like an ordinary toll
call. The 4TEL VRS will give the user a 'beep' tone after a few seconds of
waiting for input. If the user doesn't enter anything, the VRS will
disconnect.  A version of 4TEL is also used by Rochester Telephone in New
York, and there may be other independent companies that use the system. Try
to find out what system you're served by. If you're in a Bell area, it will
most likely not be 4TEL, but LMOS.

I hope that this article has helped readers to better understand the way the
4TEL system operates. Again, there may be some differences depending upon the
area and the company. Thanks go to Taran King, Phantom Phreaker, and Lucifer
666 for supplying information in one way or another that contributed to this

                                  Chapter 9

                  Coin Service, The Central Office, and You

    In this file I will attempt to give a basic overview of how various
central offices handle coin service.  If you feel your interest grows due to
this file there are other good technical documents about coin service, i.e.
Bell System Practices, CDs, PDs, etc.

    Coin service is differentiated from other services by a special class of
service.  All switching systems give -48 volt battery toward the coin phone on
the ring side of the line.  Coin-First lines have an open TIP during a normal
receiver-on-hook condition.  When a line goes off hook the central office
takes no action and in fact can not detect the off hook condition due to the
line's conditioning for ground start.  When the customer deposits money the
coin ground is extended to the ring side of the line. The ground signals the
line equipment in the central office to give a dial tone.
    Dial-Tone First offices give both the battery and ground to the coin
station, thus providing a dial tone equivalent to a POTS phone.  All coin
service is super current sensitive. (The central office must give at least 23
milliamps of line current and 41 milliamps of coin control current to the
farthest coin station.)

    The switching systems differ in the method by which calls are handled.

No. 5 Crossbar

    The No. 5 crossbar coin-first offices must have a dual wound line relay
with both windings in series when dealing with a coin first situation.  If any
Coin-First lines are served in a No. 5 crossbar office the originating
registers must be able to desensitize the (pulsing) L relay by providing a
resistive ground through its tertiary winding via the coin class of service
    Crossbar offices can give coin return from Originating Registers,
TSPS/Cordboard trunks, Ring and Tone trunks, Announcement trunks, and Coin
Supervisory circuits.  Coin collect current is only given through
TSPS/Cordboard trunks and Coin Supervisory circuits.  The only circuit that
can handle a stuck coin test is the coin supervisory circuit.

    Crossbar offices handle coin actions on locally completed calls in the
coin supervisory circuit (CS).  All trunks must have access to the CS circuit
or use coin junctors or coin 1A0 trunks that have such access.  The use of
coin junctors or coin 1A0 trunks eliminates the need for other trunks to be hard
wired to the Coin Supervisory Link.  When the trunk's supervisory relays show
a coin action is needed the trunk searches for an idle Coin Supervisory
Circuit through the Coin Supervisory Link.  The bridged connection allows the
Coin Supervisory Circuit to give the proper collect or return current toward
the coin telephone and test to see if the action was successful.
    Crossbar offices handle coin actions required by DDD calls or TSPS
operators in the No. 5 crossbar TSPS trunk.  The TSPS base unit signals the
No. 5 office by either frequencies or multiwinks.  The No. 5 office receives
these signals and the trunk applies one pulse of coin collect or return or
ring back.  The No. 5 TSPS trunk does not make a test to see if the required
coin action is successful.  If the coin is still present the call is dropped
and the coin remains in the trap.


    ESS offices provide all coin control actions from the Coin Control
Circuit.  The Coin Control Circuit is switched to a customer's line under
program control.  The Coin Control Circuits always make a stuck coin test at
the end of a call.
    ESS offices handle coin actions required by DDD or TSPS operators by
scanning the TSPS trunk looking for any control signals from the TSPS base
unit.  When the ESS office sees a request on the TSPS trunk the ESS office
opens the talking path and attaches a multifrequency (MF) receiver.  The MF
receiver looks at the tones being sent from the TSPS base unit transmitter and
checks if the signal requested is a coin collect, coin return, ring back, or
operator attached.
    Dial-Tone First (DTF) offices not equipped with expanded In-Band
Signaling give +48V talk battery during operator attached and 48V talk
battery during the rest of the call.  If the TSPS signals for coin return the
ESS office will open the talk path again, release the MF receiver and switch
the line to the Coin Control Circuit which applies -130V coin return
potential.  After the coin control function is finished the system will make
one recycle attempt if the coin ground is still present.
    Local calls are handled within the ESS machine.  When a coin control
function is required the program momentarily opens the talk path and switches
the line to a Coin Control Circuit which applies the required current.

Step By Step
    Coin lines in a Step By Step area are served on dedicated Line Finder
groups.  The Line Finders are hardwired to a coin box trunk and then cabled to
a first selector appearance.
    Step By Step offices can give coin return from coin box trunks,
TSPS/Cordboard trunks, and other miscellaneous trunks. (My knowledge of Step
By Step is vague, it's kind of like trying to research dinosaurs.)

    Step By Step offices handle coin actions on local calls in the coin box
trunks.  The coin box trunk applies the coin control current through the
winding of a relay to the coin station hopper trigger ground.   When the coin
station ground disappears, the coin box trunk relay releases and allows the
connection to restore to normal.  Some Step By Step offices have a timed
release circuit that will time out after about eight attempts of coin control
action, peg the stuck coin register, then release.  If the timed release
circuit is not provided and a coin ground can not be removed, the circuit must
be manually released.
    Step By Step offices handle coin actions required by DDD calls or TSPS
operators in the Step By Step TSPS trunk.  The TSPS base unit signals the Step
office by either frequencies or multiwinks.  The Step office trunk receives
these signals and the trunk applies one pulse of coin collect, coin return or ring
back.  The trunk does not make a test to see if the action was successful.
    If a DDD call was completed to a busy number the Step By Step TSPS trunk
will apply one quick pulse of coin return toward the coin station, then the
coin box will check to see if the coin ground has disappeared.  If the ground
is still present the coin box trunk will repeat the attempt to collect the

                                  Chapter 10


Computer break-ins are no longer viewed as harmless pranks.  For example,
unauthorized computer access is a misdemeanor under 502PC of the California
Penal Code if you just trespass and browse around -- and if it's your first
But:  "Any person who maliciously accesses, alters, deletes, damages, destroys
or disrupts the operation of any computer system, computer network, computer
program or data is guilty of public offense" -- a felony under Section C of
that code.  Even changing a password to "Gotcha" is a felony if it can be
proven that it was a "malicious access."

In California, the maximum punishment is state imprisonment, a $10,000 fine and
having your equipment confiscated.  The penalty depends on who you are, your
prior record and the seriousness of the crime.

And you don't have to, for instance, breach national security to be guilty of a
felony.  Accessing even a simple system of a small company could damage vital
data for more than a year's worth of business, especially if that company
didn't properly back up its data.

There are all kinds of computer crime.  Stealing an automated teller machine
card and withdrawing money from an account is a computer crime because you're
using a computer to get money out of a system.  But simply trespassing in a
system and not doing any damage is normally a misdemeanor, according to Sgt.
John McMullen of the Stanford University Police Services.  This kind of crime
has become very common. "Every kid with a computer is tempted," he said.

Unfortunately, it can take months to complete an investigation.  For instance,
the so-called "LEGION OF DOOM" case, beginning in September, 1986, took 10
months to solve and involved people in Maryland, New York, Pennsylvania, Oregon
and California.

If someone breaks into the computers of, for example, California's Pacific
Bell, and the break-in is severe, Pacific Bell Security gets warrants issued,
and then, with the police, confiscates computers, manuals, telephone lists and
directories -- all related equipment.  It's common for the computer to be tied
up for a few months as evidence. (And by the time Pacific Bell Security does
get involved, the evidence is usually overwhelming -- the conviction rate is
extremely high.)

"Whenever I'm involved in a case," said McMullen, "I ask the judge for
permission to confiscate the equipment.  That's one big incentive for hackers
not to do this kind of stuff. I haven't had any repeaters, but I know of one
case where the guy probably WILL do it again when he gets out.

"Usually the shock of what happens to a juvenile's parents -- who bought the
equipment and watched it get confiscated -- is enough to make them stop. But we
don't really have enough cases to know what the parents do."


"It's easy for hackers to find company phone numbers," said Daniel Suthers,
Atari user and operations manager at Pacific Bell in Concord, California.
"Most large companies have a block of 500 to 1,000 phone numbers set aside for
their own use.  At least one line will have a modem.

"People post messages on hacker/phreaker bases on some BBS's and say 'I don't
know who this phone number belongs to, but it's a business, judging by the
prefix, and has a 1200-baud tone.' Then it's open season for the hackers and

Phreakers aren't much different than hackers -- they're just specifically
telephone-oriented.  In "CompuTalk: Texas-Sized BBS" (Antic, August 1987),
sysop Kris Meier discussed phreakers who appear to have called from phone
numbers other than the ones they were actually using.  A computer isn't needed
to do this -- it's usually done with a "blue box."

"The blue boxes were used mostly in the late 1960s and early '70s," said
McMullen.  "They fool the network and let people make free long distance calls
-- a tone generator simulates the signalling codes used by long distance
operators.  The boxes were phased out a couple of years ago, though:  they no
longer let hackers access AT&T, but Sprint and MCI can be accessed by something
similar.  However, computer programs are normally used now."

To get long-distance phone service, hackers now use one of several programs
passed among other hackers (on bulletin boards, for example).  They find the
local access number for Sprint or MCI and then run the program -- perhaps for a
few days.  It generates and dials new phone numbers, and the hackers can check
to see how many new or free codes they've turned up.

They can post the codes on a BBS, and their friends will use them until they
get stopped by the long-distance company -- depending on how long it takes the
company to realize that these numbers hadn't been issued yet -- or until the
customers discover that their numbers have been accessed by someone who isn't

Bulletin boards can be especially easy prey.  "If a hacker knew your BBS
program intimately, he could probably figure it out, but that's messy," said
Suthers.  "If he can find a back door, it's easier.  Sysops are notorious for
putting in their own back doors because, though they have all the security
under the sun on the FRONT doors, they still want to get in without problems.
It's just like what happened in the films Tron and Wargames -- which probably
taught a whole generation a lot of things."

Meier had said in the August, 1987 issue of Antic that someone once called his
board COLLECT.  Simply put, the caller fooled the operator.  McMullen says
that's been around for a long time.  "It's common in prisons and situations
where the phones are restricted." McMullen also said that if the timing is just
right, as soon as the modem answers, the phreaker can wait for an operator to
say "Will you accept the charges," then say "Yes."  The operator can't tell
which end said yes, and if the modem has a long delay before the connect tone,
the phreaker can get away with it.  It couldn't be done entirely electronically
-- the voice contact is needed.

"I've never run across people accessing online services such as CompuServe in
this way, but I'm sure it happens," said McMullen.  "People suddenly get
strange charges on their phone bills.

"The hackers I've dealt with are very brilliant and good at what they do. Of
course, when you do something all day that you're really interested in, you're
GOING to be good at it."


McMullen's most recent hacker case at Stanford University dealt with the Legion
of Doom, an elite group of hackers who broke into computers -- some containing
national defense-related items. "As I understand it, they're supposed to be the
top hackers in the nation," McMullen said.  "I started investigating the case
when it began crossing state lines, getting a bit too big.  I contacted the
FBI, who said that because of the Secret Service's jurisdiction over credit
card and telephone access fraud, they'd taken over computer crime
investigations that go across state lines -- actually, anything involving a
telephone access code.  This case, of course, involved access codes, because
the Sprint and AT&T systems were used, and it was the Secret Service, not the
FBI, that made the arrests.

"I think that the publicity from this case will scare people, and there'll be a
lot less hacking for a while.  Some hackers are afraid to do anything: they're
afraid that the Secret Service is watching them,


AT&T, Sprint and MCI now have ANI -- Automatic Number Identification -- as does
Pacific Bell.  It aids a great deal in detecting hackers.  Pacific Bell usually
just assists in this type of investigation and identifies the hackers. "It's
easy to trace a call if the caller logs in more than once," said Suthers. "The
moment they dial in, a message is printed out -- before the phone even answers
-- pinpointing where it came from, where it went to, the whole shmeer.

"A blue box made it much harder to detect, but if a hacker used it
consistently, we could eventually trace it back.  So if someone is in
California and makes it look as if he'd called from New York, we can trace it
across the country one way, and then back across.  Generally, though, if the
call IS billed to a New York number, the caller is actually somewhere like
Florida.  But we can back-trace the call itself, especially if it's extremely

But recently someone broke into Pacific Bell "through a fluke of
circumstances."  Suthers said, "We closed down that whole area, so they can't
get back in that way, but if they dial the number again, they're in trouble."

If Pacific Bell Security detects a break-in, the area is secured immediately.
Sometimes hackers are steered toward a kind of "pseudo-system" that makes them
THINK they've broken in -- but in fact they're being monitored and traced.

As to how many hackers there are, who knows?  There's a lot of misuse and
inside work that's never detected or reported.
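
The ANI-based tracing described above, applied to the access-code scanning
programs described earlier in this chapter: an added example (not from the
article) that flags a calling number entering many distinct invalid
authorization codes in a short window and lists the valid codes it reached so
they can be revoked. The record layout, the 10-minute window and the threshold
of 5 are assumptions, and the call records are constructed.

```python
"""Flag authorization-code scanning at a carrier access number, keyed on ANI."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records for one access number (not real data). Assumed layout:
# time, ANI of the calling line, authorization code entered, switch verdict.
SAMPLE_CDR = """\
time,ani,code,result
1987-08-01T02:00:05,4155550101,100001,invalid
1987-08-01T02:00:50,4155550101,100002,invalid
1987-08-01T02:01:35,4155550101,100003,invalid
1987-08-01T02:02:20,4155550101,100004,valid
1987-08-01T02:03:05,4155550101,100005,invalid
1987-08-01T02:03:50,4155550101,100006,invalid
1987-08-01T02:04:35,4155550101,100007,invalid
1987-08-01T09:15:00,4085550123,734512,invalid
1987-08-01T09:15:40,4085550123,734521,valid
1987-08-01T10:00:00,9165550177,220044,invalid
1987-08-01T10:00:30,9165550177,220044,invalid
1987-08-01T10:01:00,9165550177,220044,invalid
1987-08-01T10:01:30,9165550177,220044,invalid
1987-08-01T10:02:00,9165550177,220044,invalid
1987-08-01T10:02:30,9165550177,220044,invalid
1987-08-01T23:40:00,4155550101,100004,valid
"""


def parse_cdr(text):
    """Parse the CSV text into a time-ordered list of record dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["time"])


def find_code_scanners(records, window=timedelta(minutes=10), threshold=5):
    """Flag each ANI that enters `threshold` or more DISTINCT invalid codes
    inside any sliding `window`. Retrying one wrong code does not count.

    Returns {ani: {"first_alert", "peak_distinct", "codes_to_revoke"}}.
    """
    recent = defaultdict(deque)       # ani -> (time, code) of invalid attempts
    valid_by_ani = defaultdict(set)   # ani -> codes the switch accepted
    flagged = {}

    for rec in records:
        ani, code, when = rec["ani"], rec["code"], rec["time"]
        if rec["result"] == "valid":
            valid_by_ani[ani].add(code)
            continue
        attempts = recent[ani]
        attempts.append((when, code))
        # Slide the window: forget attempts older than `window`.
        while attempts and when - attempts[0][0] > window:
            attempts.popleft()
        distinct = len({c for _, c in attempts})
        if distinct >= threshold:
            entry = flagged.setdefault(
                ani, {"first_alert": when, "peak_distinct": distinct})
            entry["peak_distinct"] = max(entry["peak_distinct"], distinct)

    # Any code a flagged line got accepted, before or after the alert, is
    # treated as compromised and listed for revocation.
    for ani, entry in flagged.items():
        entry["codes_to_revoke"] = sorted(valid_by_ani[ani])
    return flagged


if __name__ == "__main__":
    for ani, info in find_code_scanners(parse_cdr(SAMPLE_CDR)).items():
        print(ani, info["first_alert"].isoformat(),
              info["peak_distinct"], info["codes_to_revoke"])
```

Counting distinct codes rather than raw failures keeps the customer who retries one mistyped code (9165550177 in the sample) out of the alert list.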


Security systems are expensive, but someone with a lot of data and an important
system should seriously look into one.  Very few hackers are caught, simply
because few corporations have good security systems. "Passwords should never be
names, places or anything that can be found in a dictionary," said Suthers.
"People shouldn't be able to just write a program to send words from their
AtariWriter Plus dictionary disk.  Normally there should be a letter here, a
few numbers there -- garbage. Thus, if someone writes a program to generate
random symbols and keeps calling back until he breaks in, he'll probably be
traced.

"Some corporations aren't very computer literate and don't worry about things
like passwords until they've been hit, which is a shame.  But it's all out
there in the books. TRICKS OF THE UNIX MASTER (by Russell Sage, published by
SAMS Publications, $22.95) is a beautiful book that tells you exactly what to
do to avoid break-ins."

McMullen said that Stanford is trying to tighten up security by emphasizing the
importance of better passwords. "When researchers want to do their work,
however, they don't want to mess with passwords and codes," he said.
"Universities seem to want to make their systems easier for researchers to use.
The more accessible it is, obviously, the less security there is in terms of
passwords.  It's easier to use your name as a password than some complicated
character string.

"So any hacker worth his salt can go onto any computer system and pull out an
account.  Especially with UNIX, it's very easy to access it, entering as the
password the first name of the person who has the account. These Legion of Doom
hackers used a program that actually found out what the passwords were: it
began by just checking the names.  They were very successful -- it was just
unbelievable."
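
The password advice quoted above (no names, nothing found in a dictionary,
mixed letters and numbers), written as a check applied when a password is set:
an added example, not from the article. The word list, the 6-character minimum,
the substitution table and the account details are assumptions constructed for
illustration.

```python
import re

# Constructed stand-in for a system dictionary file; a real check would load a
# full word list. The substitution table and default minimum are assumptions.
SAMPLE_WORDS = {"stanford", "secret", "password", "gotcha", "wizard", "dragon"}
LEET = str.maketrans("013457@$!", "oleastasi")


def variants(password):
    """Base forms that a word-list guessing program would also reach."""
    low = password.lower()
    # Drop digits and punctuation tacked on either end ("dragon1", "Smith87!").
    forms = {low, re.sub(r"^[^a-z]+|[^a-z]+$", "", low)}
    # Undo common digit-for-letter substitutions ("p4ssw0rd").
    forms |= {f.translate(LEET) for f in forms}
    # Reversed spellings ("nhoj").
    forms |= {f[::-1] for f in forms}
    return {f for f in forms if f}


def screen_password(candidate, login, full_name, words=SAMPLE_WORDS, min_len=6):
    """Return the reasons to reject `candidate`; an empty list means accept."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append("too short")
    classes = sum(
        bool(re.search(pattern, candidate))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 2:
        reasons.append("single character class")
    # The login ID and each part of the owner's name: the guesses the article
    # says were checked first.
    personal = {
        token
        for token in re.split(r"[^a-z]+", f"{login} {full_name}".lower())
        if len(token) >= 3
    }
    forms = variants(candidate)
    if forms & personal:
        reasons.append("derived from account or owner name")
    if forms & set(words):
        reasons.append("dictionary word")
    return reasons


if __name__ == "__main__":
    # Constructed account and candidate passwords.
    for pw in ("john", "Smith87!", "p4ssw0rd", "nhoJ1987", "k7#Qx2mV"):
        verdict = screen_password(pw, "jsmith", "John Smith") or "accept"
        print(f"{pw!r:12} -> {verdict}")
```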

But McMullen feels that security fell way behind the advances made in
computers, and several avenues were left open for people to explore.  "Often
these hackers don't mean to be malicious or destructive," he said, "but I think
they really feel triumphant at getting on.  Sometimes they do damage without
realizing it, just by tramping through the system:  shutting down phone lines,
programs and accounting systems." However, the strides made in security since
then have accounted for arrests, confiscations and convictions all over the
country -- but there are still many more to come.

                                  Chapter 11

                         The AT&T BILLDATS Collector

NOTES: This article will hopefully give you a better understanding of how
the billing process occurs. BILLDATS is just one part of the billing picture.
Before I began working for the government, I was a Telco employee and thus,
the information within this article has been learned through experience.
Unfortunately, I was only employed for a few months (including training on
BILLDATS) and am still learning more about the many systems that a telco uses.
There are, however, a couple of lists that were compiled and slightly modified
from what little reference material I could smuggle out and my notes from the
training class. This article does require a cursory knowledge of telco and
computer operations (i.e. switching, SCCS, UNIX).



BILLDATS can be explained in a nutshell by the acronym listed above. If there's
one thing telecommunications providers do well, it's creating acronyms.
Basically, BILLDATS collects billing information (that's why they call it a
Collector) from AMATs (Automatic Message Accounting Transmitters). The AMATs
are situated in or close to switching offices and are connected to BILLDATS
either through dedicated or dial-up lines. BILLDATS can be considered as
the "middleman" in the billing process. The system collects, validates, and
adds identification information regarding origination and destination. This
is then transferred to tape (or transmitted directly) to the RPC (Regional
Processing Center) or the RAO (Revenue Accounting Office). The RPC/RAO
actually processes the billing information. Typically the BILLDATS system is
located in the same building as the RPC/RAO or in an adjoining one (but can be
across town).

BILLDATS is similar to many other phone company systems (i.e. SCCS) as it uses
a combination of software. The software base is UNIX and the BILLDATS Generic
program runs on it. The hardware used is an AT&T 3B20 (this is what 5ESS
switches use).

Some of the more interesting features BILLDATS possesses are:

*   Can be accessed via dialup (always a plus).
*   Runs under UNIX (another plus).
*   Interface with SCCS (yet another plus).
*   Can store about 12 million calls for the first two disks and about
    8 million calls for each additional disk. A total of 6 (675 MB) disks
    can be used.
*   Inserts the sensor type and ID and recording office type and ID onto
    every AMA record that it collects.
*   Capable of collecting information from nearly 600 AMATs.

To better understand how/why you get a bill after making long distance phone
calls, I have delineated the steps involved.

You call Hacker X and tell him all about the latest busts that have occurred,
he exclaims "Oh Shit!", hangs up on you and throws all his hacking information
into the fireplace. The actual call is referred to as a call event. As each
event happens (upon termination of the call) the event is recorded by the
switch. This information is then sent via an AMA Transmitter which formats the
information and then sends it to BILLDATS (commonly called a "Host
Collector"). BILLDATS then provides the information to the RAO/RPC. The
billing computer is located at the RAO/RPC. Do not confuse the actual billing
system with BILLDATS! The billing computer:

*   Contains customer records
*   Credit ratings (in some telcos)
*   Totals and prints the bill
*   Generates messages when customers do not pay (i.e. last chance and
   temporary termination of service)

When the billing period is over (typically 25-30 days), many events (it
depends on how many calls you have made) have accumulated. A bill is then
generated and mailed to you.


BILLDATS collects information in two ways:

1.  AMATs
2.  Users

AMAT input

BILLDATS collects data from the AMAT either directly from the switch, or from
a front end which performs some processing on the data before giving it to
BILLDATS. The data I am talking about here is usually AMA billing information.
The information is in the usual AMA format. As I said earlier, the recording
office and sensor types and IDs have to be added by BILLDATS. The other
information that is transmitted is usually maintenance data.

Data is transferred between BILLDATS and an AMAT over either dedicated or
dialup lines using the BX.25 protocol. This protocol
has been adopted by the telecommunications industry as a whole. It is
basically a modified version of X.25.

User input

This is simply sysadmin and sysop information.


Once the information is collected, additional data (mentioned earlier)
must be inserted. The information that BILLDATS inserts into the AMA records
it receives depends on whether the AMAT is a single or multi-switch AMAT.
Either way, the data is passed through the DEP. The DEP is a module which
is part of the LHS (Link Handler Subsystem) that actually inserts the
additional data. It also performs other functions which are rather
uninteresting to the hacker. The LHS manages the transmission of all the
collected information. This is either through dedicated or dialup lines. The
LHS is responsible for:

*   Logging of statistics as related to the performance of links.
*   Polling of remote switches for maintenance and billing information.
*   Passing information to the DEP in which additional information is
*   Storing billing information.
*   Other boring stuff.


Basically an AMAT is a front end to the switch. The AMAT:

*   Gets AMA information from the switch.
*   Formats and processes the information.
*   Transmits it to BILLDATS.
*   An AMAT can also store information for up to 1 week.

The following is a list of switches and their related AMAT equipment that
BILLDATS obtains billing information from:

1A ESS: This is usually connected to a 3B APS (Attached Processor System) or
2ESS:   This is connected to an IBM Series 1 AMAT.
2BESS:  Connected to a BILLDATS AMAT.
4ESS:   Connects to 3B APS.
5ESS:   Direct connection.
TSPS 3B: Direct connection.
DMS-10: Connects to IBM Series 1 AMAT.

There are other AMATs/Switches but they must be compatible with the BILLDATS


Even though a system is UNIX based, that doesn't mean that it is a piece of
cake to get into. Surprisingly (when you think about the average Intelligence
Quotient of telco personnel) but not surprisingly (when you consider that the
information contained on the system is BILLING information--the life blood of
the phone company) BILLDATS is a little more secure than your average telco
system, except for the fact that all login IDs are 5 lower case characters or
less. BILLDATS can usually be identified by:

bcxxxx 3bunix SV_R2+


bc = B(ILLDATS) C(ollector).
xxxx = The node suffix. This is entered when the current Generic is installed.
3bunix = This simply indicates that UNIX is running on an AT&T 3Bxx system.
SV_R2+ = Software Version.

The good news is that there is a default username when the system is
installed. The bad news is that upon logon, the system forces you to choose a
password. The default username is not passworded initially. The added security
feature is simply that the system forces all usernames to have passwords. If
it doesn't have an associated password, the system will give you the message:

"Your password has expired. Choose a new one"

A 6-8 character password must then be entered. After this you will be asked
to enter the terminal type. The ones provided are AT&T terminals (615, 4425,
and 5420 models). Once entered a welcome message will probably be displayed:

"Welcome to the South Western Bell BILLDATS Collector"
"Generic 3, Issue 1"
"Tuesday 01 Aug 1989 12:44:44 PM"


The BILLDATS prompt was displayed "dallas>" where dallas is the node name.
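
An unpassworded default account whose first login sets the password belongs to whoever connects first, so the check to run before a collector is reachable is an audit for empty password fields. The following is an added example, not code from the original text or from BILLDATS; it assumes the classic System V /etc/passwd layout, and the logins and hashes in the sample are constructed.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the classic /etc/passwd layout: field 2 holds the
# crypt(3) hash, optionally followed by ",aging". Logins and hashes are made up.
SAMPLE_PASSWD = """\
root:Xy7kQ1mPz0abc:0:1:Super User:/:/bin/sh
bdadm::100:10:collector admin:/usr/bdadm:/bin/sh
newop:,..:102:10:new operator:/usr/newop:/bin/sh
oper1:aB3dE5fG7hI9k,M.:101:10:operator:/usr/oper1:/bin/sh
uucp:NOLOGIN:5:5:uucp:/usr/spool/uucppublic:/usr/lib/uucp/uucico
this line is not a passwd entry
"""

CRYPT_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional DES crypt(3) output
SHORT_LOWER_ID = re.compile(r"^[a-z]{1,5}$")      # the login ID format the text describes
NON_LOGIN_SHELLS = ("uucico", "nologin", "false")


class Account(NamedTuple):
    login: str
    pw_state: str   # "empty", "set" or "locked"
    aging: str
    uid: int
    shell: str


def parse_entry(line: str) -> Optional[Account]:
    """Parse one passwd line; return None for anything malformed."""
    fields = line.strip().split(":")
    if len(fields) != 7 or not fields[2].isdigit():
        return None
    login, pw_field, uid, _gid, _gecos, _home, shell = fields
    # An empty hash with an aging suffix (",..") still means "no password".
    pw_hash, _, aging = pw_field.partition(",")
    if pw_hash == "":
        state = "empty"
    elif CRYPT_HASH.match(pw_hash):
        state = "set"
    else:
        state = "locked"   # cannot be the output of crypt(3), so nothing matches it
    return Account(login, state, aging, int(uid), shell or "/bin/sh")


def audit(passwd_text: str) -> dict:
    """Report accounts open to first-login takeover and guessable login IDs."""
    report = {"takeover_risk": [], "short_ids": [], "skipped": 0}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        acct = parse_entry(line)
        if acct is None:
            report["skipped"] += 1
            continue
        interactive = not acct.shell.endswith(NON_LOGIN_SHELLS)
        if acct.pw_state == "empty" and interactive:
            report["takeover_risk"].append(acct.login)
        if SHORT_LOWER_ID.match(acct.login) and acct.pw_state != "locked":
            report["short_ids"].append(acct.login)
    return report


def id_space(max_len: int = 5, alphabet: int = 26) -> int:
    """Number of possible login IDs of 1..max_len lower case letters."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD))
    print("possible login IDs:", id_space())
```

Every login in `takeover_risk` should be given a password or locked before the system accepts dialup or network logins.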

There are 3 privilege levels within BILLDATS:

1.       Administrator
2.       Operator
3.       UUCP

*   Administrator privs are basically root privs.
*   An account with Operator privs can still do about anything an Admin can do
   except make data base changes.
*   UUCP privs are the lowest and allow file transfer.


Just like SCCS, UNIX commands can be entered while using BILLDATS. The format

dallas>run-unx:$unix cmd;

All unix commands must be preceded by "run-unx:" and end with a semicolon ";".
The semicolon is the command terminator character (just like Carriage Return).

BILLDATS isn't exactly user friendly, but it does have on-line help. There are
a number of ways that it can be obtained:

dallas> help-?;  or  help-??;  or  ?-help;  or  ??-help;

If you want specific help:

dallas> help-(command name);

I can list commands forever, but between UNIX (commands every hacker should
be familiar with) and help (any moron can use it), you can figure out which
ones are important.

Error Messages

Just like SCCS, BILLDATS has some rather cryptic error messages. There are
thousands of error messages, but once you know a little about the format they
are easier to understand. When a mistake is made, something similar to
the following will appear:

UI0029      (attempted command) is not a valid input string.

 ^                   ^- error message information
 |--  This is the subsystem and error message number


The following is a brief description of subsystem abbreviations:

BD: BILLDATS system utilities. Errors associated with the use of utility
   programs will be displayed.
DB: Data Base manager. These messages are generated when accessing or
   attempting to access the various Data Bases (explained later) within
DM: Disk Manager. Basically, information pertaining to the system disk(s).
EA: Error and Alarm. As the name implies, system errors and alarms.
LH: Link Handler. Messages related to data link activity, either between
   BILLDATS and the AMAT or BILLDATS and the RAO/RPC.
SC: Scheduler. The scheduler is BILLDATS' version of the UNIX cron daemon.
   BILLDATS uses cron to schedule things like when to access remote systems.
TW: Tape Writer. Messages related to storing billing information on tapes
   which will then be transported to the RAO/RPC.
UI: User Interface. This was used in the above example. Displays syntax,
   range or status errors when entering commands.
DL: Direct Link. Instead of BILLDATS information being written to tape, a
   direct link to the RPC/RAO mainframe (the actual billing system computer)
   can be accomplished. This is usually done when BILLDATS is located far
   away from the RPC/RAO office as there is always some risk involved in
   transporting tapes, and that risk increases the farther away the two
   offices are. Another neat thing about Direct Link is that the billing data
   can be sent across a LAN (Local Area Network) also. Obviously this incurs
   some concerns regarding security, but from what I have heard and seen,
   AT&T and the BOC's typically choose to ignore the security of their
   systems which suits me just fine. The Direct Link is an optional BILLDATS
   feature and if it is in use, messages related to its operation are
   displayed with the DL prefix.
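
The prefix table above is enough to triage a captured session. The added example below (not part of the original text or of BILLDATS) parses the two-letter subsystem and message number and flags a port that produces a burst of UI errors, which is what an unfamiliar user typing at the prompt looks like. The timestamp and port columns, and every message other than the UI0029 wording, are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Subsystem prefixes as listed in the text above.
SUBSYSTEMS = {
    "BD": "BILLDATS system utilities", "DB": "Data Base manager",
    "DM": "Disk Manager", "EA": "Error and Alarm", "LH": "Link Handler",
    "SC": "Scheduler", "TW": "Tape Writer", "UI": "User Interface",
    "DL": "Direct Link",
}

# "UI0029      text": two-letter subsystem, four-digit number, padding, text.
MESSAGE = re.compile(r"^(?P<sub>[A-Z]{2})(?P<num>\d{4})\s+(?P<text>\S.*)$")
# Assumed capture format: "HH:MM:SS port message" (not from the original text).
CAPTURE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+(\S+)\s+(.*)$")

# Constructed session capture.
SAMPLE_LOG = """\
12:44:51 tty03 UI0029      who is not a valid input string.
12:44:58 tty03 UI0029      ls is not a valid input string.
12:45:10 tty03 UI0029      pwd is not a valid input string.
12:45:30 tty01 LH0112      constructed link handler message
12:50:00 tty01 UI0029      hlep-? is not a valid input string.
13:10:00 tty01 ZZ0001      constructed message with an unlisted prefix
a line that is not in the capture format
"""


def parse_message(raw):
    """Split one message into subsystem, number and text; None if malformed."""
    m = MESSAGE.match(raw.strip())
    if m is None:
        return None
    return {"subsystem": m["sub"],
            "name": SUBSYSTEMS.get(m["sub"], "unknown"),
            "number": int(m["num"]),
            "text": m["text"]}


def iter_messages(lines):
    """Yield (seconds_since_midnight, port, message) for each parsable line."""
    for line in lines:
        cap = CAPTURE.match(line)
        if cap is None:
            continue
        hh, mm, ss, port, body = cap.groups()
        msg = parse_message(body)
        if msg is not None:
            yield int(hh) * 3600 + int(mm) * 60 + int(ss), port, msg


def count_by_subsystem(lines):
    """Message volume per subsystem prefix, including unlisted prefixes."""
    return dict(Counter(msg["subsystem"] for _, _, msg in iter_messages(lines)))


def ui_error_bursts(lines, threshold=3, window_s=60):
    """Ports with at least `threshold` UI errors inside a sliding time window."""
    recent = defaultdict(list)
    flagged = []
    for t, port, msg in iter_messages(lines):
        if msg["subsystem"] != "UI":
            continue
        times = recent[port]
        times.append(t)
        while t - times[0] > window_s:   # drop errors older than the window
            times.pop(0)
        if len(times) >= threshold and port not in flagged:
            flagged.append(port)
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_by_subsystem(lines))
    print("ports with UI error bursts:", ui_error_bursts(lines))
```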


The databases contain all kinds of useful information such as usernames,
switch types, scheduled polling times, etc.

The AMAT Data Base contains:

*   Type of switch
*   Sensor type and identification
*   AMAT phone number
*   Channel and port number/group
*   Other boring information

The Port Data Base contains:

*   Communications information (like L-Dialers on UNIX Sys. V)
*   Channel and port information
*   Other boring information


The Collector Data Base contains:

*   Collector office ID
*   Version number of the Data Base
*   Number and speed of any remote terminals
*   When reports are scheduled for output
*   Other boring information


If you are not technically oriented, I hope this article helped you understand
how you get your bill. I assumed that you would skip over the commands for
using BILLDATS and similar information.

If you are technically oriented, I hope I not only helped you understand more
about the billing process, but also increased your awareness of how detailed
the whole process is. And if you do happen to stumble onto a BILLDATS system,
you have been pointed in the right direction as far as using it correctly is

I tried to leave out all the boring details, but some may have slipped by me.
I reserved the right to omit specific details and instructions regarding any
alteration or deletion of calls/charges for my own use/abuse.


                                  Chapter 12

                         Central Office Operations
                        Western Electric 1ESS,1AESS,
                     The end office network environment

    Topics covered in this article will be:

       Call tracing
       Input/output messages
       SCC and SCCS
       COSMOS and LMOS
       BLV, (REMOB) and "No test trunks"
       Recent change messages
       Equal Access

   Did I get your attention? Good, everyone should read this. With the time,
effort, and balls it has taken me to compile this knowledge it is certainly worth
your time. I hope you appreciate me taking the time to write this.

   I should point out that the information in this article is correct to the
best of my knowledge. I'm sure there are going to be people that disagree
with me on some of it, particularly the references to tracing. However, I
have been involved in telecommunications and computers for 12+ years.

   I'm basing this article around the 1AESS since it is the most common
switch in use today.


   This is the wiring between your telephone and the central office. That is
another topic in itself.

    ** CABLE VAULT **

    All of the cables from other offices and from subscribers enter the
central office underground. They enter into a room called the cable vault.
This is a room generally in the basement located at one end or another of the
building. The width of the room varies but runs the entire length of the
building. Outside cables appear through holes in the wall. The cables then run
up through holes in the ceiling to the frame room.


    Understand that each of these cables consists of an average of 3600 pairs
of wires. That's 3600 telephone lines. The number of cables obviously depends
on the size of the office. All cables (e.g. interoffice, local lines, fiber
optic, coaxial) enter through the cable vault.

    ** FRAME ROOM **

    The frame is where the cable separates into individual pairs and attaches
to connectors. The frame runs the length of the building, from floor to
ceiling. There are two sides to the frame, the horizontal side and the
vertical side. The vertical side is where the outside wiring attaches and the
protector fuses reside. The horizontal side is where the connectors to the
switching system reside. Multi-conductor cables run from the connectors to
actual switching equipment. So what we have is a large frame called the Main
Distribution Frame (MDF) running the entire length of the building. From floor
to ceiling it is 5 feet thick. The MDF consists of two sides, the VDF and the
HDF. Cables from outside connect on one side and cables from the switching
equipment connect to the other side and jumper wires connect the two. This way
any piece of equipment can be connected to any incoming "cable pair". These
jumper wires are simply 2 conductor twisted pair, running between the VDF and
the HDF.

    What does all this mean? Well if you had access to COSMOS you would see
information regarding cable and pair and "OE" (Office Equipment). With this
information you could find your line on the frame and on the switch. The VDF
side is clearly marked by cable and pair at the top of the frame, however the
HDF side is a little more complicated and varies in format from frame to frame
and from switch to switch. Since I am writing this article around the 1AESS,
I will describe the OE format used for that switch.



     A = Control Group (when more than one switch exists in that C.O.)
     B = LN  Line Link Network
     C = LS  Line Switching Frame
     D = CONC or CONCentrator
     E = Switch (individual, not the big one)
     F = Level


   There is one more frame designation called LOC or LOCation. This gives the
location of the connector block on the HDF side. Very simply, looking at the

H  ---------------------------------------------------------------------

G  ---------------------------------------------------------------------

F  ---------------------------------------------------------------------

E  ---------------------------------------------------------------------

D  ---------------------------------------------------------------------

C  ---------------------------------------------------------------------

B  ---------------------------------------------------------------------

A  ---------------------------------------------------------------------

  123456789 etc.

   Please note that what you are looking at here represents the HDF side of
the MDF, being up to 100 feet long, and 20 feet high. Each "-" represents a
connector block containing connections for 4 x 24 (which is 96) pairs.

   So far I've covered how the wires get from you to the switching
equipment. Now we get to the switching system itself.


   Writing an article that covers them all would be lengthy indeed. So I am
only going to list the major ones and a brief description of each.

   - Step by Step
     Strowger 1889
     First automatic, required no operators for local calls
     No custom calling or touch tone
     Manufactured by many different companies in different versions
     Hard wired routing instructions, could not choose an alternate route if
     programmed route was busy
     Each dial pulse tripped a "stepper" type relay to find its path

   - No.1 Crossbar 1930
   - No.5 Crossbar 1947 (faster, more capacity)
     Western Electric
     First ability to find idle trunks for call routing
     No custom calling, or equal access
     Utilized 10x20 cross point relay switches
     Hard wired common control logic for program control
     Also copied by other manufacturers


   - No.4 Crossbar
     Used as a toll switch for AT&T's long lines network
     4 wire tandem switching
     Not usually used for local loop switching

   - No.1ESS  1966
   - No.1AESS 1973
     Western Electric
     Described in detail later

   - No.1EAX
     GTE Automatic Electric
     GTE's version of the 1AESS
     Slower and louder

   - No.2ESS  1967
   - No.2BESS 1974
     Western Electric
     Analog switching under digital control
     Very similar to the No.1ESS and No.1AESS
     Downsized for smaller applications

   - No.3ESS
     Western Electric
     Analog switching under digital control
     Even smaller version of No.1AESS
     Rural applications for up to 4500 lines

   - No.2EAX
     GTE Automatic Electric
     Smaller version of 1EAX
     Analog switch under digital control

   - No.4ESS
     Western Electric
     Toll switch, 4 wire tandem
     Digital switching
     Uses the 1AESS processor

   - No.3EAX
     Gee is there a pattern here? No GTE
     Digital Toll switch
     4 wire tandem switching

   - No.5ESS
     AT&T Network Systems
     Full scale computerized digital switching
     ISDN compatibility
     Utilizes time sharing technology
     Toll or end office

   - DMS 100 Digital Matrix Switch
     Northern Telecom
     Similar to 5ESS
     Runs slower
     Considerably less expensive


   - DMS 200
     Toll and Access Tandem
     Optional operator services

   - DMS 250
     Toll switch designed for common carriers

   - DMS 300
     Toll switch for international gateways

   - No.5EAX
     GTE Automatic Electric
     Same as above

   How much does a switch cost? A fully equipped 5ESS for a 40,000
subscriber end office can cost well over 3 million dollars. Now you know why
your phone bill is so much. Well...maybe your parents' bill.

   ** The 1ESS and 1AESS **

   This was the first switch of its type put into widespread use by Bell.
Primarily an analog switch under digital control, the switch is no longer
being manufactured. The 1ESS has been replaced by the 5ESS and other full
scale digital switches, however, it is still by far the most common switch
used in today's Class 5 end offices.

   The #1 and 1A use a crosspoint matrix similar to the X-bar.  The primary
switch used in the matrix is the ferreed (remreed in the 1A).  It is a two
state magnetic alloy switch.  It is basically a magnetic switch that does not
require voltage to stay in its present position. A voltage is only required
to change the state of the switch.

  The No. 1 utilized a computer style, common control and memory.  Memory
used by the #1 changed with technology, but most have been upgraded to RAM.
Line scanners monitor the status of customer lines, crosspoint switches,
and all internal, outgoing, and incoming trunks, reporting their status to
the central control.  The central control then either calls upon program or
call store memories to choose which crosspoints to activate for processing the
call.  The crosspoint matrices are controlled via central pulse distributors
which in turn are controlled by the central control via data buses.  All of
the scanners, AMA tape controllers, pulse distro, x-point matrix, etc., listen
to data buses for their address and command or report their information on
the buses. The buses are merely cables connecting the different units to the
central control.


  The 1E was quickly replaced by the 1A due to advances in technology. So
1A's are more common, and many of the 1E's have been upgraded to a 1A.
This meant changing the ferreed to the remreed relay, adding additional
peripheral component controllers (to free up central controller load) and
implementation of the 1A processor.  The 1A processor replaced older style
electronics with integrated circuits.  Both switches operate similarly.
The primary differences were speed and capacity.  The #1ESS could process
110,000 calls per hour and serve 128,000 lines.

   Most of the major common control elements are either fully or partially
duplicated to ensure reliability. Systems run simultaneously and are checked
against each other for errors. When a problem occurs the system will double
check, reroute, or switch over to auxiliary to continue system operation.
Alarms are also reported to the maintenance console and are in turn printed
out on a printer near the control console.

   Operation of the switch is done through the Master Control Center (MCC)
panel and/or a terminal. Remote operation is also done through input/output
channels. These channels have different functions and therefore receive
different types of output messages and have different abilities as for what
type of commands they are allowed to issue. Here is a list of the commonly
used TTY channels.

  Maintenance     - Primary channel for testing, enable, disable etc.
  Recent Change   - Changes in class of service, calling features etc.
  Administrative  - Traffic information and control
  Supplementary   - Traffic information supplied to automatic network control
  SCC Maint.      - Switching Control Center interface
  Plant Serv.Cent.- Reports testing information to test facilities

   At the end of this article you will find a list of the most frequently
seen Maintenance channel output messages and a brief description of their
meaning. You will also find a list of frequently used input messages.

   There are other channels as well as back ups but the only ones to be
concerned with are Recent Change and SCC maint. These are the two channels
you will most likely want to get access to. The Maintenance channel doesn't
leave the C.O. and is used by switch engineers as the primary way of
controlling the switch. During off hours and weekends the control of the
switch is transferred to the SCC.

   The SCC is a centrally located bureau that has up to 16 switches
reporting to it via their SCC maint. channel. The SCC has a mini computer
running SCCS that watches the output of all these switches for trouble
conditions that require immediate attention. The SCC personnel then have the
ability to input messages to that particular switch to try and correct the
problem. If necessary, someone will be dispatched to the C.O. to correct the
problem. I should also mention that the SCC mini, SCCS has dialups and access
to SCCS means access to all the switches connected to it. The level of access
however, may be dependent upon the privileges of the account you are using.


   The Recent Change channels also connect to a centrally located bureau
referred to as the RCMAC. These bureaus are responsible for activating lines,
changing class of service etc. RCMAC has been automated to a large degree by
computer systems that log into COSMOS and look for pending orders. COSMOS is
basically an order placement and record keeping system for central office
equipment, but you should know that already, right? So this system, called
Work Manager running MIZAR logs into COSMOS, pulls orders requiring recent
change work, then in one batch several times a day, transmits the orders to
the appropriate switch via its Recent Change Channel.

   Testing of the switch is done by many different methods. Bell Labs has
developed a number of systems, many accomplishing the same functions. I will
only attempt to cover the ones I know fairly well.

   The primary testing system is the trunk test panels located at the switch
itself. There are three and they all pretty much do the same thing, which is
to test trunk and line paths through the switch.

        Trunk and Line Test Panel
        Supplementary Trunk Test Panel
        Manual Trunk Test Panel

    MLT (Mechanized Loop Testing) is another popular one. This system is
often available through the LMOS data base and can give very specific
measurements of line levels and losses. The "TV Mask" is also popular giving
the user the ability to monitor lines via a call back number.

   DAMT (Direct Access Mechanized Testing) is used by line repairmen to put
tone on numbers to help them find lines. This was previously done by Frame
personnel, so DAMT automated that task. DAMT can also monitor lines, but
unfortunately, the audio is scrambled in a manner that allows one only to tell
what type of signal is present on the line, or whether it is busy or not.

   All of these testing systems have one thing in common: they access the
line through a "No Test Trunk". This is a switch which can drop in on a
specific path or line and connect it to the testing device. It depends on
the device connected to the trunk, but there is usually a noticeable "click"
heard on the tested line when the No Test Trunk drops in. Also the testing
devices I have mentioned here will seize the line, busying it out. This will
present problems when trying to monitor calls, as you would need to drop in
during the call. The No Test Trunk is also the method in which operator
consoles perform verifications and interrupts.


   Calls coming into and leaving the switch are routed via trunks. The
switches select which trunk will route the call most effectively and then
retransmits the dialed number to the distant switch. There are several
different ways this is done. The two most common are Loop Signaling and CCIS,
Common Channel Interoffice Signaling. The predecessor to both of these is the
famous and almost extinct "SF Signaling". This utilized the presence of
2600Hz to indicate trunks in use. If one winks 2600Hz down one of these
trunks, the distant switch would think you hung up. Remove the 2600, and you
have control of the trunk and you could then MF a number. This worked great
for years. Assuming you had dialed a toll free number to begin with, there
was no billing generated at all. The 1AESS does have a program called SIGI
that looks for any 2600 winks after the original connection of a toll call.
It then proceeds to record on AMA and output any MF digits received.
However due to many long distance carriers using signaling that can generate
these messages it is often overlooked and "SIG IRR" output messages are quite

   Loop signaling still uses MF to transmit the called number to distant
switches, however, the polarity of the voltage on the trunk is reversed to
indicate trunk use.
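
The check attributed to SIGI above, spotting 2600Hz on a trunk after the call has connected, can be illustrated with a Goertzel single-frequency detector run over 10 ms frames. This is an added example, not the 1AESS program; the 8000 Hz sample rate, the thresholds and the test audio are constructed assumptions.

```python
import math

FS = 8000                      # assumed sample rate of a digitized voice channel
FRAME = 80                     # 10 ms frames; 2600 Hz fits exactly 26 cycles
FRAME_MS = 1000 * FRAME // FS
SF_HZ = 2600.0                 # the in-band supervision tone named in the text


def goertzel_power(samples, freq_hz, fs=FS):
    """Squared magnitude of one frequency component (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / fs)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone_ratio(frame, freq_hz=SF_HZ):
    """Share of the frame's energy at freq_hz: about 1.0 for a pure tone."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return 0.0             # silence: nothing to classify
    return 2.0 * goertzel_power(frame, freq_hz) / (len(frame) * energy)


def find_tone_bursts(samples, min_ms=30, ratio_threshold=0.8):
    """Return (start_ms, duration_ms) for each run of frames dominated by 2600 Hz.

    Requiring the tone to dominate the frame keeps speech that merely contains
    some 2600 Hz energy from being reported; min_ms drops single-frame blips.
    """
    bursts, run_start = [], None
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):          # the extra pass closes a trailing run
        is_tone = (i < n_frames and
                   tone_ratio(samples[i * FRAME:(i + 1) * FRAME]) >= ratio_threshold)
        if is_tone and run_start is None:
            run_start = i
        elif not is_tone and run_start is not None:
            duration = (i - run_start) * FRAME_MS
            if duration >= min_ms:
                bursts.append((run_start * FRAME_MS, duration))
            run_start = None
    return bursts


def segment(components, ms):
    """Constructed test audio: a sum of sines given as (frequency, amplitude)."""
    n = FS * ms // 1000
    return [sum(a * math.sin(2.0 * math.pi * f * i / FS) for f, a in components)
            for i in range(n)]


def constructed_call_audio():
    """470 ms of post-answer audio with one reportable burst (constructed)."""
    voice = [(400.0, 0.5), (1000.0, 0.5)]          # stand-in for speech
    return (segment(voice, 200)
            + segment([(SF_HZ, 0.7)], 60)           # burst that should be reported
            + segment(voice, 100)
            + segment([(SF_HZ, 0.7)], 10)           # shorter than min_ms: ignored
            + segment(voice + [(SF_HZ, 0.1)], 100)) # weak tone under speech: ignored


if __name__ == "__main__":
    for start, duration in find_tone_bursts(constructed_call_audio()):
        print(f"2600 Hz burst at {start} ms lasting {duration} ms")
```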

   CCIS, sometimes referred to as CCS#6, uses a separate data link sending
packets of data containing information regarding outgoing calls. The distant
switch monitors the information and connects the correct trunk to the correct
path. This is a faster and more efficient way of call processing and is being
implemented everywhere. The protocol that AT&T uses is CCS7 and is currently
being accepted as the industry standard. CCS6 and CCS7 are somewhat similar.

   Interoffice trunks are multiplexed together onto one pair. The standard
is 24 channels per pair. This is called T-1 in its analog format and D-1
in its digital format. This is often referred to as carrier or CXR. The terms
frame error and phase jitter are part of this technology which is often a
world in itself. This type of transmission is effective for only a few miles
on twisted pair. It is often common to see interoffice repeaters in manholes
or special huts. Repeaters can also be found within C.O.s, amplifying trunks
between offices. This equipment is usually handled by the "carrier" room,
often located on another floor. Carrier also handles special circuits, private
lines, and foreign exchange circuits.

    After a call reaches a Toll Switch, the transmit and receive paths of
the calling and called party are separated and transmitted on separate
channels. This allows better transmission results and allows more calls to
be placed on any given trunk. This is referred to as 4 wire switching. This
also explains why during a call, one person can hear crosstalk and the other
cannot. Crosstalk will bleed over from other channels onto the multiplexed
T-Carrier transmission lines used between switches.


    So with the Loop Signaling standard format there is no information being
transmitted regarding the calling number between switches. This therefore
causes the call tracing routine to be at least a two step process. This is
assuming that you are trying to trace an anticipated call, not one in
progress. When call trace "CLID" is placed on a number, a message is output
every time someone calls that number. The message shows up on most of the ESS
output channels and gives information regarding the time and the number of the
incoming trunk group. If the call came from within that office, then the
calling number is printed in the message. Once the trunk group is known, it
can usually be determined what C.O. the calls are coming from. This is also
assuming that the calls are coming from within that Bell company and not
through a long distance carrier (IEC). So if Bell knows what C.O. the calls
are coming from, they simply put the called number on the C.I. list of that
C.O. Anytime anyone in that C.O. calls the number in question another message
is generated showing all the pertinent information.

   Now if this were a real time trace it would only require the assistance
of the SCC and a few commands sent to the appropriate switches (i.e.
NET-LINE). This would give them the path and trunk group numbers of the call
in progress. Naturally the more things the call is going through, the more
people that will need to be involved in the trace. There seems to be a common
misconception about the ability to trace a call through some of the larger
packet networks i.e. Telenet and TYMNET. Well I can assure you, they can
track a call through their network in seconds (assuming multiple systems
and/or network gateways are not used) and then all that is needed is the
cooperation of the Bell companies. Call tracing in itself is not that
difficult these days. What is difficult is getting the different organizations
together to cooperate. You have to be doing something relatively serious to
warrant tracing in most cases, however, not always. So if tracing is a
concern, I would recommend using as many different companies at one time as
you think is necessary, especially US Sprint, since they can't even bill
people on time much less trace a call. But...it is not recommended to call
Sprint direct, more on that in the Equal Access section.


   The first thing you need to understand is that every IEC Inter Exchange
Carrier (long distance company) needs to have an agreement with every LEC
Local Exchange Carrier (your local phone company) that they want to have
access to and from. They have to pay the LEC for the type of service they
receive and the number of trunks, and trunk use. The cost is high and the
market is a zoo. The LECs have the following options:

    - Feature Group A -

   This was the first access form offered to the IECs by the LECs. Basically
whenever you access an IEC by dialing a regular 7 digit number (POTS line)
this is FGA. The IECs' equipment would answer the line and interpret your
digits and route your call over their own network. Then they would pick up an
outgoing telephone line in the city you were calling and dial your number
locally. Basically a dial in, dial out situation similar to Telenet's
PC pursuit service.


    - Feature Group B -

    FGB is 950-xxxx. This is a very different setup from FGA. When you dial
950, your local switch routes the call to the closest Access Tandem (AT) (Toll
Switch) in your area. There the IECs have direct trunks connected between the
AT and their equipment. These trunks usually use a form of multiplexing like
T-1 carrier with wink start (2600Hz). On the incoming side, calls coming in
from the IEC are basically connected the same way. The IEC MFs into the AT
and the AT then connects the calls. There are many different ways FGB is
technically setup, but this is the most common.

    Tracing on 950 calls has been an area of controversy and I would like to
clear it up. The answer is yes, it is possible. But like I mentioned earlier,
it would take considerable manpower, which makes it expensive to do. It
also really depends on how the IEC interface is set up. Many IECs have
trunks going directly to Class 5 end offices. So, if you are using a small
IEC, and they figure out what C.O. you are calling from, it wouldn't be out
of the question to put CLID on the 950 number. This is highly unlikely and I
have not heard from reliable sources of it ever being done. Remember, CLID
generates a message every time a call is placed to that number. Excessive
call trace messages can crash a switch. However, I should mention that brute
force hacking of 950s is easily detected and relatively easy to trace. If the
IEC is really having a problem in a particular area they will pursue it.

    - Feature Group C -

    FGC is reserved for and used exclusively by AT&T.

    - Feature Group D -
    FGD is similar to FGB with the exception that ANI is MF'ed to the IEC.
The end office switch must have Equal Access capability in order to transmit
the ANI. Anything above a X-bar can have it. FGD can only be implemented on
800 numbers and if an IEC wants it, they have to buy the whole prefix. For a
list of FGD prefixes see 2600 Magazine. You should also be aware that MCI,
Sprint, and AT&T are offering a service where they will transmit the ANI to
the customer as well. You will find this being used as a security or
marketing tool by an increasing number of companies. A good example would be


The following is a compiled list of common switch messages. The list was
compiled from various reference materials that I have at my disposal.


                    1AESS COMMON OUTPUT MESSAGES

   ** ALARM **

AR01  Office alarm
AR02  Alarm retired or transferred
AR03  Fuse blown
AR04  Unknown alarm scan point activated
AR05  Commercial power failure
AR06  Switchroom alarm via alarm grid
AR07  Power plant alarm
AR08  Alarm circuit battery loss
AR09  AMA bus fuse blown
AR10  Alarm configuration has been changed (retired, inhibited)
AR11  Power converter trouble
AR13  Carrier group alarm
AR15  Hourly report on building and power alarms

AT01  Results of trunk test

     ** CARRIER GROUP **
CG01  Carrier group in alarm
CG03  Reason for above

     ** COIN PHONE **
CN02  List of pay phones with coin disposal problems
CN03  Possible Trouble
CN04  Phone taken out of restored service because of possible coin fraud

     ** COPY **
COPY  Data copied from one address to another

     ** CALL TRACE **
CT01  Manually requested trace line to line, information follows
CT02  Manually requested trace line to trunk, information follows
CT03  Intraoffice call placed to a number with CLID
CT04  Interoffice call placed to a number with CLID
CT05  Call placed to number on the CI list
CT06  Contents of the CI list
CT07  ACD related trace
CT08  ACD related trace
CT09  ACD related trace

DCT COUNTS Count of T carrier errors

DGN   Memory failure in cs/ps diagnostic program

FM01  DCT alarm activated or retired
FM02  Possible failure of entire bank not just frame
FM03  Error rate of specified digroup
FM04  Digroup out of frame more than indicated
FM05  Operation or release of the loop terminal relay
FM06  Result of digroup circuit diagnostics
FM07  Carrier group alarm status of specific group
FM08  Carrier group alarm count for digroup
FM09  Hourly report of carrier group alarms
FM10  Public switched digital capacity failure
FM11  PUC counts of carrier group errors

     ** MAINTENANCE **
MA02  Status requested, print out of MACII scratch pad
MA03  Hourly report of system circuits and units in trouble
MA04  Reports condition of system
MA05  Maintenance interrupt count for last hour
MA06  Scanners, network and signal distributors in trouble
MA07  Successful switch of duplicated unit (program store etc.)
MA08  Excessive error rate of named unit
MA09  Power should not be removed from named unit
MA10  OK to remove paper
MA11  Power manually removed from unit
MA12  Power restored to unit
MA13  Indicates central control active
MA15  Hourly report of # of times interrupt recovery program acted
MA17  Centrex data link power removed
MA21  Reports action taken on MAC-REX command
MA23  4 minute report, emergency action phase triggers are inhibited

     ** MEMORY **
MN02  List of circuits in trouble in memory

NT01  Network frame unable to switch off line after fault detection
NT02  Network path trouble Trunk to Line
NT03  Network path trouble Line to Line
NT04  Network path trouble Trunk to Trunk
NT06  Hourly report of network frames made busy
NT10  Network path failed to restore

OP:CISRC     Source of critical alarm, automatic every 15 minutes
OP:CSSTATUS  Call store status
OP:DUSTATUS  Data unit status
OP:ERAPDATA  Error analysis database output
OP:INHINT    Hourly report of inhibited devices
OP:LIBSTAT   List of active library programs
OP:OOSUNITS  Units out of service
OP:PSSTATUS  Program store status

PM01  Daily report
PM02  Monthly report
PM03  Response to a request for a specific section of report
PM04  Daily summary of IC/IEC irregularities

     ** REPORT **
REPT:ADS FUNCTION  Reports that an ADS function is about to occur
REPT:ADS FUNCTION SIMPLEX Only one tape drive is assigned
REPT:LINE TRBL Too many permanent off hooks, may indicate bad cable
REPT:PROG CONT OFF-NORMAL System programs that are off or on
REPT:RC CENSUS Hourly report on recent changes
REPT:RC SOURCE Recent change system status (RCS=1 means RC Channel inhibited)

     ** RECENT CHANGE **
RC18  RC message response

     ** REMOVE **
RMV   Removed from service

     ** RESTORE **
RST   Restored to service status

RT04  Status of monitors

SA01  Call store memory audit results
SA03  Call store memory audit results

SIG IRR  Blue box detection
SIG IRR TRAF  Half hour report of traffic data

TC15  Reports overall traffic condition
TL02  Reason test position test was denied
TL03  Same as above

     ** TRUNK NETWORK **
TN01  Trunk diagnostic found trouble
TN02  Dial tone delay alarm failure
TN04  Trunk diag request from test panel
TN05  Trunk test procedural report or denials
TN06  Trunk state change
TN07  Response to a trunk type and status request
TN08  Failed incoming or outgoing call
TN09  Network relay failures
TN10  Response to TRK-LIST input, usually a request from test position
TN11  Hourly, status of trunk undergoing tests
TN16  Daily summary of precut trunk groups

TOC01 Serious traffic condition
TOC02 Reports status of less serious overload conditions

     ** TRANSLATION **  (shows class of service, calling features etc.)
TR01  Translation information, response to VFY-DN
TR03  Translation information, response to VFY-LEN
TR75  Translation information, response to VF:DNSVY
     **             **
TW02  Dump of octal contents of memory

                   1AESS COMMON INPUT MESSAGES

Messages always terminate with ". ctrl d "      x=number or trunk network #

MSG.                   DESCRIPTION
NET-LINE-xxxxxxx0000   Trace of path through switch
NET-TNN-xxxxxx         Same as above for trunk trace
T-DN-MBxxxxxxx         Makes a # busy
TR-DEACTT-26xxxxxxx    Deactivates call forwarding
VFY-DNxxxxxxx          Displays class of service, calling features etc.
VFY-LENxxxxxxxx        Same as above for OE
VFY-LIST-09 xxxxxxx    Displays speed calling 8 list


   There are many things I didn't cover in this article and many of the
things I covered, I did so very briefly. My intention was to write an article
that explains the big picture, how everything fits together. I hope I helped.

   Special thanks to all the stupid people, for without them some of us
wouldn't be so smart and might have to work for a living. Also all the usual
Bell Labs, AT&T bla bla bla etc. etc.

   I can usually be reached on any respectable board, ha!

                                  Chapter 13

                        The personal Thanx to authors!

Atlantis board, Metal Shop private board, Digital Logic board, Taran King,
      Hell Phrozen Over board, Mark Tabas, The Videosmith, Lex Luthor,
         The Marauder, Jester Sluggo, Phucked Agent 04, Gary Seven,
                            Rogue Fed and others.

            Well, this is just a page to protect the other pages.
                        I hope you enjoyed the book!
