*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

          -=[SD]=- Sepulchral Darkness -=[SD]=- presents :

                ****************************
                * British Exchange Hacking *
                ****************************

  (A referential guide to The System X Switch, and its control processes)

                Brought to you by : ---=[AZTECH]=---

                Sepulchral Darkness '95
                All Rights Worth Shit

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

For those of you who, like me, live in the UK and are jerked off with the constant stream of BT propaganda on the TV, read on. Even if you aren't from the UK, read anyway, as you probably won't see this anywhere else in its current form.

First, a general synopsis. There are generally four types of British telephone exchange: TXE4, TXE2, UXD5B and Y types. (I actually did some proper research instead of guesswork: the UXD5B is digital, while the TXE2 and TXE4 are electronic but analogue, switching through banks of reed relays under electronic control.)

UXD5B handles 600 lines, with a general excess of unused numbers within the 000-200 and 600-800 ranges. The last 200 lines do not all exist at the same time: remember, we are dealing with only 600 working lines. These are just reserved as CRC lines or spare lines.

The UXD5B exchange is a quirky piece of telephony, and I have been hard pushed to classify it exactly. When pulse dialling, loud, and I mean LOUD, clicks and whirrs can be heard emanating from the exchange circuitry, which would normally indicate an analogue (bleeuurgh) exchange. However, when tone dialling with generic DTMF, call handling is top speed. It also handles high data transfer speeds (up to 14,400 and above). This was later cleared up when a visit was paid to one of these exchanges, and it could be seen that a central server was running banks of analogue reed-relay switches.
BUT!! Up until three or four months ago, third-party phone calls were possible, with a sectional ID the best the operator could do to pin you down to any one number. A classic example of this brilliant little phry-um was demonstrated to its conclusion when some unwitting dork in my school had to shell out for a £750 bill, purely because every time the op asked for my number, his would take its place, and thus become the billing number. BT knew what was happening, but were powerless to stop me. How could they possibly pinpoint someone without an exact number?

UXD5B exchanges tend to crop up in rural or country areas, where expected throughput is low but the capability is provided for expansion. With an estimated throughput of 60 calls at any one time, you can see that it doesn't really have its work cut out for it. So really, when in control, you can do anything you want. TCing doesn't work particularly well though, as TCing between TXE4/2s and UXD5Bs causes a lot of extraneous noise and shit. I've never really understood why this is, but if anyone has an explanation, please get in touch.

Line noise is another thing to deal with. You may sometimes hear a loud electrical hum, like when you put a transformer next to your ear. If this has happened, you have been unlucky enough to be put through a switching bank in close proximity to the backup generator within the exchange itself. Voice is OK, but crackly, and data is out of the question. Monitored lines are easy to detect, however, with an occasional soft click every 30-40 seconds and the minimum of white noise in the background.

Myself and Falconet had a rather drawn-out discussion one day as to what system the exchange was running, and eventually decided that it utilises some very nifty switching gear to handle both pulse and tone and keep traffic at an optimum level. Nearly all your standard boxes (blue, silver, white, etc.) work fine, with the exception of the green and red boxes. Because the British phone company
utilises different voltages to the US (the US line feed is a nominal -48 V on the ring with the tip at ground, whereas BT lines sit at a nominal -50 V), you may run into problems when ripping off payphones, coupled with the fact that British payphones are a nightmare of aluminium and wires. For the more aurally challenged out there, another reason for their non-functioning is the different tone sets used to signify coin tolling, grounding, etc. I will go into the enigma that is the phonebox in another tutorial or file, and possibly include some old phreaks and diagrams.

Meanwhile, back to the UXD5B. Each system is individually commissioned at various points, so not a lot of systems tend to run the same software version. The one next to my old house (which was a favourite trashing spot for MONTHS!! Thanks BT!) always turned up the goods as far as test listings, terminating circuit records and all that other stuff goes.

To initially gain access, you must first find a service access number or MMI dialup, taking you onto the internal call handler circuitry. These can be found by scanning the 'blank' number ranges in your exchange, or just through plain trashing. Scanning these types of exchanges enables you to listen and probe while looking, i.e. enter the desired number one digit at a time, slowly. If you get a no carrier after entering a specific value, then increment or decrement the value until you have a clear path. Feel free to pay a visit to the exchange in this file, as I will give away a few dialups and access numbers (if you get in touch).

When logging in, you are presented with the legend:

   UXD5B - A 600 line Local Exchange
   Software Copyright - British Telecom 1993
   SOFTWARE RELEASE 3CO.01
   EXCHANGE IDENTITY : 069072   (or whatever the local code happens to be)
   TIME     DATE
   XXXX     XXXX
   ENTER DESTINATION:>

This is either when the shit hits the fan or the fun starts. You can now try the age-old 'HELP' command, but what would a BT software engineer be doing asking for help immediately after logging on?
Also bear in mind that a strict system log is kept, so just use your common sense, and don't start to allocate yourself unbilled numbers, OK?

Now the fun begins. From here you can do anything you want really, because you are now in complete control of 600 lines, including test lines. Enter your destination. This takes the syntax of:

   > CPU#*# X;

where # indicates a letter and * indicates an integer. Some CPUs are:

   CPUA1A B;
   CPUA1X B;
   CPUA1Y B;
   CASX B;      (Charge Data and Batch Meter Tolling CPU)

Shortened ones are used, but all use the initial format of CPU#*# (the final string is just a path specifier).

After messing about with destinations and paths for a while, you are asked for an OSL, or user ID. This is really easy. All this is is just the fieldsman or engineer division for that particular area, some of which I will try to provide at the end of this file. These take the format of ###*** (same key as above), e.g. BDG567. A status check will then show up your access level. (For more info on OSL systems, check out Evil Jay's article for Phrack on OSLs.)

   OSL PLEASE ?BDG567
   USER NO.8 LEVEL 5
   ?

From here, you can check up on every line available to you. Some examples of the facilities provided are tagging for junction boxes to monitor routing, call trace (it -works-: trust me), batch meter monitoring, call diagnostics, memory to hex value field conversion, individual line priority, and disabling all special customer facilities (e.g. call waiting, caller ID, etc.).

But first, those all-important commands:

CPU#*#
   Jumps to a predetermined switching bank and its concerned processor. (See above.)

LENC XX or LDNC XX
   (List Equipment Number Calls / List Directory Number Calls.) Shows all operative call trace diagnostics for equipment number XX. This then shows the particular directory number, along with the type of call, be it basic, operator, etc. Port type is also specified, e.g. Ordinary Subscriber, Outgoing/Incoming Junction.
   Status is also indicated: Active indicates an off-hook number, Parked an on-hook number, and Inactive a free line. The date and time of the trace are also shown.

      DNCD  = Directory Number Called
      DNCG  = Directory Number Calling
      ENCD  = Equipment Number Called
      ENCG  = Equipment Number Calling
      CRN   = Call Return Number
      CRA   = Call Return Address (hex)
      O/G   = Outgoing Junction
      I/C   = Incoming Junction
      OGMHJ = Outgoing Multiple Handler Junction
      O/GSJ = Outgoing Sub Junction

LSBA (6-digit number)
   (List Subscriber Access.) This will bring up a display of all current status on the number you entered after the command. Data shown includes port type, functional class of service and preferential category. Class of service indicates the signalling method employed by that customer (loop disconnect, DTMF, telex, earth breaking, etc.) and any additions to the POTS line such as call waiting. This menu also provides the facility to bar certain switching routes to that number, administer or subtract privileges and special facilities, and null their DN (directory number, for the abbreviatically challenged).
   NB: When barring switching routes, a password option is added to prevent unrestricted reconnection. In this case, it is usually a four-figure PIN which only the system manager sees.
   Also provided are any auxiliary numbers available for that pair, and its EN (vital if you want to come back to that particular number in a hurry). It will also display a called number if the search is made at the time of dialling. After the LSBA command has been implemented, you can sign onto the CASS CPU to list all specific charge data for that number.

END
   Close CPU access at any point, taking you back to the DESTINATION:> prompt.
   NB: Phucking up at any point will present the message

      MMI ACCESS TERMINATED 703 703 703 etc.

   Don't worry, it's just an error in your input. Dial in again, and try to be more careful.
   You may, however, sometimes see this happen after a set period of time, in which case you will need to change your time allocation, or just access the system again.

RSBA
   (Routing Subscriber Access.) A cut-down version of LSBA; this displays only set route barring, port type, class of service and preferential category.

VDB
   (View Database.) Runs a diagnostic on the routine PROMs within each bank, relative to where you are currently situated, e.g.

      DATABASE PROMS 25 BYTES DIFFER

   indicates a differential of approx. 25 bytes.

CASX #;
   Switches to a specified toll meter, #. From here you are asked for an OSL. Just type a semicolon. This is what the CASS CPU is, and from here any billing info you could care to glean is yours for the taking.

LISBB XXX
   Where XXX is the last three digits of the number. Displays bulk meter numbers and pay line status along with the directory number, in the format:

      DN        BULK_METER
      XXXXXX    00-066789

   Remember the bulk meter number if you wish to deactivate the tolling mechanism for your line. Knowing more about AT&T's old billing methods will work wonders here, e.g. batch metering and even individual line metering for smaller exchanges.
   NB: The command LISBB; is a wildcard, and will list all active and parked DNs along with their bulk meter number. Bulk meter status can be increased in proportion to the cost of each call, allowing you to get one over your enemies as never before. It also provides a handy no-scan list for your local area.
   NB: You MUST be logged onto the charge data CPU for this command to work.

LMEM (#x#x#x#x)
   Show memory contents of address #x#x#x#x, either in a table or by specifying each individual address and its hex contents in full, with the range being specified by #x#x#x#x.

;
   Not sure: possibly another wildcard for use with LISBB, but I couldn't determine any parameters for it.
   (Errata: The command ; skips through the OSL requester and into the command line, giving:

      USER No.3 ACCESS LEVEL 3

   leading me to believe that this is a default password for test and system engineers. How dumb can BT get?)

LFHO
   Lists recent faults in exchange history. Nothing too exciting, but I will give away a list of error codes so you can figure out for yourself what's going on. These include attention required for a particular fault and the date it first occurred, as well as fault parameters and addresses.

EDT XX XXX X
   Edit fault code and parameters shown by SFCD (XX and XXX being the fault code and parameter respectively, and X being the relevant test to pinpoint exact problems).

SFCD X
   Sort a particular fault record of value X in the fault field provided by LFHO.

NSS
   Provides the subscriber number or DN of the caller in the current switching bank.

LPG X (where X is an integer)
   My personal favourite. This lists the numbers of every phone within the specified local exchange, from 000-600, categorising them into:

      1 = Ordinary Customers
      2 = Shared Service Customers
      3 = Earth Calling Customers
      4 = Coin Box Customers
      5 = Incoming Junction Equipment Numbers
      6 = Outgoing Junction Equipment Numbers
      7 = Bothway Junction Equipment Numbers
      8 = Alarm Extension Junction Numbers
      0 = List all the above categories

   Needless to say, if you are trying to pinpoint a specific customer within that area, this provides an invaluable starting point.

CD
   Jump back to the DESTINATION:> prompt.

LOCAL TEST ACCESS
   Hmmmm. Complicated. It's probably better if I explain this in depth. After this request, a system alert will appear, in the form of:

      DO YOU WISH TO SET UP A SPEECH PATH Y/N?

   Upon typing yes, you will then be asked for this:

      ENTER ACCESS GROUP + LAST 6 DIGITS OF NAT. No

   and then

      ENTER D OR E

   Enter your directory or equipment number.
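The ';' shortcut above is a default credential on the OSL prompt, and the OSL format given earlier (###***, e.g. BDG567) is the only other check the requester appears to apply. The Python below is an added example, not part of this file and not BT's software: it models the 'OSL PLEASE ?' prompt twice, once reproducing the shortcut as reported (a bare ';' yields USER No.3 ACCESS LEVEL 3, and a known OSL is accepted on its own), and once hardened so that the shortcut is gone, the OSL must match the documented form, a password is required and compared in constant time, repeated failures lock the OSL, and every attempt lands in an audit log of the kind the file says the exchange keeps. The credential table, the PBKDF2 password hashing, the five-failure lockout threshold and the audit record layout are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# OSL identifiers in this file are three letters followed by three digits (e.g. BDG567).
OSL_RE = re.compile(r"^[A-Z]{3}[0-9]{3}$")
MAX_FAILURES = 5  # assumed lockout threshold, not a documented BT value


@dataclass(frozen=True)
class Session:
    user_no: int
    level: int


class WeakOslPrompt:
    """Models the behaviour the file reports: a bare ';' at 'OSL PLEASE ?'
    skips the requester and yields USER No.3 ACCESS LEVEL 3, and a known
    OSL is accepted on its own with no password at all."""

    DEFAULT = Session(3, 3)

    def __init__(self, osl_table):
        self.osl_table = osl_table  # osl -> Session; constructed for the example

    def login(self, osl):
        if osl.strip() == ";":
            return self.DEFAULT
        return self.osl_table.get(osl.strip().upper())


def _kdf(password, salt):
    # Salted password hash; PBKDF2 parameters are illustrative, not BT's.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HardenedOslPrompt:
    """Same prompt with the shortcut removed: no default identity, the OSL
    must match the ###*** form, a password is required and checked in
    constant time, repeated failures lock the OSL, and every attempt is
    recorded in an audit trail."""

    def __init__(self):
        self.creds = {}     # osl -> (salt, expected hash, Session)
        self.failures = {}  # osl -> consecutive failed attempts
        self.audit = []     # (osl, outcome) tuples, oldest first

    def enrol(self, osl, password, session):
        if not OSL_RE.fullmatch(osl):
            raise ValueError("OSL must be three letters then three digits")
        salt = os.urandom(16)
        self.creds[osl] = (salt, _kdf(password, salt), session)

    def login(self, osl, password):
        osl = osl.strip().upper()
        if not OSL_RE.fullmatch(osl):  # ';' and other junk stop here
            self.audit.append((osl, "REJECTED malformed OSL"))
            return None
        if self.failures.get(osl, 0) >= MAX_FAILURES:
            self.audit.append((osl, "REJECTED locked"))
            return None
        rec = self.creds.get(osl)
        if rec is None:
            self.audit.append((osl, "REJECTED unknown OSL"))
            return None
        salt, expected, session = rec
        if not hmac.compare_digest(_kdf(password, salt), expected):
            self.failures[osl] = self.failures.get(osl, 0) + 1
            self.audit.append((osl, "REJECTED bad password"))
            return None
        self.failures[osl] = 0
        self.audit.append((osl, f"OK user {session.user_no} level {session.level}"))
        return session


if __name__ == "__main__":
    weak = WeakOslPrompt({"BDG567": Session(8, 5)})
    print("weak ';' ->", weak.login(";"))
    hard = HardenedOslPrompt()
    hard.enrol("BDG567", "correct horse", Session(8, 5))
    print("hardened ';' ->", hard.login(";", ""))
    print("hardened BDG567 ->", hard.login("BDG567", "correct horse"))
    print(hard.audit)
```

The point of the pairing is that the weak model has no notion of "who is on the line" beyond the OSL string itself, so the ';' path and the plain OSL path are indistinguishable from a legitimate engineer in the log. The hardened model refuses anything that is not a well-formed OSL before touching the credential store, which is also where a real implementation would rate-limit the dial-in port.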
   This allows you to run a test on a line with either ENs or DNs. Now type in your directory number, and this should happen:

      SHITSVILLE ACCESSING XX
      DIAGNOSTIC TEST IN PROCESS

   where XX is the full national number of your test line. If the scanner finds no faults, it will come back with the message:

      LINE TESTS OK
      REPEAT TEST Y/N?

   Replying yes requires you to provide a test number, some of which I will provide at the end of this file. Now you should see:

      ENTER TEST CODE

   (enter your code, remembering there is no echo to the screen; see above for valid codes), followed by:

      DIAGNOSTIC TEST IN PROGRESS

   and so on. The real strength of this command is that if it finds a supplementary or auxiliary line sharing the same wire pair as your test number, it will immediately inform you so, give its number, and offer the option to switch to the supplementary directory number. Hey presto, your very own private line!! You can also listen in on phone conversations while the tester is scanning your test line. Sometimes the tester may come back with:

      LINE TEST OK
      REPEAT TEST Y/N?

   Don't worry about this, because soooooo many different messages can manifest themselves after this test.

LGM XX
   (List Group Member.) Lists O/G junction group XX with member number and equipment number beside each.

LDUA X (usually 0)
   Heaven. This command lists dial-up access numbers, exchange test directory numbers, part-time private circuit directory numbers, MAC test directory numbers, routiner access directory numbers, test desk access numbers and MMI access numbers!!! There's just one snag: you need to find an MMI dialup yourself initially.

LSPMDN;
   Unsure; the server would not allow execution of the command.

EVLN DH
   Unsure, but this could possibly give an EN for any specific DN, and vice versa.

As far as I can ascertain, that's all the commands there are worth knowing about, but if any more crop up, I'll post them in any revisions I release.
As far as compatibility between exchanges goes, any command that works on UXD5B will work on TXE4/2, and vice versa. The only difference is the call handling capacity (2000 for TXE2, 4000 for TXE4, 600 max for UXD5B). General syntax is strange, with the only string error code being REJECTED. When in diagnostics a lot of info is presented in hex form, such as billing return address and time slot. Use your common sense as to which should be changed into decimal and what should stay as hex.

DIALUPS
-------

+-----------------------+-----------------------------------+
| Dialup Access Numbers | Exchange Test Directory Numbers   |
|-----------------------|-----------------------------------|
| XXXX-XX0-794          | XXXX-XX0-299                      |
| XXXX-XX0-791          |                                   |
| XXXX-XX0-792          |                                   |
| XXXX-XX0-793          |                                   |
|-----------------------|-----------------------------------|
| MMI user numbers      | MAC Test Numbers                  |
|-----------------------|-----------------------------------|
| XXXX-XX0-780          | XXXX-XX0-370                      |
| XXXX-XX0-781          |-----------------------------------|
| XXXX-XX0-782          | Routiner Answer Relay Set         |
| XXXX-XX0-783          | (Routiner Access) Number          |
| XXXX-XX0-784          |-----------------------------------|
| XXXX-XX0-785          | XXXX-XX0-720                      |
| XXXX-XX0-786          |                                   |
| XXXX-XX0-787          |                                   |
| XXXX-XX0-788          |                                   |
| XXXX-XX0-789          |                                   |
+-----------------------+-----------------------------------+

The Xs indicate directory number digits, and UXD5Bs can be found by the very pattern shown in the above numbers, i.e. four digits, two digits, a zero, then the test or access number. The access number for -all- UXD units is 721, regardless of where it is located.
ABOUT TXE4/2
------------

Much of what is laid out in the above passage holds true for TXE4/2, except their applications in the field. TXE4 is used in large cities in conjunction with TXE2 to provide an efficient but cost-effective network, i.e. where an exchange is situated will govern the number of lines it handles. Distinct patterns can be noticed as the system flows toward the suburbs, of gradually less powerful exchanges more widely spaced. Use this to your advantage by first hacking a UXD5B, then jumping to the next more powerful one as an established user, which looks a lot less suspicious than getting straight in on a TXE4 and not having a scooby what's going on.

NB: My research has shown that TXE4/2 exchanges DO NOT use the same standard test and data access numbers as UXDs. TXEs terminate in four, or even five, digit numbers, so the scan range is increased somewhat.

That's about all I can hope to say about the internals of each one, but I will provide details of how to bust in on them and their buildings in another file.

If you wish to contact me to obtain some dial-ups for this system, then mail me somewhere out there. Make sure you have a GOOD reason for needing these numbers, as I'm not going to give them up without a lot of abuse.

---=[AZTECH]=---