ITS Prison Phones

by ElecRage

I'm currently serving time in a Tennessee prison, and have spent a considerable amount of time trying to beat the Inmate Telephone System (ITS).

I don't know of anyone who has ever found a way to do it.  I know that some other states use this system, so if anyone has anything to add to what follows, the info would be greatly appreciated.

What I Know So Far

The ITS consists of four main subsystems: inmate telephones, Trunk Management Units (TMUs), a CPU (containing the ITS database), and terminals.

How does it work?

The inmate dials a phone number and his/her 8-digit Personal Access Code (PAC).

The TMU sends the site code, trunk, phone number, and PAC to the CPU at Inmate Network Control.  The CPU (using the Enforcer database) checks a range of control parameters.  If all checks out okay, the CPU notifies the TMU at the site that it's okay to connect the call to the LocTel phone lines (formerly Telco) which are managed by Opus Telecom.

The TMU is the physical interface between the inmate phones and the outside telephone network.  Each TMU supports seven phones (max), and they communicate with the CPU via synchronous and asynchronous data and voice lines to the Inmate Network Control on a T1 (I think).

The CPU is an Intel 486-based NCR 3550 super-mini-computer operating at 50 MHz.  It has two routers with one Ethernet and 16 synchronous connections each.

Remote terminals at each prison are also connected to the CPU through high-speed connections.  The CPU is accessed through a console connected to a VGA card in the CPU.  Additional terminals are connected through RS-232 ports locally or remotely by high-speed links.

The ITS software is firmware in the TMUs or in files on the CPU's hard disk.  The software resident on the CPU runs under UNIX System V 4.2, but users only interact with the Oracle Relation Database (unless you have programmer rights on the system).

The system controls everything as soon as the phone goes off hook.  When an inmate enters a phone number and their 8-digit access code, the TMU sends the request to the CPU which looks up the inmate's account to decide if the call is authorized.  The RDBMS keeps a detailed audit trail of the entire call (number called, time, date, length, collect/debit, etc.) and sorts account informatLDn.

It's set up to limit the use of UNIX commands to the system administrator only (called Database Administrator [DBA] on the system).  You can get to this part of the system by the "System Data Administrator" branch on the main menu.

The only way you can get direct access to raw UNIX is if you have programming access privileges (pick "Operating System Utilities" from the main menu).  Only the programming access privileges allow you to see the full system menu.  Users are only able to login on terminals in their approved area, and a failed login attempt freezes the account until the sysadmin restores it.

I have tried many PACs from 00000000 to 99999999 with no luck (and my fingers hurt like hell too).  An inmate can enter 118 to get his/her prepaid account balance, so I tried 000 through 999 using the code and any PIN (staff) that I could guess, but nothing good came from it (now my fingers are bleeding).

114 plus a staff PIN followed by an inmate's PAC allows staff to listen to the last recorded name you used (for collect call connection).

If anyone has ideas about how an inmate might beat this phone system, I would love to hear them.  ITS is like Fort Knox!

Note:  This is not a PBX!  They just add TMUs when they need more phones.