STEP BY STEP SWITCHING NOTES

                              BY PHANTOM PHREAKER

                      WRITTEN FOR LOD/H TECHNICAL JOURNAL


    The following research was done on a class 5 Step By Step switching system.
Items mentioned in this article are not guaranteed to work with your particular
office.  The following interesting topics about Step By Step switching are for
informational and educational purposes only. This article is aimed at people
who wish to learn more about telephone switching systems.

    I realize step-by-step switching is dwindling every day, with many
electromechanical SxS offices being replaced with newer electronic/digital
switches and Remote Switching Systems (RSS's). However, rural areas of the U.S.
still use Step, so if you are ever in an area served by a SxS CO you may be
able to use this information.


    1:ANI Failure/ONI

    To understand this technique, you must understand how ANI functions in the
Step-by-Step switching system. Your CO sends ANI, with your number, in MF or DP
to receivers that collect the ANI information and store it, along with the
called number, on the appropriate form of AMA tape. ANI outpulsing in MF can
use either LAMA (Local Automatic Message Accounting) or CAMA (Centralized
Automatic Message Accounting). ANI sent in DP type signalling can also be used,
but is rare. DP vs MF trunk signalling is similar to the difference between
DTMF and pulse dialing, except on a trunk. DP signalling sends all information
in short bursts of 2600Hz tones.

    Causing ANIF's/ONI is an easy task in SxS (and some versions of Xbar),
because the customer's link to the CO will allow the customer to input MF tones
to influence a call's completion. This can be done by dialing a long distance
number and listening to the clicks that follow. After the first click when you
are done dialing, you will hear a few more. They will be timed very close to
one another, and the last click occurs right before the called telephone rings.
The number and speed of the clicks probably vary. Basically what these clicks
are is the Toll Office that serves your CO setting up a route for your call. In
order to abuse this knowledge, you need access to a MF source, whether it be a
blue box, a computer with a good sound chip, tape recording, etc. Right before
you hear the series of clicks, send one of the following sequences in MF:

KP+1 (Repeatedly) For Automatic Number Identification Failure (ANIF)

-or-

KP+2 (Repeatedly) For Operator Number Identification (ONI)

(Note: these will not work if your CO uses DP signalling.)

Play these tones into the phone at a sufficient volume so that they 'drown out'
the series of clicks. Do not send an ST signal, as you are not actually dialing
on a trunk. You must send these MF sequences quickly for this method to work
correctly. After you have played your 'routing' a few times, you will hear a
TSPS operator intercept your call and ask for the number you are calling FROM.
When an ANIF is recognized, the call is cut through to a TSPS site that serves
your area. Now, you can give the operator any number in your exchange and she
will enter the billing information manually, and put the call through. The toll
charges will appear on the customer who owns the number you gave. You can also
accomplish a similar feat by merely flashing the switchhook during the series of
clicks. This will send DC pulses that scramble the ANI outpulsing and cause
your call to be sent to a TSPS operator before the dialed number. Be sure to
stop sending the MF 'routing' after the operator attaches or she may know that
something's up. Use this method sparingly and with caution. It would also be a
good idea not to use the same number for billing more than one time. Don't use
this method in excess, because a toll office report will list the number of ANI
failures for a specific time period. The ONI method works better because it is
assumed ONI is needed to identify a caller's DN upon a multi-party line. Too
many ANI failures will generate a report upon a security/maintenance TTY, so if
you plan on using this method, use the ONI method instead of just ANI Failure.
The basic idea behind the ANIF is to scramble your ANI information by using MF
(or the switchhook) to send your LD call to a TSPS operator for Operator Number
Identification (ONI) due to ANI Failure. The idea behind the ONI method is that
you are fooling the switch into thinking you are calling from a multi-party
line and ONI is needed to identify your DN.
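
The reporting described above (toll office counts of ANI failures, and the
expectation that ONI comes from multi-party lines) can be written as detection
logic. This is an added example, not part of the original article; the record
layout, the thresholds and the multi-party line list are constructed
assumptions, not a real AMA format.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (assumed layout, not a real AMA format):
# time, originating prefix, identification method, billed DN, called number
RECORDS = """\
1990-03-01T20:01 492 ANI  492-1000 312-555-1000
1990-03-01T20:05 492 ANIF 492-2345 312-555-1000
1990-03-01T20:09 492 ANIF 492-3456 312-555-1000
1990-03-01T20:14 492 ANIF 492-4567 312-555-1000
1990-03-01T20:20 492 ONI  492-7001 312-555-1000
1990-03-01T20:40 492 ONI  492-5678 312-555-1000
1990-03-01T21:30 492 ANIF 492-6789 212-555-0100
"""
MULTI_PARTY = {"492-7001"}   # assumed provisioning data: DNs on multi-party lines
ANIF_LIMIT = 2               # assumed threshold: ANI failures per office per hour
DEST_LIMIT = 3               # assumed threshold: billed DNs per called number

def parse(text):
    """Split each record line into (time, office, method, billed, called)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, office, method, billed, called = line.split()
            rows.append((datetime.fromisoformat(ts), office, method, billed, called))
    return rows

def anif_bursts(rows, limit=ANIF_LIMIT):
    """Hours in which one office produced more than `limit` ANI failures."""
    counts = Counter((office, ts.replace(minute=0))
                     for ts, office, method, _, _ in rows if method == "ANIF")
    return {key: n for key, n in counts.items() if n > limit}

def unexpected_oni(rows, multi_party=MULTI_PARTY):
    """ONI is expected on multi-party lines; report ONI billed to any other DN."""
    return [(ts, billed, called) for ts, _, method, billed, called in rows
            if method == "ONI" and billed not in multi_party]

def shared_destinations(rows, limit=DEST_LIMIT):
    """Called numbers reached via operator-keyed billing from many different DNs."""
    billed_by_dest = defaultdict(set)
    for _, _, method, billed, called in rows:
        if method in ("ANIF", "ONI"):
            billed_by_dest[called].add(billed)
    return {dest: len(dns) for dest, dns in billed_by_dest.items() if len(dns) >= limit}

if __name__ == "__main__":
    rows = parse(RECORDS)
    print(anif_bursts(rows), unexpected_oni(rows), shared_destinations(rows), sep="\n")
```

The second check is the one that catches the ONI variant, since an ONI count
alone is not treated as a failure.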


    2:Test numbers

    Some other interesting things in the Step By Step system can be found by
dialing test numbers. Test numbers in SxS switching systems are usually hidden
in the XX99 area, as opposed to 99XX, which is common for other types of
switching systems. These types of numbers are possibly physical limitations of
a SxS switch, and thus a milliwatt tone or other test numbers will be placed
there, because a normal DN can't be assigned such a number. However, these XX99
numbers are usually listed in COSMOS as test numbers. Another interesting note
about XX99 numbers is that they seem (at least in some offices) to be on the
same circuit. (That is, if one person calls an XX99 number and receives a test
tone, and another person calls any other XX99 number in that same prefix, the
second caller will receive a busy signal).

    Here we must examine the last four digits of a telephone number in detail.


XXXX=WXYZ             W=Thousands digit
                      X=Hundreds digit
                      Y=Tens digit
                      Z=Units digit


    Dialing your prefix followed by an XX99 may result in a busy signal test
number, a network overflow (reorder), milliwatt tones, or other types of error
messages encountered when dialing.

    Not every XX99 number is a test number, but many are. Try looking for these
in a known Step by Step office.

    The numbers that return a busy signal are the ones that incoming callers
are connected to when the Sleeve lead of the called Directory Number is in a
voltage present state, which means the line is in use or off-hook. More about
this in the next topic.


    3:Busy signal conferencing

    Another interesting feature of the Step-By-Step system is the way busy
tones (60 IPM) are generated. In ESS and DMS central offices, busy signals that
are sent by the terminating switch are computer generated and sound very even
and clear with no signal irregularity. In SxS, all calls to a particular DN are
sent to the same busy signal termination number, which can be reached most of
the time by a POTS number. These busy tones are not computer generated and the
voice path is not cut-off.

    You can take advantage of this and possibly have a 'busy signal conference'.
This can be achieved by having several people dial the same busy DN that is
served by a Step office, or by dialing an always-busy termination number. When
you are connected to the busy signal, you will also be able to hear anyone else
who has dialed the same busy number. Connection quality is very poor however,
so this is not a good way to communicate.
    As an added bonus, answering supervision is not returned on busy numbers,
and thus the call will be toll-free for all parties involved. However, you must
be using AT&T as your inter-LATA carrier if the call to the busy number is an
inter-LATA call for you. So if your IC is US Sprint, you must first dial the
AT&T Carrier Access Code (10ATT) before the busy number. If your IC doesn't
detect answer supervision, and begins billing immediately or after a certain
amount of time, then you will be billed for the length of the call.


    4:Temporarily 'freezing' a line

    A SxS switching system that operates on the direct control principle is
controlled directly by what the subscriber dials. Jamming a line on SxS to
prevent service is possible by simply flashing the switchhook a number of times.
Or you may find after several aborted dialing attempts, the line will freeze
until it is reset, either manually or by some time-out mechanism. Usually the
time the line is out of action is only a few minutes. The line will return a
busy signal to all callers, and the subscriber who has a 'dead' phone will not
even hear sidetone. This happens when one of the elements in the switch train
gets jammed. The switch train consists of the linefinder, which sends a dial
tone to the subscriber who lifted his telephone, and places voltage on the S
(Sleeve) lead to mark that given DN as busy. Next in the switch train are
the selectors. The selectors are what receive the digits you dial and move
accordingly. The last step in the switch train is the connector. The connector
is what connects calls that are intraoffice, and sends calls to a Toll office
when necessary. Other types of devices can be used in the switch train, such as
Digit Absorbing Selectors, where needed.

    5:Toll/Operator assisted dialing

    You may be able to dial 1/0+ numbers with your prefix included in some
areas. You can dial any call that you could normally reach by dialing 1+ or 0+.
For example, to dial an operator-assisted call to a number in Chicago, you
could dial NXX+0312+555+1000 where NXX is your prefix, and you would receive
the usual TSPS bong tone, and the number you dialed, 312+555+1000, would show
up on the TSPS console's LED readout board. You can also use a 1 in place of the
0 in the above example to put the call through as a normal toll call.

    This method does not bypass any type of billing, so don't get your hopes
up high.

    The reason this works is twofold. The first reason is that the thousands
digit in many SxS offices determines the type of call. A 0 or a 1 in place of
another number (which would represent a local call) is handled accordingly. The
other reason is due to a Digit Absorbing Selector that can be installed in some
SxS offices to 'absorb' the prefix on intraoffice calls when it is not needed
to process the call. A DAS can absorb either two or three digits, depending
on whether the CO needs any prefix digit(s) for intraoffice call completion.

    6:Hunting prefixes

    SxS switches may also translate an improperly dialed local call and send
it to the right area over interoffice trunks. Take for instance, you need to
make a local call to 492-1000. You could dial 292-1000 and reach the exact
same number, provided that there is no 292 prefix within your local calling
area. However, only the first digit of a prefix may be modified or the call
will not go through correctly unless you happen to have dialed a valid local
prefix. You also cannot use a 1 or a 0 in place of the first prefix digit,
because the switch would interpret that as either dialing a toll or an operator
assisted call.


    7:Trunks

    Step by Step switching system incoming and outgoing trunks are very likely
to use In-band supervisory signalling. This means you could possibly use
numbers served by a SxS CO to blue box off of. But, some older step areas may
not use MF signalling, but DP signalling. DP signalling uses short bursts of
2600Hz to transfer information as opposed to Multi-Frequency tones. In DP
signalling, there are no KP or ST equivalents. Boxing may be accomplished from
DP trunks by sending short bursts of 2600Hz (2 bursts would be the digit 2).
Acceptable pulse rates are 7.5 to 12 pulses per second, but the normal rate is
10 pulses per second. A pulse consists of an 'on hook' (2600Hz) tone and an
off-hook (no tone). So, at 10 pulses per second, a digit might be .04 seconds
of tone and .06 seconds of silence. DP is rarely used today, but some
direct-control Step offices still use it. Common Control Step offices are much
more likely to use MF trunk signalling.
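
The DP timing figures above, seen from the receiving side: an added example
(not from the original article) that decodes a train of tone/silence intervals
into digits and rejects pulses outside the 7.5 to 12 pulses per second range.
The interdigit gap value and the function names are assumptions; ten pulses
for the digit 0 follows normal dial-pulse practice.

```python
MIN_PPS, MAX_PPS = 7.5, 12.0   # acceptable pulse rates quoted in the text
INTERDIGIT_GAP = 0.3           # assumption: silence (seconds) that ends a digit

def decode_dp(segments):
    """Decode [(tone_s, silence_s), ...] into a digit string.

    Each tuple is one pulse: seconds of 2600Hz tone, then seconds of silence.
    Raises ValueError when a pulse inside a digit is outside the accepted rate.
    """
    digits, count = [], 0
    for tone, silence in segments:
        count += 1
        if silence < INTERDIGIT_GAP:
            # Pulse inside a digit: its period (tone + silence) gives the rate.
            pps = 1.0 / (tone + silence)
            if not MIN_PPS <= pps <= MAX_PPS:
                raise ValueError(f"pulse rate {pps:.1f} pps out of range")
            continue
        # Long silence: the digit is complete. Its last pulse has no measurable
        # period, so only the pulse count is checked here.
        if count > 10:
            raise ValueError("more than ten pulses in one digit")
        digits.append(str(count % 10))   # ten pulses encode the digit 0
        count = 0
    if count:
        raise ValueError("train ended in the middle of a digit")
    return "".join(digits)

def sample_train(number, pps=10.0, tone_fraction=0.4):
    """Constructed test input: interval timings for `number` at a given rate.

    The defaults give the 0.04 s tone / 0.06 s silence split from the text.
    """
    period = 1.0 / pps
    pulse = (period * tone_fraction, period * (1 - tone_fraction))
    train = []
    for d in number:
        n = int(d) or 10
        train += [pulse] * (n - 1) + [(pulse[0], 2 * INTERDIGIT_GAP)]
    return train

if __name__ == "__main__":
    print(decode_dp(sample_train("3125551000")))
```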


    As said at the start of this file, some of the things mentioned here may
have no practical use, but are being exposed to the public and to those who did
not know about any one of the procedures mentioned here previously.


                        References and acknowledgements
===============================================================================
     Basic Telephone Switching Systems-By David Talley, Hayden publishers
               No. 1 AMARC-Bell System Technical Journal
  Mark Tabas for information about CAMA and DP, The Marauder, and Doom Prophet.
===============================================================================