The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / zines / phrack2 / phrack44.013 < prev next >

Wrap

Text File | 2003-06-11 | 15.7 KB | 457 lines

==Phrack Magazine== Volume Four, Issue Forty-Four, File 13 of 27 **************************************************************************** METRO P/H Presents Northern Telecom's FMT-150B/C/D Optical Fiber Digital Transmission System ≡Intro≡ This file will cover the FMT-150, the equipment that sends info over the digital trunks using lasers. It is an accompaniment to our guide to remotes (COs). I will cover all the interesting and useful stuff. This file is mostly for SERIOUS phreaks, we'll have more non-technical cool stuff coming up. ≡System Description≡ The FMT-150 fiber optic transmission system combines DM-13 multiplexers and 150 Mb/s Fiber Transports in compact shelf packages, I will refer to it as a shelf. The FMT-150 product architecture supports subscriber loop and interoffice link applications using hub, drop/insert, repeater and terminal configurations. The following is what a FMT-150 shelf system consists of. FMT-150B 1 DM-13 multiplexer (multiplexes 3 signals into one signal of 44.736 Mb/s.) 1 150 Mb/s fiber interface 1 maintenance control unit 1 service channel unit (optional) 2 (or 4) power supply units FMT-150C 2 DM-13 multiplexers 2 (or 4) power supply units FMT-150D 2 150 Mb/s fiber interfaces 2 service channel units (both optional) 2 maintenance control units 2 (or 4) power supply units ≡Maintenance≡ Service Channel Unit Order-wire Facility Two voice channels per DS-3 signal are provided for individual addressing using DIP switches on the SCU. Dial over a 4 wire headset/handset. (more in Order-Wire) Interfaces The CRT (good old Cathode Ray Tube) Interface is an important system feature of the Maintenance Control Unit (MCU). You can plug in to a RS-232 port directly (use a null-modem cable) on the "shelf" or remotely via a modem (!). Also a Tandy 200 can be interfaced with the Maintenance Control Unit. The network configuration, the status of each node, and any alarm existing can be viewed on the terminal. The interface goes from 300 to 9600 baud. The software already present on the MCU is all that is needed, the interface need only support certain emulations (see Operation Procedures.) (hmmm... Could Radio Shack and Northern Telecom be butt buddies?) Also available is a RS-422 interface which provides a large number of alarm status and control points through the MCU. The port is labeled "Customer E2A" on the shelf. CAMMS is an extended feature of the FMT-150. It stands for Central Access Maintenance and Monitoring System which can also take advantage of the Maintenance features (see Operation Procedures). All this is, is a mini-terminal, that can be installed and act like a CRT interface. Specifications When interfacing the CRT with a null modem cable, your cable should fit the diagram below. ┌────┐ ┌────┐ │1 O┼────────────────────────────────────────┼O 1 │ │2 O┼────────────────────────────────────────┼O 3 │ │3 O┼────────────────────────────────────────┼O 2 │ │4 O┼────────────────┬───────────────────────┼O 8 │ │5 O┼────────────────┘ ┌─────────────────────┼O 20│ │6 O┼──────────────────┘ ┌───────────────────┼O 7 │ │7 O┼────────────────────┘ ┌─────────┼O 4 │ │8 O┼──────────────────────────────┴─────────┼O 5 │ │20 O┼────────────────────────────────────────┼O 6 │ └────┘ └────┘ Pin Definitions 1. Ground 6. Data Set Ready 2. Transmit Data 7. Ground 3. Receive Data 8. Data Carrier Detect 4. Request to Send 9. Data Terminal Ready 5. Clear to Send When interfacing your Hayes compatible (telephone connection) configure the DIP switches in this manner. X=empty space O X O X X O X O O=the switch's position X O X O O X O X 1 2 3 4 5 6 7 8 Alarms and Buttons Listed below are some LED descriptions and button meanings that a phreak will find on the shelf. LEDs Description ----------------------------------------------------------------- MAJOR RED - Service affecting failure (run, they'll be there soon!) MINOR YELLOW - Non-service affecting failure. FUSE ALARM RED - A fuse blew REM YELLOW - An alarm has occurred at a remote site. Order-wire Left GREEN - Solid, Left order wire is active, if flashing, incoming call on left. Order-wire Right Same as above, but for Right ----------------------------------------------------------------- BUTTONS Description _________________________________________________________________ LP TEST Lights up all LEDs ACO Turns off existing audible alarm LOC 1, 2, 3 (OW) Rings every site common to STX signal 1, 2, and 3 EXP 1, 2, 3 (OW) Same as above ----------------------------------------------------------------- Power Supply Unit This is a seemingly 5V output power supply, which has a simple ON/OFF switch which is housed under a protective latch, pull this and have an instant phreak marathon (see REDUNDANCY at end of file.) ≡Equipment Configuration≡ The FMT-150 system is suitable for a wide variety of applications, as follows: * Access Networks CO to Customer Serving Areas CO to Digital Loop Carrier CO to Switch Remote CO to Customer Premises. * Inter-Office Trunk routes * Broadband Applications such as Video * Entrance Links to Radio Systems * Dynamic Network Routing * Stand-Alone Multiplexer Applications with Radio * Route Diversity * Wide Area Network (WAN) Application ≡Order-Wire≡ Order Wire A buzzer is heard and a flashing LED is seen if a call is coming in, plug in a handset/headset connector into the jack on the shelf. To terminate the call pull the plug out or hit #. To dial, just plug in and dial four digits, wildcards are also allowed by use of the * key. The handset described is a Contempra Handset (NT2E36AA). A test set could also be used but the plug would have to be altered, its 4 wire, remember. Order Wire is only CO-to-CO communication. The jack can be plugged into the front of the FMT-150 shelf. The dialing format is described below. ----------------------------------------------------------------- First digit: Indicates the type of call being made Second, Third, and Indicated which site will be dialed. Fourth digits Address of the site is set via rotary switches located on the front edge of the SCU module. ----------------------------------------------------------------- First digit significance 1 = local call for STX ({Pseudo} Synchronous Transport Signal: First Level at 49.92 Mb/s [NT]) signal 2 2 = local call for STX signal 2 3 = local call for STX signal 3 (where'd 4 go?) 5 = express call for STX signal 1 6 = express call for STX signal 2 7 = express call for STX signal 3 The three following digits are not standard, so if you want to experiment with this hit a first digit and then three *'s On the shelf there are buttons which act like speed dialing, the first three letters stand for LOCal or EXPress and the number is the signal, so EXP 2 would be broadcast call on STX signal 2, express channel. ≡Installation≡ A typical FMT-150 Setup ┌────────────────────────────────────┐ │ Ground Bar │ ├────────────────────────────────────┤ │ Fuse & Alarm Panel │ A ├────────────────────────────────────┤ | │ FMT-150 Shelf │ | ├────────────────────────────────────┤ 7ft │ FMT-150 Shelf │ | ├────────────────────────────────────┤ | │Fiber Splice/Storage Panel or CAMMS │ V ├────────────────────────────────────┤ <----25.94in----> │ FMT-150 Shelf │ ├────────────────────────────────────┤ │ FMT-150 Shelf │ ├────────────────────────────────────┤ │ FMT-150 Shelf │ ├────────────────────────────────────┤ │ FMT-150 Shelf │ ├────────────────────────────────────┤ │ FMT-150 or Rectifier Shelf │ ├────────────────────────────────────┤ │ FMT-150 or Standby Batt. Shelf │ ├────────────────────────────────────┤ │ AC outlet Assy │ └────────────────────────────────────┘ ≡Operation Procedures≡ Specifics on Interfacing The RS-232 serial interface supports the following terminals. * DEC VT 100 * DEC VT 102 * DEC VT 220 * DEC VT 320 * FALCO * IBM 3162 with VT 220 cartridge * Wyse WY85 with VT100 Emulation * Ramodom VT200 portable terminal * Televideo 922 * Televideo 9220 * Tandy 200 (only with Multipoint Plus MCU:NT7H90CA/XC) * CAMMS (only with Multipoint Plus: NT7H90CA/XC/FA) * Cybernex (in 8-bit mode only) (Ok bros this is the part we are interested in so sit back) Login Procedures If you approach the FMT-150 shelf and have a previously described interface, then you can login. Also if you are scanning (GTE (Northern Telecom) areas only) and come across a "sitting system" that displays a message (below) after hitting 3 returns, you are in! 1 - DEC VT100 2 - NT Meridian 6000 (Crosstalks or Procom with VT100 emulation) 3 - Tandy 200 (running Telecom) F4- NTCAMMS MDU Enter Terminal Type: Choose your terminal type, usually 2 (use VT100) if you are calling in, and it will prompt you with a "Login: " prompt, this is a trick, there are no user levels, the "Login:" simply means enter the password, and the default is to hit return, so always try that first. If a password is installed then try something like FMT-150 or something that you would think they would use. You should get a screen like this one after choosing the terminal type: FMT-150 Transmission System Northern Telecom Firmware Copyright Northern Telecom 1988 - - Node Id.: 123456789012345- - - - Last Update 87/03/06 11:07- Login: (remember, enter a password here, no user levels!) - - Syst Id.: 123456789012345- - - - Time: 87/03/06 11:07- - - After Logging In (commands are presented in an outline configuration, you should be getting screens of output, but this outline will show you what to input. # = number, not pound, <sp> = spacebar.) Example: If I wanted to set the system's date to 1/4/1943 (heh) then after logging in I would press, "c" then "d", then "43", then "1" and finally "4". ----------------------------------------------------------------- a Alarms (once again, lame stuff) o Optical Tx/Rx unit-level alarm screen. t Translator module-level alarm screen. m DM-13 multiplexer-level alarm screen. c Common equipment-level and customer input/output points alarm screen. c Configuration (!) a alarm logger e enable alarm logger d disable alarm logger i # <sp> "name" Name a customer input point o # <sp> "name" Name a customer output point d #1 <sp> #2 <sp> #3 <sp> Set date: #1 is year, #2 is month #3 is day. t #1 <sp> #2 <sp> #3 <sp> Set time: #1 is hour, #2 is minute. p "oldpass" "newpass" Change password from "oldpass" to "newpass". s "system ID name" Name System ID s Switching commands (extremely extensive, so I will include a small portion) # <sp> m # <sp> <return> Display DM-13 Switch Screen t <return> Display translator/optics switch status for node #. <return> Display translator/optics switch status for local node or node last displayed. m Maintenance Commands r (see note) * Reset all nodes # <sp> Reset node # t # <sp> o Operate test of customer input/output points and E2A ports. r Release test of customer input/output points and E2A ports. l Logout of the FMT-150 system. n Network Status <return> Display network status screen. NOTE: After executing a local or global MCU reset, the message "PROCESSOR CRASH" will appear on the bottom of the CRT's screen. As a result, the user will have to log back into the system. In addition, a global MCU reset will clear all "names" and "settings" previously defined (that is, system ID, node, customer inputs/outputs, time and date). ----------------------------------------------------------------- Many other commands are listed but they are extremely numerous and useless to the average phreak. If a "terminal" that is 4.4 inches tall with a center screen and 2 12 key keypads on either side is seen on the shelf, this will be a CAMMS terminal, all functions above can be performed with this unit, its menu driven. ≡Troubleshooting≡ This section is the manual is devoted to fixing problems in the FMT-150, aimed at the average see-my-crack-of-the-ass telco maintenance man. Basically, if you see any red LEDs, inspect them and judge if you should get the hell out of the CO or not, usually red LEDs mean trouble. REDUNDANCY When doing anything of this nature to a fone company, you must remember, they are not stupid, everything has something to fall back on, if you were to cut a trunk line, there would be another to take its place. Usually there will be only one backup, so be meticulous and find both. ≡Outro≡ Hope this file was worth something to somebody, it applies mostly to those in a GTE area, since GTE uses Northern Telecom equipment and most everyone else uses AT&T stuff. -FyberLyte 9-93