Hacker Chronicles 1

home *** CD-ROM | disk | FTP | other *** search

/ Hacker Chronicles 1 / HACKER1.ISO / miscpub1 / lo018.txt < prev next >

Wrap

Text File | 1992-09-26 | 26KB | 410 lines

The LOD/H Technical Journal: File #8 of 12 *** NOTE *** BECAUSE OF THE LENGTH OF THIS GUIDE, IT HAS BEEN BROKEN INTO TWO PARTS FOR TRANSMISSION. HOWEVER, IT IS ONE VOLUME, AND IS INTENDED TO BE PRINTED AS A WHOLE FOR USE AS BOTH A TUTORIAL AND A REFERENCE GUIDE. ********************************* The Legion of Doom! Presents: ------------- LOD Reference Guide Vol. I Outside Loop Distribution Plant -------------- Written 12/86 Phucked Revision III Agent 04 ********************************* ---------------------- INTRODUCTION / OUTLINE ---------------------- Basically, the outside local loop distribution plant consists of all of the facilities necessary to distribute telephone service from the central office (CO) out to the subscribers. These facilities include all wire, cable, and terminal points along the distribution path. In this article, we shall follow this path from the CO to the subscriber, examining in depth each major point along the route and how it is used. This is especially useful for checking if any 'unauthorized equipment' is attached to your line, which would not be attached at the Central Office. I suppose this article can also be interpreted to allow someone to do just the opposite of its intended purpose... Note that this article is intended as a reference guide for use by persons familiar with the basics of either LMOS/MLT or the operation of the ARSB/CRAS (or hopefully both), because several references will be made to information pertaining to the above systems/bureaus. I have no manuals on this topic, all information has been obtained through practical experience and social engineering. ******************** -------------------------------- Serving Area Concepts (SAC) plan -------------------------------- In order to standardize the way loop distribution plants are set up in the Bell System of the U.S. (and to prevent chaos), a reference standard design was created. For urban and suburban areas, this plan was called the Serving Area Concepts (SAC) plan. Basically, in the SAC plan, each city is divided into one or more Wire Centers (WC) which are each handled by a local central office switch. A typical WC will handle 41,000 subscriber lines. Each WC is divided into about 10 or so Serving Areas (depending on the size and population of the city), with an average size of 12 square miles each (compare this to the RAND (Rural Area Network Design) plan where often a rural Serving Area may cover 130 square miles with only a fraction of the number of lines). Each Serving Area may handle around 500-1000 lines or more for maybe 200-400 hous- ing units (typically a tract of homes). From the CO, a feeder group goes out to each Serving Area. This con- sists of cable(s) which contain the wire pairs for each line in the SA, and it is almost always underground (unless it is physically impossible). These feeder cables surface at a point called the Serving Area Interface (SAI) in a pedestal cabinet (or "box"). From the SAI, the pairs (or individual phone lines) are crossed over into one or several distribution cables which handle different sections of the SA (ie. certain streets). These distribution cables are either of the aerial or underground type. The modern trend is to use buried distribution cables all the way to the subscriber premises, but there are still a very large number of existing loop plants using aerial distribu- tion cables (which we will concentrate mainly upon in this article). These distribution cables are then split up into residence aerial drop wires (one per phone line) at a pole closure (in aerial plant), or at a cable pair to service wire cross box (in buried plant). The cable pairs then end up at the station protector at the customer's premises, where they are spliced into the premise "inside wire" (IW) which services each phone in the customer's premi- ses (and is also the customer's responsibility). Although this is the "standard" design, it is by no means the only one! Every telco makes it's own modifications to this standard, depending on the geographic area or age of the network, so it's good to keep your eyes and your mind open. ******************** At this point, we will detail each point along the Loop Distribution Plant. ----------------------------- Cable Facility F1 - CO Feeder ----------------------------- The F1 cable is the feeder cable which originates at the Main Distribu- tion Frame (MDF) and cable vault at the local CO and terminates at the SAI. This cable can contain from 600 to over 2000 pairs, and often more than one physical F1 cable is needed to service a single Serving Area (at an SAI). The F1 is almost always located underground, because the size, weight, and number of feeders leaving the CO makes it impossible to put them on normal telephone poles. Since is is also impractical to use one single piece of cable, the F1 usually consists of several pieces of large, pressurized or armored cable spliced together underground (this will be covered later) into a single cable. Cable Numbering --------------- In order to make locating cables and pairs easier (or possible, for that matter), all of the cables in the loop distribution plant are numbered, and these numbers are stored in databases such as LMOS at the ARSB or other records at the LAC (Loop Assignment Center) or maintenance center. When trying to locate someone's cable pair, it helps a great deal to know these numbers (although it can be done without them with experience and careful observa- tion). Probably the most common place to find these numbers is on a BOR, in the "Cable & Assignment Data" block. The F1 is usually assigned a number from 00 to 99 (although 000-999 is sometimes used in large offices). Cable >pair< numbering is different however, especially in older offices; typical F1 pair numbers range from 0000 to 9999. Keep in mind that the pair number is not concrete -- it is merely nominal, it can change, and it doesn't necessarily have any special meaning (in some well organized offices, however, the cables and pairs may be arranged in a certain way where you can determine what area it serves by its number (such as in my area...heh heh); in any case, it's up to you to figure out your area's layout). Anyway, the cable-pair number is usually written in a format such as 02-1495, where 02 is the cable and 1495 is the pair (incidentally, since this is the CO Feeder cable pair that is connect- ed to the MDF, it is the one that will be listed in COSMOS). F1 Access Points ---------------- Although the F1 is run underground, there is really not a standard access point down there where a certain pair in a cable can be singled out and accessed (as will be explained next). There is, however, a point above ground where all the pairs in the F1 can be accessed -- this point is known as the Serving Area Interface (SAI), and it will be detailed later. In LMOS or other assignment records, the address of the SAI will be listed as the TErminal Address (TEA) for the F1 cable handling a certain pair in question; therefore, it is where facility F1 stops. ----------------- Underground Plant ----------------- The term "Underground Plant" refers to any facilities located below the surface of the earth; this includes truly "buried" cables, which are located 6-or-so feet underground surrounded basically by a conduit and dirt, as well as cables placed in underground cement tunnels along with other "below-ground" equipment (such as seen in most urban areas). Whereas the first type is really impossible to access (unless, of course, you want to dig for a day or so and then hack into an armored, jelly-filled PIC cable-- then you should take a bit of advice from our resident Icky-PIC "Goo" advisor, The Marauder), the latter type can be accessed through manholes which lead to the underground tunnel. Manholes -------- Bell System manholes are usually found along a main street or area where a feeder cable group passes through. Using an underground cable location map is the best method for locating cable paths and manhole appear- ances, although it may not always be available. These maps can be acquired from the Underground Service Alert (USA) (at 800-422-4133), but often a "cable locator" will be dispatched instead (usually he will just mark off how far down or where you can dig without hitting a cable), so this is not a very practical method. Of course, you can always follow the warning signs on telephone poles ("call before you dig", etc) and the spans between SAI bridging heads until you find a manhole. The F1 for the SAI nearest the manhole should be found down there along with others en route to the areas they serve. There are several types of manhole covers, both round and rectangular. The rectangular ones are sometimes just hinged metal plates covering an under- ground terminal or cable closure, and these are easily opened by one person. A non-hinged one may require two people. Round manhole covers (which, by the way, are round so that a lineman can't accidentally drop the cover down the hole) are basically all the same, except for the types known as "C" and "D" type manhole covers which utilize locking bolts (these can be removed using a standard crescent or hex socket wrench). These covers are the same as the standard "B","A", and "SA" type covers once the bolts are removed. The best way to open a cover is to use a manhole cover lifter (ie. Defiance Corp. PTS- 49 or B-type Manhole cover lifter), although an ordinary 3/4 - 1 inch crow- bar (hook-side) can be used. Put the tool into one of the rim slots and press down on the bar until the hook is pressing up against the cover flange. Then push or lift the cover a few inches up and slide it off the hole. You can use a bent sprinkler turn-off wrench on the other side to lift up if there are two of you. You should have no problem with two people, although it can be done alone provided you are strong enough. Once inside, check around for any test equipment or papers which may have been left inside. Basically, there is really no pair access down there, as it is mainly a place through which the protected feeder cables are run and spliced together. These splice points are usually sealed in pressurized air and water-proof closures which protect the open splices from corrosion and ultra-violent rodent attack. If for some reason you happen to find an open splice case or a cable with it's armor and sheath removed, then it may be poss- ible (although not easy) to match color codes (see chart) and find a certain pair. You would have to strip the wire near the splice, though, and this is not recommended. Don't get the bright idea to pry open, or (worse yet) blow open a splice case, as they are often pressurized (see "manhole dangers"), and the telco will frown on your actions sooner or later. Anyway, the feeder cab- les generally are labelled at a point near the manhole, so it is easy to find and follow any certain cable. Because of this, the manhole access points in your neighborhood are good places to examine (and even sketch or map) the cable distribution plant in your area. This could be interesting, especially if you find a lot of recently installed groups or special service cables, etc. There could even be several types of apparatus cases containing either analog or digital carrier equipment (ie. T1 digital or O,L,or N analog), pair gain systems, repeaters, equalizers, or loading coils (which help compensate for shunt losses caused by the parasitic capacitance between pairs in pressurized cable). A typical underground apparatus facility is the BERT (Below ground Electronics Remote Terminal). However, it's unlikely that you will find any of this special equipment down there (other than loading coils, which look like metal cylinders) unless you are in a very rural or specialized area, or you happen to be in a manhole serving an inter-office trunk span (smile here). Manhole Dangers --------------- One must use good sense when entering a manhole, however, especially if you don't have the right equipment. First, you could drop the cover on your foot, or get a crowbar or bent sprinkler tool (the WORST) in the groin. Secondly, you must take precautions if you stay down long, because the atmos- phere in the hole will become oxygen depleted in a matter of minutes and there may be suffocating or otherwise dangerous gases in the manhole. Third, if you tamper with nitrogen-pressurized cables or closures, a depressurization alarm signal may be set off at the maintenance center, and technicians could be sent out while you are still in the hole. It is also known that expensive electronic equipment mounted below-ground (ie. SLC remote terminals) may be equipped with tamper alarms, and they are securely locked as well. ************************* ---------------------------- Serving Area Interface - SAI ---------------------------- The Serving Area Interface (SAI) is basically the point on the loop distribution path where the F1 feeder cable is cross-connected over into one or more F2 aerial (or buried) distribution cable. This terminal can be pole, pad, or pedestal mounted - however, for this article, we will concentrate on the pedestal mounted cabinet as it is by far the most common (the other forms are functionally similar, anyway). These things are seen all over -- the 4-foot high gray-green "boxes". There are several names for this terminal-- technically it is called the SAI or FDI (Feeder Distribution Interface), but it is usually called a Bridging Head, Pedestal, B-Box (lineman term), or just plain "Box." The standard cabinet is the Western Electric 40-Type cabinet, and it comes in several sizes, depending on the amount of cable pairs in the Serving Area. The size and style of the cabinet is usually stenciled or marked on the cement pedestal at the base of the cabinet. (ie. S-40-E = 40 type, E size, SAI cabinet). These cabinets can handle anything from 400 (A size- 200 feeder in, 200 distribution out - 43"H x15"W x12"D) to 1800 (E size - 900 in, 900 out - 54"H x 40"W x12"D), with some newer size F, H, and some 3M series- 4200 cabinets handling up to 3600 pairs at one site! Also note that 40-type (or look-alike) cabinets are not exclusively for use as a SAI, especially in areas using a buried F2 distribution plant. Note that all Bell System (Western Electric) cabinets, cross-boxes, etc. which are pedestal mounted are painted a standard grey-green (Technically, they are painted per Munsell Color Code Standard, EIA RS-359. This color is supposed to be the least obtrusive and most pleasing to the eye). This also helps to distinguish Telco boxes from sprinkler and signal control boxes. Also note that there are still a large number of older loop plants in the Bell System, and the terminal boxes may differ (ie. nut-bolt type binding posts, panel-removal type cabinets, etc.) in appearance, but the are all functionally similar. To open a 40-type or other common cabinet, one must use a 7/16" hex wrench (also called a "can-" or "216-" tool). Place the wrench on the bolt and turn it 1/8 of a turn clockwise (you should hear a spring release inside). Holding the bolt, turn the handle all the way to the right and pull the door outward. If you happen to see a locked cabinet pried open by a crowbar placed in the slot above the right door, you should report it to the telco AT ONCE! On the inside of the door, there should be a circular attachment with a "D"- type test cord on it which makes accessing pairs with a test set easier (if you dont have a test set, I will describe how to make a basic one later in this article). You should hook the alligator clips on your test set to the two bolts on the attachment, and then use the specialized cord to hook up to binding posts on the panel (it is specially designed to do so, whereas alliga- tor clips aren't). There are usually also spare decals and 2 reels of #22 solid "F" cross-connect wire stored somewhere in the cabinet, either on the doors in a box (along with a "788N1" tool for seating and trimming jumper wires) or mounted in the splice chamber (described in the next section). Locating Pairs and Cross-Connects --------------------------------- Basically, the SAI cabinet contains several terminal block panels (size A=1 panel, size C+D (800+1200 pairs, respectively)=2 panels, size E= 3 panels) of either 76-type screw binding posts (the most common) or more modern 108-type "quick-connect" connectors. These panels are divided up into 6 blocks of 100 cable pairs (2 screws = 1 binding post, per cable pair) each, with block 1-100 on the top and 501-600 on the bottom. In a 2-panel cabinet, the left panel typically contains the pairs from the F1 (feeder) cable, and the right panel contains the F2 distribution cable pairs. This is accomplished by either a harness or cable stub whose pairs are internally connected to the binding posts on a panel. The harness or stub is then spliced, usually with "710" splicing connector modules, to the respective F1 or F2 cable. In the case of the harness, this splice is located in the back of the cabinet, in the splicing chamber, which can be accessed by rotating the notched circular latch on the top of the terminal block assembly and letting the panel fall forward. Often the splices are covered with plas- tic bags. Note the color code of the pairs; if you can locate the pair you want, this is an excellent location to covertly access it, because this area is rarely seen during normal use of the cabinet (it is usually only opened during a cable cutover or "throw", in which a whole section of feeder or dist- ribution cable is replaced at one time). In the case of cable stub, the splicing is usually done underground at a closure, because the raw-ended cable extends 20 to 100 feet from the cabinet; in this case, there won't be a splic- ing chamber. This type is often used for aerial pole-mounted SAI's. Also note that in an F-size cabinet, you have to remove the whole back panel in order to access the splice chamber. Anyway, the pairs from the feeder panel are cross-connected with wire jumpers over to the binding posts on the dist- ribution panel; in this way, the two cables are connected. There are several ways to locate a pair in an SAI. First, and best, if you have assignment data from LMOS or equivalent, there should be an F1 Binding Post (BP) number listed along side the cable numbers. This number is usually a 3 digit number, 001-999, and it will correspond to a binding post pair in one of the hundred-blocks on the feeder panel side. The first digit of the BP is the block, and the other digits represent the pair in that block. Example- Terminal Panel (Green) (Blue) F1 pairs --F1----F2--- -- F1 Feeder --------- F2 Dist.---- ==>001-100 ! *** XXX ! F1 BINDING POST ! XXXXXXXXXX XXXXXXXXXX ! ! 101-200 ! XXX XXX ! # 025 ! XXXXXXXXXX SAI XXXXXXXXXX ! ! 201-300 ! XXX XXX ! ! ! XXXXXXXXXX XXXXXXXXXX ! ! 301-400 ! XXX XXX ! ------------------^ ! 401-500 ! XXX XXX ! (^^ close up view of first 3 of 10 binding post ! 501-600 ! XXX XXX ! rows of the first hundred block (marked ***)----! !-----------! F1 BP # 025 : 0 = first 100-block, 2 = pass over 2 full rows (go to 3rd row down), 5 = 5 pairs from left. The color of the pair label is important, also -- feeder pairs are always marked with GREEN labels. Secondly, if you don't have a binding post number, there may be a log or other chart posted on one of the doors of the cabinet showing the cable pairs and their corresponding binding posts (or the posts may in some cases be arranged or labelled in a way such that the cable pair number could be derived). Thirdly, as a last resort, you could connect a test set to each pair in the terminal, and dial your area's ANI number (This "ANI" number is usually a multi-digit test code which, when dialled responds with a voice announcement of the Directory Number (DN) for the line you are dialling from). This would have to be repeated until you happen to hook up to the line you are looking for (it's time consuming, but it works). Some sample ANI numbers are- 213 NPA - Dial 1223 213 NPA (GTE) - Dial 114 408 NPA - Dial 760 914 NPA - Dial 990 These numbers will vary from area to area, and some areas may not have such a service (in this case, you may have to dial a TSPS operator and have her read off the number on her ANI panel -- in some areas, you may have to say a code word or phrase in order for her to give you the number). In any case, it would be a good idea to ask a lineman or testboard employee for the proce- dure to use in your area to get ANI, because it's very useful and you'll need it sooner or later. Anyway, once an F1 BP is found, the cross-connect wire can be traced over to the distribution panel, and in this way, the F2 pair can be found. These F2 distribution pairs are always marked with BLUE labels. Note also that the binding post number of the cross-connected F2 pair is not recorded in LMOS (the F2 BP is NOT in the SAI, so don't confuse an F2 BP number with a BP in the SAI); however, when the cables are first installed, the feeder pairs and distribution pairs are in sequence -- this makes it easy to visually ass- ume where the F2 pair is. This order can be upset when cable pairs are added or changed, however, so it can't always be relied upon to produce valid F2 cable pair numbers (also, there may be two distribution cables, with the low-numbered pairs on the bottom and the high-numbered pairs on the top! -- It all depends on how the local telco sets things up). Floaters / Multiples -------------------- All of the pairs in a feeder cable are rarely used simultaneously; this would be impractical, because if one of the pairs was discovered to be faulty, or if a subscriber wanted another line, a whole new feeder cable would have to be added. To solve this, extra facilities are left in the loop plant as a provision for expansion. For example; on the feeder panel, all of the binding posts may be connected to F1 cable pairs, but not all of them may be crossed over to distribution pairs. These spare pairs are not connected to the switch, so they won't "have dial tone", but they are numbered. Since these lines aren't assigned, they wont be found in LMOS, but they will definitely be listed in LAC records. These records are the Dedicated Plant Assignment Cards (DPAC) / Line Cards and the Exchange Cable Conductor Records (ECCR), or even computerized databases (ie. MODE). If the numbers can be found (or even noted, if the numbers on the binding posts at the SAI correspond with feeder cable pair numbers) then the lines can be activated via a COSMOS service order. This is aided even further by the fact that since F1's usually last longer than F2 facilities, there are often more spare provisional F2 facili- ties in the loop plant (ie. 100 feeders in, 300 F2 out (200 aren't cross- connected to F1's)). So there is a good chance that you will find one that is distributed to your area. Other spare facilities include "floaters", which are like spare feeder pairs, except they are ACTIVE lines. Often, a telco will extend whole feeder groups to more than one SAI in provision for future expan- sion, including active cable pairs. If you find a working pair on a feeder panel which is not cross-connected to a distribution pair, that pair is a floater. This is by far the best way to covertly access a certain pair, because most linemen will probably not be aware of the pair's presence (it looks unused on the surface). Beware! If you think you can hook up to someone's floater and get free service, you're probably wrong (so many other people have been wrong, in fact, that Pacific Bell has a special "Form K-33" to report this type of fraud), because the telco is more aware of this than you may think. Obviously any toll call you make will show up on the bill for that line. A do-it-yourself spare pair activation can avoid this problem, if done correctly. ******************** Downloaded From P-80 International Information Systems 304-744-2253 12yrs+