Hacker Chronicles 1

home *** CD-ROM | disk | FTP | other *** search

/ Hacker Chronicles 1 / HACKER1.ISO / miscpub1 / phun406.txt < prev next >

Wrap

Text File | 1992-09-26 | 34KB | 681 lines

NOTICE: THIS FILE MAY ALSO BE RELEASED IN A 'YET TO COME' NEWSLETTER. ************************************************************************* * * P/HUN Issue #4, Volume 2: Phile 6 of 11 * * * * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * * * * * * * * Traffic Service Position System(TSPS) No. 1B * * * * * * * * Call Processing and Explanation * * * * Part One * * * * * * * ********************************************************************* * * ********************************************************************* * * * * * * * - Coin Stations and ACTS * * * * - Calling Card Service * * * * and * * * * - Billed Number Screening * * * * - Busy Line Verification * * * * * * * ********************************************************************* * * ********************************************************************* * * * * * * * Written By. . . Phelix the Hack * * * * * * * ********************************************************************* * * ********************************************************************* * * * * * * * The author hereby grants permission to reproduce, redistribute * * * * or include this file in your g-file section, electronic or print * * * * newsletter, or any other form of transmission of your choice, * * * * pending the fact that it is kept intact and in its entirety, * * * * with no additions, alterations or deletions of any of the info * * * * included below. * * * * * * * * Phelix the Hack Feb. 1989 * * * * * * * ********************************************************************* * ************************************************************************* 1.0 Introduction ================ The purpose of this file is discuss and describe the general system architecture and processing of certain calls handled in a Traffic Service Position System (TSPS) No. 1B office. From here after, any reference to the anacronym - TSPS, will be used to describe the Traffic Service Position System 1B. Wheras TSPS processes a wide variety of call types (listed below), this file will deal primarily with only a few types which I feel to be of special interest and importance to the phreak/hack community. Future files on TSPS will continue to expand upon the information presented here, and will discuss additional call types and processing. The types of calls, elected to be discussed in this file will fall primarily within the three following categories: 1) Coin Station Calls (Payphone) and ACTS call processing. 2) Calling Card Service and Billed Number Screening. 3) Busy Line Verification 2.0 Table of Contents ====================== Section Description ======= =========== 3 Anacronyms and Abbreviations used throughout this file. 4 General overview of call types. 5 General call processing for Coin and CC Services. 6 Coin Station. 7 Calling Card Service. 8 Busy Line Verification 9 Conclusion : Acknowledgements and References. 3.0 Anacronyms and Abbreviations ================================= The following is a list of anacronyms and abbreviations commonly used throughout this file. Due to the large number of times each appears, from this point on the abbreviations will be used the majority of the time. - TSPS - Traffic Service Position System - ANI - Automatic Number Identification - ANIF - ANI Failure - ONI - Operator Number Identification - H/M - Hotel/Motel - DLS - Dial Line Service - ACTS - Automated Coin Toll Service - CCS - Calling Card Service - BNS - Billed Number Screening - OST - Originating Station Treatment - SOST - Special Operator Service Treatment - OPCR - Operator Actions Program - RQS - Rate Quote System - PTS - Position and Trunk Scanner - RTA - Remote Trunk Arrangement - DDD - Direct Distance Dialed - AMA - Automatic Message Accounting - CAMA - Centralized Message Accounting - RBOC - Regional Bell Operating Company - MF - Multi-Frequency - DTMF - Dual Tone Multi-Frequency - CDA - Coin Detection and Announcement - SSAS - Station Signaling and Announcement Subsystem - SPC - Stored Program Control - T&C - Time and Charge - PIN - Personal Identification Number - RAO - Revenue Accounting Office - NPA - Numbering Plan Area - CCIS - Common Channel Interoffice Signaling - APF - All PINs Fail - OTC - Operating Telephone Company - ICVT - InComing Verification Trunk - OGVT - OutGoing Verification Trunk - INTT - Incoming No Test Trunks 4.0 General Overview of Call Types ================================== All call processing can be broadly thought of as the processing of a service request (by an operator or a customer) thru connection, talking state, and disconnection. Call types can be classified into the following two major groups: (Although no definite line can be drawn, in that the groups often overlap each other.) 4.1 Customer Originated Calls ============================== The first category of calls are those which can be classified as customer originated. In an effort to keep with the three main types discussed here, some of the call types listed will not be explained. 4.1.1) 1+ Calls =============== - DDD calls - Calls with ANIF or ONI - H/M calls - CAMA calls - 900 Dial Line Service (DLS)..."Dial a Vote" - NonCoin transfers from offices with out billing equipment - Coin Calls...Discussed later in greater detail 4.1.2) 0+ Calls ================ - Calling Card Service (CCS) Calls - Billed Number Screening (BNS) Calls - Originating Station Treatment (OST)..Third Party Billing, Collect.. 4.1.3) 0- Calls ================ - OPCR ...Standard RBOC(or Equivalent) "0" operator 4.1.4) International Call Handling (ICH) ...Overseas Calls =========================================================== 4.1.5) Automated Quotation Service and H/M calls ================================================= 4.2 Operator Originated ======================== The second category of calls handled by TSPS are operator originated, and are normally only initiated after a response to a customers request. These calls are of a nature that require operator intervention in order to complete. Examples: BLV/EMG INT, collect, third party billing... 4.2.1) Special Operator Service Traffic (SOST) =============================================== - These include calls which must be transferred to a SOST switchboard before they can be processed. Examples: Conferences, Appointment, Mobile... 4.2.2) Delayed Calls ===================== 4.2.3) Operator Service Calls ============================== - Customer/ Operator requested Rate and Route information ( RQS ) 4.2.4) CAMA Transfer Calls =========================== - Includes ANIF and ONI - Transfers from areas without billing equipment 4.2.5) Busy Line Verification (BLV) ==================================== - The Busy Line Verification allows a TSPS operator to process a customers request for a confirmation of a repeatedly busy line. This service is used in conjunction with Emergency Interrupts and will be discussed later in more detail. 4.2.6) Inward Calls ==================== - An inward call requires a TSPS operator to provide services which the customers originating operator is not able to provide. Ex: connection to a hard to reach number, BLV/EMG INT, CCS billing validation...An inward call can be originated with any of the following arrival codes: - 121 : NonCoin code...standard inward connection - 1150 : Coin code - 1155 : Noncoin with T&C code - 1160 : TSPS operator assisted inward CCS validation - 1161 : Automated inward CCS validation for non TSPS operator with DTMF touch tone signaling. - 1162 : Automated inward CCS validation for non TSPS operator with MF signaling. - Examples of the above codes: - KP+NPA+121+ST gets inward operator in NPA selected with only INWD key illuminated, indicating call connected to position in an inward call. - KP+1161+ST gets automated CCS validation that responds to DTMF tones. 5.0 General Call Processing for Coin Stations and CCS ====================================================== This section will deal with the processing that occurs during all customer initiated calls, and can be applied to both Coin and CCS calls. The following processes are presented in the order which they would normally be handled. 5.1) Trunk Seizure =================== - When a local office seizes a trunk in response to a customer request (i.e.- A customer has picked up the phone, placing it off-hook), current flows thru the circuit, changing the state of the ferrods (i.e.- scan points ) from an on-hook to an off-hook position. When this change is determined by the PTS (Position and Trunk Scanner) at the RTA (Remote Trunk Arrangement) to be an actual off-hook transition, and not merely a flash (tapped switch hook), it is taken as a request for service. 5.2) Digit Reception ===================== - After a trunk is seized the local office sends the called and calling number to the TSPS by means of MF pulsing. A Base Remote Trunk is connect to the MF receiver, which then proceeds to outpulse the MF digits. The digits are received and registered on ferrods by the PTA in the order in which they were received. The called number is the number dialed by the customer and consists of either 7 or 10 digits; the calling number is determined by the local office ANI equipment or by ONI, in case of ANIF. 5.3) Bridging a Position ========================= - An idle occupied position is then bridged onto the call by a connection to the TSPS. If operator service is required after connection to a position, the operator is prompted by a "zip" tone, and is alerted by a KIND OF CALL lamp, which provides information as to whether the call is coin, noncoin, 0+, 0-...If no operator service is required, the MF digits are outpulsed along the appropriate routing. 5.4) Call Connection ===================== - If operator action was needed, upon the operators disconnect of the line (position released), the network connection between the the TSPS trunk and the base remote trunk is severed. The established through connection is now placed in a call floating (talking) state until disconnect. 5.5) Call Disconnection ======================== - Both ends of a connected call are monitored for an off-hook state change, which upon indication,must occur long enough to be recognized as an actual disconnect (and not merely a flash...). Another manner of disconnect is from a called party Time Released Disconnect (TRD), which is employed to limit billed party liability and release network connections. Example: A customer requests a disconnect after x number of minutes, or after $x.xx. The final action in a disconnect is to return the TSPS trunk to an idle position, which then awaits recognition of another service request. 5.6) AMA Data Accumulation and Reception ========================================= - After a disconnect has been established, the AMA information is registered, and prepared for billing. The following is just some of the information that is recorded on disk for processing. - Call Connect - Elapsed time - Signaling Irregularities - WalkAway Toggle (coin station fraud...discussed later) - Type of number billed 6.0 Coin Station Calls and ACTS Processing ========================================== In general, coin station calls can be divided into 1+, 0+ and 0- originated calls, not including 0+ and 0- CCS calls which will be discussed later in this file. All calls falling into these categories go through the following basic operations, many of which were described in section 5 of this file. (The [] indicate operations that may or may not be present, depending on the type of call placed) - 1) Trunk Seizure - 2) Digit Reception - 3) Bridging a Position [and Coin Detection and Announcement (CDA)] - 4) [Operation Action and] Digit Outpulsing. - 5) Talking Connection - 6) Call Disconnect - 7) AMA Processing 6.1 Automated Call Processing ============================== All coin station calls requiring coin input from the customer are handled by the Automated Toll Services (ACTS) which is implemented by the Station Signaling and Announcement Subsystem (SSAS). The SSAS automates the initial contact on most 1+ (station paid) toll calls, by transmitting an announcement requesting the initial deposit from the customer, and counting the deposits. If an unusual delay occurs during the coin deposit period, the SSAS will prompt the user for the remaining deposit needed to complete the call. Upon completion of sufficient deposit, SSAS provides an acknowledgement announcement thanking the customer, and then causes the outpulsing of the called digits to be handled by the Stored Program Control (SPC). This delay in outpulsing prevents free, short duration messages and keeps the audible ring of the called party from interfering with coin detection signals. Any customer over-deposit is automatically credited towards overtime charges. SSAS can accommodate initial periods of up to 6 minutes, at the end of which the local office rate schedule is accessed and announcement may or may not notify the customer of the end of initial period. 6.2 Operator Intervention =========================== If at any time during the coin collection period, a customer fails to deposit the sufficient funds (within a specified time period), or a flash is registered on the switchhook, a TSPS operator will be bridged onto the call. In this event SSAS will monitor the coin deposits via a type I CDA circuit; however all automated coin announcements will be suppressed. All calls originating from postpay coin stations must initially be handled by an operator, in that postpay coin stations lack coin return equipment, and cannot return deposited coins (i.e.- Postpay stations do not have a coin hopper, only a coin box). This physical restriction requires the operator to verify that the correct party has been reached (and goes off-hook), before the customer makes any deposit. Upon verification, a type II CDA circuit is connected to count and monitor the coin deposits. This type of circuit is also connected whenever there is a large amount of change associated with the call. This is because the coin hoppers on standard payphones, can only handle limited deposits. If a deposit exceeds the hopper limit, an operator will be bridged to the circuit to make a series of partial collections. 6.3 SSAS Fully Automatic Criteria ================================== The SSAS fully automates 1+ coin station calls (ACTS) if and only if all of the following conditions are met. Failure to meet any of these conditions results in operator intervention. 6.3.1) ACTS Converted Trunk Group ================================== - Coin Stations must be converted to provide DTMF coin deposit signals that the CDA can recognize. 6.3.2) Machine Ratable ======================= - The TSPS must receive sufficient rating information; failure to do so will result in operator intervention. 6.3.3) Successful ANI ====================== - If ANIF or the call is ONI, an operator must be added to the circuit to record the calling number. 6.3.4 Cannot Be a Postpay Station ================================== - See previous explanation of postpay stations (6.2). 6.3.5 Cannot Have Large Charges ================================ - See previous explanation (6.2). 6.4 Fraud Detection and Prevention ================================== If a calling customer goes on-hook (hangs up), at the end of a conversation and charges are still due, TSPS automatically sends a ringback signal to that station in the attempt to get the customer to pick up the phone. If the calling party answers, an ACTS overtime charge message is made requesting the customer to deposit the remaining amount due. At any time during this message, an operator may be connected to the circuit and harass the customer for payment If however 5 rings with a 4 second interval occur without an off-hook state change, TSPS assumes a walkaway, and a registered traffic counter is flagged, a walkaway bit set, and the amount due is all registered as AMA data. Whenever the called party is off-hook, ACTS is susceptible to generated coin signals (Red Box Tones). In an attempt to prevent this fraud, a special type II CDA is employed: Two-wire trunks are isolated between forward and back party to monitor coin deposits. The talking path maintains conversation by being routed through the type II CDA. When coin signals are detected, the SSAS informs TSPS that a called party fraud is suspected. If more then one detection occurs on one call, TSPS flags a fraud indicator on the calls AMA record. NOTE:A trunk group may or may not detect and/or record this information depending on office criteria. 7.0 Calling Card Service and Billed Number Service =================================================== I am assuming that everyone reading this file has at least some concept of what a calling card is and how it would be utilized from a local office. The CCS and BNS services are implemented in TSPS by CCIS hardware, SSAS and several processing programs that will not be discussed in this file (ABEGN, ACALL, ASEQ...) The CCS and BNS together provide for the customer an automated credit card calling option that was initially implemented as an alternative to third party billing, collect and large change calls. In order for the CCS and BNS to function, they require that each TSPS becomes a node on the SPC network, which then allows access to a nationwide database of Billing Validation Applications (BVA). The BVA currently consists of nodes which are connected by CCIS, and are in turn made up of individual Billing Validation Files (BVF). A BVF is a file of data that is needed by the SPC and associated database software to process queries about the data. Each TSPS is integrated into the SPC network and uses the CCIS direct signaling to access the BVA. Connected in parallel to the BVA is the Network Call Denial (NCD), which allows the call denial to AT&T customers with outstanding bills. The CCS billing number consists of a 10 digit billing number and a 4 digit PIN. There are two categories that a CCS billing number can fall into and they are as follows: - 7.0.1) Directory Billing Number ================================= - The billing number is usually the directory number to which the card is billed, and is in the following format: NPA-NXX-XXXX : Where the NPA represents Numbering Plan Area, N is a digit 2-9, and X is a digit 0-9. - 7.0.2) Special Billing Number =============================== - Wheras the typical CCS billing number is discribed above in 7.0.1, here exists a special type of billing number that bills the card to a special nondirectory billing number. The format for this type of card is as follows: RAO-(0/1)-XX-XXXX : Where the RAO is the Revenue Accounting Office code which assigns the billing number. The X represents a digit 0-9. The PIN is a 4 digit number in the format of NYYY, where N is a digit 2-9, and Y a digit 0-9. Each PIN is designated upon assignment to the customer as either restricted or unrestricted. An unrestricted PIN can place calls to all destinations. If the called number is the same as the billing number, only the 4 digit PIN need be entered by the customer. A restricted PIN can only be used for station calls to the billing number. NOTE: A special billing number (section 7.0.2) can only have an unrestricted PIN. The CCS can be broken down into two basic category of calling types and are as follows: 7.1 Customer Dialed CCS Call ============================= The customer initiates the CCS sequence by dialing a 0 + Called Number. The Called number can take the format of a 7 digit number, a 14 digit number or 01+ country code and national number. This information, as well the calling number (originating) is received by TSPS from the CO. OST is then used to determine whether CCS is available/given to the customer. Based on the determined OST features (Does phone have Touch Tone? Is it a coin station?..), TSPS either routes the call to an operator or provides an alerting tone and announcement to prompt the customer for the CCS number (in the format discussed in sec 7.0). Assuming no operator intervention, the CCS number is subjected to a series of checks and queries detailed below. (sec 7.3) 7.2 Operator Dialed CCS Call ============================ There are several ways a customer can receive operator assistance in CCS dialing. - 7.2.1) 0- call. - 7.2.2) 0+ Called Number +0 - 7.2.3) 0+ Called Number +Switch-hook flash. - 7.2.4) 0+ Called Number +No Action. - 7.2.5) 0+ Called Number +OST feature information requiring operator intervention. Example: Call placed from rotary phone... - 7.2.6) 0+ octothorpe. A customer dials an octothorpe ( pound key "#") after the initial 0. When the position is seized if the operator determines that a CCS call is requested, the operator keys in the CCS number (or the PIN only) and call is subjected to a series for checks for validity, detailed below (sec 7.3) 7.2.1 Non-TSPS Dailed CCS Call =============================== The TSPS operators do not serve all CCS users. Non-TSPS operators and independent telephone companies also serve CCS customers, and must access the BVA for validity checks.(Examples: mobile,marine,international...) This access to the BVA is provided for cordboards and independent telephone companies by reaching a nearby TSPS, via TSPS base unit inward trunks. A distant operator may reach the BVA by any of the routing codes detailed in section 4.2.6, and the CCS validation is subject to the same security checks detailed below. If a non-TSPS operator dials either KP+(1161 or 1162)+ST, the operator hears a CCS alert tone, and then has one minute in which to dial the 14 digit CCS number. The TSPS initiates a format check, an APF check (see 7.3), and access the BVA to determine the status of the CCS number in question. The following are the different corresponding announcements which would follow: - Calling Card Service Number Accepted, PIN unrestricted - Calling Card Service Number Accepted, PIN restricted - Calling Card Service Number Accepted, RAO unknown - Calling Card Service Number Rejected If a CCS number is accepted, the connection to the non-TSPS operator is terminated by the TSPS. If a rejection message results, the operator will be prompted by the alert tone and may attempt to redial the CCS. 7.3 CCS Validation =================== After the CCS billing number is keyed in (either by customer, TSPS operator, or independent operator) the All PINs Fail (APF) feature may cause the card to be rejected and the call to be halted. The APF is a security feature designed to frustrate attempts at discovering valid PINs by a brute force hack method (trial and error). A list of CCS validation failures is maintained, which is updated with both invalid billing numbers and calling numbers. When a number of failures for a given billing number exceeds a specified threshold, in x amount of time, all subsequent attempts are declared invalid for a certain amount of time y (Lock Out Time). Even if the actual PIN is used during the lockout time, the CCS number would be considered invalid, and the call process would be halted. 7.4 Billed Number Screening ============================ The BNS service applies to collect and third party billing calls placed through a TSPS operator. The BVF contains information designating certain numbers as "collect denied" or "bill-to-third denied". Each time an operator attempts to place a collect or third party billing number a BVA and a NCD inquiry are made. 8.0 Busy Line Verification =========================== A dedicated network is provided to process BLV calls and traffic. This network originates at the TSPS base office and connects through dedicated trunks to toll, intertoll, and local offices. The equipment consists of the BLV trunk, a TSPS-4 wire bridging repeater, a verification circuit at TSPS, InComing Verification Trunks (ICVT), OutGoing Verification Trunks (OGVT) at both toll and intertoll offices, and Incoming No Test Trunks (INTT) at local offices. The TSPS gains access to a single local, toll, and/or intertoll office. The initial request for a BLV appears as an position seizure to a TSPS operator over an incoming trunk via a local office or as an inward trunk via a toll office. The initial loop seized becomes the originating loop and is connect in position via an idle TSPS loop. In that the originating loop cannot be connected to the verification loop, the operator must switch between the two. Security is maintained to insure that a customers privacy is not violated, and consists of the following: - 8.0.1) Speech Scrambler at Console Level (not BLV trunk level). - 8.0.2) Alert Tone Generator (ATG). - 8.0.3) Translation of the NPA to 0XX or 1XX. - 8.0.4) Dedicated BLV trunks. - 8.0.5) Cross office security checks at toll offices. 8.1 BLV Processing =================== When a customer requests that a BLV be preformed on a certain number within the TSPS's LAN the following actions are taken. - 8.1.1) The TSPS attempts to DDD the number in question , to confirm that the number is indeed busy. This action is preformed so that if in the event that an recorded error announcement is reached, the operator may understand the nature of the error without the speech scrambler interfering in quality. - 8.1.2) If the line is confirmed to be busy and the customer requests further action, the operator then attempts verification through the BLV network. The operator then presses the VFY key, in which case an attempt at a BLV will be made if and only if the following conditions are met: - 8.1.2.1) There is an idle loop at the position =============================================== - This condition must be met because the BLV trunk must be placed in a loop with the Traffic Service Position. If there are no idle loops remaining the BLV cannot be processed. This condition can be gotten around by the operator pressing the POS TRSFR key, which causes all the calls in the hold state to be transferred to loops on the original operator position. - 8.1.2.2) The call is on an incoming/inward trunk ================================================ - This insures that an operator cannot preform a BLV without a originating customer request. - 8.1.2.3) The called party is off-hook ====================================== - See 8.1.2.2 - 8.1.2.4) The called number is a domestic number ================================================ - That is the called number cannot be an overseas number. - 8.1.2.5) The call has no forward connection ============================================ - This ensures that the busy condition detected by the INTT is not due to the connection of the calling party. - 8.1.2.6) The line number can be verified ========================================= - This condition would fail if the local office is not served by the BLV network... - ..or the number in question is excluded from BLV calls (Example: Emergency or Police Lines...) 8.1.3) The BLV is preformed and the BLV trunk dropped by pressing the REC MSG key for an incoming call or VFY for an inward call. 9.0 Conclusion : Acknowledgements and References ================================================= I have assumed that the reader of this file has a general working knowledge of phone systems and their associated terminology. As it is impossible to please everyone, some readers will find this file too advanced while others will find it lacking in several areas...too bad. This file has intentionally *not* covered previously released information on TSPS found in files by other authors, in an attempt to provide the phreak/hack community with another source of information to be used in conjunction with the existing ones. The following reading list is highly recommend for furthering ones knowledge on TSPS, and is as follows: - Understanding TSPS Part 1: The Console - Written by The Marauder, LOD/H Technical Journal: Issue No. 1, file #4. - Busy Line Verification Part 1 - Written by Phantom Phreaker, Phrack Vol 2, Issue XI, file #10. - Busy Line Verification Part 2 - Written by Phantom Phreaker, Phrack Vol 2, Issue XII, file #8 - Telephony Magazine 9.1 Acknowledgements ===================== - Eastwind...the Man Behind the Garbage Can... - AT&T - My Local RBOC...and all of the Trash that's fit to print =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Downloaded From P-80 International Information Systems 304-744-2253 12yrs+