=====================================
             -+ 0Line +-
               of the
              -+ MED +-
   (an infamous source of gnosis)
           in Spring, 1997

              Presents

     a guide to UK Telephonics 2

============== Part (v) =============
SWITCHING & ROUTING IN THE UK NETWORK
=====================================

Since shit went digital, boxing without backwards compatibility has more or
less gone up the creek. These days, to box the UK for REAL, you would need a
modem and the ability to splice into a PCM line and speak signal talk. Sure,
there may be backdoors, but things aren't what they used to be.

Signalling is a very complex affair these days, so I'm not going to say too
much about it.. well perhaps just a little..

The purpose of a telephone exchange is to switch calls and charge the
subscribers accordingly. In order for a System-X or AXE10 exchange to do
this, it is given a data-build which feeds it with the relevant routing
information.

In an exchange, the software responsible for call control is the Control
Processing Subsystem (CPS). The areas of information handled by the CPS are
the subscriber information, call routing, routes & circuits and call charging
information. CPS is constructed of both terminal and transit call control.

When a phone number is dialled, the digits sent go through what is known as
a digit decode. Transit Call Control supports interworking with the rest of
the existing network. The digit decode under Transit Call Control is thus:

    Digit 0    indicates a National Decode
    Digit 1    indicates a Service Decode
    Digit 2-9  indicates a Local Decode

Whilst there are loads of different types of phone traffic:

     1. SERV (Service)
     2. LND  (Local Number Dialled)
     3. NNDT (National Number Dialled)
     4. INDT (International Number Dialled)
     5. NNDJ (National Number Dialled Junction)
     6. INDJ (International Number Dialled Junction)
     7. NIDT (National/International Dialled Trunk)
     8. NIDJ (National/International Dialled Junction)
     9. COMB (Combined)
    10. UAXC (UAX Combined)
    11. MSAC (Miscellaneous Access)
    12. TKO  (Trunk Offering)
    13. NAMC (National Auto Manual Centre)
    14. IAMC (International Auto Manual Centre)
    15. AMNI (National/International Auto Manual Centre)
    16. AMCC (Auto Manual Centre Combined)
    17. AMCS (Auto Manual Centre Service)
    18. TABC (Transit Network ABC)
    19. TBC  (Trunk Transit BC)
    20. TC   (Transit Network C)
    21. CRTG (Code Routing)
    22. SVI  (Service Interception)
    23. CNI  (Changed Number Interception)

.... And you'd be having a laugh if you thought I was going to talk about
all of them.

Service traffic is for those numbers 1xx, like the operator, or the SALT
(Subscriber's Automatic Line Test) test line, 175. Strictly, 999, the
emergency operator, is also on service traffic. The 'real' number for the
emergency operator is just '99', which would mean that dialling '199' would
give you the same operator because the '1' is absorbed at the first stage to
identify the traffic as service. Dialling 199 used to get the operator, but
not anymore as it has been barred to only allow calls from a certain route
(incidentally, 17099 now works as emergency operator).

If you live in somewhere like London and your prefix starts with 99, then in
overload conditions, whilst other lines cannot be reached, yours would be
able to be contacted because calls to exchanges with prefix 99x are allowed
to proceed due to the emergency operator being 999.

A brief insight into CCS & PCM
==============================

The signalling information between switches now runs independently from the
actual speech paths, thus there is no necessary connection between the two.
When signalling was in-band, the information ran along the same lines (or
channels) as the speech and thus a caller could jump onto a trunk if he had
the right control freqs (typically, it was 2280Hz). Today, BT use a system
called PCM, or Pulse Code Modulation, which cuts all the information from
several calls into lots of packets, and sends them in turn down a single line.
One of the channels, or timeslots, is reserved for signalling and it controls
all of the channels in question. The UK system that does this is known as
Common Channel Signalling.

        speech channels 01-15               speech channels 17-31
     /                         \        /                           \
----+-----+-----+--------+------+------+------+---------+------+------
TS0 | TS1 | TS2 | TS3-14 | TS15 | TS16 | TS17 | TS18-29 | TS30 | TS31
 ^                                 ^
 |                                 |
SYNCHRONISATION               SIGNALLING

TS 0 is used for alignment/sync, TS 16 is used for Common Channel
Signalling, TS 1-15 and 17-31 are used as speech channels.

Now, this CCS method in PCM is not like the normal method of 30 channel PCM
signalling. For example, in normal PCM land, our exchange has hit a bit of a
quiet spell where all the speech channels are free. On the standard PCM
systems, TS16 is constantly signalling that channels 1-30 are free. This
means that even when there is no speech (or whatever) on the lines, channel
sixteen is full of signalling information. CCS is different. TS16 (timeslot
16) would send Ch.1 Free, Ch.2 Free...... Ch.30 Free once and then it
wouldn't send anything else until one or more of the channels become busy
again.

CCS is the standard method of signalling between digital exchanges and is
based upon CCITT No 7. CCITT is the abbreviation for the Consultative
Committee for International Telegraphs and Telephones, and CCITT No 7
Signalling system (also known as C7) is the specification for the
transmission of signalling for speech and data over a digital system. This
is based upon some sort of international specification.

In C7, a message is sent to say that a message (speech or data) is
following. The signals sent contain codes giving both the destination and
origination of the message, so that the receiving end can send a message
back to confirm the message or to say that it failed to arrive or is not
intact. The message and the signal can use different routes; if there is a
fault in a line then they can be re-routed without any loss of signal or
message.
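
The difference between the two TS16 behaviours described above, as an added illustration in Python (not part of the original file; the function names and the five-interval sample are constructed for the example). It maps speech channels onto the 32-timeslot frame and counts status messages when TS16 restates every channel's state versus when it reports only changes.

```python
# Added illustration; not from the original file. All names are hypothetical.
SYNC_TS, SIG_TS = 0, 16          # TS0 = alignment/sync, TS16 = signalling

def channel_to_timeslot(ch):
    """Map speech channel 1-30 to its timeslot, stepping over TS16."""
    if not 1 <= ch <= 30:
        raise ValueError("speech channels are numbered 1-30")
    return ch if ch <= 15 else ch + 1

def repeating_signalling(snapshots):
    """'Normal' 30-channel PCM as described: TS16 keeps restating
    the status of every channel, busy or not."""
    return [(t, ch, state)
            for t, snap in enumerate(snapshots)
            for ch, state in sorted(snap.items())]

def change_only_signalling(snapshots):
    """CCS as described: each channel is reported once, then TS16
    stays quiet until a channel changes state."""
    msgs, last = [], {}
    for t, snap in enumerate(snapshots):
        for ch, state in sorted(snap.items()):
            if last.get(ch) != state:
                msgs.append((t, ch, state))
                last[ch] = state
    return msgs

def build_sample():
    """Constructed input: five intervals, every channel free except
    channel 7, which is busy during intervals 2 and 3."""
    snaps = []
    for t in range(5):
        snap = {ch: "free" for ch in range(1, 31)}
        if t in (2, 3):
            snap[7] = "busy"
        snaps.append(snap)
    return snaps

if __name__ == "__main__":
    sample = build_sample()
    slots = [channel_to_timeslot(c) for c in range(1, 31)]
    print("speech timeslots:", slots)
    print("repeating messages:  ", len(repeating_signalling(sample)))
    print("change-only messages:", len(change_only_signalling(sample)))
    for msg in change_only_signalling(sample)[30:]:
        print("  change:", msg)
```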

I don't know if it's of any significance to anyone, but here are some
'codez' for BT CCS:

Time Slot 16 Signalling Codes for British CCS:

Digits 1-4(5-8)  Signalling Condition Forward   Signalling Condition Backward
----------------------------------------------------------------------------
A B C D
1 1 1 1          Circuit idle                   Circuit busy
0 0 1 1          Circuit seized                 Called subscriber answered
1 0 1 1          Dial break                     Not used
0 1 1 1          Not used                       Circuit free
0 0 0 1          OOR                            Manual hold
1 0 0 1          Not used                       CFC
1 1 0 1          Disconnect code (AC8 only)     Disconnection code (AC8 only)
0 1 0 1          Earth code (AC8)               Earth code (AC8)
0 0 0 0          Not to be used.

Any other codes and those 'not used' should not cause a response in a
receiving unit.

Manual Hold is the signalling condition that operators use where they have
control over the call rather than you the caller, and therefore you can't
hang up unless they do.

Most of the major links are 19.2 baud but it is likely that they will be
done up towards the 64Kbps arena. Three major call carriers are London,
Tokyo and New York and are connected over high speed data links. These links
consist of satellites (over the Indian & Pacific oceans) and Transatlantic
Submarine Cable, between London and NY. The routing is variable: last
Christmas, when the call count was one of the highest ever recorded, if you
called Australia, it is likely that your call would have been sent to
America first, and then rerouted to Japan (that connects to Australia)
before your call was connected.

It should be noticed that England carries, from a Digital Service Unit in
London, a very high percentage of Europe's traffic. These aren't the only
connections by any notion of the idea; we in England have many DISCs
(Digital International Switching Centre) situated far outside London, and
the London, NY, Tokyo links only route so far (not to Russia for instance).

========= Part (vi) =========
   NETWORK SUPPORT SYSTEMS
=============================

As a bit of a file-filler, I'll just do a quick list of the network-support
systems that BT use. The total number of systems that BT use is actually
very big, and there is a lot of hacker potential there if you'd only look.

TXD Operations & Maintenance:
    OMC/OMUSS  EIR (Local + Trunk)  RESPA  TRACKER  NOMS1
    Telecom Gold (RIP)  CRAISE  PASTE

Transmission Network Surveillance:
    TONS/NETMON  ECIS  DSEA  MANUS  JNS  NOMS1  CAMMS  SPUD

Building Services Operation, Maint:
    AMPERE  PMS  SEMAC  STACCS  TRACKER  PLC  NOMS1

Network Control Centre:
    WILDFIRE  SPUD

Customer-Facing Organisation:
    ARSCC  CSS

Circuit Provision:
    OMS  JNS  MANUS  DSEA  CAPPS  AXIS

Network Performance Monitoring:
    OMC/OMUSS  EPIC  DESS (LTLA)  CSS  PASTE  TELCARE  EXPRES

Access is provided via T-NET, Telecom's internal network.

====================== Part (vii) =======================
UNDERGROUND EXCHANGES IN LONDON AND BT'S PRESENCE THEREOF
=========================================================

Central London is vastly dominated by a wealth of buildings owned by B.T,
and in some cases, BT & the GPO (since Telecom went private). The greater
number of buildings are around the Holborn area, North of the Thames and
again, on the South side. This area is also one that gives itself to the
communications industry underground; BT & the GPO own the monopoly of
tunnels, private train lines, cable runs, exchanges... the sort of things
adventurers of the great concrete-jungle would die for.

Without going into too much politics, the Cold War was a cause for the
growth-spurt of London in many areas - particularly underground, and was a
great excuse for GPO to receive lots of funding from the government (in the
form of our taxes). What we were paying for at the time was kept under wraps
under the Official Secrets Act until a certain newspaper incident in The
Times which let the cat out of the bag.
The government and GPO were hell-bent on making sure their communications
would be secure in war time (should a nuclear bomb fall), digging deeper and
deeper underground and building up a very dense network of tunnels, cables
and switches underground.

The most notable underground exchange is the one situated at High Holborn
(not that you would have ANY chance of knowing if you went there), under
Chancery Lane Underground station, running from there to Red Lion Square,
which is a little to the East. Incidentally, if you visit Red Lion Square,
you will notice a strange presence in terms of phone companies as BT,
Mercury, Cable & Wireless, and a few others seem to have all bought
buildings around this little green patch! Strange coincidence!

The exchange also runs a little west, up to the BT building (forget the
name) on the corner where Holborn and Hatton Garden meet. If you walk this
stretch, there is a noticeable number of BT buildings along this one road..
all fairly discreet (apart from the one I just mentioned which is a fancy
fucker) and tucked away. It leads up to about Proctor House which is next to
the McDonalds. BTW; if you are inclined in a phreak/hack sort of way, don't
try and trash these places because they seem to use rent-a-tramps to sleep
outside their buildings and scare people away.

Eating, sleeping, and working facilities are provided under the Red Lion
Square side of the exchange, whilst the telecommunications plant, generators
and repeater stations occupy the Hatton Garden side. The four extension
tunnels under Chancery Lane Underground station house switching units and an
artesian well.

The Holborn tunnels run east under London Wall via the exchange/P.O in
Moorgate (code named the Fortress.. probably because it is on Fore Street)
and then to an exchange near Liverpool Street station and onwards,
eventually running south under the Thames.
Most of these cable runs are in alignment with the underground P.O railway
(which is not quite as extensive as our own Underground network, but getting
there) because it was a lot cheaper that way.

On the western end of the Holborn tunnel, two extensions were made, one
North-West under Gerrard Street P.O towards Paddington District P.O, and
another via Covent Garden T.E to Trafalgar Square PO, where it links up with
the government's own Whitehall tunnels.

Some of these cable-tunnels are up to seventeen feet in diameter, although
most of the newer tunnels, implemented by the P.O as mailcarriers and BT as
cable runs, are now smaller. The tunnels themselves are well-ventilated and
neon-lit, accessible through any of the post-offices they run between, or
from any of the man-hole covers dotted throughout London; apparently the New
Statesman held an Xmas party in one of them in December 1980!?

Needless to say, the exchange under Holborn has undergone numerous upgrades
since 1954 (when it was opened), even though it could already handle 2
million calls a day then. The exchanges in this area form much of the
backbone of GCHQ and are likely subject to frequent visitation from the
Tinkerbell Squad, conveniently close to an international telephone exchange
or two.

Faraday DISC, on Queen Victoria Street right next to the Thames, is a
menacing bastard.. it was code named the Citadel in its time and does appear
fairly un-open to the public. Mondial House, which is home to a 5ESS switch,
is pretty close as well, even closer to the Thames than before (Upper Thames
Street) roundabouts.

Addresses to keep away from..
=============================

203 High Holborn, London WC1V 7BU
Holborn TE, 268/270 High Holborn, London WC1V 7EJ
150 Holborn, London EC1N 2NS
Holborn Centre, 120 Holborn, EC1N 2TE
Bath House, 52 Holborn Viaduct, London, EC1A 2ET
Weston House, 246 High Holborn, London, WC1V 7DQ
Parker Tower, 43-49 Parker Street, London, WC2B 5PS
103-105 Bunhill Row, Moorgate.. (unmarked)
45 Moorgate (vacuum sealed :))
2-12 Gresham Street (Big fucker)
Moorgate ATE, 72 Fore Street, London, EC2Y 5EQ    <----(the 'FORTRESS')
Cavendish TE, 107 Houndsditch, London, EC3A 7NB
Faraday Building, Queen Victoria Street, EC4U 4BU <----(the 'CITADEL')
Wellington House, 6-9 Upper St Martin's Lane, London, WC2H 9DL
Columbo House, Joan Street, London, SE1 8BE (0171 555 xxxx)
Kings Cross TE, 233 Greys Inn Road, London, WC1X 8RD
Mondial House, 90-94 Upper Thames Street, London EC4R 3UB *5ESS*
Covent Garden ATE, 24-28 Russel Street, London, WC2B 5HL
Paddington TE, 75-77 St Michaels Street, London, W2 1QS

Jus' like a ninja.

Cyaz.