DATU for Dummies
Text by: teletrix, written for f41th

Preface

So now I assume that most of us have heard of the wonderful tool which we call the DATU. It stands for Direct Access Testing Unit. This testing unit is a remote tool utilized by technicians. I don't know if they exist in Canada, and for the most part I believe they are mainly a state-side toy. If I'm wrong please let me know, I'd love to see a DATU from another country, differences and etc.

Now to let you know where this information came from: I went through many attempts at SEing the Harris corporation for the System Administrator Manual to the DATU (the Dracon division of Harris makes these testing units). I searched the dumpsters, I tried every resource. Finally, I got someone at Harris to give me the manual and I also asked him a lot of questions; this information was what I used to make this test. The people at Phrack did this too to get the info, but they didn't give all the info, such as administrator mode.

This text will teach you about the basics of the DATU, how to find one, and all about the User and Administrative modes on each. Just some food for thought: these things are really expensive, so be careful. Know what you are getting into. If you access these lines through boxing it is a Federal Crime (wiretapping); if you damage it, destroy it, all that stuff, it is a federal crime. Know the risks, don't pretend like you didn't know.

Where is the DATU?

The DATU is located at your local central office, or CO. The way it works is you have the PSTN, and then that is connected to the CCITT5 Trunk, which goes to the toll switch (DMS 200, 250, 500), which is connected to your CO, your local switch if you will, which runs off of 5ess, or DMS 10, or DMS 100. From the CO you have your Plain Old Telephone Service Lines (POTS), they go through the area, nicely for one area at a junction box, then to your home.
Anyway the DATU itself is located at the CO as part of the computer.

So you're saying that's great, but I don't give a shit about the technicals, just tell me what number the DATU is at. . Type in your area code and exchange, you will then at the bottom of the page receive a report of all the exchanges on that switch. Now you need to try each exchange with 9935 until you find that DATU. You will know you've found the DATU when you hear a 440mhz tone; the DATU will either be busy, or pick up usually on the first or second ring.

Congratulations, you found the DATU. Now this isn't time for a smoke break or anything like that, this was cake, in fact nothing about this is really too hard, but if you're a first timer you should feel happy about the fact that you just found the DATU.

Accessing the DATU

So now you're saying well done asshole, but how do I use this thing, how do I make this god damned noise stop. Well, if you noticed you are hearing this noise and then being disconnected after a few seconds, approximately 7, well then you are waiting for what to do next. This first 440mhz tone is a signal to enter input. In this case they want you to enter the user password. So now you've accessed your DATU, you can enter that user password, which is a four digit code, or you can enter the system password.

Entering User Mode

To enter user mode you simply need to enter the four digit code, and then you will hear a second 440mhz tone, a second input prompt. Now, the default set password is 1111, yeah telco just never learns, I have never once encountered a DATU in my area, NJ, where this does not work. So after entering that password you will hear Incorrect, or if it is the default you will hear another 440mhz tone. If 1111 doesn't work, try 4300, the default for older models, or try pairs that are easy to remember, 5454, 5353 and so on. At default it is set for 16 attempts at a password before a warning goes off at the CO.
So be careful, they do have some kind of counter-measure for just brute forcing the fucker. But again, 1111 works perfectly fine 9 out of 10 times unless some phreaks before you fucked with the DATU to royal extremes.

Now once you enter the password and hear that second 440mhz tone it wants you to enter the number to be tested. You must enter a number which is one of the exchanges served by that CO, hence served by that DATU. Now once you type in the number, usually just the 7 digits will work; if not you will get an error message telling you to use all 10 digits. When this happens the DATU will do one of two things. It will say:

``Connected to xxx-xxxx, OK''

or it will say

``Connected to xxx-xxxx, BUSY LINE. Audio Monitor.''

If it's busy the audio monitor will start, which allows you to hear unintelligible scrambled traffic; this will last for 10 seconds. If the line remains busy you will have limited testing options. Below you will find the list of options available and what they do; if they have a `+' in front of them they can only be used on an idle line.

Number  Function                    Description
1       Read off Menu               Reads DATU Menu
2       Audio Monitor               Check for Line Activity
+33     Tip/Ring Short to Ground    Connects Tip/Ring to Ground
+37     Ring Ground                 Unterminates the Tip Lead
+38     Tip Ground                  Unterminates the Ring Lead
+44     Tip/Ring High Level Tone    +22dBm, 577hz bursts on line
+47     Ring High Level Tone        High Level Tone with Tip Grd
+48     Tip High Level Tone         High Level Tone with Ring Grd
5       Low Level Tone              -12dBm, 577hz burst on Line
+6      Open Subscriber Line        Removes Power to Line at CO
+7      Short Subscriber Line       Electrical Short Sent to Line
9       Permanent Signal Release    Clears Busy Line Condition
*       Keep Test After Disconnect  Allows to Keep Test on Line
#       For New Subscriber Line     Enter new Line to Test

Below are some important notes about certain functions. For those numbers which are two digits, the first digit indicates the selection of the function and the second digit the corresponding submenu.
Permanent Signal Release will only work if it is set as active in the system settings, accessible by the System Programming Menu. For keeping a test after Disconnect you will be prompted to enter data indicating the amount of time to continue the condition. If the minute interval is less than 10 simply dial 1-9 depending on the minute, if it is 10 or greater you must first dial two digits, for 10 minutes simply dial 0. After this you will be prompted to hang up, and will have no other choice; in approximately 30 seconds the condition should enter into effect. If you need to do this on the same line you are calling from simply dial * first then choose the option, afterwards it will ask you for a time interval. There is even more crazy stuff you can do with carrier access and pair gains but that is more advanced, and if you are interested you can read all about that in PPM 2 and 3.

Administrator Mode

Well, I'm sure this is what many of you have been waiting for, or just scrolled on down to: the administrator mode, allowing you to set everything on the DATU. Now when you dial in the DATU, you will as mentioned hear that sweet, sweet 440mhz tone. This time you're going to want to enter * then a 7 digit code. Now, the default administrator code is 2222222, that's right, and in every DATU I have dialed it has been this default. Once you do that you will hear ``OK''. Under Admin mode you can not do any subscriber line testing.

Important to note here, you can seriously fuck shit up under Admin mode. I caution you to make sure you understand what you are doing, fucking this up can cause big problems. Use your head, if you mess this up you better damn well bet ma bell is going to come after you and make you pay for a new one, and then jail your ass. Below are all the functions you can do and they will be described in detail.
Please understand what this means, and use your head; if you fuck it up you didn't just screw yourself, you screwed the other phreaks in the area who have used their head.

Number  Function                    Description
1       Change Passwords            Set User and Admin Passwords
2       Select Busy Test            Not Sure, Don't Play With
3       Read/Change Prefixes        Read, Add, Delete Prefixes
4       Read or Clear Timers        Read/Clear Usage/Function Timers
5       Set Digits to Select Line   Set 4,5,7,10 Digits to Select Line
6       Set Time out Parameters     Set Timeout Interval
7       Read/Clear Counters         Read/Clear Usage/Function Counters
8       Permanent Signal Release    Enable or Disable Function
9       Pair-Gains Parameters       Read/Change Parameters
0       Clear Alarm Condition       Clear Alarm

Important notes about Administrator Mode

Changing the passwords is never a good idea, it can screw things for you and other phreaks as well as tip off the technicians; however, if it's on a DATU not in your area, you could have some serious fun. This is because the user password is stored in memory, while the system password is reset after the DATU loses power for 7 seconds. So you could change the user password, and it would be living hell to fix.

Under Read/Change Prefixes you will have the option to list prefixes on that switch, add, and delete. Now this does not mean you can create your own exchange, it just lets the DATU know what exchanges it has access to, and adding one that is not served by that CO will be totally useless, and cause errors.

Permanent Signal Release will allow you to enable that function, which would allow you to use that function on a busy line in user mode.

For the Pair Gains stuff I suggest you read PPM 2 and 3, they really outlined it nicely, and the best I could do with that is simply copy and paste.

Clear Alarm Condition: this is useful if you fuck something up and are worried that an alarm was tripped, or if you screwed up the password 16 times, remember to cover your ass.
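
Seen from the operator's side, the default codes described above are the whole problem: a 16-attempt alarm does nothing when the working code is the first one tried. The following is an added example, not part of the original text and not Harris code, that audits the access codes configured on test units against the defaults and repeated-pair patterns this text names. The function names, the inventory format and the sample units are assumptions.

```python
# Added example: audit access codes configured on DATU-style test units.
# Factory defaults named in the text above.
DEFAULT_USER_CODES = {"1111", "4300"}
DEFAULT_ADMIN_CODES = {"2222222"}
USER_LEN, ADMIN_LEN = 4, 7  # code lengths stated in the text


def is_repeated_unit(code: str) -> bool:
    """True if the code is one digit or one pair repeated (1111, 5454)."""
    for size in (1, 2):
        if len(code) > size and (code[:size] * len(code))[:len(code)] == code:
            return True
    return False


def audit_code(role: str, code: str) -> list[str]:
    """Return findings for one configured code; empty list means no issue."""
    want = USER_LEN if role == "user" else ADMIN_LEN
    defaults = DEFAULT_USER_CODES if role == "user" else DEFAULT_ADMIN_CODES
    if not (code.isascii() and code.isdigit() and len(code) == want):
        return [f"{role}: code must be exactly {want} digits"]
    findings = []
    if code in defaults:
        findings.append(f"{role}: factory default code")
    if is_repeated_unit(code):
        findings.append(f"{role}: repeated digit or pair pattern")
    return findings


def audit_units(inventory: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Map each unit name to its findings, omitting units with none."""
    report = {}
    for unit, codes in inventory.items():
        found = [f for role in ("user", "admin")
                 for f in audit_code(role, codes.get(role, ""))]
        if found:
            report[unit] = found
    return report


# Constructed sample inventory: unit names and codes are made up.
SAMPLE = {
    "co-east": {"user": "1111", "admin": "2222222"},
    "co-west": {"user": "5454", "admin": "8301476"},
    "co-north": {"user": "7092", "admin": "6150382"},
}

if __name__ == "__main__":
    for unit, found in audit_units(SAMPLE).items():
        print(unit, found)
```

A unit that appears in the report should have its codes changed from the administrator menu before anything else is tuned.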

Uses for the DATU

Well, there are a ton of uses for this new toy, some legitimate, some just plain fucking stupid, but all can be fun. So under user mode you could use your DATU to do the following: free that busy signal on your friend's line, if he's on the computer you could blast a low level tone to throw off the modem, you could open someone's line for 20+ minutes for fun, and then blast high level tones right before they pick up the phone. Trust me, setting a high level tone then having the person in your house pick up the phone to use it is hysterical.

The other use for the high level tone is, say you're boxing in a cabinet, you have a good feeling that your mark's line is in that cabinet, simply use the DATU to place a high level tone on the line, and look for a line that has a pulsating 577mhz tone.

You could screw with the linemen in the area by changing the user password, but you really shouldn't; even though this is saved in memory even if the board short circuits, it will fuck things up in your area, and tip them off. You could do a Short to Ground making someone's line busy, or your own if you don't want to be bothered. Also you do not have to be calling from that switch to use that DATU, you can use it from anywhere on the PSTN.

Conclusion

Well, that's the DATU at its best. If you have any questions contact me at efnet in #darkcyde, and if you are interested in getting a copy of the official system manual talk to me and we might be able to make a trade. Use this information carefully, know what you're getting into, have fun, and learn all you can. For further reading check out Phrack 52 and PPM 2&3.