Outbreak - Issue #5 - Page 12 of 13

- - - - - - - - - - - - - - - - - - - - - - - - - -
Step by Step (SxS) switching notes
by: antimatt3r
on: 4/29/02
for: Issue 5
- - - - - - - - - - - - - - - - - - - - - - - - - -

The information provided below is based on work conducted on a class 5 step by step switching system. The topics/methods described in the following may not work on your switching system and also may have no practical use, but are being exposed to the public simply because knowledge is power. This text is for those of you who know about switching and telefone system architecture, meaning don't come to me asking what this and that means.... read a bewk =)

Step by step switching (I would say) is rare. On most occasions it will only be in use in very rural areas w/o digital equipment. Every day electromechanical SxS systems are being replaced with electronic/digital switches and Remote Switching Systems (RSSs). So if you're in the middle of nowhere give this sh!t a try.....

Toll/Operator Assisted Dialing

Most likely you can dial 1/0+ numbers with your prefix included in most areas. You can dial any call that you could normally reach by dialing 1+ or 0+. Example: to dial an operator assisted call to a number in Chicago, you would dial NXX+0312+555+1000, where NXX is your prefix, and you would receive the TSPS bong tone, and the number you dialed (312 555 1000) would show up on the TSPS console readout board. You can also use a 1 in the place of the 0 in the above example to put the call thru as a normal toll call. Sorry for you folks that think that this bypasses billing, it doesn't in any way.

The actual reason that this works is that the thousands digit in many SxS offices determines the type of call.
A 0 or a 1 in place of another number (which would represent a local call) is handled accordingly. Another reason is due to a DAS that can be installed in some SxS offices to 'absorb' the prefix on intraoffice calls when it's not needed to process the call. A DAS can absorb either two or three digits, depending on whether the CO needs any prefix digit(s) for intraoffice call execution.

Hunting Prefixes

SxS switches may also translate an improperly dialed local call and send it to the right area over intraoffice trunks. Example: you need to call 492 1000 locally. You could dial 292 1000 and reach the same number, provided there is no 292 prefix within your local calling area. However, only the first digit of a prefix may be modified or the call will not go through correctly unless you happened to dial a valid local prefix. You also cannot use a 1 or a 0 in place of the first digit in the prefix. If you should, the switch would interpret that as either dialing a toll or operator assisted call.

ONI / ANI Fail

To get this you must have basic knowledge of how ANI functions on the SxS system. ONI stands for Operator Number Identification. Your CO sends ANI with your number, in MF or DP, to receivers that receive (duh) the ANI information and display (and/or) store it with the called number. If it is stored, (almost always) it is stored in the form of AMA tape. ANI outpulsing in MF can use either Local Automatic Message Accounting (LAMA) or Centralized Automatic Message Accounting (CAMA). ANI sent in DP type signalling is rare. DP vs. MF type signalling is like comparing DTMF to pulse dialing. On a trunk, DP sends all information in short bursts of 2600Hz tones.

Triggering ANIFs/ONI is an easy task on SxS (and some versions of xbar) because the customer's link to the CO allows the input of MF tones to influence a call's completion. This can be accomplished by dialing a long distance number, then listening to the clicks that follow.
After the first click (after dialing) you will hear a few more, usually timed very close to one another. The final click always happens right before the called fone rings. The number and speed of clicks usually varies. The clicks are the toll office that serves your CO setting up a route for your call.

In order to 'exploit' this you will need a MF source. It could be a recording, blue box, good sound card or anything else you can come up with. Soon before you hear the clicks, send the sequence KP+1 (repeatedly) for ANIF or KP+2 (repeatedly) for ONI. This will NOT work if your CO uses DP signalling. Play the tones into the fone at a sufficient volume to overpower the clicks. The MF sequences must be sent quickly for this to work correctly. After you have played your 'routing' a few times you should hear a TSPS op. S/he will want to know the number you are calling from. (When ANIF is recognised the call is sent to a TSPS site for the area.) You can give the op any number in your exchange and s/he will enter the billing information manually, then put your call through. The charges for your call will be billed to the number you gave as yours.

Another method to do this is just to click the switchhook during the clicks. This sends DC pulses that scramble ANI outpulsing and cause the call to be directed to a TSPS site before dialing the number. This method should be used sparingly and with caution.

Hopefully you would gather that it's not advisable to use the same number to bill the calls to too often. If you should do this (to someone like thuglife32 (4747631)) the toll office report will list the number of ANIFs in a period of time. The ONI method works better because it is gathered that ONI is needed to identify a caller's DN upon a multi-party line. Too many ANIFs generate a report on a security/maintenance TTY, so if you use this method, use ONI more than just ANIFs.
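
The toll office report described above counts ANIFs per period. As an added example (not part of the original article), this is one way such a tally could be kept so that ONI-handled calls count as well, per billed number and per originating trunk group. The record layout, trunk group names, numbers and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records, not a real AMA layout: one row per toll call that
# was diverted to an operator for manual entry of the calling number.
# Fields: time, originating trunk group, reason, number given to the operator.
SAMPLE = [
    ("2002-04-29 20:01", "TG-07", "ANIF", "555-0142"),
    ("2002-04-29 20:40", "TG-07", "ONI",  "555-0142"),
    ("2002-04-29 21:15", "TG-07", "ONI",  "555-0142"),
    ("2002-04-29 22:05", "TG-07", "ONI",  "555-0177"),
    ("2002-04-29 23:30", "TG-03", "ANIF", "555-0110"),
    ("2002-05-02 09:00", "TG-03", "ONI",  "555-0110"),
]

def peak_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_manual_billing(records, window=timedelta(hours=24), limit=3,
                        reasons=("ANIF", "ONI")):
    """Return {(kind, key): peak} for billed numbers and trunk groups whose
    operator-handled calls reach `limit` inside one `window`."""
    seen = defaultdict(list)
    for stamp, trunk, reason, billed in records:
        if reason not in reasons:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        seen[("billed", billed)].append(when)
        seen[("trunk", trunk)].append(when)
    peaks = {k: peak_in_window(v, window) for k, v in seen.items()}
    return {k: n for k, n in peaks.items() if n >= limit}

if __name__ == "__main__":
    for (kind, key), n in sorted(flag_manual_billing(SAMPLE).items()):
        print(f"{kind:6} {key:9} {n} operator-handled calls in 24h")
```

Counting only rows marked ANIF leaves the same sample below the threshold, which is why the tally keys on manual number entry rather than on the failure reason.
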
The idea of ANIF is to scramble your ANI info by using MF (or the switchhook) to send your long distance call to a TSPS op for ONI due to ANIF. The idea behind ONI is that you are making them think that you're calling from a multi-party line and ONI is needed to identify your DN.

Test Numbers

Some interesting features in the step switching network can be found by dialing test numbers. Test numbers in SxS switching are usually hidden in the xx99 area, as opposed to 99xx which is common for other types of switching areas/systems. These types of numbers are possibly physical limitations of a SxS switch, and thus a milliwatt tone or other test numbers may be placed there because a normal DN can't be assigned to such a number. However, these xx99 numbers are usually listed in COSMOS as test numbers.

Another interesting note about xx99 numbers is that they seem (in some offices) to be on the same circuit. (If one person calls a xx99 number and gets the test tone, and another person dials any other xx99 number, they will get a busy signal.) Dialing your prefix followed by an xx99 may result in a busy signal test number, a network overflow (recorder), milliwatt tones, or some other type of message encountered when dialing. Although not every xx99 is a test number, many are. The numbers that return busy signals are the ones that incoming callers are connected to when the sleeve lead of the called number is in a voltage present state, which is when the line is in use or off hook.

Busy Signal Confing

This really sucks, and it's an easy, but annoying way to conf. Imagine you call up a number and you get a busy signal, then someone says, "hey whats up". What the hell? Well, another interesting feature on the SxS switching system is the way busy signals are generated. In ESS and DMS COs, busy signals that are sent by the terminating switch are computer generated and sound very even and clear with no signal irregularity.
In SxS, all calls to a particular DN are sent to the same busy signal termination number, which can usually be reached by a POTS number. These busy tones aren't computer generated and the voice path is not cut off. You can exploit this and have a busy signal conference. Several people dial the same busy DN that is served by a step office, or they can dial the always busy termination number. When the people are connected to the number you can hear them talking. (Over the damn 60 IPM tone, that is.)

One bonus of this is that answering supervision is not returned on busy numbers and thus the call is toll free for all parties calling. You must be using AT&T as your inter-LATA carrier if the call to the busy number is an inter-LATA number for you. So if you have Sprint you must first dial the AT&T carrier access code (10ATT) before the busy number. If your LC doesn't detect answer supervision, and begins billing immediately or after a certain amount of time, then you are billed for the length of the call. Geez, just go get a damn raindance eh?!?

Temporarily Freezing a Line

On a SxS system that runs on the direct control idea, which is controlled directly by what the subscriber dials, it is possible to jam a line to prevent service by flashing the switchhook several times. Another way to temporarily freeze a line is several aborted dialing attempts; this makes the line freeze until the line is manually reset, or until some sort of timeout mechanism kicks in, if there is one. Usually when you do this the line will only be out of service for a few minutes. The line shows the same characteristics as if you busyed someone out: the line is busy to callers, and the line seems dead for the victim.

This is what happens when an element is jammed. The switch itself consists of a linefinder, which sends a dialtone to the customer who picked their fone up, and puts voltage on the sleeve lead to mark the given DN busy. Next are the selectors, which receive the digits dialed and move accordingly.
The last step in the switch is the connector, which connects the calls (no shit eh?) that are intraoffice, and sends calls to a toll office when necessary. Other types of devices can be used where needed (such as Digit Absorbing Sensors (DAS)).

Trunks

The SxS system incoming and outgoing trunks are very likely to use in-band supervisory signalling. This should tell you that you could possibly use numbers served by a SxS CO to blue box off of. Some older step areas may not use MF signalling, but DP signalling. DP signalling (if you recall) uses short bursts of 2600Hz to transfer information as opposed to MF tones. In DP signalling, there are no KP or ST equivalents. Boxing may be accomplished from DP trunks by sending short bursts of 2600Hz (2 bursts = the number 2). Usable rates are 7.5 to 12 pulses per second; a digit might be around .04 seconds of tone and .06 seconds of silence. DP is rare today, but some direct-control step offices may still use it. Common control step offices are more likely to use MF trunk signalling.

References:

Basic Telephone Switching Systems - By: David Tally
No.1 AMARC - Bell System Tech. Journal