
Rolm systems

				==Phrack Inc.==
		    Volume One, Issue Three, Phile #2 of 10

  The purpose of this file is to tell you what you would be dealing with if you
stumble across this system, or if you know of a company that is using this
system.  It doesn't go into incredible detail, and is lacking in areas.  It is
not a guide to hacking into it, just letting you know what you would be dealing
with.  This is to pique your interest in the system.

   So What the Hell is ROLM?

  ROLM is a "Business Communications System" bought by IBM a few months ago, in
an effort to compete effectively with AT&T, and get a larger share of the
market, in a grand master plan to become "Big Daddy Blue" as opposed to "Ma
Bell".  It is a very complex system, with features such as PhoneMail, A
Super-PBX, Local Area Networks, Public and Private Data Networks, Desktop
Communications, and Call Management.

  The heart of the system is the Controller, called the CBX <Computerized
Business Exchange>.  This controls the entire network accessible through ROLM.
Since 1983, the CBX has been redesigned and upgraded to the CBX II.  It is a PBX
with much, much more to offer <See 'Introduction to PBX's' available on your
local bbs>, and that is ROLM's claim to fame.  It is light years ahead of the
regular PBX system.

    The CBX II

  The CBX II is the core of the ROLM network.  It is computer driven and
expandable from one node, with 165 channels, to 15 nodes providing 11,5200
2-way channels.  The smaller business could have a model with a 16 user maximum
limit, but it can go up to 10,000 users, though this would be quite rare <and
quite God Damn expensive!>.  It can be accessed from outside lines <like you>
as well as HardWired units, with a switching system to prevent busy signals on
a port.  Speed depends on the system in place, either the newer, faster ROLMbus
295, or the older standard ROLMbus 74.  <see Service manuals for exact details>
The larger the system, the faster as well.  It is adjustable to accept
different bandwidths for the various components, such as Telex, Voice, Data,
Mainframe, LAN, Video <ta-da!  Picturefones in reality!>, and anything hooked
up to the system.  Similar tasks can be bunched onto one channel as well, at
high or low speeds.  If multiplexing is used <above>, the maximum speed is
192,000 bps, and if using a single interface, the top possible rate is a
mindboggling 37,000,000 bps, which if you ask me, is just fluff and not too
practical, so they are usually multiplexed.  <Now, what a difference that is
from 300 baud!>.  Using the CBX II network, you might find just about any kind
of mainframe, from HP, to DEC, to VAX, to the IBM 327# series.

   Note : There is a smaller version of this called the VSCBX.

    Phone Mail

  This is one of the little beauties of the system, something truly fun to fuck
with.  I called ROLM Headquarters in California to ask specific questions about
ROLM, posing as a researcher, and I got the big runaround, transferred from
department to department.  Maybe you can get further than I.  Their # is
408-986-1000.  The # to PhoneMail from the outside is 800-345-7355.  A nice
computer-generated voice comes on asking you to enter your Extension number
<which each employee has>, and then enter the "#" sign.  Then enter your
password.  If you make around 3 or 4 bad attempts at an Extension or Password,
it will automatically ring another number, assistance I assume, to find out why
there has been an unsuccessful entry attempt.  I haven't played around with
this that much, so leave mail to Monty Python with whatever you find.  Once
entering an authorization # with correct password, you will be presented with
more options, leave messages to other people, and whatnot.  You can hear your
messages, forward them to another person, leave the same message to more than
one person, change your welcome message, etcetera.  The service is for those
business-type pigs who never sit still for one minute, like they are
permanently on speed.

     A Phone Mail Scenario

  Let's say Mr.  Greed goes out to meet his secretary at a motel, but
definitely has to get that important message from Mr.  Rasta, who's bringing in
$3 mil in FLake, and can't trust it to the person who would handle it <ie:  the
person filling in for his sec with the tremendous tits who is getting balled by
the dirty old fat man>.  Mr.  Greed would have given Mr.  Rasta his phone # and
he would be forwarded to the Phone Mail network, where he would hear a message
left by Mr.  Greed, to anyone who would call.  Mr.  Rasta would leave his
message and hang up.  Then Mr.  Greed could call up the 800-345-7355 #, punch
in his extension authorization number, and password.  Or, if he was back at the
office, he could get it there through DeskTop communications.  Messages can be
delivered without error, in the person's own voice, without other people
knowing about it.  Therefore, someone with enough knowledge could use an unused
account and use it as his own service, without the knowledge of others.

    DeskTop communications

  ROLM has developed a Computer/Telephone integrated device for use with the
Desktop communications.  It is linked with the CBX II through fone lines, thus
accessible by you and me from the outside.  It is not hardwired, though it can
approach hardwired speed.  If you could get your hands on one of these
computer/fones then I think you would have found something very useful at home,
in your general life.  But you could access the network without the special
features of the fone, like one touch dialing, which is designed for the stupid
lazy businessman.  You can access company databases through the network,
mainframes, other people, just about anything as if you were right there and
told your secretary to do it for you.  There is special software used by the
computers or computer/fone but it can be improvised and is just an aid.  It
uses a special protocol <Don't know what, try to get your hands on one by
trashing a sales office>.  What is great is that everything is tied together
through telefone lines, and not RS-232C!  Thus, there is an access
port....somewhere.  Scan the #'s around the office # using ROLM.  How do you
know if it is using ROLM one way or the other?  Compile a list of local
businesses, call them up saying "This is ROLM Customer Support.  We have a
report of a complaint in your CBX II network, let me speak to your supervisor
please." If they say "ROLM?  CBX II?  We don't use that" then just apologize
and go elsewhere.  Or say that you are from ROLM corp and would like to know if
the company is interested in using it to network its system.  Like, if they
have it already, they would say that they had it.  And if they didn't, you
would just give them a fake # <or if you're nice the # for the local sales
office obtainable in the list below>.

  But you know what's REALLY Great?  They have made the network link in mind
for the person with a Computer IQ of about 0.  Commands are in plain English.

Here is a demonstration screen as seen in their brochure:


	   Display groups

	     [00] PAYROLL	[01] MODEM	 [02] IBMHOST
	     [03] DOWJONES	[04] DECSYSTM	 [05] MIS-SYSTM
	     [06] DALLAS	[07] SALES

	   Call Payroll

	   CALLING 7717  <which would be the ID code for the PAYROLL file>

	   **PAYROLL SYSTEM** <or whatever they want to call it>

  See, nothing is confusing, everything pretty self-explanatory.  There may be
more than one person wanting to do the same thing you are, so if there is, you
would be put on a queue for the task.  It seems that those with an IBM would be
best suited for ROLM hacking, because ROLM is owned by IBM, and the PC's used
by the network are IBM.  A person with a simpler fone/Terminal couldn't access
something like their DEC mainframe, or something like that.  By calling in, you
could not run an application, unless you had a special interface, but you could
access the database, which any dumb terminal could do.

  However, there are security levels.  Thus one with a privileged account could
access more things than one without it.  Like Joe Schmoe in Sales couldn't get
to Payroll.  It seems that for non-IBM's to access some of the parts of the
network, you would need an interface to become the same thing as a RolmPhone.

  Excessive #'s of bad logon attempts, which would be construed as a linking
error, would notify the network manager.  And if they saw that there was no
hardware error, eventually, if they were somewhat experienced, they would
think of, you guessed it, hackers.
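
  For an administrator, the bad-attempt handling described here and in the
Phone Mail section comes down to a counter per access port.  The sketch below
is an added example, not ROLM's code: the event layout, the port names, the
10-minute window and the two alert labels are assumptions, and the threshold
of 4 follows the "around 3 or 4" figure above.

```python
from collections import defaultdict, deque

THRESHOLD = 4          # page says "around 3 or 4" bad attempts
WINDOW_SECONDS = 600   # assumption: the page gives no time window

# Constructed sample events: (seconds, port, extension, logon_ok)
SAMPLE_EVENTS = [
    (0,   "trunk-07", "2101", False),
    (20,  "trunk-07", "2102", False),
    (45,  "trunk-07", "2103", False),
    (70,  "trunk-07", "2104", False),
    (100, "desk-12",  "3300", False),
    (130, "desk-12",  "3300", True),
    (900, "desk-31",  "4410", False),
    (905, "desk-31",  "4410", False),
    (910, "desk-31",  "4410", False),
    (915, "desk-31",  "4410", False),
]

def review_failures(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert each time a port reaches the failure threshold."""
    recent = defaultdict(deque)          # port -> (time, extension) failures
    alerts = []
    for ts, port, ext, ok in sorted(events):
        failures = recent[port]
        if ok:
            failures.clear()             # a good logon resets that port
            continue
        failures.append((ts, ext))
        while ts - failures[0][0] > window:
            failures.popleft()           # drop failures older than the window
        if len(failures) >= threshold:
            tried = sorted({e for _, e in failures})
            # Several extensions from one port is not what a line fault or a
            # forgetful user looks like; one extension repeated may be either.
            kind = "possible-guessing" if len(tried) > 1 else "check-line-or-user"
            alerts.append({"time": ts, "port": port, "kind": kind,
                           "extensions": tried})
            failures.clear()
    return alerts

if __name__ == "__main__":
    for alert in review_failures(SAMPLE_EVENTS):
        print(alert)
```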

   The PBX

  ROLM has something called Integrated Call Management <from here on known as
ICM>.  Now, when designing ICM, they must have taken into account the abuse
possible in plain ol' PBX's.  So they put in something called Call Screening.
This will enable the company to restrict calls to certain #'s and prefixes.
Calls to non-business #'s or certain areas can be screened out <"No personal
calls on my time, Johnson!">, with the exception of 1 specific # that you want.

  There is a choice of having a codeless, screened PBX, or a PBX where accounts
are assigned to each employee, and the #'s they call get recorded to that
account.  There can be privileged accounts where a large volume of calls would
go relatively un-noticed.  But I don't think that large-scale abuse of this
system would be easy or practical.  Calls are routed AUTOMATICALLY through the
service where the rates are cheaper to the location dialed, which is pretty
fucking cool.  And, the PBX is accessible from the outside, using Direct Inward
System Access, making it AB-useable.

  But what about if there is Equal Access in that area?  It doesn't matter, the
CBX will automatically access the service without you having to worry about it
<hell, this is totally unnecessary for a hack/phreak, cause we ain't paying for
the damn call anyhow!>

  BUT!:  There is a use of Call Detail Recording, where information on all
ingoing and outgoing calls is recorded.
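
  Call Screening and Call Detail Recording together give the PBX owner an
audit trail.  The sketch below is an added example, not ROLM software: the
record layout, the blocked prefixes, the single allowed exception, the
business hours and the volume limit are all constructed for illustration.

```python
from collections import Counter

# Assumed screening policy: blocked prefixes plus one explicit exception,
# mirroring "with the exception of 1 specific # that you want".
BLOCKED_PREFIXES = ("1900", "011")
ALLOWED_EXCEPTIONS = {"19005550100"}
BUSINESS_HOURS = range(8, 18)     # assumption: 08:00 to 17:59
VOLUME_LIMIT = 3                  # assumption: calls per account per day

# Constructed call detail records: (hour, origin, account, dialed_number)
SAMPLE_CDR = [
    (9,  "station", "1001", "14155550101"),
    (10, "station", "1001", "19005550100"),     # the allowed exception
    (11, "station", "1002", "19005550123"),
    (2,  "DISA",    "9000", "12125550147"),
    (2,  "DISA",    "9000", "12125550148"),
    (3,  "DISA",    "9000", "01144205550199"),
    (3,  "DISA",    "9000", "12125550149"),
]

def passes_screening(dialed):
    """True if the number is an exception or matches no blocked prefix."""
    return dialed in ALLOWED_EXCEPTIONS or not dialed.startswith(BLOCKED_PREFIXES)

def audit(cdr):
    """Return (finding, account, detail) tuples for one day of records."""
    findings = []
    calls_per_account = Counter()
    for hour, origin, account, dialed in cdr:
        calls_per_account[account] += 1
        if not passes_screening(dialed):
            findings.append(("screened-number", account, dialed))
        # Inward-access calls outside business hours deserve a second look.
        if origin == "DISA" and hour not in BUSINESS_HOURS:
            findings.append(("disa-after-hours", account, dialed))
    # Apply the volume check to every account, privileged ones included.
    for account, count in calls_per_account.items():
        if count > VOLUME_LIMIT:
            findings.append(("high-volume", account, str(count)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CDR):
        print(finding)
```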


  Not a lot of research went into this file, but it did take a little while to
type up, and all of the information is correct, to my knowledge.  Anyone is
free to expand on this file into a Part II.  It was written to enlighten people
about this system, and I hope this has helped a little bit.

  Sysops:  You are free to put this file up as long as NONE of the credits are
changed!  <this means the Phrack, Inc.  AND Personal credits>.  Please give us
a chance.

  Coming soon, to a telephone near you:  The Return of The Flying Circus.  Look
for it.
		   --Later On
Monty Python		 <01/11/86>
