Hacking AT&T System 75

                                ==Phrack Inc.==

                   Volume Four, Issue Forty-One, File 6 of 13

                   A Brief Guide to Definity G Series Systems
                                 System 75 - 85

                            Written by Scott Simpson

          Greets to Jim Anderson, The Missing Link, Randy Hacker, Dark Druid,
Nickodemus, Mercury, Renegade, Infinity (enjoy the army!), Weirdo, TomCat,
GarbageHeap, Phrack Inc.

Basic History
Definity model systems came into existence in the later part of the 1970s.  In
1983, AT&T came out with a revised model called 75.  This system was built to
hold more incoming lines and did not have as many errors as the earlier version
did.  The 1983 version was replaced with a version re-written in 1986.  Today,
the systems are referred to as G models.  System 75 is now called G1 and 85 is
called G2.  A new model is currently available and is called the Definity G3I
which is Generic 3 with an Intel chip, and Definity G3R which is Generic 3 with
a RISC chip.  There are 3 different versions to each model.  Version one is the
most common and it is an XE Single Carrier Unit.  The other two systems are 2
carriers.  A system will usually cost somewhere around 50 to 80 thousand
dollars.  You MIGHT come across a smaller version and it is called "Merlin
Legend."  This system will hold about 50-100 lines.  System 75 & 85 will hold
around 1000 lines.  System 75/85 are used by companies to house all of their
incoming lines, as well as to send their incoming lines to destinations set up
by the owners, whether it be Audix or any other setup.  There are many uses for
the system besides VMBs and PBXes.  System 75/85 has three main functions that
hackers are interested in. They are the capabilities of VMB, bridging, and of
course PBX exchanges.

Discovering the System
When you find a System 75, you will make a 1200/NONE connection (if HST used),
as most setups have a built in 1200 baud modem.  Normally, the controller
number will not be in the same prefix as the business or the PBX and the line
is actually owned by AT&T.  Try CNAing a System 75 line and it will tell you
that it is owned by AT&T.  Once you find a carrier, you will need to be able to
display ANSI or some equivalent type of terminal graphics.  Most are set to
N81, but some may be E71.  My suggestion is to use ToneLoc which is produced by
Mucho Maas and Minor Threat.  As you know, this program will scan for carriers
as well as tones.  This program can be found on just about every ELEET H/P BBS.

Getting into the System
Getting into the system is the easy part if you have the defaults.  You must
find them on your own and you will find out that a lot of people are not
willing to trade for them.  There is one default that will enable you to snoop
around and tell whether or not they have a PBX, provided that they have not
changed the password or restricted the account.  This one default is usually a
fully operational account without the privileges of altering any data but I
have come across a couple of systems where it wouldn't do anything.  Using this
default account is a good way to start if you can find it.  It is also good to
use any time you call and don't plan on changing anything.  All actions by this
account are not kept in the system history file.  Now on to the good stuff!!

Abusing System 75
After logging into a 75, there are several commands available depending on the
default you are using.  This part will be for the basics.  I will explain more
later for the more advanced people.

When you log in, you will have the commands LIST, DISPLAY, and a couple others
that don't matter.  These are the only ones that you will need with the
aforementioned default.  First type "DIS REM" (display remote access).  If
there is a PBX set up on the system, it will be shown on the extension line.
The barrier code is the code to the PBX. If "none" appears, there is no code
and it's just 9+1.  The extension line can either be 3 or 4 digits.  Usually,
if it's 3 digits, it is run off of AUDIX (AUDio Information eXchange) or they
are smart and are hiding the one digit!  Look at the dialplan and see if the
extensions are 3 or 4 digits.  If it tells you that the extensions are three
digits, chances are that it is somewhere in the AUDIX system.  If it's run off
of an AUDIX, look through all of the extensions by either list or display
'extensions' until you find one that says something like "remote extension" or
something that looks different.  If the one digit is hidden, use ToneLoc and
scan for the digit needed.  Next, display the trunk groups.  This will tell you
the actual dial-up.  If you don't find it here, don't panic.  As you go through
the trunk groups, also look at the incoming destination as well as the night
destination.  If any of these show the remote extension here, there is your
PBX.  If not, keep looking through all of the trunk groups.  Write down all of
the phone numbers it gives you and try them.  They can usually be found on page
three or so.

A LOT of the time, places call forward a back line or so to the actual PBX.  If
there is no remote access extension when you display the remote access, you are
shit out of luck unless you have a higher default and read the rest of this

Setting Up Your Own PBX
If you have a higher default, you will notice that if you type help, you have
more commands that are available to you, such as change, download, etc.
Remember, the company can change the privileges of the defaults so if you
cannot see these commands, use another default.  The first thing you want to do
is to display the dialplan.  This will tell you the amount of digits and the
first digit of all of the sequences.  Here is an example of a dialplan.  There
are several ways the dialplan may look.

                 Number of Digits
F 1
I 2        Tac
R 3
S 4             Fac
T 5
  6               Extension
D 7               Extension
I 8        Tac
G 9
I 0 Attendant
T *

Using the above chart, all extensions will start with either a 6 or 7 and will
be four digits long.  The Tac is two digits, and will start with a 2 or an 8.
Don't worry about FAC or any others at this time.

After you make note of this, type "ch rem" (change remote access), go to the
extension line, and put in an extension.  Next, find the trunk group that you
want to use and type "ch tru #".  Go to the line for night service and put the
extension in there.  If there is already an extension for night service on all
of the trunks, don't worry. If not, add it, and then save it.  If it says
invalid extension, you misread the dialplan.  If you pick an extension already
in use, it will tell you so when you try to install it in the remote extension
line in the remote address.  Once all of this is completed, you may go back to
the remote access and add a code if you like, or you may just enter "none" and
that will be accepted.  THE NEXT PART IS VERY IMPORTANT!  Look at the trunk
that you installed and write down the COR number.  Cancel that command and type
"dis cor #".  Make sure that the Facilities Restriction Level (FRL) at the top
is set to 7 (7 is the least restricted level & 0 is the most) and that under
calling party restrictions & called party restrictions, the word "none" (lower
case) is there!  If they are not, type "ch cor #" and make the changes.  Last,
type "dis feature".  This will display the feature access codes for the system.
There will be a line that says something like "SMDR Access Code."  This will be
the code that you enter after the barrier code if there is one.  I have seen
some be like *6, etc.  Also, there will be, on page 2 I believe, something
like "outside call."  Usually it is set to 9, but check to be sure.  That's
about it for this segment.  All should be fine at this point.  For those that
want a 24 hour PBX, this next section is for you.

For those of you that are greedy, and want a 24 hour PBX, most of the steps
above are the same.  The only difference is that you will look through all of
the trunks until you come across one that has several incoming rotary lines in
it.  Simply write down the port number and the phone number for future
reference and delete it by using the "ch" command.  From the main prompt, type
"add tru #".  For the TAC, enter a correct TAC number.  Keep going until you
get to the COR.  Enter a valid one and remember that the FRL should be set to
7, etc.  Keep going...the next line that is vacant and needs something is the
incoming destination.  Set it to the remote extension that you have created.
The next vacant line I think is type (towards the middle of the page).  Enter
ground and it should print out "ground-start."  If there is a mistake, it will
not save and it will send you to the line that needs to have something on it.
After all is done, it will save.  After this segment, there is a copy of a
trunk and what it should look like for the use of a PBX.  Next, go to page 3
and enter the port and phone number that you wrote down earlier.  Save all of
the changes that you have made.  This should be all you need.

One more way!  If you scan through all of the extensions on the system, you may
find an "open" extension.  This extension may be like the phone outside in the
waiting room or an empty office or whatever.  This extension must be a valid
phone number on their network or must be reachable on their AUDIX for this
method to work. If you know how to add ports to Audix, this method will be best
for you since setting up a trunk is not needed.  If you find something like
this, it's usually better to use this as your 24 hour PBX rather than taking
away a line for several reasons:  1) there are fewer changes that you must make
so there will be less data saved in the history file; 2) other people that have
legal uses for the line won't trip out when they get a dial tone; and 3) the
company will not notice for some time that they've lost an extension that is
hardly used!  To set it up this way, you must delete the old info on that
extension by typing "remove extension #".  It will then show you the station in
detail.  Save it at that point and it will be deleted.  Next go to the remote
access and enter the extension that you deleted on the remote extension line.
Next enter a barrier code or "none" if you don't want one.  Save it!  Doing it
this way USUALLY does not require a new trunk to be added since the port is
already in the system but if you run into problems, go back and add it through
the use of a trunk.  You will still have to assign it a "cor" in the remote
access menu, and remember to make sure that the FRL and the restrictions are
set correctly as stated above.
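
Read from the administrator's side, the procedures above all end in the same few settings: a remote access extension, a barrier code of "none", a COR with FRL 7 and no calling/called party restrictions, and a trunk whose night service or incoming destination points at the remote access extension. The following added example (not part of the original file) audits a hand-transcribed snapshot of those screens for exactly those conditions; the dictionary layout, field names and sample values are assumptions made for the example, not an export format of the switch.

```python
# Added example: audit a hand-transcribed snapshot of the remote access, COR
# and trunk group screens. Layout and field names are assumptions for this
# example only; all values below are constructed sample data.

SNAPSHOT = {
    "remote_access": {"extension": "6100", "barrier_code": "none", "cor": 5},
    "cors": {
        1: {"frl": 0, "calling_party": "outward", "called_party": "none"},
        5: {"frl": 7, "calling_party": "none", "called_party": "none"},
    },
    "trunk_groups": {
        1: {"cor": 1, "night_service": "0", "incoming_dest": "0"},
        2: {"cor": 5, "night_service": "6100", "incoming_dest": ""},
        3: {"cor": 1, "night_service": "", "incoming_dest": "6100"},
    },
}


def cor_unrestricted(cor):
    """True when a COR has FRL 7 and no calling/called party restrictions."""
    return (cor["frl"] == 7
            and cor["calling_party"].lower() == "none"
            and cor["called_party"].lower() == "none")


def audit(snapshot):
    """Return a sorted list of (rule, detail) findings for the snapshot."""
    findings = []
    ra = snapshot.get("remote_access") or {}
    ext = (ra.get("extension") or "").strip()
    cors = snapshot.get("cors", {})
    if ext:
        findings.append(("remote-access-enabled", f"extension {ext}"))
        # A missing barrier code is treated the same as an explicit "none".
        if (ra.get("barrier_code") or "none").strip().lower() == "none":
            findings.append(("no-barrier-code", f"extension {ext}"))
        cor = cors.get(ra.get("cor"))
        if cor and cor_unrestricted(cor):
            findings.append(("remote-access-cor-unrestricted", f"cor {ra['cor']}"))
    for num, tg in snapshot.get("trunk_groups", {}).items():
        # Night service or incoming destination routed to remote access.
        for field in ("night_service", "incoming_dest"):
            if ext and (tg.get(field) or "").strip() == ext:
                findings.append(("trunk-routes-to-remote-access", f"trunk {num} {field}"))
        cor = cors.get(tg.get("cor"))
        if cor and cor_unrestricted(cor):
            findings.append(("trunk-cor-unrestricted", f"trunk {num} cor {tg['cor']}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in audit(SNAPSHOT):
        print(f"{rule:32} {detail}")
```

Comparing the findings between two snapshots taken on different dates shows whether any of these settings changed without a matching change request.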

In part 2, if there is a demand, I will tell how to make a bridge off of a 75.
It is a lot more difficult, and requires a lot more reading of the manuals.  If
anyone can obtain the manuals, I would strongly urge them to do so.  Also
potentially in part 2, I will show how to create a VMB.  If they have AUDIX
voice mail, chances are they have a 75!

So happy hunting and see ya soon!

If you need to get a hold of me to ask a question, you may catch me on the nets
or on IRC.


Scott Simpson

APPENDIX A : Example of a Trunk For PBXs

                              Trunk Group                    Page 1 of 5

Group Number #               Group Type: co                Smdr Reports: n

   Group name: Whatever ya want         Cor: #            Tac: #

Mis Measured? n

   Dial access: y    Busy Threshold: 60      Night Service: What will answer
                                                            after hours

Queue length: 0  Abandoned call Search: n   Incoming Dest: What will answer
                                                           any time the # is
                                                           called unless NS
                                                           has an extension.

    Comm Type: voice       Auth Code: n     Digit Absorption List:

      Prefix-1? n    Restriction: code    Allowed Calls List: n

   Trunk-Type: Ground-start

 Outgoing Dial type: tone

  Trunk Termination: whatever it is        Disconnect Timing: Whatever it is
                     set to.                                  set to.
                             ACA Assignments: n

[Page 2 is not all that important.  It's usually used for all of the
maintenance to the trunk etc. so leave it all set to its default setting.]

                                                  page 3 of 5
       Port        Name        Mode      Type       Answer delay
1   Port number  phone number

That's all that is needed for the trunks.

APPENDIX B : Basic Commands and Terms

     Basic Terminology
COR  - Class Of Restriction
FRL  - Facilities Restriction Level
SMDR - Station Message Detail Recording
TAC  - Trunk Access Code
FAC  - Feature Access Code

     Basic Commands for Default Emulation (513)
Esc Ow - Cancel
Esc [U - Next Page
Esc SB - Save
Esc Om - Help

     Commands for 4410
Esc Op - Cancel
Esc Ot - Help
Esc Ov - Next Page
Esc Ow - Back Page
Esc OR - Save
Esc Oq - Refresh
Esc Os - Clear Fields

Below is an explanation of all of the commands.

The following is a captured buffer of a login to System 75.  I have captured
the commands and have edited the buffer to include brief definitions of the

Display and list are basically the same command, but display shows more
detailed information on the command that you select.  For example, "list tru"
will list all of the trunk groups in the system.  "dis tru" will ask for a
trunk number, and then display all of the information on that trunk.

CH Help
Please enter one of the following action command words:

add                      duplicate                save
change                   list                     set
clear                    monitor                  status
display                  remove

Or enter 'logoff' to logoff the system
Add       - Is pretty self-explanatory
Change    - Is also self-explanatory
Clear     - will clear out the segment
Duplicate - will duplicate the process
List      - self-explanatory
Monitor   - used for testing, and monitoring the system
Remove    - remove anything from the system EXCEPT the History File!  Sorry
Save      - saves work done
Set       - sets the time, etc.
Status    - shows current status of the system

List Help
Please enter one of the following object command words:
                      COMMANDS UNDER "LIST"
abbreviated-dialing      groups-of-extension      personal-CO-line
aca-parameters           hunt-group               pickup-group
bridged-extensions       intercom-group           station
configuration            measurements             term-ext-group
coverage                 modem-pool               trunk-group
data-module              performance

Or press CANCEL to cancel the command
Abbreviated-Dialing: Speed calling feature from their voice terminal
Aca-parameters: Automatic-Circuit-Assurance
Bridged Extensions: Used for bridging extensions together
Configuration: Overall system Configuration
Coverage: Call Coverage
Data-module: Description of the data module used
Groups Of Extensions: Lists all of the extensions available
Hunt-Group: Checks for active or idle status of extension numbers
Intercom-group: Lists the intercoms and their info
Modem-Pool: Allows switched connects between data modules and analog data
Performance: Shows the performance of the system
Personal-CO-line: Is for dedicated trunks to or from public terminals
Pickup-group: Pickup station setup
Station: Will list all of the available stations assigned
Term-ext-group: For terminating extension group
Trunk-Group: Lists ALL of the trunks; will NOT show all details like Display

Dis Help
Please enter one of the following object command words:
                    Commands Under 'Display'
abbreviated-dialing      data-module              personal-CO-line
alarms                   dialplan                 pickup-group
allowed-calls            digit-absorption         port
announcements            ds1                      psc
attendant                errors                   remote-access
button-location-aca      feature-access-codes     route-pattern
circuit-packs            hunt-group               station
code-restriction         intercom-group           synchronization
communication-interface  ixc-codes                system-parameters
console-parameters       listed-directory-numbers term-ext-group
cor                      modem-pool               time
cos                      paging                   trunk-group
coverage                 permissions

Or press CANCEL to cancel the command
Abbreviated Dialing: Covered above, but shows more information
Alarms: Will show information on the alarms (which ones are on/off)
Allowed-Calls: Will show LD carrier codes and allowed call list
Attendant: Allows attendant to access trunks without voice terminals
Button-location-aca: Will show the location of the aca selected
circuit-packs: Tells types of lines used.
Code-Restriction: Shows restrictions for HNPA and FNPA
Communication-Interface: Information on the communication interface
Console-Parameters: Will list the parameters of the console, etc.
Cor: Class Of Restriction (will show the cor for the # entered)
Cos: Class Of Service
Coverage: Shows the coverage of the system (voice terminals, etc.)
Data-Module: Will show information for the data channels entered
Dialplan: List the current config for extensions etc.
Ds1: Used for tie-trunk services
Errors: Shows all of the errors on the system
Feature-Access-Codes: Lists all of the feature access codes for all of the
                      features on the entire system
Hunt-Group: As above, but will tell more information for the # you enter
Intercom Group: Lists all of the names and their intercom assignments
IXC-Codes: Inter-eXchange Carrier codes
Listed-Directory: Lists the numbers in the directory of the system
Modem-Pool: Will show info on the channel you select (e.g. baud, parity, etc.)
Paging: Used for the paging stations on the voice terminals
Permissions: Will show the privileges of the other accounts/defaults
Personal-CO-Line: As above but more descriptive
Pickup-Group: Shows names and extensions in the specified group number
Port: Will show the info on the port you ask about
PSC: Keeps a call between two data points connected while the system is active
Remote-Access: Will show the Remote Access that is there (if any)
Route-Pattern: The pattern of routing within the voice terminals, etc.
Station: Will show detailed information on the station # you enter
Synchronization: Will show the location of the DS1 packs
System-Parameters: List of all of the available systems parameters
Term-Ext-Group: As above but more descriptive
Time: Will show the current time and date
Trunk-Group: Will show all available information for the trunk you select
