AOH :: P44-19.TXT

Northern Telecom's SL-1



                              ==Phrack Magazine==

                 Volume Four, Issue Forty-Four, File 19 of 27

****************************************************************************

                      Northern Telecom Meridian SL-1

                                by Iceman

                               Introduction
                               ~~~~~~~~~~~~

 This article is the first in a possible series devoted to Northern
Telecom's line of Meridian SL-1 switches. At the moment, I'm unsure if there
will even be a second article, since it would consist completely of the
programming of these switches, and it's not difficult for me, or anyone else
to type up a manual. If you haven't heard of an SL-1 before, to put things
simply, if you have ever called a Meridian Voice Mail system, this is the
computer that runs the show! Not all SL-1's have Voice Mail features, but
it makes things easier (for the electronic adventurer) if you have one that
does. Now it's far more than a simple voice mail system, it's a complete
phone switch, a PBX. Of course, like most computers, if you can gain access
to it, the system is at your beckon call, to do what you make it do. What
follows is a brief history, and technical overview of the SL-1 series, as
well as information on identifying them. If this looks familiar, a large
portion of this article appeared my own magazine, Freedom, but was updated
for Phrack. If you had read the issue relating to SL-1's, you will also
find basic programming information for some of the more commonly used
overlay programs, it was purposely omitted in this article.

   History and Technical Overview
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Development of Northern Electric's SL-1 started in 1971. Their
objective was to design a superior communications system for business
subscribers in the range of 100 to 7600 stations. The system had to encompass
all the features of a PBX, Centrex and key systems and be economically
competitive with them. It had to have new custom services not previously
feasible with the older systems. It had to be easy to learn and to operate.
As well, it had to be easy to install and maintain.

 What the designers came up with was a digital, stored program control
machine using an 8-bit PCM. They also came up with a new telephone instrument,
the SL-1 telephone, which is a multi-line instrument with many features, but
uses only 2 pairs of wires, instead of 25 pairs required by key telephones.

 The SL-1 system has three main parts: The common equipment (CE), the
peripheral equipment (PE) and the power supplies.

 The CE performs the central control and switching functions for all
the connecting lines and trunks. It has a central processing unit (CPU) and
read/write memory which stores all the operating programs and data unique
to the particular system, including switching sequences, feature and class
of service information, and numbers and types of terminals. Various models
use various media to store information, ranging from magnetic tape drives
to disk drives, for high-speed loading of the operating programs and data
into the read/write memory, and providing data restoration after a power
failure.  This media also contains the diagnostic routines, and all software
needed to program the switch. There is a Teletype to communicate to the system
with and to print error messages on. The network circuits perform the switching
duties for all lines and trunks. The digital service circuits provide for such
functions as dial and ringing tones and call conferencing.

 The CE units communicate over a common central bus under control of
the CPU. Speech signals, converted to digital, follow a separate path on a
network switching bus.

 The PE performs the interface between the line and trunk circuits and
the SL-1 system. It consists mainly of line and trunk cards which convert
analog speech to digital signals for digital switching and vice-versa. Lines
connect to individual instruments and trunks to other PBX's. Peripheral
buffers act as interface between the PE and the CE providing power control,
timing and switching control signals for the line and trunk circuits. Digital
conversion into 8-bit PCM is done by a single encoder/decoder (codec) for each
line or trunk. This codec is a custom LSI circuit.

 Between the PE and the CE, all signals travel in digital format on
time multiplexed loops. Each loops carriers 30 voice channels, one control
signalling channel and one unused channel. The channels operate at 64 kbps
to give a total data rate of 2.048 mbps. Each loops terminates on a different
circuit pack in the CE. There can be up to 16 multiplex loops.

 When a call is set up, the CPU assigns each party a channel from among
the 30 on their own multiplex loops. These channels form a matched pair. For
instance, the calling party may use channel 2 of it's digital loop, and the
called party may use channel 3 of it's loop.

 The SL-1 conducts audio digitally. The line and trunk cards contain
A/D and D/A converters. Received audio is changed to a digital signal and
put on a voice channel. At it's destination, the digital signal is converted
back to analog audio.

 All programming is done from a keyboard with the output going to a
printer. To program, a specific diagnostic program, called an overlay, is
selected, and is automatically loaded from tape or disk. Once this is done,
the appropriate commands are entered to change the options. All inputs, and
SL-1 responses are echoed on a printer or echoed out of the specified port.
If any system parameters or configurations are changed, these changes will
not survive a total power outage unless a new tape or disk is made.

 In case of a power outage, upon restoration of power, the SL-1 activates
the tape or disk unit and loads in the system operating data, and runs some
diagnostics. This takes from 5-15 minutes, and at the end of that time,
service is fully restored with all the options which were recorded on the tape
or disk being implemented. Of course any user-selected options like speed
call lists and call waiting which had been selected before the outage will
be lost.

 Automatic diagnostics (called 'background' programs) are being run
constantly with the results of any problems being echoed to output. At
midnight a more thorough set of diagnostics are run. Any of the diagnostics
may be run on demand from the keyboard. Also available on demand from the
keyboard are a series of diagnostics to determine the status of lines and
trunks, to trace calls, and to print lists and traffic studies.

     SL-1 Features
     ~~~~~~~~~~~~~

 - Call Waiting                     - Digitone (DTMF) service
 - Ring Again                       - Direct inward dialing
 - Display services                 - Direct outward dialing
 - Tandem switching                 - Private line service
 - Special dial tone                - Remote administration and
 - Traffic measurement                maintenance
 - Common control switching         - Multi-customer group operation
   arrangement access               - Line/trunk lockout
 - Data transmission                - Flexible numbering system
 - Access to automatic recorded       (2 to 4 digits)
   answering equipment              - Pulse to DTMF conversion
 - Access to paging equipment       - DTMF to pulse conversion
 - Call forward - busy              - Emergency transfer
 - Call forward - don't answer      - Hunting
 - Call forward - follow me         - Intercept
 - Call pickup                      - Manual service
 - Conference (3 or 6 party)        - Night service
 - Service restrictions

     SL-1 Telephone Set Features
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

 - Autodial                         - Automatic preselection
 - Call status                      - Headset connection
 - Call forwarding                  - Executive override
 - Call transfer                    - Hold
 - Speed calling                    - On-hook dialing
 - Call waiting                     - LED indicators
 - Tone ringing                     - Call pickup
 - Common audible signalling        - Loudspeaker/Amplifier
 - Ring again                       - Voice calling
 - Hands free operation             - Manual signalling
 - Multiple appearance directory    - 3 or 6 party conference
   number; multiple call            - non-locking keys
   arrangements                     - Single appearance directory
 - Prime directory number             number
 - Station set expansion            - Privacy
 - Privacy release


   Explanation of Some Features
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Station to station calling - Any station can directly call any other station
without attendant assistance.

Direct Outward Dialing (DOD) - Allows a station to gain access to the exchange
network without attendant assistance and receives a second dialtone.

Hunting - Routes a call to an idle station directory number when the called
number is busy. The numbers in the hunt group do not have to be in sequence
nor do they have to appear on the same instrument. The sequence can be
consecutive (station directory numbers are hunted in ascending numerical
order) or non-consecutive.

Access to paging - Provides a connection to customer-owned paging equipment.

Access to Automatic Recorded Answering Equipment - SL-1 stations can have
incoming messages recorded on customer-provided answering equipment by
forwarding calls to the directory number (DN) assigned to the equipment.

Direct Inward Dialing (DID) - Allows an incoming call from the exchange
network to reach a station without attendant assistance. The DN for each
station will normally be the last 2,3 or 4 digits of the 7 digit exchange
network number.

Tandem Switching - The SL-1 can act as an intermediate switching point for
traffic between other PBX's.

Manual Service - Does not provide a dialtone when a station goes off-hook.
Instead the attendant is alerted and completes the call for the user.

Private Line Service - Permits the appearance of a private central office line
on an SL-1 Telephone set. Dialtone is received directly from the telco and
calls are not processed by the SL-1.

Multi-Customer Group Operation - Allows for the provision of services for more
than one business customer from the same switching machine. Each customer
is totally separate from the others, may have the same directory numbers as
the others, has his own attendant console, his own trunks, and cannot directly
call stations belonging to the other customers.

Service Restrictions - Allows the ability to restrict various functions.

Intercept - Disposes of calls which cannot be completed because of
restrictions or dialing errors. They are either routed to the attendant
or overflow tone.

Special Dial Tone - A Regular dialtone with three 128 ms interruptions at the
beginning to advise the user that his hookswitch flash has been successful.

Line Lockout - Disconnects stations which have been off-hook for too long to
prevent system problems.

Night Service - Allows the attendant to preconnect some or all of the incoming
telco trunks to selected DN's on the SL-1.

Emergency Transfer - Puts the system in the power fail transfer mode. This
transfers telco trunks to selected stations to provide some continuity of
service to the outside world during the time the SL-1 is inoperative.

Remote Administration and Maintenance - Permits operation of the diagnostics
from a remote location via a modem and telephone line. You may do anything
from the remote terminal that you can do from the local terminal.

Call Forward - Busy - Routes incoming calls to another number when the called
station is busy.

Call Forward - Don't answer - Routes incoming calls to another number when the
called station doesn't answer within a prescribed time.

Call Forward - Follow me - Routes incoming calls to another, programmable
number.

Call Waiting - Informs the user of a second incoming call while he is already
in conversation. He can then place the first caller on hold and answer the
second call. He can then return to the first call.

Conference - Allows a user to connect up to either 1 or 4 additional persons
into an existing call. Up to 2 of the users may be trunks.

Call Pickup - Allows a station to answer an incoming call to another station
in the same pickup group by dialing a special code.

Ring Again - Permits a calling station, on encountering a busy DN, to operate
a dedicated key or dial a special code to have the system monitor the called
station and alert him when it goes idle. He is then automatically connect to
that station when he goes off-hook or presses the key during the alert and the
system rings that station.

Data Transmission - The SL-1 is suitable for voiceband data transmissions
and is compatible with a conventional modem.


     SL-1 Models
     ~~~~~~~~~~~

Model    Lines     Introduced    Generic      Features
~~~~~    ~~~~~     ~~~~~~~~~~    ~~~~~~~      ~~~~~~~~
SL1-L    300-700      1975         x01      - N/A

SL1-VL   700-2500     1976         x02      - Multi customer operation
         - Automatic Identification of
           outward dialing
         - Do not disturb

CDR      N/A          1977       x03,x04,   - Call detail recording
     x08 - Recorded Announcement
         - Digit display console

SL1-LE   300-700      1978         x05      - Automatic Route Selection

SL1-VLE  700-2500      N/A         N/A      - Remote peripheral equipment
         - Automatic Number Identification
         - "E" system
         - Autovon

SL1-A    60-400       1979       x06,x07,   - Centralized attendant service
     x14        - Automatic call distribution
         - Digit display SL-1 Sets
         - 2500 Set Features
         - Direct inward system access
         - Dial Intercom
         - Message Center
         - Hotel/Motel
         - International Phase 1

SL1-XL   1000-5000    1980       x09,X17    - Advanced ACD packages
         - Multiple message center
         - Integrated voice and data
           switching
         - Hospital/Clinic
         - International Phase 2

ESN      N/A          1981       x9000      - Office data administration
           system
         - Automatic Wake-up
         - Room status
         - Auxiliary data system
         - Electronic switched network
         - International Phase 3

SL1-M    60-400       1982       x11 rls 1  - Attendant Administration
         - Attendant overflow
         - Automatic set relocation
         - History file
         - Call park
         - Flexible code restriction
         - System speed call
         - International Phase 4&5

SL1-S    30-160       1983       x11 rls 4  - Distinctive ringing
         - Stored number redial
         - Async. interface module
         - Sync. data transmission
         - Multi-channel data system
         - SL-1 displayphone
         - Hotel/Motel


'Generic' refers to the software version. It is expressed as a 3 or 4 digit
number where the first part of the number indicates the machine it is for
and the second part indicates the purpose of the software and serves as a
version number and also indicates the type of machine it can be used with. The
'X' stands for a 1 or 2 digit number representing the model:

1 = SL1-L     2 = SL1-VL     3 = SL1-LE     4 = SL1-VLE     5 = SL1-A
6 = SL1-XL    7 = SL1-M/S    8 = SL1-N      9 = SL1-XN      10= SL1-ST
11= SL1-NT    12= SL1-XT

        Maintenance Programs
        ~~~~~~~~~~~~~~~~~~~~

 All troubleshooting procedures, configuration changes and circuit
disabling/enabling are carried out from the keyboard of a Teletype via
software programs. There is virtually no physical contact with the exchange
other than required to remove a defective board and replace it with a spare.
Even this does not require tools.

 Before running a program you must first gain access to the computer.
The dialup will normally be a 1200 baud connection, with an even parity,
databits of 7, and stopbits of 1 (E71). Once connected press <CR> several
times key to wake the system up. The system SHOULD respond with 'OVL111 BKGD'
or 'OVL111 IDLE' and now you know it's alright to login. If the response is
'OVL000' and then a '>' prompt you are already logged in, and you can go
straight to loading an overlay.

 Type 'LOGI' to initiate the login. Make sure when entering commands
that they are all input in uppercase. The system responds with 'PASS?'. Now
enter the password, (we do have a password, RIGHT?), it has a default, like
everything else. The password will always be a 4 digit number, other
characters are not valid. If you have correctly logged in, the system will
respond with a '>' prompt. The system will display this prompt whenever
waiting for operator input and is not running a diagnostic program. Once
a diagnostic program is running the prompt becomes a '.' (period). If you
are not logged in, there is no prompt.

 What follows is an example of what you will see during login.

{ Hit Carriage Return }
OVL111 IDLE
.
.
.LOGI                        { Initiate Login                    }
PASS?                        { Enter password, it will not echo  }
OVL015                       { Error code for incorrect password }
TTY 01 SCH MTC    16:40

OVL 45 BKGD
.LOGI                        { Try again }
PASS?
.
>
OVL000
>LD 22           { You are now logged in and ready to load an overlay program }
   { in this case we are loading overlay 22, a print routine.   }
PT20000

REQ TID          { The REQ prompt appears, now enter your selection, in this }
   { case we want to print the TID (Tape ID)                   }
TAPE ID:
LOADED XXXXXX
DISK/TAPE   XXXXXX

REQ ISS          { Enter ISS to view the Issue and Release number of the     }
   { software/switch                                           }
VERSION 1011
RELEASE 14
ISSUE 39


REQ END          { Enter END to quit this overlay }
>LOGO
>
.                { Logout and hangup }


 Now after gaining this information, we can determine what type of
system we're dealing with. Notice that the version number is 1011. Now
refer back to the listing of SL-1 Models for the information we seek. We are
logged into an x11 system (last 2 digits of the version number). Unfortunately,
there are two system with x11 generics, and none of which have a release
number of 14, so we're either dealing with an SL1-M or an SL1-S, with either a
60-400 or 30-160 line capability respectively. Although this information isn't
extremely useful, it comes in handy when determining how large the system is.


         Overlay Programs
         ~~~~~~~~~~~~~~~~

 Upon first logging in, no program is loaded, and you must load a
program (overlay) into system memory. This is done by the command 'LD'
followed by a space and the overlay number. To load overlay 10 you would
simply do a 'LD 10'. It will take approximately 1 minute to load the overlay
into memory from tape, if the system uses a tape drive. If the system uses
disk storage then it will load quickly. Once the program is loaded, a 'REQ'
(request) prompt will appear. The system is now waiting for input from the
administrator.

 There are many different overlays which can be used, all of which
are explained in the following section.

Number     Name                          Purpose
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  10   500/2500 Type     Allows new 500/2500 telephone data blocks to be
       Telephone         generated, existing office data modified, moved
                         to a new TN location on the same loop, or removed
                         from the system. Standard telephone sets.

  11   SL-1 Type         Allows new SL-1 telephone data blocks to be
       Telephone         generated, existing office data to be modified,
                         moved to a new TN location on the same loop, or
                         removed from the system.

  12   Attendant         Allows new SL-1 attendant console data blocks to be
       Console           generated, existing office data to be modified,
                         moved to a new TN location on the same loop, or
                         removed from the system.

  13   DIGITONE          Allows new DIGITONE and SL-1 tone detectors blocks
       Receiver and      to be generated, moved to a new TN location on the
       SL-1 Tone         same loop, or removed from the system.
       Detectors

  14   Trunks            Allows new trunk data blocks to be generated,
                         existing office data modified, moved to a new TN
                         location on the same loop, or removed from the
                         system.

  15   Customer          Allows new customer data blocks to be generated,
                         existing office data modified, or removed from the
                         system.

  16   Trunk Route/      Allows new trunk/ATM route and ATM schedule hours
       Automatic Trunk   data blocks to be generated, existing office data
       Maintenance       modified, or removed from the system.

  17   Configuration     Allows the configuration record to be modified to
       Record            reflect changes in the system parameters.

  18   Speed Call        Allows speed call/system speed call and group call
       Group Call Data   data to be generated, modified, or removed from the
                         system.

  19   Code Restriction  Allows code restriction data block to be generated,
                         modified, or removed from the system.

  20   Print Routine 1   Allows the printing of:
                         - SL-1 TN data blocks
                         - 500 TN data blocks
                         - attendant TN data blocks
                         - trunk TN data blocks
                         - DIG data blocks
                         - group call data
                         - templates
                         - speed call lists
                         - hunting patterns of stations
                         - unused units
                         - unused card positions
                         - terminal numbers

  21   Print Routine 2   Allows the printing of:
                         - customer data blocks
                         - code restriction data blocks
                         - route data blocks
                         - a list of trunks in a route
                         - ATM data
                         - ATM schedules
                         - TN associated with CAS keys

  22   Print Routine 3   Allows the printing of:
                         - the configuration record
                         - directory number to TN matrix
                         - equipped packages
                         - history
                         - password numbers
                         - ROM QPC number
                         - station category indication
                         - version and issue of generic

  23   ACD/Message       Allows ACD data, ACD management report schedules,
       Center            and Message Center data to be generated, modified,
                         or removed.

  24   DISA              Allows data for direct inward system access to be
                         generated, modified or printed.

  25   Move Data         Allows movement or interchanges of data between
       Blocks            loops, shelves and packs in the same customer
                         group.

  26   Do Not Disturb    Allows DND groups to be formed, changed, merged,
                         removed or printed.

  28   ANI Route         Allows ANI route selection data block to be
       Selection         generated, modified, removed, or printed.

  29   Memory/           Used to determine the amount of unused memory, and
       Management        to determine if enough memory is available to add
                         new data. Also used to respond to error messages
                         SCH601 and 603 on Meridian SL-1 XN systems.

  49   NFCR              Allows code restriction data blocks to be defined,
                         modified, removed, or printed.

  50   Call Park         Allows call park data to be generated, modified,
                         removed, or printed.

  73   Digital Trunk     Allows Digital Trunk Interface data to be generated
       Interface         or modified.

  81   Features/         Allows stations to be listed or counted according
       Stations Print    to their features.

  82   Hunt Chain/       Allows printing of hunting patterns and multiple
       Multiple          appearance groups.
       Appearance Print

  83   TN Sort Print     Allows printing of stations according to station DES.

  84   DES Entry         Allows the assignment of station DES (description)
                         to 500/2500 sets.

  85   DES Entry         Allows the assignment of station DES (description)
                         to SL-1 sets.

  86   ESN 1             Allows electronic switched network data defining
                         BARS/NARS/CDP features to be generated, modified,
                         or printed.

  87   ESN 2             Allows electronic switched network data defining
                         BARS/NARS/CDP features to be generated, modified,
                         or printed.

  88   Authorization     Allows data for Basic Authorization Code (BAUT) and
       Code              Network Authorization Code (NAUT) to be generated,
                         modified, or printed.

  90   ESN 3             Allows data for ESN network translation tables to be
                         generated, modified, or printed.

  93   Mult-Tenant       Used to enable and administer multi-tenant service.
       Service           For example, more than one company can use the same
                         PBX.

 Those are the main overlays used to modify setups and print the
system configuration information. SL-1's are mainly used in buildings, and
by larger companies, ranging from department stores to complete office
complexes. The dialups are commonly found on an extension of the PBX. You
can generally come across the dialup while scanning extensions on a Meridian
Voice Mail system. Meridian SL-1's are a very common switch used on WATS
lines, generally by larger companies. I've also talked to several people who
have encountered the actual dialup modem to the switch on the public
phone network (exchange scanning). Once you have found one, it's easy to
identify with it's trademark 'OVL' greeting.


          Meridian Manager
          ~~~~~~~~~~~~~~~~

 Obviously SL-1 administrators can't be expected to program a switch
using such archaic methods, and remembering every prompt and required input.
Northern Telecom has developed terminal software that makes the job easier,
which replaces the traditional teletype setup with a PC running their terminal
software. Each copy of the software is sold at upwards of $5000 for a site
license, and you are entered into a license agreement with NT. As Northern
Telecom puts it...

 "Title to and ownership of Meridian SL-1 software shall at all times
remain with Northern Telecom. Meridian SL-1 software shall not be sold
outright and the use thereof by the customer shall be subject to the parties
entering into software agreement as specified by Northern Telecom."

 Each copy contains a serial number which matches the PBX's own serial
number, thus cannot be used on any switch other than one specified in your
license agreement. The software provides a user friendly method to add,
remove, and modify information, without dealing with the unfriendly switch
directly. Initially the software will phone the specified switch, and check
the serial number of the switch. After this, it will load and run the print
overlays, and ascii capture all output, building several database files
locally, on your own system. After this is completed, it disconnects, and
you now have the complete configuration of the switch sitting on your system.
You now make the necessary modifications, and upon completion, the software
again calls the switch, and updates the switches database. The software,
called the Meridian Manager, comes complete with a full internal tutorial on
how to use it, and is very helpful. Thanks Northern Telecom, for making it so
easy!

       Additional Information
       ~~~~~~~~~~~~~~~~~~~~~~

 If you require programming information, probably the handiest piece
of material that I've found is the Data Administration, Generic X11 : Pocket
Reference Guide. This is a pocket book that contains a listing of all
Overlay Programs, possible inputs and error codes. The reference is about
100 pages, and can be ordered from Northern Telecom, the order number being
P0674785,S086/01. Social Engineering may be required.

* Meridian and SL-1 are trademarks of Northern Telecom Limited.

Greetings to Talsfalon, Akalabeth, Okinawa, Mechanix, and all those I've
forgotten. See you at hohocon, we'll be giving away one of the previously
mentioned Pocket Reference Guide's at the raffle.

I can be reached at my email address, iceman@silicon.bison.mb.ca, or my own
system at 204-669-7983.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3

mQCNAiwKJFQAAAEEALaKeir7NjTo0SawUR5jC7EIxTl+f1Yv3AvxwmHMOC0aZJwq
WHqZajrdQ0UXKS6j/2bKgFwfuo76O/KeZmuo4Q05JLRl1epO6SfGMjfSP0zR2y0n
2oSsiA9VNpI/eeZAqJpa15ItpWEXZOwNIHKvTjEqOjADwtVCvkRf68TwYncbAAUR
tCNJY2VtYW4gPGljZW1hbkBzaWxpY29uLmJpc29uLm1iLmNhPg==
=BlEm
-----END PGP PUBLIC KEY BLOCK-----

           Iceman
  * The Digital Resistance *

AOH Site layout & design copyright © 2006 AOH