TUCoPS :: Phreaking General Information :: sys75.txt

Definity System 75 - 85 PBX Hacking


                The Complete Guide to Definity G Series Systems
                           AKA System 75 - 85

                      Written by: Scott Simpson


                               June 18, 1992

          Greets to:  Invalid Media, The Missing Link, Randy Hacker, 
Dark Druid, Nickodemus, Mercury, Renegade, Infinity (enjoy the army!),
Weirdo, TomCat, GarbageHeap, Dark Shadow and The M&M boys for their ToneLoc.

            I am accepting new users on my bbs, leave mail on Unphamiliar
Territory if you wish to call! My board is 14.4k, and has over 250k of 
files, and texts.


     Basic History
     -------------

Definity model systems became in existent in the later part of the 1970's.
In 1983 AT&T came out with a revised model called 75.  This system was
built to hold more incoming lines, and did not have as many errors as the 
earlier version did.  The 1983 version was replaced with a version 
re-written in 1986.  Today the systems are referred to as G models. 
System 75 is now called G1 and 85 is called G2.  A new model is currently
available and is called the Definity G3I wich is Generic 3 w/ Intel chip,
and Definity G3R which is Generic 3 w/ Risk chip.  There are 3 different
versions to each model. Version one is the most common, and it is a 
XE Single Carrier Unit.  The other two version I forgot.  A system will
usually cost somewhere around 50 to 80 thousand dollars.  You MIGHT come
across a smaller version and it is called 'Merlin Legend' this system will
hold about 50-100 lines.  System 75 & 85 will hold around 1000 lines.
Enough history!!!


     Discovering the System
     ----------------------

When you find a system 75 or so, you will make a 1200/NONE connection,
as for most setups have a built in 1200 baud modem.  Normally the carrier
number will not be in the same prefix as the business or the pbx.  And the
line is actually owned by at&t. Try CNA'ing a system 75 line, it will tell
you that it is owned by att.  Once you find a carrier, you will need to be 
able to display ANSI or some equivelent type of terminal graphics.  I 
prefer ansi over strip 7+.  My suggestion is to use ToneLoc which is 
produced by Mucho Maas, and Minor Threat.  As you know this file will scan
for for carriers aswell as tones.  This file can be found on just about
every ELITE H/P bbs.


     Getting into the System
     -----------------------

Getting into the system is the easy part if you have the defaults.  I will
not give out any defaults, you must find them on your own, and you will
find out that alot of people are not willing to trade for them.  The one
account I will give is BROWSE PW:??????.  This default will enable you to 
snoop around and tell whether or not they have a pbx, providing they have
not changed the password or restricted the account.  Browse is usually 
a full operational account without the privledges of altering any data.
But I have come across a couple of systems where browse wouldnt do anything.
Using the browse account is a good way to start.  It is also good to use
anytime you call and dont plan on changing anything.  All actions by browse
are not kept in the system history file. Now on to the actual commands.


     Using System 75
     ---------------

     After logging on to 75, there are several accounts available depending
on the default you are using.  This part will e for the basics and the 
people using browse.  I will explain more next for the more advanced people.
When you logon you will have the commands: LIST, DISPLAY and a couple others
that dont matter.  These are the only ones that you will need with browse.
First type 'DIS REM' (display remote access).  If there is a pbx set on the 
system, it will be shown on the extension line.  The barrier code is the 
code to the dialup.  The extension lie can either be 3 or 4 digits.  Usually
if its 3 digits, it is run off of AUDIX (automated directory exchange) or 
are smart and are hidding the last digit!  Next display the trunk groups,
this will tell you the actual dialups; normally.  If they are not, dont 
panic.  As you go thru the trunk groups, look also at the incoming 
destination aswell as the night destination.  If any of these show the 
remote extension here, there is your pbx.  If doesnt, keep looking thru all
of the trunk groups.  Write down all of the phone numbers it gives you, and
try them. They will usually be found on page three or so.
 Alot of the time, places call forward a back line or so to the 
actual pbx.  If there is no remote access extension when you display the 
remote access, then you are shit out of luck unless you have a higher 
default and read the rest of this text.


     Setting Up Your Own PBX
     -----------------------

     If you have a higher default, you will notice if you type help you have
more commands that are available to you, such as: change, download, etc...
Remember, the company can change the privledges of the defaults, so if you 
can not see these commands, use another default.  The first thing you want 
to do is display the dialplan,  this will tell you the amount of digits and 
the first digit of all of the sequences. ie...

                 Number of Digits
-------1----2----3----4----5----6----7----8----9
--
F 1
I 2        Tac
R 3
S 4             Fac
T 5
  6               Extension
D 7               Extension
I 8        Tac
G 9
I 0
T *
  #

     
All extension will start with either a 6 or 7 and be four digits long.  The
Tac is two digits, and will start with a 2 or 8.  Dont worry about FAC or 
any others.  After you make notes of this, type 'ch rem' (change remote) and
goto the extension line, and put in an extension.  Next find the trunk group
that you want to use, and type 'ch tru #' goto the line for night service
and put the extension in there.  If there is already an extension for night
service on all of the trunks dont fear, KEEP READING.  If not, add it, and 
then save it.  If it says invalid extension, you misread the dialplan.  If
you pick an extension already in use, it will tell you that when you try to
install it in the remote extension line in the remote address.  Once all of
this is completed, you may go back to the remote access, and add a code if 
you like.  NEXT IS VERY IMPORTANT..  Look at the trunk that you installed 
night service.  Write down the COR number.  Cancle that command, and type
'dis cor #'.  Make sure that the Facilities Restriction level.
 (FRL) at the top is set to
7!!!! and under calling party restrictions & called party restrictions the 
word NONE (lower case) is there!  If they are not type 'ch cor #' and do all
of it.  Last, type 'dis feature'  this will display the feature access 
codes for the system.  There will be a line that says something like SMDR
Access Code.  This will be the code that you enter after the barrier code, 
if there is one. I have seen some be like *6 etc...
 Also there will be on page 2 I think something to the like outside call,
usually it is set to 9, but be sure.
 Thats about it for this segment.  All should be fine at this point,
for those that want a 24 hour pbx, this next section is for you. 




     For those of you that are greedy, and want a 24 hour pbx, most of the
steps above are the same.  The only difference is that you will look through
all of the trunks until you come across one that has several incoming rotory
lines in it,  simply write down the port number, and the phone number for 
future reference, and delete it by using the ch command.  From the main 
prompt type 'add tru #', dont change anything! For the TAC enter a correct 
tac number.  Keep going to you get till the COR, enter a valid one, and
remember that the FRL should be set to 7 etc... keep going, the next line
that is vacant and needs something is the incoming destination set it to 
remote extension that you have created.  The next vacant line i think is
type, towards the middle of the page.  Enter ground, and it should print out
ground-start.  Hmm, next goto page 3 and enter the port and phone number
that you wrote down earlier.  Save all of the changes that you have made.
This should be all you need.  In part, if there is a demand, I will tell
how to make a bridge off of a 75.  It is alot more diffucult, and am not
going to sit here and type if no one is interested.  Also in part 2, i will
discuss how to add a vmb to their system for your own use!  Remember, if 
they have AUDIX Voice Mail, THEY HAVE a system 75 so happy hunting, and
see ya soon.


 If you need to get ahold of me, I call The Million Dollar Saloon, 
Unphamiliar Territory.  Just leave mail there, and I will reply as soon
as possible.


Scott Simpson

06/22/1992 



     Basic Terminology
     -----------------
COR - Class Of Restriction
FRL - Facilities Restriction Level 
SMDR - Station Message Detail Recording  
TAC - Trunk Access Code
FAC - Feature Access Code

     Basic Commands for Default Emulation (513)
     ------------------------------------------
Esc Ow - Cancel
Esc [U - Next Page
Esc SB - Save
Esc Om - Help

     Commands for 4410
     -----------------
Esc Op - Cancel
Esc Ot - Help
Esc Ov - Next Page
Esc Ow - Back Page
Esc OR - Save
Esc Oq - Refresh
Esc Os - Clear Fields
                          

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH