TUCoPS :: Phreaking General Information :: cabphrk.txt

Cabinet Phreaking with ITM V3 

 Cabinet Phreaking With ITM V3 - NaNTo

 I managed to place my hands on a partial manual for this *very* interesting
 system and have done some extensive playing around with it. After this ezine
 I will organise some scans so you can all help out working out new commands,
 syntax etc. If you have any information about this system (esp. exchange
 uses etc.) please email at NaNTo199@yahoo.com. I have included the commands
 that I have actually got to work here, but there are more. Considering the
 time and effort I have put into gathering this information it should be well
 worth your reading.

 ITM stands for Individual Trunk Monitoring and is used by Telstra to perform
 service tasks and connections at SLICs or cabinets (whatever you want to call
 them). They are the junction boxes that provide services such as connecting
 home loop runs to pressurised cables and fiber optic cables for the run to
 the exchange, amplification of loops on long runs etc.

 The ITM system is accessed by a serial port on the left lower box of the SLIC
 and the bit protocol used is ASCII. I use my modem port to interface. The
 only problem with this is that you need to have the key for the cabinet to be
 able to access the port. This is obtained by going through a van, or from an
 employee if you can become friends with one (highly recommended.) You could
 also pick it open as access to the system is dependant upon physical access
 to the port only. You also need a program that can transmit on the serial
 port. There are plenty of old DOS programs that perform this function.


 - Commands - 

 When I use <something> that means don't put in the <>, just put in the feeder
 number (or whatever.)

 :FL:<prefix> - Feeder List. This will provide a list of feeder numbers that
 are serviced by this SLIC. The prefix on the end is the reference for the
 group that is to be displayed as the system only seems to give out feeders
 10-25 or so at a time. ** Feeder numbers are like : 0297412719U0201  So the
 first 10 numbers are the actual telephone number, the letter 'U' is the
 feeder group number and I don't know that the other numbers do. You have to
 use *existing* feeder #'s as this system doesn't initialise them, the
 exchange does. However, you can change how the SLIC treats that Feeder #.

 :ATT:<Incoming Feeder #>:<Incoming Feeder #> - Route. I think the ATT stands
 for attach (???) What this does is routes the first feeder number through to
 the second feeder number, creating a loop at the SLIC. The first feeder #
 will be silent and the second feeder # will have a high pitched tone on it.
 If you ring one, you'll be able to listen to the other and vice-versa. You
 can't use it to dial into one and dial out the other which kinda sucks as
 that would have been very useful ;)

 S:ATT:<Incoming Feeder #>:<Outgoing Feeder #> - Route. When I say outgoing
 feeder here, I mean the original feeder connected to a home loop run. This
 routes the Outgoing Feeder #'s home loop run to the specified incoming
 Feeder #. Using this, I have successfully routed a home loop run I had my
 beige box on to another feeder # and rung ANI. I could transfer it back and
 forth at my whim, effectively changing the number of the line I was calling
 from! I don't know what happens to the Incoming Feeder # I 'hijacked' but it
 remained on the feeder list and it could be put back later on with the same
 command.

 :TONE - Put 25,000 hz tone on the line. This doesn't affect the DC conditions
 on the line and is used to find the correct feeder cable once you have added
 the feeder # to the Feeder List and now wish to manually attach it to the
 frame. My guess is there is a line back to the exchange for telling it which
 # to put the tone on. The 25,000 hz is designed to be above human hearing and
 is detecting using an inductive amplifier.

 <Feeder #>:FL - Adds Feeder # to the Feeder List.

 :<Feeder #>:FL - Removes Feeder # from the Feeder List. Can be used to
 disconnect ppl you don't like ;)

 1:GAIN - Adjusts decibel gain of Feeders to home loops by 0.1 db. You can
 also specify other number up to 10. You can also specify negative values,
 which lowers the db instead.

 :1:GAIN - Adjusts decibel gain of Home Loops to Feeders by 0.1 db. The same
 as the first GAIN command, but increases the gain from the other way.


 - Conclusion -

 That is everything that I have got to work so far. When I get access to a
 scanner I will scan the whole manual (or what I have of it) for Phrost Byte
 so you can try out some of the other commands/command sets. Also, there was
 reference in the manual to ITM operations at the exchange itself. I would be
 very interested if anyone has information on that.


 NaNTo - NaNTo199@yahoo.com

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH