% % % % % % % % % % % % % % % % % % %
% % % % % % % % % % % % % % % % % % % %
% % % %
% AT$T 5ESS(tm) %
% % From Top to Bottom % %
% %
% % % %
% by: Firm G.R.A.S.P. %
% % % %
% % % % % % % % % % % % % % % % % % % %
% % % % % % % % % % % % % % % % % % %
Introduction
~~~~~~~~~~~
Welcome to the world of the 5ESS. In this file I will be covering
the switch topology, hardware, software, and how to program the switch. I
am sure this file will make a few people pissed off over at BellCORE.
Anyways, the 5ESS switch is the best (I think) all around switch. Far
better then an NT. NT has spent too much time with SONET and their S/DMS
TransportNode OC48. Not enough time with ISDN, like AT$T has done. Not only
that, but DMS 100s are slow, slow, slow! Though I must hand it to NT, their
DMS-1 is far better then AT&T's SLC-96.
What is the 5ESS
~~~~~~~~~~~~~~~
The 5ESS is a switch. The first No. 5ESS in service was cut over in Seneca,
Illinois (815) in the early 1982. This test ran into a few problem, but all
and all was a success. The 5ESS is a digital switching system, this
adcantage was realized in No. 4 ESS in 1976. The 5ESS network is a TST
(Time Space Time) topology, the TSIs (Time Slot Interchangers) each
have their own processor, this makes the 5ESS one of the faster switches.
Though I hear some ATM switchs are getting up there.
5ESS System Architecture & Hardware
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5ESS SYSTEM ARCHITECTURE
OSS Data Links
^ ^ ^
| | |
| | |
......|.|....|......
: v v v :
: ------------- :
: | | :
: | Input | :
........................... : | Output |====== TTY/CRT
----------- : : : | Processor | :
| Switch |<=========== : : ------------- :
| Module |<========] | : : ^ ..............
----------- : v v : : | :
o : ======= ---------- : : | ------------ :
o : | TMS |<->|Message | : : | | Main | :
o : | |<->|Switch |<============ | | Store | :
----------- : ======= ---------- : : | | -----.------ :
| Switch | : ^ ^ : : | | | :
| Module |<========= | : : v v | :
-----------<=========== : : -------------- | :
:.........................: : | 3B |======= :
: | Central | :
: | Control |<=====> Disk! :
: -------------- :
: :
................................:
COMMUNICATIONS MODULE ADMINSTRATIVE MODUAL
The 5 ESS is a digital SPC switching system which utilizes distributed
control, a TST switching network and modular hardware and software design.
The major components are:
ADMINSTRATIVE MODUAL
Two 3B20S Processors (Which equal a 3B20D)
- Central control and main storage
- Disk storage for infrequently used programs and data, and main storage
regeneration.
- The two 3B20S processors are always compairing data, and when one fails
the other acts in its place.
Two Input/Output Processors (IOP)
- Provides TTY and data-link interfaces to the 3B20D Processor, 5ESS
Network, Master Control Center (MCC), and various Operational Support
Systems (OSS). Here is a list of the defult TTY (also called
"channels")
tty Channel Name
ttyA Master control console (MCC) terminal.
ttyB Master control console (MCC) terminal.
ttyC Traffic report printer
ttyJ supplementary trunk and line work station (STLWS) terminals
ttyK supplementary trunk and line work station (STLWS) terminals
ttyL supplementary trunk and line work station (STLWS) terminals
ttyM supplementary trunk and line work station (STLWS) terminals
ttyN supplementary trunk and line work station (STLWS) terminals
ttyO supplementary trunk and line work station (STLWS) terminals
ttyP Repair service bureau - Recent change and verify (RSB-RCV)
ttyR Office records printer
ttyQ Switching control center-recent change and verify (SCC-RCV)
terminals
ttyR Repair service bureau-automatic line insulation testing
(RSB-ALIT) terminal.
ttyS Switching control center-recent change and verify (SCC-RCV)
terminals
ttyT Switching control center-recent change and verify (SCC-RCV)
terminals
ttyU Belt line B
ttyV Local recent change and verify (RCV) terminal
ttyW Remote recent change and verify (RCV) terminal.
ttyY Network administration center (NAC) terminal.
ttyZ The switching control center (SCC) terminal.
ttyi SLC(R) carrier maintenance
ttyj STLWS - fifth of six
ttyk STLWS - sixth of six
ttyl STLWS - first of six
ttym STLWS - second of six
ttyn STLWS - third of six
ttyo STLWS - fourth of six
ttyp RCV/Repair Service Bureau
ttyq RCV/Network Administration Center
ttyr ALIT/Repair Service Bureau
ttys Maintenance
ttyt Maintenance
ttyu Belt line A
ttyv Local RC/V
ttyw Remote RC/V
ttyx Maintenance Control Center/Switching Control Center System
(MCC/SCCS)
ttyy Maintenance Control Center/Switching Control Center System
(MCC/SCCS)
ttyz Maintenance Control Center/Switching Control Center System
(MCC/SCCS)
FILE Destination file name in /rclog partition
mt00 High-density tape device, rewind after I/O
mt04 High-density tape device, does not rewind after I/O
mt08 Low-density tape device, rewind after I/O
mt0c Low-density tape device, does not rewind after I/O
mt18 Low-density tape device, rewind after I/O
mt1c Low-density tape device, does not rewind after I/O
mttypc0 Special tape device, IOP 0, rewind after I/O
mttypc1 Special tape device, IOP 1, rewind after I/O.
Two Automatic Message Accounting (AMA) units
- Uses data links to transport calling information to central revenue
accounting office and AMA tape. Here is the basic structure AMA
structure for the OSPS model.
- Called customer's telephone number, either a
seven- or ten-digit number
- Calling customer's telephone number, seven digits
- Date
- Time of day
- Duration of conversation.
COMMUNICATIONS MODULE
Message Switch (MSGS)
- Provides for control message transfer between the 3B20D Processor and
Interface Modules (IM's)
- Contains the clock for synchronizing the network.
Time Mutiplexed Switch (TMS)
- Performs space division switching between SM's
- Provides permanent time slot paths between each SM and the MSGS
for control messages between the Processor and SM's (or between SM's)
Switching Modual (SM)
- Terminates line and trunks
- Performs time division switching
- Contains a microprocessor which performs call processing function
for the SM
5ESS - SWITCH MODUAL
--------------
| |
| SMPU |
|------------|
--------- | |
| | (64) | |
Analog Sub Lines <---->| LU |<-------->| |
|-------| | |
| | (64) | |
Analog Trunk Lines <-->| TU |<-------->| | (256)
|-------| | TSIU |<--------> NCT
| | | | Links
| | (128) | 512 | to
SLC-96 Remote <------->| DCLU |<-------->| Time |<--------> TMS
| | | Slots |
|-------| | |
| | | |
| | | |
| | | |
| | (256) | |
T1 Lines <---------->| DLTU |<-------->| |
| | | |
| | | |
| | |------------|
--------- | |
| DSU |
--------------
COMMON COMPONENTS OF THE SWITCH MODULE (SM)
Switch Module Processor Unit (SMPU)
- Contains microprocessors which perform many of the call processing
functions for trunks and links terminated on the SM.
Time Slot Interchange Unit (TSIU)
- 512 time slot capacity
- Connects to the TMS over two 256-time slot Network Control and Timing
(NCT) links.
- Switches time slots from Interface Units to one of the NCT links (for
intermodule calls).
- Switches time slots from one Interface Unit to another within the SM
(for intramodule calls).
Digital Service Unit (DSU)
- Local DSU provides high usage service circuits, such as tone decoders
and generators, for lines and trunks terminated on the SM.
- Global DSU provides low useage service circuits, such as 3-port
confrence circuits and the Transmission Test Facility, for all lines
and trunks in the office (requires 64 time slots).
The SM may be equipped with four types of Interface Units:
Line Unit (LU)
- For terminating analog lines.
- Contains a solid-state two-stage analog concentrator that provides
access to 64 output channels. The concentrator can be fully equipped to
provide 8:1 concentration or can be fully equipped to provide 6:1 or 4:1
concentration.
- Each TU requires 64 time slots.
Trunk Unit (TU)
- For terminating analog trunks.
- Each TU requires 64 time slots.
Digital Line Trunk Unit (DLTU)
- For terminating digital trunks and RSM's.
- Each fully equipped DLTU requires 256 time slots.
- A maximum of 10 DSls maybe terminated on one DLTU.
The SM may be equipped with any combination of LU's, TU's, DCLU's and DLTU's
totaling 512 time slots.
5ESS System Software
~~~~~~~~~~~~~~~~~~~
The 5ESS is a UNIX based switch. UNIX has played a large part in
switching systems since 1973 when UNIX was use in the Switching Control Center
System (SCCS). The first SCCS was a 16 bit microcomputer. The use of
UNIX for SCCS allowed development in C code, pseudo code, load test,
structure and thought. This led the development of the other switching systems
which AT$T produces today (such at System 75, 85, 1AESS AP, and 5ESS).
NOTE: You may hear SCCS called the "mini" sometimes
The 5ESS's /etc/getty is not set up for the normal login that one would
expect to see on a UNIX System. This is due to the different channels that
the 5ESS has. The some channels are the TEST Channel, Maintance Channel,
and RC Channel (which will be the point of focus). Once you are on one
channel you can not change the channel, as someone has said " it is
not a TV!" You are physically on the channel you are on.
Test Channel
~~~~~~~~~~~
The TEST channel is where one can test lines, and test the switch itself.
This is where operating support systems (such as LMOS) operate from.
This channel allows one to monitor lines via the number test trunk aka
adding a third trunk), voltage test and line seizure.
Here is a list of OSSs which access the test channels on the 5ESS.
Group Operating Support Systems
Specal Service Center
SMAS via NO-Test
SARTS (IPS)
NO-TEST trunk (from the switch)
TIRKS
17B and 17E test boards (CCSA net using X-Bar)
RTS
BLV
POVT
DTAC
etc...
Repair Service Bureau
#16LTD
#14LTD
LMOS (IPS)
MLT-2
ADTS
TIRKS
TFTP
TRCO
DAMT
ATICS
etc...
SCC Channel
~~~~~~~~~~
The SCC channel is where the SCC looks and watches the switch 24 hours a day,
seven days a week! From this channel one can input RC messages if nessary.
A lot of people have scanned these out, and though they were AMATs. Well this
is in short, WRONG! Here is a sample buffering of what they are finding.
-----------------------------------------------------------------------------
S570-67 92-12-21 16:16:48 086901 MDIIMON BOZOVILL DS0
A REPT MDII WSN SIGTYPE DP TKGMN 779-16 SZ 21 OOS 0
SUPRVSN RB TIME 22:16:48 TEN=14-0-1-3-1 TRIAL 1 CARRFLAG NC ID
OGT NORMAL CALL CALLED-NO CALLING-NO DISCARD 0
S4C0-148963487 92-12-21 16:17:03 086902 MAIPR BOZOVILL DS0
OP:CFGSTAT,SM=1&&192,OOS,NOPRINT; PF
S570-67 92-12-21 16:17:13 086903 S0 BOZOVILL DS0
M OP CFGSTAT SM 5 FIRST RECORD
UNIT MTCE STATE ACTIVITY HDWCHK DGN RESULT
LUCHAN=5-0-0-3-4 OOS,AUTO,FE BUSY INH CATP
LUCHAN=5-0-0-2-5 OOS,AUTO,FE BUSY INH ATP
LUCHAN=5-0-0-0-3 OOS,AUTO,FE BUSY INH ATP
LUCHAN=5-0-0-3-5 OOS,AUTO,FE BUSY INH ATP
LUHLSC=5-0-0-1 OOS,AUTO,FE BUSY INH ATP
LUCHAN=5-0-0-0-2 OOS,AUTO,FE BUSY INH CATP
LUCHAN=5-0-0-3-6 OOS,AUTO,FE BUSY INH ATP
LUCHAN=5-0-0-1-4 OOS,AUTO,FE BUSY INH ATP
S570-983110 92-12-21 17:09:53 144471 TRCE WCDS0
A TRC IPCT EVENT 2991
DN 6102330000 DIALED DN 6102220001
TIME 17:09:52
------------------------------------------------------------------------------
This has nothing to do with AMA, this is switch output on say the SCC
channel. This is used by the SCCS for logging, and monotering of alarms.
The whole point of this channel is to make sure the switch is doing what it
should do, and to log all activity onthe switch. NOTHING MORE!
To go into these messages and say what they are would take far too long,
order the OM manuals for the 5ESS, watch out, they are about 5 times the size of
the IM (input manual) set. On average it takes someone three years of training
to be able to understand all this stuff, there is no way anyone can write a
little file in Phrack and hope all who read it understand everything about the
5ESS. RTFM!
RC Channel
~~~~~~~~~
The RC/V (Recent Change/Verify) Channel is where new features can be added or taken
away from phone lines. This is the main channel you may come in contact with,
if you come in contact with any at all. When one connects to a 5ESS RC/V channel
one may be dumped to a CRAFT
shell if the login has not been activated. Access to the switch when the
login is active is controlled by lognames and passwords to restrict
unwanted entry to the system. In addition, the SCC (Switching Control
Center) sets permission modes in the 5ESS switch which control the RC
(recent change) security function.
The RC security function determines whether recent changes may be made
and what types of changes are allowed. If a situation arises where the RC
security function denies the user access to recent change via RMAS or RC
channels, the SCC must be contacted so that the permission modes can be
modified. (Hint Hint)
The RC security function enables the operating telephone company
to decide which of its terminals are to be allowed access to which
set of RC abilities. NOTE that all verify input messages are always
allowed and cannot be restricted, which does not help too much.
The RC security data is not part of the ODD (office dependent data).
Instead, the RC security data is stored in relatively safe DMERT operating
system files which are only modifiable using the following message:
SET:RCACCESS,TTY="aaaaa",ACCESS=H'bbbbb;
where: aaaaa = Symbolic name of terminal in double quotes
H' = Hexadecimal number indicator in MML
bbbbb = 5-character hexadecimal field in 5E4 constructed
from binary bits corresponding to RC ability.
The field range in hexadecimal is from 00000 to
FFFFF.
This message must be entered for each type terminal (i.e.
"aaaaa"="rmas1", "rmas2", etc., as noted above in
TTY explanations).
NOTE: Order IM-5D000-01 (5ESS input manual) or OM-5D000-01 (5ESS output manual)
for more information on this and other messages from the CIC at 1-800-432-6600.
You have the money, they have the manuals, do not ask, just order. I
think they take AMEX!
When the message is typed in, a DMERT operating system file is created
for a particular terminal. The content of these files, one for each terminal,
is a binary field with each bit position representing a unique set of RC
abilities. Conversion of this hexadecimal field to binary is accomplished
by converting each hexadecimal character to its equivalent
4-bit binary string.
----------------------------------------------------------
HEX BINARY | HEX BINARY | HEX BINARY | HEX BINARY
-------------|--------------|--------------|--------------
0 0000 | 4 0100 | 8 1000 | C 1100
-------------|--------------|--------------|--------------
1 0001 | 5 0101 | 9 1001 | D 1101
-------------|--------------|--------------|--------------
2 0010 | 6 0110 | A 1010 | E 1110
-------------|--------------|--------------|--------------
3 0011 | 7 0111 | B 1011 | F 1111
----------------------------------------------------------
Each bit position corresponds to a recent change functional area.
A hexadecimal value of FFFFF indicates that all bit positions are
set to 1 indicating that a particular terminal has total RC access. Also,
verify operations as well as lettered classes are not included in the
terminals security scheme since all terminals have access to verify views
and lettered classes.
In addition, maintenance personnel are able to verify the security
code for any terminal by typing the following message from either
the MCC (Master Control Center) or SCCS (Switching Control Center System)
Mini terminal:
OP:RCACCESS,TTY="xxxxx";
where: xxxxx = symbolic name of terminal in double quotes.
Each bit position corresponds to a recent change functional area.
To ensure redundancy, DMERT operating system files are backed up
immediately on disk by the SCC.
The input message that defines the password and CLERK-ID (another name for
username) is in the Global RC feature. This input message defines a clerk-id
and associated password or deletes an existing one. (Recall that CLERK-ID and
PASSWORD are required fields on the Global RC Schedule view 28.1 in
RCV:MENU:APPRC, but more on this later)
This new input message is as follows:
GRC:PASSWORD,CLERKID=xxxxxxxxxx,[PASSWD=xxxxxxxx|DELETE]
Note: CLERKID can be from 1 to 10 alphanumeric characters and
PASSWORD from 1 to 8 alphanumeric characters.
This input message can only be executed from the MCC or SCCS
terminals, and only one password is allowed per CLERK-ID. To
change a clerk-id's password, this message is used with the same
CLERK-ID but with a different password.
Global RC Schedule View 28.1 from the RC/V Recent Change Menu System
----------------------------------------------------------------------------
5ESS SWITCH WCDS0
RECENT CHANGE 28.1
GLOBAL RECENT CHANGE SCHEDULING
*1. GRC NAME __________
*2. SECTION _____
#3. CLERK ID __________
#4. PASSWORD ________
5. MODE _______
6. RDATE ______
7. RTIME ____
8. SPLIT _
9. SPLIT SIZE _____
10. MAX ERRORS _____
11. VERBOSE _
----------------------------------------------------------------------------
When the security is set up on the RC/V channel, one will see:
----------------------------------------------------------------------------
5ESS login
15 WCDS0 5E6(1) ttsn-cdN TTYW
Account name:
----------------------------------------------------------------------------
There are no defults, since the CLERK-ID and the password are set by craft,
but common password would be the name of the town, CLLI, MANAGER, SYSTEM,
5ESS, SCCS1, SCC, RCMAC, RCMAxx, etc,...
If one sees just a " < " prompt you are at the 'craft' shell
of the RC/V channel, the 5E login has not been set. The Craft shell is
running on the DMERT (which is