____________________________________________________________________________ End Of Intro/TOC Issue #4 The LOD/H Technical Journal, Issue #4: File 02 of 10 The AT&T BILLDATS Collector Written by: Rogue Fed ============================================================================== NOTES: This article will hopefully give you a better understanding of how the billing process occurs. BILLDATS is just one part of the billing picture. Before I began working for the government, I was a Telco employee and thus, the information within this article has been learned through experience. Unfortunately, I was only employed for a few months (including training on BILLDATS) and am still learning more about the many systems that a telco uses. There are however, a couple of lists that were compiled and slightly modified from what little reference material I could smuggle out and my notes from the training class. This article does require a cursory knowledge of telco and computer operations (ie. switching, SCCS, UNIX). INTRODUCTION - ============== BILLDATS - BILLing DATa System BILLDATS can be explained in a nutshell by the acronym listed above. If it's one thing telecommunications providers do well, it's creating acronyms. Basically, BILLDATS collects billing information (that's why they call it a Collector) from AMATs (Automatic Message Accounting Transmitters). The AMATs are situated in or close to switching offices and are connected to BILLDATS either through dedicated or dial-up lines. BILLDATS can be considered as the "middleman" in the billing process. The system collects, validates, and adds identification information regarding origination and destination. This is then transferred to tape (or transmitted directly) to the RPC (Regional Processing Center) or the RAO (Revenue Accounting Office). The RPC/RAO actually processes the billing information. Typically the BILLDATS system is located in the same or adjoining building (but can be across town) to the RPC/RAO. BILLDATS is similar to many other phone company systems (ie. SCCS) as it uses a combination of software. The software base is UNIX and the BILLDATS Generic program runs on it. The hardware used is an AT&T 3B20 (this is what 5ESS switches use). Some of the more interesting features BILLDATS possesses are: * Can be accessed via dialup (always a plus). * Runs under UNIX (another plus). * Interface with SCCS (yet another plus). * Can store about 12 million calls for the first two disks and about 8 million calls for each additional disk. A total of 6 (675 MB) disks can be used. * Inserts the sensor type and ID and recording office type and ID onto every AMA record that it collects. * Capable of collecting information from nearly 600 AMATs. To better understand how/why you get a bill after making long distance phone calls, I have delineated the steps involved. You call Hacker X and tell him all about the latest busts that have occurred, he exclaims "Oh Shit!" hangs up on you and throws all his hacking information into the fireplace. The actual call is referred to as a call event. As each event happens (upon termination of the call) the event is recorded by the switch. This information is then sent via an AMA Transmitter which formats the information and then sends it to BILLDATS (commonly called a "Host Collector"). BILLDATS then provides the information to the RAO/RPC. The billing computer is located at the RAO/RPC. Do not confuse the actual billing system with BILLDATS! The billing computer: * Contains customer records * Credit ratings (in some telcos) * Totals and prints the bill * Generates messages when customers do not pay (ie. last chance and temporary termination of service) When the billing period is over, (typically 25-30 days), many events (it depends on how many calls you have made) have accumulated. A bill is then generated and mailed to you. COLLECTION - ============ BILLDATS collects information in two ways: 1. AMATs 2. Users AMAT input ---------- BILLDATS collects data from the AMAT either directly from the switch, or from a front end which performs some processing on the data before giving it to BILLDATS. The data I am talking about here is usually AMA billing information. The information is in the usual AMA format (see Phantom Phreaker's article in the LOD/H Technical Journal, Issue #3 on AMA for formats and other info). As I said earlier, the recording office and sensor types and IDs have to be added by BILLDATS. The other information that is transmitted is usually maintenance data. The data that is transferred between BILLDATS and an AMAT is accomplished over either dedicated or dialup lines using the BX.25 protocol. This protocol has been adopted by the telecommunications industry as a whole. It is basically a modified version of X.25. User input ---------- This is simply sysadmin and sysop information. INSERTED INFORMATION - ====================== Once the information is collected, additional data (mentioned earlier) must be inserted. The information that BILLDATS inserts into the AMA records it receives depends on whether the AMAT is a single or multi-switch AMAT. Either way, the data is passed through the DEP. The DEP is a module which is part of the LHS (Link Handler Subsystem) that actually inserts the additional data. It also performs other functions which are rather uninteresting to the hacker. The LHS manages the x-mission of all the collected information. This is either through dedicated or dialup lines. The LHS is responsible for: * Logging of statistics as related to the performance of links. * Polling of remote switches for maintenance and billing information. * Passing information to the DEP in which additional information is inserted. * Storing billing information. * Other boring stuff. AMATS - ======= Basically an AMAT is a front end to the switch. The AMAT: * Gets AMA information from the switch. * Formats and processes the information. * Transmits it to BILLDATS. * An AMAT can also store information for up to 1 week. The following is a list of switches and their related AMAT equipment that BILLDATS obtains billing information from: 1A ESS: This is usually connected to a 3B APS (Attached Processor System) or BILLDATS AMAT. 2ESS: This is connected to an IBM Series 1 AMAT. 2BESS: Connected to a BILLDATS AMAT. 4ESS: Connects to 3B APS. 5ESS: Direct connection. TSPS 3B:Direct connection. DMS-10: Connects to IBM Series 1 AMAT. There are other AMATs/Switches but they must be compatible with the BILLDATS interface. ACCESSING BILLDATS - ==================== Even though a system is UNIX based, that doesn't mean that it is a piece of cake to get into. Surprisingly (when you think about the average Intelligence Quotient of telco personnel) but not surprisingly (when you consider that the information contained on the system is BILLING information--the life blood of the phone company) BILLDATS is a little more secure than your average telco system, except for the fact the all login IDs are 5 lower case characters or less. BILLDATS can usually be identified by: bcxxxx 3bunix SV_R2+ where: bc = B(ILLDATS) C(ollector). xxxx = The node suffix. This is entered when the current Generic is installed. 3bunix = This simply indicates that UNIX is running on an AT&T 3Bxx system. SV_R2+ = Software Version. The good news is that there is a default username when the system is installed. The bad news is that upon logon, the system forces you to choose a password. The default username is not passworded initially. The added security feature is simply that the system forces all usernames to have passwords. If it doesn't have an associated password, the system will give you the message: "Your password has expired. Choose a new one" A 6-8 character password must then be entered. After this you will be asked to enter the terminal type. The ones provided are AT&T terminals (615, 4425, and 5420 models). Once entered a welcome message will probably be displayed: "Welcome to the South Western Bell BILLDATS Collector" "Generic 3, Issue 1" "Tuesday 01 Aug 1989 12:44:44 PM" dallas> The BILLDATS prompt was displayed "dallas>" where dallas is the node name. There are 3 privilege levels within BILLDATS: 1. Administrator 2. Operator 3. UUCP * Administrator privs are basically root privs. * An account with Operator privs can still do about anything an Admin can do except make data base changes. * UUCP privs are the lowest and allow file transfer. Commands -------- Just like SCCS, UNIX commands can be entered while using BILLDATS. The format is: dallas>run-unx:$unix cmd; All unix commands must be preceded by "run-unx:" and end with a semicolon ";". The semicolon is the command terminator character (just like Carriage Return). BILLDATS isn't exactly user friendly, but it does have on-line help. There are a number of ways that it can be obtained: dallas> help-?; or help-??; or ?-help; or ??-help; If you want specific help: dallas> help-(command name); I can list commands forever, but between UNIX (commands every hacker should be familiar with) and help (any moron can use it), you can figure out which ones are important. Error Messages -------------- Just like SCCS, BILLDATS has some rather cryptic error messages. There are thousands of error messages, once you know a little about the format they are easier to understand. When a mistake is made, something similar to the following will appear: UI0029 (attempted command) is not a valid input string. ^ ^- error message information | |-- This is the subsystem and error message number The following is a brief description of subsystem abbreviations: BD: BILLDATS system utilities. Errors associated with the use of utility programs will be displayed. DB: Data Base manager. These messages are generated when accessing or attempting to access the various Data Bases (explained later) within BILLDATS. DM: Disk Manager. Basically, information pertaining to the system disk(s). EA: Error and Alarm. As the name implies, system errors and alarms. LH: Link Handler. Messages related to data link activity, either between BILLDATS and the AMAT or BILLDATS and the RAO/RPC. SC: Scheduler. The scheduler is BILLDATS' version of the UNIX cron daemon. BILLDATS uses cron to schedule things like when to access remote systems. TW: Tape Writer. Messages related to storing billing information on tapes which will then be transported to the RAO/RPC. UI: User Interface. This was used in the above example. Displays syntax, range or status errors when entering commands. DL: Direct Link. Instead of BILLDATS information being written to tape, a direct link to the RPC/RAO mainframe (the actual billing system computer) can be accomplished. This is usually done when BILLDATS is located far away from the RPC/RAO office as there is always some risk involved in transporting tapes, and that risk increases the farther away the two offices are. Another neat thing about Direct Link is that the billing data can be sent across a LAN (Local Area Network) also. Obviously this incurs some concerns regarding security, but from what I have heard and seen, AT&T and the BOC's typically choose to ignore the security of their systems which suits me just fine. The Direct Link is an optional BILLDATS feature and if it is in use, messages related to its operation are displayed with the DL prefix. BILLDATS DATA BASES - ===================== The databases contain all kinds of useful information such as usernames, switch types, scheduled polling times, etc. The AMAT Data Base contains: * Type of switch * Sensor type and identification * AMAT phone number * Channel and port number/group * Other boring information The Port Data Base contains: * Communications information (like L-Dialers on UNIX Sys. V) * Channel and port information * Other boring information The Collector Data Base contains: * Collector office ID * Version number of the Data Base * Number and speed of any remote terminals * When reports are scheduled for output * Other boring information CONCLUSION - ============ If you are not technically oriented, I hope this article helped you understand how you get your bill. I assumed that you would skip over the commands for using BILLDATS and similar information. If you are technically oriented, I hope I not only helped you understand more about the billing process, but also increased your awareness of how detailed the whole process is. And if you do happen to stumble onto a BILLDATS system, you have been pointed in the right direction as far as using it correctly is concerned. I tried to leave out all the boring details, but some may have slipped by me. I reserved the right to omit specific details and instructions regarding any alteration or deletion of calls/charges for my own use/abuse. The Rogue Federal Agent