The Alcatel LiteSpan 2000
A Phreak's Dream!
Shortfuse, Southbend Hackers Club President:
Figure 1: The LiteSpan 2000 System
So, exactly what is a LiteSpan 2000 Unit? Well, in a nut shell, it is a very large, unmanned sitting duck target for all phreaks. This is my column here on Black Zine, so you will soon become used to seeing me. Lets delve into the world of telecommunications, as we examine in depth, The LiteSpan 2000 System.
History of the LiteSpan 2000 System is a very large subject. The unit evolved when the need for intra-lata telecommunications carriers had maxed out the usefulness of their copper telephone networks. The idea was, have copper lines coming from a customers house, down the street, to the binding posts, in which they would be bundled with other subscribers lines. They would go down the street, terminating into multiple binding post cabinets, such as Figure 2, shown below. From these cabinets, multiple 'trunks' or rather bundles of cable would run to a box, called The LiteSpan Unit. The LiteSpan is not a term used for a type of box, but rather a trademark of the most successful manufacturer of these type of boxes, Alcatel Communications.
The LiteSpan Unit, shown to the left, is about six feet high, four feet deep, and twelve feet wide. The technical term for this type of box is an 'Optical Loop Carrier System'. The basis of the unit, is basically to 'multiplex', that is combine, many POTS (Plain Old Telephone Service) lines, such as those commonly found in homes and small business, onto a single fiber optic line, for long range transmission, from the collection point, to the CBO (Central Billing Office). This is where the term Optical Loop Carrier System originates. The LiteSpan 2000 unit can handle, switch & route up to ten thousand POTS lines at one time.
The unit accomplishes this by using OC carrier lines, most usually OC-12s. The unit can support up to 16 such lines, and they are on a fiber medium. As one could guess, a vast amount of sophisticated processing equipment would be in use to accomplish such a task. To start, a system must be in place to power the unit, that is supply it with electricity to perform its functions. The small, white box on the left side of Figure 1, does just that. A connection, supplied from the local utility company, at 120 Volts AC and 400 Amp service is in use here. A modern home has 200 Amp service. But what if the normal utility power fails, due to a storm or other natural disaster? Plans must be made for this type of event, correct? Of Course! 24 Sealed, lead-acid batteries are set on trays in the lower depths of the unit, serving as a backup power source. The batteries are rechargeable, and are maintained at peak performance by a computer-controlled trickle charge system. The batteries themselves cost in the neighborhood of three hundred dollars each, and have a useful life of about five years. They have an output of 48V DC.
Figure 2: Junction Box
These units also produce alot of heat. Atop each unit, are four large, 19" Rackmount blowers, which will run on a temperature activated switching unit. Inside the units, the entire usable space is taken up with 19" racks. Various interface card racks, fan banks, power conditioners and other such items are used to perform various functions.
The units are so sophisticated, they are able to not only plex POTS services, but also smaller T carrier lines, ISDN and many other digital services. Some of the racks also perform CO (Central Office) functions, such as Coin Return for payphones, Caller ID information processing, Phone Company Voicemail Functions and many others. The units also perform such functions as routing a call hunting circuit, responding to customer requests for special services, such as Automatic Callback, Repeat Dialing and others. One of the most interesting functions, however, is that Centrex functions can be performed at these boxes. Centrex units emulate a PBX for a business customer, but unlike a PBX, the customer does not have to purchase, install or maintain CPE (Customer Premises Equipment). An entire companies voicemail system, call sequencers, switching systems and DID (Direct Inward Dialing) lines can be maintained offsite. The advantages of this are lower cost, better reliability, dedicated telecom techs are not required on staff. The disadvantages of this type of setup are obvious. You are at the mercy of the telephone company, and your information, such as voicemail messages, are available to anyone who access to the equipment, authorized or otherwise. This is very true in areas with a high per capita population of phreaks. Case in point, Southbend, Indiana, in a scenario which unfolded over the course of two months, a group of phreaks and hackers, known as The Southbend Hackers Club, of which this writer is the acting president, allegedly damaged, pilfered, explored, dismantled and dissected over 35 of these units. The group also allegedly cost the local telephone company, Ameritech, an estimated 10 million dollars in damages related to the incident. Needless to say, if and when these networks are compromised, it gets rather expensive, quickly.
So how does the system operate? How does it process information? The LiteSpan units are computerized, and are based on a proprietary operating system designed by the manufacturer. Using the operating system, which comes from the manufacture on 1.44MB floppy diskettes, formatted for MS-DOS based computers, a technician would load the diskettes locally onto a portable computer, connect an RS-232 cable to a card on the box known as an 'Interface Card', and execute commands on the portable computer, which would then send commands to the CPU of the LiteSpan unit via the serial cable connection. Essentially, someone with access to the diskettes, any laptop computer, and an open LiteSpan Cabinet, could take over the system. The operating system is mostly menu driven, and has little security features incorporated into the design. The diskettes are routinely left inside the doors of the LiteSpan Cabinets, as well as numerous manuals, detailing the operation of the software as well as the specifications of the interface cards contained inside. The operating system has total control over the entire unit. A user with control of the operating system thus has control over the LAN of LiteSpan Units.
How do the interface cards operate, and what do they do? Of course this unit is very complex, as it took over four hundred million dollars to develop and prototype this unit, the entire operation of the unit is not known. What is known, is the operation of a few cards, as described below.
The Coin RT card is an interface card that is used with COCOTT Payphones, as well as Fortress Phones. This card is the telephone company's Red Box. It sends the nickel, dime and quarter tones to a pay phone, and receives said tones, instructing the billing systems when money has been deposited into the phone. The card also performs coin return functions, which is where the pay phone is instructed to return the deposited change to the customer, because the call could not be processed from some reason.
This card is responsible for handling the routing of ISDN Services. ISDN is a service offered by the telephone company, which allows to 'B' Channels, which are 64Kbs each, to be combined over a single twisted copper pair, allowing 128Kbps of usable bandwidth to be used. These special circuits used to connect entire offices to the internet, and are digital, so error rates are much lower. The line can handle voice and data traffic simultaneously, with the purchase of optional services. This like having four telephone lines in one, because you can place and receive calls on both B Channels even while connected to the internet.
This special interface card has multiple uses for the technician. Using a portable computer, as a host for the configuration software. Not only does it allow a technician to provision high speed data services, such as ISDN, T-1, T-3, OC-1, OC-3, but it also serves as a diagnostic port. The technician can attach many different types of diagnostic tools to the port, and receive readouts on everything from battery status to recent invalid logins. Some of these items run of the laptop, as a software-based solution. Others, plug into the order wire, and readout information on small LCD displays, or print it out on thermal printers, on a receipt-style tape.
Well, if you have not already guessed, this unit reports the status of all alarms on the unit to the CO. There are different types of alarms, each receiving a certain type of attention. There are fault and intrusion alarms. The fault alarms will tell a technician at a remote location that a malfunction has occurred. Many of these problems do not even require a technician to be dispatched. They can be solved over the LAN. As stated before, The LiteSpan System is networked, and is arranged in a hierarchy. If you have digital cable service, it works much in the same manner. If you call technical support, and report that you are having problems with your service, the technician can reset, reprogram or rehash your box, without any user intervention. Since the LiteSpan unit is not supposed to have anyone inside of it, many commands can be executed right over the link, and the system itself can be rebooted, powered down, or taken offline and a backup node instated to carry the load. The alarms that we worry about the most are the intrusion alarms. All of the doors of the LiteSpan box have a plunger type switch, which is a normally closed circuit. When the door is opened, the plunger is released, opening the circuit. When an absence of voltage appears, the Alarm Comm. Card will initiate communications over the LAN, and alert the CO that a door has been opened. Many times, an entire states alarms will ring in one building. Indiana's alarms ring in Wisconsin. The technician decides whether or not to dispatch an agent immediately, or wait until normal business hours. Usually, the technician at the CO will determine if the LiteSpan box can continue to operate, or if it must come offline. If it must come offline, it is taken offline, and a backup node is called to handle the load. Then, someone will go out to the box itself in the morning, and figure out what happened, if anything. The Alarm Comm. card can be thought of as a relay to the CO of all alarms on the unit.
Ring Generators perform a very simple function: produce the sound that you hear when you pick up a phone and dial someone. Ring Generators take AC voltage and convert to DC, and produce the ring tone. The ring tone is constantly being emitted from the Ring Generator. Whenever a circuit needs a ring tone, it 'borrows' it from the Ring Generator, and releases it upon determination that it no longer needs the tone.
How does one gain access to the cabernet? As far as physical security, you will need a minimum of three items to access the unit. Other items would be needed to perform any type of removal. If you have a can wrench, with a security adapter insert, then you are good to go. If you are not lucky enough to have one, you can improvise. Some of these units are locked with a padlock. A simple pair of bolt cutters will take care of these pad locks. Due to the small diameter of the hole in which the telephone company has to insert the lock though. it limits the size of the shank, thereby not allowing a very strong lock. You will also need a large pair of needle nose pliers, which you insert between the post in the security torx adapter. Then, turning this pair of pliers, you will turn the torx key, hold it all the way to the right, and turn the door handle. It should open. If you release the grip of the torx key, it will lock the handle again. This double authentication method can be problematic if you do not have the can wrench. As far as removing cards from the system, be careful. As you may have guessed, The LiteSpan would respond much like a computer that you yank the processor out of in the middle of an operation. It will perform a abnormal shutdown, and due to the high voltage present in some areas of the cabinet, you may get electrocuted. A close up photo of the handle has been included for your reference.
About the author, Shortfuse. Thank you for reading, and I hope that you have enjoyed my article. I will be contributing to BlackZine every issue now, so you can expect to see alot more of this type of inside information disclosed. I am the current President & Webmaster of The SBHC Global Networks, which currently owns five domains, and has two of them actively online, with the rest planning to be online within the next few months. The Southbend Hackers Club, L.L.C., which is located on the world wide web at http://www.southbendhackersclub.com, is our group's main website, and is a wealth of knowledge. We have many items of interest for download, and a ton of links to other sites that host useful, entertaining and/or interesting content. Our sister company, Phreak Store Enterprises, L.L.C., which is located at http://www.phreakstore.com, specializes in the sale of Phreaking related equipment to phreaks and hackers. As a company run by phreaks, for phreaks, Phreak Store makes available many specialized devices and equipment that is needed to access many of the greater things in the telecommunications industry. Items suck as Can Wrenches, Butt Sets, Telecom Security Bits, Testers & and other accessories are available at our site. The SBHC Global Network is committed to serving hackers and phreakers with some of the best, most informative, useful and entertaining content on the web. Please note that whatever you do with this information is your responsibility, and I take no part in your punishments. This article is written for educations purposes only, and should not be viewed by anyone having the intention of using this information to assist them in committing an illegal act. For those of you who would like to learn more about us, visit one of our websites, or contact me personally by one of these methods:
Phone: (616) 683-9800
Fax: (616) 687-5331
IRC #sbhc on smack.yak.net (2600Net)