Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Phreaking General Information :: med-te~2.htm

MED Guide to UK Telephonics 2

Presents a guide to UK Telephonics. 2 -+ 0Line +- of the -+ MED +-
(an infamous source of gnosis)
in Spring, 1997
Presents a guide to UK Telephonics.2
============= Part (iv) =============


Since shit went digital, boxing without backwards compatability has
more or less gone up the creek. These days, to box the UK for REAL, you
would need a modem and the ability to splice into a PCM line and speak
signal talk. Sure, there may be backdoors, but things aren't what they used
to be. Signalling is a very complex affair these days, so i'm not going to
say to much about it.. well perhaps just a little..

The purpose of a telephone exchange is to switch calls and charge the
subscribers accordingly. In order for a System-X or AXE10 exchange to do
this, it is given a data-build which feeds it with the relavent routing
infomation. In an exchange, the software responsible for call control is
the Control Processing Subsystem (CPS). The areas of infomation handled by
the CPS are the subscriber infomation, call routing, routes & circuits and
call charging infomation. CPS is contructed of both terminal and transit
call control.

When a phone number is dialled, the digits sent go through what is known as
a digit decode. Transit Call Control supports interworking with the rest
of the existing network. The digit decode under Transit Call Control is thus:

Digit 0 indicates a National Decode
Digit 1 indicates a Service Decode
Digit 2-9 indicates a Local Decode

Whilst there are loads of different types of phone traffic:

1. SERV (Service)
2. LND (Local Number Dialled)
3. NNDT (National Number Dialled)
4. INDT (International Number Dialled)
5. NNDJ (National Number Dialled Junction)
6. INDJ (International Number Dialled Junction)
7. NIDT (National/International Dialled Trunk)
8. NIDJ (National/International Dialled Junction)
9. COMB (Combined)
10. UAXC (UAX Combined)
11. MSAC (Miscellaneous Access)
12. TKO (Trunk Offering)
13. NAMC (National Auto Manual Centre)
14. IAMC (International Auto Manual Centre)
15. AMNI (National/International Auto Manual Centre)
16. AMCC (Auto Manual Centre Combined)
17. AMCS (Auto Manual Centre Service)
18. TABC (Transit Network ABC)
19. TBC (Trunk Transit BC)
20. TC (Transit Network C)
21. CRTG (Code Routing)
22. SVI (Service Interception)
23. CNI (Changed Number Interception)

And you'd be having a laugh if you thought I was going to talk about
all of them. Service traffic is for those numbers 1xx, like the operator, or
the SALT (Subscriber's Automatic Line Test) test line, 175. Strictly, 999,
the emergency operator, is also on service traffic. The 'real' number for
the emergency operator is just '99', which would mean that dialling '199'
would give you the same operator because the '1' is absorbed at the first
stage to identify the traffic as service. Dialling 199 used to get the
operator, but not anymore as it has been barred to only allow calls from
a certain route (incidentally, 17099 now works at emergency operator). If
you live in somewhere like London and your prefix starts with 99, then
in overload conditions, whilst others lines cannot be reached, yours would
be able to be contacted because calls to exchanges with prefix 99x are
allow to proceed due to the emergency operator being 999.

A brief insight into CCS & PCM

The signalling infomation between switches now runs independantly from
the actual speech paths, thus there is no necessery connection between
the two. When signalling was in-band, the infomation ran along the same
lines (or channels) as the speech and thus a caller could jump onto a trunk
if he had the right control freqs (typically, it was 2280Hz).
Today, BT use a system called PCM, or Pulse Code-Modulation, which cuts all
the infomation from several calls into lots of packets, and sends them in
turn down a single line. One of the channels, or timeslots, is reserved for
signalling and it controls all of the channels in question. The UK system
that does this is known as Common Channel Signalling.

speech channels 01-15 speech channels 16-30
/ \ / \
TS0 | TS1 | TS3 | TS3-14 | TS15 | TS16 | TS17 | TS18-29 | TS30 | TS31
^ ^
| |

TS 0 is used for allignment/sync,
TS 16 is used for Common Channel Signalling,
TS 1-15 and 17-31 are used as speech channels.

Now, this CCS method in PCM is not like the normal method of 30 channel PCM
signalling. For example, in normal PCM land, our exchange has hit a bit of
a quite spell where all the speech channels are free. On the standard PCM
systems, TS16 is constantly signalling that channels 1-30 are free. This
means that even when there is no speech (or whatever) on the lines, channel
sixteen if full of signalling infomation.

CCS is different. TS16 (timeslot 16) would send Ch.1 Free, Ch.2 Free......
Ch.30 free once and then it wouldn't send anything else until one or more
of the channels become busy again.

CCS is the standard method of signalling between digital exchanges and
is based upon CCITT No 7.

CCITT is the abbreviation for the Consultative Commitee for International
Telegraphs and Telephones, and CCITT No 7 Signalling system (also known as
C7) is the specification for the transmission of signalling for speech and
data over a digital system. This is based upon some sort of international

In C7, a message is sent to say that a message (speech or data) is following.
The signals are sent contain codes giving both the destination and
origination of the message, so that the recieving end can send a message back
to confirm the message or to say that it failed to arrive or is not
intact. The message and the signal can use different routes, if there is
a fault in a line then they can be re-routed without and loss of signal or
message. I don't know if its of any significance to anyone, but here are
the some 'codez' for BT CCS:

Time Slot 16 Signalling Codes for British CCS:

Digits 1-4(5-8) Signalling Condition Foward Signalling Condition Backward
1 1 1 1 Circuit idle Circuit busy
0 0 1 1 Circuit seized Called subscriber busy
1 0 1 1 Dial break Not used
0 1 1 1 Not used Circuit free
0 0 0 1 OOR Manual hold
1 0 0 1 Not used CFC
1 1 0 1 Disconnect code (AC8 only) Disconnection code (AC8 only)
0 1 0 1 Earth code (AC8) Earth code (AC8)
0 0 0 0 Not to be used.

Any other codes and those 'not used' should not cause a response in a
recieving unit. Manual Hold is the signalling condition that operators
use where they have control over the call rather than you the caller, and
therefore you can't hang up unless they do. Most of the major links are
19.2 or 14.4 baud but it is likely that they will be done up towards the
64Kbps arena.

Three major call carriers, London, Tokyo and New York are connected
over three 64Kbps links. These links consist of two satallites (over the
Indian & Pacific oceans) and one Transatlantic Submarine Cable, between
London and NY. The routing is varible, last Christmas, when the
call count was one of the highest ever recorded, if you called Australia,
it is likely that your call would have been sent to America first, and
then rerouted to Japan (that connects to Australia) before your call was
connected. It should be noticed that England carries, from a Digital
Service Unit in London, a very high percentage of Europe's traffic. These
arn't the only connections by any notion of the idea, we in England, have
many DISCs (Digital International Switching Centre) situated far outside
London, and the London, NY, Tokyo links only route so far (not to Russia for

======== Part (xxx) =========


As a bit of a file-filer, i'll just do a quick list of the
network-support systems that BT use. The total number of systems that BT
use is actually very big, and there is a lot of hacker potential there if
you'd only look.

TXD Operations & Maintenance: OMC/OMUSS
EIR (Local + Trunk)
Telecom Gold (RIP)
Transmission Network Surveillance: TONS/NETMON
Building Services Operation, Maint: AMPERE
Network Control Centre: WILDFIRE
Customer-Facing Organisation: ARSCC
Circuit Provision: OMS
Network Performance Monitoring OMC/OMUSS

Access is provided via T-NET, Telecom's internal network.
(Stolen from BTEngineering, Vol9, Pt3)

===================== Part (xxxx) =======================


Central London is vastly dominated by a wealth of buildings owned by
B.T, and in some cases, BT & the GPO (since Telecom went private). The
greater number of buildings are around the Holborn area, North of the
Thames and again, on the South side. This area is also one that gives itself
to the communications industry underground; BT & the GPO own the monopoly of
tunnels, private train lines, cable runs, exchanges... the sort of things
adventurers of the great concrete-jungle would die for.

Without going into to much politics, the Cold War was a cause for the
growth-spurt of London in many areans - particularly underground, and was
a great excuse for GPO to recieve lots of funding from the government (in
the form of our taxes). What we were paying for at the time was kept under
wraps under the Official Secrets Act until a certain newspaper incident in
The Times which let the cat out of the bag. The government and GPO were
hell-bent on making sure their communications would be secure in war time
(should a nuclear bomb fall), digging deeper and deeper underground and
building up a very dense network of tunnels, cables and switches underground.

The most noteable underground exchange is the one situated at High
Holborn (not that you would have ANY chance of knowing if you went there),
under Chancery Lane Underground station, running from there to Red Lion
Square, which is a little to the East. Incidentally, if you would visit Red
Lion Square, you will notice a strange presense in terms of phone companies
as BT, Mercury, Cable & Wireless, and a few others seem to have all bought
buildings around this little green patch! Strange coincidence! The exchange
also runs a little west, up to the BT building (forget the name) on the
corner where Holborn and Hatton Garden meet. If you walk this stretch, there
is a noticable number of BT buildings along this one road.. all fairly
undiscreet (apart from the one I just mentioned which is a fancy fucker) and
tucked away. It leads up to about Proctor House which is next to the
McDonalds. BTW; if you are inclined in a phreak/hack sort of way, don't try
and trash these places because they seem to use renta-tramps to sleep outside
their buildings and scare people away.

Eating, sleeping, and working facilities are provided on the under the
Red Lion Square side of the exchange, whilst the telecommunications plant,
generators and repeator stations occupy the Hatton Garden side. The four
extension tunnels under Chancery Lane Underground station house switching
units and an artesian well. The Holborn tunnels run east under London Wall
via the exchange/P.O in Moorgate (code named the Fortress.. probably because
it is on Fore Street) and then to an exchange near Liverpool street station
and onwards, eventually running south under the Thames. Most of these cable
runs are in alignment with the underground P.O railway (which not quite as
extensive as our own Underground network, but getting there) because it was a
lot cheaper that way. On the western end of the Holborn tunnel, two
extensions were made, one North-West under Gerrard Street P.O towards
Paddington District P.O, and another via Covent Garden T.E to Trafalgar
Square PO, where it links up with the governments own Whitehall tunnels. Some
of these cable-tunnels are up to seventeen feet in diameter, although most of
the newer tunnels, implented by the P.O as mailcarriers and BT and cable-runs
are now smaller. The tunnels themselves are well-ventilated and neon-lit,
accessable through any of the post-offices they run between, or from any of
the man-hole covers dotted throughout London, apparently the New Statesman
held an Xmas party in one of them in Decemeber 1980!?.

Needless to say, the exchange under Holborn has undergone numerous
upgrades since 1954 (when it was opened), even though it could already
handle 2 million calls a day then. The exchanges in this area form much of
the backbone of GCHQ and are likely subject to frequent visitation from the
Tinkerbell Squad, conveniantly close to an international telephone exchange
or two. Faraday DISC, on Queen Victoria Street right next to the Thames
is a menacing bastard.. it was code named the Citadel in its time and does
appear fairly un-open to the public. Mondial House, which is home to a 5ESS
switch is pretty close aswell, even closer to the Thames than before (Upper
Thames street) roundabouts.

Addresses to keep away from..

203 High Holborn, London WC1V 7BU
Holborn TE, 268/270 High Holborn, London WC1V 7EJ
150 Holborn, London EC1N 2NS
Holborn Centre, 120 Holborn, EC1N 2TE
Bath House, 52 Holborn Viaduct, London, EC1A 2ET
Weston House, 246 High Holborn, London, WC1V 7DQ

Parker Tower, 43-49 Parker Street, London, WC2B 5PS
103-105 Bunhill Row, Moorgate.. (unmarked)
45 Moorgate (vaccuum sealed :))
2-12 Gresham Street (Big fucker)
Moorgate ATE, 72 Fore Street, London, EC2Y 5EQ <----(the 'FORTRESS')
Cavendish TE, 107 Houndsditch, London, EC3A 7NB
Faraday Building, Queen Victoria Street, EC4U 4BU <----(the 'CITADEL')

Wellington House, 6-9 Upper St Martin's Lane, London, WC2H 9DL
Columbo House, Joan Street, London, SE1 8BE (0171 555 xxxx)

Kings Cross TE, 233 Greys Inn Road, London, WC1X 8RD
Mondial House, 90-94 Upper Thames Street, London EC4R 3UB *5ESS*
Covent Garden ATE, 24-28 Russel Street, London, WC2B 5HL
Paddington TE, 75-77 St Michaels Street, London, W2 1QS

Jus' like a ninja. Cyaz.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH