
Telecommunications Systems and Structures

STATION ID - 7047/3.12

9x Datakit Network

This is a 9x system, restricted to authorized persons and for
official 9x business only. Anyone using this system, network or data
is subject to being monitored at any time for system administration and
for identifying unauthorized users or system misuse. Anyone using this
system expressly consents to such monitoring and is advised that any
evidence of criminal activity revealed through such monitoring may be
provided to law enforcement for prosecution.

Telecommunication Systems and Structures.
by Hybrid, February 1999.


Welcome to the last part in my series of texts on telecommunications
networks. Someone said to me the other day: 'get some hacking sk1llz, phones
are bollocks.'.. To me there is no difference between phreaking and hacking,
they are both about learning stuff through hands on experience, I hack the
phone network rather than computer networks for many reasons.. a) I don't
get a 900 net dialup bill, b) The phone network is more elaborate than most
computer networks, c) I can't code, d) I can dial faster than I can type ;)

So what's this file about? This file will cover some of the many layers of
protocols and network structures of today's phone network, and is primarily
aimed at phreaks who want to gain better knowledge of our phone system.


Part I.  Analogue systems and techniques

         1.1.  Basic network structures
         1.2.  Basic exchange structures
         1.3.  Centrex services
         1.4.  Frequency division multiplex
               (FDM hierarchy)
         1.5.  Personal communications services
         1.6.  Signalling
         1.7.  Stored program control (SPC)
         1.8.  Switching
         1.9.  Trunking and scanning

Part II. Digital systems and technologies (the fun part)

         2.1.  Developing digital technologies
                        ACD (automatic call distribution)
                        ADSL (asymmetrical digital subscriber line)
                        ATM (asynchronous transfer mode)
                        Digital Centrex
         2.2.  Signalling
                        CCITT No. 6 (Common channel signalling system
                                     number 6)
                        CCITT No. 7 (C7)

4. References

1.1.  Basic network structures

I'll begin this file by explaining the basics of phone network structures.
Each subscriber is connected to a local junction exchange which provides the
power supply for the terminal and the means for switching the subscriber's
communications needs. Each local exchange is connected via trunk lines into
a group of switching centres which manage a load of local exchanges. The
total local, plus trunk networks form the national network. Within each
country there exists a number of international exchanges which act as
switching centres to the international network. The international links are
provided by land-lines, submarine cables or satellites.

In the trunk network, two twin wire pairs are used for transmit and receive
(go and return), known as four wire operation. By comparison the subscriber's
connection to the local exchange is via a single wire pair that performs
both functions, the go and return signals being separated by a special type
of transformer known as a 'hybrid'. This device, shown below, provides two
wire to four wire conversion as follows:

          input 2                                |
                   =========           =========
               .---oOOOOOOOo---.   .---oOOOOOOOo----<------>
           ____|_______________|   |
          |    |______________     |
          |                   |    |
        .---.                 |    | (Hybrid transformer)  input 3
        |||||                 |    |
        |||||                 |    |
          |                   |    |
           --------oOOOOOOOo--      ---oOOOOOOOo----<------>
                   =========           =========
          input 1                                |

A signal from the four wire side at input 1 will drive the current through.
This will induce equal voltages. Because the latter inductances are connected
in series opposition, the voltages will be self cancelling. None of the signal
at input 1 will appear at input 2 and vice versa. At the same time, however, a
transmission path exists to the two wire side of the hybrid. The subscriber's
terminal is dc coupled to the local exchange to similarly provide a power
supply, but is also ac coupled for the signals; this dual function is
controlled via a transmission bridge.

1.2.  Basic exchange structures

For economy, exchange lines and equipment can be shared by subscribers by
using a multiplexing technique. Using the assumption that not all subscribers
will need to use the system at any given time, the technique shown below is

                      (Exchange distribution)

                ---->--------------.   .----------------------->
             Incoming trunks       |   |             Outgoing trunks
                ---->-----------.  |   |  .-------------------->
                                |  |   |  |
            Concentrator        |  |   |  |
                 ___            |  |   |  |             ___
                |   |         __|__|___|__|__          |   |  Expandor
    <-------->--|   |--------|               |---------|   |----------.
 Local lines    |   |        |  Distributor  |         |   |          |
    <-------->--|   |--------|_______________|---------|   |------.   |
      |   |     |___|                                  |___|      |   |
      |   |                                                       |   |
      |   |                                                       |   |
      |   |_______________________________________________________|   |
      |                                                               |

Every 1000 lines may be fed in via a concentrator to 100 exchange
distribution lines. Then to ensure that every subscriber can still be
connected to every other, a distributor routes these lines through the
exchange to a number of expandors, connecting all its 100 lines to all 1000
subscribers' lines. If more than 100 calls are presented to such a system, it
is obvious that the excess calls will be blocked for a period of time. So that
the exchange can also play its part in the group switching concept, the
distributor stage has to handle incoming and outgoing trunk connections.

1.3.  Centrex services

Centrex is the generic title of a number of services that offer the large
user (more than 100 extension lines) the facilities of a PABX (private
automatic branch exchange), within certain major exchanges. This avoids the
user cost of installing and operating an on-site branch exchange. The concept
also allows for different user sites within the same call charge area to
share the same equivalent PABX.

The extension phones are given short dialling codes within the exchange which
can be reached by direct dialing in the manner of normal PABX extension

Although the concept will function over the analogue public switched
telephone network (PSTN), it is particularly well suited for operation over
an ISDN system.

1.4.  Frequency division multiplex (FDM hierarchy)

To maximise the frequency spectrum available over trunk cables and
international links, the subscriber's baseband voice signals covering from
300 to 3400 Hz are translated using single sideband (SSB) modulation to a
higher frequency range suitable for propagation over coaxial cables and radio
links.

12 basic channels are modulated on to carriers in the range 64 to 108 kHz
and spaced 4 kHz apart. When the lower sideband (LSB) is selected, these form
a 'group' with a bandwidth of 48 kHz, extending from 60 to 108 kHz. Five
groups are then modulated in a similar manner onto carriers spaced at 48 kHz
intervals from 420 to 612 kHz to form a 'supergroup'.

16 supergroups are then LSB-SSB modulated onto carriers spaced by 248 kHz
from 1116 kHz upwards. This results in a band of frequencies from 564 kHz

To utilise the range below 564 kHz, a supergroup is modulated on to a 612
kHz carrier which after selection of LSB is reduced to a band between 60 and
300 kHz. The band between 300 and 564 kHz is filled with another supergroup
in basic form (312 to 552 kHz).

This hierarchy, referred to as 'master' or 'hypergroup', provides a multiplex
(including frequency gaps or guardbands to cater for the characteristics of
practical filters), with an upper frequency of close to 4 MHz which is easily
carried over a coax cable. (wake up) =]

1.5.  Personal communications services (analogue)

Yes, I know this has been covered before, but I thought I'd go over it again.
=] Here I will only cover the very basics of radio telephony, there are
stacks of files on this subject if you want to read more.

Cellular radio:

By using either frequency, time or code division multiple access techniques
with low power radiation, and suitably located antennas, the carrier
frequencies can be re-used many times over without creating cross-channel
interference. Thus by suitably selecting a power level, radiating frequency
and antenna system, a complete network can be built up to provide continuous
coverage over a wide area. Such cellular radio phone systems use power levels
ranging from around 10 mW up to 20 W and frequencies from around 27 MHz up to
1.8 GHz to provide communications areas ranging from picocells of about 200m
diameter. By using frequency agile mobile transmitter/receivers, it is
possible for a subscriber to roam from cell to cell and still maintain
communications contact.

Ct1 (cordless telephone, 1st generation):

The first step towards cordless operation was applied to the domestic phone
and involved replacing the normal cord (wiring) between the handset and
instrument with a radio link. These phones operate in 1 of 4 channels within
the 27 MHz band and provide a cell of about 200m diameter. In addition to
providing this remote link, the system also usually provides an intercom
between the handset and the instrument base station.

Ct1+ (cordless telephone 1st generation development):

This standardised system moved cordless operation into the European business
field. The system operates using a trunked version of Ct1 with frequency
division multiple access (FDMA) to provide 80 channels within the band 885 to
887 MHz. Because 2 channels are needed to provide for a single duplex speech
communications link, a maximum of 40 simultaneous calls are possible within
each cell. Within the UK, 40 duplex channels are provided within the bands
914 to 915 MHz and 958 to 959 MHz. The mobile and base station transmitters
are allocated to the lower and higher frequency range to provide a maximum
range of about 400 metres. NMT is a Nordic version operating within the 450
MHz band and C-NET is an equivalent German system.

Private mobile radio (PMR):

Trunked PMRs are basically private communications systems operating in the
UK within VHF band III that was previously used by 405 line TV services.
Several variants are in use and operate within the terms of MPT1327/MPT1343.
The service allows roaming between cells and even connections to the
international networks.


This is a low cost type of service which is intended to alert a subscriber
that he is required to respond by calling back to the base over the
national phone network. There are 3 basic techniques in use:

        * a simple single or multiple audible tone emitted from
          the pocket receiver which requires the user to call
          directly back to a controlling agency.

        * a numeric pager that displays a limited number of digits.

        * an alphanumeric display receiver that can receive simple
          but detailed messages.

TACS/ETACS (total access communications systems/extended TACS):

This UK cellular phone system operates within 2 paired 15 MHz bands, 890 to
905 MHz and 935 to 950 MHz, with the mobile transmitter using the lower
frequency. The system is a derivative of the American AMPS (advanced mobile
phone service) system that operates in 2 segments of the 800 MHz band, but
modified to operate with 25 kHz channel spacing. The cells are typically
of 1 to 2 km diameter. As the service expanded and congestion occurred, 2
further sub-bands were added (872 to 888 MHz and 917 to 933 MHz) and this
gave rise to the extended TACS concept.

1.6.  Signalling

Signals are needed within the phone network to establish line acquisition at
the start, call routing through the network, monitoring the call progress
and detecting line clearance. In addition it is necessary to provide for
such services as billing, quality of service records and general network
management. When such signalling is carried over the communication lines it is
referred to as channel associated signalling. Since this technique is not
compatible with stored program control, it has been replaced by Common
Channel Signalling where a separate dedicated channel is reserved for this
function (CCS). This is why it is no longer possible to 'interact' with the
signalling channel, like with the old C5 hierarchies. It is however possible
to do this via direct lines to countries that operate on this old method of

A system known as the loop disconnect dialing system, where the line is
pulsed at 10 p/s via interrupter contacts, was previously used in the UK. This
method of signalling is now dead, since the advent of multi-frequency dialing
techniques (DTMF), where, if you press a button, it selects a unique
combination of 2 tones of different frequency for transmission over the voice
channel. These dual tone multi-frequency (DTMF) tones provide more reliable
signalling over analogue lines than the digital pulses of the loop
disconnect system. At the exchange decoder, the signals are filtered into low
and high frequencies and then processed to provide addresses in a ROM look-up
table. This then outputs each dialled digit as a 4-bit binary code.
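
The decoder stage described above, sketched in Python as an added example
(not from the original file): one Goertzel filter per low-group and
high-group tone, then a table standing in for the ROM that gives the 4-bit
code. The tone frequencies are the standard DTMF grid; the 8 kHz sample rate,
205-sample block, 0.3 threshold and the 4-bit assignment are assumptions.

```python
import math

RATE = 8000                      # samples per second (assumed)
BLOCK = 205                      # samples per decision, about 25 ms (assumed)
LOW = (697, 770, 852, 941)       # low group (keypad rows), Hz
HIGH = (1209, 1336, 1477, 1633)  # high group (keypad columns), Hz
KEYPAD = ("123A", "456B", "789C", "*0#D")
# Stand-in for the ROM look-up table: key -> 4-bit code (assumed assignment:
# 1-9 as themselves, 0=10, *=11, #=12, A=13, B=14, C=15, D=0).
ROM = {key: code for code, key in enumerate("D1234567890*#ABC")}


def goertzel(samples, freq, rate=RATE):
    """Power of a single frequency in the block: one narrow 'filter'."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_block(samples, rate=RATE, min_share=0.3):
    """Return the key in this block, or None for silence or a lone tone."""
    energy = sum(x * x for x in samples)
    if energy == 0.0:
        return None
    # Normalise so a clean dual tone gives a share of about 0.5 per group,
    # whatever the signal level.
    scale = 2.0 / (energy * len(samples))
    picks = []
    for group in (LOW, HIGH):
        share, index = max(
            (goertzel(samples, f, rate) * scale, i) for i, f in enumerate(group)
        )
        if share < min_share:    # this group has no dominant tone
            return None
        picks.append(index)
    return KEYPAD[picks[0]][picks[1]]


def decode_digits(samples, rate=RATE, block=BLOCK):
    """Decode a whole recording, one digit per burst of tone."""
    digits, last = [], None
    for start in range(0, len(samples) - block + 1, block):
        key = decode_block(samples[start:start + block], rate)
        if key is not None and key != last:
            digits.append(key)
        last = key               # a silent block lets the same key repeat
    return "".join(digits)


def to_codes(digits):
    """The 4-bit code the look-up table outputs for each decoded digit."""
    return [ROM[d] for d in digits]


def make_dtmf(keys, rate=RATE, tone_ms=40, gap_ms=40, amp=0.4):
    """Constructed test signal: tone bursts separated by silence."""
    out = []
    for key in keys:
        row = next(r for r, line in enumerate(KEYPAD) if key in line)
        col = KEYPAD[row].index(key)
        for t in range(rate * tone_ms // 1000):
            out.append(amp * (math.sin(2 * math.pi * LOW[row] * t / rate)
                              + math.sin(2 * math.pi * HIGH[col] * t / rate)))
        out.extend([0.0] * (rate * gap_ms // 1000))
    return out


if __name__ == "__main__":
    dialled = decode_digits(make_dtmf("1599#0*D"))
    print(dialled, [format(c, "04b") for c in to_codes(dialled)])
```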

1.7.  Stored program control (SPC)

As networks have expanded and the range of services offered has increased,
system control using computers has become more efficient and economical.
Using SPC, all the necessary operational instructions are held in
programmable read only memories (PROMs). Due to the high degree of flexibility
that this provides, systems of widely differing size and architectures can be
made to operate together in a compatible manner.

1.8.  Switching

There are basically 2 concepts used in telephony switching systems. 'Circuit
switching', where an actual path is set up between subscribers and operates
in real-time, and 'Message switching', which involves storing the signals in
memory. This method is restricted to digital systems, and is also known as
'store and forward'. Overloading produces call blocking and queuing in circuit
and message switched systems.

The old Strowger automatic exchanges utilised a number of dual motion electro
mechanical selector switches coupled in series. Each selector consists of a
bank of 10 semicircular rotary switch elements each carrying 10 output
contacts. Any particular contact on the switch is then selected by a vertical
motion to select the required contact. Then any input line can be connected
to any one of 100 output lines. By using 3 such selectors in series it is
possible to service any phone system based on 6 figure numbers.

For modern exchange applications, electro-mechanical switching is much too
slow and unreliable. The first replacement for this type of exchange consisted
of matrix cross-point switches used to interconnect input and output lines.
That system is now more or less dead, and my favourite type of switch is
implemented: Common Control Switching. Here the incoming directory number is
stored in a digital memory and this is then used to find the best route
through the switching matrix. In large installations, switching matrices are
coupled in series and this is referred to as a 'space divided network'. To
maximise the use of exchange equipment and utilise computer control, these
are operated on the statistical basis that only a relatively few
interconnections will be needed at any one time.

1.9.  Trunking and scanning

These terms are usually applied to telephony channels used over radio nets.
The frequency spectrum of a trunked network is divided into channels which
are managed by a central controller. A caller obtains access to the network
via the controller which allocates a free channel for the duration of the
call. Once completed, the channel is returned to the control pool for future

Scanning or self-trunking is an extension of this technique. The equipment of
the user making the call scans the available spectrum to locate a free
channel. The user then calls the other person either over a calling channel
or the free one, to establish communications over a nominated channel.
Without the central control, such a system is likely to crash under overload
conditions, rather than degrade gracefully like the trunked network.

Part II. Digital systems and technologies (the fun part)

Hah, did part I bore you? damn it, go back and read it again. In this part of
the file I will include imph0 on (in my opinion) the best part of telephonics,
Digital matrix telecommunication infrastructures. O yeah, CCS in your face..
read on..

2.1.  Developing digital technologies

ACD (automatic call distribution):

This represents a concept that was designed for the optimum management of a
communications system where the traffic consists of shit loads of incoming
calls. Each call is distributed to a 'free agent' as it arrives without the
intervention of an operator, typical applications being credit card
validation, airline booking facilities and similar situations that require
the back-up of a large computer-held database. Such a system is designed to
control call queues, and stop switch overload within a PABX or similar network.
However ACD is designed to differ from a conventional PABX in the following

      * Because an incoming call is directed to the 1st free
        agent rather than being picked up by an operator, less
        time is lost.

      * The agents' terminals are more sophisticated than the
        conventional phone terminal. They are normally equipped
        with a full keyboard and visual display screen, with a
        direct link to the operator mainframe computer.

      * ACD is capable of providing a great deal of statistical
        management information, such as call queue lengths,
        periods of _overload_ and other lost time.

      * The greater cost of the ACD system is offset by the greater
        throughput of calls, reduced lost time and calls and by
        the use of fewer operators.

      * In some cases, the use of a DTMF phone allows callers to
        make direct access to sections of the computer data while
        waiting for a free agent. When the call is _eventually_
        picked up, the necessary customer information can be
        displayed on the agent's screen immediately to reduce lost

      * ACDs can be networked over PSTN (public switched telephone
        network) so that several remote common databases can be
        directly linked. This allows sharing of databases under the
        loading variation that is bound to happen throughout the day.
        It also allows for the shut down of some ACDs during
        off-peak periods.

      * Developing systems also allow for the use of voice recognition
        techniques to further reduce a queuing problem. (hint- next
        time you are in a call queue, start shouting violently down
        the phone)

ADSL (asymmetrical digital subscriber line):

Experiments have shown that the un-shielded twisted pair (UTP) cables
originally designed to carry voice frequency signals in the band of 300 to
3400 Hz, are capable of transporting very much higher frequencies. (hmm)
In the ADSL network it is possible to simultaneously continue to use the
voice band for normal analogue phone traffic. In practice it is necessary to
be able to separate the ADSL signals of a few millivolts amplitude, from
the few tens of volts of a ringing tone.

ATM (asynchronous transfer mode):

Conventional networks carry data in a synchronous manner and because empty
slots are circulating even when the link is not needed, network capacity is
wasted. The ATM concept, which has been developed for use in broadband
metropolitan area networks (MAN) and optical fibre based systems, is
supported by both CCITT and ANSI standards, and can also be interfaced to
SONET (synchronous optical network). ATM automatically adjusts the network
capacity to meet the system needs and can handle data, voice, video, and TV
signals. These are transferred in a sequence of fixed length data units called

Common standards definitions are provided for both private and public
networks so that ATM systems can be interfaced to either or both.

ATM is a wideband, low delay, packet-like switching and multiplexing
concept that allows flexible use of the transmission bandwidth and is capable
of working at data rates as high as 622.08 Mbit/s.

Digital Centrex:

Within Europe, digital Centrex services are ISDN compatible and meet the CCITT
2.048 Mbit/s PCM standard. These are designed to fit the PSTN's call progress
tones, ringing cadences, numbering plans, billing and trunk signalling. The
system is well suited to the needs of large corporate users who may also be
members of a particular 'closed user group' (CUG). As in the analogue case in
part I, the network supplier provides PABX facilities within a local exchange
and this saves the subscriber space, equipment costs and operating staff
expenses. In addition it is very easy for the network provider to update the
facilities. The services provided by Centrex include call transfer,
call-forwarding, call pick up, call waiting, teleconferencing, short code
dialing, call holding, call splitting, automatic recall, and CLID.

2.2.  Signalling

CCITT No. 6 (Common channel signalling system number 6)

This signalling specification was designed for operation over a dedicated
voice band analogue circuit to handle the requirements of many simultaneous
callers. The system also permits the use of low speed digital modems
operating at 1200 bauds using QPSK and a carrier frequency of 1800 Hz over the
same audio channel. In the USA, a variation known as 'Common Channel
Inter-office Signalling' (CCIS) procedure is adopted by the Bell/AT&T system.

CCITT No. 7 (C7)

Although the Common Channel Signalling System (CCSS) No. 7 was initially
developed to manage call connection and disconnection, it has been expanded
to provide many other service functions. The specification, which is based on
the ISO 7 layer model, is ISDN compatible and suitable for use over a
satellite link.

    _______       _____________                         _______________
   |   7   |     |    TCAS     | transaction     bit 1 |    flag       |
   |_______|     |_____________| capabilities          |---------------|
   |   6   |     |             | application           |   backward    |
   |_______|     |             | section.              |   sequence    |
   |       |     |     |       |                       |    number     |
   |   5   |     |     TC      | transaction           |---------------|
   |-------|     |     |       | capabilities.       a |     BIB       |
   |   4   |     |             |                       |---------------|
   |_______|     |_____________|                       |   forward     |
   |       |     |             |                       |   sequence    |
   |   |   |     |    SCCS     |                       |    number     |
   |   3   |     |-------------|   <------             |---------------|
   |   |   |     | network signalling     |          b |     FIB       |
   |       |     |_____________|          |            |---------------|
   |_______|     |    link     |  message |            |link indicator |
   |       |     | signalling  |  transfer|            |---------------|
   |   2   |     |_____________|  section |          c |     SIB       |
   |-------|     |  data link  |          |            |---------------|
   |   1   |     |  signalling |          |            |    label      |
   |_______|     |_____________|   <______|            |_______________|
      OSI           CCSS No. 7                         |   signalling  |
     layers          layers                            |  information  |
                                                       |   check sum   |
a) Backward indicator bit                Signal        |---------------|
b) Forward indicator bit                 Structure     |     flag      |
c) Service information byte                            |_______________|

As shown in the above diagram the message transfer section covers the lower 3
OSI levels. The data link level is a full duplex, 64 kbit/s link dedicated to
signalling. Because the system may have to handle the needs for many
thousands of callers simultaneously, it is important that the link is error
free. This level ensures that blocks of data are delivered in the correct
order, are not transmitted at a rate too high for the receiver, and makes sure
that data is not duplicated. CCSS-7 has a large degree of inbuilt flexibility
that allows new services to be added without changes to the network or
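
An added example, not part of the original file: a Python parser for the
signal unit fields in the diagram above, working on the octets between the
two flags after bit de-stuffing. The field widths, routing label layout and
check sum algorithm come from ITU-T Q.703/Q.704 rather than from this page
(which labels the length indicator 'link indicator'); the sample unit is
constructed.

```python
import struct


def crc16_x25(data: bytes) -> int:
    """16-bit check sum (x^16 + x^12 + x^5 + 1, bit-reflected, inverted)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_signal_unit(bsn, bib, fsn, fib, info=b""):
    """Build a constructed sample unit (no flags, no bit stuffing)."""
    head = bytes([bib << 7 | bsn, fib << 7 | fsn, min(len(info), 63)])
    return head + info + struct.pack("<H", crc16_x25(head + info))


def parse_signal_unit(body: bytes) -> dict:
    """Split one signal unit into the fields shown in the diagram."""
    if len(body) < 5:
        raise ValueError("shorter than sequence numbers + LI + check sum")
    payload, (check,) = body[:-2], struct.unpack("<H", body[-2:])
    if crc16_x25(payload) != check:
        raise ValueError("check sum mismatch, unit must be discarded")
    li, info = payload[2] & 0x3F, payload[3:]
    # LI counts the octets between itself and the check sum; 63 means
    # "63 or more".
    if (li < 63 and li != len(info)) or (li == 63 and len(info) < 63):
        raise ValueError("length indicator disagrees with unit size")
    unit = {
        "bsn": payload[0] & 0x7F, "bib": payload[0] >> 7,  # backward seq/bit
        "fsn": payload[1] & 0x7F, "fib": payload[1] >> 7,  # forward seq/bit
        "li": li,
    }
    if li == 0:
        unit["type"] = "FISU"            # fill-in unit, carries nothing
    elif li <= 2:
        unit["type"] = "LSSU"            # link status unit
        unit["status"] = info[0] & 0x07
    else:
        if len(info) < 5:
            raise ValueError("message unit too short for a routing label")
        # Routing label: 14-bit destination, 14-bit origin, 4-bit link
        # selection, packed little-endian after the service information octet.
        label = int.from_bytes(info[1:5], "little")
        unit.update(
            type="MSU",
            service_indicator=info[0] & 0x0F,
            network_indicator=info[0] >> 6,
            dpc=label & 0x3FFF,
            opc=(label >> 14) & 0x3FFF,
            sls=label >> 28,
            data=info[5:],               # signalling information
        )
    return unit


# Constructed sample: service octet 0x85, destination 100, origin 200,
# link selection 5, three octets of signalling information.
SAMPLE_MSU = build_signal_unit(
    bsn=17, bib=1, fsn=42, fib=1,
    info=bytes([0x85]) + (100 | 200 << 14 | 5 << 28).to_bytes(4, "little")
    + b"\x01\x02\x03",
)

if __name__ == "__main__":
    print(parse_signal_unit(SAMPLE_MSU))
```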

4. References

Communications Technology (2nd edition) -book
Bell labs ss7 research papers
Telecom Digest

Well that's it for this file, hope you enjoyed it. Shouts fly out to the
following people:

[9x] [Substance] [d4rkcyde] [downt1me] [elf] [psyclone] [backa] [xio]
[public-n] [b4b0] [klaus floride] [sim] [volt4ge] [nothingg] [everyone in
#darkcyde #9x #b4b0 #legions #phonez #2600-uk EfNet]

9x SpreAd1ng thE hp in thE neW m1lleniuM.
d4rkcyde ideling into thE neW milLeniuM.



*  | DSS: 0x5493F1307 *
*       | D-H: 0x8B314ED9  *
*      | RSA: 0xA42A953D  *
*     |                  *
*         | 1999-02-09       *
*      |                  *
