==Phrack Inc.==

                 Volume Four, Issue Forty-One, File 6 of 13

              A Brief Guide to Definity G Series Systems
                       a.k.a System 75 - 85

                     Written by Scott Simpson

Greets to Jim Anderson, The Missing Link, Randy Hacker, Dark Druid,
Nickodemus, Mercury, Renegade, Infinity (enjoy the army!), Weirdo, TomCat,
GarbageHeap, Phrack Inc.


Basic History
~~~~~~~~~~~~~

Definity model systems came into existence in the late 1970s. In 1983, AT&T
came out with a revised model called System 75. It was built to hold more
incoming lines and had fewer bugs than the earlier version. The 1983 version
was replaced by a rewritten version in 1986. Today the systems are referred
to as G models: System 75 is now called G1 and System 85 is called G2. Two
newer models are currently available, the Definity G3I (Generic 3 with an
Intel processor) and the Definity G3R (Generic 3 with a RISC processor).

There are three versions of each model. Version one, the most common, is an
XE single-carrier unit; the other two are two-carrier units. A system will
usually cost somewhere around 50 to 80 thousand dollars. You MIGHT come
across a smaller version called the "Merlin Legend," which holds about
50-100 lines. System 75 and 85 hold around 1000 lines.

System 75/85 is used by companies to house all of their incoming lines and
to route those lines to destinations set up by the owner, whether that is
AUDIX or some other setup. The system has many uses besides VMBs and PBXes,
but three of its functions are of interest to hackers: voice mail (VMB),
bridging, and of course PBX (remote access) dial-out.


Discovering the System
~~~~~~~~~~~~~~~~~~~~~~

When you find a System 75, you will make a 1200/NONE connection (if an HST
is used), as most setups have a built-in 1200 baud modem. Normally the
controller number will not be in the same prefix as the business or the
PBX, and the line is actually owned by AT&T.
Try CNAing (customer name and address lookup) a System 75 line and it will
tell you that it is owned by AT&T. Once you find a carrier, you will need
to display ANSI or some equivalent type of terminal graphics. Most are set
to N81, but some may be E71. My suggestion is to use ToneLoc, which is
produced by Mucho Maas and Minor Threat. As you know, this program will
scan for carriers as well as tones. It can be found on just about every
ELEET H/P BBS.


Getting into the System
~~~~~~~~~~~~~~~~~~~~~~~

Getting into the system is the easy part if you have the defaults. You must
find them on your own, and you will find that a lot of people are not
willing to trade for them. There is one default that will let you snoop
around and tell whether or not they have a PBX, provided that they have not
changed the password or restricted the account. This default is usually a
fully operational account without the privilege of altering any data,
though I have come across a couple of systems where it wouldn't do
anything. Using this default account is a good way to start if you can find
it, and it is also the account to use any time you call and don't plan on
changing anything: actions taken by it are not kept in the system history
file. Now on to the good stuff!!


Abusing System 75
~~~~~~~~~~~~~~~~~

After logging into a 75, several commands are available depending on the
default you are using. This part covers the basics; I will explain more
later for the more advanced people. When you log in with the aforementioned
default you will have the commands LIST and DISPLAY, plus a couple of
others that don't matter; LIST and DISPLAY are the only ones you need.

First type "dis rem" (display remote-access). If a PBX is set up on the
system, its extension will be shown on the extension line, and the barrier
code is the code to the PBX. If "none" appears there is no code, and it's
just 9+1. The extension can be either 3 or 4 digits.
Usually, if it's 3 digits, it is run off of AUDIX (AUDio Information
eXchange), or they are smart and are hiding one digit! Look at the dialplan
and see if the extensions are 3 or 4 digits. If it tells you that the
extensions are three digits, chances are that it is somewhere in the AUDIX
system. If it's run off of an AUDIX, look through all of the extensions
with either "list" or "display" until you find one that says something
like "remote extension" or something that looks different. If one digit is
hidden, use ToneLoc and scan for the digit needed.

Next, display the trunk groups. This will tell you the actual dial-up. If
you don't find it here, don't panic. As you go through the trunk groups,
also look at the incoming destination as well as the night service
destination. If either of these shows the remote access extension, there
is your PBX. If not, keep looking through all of the trunk groups. Write
down all of the phone numbers they give you (usually on page three or so)
and try them. A LOT of the time, places call-forward a back line or so to
the actual PBX. If there is no remote access extension when you display the
remote access, you are shit out of luck unless you have a higher default
and read the rest of this text.


Setting Up Your Own PBX
~~~~~~~~~~~~~~~~~~~~~~~

If you have a higher default, you will notice that if you type "help" you
have more commands available to you, such as change, download, etc.
Remember, the company can change the privileges of the defaults, so if you
cannot see these commands, use another default. The first thing you want to
do is to display the dialplan. This will tell you the number of digits and
the first digit of all of the sequences. Here is an example of a dialplan;
there are several ways the dialplan may look.
                         Number of Digits
           -------1----2----3----4----5----6----7----8----9 --
   F    1
   I    2        Tac
   R    3
   S    4        Fac
   T    5
        6                       Extension
   D    7                       Extension
   I    8        Tac
   G    9
   I    0   Attendant
   T    *
        #

(The letters down the left spell FIRST DIGIT: each row is the first digit
dialed, and the column gives the total number of digits in the sequence.)

Using the above chart, all extensions will start with either a 6 or 7 and
will be four digits long. The TAC is two digits and will start with a 2 or
an 8. Don't worry about FAC or any others at this time.

After you make note of this, type "ch rem" (change remote-access), go to
the extension line, and put in an extension. Next, find the trunk group
that you want to use and type "ch tru #". Go to the line for night service
and put the extension in there. If there is already an extension for night
service on all of the trunks, don't worry; if not, add it, and then save
it. If it says "invalid extension", you misread the dialplan. If you pick
an extension already in use, it will tell you so when you try to install
it on the remote extension line of the remote-access form. Once all of this
is completed, you may go back to the remote access and add a barrier code
if you like, or you may just enter "none" and that will be accepted.

THE NEXT PART IS VERY IMPORTANT! Look at the trunk that you installed and
write down its COR number. Cancel that command and type "dis cor #". Make
sure that the Facilities Restriction Level (FRL) at the top is set to 7
(7 is the least restricted level and 0 is the most) and that under calling
party restrictions and called party restrictions the word "none" (lower
case) is there! If they are not, type "ch cor #" and make the changes.

Last, type "dis feature" (display feature-access-codes). This will display
the feature access codes for the system. There will be a line that says
something like "SMDR Access Code." This is the code that you enter after
the barrier code, if there is one; I have seen some be like *6, etc. Also,
on page 2 I believe, there will be something to the effect of "outside
call." Usually it is set to 9, but check to be sure. That's about it for
this segment; all should be fine at this point.
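The checks this section and the previous one describe by hand (read the
dialplan to learn what a valid extension looks like, read remote-access for
the extension and barrier code, read the COR for FRL 7 and "none"
restrictions, and walk the trunk groups looking for a night service or
incoming destination that points at the remote access extension) can be
done in one pass over captured screens. The script below is an added example
and is not from the article or from AT&T; the "Field: value" screen format,
the one-rule-per-line dialplan, and every extension, COR and trunk number in
it are constructed for illustration (real SAT screens are multi-column forms
and would need a layout-aware parser). It generalizes the chart above to any
set of first-digit/length rules, and the same conditions it reports are what
an administrator would look for when auditing their own switch for an open
remote-access door.

```python
"""
Cross-check of the forms the article reads: dialplan, remote-access, COR and
trunk-group.  The screens below are constructed, simplified captures reduced
to one "Field: value" per line; they are an assumption of this example and
not real SAT output, which is laid out as multi-column forms.
"""
import re

# Constructed sample dialplan, one rule per line (first digit, total length,
# entry type), matching the chart in the article: extensions are 6xxx/7xxx,
# TACs are 2x/8x, FAC entries start with 4, 0 reaches the attendant.
DIALPLAN = """
first-digit 0 length 1 type attendant
first-digit 2 length 2 type tac
first-digit 4 length 2 type fac
first-digit 6 length 4 type extension
first-digit 7 length 4 type extension
first-digit 8 length 2 type tac
"""

# Constructed "display remote-access" capture (extension 6999 is made up).
REMOTE_ACCESS = """
Remote Access Extension: 6999
Barrier Code: none
COR: 3
"""

# Constructed "display cor #" captures, keyed by COR number.
CORS = {
    1: "FRL: 3\nCalling Party Restriction: outward\nCalled Party Restriction: none\n",
    3: "FRL: 7\nCalling Party Restriction: none\nCalled Party Restriction: none\n",
}

# Constructed "display trunk-group #" captures, keyed by group number.
TRUNK_GROUPS = {
    1: "Group Type: co\nTAC: 81\nCOR: 3\nNight Service: 6999\n"
       "Incoming Dest: 6100\nTrunk-Type: ground-start\n",
    2: "Group Type: co\nTAC: 82\nCOR: 1\nNight Service: 6100\n"
       "Incoming Dest: 6100\nTrunk-Type: loop-start\n",
    3: "Group Type: co\nTAC: 83\nCOR: 3\nNight Service:\n"
       "Incoming Dest: 6999\nTrunk-Type: ground-start\n",
}


def fields(screen):
    """Turn 'Field: value' lines into a dict keyed by lower-cased field name."""
    out = {}
    for line in screen.strip().splitlines():
        key, _, value = line.partition(":")
        out[key.strip().lower()] = value.strip()
    return out


def parse_dialplan(text):
    """Return (first_digit, total_length, entry_type) tuples."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in re.finditer(r"first-digit (\S) length (\d+) type (\S+)", text)]


def classify(dialed, rules):
    """Dialplan entry type for a dialed string, or None when the switch would
    reject it (the article's 'invalid extension' error)."""
    for first, length, kind in rules:
        if dialed.startswith(first) and len(dialed) == length:
            return kind
    return None


def cor_is_open(cor_screen):
    """True when a COR is the fully unrestricted one the article wants:
    FRL 7 and no calling/called party restriction."""
    f = fields(cor_screen)
    return (f.get("frl") == "7"
            and f.get("calling party restriction") == "none"
            and f.get("called party restriction") == "none")


def audit(dialplan, remote_access, cors, trunk_groups):
    """Report the conditions the article checks by hand: a remote-access
    extension the dialplan accepts, no barrier code, an open COR, and trunk
    groups whose night service or incoming destination reaches it."""
    rules = parse_dialplan(dialplan)
    ra = fields(remote_access)
    ext = ra.get("remote access extension", "")
    if not ext or ext.lower() == "none":
        return ["no remote access extension assigned"]
    findings = []
    kind = classify(ext, rules)
    if kind != "extension":
        findings.append(f"remote access extension {ext} is not a valid "
                        f"extension under the dialplan (type: {kind})")
    if ra.get("barrier code", "").lower() == "none":
        findings.append("remote access has no barrier code")
    cor = int(ra["cor"])
    if cor_is_open(cors[cor]):
        findings.append(f"remote access COR {cor} is unrestricted "
                        "(FRL 7, no party restrictions)")
    for num, screen in sorted(trunk_groups.items()):
        tg = fields(screen)
        for field in ("night service", "incoming dest"):
            if tg.get(field) == ext:
                findings.append(f"trunk group {num}: {field} routes to "
                                f"remote access extension {ext}")
    return findings


if __name__ == "__main__":
    for line in audit(DIALPLAN, REMOTE_ACCESS, CORS, TRUNK_GROUPS):
        print(line)
```

On the constructed sample this reports four findings: no barrier code, COR 3
wide open, trunk group 1 sending after-hours calls to 6999, and trunk group 3
sending every incoming call there. A candidate like "699" or "9123" comes
back from classify() as None, which is exactly the case where the switch
would answer "invalid extension".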
For those of you who are greedy and want a 24 hour PBX, most of the steps
above are the same. The only difference is that you will look through all
of the trunks until you come across one that has several incoming rotary
lines in it. Write down the port number and the phone number for future
reference and delete it using the "ch" command. From the main prompt, type
"add tru #". For the TAC, enter a correct TAC number. Keep going until you
get to the COR. Enter a valid one, and remember that the FRL should be set
to 7, etc. Keep going; the next line that is vacant and needs something is
the incoming destination. Set it to the remote extension that you have
created. The next vacant line, I think, is type (towards the middle of the
page). Enter "ground" and it should print out "ground-start." If there is a
mistake it will not save, and it will send you to the line that needs to
have something on it. After all is done, it will save. Appendix A shows a
copy of a trunk and what it should look like for the use of a PBX. Next, go
to page 3 and enter the port and phone number that you wrote down earlier.
Save all of the changes that you have made. This should be all you need.

One more way! If you scan through all of the extensions on the system, you
may find an "open" extension. This extension may be the phone out in the
waiting room, or in an empty office, or whatever. For this method to work,
the extension must be a valid phone number on their network or must be
reachable through their AUDIX. If you know how to add ports to AUDIX, this
method will be best for you, since setting up a trunk is not needed.
If you find something like this, it's usually better to use it as your 24
hour PBX rather than taking away a line, for several reasons: 1) there are
fewer changes that you must make, so less data is saved in the history
file; 2) other people who have legitimate uses for the line won't trip out
when they get a dial tone; and 3) the company will not notice for some time
that they've lost an extension that is hardly used!

To set it up this way, you must delete the old info on that extension by
typing "remove extension #". It will then show you the station in detail.
Save at that point and it will be deleted. Next go to the remote access and
enter the extension that you deleted on the remote extension line. Then
enter a barrier code, or "none" if you don't want one. Save it! Doing it
this way USUALLY does not require a new trunk to be added, since the port
is already in the system, but if you run into problems, go back and add it
through the use of a trunk. You will still have to assign it a COR in the
remote access form, and remember to make sure that the FRL and the
restrictions are set correctly, as stated above.

In part 2, if there is a demand, I will tell how to make a bridge off of a
75. It is a lot more difficult and requires a lot more reading of the
manuals. If anyone can obtain the manuals, I would strongly urge them to do
so. Also potentially in part 2, I will show how to create a VMB. If they
have AUDIX voice mail, chances are they have a 75! So happy hunting and see
ya soon! If you need to get a hold of me to ask a question, you may catch
me on the nets or on IRC. Enjoy!

Scott Simpson

-------------------------------------------------------------------------------

APPENDIX A : Example of a Trunk For PBXs

                                Trunk Group                    Page 1 of 5
                                -----------

Group Number: #                Group Type: co             Smdr Reports: n
Group name: Whatever ya want   Cor: #                     Tac: #
Mis Measured? n                Dial access: y             Busy Threshold: 60
Night Service: What will answer after hours
Queue length: 0                Abandoned call Search: n
Incoming Dest: What will answer any time the # is called unless NS has an
               extension.
Comm Type: voice               Auth Code: n               Digit Absorption List:
Prefix-1? n                    Restriction: code          Allowed Calls List: n
Trunk-Type: ground-start       Outgoing Dial type: tone
Trunk Termination: whatever it is         Disconnect Timing: whatever it is set to.
ACA Assignments: n

[Page 2 is not all that important. It's usually used for all of the
 maintenance to the trunk etc., so leave it all set to its default setting.]

                                                               Page 3 of 5

    Port          Name          Mode       Type       Answer delay
 1  Port number   phone number
 2
 3
 etc.

That's all that is needed for the trunks.

-------------------------------------------------------------------------------

APPENDIX B : Basic Commands and Terms

Basic Terminology
-----------------

COR  - Class Of Restriction
FRL  - Facilities Restriction Level
SMDR - Station Message Detail Recording
TAC  - Trunk Access Code
FAC  - Feature Access Code

Basic Commands for Default Emulation (513)
------------------------------------------

Esc Ow - Cancel
Esc [U - Next Page
Esc SB - Save
Esc Om - Help

Commands for 4410
-----------------

Esc Op - Cancel
Esc Ot - Help
Esc Ov - Next Page
Esc Ow - Back Page
Esc OR - Save
Esc Oq - Refresh
Esc Os - Clear Fields

Below is an explanation of all of the commands. The following is a captured
buffer of a login to System 75. I have captured the commands and have edited
the buffer to include brief definitions of the commands. Display and list
are basically the same command, but display shows more detailed information
on the object that you select. For example, "list tru" will list all of the
trunk groups in the system; "dis tru" will ask for a trunk number, and then
display all of the information on that trunk.
CH Help

Please enter one of the following action command words:

    add           duplicate     save
    change        list          set
    clear         monitor       status
    display       remove

Or enter 'logoff' to logoff the system

Add       - Is pretty self-explanatory
Change    - Is also self-explanatory
Clear     - Will clear out the segment
Duplicate - Will duplicate the process
List      - Self-explanatory
Monitor   - Used for testing and monitoring the system
Remove    - Remove anything from the system EXCEPT the History File! Sorry
            guys!
Save      - Saves work done
Set       - Sets the time, etc.
Status    - Shows current status of the system

List Help

Please enter one of the following object command words:

COMMANDS UNDER "LIST"

    abbreviated-dialing     groups-of-extension     personal-CO-line
    aca-parameters          hunt-group              pickup-group
    bridged-extensions      intercom-group          station
    configuration           measurements            term-ext-group
    coverage                modem-pool              trunk-group
    data-module             performance

Or press CANCEL to cancel the command

Abbreviated-Dialing:  Speed calling feature from their voice terminal
Aca-parameters:       Automatic Circuit Assurance
Bridged-Extensions:   Used for bridging extensions together
Configuration:        Overall system configuration
Coverage:             Call coverage
Data-module:          Description of the data module used
Groups-of-extension:  Lists all of the extensions available
Hunt-Group:           Checks for active or idle status of extension numbers
Intercom-group:       Lists the intercoms and their info
Modem-Pool:           Allows switched connections between data modules and
                      analog data
Performance:          Shows the performance of the system
Personal-CO-line:     Is for dedicated trunks to or from public terminals
Pickup-group:         Pickup station setup
Station:              Will list all of the available stations assigned
Term-ext-group:       For terminating extension group
Trunk-Group:          Lists ALL of the trunks; will NOT show all details
                      like Display

Dis Help

Please enter one of the following object command words:

COMMANDS UNDER 'DISPLAY'

    abbreviated-dialing       data-module               personal-CO-line
    alarms                    dialplan                  pickup-group
    allowed-calls             digit-absorption          port
    announcements             ds1                       psc
    attendant                 errors                    remote-access
    button-location-aca       feature-access-codes      route-pattern
    circuit-packs             hunt-group                station
    code-restriction          intercom-group            synchronization
    communication-interface   ixc-codes                 system-parameters
    console-parameters        listed-directory-numbers  term-ext-group
    cor                       modem-pool                time
    cos                       paging                    trunk-group
    coverage                  permissions

Or press CANCEL to cancel the command

Abbreviated-Dialing:      Covered above, but shows more information
Alarms:                   Will show information on the alarms (which ones
                          are on/off)
Allowed-Calls:            Will show LD carrier codes and allowed call list
Announcements:
Attendant:                Allows attendant to access trunks without voice
                          terminals
Button-location-aca:      Will show the location of the ACA selected
Circuit-packs:            Tells types of lines used
Code-Restriction:         Shows restrictions for HNPA and FNPA
Communication-Interface:  Information on the communication interface
Console-Parameters:       Will list the parameters of the console, etc.
Cor:                      Class Of Restriction (will show the COR for the
                          # entered)
Cos:                      Class Of Service
Coverage:                 Shows the coverage of the system (voice
                          terminals, etc.)
Data-Module:              Will show information for the data channels
                          entered
Dialplan:                 Lists the current config for extensions, etc.
Digit-absorption:
Ds1:                      Used for tie-trunk services
Errors:                   Shows all of the errors on the system
Feature-Access-Codes:     Lists all of the feature access codes for all of
                          the features on the entire system
Hunt-Group:               As above, but will tell more information for the
                          # you enter
Intercom-Group:           Lists all of the names and their intercom
                          assignments
IXC-Codes:                Inter-eXchange Carrier codes
Listed-Directory-Numbers: Lists the numbers in the directory of the system
Modem-Pool:               Will show info on the channel you select (e.g.
                          baud, parity, etc.)
Paging:                   Used for the paging stations on the voice
                          terminals
Permissions:              Will show the privileges of the other
                          accounts/defaults
Personal-CO-Line:         As above but more descriptive
Pickup-Group:             Shows names and extensions in the specified group
                          number
Port:                     Will show the info on the port you ask about
PSC:                      Keeps a call between two data points connected
                          while the system is active
Remote-Access:            Will show the Remote Access that is there (if any)
Route-Pattern:            The pattern of routing within the voice
                          terminals, etc.
Station:                  Will show detailed information on the station #
                          you enter
Synchronization:          Will show the location of the DS1 packs
System-Parameters:        List of all of the available system parameters
Term-Ext-Group:           As above but more descriptive
Time:                     Will show the current time and date
Trunk-Group:              Will show all available information for the trunk
                          you select
_______________________________________________________________________________