==Phrack Magazine== Volume Four, Issue Forty-Four, File 19 of 27 **************************************************************************** Northern Telecom Meridian SL-1 by Iceman Introduction ~~~~~~~~~~~~ This article is the first in a possible series devoted to Northern Telecom's line of Meridian SL-1 switches. At the moment, I'm unsure if there will even be a second article, since it would consist completely of the programming of these switches, and it's not difficult for me, or anyone else to type up a manual. If you haven't heard of an SL-1 before, to put things simply, if you have ever called a Meridian Voice Mail system, this is the computer that runs the show! Not all SL-1's have Voice Mail features, but it makes things easier (for the electronic adventurer) if you have one that does. Now it's far more than a simple voice mail system, it's a complete phone switch, a PBX. Of course, like most computers, if you can gain access to it, the system is at your beckon call, to do what you make it do. What follows is a brief history, and technical overview of the SL-1 series, as well as information on identifying them. If this looks familiar, a large portion of this article appeared my own magazine, Freedom, but was updated for Phrack. If you had read the issue relating to SL-1's, you will also find basic programming information for some of the more commonly used overlay programs, it was purposely omitted in this article. History and Technical Overview ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Development of Northern Electric's SL-1 started in 1971. Their objective was to design a superior communications system for business subscribers in the range of 100 to 7600 stations. The system had to encompass all the features of a PBX, Centrex and key systems and be economically competitive with them. It had to have new custom services not previously feasible with the older systems. It had to be easy to learn and to operate. As well, it had to be easy to install and maintain. What the designers came up with was a digital, stored program control machine using an 8-bit PCM. They also came up with a new telephone instrument, the SL-1 telephone, which is a multi-line instrument with many features, but uses only 2 pairs of wires, instead of 25 pairs required by key telephones. The SL-1 system has three main parts: The common equipment (CE), the peripheral equipment (PE) and the power supplies. The CE performs the central control and switching functions for all the connecting lines and trunks. It has a central processing unit (CPU) and read/write memory which stores all the operating programs and data unique to the particular system, including switching sequences, feature and class of service information, and numbers and types of terminals. Various models use various media to store information, ranging from magnetic tape drives to disk drives, for high-speed loading of the operating programs and data into the read/write memory, and providing data restoration after a power failure. This media also contains the diagnostic routines, and all software needed to program the switch. There is a Teletype to communicate to the system with and to print error messages on. The network circuits perform the switching duties for all lines and trunks. The digital service circuits provide for such functions as dial and ringing tones and call conferencing. The CE units communicate over a common central bus under control of the CPU. Speech signals, converted to digital, follow a separate path on a network switching bus. The PE performs the interface between the line and trunk circuits and the SL-1 system. It consists mainly of line and trunk cards which convert analog speech to digital signals for digital switching and vice-versa. Lines connect to individual instruments and trunks to other PBX's. Peripheral buffers act as interface between the PE and the CE providing power control, timing and switching control signals for the line and trunk circuits. Digital conversion into 8-bit PCM is done by a single encoder/decoder (codec) for each line or trunk. This codec is a custom LSI circuit. Between the PE and the CE, all signals travel in digital format on time multiplexed loops. Each loops carriers 30 voice channels, one control signalling channel and one unused channel. The channels operate at 64 kbps to give a total data rate of 2.048 mbps. Each loops terminates on a different circuit pack in the CE. There can be up to 16 multiplex loops. When a call is set up, the CPU assigns each party a channel from among the 30 on their own multiplex loops. These channels form a matched pair. For instance, the calling party may use channel 2 of it's digital loop, and the called party may use channel 3 of it's loop. The SL-1 conducts audio digitally. The line and trunk cards contain A/D and D/A converters. Received audio is changed to a digital signal and put on a voice channel. At it's destination, the digital signal is converted back to analog audio. All programming is done from a keyboard with the output going to a printer. To program, a specific diagnostic program, called an overlay, is selected, and is automatically loaded from tape or disk. Once this is done, the appropriate commands are entered to change the options. All inputs, and SL-1 responses are echoed on a printer or echoed out of the specified port. If any system parameters or configurations are changed, these changes will not survive a total power outage unless a new tape or disk is made. In case of a power outage, upon restoration of power, the SL-1 activates the tape or disk unit and loads in the system operating data, and runs some diagnostics. This takes from 5-15 minutes, and at the end of that time, service is fully restored with all the options which were recorded on the tape or disk being implemented. Of course any user-selected options like speed call lists and call waiting which had been selected before the outage will be lost. Automatic diagnostics (called 'background' programs) are being run constantly with the results of any problems being echoed to output. At midnight a more thorough set of diagnostics are run. Any of the diagnostics may be run on demand from the keyboard. Also available on demand from the keyboard are a series of diagnostics to determine the status of lines and trunks, to trace calls, and to print lists and traffic studies. SL-1 Features ~~~~~~~~~~~~~ - Call Waiting - Digitone (DTMF) service - Ring Again - Direct inward dialing - Display services - Direct outward dialing - Tandem switching - Private line service - Special dial tone - Remote administration and - Traffic measurement maintenance - Common control switching - Multi-customer group operation arrangement access - Line/trunk lockout - Data transmission - Flexible numbering system - Access to automatic recorded (2 to 4 digits) answering equipment - Pulse to DTMF conversion - Access to paging equipment - DTMF to pulse conversion - Call forward - busy - Emergency transfer - Call forward - don't answer - Hunting - Call forward - follow me - Intercept - Call pickup - Manual service - Conference (3 or 6 party) - Night service - Service restrictions SL-1 Telephone Set Features ~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Autodial - Automatic preselection - Call status - Headset connection - Call forwarding - Executive override - Call transfer - Hold - Speed calling - On-hook dialing - Call waiting - LED indicators - Tone ringing - Call pickup - Common audible signalling - Loudspeaker/Amplifier - Ring again - Voice calling - Hands free operation - Manual signalling - Multiple appearance directory - 3 or 6 party conference number; multiple call - non-locking keys arrangements - Single appearance directory - Prime directory number number - Station set expansion - Privacy - Privacy release Explanation of Some Features ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Station to station calling - Any station can directly call any other station without attendant assistance. Direct Outward Dialing (DOD) - Allows a station to gain access to the exchange network without attendant assistance and receives a second dialtone. Hunting - Routes a call to an idle station directory number when the called number is busy. The numbers in the hunt group do not have to be in sequence nor do they have to appear on the same instrument. The sequence can be consecutive (station directory numbers are hunted in ascending numerical order) or non-consecutive. Access to paging - Provides a connection to customer-owned paging equipment. Access to Automatic Recorded Answering Equipment - SL-1 stations can have incoming messages recorded on customer-provided answering equipment by forwarding calls to the directory number (DN) assigned to the equipment. Direct Inward Dialing (DID) - Allows an incoming call from the exchange network to reach a station without attendant assistance. The DN for each station will normally be the last 2,3 or 4 digits of the 7 digit exchange network number. Tandem Switching - The SL-1 can act as an intermediate switching point for traffic between other PBX's. Manual Service - Does not provide a dialtone when a station goes off-hook. Instead the attendant is alerted and completes the call for the user. Private Line Service - Permits the appearance of a private central office line on an SL-1 Telephone set. Dialtone is received directly from the telco and calls are not processed by the SL-1. Multi-Customer Group Operation - Allows for the provision of services for more than one business customer from the same switching machine. Each customer is totally separate from the others, may have the same directory numbers as the others, has his own attendant console, his own trunks, and cannot directly call stations belonging to the other customers. Service Restrictions - Allows the ability to restrict various functions. Intercept - Disposes of calls which cannot be completed because of restrictions or dialing errors. They are either routed to the attendant or overflow tone. Special Dial Tone - A Regular dialtone with three 128 ms interruptions at the beginning to advise the user that his hookswitch flash has been successful. Line Lockout - Disconnects stations which have been off-hook for too long to prevent system problems. Night Service - Allows the attendant to preconnect some or all of the incoming telco trunks to selected DN's on the SL-1. Emergency Transfer - Puts the system in the power fail transfer mode. This transfers telco trunks to selected stations to provide some continuity of service to the outside world during the time the SL-1 is inoperative. Remote Administration and Maintenance - Permits operation of the diagnostics from a remote location via a modem and telephone line. You may do anything from the remote terminal that you can do from the local terminal. Call Forward - Busy - Routes incoming calls to another number when the called station is busy. Call Forward - Don't answer - Routes incoming calls to another number when the called station doesn't answer within a prescribed time. Call Forward - Follow me - Routes incoming calls to another, programmable number. Call Waiting - Informs the user of a second incoming call while he is already in conversation. He can then place the first caller on hold and answer the second call. He can then return to the first call. Conference - Allows a user to connect up to either 1 or 4 additional persons into an existing call. Up to 2 of the users may be trunks. Call Pickup - Allows a station to answer an incoming call to another station in the same pickup group by dialing a special code. Ring Again - Permits a calling station, on encountering a busy DN, to operate a dedicated key or dial a special code to have the system monitor the called station and alert him when it goes idle. He is then automatically connect to that station when he goes off-hook or presses the key during the alert and the system rings that station. Data Transmission - The SL-1 is suitable for voiceband data transmissions and is compatible with a conventional modem. SL-1 Models ~~~~~~~~~~~ Model Lines Introduced Generic Features ~~~~~ ~~~~~ ~~~~~~~~~~ ~~~~~~~ ~~~~~~~~ SL1-L 300-700 1975 x01 - N/A SL1-VL 700-2500 1976 x02 - Multi customer operation - Automatic Identification of outward dialing - Do not disturb CDR N/A 1977 x03,x04, - Call detail recording x08 - Recorded Announcement - Digit display console SL1-LE 300-700 1978 x05 - Automatic Route Selection SL1-VLE 700-2500 N/A N/A - Remote peripheral equipment - Automatic Number Identification - "E" system - Autovon SL1-A 60-400 1979 x06,x07, - Centralized attendant service x14 - Automatic call distribution - Digit display SL-1 Sets - 2500 Set Features - Direct inward system access - Dial Intercom - Message Center - Hotel/Motel - International Phase 1 SL1-XL 1000-5000 1980 x09,X17 - Advanced ACD packages - Multiple message center - Integrated voice and data switching - Hospital/Clinic - International Phase 2 ESN N/A 1981 x9000 - Office data administration system - Automatic Wake-up - Room status - Auxiliary data system - Electronic switched network - International Phase 3 SL1-M 60-400 1982 x11 rls 1 - Attendant Administration - Attendant overflow - Automatic set relocation - History file - Call park - Flexible code restriction - System speed call - International Phase 4&5 SL1-S 30-160 1983 x11 rls 4 - Distinctive ringing - Stored number redial - Async. interface module - Sync. data transmission - Multi-channel data system - SL-1 displayphone - Hotel/Motel 'Generic' refers to the software version. It is expressed as a 3 or 4 digit number where the first part of the number indicates the machine it is for and the second part indicates the purpose of the software and serves as a version number and also indicates the type of machine it can be used with. The 'X' stands for a 1 or 2 digit number representing the model: 1 = SL1-L 2 = SL1-VL 3 = SL1-LE 4 = SL1-VLE 5 = SL1-A 6 = SL1-XL 7 = SL1-M/S 8 = SL1-N 9 = SL1-XN 10= SL1-ST 11= SL1-NT 12= SL1-XT Maintenance Programs ~~~~~~~~~~~~~~~~~~~~ All troubleshooting procedures, configuration changes and circuit disabling/enabling are carried out from the keyboard of a Teletype via software programs. There is virtually no physical contact with the exchange other than required to remove a defective board and replace it with a spare. Even this does not require tools. Before running a program you must first gain access to the computer. The dialup will normally be a 1200 baud connection, with an even parity, databits of 7, and stopbits of 1 (E71). Once connected press several times key to wake the system up. The system SHOULD respond with 'OVL111 BKGD' or 'OVL111 IDLE' and now you know it's alright to login. If the response is 'OVL000' and then a '>' prompt you are already logged in, and you can go straight to loading an overlay. Type 'LOGI' to initiate the login. Make sure when entering commands that they are all input in uppercase. The system responds with 'PASS?'. Now enter the password, (we do have a password, RIGHT?), it has a default, like everything else. The password will always be a 4 digit number, other characters are not valid. If you have correctly logged in, the system will respond with a '>' prompt. The system will display this prompt whenever waiting for operator input and is not running a diagnostic program. Once a diagnostic program is running the prompt becomes a '.' (period). If you are not logged in, there is no prompt. What follows is an example of what you will see during login. { Hit Carriage Return } OVL111 IDLE . . .LOGI { Initiate Login } PASS? { Enter password, it will not echo } OVL015 { Error code for incorrect password } TTY 01 SCH MTC 16:40 OVL 45 BKGD .LOGI { Try again } PASS? . > OVL000 >LD 22 { You are now logged in and ready to load an overlay program } { in this case we are loading overlay 22, a print routine. } PT20000 REQ TID { The REQ prompt appears, now enter your selection, in this } { case we want to print the TID (Tape ID) } TAPE ID: LOADED XXXXXX DISK/TAPE XXXXXX REQ ISS { Enter ISS to view the Issue and Release number of the } { software/switch } VERSION 1011 RELEASE 14 ISSUE 39 REQ END { Enter END to quit this overlay } >LOGO > . { Logout and hangup } Now after gaining this information, we can determine what type of system we're dealing with. Notice that the version number is 1011. Now refer back to the listing of SL-1 Models for the information we seek. We are logged into an x11 system (last 2 digits of the version number). Unfortunately, there are two system with x11 generics, and none of which have a release number of 14, so we're either dealing with an SL1-M or an SL1-S, with either a 60-400 or 30-160 line capability respectively. Although this information isn't extremely useful, it comes in handy when determining how large the system is. Overlay Programs ~~~~~~~~~~~~~~~~ Upon first logging in, no program is loaded, and you must load a program (overlay) into system memory. This is done by the command 'LD' followed by a space and the overlay number. To load overlay 10 you would simply do a 'LD 10'. It will take approximately 1 minute to load the overlay into memory from tape, if the system uses a tape drive. If the system uses disk storage then it will load quickly. Once the program is loaded, a 'REQ' (request) prompt will appear. The system is now waiting for input from the administrator. There are many different overlays which can be used, all of which are explained in the following section. Number Name Purpose ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 10 500/2500 Type Allows new 500/2500 telephone data blocks to be Telephone generated, existing office data modified, moved to a new TN location on the same loop, or removed from the system. Standard telephone sets. 11 SL-1 Type Allows new SL-1 telephone data blocks to be Telephone generated, existing office data to be modified, moved to a new TN location on the same loop, or removed from the system. 12 Attendant Allows new SL-1 attendant console data blocks to be Console generated, existing office data to be modified, moved to a new TN location on the same loop, or removed from the system. 13 DIGITONE Allows new DIGITONE and SL-1 tone detectors blocks Receiver and to be generated, moved to a new TN location on the SL-1 Tone same loop, or removed from the system. Detectors 14 Trunks Allows new trunk data blocks to be generated, existing office data modified, moved to a new TN location on the same loop, or removed from the system. 15 Customer Allows new customer data blocks to be generated, existing office data modified, or removed from the system. 16 Trunk Route/ Allows new trunk/ATM route and ATM schedule hours Automatic Trunk data blocks to be generated, existing office data Maintenance modified, or removed from the system. 17 Configuration Allows the configuration record to be modified to Record reflect changes in the system parameters. 18 Speed Call Allows speed call/system speed call and group call Group Call Data data to be generated, modified, or removed from the system. 19 Code Restriction Allows code restriction data block to be generated, modified, or removed from the system. 20 Print Routine 1 Allows the printing of: - SL-1 TN data blocks - 500 TN data blocks - attendant TN data blocks - trunk TN data blocks - DIG data blocks - group call data - templates - speed call lists - hunting patterns of stations - unused units - unused card positions - terminal numbers 21 Print Routine 2 Allows the printing of: - customer data blocks - code restriction data blocks - route data blocks - a list of trunks in a route - ATM data - ATM schedules - TN associated with CAS keys 22 Print Routine 3 Allows the printing of: - the configuration record - directory number to TN matrix - equipped packages - history - password numbers - ROM QPC number - station category indication - version and issue of generic 23 ACD/Message Allows ACD data, ACD management report schedules, Center and Message Center data to be generated, modified, or removed. 24 DISA Allows data for direct inward system access to be generated, modified or printed. 25 Move Data Allows movement or interchanges of data between Blocks loops, shelves and packs in the same customer group. 26 Do Not Disturb Allows DND groups to be formed, changed, merged, removed or printed. 28 ANI Route Allows ANI route selection data block to be Selection generated, modified, removed, or printed. 29 Memory/ Used to determine the amount of unused memory, and Management to determine if enough memory is available to add new data. Also used to respond to error messages SCH601 and 603 on Meridian SL-1 XN systems. 49 NFCR Allows code restriction data blocks to be defined, modified, removed, or printed. 50 Call Park Allows call park data to be generated, modified, removed, or printed. 73 Digital Trunk Allows Digital Trunk Interface data to be generated Interface or modified. 81 Features/ Allows stations to be listed or counted according Stations Print to their features. 82 Hunt Chain/ Allows printing of hunting patterns and multiple Multiple appearance groups. Appearance Print 83 TN Sort Print Allows printing of stations according to station DES. 84 DES Entry Allows the assignment of station DES (description) to 500/2500 sets. 85 DES Entry Allows the assignment of station DES (description) to SL-1 sets. 86 ESN 1 Allows electronic switched network data defining BARS/NARS/CDP features to be generated, modified, or printed. 87 ESN 2 Allows electronic switched network data defining BARS/NARS/CDP features to be generated, modified, or printed. 88 Authorization Allows data for Basic Authorization Code (BAUT) and Code Network Authorization Code (NAUT) to be generated, modified, or printed. 90 ESN 3 Allows data for ESN network translation tables to be generated, modified, or printed. 93 Mult-Tenant Used to enable and administer multi-tenant service. Service For example, more than one company can use the same PBX. Those are the main overlays used to modify setups and print the system configuration information. SL-1's are mainly used in buildings, and by larger companies, ranging from department stores to complete office complexes. The dialups are commonly found on an extension of the PBX. You can generally come across the dialup while scanning extensions on a Meridian Voice Mail system. Meridian SL-1's are a very common switch used on WATS lines, generally by larger companies. I've also talked to several people who have encountered the actual dialup modem to the switch on the public phone network (exchange scanning). Once you have found one, it's easy to identify with it's trademark 'OVL' greeting. Meridian Manager ~~~~~~~~~~~~~~~~ Obviously SL-1 administrators can't be expected to program a switch using such archaic methods, and remembering every prompt and required input. Northern Telecom has developed terminal software that makes the job easier, which replaces the traditional teletype setup with a PC running their terminal software. Each copy of the software is sold at upwards of $5000 for a site license, and you are entered into a license agreement with NT. As Northern Telecom puts it... "Title to and ownership of Meridian SL-1 software shall at all times remain with Northern Telecom. Meridian SL-1 software shall not be sold outright and the use thereof by the customer shall be subject to the parties entering into software agreement as specified by Northern Telecom." Each copy contains a serial number which matches the PBX's own serial number, thus cannot be used on any switch other than one specified in your license agreement. The software provides a user friendly method to add, remove, and modify information, without dealing with the unfriendly switch directly. Initially the software will phone the specified switch, and check the serial number of the switch. After this, it will load and run the print overlays, and ascii capture all output, building several database files locally, on your own system. After this is completed, it disconnects, and you now have the complete configuration of the switch sitting on your system. You now make the necessary modifications, and upon completion, the software again calls the switch, and updates the switches database. The software, called the Meridian Manager, comes complete with a full internal tutorial on how to use it, and is very helpful. Thanks Northern Telecom, for making it so easy! Additional Information ~~~~~~~~~~~~~~~~~~~~~~ If you require programming information, probably the handiest piece of material that I've found is the Data Administration, Generic X11 : Pocket Reference Guide. This is a pocket book that contains a listing of all Overlay Programs, possible inputs and error codes. The reference is about 100 pages, and can be ordered from Northern Telecom, the order number being P0674785,S086/01. Social Engineering may be required. * Meridian and SL-1 are trademarks of Northern Telecom Limited. Greetings to Talsfalon, Akalabeth, Okinawa, Mechanix, and all those I've forgotten. See you at hohocon, we'll be giving away one of the previously mentioned Pocket Reference Guide's at the raffle. I can be reached at my email address, iceman@silicon.bison.mb.ca, or my own system at 204-669-7983. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3 mQCNAiwKJFQAAAEEALaKeir7NjTo0SawUR5jC7EIxTl+f1Yv3AvxwmHMOC0aZJwq WHqZajrdQ0UXKS6j/2bKgFwfuo76O/KeZmuo4Q05JLRl1epO6SfGMjfSP0zR2y0n 2oSsiA9VNpI/eeZAqJpa15ItpWEXZOwNIHKvTjEqOjADwtVCvkRf68TwYncbAAUR tCNJY2VtYW4gPGljZW1hbkBzaWxpY29uLmJpc29uLm1iLmNhPg== =BlEm -----END PGP PUBLIC KEY BLOCK----- Iceman * The Digital Resistance *