/ __ \/ /_ ________ ____ ___ _____ ____ _______ __
/ /_/ / __ \/ ___/ _ \/ __ `/ / / / _ \/ __ \/ ___/ / / /
/ ____/ / / / / / __/ /_/ / /_/ / __/ / / / /__/ /_/ /
/_/ /_/ /_/_/ \___/\__, /\__,_/\___/_/ /_/\___/\__, /
/_/ /____/
[ 12/08/01 ] ------ ISSUE #1 -->
~-~-~-~-~-~-~- Contents ~-~-~-~-~-~-~-
1. The Telstra Dial-IP Switched Data Network ..................... Marlinspike
2. Working Around The X2 FAST Block .............................. Dark Thief & Zaleth
3. Indigo Box .................................................... Dies Irae
4. Caller ID Program ............................................. Diab
5. Payphone Numbers .............................................. Zaleth & Dies Irae
6. RIM & COMNET Overview ......................................... Phreakau Team
7. BnE Into Telstra Exchanges Part II ............................ Marlinspike
8. Telstra News .................................................. Phreakau Team
9. Links ......................................................... Phreakau Team
~-~-~-~-~-~-~- Contacts ~-~-~-~-~-~-~-
To contact us, or send feedback to the author of an article, select from the following
email addresses :
Dark Thief (dt) : darkthief@iamwasted.com
Diab : diab@hackermail.com
Dies Irae : speedy69@mailcity.com
Marlinspike : p0lter_g@yahoo.com
Zaleth : zaleth@hushmail.com
~-~-~-~-~-~-~- Intro ~-~-~-~-~-~-~-
Welcome to the first issue of Phrequency Ezine. This has been in the works for
months and has taken a shitload of work to get out to you. This issue was primarily
written by Phreakau, a group best described as a "Phreaking Research Group". That
is we are interested in the study and exploration of the inner workings of the
Australian telecommunications network. Most of us are interested in other subjects,
such as computer security, and if we end up working on any significant project that
captures that right 'flavour' it might end up in a future issue. However, we are
primarily a phreaking group.
As you can see from the articles here written by more than one person, we have a
strong leaning towards working together on projects and research. Largely, Phreakau
is a contributors only group that has been closed off from the rest of the
scene due to concerns over things such as discussion based on raw information being
too sensitive for public release. We were going to limit the distribution of this
ezine, but a big reason we decided upon a full release is because phreaking has
seen a bit of a resurgence in the past months and we wanted to give some new
phreaking information to the scene, show everyone that phreaking is not dead in AU
and what kind of information is available if they have the initiative to simply go
out and get it.
So, start hanging around your local pits, cans, cabinets and exchanges. Start
scanning local number exchanges, 1800 numbers and anything else you can think of.
Go trashing. There are people out here willing to share information and help you
with your research. You could be the one to uncover the lead by which the next big
system or phreaking technique is discovered - all it takes is initiative.
Will there be future issues of this ezine? We hope so. We've set this as a
precedent in quality, so if we keep going, keep at our research and get the articles
for a second issue that rivals this one then there most likely will be. You are
welcome to help, or provide your own touch, of course
on some tunes and see what you can learn.
~-~-~-~-~-~-~- The Telstra Dial IP Switched Data Network ~-~-~-~-~-~-~-
- By Marlinspike
Contents
========
1. What Is Dial IP?
2. Accessing Dial IP
3. Logging In
4. RADIUS
5. The Dial IP RADIUS Proxy
6. Scanning And Hax0ring
7. Free Calls
8. Logging
9. Further Reading
What Is Dial IP?
================
Telstra Dial IP is one of the more recent Switched Data Network offerings from
Telstra. It is designed to be a cost-effective and secure solution for dial up users to
connect to corporate LANs running IP from anywhere in Australia.
Dial IP is classed as a Switched Data Network as the underlying protocol uses packet
switching as a transmission method. This is also why it is cost effective as many
transmissions can use the same media at once.
The theory goes that Dial IP is more secure than regular dialups as it consolidates
remote access into one chokepoint using RADIUS rather than having a whole load of
unmanageable dialup servers for different areas in the country. Yay.
Accessing Dial IP
=================
So what's the Dialup? Well, there ain't one. Note that I said 'one'. In the Dial IP
network each customer gets their own dialup to the network which connects to their
LAN and their LAN only. How does this work? Well, there is a range of numbers assigned
as 'Data Network Access Services' for Dial IP. If you apply for a Dial IP service,
your dialup will be in that range and you can use that number to call your network.
The range of numbers that the Dial IP service uses is :
019830XXXX
So that's 019830 followed by FOUR numbers. Just about every technical document I've
seen (including the Telstra ones) has got this written wrong. Don't trust them, trust
me
Access Service' if you don't believe me. They got it right at least. An example working
Dial IP access number is 0198304107 which belongs to Edith Cowan University for their
Remote Rural users (I found this on the net
Logging In
==========
Okay, you've dialed your number (right now we're examining the system from the
perspective of a legitimate user, we'll get into the nefarious shit after I'm done
explaining). So what happens next? Here's the prompt you get if you've dialed with
Hyperterminal or another VT100 emulator (Dial IP has support for PPP/PAP/CHAP so most
legit users won't do it this way cause they'll be using windoze dial up networking).
I've included all the prompts as if you've gone through and got the authentication
wrong so you can see :
** Dial IP **
Username:
Password:
** Bad Password
These are pretty much the standard prompts you will get. This is the RADIUS server
talking to you. It may be that it is authenticating you against a UNIX password file,
but note that it does not display the UNIX login. This is to prevent information
leakage regarding the operating system (and therefore default accounts and so forth).
The system can be configured to present a different prompt if wanted, for example,
you can get a challenge between the Username and Password for CHAP or token based
system and I have also seen custom error messages. The point is the above is the
default and has to be deliberately modified if needed to be. You get three incorrect
tries before losing the carrier.
Once authenticated, you will be handed over to the LAN and can access all resources
normally. Most of the time this will mean a PPP is fired back at you, but this can
depend on what resource your account allowed you access to, PPPsh in UNIX for example.
Yes, if the LAN you've connected to can reach the internet then you've just got net
access dependent on the LAN or larger internal network's firewall egress filters etc.
of course.
RADIUS
======
While we've been logging in in the last section, this is what has been working behind
the scenes to authenticate us. It is basically transparent and regular users need not
know what it is, but seeing as we're not regular users (not to mention 'interested' in
the authentication procedure) it might pay to know a bit about it.
RADIUS stands for (R)emote (A)uthentication (D)ial (I)n (U)ser (S)ervice and is
specified in RFC 2138, with additional accounting details specified in RFC 2139.
RADIUS is also Open Source and so can therefore be modified as the providers wish. In
this way it can be customised to support various different authentication protocols.
At the destination LAN resides the RADIUS server. This can be in synch with whatever
table of usernames and passwords the LAN cares to use. When the user dials up, they are
attached to the RADIUS client, which will issue a request for authentication (username
and password etc.) The user types it in and the client sends the request to the
server for verification. As you can see this centralises the authentication procedure
to the one RADIUS server on the LAN which is completely under the control of the
owner of the LAN.
The RADIUS server and client share a secret key. This is used to encrypt the
authentication request in transit. Although the medium used is a Telstra controlled
dedicated frame relay service and therefore inaccessible to anyone but Telstra staff
(theoretically anyway) the encryption provides an extra layer of security.
The Dial IP RADIUS Proxy
========================
Despite the fact that Dial IP uses separate PSTN numbers for access to separate
systems, Dial IP is still one big network. The communications media are not dedicated
to each customer, they are interwoven with packets from each customer being transmitted
alongside one another. What this means is that there needs to be another layer to the
system directing traffic from the Dial Gateways (PoPs or Dialin Nodes etc.) to the
various LAN controlled RADIUS servers. This makes Dial IP differ from a traditional
RADIUS network somewhat, although still providing good transparency.
This is where the Telstra Dial IP RADIUS proxy comes in. Once the dial in user has
connected, the client actually forwards the authentication request to the RADIUS proxy.
Then, the proxy determines which end RADIUS server the request needs to go to based
upon the PSTN Dial IP access number dialed. Crap ASCII pr0n diagram follows :
 _______________         ___________          ____   ____         ________
|               |       |           |        /    \_/    \       |        |
|    Dial IP    |       |  Dial IP  |       |             |      | RADIUS |
|   Gateway &   |------>|  RADIUS   |------>|   Dial IP   |----->| Server |
| RADIUS Client |       |   Proxy   |       |     ___     |      | At LAN |
|_______________|       |___________|        \___/   \___/       |________|
As far as the RADIUS server is concerned, it is talking to a regular client. The
proxy is completely transparent. There are actually multiple proxies around Australia
to ensure reliability and availability.
Scanning And Hax0ring
=====================
The fact that the prompts are standardised presents an interesting problem in terms
of hacking on Dial IP. Also, I have tried a whole load of numbers in all areas of the
range and have never received a message stating the number is not connected, neither
a voice message, nor a message in my terminal window. So, even if you ring a number
that is not connected to a LAN, you will get :
** Dial IP **
Username:
Password:
** Bad Password
3 tries and then NO CARRIER. So in fact, you may not have even been hacking into a
system at all. Of course, there is always the possibility that you get a non-standard
login prompt or a challenge, which would certainly indicate a system present or a
custom error message, like this one from the ECU number I mentioned earlier :
** Dial IP **
Username:
Password:
Login Failed: check your username,
password and time limits.
A classic case of user friendliness over security.
As far as hacking is concerned, the obvious thing to note is that system
identification is quite difficult and so what you'll have to do is have a generic
set of usernames to try from various systems. As far as I can tell, the systems most
in use on Dial IP are Windows NT/2000 and then UNIX.
There is one other way to determine if a number connects to a valid system or not,
which I will now 'splain you.
Free Calls
==========
Being a phreaking zine this was bound to come up. I am however, speaking of it here
in a semi-legitimate capacity. You see, I do most of my scanning from payphones. When
scanning these Dial IP numbers after I first learned of the network I noticed that
some of the numbers were being connected and modem breath emitting without my having
to insert coins/phreaking for the call. Many did require payment/phreaking. In
documentation it does mention that you can provide the dialin at free call rate if
desired. Obviously, if the number is not connected Telstra wouldn't be footing for a
free call for you now would they? It is the default that the numbers are not free and
if you scanned looking for free numbers you could probably get a lengthy list of valid
numbers. Sure you'd miss a few, but in the meantime you've got a whole bunch of valid
systems to play with that are free to ring continuously.
Logging
=======
This is something I get asked about a lot in regards to Austpac Public Access PADs.
What kind of logging do they have? Can they log with ANI/CLI? Well, here's what I know
about Dial IP. Due to the nature of RADIUS, there is the potential to log a lot of
stuff. The logs for Dial IP at the RADIUS server are very verbose. There are two logs
generated for a session, a start log and a stop log. They contain entries such as :
Start Time
Stop Time
Username Logged in under
Session Time
Framing Protocol Used
Allocated IP Address
Reason For Disconnection
Called Station ID - The last four digits of the number dialled
AND ALSO
CALLING STATION ID (!!!) - This is the number Dial IP was CALLED FROM. However, for
most users the last 3 digits of the number will not be recorded in the RADIUS logs.
Basically, this provides for administrators of the system to know what suburb the call
came from. Note that often the 4th to last number is needed to make up the exchange
prefix in some phone numbers. Some 'authorised' customers can receive logs of the
full numbers, but I am unsure whether this is allowed for some kind of government
security agencies, or just whether or not you grease Telstra's palms enough. Probably
the latter.
The fact of the matter is, this last item is necessary for us to know, but seeing as
it can be defeated by a simple call to a number diverted to the relevant Dial IP access
number (in the suburb the owner of the username resides) it is still not a security
panacea.
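What an administrator can do with the start and stop records listed above, as an added example that is not part of the original article: pair the two records for each session and review the truncated calling number against the prefixes expected for that user. The record layout, the per-user prefix table and every value in the sample log are constructed; the attribute names are the standard RADIUS ones from RFC 2138 and RFC 2139.

```python
import re

# Constructed accounting records: one "Attribute = value" per line, blank
# line between records. Calling-Station-Id is shown without its last three
# digits and Called-Station-Id as four digits, as the article describes.
SAMPLE_LOG = """\
Acct-Status-Type = Start
Acct-Session-Id = "0001"
User-Name = "jsmith"
Framed-Protocol = PPP
Called-Station-Id = "0000"
Calling-Station-Id = "0299990"

Acct-Status-Type = Stop
Acct-Session-Id = "0001"
User-Name = "jsmith"
Acct-Session-Time = 1260
Acct-Terminate-Cause = User-Request
Calling-Station-Id = "0299990"

Acct-Status-Type = Start
Acct-Session-Id = "0002"
User-Name = "jsmith"
Framed-Protocol = PPP
Called-Station-Id = "0000"
Calling-Station-Id = "0733330"

Acct-Status-Type = Stop
Acct-Session-Id = "0002"
User-Name = "jsmith"
Acct-Session-Time = 95
Acct-Terminate-Cause = Lost-Carrier
Calling-Station-Id = "0733330"

Acct-Status-Type = Start
Acct-Session-Id = "0003"
User-Name = "mlee"
Framed-Protocol = PPP
Called-Station-Id = "0000"
Calling-Station-Id = "0388880"
"""

# Hypothetical baseline kept by the LAN owner: the calling prefixes each
# user normally dials in from.
EXPECTED_PREFIXES = {"jsmith": ["029999"], "mlee": ["038888"]}


def parse_records(text):
    """Split the log into records and each record into an attribute dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if sep:
                rec[key.strip()] = value.strip().strip('"')
        if rec:
            records.append(rec)
    return records


def build_sessions(records):
    """Pair Start and Stop records by Acct-Session-Id."""
    sessions = {}
    for rec in records:
        sid = rec.get("Acct-Session-Id")
        kind = rec.get("Acct-Status-Type", "").lower()
        if sid is None or kind not in ("start", "stop"):
            continue
        sessions.setdefault(sid, {"start": None, "stop": None})[kind] = rec
    return sessions


def review(sessions, expected_prefixes):
    """Return (session id, finding) pairs that deserve a closer look."""
    findings = []
    for sid, pair in sorted(sessions.items()):
        rec = pair["start"] or pair["stop"]
        user = rec.get("User-Name", "")
        calling = rec.get("Calling-Station-Id", "")
        allowed = expected_prefixes.get(user)
        if allowed is None:
            findings.append((sid, "unknown-user"))
        elif not any(calling.startswith(p) for p in allowed):
            findings.append((sid, "unexpected-origin"))
        if pair["start"] is None:
            findings.append((sid, "no-start-record"))
        if pair["stop"] is None:
            findings.append((sid, "no-stop-record"))
    return findings


if __name__ == "__main__":
    for sid, finding in review(build_sessions(parse_records(SAMPLE_LOG)),
                               EXPECTED_PREFIXES):
        print(sid, finding)
```

A mismatch is a reason to review the session rather than proof of misuse, and a match is not proof of legitimacy, for the reason the article gives in the preceding paragraph.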
Further Reading
===============
Linkage :
http://www.telstra.com.au/dialip/
Documents:
Telstra Remote Access Dial-In User Service (RADIUS) Information Document
RFC 2138 Remote Authentication Dial In User Service (RADIUS)
RFC 2139 RADIUS Accounting
- Marlinspike 10/6/01
~-~-~-~-~-~-~- Working Around The X2 FAST Block ~-~-~-~-~-~-~-
- By Dark Thief & Zaleth
Contents
========
Summary Of FAST
The X2 FAST Block
Zaleth's Workaround (Aka "Dick Smith's Revenge")
Dark Thief's Workaround (Aka "#INCLUDE <Dark.*>")
Summary Of FAST
===============
FAST (F)ield (A)ccess to (S)ULTAN (T)esting is Telstra's field based access service for
Telstra techs (linesmen etc.) to obtain remote (field) access to special functions such
as electrical tests from an exchange along a customer's line. FAST is accessed via a
1800 number :
1800 050 051
This number is in the 1800 prefix 1800 05x xxx which denotes "Enhanced 1800" and in
which calls are routed to destinations based on the location of the caller. The FAST
number was originally discovered in a 1800 scan by APB (Australian Phone Brotherhood)
and first detailed by ALOC in Morpheus Laughing #1. Subsequent 1800 scans in the 05
prefix haven't turned up anything more of special interest (although that doesn't mean
we're not still trying
has had some options added since the 1999 Morpheus article. A Telstra employee number
and its corresponding PIN are required to access the service, which makes it mostly
inaccessible to people without contacts or the enterprise to get this info themselves.
The X2 FAST Block
=================
When FAST was first discovered it was relatively easy for us all to explore it as we
could simply dial it up from a payphone and have fun. For some weird reason Telstra does
not want us screwing around with their system (or something like that anyway) and has
taken measures to prevent FAST from being called from payphones. Bugger. Well, until
now anyway. w00h00!
So, you ring FAST from a payphone and what happens? Well, everything is fine until you
get to 1800 050 05. The moment you press the '1' that follows, here is what
happens :
(1) The payphone disconnects the line
(2) The screen displays "Service Not Available"
(3) The payphone resets and you get dial-tone again
This is similar to what would happen if you pressed the FOLLOW ON button. If
1800 050 052 or any other permutation on the last number apart from '1' is dialed, the
phone will place the call and not reset. The reset occurs only on pressing the last '1'
in FAST. It occurs without pause for connection or other signalling.
Based on this, it follows that the payphone itself implements the FAST block. There
are other ways for Telstra to administer a block on a service. For example, if some
127 xxx xxx numbers, such as ANI and RINGBACK are called from a payphone, it will call
through and the service itself will announce "Access Denied To Customer Number" for
ANI. This is a function of the payphone LINE and not because of any signalling from the
payphone itself.
If we think of the payphone as a 'client' then what we've got in terms of protection
against us calling FAST is a protection scheme based on the restrictiveness of the
client. However, in order for the payphone to work it requires a channel to send its
signalling data (in the form of DTMF tones) to the exchange and a channel by which to
send the user supplied voice communications. These two channels are one and the same.
The 'protection' is implemented by limiting what signals the user can send by function
of the payphone. The problem is - What if the user supplies his own signalling data on
the common communications/signalling channel or subverts the client (payphone) to
unwittingly send the right signals to the channel in an unexpected manner?
This type of problem is analogous to users editing the URL in a web browser instead
of submitting data through a controlled HTML form and also the good ole in-band
inter-office signalling that has caused Telcos so many problems in the past. We've
included two methods of exploiting this problem in this article and hopefully the
discussion will spark some new ideas on how to get around the FAST block and other
similar blocks. An obvious method would be to beige box off the pit near the payphone,
or from the plugs in the wall, but we wanted to be more cool & doing this in broad
daylight may attract the wrong kind of attention (ie ass whooping by irate store owner
or police officer).
This block is called the X2 FAST block because that (The Smartphone) was the phone it
was originally discovered on, the most prevalent payphone around these days and hence
the phone you'll most probably encounter it on. However, Zaleth checked out some other
phones for the block as well.
Bluephones don't seem to have a FAST block on them. This is probably because this type
of blocking feature is unsupported. However, if it was, it could be worked around like
the other phones.
P2's or PHONECARD phones, pieces of antiquated crap from the early '90s that you insert
a magstripe card into to make calls and have it punch holes in the card to show you how
much credit you have left, believe it or not, have FAST blocks on them. Fortunately,
both workarounds described below have been tested, and work, on P2's.
Zaleth's Workaround (Aka "Dick Smith's Revenge")
================================================
Recently, Dick Smith bought out Tandy. This may have some kind of greater economic
implications that we frankly couldn't care less about, but what we do care about is
that as a result of the buyout a lot of Tandy's "low dollar" products (little stuff,
electronic components etc.) have been discontinued presumably to give Dick Smith
Electronics stores a monopoly in that area. One of the lines included in the
discontinuation were Tandy's Tone Dialers. As a result, they were going out the door
cheap cheap ($2.95 - Thanks to Nightscout for this info). Due to not wanting to be the
poor bastard that didn't invest the price of a Big Mac to get a tone dialer in the
instance a use was found for them we all went out and bought tone dialers. Ironically,
this probably accounts for the fact that a use has now been found for them. Sucks if
you didn't jump on the bandwagon (fact is if you hurry there are still some left
So, back to FAST. Tone Dialers give us a useful ability. The ability to supply DTMF
signalling on the shared communications/signalling channel from the payphone to the
exchange. To put it simply, we can signal the exchange with the number we want to call
using the tone dialer without the payphone being able to detect what we've dialed and
hence not knowing to block us if we call FAST. Step by step :
(1) Lift handset, dial 1800
(2) Whip out tone dialer, hold to mouthpiece of payphone, dial 050 051
(3) Get put through to FAST - Enter employee number + PIN as usual
Dark Thief's Method (Aka "#INCLUDE <Dark.*>")
=============================================
A nifty feature currently installed on the X2's is AUTO REDIAL. This is used when,
you've put your coins in the phone and you've rung someone up, the line is engaged
or the call rings out and you want to place another call without reinserting your
coins. To call again, you press FOLLOW ON, then '*'. The '*' is the button that
denotes AUTO REDIAL but it must be noted that AUTO REDIAL does not work if you
replace the handset rather than pressing FOLLOW ON. You must press FOLLOW ON to use
AUTO REDIAL. When you press the '*' the number will "fan" across the screen and the
number will be redialed for you. Neato huh? OK, maybe its not that cool, but throw
intended purposes out the window and you've got yourself a subversive little function
so yes neato!
How this is used to work around FAST is by inputting the first numbers of FAST into
memory and using that as part of the number for the phone to dial (note that if you
put all numbers of FAST into memory the phone would reset and it wouldn't work). It
goes a little like this :
(1) Dial 1800 050 05
(2) Hit FOLLOW ON
(3) Wait for phone to reset whilst cackling insanely
(4) Hit '*'
(5) Dial '1'
(6) Get put through to FAST
What you've just done is put the first part of FAST (1800 050 05) into memory, reset
the phone, redialled 1800 050 05 and then whacked in the last number of FAST (1) in
order to complete the call without the payphone knowing you've called FAST and therefore
bypassing the blocking mechanism.
- Propz Dark Thief & Zaleth 10/8/01
~-~-~-~-~-~-~- Indigo Box ~-~-~-~-~-~-~-
- By Dies Irae
This is a Brown, DLOC, Party, Pink Box, they all do basically the same thing...connect
two phone lines together, so that you can take advantage of conference call, eg have 5 ppl
instead of 3. All of those boxes I mentioned before were for America, so I decided to
alter one for Australia. It wasn't too hard, but have fun and don't get caught, because
there are many things that they (Tel$tra and Austel) can screw you over for having and
placing this on your line. (Just warning you).
There has to be enough phone wire from each of the male plugs so that the box can be in
the middle of the two phone wall outlets. Then you can mount a modular plug in the side of the
box so you can plug your phone in if you want. Also I presume that you have a grasp of
electronics and know how to wire plugs up.
THE SCHEMATIC WONT MAKE MUCH SENSE UNLESS YOU KNOW WHAT A KNIFE SWITCH LOOKS LIKE...SO BUY
THE PARTS AND THEN LOOK AT IT...
You Will Need
-------------
Okay I'll be nice and include Dick $mith catalog numbers...
2 SPST Switches (i used P 7668) $2.60
2 Phone Lines
2 Male Phone Plugs (F 5117) $6.95
1 Knife Switch (P 7862) $4.95
2 alligator clips (P 6406) $0.80
1 Phone
1 White Plastic Box (you can buy them from Dick Smith, fairly small 10cm x 10cm max)
1 can Indigo spray paint (optional, to spray the box of course)
SPST===============|blue or white wire to phone
alligator clip | __________|_|__________ alligator clip
| | | |=| | |
male plug===|====to knife switch= | |++to knife switch+++|+++++male plug
| knife switch |
male plug--------to knife switch- | |,,to knife switch,,,,,male plug
| | |
| ---------|-------------
|SPST++++++++++++|blue or white wire to phone
= white line from line 1
- blue line from line 1
+ blue line from line 2
, white line from line 2
instructions
------------
1. assemble it like the crap schematic. where a wire hits the knife switch, screw it in.
2. where the connections from line 1 come in, also screw in the wires connecting to the SPST
switches.
3. strip back a bit of covering from one wire from either of the male plugs and solder an
alligator clip on.
4. now on the other wire coming from each of the male plugs (not the one with the alligator
clip), strip back enough covering to clip the alligator clip on.
using it
--------
well you have to build it right for it to work...
IMPORTANT!!! MAKE SURE THAT BOTH OF THE SPST SWITCHES ARE OFF BEFORE YOU START DOING THIS
BELOW! first put the handle of the knife switch to the left (so line 1 is open) so you are
dialing on line 1. dial your two ppl and conference them. then clip the alligator clip
across these two lines. this is to keep the line open. now throw the knife switch over to
the right, so that you are dialling on line 2. now dial and conference your two ppl on
line 2. then open both of the SPST switches and you should have 5 ppl online. easy...
~-~-~-~-~-~-~- Caller ID Program ~-~-~-~-~-~-~-
- By Diab
/*
*
* Simple caller ID program for POSIX Compliant systems
* Should work for: Linux, windows (providing you have a C compiler,
* e.g. djgpp), and most *nix variants.
*
* Usage: ./callid <modem-port> <outfile>
* e.g. *nix: ./callid /dev/ttyS1 clid.log
* e.g. win: ./callid COM2 clid.log
*
* * NOTE * : Your modem should be able to receive callerID information for
* this program to work, consult your modem manual. Most modems
* should have this feature.
*
* - diab < diab@hackermail.com >
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <termios.h>

#define ENABLE "AT#CID=1\r" /* This enables Caller ID on my modem */
                            /* Change if you want... */

void set_terminal(void);

int fd, send, n;
struct termios options;
FILE *logfile;

int main(int argc, char *argv[])
{
    char recv[3024];
    char s3nd[100];

    fprintf(stderr,"\n----------------------------------------\n");
    fprintf(stderr,"Callid by diab - < diab@hackermail.com >\n");
    fprintf(stderr,"----------------------------------------\n\n");

    if(argc!=3){
        fprintf(stderr,"Usage: %s <Modem-Port> <OutFile>\n", argv[0]);
        exit(1);
    }

    /* open log file */
    if((logfile = fopen(argv[2], "a")) == NULL){
        fprintf(stderr,"Error opening log file: %s\n", argv[2]);
        exit(1);
    }

    /* open modem port; open() returns -1 on failure */
    fd = open(argv[1], O_RDWR | O_NDELAY);
    if(fd == -1){
        fprintf(stderr, "Can not open modem port:[ %s ]\n", argv[1]);
        exit(1);
    }
    fcntl(fd, F_SETFL, 0); /* clear O_NDELAY so read() blocks */
    sleep(1);

    /* set the terminal baud rate etc */
    set_terminal();

    /* send cid init string */
    snprintf(s3nd, sizeof(s3nd),"%s", ENABLE);
    fprintf(stderr,"[!] Enabling caller id on your modem\n");
    fprintf(stderr,"[!] Waiting for call...\n");
    send = write(fd, s3nd, strlen(s3nd));
    if(send < 0){
        fprintf(stderr,"Error writing to modem port\n");
        exit(1);
    }

    /* keep reading modem port until we get a ring and notify the user;
       read one byte less than the buffer so it can be NUL-terminated */
    while ((n = read(fd, recv, sizeof(recv) - 1)) > 0) {
        recv[n] = '\0';
        fprintf(stderr,"%s", recv);
        if (strstr(recv, "RING") != NULL) {
            fprintf(stderr,"[!] Phone ringing... saving Caller ID info.\n");
            printf("\a");
        }
        fprintf(logfile, "%s", recv);
        fflush(logfile);
        sleep(1);
    }

    fclose(logfile);
    close(fd);
    return 0;
}

/* terminal stuff: 8 data bits, no parity, 1 stop bit, raw mode, 115200 baud */
void set_terminal(void)
{
    tcgetattr(fd, &options);
    options.c_cflag |= (CLOCAL | CREAD);
    options.c_cflag &= ~PARENB;
    options.c_cflag &= ~CSTOPB;
    options.c_cflag &= ~CSIZE;
    options.c_cflag |= CS8;
    options.c_iflag |= (INPCK | ISTRIP);
    options.c_lflag &= ~(ICANON | ECHO | ISIG);
    options.c_oflag &= ~OPOST;
    cfsetispeed(&options, B115200);
    cfsetospeed(&options, B115200);
    tcsetattr(fd, TCSANOW, &options);
}
~-~-~-~-~-~-~- Payphone Numbers ~-~-~-~-~-~-~-
- By Zaleth & Dies Irae
Shenton Park:
- Onslow Rd:
- X2 Outside Playgroup: (08)9381 2876
- X2 Near Newsagent: (08)9388 3527
- X2 Outside chemist: (08)9388 3535
- Smith Rd:
- X2 near Abedare Rd near graveyard gates: (08)9388 1635
- Derby Rd:
- X2 Corner of Nickleson Rd next to chemist: (08)9381 1033
Daglish:
- Park (Near a lot of units)
- Phonecard phone opposite park: (08)9381 5903 (weird ringer)
Melbourne ...
Mentone:
- Blue Phone, Some School: (03) 9583 1179
- Blue Phone, Some School #2: (03) 9583 1189
- Blue Phone, Franklins: (03) 9585 3962
- Blue Phone, Safeways: (03) 9585 1556
~-~-~-~-~-~-~- RIM & COMNET Overview ~-~-~-~-~-~-~-
- By Phreakau Team
1. What Is A RIM?
2. Types Of RIMs
3. RIM Components
4. SULTAN And RIMs
5. COMNET-1
6. COMNET-2
7. Systems Interfaces
If you have read Neurocactus #7, you would have read their article about RIM Remote System.
Well, some of us at Phreakau have come across some information on this subject and so have
decided to provide a further overview or sequel on this interesting technology and
information about advances since 1996 when it was incepted.
1. What Is A RIM?
=================
R.I.M. Stands for (R)emote (I)ntegrated (M)ultiplexer. The RIM System consists of several
components. The main component is the RU (Remote Unit) itself. This is often seen as a
green cabinet by the roadside although they can also be found indoors. There is also the EU
(Exchange Unit) which is used to communicate between the servicing switch and the RIM Box
(RU). These two components are manufactured by Alcatel. The RU has a communications channel
for OAM (Operations, Administration & Maintenance) use, which is to say that it can be
remotely controlled. In Australia this was implemented with COMNET, which we will get into
later.
A RIM is a highly modular electronic pair gain system. A pair gain system is defined in
Telstra documentation as:
"A system that cuts down on the number of wire pairs needed to carry telephone channels.
They work by multiplexing analog conversations together into a digital transmission that
can be sent more efficiently."
So that would be that each customer's line feeds into the RIM, the RIM multiplexes the
transmissions into a digital transmission and sends it off to the exchange. The speed of
the RIM -> Exchange Bearer Cable is generally 2Mbits/s over copper cable with a higher
rate of 8Mbits/s or 34Mbits/s using a fibre optic bearer. RIMs can also use radio if
required. This is probably used only in rural deployments.
RIMs can also, through their various modules, support various Special Services such as
PABXes and Faxstream. Capabilities like providing a ring signal for incoming calls, DTMF
and Call Progress Signalling are standard.
2. Types Of RIMs
================
Being extremely modular RIMs can come in many different configurations. However, there
are some basic types of configuration that can be noted.
Mode Of Integration
~~~~~~~~~~~~~~~~~~~
RIMs are capable of interfacing with their servicing/parent exchange in a few
different ways. We already know that when transmissions are received, the RIM
multiplexes them into a digital transmission. Where the modes of integration differ is
how the RIM is further integrated into the Telephone Network as a whole. There are a
few modes :
(*) Non Integrated Mode:-
In this mode the digital transmission is de-multiplexed at the parent exchange back
into copper pairs. That means that for each pair going into the RIM there is still
a corresponding pair at the exchange, as there would be in normal operation. This
requires the EU to be present at the exchange. A RIM EU can be mounted via an
Exchange Unit Rack Panel Adapter and can be fitted to a Type 84 or Type 92 exchange
rack.
(*) Integrated Mode:-
In this mode the digital transmission is not de-multiplexed at the parent exchange
but instead bypasses the racks and goes direct to the switching stage. This requires
that the switch in use has a 'parenting' protocol with which it can communicate with
equipment such as a RIM and handle its traffic directly. See below in IRIM Interface
Protocol for more information.
(*) Mixed Mode:-
This is quite simply where the RIM utilises both modes for separate pairs. For
whatever reason, probably to provide some type of special services, this mode may
be required. An EU and a direct link to the switch are both present in this mode.
Size
~~~~
Depending on the number of pairs the RIM needs to service, the size of the Remote
Unit can differ. The standard number of pairs that can fit into one access panel is 60,
but RIMs have more than one access panel. There are three sizes currently in use depending
on requirements : 240 Lines, 480 Lines & 180 Lines in the New CRIMS (Compact RIMs).
IRIM Interface Protocol
~~~~~~~~~~~~~~~~~~~~~~~
Where the RIM is configured as integrated there needs to be a common protocol between the
RIM and the switch at the exchange for communication of the various multiplexed
transmissions and the switching instructions. There are a few different types of exchanges
in use in Australia and the Parenting Protocol for each is different :
Type Of Exchange      Parenting Protocol      Info
Ericsson AXE          ARK-P                   Stands for ARK-Parenting
Ericsson AXE          ESM                     Probably Newer Ericsson Protocol
Alcatel Sys12         RSU
CAN Or IEN
~~~~~~~~~~
RIMs were designed to save copper wiring and take the load off existing exchanges. There
are two distinct situations in which they can be used. A RIM can be deployed in the CAN
(Customer Access Network), that is a RIM serviced by a local exchange and used as support
for an area within an exchange locality. However, a RIM can also be deployed as an exchange
in its own right. Old Ericsson ARK exchanges in rural areas (ARK is a Crossbar exchange -
very schick) are being outmoded and replaced by RIMs. In this type of deployment they are
connected to the IEN, the Inter Exchange Network and are serviced by a transit exchange.
3. RIM Components
=================
I will now attempt to explain the basic structure of components within RIM units. Bear in
mind that the information we had was a bit sketchy in this area, but we believe we have put
it together correctly. The more specific cards are fitted to panels in the units, so we'll
start with the panels :
Exchange Unit Panels
~~~~~~~~~~~~~~~~~~~~
The Exchange Units for interface with the parent switch have a base selection of panels.
Note that in Integrated Mode, there are no Access Panels as there is no need to
demultiplex to individual pairs :
(*) Access Panels - Provides the end copper pair connections to the switch with the
various electrical capabilities of the pairs.
(*) Line Transmission Panel - Responsible for communicating on the optical or electrical
bearer between the EU and RU.
(*) Common Panel - Provides control, clock generation/distribution and OAM (ie COMNET)
access functions at both EU and RU.
(*) Power And Alarm Distribution Panel
Remote Unit Compartments
~~~~~~~~~~~~~~~~~~~~~~~~
All RIM installations will have the following base compartments and panels. Where they
differ will be the cards and the software on the cards used to implement differing jobs :
(*) Cross Connect Facility Compartment
(*) Equipment Compartment With The Following Panels (Same uses as in EU) :
    (*) Access Panels - Connected to customer side pairs
    (*) Line Transmission Panel
    (*) Common Panel
    And additionally :
    (*) Ring/Meter Panel - Provides RING and METER pulses
    (*) Terminal Regenerator Panel - Capable of boosting signals for further transmission
    (*) Trunk Interface Panel - Interfaces Between Common and Line Transmission Panels
        (OAM comms are multiplexed in with regular comms)
    (*) Environmental Control Panel - Cooling fans and climate control
(*) Power And Battery Compartment
Card Components
~~~~~~~~~~~~~~~
More specific components would include things like a module card for Access Panels
that allows communication with 4/6 wire customer units such as PABXes and 4 Wire Modems. I
won't go into much more detail about various cards that can be installed, as that is where
the information gets really sketchy and it probably wouldn't make for much interesting
reading anyway. However, there are two things I would like to explain. The first is the
units used for OAM (Which stands for Operations, Administration & Maintenance), which in
Australia is handled by COMNET and the second is RIM support for things like SULTAN. I will
explain the first now, but SULTAN has a full section afterwards.
Remote Management/OAM :
The RMU (Remote Management Unit) is responsible for providing an integrated OAM system.
It communicates with the counterpart remote or exchange unit and the NMQ (Network
Management Units) via a Q2 Bus OAM link. The RMU is probably mounted on the Common Panel
and seems to communicate over the Q2 Bus with the RAC Unit (Rate Adaptor Unit) which
enables multiplexing of OAM communications onto the main bearer. The RAC Unit is probably
mounted on the Trunk Interface Panel. The NMQ communicates with the RMU and the COP
(COre Processor unit). It also receives some alarm messages from other RIM components.
4. SULTAN And RIMs
==================
This section will be short but I believed it was important enough to warrant its own
separate section. First of all S.U.L.T.A.N. stands for (SU)bscriber (L)ine (T)esting
(A)ccess (N)etwork. This system is responsible for performing electrical tests on
subscriber lines. Now, a little thing that not all of you may be aware of is that F.A.S.T.
stands for (F)ield (A)ccess to (S)ULTAN (T)esting, however those of you that are familiar
with the system may know about running a SULTAN test through FAST.
The fact that to do an electrical test on a customer line you need a complete electric
path (ie. copper wiring path) along the length of the customer line poses a problem for
RIMs as there is no constant path for each individual pair. They are multiplexed at the
RIM.
Alcatel has solved this with the CTU (C)ustomer (T)est (U)nit. This unit takes care of
electrical testing from the RIM itself as directed via SULTAN through COMNET-1 or by
COMNET-2 itself. The CTU is also capable of establishing a speech path for call setup
between an operator and a customer as in ring testing. It can also perform busy line
monitoring and testing of tones and pulses on the line. Altogether a pretty nifty unit.
Typically, SULTAN can test the status of the RIM and if OK it can proceed with a line
test from the RU to the customer equipment using the CTU.
Yes. Using FAST you can test the status of a RIM and also any specific lines through the
RIM. Remember FAST stands for Field Access to SULTAN Testing. I just had to explicitly
state this or else I just know I would be asked the relevant stupid question by someone
in the future heh.
An electrical test on a line can also be initiated by a COMNET system terminal or,
automatically by COMNET-2.
5. COMNET-1
===========
Okay, let's start by playing games with acronyms. Telstra, like most large telecommunications
corporations and the military, likes acronyms 'cause they sound cool. Here's the explanation of
the acronym COMNET. COMNET is actually a few acronyms within one another. First there is :
COMNET : (C)AN (O)A(M) (NET)work
CAN and OAM are acronyms themselves :
CAN : (C)ustomer (A)ccess (N)etwork - This defines the telecommunications network area
between an exchange and the customer premises. RIMs are installed in this area.
OAM : (O)perations, (A)dministration & (M)aintenance.
So COMNET actually stands for :
Customer Access Network Operations, Administration & Maintenance Network. Shame to all of
you who thought it simply stood for "(COM)munications (NET)work".
'COMNET' refers to the network and associated systems that are required for interface
between various core Telstra systems and RIM to provide the management that RIM requires to
be a part of the telecommunications network. COMNET-1 was the initial stage of this product
created to support the roll-out of the RIM system, and COMNET-2 is a further upgrade of the
product. This upgrade has been implemented one location at a time and so depending on your
area the available system may be either COMNET-1 or 2.
The support provided by COMNET-1 can be broken down into the following applications :
Service Activation
~~~~~~~~~~~~~~~~~~
(*) Automatic activation of RIM equipment in conjunction with the exchange interface
to provide the physical service
(*) Recording of newly commissioned RIMs
Service Assurance
~~~~~~~~~~~~~~~~~
(*) Customer fault report handling
(*) Efficient management of RIM equipment alarms
(*) Pro-active planned outage and hazard advice
(*) Repair workforce dispatch
(*) Remote diagnostic handling
Other Key Features
~~~~~~~~~~~~~~~~~~
(*) Remote software download (down to card level)
(*) Remote network management of RIM systems
(*) Remote customer line testing (Standard SULTAN functionality)
(*) Remote configuration management
(*) In service performance monitoring, fault location and alarm monitoring
(Alarm and equipment fault reports are relayed to the NMG, which will
then dispatch a service restorer)
The management application used on COMNET-1 workstations is NECTAS : Network Element
Craft Application Software. The network is X.25 based, and as you will see A LOT of Telstra
systems seem to hang off X.25 and not just COMNET.
Explanatory ASCII Pr0n diagram demonstrates :
FIGURE 1 : COMNET-1 ARCHITECTURE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Customer Operations           National Maintenance
      Centre                         Group
                           Alarm            COMNET    <---- Terminal
   COMNET                 Handler         Workstation       Application
Workstation                  |    ___<>________|_____       is NECTAS
  ___|_____<>______          |      /             Lan
  Lan        \              /      /
              \  __________/   ___/               RIM
               \/          \  /                 /
               /   COMNET   \/                 /
SULTAN --------| Data Comms |----------Mediator-------RIM
               \  Network   /                  \
                \__________/                    `--modem >-< modem -- RIM
6. COMNET-2
===========
As previously mentioned, the COMNET-1 architecture was largely an ad-hoc arrangement
to support the initial RIM inception. According to Telstra, a number of problems existed
with COMNET-1 that they sought to correct. Some of these were :
(*) The distributed nature of the network made it hard to maintain things like security
and integrity of the system. There was a lack of central management that they wished
to address.
(*) The Mediator between the RIMs and the COMNET Data Communications Network was not
standard and so whenever the RIM software was upgraded by Alcatel, new support
needed to be implemented in the Mediator.
(*) Alarm management was inadequate. (Hehe, this is bad).
(*) Integration with Telstra core systems was inadequate and Telstra wished to automate
many tasks such as Activation without having to manually go to all the involved
systems and Exchange Interfaces.
COMNET-2 was the answer to these problems. Further upgrades are always being proposed.
Here is a diagram of the COMNET-2 setup :
FIGURE 2 : COMNET-2 ARCHITECTURE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Customer Operations                             Regional Maintenance
  Centre (Regional)                                     Group
       COMNET                                           COMNET
     Workstation                                      Workstation
      ____|__________<>_____             ______<>__________|____
      Lan              \                      /              Lan
                        \_____          _____/
                              \        /
                              _\______/_
                             |          |
     SULTAN _________________| Manager/ |__________________ Service
                             |  Agent   |                   Activation
                             |__________|
                                   |
                              _____|____
                             /          \
                            /  COMNET-2  \
                            | Data Comm  |
                            \  Network   /
                             \__________/
                              /    |   \
                             /     |    \
                            /      |     \
                         RIM      RIM     RIM
As you can see this setup is much neater (The diagram is neater and was much easier to
draw as well). Obvious differences between this and the COMNET-1 setup are :
(*) The introduction of the central Manager/Agent. We are unclear on whether there are
Manager/Agents for each region or whether this component is national.
(*) Removal of the Mediator between the RIMs and the network. It is now standardised as
much as possible and the rest handled by the Manager/Agent.
(*) Removal of the modem connections to the RIMs.
(*) Removal of the singular Alarm Handler which is now integrated and automated. RIM
alarms are now forwarded to NICAD (National Integrated Customer Alarm Display).
(*) Introduction of a Service Activation component which is an integration with Telstra
core systems such as AXIS & RASS.
(*) Communications with Regional centres rather than National.
Additional features of COMNET-2 include :
(*) Improved customer line testing capability. COMNET-2 will automatically test lines and
not just when directed to by SULTAN or a system terminal.
(*) Remote software download, backup and archiving.
(*) Organised security management.
(*) Operating on the HP OpenView software platform.
If I had to speculate on the security architecture of COMNET-2 I'd say that the Telstra
core mainframe etc systems and LANs around the country communicate with the Manager/Agent
over X.25 and the requests are moderated and passed on to COMNET-2 as appropriate. In this
manner the Manager/Agent acts as a kind of national application proxy firewall moderating
requests for action. COMNET-2 may also communicate over the X.25 network, but the RIM
access points would only accept connections from the Manager/Agent. Hence, a less
distributed method of managing security/integrity with the Manager/Agent as a chokepoint.
Of course, all this goes out the window if someone were to 0wn the Manager/Agent, make
acceptable requests that do the job, or subvert the COMNET-2 communications protection.
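Added example (not part of the original article, and not Telstra or Phreakau code) : the
chokepoint argument above checked as a graph problem, from the point of view of whoever has
to verify the design. Node names and edges are an editor's reading of Figures 1 and 2, the
Manager/Agent as sole enforcement point follows the author's speculation, and the
legacy_modem entry is constructed to show a leftover bypass being flagged.

```python
from collections import deque

# Request-flow edges read off Figures 1 and 2. Node names and this reading of
# the ASCII art are the editor's assumptions, not Telstra data.
COMNET1 = {
    "coc_workstation": ["data_network"],
    "nmg_workstation": ["data_network"],
    "alarm_handler": ["data_network"],
    "sultan": ["data_network"],
    "data_network": ["mediator"],
    "mediator": ["rim_a", "rim_b", "modem_link"],
    "modem_link": ["rim_c"],
}
COMNET2 = {
    "coc_workstation": ["manager_agent"],
    "rmg_workstation": ["manager_agent"],
    "sultan": ["manager_agent"],
    "service_activation": ["manager_agent"],
    "manager_agent": ["data_network"],
    "data_network": ["rim_a", "rim_b", "rim_c"],
}
# Constructed drift case: a COMNET-1 style modem link that was never removed.
COMNET2_DRIFT = dict(COMNET2, legacy_modem=["rim_c"])


def nodes(graph):
    return set(graph) | {n for targets in graph.values() for n in targets}


def rims(graph):
    return {n for n in nodes(graph) if n.startswith("rim_")}


def sources(graph):
    """Nodes nothing points at: the places a request can originate."""
    targeted = {n for targets in graph.values() for n in targets}
    return set(graph) - targeted


def reachable(graph, start, removed=frozenset()):
    """Breadth-first search from start, ignoring every node in removed."""
    if start in removed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unmoderated_pairs(graph, enforcers):
    """(source, rim) pairs still connected once the enforcers are taken out.

    An empty list means every request path crosses an enforcement point."""
    pairs = []
    for src in sorted(sources(graph)):
        hit = reachable(graph, src, frozenset(enforcers)) & rims(graph)
        pairs.extend((src, rim) for rim in sorted(hit))
    return pairs


def chokepoints(graph):
    """Intermediate nodes whose removal cuts every source off from every RIM."""
    middle = nodes(graph) - sources(graph) - rims(graph)
    return {n for n in middle if not unmoderated_pairs(graph, {n})}


def exposed_rims(graph, node):
    """RIMs a node can address: what is at stake if that node misbehaves."""
    return reachable(graph, node) & rims(graph)


if __name__ == "__main__":
    for name, graph, enforcers in (
        ("COMNET-1", COMNET1, set()),
        ("COMNET-2", COMNET2, {"manager_agent"}),
        ("COMNET-2 with drift", COMNET2_DRIFT, {"manager_agent"}),
    ):
        print(name)
        print("  chokepoints      :", sorted(chokepoints(graph)))
        print("  unmoderated paths:", unmoderated_pairs(graph, enforcers))
    print("Manager/Agent exposure:", sorted(exposed_rims(COMNET2, "manager_agent")))
```

In this reading COMNET-1 also funnels through the data network and the Mediator, so the
topology alone does not separate the two designs; the model treats COMNET-1 as having no
enforcement point because the article describes none, which is an assumption.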
7. Systems Interfaces
=====================
COMNET, and particularly COMNET-2, supports integration with existing Telstra core systems.
COMNET-2 in particular is designed to be configured automatically by entering the details
into the core systems. In the context of the information below, 'regular telephone lines'
means regular voice grade telephone or P.O.T.S. lines and not lines supporting Special
Services. Some systems and the ways in which they interact with RIM & COMNET are :
(*) AXIS : The order system used by Telstra to order work to be done on regular telephone
lines. This can involve ordering a linesman to set a line up, automatically
configuring the exchange by interfacing with AUTOCAT or, remotely configuring
a RIM via COMNET.
(*) AUTOCAT : (AUTO)matic (C)onfigur(A)tion of (T)elephone Exchanges, or (AUTO)matic
(CAT)egory Change System. The automated system that other Telstra systems
integrate with to automatically configure a telephone exchange. Does this
by changing 'categories' within the exchange.
(*) DCRIS : (D)istributed (C)ustomer (R)ecord (I)nformation (S)ystem. COMNET initially
accepted service orders from this system until it was replaced in 1997 by
AXIS.
(*) FACS : (F)rame (A)nd (C)able (S)ystem. A database used to record information and
manage regular telephone lines. RIM configuration information is also stored in
FACS. Used for some recording of copper RIM bearers. Also for recording of some
Special Services lines such as ISDN.
(*) MULTIMAN : Optical links recording system for CAN. If the RIM uses an optical bearer,
it will be recorded in MULTIMAN rather than FACS or NPAMS.
(*) NPAMS : (N)etwork (P)lant (A)ssignment and (M)anagement (S)ystem. Used for some
recording of copper bearers from RIMs. Also used for recording RIMs in the
IEN as cable pair groups. Used for some management of regular telephone lines.
(*) RASS : (R)ecord (A)utomation for (S)pecial (S)ervices. Order system for Special
Services rather than regular telephone lines. AXIS's Special Services
counterpart. Two sub-systems : RASS-P (RASS-(P)rovisioning) & RASS-M
(RASS-(M)aintenance).
(*) TRAC : (T)ransmission (R)ecording (A)nd (C)ontrol System. Used for recording RIMs in
the Inter Exchange Network. Recorded as multiplex links.
Propz - Phreakau Team 5/8/01
~-~-~-~-~-~-~- BnE Into Telstra Exchanges Part II ~-~-~-~-~-~-~-
- By Marlinspike
Intro
Building And Security
What's Inside
Area Sensors
Slip & Pull Tool
Contact Switches
Door Destruction
Schools Of Entry
Appendix 1 : Responsibilities For Credential Users
Appendix 2 : Social Engineering The After Hours Centre
Intro
=====
In your suburb right now, the coolest place by far in the entire area is inside
your local telephone exchange. This is part II of my manuals on breaking into
them with the intention of learning more about the telephone network and
procuring information (such as hands-on experience & manuals) about the telephone
network. Every successful Phreaker who got anywhere did this. Poulsen did it,
Mitnick did it, The Phonemasters did it - and now you can do it too.
The first manual was basically my conclusions on what techniques could be used to
enter exchanges from a few basic observations. This manual will cover my
conclusions based on my now extensive observations of many telephone exchanges
and my own successful entries and explorations. This manual is meant as
complementary to part I. If you find yourself wanting more techniques/options,
refer to part I as it was very comprehensive in that regard.
Finally, since the first manual was published, I have been asked what is my
preferred entry method. The answer is : I have used many different methods for
different exchanges and situations. This is more to do with expedience than
concealing my Modus Operandi. It is true that professional burglars often use
changing and the most rank amateur methods they can use to get away with the
burglary to throw off the cops, but in regard to exchanges I think you have to
make up your own mind about which techniques you want to use based on your
situation. This file is meant to provide you with a choice of techniques.
You might want to go trashing at your surrounding exchanges before actually
breaking in. This will give you a chance to gain confidence, become used to the
exchange and the surrounding area and escape routes and also ... get some pretty
good information just from the trashing. You'll notice that in the appendices I
have omitted the numbers that you need to ring. This is because if you've even
got off your butt and gone to an exchange a couple of times you'll probably get it
and because if Telstra gets hold of this doc, they'd be able to change it quite
simply.
Building And Security
=====================
This section covers basic understanding of exchange perimeter structure and some
basic techniques so keep reading if it seems a bit basic.
The basic suburban telephone exchange is usually a relatively old structure
in your area. It would seem from my observations that they have concentrated on
perimeter security and haven't even really done a good job of that. The primary
obvious entry points into the building would be the windows and the doors (unless
you feel like breaking through a wall or going through the roof - which is still
a viable method if you don't mind being destructive.)
I have looked at the air-conditioning on exchanges and have come to the
conclusion that they probably aren't safe to try and get in through. Some of the
units though are mounted in windows and if you could pry one out or unscrew it,
that would do but you'd probably be better off using a technique on the window
itself.
There are quite a few windows on exchanges funnily enough, on concealed walls
as well as walls open to the road. Because of the focus on perimeter security
these windows will usually have bars on them. They are locked and opened by a
lever (see diagram in slip & pull tool section) if required. I have not seen
contact switches or vibration detectors on these windows. A possibility for
detecting broken windows is a 'shatter guard' which is a unit mounted in
a concealed location inside the building that detects the high pitched sound of
glass breaking. I have tested for this device by smashing a bottle near the
doors of the exchange and no alarm has gone off. The windows it seems could be
opened by smashing as long as the bars were gotten past.
The bars on the windows are vertical only. I have seen some security grilles
which are frail and offer no protection at all, but bars seem to be the
predominant window protector. A simple trick to use here is to car jack them
apart. Then, you can squeeze through the gap and do your stuff. Afterwards, you
can re-close the bars (somewhat messily, but can often turn out ok) by instead of
applying pressure to two bars side by side with the jack in the middle; applying
pressure between one bar at a time and the window frame. That is to say, mount
the jack on one bar and some pieces of wood reaching the window frame.
It would also seem that the bars themselves have been mounted on a frame that
has not been welded to the window frame itself, but instead have been screwed in.
This opens up the opportunity for unscrewing the bar frame at one end and pushing
your way past the slightly bent frame to get in and then rescrewing it back on
later.
There are doors on exchanges at the main entrance which is usually pretty
standard and well protected (more on this later) and there are also other doors
around exchanges, for moving in and out equipment. These doors are usually
double doors and are made of wood, occasionally reinforced with metal. These
doors are designed to be opened from the inside only and so do not have key locks
but have bolts on the inside. There will usually be two vertical bolts at the
top and bottom of the door which are just push in/pull out of the floor/ceiling
numbers and a horizontal bolt between the doors which is like a bolt on a gate -
not simply push in/pull out, but has to be manipulated past a stop which could
(but never does) have a padlock in it. They will also have contact switches -
usually mounted at the top of one of the doors. Examine the diagram :
__________________________|____[__]______
| | | [ ] <----|------- Contact
| | -> | | Switch
| | | |
| | | |
| | --Vertical |
| | Bolt 1 |
| | | Well? f***ing
| Horizontal --> --|-- | Examine it! You
| Bolt | | will be needing this
| | | information later.
| | | (Sorry, just needed
| | Vertical | something to fill this
| | Bolt 2 | space
| | | |
| | | <---- |
|___________________|_______|_____________|
|
There are very limited intruder alarm systems in Telstra exchanges, however there
are extensive fire/smoke, gas and equipment alarm systems which you should be aware
of. One night on one of my trashing runs I jumped the fence completely prepared to
grab some goods and noticed that an alarm was going off inside the exchange. Peering
through the window I noticed it was coming from a panel marked 'VESDA MIMIC'. A
quick web search got me the following url :
http://www.vsl.com.au/vesda/index.html
Thanks to Phunki for helping me hack and search my way through this site! It would
seem that this is the basic technology Telstra uses for fire and gas monitoring in
its exchanges. The equipment itself has several alarm conditions. If you want some
examples, have a look at the ICM docs in Infosurge #6. Needless to say, you wouldn't
want to set off any of these alarms either. This could happen, if for example you
decided to use an oxyacetylene torch to burn your way through one of the side doors.
Getting back to the story though, I waited for 1 - 2 hours at a nearby property for
*someone* to show up and no-one did. During this time two police cars cruised past
blithely unknowing. After that I got sick of waiting and trashed the place and left.
I have had similar reports from other people saying that no-one gives a shit about
alarms (intruder or otherwise) going off at exchanges. Because there are no area
sensors in Exchanges, if you only set off the contact switch on one door (all that
is needed to gain entry) the maximum 'event' you could provoke would be a 'one-zone
violation'. This is considered by the police to be a low priority event. In other
alarm cases, all the police will respond to is a two-zone violation as a matter of
policy. One-zone violations are deemed as being the responsibility of the owner or
their security company. Still, it's up to you how paranoid you want to be. I
personally err to the side of caution and don't hang around longer than a minute or
so if I've set off an alarm.
What's Inside
============
Airconditioning Plant Room : Gas pressure compressors etc. Large pipes.
Battery Power Room : Room filled with weird alien looking boxen.
Uncrating Areas : Open spaces where secondary doors described above open onto,
will have a monorail - a big metal support - running into it at ceiling
level for supporting massive equipment being loaded in and out.
Lunch Room : Token Amenity So Telstra Isn't Accused Of Slave Labor.
Toilets : Guess it was either here or in the equipment room
Store : Filled with tools and other interesting items.
Office/s : Mostly desks, occasionally have bookshelves and filing cabinets
which are good for a rummage.
Maintenance Control : Either used as storage space or has actual control
equipment in - bookcase with manuals may be here.
Equipment Rooms : These are the main rooms you'll want to concentrate on and
that have the most interesting things in. Like a big warehouse floor. A block
of pairs at one end with equipment (CMUXes, RIM boxes, Tran$end boxes, PABXes
etc) hooked up to it. This room can also have a partitioned off area which has
consoles for the equipment and a nice bookcase filled with nice manuals.
The manuals come in four types I've seen, the more 'commercial' ones which
come spiral bound, computer printouts hole punched and bound in a file folder,
loose paper computer printouts and manuals still on disk in Microsoft Word
Format. I think the main resource for manuals (Not for ALL manuals though) is
the Telstra Intranet. A web based intranet for Telstra staff :
http://www.cdn.telstra.com.au/
I have seen a number of things referring to this url, however it is not
part of the regular internet and I have tried to break in via computer a number
of times with varying degrees of success and have never been able to crack it.
There is a directory called /cc-docs which seems to hold a lot of manuals.
A lot of the manuals they have gotten through third party by buying equipment
are separate from these, probably due to
