The Analogue T.X.E Switch - a Debriefing

^ iNFERNO

 T.X.E stands for Telephone eXchange Electronic; it is a vast step down from
its bigger (but younger) brother, the T.X.D (Sys X, AXE10, etc.). Its
call processes are all handled electronically, yet it is an analogue
exchange (the waveform that carries the speech and data signals is not
converted into digital format). Due to its inherent lack of digital quality,
line quality can be bad, high speed fax cannot be used and high speed
modems have problems. They cannot support ISDN facilities, or, in most cases,
star services. Tracing operations are not fully robust here, but that does
not justify the common delusion that you cannot be traced from a TXE; you can.
The TXE switch breaks down into several formats:

 TXE - Telephone eXchange Electronic
TXE2 - Telephone eXchange Electronic (2)
TXE4 - Telephone eXchange Electronic (4)
TXE4A - TXE4, cost-reduced.
TXEE - Telephone eXchange Electronic Enhancement.

 Electronic exchanges may be upgraded to offer the sort of facilities that
Digital exchanges have, such as star services, but these are not inherent
facilities and will not be operative in all TXE areas. The TXE is dying, and
rapidly. Even as we speak (or read?!) the TXE switches are being replaced
by the new TXD switches (so stand up, vote for, and support your local TXE!
:)), something BT should have done a long time ago.

 Having said all this, most would be surprised that one of my favorite types
of switch is the TXE. This is because it is fairly phreak/hacker friendly.
For a start, BT claims that their digital exchanges are paperless (bollox, I
know, but more so than TXEs); this sort of misfortune does not pay off on
trash visits (or however far you choose to go into your local TXD). TXEs
produced enough paper to be a threat to nature conservation.. most of this
comes in the form of DWI printouts (Display Work Instructions) - which list
an engineer's jobs for the day - or software reports.. if you've trashed many
TXEs, you should recognize the software reports instantly, they
normally go something like this..

 SOFTWARE REPORT (x) ALIGNER NNI (yeh rite) xx/xx xx:xx:xx
SOURCE CCFxB STATUS CATEGORY 013 ALARM NO ALARM SYMPTOM ID 328
IDR from SHC timed out - overload/terminal congestion message
00 00 04 12 FF FF EF 23 00 04 05 02 04 07 03 03 01 EE EE EE EE EE EE EE EE EE
END

 DATA FOR SYMPTOM 328
00 00 04 12 FF FF EF 23 00 04 05 02 04 07 03 03 01 EE EE EE EE EE EE EE EE EE
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF 00..

 The above sequence is an example of what might happen if a TXE4 were to
experience a flood of incoming C7 calls (CCITT7) as a result of, for example,
a radio phone-in. Another type of printout may be the DN printouts; these
are possibly the best print you will ever find.. if you get a full set, it
will list every single DN, xxx 0000 - xxx 9999 in your exchange, along with
any other prefixes the exchange manages. Various numbers may have comments
next to them (some printouts only contain numbers with these comments); these
range from misc. crap to BT dial-in ports for that exchange. The types of
dial-in you may find range quite a lot, but one you will probably find in
any printout from a TE is the number for its EBP (Exchange Based Processor)
or, if you're lucky, CSP (Central Site Processor).

 The EBP & CSP - These both run on a DRS300 level 70 Microcomputer which
runs UNIX; they are the brains of the electronic switch and contain all
sorts of crap, including customer information. Together they are known as
the CMA - Coordinated Management Approach. In normal circumstances, the CSP
is expected to look after around thirty EBPs. The processors communicate on
an X.25 network.

 CMA works in conjunction with equipment from other sources:

 o The ECTE interface unit : The interface retained from the superseded
   ECTE (Exchange Computer Terminal Equipment) system houses the
   Meter & Alarm Interface Unit (MAIU) and the modems used for
   communication over the Public Switched Telephone Network and the
   X.25 network.
 o Gateway : The gateway system consists of two types of unit: the
   Gateway G and the Gateway ARU (Alarm Reporting Unit) at the central
   site. The alarm relays at the exchange can be connected to alarm
   leads on the Gateway G unit. Any lead detecting an alarm will cause
   the Gateway G to send this over the PSTN to the central site (!).
   Each Gateway G consists of up to 128 alarm leads. The signals coming
   in or going out from the central site over the PSTN are handled by
   the Gateway ARU. The alarms can then be monitored by the CSP.
 o ARAB : The ARAB (Alarm Reset And Busy) system is used to place
   MCUs (Main Control Units) and Markers OOS (out of service), or
   busied, whilst other equipment in the exchange can reset. ARAB can
   control up to 130 reset relays and 70 busy relays. In conjunction
   with the Gateway system, ARAB is used to reset, busy and unbusy
   equipment under control of the central site. Four Gateway ARUs
   are used at the CS, two for receiving Gateway G alarms (nominated
   as incoming ARUs) and the other two for PSTN communications with
   the ARAB units (nominated as outgoing ARUs).
 o SADIE : SADIE (Subscriber Automatic Disconnect Equipment) is used
   on TXE4RD (TXE4 Rectory Design Exchange) to place subscribers
   Temporarily Out Of Service (TOS) and to restore them. It resides
   in and receives commands from ARAB (which is accessed via PSTN..).

CMA maintains a database of exchange performance and history, updates
subscribers' lines, etc...

 The DRS300 consists of an A4 Processor Module, a D9 Disk Module, an S1
Tape Streamer and a K3 Power module. An X.25 modem is used by the DRS to
communicate with other processors on the CMA system via PSN (packet-switched
network) and an autodialling modem allows communication over the PSTN.
The EBP features a Newbury 8000 terminal emulation allowing the user to log
on to a remote ECTE system from an EBP workstation. The connection is made
over the PSTN; the system also allows connection to other systems on the
PSTN.

 Being a UNIX system, all logon attempts are recorded, and some programs
carried out from within the system will require extra passwords to be entered.
The sysadm will have full access to the Shell and can enable a Shutdown command
from the logon prompt that will shut down the processor to run level 0.

Once inside it is possible to jump to other EBPs on the network, via option
81 on its COMFORTE (COMputers FOR Telephone Exchanges) menu system.

You may also find numbers for communications with other parts of the TXE,
such as the 4-Tel modules (I have one such data number), or, in special
cases, remote meter reading or electronic monitoring, but the two latter
are normally only available on ATEs (Automatic Telephone eXchanges), that
may remain unmanned for some period (I suggest you go for some of these,
they DO exist and I cannot stress their usefulness!!).. another system
goes by the name of MIRACLE, which is used for Call Logging Purposes. This
too is accessed via PSTN and only requires a single password to gain entry
(the default is `MIRACLE'!!).. logging on is as follows:

 BRITISH TELECOM

 BIRMINGHAM

 PLEASE ENTER PASSWORD>xxxxxx

 PRESS `Q' TO ABANDON A FUNCTION AT ANY TIME.

RESPONDING TO A MULTIPLE CHOICE WITH `?' WILL LIST ALTERNATIVES.
SYSTEM WAS LAST CALLED AT... 10:56:24 (GMT) ON THURDAY DECEMBER 30TH
SYSTEM CLOCK NOW READS ... 09:43:12 (GMT) ON FRIDAY DECEMBER 30TH.
MEMORY STATUS : MAXIMUM CAPACITY __ 8191
: ENTRIES IN MEMORY __ 290
: PERCENTAGE USED __ 3

 SELECT REQUIRED FUNCTION>V

 GIVE INITAL EXCHANGE METER READING.
OR JUST PRESS RETURN TO AVOID COMPARISON.
?
GIVE START DATE IN FORM DD/MM
OR `_' TO LIST FROM START
?05/06
GIVE LAST DATE IN FORM DD/MM
OR `_' TO LIST UNTIL END OF FILE
?09/06

 DATE RANGE COMPLETELY OUTPUT FROM (05/06 TO 09/06)
METERING TOTAL:
100 METER UNITS, COSTING 4.5 PENCE EACH
TOTALLING. 4 POUNDS 50 PENCE.

 PRESS RETURN TO CONTINUE?

 SELECT REQUIRED FUNCTION>P

 GIVE INITAL EXCHANGE METER READING.
OR JUST PRESS RETURN TO AVOID COMPARISON.
?
GIVE START DATE IN FORM DD/MM
OR `_' TO LIST FROM START
?05/06
GIVE LAST DATE IN FORM DD/MM
OR `_' TO LIST UNTIL END OF FILE
?09/06

 LISTING FROM 05/06 TO 06/06

 BIRMINGHAM xxxxxxx 5TH JUNE
START DIALLED METER CALL ANS FINISH COST/
TIME DATE/MTH DIGITS PULSES 1ST M/P TIME DURATION PENCE
----------------------------------------------------------------------------
15:03:49 05/06 6442371 0005 15:03:57 15:15:32 000:11:55 22
15:06:22 05/06 INCOMING 0000 15:06:29 15:11:57 000:05:18 
19:06:12 05/06 5542399 0002 19:06:36 19:09:42 000:03:06 9

 TOTAL COST FOR ONE DAY, 5TH JUNE = 31 PENCE

 09:23:54 06/06 2334157 0001 09:24:16 09:25:42 000:01:26 4
20:32:52 06/06 INCOMING 0000 20:33:12 000:03:06 9

 TOTAL COST FOR ONE DAY, 6TH JUNE = 4 PENCE

 SELECT REQUIRED FUNCTION>9

 SESSION COMPLETED ... GOODBYE

 I think you get the picture, it's also possible to choose lines to be
monitored etc.. I expect this is the system BT use on TXEs to catch people
carding and PBXing as it records EVERY number you dial. Check this, 
Live Monitor Facility...

 FUNCTION 4 ... LIVE MONITOR
ENTER PORT IDENTIFICATION LETTER>A
MONITOR ACTIVE ... BIRMINGHAM xxxxxxx

 15:03:32 *LINE IS FREE*
15:03:49 SEIZED OUTGOING
15:03:55 DIGIT 1
15:03:57 DIGIT 2
15:03:59 DIGIT 3
15:04:09 METER PULSE
15:06:32 LINE CLEAR

 (the port is simply a database reference of numbers to act on).. this is
also available as information recovery so BT can do it whilst they're not
there (it records all the shit). Also, as you can see, it records the line
status, seized etc, could be bad news for boxing =)..
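
 An added example, not part of the original file and not BT's software: a
Python audit of the MIRACLE call listing shown above, recomputing each row
and the daily totals. The names and two rules are assumptions: cost is meter
pulses at 4.5 pence, rounded down, and DURATION is FINISH TIME minus CALL ANS.

```python
import re
from collections import defaultdict

PENCE_TENTHS_PER_UNIT = 45  # 4.5 pence per meter unit, as the session states

# Rows copied from the listing printed above (whitespace as extracted).
LISTING = """\
15:03:49 05/06 6442371 0005 15:03:57 15:15:32 000:11:55 22
15:06:22 05/06 INCOMING 0000 15:06:29 15:11:57 000:05:18
19:06:12 05/06 5542399 0002 19:06:36 19:09:42 000:03:06 9
09:23:54 06/06 2334157 0001 09:24:16 09:25:42 000:01:26 4
20:32:52 06/06 INCOMING 0000 20:33:12 000:03:06 9
"""

ROW = re.compile(
    r"(?P<start>\d\d:\d\d:\d\d) (?P<date>\d\d/\d\d) (?P<digits>\d+|INCOMING) "
    r"(?P<pulses>\d{4}) (?P<ans>\d\d:\d\d:\d\d) (?P<finish>\d\d:\d\d:\d\d) "
    r"(?P<dur>\d{3}:\d\d:\d\d)(?: (?P<cost>\d+))?$")

def secs(hms):
    """Convert H:MM:SS (any number of hour digits) to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def audit(listing):
    """Return (daily cost totals in pence, list of (row number, finding))."""
    totals, findings = defaultdict(int), []
    for n, line in enumerate(listing.splitlines(), 1):
        m = ROW.match(" ".join(line.split()))  # collapse column padding
        if not m:
            findings.append((n, "malformed row"))
            continue
        cost = int(m["cost"] or 0)  # incoming calls carry no cost
        # Assumed tariff rule: pulses * 4.5p, truncated to whole pence.
        if cost != int(m["pulses"]) * PENCE_TENTHS_PER_UNIT // 10:
            findings.append((n, "cost does not match meter pulses"))
        # Assumed rule: DURATION = FINISH TIME - CALL ANS (same day only).
        if secs(m["dur"]) != secs(m["finish"]) - secs(m["ans"]):
            findings.append((n, "duration does not match answer/finish times"))
        totals[m["date"]] += cost
    return dict(totals), findings

if __name__ == "__main__":
    print(audit(LISTING))
```

 Run on the listing as printed, the daily totals come out at 31 and 4 pence,
matching the session. Rows 1 and 2 are flagged because DURATION differs from
FINISH TIME minus CALL ANS, and row 5 because it is one time field short.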

 I mentioned previously ISDN problems, here is a quick insight into them:

 In the early stages of TXE4 introduction into the digital network, ISDN
customers were trying to make data calls to TXE4 customers. TXE4s do not
support ISDN functions and the calls resulted in the generation of error
symptoms.

 If an ISDN call is received by a TXE, the Calling Path Indicator
contained in the C7 Address Message will have a value of 01. This indicates
that the calling customer requires a full 64Kbit path which the TXE cannot
supply. This generates an error message, service not available.

 BT introduced the Group 4 Fax Machine a while ago. It attempts to send
a call requiring a 64Kbit path, i.e. CPI=01. It then reattempts the call on
the above received error message.. this means it continually reattempts the
call when the message is given.. the problem was fixed to allow the correct
message to be sent back so the fax could try again at a lower speed.

 If a TXE subscriber moves to a TXD they can have an overlay option, where
they keep their existing telephone number, but still have all the benefits
of a TXD exchange.. all their local calls, however, are still handled as if
they were still in the TXE area; the same stands for ISDN calls.

 The general tone of this phile is go and trash your local TXE, because the
sort of things you may find could be really useful, and if you can - go in!
(heh, more about that later..) Actual numbers may also be released at a 
later date... 

iNFERNO, 06/01/96.. 
