STEP BY STEP SWITCHING NOTES

BY PHANTOM PHREAKER

WRITTEN FOR LOD/H TECHNICAL JOURNAL

The following research was done on a class 5 Step By Step switching system. Items mentioned in this article are not guaranteed to work with your particular office. The following interesting topics about Step By Step switching are for informational and educational purposes only. This article is aimed at people who wish to learn more about telephone switching systems.

I realize step-by-step switching is dwindling every day, with many electromechanical SxS offices being replaced with newer electronic/digital switches and Remote Switching Systems (RSS's). However, rural areas of the U.S. still use Step, so if you are ever in an area served by a SxS CO you may be able to use this information.

1) ANI Failure/ONI

To understand this technique, you must understand how ANI functions in the Step-by-Step switching system. Your CO sends ANI, with your number, in MF or DP to recievers that collect the ANI information and store it, along with the called number, on the appropriate form of AMA tape. ANI outpulsing in MF can use either LAMA (Local Automatic Message Accounting) or CAMA (Centralized Automatic Message Accounting). ANI sent in DP type signalling can also be used, but is rare. DP vs MF trunk signalling is similar to the difference between DTMF and pulse dialing, except on a trunk. DP signalling sends all information in short bursts of 2600Hz tones.

Causing ANIF's/ONI is an easy task in SxS (and some versions of Xbar), because the customer's link to the CO will allow the customer to input MF tones to influence a calls completion. This can be done by dialing a long distance number and listening to the clicks that follow. After the first click when you are done dialing, you will hear a few more. They will be timed very close to one another, and the last click occurs right before the called telephone rings.

The number and speed of the clicks probably varies. Basically what these clicks are is the Toll Office that serves your CO setting up a route for your call. In order to abuse this knowledge, you need access to a MF source, whether it be a blue box, a computer with a good sound chip, tape recording, etc. Right before you hear the series of clicks, send one of the following sequences in MF:

KP+1 (Repeatedly) For Automatic Number Identification Failure (ANIF)

-or-

KP+2 (Repeatedly) For Operator Number Identification (ONI)

(Note:these will not work if your CO uses DP signalling.)

Play these tones into the phone at a sufficient volume so that they 'drown out' the series of clicks. Do not send an ST signal, as you are not actually dialing on a trunk. You must send these MF sequences quickly for this method to work correctly. After you have played your 'routing' a few times, you will hear a TSPS operator intercept your call and ask for the number you are calling FROM.

When an ANIF is recognized, the call is cut through to a TSPS site that serves your area. Now, you can give the operator any number in your exchange and she will enter the billing information manually, and put the call through. The toll charges will appear on the customer who owns the number you gave. You can also accomplish a similar feat by merely flashing the switchook during the series of clicks. This will send DC pulses that scramble the ANI outpulsing and cause your call to be sent to a TSPS operator before the dialed number. Be sure to stop sending the MF 'routing' after the operator attaches or she may know that something's up. Use this method sparingly and with caution. It would also be a good idea not to use the same number for billing more than one time. Don't use this method in excess, because a toll office report will list the number of ANI failures for a specific time period. The ONI method works better because it is assumed ONI is needed to identify a caller's DN upon a multi-party line. Too many ANI failures will generate a report upon a security/maintenance TTY, so if you plan on using this method, use the ONI method instead of just ANI Failure.

The basic idea behind the ANIF is to scrramble your ANI information by using MF (or the switchhook) to send your LD call to a TSPS operator for Operator Number Identification (ONI) due to ANI Failure. The idea behind the ONI method is that you are fooling the switch into thinking you are calling from a multi-party line and ONI is needed to identify your DN.

2) Test numbers

Some other interesting things in the Step By Step system can be found by dialing test numbers. Test numbers in SxS switching systems are usually hidden in the XX99 area, as opposed to 99XX, which is common for other types of switching systems. These types of numbers are possibly physical limitations of a SxS switch, and thus a milliwatt tone or other test numbers will be placed there, because a normal DN can't be assigned such a number. However, these XX99 numbers are usually listed in COSMOS as test numbers. Another interesting note about XX99 numbers is that they seem (at least in some offices) to be on the same circuit. (That is, if one person calls an XX99 number and recieves a test tone, and another person calls any other XX99 number in that same prefix, the second caller will recieve a busy signal).

Here we must examine the last four digits of a telephone number in detail.




XXXX=WXYZ             W=Thousands digit

                      X=Hundreds digit

                      Y=Tens digit

                      Z=Units digit

Dialing your prefix followed by an XX99 may result in a busy signal test number, a network overflow (reorder), miilliwatt tones, or other type of error messages encountered when dialing.

Not every XX99 number is a test number, but many are. Try looking for these in a known Step by Step office.

The numbers that return a busy signal are the ones that incoming callers are connected to when the Sleeve lead of the called Directory Number is in a voltage present state, which means the line is in use or off-hook. More about this in the next topic.

3) Busy signal confrencing

Another interesting feature of the Step-By-Step system is the way busy tones (60 IPM) are generated. In ESS and DMS central offices, busy signals that are sent by the terminating switch are computer generated and sound very even and clear with no signal irregularity. In SxS, all calls to a particular DN are sent to the same busy signal termination number, which can be reached most of the time by a POTS number. These busy tones are not computer generated and the voice path is not cut-off.

You can take advantage of this and possibly have a 'busy signal confrence'. This can be achieved by having several people dial the same busy DN that is served by a Step office, or by dialing an always-busy termination number. When you are connected to the busy signal, you will also be able to hear anyone else who has dialed the same busy number. Connection quality is very poor however, so this is not a good way to communicate.

As an added bonus, answering supervision is not returned on busy numbers, and thus the call will be toll-free for all parties involved. However, you must be using AT&T as your inter-LATA carrier if the call to the busy number is an inter-LATA call for you. So if your IC is US Sprint, you must first dial the AT&T Carrier Access Code (10ATT) before the busy number. If your IC doesn't detect answer supervision, and begins billing immediately or after a certain amount of time, then you will be billed for the length of the call.

4) Temporarily 'freezing' a line

A SxS switching system that operates on the direct control principle is controlled directly by what the subscriber dials. Jamming a line on SxS to prevent service is possible by simply flashing the switchook a number of times.

Or you may find after serveral aborted dialing attempts, the line will freeze until it is reset, either manually or by some time-out mechanism. Usually the time the line is out of action is only a few minutes. The line will return a busy signal to all callers, and the subscriber who has a 'dead' phone will not even hear sidetone. This happens when one of the elements in the switch train gets jammed. The switch train consists of the linefinder, which sends a dial tone to the subscriber who lifted his telephone, and places voltage on the S (Sleeve) lead as to mark that given DN as busy. Next in the switch train are the selectors. The selectors are what recieve the digits you dial and move accordingly. The last step in the switch train is the connector. The connector is what connects calls that are intraoffie, and sends calls to a Toll office when necessary. Other types of devices can be used in the switch train, such as Digit Absorbing Selectors, where needed.

5) Toll/Operator assisted dialing

You may be able to dial 1/0+ numbers with your prefix included in some areas. You can dial any call that you could normally reach by dialing 1+ or 0+.

For example, to dial an operator-assisted call to a number in Chicago, you could dial NXX+0312+555+1000 where NXX is your prefix, and you would recieve the usual TSPS bong tone, and the number you dialed, 312+555+1000, would show up on the TSPS consoles LED readout board. You can also use a 1 in place of the 0 in the above example to put the call through as a normal toll call.

This method does not bypass any type of billing, so don't get your hopes up high.

The reason this works is twofold. The first reason is that the thousandths digit in many SxS offices determines the type of call. A 0 or a 1 in place of another number (which would represent a local call) is handled accordingly. The other reason is due to a Digit Absorbing Selector that can be installed in some SxS offices to 'absorb' the prefix on intraoffice calls when it is not needed to process the call. A DAS can absorb either two or three digits, depending on whether the CO needs any prefix digit(s) for intraoffice call completion.

6) Hunting prefixes

SxS switches may also translate an improperly dialed local call and send it to the right area over interoffice trunks. Take for instance, you need to make a local call to 492-1000. You could dial 292-1000 and reach the exact same number, provided that there is no 292 prefix within your local calling area. However, only the first digit of a prefix may be modified or the call will not go through correctly unless you happen to have dialed a valid local prefix. You also cannot use a 1 or a 0 in place of the first prefix digit, because the switch would interpet that as either dialing a toll or an operator assisted call.

7) Trunks

Step by Step switching system incoming and outgoing trunks are very likely to use In-band supervisory signalling. This means you could possibly use numbers served by a SxS CO to blue box off of. But, some older step areas may not use MF signalling, but DP signalling. DP signalling uses short bursts of 2600Hz to transfer information as opposed to Multi-Frequency tones. In DP signalling, there are no KP or ST equivalents. Boxing may be accomplished from DP trunks by sending short bursts of 2600Hz (2 bursts would be the digit 2). Acceptablepulse rates are 7.5 to 12 pulses per second, but the normal rate is 10 pulsesper second. A pulse consists of an 'on hook' (2600Hz) tone and an off-hook (no tone). So, at 10 pulses per second, a digit might be .04 seconds of tone and .06 seconds of silence. DP is rarely used today, but some direct-control Step offices still use it. Common Control Step offices are much more likely to use MF trunk signalling.

As said at the start of this file, some of the things mentioned here may have no practical use, but are being exposed to the public and to those who did not know about any one of the procedures mentioned here previously.

References and acknowledgements

Basic Telephone Switching Systems-By David Talley, Hayden publishers
No. 1 AMARC-Bell System Technical Journal
Mark Tabas for information about CAMA and DP, The Marauder, and Doom Prophet.