syn2cat
/
phrack
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
phrack/phrack44/13.txt

456 lines
14 KiB
Plaintext
Raw Permalink Blame History

==Phrack Magazine==
Volume Four, Issue Forty-Four, File 13 of 27
****************************************************************************
METRO P/H Presents
Northern Telecom's
FMT-150B/C/D
Optical Fiber Digital Transmission System
Intro
This file will cover the FMT-150, the equipment that sends info over
the digital trunks using lasers. It is an accompaniment to our guide
to remotes (COs). I will cover all the interesting and useful stuff.
This file is mostly for SERIOUS phreaks, we'll have more non-technical
cool stuff coming up.
System Description
The FMT-150 fiber optic transmission system combines DM-13
multiplexers and 150 Mb/s Fiber Transports in compact shelf
packages, I will refer to it as a shelf. The FMT-150 product
architecture supports subscriber loop and interoffice link
applications using hub, drop/insert, repeater and terminal
configurations. The following is what a FMT-150 shelf system
consists of.
FMT-150B 1 DM-13 multiplexer (multiplexes 3 signals
into one signal of 44.736 Mb/s.)
1 150 Mb/s fiber interface
1 maintenance control unit
1 service channel unit (optional)
2 (or 4) power supply units
FMT-150C 2 DM-13 multiplexers
2 (or 4) power supply units
FMT-150D 2 150 Mb/s fiber interfaces
2 service channel units (both optional)
2 maintenance control units
2 (or 4) power supply units
Maintenance
Service Channel Unit
Order-wire Facility
Two voice channels per DS-3 signal are provided for individual
addressing using DIP switches on the SCU. Dial over a 4 wire
headset/handset. (more in Order-Wire)
Interfaces
The CRT (good old Cathode Ray Tube) Interface is an important
system feature of the Maintenance Control Unit (MCU). You can
plug in to a RS-232 port directly (use a null-modem cable) on the
"shelf" or remotely via a modem (!). Also a Tandy 200 can be
interfaced with the Maintenance Control Unit. The network
configuration, the status of each node, and any alarm existing
can be viewed on the terminal. The interface goes from 300 to
9600 baud. The software already present on the MCU is all that
is needed, the interface need only support certain emulations
(see Operation Procedures.) (hmmm... Could Radio Shack and
Northern Telecom be butt buddies?) Also available is a
RS-422 interface which provides a large number of alarm status
and control points through the MCU. The port is labeled
"Customer E2A" on the shelf. CAMMS is an extended feature
of the FMT-150. It stands for Central Access Maintenance and
Monitoring System which can also take advantage of the
Maintenance features (see Operation Procedures). All this is,
is a mini-terminal, that can be installed and act like a CRT
interface.
Specifications
When interfacing the CRT with a null modem cable, your cable
should fit the diagram below.
Ŀ Ŀ
1 OO 1
2 OO 3
3 OO 2
4 OO 8
5 O O 20
6 O O 7
7 O O 4
8 OO 5
20 OO 6
Pin Definitions
1. Ground 6. Data Set Ready
2. Transmit Data 7. Ground
3. Receive Data 8. Data Carrier Detect
4. Request to Send 9. Data Terminal Ready
5. Clear to Send
When interfacing your Hayes compatible (telephone connection)
configure the DIP switches in this manner.
X=empty space O X O X X O X O
O=the switch's position X O X O O X O X
1 2 3 4 5 6 7 8
Alarms and Buttons
Listed below are some LED descriptions and button meanings that a
phreak will find on the shelf.
LEDs Description
-----------------------------------------------------------------
MAJOR RED - Service affecting failure
(run, they'll be there soon!)
MINOR YELLOW - Non-service affecting
failure.
FUSE ALARM RED - A fuse blew
REM YELLOW - An alarm has occurred at
a remote site.
Order-wire Left GREEN - Solid, Left order wire is
active, if flashing, incoming
call on left.
Order-wire Right Same as above, but for Right
-----------------------------------------------------------------
BUTTONS Description
_________________________________________________________________
LP TEST Lights up all LEDs
ACO Turns off existing audible alarm
LOC 1, 2, 3 (OW) Rings every site common to STX
signal 1, 2, and 3
EXP 1, 2, 3 (OW) Same as above
-----------------------------------------------------------------
Power Supply Unit
This is a seemingly 5V output power supply, which has a simple
ON/OFF switch which is housed under a protective latch, pull this
and have an instant phreak marathon (see REDUNDANCY at end of
file.)
Equipment Configuration
The FMT-150 system is suitable for a wide variety of
applications, as follows:
* Access Networks
CO to Customer Serving Areas
CO to Digital Loop Carrier
CO to Switch Remote
CO to Customer Premises.
* Inter-Office Trunk routes
* Broadband Applications such as Video
* Entrance Links to Radio Systems
* Dynamic Network Routing
* Stand-Alone Multiplexer Applications with Radio
* Route Diversity
* Wide Area Network (WAN) Application
Order-Wire
Order Wire
A buzzer is heard and a flashing LED is seen if a call is
coming in, plug in a handset/headset connector into the jack on
the shelf. To terminate the call pull the plug out or hit #. To
dial, just plug in and dial four digits, wildcards are also
allowed by use of the * key. The handset described is a
Contempra Handset (NT2E36AA). A test set could also be used but
the plug would have to be altered, its 4 wire, remember. Order Wire
is only CO-to-CO communication. The jack can be plugged into the
front of the FMT-150 shelf. The dialing format is described below.
-----------------------------------------------------------------
First digit: Indicates the type of call being made
Second, Third, and Indicated which site will be dialed.
Fourth digits Address of the site is set via rotary
switches located on the front edge of
the SCU module.
-----------------------------------------------------------------
First digit significance
1 = local call for STX ({Pseudo} Synchronous Transport Signal:
First Level at 49.92 Mb/s [NT]) signal 2
2 = local call for STX signal 2
3 = local call for STX signal 3
(where'd 4 go?)
5 = express call for STX signal 1
6 = express call for STX signal 2
7 = express call for STX signal 3
The three following digits are not standard, so if you want to
experiment with this hit a first digit and then three *'s
On the shelf there are buttons which act like speed dialing, the
first three letters stand for LOCal or EXPress and the number is
the signal, so EXP 2 would be broadcast call on STX signal 2,
express channel.
Installation
A typical FMT-150 Setup
Ŀ
Ground Bar
Ĵ
Fuse & Alarm Panel A
Ĵ |
FMT-150 Shelf |
Ĵ 7ft
FMT-150 Shelf |
Ĵ |
Fiber Splice/Storage Panel or CAMMS V
Ĵ <----25.94in---->
FMT-150 Shelf
Ĵ
FMT-150 Shelf
Ĵ
FMT-150 Shelf
Ĵ
FMT-150 Shelf
Ĵ
FMT-150 or Rectifier Shelf
Ĵ
FMT-150 or Standby Batt. Shelf
Ĵ
AC outlet Assy
Operation Procedures
Specifics on Interfacing
The RS-232 serial interface supports the following terminals.
* DEC VT 100
* DEC VT 102
* DEC VT 220
* DEC VT 320
* FALCO
* IBM 3162 with VT 220 cartridge
* Wyse WY85 with VT100 Emulation
* Ramodom VT200 portable terminal
* Televideo 922
* Televideo 9220
* Tandy 200 (only with Multipoint Plus MCU:NT7H90CA/XC)
* CAMMS (only with Multipoint Plus: NT7H90CA/XC/FA)
* Cybernex (in 8-bit mode only)
(Ok bros this is the part we are interested in so sit back)
Login Procedures
If you approach the FMT-150 shelf and have a previously described
interface, then you can login. Also if you are scanning (GTE
(Northern Telecom) areas only) and come across a "sitting system"
that displays a message (below) after hitting 3 returns, you are in!
1 - DEC VT100
2 - NT Meridian 6000
(Crosstalks or Procom with VT100
emulation)
3 - Tandy 200 (running Telecom)
F4- NTCAMMS MDU
Enter Terminal Type:
Choose your terminal type, usually 2 (use VT100) if you are calling in,
and it will prompt you with a "Login: " prompt, this is a trick, there
are no user levels, the "Login:" simply means enter the password, and
the default is to hit return, so always try that first. If a password
is installed then try something like FMT-150 or something that you would
think they would use. You should get a screen like this one after
choosing the terminal type:
FMT-150 Transmission System
Northern Telecom
Firmware Copyright Northern Telecom 1988
- - Node Id.: 123456789012345- - - - Last Update 87/03/06 11:07-
Login: (remember, enter a password here, no user levels!)
- - Syst Id.: 123456789012345- - - - Time: 87/03/06 11:07- - -
After Logging In
(commands are presented in an outline configuration, you should
be getting screens of output, but this outline will show you what
to input. # = number, not pound, <sp> = spacebar.)
Example: If I wanted to set the system's date to 1/4/1943 (heh)
then after logging in I would press, "c" then "d", then
"43", then "1" and finally "4".
-----------------------------------------------------------------
a Alarms (once again, lame stuff)
o Optical Tx/Rx unit-level alarm
screen.
t Translator module-level alarm
screen.
m DM-13 multiplexer-level alarm
screen.
c Common equipment-level and customer
input/output points alarm screen.
c Configuration (!)
a alarm logger
e enable alarm logger
d disable alarm logger
i
# <sp> "name" Name a customer input point
o
# <sp> "name" Name a customer output point
d
#1 <sp> #2 <sp> #3 <sp> Set date: #1 is year, #2 is month
#3 is day.
t
#1 <sp> #2 <sp> #3 <sp> Set time: #1 is hour, #2 is
minute.
p
"oldpass" "newpass" Change password from "oldpass" to
"newpass".
s
"system ID name" Name System ID
s Switching commands (extremely extensive,
so I will include a small portion)
# <sp>
m
# <sp>
<return> Display DM-13 Switch Screen
t
<return> Display translator/optics
switch status for node #.
<return> Display translator/optics switch
status for local node or node last
displayed.
m Maintenance Commands
r (see note)
* Reset all nodes
# <sp> Reset node #
t
# <sp>
o Operate test of customer
input/output points and E2A
ports.
r Release test of customer
input/output points and E2A
ports.
l Logout of the FMT-150 system.
n Network Status
<return> Display network status screen.
NOTE: After executing a local or global MCU reset, the message
"PROCESSOR CRASH" will appear on the bottom of the CRT's screen.
As a result, the user will have to log back into the system. In
addition, a global MCU reset will clear all "names" and
"settings" previously defined (that is, system ID, node, customer
inputs/outputs, time and date).
-----------------------------------------------------------------
Many other commands are listed but they are extremely numerous
and useless to the average phreak.
If a "terminal" that is 4.4 inches tall with a center screen and
2 12 key keypads on either side is seen on the shelf, this will
be a CAMMS terminal, all functions above can be performed with
this unit, its menu driven.
Troubleshooting
This section is the manual is devoted to fixing problems in the
FMT-150, aimed at the average see-my-crack-of-the-ass telco
maintenance man.
Basically, if you see any red LEDs, inspect them and judge if you
should get the hell out of the CO or not, usually red LEDs mean
trouble.
REDUNDANCY
When doing anything of this nature to a fone company, you must
remember, they are not stupid, everything has something to
fall back on, if you were to cut a trunk line, there would be
another to take its place. Usually there will be only one
backup, so be meticulous and find both.
Outro
Hope this file was worth something to somebody, it applies mostly
to those in a GTE area, since GTE uses Northern Telecom equipment
and most everyone else uses AT&T stuff.
-FyberLyte 9-93
Reference in New Issue View Git Blame Copy Permalink