% % % % % % % % % % % % % % % % % % %

                  % % % % % % % % % % % % % % % % % % % %

                 % %                                   % %

                  %            AT$T 5ESS(tm)            %

                 % %        From Top to Bottom         % %

                  %                                     %

                 % %                                   % %

                  %         by: Firm G.R.A.S.P.         %

                 % %                                   % %

                  % % % % % % % % % % % % % % % % % % % %

                   % % % % % % % % % % % % % % % % % % %



   Welcome to the world of the 5ESS.  In this file I will be covering

the switch topology, hardware, software, and how to program the switch.  I

am sure this file will make a few people pissed off  over at BellCORE.

   Anyways, the 5ESS switch is the best (I think) all around switch. Far

better than an NT. NT has spent too much time with SONET and their S/DMS

TransportNode OC48.  Not enough time with ISDN, like AT$T has done. Not only

that, but DMS 100s are slow, slow, slow! Though I must hand it to NT, their

DMS-1 is far better than AT&T's SLC-96.

What is the 5ESS


   The 5ESS is a switch. The first No. 5ESS in service was cut over in Seneca,

Illinois (815) in early 1982.  This test ran into a few problems, but all

in all was a success.  The 5ESS is a digital switching system; this

advantage was realized in No. 4 ESS in 1976.  The 5ESS network is a TST

(Time Space Time) topology, the TSIs (Time Slot Interchangers) each

have their own processor, this makes the 5ESS one of the faster switches.

Though I hear some ATM switches are getting up there.

5ESS System Architecture & Hardware


                    5ESS SYSTEM ARCHITECTURE

                                               OSS Data Links

                                                  ^ ^    ^

                                                  | |    |

                                                  | |    |


                                            :     v v    v     :

                                            :   -------------  :

                                            :   |           |  :

                                            :   |   Input   |  :

               ...........................  :   |   Output  |====== TTY/CRT

-----------    :                         :  :   | Processor |  :

| Switch  |<===========                  :  :   -------------  :

| Module  |<========] |                  :  :           ^      ..............

-----------    :    v v                  :  :          |                    :

    o          :  =======   ----------   :  :          |       ------------ :

    o          :  | TMS |<->|Message |   :  :          |       |  Main    | :

    o          :  |     |<->|Switch  |<============    |       |  Store   | :

-----------    :  =======   ----------   :  :     |    |       -----.------ :

| Switch  |    :    ^ ^                  :  :     |    |            |       :

| Module  |<========= |                  :  :     v    v            |       :

-----------<===========                  :  :   --------------      |       :

               :.........................:  :   |  3B        |=======       :

                                            :   | Central    |              :

                                            :   | Control    |<=====> Disk! :

                                            :   --------------              :

                                            :                               :



   The 5 ESS is a digital SPC switching system which utilizes distributed

control, a TST switching network and modular hardware and software design.

   The major components are:


    Two 3B20S Processors  (Which equal a 3B20D)

    - Central control and main storage

    - Disk storage for infrequently used programs and data, and main storage


    - The two 3B20S processors are always comparing data, and when one fails

      the other acts in its place.

    Two Input/Output Processors (IOP)

    - Provides TTY and data-link interfaces to the 3B20D Processor, 5ESS

      Network, Master Control Center (MCC), and various Operational Support

      Systems (OSS). Here is a list of the default TTY (also called


          tty     Channel Name

         ttyA     Master control console (MCC) terminal.

         ttyB     Master control console (MCC) terminal.

         ttyC     Traffic report printer

         ttyJ     supplementary trunk and line work station (STLWS) terminals

         ttyK     supplementary trunk and line work station (STLWS) terminals

         ttyL     supplementary trunk and line work station (STLWS) terminals

         ttyM     supplementary trunk and line work station (STLWS) terminals

         ttyN     supplementary trunk and line work station (STLWS) terminals

         ttyO     supplementary trunk and line work station (STLWS) terminals

         ttyP     Repair service bureau - Recent change and verify (RSB-RCV)

         ttyR     Office records printer

         ttyQ     Switching control center-recent change and verify (SCC-RCV)


         ttyR     Repair service bureau-automatic line insulation testing

                   (RSB-ALIT) terminal.

         ttyS     Switching control center-recent change and verify (SCC-RCV)


         ttyT     Switching control center-recent change and verify (SCC-RCV)


         ttyU     Belt line B

         ttyV     Local recent change and verify (RCV) terminal

         ttyW     Remote recent change and verify (RCV) terminal.

         ttyY     Network administration center (NAC) terminal.

         ttyZ     The switching control center (SCC) terminal.

         ttyi     SLC(R) carrier maintenance

         ttyj     STLWS - fifth of six

         ttyk     STLWS - sixth of six

         ttyl     STLWS - first of six

         ttym     STLWS - second of six

         ttyn     STLWS - third of six

         ttyo     STLWS - fourth of six

         ttyp     RCV/Repair Service Bureau

         ttyq     RCV/Network Administration Center

         ttyr     ALIT/Repair Service Bureau

         ttys     Maintenance

         ttyt     Maintenance

         ttyu     Belt line A

         ttyv     Local RC/V

         ttyw     Remote RC/V

         ttyx     Maintenance Control Center/Switching Control Center System


         ttyy     Maintenance Control Center/Switching Control Center System


         ttyz     Maintenance Control Center/Switching Control Center System


         FILE     Destination file name in /rclog partition

         mt00     High-density tape device, rewind after I/O

         mt04     High-density tape device, does not rewind after I/O

         mt08     Low-density tape device, rewind after I/O

         mt0c     Low-density tape device, does not rewind after I/O

         mt18     Low-density tape device, rewind after I/O

         mt1c     Low-density tape device, does not rewind after I/O

         mttypc0  Special tape device, IOP 0, rewind after I/O

         mttypc1  Special tape device, IOP 1, rewind after I/O.

     Two Automatic Message Accounting (AMA) units

     - Uses data links to transport calling information to central revenue

       accounting office and AMA tape. Here is the basic AMA

       structure for the OSPS model.

         - Called customer's telephone number, either a

            seven- or ten-digit number

         - Calling customer's telephone number, seven digits

         - Date

         - Time of day

         - Duration of conversation.


    Message Switch (MSGS)

    - Provides for control message transfer between the 3B20D Processor and

      Interface Modules (IM's)

    - Contains the clock for synchronizing the network.

    Time Multiplexed Switch (TMS)

    - Performs space division switching between SM's

    - Provides permanent time slot paths between each SM and the MSGS

      for control messages between the Processor and SM's (or between SM's)

    Switching Module (SM)

    - Terminates line and trunks

    - Performs time division switching

    - Contains a microprocessor which performs call processing function

      for the SM

                    5ESS - SWITCH MODULE


                                          |            |

                                          |   SMPU     |


                       ---------          |            |

                       |       |   (64)   |            |

Analog Sub Lines <---->|  LU   |<-------->|            |

                       |-------|          |            |

                       |       |   (64)   |            |

Analog Trunk Lines <-->|  TU   |<-------->|            |   (256)

                       |-------|          |    TSIU    |<--------> NCT

                       |       |          |            |           Links

                       |       |   (128)  |     512    |           to

SLC-96 Remote <------->| DCLU  |<-------->|    Time    |<--------> TMS

                       |       |          |    Slots   |

                       |-------|          |            |

                       |       |          |            |

                       |       |          |            |

                       |       |          |            |

                       |       |   (256)  |            |

T1 Lines   <---------->| DLTU  |<-------->|            |

                       |       |          |            |

                       |       |          |            |

                       |       |          |------------|

                       ---------          |            |

                                          |    DSU     |



    Switch Module Processor Unit (SMPU)

    - Contains microprocessors which perform many of the call processing

      functions for trunks and links terminated on the SM.

    Time Slot Interchange Unit (TSIU)

    - 512 time slot capacity

    - Connects to the TMS over two 256-time slot Network Control and Timing

      (NCT) links.

    - Switches time slots from Interface Units to one of the NCT links (for

      intermodule calls).

    - Switches time slots from one Interface Unit to another within the SM

      (for intramodule calls).

    Digital Service Unit (DSU)

    - Local DSU provides high usage service circuits, such as tone decoders

      and generators, for lines and trunks terminated on the SM.

    - Global DSU provides low usage service circuits, such as 3-port

      conference circuits and the Transmission Test Facility, for all lines

      and trunks in the office (requires 64 time slots).

    The SM may be equipped with four types of Interface Units:

    Line Unit (LU)

    - For terminating analog lines.

    - Contains a solid-state two-stage analog concentrator that provides

      access to 64 output channels. The concentrator can be fully equipped to

      provide 8:1 concentration or can be fully equipped to provide 6:1 or 4:1


    - Each LU requires 64 time slots.

    Trunk Unit (TU)

    - For terminating analog trunks.

    - Each TU requires 64 time slots.

    Digital Line Trunk Unit (DLTU)

    - For terminating digital trunks and RSM's.

    - Each fully equipped DLTU requires 256 time slots.

    - A maximum of 10 DS1s may be terminated on one DLTU.

   The SM may be equipped with any combination of LU's, TU's, DCLU's and DLTU's

totaling 512 time slots.

5ESS System Software


   The 5ESS is a UNIX based switch. UNIX has played a large part in

switching systems since 1973 when UNIX was used in the Switching Control Center

System (SCCS).  The first SCCS was a 16 bit microcomputer. The use of

UNIX for SCCS allowed development in C code, pseudo code, load test,

structure and thought. This led to the development of the other switching systems

which AT$T produces today (such as System 75, 85, 1AESS AP, and 5ESS).

NOTE: You may hear SCCS called the "mini" sometimes

   The 5ESS's /etc/getty is not set up for the normal login that one would

expect to see on a UNIX System. This is due to the different channels that

the 5ESS has. Some of the channels are the TEST Channel, Maintenance Channel,

and RC Channel (which will be the point of focus). Once you are on one

channel you can not change the channel, as someone has said " it is

not a TV!" You are physically on the channel you are on.

Test Channel


   The TEST channel is where one can test lines, and test the switch itself.

This is where operating support systems (such as LMOS) operate from.

This channel allows one to monitor lines via the number test trunk (aka

adding a third trunk), voltage test and line seizure.

Here is a list of OSSs which access the test channels on the 5ESS.

 Group                    Operating Support Systems

 Special Service Center

                          SMAS via NO-Test

                          SARTS (IPS)

                          NO-TEST trunk (from the switch)

                          17B and 17E test boards (CCSA net using X-Bar)

 Repair Service Bureau

                          LMOS (IPS)

SCC Channel


   The SCC channel is where the SCC looks and watches the switch 24 hours a day,

seven days a week! From this channel one can input RC messages if necessary.

A lot of people have scanned these out, and thought they were AMATs.  Well this

is in short, WRONG! Here is a sample buffering of what they are finding.


   S570-67 92-12-21 16:16:48 086901 MDIIMON BOZOVILL DS0

A  REPT MDII WSN  SIGTYPE DP            TKGMN 779-16    SZ 21   OOS 0

     SUPRVSN RB  TIME 22:16:48  TEN=14-0-1-3-1  TRIAL 1 CARRFLAG NC     ID


   S4C0-148963487 92-12-21 16:17:03 086902 MAIPR BOZOVILL DS0


   S570-67 92-12-21 16:17:13 086903 S0 BOZOVILL DS0


     UNIT                       MTCE STATE       ACTIVITY  HDWCHK  DGN RESULT

     LUCHAN=5-0-0-3-4           OOS,AUTO,FE      BUSY      INH        CATP

     LUCHAN=5-0-0-2-5           OOS,AUTO,FE      BUSY      INH        ATP

     LUCHAN=5-0-0-0-3           OOS,AUTO,FE      BUSY      INH        ATP

     LUCHAN=5-0-0-3-5           OOS,AUTO,FE      BUSY      INH        ATP

     LUHLSC=5-0-0-1             OOS,AUTO,FE      BUSY      INH        ATP

     LUCHAN=5-0-0-0-2           OOS,AUTO,FE      BUSY      INH        CATP

     LUCHAN=5-0-0-3-6           OOS,AUTO,FE      BUSY      INH        ATP

     LUCHAN=5-0-0-1-4           OOS,AUTO,FE      BUSY      INH        ATP

   S570-983110 92-12-21 17:09:53 144471 TRCE WCDS0


     DN 6102330000  DIALED    DN 6102220001

     TIME 17:09:52


  This has nothing to do with AMA, this is switch output on say the SCC

channel.  This is used by the SCCS for logging, and monitoring of alarms.

The whole point of this channel is to make sure the switch is doing what it

should do, and to log all activity on the switch. NOTHING MORE!

   To go into these messages and say what they are would take far too long,

order the OM manuals for the 5ESS, watch out, they are about 5 times the size of

the IM (input manual) set.  On average it takes someone three years of training

to be able to understand all this stuff, there is no way anyone can write a

little file in Phrack and hope all who read it understand everything about the


RC Channel


   The RC/V (Recent Change/Verify) Channel is where new features can be added or taken

away from phone lines. This is the main channel you may come in contact with,

if you come in contact with any at all. When one connects to a 5ESS RC/V channel

one may be dumped to a CRAFT

shell if the login has not been activated.  Access to the switch when the

login is active is controlled by lognames and passwords to restrict

unwanted entry to the system.  In addition, the SCC (Switching Control

Center) sets permission modes in the 5ESS switch which control the RC

(recent change) security function.

   The RC security function determines whether recent changes may be made

and what types of changes are allowed.  If a situation arises where the RC

security function denies the user access to recent change via RMAS or RC

channels, the SCC must be contacted so that the permission modes can be

modified.  (Hint Hint)

   The RC security function enables the operating telephone company

to decide which of its terminals are to be allowed access to which

set of RC abilities.  NOTE that all verify input messages are always

allowed and cannot be restricted, which does not help too much.

     The RC security data is not part of the ODD (office dependent data).

Instead, the RC security data is stored in relatively safe DMERT operating

system files which are only modifiable using the following message:


where: aaaaa = Symbolic name of terminal in double quotes

          H' = Hexadecimal number indicator in MML

       bbbbb = 5-character hexadecimal field in 5E4 constructed

               from binary bits corresponding to RC ability.

               The field range in hexadecimal is from 00000 to


     This message must be entered for each type of terminal (i.e.

               "aaaaa"="rmas1", "rmas2", etc., as noted above in

                TTY explanations).

NOTE: Order IM-5D000-01 (5ESS input manual) or OM-5D000-01 (5ESS output manual)

for more information on this and other messages from the CIC at 1-800-432-6600.

You have the money, they have the manuals, do not ask, just order.  I

think they take AMEX!

     When the message is typed in, a DMERT operating system file is created

for a particular terminal.  The content of these files, one for each terminal,

is a binary field with each bit position representing a unique set of RC

abilities.  Conversion of this hexadecimal field to binary is accomplished

by converting each hexadecimal character to its equivalent

4-bit binary string.




        0     0000  |  4     0100  |  8     1000  |  C     1100


        1     0001  |  5     0101  |  9     1001  |  D     1101


        2     0010  |  6     0110  |  A     1010  |  E     1110


        3     0011  |  7     0111  |  B     1011  |  F     1111


Each bit position corresponds to a recent change functional area.

  A hexadecimal value of FFFFF indicates that all bit positions are

set to 1 indicating that a particular terminal has total RC access.  Also,

verify operations as well as lettered classes are not included in the

terminal's security scheme since all terminals have access to verify views

and lettered classes.
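
Added example (not part of the original file, and not AT&T code): a short Python audit that expands each terminal's 5-character hexadecimal RC security field to binary, as described above, and flags any terminal holding FFFFF (total RC access). The terminal-to-field map is constructed, and the left-to-right bit numbering and the optional H' prefix are assumptions; the file does not say which bit maps to which functional area.

```python
"""Audit 5ESS RC security fields (added example, not from the original file)."""
import re

FIELD_WIDTH = 5                       # 5-character hexadecimal field
TOTAL_BITS = FIELD_WIDTH * 4          # one 4-bit string per hex character
FULL_ACCESS = (1 << TOTAL_BITS) - 1   # FFFFF: every bit position set to 1

# ASSUMPTION: the H' indicator, when present, directly precedes the field.
_FIELD_RE = re.compile(r"(?:H')?([0-9A-Fa-f]{%d})" % FIELD_WIDTH)


def parse_field(text):
    """Return the field as an integer, or raise ValueError if malformed."""
    match = _FIELD_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError("not a 5-character hexadecimal field: %r" % text)
    return int(match.group(1), 16)


def to_binary(mask):
    """Expand each hex character to its 4-bit string, as in the table above."""
    return " ".join(format(int(ch, 16), "04b") for ch in format(mask, "05X"))


def set_positions(mask):
    """List the bit positions set to 1.

    ASSUMPTION: positions are numbered 1..20 from the leftmost bit; the file
    does not say which position maps to which RC functional area.
    """
    bits = format(mask, "0%db" % TOTAL_BITS)
    return [pos for pos, bit in enumerate(bits, start=1) if bit == "1"]


def audit(terminals):
    """Return (terminal, status, positions) for each entry, sorted by name."""
    report = []
    for name in sorted(terminals):
        try:
            mask = parse_field(terminals[name])
        except ValueError:
            report.append((name, "INVALID FIELD", []))
            continue
        positions = set_positions(mask)
        if mask == FULL_ACCESS:
            status = "TOTAL RC ACCESS"
        elif mask == 0:
            status = "no RC abilities (verify still allowed)"
        else:
            status = "%d of %d RC areas" % (len(positions), TOTAL_BITS)
        report.append((name, status, positions))
    return report


# Constructed sample data: terminal names and fields are illustrative only.
SAMPLE_TERMINALS = {
    "rmas1": "H'FFFFF",
    "rmas2": "H'00000",
    "ttyv": "0C003",
    "ttyw": "FFFFG",   # malformed on purpose
}

if __name__ == "__main__":
    for name, status, positions in audit(SAMPLE_TERMINALS):
        print("%-6s %-40s %s" % (name, status, positions))
```
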

  In addition, maintenance personnel are able to verify the security

code for any terminal by typing the following message from either

the MCC (Master Control Center) or SCCS (Switching Control Center System)

Mini terminal:


where: xxxxx = symbolic name of terminal in double quotes.

Each bit position corresponds to a recent change functional area.

  To ensure redundancy, DMERT operating system files are backed up

immediately on disk by the SCC.

  The input message that defines the password and CLERK-ID (another name for

username) is in the Global RC feature.  This input message defines a clerk-id

and associated password or deletes an existing one. (Recall that CLERK-ID and

PASSWORD are required fields on the Global RC Schedule view 28.1 in

RCV:MENU:APPRC, but more on this later)

This new input message is as follows:


Note: CLERKID  can be from 1 to 10 alphanumeric characters and

      PASSWORD from 1 to 8 alphanumeric characters.

This input message can only be executed from the MCC or SCCS

terminals, and only one password is allowed per CLERK-ID.  To

change a clerk-id's password, this message is used with the same

CLERK-ID but with a different password.

Global RC Schedule View 28.1 from the RC/V Recent Change Menu System


                          5ESS SWITCH  WCDS0

                          RECENT CHANGE  28.1


*1. GRC NAME   __________

*2. SECTION    _____

#3. CLERK ID   __________

#4. PASSWORD   ________

 5. MODE       _______

 6. RDATE      ______

 7. RTIME      ____

 8. SPLIT      _

 9. SPLIT SIZE _____

10. MAX ERRORS _____

11. VERBOSE    _


When the security is set up on the RC/V channel, one will see:


5ESS login

15       WCDS0                    5E6(1)                   ttsn-cdN TTYW

Account name:


There are no defaults, since the CLERK-ID and the password are set by craft,

but common passwords would be the name of the town, CLLI, MANAGER, SYSTEM,

5ESS, SCCS1, SCC, RCMAC, RCMAxx, etc,...

      If one sees just a " < "  prompt you are at the 'craft' shell

of the RC/V channel, the 5E login has not been set. The Craft shell is

running on the DMERT (which is