[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]

..[ Phrack Magazine ]..
.:: How To Build a DMS-10 Switch ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #41 | Release date : 1992-12-31 | Editor : Dispater
Phrack LoopbackMind Mage & Dispater
Phrack Pro-Phile on SuperniggerSupernigger
Network MiscellanyThe Racketeer
Pirates CoveRambone
Hacking AT&T System 75Scott Simpson
How To Build a DMS-10 Switchcavalier
TTY SpoofingVaxBuster
Security Shortcomings of AppleShare NetworksBobby Zero
Mall Cop FrequenciesCaligula XXI
PWN/Part 1Datastream Cowboy
PWN/Part 2Datastream Cowboy
PWN/Part 3Datastream Cowboy
Title : How To Build a DMS-10 Switch
Author : cavalier
                                ==Phrack Inc.==

                   Volume Four, Issue Forty-One, File 7 of 13

                          How To Build A DMS-10 Switch

                                by The Cavalier
                     Society for the Freedom of Information

                                 March 11, 1992

     With the telephone network's complexity growing exponentially as the
decades roll by, it is more important than ever for the telecom enthusiast to
understand the capabilities and function of a typical Central Office (CO)
switch.  This text file (condensed from several hundred pages of Northern
Telecom documentation) describes the features and workings of the Digital
Multiplex Switch (DMS)-10 digital network switch, and with more than an average
amount of imagination, you could possibly build your own.

     The DMS-10 switch is the "little brother" of the DMS-100 switch, and the
main difference between the two is the line capacity.  The DMS line is in
direct competition to AT&T's ESS line (for the experienced folks, the features
covered are the as those included in the NT Software Generic Release 405.20 for
the 400 Series DMS-10 switch).

 Table of Contents
     1. Network Hardware
     2. Network Software
     3. Advanced Network Services
     1. Billing Hardware
     2. Recorded Announcement Units
     3. Other Misc. Hardware
     1. OAM
     2. Interactive Overlay Software Guide

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



     The DMS-10 switch is capable of handling up to 10,800 lines, and was
designed for suburban business centers, office parks, and rural areas.  It can
be installed into a cluster configuration to centralize maintenance and
administration procedures and to increase combined line capacity to 50,000
lines.  It is capable of functioning as an End Office (EO), an Equal Access End
Office (EAEO), and an Access Tandem (AT), and is a known as a Class 5 switch.
It supports up to 3,408 trunks and 16,000 directory numbers.  It can outpulse
in DP (Dial Pulse), MF (Multi-Frequency), or DTMF (Dual-Tone Multi-Frequency),
insuring compatibility with new and old switches alike (translation -- the
switch is small, by most standards, but it has massive bounce for the ounce).

Hardware Specifications

     The DMS-10 switch itself is a 680x0-based computer with 1 MB of RAM in its
default configuration.  The processor and memory are both duplicated; the
backup processor remains in warm standby.  The memory system is known as the
n+1 system, meaning that the memory is totally duplicated.


Network Hardware

     The DMS-10 network hardware consists mostly of PEs, or Peripheral
Equipment trunk and line packs.  The PEs take the incoming analog voice
signals, digitalize them into 8 bit PCM (Pulse Code Modulation) signals, and
feed it into the main transmission matrix section of the switch.  There, it is
routed to another trunk or line and converted back into an analog signal for
retransmission over the other side of the call.  Note that manipulating voice
in the digital domain allows the signal to be rerouted, monitored, or
retransmitted across the country without any reduction in signal quality as
long as the signals remain in PCM format.  <Hint!>

Network Software

     The DMS-10 has a variety of software available to meet many customers'
switching needs.  A good example of this software is the ability of several
DMS-10 switches to be set up in a cluster (or star configuration, for those of
you familiar with network topologies).  In this arrangement, one DMS-10 is set
up as the HSO (Host Switching Office) and up to 16 DMS-10s are set up as SSOs
(Satellite Switching Offices), allowing all billing, maintenance, and
administration to be handled from the HSO.  Additionally, all satellites can
function on their own if disconnected from the HSO.

     Another feature of the DMS-10's network software are nailed-up
connections, commonly known as loops.  The DMS-10 supports up to 48 loops
between any two points.  The connections are constantly monitored by the switch
computer, and if any are interrupted, they are re-established.

     Meridian Digital Centrex (MDC) is the name given to a group of features
that enable businesses to enjoy the benefits of having PBX (Private Branch
Exchange) equipment by simply making a phone call to the local telco.

Advanced Network Services (ANS)

     If the DMS-10 is upgraded with the 400E 32-bit RISC processor, the switch
will be able to handle 12,000 lines, enjoy a speed improvement of 80%, support
a six-fold increase in memory capacity, and, perhaps most importantly, will be
able to run NT's Advanced Network Services software.  This software includes
Common Channel Signaling 7 (CCS7), Advanced Meridian Digital Centrex, DMS
SuperNode connectivity, and ISDN.  CCS7 is the interswitch signaling protocol
for Signaling System 7, and the concept deserves another text file entirely
(see the New Fone eXpress/NFX articles on SS7).


Billing Format Specifications

     The DMS-10 can record AMA (Automatic Message Accounting) billing data in
either Bellcore or Northern Telecom format, and it can save this data in one of
several ways:

     - by saving onto a 9-track 800 BPI (Bits-Per-Inch) density tape drive
       called an MTU (Magnetic Tape Unit)

     - by saving onto a IOI (Input/Output Interface) pack with a 64 MB SCSI
       (Small Computer System Interface) hard drive, and transferring to 1600
       BPI tape drives for periodic transport to the RAO (Regional Accounting

     - by transmitting the data through dial-up or dedicated telephone lines
       with the Cook BMC (Billing Media Converter) II, a hard drive system that
       will transmit the billing records on request directly to the RAO.  The
       Cook BMC II supports six different types of transmission formats, listed

        * AMATS (BOC)                           [max speed: 9600 bps]
            Call records are stored using the Bellcore AMA format and polled
            using the BX.25 protocol.  Two polling ports are provided with one
            functioning as a backup.

        * BIP Compatible                        [max speed: 9600 bps (2400*4)]
            Call records are stored using the Bellcore AMA format and polled
            using the HDLC Lap B protocol.  Four polling ports are provided
            that can function simultaneously for a combined throughput of 9600
            bps. This specification is compatible with GTE's Billing
            Intermediate Processor.

        * Bellcore AMA w/ BiSync polling        [max speed: 9600 bps]
            Call records are stored using the Bellcore AMA format and polled
            using the IBM BiSync 3780 protocol.  One polling port is provided.
            This option is intended for operating companies who use independent
            data centers or public domain protocols for data processing.

        * Bellcore AMA w/ HDLC polling          [max speed: 9600 bps]
            Call records are stored using the Bellcore AMA format and polled
            using the HDLC (High-level Data Link Control) protocol.  One port
            is provided.

        * NT AMA w/ HDLC polling                [max speed: 9600 bps]
            Call records are stored using the Northern Telecom AMA format and
            polled using the HDLC protocol.

        * NT AMA w/ BiSync polling              [max speed: 4800 bps]
            Call records are stored using the Northern Telecom AMA format and
            polled using the BiSync protocol.

     - by interfacing with AT&T's AMATS (Automatic Message Accounting
       Teleprocessing System)

     - by interfacing with the Telesciences PDU-20

     All of the above storage-based systems are fully fault-tolerant, and the
polled systems can store already-polled data for re-polling.

Recorded Announcement Units

     The DMS-10 system may be interfaced to one or more recorded announcement
units through two-wire E&M trunks.  Some units supported include the Northern
Telecom integrated Digital Recorded Announcement Printed Circuit Pack (DRA
PCP), the Cook Digital Announcer or the Audichron IIS System 2E.

     The DRA PCP is integrated with the DMS-10 system, as opposed to the Cook
and Audichron units, which are external to the switch itself.  It provides
recorded announcements on a plug-in basis and offers the following features:

     - Four ports for subscriber access to announcements
     - Immediate connection when pack is idle
     - Ringback tone when busy until a port is free
     - Switch-selectable message lengths (up to 16 seconds)
     - Local and remote access available for message recording
     - Memory can be optionally battery-backed in case of power loss
     - No MDF (Main Distribution Frame) wiring required

Other External Hardware

     The DMS-10 can also support the Tellabs 292 Emergency Reporting System,
the NT Model 3703 Local Test Cabinet, and the NT FMT-150 fiber optic
transmission system.  More on this stuff later, perhaps.


     OAM, or Operations, Administration, and Maintenance functions, are
performed through an on-site maintenance terminal or through a remote
maintenance dial-in connection.  The DMS-10 communicates at speeds ranging from
110 to 9600 baud through the RS-232C port (standard) in ASCII.  There can be up
to 16 connections or terminals for maintenance, and security classes may be
assigned to different terminals, so that the terminal can only access the
programs that are necessary for that person's job.  The terminals are also
password protected, and bad password attempts result in denied access, user
castration and the detonation of three megatons of on-site TNT.  <Just kidding>

     The software model for the DMS-10 consists of a core program which loads
overlays for separate management functions.  These overlays can be one of two
types:  either free-running, which are roughly analogous to daemons on Unix
environments, which are scheduled automatically; or interactive, which
communicate directly with the terminal user.

     The major free-running programs are the Control Equipment Diagnostic
(CED), the Network Equipment Diagnostic (NED), the Peripheral Equipment
Diagnostic (PED), and the Digital Equipment Diagnostic (DED).  The CED runs
once every 24 hours, and tests the equipment associated with the CPU buses and
the backup CPU.  The NED runs whenever it feels like it and scans for faults in
the network and proceeds to deal with them, usually by switching to backup
hardware and initiating alarm sequences.  The PED is scheduled when the switch
is installed to run whenever the telco wants it to, and it systematically tests
every single trunk and line connected to that central office (CO).  The DED
tests the incoming line equipment that converts analog voice to digital PCM.

     Now, for interactive programs (a.k.a. interactive overlays), I'm going to
list all of their codes, just in case one of you gets lucky out there.  To
switch to an overlay, type OVLY <overlay>.  To switch to a sub-overlay, type
CHG <sub-overlay>.  Keep in mind that NT has also installed help systems on
some of their software, accessible by pressing "?" at prompts.  Here we go:

Overlay     Explanation and Prompting Sequences
-------     -----------------------------------
ALRM        Alarms

            ALPT - Alarm scan points
            SDPT - Signal distribution points

AMA         Automatic Message Accounting

            AMA  - Automatic Message Accounting
            MRTI - Message-rate treatment index
            PULS - Message-rate pulsing table
            TARE - Tariff table

AREA        Area

            CO   - Central Office Code
            HNPA - Home Numbering Plan Area
            RC   - Rate Center
            RTP  - Rate Treatment Package

CLI         Calling Line Identification

CNFG        Configuration Record

            ALRM - Alarm System Parameters
            AMA  - Automatic Message Accounting parameters
            BUFF - System Buffers
            CCS  - Custom Calling Services
            CCS7 - Common Channel Signaling No. 7
            CDIG - Circle Digit Translation
            CE   - Common Equipment Data
            CLUS - Cluster data
            COTM - Central Office overload call timing
            CP   - Call processing parameters
            CROT - Centralized Automatic Reporting of Trunks
            CRTM - Central Office regular call processing timing
            CSUS - Centralized Automatic Message Accounting suspension
            DLC  - Data Link Controller assignment for clusters
            E800 - Enhanced 800 Service
            FEAT - Features
            GCON - Generic Conditions
            HMCL - Host message class assignment
            IOI  - Secondary input/output interface pack(s)
            IOSF - Input/Output Shelf Assignment
            LCDR - Local Call Detail Recording
            LIT  - Line Insulation Testing parameters
            LOGU - Logical Units Assignments
            MOVE - Move Remote Line Concentrating Module
            MTCE - Maintenance Parameters
            MTU  - Magnetic Tape Unit Parameters
            OPSM - Operational Measurements
            OVLY - Overlay scheduling
            PSWD - Password Access
            SITE - Site assignments
            SSO  - Satellite Switching Office Assignments
            SUB  - Sub Switch
            SYS  - System parameters
            TRB  - Periodic trouble status reporting
            VERS - Version

CPK         Circuit Pack

            ACT  - AC Testing Definition
            DCM  - Digital Carrier Module
            LPK  - Line Concentrating Equipment line packs
            PACK - Peripheral Equipment packs
            PMS  - Peripheral Maintenance System pack
            PSHF - Peripheral Equipment Shelf
            RMM  - Remote Maintenance Module
            RMPK - Remote shelf
            RSHF - Remote Concentration Line Shelf
            SBLN - Standby line
            SLC  - SLC-96
            SLPK - SLC-96 pack

DN          Directory Number

            ACDN - Access Directory Number
            CRST - Specific Carrier Restricted
            ICP  - Intercept
            RCFA - Remote Call Forwarding appearance
            ROTL - Remote Office Test Line
            STN  - Station Definition

EQA         Equal Access

            CARR - Carrier Data Items
            CC   - Country Codes

HUNT        Hunting

            DNH  - Directory Number Hunting
            EBS  - Enhanced Business Services hunting
            KEY  - Stop hunt or random make busy hunting

LAN         Local Area Network

            LAC  - LAN Application Controller
            LCI  - LAN CPU Interface
            LSHF - Message LAN Shelf

NET         Network

            D1PK - DS-1 interface pack (SCM-10S)
            1FAC - Interface packs
            LCM  - Line Concentrating Module
            LCMC - Line Concentrating Controller Module
            NWPK - Network Packs
            RCT  - Remote Concentrator Terminal
            REM  - Remote Equipment Module
            RSLC - Remote Subscriber Line Module Controller
            RSLE - Remote Subscriber Line Equipment
            RSLM - Remote Subscriber Line Module
            SCM  - Subscriber Carrier Module (DMS-1)
            SCS  - SCM-10S shelf (SLC-96)
            SRI  - Subscriber Remote Interface pack

NTWK        Network

            ACT  - AC Testing definition
            D1PK - DS-1 interface pack (SCM-10S)
            DCM  - Digital Carrier Module
            1FAC - Interface packs
            LCM  - Line Concentrating Module
            LPK  - Line Concentrating Equipment line packs
            NWPK - Network packs
            PACK - Peripheral Equipment packs
            PMS  - Peripheral Maintenance System packs
            PSHF - Peripheral Equipment Shelf
            RCT  - Remote Concentrator Terminal
            REM  - Remote Equipment Module
            RSHF - Remote Shelf
            SBLN - Standby line
            SCM  - Subscriber Carrier Module
            SCS  - SCM-10S Shelf (SLC-96)
            SLC  - SLC-96
            SLPK - SLC-96 Line Packs
            SRI  - Subscriber Remote Interface (RLCM)

ODQ         Office Data Query

            ACDN - Access Directory Number
            CG   - Carrier group
            CNTS - Counts
            DN   - Directory Number
            DTRK - Digital Trunks (line and trunk)
            LINE - Lines (line and trunk)
            PIN  - Personal Identification Number
            STOR - Memory Storage
            TG   - Trunk Group
            TRK  - Trunks (line and trunk)

QTRN        Query Translations

            ADDR - Address Translations
            EBSP - Enhanced Business Services prefix translations
            ESAP - Emergency Stand-Alone Prefix
            PRFX - Prefix translations
            SCRN - Screening translations
            TRVR - Translation verification

ROUT        Routes

            CONN - Nailed-up connections
            DEST - Destinations
            POS  - Centralized Automatic Message Accounting positions
            ROUT - Routes
            TR   - Toll regions

SNET        CCS7 Signaling Network

            SNLS - Signaling Link Set
            SNL  - Signaling Link
            SNRS - Signaling Network Route Set

TG          Trunk Groups

            INC  - Incoming trunk groups
            OUT  - Outgoing trunk groups
            2WAY - Two-way trunk groups

THGP        Thousands Groups

TRAC        Call Tracing

TRK         Trunks

            DTRK - Digital Trunks
            TRK  - Analog or digital recorded announcement trunks

TRNS        Translations

            ADDR - Address translations
            EBSP - EBS prefix translations
            ESAP - Emergency Stand-Alone prefix
            PRFX - Prefix translations
            SCRN - Screening translations


Maximum # Subscriber Lines:            10,800
     (in stand-alone mode)

Maximum # Trunks:                       3,408
     - Incoming Trunk Groups:             127
     - Outgoing Trunk Groups:             127
     - Two-way Trunk Groups:              127
     - Maximum Routes:                    512
     - Maximum Trunks per Group:          255

Directory Numbers:                     16,000

Office Codes:                               8

Home Numbering Plan Area:                   4

Thousands Groups:                          64

Number of Network Groups:              1 or 2

Total Network Capacity:
    - One Network Module:               5,400 POTS lines + 600 trunks
    - Two Network Module:              10,800 POTS lines + 1,200 trunks

     - Busy Hour Calls                 38,000
     - Average Busy Season             29,000
         Busy Hour Attempts
     - CCS per line                      5.18 centi call seconds
     - CCS per trunk                     27.0 centi call seconds
     - Total CCS                      133,000 centi call seconds

Outpulsing                    DP, MF, or DTMF

     - Trunks                 DP, MF, or DTMF
     - Lines                       DP or DTMF

Register Capacity
     - Outgoing                  DP=16 digits
                               DTMF=16 digits
                                 MF=14 digits+KP+ST
                            LEAS MF=20 digits+KP+ST
                             [LEAS Route Access]

     - Incoming                  DP=14 digits
                               DTMF=16 digits
                                 MF=14 digits


DP - Dial Pulse.  A form of signaling that transmits pulse trains to indicate
     digits.  Slow compared to DTMF and MF.  Made obsolete by DTMF.  Old
     step-by-step switches use this method, and there are still quite a few
     subscriber lines that use DP, even though DTMF is available.

In-band Signaling - Transmitting control signals in the 300 - 3300 hz voice
                    band, meaning that they're audible to subscribers.

Out-of-band Signaling - Transmitting control signals above or below the 300 -
                        3300 hz voice band.  See SS7, CCS7.

DTMF - Dual Tone Multi-Frequency.  A form of in-band signaling that transmits
       two tones simultaneously to indicate a digit.  One tone indicates the
       row and the other indicates a column.  A fast, technically simple way of
       dialing that is in use almost all over the United States.  White boxes
       generate DTMF tones, a.k.a. "Touch Tones" or Digitones.  See DP, MF.

MF - Multi-frequency.  A form of in-band signaling similar to DTMF, except the
     signals are encoded differently (i.e., the row and column tones are
     different, because the keypad for MF tones isn't laid out in a rectangular
     matrix).  These are the "operator tones."  Blue boxes generate these
     tones. See DTMF, In-band signaling.

CCS7 - Common Channel Signaling 7.  Part of the Signaling System 7
       specification, CCS7 transmits control signals either above or below the
       voice band to control switch equipment, so control signals may be
       transmitted simultaneously with voice.  See SS7.

SS7 - Signaling System 7.  An inter-switch signaling protocol developed by
      Bellcore, the RBOCs' research consortium.  Relatively new, this protocol
      can be run only on digital switches. See CCS7, CLASS.

CLASS - Custom Local Area Signaling Services.  Several subscriber-line features
        that are just being introduced around the United States at the time of
        this article.  See SS7, CCS7.

Centrex - A scheme that turns a switch into an off-site PBX for business users.
          It can usually co-exist with existing lines.

If anyone has any more questions, contact me at WWIVNet THE CAVALIER@3464.

Thanks to Northern Telecom (the nicest sales staff in the world of switch
manufacturers, with a killer product to boot!), Pink Flamingo, Taran King,
Grim, and the crew who supported the NFX in "days of yore."
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.