The DATU Modes and Practical Uses

by Phractal

[ disclaimer: unless you are a certified technician, any DATU you access
is not your property and therefore is electronic trespassing into the
insides of your local Central Office. Know what you're getting into. This
information may or may not have been test by someone certified to operate
a DATU. This is merely information, nothing more.]

I.    Intro, Switching Diagrams, DATU definition
II.   Format of DATUs
III.  Test Mode
IV.   Admin Mode
V.    Practical DATU uses
VI.   Theoretical DATU uses
VII.  Final Notes
VIII. Technical Acronyms

I. Intro
	Well, a great many of articles have been written recently
regarding the Direct Access Test Unit (DATU). A DATU is a computer
that you can connect to via the PSTN, all you need is the phone number.
My local Central Office uses a AT&T 5ESS switch, so I know for a fact that
those switches use DATUs, I am not sure about others, like DMS switches,
but chances are, your local, residential Central Office has a DATU. DATUs
use the ring and tip wires a lot to test lines, the ring and tip wires
are often the red and green wires that go into your phone.

	DATUs are tubular little wonders that allow the phone company and
phreaks to perform tests on local loops. To test a line outside your
Central Office's area, you need the DATU number for the Central Office
that serves it.

I should mention that this article discusses but is not necessarily
limited to testing POTS lines.

>From the PSTN to your home:

          |
  \              /
                         /------------------\   /-----------------------\
_      PSTN!     ---ss7--| Toll Switch      |---| Local Switch / CO     |
                         |DMS 200, 250, 500 |   | 5ESS, DMS 10, DMS 100 |
                         \------------------/   \-----------------------/
  /       |     \                                         |
                                			  |
                                                     <POTS lines>
                                                          |
                                                         ___
                                                        /   \
                                               /--------\   /--------\
                                               |Junction|   |Junction|
                                               |  Box   |   |   Box  |
                                               \--------/   \--------/
		                                  /\   Split    /\
                        Your k-rad line~~~~~~~~~>/  \   lines  /  \
                                                /\  /\        /\  /\
                                               /  \          /
                                              /
                                             /
                                       tip> /\ <ring     Residential
                                           /  \          Loops
                                           |  |
                                           |  |
                                         /------\
                                         | home |
                                         \------/



II. The Format of DATUs

The format of most DATUs is xxx-9935

It is up to you to find an exchange that works, it shouldn't be too hard
since most non-toll COs only serve less than 15 or so exchanges. If you
still can't find it, the DATU could be anyplace else, or you have a
different switch, but for most 9935 is the suffix for the DATU. You can
try wardialing for them. You will recognize a DATU by it's weird prompt.
It is a 440hz tone sounding like a low hum. The prompt is asking you to
enter in the DATU password on your DTMF keypad. All passwords that I have
found to work are 4 digits, the default is 1111. If it isn't the password,
try pairs like 3535 or 9292, i have found some that work with pairs, as
well as 4300. Then again, don't try and brute force the password, at least
not from home. If the Telco notices a lot of failed DATU logins then they
will contact you or they will change the password, causing a headache for
all the linemen and phreaks who already know it. Use your head :)



The real hardcore hardware nerdy stuff of DATUs can be acquired by reading
Phrack 52, and PPM issue 2 and 3.

Therefore I'm not going to heavily explain what all the functions do
inside the DATU.

Also, for a quick reference, check Telec's article @ phonerangers.org

-Once you have the DATU, and the 440Hz tone, you will have to dial the
password using DTMF tones. There are two accounts/passwords THAT I KNOW OF
for each DATU. There is the normal account which is a 4 digit password,
and there is an ADMIN account, which is * followed by 7 digits.

III. Test Mode

Default passwords for the normal account are 1111 and 4300
Once inside the DATU using the normal account you will hear a second
440 Hz tone prompting you to enter in a seven digit phone number that
is served by the switch the DATU is at. After that you should hear an OK
to confirm, otherwise you did something wrong, or the line is busy. You
can perform tests on the line by using the corresponding codes:

Code:   Test:                     Fuction:
1       ----                      Announces the menu over the phone

2       Audio Montior             Hear SCRAMBLED traffic on the phone, can
                                  be used to test if there is activity on
                                  line or not.

33      Short to Ground           Shorts the ring, tip and ground wires of
                                  your line back at the CO(red and green
                                  wires)

37      Ring Ground               Shorts ground and ring wires

38      Tip Ground                Shorts ground and tip wires

44      Ring/Tip High Tone        Bursts a high level tone onto the Tip
                                  and Ring Wires

47      Ring High Tone            Bursts a high level tone onto Ring wire,
                                  Tip grounded

48      Tip Hight Tone            Bursts a high level tone onto Tip wire,
                                  Ring grounded

5       Low level Tone            Bursts low level tone onto tip and ring
                                  wires

6       Open Line                 Cuts battery power to tip and ring, line
                                  has no electricuty from CO, rendering it
                                  unusable

7       Short Line                Electricity given to tip and ring from
                                  CO

9       Permanent Signal Release  Used on busy lines in older switches,
                                  refer to the DATU article by BlackAxe in
                                  Phone Punx Magazine Issue 2

*       Hold Function             Keeps current test on line active after
                                  you disconnect for a specified amount of
                                  time that you have to enter in, most of
                                  the time 10  minutes is the max, to
				          prevent things like a line being open
                                  for a month.
#       New Test                  Disconnects you from current line, and
                                  prompts you to enter in a new number to
                                  test, like the Control-C of a DATU.

IV. ADMIN MODE:

/!#@$%@#$

HI, I just want to make a point of saying that the following is info is
NOT confirmed, I am writing this from my experiences using admin mode.
For example, I don't know if option 3 actually has the power to delete
exchanges or not, i haven't tried it, and neither should you, really.

The Admin mode is entered by entering in a * followed by a seven digit
passsword. I currently am un-aware of any 'defaults' for this. The
options in the admin account allow you to do things that pertain more to
the Central Office and how it serves the public. You cannot test local
loops with the ADMIN ACCOUNT. Once you get a valid password, you should
NOT hear a second 440hz tone, you should just automatically hear an 'OK'. 
The
following codes work for the ADMIN mode:

***PLEASE IF YOU HAVE ACCESS HERE, EXPLORE WITH CARE! YOU COULD SERIOUSLY
CAUSE DAMAGE TO YOU AND YOUR LOCAL NEIGHBORS SERVED BY THE LOCAL CO. I
WOULD SUGGEST YOU DO NOT EVEN ATTEMPT TO CHANGE OR ACCESS ANY OPTIONS
OTHER THAN TO CLEAR YOUR TRACKS(covered later).

Code:     Option:                       Sub-Optionz:
1         Set password                  1.Set System Password
					          2.Set User Password

2         Select Busy Test              1.Select Busy Test
                                           4. Stanard Busy Test
                                           5. 5ESS Busy Test
                                        2.Select Dialing Message
                                           1. MF Dialing Message (??)
                                           2. MF Dialing Message
                                           3. Pulse Dialing Message (??)
                                           4. Pulse Dialing Message
                                           5. MF with Reversal Sensing
                                           6. Pulse with Reversal Sensing
                                        3.Select Trunk
                                           1.Standard Trunk
			                         2.Special Trunk
                                             1. Trunk Share
                                             2. No Trunk Share

3         Read/Change Prefixes          3.Add Prefix
                                        4.Clear all prefixes
                                        5.Delete Prefix
                                        6.Read all prefixes

4         Read/Clear Timers             1. Read Timers
					             1. Usage Timers
					             2. Function Timers
					          2. Clear Timers
                                           1. Clear Usage Timers
                                           2. Clear Function Timers
                                           3. Clear all Timers

5         Select # of digits            Dial 4, 5, or 7

6         Set AccessTimeout Parameters  Dial Three Digits

7         Read/Clear Counters           1. Read Counters
                                           1. Read Usage Counters
                                           2. Read Function Counters
                                        2. Clear Counters
                                           1. Clear Usage Counters
                                           2. Clear Function Counters
                                           3. Clear all Counters
8         Enable/Disable Test 9         Toggle wheather Permanent Signal
                                        Release is allowed or not to be
                                        used
0         Clear Alarm                        ??



There are other kinds of lines and functions that you can do with the DATU
computer, but I suggest you look them up in Phrack or PPM, or maybe I'll
write a part 2 sometime later :)

BTW, the only tests that work on a busy line are: Audio Monitor, Low Level
Tone, and Permanent Signal Release.

To cover  your tracks, clear the onboard logs, aka Timers, via Option 7.

V. Practical Uses for DATUs:

Busy Lines:
	Let's say you call a number, be a friend, or wardialing and its
busy. You can use the audio montitor to test if there is actual traffic
on the line, if not, then maybe the line is somesort of test line or
someone left a phone off the hook. I have found audio monitor useful when
trying to hack weird modern COCOTs. Let's say you know a BBS or some
carrier that you want to connect to, but it's busy, like a COCOT's
computer modem, you can blast a Low Level Tone to throw off the modem and
have it get disconected, you can also remotely disconnect any modem from
a connection if you know the number of the line. (You can only do this if
the line has a ground going into thehouse, or building and not just at
the CO) If there is a number you have found that is ALWAYS busy, i mean
ALWAYS, try  opening the line and dialing it right after the line is
shorted back. I find that COCOTS almost always have grounds in them.

*Most residential lines will not hear Low Level Tone, because they have
no ground going into the phone.

Beige Boxing in a large Telco Boxes:
	When beiging in a large telcobox, depending on where you are, it
can be a puzzle to find the right pair to connect to the line you want to,
if it is a specific line that you are looking for. You can use High Level
Tone Tests to look for the pair, when you reach a pair that has a beeping
you can bet its the same line you inputted into the DATU. If the line is
busy, or you want to be more stealthy, you can use the low level tone,
which is less likely for someone to hear unless they have a ground going
into their phone, most don't nowadays.

Remote Busy Box:
	Remember the Busy Box? You crossed the green and red wires to busy
out any line. The green and red wires are tip and ring, so test code 33
can remotely turn any local line into a busy box since the tip and ring
wires are shorted out at the CO. Be in mind that most likely you can only
keep a line shorted for 10 minutes after you hang up, if you want longer,
just keep dialing in every 10 minutes. The same goes for opening a line
(shutting it off) or any tone tests.

(Hint about time limits, study ADMIN functions)

Some notes about Audio Monitor:

--- The Audio Monitor feature is not a tap or eavesdropping feature, you
can not understand any speech or capture any DTMF tones traveling along
the line though the DATU. It is merely used to verify that there is indeed
activity on a line, if the line is busy and there is no acitivy, then
there could be a problem.

VI. Theoretical Uses for DATUs:

Creating Phone Numbers:
	Have you ever dreamed of creating a phone number out of thin air,
with no billable address like the Legion of Doom did back in the day?
Well, the first step could be creating a new exchange to use your numbers
on. Once the exchange is created, I can't really tell you where to go
from there. If you find other ways of entering the switch, like thru a
dialup or over some Packet Switched Network, then go for it, but be
careful, respect the telco's turf, and DON'T MODIFY OTHER PEOPLE'S STUFF!

Mapping Switch Hardware:

	I have heard some DATUs announce the switch they are attached to.
This can be useful to find out info on how to remotely explore the switch.
Also, if Permanent Signal Release is enabled, then you could find a stroke
of unbelievable good luck, Step by Step switching, which in theory of
course, all kinds of things would work, like blueboxing (inband
signalling), black boxes, etc...


VII. Final Notes:

DATUs are for testing lines only, they apply certain tones and can short
lines, but they are not used to add features or anything to a line. You
cannot add three way calling to your line through a DATU. You cannot add
Call Forwarding to you line, you cannot get ISDN or ADSL. And please test
responsably. If you keep opening a line to annoy someone then the
password will most likely get changed.

As far as I know, if you have the dialup and password, you can access the
DATU from anyplace on the PSTN, there is no confirmation that you are
calling from a local number or anything, so If you are in NY, you can test
lines in California providing you have the DATU k0d3z.

VIII. Technical Acronyms:

PSTN   Public Switched Telephone Network (the global phone network)
AT&T   American Telephone and Telegraph
ESS    Electronic Switching System
DMS    Digital Multiplexing System
CCITT  Committee Consultative International Telegraph and Telephone
POTS   Plain Old Telephone System
DTMF   Dual Tone Multi Frequency
PPM    Phone Punx Magazine
MF     Multi Frequency
CO     Central Office
COCOT  Customer Owned Coin Operated Telephone
BBS    Bulliten Board System
ISDN   Integrated Services Digital Network
ADSL   Asynchronous Digital Subscriber Line
DATU   You should know this...

Greets:

9x, Substance, Hybrid, D4RKCYDE, Downtime, Phonerangers, Telec, Mastermind,
Black Axe, Janus, linear, terror eyz, dijit, nawleed, vixen, Zylone,
Pinguino, The Clone, logicbox, velocity, Venadium, Brisk, Bor, Xade :),
notten, barby, bikr, tomgavin, leprekaun, dinkee, purp, vap0r,
Tubular Phreak, 3rd worm, diozepart, Team Phreak, and all my other old
skool conf buddiez, you know who you are ;)

I also owe alot to Telec and MMX to my current understanding of the DATU.






