[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]

..[ Phrack Magazine ]..
.:: DCO Operating System ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #50 | Release date : 1997-04-09 | Editor : daemon9
IntroductionPhrack Staff
Phrack LoopbackPhrack Staff
Line Noisevarious
Phrack Prophile on Aleph1Phrack Staff
Linux TTY hijackinghalflife
SNMP insecuritiesAlhambra
Cracking NT PasswordsNihil
SS7 Diverter plansMastermind
Skytel Paging and VoicemailpbxPhreak
Hardwire Interfacing under LinuxProfessor
PC Application Level SecuritySideshow Bob
DTMF signalling and decodingMr. Blue
DCO Operating Systemmrnobody
Phrack World NewsAlhambra
extract.cPhrack Staff
Title : DCO Operating System
Author : mrnobody
                                .oO Phrack 50 Oo.

                            Volume Seven, Issue Fifty

                                     14 of 16
                     ||  The DCO-CS Operating System  ||
                     ||              -*-              ||
                     ||                               ||
                     || by Trunkin' Fool AKA mrnobody ||
                     ||             4.1.97            ||

	OK... this is the first part of what (hopefully) will be a little
series type thing of articles on the DCO operating system, which is from
Siemens.  DCO is run on an LLS/RLS-1000/RLS-4000 machine. It has
psychotically mad logging, but the logs are configurable from the admin
accounts.  The DCO box I was using just happened to only have a 1200 bps
dialup, so some operations (i.e. listing INWATS trunks and what they route
to) were painfully slow considering the large amount of trunks this thing
can control.  It is similar to a 4ESS in some ways, and offers some PABX
functions.  A guy can have lots of fun with one of these things...

        Some features/specifications:

        Billing Computer Interface
        "The DCO-CS collects AMA data and provides direct data interface with
        your business computer, as well as 1600 BPI magnetic tape backup
        or primary data collector"

        International Callback
        "Allows the system to place a return call to an international
        subscriber for the dialed domestic number originally called, either
        through a live or automated operator position."

        ISDN Transport
        The DCO-CS is capable of switching 64 Kb/s data. This allows people
        (customers, hehe) to switch Primary and Basic Rate ISDN traffic.

        LEC Services
        Full LEC services are offered, including POTS (duh), Centrex &
        Enhanced Centrex (combines ISDN & POTS lines in the same Centrex
        groups, direct inward dialing, call forwarding, hold, call transfer,
        intercom, conferencing, OUTWATS over line groups of any size.), CLASS
        including calling number delivery and display, selective call blocking
        and forwarding, automatic recall and call trace.

        "Hacker intrusion is detected and 'thwarted' by sophisticated pattern
recognition software.  The DCO-CS switch lets you detect abused authorization
codes and service-denied authorization codes and automatically route the
calls to your service departments.  The system also offers timed threshold
levels for both ANI and authorization codes as another form of fraud
protection.  It delivers detailed traffic and facilities usage reports to help
you plan the optimum use of your private and leased facilities."

                                --Siemens Stromberg-Carlson

        Calls are processed simultaneously with separate processors and
switching matrices.  In the event of a failure, not even calls in the process
of being switched are lost because when the failure occurs, the system simply 
switches to "its redundant processor and memory".

        I guess that before I dive straight into the commands, I should
discuss something pretty damn important.  That something is MMI. MMI
stands for Man-Machine-Interface,and is basically the 'shell' for this
system.  First off, in MMI, every command is prefixed by a '$', ie, to run
the account maintenance program, "passwm", one would type: "$PASSWM",
without the quotes. Always put a comma between parameters. For example,
say that a program ADDTFREE requires the parameters SAC(service access
code),Toll-Free Number, and the Trunk to Assign the Toll-Free number to.
The hypothetical command to add a tollfree number, 555-6969, with a SAC of
800, for example, and route it to (123)456-7890, would be: 

    "$ADDTFREE 800,5556969,1234567890" 

(without the quotes). The ';' denotes a line terminator. For example, to run 
a program PROG1, which,say, clears the terminal screen, and the INWANI
utility, one would type: "$PROG1;$INWANI", without the quotes. The ""
(quotes) are used to contain a string of one or more characters. A string
is considered anything that contains either a blank or comma not being
used as a delimiter. The '\' allows special characters to be input to
tasks (similar to linux/unix?). And finally, the ':' is synonymous to done
(whatever that means).

        Some more on MMI... The command line/response length is 65 characters,
so anything longer than 65 will be truncated.  Exit is a valid response at any
prompt.  Help is also valid and lists the valid responses with descriptions.
To automatically display the help information prior to all prompts, type
"HELP=ON" without the quotes.  "HELP=OFF" disables this function. The '^' is
used to back up a menu.  Control-P cancels a function in progress. The '&'
represents logical AND.  However, the '&&' represents a logical inclusive.
The '*' is a wildcard, and allows the user to select the entire range of

        'Option Words'- the option word is entered on the command line
after the task(command) name.  The Option Word can be either in octal or

Value   ASCII           Definition
-F1     /NODIAL         no dialogue (header or trailer msg output) to terminal
-F2     /OFFLINE        Request communication with offline CP
-F4     /NOCOMM         No user input. All input must be on the command line
-F40    /NOPAGE         Do not paginate output.
        Values may be added together to indicate multiple options, eg:
-F3 = -F1 and -F2.

        One final thing: I said that all commands must be prefixed with a '$',
however, this does not apply to input, ie when inside a program it is not

        The next part is basically just a command list for DCO. I will do
a more detailed (tutorial even) as i learn more and as people ask for one,
or if I just feel like writing it (and I probably do, as I have read Phrack
for some time and always wanted to contribute). One last warning: the LLS/RLS
is a fairly large system, so be VERY CAREFUL as one can do about as many
bad things as good things if you're not careful.
	So... without further ado, heres the command list:

Command   ~   Description
-------       -----------
ABNUTL    -   perform automatic balance network (ABN) functions
ABORT     -   abort operation of an active task
ACISU     -   alarm control interface start up
ACITST    -   alarm control interface test
ACTUTL    -   display/clear/acknowledge active alarms
ADMIN     -   recent change/database administration
ALMSEN    -   switch between local and remote alarm reporting
AMA       -   configure automatic message accounting (AMA)
AMCDMP    -   administer AMA message thresholds
AMFMAU    -   verify formatted AMA tickets
AMOPT     -   administer system options
AMPRPT    -   set frequency of repeat notification of alarms
AMPUTL    -   alarm message processing utility
AUDIT     -   verify software record of hardware states match actual hardware
BKRNS     -   backup RNS disk at the host office
BLDINH    -   mask/unmask building security alarm (heh, this should be fun)
BUFDMP    -   search/clear/dump CP buffers
CANCEL    -   cancel wait timer for TID and IDN
CBUG      -   debug utility for LLS/RLS-1000 and CODC devices
CHEKER    -   compare MP memory to disk
CHKUTL    -   verify disk integrity (DCO equivalent of scandisk for dos)
CLEAR     -   initialize span error counters
CODE      -   DCO-CS customer routing
CONFIG    -   configuration control (load,switch,mask, etc.)
CONUTL    -   convert equipment numbers
COPY      -   copy databases from memory to disk
CPDMP     -   display data collected from a CP crash
CPPTCH    -   call processing patch utility
CPREST    -   online CP reset
CPSRCH    -   search CP buffer
CPSU      -   call processing startup
CSADM     -   DCO-CS administer ANI DN's and auth codes
DBADMN    -   DCO-CS change max entries in selected tables
DBUTL     -   administer MP database parameters
DBVER     -   database verifications and configuration reports
DEBUG     -   debug utility for MP
DEVMOU    -   build config file to rebuild system mount status
DIAG2     -   manually diagnose/verify fault in the MOS side of the system
DIAG3     -   manual diagnostics to test forced faults
DMPUTL    -   duplex MP utility (switchover,download,lock,etc.)
DNAUTL    -   directory number audit utility
DTIUTL    -   configure/status of DTI/DS1M for LLS/RLS-1000/RLS-4000
DUMPER    -   dump raw data records from disk
ECCRPT    -   report 1-bit parity errors corrected in MP/CP/FP
ECD       -   display error counters
EDIT      -   DCO system editor
EQCHEK    -   test access to equipped hardware
FILSYS    -   perform file or disk manipulation functions
FLSH      -   flush alarm message processing buffers
FLXANI    -   DCO-CS administer FLEX ANI tables
FPBUG     -   debug utility for FP
FPCDMP    -   display/save data collected from FP crash
FPSU      -   FP start up
FREE      -   display number of free blocks in MP memory
FXLN      -   administer/configure FX communications to an RNS
GBUG      -   generic debug utility
HEY       -   MP operating system task completion advisor
HSTUTL    -   collect/retrieve alarm message history
HOTLIN    -   DCO-CS administer hotline database
INSTAL    -   MP operating system manual task installer
INWANI    -   DCO-CS administer INWATS number routed by NPA/NXX
INWATS    -   DCO-CS administer incoming toll free (INWATS) service
ISUUTL    -   administer alarm level priorities and conditions
LLC       -   line load control of subscriber lines
LOGOFF    -   logs off the terminal
LSPT      -   light traffic tests (avoid running during heavy traffic)
MACLR     -   clear memory audit data
MANUAL    -   manual control of ports
MAUDIT    -   memory audit routine
MBI       -   report masks and errors on MBI bus
MEMCHK    -   report differences between CP memory (generic code) and disk
MEMMAP    -   display memory map
MODEM     -   administer system parameters for modem security
MOVEDB    -   DCO-CS database compress program
MSKUTL    -   temporarily mask alarm and message reporting
NITSWC    -   initiate service circuit switchover
OCC       -   DCO-CS administer system options
OPR       -   administer system operator groups
PABX      -   administer PABX groups
PARTN     -   DCO-CS administer partition number tables
PASSWM    -   administer user/password list
PATCH     -   MP operating system patcher
PATRPT    -   format patch into report
PAUDIT    -   audit patches applied to disk/system
PCOS      -   DCO-CS administer partition class of service
PED       -   administer/apply/verify patches to disk/system
POORA     -   point of origination for recorded announcements
PORTST    -   list port status; list/change lockout thresholds
PSAUTL    -   port store area (PSA) utility
REBOOT    -   reboots the maintenance processor
RECOV     -   put call processors in sync
REMOVE    -   remove a resident program from memory
RESTOR    -   restore call processor
RFRNS     -   copy files from an RNS to the host office
RGU       -   DCO-CS least cost routing/update display
RNSAMA    -   display AMA buffer status in an RNS at the host
RNSBMP    -   display RNS BMP status at the host
RNSUTL    -   configure/status/diagnostic testing of signaling links
ROTL      -   transmission/operational testing of outgoing & 2-way trunks
ROUTE     -   DCO-CS display customer routing
RRTUTL    -   reroute messages to additional terminal points
RSMUTL    -   remove/restore/mask/unmask/test RLG span
RSUTL     -   routine switchover utility
RTEST     -   routine testing
RTOPT     -   administer analog trunks and service circuits
RTR       -   administer route treatment database
SBUG      -   stop FBUG
SCTST     -   DCO-CS service circuit diagnostics
SECTTY    -   administer terminal access groups
SELMCL    -   outgoing call trace
SELNUM    -   DCO-CS administer blocked directory tables
SERV      -   DCO-CS change service circuit tables
SLUUTL    -   configure/administer/mask/test SLUS
SNCUTL    -   configure/status of SNC for LLS & RLS-1000
SPCALL    -   DCO-CS administer speed codes
STASND    -   digital alarm sending utility
STATE     -   display system state
STATE1    -   switch to system state 1
STATE2    -   switch to system state 2
STATUS    -   display system status
STOP      -   terminate execution of TEST, GBUG, DIAG2, or BTBT
SWITCH    -   manually switch tones/ringing generators/clocks (non RLS-4000)
TAPE      -   display formatted tickets on AMA tape
TASKCK    -   audits the disk database for necessary/unnecessary files
TCOS      -   administer trunk class of service
TFM       -   activate/deactive/audit/display TMRS
TFMRP     -   display specific TMRS measurements/report data/study set
TIKFM     -   DCO-CS display AMA tape format
TIME      -   display system date/time
TIMEC     -   changes system date/time
TIMER     -   administer/configure CP occupancy measurements
TKTHRS    -   administer trunk thresholds
TMAD      -   administer/configure TMRS
TMBUG     -   debugger for traffic measurement processor
TMPDMP    -   display data collected from a TMP crash
TMRPRT    -   manually display a TMRS variable report (with FP)
TRACE     -   DCO-CS call trace utility
TRACER    -   allows use of tracer board for CP
TRK       -   administer trunk group assignments
TRKUTL    -   administer trunk testing database
TSEP      -   administer/configure traffic separations
TTU       -   administer translation database
UNMASK    -   enable reporting of messages & H/W faults (non-RLS-4000)
UNSYNC    -   take call processors out of sync
UPACK     -   unpack a file
UPDATE    -   update the system state
UTL       -   mount/dismount device/feature; configure tasks
VALPC     -   DCO-CS administer validated project codes
VCHECK    -   version checker
VST       -   administer variable state timers
XDSO      -   CP message sender/debugger
XFER      -   transfer files between the DCO and another system
XRTEST    -   terminate routine testing

        Thats all for the commands... I will probably write a follow-up
explaining some of the commands usage, what a DCO looks like when you call it
(ie how you know its a DCO machine), what some defaults are, how to route
numbers using INWATS or INWANI, and whatever else i figure out... for now,
have phun & read Phrack...  Feel free to contact me:

resources i used:

- an actual RLS machine running DCO siemens stromberg-carlson

- my mind 
- the minds of my phriends, to whom i give much thanks: 
    c-stone (is thatit?), lefty, port9, cyklonik (hope everything turns out 
    OK....), a guy named don in CA :), and ben (look at me now, m0f0)

sorry if i forgot anything or anyone that helped me... 
look out for "The DCO-CS part 2" soon...


[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.