Centrex Quirks of '83

From PhreakNet, the phreaks' encyclopedia
Jump to navigation Jump to search

The Centrex Quirks of '83, also known as the 1AESS Centrex Quirks of '83, is a 4-part series of telephone recordings from Atlanta around 1983 by former phone phreak Evan Doorbell, documenting some bugs in the 1AESS Centrex software that made certain call bridging anomalies possible.

Synopsis

Part 1

By 1983, Evan's interest in the telephone had more or less gone dormant. However, his friend Les, working as a communications consultant for the State of Georgia, has 1AESS Centrex service at his office. Initially, Evan and Ben thought 1ESS would be the "switch of the future", but the 1ESS/1AESS, being an analog switch, was just "the switch of the 1980s".

One day, Les receives a call waiting, flashes to get a recall dial tone, and then dials an external number. When he flashes again, he gets another recall dial tone and is able to dial another number again. This process is allowed to continue indefinitely, building up a "stack" of calls in the process that could later be torn down, similar to classic "tandem stacking".

In playing with Call Hold and Call Waiting on Centrex, Evan and Les find a number of bugs in the 1AESS software. Evan and Les order Prestige for their apartments in order to explore the 1AESS bugs in more depth. Les is assigned intercom code *20 and Evan is assigned *21. They discover the problems are so bad that they decide to record a series of tapes to send to a contact at Bell Labs so the problems can be fixed. The problems were not fixed by 1988, but were finally fixed by 1989 or 1990.

In Part 1, Evan and Les test the Transfer Permissions bug and the Unwanted Bridge bug.

Part 2

Evan discusses how changes in call state were clearly audible with 1AESS, due to physical connections being modified. When a subscriber received a call waiting, for example, this was audible to the other party with whom this person was speaking, unlike digital switches like the 5ESS, where no such audible indication is provided[1]. This had the effect of making the other party naturally stop speaking, unlike modern systems that force the person with the call waiting to manually interrupt the other person before switching to the new call.

In Part 2, Evan and Les explore the Unwanted Bridge bug and Funny Mode.

Part 3

Evan makes a 5-way call using a single phone line. He invokes Funny Mode on a loopback call to himself through TSPS by hitting # right before flashing, thus getting a recall dial tone just before his call through TSPS back to himself hangs up.

In Part 3, Evan and Les play with the Ad Infinitum bug.

Part 4

Evan uses funny mode in conjunction with ad infinitum to prematurely conference a three-way bridge in order to build a stack and allow hearing the call stack growing.

Several years later, in 1987, Clay creates a conference for a group of bulletin board system (BBS) users using ad infinitum, which Evan later starts recording. The conference grows so large that the stack is large enough that participants at the top have trouble hearing participants at the bottom.

Later that evening, the conference is set up again. To add additional participants, Evan gives himself a call waiting, adds the next participant, lets the call waiting drop, and then conferences the next person in. To address participants' difficulty in hearing each other, Evan uses a loop around on each side to tie together the ends of the stack. At some point, a call waiting is dropped prematurely while Evan is adding a participant, inadvertently activating "funny mode". If the latest caller hangs up, this will cause Evan to lose the conference, and the conference can't get any larger, due to the unwanted bridge bug.

Calling Features

Call Hold

Call Hold allows users to make two separate calls on one phone line, without conferencing them together as is done in three-way calling. Users can dial one call, flash to get a recall dial tone, dial the Call Hold code, and then dial another number. The first call remains on hold while the second call goes through. The user can then swap between calls by flashing to a recall dial tone and dialing the Call Hold code again[2]. The code in Les' office for Call Hold was 111 (feature and tie line codes on Centrex are typically assigned in the 1XX range).

Call Waiting

Call Waiting allows users to receive another incoming call while they are already in an existing stable call. In Les' office, it was available starting in 1983[3].

When Call Waiting is assigned on a line with the Call Hold feature, operation of the feature is modified slightly. Flashing during a call waiting does not answer the call waiting; instead, it provides a recall dial tone. Dialing the Call Hold code is necessary to answer the call waiting[4]. To swap between calls, flashing and dialing the Call Hold code again is necessary.

Because of the presence of the Call Hold code, it is not necessary to immediately dial the Call Hold code during a call waiting. A user can instead dial another number so as to transfer his existing call to the new destination number, before answering the call waiting. Normally, this kind of procedure is not possible.

Multiline Variety Package

Southern Bell debuted a new service called Prestige[5], also known by its generic name Multiline Variety Package or MVP[6]. Customers in the same central office could be in the same customer group. This offered Call Hold and Call Pickup to residences and small businesses.

Call Pickup is assigned the code *8[7]. Call Hold is assigned the code *9[8]. Three-way calling is called Conference, but also has the "Transfer" feature, so calls can be transferred by hanging up after dialing a second number. Speed Calling 6 is present by the name Convenience Dialing, with 6 entries from #2 through #7. Intercom calls (within the system) are dialed using long-list speed calling, from *20 through *49.

Because *8 is assigned for Call Pickup, the usual *8X vertical service codes cannot be dialed in the usual manner. For this reason, they are assigned the *5X range with MVP[9].

Bugs

Throughout their exploration, Evan and Les find that all of the unusual bridging bugs are caused by bugs which cause the switching system to not work as intended. In retrospect, Evan deduces the problems were caused by four distinct bugs.

These bugs were fixed in the 1980s and since then were no longer present on 1ESS/1AESS switches.

Transfer Permissions bug

Call Waiting on Centrex was an afterthought, and when it became available, the extended definitions for calls that could be transferred were not fully updated. When there is a call waiting, answered or unanswered, the original call cannot be transferred to an outside number[10]. (If the transfer-to number is an intercom call, it does work.)

In one scenario, with a call up between two stations, one station receives an intraoffice (but non-intercom) call waiting. This station flashes to a recall dial tone and dials the Call Hold code, so as to answer the call waiting. This station then flashes again to dial another number and then hangs up, so as to transfer the incoming call to an external number. Afterwards, the station hangs up momentarily to allow the original call to ring back again and then answers the original call. After the external call hangs up, the incoming call then triggers another call waiting[11]. Another scenario has the original stable call between an intraoffice call and a Centrex station.

Unwanted Bridge bug

In 1ESS, physical relay-operated bridges are used to facilitate Three-Way Calling, Call Waiting, Call Hold, and other "complex" calls. When a call is set up between two parties in the 1E, no bridge is required. When a user flashes to initiate a three-way call, the original call is moved to the A-side of a three-way bridge. The subscriber is connected to the customer dial pulse receiver, which obtains the second phone number. The new call is then put on the B-side of the three-way bridge, and the user is connected to the center of the bridge. Relays in the bridge cut audio through from the center to the B-side of the bridge, so the user only hears the second call. Upon flashing, another relay operates to connect all calls together, forming a three-way calling.

The same bridge is also used in Call Waiting, with the difference that the relays to connect A and B to the center are never all operated at the same time, so a conference is never formed. In regular call waiting, hook flashing indirectly causes bridge relays to operate which cut audio through from the center to the B-side; flashing again disconnects the B-side and connects the A-side again. With Call Hold, flashing removes the user from the bridge to the CDPR. Dialing the Call Hold code sends the user back to the bridge, adjusting the relays as needed to swap calls[12].

Normally, with Call Waiting, the A-side and B-side are never supposed to be connected to the center at the same time; a deviation from this can happen if, with a stable intercom call up, a user receives a call waiting. The user flashes to get a recall dial tone; however, after flashing but before dialing the Call Hold code, the call waiting hangs up. This connects the user to "nothing". Afterwards, he is unable to flash at all. If he hangs up, the original call does not ring back, as the original call was improperly cut off.

This bug "traps" a user, i.e. results in a user no longer being able to flash for a recall dial tone[13]. It can also result in not being able to hear a connected call. This is due to a bridge remaining in a connection that is no longer supposed to be present after a 3-way call is dropped[14].

With a stable intercom call, one station dials the Call Hold code and then initiates an outgoing interoffice call. He then switches between the two calls a few times using Call Hold, eventually transferring the outgoing call to another intercom station. This number is busy, and the user can no long flash to get a recall dial tone.

If the outgoing call is an intraoffice call, this bug does not occur, and the busy signal can be dropped successfully for another attempt. If the second incoming call is an incoming call, it also does not occur.

In another scenario, if an answered incoming call is transferred to a ringing extension, if another station puts an existing call on hold and answers the ringing call using Call Pickup, the two parties can converse normally, but if the answerer swaps calls and then comes back, the two parties can no longer hear each other[15]. This also occurs if the initial call is an answered outgoing call, with Call Waiting instead of Call Pickup.

Funny Mode

With funny mode, if a call on hold hangs up after flashing to a recall dial tone but before dialing the additional number, a conference is formed between the A-side and the B-side. This occurs without the user flashing again to conference the calls. With 2 calls up, the user can then flash again and dial another number. Calls 3 and 1 are then conferenced together as soon as dialing is finished, and flashing again connects the A and B sides on the original bridge, causing calls 1, 2, and 3 to all be connected. Flashing again drops call 3, but flashing afterwards does not work anymore[16].

Funny mode can also be used to split an existing conference call into two calls. Afterwards, the user cannot disconnect either call without losing the other one, and either of the calls disconnecting would also disconnect the other one[17].

Ad Infinitum

With Call Hold, a station can flash to get a recall dial tone when a call waiting is present. Instead of answering the call waiting or transferring the call, the user can instead dial another number. Flashing does not conference the calls or disconnect the last call, but instead provides a recall dial tone again. The user can thus flash and repeat this procedure to add additional calls. None of the calls is conferenced yet, but additional three-way calling bridges are added for each call added, to anticipate being conferenced.

As long as the call waiting is present, additional calls can be added. To stop building a stack of calls, the initial incoming call is either abandoned or answered. Now when flashing, the call is conferenced with the most recently added call. Repeatedly hook flashing will conference calls and then drop calls in the reverse order of being added, i.e. the next flash will conference the two most recently added calls, and the following flash will disconnect the most recently added call, and so on, such that 1 or 2 of the most recently added calls are present at a time.

This effectively produces a "call stack", since previously added calls cannot be accessed without tearing more recently added calls off the stack. If calls in the middle of the stack answer and hang up, the bridges cut through, allowing transmission from one end of the stack to the other[18].

Hanging up on a stack consisting of stable calls that would not eventually hang up had the effect of taking the corresponding trunks out of service, since those calls would stay up[19].

References

  1. Joel, Amos. "Oral History, 1993".
  2. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 1, 2:20-4:05".
  3. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 1, 4:05".
  4. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 1, 4:20".
  5. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 1, 8:30".
  6. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 1, 11:10".
  7. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 1, 13:05".
  8. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 1, 11:35".
  9. "Phrack Magazine, Volume 6, Issue 47, File 7 of 22".
  10. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 1, 19:15".
  11. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 1, 14:00-19:00".
  12. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 2, 3:45-5:40".
  13. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 1, 26:50".
  14. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 2, 33:10".
  15. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 1, 29:00".
  16. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 2, 10:00-12:30".
  17. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 2, 15:00-15:40".
  18. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 3".
  19. Doorbell, Evan. "The (1A ESS) Centrex Quirks of '83, part 4, 14:00".