Spliting phone lines. The British Telecom Wb9OO digital exchange unit. by hybrid (hybrid@phunc.com) (darkcyde.8m.com/hybrid/hybrid.htm) WB9OO is a system designed by BT to split a line into two carriers. This way two seperate BT customers can use the same line with privacy, in other words two seperate incoming/outgoing calls can be made on 1 subscriber loop similtaniously. Basicaly, the hardware BT have devoloped to allow this kind of loop is called _WB9OO 1+1 Carrier System, and consists of 1 exchange unit, 1 customer unit and a filter, all of which I will explain later. The exchange unit is designed to be attached to the Main Distribution Frame (MDF). The idea is that the standard line pair is attached to the filter at the Destination Point (DP). The filter and the DP WB9OO equipment is installed on the customers premisis, usually hidden away somewhere. In order for two people to use the same line, the two subscribers are split into differnet catigories, one of them being the _Audio Customer_ the other being the _Carrier Customer_. The audio customer will use normal speech and carrier freqencys, wile the carrier customer would use a higher carrier freqency, operating well above the standard audio freqency range. Lets take a look at this setup a little closser... Remember: * The audio customer and carrier customer use the SAME line * (SIMILTANIOUSLY with SEPERATE call setups and routes) ****************** The Audio Customer ****************** The audio customers part of the line is basicaly the same as a standard phone line, implementing DC signals with the normal 25 Hz which makes the phone ring. The customers voice patterns will use the audio freqency band, hence the name. Here a filter is implemented which is designed to stop the audio freqncys interfering with the carrier customers freqencys and equipment. As said before, this filter is fitted at the Destination Point of the subscribers line. ******************** The Carrier Customer ******************** Listen up, heres the whole emphasis of this file, the carrier customer. Basicaly, as I said before, the audio and carrier customers are on the same line or cable pair, but the carrier customer is on a higher freqency. Here, simple science is implemented and Amplitude Modulation (AM) is deployed to provide the line split. Here the signals and speech from the customer to the exchange (TXD) are modulated on a 40 kHz carrier. From the exchange to the subsciber, the carrier is modulated at a steady 64 kHz. Lets take another look at this subsciber line setup... Carrier Customer ________________ | _ ____ | | |-|--|----|::::::::::::::. | -|-|--| b) | | | || a) Customer Adapter | | | |____| | | || b) Customer WB9OO unit | |_|a) | | || -------> Carrier | |__________| | || | Customer |________________| || | Exchange || | || | || | WB9OO (exchange) This is the || ___|____ part of the WB9OO || | | This part system which ----||---- | | of the is fitted at the | || | Cable Pair/SL | | WB9OO is subsciber[s] | ::::::|::::::::::::::::::::|:::::: | fitted at home. |____||____| | | the local || Filter | | exchange. Audio Customer || |________| ________________ || | | | || | | | || | | | || -------> Audio | :::::[]:::::|::::::::::| Customer | | Exchange | | -------> External |________________| -------> Network. **************************************** Outgoing calls from the carrier customer **************************************** When the customer places a call, 40 kHz is transmitted to the line. 40 kHz is well outside the audio freqency range and will not interfere with the audio customers telephone equipment. This 40 kHz will be detected by the WB9OO unit at the exchange, and will then create a DC loop for the call to procede. Similtaniously a 64 kHz tone is transmitted to the customers line from the exchange itself (modualted dialtone). ************************************** Incoming calls to the carrier customer ************************************** If the carrier customer is called by someone, the WB9OO exchange unit detects the ringing current, and the 64 kHz carrier is activated and then modualted to the normal 25 Hz ringing current. ************ Interfernece ************ As on most freqency dependant electrical equipment, the WB9OO exchange units can be 'interfered with'. The customer, and exchange units are suseptable to freqnecys in the following bands: 36-44 kHz - 60-68 kHz. ****************** System componments ****************** exchange unit WB9OO/1-/7 [obsolete] exchagen unit WB9OO/8 [for anolouge and TXD exchanges made by Telespec] exchange unit WB9OO/9 [for analouge and TXD exchanges made by STC] mounting unit WB9OO/9 [for 10 exchange units] exchange unit WB9OO adapter1 [for exchange unit types 1/7 when connected to TXD suitable for mountings with green PCB runners] exchange unit WB9OO adapter2 [TXD suitable for mountings with black or no runners] power units [for 50 V / 12 V] subscribers unit WB9OO/a/6 [obsolete] -------------- filter unit [security filter] *********************************** Underground filter unit connections *********************************** ____________________________ | | | | | | | | | Filter Unit | | | | | |____________________________| |||||| |||||| |||||| orange wire ||||||_______________________| |_____________ ||||| white wire Audio Customer |||||________________________| |_____________ |||| |||| green wire ||||______________________| |________________ ||| white wire Carrier Customer |||_______________________| |________________ blue || ___________| |_________|| white | <----------The customer loop/cable pair ___________| |__________| ******************************************************** Testing this kind of loop setup at the exchange and line ******************************************************** Any UK phreak worth his/her weight in pbx's should have resonable knowledge of BT line testing techn1que. In this setup the audio and carrier customers are tested in differnt ways, these tests are performed from the local exchange using a technique called test selecting. Also from the Main Distrobution Frame and remote equipment located away from the exchange itself. The usuall BT testing facilitys are deployed in this scenario, SALT (for the audio customer) FRB (ringback for both audio and carrier customers) and howler tests. ************** Vulnerablittys ************** As far as I can tell the only real obvious security issue with this type of customer loop setup is via physical phreaking, ie- the use of a beige box or interception of carrier loop from local distrobution points. The customers equipment comes in many flavours, ranging from drop wires on poles, wall mountings and underground filters. If a WB9OO distrobution box is located and riged up, it would be possible to have the use of two lines instead of one. I'm lazy, so you won't find me climbing any telegraph poles with my beige box although one of the most common instalations for this type of equipment is in well built up areas such as apartment buildings, where the WB9OO units would all be coupled to together (knowing BT thrown together), here it's just a case of pic'n'mix. Anyway, I'm not encouraging you to participate in such fraudualant activitys :p Just wait until telephony over the national grid comes into play, try beige boxing then.... Hope you enjoyed this article, and play saftly kids. ___ ___ _____.___.____________________ ____________ hybrid@b4b0.org / | \\__ | |\______ \______ \/_ \______ \ hybrid@ninex.com / ~ \/ | | | | _/| _/ | || | \ hybrid.dtmf.org \ Y /\____ | | | \| | \ | || ` \ ---------------- \___|_ / / ______| |______ /|____|_ / |___/_______ / \/ \/ \/ \/ \/