Things Everyone Should Know About Telephony-Over-Cable

by Treephrog
Feb. 9/03

Disclaimer:
All information contained in this text file is for edu-tainment puposes only. Any and all resemblences to any real persons or acts is strictly coincidental and/or fictional. I do not condone breaking the law, and you cannot hold me or anyone else besides yourself responsible for the consequences if you choose to act upon anything you read here. By reading beyond this point, you agree to this. If not, don't read anymore. Go back to the construct.

There.
 

"Oh, bother," said Pooh, as he was frozen in carbonite.

Shouts & Greetz:

Cyborgasm (Many Thanks)
TheClone (Many Thanks)
h410g3n (Inspiration & info)
Grease (You know you waaaaaaaaant it.)
The Pope (pants...)
Untoward (wassabie...)
HackCanada, Nettwerked and
All 902's, if there are any besides me... :/

Essential Linkage:
http://www.hackcanada.com
http://www.nettwerked.net
http://www.h410g3n.com
http://www3.ns.sympatico.ca/grease/

/Start file

A (Very) Brief History Lesson

So, with the wonderful world of technology expanding at a spine-breaking pace, and the telecommunications sector being "de-communized", there's been all kinds of new and exciting things happening in all the R & D labs all over the planet.  Billions and billions of dollars of drugs are being consumed by electronics technicians, all in the hopes that they will be the ones to out-do the competition.

Well, the boys in the labs at Arris Interactive got their mitts on some pretty heavy shit, hot-boxed in their VW Vanagon, and put this stuff down on paper.

Someone figured out that a good place to make a market would be to look at who could compete pound-for-pound with the local telco providers.  Who had a similar infrastructure, who already had cabling in place, yadda, yadda, yadda, and the answer that leapt up was none other than the CATV industry.

CATV was already on its way into a new era.  Digital cable and broadband internet were becoming commonplace commodities for the big players such as Time-Warner, Bell and such.  Therefore, it wasn't much of a stretch to figure that voice couldn't be that hard to put in the mix.

Enter Arris Interactive.  The boys in the lab figured out Time-Division Multiplexing (TDM), which is beyond the scope of this phile, suffice to say it's not nearly as complex as the name implies.  They figured out a way to make their system play nice with existing systems, a cheap way to mass-produce and deliver to CATV companies, and so-simple-it's-stupid installation method so all the dumb pole-monkeys (CATV linemen) could understand how to set it all up.  The boys goofed on one thing, though.

Security.

This thing is, in my opinion, about as secure as a paper bag in the shower.

Physically, you'd have to have been poked repeatedly in the soft-spot as an infant to not be able to open it up and understand what's going on in under five seconds.  Yes, folks, it's that simple.  From the activation/social engineerablity/usefulness point-of-view, it's almost as simple.

Here's the gist of it.

You call up your local CATV provider and ask if they offer phone service.  (Do this before you do anything else, because this is still a brand-new service, limited deployment, but I believe it's low front-end cost to high revenue ratio will make it insanely popular with CATV providers, especially if they already offer digital cable/broadband internet, within the next 2 to 3 years.  And if you know of an area that this service is currently running in that's not local to you, go for a drive, trust me, it will be worth it.)  If they say yes, yer off to the races.  If they say no, they don't, then get on the grapevine and find one of your pals in an area that does have this and get them to put you up for a weekend.  Either way, this is what you're looking for, probably mounted on the side of the house in close proximity to the power meter:

This is an Arris Interactive 2-Line Cornerstone Voice Port.  Access doors open.  It's measurements are approx. 12" high by 8" across by 4" deep.  They may or may not be accompanied by a small grey box about 12" by 4" by 4".  More on that later.

The access doors are insanely easy to get into.  The hardest part is that the left "Network Access" side is closed with a "booth bolt", a hex-headed bolt with a little round nub in the middle of the hex pattern to prevent a regular hex-key from fitting.  A small flat-headed screwdriver with a blade width of about 1/8" (precision screwdriver) easily bypasses this minor annoyance, assuming a lack of a proper booth tool.  The right side is flapped over the left side and held in place with a simple flat/phillips combo screw.  Easy.  There may be some sort of clip-tag hanging off a little loop-hole attached to the left side that fits into the little slot on the right side.  Just give the tag a couple of twists and turns while tugging on the right-hand door.  It'll pop out after a bit.  It may sound complicated, but you'll see exactly what I mean when you see one up close.

Sooooo, once you've managed to finangle your way into the thing without alerting the general populace, homeowner, police or roaming CATV technician, here's the general gist of what's going on inside:

A.  Warning Label.  Read it.  Note: 90 Volts.  Read it again.  Notice how they don't tell you the amps?  It's between 0.1 and 0.3.  Yes, this is in the painful range.  Yes, you'll know immediately if you've touched something you shouldn't have.

B.  This the backside of the booth bolt.  It inserts into the round brass fitting above F.

C.  This it the little loophole that may or may not have a clip-tag attached to it.  It's a whole lot easier if it doesn't.

D.  This is the slot that C goes through and the flat/phillips combo screw.

E.  Power Supply connections.  Pay attention, this could prove useful, and may save you some painful fingers.  The unit in the picture is currently configured to draw power directly from the coax feed coming from the street which is attached to G.  This is one of 3 possible configurations.  The other 2 configurations are: Jumper from "Ground" (top post) to "Coax Power" (second post down from top), with "Supply" and "Return" wires attached to the coax feed coming from the street; and finally 4 wires (I've seen this done with Cat 3 network cable, believe it or not!) attached to the 4 leads and going off to a UPS somewhere, probably in the basement.

F.  Status LED.  1 long flash, unit trouble, no communication to CO.  4 flashes, no carrier signal or unit trouble.  3 flashes, unit is ranging (frequency scanning) for carrier signal from CO.  2 flashes, unit has acquired carrier frequency from CO and is awaiting programming instructions.  1 flash, dial tone.

G.  CATV feed IN from street.

H.  CATV feed OUT to premises.

I.  House Telco Demarcation Point.  Red is ring, green is tip.  Dial tone, it's what we're all about...

Only other thing of note:  Directly above I. (you'll have to twist your neck in all manner of horrible ways to see it)  is small sticker containing a bar code, a unit S/N (Serial Number) and V/P (Voice Port Number).  The Voice Port number is the one you want.  That's the one that the CO uses to access that particular Voice Port and see what going on with it, program it, make changes to the subscribers phone services, perform maintenance, etc., etc.

What good is that, you may ask?  Well, if one were to open a Voice Port, and see no wires attached to Line 2, and one had particularly good social engineering skills, one could conceivably go through the phone hierarchy and end up on the phone with the SOC (Service Operations Centre, a.k.a. Provisioning/Programming), which might enable one to get dial-tone on Line 2...

... or you could use your test set (beige box?) on Line 1 and make all kinds of cool calls, listen in, whatever...

... or if the unit is configured as above, disconnect the Network Coax and attach it by way of an F-81 (the little cable do-dad that lets you hook 2 pieces of cable together) to the Customer Coax, and then run like hell, because you've now sent 90 volts to any TV's or VCR's that might be hooked up in the house...

Not that you would.  But you could.  *grinz*

Just some quick additional info.  There are 3 other flavours of this unit.  There's a 4 Line version of the one I've covered in this phile.  Exactly the same in all respects, save 4 pairs of red/greens instead of 2.

There's the now discontinued 12-Port:

... and the spanky new 24-Port:

... and they all operate off the same principles as the 2 port.  Just more lines.  The 12 and 24 line versions are common in multi-unit apartment buildings.  At least here they are.  *grinz*

The only caution I have for you with these, besides the voltage, is the fact that if you disconnect power to any of them, an alarm rings at the CO.  They know the number of the VP that has been taken off-line, and thus know the address.  No big deal with the 2 port, raises a few eyebrows with the 4 port, gives instant indigestion with the 12 port, and if you take a 24 port offline, someone has a litter of kittens.  Of course, temper all that with company policy of dial-tone restored in "under an hour", and you've got at least 5 minutes of play time...

So there you have it.  Pretty straight-forward, as I said.  There have got to be tons of possibilities with this, I've given you 3 for a start.  Have at it, have phun, and if someone has any more info on these or similar units, share it around.  I don't want to look like the only cable phreak left in the world.

And to the boys in the Arris labs, don't worry about system security.  Light another.  We've got you covered.

Tha 'Phr0g