If the thread devs into stealing paid goods it'll be promptly locked. It's also good to keep in mind that several .gov agencies visit this site regularly, so posting about telecommunications fraud isn't something smart to do.
Now, discovery of the activation and maintenance processes is perfectly fine to talk about...
And #a2 It'd be SSH or another secure service; telnet and standard web based would leave them open for sniffing and I'm sure they thought of this. Likely it's a simple web-ap hidden behind an ssl connection.
As for #a4, minutes aren't stored on phones anymore, they're stored on server to where they cannot be edited short of a refil card.
As for what you'd need, b1 is correct, you'd also need the port in which connections are handled; which can get kind of tricky as well, as they can use both SSL (port 443) and another port over the ssl connection.
B2 it'd be likely that the account number is a raw number/letter combination, there would also be some sort of authentication string (likely an MD5ed password) as well as some sort of unique id for that store and possibly one to identify employees. Likely it'd be something such as aaaaaaaaaa.###### where a is the store/location id and # is the unique employee id.
B3, who needs a GUI? Adobe's licensing system for example runs off of a telnet server, nothing fancy