Author Topic: Snom 370 VoIP Phone Password Recovery  (Read 2704 times)

gnif (Administrator)
Snom 370 VoIP Phone Password Recovery
« on: September 25, 2014, 10:17:06 am »
Hey All,

Just thought I would post a little bit of info here on a little hack I performed last night. Not exactly electronics, more software than anything, but someone else might want this at some point, so I'm posting it all here for the world to see.

Five years ago I was issued this phone and promptly set it all up, and then discarded my VoIP password. Now, like all good systems, it does not allow password recovery; even if you dump the MTD using its debug interface, it discards the JFFS2 block that contains the information. Now I could just wait for my superior to return from his break and give me the password, or I could try to 'recover' it myself.

Upon tearing it apart, I found 3 very clearly marked pads under the main PCB: GND/RX/TX. My DSO was quickly attached and I noted that there was 115200 baud serial data at 3.3V levels. So I broke out my USB RS232 adaptor and wired it up to the pads, only to find I was getting nothing from the port now. After much messing around I discovered the issue: the 3.3V from the TX of my USB adaptor was keeping the SoC partially powered while resetting the device, and serial output would not work. The solution: power the device, and then quickly connect the adaptor. That solved, I was greeted with a custom built version of u-boot, with a 'Press enter' to abort boot, and then after doing so, the following prompt:
Code:
INCA-IP-ROM #

Going forward with u-boot... first things first, printenv:
Code:
INCA-IP-ROM # printenv
bootcmd=run flash_all
baudrate=115200
nfsargs=setenv bootargs root=/dev/nfs rw nfsroot=$(serverip):$(rootpath)
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
flash_nfs=run nfsargs addip addmisc;bootm $(kernel_addr)
flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr)
net_nfs=tftp 80500000 $(bootfile);run nfsargs addip addmisc;bootm
rootpath=/opt/eldk/mips_4KC
bootfile=uImage
kernel_addr=B0040000
ramdisk_addr=B0100000
u-boot=u-boot.bin
loadloader=tftp 80500000 $(u-boot)
updloader=protect off 1:0-2;era 1:0-2;cp.b 80500000 B0000000 $(filesize)
loadkernel=tftp 80400000 $(bootfile)
updkernel=era b0040000 b00fffff;cp.b 80400000 B0040000 $(filesize)
jffs2args=setenv bootargs root=/dev/mtdblock2 rw rootfstype=jffs2
flash_all=run jffs2args addip addmisc;fsload 80400000 /boot/uImage;bootm 80400000
factoryargs=setenv bootargs root=/dev/mtdblock3 rw rootfstype=jffs2
factory_system=run factoryargs addip addmisc;bootm $(kernel_addr)
failsave=setenv bootcmd run factory_system;saveenv;run factory_system
reset_env=protect off b0030000 b003ffff;erase b0030000 b003ffff
dhcp=off
console_on=setenv addmisc 'setenv bootargs $(bootargs) console=ttyS0,$(baudrate) ethaddr=$(ethaddr) panic=1'
console_off=setenv addmisc 'setenv bootargs $(bootargs) console=NULL ethaddr=$(ethaddr) panic=1'
ethact=INCA-IP Switch
ethaddr=<REMOVED>
ipaddr=192.168.0.105
netmask=255.255.0.0
serverip=192.168.0.38
gatewayip=192.168.0.1
addmisc=setenv bootargs $(bootargs) console=NULL ethaddr=$(ethaddr) panic=1
bootdelay=1
phone_signature=<REMOVED>
phone_info=Mac:<REMOVED>;Version:Standard;Hardware:snom370 (H: R2A);Date:09/04/10;Copyright(C) snom technology AG
stdin=serial
stdout=serial
stderr=serial

Following this through, we can see that the bootcmd is 'run flash_all', which compiles the bootargs, loads the kernel at 0x80400000 from the JFFS2 filesystem, and then boots the kernel. More interesting in here is the 'reset_env' parameter, which blanks out 0xb0030000-0xb003ffff of the flash; this is the block missing from the firmware dump from the debug interface.

So, before trying to dump this out I decided to try a trick I commonly use to reset passwords on servers for clients who lose their root password: init=/bin/sh.

Code:
setenv bootargs root=/dev/mtdblock2 rw rootfstype=jffs2 ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off console=ttyS0,115200 ethaddr=$(ethaddr) panic=1 mem=32M init=/bin/sh
fsload 80400000 /boot/uImage
bootm 80400000

And here is the money shot:

Code:
Checking for Inca-IP type.
memsize=32
flash_start=0xb0000000
flash_size=8388608
CPU revision is: 00018009
Primary instruction cache 4kB, physically tagged, 2-way, linesize 16 bytes.
Primary data cache 4kB, 2-way, linesize 16 bytes.
Linux version 2.4.31-INCAIP-4.3 (anderssv@anderssv-lx-01) (gcc version 3.3.6) #1 Do 7. Jul 12:49:43 CEST 2011
Can't analyze prologue code at 8001ad70
Inca-IP Multiplex Initialization
LEDs=0 Addr=23 Keys=0
SSC1 n/a
SSC2 n/a
PWM1 available
PWM2 n/a
Determined physical RAM map:
User-defined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 rw rootfstype=jffs2 ip=192.168.0.105:192.168.0.38:192.168.0.1:255.255.0.0:::off console=ttyS0,115200 console=ttyS0,115200 ethaddr=<REMOVED> panic=1  mem=32M init=/bin/sh
INCA-IP CPU Ver. 1.4 150MHz
Using 75.000 MHz high precision timer.
Syam before calibrate_delay
Calibrating delay loop...
149.50 BogoMIPS
Syam after calibrate_delay
MIPS CPU counter frequency is fixed at 75000000 Hz
Memory: 30608k/32768k available (1525k kernel code, 2160k reserved, 96k data, 80k init, 0k highmem)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
Checking for 'wait' instruction...  available.
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
JFFS version 1.0, (C) 1999, 2000  Axis Communications AB
JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.
pty: 256 Unix98 ptys configured
ttyS0 at MEM 0xb8000400 (irq = 81) is a INCAIPASC
Software Watchdog Timer: 0.05, timer margin: 60 sec
eth0: incaipsw,  <REMOVED>
loop: loaded (max 8 devices)
Universal TUN/TAP device driver 1.5 (C)1999-2002 Maxim Krasnyansky
init_incaip_mtd: chip probing count 0
 Amd/Fujitsu Extended Query Table v1.1 at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
init_incaip_mtd: bank1, name:INCA-IP Bank 0, size:8388608bytes priv1=0xb0000000
INCA-IP flash0: Using static image partition definition
Creating 5 MTD partitions on "INCA-IP Bank 0":
0x00000000-0x00040000 : "U-Boot"
0x00040000-0x00050000 : "Environment"
0x00050000-0x00800000 : "filesystem"
0x00050000-0x00800000 : "mirror_fs"
0x00000000-0x00800000 : "whole flash"
IPv6 v0.8 for NET4.0
IPv6 over IPv4 tunneling driver
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
ip_conntrack version 2.1 (256 buckets, 2048 max) - 292 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
ip6_tables: (C) 2000-2002 Netfilter core team
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Device availability: pwm1=1 and pwm2=0
Device pwm2 not available!
PWM device registered. major: 251.
/proc/driver/pwm1 created!
INCA-IP Pulse Width Modulator initialized
Inca-IP Switch Access Initialization
Switch device registered. major: 248.
/proc/driver/inca_switch_lan created!
Inca-IP Port Initialization
inca-port: Registered port device with major. 247
INCA-IP OAK mailbox driver, Version 0.1.1.2
(c) Copyright 2003, Infineon Technologies AG
VFS: Mounted root (jffs2 filesystem).
Freeing unused kernel memory: 80k freed
Algorithmics/MIPS FPU Emulator v1.5
Bus handler 1 activated
Bus handler 1 activated
Bus handler 1 activated
Bus handler 1 activated
Bus handler 1 activated
Bus handler 1 activated
Bus handler 1 activated
Bus handler 1 activated
Bus handler 1 activated
Bus handler 1 activated
Bus handler 1 activated
Bus handler 1 activated
Bus handler 1 activated
#

This worked a treat and logged me into a clean shell; I just had to correct the path so the busybox tools could be found (PATH=/bin). Digging around the filesystem I found what I was looking for in /snomconfig, a file (whose name eludes me, I did this last night and didn't note it) that contained exactly what I was looking for: all the identities on the device, and their plain text passwords. Just had to cat it out and bingo!

I hope this helps anyone else trying to do something similar.
« Last Edit: September 25, 2014, 10:24:00 am by gnif »
AMD SMTS Software Development Engineer
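The post's reasoning about the environment ("bootcmd is 'run flash_all', which compiles the bootargs, loads the kernel ... and boots") is the kind of thing worth automating when auditing a fleet of devices with a U-Boot console. The following is an added example, not code from the post or from snom: it parses `printenv` output, follows the `run`/`setenv` chain the same way U-Boot's old `$(var)` syntax does (undefined names expand to empty, which is why the real kernel line shows `:::off` where hostname and netdev would be), and reports the effective kernel command line. An `audit` helper then flags an interruptible autoboot and an `init=` override on an observed kernel line. The sample environment is a constructed subset of the one in the post; the MAC address is a made-up placeholder because the post redacts it. Single-quoted values such as `console_on`/`console_off` are deliberately not modelled.

```python
import re

# Constructed sample: a subset of the printenv output quoted above.
# ethaddr is a made-up placeholder (the post redacts the real value).
SAMPLE_ENV = """\
bootcmd=run flash_all
baudrate=115200
bootdelay=1
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
addmisc=setenv bootargs $(bootargs) console=NULL ethaddr=$(ethaddr) panic=1
jffs2args=setenv bootargs root=/dev/mtdblock2 rw rootfstype=jffs2
flash_all=run jffs2args addip addmisc;fsload 80400000 /boot/uImage;bootm 80400000
ipaddr=192.168.0.105
netmask=255.255.0.0
serverip=192.168.0.38
gatewayip=192.168.0.1
ethaddr=00:11:22:33:44:55
"""

# Constructed: the recovery command line from the post, with the MAC placeholder.
RECOVERY_CMDLINE = ("root=/dev/mtdblock2 rw rootfstype=jffs2 "
                    "ip=192.168.0.105:192.168.0.38:192.168.0.1:255.255.0.0:::off "
                    "console=ttyS0,115200 ethaddr=00:11:22:33:44:55 panic=1 "
                    "mem=32M init=/bin/sh")

# Old-style U-Boot variable reference: $(name). Undefined names expand to "".
VAR_RE = re.compile(r"\$\((\w+)\)")


def parse_printenv(text):
    """Turn 'printenv' output into a dict; lines without '=' are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            env[key] = value
    return env


def expand(value, env):
    """Substitute $(name) references, as U-Boot does before executing a command."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), ""), value)


def simulate(env, command, trace=None, depth=0):
    """Walk a ';'-separated command string, following 'run' into other variables
    and applying 'setenv' to env (mutated in place). Returns the flat list of
    commands that would actually execute (setenv, fsload, bootm, ...).
    Only 'run' and 'setenv' are interpreted; quoting is not modelled."""
    if trace is None:
        trace = []
    if depth > 16:
        raise RecursionError("run chain too deep; probable loop in environment")
    for raw in command.split(";"):
        cmd = expand(raw.strip(), env)   # expansion happens per command, at run time
        if not cmd:
            continue
        parts = cmd.split()
        if parts[0] == "run":
            for name in parts[1:]:
                simulate(env, env.get(name, ""), trace, depth + 1)
        elif parts[0] == "setenv" and len(parts) >= 2:
            value = " ".join(parts[2:])
            if value:
                env[parts[1]] = value
            else:
                env.pop(parts[1], None)  # 'setenv name' with no value deletes it
            trace.append(f"setenv {parts[1]}={value}")
        else:
            trace.append(cmd)
    return trace


def effective_boot(env):
    """Resolve bootcmd on a copy of env; return (trace, final bootargs)."""
    scratch = dict(env)
    trace = simulate(scratch, scratch.get("bootcmd", ""))
    return trace, scratch.get("bootargs", "")


def audit(env, observed_cmdline=None):
    """Findings a reviewer of a device like this one would want flagged."""
    findings = []
    try:
        if int(env.get("bootdelay", "0")) > 0:
            findings.append("bootdelay>0: autoboot can be aborted from the console")
    except ValueError:
        findings.append("bootdelay is not an integer")
    _, expected = effective_boot(env)
    if observed_cmdline is not None:
        if re.search(r"(^|\s)init=", observed_cmdline):
            findings.append("kernel command line overrides init=")
        if observed_cmdline.split() != expected.split():
            findings.append("observed command line differs from bootcmd's bootargs")
    return findings


if __name__ == "__main__":
    env = parse_printenv(SAMPLE_ENV)
    trace, bootargs = effective_boot(env)
    print("\n".join(trace))
    print("effective bootargs:", bootargs)
    print("audit of observed recovery boot:", audit(env, RECOVERY_CMDLINE))
```

Comparing the resolved `bootargs` against the `Kernel command line:` captured from the serial console (or from `/proc/cmdline` on a device you can still log in to) is a cheap way to notice that a device was booted with something other than its stored `bootcmd`, which is exactly what the recovery above does.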