NEC DT700-series VoIP phone
The NEC DT700 series is a collection of similar IP phone models running Wind River Linux, targeted at the corporate market. There is very little obfuscation on the devices, making it easy to SSH in, gain root access, and modify the firmware as desired (the JFFS2 root filesystem is mounted read/write).
While it is possible to brick the device, the flash stores two copies of the kernel and root filesystem, so as long as experiments are confined to one copy, the other can be booted, the broken copy's root filesystem mounted, and the damage repaired. Serial console access is required to select which copy to boot; however, the console is available on an externally accessible connector, so no disassembly or soldering is required.
Early firmware releases shipped with SSH enabled by default and a factory password; current firmware versions require the serial console in order to enable SSH (via the TelnetMode boot flag described below).
To access the phone's service menu, hold down the Help button (top right) for a few seconds and the menu will appear. Use the number buttons to select a menu entry, and next/prev soft buttons to move between items.
This menu can be used to find out the phone's IP address and other configuration details.
A TTL UART running at 115200 8N1 is available on the SIDE2 connector, which can be accessed without disassembling the phone. The connector is located under a flap on the underside of the phone (see photo).
In the image on the right, with the word "SIDE2" readable normally, pin 1 is in the upper-right corner, and pin 2 is in the upper-left. The full pinout, in the same orientation as the photo on the right, is:
Pin 8 (TX) is where the phone transmits data, so it should be connected to the RX pin of a USB UART adapter. Pin 9 (RX) is where the phone receives data and should be connected to the adapter's TX pin; the adapter's ground must be connected as well. The exact logic level is unknown, but a 3.3V USB TTL adapter works fine.
When the device is powered up, there are two boot prompts that time out very quickly, at which you can press a key to interrupt the boot process. Let the first one go through and press a key at the second one.
Press any key to enter download mode or bring up the menu[................]
(don't press a key here)
Color-Value Detected: Drawing Initializing display
(press a key here)
Press any key to enter control command mode >>> 03 [boot]
At this [boot] prompt you can type ? to get a menu, or K to select whether to boot from the primary or backup copy of the kernel/rootfs.
To enable the Linux serial console, type #f. This walks through the boot flags one by one and writes them back to the /dev/mtd4 partition:
[boot] #f
Entering boot-flag configuration...
MainBoard TP switch(ON:0xAA) : 0
Telephone TP switch(ON:0xAA) : 0
Emergency Boot switch : 0
Model(J:0xAA/F:0xFF) : ff
LineType(1..7) : 1
FuncType(1..17) : 2
TelnetMode(0..3) : 0
Sidetone Type(0..1) : 1
Log Level(0..6) : 0
Log Destination(1..8) : 6
flash_eraseall started for /dev/mtd4
flash_eraseall done for /dev/mtd4
nandwrite started for /dev/mtd4
nandwrite done for /dev/mtd4
Flash memory updated
At each prompt just press Enter to leave the value unchanged, until the TelnetMode option. Set this to one of the following values:
| TelnetMode | Effect                                          |
| 0          | Serial console enabled, SSH daemon enabled      |
| 1          | Serial console enabled, SSH disabled            |
| 2          | Serial console disabled, SSH disabled           |
| 3          | Serial console disabled, SSH disabled (default) |
The difference between options 2 and 3 is unknown.
After applying the change, boot the device with @ or power cycle it. This time the console output continues after the Linux kernel has started, and pressing Enter once the boot process has finished gives a login prompt on the serial port. SSH can also be used, but the phone's SSH daemon only offers legacy algorithms (diffie-hellman-group1-sha1 key exchange and CBC-mode ciphers) that current OpenSSH clients disable by default, so they have to be enabled explicitly. A command like this is required:
ssh tp@phone-ip -o KexAlgorithms=diffie-hellman-group1-sha1 -c aes256-cbc
If the client additionally refuses the host key ("no matching host key type found"), also pass -o HostKeyAlgorithms=+ssh-rsa, since OpenSSH 8.8 and later no longer accept SHA-1 RSA host key signatures by default. Treat these options as a lab-only concession: the algorithms are weak, so only use them on a network you trust, and the same settings can be kept in ~/.ssh/config under a Host entry for the phone rather than typed each time.
Older versions of the firmware use the following passwords (each is a word spelled out on the phone keypad):
| User  | Password    | Origin                         |
| root  | 6633222444  | "NECI" on the phone keypad     |
| admin | 6633222     | "NEC" on the phone keypad      |
| tp    | 8442444     | "THAI" on the phone keypad     |
As of 2021, the "tp" password is still valid but the others have been changed.
The backup rootfs is likely still using these passwords, so following the serial console instructions above to switch to the backup rootfs may allow you to log in with these credentials. From there you can mount the newer firmware (see below), edit its /etc/passwd (or /etc/shadow, if that is where the password hashes live) to set your own credentials, then reboot into the latest firmware.
Boot backup firmware
Follow the instructions in the serial console section above, and use the K command to select image 0 or 1 to boot. Note that the most recently booted image sometimes appears to be assigned to slot 0, so image 0 and 1 don't always refer to the same flash partitions; verify which copy you are running (see below) before modifying anything.
Mount other firmware
If you have booted the alternative kernel/rootfs, you can mount the other one to repair it:
$ su
# mkdir /mnt/mtd10
# mount -t jffs2 /dev/mtdblock10 /mnt/mtd10
This mounts the mtd10 rootfs at /mnt/mtd10. The two copies live in mtd9 and mtd10; one holds the currently running firmware and the other the alternate copy. Until you have identified which is which, create a marker file on the running rootfs before mounting both:
# touch /mnt/backup.firmware
# mkdir /mnt/mtd9 /mnt/mtd10
# mount -t jffs2 /dev/mtdblock9 /mnt/mtd9
# mount -t jffs2 /dev/mtdblock10 /mnt/mtd10
# ls /mnt/mtd9/mnt/
# ls /mnt/mtd10/mnt/
# umount /mnt/mtd9
# umount /mnt/mtd10
# rmdir /mnt/mtd9      (remove whichever one is the current rootfs)
One of the last two ls commands will include the backup.firmware file created in the first command, and this will identify which mtdblock is currently in use. Leaving behind the correct /mnt/mtdX folder will serve as a future reminder which block contains the other rootfs.
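The marker-file check above, as an added shell script that is not part of the original page: it mounts both copies, works out from the marker which one is the running rootfs, unmounts that one and leaves only the other copy mounted (removing the redundant /mnt/mtdN directory as the page suggests). It assumes BusyBox sh running as root on the phone and the mtdblock9/mtdblock10 layout stated above; the MARKER_NAME, pick_other and mount_other_rootfs names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Automates the marker-file trick:
# the marker is created at /mnt/$MARKER_NAME on the running rootfs, both JFFS2
# copies are mounted, and the copy that does NOT show the marker is the other
# (repairable) rootfs. Assumes BusyBox sh, root, and mtdblock9/mtdblock10.

MARKER_NAME=backup.firmware   # marker file placed under /mnt on the running rootfs

# pick_other DIR_A DIR_B
# Print whichever of the two mount points does NOT contain mnt/$MARKER_NAME,
# i.e. the rootfs that is not currently booted. Fail if the marker is found in
# both or in neither: then the mounts are not what we think and nothing should
# be written.
pick_other() {
    a="$1"; b="$2"
    in_a=0; in_b=0
    if [ -e "$a/mnt/$MARKER_NAME" ]; then in_a=1; fi
    if [ -e "$b/mnt/$MARKER_NAME" ]; then in_b=1; fi
    if [ "$in_a" = 1 ] && [ "$in_b" = 0 ]; then
        echo "$b"
    elif [ "$in_b" = 1 ] && [ "$in_a" = 0 ]; then
        echo "$a"
    else
        echo "marker seen in $in_a/$in_b copies; cannot tell them apart" >&2
        return 1
    fi
}

# mount_other_rootfs
# Run on the phone: mount both copies, identify the foreign one via pick_other,
# then unmount the running copy and drop its mount point so the surviving
# /mnt/mtdN directory records which block holds the other rootfs.
mount_other_rootfs() {
    touch "/mnt/$MARKER_NAME" || return 1
    mkdir -p /mnt/mtd9 /mnt/mtd10
    mount -t jffs2 /dev/mtdblock9  /mnt/mtd9  || return 1
    mount -t jffs2 /dev/mtdblock10 /mnt/mtd10 || return 1
    other=$(pick_other /mnt/mtd9 /mnt/mtd10) || {
        umount /mnt/mtd9 /mnt/mtd10
        return 1
    }
    case "$other" in
        /mnt/mtd9)  umount /mnt/mtd10 && rmdir /mnt/mtd10 ;;
        /mnt/mtd10) umount /mnt/mtd9  && rmdir /mnt/mtd9  ;;
    esac
    echo "other rootfs is mounted at $other"
}

# Only touch the flash when actually running on the phone.
if [ -b /dev/mtdblock9 ] && [ -b /dev/mtdblock10 ]; then
    mount_other_rootfs
fi
```

Because pick_other refuses to answer when the marker appears in both or neither copy, a stale marker left over from an earlier session on the alternate rootfs is caught rather than silently pointing you at the wrong partition; delete /mnt/backup.firmware from both copies and rerun if that happens.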