NEC DT700-series VoIP phone

Revision as of 22:30, 1 October 2021 by Malvineous (talk | contribs) (Add kernel boot log)

The NEC DT700 series is a collection of similar IP phone models running Wind River Linux, targeted at the corporate market. There is very little obfuscation on the devices, making it easy to SSH in, gain root access, and modify the firmware as desired (the JFFS2 root filesystem is mounted read/write).

While it is possible to brick the device, the flash stores two copies of the kernel and root filesystem, so as long as experiments are confined to one copy, the other can be used to boot the phone, mount the broken copy's root filesystem, and repair it. Serial console access is required to select which copy to boot, but it is available on an externally accessible connector, so no disassembly or soldering is needed.

Early firmware releases had SSH access enabled by default with a factory password, however current firmware versions require a serial console in order to enable SSH.

Service menu

To access the phone's service menu, hold down the Help button (top right) for a few seconds and the menu will appear. Use the number buttons to select a menu entry, and next/prev soft buttons to move between items.

This menu can be used to find out the phone's IP address and other configuration details.

Serial console/SSH

Rear view of phone showing SIDE2 connector
Close up of SIDE2 connector with the case removed

A TTL UART running at 115200 8N1 is available on the SIDE2 connector, which can be accessed without disassembling the phone. The connector is located under a flap on the underside of the phone (see photo).

In the image on the right, with the word "SIDE2" readable normally, pin 1 is in the upper-right corner and pin 2 is in the upper-left: even pins run down the left column, odd pins down the right. The full pinout, in the same orientation as the photo on the right, is:

 2/GND    1
 4        3
 6        5
 8/TX     7
10        9/RX

Pin 8/TX is where the device sends data, so it should be connected to the RX pin of a USB UART adapter. Pin 9/RX is where the device receives data and should be connected to the adapter's TX pin. The exact logic level has not been measured, but a 3.3V USB TTL adapter works fine. Connect only GND, TX and RX; leave the adapter's VCC pin unconnected, since the phone has its own power supply.

When powering up the device, there are two very fast boot prompts where you can press a key to interrupt the boot process. Let the first one go through and press a key to interrupt the second one.

Press any key to enter download mode or bring up the menu[................]

(don't press a key here)

Color-Value Detected: Drawing Initializing display

(press a key here)

Press any key to enter control command mode >>> 03

At this [boot] prompt you can type ? to get a menu, or K to select whether to boot from the primary or backup copy of the kernel/rootfs.

To enable the Linux serial console, type #f.

[boot] #f
Entering boot-flag configuration...
MainBoard TP switch(ON:0xAA) : 0 
Telephone TP switch(ON:0xAA) : 0 
Emergency Boot switch        : 0 
Model(J:0xAA/F:0xFF)         : ff 
LineType(1..7)               : 1 
FuncType(1..17)              : 2 
TelnetMode(0..3)             : 0 
Sidetone Type(0..1)          : 1 
Log Level(0..6)              : 0 
Log Destination(1..8)        : 6 
flash_eraseall started for /dev/mtd4
flash_eraseall done for /dev/mtd4
nandwrite started for /dev/mtd4
nandwrite done for /dev/mtd4
Flash memory updated

At each prompt just press Enter to leave the value unchanged until you reach the TelnetMode option, then set it to one of these values:

TelnetMode  Behaviour
0           Serial console enabled, SSH daemon enabled
1           Serial console enabled, SSH disabled
2           Serial console disabled, SSH disabled
3           Serial console disabled, SSH disabled (default)

The difference between options 2 and 3 is unknown. The values are written to the "flag" partition (/dev/mtd4 in the partition table printed in the boot log below), which is why the command finishes with flash_eraseall and nandwrite on that device. The bootloader reports the mode in effect on every boot (for example "TelnetMode: 1 UART0 debug mode") and sets the kernel's console= argument accordingly: console=null when the serial console is disabled, console=ttyAMA0,115200n8 when it is enabled.

After applying the change, boot the device with @ or power cycle it. This time the serial console messages continue after the Linux kernel has started, and pressing Enter once the boot process has finished starts a login shell on the serial port. SSH can also be used, but the phone's SSH server only offers legacy key exchange and cipher algorithms that current OpenSSH clients disable by default, so they have to be enabled explicitly on the client:

ssh tp@phone-ip -o KexAlgorithms=diffie-hellman-group1-sha1 -c aes256-cbc

OpenSSH 8.8 and later also refuse SHA-1 RSA host key signatures by default; if the connection still fails with a "no matching host key type found" error, add -o HostKeyAlgorithms=+ssh-rsa as well. Both the 1024-bit group-1 key exchange and CBC ciphers are considered weak, so treat this link as suitable for a lab network only.


Older versions of the firmware use the following passwords.

Username  Password    Notes
root      6633222444  "NECI" on the phone keypad (multi-tap)
admin     6633222     "NEC" on the phone keypad
tp        8442444     "THAI" on the phone keypad

As of 2021, the "tp" password is still valid but the others have been changed.
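The default passwords above are the multi-tap keypad spelling of a word (press a key once for its first letter, twice for its second, and so on). The following is an added example, not code from the page or from NEC, that implements that encoding and its inverse so the table can be checked or extended; it assumes the usual ITU E.161 letter layout found on desk phones.

```python
# Added example (not code from the page or from NEC): multi-tap keypad
# encoding as used by the DT700 default passwords. The key-to-letter layout
# is assumed to be the standard ITU E.161 one.

KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}

# letter -> (key, number of presses)
LETTER_TO_KEY = {
    letter: (key, presses)
    for key, letters in KEYPAD.items()
    for presses, letter in enumerate(letters, start=1)
}


def multitap_encode(word):
    """Digits a user would type to spell `word` by multi-tap.
    'NECI' -> '66' '33' '222' '444' -> '6633222444'."""
    digits = []
    for ch in word.upper():
        if ch not in LETTER_TO_KEY:
            raise ValueError("no keypad letter for %r" % ch)
        key, presses = LETTER_TO_KEY[ch]
        digits.append(key * presses)
    return "".join(digits)


def multitap_decode(digits):
    """Inverse of multitap_encode under the rule the page's examples follow:
    each run of identical digits is one letter. Real multi-tap input needs a
    pause to separate two consecutive letters on the same key; that case is
    ambiguous without timing information and is not handled here."""
    letters = []
    i = 0
    while i < len(digits):
        key = digits[i]
        j = i
        while j < len(digits) and digits[j] == key:
            j += 1
        presses = j - i
        if key not in KEYPAD or presses > len(KEYPAD[key]):
            raise ValueError("invalid run %r at offset %d" % (digits[i:j], i))
        letters.append(KEYPAD[key][presses - 1])
        i = j
    return "".join(letters)


if __name__ == "__main__":
    for word in ("NECI", "NEC", "THAI"):
        code = multitap_encode(word)
        print(word, code, multitap_decode(code))
```

Running the block reproduces the three passwords in the table; feeding other vendor or site names into multitap_encode gives candidates to try when checking whether a phone still has a vendor-style default set.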

If the backup rootfs holds an older firmware release, it is likely still using these passwords, so switching to the backup copy as described in the serial console section above may let you log in with them. From there you can mount the newer rootfs (see below), edit its /etc/passwd to set your own credentials, and reboot into the latest firmware.

Firmware recovery

Boot backup firmware

Follow the instructions in the serial console section above and use the K command to select image 0 or 1 to boot. Note that the last successful boot sometimes seems to be assigned to slot 0, so image 0 and 1 do not always refer to the same flash partitions. The bootloader prints which side it is about to boot (for example "Booting side 1", with the corresponding OTA control block header marked "Active Image (Next Reboot)"), as can be seen in the boot log below.

Mount other firmware

If you have booted the alternative kernel/rootfs, you can mount the other one to repair it:

$ su
# mkdir /mnt/mtd10
# mount -t jffs2 /dev/mtdblock10 /mnt/mtd10

This mounts the mtd10 rootfs at /mnt/mtd10. The two copies are mtd9 (root0) and mtd10 (root1), with the matching kernels in mtd7 (k0) and mtd8 (k1), as listed in the partition table in the boot log below; one rootfs is the one currently running and the other is the alternate copy. The kernel log says which one it mounted: "VFS: Mounted root (jffs2 filesystem) on device 31:9" means /dev/mtdblock9 (major 31 is the mtdblock driver and the minor is the mtd number), i.e. root0. If that log is not at hand, you can tell them apart by creating a marker file on the running rootfs before mounting both copies as above:

# touch /mnt/backup.firmware
# mkdir /mnt/mtd9 /mnt/mtd10
# mount -t jffs2 /dev/mtdblock9 /mnt/mtd9
# mount -t jffs2 /dev/mtdblock10 /mnt/mtd10
# ls /mnt/mtd9/mnt/
# ls /mnt/mtd10/mnt/
# umount /mnt/mtd9
# umount /mnt/mtd10
# rmdir /mnt/mtd9   # Remove whichever one is the current one

Exactly one of the two ls commands will list the backup.firmware file created by the first command, and that identifies the mtdblock currently in use. Leaving the /mnt/mtdX directory for the other copy in place serves as a reminder of which block holds the alternate rootfs.
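Working out which /dev/mtdblockN to mount, and whether the running kernel and rootfs even came from the same side, can be done from the bootloader and kernel output alone. The following is an added example, not code from the page or from NEC: it parses the partition table the bootloader prints (copied here from the "Boot logs" section), rebuilds the mtdparts= kernel argument from it, and resolves the kernel's "Mounted root ... on device MAJ:MIN" line to a partition name. The last two lines of the sample log are constructed for a side-1 boot (k1 + root1) so that the side cross-check has consistent input; the mapping of list position to Linux mtd number relies on the kernel creating /dev/mtdN in mtdparts order, which the page's rcS trace confirms for nvdata (mtd6).

```python
import re

# Added example, not code from the page or from NEC. The partition table lines
# are copied from the bootloader output in the "Boot logs" section; the last
# two lines are constructed for a side-1 boot (kernel k1, rootfs root1).
SAMPLE_LOG = """\
PT Valid
Entry   Offset    Size     ActualSize Name
00 : 0x00000000 0x00040000 0x00040000 boot1
01 : 0x00040000 0x00080000 0x00080000 boot2
02 : 0x000c0000 0x00080000 0x00080000 boot3
03 : 0x00140000 0x00080000 0x00080000 tp
04 : 0x001c0000 0x00040000 0x00040000 flag
05 : 0x00200000 0x00040000 0x00040000 ctrl
06 : 0x00240000 0x01040000 0x01040000 nvdata
07 : 0x01280000 0x00300000 0x00300000 k0
08 : 0x01580000 0x00300000 0x00300000 k1
09 : 0x01880000 0x03280000 0x03280000 root0
0a : 0x04b00000 0x03280000 0x03280000 root1
kernelPartition 0x08
VFS: Mounted root (jffs2 filesystem) on device 31:10.
"""

PT_LINE = re.compile(
    r"^([0-9a-f]{2}) : 0x([0-9a-f]{8}) 0x([0-9a-f]{8}) 0x([0-9a-f]{8}) (\S+)\s*$",
    re.MULTILINE)
MTDBLOCK_MAJOR = 31  # block major of /dev/mtdblockN on Linux; minor N is the mtd index


def parse_partition_table(log):
    """Bootloader partition table as a list of dicts in table order. The list
    position is also the Linux mtd number: the kernel builds /dev/mtdN from
    the same mtdparts= string in the same order (nvdata is mtd6 on the page)."""
    return [{"mtd": int(m.group(1), 16), "offset": int(m.group(2), 16),
             "size": int(m.group(3), 16), "actual": int(m.group(4), 16),
             "name": m.group(5)} for m in PT_LINE.finditer(log)]


def is_contiguous(parts):
    """No gaps or overlaps: each entry starts where the previous one ends."""
    expected = 0
    for i, p in enumerate(parts):
        if p["mtd"] != i or p["offset"] != expected:
            return False
        expected = p["offset"] + p["size"]
    return True


def mtdparts_string(parts, device="bcm_umi-nand"):
    """Rebuild the mtdparts= kernel argument the bootloader constructs."""
    return device + ":" + ",".join("0x%08x(%s)" % (p["size"], p["name"]) for p in parts)


def mtd_by_name(parts, name):
    for p in parts:
        if p["name"] == name:
            return p
    raise KeyError(name)


def side_of(part):
    """Side number (0 or 1) encoded in a kN / rootN partition name."""
    m = re.fullmatch(r"(?:k|root)([01])", part["name"])
    if not m:
        raise ValueError("not a kernel/rootfs partition: " + part["name"])
    return int(m.group(1))


def kernel_partition(log, parts):
    m = re.search(r"kernelPartition 0x([0-9a-f]+)", log)
    if not m:
        raise ValueError("no kernelPartition line in log")
    return parts[int(m.group(1), 16)]


def root_partition(log, parts):
    """Resolve the kernel's 'Mounted root ... on device MAJ:MIN' line."""
    m = re.search(r"Mounted root \(\w+ filesystem\) on device (\d+):(\d+)", log)
    if not m:
        raise ValueError("no root mount line in log")
    major, minor = int(m.group(1)), int(m.group(2))
    if major != MTDBLOCK_MAJOR or minor >= len(parts):
        raise ValueError("root is not on a known mtdblock: %d:%d" % (major, minor))
    return parts[minor]


def alternate_root(log, parts):
    """The rootfs copy that is NOT mounted, i.e. the one to mount for repair."""
    other = mtd_by_name(parts, "root%d" % (1 - side_of(root_partition(log, parts))))
    return "/dev/mtdblock%d" % other["mtd"], other["name"]


def boot_is_consistent(log, parts):
    """Kernel and rootfs were taken from the same side."""
    return side_of(kernel_partition(log, parts)) == side_of(root_partition(log, parts))


if __name__ == "__main__":
    parts = parse_partition_table(SAMPLE_LOG)
    print("contiguous:", is_contiguous(parts))
    print("running rootfs:", root_partition(SAMPLE_LOG, parts)["name"])
    print("mount for repair:", alternate_root(SAMPLE_LOG, parts))
    print("same side:", boot_is_consistent(SAMPLE_LOG, parts))
```

Paste a captured serial log into SAMPLE_LOG (or read it from a file) and alternate_root gives the device to pass to mount -t jffs2; the mtdparts_string output should match the prefix of the "Constructed command line" the bootloader prints, which is a quick sanity check that the table was parsed correctly.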

Boot logs


BRCM boot1.8802
NAND: ID: 0x98 0xd1

PT @ 0x00000000 is valid...
magic 0x0000babe
size  0x00019a2c
Checksum PASSED: 0x00c01f9f
imageType   0x00000080
encryptType 0x00000000
OTP key length 0x00000000
No DSA Key.  No authentication required.
Image not encrypted
disPerh 0x00000028
Erasing ARAM

Broadcom Linux NAND boot2.8802
NAND: (DMA) ID: 0x98 0xd1
  Strap Extra Addr Cycle: 0
  Strap   Page Size Bits: 11 (2K)
  Strap  Block Size Bits: 17 (128K)
Actual Page Size (2K)
Actual Block Size (128K)

Press any key to enter download mode or bring up the menu[................]
Skipping download mode

FLASH (MB): 0x00000080
PT Valid
Entry   Offset    Size     ActualSize Name
00 : 0x00000000 0x00040000 0x00040000 boot1
01 : 0x00040000 0x00080000 0x00080000 boot2
02 : 0x000c0000 0x00080000 0x00080000 boot3
03 : 0x00140000 0x00080000 0x00080000 tp
04 : 0x001c0000 0x00040000 0x00040000 flag
05 : 0x00200000 0x00040000 0x00040000 ctrl
06 : 0x00240000 0x01040000 0x01040000 nvdata
07 : 0x01280000 0x00300000 0x00300000 k0
08 : 0x01580000 0x00300000 0x00300000 k1
09 : 0x01880000 0x03280000 0x03280000 root0
0a : 0x04b00000 0x03280000 0x03280000 root1

Reading OTA Control block...
Control Block Contents
kcrc   = 0xa45a5197
ksize  = 0x00162814
fcrc   = 0xe84ddafc
fsize  = 0x01046d9c
date    = Tue May 20 13:01:23 2014
name    = ota_apps_jffs2.bin
hdr crc  = 0x4c90d95e (from side header field)
         = 0x4c90d95e (by crc'ing side header data)
Hdr1 <============================================== Active Image (Next Reboot)
kcrc   = 0xd59f3811
ksize  = 0x0016294c
fcrc   = 0xbaffa710
fsize  = 0x0104c1f4
date    = Mon Feb 15 17:14:58 2016
name    = ota_apps_jffs2.bin
hdr crc  = 0x1682eb3a (from side header field)
         = 0x1682eb3a (by crc'ing side header data)

ota ctrl block hdr crc = 0x4ab36360 (from block hdr field)
                       = 0x4ab36360 (by crc'ing block hdr data)
Booting side 1
Hardware ID: 2
LCD Type: 12
PCB Version: 1
Color-Value Detected: Drawing Initializing display

Press any key to enter control command mode >>> 01

Booting Linux...
Kernel magic OK
kernelPartition 0x08
kstart 0x0d000000
kend 0x0d16294c
kcopysize 0x0016294c
kernelStart 0x0d000000
Copying kernel to SDRAM ...........
Branch to kernel at 0x0d000000
memstart 0x00200000
memrsvd 0x00200000
memsize 0x0fe00000
TelnetMode: 2 UART0 Option mode
Constructed command line 'console=null,115200n8 vmalloc=256m mtdparts=bcm_umi-nand:0x00040000(boot1),0x00080000(boot2),0x00080000(boot3),0x00080000(tp),0x00040'
Machine ID is 0x00000a31
Uncompressing Linux................................................................................................... done, booting the kernel.

If the serial console is disabled, output stops here. If it is enabled, the command line is different and the boot continues:

TelnetMode: 1 UART0 debug mode
Constructed command line 'console=ttyAMA0,115200n8 vmalloc=256m mtdparts=bcm_umi-nand:0x00040000(boot1),0x00080000(boot2),0x00080000(boot3),0x00080000(tp),0x00'
Machine ID is 0x00000a31
Uncompressing Linux................................................................................................... done, booting the kernel.
Linux version (release@Taurus-IP) (gcc version 4.3.2 (Wind River Linux Sourcery G++ 4.3-85) ) #1 PREEMPT Tue May 20 12:47:35 JST 2014
CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7), cr=00c5387f
CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 64516
Kernel command line: console=ttyAMA0,115200n8 vmalloc=256m mtdparts=bcm_umi-nand:0x00040000(boot1),0x00080000(boot2),0x00080000(boot3),0x00080000(tp),0x0004000p
BCMRING_CUSTOM_bootmemheap_calc_fb_mem: Reserving memory for frame buffer w:480 h:272 bpp:2 x 2 (1044480 bytes)
LcdHeapSize: framebuffer rounded up to page size = 1044480 = 0xff000 bytes
BCMRING_CUSTOM_bootmemheap_calc_mmdma: Reserving memory 11194368 bytes for MMDMA
mmDmaHeapSize: mmdma heap size = 11194368 = 0xaad000 bytes
bootmemheap_setup: total heapsize = 0xbac000 bytes = 2988 pages
bootmemheap_setup: Allocated 2988 pages at 0xc0534000.
PID hash table entries: 1024 (order: 0, 4096 bytes)
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Memory: 254MB = 254MB total
Memory: 242432KB available (2808K code, 300K data, 92K init, 0K highmem)
Hierarchical RCU implementation.
SVN Revision: 5708M
Console: colour dummy device 80x30
Calibrating delay loop... 498.07 BogoMIPS (lpj=2490368)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
bcmring_ddrvpmphase_init: *** DDR Phase Value: 0x1f
Chip: 0x00011107
BCMRING_CUSTOM_bootmemheap_calc_mmdma: Reserving memory 11194368 bytes for MMDMA
gpio_init called
GPIO Control Driver: 1.00 (built on May 20 2014 12:43:03)
Serial: AMBA PL011 UART driver
UARTA: ttyAMA0 at MMIO 0x80012000 (irq = 46) is a AMBA/PL011
console [ttyAMA0] enabled
UARTB: ttyAMA1 at MMIO 0x80013000 (irq = 44) is a AMBA/PL011
bio: create slab <bio-0> at 0
calling host_cpu_usage_init
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
*************Starting host ICP thread **************
usbcore: registered new device driver usb
BCM11xx i2c adapter module
SPU: driver probed. tx_ring virt=0x08ff000000 phys=0x08ffaa000
Switching to clocksource timer1
NET: Registered protocol family 2
IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 8192 bind 8192)
TCP reno registered
NET: Registered protocol family 1
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 473
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered (default)
Broadcom RNG Driver
RNG: Driver initialized
HPM Driver: 1.00 (built on May 20 2014 12:45:09)

HAL Audio Driver: 1.0
HAL Audio platform support installed. Built May 20 2014 12:45:14
Audio Mixer Driver: 1.0
Broadcom GPIO Driver: 1.00
BSC: Driver initialized
BCM UMI MTD NAND Driver: 1.00
NAND device: Manufacturer ID: 0x98, Chip ID: 0xd1 (Toshiba NAND 128MiB 3,3V 8-bit)  options=0x101
Scanning device for bad blocks
11 cmdlinepart partitions found on MTD device bcm_umi-nand
Creating 11 MTD partitions on "bcm_umi-nand":
0x000000000000-0x000000040000 : "boot1"
0x000000040000-0x0000000c0000 : "boot2"
0x0000000c0000-0x000000140000 : "boot3"
0x000000140000-0x0000001c0000 : "tp"
0x0000001c0000-0x000000200000 : "flag"
0x000000200000-0x000000240000 : "ctrl"
0x000000240000-0x000001280000 : "nvdata"
0x000001280000-0x000001580000 : "k0"
0x000001580000-0x000001880000 : "k1"
0x000001880000-0x000004b00000 : "root0"
0x000004b00000-0x000007d80000 : "root1"
input: dt730c-keypad as /devices/platform/bcmring-keypad/input/input0
[dt730c-ledmtrix] : major = 252
[dt730c-ledmtrix] : minor = 0
i2c /dev entries driver
watchdog: BROADCOM WDT driver
nf_conntrack version 0.5.0 (3791 buckets, 15164 max)
TCP cubic registered
NET: Registered protocol family 17
jffs2_scan_eraseblock(): Node at 0x023d4ffc {0x1985, 0xe002, 0xe0021985) has invalid CRC 0x00000044 (calculated 0xd7cd6a7b)
VFS: Mounted root (jffs2 filesystem) on device 31:9.
Freeing init memory: 92K
init started: BusyBox v1.11.1 (2011-04-13 20:57:56 JST)
MMDMA: Using dedicated DMA channel
bootmemheap_alloc: 'mmdma' allocated 0xaad000 bytes at 0xc0534000
MMDMA: Reserved memory: 11194368 bytes
MMDMA: Unused memory: 0 bytes
MMDMA: Module initialized
GE: Driver initialized
bootmemheap_alloc: 'lcd_com43h4m09' allocated 0xff000 bytes at 0xc0fe1000
LCD: early screen draw BMP:480,272(32) SCRN:480,272(32)
LCD: Driver initialized
LCD: name=CASIO COM43H4M09XLC width=480 height=272 bytes/pixel=4
SCSI subsystem initialized
USB: Port 0 has been brought up as Host
bcm-ohci: init device 0
bcm-ohci bcm-ohci.0: bcm-ohci
bcm-ohci bcm-ohci.0: new USB bus registered, assigned bus number 1
bcm-ohci bcm-ohci.0: irq 18, io mem 0xf8400000
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
bcm-ehci: init device 0
bcm-ehci bcm-ehci.0: bcm-ehci
bcm-ehci bcm-ehci.0: new USB bus registered, assigned bus number 2
bcm-ehci bcm-ehci.0: irq 18, io mem 0xf8400800
bcm-ehci bcm-ehci.0: USB 2.0 started, EHCI 1.00
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
amxr: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
HAL Audio APM Driver: 1.0. Built May 20 2014 12:45:15
HAL Audio PCM Driver: 1.0. Built May 20 2014 12:45:16
channels=1 channel_select=0
HAL Audio USB Core Driver: 1.0. Built May 20 2014 12:45:17
usbcore: registered new interface driver HAL Audio USB
HAL Audio USB Driver: 1.0. Built May 20 2014 12:45:17
snd_halaudio driver: 1.0 built May 20 2014 12:45:15
starting pid 92, tty '': '/etc/init.d/rcS start'
Entering /etc/rc.d/S009udev
-n Starting kernel event manager...
JFFS2 notice: (35) check_node_data: wrong data CRC in data node at 0x015f2684: read 0x7dae3e1e, calculated 0x48741060.
-n Loading hardware drivers...
udevd-work[119]: device node '/dev/input/event0' already exists, link to '/dev/input/event0' will not overwrite it

Leaving /etc/rc.d/S009udev
entering /etc/rc.d/S010fs ...
leaving /etc/rc.d/S010fs ...
entering /etc/rc.d/S020log ...
killall: syslogd: no process killed
leaving /etc/rc.d/S020log ...
entering /etc/rc.d/S030proc-config ...
leaving /etc/rc.d/S030proc-config ...
+ echo entering /etc/rc.d/S035nvdata ...
entering /etc/rc.d/S035nvdata ...
+ . /etc/init.d/rc.config
+ CONFIG=/etc/sysconfig
+ . /etc/sysconfig
+ NV_ROOT=/nvdata
+ NVVOIP_ROOT=/nvdata/voip
+ NVETC_ROOT=/nvdata/etc
+ NVSYS_ROOT=/nvdata/system
+ NVSCFG_ROOT=/nvdata/system/config
+ NVSCSYS_ROOT=/nvdata/system/config/system
+ NVSDEF_ROOT=/nvdata/system/config/def
+ NVUSR_ROOT=/nvdata/user
+ NVUSHR_ROOT=/nvdata/user/share
+ NVUCFG_ROOT=/nvdata/user/share/config
+ NVLOG_ROOT=/nvdata/log
+ ETCNECI_ROOT=/etc/neci
+ uname -r
+ MODULE_DIR=/lib/modules/
+ WL_INTF=eth0
+ WL_DRIVER=/lib/modules/
+ WL_UTIL=/bin/wl
+ DHD_DRIVER=/lib/modules/
+ DHD_UTIL=/bin/dhd
+ WLAN_BIN_FILE=/bin/rtecdc.bin
+ WLAN_CFG_FILE=/etc/dhd.cfg.ORIG
+ eth0_PASS=
+ eth0_SSID=
+ eth0_ENC=
+ HOSTNAME=dt730c
+ . /etc/syslog.setting
+ SYSLOG_FILE=/tmp/messages
+ . /etc/
+ export PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/sbin/mtd-utils
+ awk {print $1}
+ sed -e s/mtd//
+ sed -e s/://
+ grep nvdata
+ cat /proc/mtd
+ mtdnum=6
+ mtddev=/dev/mtd6
+ mtdblock=/dev/mtdblock6
+ [[ -e /sys/class/misc/ubi_ctrl/dev ]]
+ mount_successful=0
+ count=1
+ [ ! -d /nvdata ]
+ [ 1 -le 10 ]
+ mount -t jffs2 /dev/mtdblock6 /nvdata
+ [ 0 = 0 ]
+ echo /nvdata mounted successfully
/nvdata mounted successfully
+ mount_successful=1
+ mkdir -p /nvdata/voip
+ mkdir -p /nvdata/etc
+ mkdir -p /nvdata/system
+ mkdir -p /nvdata/system/config
+ mkdir -p /nvdata/system/config/def
+ mkdir -p /nvdata/system/config/system
+ mkdir -p /nvdata/user
+ mkdir -p /nvdata/user/share
+ mkdir -p /nvdata/user/share/config
+ mkdir -p /nvdata/log
+ [ ! -f /nvdata/etc/network-interface.cfg ]
+ [ ! -f /nvdata/etc/enet.cfg ]
+ [ ! -f /nvdata/etc/wlconfigd.rc ]
+ [ ! -f /nvdata/voip/log.cfg ]
+ [ ! -d /nvdata/etc/greybox ]
+ break
+ [ 1 == 0 ]
+ echo leaving /etc/rc.d/S035nvdata ...
leaving /etc/rc.d/S035nvdata ...
mount: can't find /dev/shm in /etc/fstab
entering /etc/rc.d/S040network ...
+ NET_DRIVER=bcmring_net
+ [ up = up ]
+ modprobe bcmring_net
+ modprobe bcmring_eth_sla
+ unset x
+ exit 0
** Error - No MAC address specified for interface eth!
** Error - Refer to /nvdata/etc/network-interface.cfg
[DoS] SET rate limit 8000pps
leaving /etc/rc.d/S040network ...
entering /etc/rc.d/S065modprobe_after_vc ...
modprobe: module cmp_battery not found
modprobe: failed to load module cmp_battery
modprobe: module leds-gpio not found
modprobe: failed to load module leds-gpio
modprobe: module pm_init not found
modprobe: failed to load module pm_init
modprobe: module bma150_driver not found
modprobe: failed to load module bma150_driver
leaving /etc/rc.d/S065modprobe_after_vc ...
entering /etc/rc.d/S090apps ...
busybox su command set suid
leaving /etc/rc.d/S090apps ...
entering /etc/rc.d/S096neciphone_apps ...
[254] Jan 01 00:00:15 Running in background
** phone app watch daemon **
 HC interval: 60 sec
 HC timeout: 1 sec

leaving /etc/rc.d/S096neciphone_apps ...
entering /etc/rc.d/S099local ...
Module                  Size  Used by
ept_core              432302  0
pxcLdxHausware       1647831  1 ept_core
ept_driver             27896  1 ept_core
pxcLdxSupport          38358  2 ept_core,pxcLdxHausware
bcmring_eth_sla        56395  0
bcmring_esw             1570  1 bcmring_eth_sla
bcmring_net            29617  1 bcmring_eth_sla
snd_halaudio           11168  0
snd_pcm                61444  1 snd_halaudio
snd_page_alloc          3740  1 snd_pcm
snd_timer              18462  1 snd_pcm
snd                    34575  3 snd_halaudio,snd_pcm,snd_timer
soundcore                634  1 snd
halaudio_usb            8326  0
halaudio_usbcore       20817  1 halaudio_usb
halaudio_pcm           18707  0
halaudio_apm           24235  0
halaudio               13406  0
amxr                   19960  1 halaudio
usb_storage            34195  0
ehci_hcd               31630  0
ohci_hcd               16013  0
sg                     23200  0
sd_mod                 22985  0
scsi_mod               82332  3 usb_storage,sg,sd_mod
scsi_wait_scan           438  0
evdev                   7777  0
bcmring_fb              4913  0
cfbimgblt               1657  1 bcmring_fb
lcd_com43h4m09          8989  1 bcmring_fb
display_bcmring_generic      829  1 lcd_com43h4m09
bcmring_gev3           20911  1 bcmring_fb
mmdma                   7974  1 bcmring_gev3
leaving /etc/rc.d/S099local ...

=== NEC Phone Program Start...
reloading /etc/inittab

Welcome to Wind River Linux
Please press Enter to activate this console. [299] Jan 01 00:00:02 Failed listening on '22': Error listening: Address family not supported by protocol
[299] Jan 01 00:00:02 premature exit: No listening ports available.
2011-01-01 00:00:07: (log.c.166) server started
IPC Register 0: 2E444C
[340] Jan 01 00:00:07 Failed listening on '22': Error listening: Address family not supported by protocol
[340] Jan 01 00:00:07 premature exit: No listening ports available.
*** uartInit Start!! ***
*** uartInit end ***
RNG task start: 0
IPC Register 1: 34A290
killall: dhcpcd: no process killed
dhcpcd[383]: version 5.2.12 starting
dhcpcd event:reason = PREINIT
dhcpcd[383]: eth0: broadcasting for a lease
dhcpcd[383]: eth0: offered x.x.x.x from y.y.y.y
dhcpcd event:reason = BOUND
IPC: 1
necNetDhcpEvtRtn called.  event 1
dhcpcd[383]: forked to background, child pid 396
route: SIOCDELRT: No such process