VP5500: Unterschied zwischen den Versionen

Aus LaborWiki
Wechseln zu: Navigation, Suche
(ausverkauft)
K (translated to english since we seem to have gained international interest ;))
Zeile 1: Zeile 1:
Das Philips VP5500 ist ein WLan Videotelefon, das von KPN in den Niederlanden zusammen mit einem Router verkauft wurde. Ohne passenden Router, bzw. Software scheint das Telefon nicht zu funktionieren. Der Technikverramscher Pollin verkaufte das Telefon für 10 EUR, allerdings mit dem Hinweis, das es unbenutzbar wäre... genau das wollen wir ändern!
The Philips VP5500 is a WLAN VOIP- & Video Phone sold by KPN in the netherlands. Some of the features, such as configuration settings for the VOIP connection are usually hidden from the user, but can be revealed through a fake firmware image ([http://spritesmods.com/?art=vpx500 description here]). Thanks to this restriction the device was rendered useless when KPN decided to disconnect the VOIP services this phone was relieing on.
 
This article intends to collect all relevant information about the hard- & software on the telephone and to provide information to actually reuse the hardware.


== Hardware ==
== Hardware ==
* Prozessor: [http://www.freescale.com/files/32bit/doc/data_sheet/MC9328MX21.pdf MC9328MX21] @ 266MHz (ARM9 Kern)
* CPU: [http://www.freescale.com/files/32bit/doc/data_sheet/MC9328MX21.pdf MC9328MX21] @ 266MHz (ARM9 Core)
* FS455LF: PAL Video converter chip
* FS455LF: PAL Video converter chip
* Wlan: Marvell 88w8385 ([http://wireless.kernel.org/en/users/Drivers/libertas OSS driver], [http://www.mikrocontroller.net/attachment/72802/WM-G-MR-01-v27__01192006.pdf Datenblatt])
* Wlan: Marvell 88w8385 ([http://wireless.kernel.org/en/users/Drivers/libertas OSS driver], [http://www.mikrocontroller.net/attachment/72802/WM-G-MR-01-v27__01192006.pdf Datasheet])
* RAM: 64MB (2x K4S56163LF)
* RAM: 64MB (2x K4S56163LF)
* Flash: 16MB
* Flash: 16MB
Zeile 10: Zeile 12:
* Audio Codec: [http://focus.ti.com/general/docs/lit/getliterature.tsp?genericPartNumber=tlv320aic12k&fileType=pdf TI TLV 320 AIC 12K]
* Audio Codec: [http://focus.ti.com/general/docs/lit/getliterature.tsp?genericPartNumber=tlv320aic12k&fileType=pdf TI TLV 320 AIC 12K]


== Pinbelegungen ==
== Pinning ==
=== Serielle ===
=== Serial ===
[[Bild:Vp5500_serial.png]]
[[Bild:Vp5500_serial.png]]


VCC: 3.3V
VCC: 3.3V, Rate 115200 Baud


Wenn man den "TIN" pin auf Low setzt, kann man die Serielle Schnittstelle auf 115200 Baud auslesen und schreiben. Leider kommt auch auf der Seriellen ein Login prompt mit unbekanntem Passwort.
Setting the "TIN" Pin to low or pressing keys while the bootloader is waiting will redirect first Console to the serial device. Fortunately the bootloader allows editing the kernel command line, so you're able to directly "chroot" the device by setting a different initrc (sh). Type the following at the bootloader prompt:
Glücklicherweise unterstützt auch der Bootloader commandline editing, sodass man dort den folgenden Befehl eintippen kann, um sein Passwort zu ändern:
  boot root=/dev/mtdblock2 init=/bin/sh
  boot root=/dev/mtdblock2 init=/bin/sh


In den Bootloader (Blob) kommt man auch wenn man während des Einschaltens auf der Console irgendwelche Tasten drückt.
[[VP5500/bootlog|Boot Log]] of the standard installation
 
[[VP5500/bootlog|Boot Log]] der Standardinstallation


=== JTAG ===
=== JTAG ===
[[Bild:Vp5500_jtag.jpg|rahmenlos]]
[[Bild:Vp5500_jtag.jpg|rahmenlos]]


Diese Pins befinden sich auf der Rückseite der Platine.
Pins are at the back of the circuit board.


== Partitionen ==
== Partitionen ==
  0x00000000-0x00014000 : "bootloader"    blob version 2.0.5-pre2
  0x00000000-0x00014000 : "bootloader"    blob version 2.0.5-pre2
  0x00014000-0x00100000 : "kernel"        wahrscheinlich /boot
  0x00014000-0x00100000 : "kernel"        /boot (?)
  0x00100000-0x01ce0000 : "fs #1"        rootfs?
  0x00100000-0x01ce0000 : "fs #1"        rootfs (?)
  0x01ce0000-0x01fe0000 : "fs #2"
  0x01ce0000-0x01fe0000 : "fs #2"
  0x01fe0000-0x02000000 : "fs #3"
  0x01fe0000-0x02000000 : "fs #3"


==Treiber & Software==
==Drivers & Software==
===Audio===
===Audio===
* Kein OSS Modul gefunden bisher
* Looks as if the audio codec in use needs a proprietary driver


===MPEG en/decoder===
===MPEG en/decoder===
* Hantrop MPEG EN- DECODER, kernel Modul: hmp4e
* Hantrop MPEG EN- DECODER, kernel module: hmp4e


===Kamera===
===Camera===
* [http://www.bitshrine.org/gpp/celinux-040503-mw-v4l2-1.patch Patch für 2.4.Xer Kernel] - CMOS Sensor am I²C
* [http://www.bitshrine.org/gpp/celinux-040503-mw-v4l2-1.patch Patch for 2.4.X] - CMOS Sensor connected via I²C


===Wlan===
===Wlan===
* [http://wireless.kernel.org/en/users/Drivers/libertas Libertas OSS driver]
* [http://wireless.kernel.org/en/users/Drivers/libertas Libertas OSS driver]


== Links ==
== Links ==
* [http://www.mikrocontroller.net/topic/170483 Thread mit Bildern des Innenlebens]
* [http://www.mikrocontroller.net/topic/170483 Thread where the actual reverse engineering happens]
* Die Ergebnisse werden u.A. auf dem Workshop [[Workshop_root_your_toaster|root your toaster]] am 1. Mai vorgestellt
* Results will be demonstrated on the workshop [[Workshop_root_your_toaster|root your toaster]] (2010/05/01)
* [http://spritesmods.com/?art=vpx500 Hack zum freischalten des Config Interfaces]
* [http://spritesmods.com/?art=vpx500 Hack to reveal the Config interface]
 
== Datenmitschnitt ==
Dank R.H. (snapper) haben wir jetzt auch einen Mitschnitt der Daten die das Gerät sendet:


== Networking stuff ==
R.H. (snapper) intercepted & posted a sip register request sent by the device:
  INVITE,ACK,BYE,CANCEL,OPTIONS,REFER,SUBSCRIBE,NOTIFY,MESSAGE,INFO,SERVICE,UPDATE,PRACK
  INVITE,ACK,BYE,CANCEL,OPTIONS,REFER,SUBSCRIBE,NOTIFY,MESSAGE,INFO,SERVICE,UPDATE,PRACK
  Accept: application/sdp
  Accept: application/sdp
Zeile 71: Zeile 68:
  Max-Forwards: 70
  Max-Forwards: 70
  From: <sip:103@192.168.2.1
  From: <sip:103@192.168.2.1
Interpretation:
Das Gerät versucht sich "zu hause" anzumelden. Aus einem [http://www.mikrocontroller.net/attachment/72662/data_trace.JPG anderen Mitschnitt] erfahren wir, das es versucht, sich auf vpcm-001.cust.kpn.net anzumelden, damit aber keinen Erfolg hat. Mysteriös bleibt bisher, warum es als Absender Adresse 192.168.2.1 sendet statt der 192.168.178.20.

Version vom 18. März 2010, 22:55 Uhr

The Philips VP5500 is a WLAN VOIP- & Video Phone sold by KPN in the netherlands. Some of the features, such as configuration settings for the VOIP connection are usually hidden from the user, but can be revealed through a fake firmware image (description here). Thanks to this restriction the device was rendered useless when KPN decided to disconnect the VOIP services this phone was relieing on.

This article intends to collect all relevant information about the hard- & software on the telephone and to provide information to actually reuse the hardware.

Hardware

Pinning

Serial

Vp5500 serial.png

VCC: 3.3V, Rate 115200 Baud

Setting the "TIN" Pin to low or pressing keys while the bootloader is waiting will redirect first Console to the serial device. Fortunately the bootloader allows editing the kernel command line, so you're able to directly "chroot" the device by setting a different initrc (sh). Type the following at the bootloader prompt:

boot root=/dev/mtdblock2 init=/bin/sh

Boot Log of the standard installation

JTAG

Vp5500 jtag.jpg

Pins are at the back of the circuit board.

Partitionen

0x00000000-0x00014000 : "bootloader"    blob version 2.0.5-pre2
0x00014000-0x00100000 : "kernel"        /boot (?)
0x00100000-0x01ce0000 : "fs #1"         rootfs (?)
0x01ce0000-0x01fe0000 : "fs #2"
0x01fe0000-0x02000000 : "fs #3"

Drivers & Software

Audio

  • Looks as if the audio codec in use needs a proprietary driver

MPEG en/decoder

  • Hantrop MPEG EN- DECODER, kernel module: hmp4e

Camera

Wlan

Links

Networking stuff

R.H. (snapper) intercepted & posted a sip register request sent by the device:

INVITE,ACK,BYE,CANCEL,OPTIONS,REFER,SUBSCRIBE,NOTIFY,MESSAGE,INFO,SERVICE,UPDATE,PRACK
Accept: application/sdp
Accept-Encoding: identity
Accept-Language: en
Supported: 100rel,replaces
Date: Mon, 15 Mar 2010 22:17:28 GMT
User-Agent: VP5500 (VeriCall Edge)
Content-Length: 0
REGISTER sip:192.168.2.1:5060 SIP/2.0
Via: SIP/2.0/UDP
192.168.178.20:5060;branch=z9hG4bK7576a67c231d790cc8c04075
Max-Forwards: 70
From: <sip:103@192.168.2.1