VP5500
The Philips VP5500 is a WLAN VOIP- & Video Phone sold by KPN in the netherlands. Some of the features, such as configuration settings for the VOIP connection are usually hidden from the user, but can be revealed through a fake firmware image (description here). Thanks to this restriction the device was rendered useless when KPN decided to disconnect the VOIP services this phone was relieing on.
This article intends to collect all relevant information about the hard- & software on the telephone and to provide information to actually reuse the hardware.
Hardware
- CPU: MC9328MX21 @ 266MHz (ARM9 Core)
- FS455LF: PAL Video converter chip
- Wlan: Marvell 88w8385 (OSS driver, Datasheet)
- RAM: 64MB (2x K4S56163LF)
- Flash: 16MB
- Kamera: Chicony dc-4626.a5
- Audio Codec: TI TLV 320 AIC 12K
Pinning
Serial
VCC: 3.3V, Rate 115200 Baud
Setting the "TIN" Pin to low or pressing keys while the bootloader is waiting will redirect first Console to the serial device. Fortunately the bootloader allows editing the kernel command line, so you're able to directly "chroot" the device by setting a different initrc (sh). Type the following at the bootloader prompt:
boot root=/dev/mtdblock2 init=/bin/sh
Boot Log of the standard installation
JTAG
Pins are at the back of the circuit board.
Partitionen
0x00000000-0x00014000 : "bootloader" blob version 2.0.5-pre2 0x00014000-0x00100000 : "kernel" /boot (?) 0x00100000-0x01ce0000 : "fs #1" rootfs (?) 0x01ce0000-0x01fe0000 : "fs #2" 0x01fe0000-0x02000000 : "fs #3"
Drivers & Software
Audio
- Looks as if the audio codec in use needs a proprietary driver
MPEG en/decoder
- Hantrop MPEG EN- DECODER, kernel module: hmp4e
Camera
- Patch for 2.4.X - CMOS Sensor connected via I²C
Wlan
Links
- Thread where the actual reverse engineering happens
- Results will be demonstrated on the workshop root your toaster (2010/05/01)
- Hack to reveal the Config interface
Software
Bootloader (Blob)
Root FS & Toolchain
According to the boot log, the root fs is derived from some sample source code for the iMX21 development platform.
Kernel
Version: 2.4.20
Networking stuff
R.H. (snapper) intercepted & posted a sip register request sent by the device:
INVITE,ACK,BYE,CANCEL,OPTIONS,REFER,SUBSCRIBE,NOTIFY,MESSAGE,INFO,SERVICE,UPDATE,PRACK Accept: application/sdp Accept-Encoding: identity Accept-Language: en Supported: 100rel,replaces Date: Mon, 15 Mar 2010 22:17:28 GMT User-Agent: VP5500 (VeriCall Edge) Content-Length: 0 REGISTER sip:192.168.2.1:5060 SIP/2.0 Via: SIP/2.0/UDP 192.168.178.20:5060;branch=z9hG4bK7576a67c231d790cc8c04075 Max-Forwards: 70 From: <sip:103@192.168.2.1
Configuration
For Sipgate:
SIP1 Display Name: your Name
User Name: your SIP-ID
Telephone Number: Tel.Nr.
Auth
Authentification UserName: your SIP-ID
Password: Sipgate Password
Server
SIP register address:port: sipgate.de:5060
Proxy
SIP proxy1 address:port: sipgate.de:5060
SIP2
SIP Port Listen
for UDP: 5062
for TCP: 5062
for TCP TLS: 5053
SIP Outbound needs to be empty.