Pirelli DP-L10
Hacking the Pirelli DP-L10
Pollin recently added the GSM/Wifi Phone "DP-PL10" to it's catalogue, so I dug a bit 'round to see what kind of hard- and software it uses. The firmware is available with different brandings from different vendors. I've used the firmware from sipgate to see what software it runs.
Firmware strings
The firmware you get from the above zip image contains an .exe file which again contains a .zip file (at offset 67072). This zip file hosts the actual firmware (probably divided into different flash blocks).
The firmware files (*.m0) seem to be "encoded" (in intel hex format?), so i wrote a quick & dirty "extractor":
#!/bin/bash
if [ $# -ne 1 ] ; then
echo "usage: $0 file.m0"
exit
fi
if [ ! -r $1 ] ; then
echo "can't open $1"
exit
fi
cat $1 | sed -r 's/^S[A-F0-9]{11}(.*)..$/\1/gm' \
| sed -r 's/(..)(..)/\\x\2\\x\1/g' > $1.esc
echo -e `cat $1.esc` > $1.bin
This extractor isn't error-free yet, but enough to give you an idea about the firmware contents. Among other things I found several references to wpa_supplicant and a GPL header in the extracted ap.m0 file.
Here's a list of references I found so far:
- ap.m0
- Wifi Hardware seems to be a marvell chipset
- Uses wpa_supplicant
- String: Copyright (c) 2002 WWW.NexGen-Software.fr
- Probably either one of the tcp/ip stack, the gui or xml browser (see http://www.nexgen-software.com/PublicAsp/Default.asp)
- Copyright (c) 1993 ATI - Nucleus PLUS 3 - Version 1.0.G1.1
- Device is probably using Nucleus RTOS
- fs.m0
- Mostly media files (icons, ringtones) and confiuguration stuff
- amdfast.m0
- Unknown binary blob, ~490 Bytes
- cmd.m0
- Another binary blob ~4kbytes
More info
- Detailed HW description (german): http://wiki.ip-phone-forum.de/telefone:t-one_tc300:start
- The device is supported by OsmocomBB - an OpenSource GSM/Phone stack. Deatails here