Modding a Vonage VDV23 to work with Asterisk
While browsing through a thrift store, I saw a new-in-box Vonage VDV23-VD for only five bucks! After having recently set up an Asterisk server for the heck of it, I thought that maybe adding some vintage phones would be fun. Only problem is, Vonage locks these units to explicitly use their own SIP server, so modifications would need to be arranged. I decided to get it and see if I could do any mucking about to jury rig together a cheap VoIP to analog adapter.
When I first got this, I thought that worst case scenario I would have to do some messy custom DNS stuff to redirect the packets to my Asterisk server and spoof a bunch of things. Cracking it open though reveals a blatantly obvious serial port labeled J4 (and a board number ending in 69 ⁿᶦᶜᵉ). Luckily ground was marked so finding VCC was easy. I hooked the remaining two pins up to my logic analyzer to see (1) if the port wasn't disabled after flashing the release firmware (such as Nintendo's re-released Game & Watch) and (2) which pins were Tx and Rx.
Yay, the serial port isn't disabled! Tx and Rx are pulled up and Tx is transmitting. Measuring multiple bits I get lengths between 8.75 and 9 microseconds. These are both really close to 115200 baud rate (calculated using (1/x)*10^6), so I entered these into the analyzer aaaaaaand...
Voila! A perfectly functional, fully accessible bootloader! This was definitely the best scenario possible, and I'm somewhat relieved that it ended up being this easy to accomplish. At this point I grabbed my cheap Serial to USB adapter to hook it up to PuTTY and do some fiddling, but the output was garbled nonsense. Presumably the serial adapter works on a different voltage than this device, so I grabbed an ESP32 to use as a better serial adapter. For some reason my computer had massive amounts of trouble just getting the driver for it, but eventually I was able to find it online and get it set up with PuTTY. The main menu was surprisingly robust for a bootloader.
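The bit-width measurement described above can be automated. This is an added example, not code from the original post: it estimates a UART baud rate from logic-analyzer pulse widths, and the sample widths, the 5% tolerance and the function name are assumptions made for illustration.

```python
# Added example: snap measured pulse widths to a standard UART baud rate.
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)

# Constructed sample: edge-to-edge durations in microseconds, including one
# long idle gap between bytes (1200.0) that must not skew the estimate.
SAMPLE_WIDTHS_US = [8.75, 17.5, 8.75, 26.0, 9.0, 8.75, 1200.0, 8.75, 35.0]


def estimate_baud(pulse_widths_us, tolerance=0.05):
    """Return (standard_baud, measured_baud, error_fraction).

    Every pulse on the line lasts a whole number of bit times, so the
    shortest pulse approximates one bit and longer pulses refine it.
    Raises ValueError if no standard rate is within `tolerance`.
    """
    widths = [w for w in pulse_widths_us if w > 0]
    if not widths:
        raise ValueError("no pulses to measure")
    unit = min(widths)  # assumes at least one isolated single bit was captured
    # In 8N1 framing a start bit plus eight zero data bits gives at most nine
    # consecutive bit times at one level; anything longer is an idle line.
    framed = [w for w in widths if w <= 9.5 * unit]
    total_bits = sum(round(w / unit) for w in framed)
    bit_time_us = sum(framed) / total_bits  # average over all counted bits
    measured = 1e6 / bit_time_us            # same formula as (1/x)*10^6
    nearest = min(STANDARD_BAUDS, key=lambda b: abs(b - measured))
    error = abs(nearest - measured) / nearest
    if error > tolerance:
        raise ValueError(
            f"{measured:.0f} baud is {error:.1%} away from {nearest}; "
            "non-standard rate or no single-bit pulse in the capture"
        )
    return nearest, measured, error


if __name__ == "__main__":
    baud, measured, error = estimate_baud(SAMPLE_WIDTHS_US)
    print(f"measured {measured:.0f} baud -> {baud} ({error:.2%} off)")
```

Averaging over every framed pulse, rather than trusting a single cursor measurement, is what narrows the 8.75 to 9 microsecond spread to one candidate rate.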
The coolest option to me was the ability to run a firmware file from RAM, presumably for debugging (more on why I think this is cool later). Being able to read and write directly to memory was also really interesting. Either way I figured at this point I'd turn to the internet to see if there were any bin files for this, and apparently I'm not the only one wanting to unlock this thing. A website called VoIP Fan has a ton of info on it, including multiple firmware files! After reading through his guide, I decided to forge my own path with a combination of his learnings and my own. My firmware was newer than version 3.1.2, which he says was the point where the password was stored at a random location rather than the static memory address. I thought about flashing it first, but instead I dumped the data from the aforementioned memory addresses, and got data similar-ish to his findings. The first byte for me was 08, which was none of what he mentioned, but the password length was dead on (and the last 2 bytes are actually "Ad", suggesting the username is Admin and stored one address over).
After decoding the password, I rebooted the unit and let it post. Turns out the firmware doesn't give you a clean terminal; instead, logs are intertwined with anything you type, which makes entering commands near impossible. Good news though, my password worked! This meant I could skip downgrading the firmware just to upgrade. After restarting and entering the bootloader menu again, I tried initializing the internet on the unit. This proved to be the most frustrating part of this, since it kept kicking back to the factory set IP, subnet mask, etc. at random. Eventually I got it to work, so I hosted a TFTP server hosting the new firmware file and tried flashing it to the second boot partition only. I wanted to see if I could preserve the original firmware and configuration just for fun. After rebooting the system again, everything went as expected. I followed the rest of the instructions for removing the remaining Vonage configs from the system and it worked like a charm. I finally got to setting it up, and no matter what I could not get it to connect to my HTTP server to upload the config file. Instead I set it up using the serial command line with the commands specified. After much trial and error, this is the result.
This would have been a lot cooler with the Garfield phone, or perhaps the extremely cursed teddy bear phone I saw a while back...
In the future, I'd love to make my own firmware file that has a new page to upload an XML configuration file so that I don't need to fiddle with web servers and serial interfaces anytime I need to reconfigure the SIP settings. This is why I found that "load from RAM" feature really cool earlier. I'm also not sure if this guy put anything malicious into the custom firmware file. I really doubt it, but it wouldn't be the internet without malware.