NEC DT700-series VoIP phone

Revision as of 22:27, 1 October 2021 by Malvineous (talk | contribs) (Document findings)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

The NEC DT700 series is a collection of similar IP phone models running Wind River Linux, targeted at the corporate market. There is very little obfuscation on the devices, making it easy to SSH in, gain root access, and modify the firmware as desired (the JFFS2 root filesystem is mounted read/write).

While possible to brick the device, the flash stores two copies of the kernel and root filesystem, so as long as experiments are kept to only one of these, the other one can be used to boot the phone, mount the root filesystem of the broken copy, and repair it. Serial console access is required in order to select which copy to boot, however this can be gained through an externally-accessible connector, so no disassembly or soldering is required.

Early firmware releases had SSH access enabled by default with a factory password, however current firmware versions require a serial console in order to enable SSH.

Service menu

To access the phone's service menu, hold down the Help button (top right) for a few seconds and the menu will appear. Use the number buttons to select a menu entry, and next/prev soft buttons to move between items.

This menu can be used to find out the phone's IP address and other configuration details.

Serial console/SSH

Rear view of phone showing SIDE2 connector
Close up of SIDE2 connector with the case removed

A TTL UART running at 115200 8N1 is available on the SIDE2 connector, which can be accessed without disassembling the phone. The connector is located under a flap on the underside of the phone (see photo).

In the image on the right, with the word "SIDE2" readable normally, pin 1 is in the upper-right corner, and pin 2 is in the upper-left. The full pinout, in the same orientation as the photo on the right, is:

2/GND 1
4 3
6 5
8/TX 7
10 9/RX

Pin 8/TX is where the device sends data, so should be connected to the RX of a USB UART adapter. Pin 9/RX is where the device receives data and should be connected to a USB UART adapter's TX pin. The exact voltage is unknown but a 3.3V USB TTL adapter works fine.

When powering up the device, there are two very fast boot prompts where you can press a key to interrupt the boot process. Let the first one go through and press a key to interrupt the second one.

Press any key to enter download mode or bring up the menu[................]

(don't press a key here)

Color-Value Detected: Drawing Initializing display

(press a key here)

Press any key to enter control command mode >>> 03

At this [boot] prompt you can type ? to get a menu, or K to select whether to boot from the primary or backup copy of the kernel/rootfs.

To enable the Linux serial console, type #f.

[boot] #f
Entering boot-flag configuration...
MainBoard TP switch(ON:0xAA) : 0 
Telephone TP switch(ON:0xAA) : 0 
Emergency Boot switch        : 0 
Model(J:0xAA/F:0xFF)         : ff 
LineType(1..7)               : 1 
FuncType(1..17)              : 2 
TelnetMode(0..3)             : 0 
Sidetone Type(0..1)          : 1 
Log Level(0..6)              : 0 
Log Destination(1..8)        : 6 
flash_eraseall started for /dev/mtd4
flash_eraseall done for /dev/mtd4
nandwrite started for /dev/mtd4
nandwrite done for /dev/mtd4
Flash memory updated

At each prompt just press enter to leave the value unchanged, until the TelnetMode option. Set this to one of these values:

TelnetMode Behaviour
0 Serial console enabled, SSH daemon enabled
1 Serial console enabled, SSH disabled
2 Serial console disabled, SSH disabled
3 Serial console disabled, SSH disabled (default)

The difference between options 2 and 3 is unknown.

After applying the change, boot the device with @ or power cycle it. This time the serial console messages will continue after the Linux kernel has started, and pressing enter after the boot process has finished will start a serial console. SSH can also be used, however the ciphers are limited. A command like this is required:

ssh tp@phone-ip -o KexAlgorithms=diffie-hellman-group1-sha1 -c aes256-cbc


Older versions of the firmware use the following passwords.

Username Password Notes
root 6633222444 "NECI" on the phone keypad
admin 6633222 "NEC" on the phone keypad
tp 8442444 "THAI" on the phone keypad

As of 2021, the "tp" password is still valid but the others have been changed.

The backup rootfs is still likely using these passwords, so following the serial console instructions above to switch to the backup rootfs may allow you to log in with these credentials. At this point you can mount the new firmware (see below), update /etc/passwd then reboot to the latest firmware with your own credentials.

Firmware recovery

Boot backup firmware

Follow the instructions in the serial console section above, and use the K command to select image 0 or 1 to boot. Note that sometimes the last successful boot seems to be assigned to slot 0, so image 0 or 1 don't always appear to refer to the same flash partitions.

Mount other firmware

If you have booted the alternative kernel/rootfs, you can mount the other one to repair it:

$ su
# mkdir /mnt/mtd10
# mount -t jffs2 /dev/mtdblock10 /mnt/mtd10

This mounts the mtd10 rootfs in /mnt/mtd10. The two copies are in mtd9 and mtd10 - one will be running the current firmware and one will be running the other. Until you identify which is which, you can create a file on each, before mounting as above:

# touch /mnt/backup.firmware
# mkdir /mnt/mtd9 /mnt/mtd10
# mount -t jffs2 /dev/mtdblock9 /mnt/mtd9
# mount -t jffs2 /dev/mtdblock10 /mnt/mtd10
# ls /mnt/mtd9/mnt/
# ls /mnt/mtd10/mnt/
# umount /mnt/mtd9
# umount /mnt/mtd10
# rmdir /mnt/mtd9   # Remove whichever one is the current one

One of the last two ls commands will include the backup.firmware file created in the first command, and this will identify which mtdblock is currently in use. Leaving behind the correct /mnt/mtdX folder will serve as a future reminder which block contains the other rootfs.