Daniel's Stuff

I write code

Category: VOIP

More Yealink VP-2009 stuff

I have to admit is a little disappointed with the phone when I got it. ¬†I updated the firmware as far as it would allow me, but the more recent versions of the software would not install ūüôĀ ¬†After a bit of googling I found that there was supposedly a procedure for updating the old firmware to one of the newer sets, but that it was a secret. ¬†That got me really interested so I dug a little deeper. ¬†I found a PDF that contained a link to a Yealink FTP server which I’m not sure is supposed to be publicly available. ¬†On the FTP server was a set of files that detailed in rather broken English the process. ¬†Basically you put the phone into a special mode that causes it to download a new firmware from a TFTP server running on the same network and off it goes with the new firmware.

My phone now says is has firmware version 23.70.0.66 and it now has all the features I was hoping to get.  From what I can see it now has pretty much the same software as the new VP530.

Happy now ūüôā

I also tested the technique used to get root on the old firmware and it is no longer available, however the technique used for the T38G now works.

Yealink VOIP phone back doors

vp2009

Yesterday I took delivery of a Yealink VP-2009 VIOP phone. ¬†I was hoping it would be a nicer phone than it actually turned out to be. ¬†I have a Yealink T38G and was really happy with it. ¬†Unfortunately a lot of the features I like in the T38G are not present in the VP-2009. Ah well, live and learn I guess ūüėČ

To the meat of it.  When I plugged the new VP-2009 in to my network and attempted to configure it there was a weird caching issue with my browser as it took the same IP address as the old T38G which resulted in an error page being shown.  Initially I thought the phone by broken in some strange way, so I started to investigate a firmware download for the phone.  After extracting the firmware using binwalk I found the HTML for the web interface and found that there is a back door that allows arbitrary commands to be executed on the phone.  The first thing I did was remove the password on the root user (passwd -d root) so I was able to telnet into the device.  Once on the device I was able to poke around and see all sorts of interesting stuff.

I was interested to see if there was anything like this back door in the T38G. ¬†It turns out there is, although it isn’t as easy to use as the one in the VP-2009. ¬†There is a hidden page that allows the telnet server to be turned on, and the same code can be exploited to remove the root user password ūüôā