Daniel's Stuff

I write code

Yealink VOIP phone back doors


Yesterday I took delivery of a Yealink VP-2009 VOIP phone.  I was hoping it would be a nicer phone than it actually turned out to be.  I have a Yealink T38G and was really happy with it.  Unfortunately a lot of the features I like in the T38G are not present in the VP-2009. Ah well, live and learn I guess ;)

To the meat of it.  When I plugged the new VP-2009 into my network and attempted to configure it, there was a weird caching issue with my browser, as it took the same IP address as the old T38G, which resulted in an error page being shown.  Initially I thought the phone was broken in some strange way, so I started to investigate a firmware download for the phone.  After extracting the firmware using binwalk I found the HTML for the web interface and found that there is a back door that allows arbitrary commands to be executed on the phone.  The first thing I did was remove the password on the root user (passwd -d root) so I was able to telnet into the device.  Once on the device I was able to poke around and see all sorts of interesting stuff.

I was interested to see if there was anything like this back door in the T38G.  It turns out there is, although it isn’t as easy to use as the one in the VP-2009.  There is a hidden page that allows the telnet server to be turned on, and the same code can be exploited to remove the root user password :)

2 comments for “Yealink VOIP phone back doors”

  1. dendad51
    July 22, 2013 at 1:07 pm

    The big screen looks good.
    It doesn’t have as many buttons as the T38G. Can you try to use a Pi and make an expansion like the EXP39 external call book?

  2. Kyle
    December 29, 2014 at 7:32 am

    Good work Daniel! I don’t mind doing the grunt work myself, but would you share what the hidden page was? I have about 40 of these phones. I am looking to get them tightly integrated into our Spiceworks database, but of course need to get at least telnet going to start breaking them down. Thanks.
