Unlocking the DLink DPH-C160S

A few weeks back I picked up a couple of Engin 221 VOIP DECT phones (a rebadged DLink DPH-C160S) from Ebay, in the hope of being able to use them with my Asterisk server. As it turns out, Engin ships these units with crippled firmware, so you can only reconfigure the IP settings, but not the SIP settings, rendering them useless for anything except talking to Engin. They won't even work with Engin's VOIPer accounts, nor is Engin willing to unlock the device.

After being frustrated for a few minutes, I dismantled the unit and found a serial port within it. Although the port speaks the serial protocol, it uses +3.3V, not +/-12V like proper RS232 ports, so to connect to it, you need to use a level shifter such as the MAX232. If you don't have one handy, Sean Lincolne has a useful tutorial describing how to modify a $20 phone cable from Ebay to connect to the serial port.

Here is the pinout of the serial port:

Pin 1 (marked with a square): UART0, RX
Pin 2: no connection
Pin 3: +3.3V
Pin 4: Ground
Pin 5: UART0, TX

Once you're connected, power the unit up. You will see something similar to the following as the machine boots:

* Power On Testing *
-------------------------------------------------
* DRAM Memory Test ..... PASSED
* Active RunTime Region ..... 2
* Active RunTime Code Checksum ..... PASSED
* Standby RunTime Region ..... 1
* Standby RunTime Code Checksum ..... PASSED

Boot Code Version : ATA1.1B01

Active RUNTIME Version : 1.00.009DPH-EN

Standby RUNTIME Version: 1.00.004DPH-AUS

Initializing Device OS
------------------------------------------------------------------------

-> DOWNLOAD RUN TIME IMAGE FROM FLASH:
.. Decompress Run Time Image : 100%(STOP system boot/load )
Active RunTime Region: 2
Configure: End the decode process

System Driver Initialization is Ready

In MXP Root before lock
In MXP Root after lock
After hwu_init
NWIF: get_ip_address()=10.1.1.1
NWIF: get_netmask()=255.0.0.0
NWIF: get_gateway_address()=10.1.1.254
NWIF: get_mac_address()=00:19:5b:xx:xx:xx
CreateEtherEvtGroup() SUCCESS
NWIF: NET Device Ready
After nw_create
After nwdb_create
After Xml_create
After telnet_create
SSL Initializing...
SSL Init ok
After Web_create
After Tftp_create
After PPPoE_create
After Ntp_create
After Stun_create
000000301 XmlTask: task running...
Rompager ssl =0

After VTSP_start
000000501 ===== SIP Stack version 1.0.5 =====
000000501 SIP: (0) Server Address= byo.engin.com.au
000000501 SIP: (0) Server Port= 5060
000000501 SIP: (0) Phone Number =
000000501 SIP: (0) User Agent Address = 10.1.1.1
000000501 SIP: (0) User Agent Port = 5060
000000501 SIP: (0) Display Name =
After Sip_create
After PlayVoice_create

cphone add command

XtCreate Task_CPhone
After CPhone_create
After unlock
000000501 SIP network task started.
000000511 SIP will restart after Prov Sending!!
000000511 SIP User Agent task started.
hook release
FXO on-hook : 1
Username:

Log in using the same username/password as you use to log in to the web interface (the default is admin/admin). Once logged in, you can issue a "help" command to get a summary of commands.

The phone's flash memory is divided into 2 regions: the first region contains the original factory firmware, and the second region contains the Engin butchered firmware. You can request the phone to boot from the first region by issuing the following commands:


runtime active_region 1
nwdbg system reboot

Once your phone comes back up, you are ready to reflash the second region with an up-to-date copy of the factory firmware. Download the firmware from ftp://files.dlink.com.au/products/DPH-C160S/REV_A/Firmware and set up a TFTP server on an available computer on your network (make sure this computer can ping the phone's IP address). Place the firmware in the root of the TFTP server. Under Windows 2000/XP, there is apparently a tftp daemon on the CD. Run the following to extract and install it, setting the path to tftpd.ex_ as appropriate (code lifted from http://www.governmentsecurity.org/archive/t13902.html; note that this procedure is untested):

expand tftpd.ex_ %windir%\system32\tftpd.exe
instsrv tftpd %windir%\system32\tftpd.exe
reg add hklm\system\currentcontrolset\services\tftpd\Parameters
reg add hklm\system\currentcontrolset\services\tftpd\Parameters /v Directory /t REG_SZ /d c:\tftproot
md c:\tftproot
net start tftpd

Back on the phone, log in, then issue the following commands to fetch and reflash the firmware. This will overwrite the firmware in region 2 (region 1 will still contain the original factory firmware).


tftp srvip <your tftp server>
tftp get dph_c160s-100006DPH-AUS-20070226.tfp
tftp update
nwdbg system reboot

After rebooting, disable the automatic provisioning on boot (the phone will still try and download its settings from Engin) by issuing the following commands:


nwdbg prov disable
nwdbg save changes

Finally, enable telnet access, so you don't need to dismantle the unit again to get access to the console:


nwdbg TelnetAccessOn
nwdbg save changes

That's it! Your phone should now be unlocked, and you can configure it both via telnet and via the web interface for whatever SIP service you like.
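
One way to check the outcome of the steps above from a captured serial boot log, as an added example that is not part of the original post: it parses the banner lines shown earlier and reports whether the active region looks like the factory image. The DPH-AUS suffix test is an assumption drawn from the version strings and firmware file name on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: banner lines copied from the boot log shown on this page.
SAMPLE_BOOT_LOG = """\
* Power On Testing *
* Active RunTime Region ..... 2
* Active RunTime Code Checksum ..... PASSED
* Standby RunTime Region ..... 1
* Standby RunTime Code Checksum ..... PASSED
Boot Code Version : ATA1.1B01
Active RUNTIME Version : 1.00.009DPH-EN
Standby RUNTIME Version: 1.00.004DPH-AUS
"""

_PATTERNS = {
    "region": re.compile(r"^\*\s*(Active|Standby) RunTime Region\s*\.+\s*(\d+)\s*$"),
    "checksum": re.compile(r"^\*\s*(Active|Standby) RunTime Code Checksum\s*\.+\s*(\w+)\s*$"),
    "version": re.compile(r"^(Active|Standby) RUNTIME Version\s*:\s*(\S+)\s*$"),
}

def parse_boot_banner(text):
    """Return {'active': {...}, 'standby': {...}} with region, checksum, version."""
    info = {"active": {}, "standby": {}}
    for raw in text.splitlines():
        # Terminal captures often carry soft hyphens and stray CRs; drop them.
        line = raw.replace("\u00ad", "").strip()
        for field, pattern in _PATTERNS.items():
            m = pattern.match(line)
            if m:
                value = int(m.group(2)) if field == "region" else m.group(2)
                info[m.group(1).lower()][field] = value
    return info

def unlock_problems(info, factory_suffix="DPH-AUS"):
    """List reasons the booted image does not look like the factory firmware.

    Assumption: factory builds end in DPH-AUS and the Engin build in DPH-EN,
    as the version strings on this page suggest.
    """
    problems = []
    active = info["active"]
    if not active.get("version", "").endswith(factory_suffix):
        problems.append("active version is %r" % active.get("version"))
    if active.get("checksum") != "PASSED":
        problems.append("active checksum is %r" % active.get("checksum"))
    return problems

if __name__ == "__main__":
    print(unlock_problems(parse_boot_banner(SAMPLE_BOOT_LOG)))
```

A capture that was cut off before the banner produces both problems rather than a false "ok", so a truncated log is never mistaken for a successful reflash.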

Comments

cable

Where can I buy a made-up cable? I NEED HELP!!!!
PLSSSSSSSSSS HELP. I am so frustrated!!!!!

Getting an unlocked phone to work with engin

Alastair unlocked my phone and it didn't work with engin anymore.
I rang engin support and they sent me the details to get it to work as a BYO plan. The important part was to set the userid and password. The userid was the phone number they gave me. At first I couldn't get it to connect so I installed SJPhone on my PC and got that to work.
It seems that the problem was copying and pasting the password. When I typed it in it worked and I am now connected to engin again.
I may still try mynetphone.
I do have the port 5060 redirected to the dlink.

I bought Engin 221 at Harris

I bought Engin 221 at Harris for $79 and your instructions on re-flashing worked! Thanks.
The phone is still D-Link branded even though the picture on the box has Engin logo.
I have a 3.3V level serial to USB adapter so connecting to PC was easy.

The only problem I have is that I can't configure this phone to work with MyNetFone. I'm not sure whether it's the phone's or the VoIP provider's fault.
The phone works fine with the iiNet VoIP account.

Any ideas?

MyNetPhone compatibility

I'm not sure myself - it is authenticated properly I presume? SIP is also very sensitive to NAT - the best thing to do is make sure that UDP port 5060 is forwarded to the phone.

I'm running it against an internal Asterisk server myself, however, one of my workmates is going to try it with MyNetPhone, so I'll get him to post his findings.

When to tweak the settings

You need to disable the provisioning and turn on telnet access after the phone has rebooted. I've modified the instructions to make this clearer.

Disable Provisioning

Do I issue the following commands after the TFTP update and before rebooting, or after system reboot?

nwdbg prov disable
nwdbg save changes

and this command as well straight after nwdbg save changes or

system reboot and

nwdbg TelnetAccessOn
nwdbg save changes

Thanks

brilliant work!!!

and apparently the phones are at harris technology for ~80,

Cheers

Unable to login to c160s

Hi

I have a c160s which I'm using a cable I have used on a number of other hardware hacks and double checked there is nothing with by access one of my old projects.

The issue is that I get the startup logs but when I enter the username/password nothing happens

000000511 SIP User Agent task started.
hook release
FXO on-hook : 1
Username:

Any ideas ?

Mike

RE: Unable to login to c160s

Check your wiring - it sounds like the transmit line from the computer is not being received by the receive line on the phone.

Unable to transmit

After upgrading my computer, I have found I have been unable to transmit to the unit, so I cannot log in. It seems to be a combination of both the serial port on the computer and the level shifter you are using. While the level shifter I originally used worked on the original machine, it would not work on the new computer, nor with a cheap Prolific converter (PL-2303) I bought on Ebay. It did however work with an aftermarket serial card; my understanding is that modern serial ports cheat and do not output voltages within the correct ranges to work effectively. If you are having trouble sending data to the unit, it is worth trying an older (Pentium era) machine, or getting hold of a serial card.