Unlocking the DLink DPH-C160S

Topics: 

A few weeks back I picked up a couple of Engin 221 VOIP DECT phones (a rebadged DLink DPH-C160S) from Ebay, with the hopes of being able to use them with my Asterisk server. As it turns out, the Engin ship these units with crippled firmware, so you can only reconfigure the IP settings, but not the SIP settings, rendering it useless for anything except talking to Engin. It won't even work with their VOIPer accounts, nor are they willing to unlock the device.

After being frustrated for a few minutes, I dismantled the unit and found a serial port within it. Although the port speaks the serial protocol, it uses +3.3V, not +/-12V like proper RS232 ports, so to connect to it, you need to use a level shifter such as the MAX232. If you don't have one handy, Sean Lincolne has a useful tutorial describing how to modify a $20 phone cable from Ebay to connect to the serial port.

Here is the pinout of the serial port:

Pin 1 (marked with a square) UART0, RX
Pin 2 (no connection)
Pin 3 +3.3V,
Pin 4 Ground
Pin 5 UART0, TX

Once you're connected, power the unit up. You will see something similar as the machine boots:

* Power On Testing *
----------------------------------­ ---------------
* DRAM Memory Test ..... PASSED
* Active RunTime Region ..... 2
* Active RunTime Code Checksum ..... PASSED
* Standby RunTime Region ..... 1
* Standby RunTime Code Checksum ..... PASSED

Boot Code Version : ATA1.1B01

Active RUNTIME Version : 1.00.009DPH-EN

Standby RUNTIME Version: 1.00.004DPH-AUS

Initializing Device OS
----------------------------------­ ----------------------------------­ ----

-> DOWNLOAD RUN TIME IMAGE FROM FLASH:
.. Decompress Run Time Image : 100%(STOP system boot/load )
Active RunTime Region: 2
Configure: End the decode process

System Driver Initialization is Ready

In MXP Root before lock
In MXP Root after lock
After hwu_init
NWIF: get_ip_address()=10.1.1.1
NWIF: get_netmask()=255.0.0.0
NWIF: get_gateway_address()=10.1.1.254
NWIF: get_mac_address()=00:19:5b:xx:xx:x­ x
CreateEtherEvtGroup() SUCCESS
NWIF: NET Device Ready
After nw_create
After nwdb_create
After Xml_create
After telnet_create
SSL Initializing...
SSL Init ok
After Web_create
After Tftp_create
After PPPoE_create
After Ntp_create
After Stun_create
000000301 XmlTask: task running...
Rompager ssl =0

After VTSP_start
000000501 ===== SIP Stack version 1.0.5 =====
000000501 SIP: (0) Server Address= byo.engin.com.au
000000501 SIP: (0) Server Port= 5060
000000501 SIP: (0) Phone Number =
000000501 SIP: (0) User Agent Address = 10.1.1.1
000000501 SIP: (0) User Agent Port = 5060
000000501 SIP: (0) Display Name =
After Sip_create
After PlayVoice_create

cphone add command

XtCreate Task_CPhone
After CPhone_create
After unlock
000000501 SIP network task started.
000000511 SIP will restart after Prov Sending!!
000000511 SIP User Agent task started.
hook release
FXO on-hook : 1
Username:

 

Log in using the same username/password as you use to log in to the web interface (the default is admin/admin). Once logged in, you can issue a "help" command to get a summary of commands.

The phone's flash memory is divided into 2 regions, the first region contains the original factory firmware, the second region contains the Engin butchered firmware. You can request the phone to boot from the first region by issuing the following commands:

runtime active_region 1
nwdbg system reboot

Once your phone comes back up, you are ready to reflash the second region with an up to date copy of the factory firmware. Download the firmware from ftp://files.dlink.com.au/products/DPH-C160S/REV_A/Firmware and set up a TFTP server on an available computer on your network (make sure this computer can ping the phone's IP address). Place the firmware in the root of the TFTP server. Under Windows 2000/XP, there is apparently a tftp daemon on the CD. Run the following to extract and install it, setting the path to tftpd.ex_ as appropriate (code lifted from http://www.governmentsecurity.org/archive/t13902.html, note that this procedure is untested):

expand tftpd.ex_ %windir%\system32\tftpd.exe
instsrv tftpd %windir%\system32\tftpd.exe
reg add hklm\system\currentcontrolset\services\tftpd\Parameters
reg add hklm\system\currentcontrolset\services\tftpd\Parameters /v Directory /t REG_SZ /d c:\tftproot
md c:\tftproot
net start tftpd

Back on the phone, log in, then issue the following commands to fetch and reflash the firmware. This will overwrite the firmware in region 2 (region 1 will still contain the original factory firmware).

tftp srvip <your tftp server>
tftp get dph_c160s-100006DPH-AUS-20070226.t­fp
tftp update
nwdbg system reboot

After rebooting, disable the automatic provisioning on boot (the phone will still try and download its settings from Engin) by issuing the following commands:

nwdbg prov disable
nwdbg save changes

Finally, enable telnet access, so you don't need to dismantle the unit again to get access to the console

nwdbg TelnetAccessOn
nwdbg save changes

Thats it! Your phone should now be unlocked, and you can configure it both via telnet and via the web interface for whatever SIP service you like.

Comments

and apparently the phones are at harris technology for ~80, Cheers

Do i issue the follwing commands after the TFTP update and before rebooting or after system reboot nwdbg prov disable nwdbg save changes and this command as well straight after nwdbg save changes or system reboot and nwdbg TelnetAccessOn nwdbg save changes Thanks

You need to disable the provisioning and turn on telnet access after the phone has rebooted. I've modified the instructions to make this clearer.

I bought Engin 221 at Harris for $79 and your instructions on re-flashing worked! Thanks. The phone is still D-Link branded even though the picture on the box has Engin logo. I have 3.3V level serial to USB adapter so connecting to PC was easy. The only problem I have is that I can't configure this phone to work with MyNetFone. I'm not sure whether its the phone or the VoIP provider fault. The phone works fine with the iiNet VoIP account. Any ideas?

I'm not sure myself -it is authenticated properly I presume? SIP is also very sensitive to NAT - the best thing to do is make sure that UDP port 5060 is forwarded to the phone.

I'm running it against an internal Asterisk server myself, however, one of my workmates is going to try it with MyNetPhone, so I'll get him to post his findings.

 

Hey, thanks for sharing your experience with a USB to Serial adapter.

I have a Jaycar XC4834 (GUC-AD9) and from all accounts this appears to have 3 - 5V range by the specs I can find.  Haven't tested myself as yet; just trying to research.

With your USB to Serial adapter, from what pin did you get your +3.3V from or did you use an external source?

Jaycar's XC4834 is an RS232 device (outputting nominally +/- 12V). You will need to use a level shifter such as a Max232 chip to convert the voltage levels to TTL.

The cheapest, easiest option would be to grab an adapter from Ebay - just search for "USB TTL" and sort by price + postage. The USB adapter will be powered from your PC, while the DLink unit should be powered from its plug pack.

Alastair unlocked my phone and it didn't work with engin anymore. I rang engin support and they sent me the details to get it to work as a BYO plan. The important part was to set the userid and password. The userid was the phone number they gave me. At first I couldn't get it to connect so I installed SJPhone on my PC and got that to work. It seems that the problem was copying and pasting the password. When I typed it in it worked and I am now connected to engin again. I may still try mynetphone. I do have the port 5060 redirected to the dlink.

Pages