1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. If you had a PIAF Forum account in the vBulletin days, log in with your old credentials. Otherwise, sign up again and we'll get you back in business as soon as we can.
  3. A serious FreePBX vulnerability has been reported. Update your Framework Module immediately. Click here for details.

Nortel IP 1535 Development

Discussion in 'Endpoints' started by rxcomm, Nov 11, 2010.

  1. rxcomm Guru

    Figured I'd start a new thread on application development issues.

    Some good news. I've got an OpenVPN 2.1.4 binary built that runs on the phone. Includes OpenSSL 0.9.8n and lzo-2.0.4. I haven't made that first cryptocall yet, though. There are still a couple of issues to be worked out. When these are dealt with, I'll post the binary.

    OpenVPN starts, and writes to the log file (that's nice) as it progresses. I'm attempting to start it as a client. Right now, it barfs at the point where it tries to use /usr/bin/openssl-vulnkey to test its keys for the vulnerability identified a couple of years ago. openssl-vulnkey is a python script. Unfortunately, it won't run on the python version that is on the phone. I'm not much of a python programmer, so if somebody would like to see if they could get this script running on the phone's python version, that would be great. The other alternative is to fake the output - I'd just as soon not do that, for obvious reasons.

    When I get some time (probably this weekend), I'll also post details on the toolchain I used.

  2. petr Guru

    Where can I find the file? Maybe I can fix it. I have also made a package with additional files from the python 2.4 library that are missing on the phone, since I needed those for the web interface.
  3. rxcomm Guru

    pm me your email address and I'll send you a copy.

  4. petr Guru

    I am afraid it is not that easily fixable after all, the python version does not have the fnctl module. It would be great to get better python on it. Maybe it can be done using your toolchain.
    I could rewrite it without the subprocess module if you really need it.
  5. petr Guru

    I have just identified the Python as "2.4a0", that's why decorators are not there (added in a2).
  6. rxcomm Guru

    Can't get working /dev/net/tun

    tun support is not enabled in the IP 1535 kernel that is on the phone. I edited the kernel config to add tun support:
    and recompiled. Transferred the resulting tun.o module (but not the new kernel vmlinux - still using the old one) to the phone and insmod'd it:
    # insmod /usr/local/drivers/tun.o
    Using /usr/local/drivers/tun.o
    # lsmod
    Module                  Size  Used by
    tun                     4012   0 (unused)
    ipt_TOS                  316   0 (unused)
    iptable_mangle          1996   0 (unused)
    iptable_filter          1572   0 (unused)
    ip_tables              14120   3 [ipt_TOS iptable_mangle iptable_filter]
    lgvp_hw_wdt              896   0 (unused)
    cohiba                499376   0 (unused)
    midi                    5216   0 (unused)
    eth0_mod                 792   0 (unused)
    mmc                     1840   0 (unused)
    lgvp-ssp-audio         14476   0
    dspg                   26048   1 [lgvp-ssp-audio]
    camera-lgvp            38248   0 (unused)
    nofilter_tffs         403064   1
    It loaded.

    I then tried to mknod the tun device:
    # mknod /dev/net/tun c 10 200 
    # ls -las /dev/net
       0 crw-r--r--    1 0        0         10, 200 tun
       0 drwxr-xr-x    1 0        0               0 .
       0 drwxr-xr-x    1 0        0               0 ..
    # chmod 666 tun
    # ls -las
       0 crw-rw-rw-    1 0        0         10, 200 tun
       0 drwxr-xr-x    1 0        0               0 .
       0 drwxr-xr-x    1 0        0               0 ..
    but it doesn't work.
    # cat /dev/net/tun
    cat: /dev/net/tun: No such device
    and OpenVPN can't use it either:
    # /usr/local/bin/openvpn --dev tun --mktun
    Fri Jan  2 04:40:38 1970 Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
    Fri Jan  2 04:40:38 1970 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
    Fri Jan  2 04:40:38 1970 Cannot allocate TUN/TAP dev dynamically
    Fri Jan  2 04:40:38 1970 Exiting
    Do I have to use the new vmlinux, even if the tun.o module loads with the old one?

  7. petr Guru

    IMHO the compiled module should work. Same ABI/API, similar compiler. How about putting some debug messages to the tun code and then compiling?

    I have also updated the web interface a little. Still does not do much, only reading from some of the files, like missed/received/dialed calls, few settings and a reboot. No destructive operations yet.

    I am looking for help with identification of the fields in the calls list. I can't figure out a few of them.

  8. rxcomm Guru

    Building a cross-compiler for the IP 1535

    Here are some instructions to generate a working cross-compiler toolchain for the IP 1535 using gcc-3.4.6 and glibc-2.3.3. gcc 3.4 was chosen because it will generate native iwmmxt/xscale code for the PXA270. Version 2.3.3 of glibc was chosen because this matches the version on the phone.


  9. fang0654 Guru

    Looks like the first ? row is length of call in seconds.
  10. petr Guru

    Right. The difference between call start and end time are probably just rounding errors, since they always differ by 1.
  11. petr Guru

  12. rxcomm Guru

    Two new tidbits...

    1) Here's a working tun.o module:

    2) I sorted out the console. Looking at the bottom of the board with the word CONSOLE right side up, there are four pins above the word CONSOLE. Numbering these left to right 1 - 2 - 3 - 4:

    Pin 1: Transmit data (to terminal - DB9 pin 2)
    Pin 2: Receive data (from terminal - DB9 pin 3)
    Pin 3: N/C
    Pin 4: GND (DB9 pin 5)

    Note, you must have a level shifter/inverter (MAX232A or similar) between your serial port and the CONSOLE pins. The data on the CONSOLE pins is inverted TTL.

    Baud rate is 19.2kbaud.

    After booting, hit the <ENTER> key to get a command prompt.

    The system uses BLOB as a bootloader. But there is no bootloader prompt. I haven't yet figured out how to add one, but it should definitely be possible to boot more than one kernel.

  13. petr Guru

    Are the pins 3.3V or 5V? I only have a 5V USB-serial for my arduino board.

    As to the number of kernels, I think there are two residing in the internal flash, from that mdoc/kernel_update utility. One that boots by default and the second one that is a backup when something goes wrong during the flashing. Or maybe it is the root filesystem, I am not sure.

    I would also be interested in reading out the kernel that is already there, but I am not sure that is possible.

    I have tried to boot 070820_lvp2890_sdmmc_update_kernel.bin from the 2.50 firmware in QEMU, it definitely does something, you can connect to it with gdb, but that's about it. I would also like to know what is lvp2890_g4_root_20061128.bin from the 2.50 update, because it is written to the flash with the mdoc utility as "mdoc root". Is it the root file system?
  14. rxcomm Guru

    5V - your arduino board serial connector should work fine.

  15. rxcomm Guru

    Level shifter/inverter circuit

    A couple of people have asked me how to build a level shifter/inverter circuit to access the console. Probably the easiest way to do this is to use a MAX3235E chip from http://www.maxim-ic.com. You can get a couple of samples from them for free. This one has internal charge-pump capacitors so you don't need any extra components except the bypass capacitor. The plastic DIP package is MAX3235ECPP.

    The data sheet for this part is at http://datasheets.maxim-ic.com/en/ds/MAX3233E-MAX3235E.pdf. Take a look at the figure on page 12.

    Connections are indicated by lines.


    Connect Pins 9 and 10 of the MAX3235E to 5V and pins 5 and 18 to GND. Put a 0.1 uF bypass capacitor between pins 9 and 18 of the MAX3235E as close to the chip as possible. Do not connect any of the other MAX3235E pins.

  16. petr Guru

    If you are lazy like me, go for http://www.watterott.com/de/FTDI-Basic-Breakout-5V or similar. If you own an Arduino board, you can just take out the mcu and connect the correct pins.
  17. rxcomm Guru

    OpenVPN on a Nortel IP 1535

    I'll post a HOWTO in a day or so, but my $35 cryptophone lives!

    OpenVPN -2.1.4 on a Nortel IP 1535 videophone runs. Lag doesn't seem bad at all. I'm running OpenVPN as a client on the 1535. I'm using TUN mode, and at this point have a server and 7 different clients connected to my network.

    # cat /var/log/openvpn.log
    Mon Nov 15 23:43:43 2010 OpenVPN 2.1.4 arm-xscale-linux-gnu [SSL] [LZO2] built on Nov 15 2010
    Mon Nov 15 23:43:43 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Mon Nov 15 23:43:43 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Mon Nov 15 23:43:43 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Nov 15 23:43:43 2010 LZO compression initialized
    Mon Nov 15 23:43:43 2010 UDPv4 link local (bound): [undef]:1194
    Mon Nov 15 23:43:43 2010 UDPv4 link remote:
    Mon Nov 15 23:43:43 2010 TLS Error: local/remote TLS keys are out of sync: [0]
    Mon Nov 15 23:43:46 2010 [server] Peer Connection Initiated with
    Mon Nov 15 23:43:49 2010 TUN/TAP device tun0 opened
    Mon Nov 15 23:43:49 2010 /sbin/ifconfig tun0 pointopoint mtu 1500
    Mon Nov 15 23:43:49 2010 Initialization Sequence Completed
    # ifconfig -a
    eth0      Link encap:Ethernet  HWaddr 00:1A:7E:A3:EB:C2  
              inet addr:  Bcast:  Mask:
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:5898 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2906 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:546817 (534.0 KiB)  TX bytes:282662 (276.0 KiB)
              Interrupt:9 Base address:0x300 
    lo        Link encap:Local Loopback  
              inet addr:  Mask:
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:3 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:336 (336.0 B)  TX bytes:336 (336.0 B)
    tun0      Link encap:Point-Point Protocol  
              inet addr:  P-t-P:  Mask:
              RX packets:6 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:460 (460.0 B)  TX bytes:480 (480.0 B)
  18. TheMole Member

    Major accomplishment, congrats Dave.

    Nice work.
  19. tshif Guru

    Awesome! The work being done in this forum make these telephones a far superior device from what they were when the manafacturer released them to the public.

    I hope I can figure out how to follow your step-by-steps. Like TheMole said, Nice work!
  20. wardmundy Nerd Uno


Share This Page