Nortel IP 1535 Development

rxcomm

Guru
Joined
Sep 13, 2010
Messages
77
Reaction score
2
Figured I'd start a new thread on application development issues.

Some good news. I've got an OpenVPN 2.1.4 binary built that runs on the phone. Includes OpenSSL 0.9.8n and lzo-2.0.4. I haven't made that first cryptocall yet, though. There are still a couple of issues to be worked out. When these are dealt with, I'll post the binary.

OpenVPN starts, and writes to the log file (that's nice) as it progresses. I'm attempting to start it as a client. Right now, it barfs at the point where it tries to use /usr/bin/openssl-vulnkey to test its keys for the vulnerability identified a couple of years ago. openssl-vulnkey is a python script. Unfortunately, it won't run on the python version that is on the phone. I'm not much of a python programmer, so if somebody would like to see if they could get this script running on the phone's python version, that would be great. The other alternative is to fake the output - I'd just as soon not do that, for obvious reasons.

When I get some time (probably this weekend), I'll also post details on the toolchain I used.

Dave
 

petr

Guru
Joined
Nov 8, 2010
Messages
16
Reaction score
0
Right now, it barfs at the point where it tries to use /usr/bin/openssl-vulnkey to test its keys for the vulnerability identified a couple of years ago. openssl-vulnkey is a python script. Unfortunately, it won't run on the python version that is on the phone.
Where can I find the file? Maybe I can fix it. I have also made a package with additional files from the python 2.4 library that are missing on the phone, since I needed those for the web interface.
 

petr

Guru
Joined
Nov 8, 2010
Messages
16
Reaction score
0
I am afraid it is not that easily fixable after all; the python version does not have the fcntl module. It would be great to get better python on it. Maybe it can be done using your toolchain.
Edit:
I could rewrite it without the subprocess module if you really need it.
 

petr

Guru
Joined
Nov 8, 2010
Messages
16
Reaction score
0
I have just identified the Python as "2.4a0", that's why decorators are not there (added in a2).
 

rxcomm

Guru
Joined
Sep 13, 2010
Messages
77
Reaction score
2
Can't get working /dev/net/tun

tun support is not enabled in the IP 1535 kernel that is on the phone. I edited the kernel config to add tun support:
Code:
CONFIG_TUN=y
and recompiled. Transferred the resulting tun.o module (but not the new kernel vmlinux - still using the old one) to the phone and insmod'd it:
Code:
# insmod /usr/local/drivers/tun.o
Using /usr/local/drivers/tun.o
# lsmod
Module                  Size  Used by
tun                     4012   0 (unused)
ipt_TOS                  316   0 (unused)
iptable_mangle          1996   0 (unused)
iptable_filter          1572   0 (unused)
ip_tables              14120   3 [ipt_TOS iptable_mangle iptable_filter]
lgvp_hw_wdt              896   0 (unused)
cohiba                499376   0 (unused)
midi                    5216   0 (unused)
eth0_mod                 792   0 (unused)
mmc                     1840   0 (unused)
lgvp-ssp-audio         14476   0
dspg                   26048   1 [lgvp-ssp-audio]
camera-lgvp            38248   0 (unused)
nofilter_tffs         403064   1
It loaded.

I then tried to mknod the tun device:
Code:
# mknod /dev/net/tun c 10 200 
# ls -las /dev/net
   0 crw-r--r--    1 0        0         10, 200 tun
   0 drwxr-xr-x    1 0        0               0 .
   0 drwxr-xr-x    1 0        0               0 ..
# chmod 666 tun
# ls -las
   0 crw-rw-rw-    1 0        0         10, 200 tun
   0 drwxr-xr-x    1 0        0               0 .
   0 drwxr-xr-x    1 0        0               0 ..
but it doesn't work.
Code:
# cat /dev/net/tun
cat: /dev/net/tun: No such device
and OpenVPN can't use it either:
Code:
# /usr/local/bin/openvpn --dev tun --mktun
Fri Jan  2 04:40:38 1970 Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Fri Jan  2 04:40:38 1970 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Fri Jan  2 04:40:38 1970 Cannot allocate TUN/TAP dev dynamically
Fri Jan  2 04:40:38 1970 Exiting
#
Do I have to use the new vmlinux, even if the tun.o module loads with the old one?

Dave
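
The failure in the post above (node present as char 10,200, tun listed by lsmod, yet open() fails with errno 19) can be narrowed down by checking whether any driver has actually registered misc minor 200. This is an added example, not code from the thread; it assumes /proc/misc is available on the phone's kernel, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose a /dev/net/tun device node.

# Print "major,minor" of a device node, parsed from `ls -ln`
# (GNU ls and BusyBox ls both print the pair as "10, 200").
devnum() {
    ls -ln "$1" 2>/dev/null | awk '{ sub(",", "", $5); print $5 "," $6 }'
}

# Succeed if the misc-device table $1 (format of /proc/misc:
# "<minor> <name>" per line) lists minor $2, i.e. a driver registered it.
misc_has_minor() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# tun_diag NODE [MISC_TABLE] -> prints a one-word verdict
tun_diag() {
    node=$1
    misc=${2:-/proc/misc}
    # No node at all: open() would fail with ENOENT, not ENODEV.
    if [ ! -e "$node" ]; then echo missing-node; return; fi
    if [ ! -c "$node" ]; then echo not-char-device; return; fi
    # The node must be char major 10 (misc), minor 200 (TUN), as in the mknod above.
    if [ "$(devnum "$node")" != "10,200" ]; then echo wrong-devnum; return; fi
    # Node is right but nothing answers on minor 200: open() gives ENODEV (errno 19).
    if ! misc_has_minor "$misc" 200; then echo no-driver; return; fi
    echo ok
}

# Typical use on the device:  tun_diag /dev/net/tun
```

A verdict of no-driver while lsmod lists tun means the module was loaded but its misc device is not registered with the running kernel.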
 

petr

Guru
Joined
Nov 8, 2010
Messages
16
Reaction score
0
IMHO the compiled module should work. Same ABI/API, similar compiler. How about putting some debug messages to the tun code and then compiling?

I have also updated the web interface a little. Still does not do much, only reading from some of the files, like missed/received/dialed calls, a few settings and a reboot. No destructive operations yet.

I am looking for help with identification of the fields in the calls list. I can't figure out a few of them.

webui.png
 

rxcomm

Guru
Joined
Sep 13, 2010
Messages
77
Reaction score
2
Building a cross-compiler for the IP 1535

Here are some instructions to generate a working cross-compiler toolchain for the IP 1535 using gcc-3.4.6 and glibc-2.3.3. gcc 3.4 was chosen because it will generate native iwmmxt/xscale code for the PXA270. Version 2.3.3 of glibc was chosen because this matches the version on the phone.

http://dave.tycho.ws/n1535/toolchain.htm

Dave
 

fang0654

Guru
Joined
Nov 14, 2009
Messages
25
Reaction score
4
IMHO the compiled module should work. Same ABI/API, similar compiler. How about putting some debug messages to the tun code and then compiling?

I have also updated the web interface a little. Still does not do much, only reading from some of the files, like missed/received/dialed calls, few settings and a reboot. No destructive operations yet.

I am looking for help with identification of the fields in the calls list. I can't figure out a few of them.

Looks like the first ? row is length of call in seconds.
 

petr

Guru
Joined
Nov 8, 2010
Messages
16
Reaction score
0
Looks like the first ? row is length of call in seconds.
Right. The differences between call start and end time are probably just rounding errors, since they always differ by 1.
 

rxcomm

Guru
Joined
Sep 13, 2010
Messages
77
Reaction score
2
Two new tidbits...

1) Here's a working tun.o module:
http://dave.tycho.ws/n1535/tun.o

2) I sorted out the console. Looking at the bottom of the board with the word CONSOLE right side up, there are four pins above the word CONSOLE. Numbering these left to right 1 - 2 - 3 - 4:

Pin 1: Transmit data (to terminal - DB9 pin 2)
Pin 2: Receive data (from terminal - DB9 pin 3)
Pin 3: N/C
Pin 4: GND (DB9 pin 5)

Note, you must have a level shifter/inverter (MAX232A or similar) between your serial port and the CONSOLE pins. The data on the CONSOLE pins is inverted TTL.

Baud rate is 19.2kbaud.

After booting, hit the <ENTER> key to get a command prompt.

The system uses BLOB as a bootloader. But there is no bootloader prompt. I haven't yet figured out how to add one, but it should definitely be possible to boot more than one kernel.

Dave
 

petr

Guru
Joined
Nov 8, 2010
Messages
16
Reaction score
0
1) Here's a working tun.o module:
http://dave.tycho.ws/n1535/tun.o

2) I sorted out the console. Looking at the bottom of the board with the word CONSOLE right side up, there are four pins above the word CONSOLE. Numbering these left to right 1 - 2 - 3 - 4:

Pin 1: Transmit data (to terminal - DB9 pin 2)
Pin 2: Receive data (from terminal - DB9 pin 3)
Pin 3: N/C
Pin 4: GND (DB9 pin 5)

Note, you must have a level shifter/inverter (MAX232A or similar) between your serial port and the CONSOLE pins. The data on the CONSOLE pins is inverted TTL.

Baud rate is 19.2kbaud.

After booting, hit the <ENTER> key to get a command prompt.

The system uses BLOB as a bootloader. But there is no bootloader prompt. I haven't yet figured out how to add one, but it should definitely be possible to boot more than one kernel.

Dave

Are the pins 3.3V or 5V? I only have a 5V USB-serial for my arduino board.

As to the number of kernels, I think there are two residing in the internal flash, from that mdoc/kernel_update utility. One that boots by default and the second one that is a backup when something goes wrong during the flashing. Or maybe it is the root filesystem, I am not sure.

I would also be interested in reading out the kernel that is already there, but I am not sure that is possible.

I have tried to boot 070820_lvp2890_sdmmc_update_kernel.bin from the 2.50 firmware in QEMU, it definitely does something, you can connect to it with gdb, but that's about it. I would also like to know what is lvp2890_g4_root_20061128.bin from the 2.50 update, because it is written to the flash with the mdoc utility as "mdoc root". Is it the root file system?
 

rxcomm

Guru
Joined
Sep 13, 2010
Messages
77
Reaction score
2
Are the pins 3.3V or 5V? I only have a 5V USB-serial for my arduino board.
5V - your arduino board serial connector should work fine.

Dave
 

rxcomm

Guru
Joined
Sep 13, 2010
Messages
77
Reaction score
2
Level shifter/inverter circuit

A couple of people have asked me how to build a level shifter/inverter circuit to access the console. Probably the easiest way to do this is to use a MAX3235E chip from http://www.maxim-ic.com. You can get a couple of samples from them for free. This one has internal charge-pump capacitors so you don't need any extra components except the bypass capacitor. The plastic DIP package is MAX3235ECPP.

The data sheet for this part is at http://datasheets.maxim-ic.com/en/ds/MAX3233E-MAX3235E.pdf. Take a look at the figure on page 12.

Connections are indicated by lines.

max.png


Connect Pins 9 and 10 of the MAX3235E to 5V and pins 5 and 18 to GND. Put a 0.1 uF bypass capacitor between pins 9 and 18 of the MAX3235E as close to the chip as possible. Do not connect any of the other MAX3235E pins.

Dave
 

petr

Guru
Joined
Nov 8, 2010
Messages
16
Reaction score
0
A couple of people have asked me how to build a level shifter/inverter circuit to access the console. Probably the easiest way to do this is to use a MAX3235E chip from http://www.maxim-ic.com. You can get a couple of samples from them for free. This one has internal charge-pump capacitors so you don't need any extra components except the bypass capacitor. The plastic DIP package is MAX3235ECPP.

The data sheet for this part is at http://datasheets.maxim-ic.com/en/ds/MAX3233E-MAX3235E.pdf. Take a look at the figure on page 12.

Connections are indicated by lines.

max.png


Connect Pins 9 and 10 of the MAX3235E to 5V and pins 5 and 18 to GND. Put a 0.1 uF bypass capacitor between pins 9 and 18 of the MAX3235E as close to the chip as possible. Do not connect any of the other MAX3235E pins.

Dave

If you are lazy like me, go for http://www.watterott.com/de/FTDI-Basic-Breakout-5V or similar. If you own an Arduino board, you can just take out the mcu and connect the correct pins.
 

rxcomm

Guru
Joined
Sep 13, 2010
Messages
77
Reaction score
2
OpenVPN on a Nortel IP 1535

I'll post a HOWTO in a day or so, but my $35 cryptophone lives!

OpenVPN 2.1.4 on a Nortel IP 1535 videophone runs. Lag doesn't seem bad at all. I'm running OpenVPN as a client on the 1535. I'm using TUN mode, and at this point have a server and 7 different clients connected to my network.

Code:
# cat /var/log/openvpn.log
Mon Nov 15 23:43:43 2010 OpenVPN 2.1.4 arm-xscale-linux-gnu [SSL] [LZO2] built on Nov 15 2010
Mon Nov 15 23:43:43 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Nov 15 23:43:43 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Nov 15 23:43:43 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Nov 15 23:43:43 2010 LZO compression initialized
Mon Nov 15 23:43:43 2010 UDPv4 link local (bound): [undef]:1194
Mon Nov 15 23:43:43 2010 UDPv4 link remote: 128.255.70.95:1194
Mon Nov 15 23:43:43 2010 TLS Error: local/remote TLS keys are out of sync: 128.255.70.95:1194 [0]
Mon Nov 15 23:43:46 2010 [server] Peer Connection Initiated with 128.255.70.95:1194
Mon Nov 15 23:43:49 2010 TUN/TAP device tun0 opened
Mon Nov 15 23:43:49 2010 /sbin/ifconfig tun0 10.8.0.38 pointopoint 10.8.0.37 mtu 1500
Mon Nov 15 23:43:49 2010 Initialization Sequence Completed
# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:1A:7E:A3:EB:C2  
          inet addr:192.168.0.72  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5898 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2906 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:546817 (534.0 KiB)  TX bytes:282662 (276.0 KiB)
          Interrupt:9 Base address:0x300 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:336 (336.0 B)  TX bytes:336 (336.0 B)

tun0      Link encap:Point-Point Protocol  
          inet addr:10.8.0.38  P-t-P:10.8.0.37  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:460 (460.0 B)  TX bytes:480 (480.0 B)
Dave
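
The log in the post above carries OpenVPN's warning that no server certificate verification method has been enabled, which leaves the client unable to tell the real server from any other holder of a certificate issued by the same CA. As an added example (not from the thread), this shell function checks a client config for the server-verification directives OpenVPN 2.1 provides; the two sample configs, their hostname and file names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenVPN client config for
# server-certificate verification (what the log WARNING says is missing).

# Print each server-verification directive found in config file $1.
server_checks() {
    awk '
        { sub(/[#;].*/, "") }    # drop "#" and ";" comments
        ($1 == "remote-cert-tls" || $1 == "ns-cert-type") && $2 == "server" { print $1 }
        $1 == "remote-cert-eku" || $1 == "tls-remote" || $1 == "tls-verify" { print $1 }
    ' "$1"
}

# Print a PASS/FAIL verdict for config file $1; return non-zero on FAIL.
audit_client_config() {
    found=$(server_checks "$1" | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "PASS ${found% }"
    else
        echo "FAIL no server certificate verification"
        return 1
    fi
}

# Write two constructed sample configs into directory $1:
# weak.conf has the check commented out, fixed.conf enables it.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert phone.crt
key phone.key
comp-lzo
# remote-cert-tls server
EOF
    sed 's/^# remote-cert-tls server$/remote-cert-tls server/' \
        "$1/weak.conf" > "$1/fixed.conf"
}
```

remote-cert-tls server only helps if the server certificate was issued with the matching key usage and extended key usage; ns-cert-type server is the equivalent check for certificates carrying the older nsCertType field.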
 

tshif

Guru
Joined
Jan 3, 2008
Messages
1,240
Reaction score
4
Awesome! The work being done in this forum makes these telephones a far superior device from what they were when the manufacturer released them to the public.

I hope I can figure out how to follow your step-by-steps. Like TheMole said, Nice work!
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
I'll post a HOWTO in a day or so, but my $35 cryptophone lives!

OpenVPN 2.1.4 on a Nortel IP 1535 videophone runs. Lag doesn't seem bad at all. I'm running OpenVPN as a client on the 1535. I'm using TUN mode, and at this point have a server and 7 different clients connected to my network.

:party::party::party::party:
 
