Hacking of videophones


Let us understand how fixed videophones that allow video calls work. In particular, we will study the software update. This procedure works for most phones, probably all of those produced by TLC Urmet. If any of you run tests with other devices, let me know so that I can update the list.

The phones on which I conducted the tests are the MP315 and the V300. Their update is based on the TR-069 standard, which is also used by other devices such as train stations, electricity meters and routers, so the procedure can be extended to a considerable number of devices.

Brief description of the operation of the telephone

At power-on the phone queries a DHCP server. In addition to its IP address, the phone obtains the address of the DNS server. These parameters can also be read from the phone settings, which is very useful for testing. The phone then queries the DNS server to resolve an address. From the DNS response it learns which host to contact for the software update.

What we need

Certainly a computer, a DHCP server, a DNS server, a videophone for testing, a software version to be loaded on the device, a program that communicates with the device, and a web server.

We could set up a network with multiple computers, one for each service, and a more complex architecture, with routers that NAT the phone's IP. Everyone can indulge as they wish, but for now I will try to simplify things as much as possible. We use a single computer that runs Linux and all the services we need.

How the telephone is made

v300
Let us try to understand how the phone is made. We connect it with a network cable to an Ethernet card in our computer, and assign an address to that card, which we suppose is eth1:

ifconfig eth1 192.168.1.1 netmask 255.255.255.0 up

Now we need a DHCP server. This configuration is fine:

 ddns-update-style none;
 ignore client-updates;
 authoritative;

 subnet 192.168.1.0 netmask 255.255.255.0 {
     option routers 192.168.1.1;
     option subnet-mask 255.255.255.0;
     option domain-name-servers 192.168.1.1; # this machine
     default-lease-time 21600;
     max-lease-time 43200;
     host dhcp101 {
         hardware ethernet 00:D0:1A:A0:0C:43;
         fixed-address 192.168.1.2;
     }
 }

As you can see, I set the Ethernet address of the phone. It is written on a sticker underneath the telephone and also appears in the phone's configuration menu.
We start the server:

service dhcpd start

and turn on the phone. We see that everything works as we want: the phone has the IP address 192.168.1.2.
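What the phone receives in that DHCP exchange, as an added example that is not part of the original post: a Python parser for a constructed DHCPACK carrying the values from the configuration above, plus a check that flags a DNS server outside an expected set, since the phone finds its update server through whatever DNS address the lease supplies. The function names, the transaction id and the allowlist address 10.0.0.53 are assumptions.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def parse_dhcp_reply(pkt: bytes) -> dict:
    """Extract the lease fields a client acts on from a DHCP reply."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = min(pkt[2], 16)
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]

    def addrs(code):                           # option value = list of IPv4 addresses
        raw = opts.get(code, b"")
        return [socket.inet_ntoa(raw[j:j + 4]) for j in range(0, len(raw) // 4 * 4, 4)]
    lease = opts.get(51, b"")
    return {
        "msg_type": (opts.get(53) or b"\x00")[0],   # 5 = DHCPACK
        "client_ip": socket.inet_ntoa(pkt[16:20]),  # yiaddr field
        "mac": ":".join(f"{b:02X}" for b in pkt[28:28 + hlen]),
        "netmask": addrs(1), "routers": addrs(3), "dns": addrs(6),
        "lease_secs": struct.unpack("!I", lease)[0] if len(lease) == 4 else None,
    }

def unexpected_dns(reply: dict, allowed: set) -> list:
    """DNS servers in the lease that are not in the site's allowlist."""
    return [ip for ip in reply["dns"] if ip not in allowed]

def sample_ack() -> bytes:
    """Constructed DHCPACK carrying the values from the dhcpd.conf above."""
    ip = socket.inet_aton
    head = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                       ip("0.0.0.0"), ip("192.168.1.2"), ip("192.168.1.1"),
                       ip("0.0.0.0"), bytes.fromhex("00D01AA00C43"), b"", b"")
    opts = (b"\x35\x01\x05" + b"\x01\x04" + ip("255.255.255.0")
            + b"\x03\x04" + ip("192.168.1.1") + b"\x06\x04" + ip("192.168.1.1")
            + b"\x33\x04" + struct.pack("!I", 21600) + b"\xff")
    return head + MAGIC + opts

if __name__ == "__main__":
    # 10.0.0.53 is an assumed allowlist entry, so the lab resolver is reported
    print(unexpected_dns(parse_dhcp_reply(sample_ack()), {"10.0.0.53"}))
```

Nothing in the reply is authenticated, so a monitor running this check on a segment that carries such phones reports any lease whose resolver is not one the site operates.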

Let us see what we are dealing with, using nmap:

nmap -A -T4 192.168.1.2

 Starting Nmap 4.52 (http://insecure.org) at 19/11/2008 15:55 CET
 Interesting ports on 192.168.1.2:
 Not shown: 1713 closed ports
 PORT     STATE SERVICE VERSION
 8080/tcp open  http    Boa HTTPd 0.94.8.3
 |_ HTML title: MediaPhone Web Server
 MAC Address: 00:D0:1A:A0:0C:43 (Urmet Spa TLC)
 Device type: general purpose
 Running: Linux 2.4.X
 OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
 Uptime: 0.005 days (since Wed November 19 15:48:27 2008)
 Network Distance: 1 hop

 OS and Service detection performed. Please report any incorrect
 results at http://insecure.org/nmap/submit/.
 Nmap done: 1 IP address (1 host up) scanned in 21.051 seconds

Perfect, there's our beloved penguin :) and a web server on port 8080. Not much, but better than nothing.

November 26, 2008 • Posted in: Computers