Author Topic: Spot the EEPROM?  (Read 4318 times)

0 Members and 1 Guest are viewing this topic.

Offline kujina

  • Contributor
  • Posts: 5
  • Country: gb
Spot the EEPROM?
« on: March 17, 2016, 03:51:12 am »
Hello all

Question
I have looked over the board in the photo below and searched the codes on google but I cant locate the eeprom on this board, I appreciate any help.

Background
Basically I bought a couple of cisco spa502g voIP phones cheap on eBay and unfortunately they are password protected (this often is the case with these phones second hand), the problem I have is these phones have strong security and I cant factory reset these phones (tried tftp provisioning).

The idea now is to remove the EEPROM and swap in an un-programmed one, and perhaps the phone would go in SOS (recovery) mode and then I could re-flash using the 'Cisco SPA Device Firmware Upgrade Utility'.

Thanks

Click for much larger image
« Last Edit: March 17, 2016, 04:10:44 am by kujina »
 

Offline Kjelt

  • Super Contributor
  • ***
  • Posts: 4561
  • Country: nl
Re: Spot the EEPROM?
« Reply #1 on: March 17, 2016, 04:02:23 am »
Which foto?
 

Offline kujina

  • Contributor
  • Posts: 5
  • Country: gb
Re: Spot the EEPROM?
« Reply #2 on: March 17, 2016, 04:08:45 am »
Which foto?

Sorry was faffing with image  :o
 

Offline Kjelt

  • Super Contributor
  • ***
  • Posts: 4561
  • Country: nl
Re: Spot the EEPROM?
« Reply #3 on: March 17, 2016, 04:12:20 am »
The 29lv64 is a huge flash rom, why would they not store it in there?
I would first try a factory reset and the factory passwords if you can get them.
 

Offline Kilrah

  • Supporter
  • ****
  • Posts: 1488
  • Country: ch
Re: Spot the EEPROM?
« Reply #4 on: March 17, 2016, 04:14:45 am »
If there's one it would most likely be the little 8-pin chip on top right (U16), but it's likely there is none and everything's stored in the flash with a small partition of it being mounted read/write. 
 

Offline andtfoot

  • Supporter
  • ****
  • Posts: 350
  • Country: au
Re: Spot the EEPROM?
« Reply #5 on: March 17, 2016, 04:22:29 am »
In the firmware download from the Cisco site there is a recovery .exe.
I haven't tried it (I've only worked with the Call Manager connected stuff), but does that maybe work without having to reset the phone first?
 

Offline NANDBlog

  • Super Contributor
  • ***
  • Posts: 4026
  • Country: nl
Re: Spot the EEPROM?
« Reply #6 on: March 17, 2016, 04:45:19 am »
If there's one it would most likely be the little 8-pin chip on top right (U16), but it's likely there is none and everything's stored in the flash with a small partition of it being mounted read/write. 
doubt it, it goes to J23 so it is power.
I think it might be one of the small SOT23 devices. U9 is either a reset IC or a one wire eeprom.
 

Offline kujina

  • Contributor
  • Posts: 5
  • Country: gb
Re: Spot the EEPROM?
« Reply #7 on: March 17, 2016, 05:19:48 am »
Thanks guys really appreciate all the replies, I'm trying to get those working to give to my brother in law to use with his new business.  The eBay seller sells lot of general commercial & industrial items and has no clue about these phones. I've tried all the standard avenues of reseting the phone including trying to "provision" the phone via TFTP on boot. I did actually get the provisioning via TFTP (as a test) to work on my spa504g I already have. So these spa502G's probably have provisioning disabled and the web (admin) interface is also disabled so they have been really locked down!

doubt it, it goes to J23 so it is power.
I think it might be one of the small SOT23 devices. U9 is either a reset IC or a one wire eeprom.

The U9 component has written on it AM034 or AMO34.

The following link is where I got the idea about the eeprom (unfortunately the thread is closed as it's old).
« Last Edit: March 17, 2016, 05:21:29 am by kujina »
 

Offline daqq

  • Super Contributor
  • ***
  • Posts: 1309
  • Country: sk
    • My site
Re: Spot the EEPROM?
« Reply #8 on: March 17, 2016, 05:33:05 am »
Try contacting CISCO for a reset procedure maybe? Other than that there's still the possibility that any configuration data is stored either in the main ASIC or in the main FLASH memory... maybe if you have access to a scope you could scope out the communication in and out of the U9 to see/guess what it does?

Also, I'm guessing that there is a fair amount of stuff to configure on such a phone - it'll probably run some kind of linux/obscure OS with a lot of networking settings. As such 1-2kB is the bare minimum value for such a configuration, probably more. As such it's a good bet that they won't be storing it in a small 1 wire memory. My best guess would be that it's stored in the main FLASH.
Believe it or not, pointy haired people do exist!
+++Divide By Cucumber Error. Please Reinstall Universe And Reboot +++
 

Offline Kjelt

  • Super Contributor
  • ***
  • Posts: 4561
  • Country: nl
Re: Spot the EEPROM?
« Reply #9 on: March 17, 2016, 08:39:08 am »
You could desolder the flash chip, solder it on a breakoutboard and read out its contents.
However looking in the manual that this thing can do real time 256 bits  encryption/decryption, if I was the SW engineer I would encrypt the entire external flash and sign it.
Still it could be unencrypted in which case the flash might give clues about configuration or passwords etc.
 

Offline kujina

  • Contributor
  • Posts: 5
  • Country: gb
Re: Spot the EEPROM?
« Reply #10 on: March 17, 2016, 09:33:20 am »
Sorry guys you'll have to forgive me, my knowledge of electronics is very very basic. Re-reading the responses I've realised that the answer is probably the large 29LV640ETTI-70G - "The 29lv64 is a huge flash rom, why would they not store it in there?" comments from Kjelt made the penny drop.

As I wrote before, I got the idea from this thread to remove the EEPROM flash memory and swap in an un-programmed one, hopfully making the phone go into SOS mode recovery and then I could re-flash using the 'Cisco SPA Device Firmware Upgrade Utility'.

Is this making more sense now?
 

Offline ade

  • Supporter
  • ****
  • Posts: 231
  • Country: ca
Re: Spot the EEPROM?
« Reply #11 on: March 17, 2016, 09:56:51 am »
If you attempt to replace the flash memory you'll probably just damage the phone permanently.

It sounds like your phone is provider locked.   Your best bet is to find out which company was the service provider (maybe there's a message on boot), call them up and kindly ask them if they would unlock the phone for you ("pretty please"). 
 

Offline ve7xen

  • Frequent Contributor
  • **
  • Posts: 644
  • Country: ca
    • VE7XEN Blog
Re: Spot the EEPROM?
« Reply #12 on: March 17, 2016, 12:39:47 pm »
You can also try hooking the phone up to a network you control and monitor its traffic. Chances are that it reaches out for a provisioning file. Set up a server to respond on whatever address it is reaching out to (maybe you can just set a local DNS entry to override it) and I believe you should be able to re-provision the phone. I'm not too familiar with the provisioning files for these phones, but you should be able to set the front-panel password that way, then do a factory reset.

Pretty sure Cisco didn't use encryption anywhere inside the box. They are stuck in the 90s when it comes to software development, and this series of phones is no exception. The software quality is quite horrible.
73 de VE7XEN
 

Offline kujina

  • Contributor
  • Posts: 5
  • Country: gb
Re: Spot the EEPROM?
« Reply #13 on: March 17, 2016, 01:31:56 pm »
ve7xen I actually just did that before refreshing this page and reading your post! Earlier I read ade's reply and I knew trying to get the password from the original supplies of the phones would be a long shot but I decided to look through the phone's menu's once again for any details and I saw the provisioning server url in the Status menu so I set everything up DNS wise etc and a correctly named .xml file with a password of 0000, the phone provisioned and voilĂ   :) factory reseted them both!

Thanks everybody for your responses, these phones will be off to my brother in-law now. I will pick up one or two more of these spa50XG series phones for myself and if provisioning doesn't work (these phones are almost always password protected coming from business environments) I will attempt removing the flash memory as a last resort.

Thanks!
« Last Edit: March 17, 2016, 07:11:42 pm by kujina »
 

Online blueskull

  • Supporter
  • ****
  • Posts: 9632
  • Country: cn
  • Power Electronics Guy
Re: Spot the EEPROM?
« Reply #14 on: March 17, 2016, 01:35:15 pm »
If the top right corner one is not, then there is not one, at least on the top side.
SIGSEGV is inevitable if you try to talk more than you know. If I say gibberish, keep in mind that my license plate is SIGSEGV.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf