Pirelli DP-L10

Aus LaborWiki
Wechseln zu: Navigation, Suche

Hacking the Pirelli DP-L10[Bearbeiten]

Pollin recently added the GSM/Wifi Phone "DP-PL10" to it's catalogue, so I dug a bit 'round to see what kind of hard- and software it uses. The firmware is available with different brandings from different vendors. I've used the firmware from sipgate to see what software it runs.

Firmware strings[Bearbeiten]

The firmware you get from the above zip image contains an .exe file which again contains a .zip file (at offset 67072). This zip file hosts the actual firmware (probably divided into different flash blocks).

The firmware files (*.m0) seem to be "encoded" (in intel hex format?), so i wrote a quick & dirty "extractor":

#!/bin/bash
if [ $# -ne 1 ] ; then
       echo "usage: $0 file.m0"
       exit
fi
if [ ! -r $1 ] ; then
       echo "can't open $1"
       exit
fi
cat $1 | sed -r 's/^S[A-F0-9]{11}(.*)..$/\1/gm' \
       | sed -r 's/(..)(..)/\\x\2\\x\1/g' > $1.esc
echo -e `cat $1.esc` > $1.bin

This extractor isn't error-free yet, but enough to give you an idea about the firmware contents. Among other things I found several references to wpa_supplicant and a GPL header in the extracted ap.m0 file.

Here's a list of references I found so far:

  • ap.m0
    • Wifi Hardware seems to be a marvell chipset
    • Uses wpa_supplicant
    • String: Copyright (c) 2002 WWW.NexGen-Software.fr
    • Copyright (c) 1993 ATI - Nucleus PLUS 3 - Version 1.0.G1.1
      • Device is probably using Nucleus RTOS
  • fs.m0
    • Mostly media files (icons, ringtones) and confiuguration stuff
  • amdfast.m0
    • Unknown binary blob, ~490 Bytes
  • cmd.m0
    • Another binary blob ~4kbytes

More info[Bearbeiten]