inside the Belkin desktop Skype phone

One of the hardhack team members recently purchased a Belkin Desktop Internet Phone for Skype (product ID F1PP010EN-SK). These phones are self-contained units that run Skype natively without the assistance of a PC. We decided to take a peek inside the phone to see what we could see. Unfortunately, this phone is meant for actual use, so we did not want to actually try to hook anything up to it (JTAG, etc.) or experiment with it at this time; maybe we'll buy another one in the future to dedicate to more devious purposes. At US$80 (Amazon, circa Dec 2008), it's not that expensive.

The main PCB of the phone is largely one sided, as the opposite side essentially just holds the button pads and the LCD screen. The lower-right side of the board (as pictured, below) holds the RJ45 Ethernet and power jacks, and the extreme left side holds the RJ11 phone handset jack and on-hook switch. The LCD is on the opposite side of the PCB (not shown), immediately right of the pictured speaker (the big circle thing, can't miss it).


 

IC/component markings are as indicated:

  • 1: Broadcom CPU, BCM1191KPGB. We couldn't find info on the BCM1191, but the BCM1190 is a VoIP-centric 32-bit CPU meant for residential Ethernet IP phone devices. The BCM1191 might be a derivative of the BCM1190 especially adapted for Skype.
  • 2: 256 Mbit DDR SDRAM, Qimonda HYB25DC256160CE-5
  • 3: Unknown IC, 809L1 A4890
  • 4: 32MB NAND Flash, Samsung 810 K9F5608U0D
  • 5: Ethernet transformer, TAIMAG HA-103
  • 6: Generic 74HC32D IC - Quad 2-input OR gate

There are only a few obvious connection locations. There are two unpopulated connector locations next to the existing RJ45 connector; the BCM1190 supports two Ethernet MAC/PHY, so it is very likely that the unpopulated 8-pin connector location is meant for the second RJ45 Ethernet connector. On the upper-left are two 20-point connection pads and a 4-pin connector. Perhaps the 20-point pads are MIPS JTAG (particularly the top one as pictured, below), and/or the 4-pin connector is a UART? Unfortunately it's a multi-layer PCB and the traces to these connection locations were not easily followable (they disappear into vias, under dense component clusters, etc.).


 

A simple nmap of the network-side of the device (when up and running, obviously) looks like:

hardhack:~# nmap -sS -p 1-65535 -n -O 10.0.100.73
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-12-30 22:51 EST
Interesting ports on 10.0.100.73:
Not shown: 65532 closed ports
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
13230/tcp open  unknown
MAC Address: 00:1C:DF:80:05:AC (Unknown)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11
Uptime 49.709 days (since Tue Nov 11 05:50:56 2008)
Nmap finished: 1 IP address (1 host up) scanned in 20.660 seconds
	
The reported uptime is bogus, because the device was only powered on for about 2 minutes before this nmap scan was run. You can see that port 80 was listed; there is indeed a webserver running on it (default auth is user "admin" and no password). This brings you to a device page that allows you to update the device's firmware. Speaking of firmware, the product CD includes a GPL tarball with the basic GPL components of the device's firmware. A quick review of some of the files shows that it is indeed running Linux, and seems to be based on a generic platform called the Broadcom 'OnePhone', which is apparently also used for Wi-Fi VoIP phones (Samsung's SPH-V6900 was mentioned by name). There definitely seems to be hacking potential.
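One plausible reading of the bogus uptime, as an added example that is not part of the original post: Nmap derives its uptime guess from the TCP timestamp counter, and Linux 2.6 starts its tick counter 300 seconds before the 32-bit wrap, so a freshly booted 1000 Hz device appears to be about 49.7 days old. The candidate tick rates, and the assumption that this phone's TCP timestamps follow that counter, are ours; the post confirms neither.

```python
import re

# Two lines copied from the scan output in the post above.
NMAP_OUTPUT = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-12-30 22:51 EST
Uptime 49.709 days (since Tue Nov 11 05:50:56 2008)
"""

WRAP = 2 ** 32                   # TCP timestamp values are 32-bit counters
BOOT_OFFSET_S = 300              # Linux 2.6 INITIAL_JIFFIES: counter starts 300 s before the wrap
CANDIDATE_HZ = (100, 250, 1000)  # assumed tick rates; the phone's real HZ is not stated on the page


def reported_uptime_days(nmap_text):
    """Pull the uptime guess out of Nmap's normal (human-readable) output."""
    m = re.search(r"^Uptime\s+([\d.]+)\s+days", nmap_text, re.MULTILINE)
    if not m:
        raise ValueError("no Uptime line in scan output")
    return float(m.group(1))


def explain_uptime(uptime_days, hz):
    """Treat the guess as a raw counter ticking at `hz` and test the boot-offset theory."""
    tsval = round(uptime_days * 86400 * hz)   # counter value implied by the guess
    to_wrap_s = (WRAP - tsval) / hz           # seconds left before the counter wraps
    near_wrap = 0 <= to_wrap_s <= BOOT_OFFSET_S
    return {
        "hz": hz,
        "tsval": tsval,
        "seconds_to_wrap": to_wrap_s,
        # If the counter began BOOT_OFFSET_S short of the wrap, this is the real uptime.
        "real_uptime_s": BOOT_OFFSET_S - to_wrap_s if near_wrap else None,
    }


def analyze(nmap_text=NMAP_OUTPUT):
    """Evaluate every candidate tick rate against the reported uptime."""
    days = reported_uptime_days(nmap_text)
    return [explain_uptime(days, hz) for hz in CANDIDATE_HZ]


if __name__ == "__main__":
    for result in analyze():
        print(result)
```

Only the 1000 Hz case lands inside the 300-second window before the wrap, which would put the real uptime at a few minutes rather than seven weeks.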

Some minor hacking of the web CGI interface can cause it to dump a status blurb if you give it a bad page parameter. On our device, it lists the image as being "ota_BCM91103_vlinux-2.6.17.14_cramfs.bin", built on Jan 14 11:50:31 2008 and version 1_0_0L.

- hardhack team

posted on 31 Dec 2008