neffs / gigahack

Analysis of Sinus 501V and Gigaset DECT IP Phones

How to determine EEPROM codes #1

Open jschwartzenberg opened 10 years ago

jschwartzenberg commented 10 years ago

I saw you had managed to figure out multiple EEPROM codes. Could you explain a bit about the process you used to do that? I'd like to try something similar with my C450 IP.

neffs commented 10 years ago

I reverse engineered this function and the EEPROM memory layout using the open source releases and IDA Pro. You can find a script to generate the codes here: https://github.com/neffs/gigahack/blob/master/scripts/eepromWriteCalc.py

To get the current EEPROM content I originally dumped the EEPROM using an I2C adapter. Later I used a function on the handset to send service data to Siemens and recorded the transfer (Wireshark). After you put the file together you can decrypt it using this: https://github.com/neffs/gigahack/blob/master/scripts/sysdump_decode/decode.py

Most settings are documented here: https://github.com/neffs/gigahack/blob/master/documentation/flags.txt

Most of the IP related stuff can be set by using manipulated profiles. You can find the files which enable everything here: https://github.com/neffs/gigahack/tree/gh-pages

What do you want to do specifically?

jschwartzenberg commented 10 years ago

I'm using a Targa DIP 450 here which is very similar to the Gigaset C450 IP, they both use the same firmware. The Targa lacks some features however, so it would be interesting to see if I can turn them on.

I guess I should look into the function to send the service data first and run it through your script.

neffs commented 10 years ago

I just remembered that the C450 (and the Targa) is a different hardware. Maybe the features really aren't there, not just disabled. Did you compare it with the C450 IP features?

jschwartzenberg commented 10 years ago

I checked the firmware and it contains all the strings that would be needed. Even the images for the C450 branding are available through the webserver which is running on the Targa. Do you remember how you managed to send the service data?

neffs commented 10 years ago

It's in the menu during a call.

jschwartzenberg commented 10 years ago

I have a 'Service Info' menu during a call, but there doesn't seem to be an option to send the service data from there. I'm afraid my base doesn't support this feature. Do you think there is anything I could do with the data from the source release to extract some info about the EEPROM? How did you manage to document the different settings?

neffs commented 10 years ago

IDA Pro, lucky guessing and too much time. You can have a look at the firmware: http://profile.gigaset.net/chagall/1/1/chagall063_01.bin I think at 0xB8132 starts an empty EEPROM, which you can compare to an EEPROM from a newer base (I can e-mail you one). It looks quite similar in some ways, but it's a stock EEPROM, so yours should be different.

As a starting point, here should be one ID which tells the device where to find its firmware: http://profile.gigaset.net/chagall/1/1/chagall063_01.bin
First 1: C450 hardware
Second 1: Siemens branding
Targa probably uses another path. You can change this ID with an EEPROM code; on my phone the address of this setting is 0x020D.

If you just want to change the branding for the web interface, try setting up your own profile server just like in the gh-pages branch, starting with: http://profile.gigaset.net/chagall/1/1/master.bin

jschwartzenberg commented 10 years ago

The firmware is identical for both devices. The branding for both Siemens and Targa is on my base already: when I take the path to the Siemens image files from the firmware file, I can successfully retrieve those files from the webserver that is running on the device. There is just a switch somewhere which determines the correct image file to display.

I took a look at the files included with the source release with IDA Pro and this indeed shows some interesting things :) ae_eep.o in app.a contains a function to select the correct country. ae_ctrl.o contains a lot of functions to determine whether the base is locked to a specific provider, how many simultaneous VoIP calls are possible, how many VoIP numbers can be set up, messenger, e-mail, PPPoE support. I think this is the place from where I need to look further. I'll look up some ARM documentation on its opcodes tomorrow to get a better understanding of how these functions actually work.

I'm not really sure yet how I will have to convert all the addresses and whether I need to check the firmware binary file for that. Isn't it compressed in some way? I also wonder whether it would be attractive to adjust the firmware binary itself. If you have any more tips at this point, I would be very interested! Thanks a lot for the info so far!!

ge0rg commented 9 years ago

I'm another "lucky" Targa DIP450 owner, and now I had a little look into the chagall072_01.bin (latest firmware release). The http://dip450ip/scripts/navnodes.js page is generated from a kind of template language (if you open the page on your device, you will see many empty lines). Searching for addNavigationItem in the .bin reveals the following:

nav = new Array();
addNavigationItem (1, 'nowhere.xxx', '', 0);
addNavigationItem (2, 'login.html', '%J27%', 1);
addNavigationItem (1, 'home.html', '%J28%', 1);
addNavigationItem (1, 'settings_lan.html', '%J29%', 1);
addNavigationItem (2, 'settings_lan.html', '%J14%', 1);
%E0105%addNavigationItem (2, 'settings_pppoe.html', '%JDF%', 1);%F0105%
%E0106%addNavigationItem (2, 'settings_telephony_voip_multi.html', '%J2B%', 1);
addNavigationItem (3, 'settings_telephony_voip_multi.html', '%J12B%', 1);

From this I would conclude the following:

It also seems that the webserver checks if it is allowed to serve the according pages, as they return 404 when tried manually. I would like to find out the dependency of these variables on the EEPROM state :)

ge0rg commented 9 years ago

Another small finding: %C1E00% is replaced by the branded device name, that actually looks like an EEPROM address here.
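As an added illustration (not code from the thread or from the gigahack repository) of how the tokens seen in navnodes.js could be expanded, under the hypothesis stated above: %E…%/%F…% as a block gated on a feature flag, %J…% as a UI string-table lookup and %C…% as a read from an EEPROM address. The string table, the EEPROM slice and the %F0106% terminator on the second block are constructed for the example.

```python
import re

# Constructed sample modelled on the navnodes.js fragment quoted in the thread;
# the %F0106% terminator is added on the assumption that every %E% block has one.
TEMPLATE = """nav = new Array();
addNavigationItem (2, 'login.html', '%J27%', 1);
%E0105%addNavigationItem (2, 'settings_pppoe.html', '%JDF%', 1);%F0105%
%E0106%addNavigationItem (2, 'settings_telephony_voip_multi.html', '%J2B%', 1);%F0106%
document.title = '%C1E00%';
"""
# Assumed token semantics (a hypothesis from the thread, not confirmed against the firmware):
#   %Exxxx% ... %Fxxxx%  block emitted only when feature flag xxxx is enabled
#   %Jxx%                UI string-table lookup
#   %Cxxxx%              value read from EEPROM address xxxx (1E00 = branded device name)
STRINGS = {"27": "Login", "DF": "PPPoE", "2B": "VoIP"}   # constructed string table
EEPROM = {0x1E00: b"Targa DIP 450\x00\xff\xff"}            # constructed EEPROM slice
TOKEN = re.compile(r"%([EFJC])([0-9A-Fa-f]+)%")
NAV_ITEM = re.compile(r"addNavigationItem \(\d+, '([^']+)'")

def render(template, flags, strings=STRINGS, eeprom=EEPROM):
    """Expand the template for a given set of enabled flag IDs (hex strings)."""
    out, suppress, pos = [], [], 0   # suppress: one bool per currently open %E% block

    def emit(text):
        if not any(suppress):        # inside a disabled block nothing is written
            out.append(text)

    for m in TOKEN.finditer(template):
        emit(template[pos:m.start()])
        pos = m.end()
        kind, arg = m.group(1), m.group(2).upper()
        if kind == "E":
            suppress.append(arg not in flags)
        elif kind == "F":
            if not suppress:
                raise ValueError(f"%F{arg}% without an open %E% block")
            suppress.pop()
        elif kind == "J":
            emit(strings.get(arg, f"<J{arg}?>"))
        elif kind == "C":             # NUL-terminated string at the EEPROM address
            raw = eeprom.get(int(arg, 16), b"")
            emit(raw.split(b"\x00", 1)[0].decode("latin-1"))
    emit(template[pos:])
    if suppress:
        raise ValueError("unterminated %E% block")
    # The newline after %F% lies outside the block, so a disabled item leaves an empty
    # line, matching the blank lines seen when fetching navnodes.js from the device.
    return "".join(out)

def nav_pages(rendered):
    return NAV_ITEM.findall(rendered)   # page names offered by the rendered script
```

Running render() with different flag sets shows which navigation entries (and thus which settings pages) a given EEPROM feature state would expose, which is the dependency the comment above sets out to find.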

jschwartzenberg commented 9 years ago

Also, for reference: this Russian forum topic contains a list with a large number of known codes: http://forum.siemens-club.ru/viewtopic.php?TopicID=63193

Maybe it would be possible to match some known functionality with what can be seen through IDA and the info from neffs to figure out how to calculate more EEPROM codes.

jschwartzenberg commented 3 years ago

I just hooked my device up again after years, as I needed it again. No idea if anybody else is still using their device? :) Regarding the firmware, see these:

https://www.targa.gmbh/nc/service/suche/gnu/ https://www.targa.gmbh/fileadmin/user_upload/GNU/LinuxSourceCode_TARGA_DIP_Phone_450.ZIP (firmware from 2006)

https://web.archive.org/web/20120419222958/http://gigaset.com/hq/en/cms/PageOpenSource.html https://web.archive.org/web/20110702081912if_/http://gigaset.com/opensource/C450%20IP%20Baseline72/ (firmware from 2008)

The strings mentioned above can be found in there too, possibly easier to analyze as there's a bit more context.