Securing the Telecom Italia Aladino WiFi (Samsung WIP-6000M) SIP Handset.

There’s no point in leaving an insecure WiFi network lying around, open for abuse by some toerag with too much time and no social life, even if it is a horrible little 802.11b one.

Fortunately, by hacking the handset, we have allowed the phone to use WPA encryption (the Telecom Italia firmware is crippled, and only allows WEP). So let’s begin…

In the WiFi settings (menu 5.12.11), enter the following values:

1. Wi-fi Flag: OFF
2. Auth Type: Open
3. Type WPA: WPA
4. EAP Type: None
5. EAP Sub-Type: None
6. Encrypt type: TKIP
7. GrpEnc Type: TKIP
8. EAP TLS PW: blank
9. EAP ID: empty
10. EAP PW: blank

Now, on your AP, set the security mode to WPA with PSK, the cipher type to TKIP, and set the passphrase to whatever you want – just make sure it’s exactly 24 characters. Ensure the authentication type is set to Open, then reboot your AP. Reboot the phone, and it will ask for the passphrase. Enter it, the phone will connect, and you’re secure. Please don’t ask me how to do this for YOUR AP. Google it!

If you’re really paranoid, like me, you can also disable SSID broadcast, and enable MAC address filtering, ensuring that your phone MAC is in the ACL.
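The AP side of the handset settings above, as an added example that is not part of the original post. It assumes the access point is a Linux machine running hostapd; the interface name, SSID, channel, passphrase and ACL file path are placeholders to replace with your own.

```ini
# hostapd.conf - dedicated 802.11b AP for the handset (constructed example)

interface=wlan0                 # placeholder: your wireless interface
driver=nl80211
ssid=phone-ap                   # placeholder SSID
hw_mode=b                       # the handset is 802.11b only
channel=6                       # placeholder channel

# Handset "Auth Type: Open" -> open system authentication only
auth_algs=1

# Handset "Type WPA: WPA" with no EAP -> WPA (version 1) with a pre-shared key
wpa=1
wpa_key_mgmt=WPA-PSK

# Handset "Encrypt type: TKIP" -> pairwise cipher TKIP.
# With TKIP as the only pairwise cipher, hostapd also uses TKIP as the
# group cipher, which matches "GrpEnc Type: TKIP".
wpa_pairwise=TKIP

# Placeholder passphrase, exactly 24 characters as the post requires.
wpa_passphrase=REPLACE-WITH-24-CHARS-XX

# Optional extras from the post: stop broadcasting the SSID and only
# accept stations listed in the ACL file. Both are easy to get around
# for anyone capturing traffic, so the passphrase remains the real control.
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept   # one MAC per line; add the phone's MAC
```

The WPA-PSK key is derived from the passphrase together with the SSID, so the SSID configured here must match the one the phone joins when it prompts for the passphrase.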

Hacking the Telecom Italia Aladino WiFi (AKA Samsung WIP-6000M) SIP phone

There’s no point to having an Asterisk server if there are no phones to go with it…

I’ve got a Linksys SPA3102 which interfaces my old DECT Philips phones with my Asterisk server, but with only two handsets, it’s not really ideal.

Enter the Telecom Italia Aladino WiFi. This is a rebadged Samsung WIP-6000M, it’s a fairly old phone, around 2004 vintage, maybe even earlier, is only 802.11b, and worst of all, is locked to the Telecom Italia Alice service. However, it’s cheap (I picked up six of them for about EUR 9.00 each, excluding postage), it can be hacked, and it can have bog standard firmware flashed. Read on to find out how.

The first thing you need is the firmware, and it also helps to have some documentation. Here’s one I prepared earlier. Once you have the zip file, extract it, and then extract the firmware from aladino_fw.zip contained within it.

You will need an FTP server. Setting one up is beyond the scope of this post; please don’t ask me how, there are just too many variables involved – Google is Your Friend! Once you have your FTP server set up, you will need to copy all of the firmware files to the root of the FTP server.

After you have your FTP server set up, you will need to prepare your WiFi router or access point. A better option is to go and buy a separate, cheap, 802.11b pure access point that you can dedicate to phone service only. You will need to change some settings; don’t worry, you can set them back later. First, you will need to change the SSID of your access point to “Alice-12345678” (minus the quotes). Remove any encryption, and ensure any MAC filtering is disabled. You can add this back later.

Now on to the handset. You’re at a disadvantage here if you’re not Italian, as it’s set (obviously!) to Italian. I’ve done the hard work for you; we’ll get it to a stage where we can change it to English. Switch it on by pushing and holding down the on-hook button (the one with the red phone symbol). A splash screen will come up, it will play a cheesy tune, and eventually it will give a display titled “Selezione Rete” and allow you to select your “Alice-12345678” AP. Hit the OK button. When the sand timer has finished spinning and it comes up with a display titled “Inserisci numero”, enter the number “0” and hit the OK button. More sand timer… followed by an error message, “Errore, riprovare”. Hit the exit button (top right smartkey), and you’ll have the display up and ready.

Now to change the language. Hit the menu smartkey, and use the cursor ring to scroll across to menu 5, “Impostazioni”. You can scroll down to item 5.6, “Lingua”, or just hit the 6 key. Hit OK, and OK again. Select “English”, and hit OK. You will go back to menu item 5.6.1. Hit the 2 button (or scroll), and change the Input Mode to English as well. Exit out of the menus (you will need to hit the exit key a few times).

Before we can do anything useful, we have to turn access control ON. You do this by entering the following key sequence: *#0214*1004#

Yeah, the sounds are really cheesy, aren’t they?

Now we need to enter the test menu. You do this by entering the following key sequence: *#8999*8378#

You will need to turn provisioning and firmware signing off. These settings are found in Test Mode 4.3 (Env Settings -> PROV) and 4.4 (Env Settings -> DSIGN).

Now set up the IP settings in Test Mode 6. If you are running a DHCP server, you only need to worry about setting the FTP server IP address in 6.6, otherwise also set 6.1 and 6.2.

In the upgrade menus in Test Mode 7, set the protocol in 7.3 to FTP Auto, the CNF file in 7.4 to “Upgrade.cnf” (note the uppercase “U”), your FTP server login and password in 7.7 and 7.7, and the path in 7.8 to either “/” or the path under your FTP root where you saved the firmware files. Now you can start the main upgrade, option 7.1. This takes a while. Go and make yourself a cup of coffee.

Once the phone has rebooted into a fresh new firmware, you will find that the Test Mode is now exposed in menu item 5.12. Set your Asterisk server IP address in 5.12.5.1 and 5.12.5.4. Set the phone number in 5.12.5.12. Set the auth username and password in 5.12.5.13 and 5.12.5.14. Exit out of the menus, and reboot the phone by removing and reinstalling the battery, and switching it on.

Congratulations. You now have a WiFi SIP handset that works with your Asterisk server.

Interesting little DJ device I found

Popped into JB HiFi while I was in Sydney last week. Was drooling over the DJ equipment, when I saw a little device from Numark called the DJ2GO. It’s a midi controller, plugs into a USB port, and with appropriate software, you can DJ. Seeing as it was a whole $99, I thought, “I’ll have that”.

So I’ve been playing around with it this evening, and I can still mix those 80s tunes like I did back in the days when I was a real DJ.

Here it is, simple little device, but can do everything I ask of it