Metz Open Source

As of today, Metz Consumer Electronics GmbH doesn’t publish open source code on its company website, but you may ask their customer support and they’ll send it to you on CD-ROM. I received a disc containing source code for Chassis 610/611/612 LCD-TV models.

The customer support was very cooperative and responsive and kept me informed while preparing the disc. Much appreciated!

Speedport ISDN Adapter

These devices are used by customers of Deutsche Telekom as ISDN-to-SIP gateways. Currently there doesn’t seem to be much public information about them, so I’ll make a start.

Deutsche Telekom offers broadband network connectivity and telephony services via a combined ADSL2+ and LTE router, the Speedport Hybrid, which unfortunately comes without ISDN S0 ports. Attempts to use other ISDN-to-SIP gateways behind a Speedport Hybrid have failed for reasons still to be determined. Plus, there’s no known router available which could replace the Speedport Hybrid without losing its unique channel bonding feature. So if you want to keep using your PBX, the Speedport ISDN Adapter inevitably comes into play.

[Edit: According to a blog post at, the information regarding other ISDN-to-SIP gateways is obsolete.]

The adapter features one 10/100 Mbps Ethernet connector and two ISDN S0 connectors.

When the device starts up, the following network activity can be observed:

  1. Requests IPv4 settings via DHCP
  2. Obtains network time from or (port 123/udp)
  3. Requests external IPv4 address via STUN from (port 3478/udp)
  4. Requests settings from (using a client certificate)
  5. Optionally requests a firmware update from, probably depending on the reply to the previous request.
  6. Registers at the SIP server (SRV record)

Upon removal of two rubber feet from the bottom of its casing, two Phillips screws appear. Unscrewing them allows the device to be opened. The PCB features a Lantiq PXB 4210 EL processor and has a serial port connector.

This is the boot log:

ROM VER: 1.1.4
CFG 01
VRX family DDR Access auto data-eye tuning Rev 0.1a
DDR check ok... start booting...

ISDN Terminal Adaptor GR9 Loader v1.01.001 build Apr 2 2014 19:24:45
 Arcadyan Technology Corporation
A2x VR9,
0xbf106a10 : 78
0xbf106a11 : 0
0xbf106a0c : 88
MXIC MX29LV640EB bottom boot 16-bit mode found

Copying boot params.....DONE

Get Primary to 0.....
Flash Checking Passed.

Unzipping firmware at 0x80002000 ... with AREA[2][ZIP 3]
[ZIP Extra] [ZIP 1] source:816f0011
Ready to run firmware
In c_entry() function ...^M
install_exception ^M
Co config = 80048483
sys_irq_init ...
VR9 is A21 chip !!!!, ifx_bsp_basic_mps_decrypt bf001f38
0xbf106a10 : 78
0xbf106a11 : 0
0xbf106a0c : 88
##### _ftext = 0x80002000
##### _fdata = 0x8058B5F0
##### __bss_start = 0x80625F5C
##### end = 0x82EFEEB0
allocate_memory_after_end: alloc from 82F06EB0 to 82FA1830, length=633196
##### Backup Data from 0x8058B5F0 to 0x82F06EB0~0x82FA181C len 633196
##### Backup Data completed
##### Backup Data verified
[GPIO FLOW] SetGpio() Begin ..
PLL1 locked..fails 0.
ifx_gpio_init() !!!
ifx_gpio_pre_init() !!!
[KERN_INFO]IFX GPIO driver, version 1.2.10, (c)2009 Infineon Technologies AG
Register LED MODULE OK!!
[GPIO FLOW] SetGpio() End.
[INIT] System Log Pool startup ...
[INIT] MTinitialize ..
CPU Clock 500000000 Hz
r4k_offset: 0x0003d090(250000)
init_US_counter : time1 = 34 , time2 = 225065, diff 225031
US_counter = 112
set to constant US_counter = 112
 cnt1 2040034 cnt2 2042615, diff 2581
 cnt1 2886380 cnt2 2888184, diff 1804
Runtime code version: 01012701.00.004
System startup...
[INIT] Memory COLOR 0, 8242880 bytes ..
[INIT] Memory COLOR 1, 2097152 bytes ..
[INIT] Memory COLOR 2, 10906608 bytes ..
InitCommSys: RESOURCE_BASE = 29, NUMRES = 640
InitCommSys: EVENT_BASE = 163, NUMEVT = 818
InitCommSys: MAILBOX_BASE = 6, NUMMBX = 64

rzMemory start: 0x82313DB0, end 0x8252FE38, size 2211976
Build Day = 05.03.2015, 17:34 Uhr Version = 01012701.00.004
Version Type 'NORMAL'
>>>>set_MP_pass_Magic to 4
MXIC MX29LV640EB bottom boot 16-bit mode found
Set flash memory layout to FL2MacAddr=XX:XX:XX:XX:XX:XX
Boot Parameters found !!!
Bootcode version: v1.01.001
Serial number: XXXXXXXXXX
Hardware version: 01
Firmware Ready!

According to the manual, the boot loader is based on u-boot 1.1.5, but the source code doesn’t seem to have been published yet.
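The boot log above already contains enough to reconstruct the firmware's memory layout. The following is an added example, not code from the original post or from the vendor: it parses the symbol lines from the log and cross-checks them against the "Backup Data" line. Reading _ftext, _fdata, __bss_start and end as the usual linker symbols (start of code, start of initialised data, start of BSS, end of image) is an assumption.

```python
import re

# Lines copied from the boot log above (an excerpt, not the full log).
BOOT_LOG = """\
Unzipping firmware at 0x80002000 ... with AREA[2][ZIP 3]
##### _ftext = 0x80002000
##### _fdata = 0x8058B5F0
##### __bss_start = 0x80625F5C
##### end = 0x82EFEEB0
allocate_memory_after_end: alloc from 82F06EB0 to 82FA1830, length=633196
##### Backup Data from 0x8058B5F0 to 0x82F06EB0~0x82FA181C len 633196
"""

SYMBOL_RE = re.compile(
    r"^#+ (_ftext|_fdata|__bss_start|end) = 0x([0-9A-Fa-f]+)$", re.M)
BACKUP_RE = re.compile(
    r"Backup Data from 0x([0-9A-Fa-f]+) to "
    r"0x([0-9A-Fa-f]+)~0x([0-9A-Fa-f]+) len (\d+)")


def parse_layout(log):
    """Return load address and segment sizes derived from the symbol lines."""
    syms = {name: int(val, 16) for name, val in SYMBOL_RE.findall(log)}
    missing = {"_ftext", "_fdata", "__bss_start", "end"} - syms.keys()
    if missing:
        raise ValueError(f"symbols missing from log: {sorted(missing)}")
    # Assumption: conventional meaning of these linker symbols.
    return {
        "load_address": syms["_ftext"],
        "text_size": syms["_fdata"] - syms["_ftext"],
        "data_size": syms["__bss_start"] - syms["_fdata"],
        "bss_size": syms["end"] - syms["__bss_start"],
    }


def check_backup(log, layout):
    """True if the 'Backup Data' line copies exactly the initialised data."""
    m = BACKUP_RE.search(log)
    if m is None:
        raise ValueError("no 'Backup Data' line in log")
    src, dst_start, dst_end = (int(g, 16) for g in m.groups()[:3])
    length = int(m.group(4))
    return (dst_end - dst_start == length == layout["data_size"]
            and src == layout["load_address"] + layout["text_size"])


if __name__ == "__main__":
    layout = parse_layout(BOOT_LOG)
    for key, value in layout.items():
        print(f"{key:13} 0x{value:08X} ({value})")
    print("backup matches .data:", check_backup(BOOT_LOG, layout))
```

The 633196-byte backup length equals __bss_start minus _fdata, so the firmware keeps a copy of its initialised data above the end of the image at startup.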

Bluetooth weaknesses in mobile phones

Once, when I met Collin R. Mulliner at the university, he told me he was having fun exploring weak Bluetooth stacks. I liked the idea, and some days later I bought a Bluetooth dongle. It was quite a surprise to me that my phone, a Nokia 6310i, silently accepted AT modem commands on some RFCOMM channels without pairing. Later I discovered that some Ericsson phones had the same kind of vulnerability. This is the C code which I wrote while learning how to use the BlueZ stack and how to get data from a phone using AT commands.

I2C monitoring

If you write software for a badly documented or undocumented device, then it is sometimes easier to just sniff some bytes of data sent by the original software instead of using a disassembler. Milk is a great piece of software which can be used to capture I2C traffic. To make its output more verbose I modified it to include register names where available and to calculate some stuff for the devices used in the Nokia dbox2.