Calling Comdial - Part 1

by Metalx1000 (

For those who are unfamiliar, Comdial phones are Session Initiation Protocol (SIP) phones that are used in offices.

Instead of traditional phone lines, these phones connect to your local network via Cat-5.  Although I have not worked with Cisco phones, from what I have read they are similar.

In this article I will be talking about model "CONVERSip EP300", although I'm sure that these techniques will work on other models.  The first step in exploring the phone is to find its IP address.  There are two ways of doing this.  The first way is to walk right up to the phone and get the information.

To do this look at the LCD screen on the front of the phone.

Right below the LCD screen are three buttons.  Each corresponds with a menu option on the screen.  The three default options are VMAIL (Voice mail), DND (Do Not Disturb), and MENU.

Let's choose MENU then NEXT.  When you see "2 Info" on the LCD screen, press ENTER.  Now press NEXT twice.  This brings you to a screen that says "3 System Info".

Press ENTER and you will see "1 Network Info".  Press ENTER again.  Press NEXT three times and your screen will say "4 IP Address".  Press ENTER one last time and you will see the IP Address of the phone.

Now, if you can't physically get to the phone, you can find it easily with Nmap, a great tool for scanning networks.  I'm not going to go into detail on Nmap, as there have been plenty of articles written on it, and there is plenty of info available on the web.

Once you run a full scan on the phone with Nmap you will find that ports 8001, 8002, 8003, 9026, 9027 are open.  Ports 8001, 8002, 8003 I believe are used for the communication itself.  Port 9026 asks for a user name and password, which I don't know, but if I find them I will let you all know.  Finally, we get to port 9027, which we will be looking at today.

I will be using Netcat in this tutorial, but Telnet or similar programs will work as well.  Let's say our IP address is, we would connect to the phone with Netcat and you would get the following output:

$ nc 9027
[17:17:12.428] command_poll: got listenfd event
[17:17:12.439] command_poll: action->fd_ptr=9 accepted
[17:17:12.439] Connected to station 237
[17:17:12.441] Phone Version: 3.0.026
[17:17:12.439] Phone Build Date: 06/05/2008 17:17:12
[17:17:12.439] Phone MD5Sum: 3777ad4b3ac20ae9b56391267e81bb90
[17:17:12.450] Boot Version: 1.04
[17:17:12.451] Boot Build Date: 05/03/2005 22:40:17
[17:17:12.450] Boot MD5Sum: 5b84e34dcf06235e3763c755a9c57e9c

Now that you are connected, type ? and press Enter.  This will bring up the help menu as follows:

*** Console commands
[19:42:19.089] @ [destip] - Send debug log to remote syslog at [destip]
[19:42:19.089] or turn off if [destip] not specified
[19:42:19.100] ! [agressiveness] - Set speakerphone agressiveness
[19:42:19.100] 0..7 - debug flag level
[19:42:19.099] a - debug flag toggle
[19:42:19.098] A - verbose flag toggle
[19:42:19.099] B - Generate Test Tone on Bzr
[19:42:19.109] c - core selection alt between 1, 2
[19:42:19.109] C - crash write to 0
[19:42:19.108] D - 1 - Si3000, Default - Dump DSP statistics
[19:42:19.109] d - increase dspDriverVerbose (wrap around range 0-3)
[19:42:19.108] E - Dump EPROM info
[19:42:19.110] e - Dump Ethernet stats
[19:42:19.118] e 0 - reset Ethernet stats
[19:42:19.119] g - gdb spin loop
[19:42:19.120] H - Switch to Headset
[19:42:19.118] h - Switch to Handset
[19:42:19.120] I - Switch to Mic/Spkr
[19:42:19.119] i - Adjust mic input gain (@DSP) +1dB (wraps around)
[19:42:19.128] k - Dump system info
[19:42:19.129] K - Keypad timer ticks since last key event
[19:42:19.129] L - LED test
[19:42:19.128] M - Increase ADC Rx (Mic) gain +1
[19:42:19.129] m - Decrease ADC Rx (Mic) gain -1
[19:42:19.130] o - Toggle voice activity detection
[19:42:19.140] p - Play voice prompt welcome to Soundpipe...
[19:42:19.140] r - Request DSP Statistics
[19:42:19.138] S - Inc Spkr Out Gain (@DSP)
[19:42:19.139] s - print station number of this phone
[19:42:19.140] T - Mute ALL Input and Outputs
[19:42:19.149] t - Generate DSP tones
[19:42:19.148] U - Inc Spkr Vol. (Dec Attenuation)
[19:42:19.148] u - Dec Spkr Vol. (Inc Attenuation)
[19:42:19.149] V - Inc ADC Tx PGA (O/P) gain +1
[19:42:19.150] v - Dec ADC Tx PGA (O/P) gain -1
[19:42:19.148] W - Inc ADC Rx PGA (I/P) gain +1
[19:42:19.158] w - Dec ADC Rx PGA (I/P) gain -1
[19:42:19.159] X - Inc ADC Line Out gain (Dec Attenuation)
[19:42:19.158] x - Dec ADC Line Out gain (Inc Attenuation)
[19:42:19.159] Y - Increase Line-In gain
[19:42:19.160] y - Decrease Line-In gain
[19:42:19.159] z - Test LCD/Signal/Notify msgs
[19:42:19.169] Z - Play test tone

Each of the letters listed run the function indicated, when you type the letter and press Enter.  So if you type k and press Enter, it will dump a bunch of system info to your screen such as microphone and speaker volume, numbers dialed, called received, call times, and a bunch of other info.

If someone is using the phone you can use the u and U command to raise and lower the volume on the phone.  Command I will switch on the speaker of the phone while h will set it back to the headset (this is fun to do if you are in the same room as the person on the phone).

T will "Mute ALL Input and Outputs", but I don't know how to unmute them unless they hang up and redial.  So, only use the "T" command if you want to disconnect someone's call.

Some other commands are not as fun.

For example z will cause a whole lot of messages to flash on the screen of the phone, but all the messages flash for about one tenth of a second, making it very hard to notice.

You may also notice that if someone picks up the headset or presses buttons on the phone while you are connected you will receive some output on your screen.  By default the output is mostly useless, telling you that buttons have been pressed, but not which buttons.  But, if you change the "debug flag level" by choosing a number from 0 through 7 you can change the amount of information displayed.

Level "3" is when things start getting useful.

It allows you to see what is being displayed on the LCD screen of the phone.  And since the LCD screen displays the numbers being dialed and the numbers of incoming calls, you can see, in real time, who is calling whom.  Of course, the more output you have the harder it is to keep track of, especially when you get up to level "6" or "7".

This is where your command line skills could come in handy.  Using a simple command such as grep you can filter out unwanted info.  To only display messages on line one of the LCD screen, which is where numbers being dialed are displayed, set the debug level to at least "3" and try the following set of commands:

$ nc 9027 |grep LCDLine1
[20:55:52.687] LCDLine1: ENTER NUMBER
[20:55:53.409] LCDLine1: PRI
[20:55:54.210] LCDLine1: PRI
[20:55:54.728] LCDLine1: 1
[20:55:55.059] LCDLine1: 18
[20:55:55.358] LCDLine1: 180
[20:55:55.518] LCDLine1: 1800
[20:55:55.868] LCDLine1: 18004
[20:55:56.109] LCDLine1: 180046
[20:55:56.259] LCDLine1: 1800466
[20:55:56.449] LCDLine1: 18004664
[20:55:56.608] LCDLine1: 180046644
[20:55:56.808] LCDLine1: 1800466441
[20:55:56.987] LCDLine1: 18004664411

As you can see, the grep command filtered out a lot of unwanted info and showed the number being dialed in real time.

Well, this concludes this tutorial.  This is just part one of my Comdial articles.  I hope to write at least two more.

Calling Comdial - Part 2

Well, I guess this is where I do shout-outs to people.  So, hey Kenn, James, and Eric.