ADSI CPE Reset Procedures & CPE ID Misc

Apologies for the long introduction but I believe it’s necessary for context….

I purchased my first NT Vista 350 back in '98 and have since collected a few others. However, recently I purchased a couple of Aastra 390 models to see how different they are, apart from the quality of the Nortel-manufactured models. This is barring, of course, the horrendous design flaw of the 350’s flex bonding for its PCB-to-display connection.

After examining both 390s, I have noticed one of them does not have a typical CPE ID. Instead, it indicates FFFFFFFF.

This led me to some intensive searching where I located some technical notes from Aastra/Sayson from 2005. The notes provide instructions on disabling advertisements on the 350, 390 and 480 models. However, there are 2 different procedures, and it appears one of the procedures does more than disable adverts.

I am posting this here as a resource to anyone who is interested:


Note: These procedures require the date and time to be set to Jan 1 12:00am; otherwise, the key sequences are ignored:

1. Display CPE ID and Firmware Version
To display this information…
a) Press key sequence: options + menu

2. Factory Reset (clear directory, settings and ADSI programming only)
This deletes the ADSI programming on the phone. There are no changes made to the CPE ID:

a) Press key sequence: menu + options + # (hash)

3. Unlock FDNs, clear CPE ID and stop self-launch (390 and 480 only)
This is the interesting one, as this will delete ADSI programming on the phone, change the CPE ID to FFFFFFFF and disable the self-launch/idle screen functionality. I have not figured out how to re-enable the self-launch functionality.

a) Set area code 0099 in one of the Area Code slots in the Area Code settings page, in whatever position (1-3)
b) Press key sequence: menu + options + 0 (zero)


The last procedure made me think about how the CPE ID is programmed into the phone in the first place.

Taking the 390 as an example, there appear to be two primary components involved, the MCU and an SRAM chip.

The 390’s MCU is a Renesas M38869MFA and the SRAM is a Renesas SRAM suited for low power applications, with battery backup. The SRAM also has a barcoded label with a unique number printed on it, perhaps to identify its programmed contents.

With that in mind, would the CPE ID be stored in the MCU or the SRAM? Well, I thought about that and since the MCU has RAM and ROM memory space, it could be either.

If it were in the ROM, this would indicate that the CPE ID cannot be changed, and the full reset procedure (3) above only inhibits the MCU from outputting the CPE ID in its ROM, which would then mean there must be another procedure to re-enable it. In other words, procedure 3 could be reversed.

If on the other hand, the CPE ID was in the SRAM, then it means the SRAM can be read and written to but may be tricky with the battery involved. This would potentially make it easier to extract FDN security codes, re-program its CPE ID and so on.

It would be nice, however, to put together a database of CPE IDs and FDN/Security codes that work. I have since observed that every FDN is different and whilst one particular FDN may go into slot 1, for example, that same FDN will go into a different slot on a different phone.

Just something to think about…….

How about something like this list of codes from the mailing list archives?

http://lists.digium.com/pipermail/asterisk-users/2005-January/076436.html

Hat-tip to this dinosaur…

Probably should tag this under “remember, children, what happens on the internet, stays on the internet.” :slight_smile:

I am already aware of this list. In fact, it is the only list out on the Internet and is incomplete.

You’ll also notice it does not have the third procedure I have mentioned above.

Also, the codes for the Bell 390 do not work and the codes for the Aastra 390 only partially work.

I am less interested in the security codes than the FDNs as it seems different phones or phones programmed from different companies will not use the same FDN even for the same slot.

Anyway, I doubt anyone really uses this technology anymore but just thought I’d see who was interested in doing some hardware reverse engineering and experimentation with software.