Josh Max Dials Up a Demon, Hacking a CaptionCall Landline to Create a Dedicated Doom Device

Self-described "low-level hacker" Josh Max has cracked a CaptionCall landline open in order to make it run something for which it was never designed: Id Software's classic first-person shooter Doom.

"Recently, I came across a very interesting telephone service called CaptionCall," Max explains. "For those of you who don’t know about this service, it’s essentially a government-funded telephone captioning service that allows deaf or hard-of-hearing individuals to see a textual description of audio calls."

"But, more interesting than the service itself is the device they provide to their customers. It’s a fancy, Linux-based touchscreen landline running a proprietary UI atop a buildroot userspace."

The internal specifications of the hardware itself are surprising for something which is, at its heart, a landline telephone: An NXP i.MX6 quad-core ARMv7 processor, 1GB of DDR3 memory, and 4GB of NAND flash storage — all in a device costing around $25 secondhand on auction sites.

Max was interested in reverse engineering the device and having it run custom code, picking a classic as his target: Id Software's Doom, first released in 1993 to critical acclaim and since adopted as an unofficial benchmark for repurposed computing devices — leading to the cry of "can it run Doom," and the all-too-common answer of "yes, it can."

"After prying the two halves [of the case] apart, two headers on the PCB immediately caught my attention," Max writes. "The first looks like a standard Arm JTAG pad; however the leads from the traces to the SoC were cut. Kind of a bummer. Not unfixable, but I really didn’t feel like soldering tiny jumper wires and inevitably burning off my fingertips."

"The second header definitely appeared familiar too. I guessed it was for UART access, and after probing it with a multimeter my assumption turned out to be correct!"

After finding a way to access the UART, Max was able to see the system console — but it required login. None of the usual defaults applied, but Max found he was able to access the uboot firmware — and, from there, dump a copy of the firmware, extract the /ect/passwd file, and crack the root user's password.

"Since I really didn’t want to hassle with cross-compiling Doom for an embedded buildroot ramdisk running an ancient version of libc, I opted to use debootstrap and create an armel jessie chroot," Max notes. "Using my l33t Xorg.conf trial-and-error skills, I eventually wrangled fbdev, mesa, and evdev to load IceWM on the screen with touchscreen and keypad support. A bit more hacking and audio, Bluetooth, and finally GPIO support was complete within my chroot. Then finally, the moment of truth: It can run Doom."

Max's full write-up is available on his blog, while a pre-patched kernel is available on GitHub. Max has also contacted the company regarding apparent violations of the GNU General Public License under which Linux is published, but has heard nothing back — "nor," he adds, "do I expect that I ever will."