AI-powered tools like Claude Code can reverse engineer undocumented hardware protocols by systematically exploring network ports, brute-forcing command combinations, and analyzing communication patterns, enabling developers to bypass proprietary software dependencies and directly configure legacy hardware devices.
Reverse engineering a Viking VOIP phone protocol with Claude Code — Boris Starkov, Eleven Labs
[music] >> Hi everyone. Thank you for coming.
Even though there is a lunch being served now. Really appreciate you coming here.
Um I'm Boris. I work for Eleven Labs.
Usually we do agents voice agents like all things voice. But for this chat I just wanted to show you something else. Um you might have seen if you've been on the third floor, you might have seen this phone booth. This is Twilio by the way, the organizer.
Um Um We've built it as a as a demo. Um demo for this summit. Uh there is this phone inside.
Um and I don't know how many of you have went through it. Did anyone? You should totally give it a try. Oh my god. Okay.
But uh the idea is that when when you pick it up, you actually end up talking to AI agent uh with the Michael Caine's voice uh approved. Um there you go.
Who who then walks you through five questions about British AI history. And then if you answer at least one of them, you can get a swag from from Eleven Labs. So that's the idea. But uh today I want to show you how I actually build it.
So this is how it looks like now. And this is how it looked like last week.
This is the um old I mean it's not that old. It still has a a controller inside, but it's a quite old piece of hardware, this phone. And the main problem when we tried to make this happen the main problem with the this piece of hardware was that um it only had uh Windows Windows XP compatible uh software. So it was very hard to set it up cuz it turned out that nobody at Eleven Labs have a Windows uh laptop. Uh they all had Macs.
But also when we tried to set up like a virtual environment, you know, also had some driver issues. So uh what happened to this phone? Um Our team in San Francisco purchased it 1 year ago for some other event. And three software engineers, three senior software engineers and a Claude uh sorry, ChatGPT at the time, they couldn't figure out how to make it work.
So it was just for 1 year it was just laying there uh waiting for waiting to be rescued.
And uh for this project we we we asked them to send it to to London. Um and uh then I tried to crack it hack it, reverse engineer it using Claude Code. And this is what I wanted to talk about. How to use Claude Code not just to build uh applications, but how to use it to actually like uh reverse engineer some hardware.
So by the way, this slides are fully fully made by Claude Code as well. So I the way I made them is I um put the whole conversation we had about this um process and then asked it to as a context and then asked it to make slides based on that.
So the goal here uh what we want to achieve is uh they have this Viking phone.
The uh retro legacy Viking phone.
And we want to connect it to a conversational AI agent by Eleven Labs.
Uh it can only make a phone call to a phone number. So we need to put Twilio in between.
Just um to handle that a SIP SIP domain complexity. So it goes Viking phone, then Twilio, then Eleven Labs.
Um Yeah, the problem.
I have a Mac.
Uh so we couldn't really like easily set it up.
Uh so what we ended up doing, what I ended up doing instead, I uh connected the connected my laptop to the phone via router and uh started exploring. I mean, by saying I started exploring, uh Claude Code started exploring it. So first it um nmapped all of the ports that were available.
Uh so port 1001.
Um Which turned out to be the wrong one. It was just uh electronics tunnel.
Uh then it proceeded to iterate and the next one was the actual uh target port that could be used to communicate with the phone. So step one, Claude Code found the way to communicate with the phone.
Um then uh then it started discovering it.
So it sent um some random sequence. I mean, not random Viking, but just random sequence.
Um to the phone and the phone responded.
So that's how Claude Code realized that um that this is an actual interface, a protocol.
But the protocol is not like Google-able. You can't There is no open documentation on what the exact protocol is. So it had to then um reverse engineer it, right?
So first thing Claude noticed is that when you send a random string to the phone, it returns uh this ER and then the string itself.
Meaning likely it's an error.
Error that this string is not a correct command for the phone. So next um Yeah, next Claude figured out those commands that um that this this phone it operates using two-letter commands, command codes. Um some of them are non-existent, then it returns an error like on this slide. Other, however, they return something else.
Um the next idea was that actually if it's two-letter commands, then we can just iterate through all of them, right?
Uh brute forcing. So it wrote this this program and literally like tried out every single combination of two letters.
Um and it turned out that most of them returned error codes, but 80 of them returned actual like something else, meaning they're actual valid commands.
Uh those were some of them.
By the way, I'm not sure Okay, I'm not sure what this is, but uh Yeah, then it then it some of the commands they kind of made sense based on the on the name.
Maybe not those ones, but for example uh SA for status kind of makes sense.
I don't know if it makes sense. Yeah. Uh Then then it proceeded to try to set up the actual credentials on the phone. So this is this is uh this is the phone memory. And it basically what they're trying to do here is to put the right credentials to the phone memory so that it knows where to call. We want to call Twilio SIP trunk, right? Um And it turned out that yes, these commands they worked and all of the settings got accepted.
But the problem is the moment the phone got rebooted they all were gone.
So they were not saved in the memory. They were just wrote to the temporary memory.
And then uh we started me and Claude Code we started like a multi-hour operation of trying to figure out how to actually save what you put to the put to this like temporary memory, how to make it actually um persistent. Like how to save it to the long-term memory of the phone. It tried everything. It tried different commands. And then it I don't know if the slides are going to show this, but it tried three-letter commands. It iterated over all three-letter commands, over all reasonable words.
And it didn't find anything.
Uh so this was the dead end situation.
This was around the place where our team in San Francisco, when we just started exploring it the first time.
Um They they could they couldn't figure out what to do next. But that was 1 year ago when um there was only ChatGPT. Now with Claude, Claude didn't give up at this point.
Claude suggested that uh there is a Yeah, Claude figured figured out the problem and then it suggested a solution. So the solution at this uh step was was to set up a Windows virtual machine.
However, uh the main problem with with Windows virtual machine is that you can't bridge Wi-Fi um to macOS. So there is no internet connection in the Windows virtual machine. So what Claude did next was actually a very smart thing. It set up a TCP proxy on the Mac so that the uh traffic from the virtual machine Oh, why are we setting up virtual machine?
Because in the virtual in the Windows virtual machine, we can set we can um run the software of this phone that actually knows how to communicate with it.
So the solution uh so what we're trying to do now, we're trying to uh put like a man in the middle attack kind of to intercept the traffic between the software and the phone to analyze it and to figure out how how it communicates, how it works.
So, the software is running in Windows virtual machine now. Then it it's directed it communicates to the proxy on my Mac. The proxy is relaying it to the Viking phone, but also it logs everything so that to figure out what they're talking about and what's the protocol is, what are the what is the missing piece.
Um very simple code.
And then yeah, then it started capturing the communication.
And it figured out that there was this command that uh that Claude didn't understand before, which is TS.
Um which had like some weird binary payload.
And then that had like this format.
And what you can see here is most of the most of the params of this uh command they kind of make sense except for the checksum. But checksum turned out to be only uh one byte. So, it's something that you can brute force as well.
Um right.
Yeah.
Uh so, the way it it work it doesn't know the checksum, but it knows which data is being sent and it knows the result.
So, it can easily reverse engineer the the encryption protocol.
Which is just which turned out to be just adding a uh Yeah, basically doing a simple subtraction like adding a sim a simple one byte value uh to the checksum. It not just Claude Code, I want to highlight it. Claude Code didn't just figure out what the um format of the checksum is. It actually like managed to find it and then it confirmed it uh by running uh by running more values through it. So, it it was kind of like closed loop iteration.
Um and at this point the phone was pretty much cracked.
Um so now we managed to figure out how the software communicated to the phone.
And uh we had the list of commands and we What was that?
Yeah, and then we figured out how to actually the the problem I stated in the beginning, how to actually uh save what you what you put to the memory. We need um this uh to run this sequence of commands.
Um and the last one the fun bit was that actually there is this uh 256 bytes um memory in the phone which um it also happened to crack.
Um and then the the last bit the last bit of this process was that actually I didn't want to run Windows virtual machine every time.
So, the last bit was actually uh now when I know the protocol, I know how to talk to the phone.
I can just factory reset it and now I can use this skill this information to program it directly without having to run the virtual machine at all. So, what I did I put all of this as a skill and open sourced it so that now um now everyone if any of you by any chance have a Viking phone, you don't have to set up Windows machine. You can just ask Claude Code like give this uh skill to Claude Code and it will set it up.
Um yeah, victory.
Um it works. I mean, I didn't go into much details about how this step works because it's super easy thanks to Eleven Labs. We we really made it end video. I mean, this step is super easy. This one was the most painful part. I think it took me like couple of days to to reverse engineer it. I'm really trying to avoid the word hack uh that I hacked the phone. I reverse engineered it. Um Yeah. So, I mean, what we learned about the protocol it has two layers. Um the encryption it we were lucky that the encryption was just a single byte checksum because it if it was something harder than it would probably be much harder to break. And um yeah, and the persistence bit we had to run the server intermediate server between virtual Windows machine and and the phone.
And that's how just yeah to comment on the step five here.
Um without Claude Code it wouldn't be possible to to to do that demo. It it it's not just it made it 10 times faster, it just made it possible because I'm not a security security engineer whatsoever. I'm actually like just a normal software engineer and I had like when I looked at all this like programs, I was like, what what is that? What is that? What is zero X? Okay.
Um Yeah, that's it. Um so, now uh the outcome of this is not just a nice demo that you can see on the third floor.
It's also a skill that makes it much easier to to program the this this kind of phone and um the nice part is that I think this is extendable to other hardware as well.
So, it's not just like Viking specific, but like if you want to crack some other hardware I would really recommend thinking about Well, you don't the the difference is that 1 year ago you actually needed the proprietary software interface that the provide the the company that made the hardware provides. Now you don't need it. You can connect to to the phone, but you can the same way you can connect to any like piece of hardware in your house.
Um so, this is this is cool. Um yeah, this is how it started and the the actual demo again to people who just came here. On the third floor we have a this red telephone booth that lets you speak to Michael Caine. How many of you have tried it? Have has anyone?
Oh my god. Okay, you should totally try it. It's it's it feels magical and I just uh told you how I how I made it into real life. Yeah. Um any I guess any questions?
This is the booth.
And this is Swiggy.
>> tokens you burned?
>> [sighs] >> I used Eleven Labs our corporate tokens. So, I I yeah, I think it was in order of between 10 and 100 dollars. So, quite reasonable.
And and did you did you have the did you have Claude So, you see you had some software installed on UTM on Windows.
Did you have Claude control that as well?
Or or did somebody have to manually It it was a quite interesting because my participation in that was basically following Claude's commands.
>> Right. So, it would tell me like, "Hey, can you can you like take the handle and how many beeps can you hear?" And I would like listen and like, "Okay, I think three." It was like, "You idiot, it's either two or four."
And I'm like, "Oh yeah, it's two." So, it was like I was actually like the agent for Claude. Like Claude was orchestrating the whole thing. And answering your No, answering your Basically, I was the hands for Claude. It couldn't really I think if I use like computer user something I could make it fully like close the close the loop and make it control the virtual machine, but I was too lazy so I just did what it told me to do.
Were there any places where Claude got stuck and you had to unblock it?
Uh stuck in in what sense? As in it couldn't figure out the next step.
So, that's the thing. It it was orchestrating it. Like I had no idea what was going on. So, intellectually I couldn't unblock it. So, you just unblocked I unblocked it by like actually like rebooting like physically rebooting the phone or like controlling the virtual machine, but the intellectual part which is like cracking the cracking the algorithm I could I wouldn't be able to unblock it. I mean, it was just smarter than me, I think.
Yeah.
Um How how did you physically connect to the phone? Yeah, I I wish I had a picture. Um So, this phone you can see the black cable. It's uh called power over Ethernet, PoE. Yeah. Which is uh basically there is an Ethernet cable, the one that everyone probably has at home for home internet and there is also a power adapter and it brings them together.
And I put a router in between which let me connect my So, this was connected to the router and my laptop was connected to the Wi-Fi router as well. And then yeah, and then there was this step of uh >> [clears throat] >> searching the network. So, this was the first step. Claude just checked all of the devices connected to the router and found the the phone.
Okay.
And I have full time.
Yeah. Next session is at 11.
>> Thanks. Thanks everyone. Great. Um >> [applause] [music]