Admin-password-locked Cisco SPA504G phone.
How to factory reset a Cisco SPA504G without the admin password? Well, read on.
Many of us, myself included, have been looking all over for a procedure to factory reset a Cisco SPA504G phone whose admin password is locked. Many suggested sniffing the packets the phone sends to the carrier's FTP, TFTP, HTTP or HTTPS server. Some may even succeed in spoofing DNS or the IP address and letting the phone pull a file from our own equipment that resets or changes the password.
The spoofing may not work if the configuration requests a secure HTTPS connection, or if the phone expects an encrypted configuration file.
Other options include the Cisco default password v01p4f@n
and forcing the phone to provision via the web browser:
http://phoneIP/admin/resync?http://webIP/new_password.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<flat-profile>
<Admin_Passwd ua="na">newpass</Admin_Passwd>
</flat-profile>
I found a way that worked for me. Keep in mind that this method was only tested on the phones I had available: SPA504G, firmware 7.5.2b and 7.6.2b, admin password locked by provider1 and provisioning from an HTTPS server. One cannot easily fake a valid certificate.
Most of the phones were not even getting an IP from my DHCP server, but I was able to overcome that by disabling VLAN in the network configuration.
Edit 2: see below.
What you need is a DHCP server with option 66. I use DD-WRT and point option 66 to the external IP address of my TFTP server.
Now we need to create some files on the TFTP server:
XMLDefault.cnf.xml (or XMLDefault504G.cnf.xml to make it phone-model specific):
<Default>
  <callManagerGroup>
    <members>
      <member priority="0">
        <callManager>
          <ports>
            <ethernetPhonePort>2000</ethernetPhonePort>
          </ports>
          <processNodeName>10.0.0.1</processNodeName>
        </callManager>
      </member>
      <member priority="1">
        <callManager>
          <ports>
            <ethernetPhonePort>2000</ethernetPhonePort>
          </ports>
          <processNodeName>10.0.0.2</processNodeName>
        </callManager>
      </member>
    </members>
  </callManagerGroup>
  <loadInformation80000 model="Cisco SPA 521S"></loadInformation80000>
  <loadInformation80003 model="Cisco SPA 502G"></loadInformation80003>
  <loadInformation80004 model="Cisco SPA 504G"></loadInformation80004>
  <loadInformation80005 model="Cisco SPA 525G"></loadInformation80005>
  <loadInformation80009 model="Cisco SPA 525G2"></loadInformation80009>
  <loadInformation80011 model="Cisco SPA 303G"></loadInformation80011>
  <authenticationURL>http://10.0.0.3/authentication.php</authenticationURL>
  <idleURL>http://10.0.0.3/idle.php</idleURL>
  <informationURL>http://10.0.0.3/help/help.php</informationURL>
  <messagesURL></messagesURL>
  <proxyServerURL></proxyServerURL>
  <servicesURL>http://10.0.0.3/menu.php</servicesURL>
  <directoryURL>http://10.0.0.3/directory.php</directoryURL>
</Default>
Some of this file is unnecessary; I just did not want to mess with it and used an example file. It converts the phones from SIP to SPCP. The URLs are irrelevant.
After the reboot the phone asks the TFTP server for a file named SPA504G-cfg.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<flat-profile>
<Admin_Passwd ua="na">123</Admin_Passwd>
</flat-profile>
or
<?xml version="1.0" encoding="ISO-8859-1"?>
<flat-profile>
<Protect_IVR_FactoryReset>No</Protect_IVR_FactoryReset>
</flat-profile>
Once the phone downloads the SPA504G-cfg.xml file, the admin password will be changed to 123 (first variant) or the factory reset will no longer require a password (second variant).
From there you can go to the phone's menu, factory reset, and enter your new password if asked.
Delete or rename XMLDefault.cnf.xml on the TFTP server, or you will see your phone reboot every minute.
To upgrade the phone firmware, create one more file on the TFTP server, spa504G.cfg:
<flat-profile>
<Resync_On_Reset>Yes</Resync_On_Reset>
<Resync_Periodic>7200</Resync_Periodic>
<Profile_Rule group="Provisioning/Configuration_Profile">tftp://your.server/SIP$MA.xml</Profile_Rule>
<Upgrade_Rule group="Provisioning/Firmware_Upgrade">($SWVER lt 7.5.2b) ? tftp://your.server/30x-50x/spa50x-30x-7-5-2b.bin | tftp://your.server/30x-50x/spa50x-30x-7-6-2b.bin</Upgrade_Rule>
</flat-profile>
There is an issue when upgrading from 7.4.3a; to overcome it, just remove the condition so the rule looks like this:
<Upgrade_Rule group="Provisioning/Firmware_Upgrade">tftp://your.server/30x-50x/spa50x-30x-7-5-2b.bin</Upgrade_Rule>
This procedure was also successfully tested on an SPA303 with firmware versions 7.5.3 and 7.6.2b.
If for any reason you wish to lock the factory reset away from the user, edit your configuration XML file and set these 2 values to Yes:
<Phone-UI-readonly group="System/System_Configuration">Yes</Phone-UI-readonly>
<Phone-UI-user-mode group="System/System_Configuration">Yes</Phone-UI-user-mode>
And add the line
<Protect_IVR_FactoryReset>Yes</Protect_IVR_FactoryReset>
before
</flat-profile>
To prevent this hack on your own phones, simply remove DHCP option 66 from your configuration, or disable provisioning.
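The profile a phone is actually served can be audited for the weak values this post relies on (a short or all-digit Admin_Passwd, Protect_IVR_FactoryReset not Yes, the two Phone-UI values not Yes, and Profile_Rule or Upgrade_Rule fetched over tftp:// or http://, which option 66 or a DNS override can redirect). The following is an added example and not code from the original post; the sample profiles, the eight-character threshold and the treatment of "123" and the default password as known-weak are my own assumptions.

```python
# Added example, not from the original post: audit a Cisco SPA flat-profile
# provisioning XML for the weak settings the post relies on.
import xml.etree.ElementTree as ET

# Element names are those used in the post; the two passwords are the ones the
# post mentions, so they are treated as known-weak values (an assumption).
KNOWN_WEAK_PASSWORDS = {"v01p4f@n", "123"}
CLEARTEXT_SCHEMES = ("tftp://", "http://")

def _is_yes(root, name):
    return (root.findtext(name) or "").strip().lower() == "yes"

def audit_profile(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    if root.tag != "flat-profile":
        return ["root element is <%s>, expected <flat-profile>" % root.tag]
    findings = []
    pw = root.findtext("Admin_Passwd")
    if pw is not None and (pw in KNOWN_WEAK_PASSWORDS or pw.isdigit() or len(pw) < 8):
        findings.append("Admin_Passwd: known-weak, all-digit or short value")
    if not _is_yes(root, "Protect_IVR_FactoryReset"):
        findings.append("Protect_IVR_FactoryReset: not Yes, factory reset not password-protected")
    for name in ("Phone-UI-readonly", "Phone-UI-user-mode"):
        if not _is_yes(root, name):
            findings.append("%s: not Yes, handset menu can change network settings" % name)
    # Rules fetched over tftp:// or http:// can be redirected with DHCP
    # option 66 or a DNS override, exactly as the post demonstrates.
    for name in ("Profile_Rule", "Upgrade_Rule"):
        for rule in root.iter(name):
            for scheme in CLEARTEXT_SCHEMES:
                if scheme in (rule.text or "").lower():
                    findings.append("%s: cleartext %s source" % (name, scheme))
    return findings

# Constructed samples: the weak one mirrors the post's SPA504G-cfg.xml and
# spa504G.cfg; the hardened one applies the post's lock-down values over HTTPS.
WEAK_PROFILE = """<flat-profile>
<Admin_Passwd ua="na">123</Admin_Passwd>
<Protect_IVR_FactoryReset>No</Protect_IVR_FactoryReset>
<Profile_Rule group="Provisioning/Configuration_Profile">tftp://your.server/SIP$MA.xml</Profile_Rule>
</flat-profile>"""
HARDENED_PROFILE = """<flat-profile>
<Admin_Passwd ua="na">PLACEHOLDER-long-passphrase</Admin_Passwd>
<Phone-UI-readonly group="System/System_Configuration">Yes</Phone-UI-readonly>
<Phone-UI-user-mode group="System/System_Configuration">Yes</Phone-UI-user-mode>
<Protect_IVR_FactoryReset>Yes</Protect_IVR_FactoryReset>
<Profile_Rule group="Provisioning/Configuration_Profile">https://your.server/SIP$MA.xml</Profile_Rule>
</flat-profile>"""
```

Running audit_profile(WEAK_PROFILE) yields five findings, while the hardened profile yields none.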
Edit:
I recently obtained a provider1-locked SPA508 phone, and the seller provided an unlock code. It sure looked like a challenge. At boot the phone did not request any files from TFTP, so provisioning was disabled. The factory reset also asked for the admin password.
What I did was check the provisioning status in the phone menu; it was programmed to get a file from
http://prov.provider2.com/prov.cgi?ipeprov&sn=XXXXXXXXXXX&pn=SPA508G
where XXXXXXXXXXX was the serial number of the phone. Since the request was HTTP, not HTTPS, I entered a static entry in my DD-WRT router under Additional DNSMasq Options like so:
address=/prov.provider2.com/XX.XX.XX.XX where XX.XX.XX.XX is the IP address of my web server.
If you run your own DNS server, or even BIND on a Linux server, the same can be achieved.
From there I created a file prov.cgi with the already familiar content:
<?xml version="1.0" encoding="ISO-8859-1"?>
<flat-profile>
<Protect_IVR_FactoryReset>No</Protect_IVR_FactoryReset>
</flat-profile>
In any case, if you wish to explore the provider configuration, you may simply change or remove the admin password, enable the web server if it is disabled, then navigate to the phone from your web browser and explore. You will not get any account passwords, but perhaps a dial plan or the provisioning setup may interest you.
Edit 2.
This one took almost 2 days. At that point it was not even worth it, but it was a challenge. Yet another SPA504G that would not obtain an IP from my router. The on-screen options would not let me see more than 5 options in the network configuration, and the factory reset was admin-password locked. The only thing I could think of was that the phone was configured for a VLAN. It took a while, but finally, using tcpdump:
tcpdump -vv -n -i eth0 -e | grep "vlan"
I got:
21:49:27.444997 XX:XX:XX:XX:XX:XX > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 357: vlan 15, p 0, ethertype IPv4, (tos 0x0, ttl 30, flags [DF], proto UDP (17), length 339)
where XX:XX:XX:XX:XX:XX was the MAC address of the phone.
I used a Raspberry Pi 3 with Wi-Fi, connected the wireless interface to my network and eth0 straight to the phone.
I installed and configured a VLAN with ID 15, a DHCP server and a TFTP server on the Raspberry Pi, and allowed the
download of XMLDefault.cnf.xml and SPA504G-cfg.xml. It worked.
Edit 3.
Some phones showed up completely locked: not requesting any files from the TFTP server at boot, and with HTTPS server provisioning. What we did was reach out to the carrier and provide them with the 4 MAC addresses of the phones, and we kindly received a response with an admin password to unlock one of the phones. The remaining phones apparently did not show up in their database. The received admin password was a 6-digit string.
To unlock the remaining phones, the decision was made to try to brute-force the password. After a little testing it was determined that Cisco SPA phones do not have any protection against brute-force attacks, and it worked just fine on the test phone. A 6-digit string yields only 1 million combinations, from 000000 to 999999. A simple C, Perl, bash or PHP script was able to crack it in under 4 hours, given the time it took to send a request and receive a response. The SPA303 took a little longer; I guess the CPU is slower.
We have chosen not to reveal the names of the providers at this time.
Once you have your VoIP phone unlocked, visit VoipPlus and sign up for service.
Looks like a challenge. I have 5 SPA504G phones that will get an IP, but Wireshark and the TFTP server are both not picking up any config requests from them... But I will soldier on, and with your article as a guide I should be able to tame the beast. Excellent work.
Good job. I use similar techniques.
Do you know how to remove the customization from the phones and modify them to be open?
With a Perl script, maybe?