VoIP hardware is developing fast - this is where you ask all those “how do I make my SIP Telephone, Adapter or Asterisk box work with my voip provider?” questions.

Advertisement

By Sponsor

Advertisement

By Sponsor
User avatar
By WelshPaul
#5245
You're both more than welcome to post about unlocking the devices in the topic at hand (that is if you want to). Other than maybe intercepting the provisioning request and pushing your own config file (used this method myself with Snom's), I don't see any other way? Anyway, good luck! :thumbsup:

Edit:
So it looks like some Cisco phones can be unlocked using option 66, read more here

If that doesn't work, brute force may be the answer:
cisco spa phones does not have any protection against brute force attack, and it worked just fine on the test phone. 6 digits string rendered only 1 million combinations from 000000 to 999999. Simple c, perl, bash or php script was able to crack it under 4 hours given the time it took to send and receive a respond. Spa303 took little longer, I guess the cpu is slower.
I have some Cisco phones laying around and when I get the time, I will try out these methods.
User avatar
By WelshPaul
#5416
@edilson I very much doubt it. :dunno:
User avatar
By AntalVincz
#5419
Hi,

The /fp file delete don't solve the locked customization problem.
Because the phone restarting and butting rebuild all file from image file.
The image file include the secret.
Some people able solve this.

If the phone is just password locked (the phone requesting the password for the factory reset) that is different problem and I able solve that, without brute force technique.

Regards

Tony
WelshPaul liked this
User avatar
By edilson
#5420
I read on some documentation that all SPA525 go to cisco.com to check if it is a customized equipment, if it is it will download a bin file to rebuild the firmware. So even if you are able crack the password it will redownload the customization. But if one deletes the "/home/fp" file and are able to reprogram the EEPROM with a different MAC and serial number that should fix the re-customization problem. I have successfully reprogrammed EEPROM on SPA504's.
On a side note, If you are able to reset SPA504 or SPA514 by other means please let me know.
Thank you
User avatar
By AntalVincz
#5458
Hi,

I think the Cisco closed the redirection and remote customization server for the SPA RC units. Those units discontinued and not supported.

Few people able change the customization to the open status. And the phone MAC and serial number can't changed.
But they people request much money (10GBP / each phone open) for this action. That is good business.
I think those people not decomplete the phone, reprogramming externally, because the phone decompleting is too complicated procedure.
I think the SPA phones able running scripts or allow the "secret" html command.
For example this document section 3-40 speak from the script: https://www.cisco.com/c/en/us/td/docs/v ... _admin.pdf

"I have successfully reprogrammed EEPROM on SPA504's. "

Where to locate the EEPROM? And you reprogrammed in circuit or removed from the phone?

Are you found the customization status parameter in EEPROM?

Thank you

Tony

Advertisement

By Sponsor
Vonage Fined £24.5K by Ofcom

An investigation into the availability of Vonage&l…

SIP ALG problem Linksys Router

Linksys Router SIP ALG Problem. Hello, I have Pow…

Just wanted to say thanks again for your help. I…

BT Cloud and Cisco SPA

@amstel is the information not accessible vi…

Sign up for full membership