SPA504G Reset

We were recently approached by a customer (they will remain nameless but are a charity) with a batch of Cisco SPA504G IP phones. These had been purchased in good faith and duly delivered. Only they had vendor lock-in. The customer tried a few avenues, and if you’ve done a lot of searching you’ll know that there are a dozen ways to unlock these. Most of them rely on assumptions that the vendor has not done something. The method below worked in this case and goes a little further than other suggestions; however, if a certificate has been set you are out of luck. I know there are people looking at hardware unlocking, but at that point I would suggest you give up.

Firstly, an honourable mention to the provider, Gamma Telecom. An initial call to their support guy was very promising. He didn’t see an issue, took some details, and we looked at the Wireshark dumps (with plain-text SIP credentials), worked out who they belonged to, and confirmed that they were indeed retired phones and there wasn’t an issue with us having them. He took my number and wandered off. Shortly afterwards he called back and said I needed to speak to someone else, and told me the process to get through the labyrinthine voicemail system. Hopeful, I did as instructed.

“No, absolutely not, we can’t give you that information.” That’s as far as I got. Despite us owning the phones legally, the rather rude woman wouldn’t even listen to anything we asked. Explaining they were for a charity got no leeway at all. I even suggested they reprovision them and push a reset out that way. The phone went down.

So here’s what was needed.

The phone gets plugged into my lab setup; it’s behind its own firewall there and I can control and manipulate everything. It turns out some simple DNS hacks were all that were needed. So, watching the phone with Wireshark: it asks for an IP, great; it’ll take the TFTP server from DHCP and try that, no, no dice. It then asks right away for an SRV record from the provider. Ah-HA! I can’t change the SRV record at this point, but a quick dig shows that it will ALWAYS return the same hosts, node7 and node4.sip.unlimitedhorizon.co.uk. Host overrides entered in pfSense and the phones start trying to register to my FreePBX lab server. They get denied, but it means I have some control over the damn things.

At this stage I’ve been puzzling over this for a while, and then I spot something. When the phones don’t get a response, or are told to go swing by those servers, they sit there in a loop retrying. HOWEVER, a login failure rather than a refusal triggers something else. Hot on the heels of both servers failing the login, it then tries to connect to an HTTP server, xsp.unlimitedhorizon.co.uk, and asks for /dms/Cisco_504d/<mac>-Recovery.xml. A manual browse over there gets nothing; however, tweaking the MAC address results in firmware images being served. There are some big security issues here, not least being that I suspect it’s possible to take over another phone by flashing that image to another unit. For us this means that we have an in.

This site suggests that you can serve an XML file to it. You can then force the phone to pull the file. However, if the web UI is locked that won’t work, and if it’s also not looking for TFTP servers it won’t work either. So, I added another DNS override to point that host to one of my servers, uploaded that file, renamed it to match what the phone was asking for, and rebooted.

File gets requested and sent, all looks good; the phone then ignores the file and switches to trying to use TLS for an update. Uh oh, I’m stuffed here. I can’t spoof the cert. I can see it failing as it doesn’t like my server cert’s CA. What now?

I have an SPA504G on my desk, and I know you can dump the XML from it, so off I go and do just that. A quick look at the XML shows that the MAC is included, so that’s edited to match the locked phone, and the admin password line from the above XML is added. We reboot again…

Asks for the file…
Grabs the whole damn thing…
Reboots. On reboot I’m greeted with a clone of my phone. A quick venture into the menus shows that the admin password has gone too. A quick factory reset, which I can now do, and it’s all up and running as it should. One clean, factory-reset phone.

Now this presents a number of conclusions. Cisco are good at this; we’ve seen that if this DID resort to TLS, and there is an option to do this, you would be screwed. That they didn’t do this seems odd, it’s one setting, but in not doing so they left it wide open. Everything else was set to make it as hard as possible to unlock the phone, so why leave this back door wide open?

How much of a risk is that web server? I have five phones here with distinct MAC ranges. I can take a good guess that phones would have arrived in batches, and a search in a range and a quick test shows I can pull about 5 XML files that don’t relate to me.

It’s possible they have realised there could be an issue here, as the XML files point to a .bin file. The file freely downloads, which raises the question of what it is, and can I flash it to anything? I know I can force the phones as they stand into arbitrary configurations; can these files then be written to a phone to hijack that ‘line’? I’m not willing to risk the customer’s phones, but it does raise the question of the security of the system as a whole.
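The enumeration risk above (anyone can walk neighbouring MACs against /dms/Cisco_504d/<mac>-Recovery.xml) is something the operator could spot in its own web-server logs: a real phone only ever asks for the file for its own MAC, so one client requesting several MACs, especially with 404s mixed in, stands out. The following is an added detection example, not code from the original post or from the provider; the access-log lines are constructed in Common Log Format and the IP addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format); not taken from the page.
# 203.0.113.5 walks through several neighbouring MACs, while 198.51.100.7
# behaves like a single phone fetching only its own recovery file.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /dms/Cisco_504d/000E08AABB01-Recovery.xml HTTP/1.1" 200 4321
203.0.113.5 - - [10/Oct/2020:13:55:37 +0000] "GET /dms/Cisco_504d/000E08AABB02-Recovery.xml HTTP/1.1" 404 162
203.0.113.5 - - [10/Oct/2020:13:55:38 +0000] "GET /dms/Cisco_504d/000E08AABB03-Recovery.xml HTTP/1.1" 200 4310
203.0.113.5 - - [10/Oct/2020:13:55:39 +0000] "GET /dms/Cisco_504d/000E08AABB04-Recovery.xml HTTP/1.1" 404 162
198.51.100.7 - - [10/Oct/2020:13:56:01 +0000] "GET /dms/Cisco_504d/000E08CCDD10-Recovery.xml HTTP/1.1" 200 4298
198.51.100.7 - - [10/Oct/2020:13:56:02 +0000] "GET /dms/Cisco_504d/firmware.bin HTTP/1.1" 200 1048576
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# The per-MAC recovery-file path the phone requests, as described in the post.
RECOVERY_RE = re.compile(r'^/dms/Cisco_504d/(?P<mac>[0-9A-Fa-f]{12})-Recovery\.xml$')


def recovery_requests(log_text):
    """Yield (client_ip, mac, status) for every per-MAC recovery-file request."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        r = RECOVERY_RE.match(m.group("path"))
        if r:
            yield m.group("ip"), r.group("mac").upper(), int(m.group("status"))


def find_enumeration(log_text, min_distinct_macs=3):
    """Return {ip: {"distinct_macs": n, "not_found": k}} for clients that asked
    for at least min_distinct_macs different MACs. A genuine phone only requests
    the file for its own MAC, so several MACs from one source suggests someone
    walking a MAC range; 404s count guesses that hit no provisioned unit."""
    macs = defaultdict(set)
    not_found = defaultdict(int)
    for ip, mac, status in recovery_requests(log_text):
        macs[ip].add(mac)
        if status == 404:
            not_found[ip] += 1
    return {
        ip: {"distinct_macs": len(seen), "not_found": not_found[ip]}
        for ip, seen in macs.items()
        if len(seen) >= min_distinct_macs
    }


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_macs']} MACs requested, {info['not_found']} not found")
```

Point it at a real access log by reading the file into `find_enumeration`; the threshold of three distinct MACs is an assumption and should be tuned to the provisioning server's normal traffic.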

UPDATE

The XML I used from my own phone is here, you use these files at your own risk!

Cisco_504d XML Files


18 thoughts on “SPA504G Reset”

  1. The SPA504G, or any other SPA device, does not verify whether the XML files have a proper MAC or serial number. It just takes the file as is, and it will not change the MAC nor serial even if you try from the XML file.
    In addition, all you needed to include in the file was:

    No

    and then the phone would let you do a factory reset without prompting for admin password.

    1. That’s good to know about the MAC.
      I was aware of the ability to disable the admin password rather than force a change; however, on these particular phones it was ignored. The XML files recommended all over the web also failed to work.

      It’s a faff, but it gets there in the end. Thank you for the feedback though 🙂

  2. We have a couple of SPA504G phones with Gamma firmware, but we do not have a suitable .xml file to put on our HTTP server. Could you email me a copy of the .xml file you used at the
    “Asks for the file…
    Grabs the whole damn thing…
    Reboots. ….”
    stage. Once the password has cleared we will reset the phones to factory defaults.

    Many thanks.

    Chris

  3. Thank you for this article, my company have (now had) a number of customers tied to Gamma because they didn’t want to pay for new handsets.

    1. I’ve also found that the FreePBX commercial “Endpoint Manager” module works well with these and updates the firmware.

  4. How do I get a login failure instead of a refusal in order to get the handset to push for the recovery file?
    Any help would be appreciated:

    “When the phones dont get a response or are told to go swing by those servers they sit there in a loop retrying. HOWEVER a login failure rather than a refusal triggers something else. Hot on the tails of both servers failing the login it then tries to connect to an HTTP server, xsp.unlimitedhorizon.co.uk and it asks for /dms/Cisco_504d/-Recovery.xml”

  5. Thank you for a comprehensive article – I can confirm the method above works on unlocking handsets tied to this particular operator.

  6. Bloody hell Richard you’re a lifesaver, I had one of these provisioned to the same vendor and while I successfully intercepted the request for the XML file I was missing the full config with MAC and serial, etc., which you provided as a download. Thanks a million, you have no idea how helpful publishing it has been!

  7. This post was such a life saver. We have a couple hundred SPA504G phones at my office that were bought outright from a service provider who locked them all down. Now we are planning to auction them off, but they were useless without having the admin password. Reading through this post gave us the knowledge needed to factory wipe all the devices! Thanks Richard!
