SPA504G Reset

We were recently approached by a customer (they will remain nameless, but they are a charity) with a batch of Cisco SPA504G IP phones. These had been purchased in good faith and duly delivered, only they had vendor lock-in. The customer tried a few avenues, and if you’ve done a lot of searching you’ll know that there are a dozen ways to unlock these. Most of them rely on assumptions that the vendor has not done something. The method below worked in this case and goes a little further than other suggestions; however, if a certificate has been set you are out of luck. I know there are people looking at hardware unlocking, but at that point I would suggest you give up.

Firstly, an honourable mention to the provider, Gamma Telecom. An initial call to their support guy was very promising. He didn’t see an issue, took some details, and we looked at the Wireshark dumps (with plain-text SIP credentials), worked out who they belonged to, and confirmed that they were indeed retired phones and there wasn’t an issue with us having them. He took my number and wandered off. Shortly afterwards he called back and said I needed to speak to someone else, and told me the process to get through the labyrinthine voicemail system. Hopeful, I did as instructed.

“No, absolutely not, we can’t give you that information.” That’s as far as I got. Despite our owning the phones legally, the rather rude woman wouldn’t even listen to anything we asked. Explaining they were for a charity got no leeway at all. I even suggested they reprovision them and push a reset out that way. The phone went down.

So here’s what was needed.

The phone gets plugged into my lab setup; it’s behind its own firewall there and I can control and manipulate everything. It turns out some simple DNS hacks were all that were needed. Watching the phone with Wireshark: it asks for an IP, great; it’ll take the TFTP server it is handed and try that, but no dice. It then asks right away for an SRV record from the provider. Ah-ha! I can’t change the SRV record at this point, but a quick dig shows that it will ALWAYS return the same hosts, node7 and node4.sip.unlimitedhorizon.co.uk. Host overrides for those are entered in pfSense and the phones start trying to register to my FreePBX lab server. They get denied, but it means I have some control over the damn things.

At this stage I’d been puzzling over this for a while, and then I spotted something. When the phones don’t get a response, or are told to go swing by those servers, they sit there in a loop retrying. HOWEVER, a login failure rather than a refusal triggers something else. Hot on the tails of both servers failing the login, the phone then tries to connect to an HTTP server, xsp.unlimitedhorizon.co.uk, and asks for /dms/Cisco_504d/<mac>-Recovery.xml. A manual browse over there gets nothing; however, tweaking the MAC address results in firmware images being served. There are some big security issues here, not least that I suspect it’s possible to take over another phone by flashing that image to another unit. For us this means that we have an in.

This site suggests that you can serve an XML file to it. You can then force the phone to pull the file. However, if the web UI is locked that won’t work, and if it’s also not looking for TFTP servers it won’t work either. So I added another DNS override to point that host to one of my servers, uploaded that file, renamed it to match what the phone was asking for, and rebooted.

File gets requested and sent, all looks good; the phone then ignores the file and switches to trying to use TLS for an update. Uh oh, I’m stuffed here. I can’t spoof the cert. I can see it failing as it doesn’t like my server cert’s CA. What now?

I have an SPA504G on my desk, and I know you can dump the XML, so off I go and do just that. A quick look at the XML shows that the MAC is included, so that’s edited to match the locked phone and the admin password line from the above XML is added. We reboot again…

Asks for the file…
Grabs the whole damn thing…
Reboots. On reboot I’m greeted with a clone of my phone. A quick venture into the menus shows that the admin password has gone too. A quick factory reset, which I can now do, and it’s all up and running as it should. One clean, factory-reset phone.

Now this leads to a number of conclusions. Cisco are good at this: we’ve seen that if this DID resort to TLS, and there is an option to do this, you would be screwed. That they didn’t do this seems odd; it’s one setting, but in not doing so they left it wide open. Everything else was set to make it as hard as possible to unlock the phone, so why leave this back door wide open?

How much of a risk is that web server? I have five phones here with distinct MAC ranges. I can take a good guess that phones would have arrived in batches, and a search in a range and a quick test shows I can pull about 5 XML files that don’t relate to me.

It’s possible they have realised there could be an issue here, as the XML files point to a .bin file. The file freely downloads, which raises the question of what it is, and can I flash it to anything? I know I can force the phones as they stand into arbitrary configurations; can these files then be written to a phone to hijack that ‘line’? I’m not willing to risk the customer’s phones, but it does raise the question of the security of the system as a whole.
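The enumeration risk above (a provisioning server handing out per-MAC config over plain HTTP to whoever asks) is at least something a provider can detect from its own web logs. The following is an added example, not from the original post and not Cisco or provider tooling: it scans constructed access-log lines for the /dms/Cisco_504d/<mac>-Recovery.xml path shape the post describes, flags a single source that fetches many different MACs (a real handset only ever asks for its own), and flags successful fetches for MACs that are not in a hypothetical allocation list. The log format, user-agent strings, MAC values and the ALLOCATED_MACS set are all constructed.

```python
"""Detect enumeration of per-device provisioning files in HTTP access logs.

Added example (not from the original post): the log lines, user-agent
strings and the MAC allocation list below are all constructed.
"""
import re
from collections import defaultdict

# Combined-style access log line. Constructed format; adjust the regex to your server.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Path shape the post observed the phone requesting: /dms/Cisco_504d/<mac>-Recovery.xml
RECOVERY_RE = re.compile(r"^/dms/Cisco_504d/(?P<mac>[0-9A-Fa-f]{12})-Recovery\.xml$")

# Constructed sample traffic: one source walks six consecutive MACs (and grabs a
# .bin), another fetches a single file. 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2020:10:00:01 +0000] "GET /dms/Cisco_504d/0011AABBCC01-Recovery.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jun/2020:10:00:02 +0000] "GET /dms/Cisco_504d/0011AABBCC02-Recovery.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jun/2020:10:00:03 +0000] "GET /dms/Cisco_504d/0011AABBCC03-Recovery.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jun/2020:10:00:04 +0000] "GET /dms/Cisco_504d/0011AABBCC04-Recovery.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jun/2020:10:00:05 +0000] "GET /dms/Cisco_504d/0011AABBCC05-Recovery.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jun/2020:10:00:06 +0000] "GET /dms/Cisco_504d/0011AABBCC06-Recovery.xml HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jun/2020:10:00:07 +0000] "GET /dms/Cisco_504d/firmware.bin HTTP/1.1" 200 99999 "-" "Mozilla/5.0"
203.0.113.55 - - [01/Jun/2020:10:05:00 +0000] "GET /dms/Cisco_504d/0011AABBCC10-Recovery.xml HTTP/1.1" 200 2048 "-" "constructed-phone-agent"
"""

# Hypothetical: the MACs the provider has actually allocated to customer handsets.
ALLOCATED_MACS = {"0011AABBCC01", "0011AABBCC02", "0011AABBCC03", "0011AABBCC04", "0011AABBCC10"}


def parse_line(line):
    """Parse one access-log line; return a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    r = RECOVERY_RE.match(rec["path"])
    rec["mac"] = r.group("mac").upper() if r else None  # None for non-provisioning paths
    return rec


def find_enumeration(lines, allocated_macs, max_macs_per_ip=3):
    """Return two findings:
    - enumerators: source IPs that requested more than max_macs_per_ip distinct
      per-device files (a single handset only ever asks for its own MAC);
    - served_unallocated: (ip, mac) pairs where the server returned 200 for a MAC
      the provider never allocated, i.e. it handed out a file it should have refused.
    """
    macs_by_ip = defaultdict(set)
    served_unallocated = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mac"] is None:
            continue  # unparseable, or not a per-device provisioning request
        macs_by_ip[rec["ip"]].add(rec["mac"])
        if rec["status"] == 200 and rec["mac"] not in allocated_macs:
            served_unallocated.append((rec["ip"], rec["mac"]))
    enumerators = {
        ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > max_macs_per_ip
    }
    return {"enumerators": enumerators, "served_unallocated": served_unallocated}


if __name__ == "__main__":
    findings = find_enumeration(SAMPLE_LOG.splitlines(), ALLOCATED_MACS)
    for ip, macs in findings["enumerators"].items():
        print(f"enumeration from {ip}: {len(macs)} distinct MACs, e.g. {macs[:3]}")
    for ip, mac in findings["served_unallocated"]:
        print(f"served unallocated config {mac} to {ip}")
```

Detection only narrows the window, though: the real fix on the provider side is the one the post itself points at, serving per-device config only after the handset has authenticated (the TLS/certificate option the phones support), so that guessing a neighbouring MAC returns nothing.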

UPDATE

The XML I used from my own phone is here; you use these files at your own risk!

Cisco_504d XML Files


38 thoughts on “SPA504G Reset”

  1. The SPA504G, or any other SPA device, does not verify whether the XML files have a proper MAC or serial number or not. It just takes the file as is, and it will not change the MAC nor the serial even if you try from an XML file.
    In addition, all you needed to include in the file was:

    No

    and then the phone would let you do a factory reset without prompting for admin password.

    1. That’s good to know about the MAC.
      I was aware of the ability to disable the admin password rather than force a change; however, on these particular phones it was ignored. The XML files recommended all over the web also failed to work.

      It’s a faff but it gets there in the end. Thank you for the feedback though 🙂

  2. We have a couple of SPA504G phones with Gamma firmware, but we do not have a suitable .xml file to put on our HTTP server. Could you email me a copy of the .xml file you used at the
    “Asks for the file…
    Grabs the whole damn thing…
    Reboots. ….”
    stage. Once the password has cleared we will reset the phones to factory defaults.

    Many thanks.

    Chris

  3. Thank you for this article; my company have (now had) a number of customers tied to Gamma because they didn’t want to pay for new handsets.

    1. I’ve also found that the FreePBX commercial “Endpoint Manager” module works well with these and updates the firmware.

  4. How do I get a login failure instead of a refusal in order to get the handset to push for the recovery file?
    Any help would be appreciated:

    “When the phones don’t get a response or are told to go swing by those servers they sit there in a loop retrying. HOWEVER a login failure rather than a refusal triggers something else. Hot on the tails of both servers failing the login it then tries to connect to an HTTP server, xsp.unlimitedhorizon.co.uk and it asks for /dms/Cisco_504d/-Recovery.xml”

  5. Thank you for a comprehensive article – I can confirm the method above works on unlocking handsets tied to this particular operator.

  6. Bloody hell Richard you’re a lifesaver, I had one of these provisioned to the same vendor and while I successfully intercepted the request for the XML file I was missing the full config with MAC and serial, etc., which you provided as a download. Thanks a million, you have no idea how helpful publishing it has been!

  7. This post was such a life saver. We have a couple hundred SPA504g phones at my office that were bought outright from a service provider who locked them all down. Now we are planning to auction them off but they were useless without having the admin password. Reading through this post gave use the knowledge needed to factory wipe all the devices! Thanks Richard!

  8. Would it be possible to have a step-by-step guide on how you did it? Should I use option 66 in my DHCP server to point the phone to my TFTP server? I would appreciate it if you could give me some hints.

    1. If you have redirected the DNS query as above it will fail. With the 525G this is the only way to do it, and you have to emulate the whole infrastructure of the provider to push the file. However, if you watch the phone with Wireshark you get a good feel for what it is up to. Use the filters to exclude the MAC of the machine you are listening with to make it easier.

  9. Hi Richard

    I have the same issue with one of these Gamma phones bought in good faith; are you able to email a step-by-step guide on how to unlock this SPA504G I have?

    When mine boots from PoE it actually locks the keys so you cannot press anything – pretty crazy stuff just for a phone. Anyway, if you could email what to do; I’m using tftpd64 as my TFTP server if that helps.

    Well done for sorting this problem out….

    Thanks
    Chris

    1. It’s pretty much all there in the text. You will need a way to redirect those DNS queries. In my case this was done via the firewall in my lab setup, pfSense. You could do the same with Windows DNS or any DNS server, but it *must* be the DNS server provided by the DHCP server. If the whole thing is locked to a static IP you’ll need to break out Wireshark and see what is going on.

      I’ve never seen the keypad locked; that is strange, as even totally locked down the keypad does work. It makes me think you have more going on here. Try from a 5V DC power supply, as some of the Chineesium PoE switches and older HP ones can do odd things.

      I *may* offer a reset service for these, as it seems to be becoming a common problem, and these are decent phones, especially now I’ve found a 3D-printable stand.

  10. Unfortunately it seems to be provider specific, I managed to force a SPA504G to get an authentication error on the SIP lines but the HTTP request never came. I also tried forcing it into SPCP mode which retrieved a file from a TFTP server, but it just kept trying to re-download the configuration file and the password was never reset. Cisco certainly has done an awesome job of generating landfill with this ridiculous provider locking.

    1. So far I’ve not found one I can’t unlock, however there is a certificate based authentication system that in theory would screw you up. I wonder if that is what you are seeing here. You could (if you have one) directly upload a config dump from another identical phone if you change the MAC in the file. I have done this before now.

      I’d argue that this comes under right to repair as you own the phone. Here is hoping this behaviour stops, it certainly is in the EU with carrier locked mobiles now.

  11. Thanks so much for your time posting your experience on this, unbricked my 4 phones.

    I used tcpdump on our EdgeRouter to listen to packets from the phone, identified the IP of the server it was attempting to get the _-Recovery.xml from, then used NAT to send all outgoing requests to the discovered IP to my own web server IP.

    The phone received the config file below, served up by my server, delightfully booted without a password protected factory reset. Done!

    Great job.

    -Recovery.xml

    123
    No

    1. Can’t post the XML file here, but there are loads of references to the recovery file needing to include just the XML tags Protect_IVR_FactoryReset and Admin_Passwd ua=”na”.

      1. Glad it helped. The minimal config is mentioned in a few places, but certainly on my ones they were for the most part ignored. Cisco does like to make major tweaks silently to firmware, so it may have been broken somewhere along the line. It seems this post is keeping a lot of phones out of the trash and I’m going to YouTube this, I think.

  12. Hi Richard

    Have you done a YouTube video yet?
    I am new to VoIP and recently bought one of these SPA504G phones off eBay with a Gamma lock. I get an IP from my router when connected, but I cannot access the web UI when typing the IP in a web browser. Factory reset asks for an admin password. I have trawled the web looking for a solution, but yours seems to be the only credible one. My firmware version is 7.6.1. I am a total novice when it comes to pfSense and TFTP servers etc. Do you happen to have a step-by-step guide?
    I know others have asked, but it would really be helpful if you could point us in the right direction.
    Thanks in advance.

    1. Sorry, I don’t get time to check comments that frequently. I don’t really have that much time right now to break it down, but again, as it seems a common ask, when things quieten down in Sept I’ll get a video done.

  13. Hi Richard, you are the only hope available over the internet. I was just scammed with 80 units of SPA504 phones and all are admin locked. I am unable to figure out exactly what to do. Can you assist me in doing so, as I am desperate to fix it and save my job? I am available as per your availability. Please inform. This will be a saviour for me.

    1. Sorry, I don’t get time to check comments that frequently. As someone else has asked, I will try and do a YouTube video on this, as I have two that are locked here. It’s unlikely to happen before the end of September though. Because of the amount of control needed over the host network I can’t do this remotely.

  14. I can’t for the life of me get this to work!
    I have managed to override the host to point to a local IP and have installed a TFTP server on the local IP.
    Using Wireshark, the phones are indeed stuck in a loop trying to Register. I have created a local Asterisk server, so the phones are getting a Status: 401 Unauthorised response, which I would class as a failure, but the phones continue to try to register.
    I have tried sending no response at all, but they still keep looping trying to register.
    The phones say Failed(Authenticate) on the LCD screens.
    I cannot see any HTTP requests for a Recovery.xml file.
    What am I missing?
    Thanks!

    1. Some of these can be locked down to need certificates. If that’s been done you are stuck.
      Registration with Asterisk isn’t going to work unless you know the credentials they are trying to use. You might find that in the packets, but this won’t allow you to reset the phones. Look at the TFTP log and see what the phones are actually doing an RRQ for and work from there. If you know the TFTP file or URL you can sometimes spoof your user agent in the browser and pull the config file from the provider.
