Factory Reset Cisco SPA504G without admin password

voip

I've been trying to factory reset some SPA50x phones, specifically the 504G but the old provider has locked out everything.

I need to reset about 50 phones for use with a new service. I've man in the middle'd their provisioning server, but the phone profiles are compiled with SPC.

I've found a reference to how the old provider created the compiled profiles, and I have recompiled a new profile overriding the Admin_Passwd in the config file, but the phone simply complained that the config file was corrupted.

The phone is configured for SIP, but I have tried connecting it to a UC540 to see what would happen. The phone is able to re provisioned against it, but I still can't reset it without the admin password. This was just for testing anyways, since I actually need the phones connected to Asterisk.

I am very close to considering opening the phone and looking for a jtag port or some other way to reset these phones. I have a single phone on my desk right now that I can play with. I am hoping to find a repeatable solution to this.

Any advice would be great.

Best Answer

If you can successfully provision the phone by intercepting its provisioning requests, you should be able to reset the admin password. It's just one more field in the provisioning file (and indeed, in this case it can be the only field).

You shouldn't even really need to compile it with SPC; I only serve plain XML files to my devices.

A trivial XML file to reset the admin password would be:

<?xml version="1.0" encoding="ISO-8859-1"?>
<flat-profile>
    <Admin_Passwd ua="na">changeme</Admin_Passwd>
</flat-profile>

Your only trick there will be serving it with a MIME type of application/xml when the filename is probably something like spa####.cfg, but either a tweak to your web server config or doing it in a scripting language like PHP should solve that.

Or you can do it in plain text format compiled with SPC, if you can figure out the right parameters to encrypt it with. (You might be able to tease this info out of the phone, but I wouldn't hold my breath.)

Finally, you may be able to get the phone to resync to a URL of your choice (if this hasn't been restricted) by talking to the phone's internal web server with a crafted URL:

http://10.48.203.15/admin/resync?http://10.48.207.1/reset_password.xml

For more, you may find the Cisco Small Business IP Telephony Devices Provisioning Guide useful.

Related Topic