12-21-2016 08:15 AM - edited 03-21-2019 09:02 AM
I have one 504 and a 303 both of which have admin passwords on them so I can't factory reset them.
I know I need to run a wireshark trace route and edit the admin password in the file that it's looking for.
But how do I do this?
If anyone knows how to help me unlock these phones it would be appreciated
12-21-2016 08:51 AM
I know I need to run a wireshark trace route and edit the admin password in the file that it's looking for.
I'm almost sure it's not real.
Yes, you can order the phone to save the current configuration, but passwords are not saved with it - the password fields are saved "empty" or they are replaced by '*' (it depends on the save method you decide to use) - see a real part of a saved configuration:
<Admin_Passwd group="System/System_Configuration">*************</Admin_Passwd>
<XML_Password group="Phone/XML_Service">*************</XML_Password>
<Password_1_ group="Ext_1/Subscriber_Information">*************</Password_1_>
Wireshark will not disclose more to you - it's the content as transferred over the wire. Passwords are just removed before transmission by the phone itself.
If you can access the WWW UI, the passwords are not shown there either.
There's no known way to force the phone to send the clear password over the wire.
You are out of luck even if you have a browser that has the correct password saved, or an application that can access the phone with admin credentials - HTTP access uses Digest authentication. No clear-text password is passed over the wire:
Authorization: Digest username="admin", realm="spa admin", nonce="f6d1008414e58ee8598e6b88f36c04ba7a15864f", uri="/admin/advanced", algorithm=MD5, response="a8e243726bd9ebea9db1466e75ace92f", opaque="f4990cbda4216e19fe39e57d35d079724084091e", qop=auth, nc=00000006, cnonce="27cd78403c2717d4"
If anyone knows how to help me unlock these phones it would be appreciated
I feel very familiar with the issue you are speaking of - but as far as I know, there's no way to unlock a properly locked phone. It's a valuable feature of the SPA504G model, not an unintentional bug.
Those phones can't be unlocked by an unauthorized person. Ask their administrator (i.e. the person who knows the password and locked the phones against unauthorized manipulation) for help.
If you bought the phones from someone, request the passwords from them. If he refuses to disclose them, you have been cheated. Return the phones to the seller.
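Added example, not part of the thread and not Cisco's code: a check that a saved configuration export carries credential fields only in masked or empty form, as the reply above describes. The root element, the non-password field and the one clear-text value are constructed for the demonstration; the three masked fields are the ones quoted in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample export. The first three fields are copied from the post
# above; the root element, Display_Name_1_ and the clear-text value of the
# last field are made up so the check has something to flag.
SAMPLE_EXPORT = """<flat-profile>
  <Admin_Passwd group="System/System_Configuration">*************</Admin_Passwd>
  <XML_Password group="Phone/XML_Service">*************</XML_Password>
  <Password_1_ group="Ext_1/Subscriber_Information">*************</Password_1_>
  <Display_Name_1_ group="Ext_1/Subscriber_Information">Reception</Display_Name_1_>
  <User_Password group="System/System_Configuration">example-only</User_Password>
</flat-profile>"""

# Element names that look like credential fields (Passwd, Password, ...).
SECRET_TAG = re.compile(r"passw(or)?d", re.IGNORECASE)


def classify(value):
    """Classify a field value as 'empty', 'masked' (only '*') or 'cleartext'."""
    if value is None or value.strip() == "":
        return "empty"
    if set(value.strip()) == {"*"}:
        return "masked"
    return "cleartext"


def audit_export(xml_text):
    """Return {element name: state} for every credential-like element."""
    root = ET.fromstring(xml_text)
    return {el.tag: classify(el.text)
            for el in root.iter() if SECRET_TAG.search(el.tag)}


def leaked_fields(xml_text):
    """Names of credential-like elements whose value is stored in clear text."""
    return sorted(tag for tag, state in audit_export(xml_text).items()
                  if state == "cleartext")


if __name__ == "__main__":
    for tag, state in audit_export(SAMPLE_EXPORT).items():
        print(f"{tag:16} {state}")
    print("needs attention:", leaked_fields(SAMPLE_EXPORT))
```

Running it over exports before they are archived or shared confirms that no credential field left the device in readable form.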
12-22-2016 01:13 AM
Shame there's no way of doing it. I even set up a test 504 with the password 1234 which I typed carefully and tried to factory reset it and it still said it was the wrong password. Went to the set password menu and typed 1234 twice and still can't unlock it!
12-22-2016 01:32 AM
Well, if the phone has not been hardened intentionally, there may be a chance.
First, a factory reset (initiated from the phone's menu) requires no admin password by default.
Second, unless you turned off remote provisioning (it's enabled by default) you can order the phone (via DHCP) to load a provisioning file. Thus you can reconfigure the phone from scratch, including the admin password.
I would like to ask you - open the WWW UI, the "Info" tab. It requires no login at all. What's the value of "Product Information" -> "Customization"?
By the way, you should NEVER turn on password protection of reset to factory default unless you are pretty sure you can log-in. So next time - turn off protection of reset to factory default, change admin password, verify you can login, *then* you can turn on protection of reset to factory default again.
01-03-2017 02:09 AM
I'm pretty sure there is a way of unlocking a 504, but can this be done with a 303? Just curious to know what the differences are between the phones.
01-03-2017 02:40 AM
SPA50NG can be powered by PoE while SPA30NG has no such capability. It's the only difference as far as I know.
And - of course, there may be a way to unlock the phone. You can try to disassemble the unit, identify the internal memory chip and erase the saved configuration on it using an external device connected to the chip's address and data bus pins. Maybe there's a JTAG connector that can be used for something like it as well (if you reverse-engineer the information required for JTAG access).
Moreover, there may be a firmware bug in a particular firmware version that will allow you to take control over a locked device (SPA112 has been known to have such a bug in an ancient firmware version, but I know nothing about something like it on the SPA[35]0x platform).
But unless you are an enthusiast and you are working on it for fun, it will be much and much and much cheaper to trash your current locked device and buy a brand new one, unlocked.