
Unlocking a Cisco SPA525G IP Phone

Diana
Level 1

Hi,

Need help.

We had a contract with Vodafone UK, who supplied us with around 40 Cisco SPA525G devices. Our contract is now over, and they don't want the phones back. All the phones are locked to the Vodafone config.

Does anyone know how to unlock the devices to put them back to factory settings without the Voda config? Any help is gratefully appreciated.

Thanks

19 Replies

Dan Lukes
VIP Alumni

Those units are customized for Vodafone UK. Cisco will not help you to unlock devices locked for their customer (which is Vodafone, not you). If Vodafone decides to give you control over the devices, then Vodafone will disclose the access passwords to you.

According to unofficial advice ...

... if properly locked, it's just not possible.

If the lock is imperfect, then there may be a way. But there's no generic advice - the unlock procedure depends on the exact configuration of the locked device.

Dear Dan,

I unlocked the Vodafone SPA525 phones. (Thank you! One of your articles here helped.)

Upgraded to the highest firmware and fully configured and tested with my SIP VoIP system.

But one problem is left.

The phone shows on the WEB UI that the customization is Vodafone.

And when I factory reset the phone and the phone doesn't download my configuration file, the WEB UI is locked again with an unknown password.

If the phone can download my configuration file, the WEB UI is opened again.

How do I change the customization to the open state?

Thank you.

While you can sometimes take control over a locked device (if the lock has been imperfect), you can't remove the customization. The so-called 'customization' means there is a customized 'factory default configuration' burned inside the device.

Cisco can modify the factory default configuration, but Cisco will not do it for you (and not even for Vodafone as far as I know).

Consider it just a feature of the devices you bought. If you have been cheated by the seller (you were not aware the units are customized), return the devices to them ...

So sorry for not having better advice for you.

Hi Dan,

First I thank you for your answer!

I understand.

But according to them there is a way.
I was also testing the phone on the internal serial port.
And I saw a file system in the flash (similar to Linux).

I can do anything. Possibly I can rewrite the full flash.
Just tell me how to do it.

There are a lot of such phones, it would be a pity to put them in the recycling trash.
Vodafone has long been concerned about it.


Thank you

Tony

Yes, it's Linux. And I assume the default configuration is stored as a file somewhere in the filesystem (like the current configuration).

While I like reverse engineering, we have no SPA525G phones. Well, I have one for configuration tests but I must not trash it (which may happen by blind changes in the filesystem). Moreover, no phone I have is an RC unit (customized).

But you have a lot of customized phones, so you have a chance for success. Be careful as a blind change may irreversibly brick the particular phone.

If you take it on, I will be curious to know the details.

Maybe in my next comment I will claim that only Cisco and you can remove customization ;-)

Hi Dan and all,

News.

I removed this file: /home/fp

And now the phone customization has changed to pending.

The admin menu is lost from the WEB UI.

I will try uploading a new fp file from an open customized phone.

Regards

Tony

The RC units don't know for whom they are dedicated at the time of dispatch from Cisco. They are in the 'customization pending' state.

Those units try to contact Cisco's RC provisioning server and download the initial configuration from that server. Such configuration becomes the 'factory default' configuration. The customization state is changed to the name of the customized phone's owner as a result.

So you won just a battle, but not the war. The phone considers itself to be an RC unit.

OK. Either there's a manufacturing configuration stored somewhere - the serial number, MAC address, a flag claiming the device to be an RC unit. Or the lack of /home/fp is the flag claiming the unit to be an RC unit, and retail devices (Customized: Open) are just RC units pre-customized for a company named 'Open'.

In both cases the fp file from an open phone may help. In the first case the unit will still consider itself an RC unit, but the stored factory default configuration will be the same as in a retail unit, so it will not harm. In the second case, the unit becomes a true retail unit.

I'm staying tuned.

By the way, I'm curious to see the content of the 'fp' file you deleted. I'm so sad I have no RC unit, so I can be just an external observer of this adventure. If you are willing to send it to me, there's my email address of the day: <removed, no longer necessary>

Hi Dan,

I connected the phone to the Internet.

And the phone connected to this site: https://webapps.cisco.com

I was tracking the phone's IP traffic and waiting patiently.

It downloaded unknown files from the Cisco site.

And after a couple of seconds it restarted.

I looked again at /home.

And the fp file came back. The customization is pending.

Unfortunately I didn't save the original fp file.

I sent an email to you.

Regards

Tony 

Hi all,

Two fp files.

Look at the description in the file name.

@AntalVincz @Dan Lukes

Hi,

I know this is a long shot, but did you ever manage to get the phones unlocked?

Also, how do you connect to this internal serial connector you mentioned?

I don't want to start up a thread again, but I have the same problem as you and I'm interested in whether it is at all possible.

Thanks a ton

Hi,

I can remove (overwrite) unknown passwords from SPA5xx series phones.
It doesn't matter whether the unit is RC or non-RC.
Unfortunately, I can't remove (overwrite) the customization.
I know a lot of people are able to overwrite the customization.
Unfortunately, nobody shares how to.
Regards

Tony


 

Brilliant,

Shame about customisation, but the password is the main issue. Please can you share the method (is it with DNS override and a web server like this?), or is there a better way? Thanks for all your efforts.

Hi TobyWhiting,

You need this server: DHCP + option 66, DNS, TFTP, WEB.
I'm using Debian Linux with isc-dhcp, bind9, HPA TFTP, Apache2.
Set your IP tables to forward any request on TCP ports 69, 80, 443, 53 to your server's local IP.

Case A, if the Call Control Settings menu is available.
Drop the attached file XMLDefault.cnf.zip into your TFTP server root folder.
Extract the .zip file. Change all IP addresses in the file to your server IP address.
1. Go to Call Control Setting on the menu
2. Press SELECT
3. Press edit on Signalling Protocol
4. Press the option and change SIP to SPCP
5. Press OK and SAVE
The phone restarts automatically. When the phone is booting up, it automatically downloads the XMLDefault.cnf.xml and applies it. The phone restarts again. When the phone has restarted, press the menu and go to menu 7, type the password 123456 and reset the phone to factory. The phone restarts and goes back to SIP mode. Upgrade the firmware and enjoy.

I will be back later with the DNS hack.

Regards
Tony

 

Hello, 

 

Please, if you can, share how to rel the customization from Vodafone. We bought over 100 Spa525g2 from a UK company called Disk Source. They are not able to get the code from Vodafone and will not take the phones back. We are a small company and cannot afford to take the hit.

 

Thank you