Showing results for 
Search instead for 
Did you mean: 

Lost admin password for SPA-941

Hi all,

I asked this question on community/netpro/collaboration-voice-video/ip-telephony, but was told that it was the wrong place to do it.  I don't know how to move a post, so I'm asking again here (I hope I got it right this time).

The short version: how to reset/disable admin password in SPA-941 phone?

The long version:

I have an IP Phone SPA-941 --- bought it on eBay with 'lost admin password'.  I've found somewhere on the Internet that it's possible to reset the phone to 'factory defaults', which is supposed to reset the admin password as well (which is why I bought the phone with this 'warning').  However, the 'information', failed to mention, that the factory reset is protected by the said administrator password.

Now, I have a bit of a problem since without this password, the phone is useless --- I cannot configure my SIP account there.

I cannot believe that loosing the admin password could yield a device unusable, so I presume that there must be a way to reset/recover password.

I have found somewhere a tool to upgrade firmware.  I tried it.... Not surprisingly, it requires the admin password.  However, it also prints a very promising message: "If you are the administrator and forgot the password, you may perform a factory reset by entering ****, option 73738#, and value 1 from a telephone connected to the unit to be upgraded.".  I have no idea what the 'option' might be and the 'value 1'...  I also do not know what they mean by 'telephone connected to the unit to be upgraded' --- this seems to indicate that the upgrade tool (or message) isn't meant for a phone, but for some other device to which a phone is to be connected.

I also found some discussions about the jumpers (JP1 and JP4) in the printed board of the phone.  I tried all of possible combinations and none of them caused the phone to be any less demanding in terms of admin password (if it booted at all).

I also found some kind of 'recovery software'.  It is supposed to 'recover' firmware to a version 4.1.x (I have 5.1.8 now but I assume that I'd be able to upgrade it back again when the 'downgrading' removes password).  There are two options --- one is for 'normal' upgrade (well.. downgrade in this case), which requires admin password.

The second option is the 'recovery' --- it requires serial number.  When I choose this one, the program warns me that it's only meant for phones displaying SOS message... I tried it regardless (what do I have to loose?), but the 'device couldn't be found'.  Perhaps there is a way of corrupting the phone and entering this SOS-state?

This, for the moment used up my ideas as how to use my phone.  In desperation I'm trying the brute-force 'attack' --- I'm able to check about 1k passwords in 60s...  I've found in some docs, that passwords can be 63 character long alphanumeric strings, which means that I should be able to check all of the combinations in something about 264646141002173127075674008932259139731080369373079015446569116064180887885670843 years, so I'll not hold my breath.  In the meanwhile...  Please help.  Is there a way to 'crack' the phone and reset the admin password?

Cisco Employee

Hi Michal,

From what you describe, it appears that the original service provider properly locked down the phone. If they really did, then brute force is the only way ahead.

There are no backdoors in the SPA phones or ATAs. The idea being that a service provider can easily recover from a lost password by simply reprovisioning a device with a new or blank password. Many service providers give the SPA devices away and then sell a service, this is why they allow the customer to keep the device when the service is terminated.

I read articles where if so inclined, as you appear to be, you can set up a private network to replicate the original service provider's network, including DNS. Then, using a protocol analyzer, you watch to see how the SPA device behaves and what it looks for. I've read that if you devote enough time to this exercise, you could build the files that make the phone believe it is on its home network and then provision it with a blank password.

Or, you could buy a shiny new SPA5xx or SPA3xx phone with many more features, current firmware, and get to spend the time doing something else.

Best of luck, either way.





I know this is an old thread but I came across a similar issue when a colleague accidentally set a password that they did not know.

The solution was to place the phones ip address in a web browser suffixed with /admin (http:///admin).  I found that this by passed the login. 

On the system tab there is a user password that can then be changed or blanked...

The phone had firmware version 4.1.8


This provides the password, but where can I find the username?


I'm not sure, but it's not changeable. So, did you tried "admin" ?


Hi Lukes,

you can do factory reset  that reset all new configuration, password to factory reset. Then you can use the default password to log in.

Thank you.