I asked this question on community/netpro/collaboration-voice-video/ip-telephony, but was told that it was the wrong place to do it. I don't know how to move a post, so I'm asking again here (I hope I got it right this time).
From what you describe, it appears that the original service provider properly locked down the phone. If they really did, then brute force is the only way ahead.
There are no backdoors in the SPA phones or ATAs. The idea being that a service provider can easily recover from a lost password by simply reprovisioning a device with a new or blank password. Many service providers give the SPA devices away and then sell a service, this is why they allow the customer to keep the device when the service is terminated.
I read articles where if so inclined, as you appear to be, you can set up a private network to replicate the original service provider's network, including DNS. Then, using a protocol analyzer, you watch to see how the SPA device behaves and what it looks for. I've read that if you devote enough time to this exercise, you could build the files that make the phone believe it is on its home network and then provision it with a blank password.
Or, you could buy a shiny new SPA5xx or SPA3xx phone with many more features, current firmware, and get to spend the time doing something else.
Best of luck, either way.
I know this is an old thread but I came across a similar issue when a colleague accidentally set a password that they did not know.
The solution was to place the phones ip address in a web browser suffixed with /admin (http://
On the system tab there is a user password that can then be changed or blanked...
The phone had firmware version 4.1.8