Cisco SPA504G any last ditch efforts?

[bithead9]

I have one SPA504G that I cannot do a factory reset (via phone menu) due to not having the Admin password. I have searched on Google and other sites and there is the hack of trying to "provision" the phone via TFTP and either a password XML file or the Default config.xml - I tried this and cannot even PING the phone. It does acquire a local LAN IP address in my subnet. So the DHCP is OK. The phone was provisioned for VLAN and I am not running any VLAN on my subnet. I opened the case and there are 2 or 3 JTAG connectors. I tried to JTAG (J2) and no luck there. It does appear to be a standard 12 pin but the tools I have do not recognize the CPU / flash memory.... SO, that is where I am. Any suggestions, hints or tips ? Is there any magic pins I can short to force a reset of the NVRAM (like can be done on routers, etc).... I did not find any forums or web hits of ANYONE that has jtagged these or recovered from a lost admin password.

 

[bithead9]

Update... I was able to gain access to the browser interface by turning off the VLAN. I can now PING the device. The Cisco recovery utility does not recognize the device by either serial# or FFFFFFFFFFFF - of course the phone is not in SOS mode. The firmware update utility still prompts for the user/password for admin access. The phone was formerly provisioned via provider: optimumlightpathvoice.com - I tried to spoof the DNS and redirect this to my local TFTP server but no luck so far. I think I will try to redirect to Asterisk next and see if the provisioning might take. Unfortunately the URL saved in the phone is https with 443 code at the end. So even if I get it to find the Asterisk or other TFTP it is looking for a CERT. I think I am screwed on this one. The only other thing I can imagine might work is to replace the EPROM with an un-programmed one. Perhaps the on board CPU will then either go into recovery mode or allow the firmware upgrade utility to work. Does anyone have thoughts on that method? Or any other hints. I also tried the "crafted" http URL with password reset xml and that still asked for the admin password.

 

[EmuDan]

I'm in the same boat here..I've tried various xml files, but still no dice. One thing I can say about those SPA phones - they can be made VERY secure.

Dan

I wouldn't say I "hate" my job...it's just that most days, I'd rather get kicked in the nuts repeatedly instead of being here.

 

[bithead9]

Dan you got that right! The J3 header on the board looks like a serial interface. GND +3.3V and tx rx pins. When the phone boots I hooked a scope on there and it is sending data on the tx pin. I tries a TTL serial converter with hyper terminal and no dice. I think the eeprom being secure does not allow direct access. You need to send special sequences to unlock and enable writing, etc. I was contemplating to remove the EEPROM and swap in an un-programmed one, perhaps the phone would go in SOS mode and let me flash all defaults. But that would be for fun only since I only have one phone in this state. Maybe if I have time I will order the $3.00 eeprom and do the swap.