How to unlock the latest Engin Voice Box 2 (Sipura/Linksys SPA3000)
Foreword: I like Engin, and this article is not about moving services away from Engin, although it will empower you to do so. It's about allowing you to fully gain access to the ATA (Voice Box) that you purchased, in order to further the quality of your VOIP (Voice over IP *duh*) experience.
This information pertains to the latest (last) issue of the Sipura SPA-3000 units, which are locked with a password so you have no web access or IVR access whatsoever.
Firmware: SPA-3000-3.1.7(GWc)
This is a very technical article that is going to skip minor details, so if you're not comfortable with setting up a "fake internet" and don't have a Linux box, then you'll be treading water to keep up.
There are millions of articles covering the general topic, so I will get straight to the point.
This is for the worst case scenario of having bought a box, and letting it connect to Engin and provision itself. It's now locked up tighter than your grandmothers undies.
This was done using Centos as the Linux distribution, so Fedora and Red Hat can be substituted, any other distributions will have to find their own packages.
You need installed: dhcpd, bind, httpd, and I would recommend tcpdump so you can watch your progress.
These can be installed (from memory) by typing
yum -y dhcp bind-server httpd tcpdump
Debian and apt-get related distros can perform a similar apt-get, I just don't know the package names off the top off my head.
Firstly, you'll need to make sure DHCP is switched off on your router/hub/switch or use a crossover cable to connect directly to the Engin Voice Box 2 / SPA3K
First, create a virtual network for your SPA-3000 to play in:
ifconfig eth0:1 192.168.0.10
ifconfig eth0:1 192.168.0.10
ifconfig eth0:2 192.168.0.1
ifconfig eth0:3 202.139.89.133
ifconfig eth0:4 202.61.12.230
Some of these IP addresses are probably overkill, as will be a few steps in the process... but you didn't spent 18 hours hacking one of these suckers so a few extra lines of cut & paste won't kill you.
The following configuration files are going to have to be made. I will list their names, and their contents. Explanations will be terse:
/etc/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.1;
option subnet-mask 255.255.255.0;
option nis-domain "domain.org";
option domain-name "domain.org";
option domain-name-servers 192.168.0.10;
option log-servers 192.168.0.10;
option tftp-server-name "192.168.0.10";
range dynamic-bootp 192.168.0.128 192.168.0.254;
default-lease-time 900;
max-lease-time 3600;
}
/etc/named.conf
acl all { 0.0.0.0/0; };
options {
listen-on port 53 { all; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
query-source-v6 port 53;
allow-query { all; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view localhost_resolver {
match-clients { localhost; };
match-destinations { localhost; };
recursion no;
};
view "all"
{
recursion no;
include "/etc/named.root.hints";
zone "mibroadband.com.au" {
type master;
file "mibroadband.com.au.db";
};
zone "engin.com.au" {
type master;
file "engin.com.au.db";
};
};
You will also need to copy named.root, named.root.hints into /etc from the doc's directory, if they're not already there.
/usr/share/doc/bind-9.3.3/sample/etc/named.root.hints
/usr/share/doc/bind-9.3.3/sample/var/named/named.root
Copy named.root into /var/named/ aswell (You might have to make this directory) as well. I can't remember which one is used, but two copies won't kill you.
Now, change directories to /var/named and make these:
engin.com.au.db
@ in soa localhost. root 2 3H 15M 1W 1D
ns localhost.
$ORIGIN engin.com.au.
config A 10.58.33.10
The 10.58.33.10 address used in these examples was the normal address of the server, which I had to use because Apache was cracking the sads and refusing to answer any other IP addresses. Just replace it with whatever your eth0 is where-ever you see it from now on:
mibroadband.com.au.db
@ in soa localhost. root 2 3H 15M 1W 1D
ns localhost.
$ORIGIN mel.mibroadband.com.au.
_sip._udp SRV 10 1 5060 mel-rsbc.mel.mibroadband.com.au.
_sip._udp SRV 30 1 5060 nsw-rsbc.mel.mibroadband.com.au.
_sip._udp SRV 50 1 5060 nsw-vsbc.mel.mibroadband.com.au.
mel-rsbc A 10.58.33.10
nsw-rsbc A 192.168.0.1
nsw-vsbc A 192.168.0.10
I actually have Asterisk running on this server, so I let the Sipura connect to that, and fail. I'm sure it's not a necessary step, just put in that same default IP your box had and let it fail.
Now we need a configuration file for your Engin Voice Box to download, which is was allows you to over-ride the provisioning that Engin used. Unlike most guides, we're not going to wipe out all your settings, we're just going to remove the admin/user passwords.
Now I used a program called "spc.exe" which is a binary compiler for making Sipura 1000, 2000, configuration files. Worked fine for The SPA3000 too. The program is property of Sipura and I can't post it here, so if you can't find it, I'll show you another way that I haven't personally tested but purportedly works. My copy was called "spc2_0_11_e.exe"
Regardless, we need to make a text file with some options. This can be done under Unix or Windows, the application is available for both. It doesn't matter where you do the work, we'll copy the end result later.
Make a file: nopass.txt
# ***
# *** Sipura SPA Series Configuration Parameters
# ***
# *** System Configuration
Restricted_Access_Domains "" ;
Enable_Web_Server "Yes" ;
Web_Server_Port "80" ;
Enable_Web_Admin_Access "Yes" ;
Admin_Passwd "" ;
User_Password ! "" ;
Now if you don't have spc.exe, just rename this file to spa.cfg and cross your fingers.
type:
spc2_0_11_e.exe nopass.txt spa.cfg --target 000e08123456
The last word is your MAC address, it's written underneath. Make sure it's lowercase and looks like the above. This generates a file that looks just like the ones Engin sent out, so it was good enough for me to give it a burl.
Copy the spa.cfg that it makes into a directory under your webroot. For me, that was
/var/www/html/sipura/000e0812345/spa.cfg
Now create the extra IP addresses you'll need to pull this off by typing:
ifconfig eth0:1 192.168.0.10
ifconfig eth0:1 192.168.0.10
ifconfig eth0:2 192.168.0.1
ifconfig eth0:3 202.139.89.133
ifconfig eth0:4 202.61.12.230
You may need to enable forwarding or routing or something, I couldn't remember how and I was off the net at the time so YMMV. "echo 1 > /proc/forwarding" or /proc/net/forwarding didn't work, but it worked anyway and I didn't have to strain my brain.
Modify /etc/resolv.conf to contain only one line:
nameserver 127.0.0.1
Make sure that the user "named" owns all the nameserver files if necessary (just type the following, if it fails, your distribution may not need it).
chown -R named:named /etc/named* /var/named
Now there will probably be errors, so good to have a "tail -f /var/log/messages &" running to spot them.
Start your engines gentlemen:
service httpd restart
service dhcpd restart
service named restart
Debian and other users can try /etc/init.d/xxxxx restart.
I made it restart in case you need to do it again, or you already had the service running. You will see [ FAIL ] if the service wasn't running, but as long as its [ OK ] when it restarts you're good. Fixing errors is your business, but feel free to comment if I screwed up in my instructions.
You want to be watching the following three files as you plug in your ATA (or if it's already plugged in, power cycle or ****REBOOT# from the IVR)
tail -f /var/log/httpd/access_log &
tail -f /var/log/httpd/error_log &
and you want to see the traffic as it flows:
tcpdump | grep -v ssh &
Now plug in your Engin Hell Box, and watch it play. It will take about 5 minutes of bind SRV queries, SIP logins, and then finally a web request to config.engin.com.au.
At this point you will see either an access or an error message from your httpd logs, it will stick out because the line will look a bit different. If it was an error message, then put the file in the right place dummy. If it was a good transfer, then you should unlocked.
If you have web access to your Sipura, then try logging in (the IP address will probably be 192.168.0.254), you can always type "arp -an" for a list of IP addresses. You can also use the IVR via the handset, and type ****73738# ... if it doesn't ask for a password then just hang up.
If it never asked for a password before you started this procedure, you're a dumbass.
Now edit the provisioning tab of the admin menu so that it can't re-provision itself, or let it re-provision to a server of your choosing.
All your Engin settings are still there, so you can stay using Engin as you choose, but now you can control over the ATA and you can have much more fun. :)
Labels: SPA3000 SPA-3000 Sipra Linksys Engin unlock ATA VOIP
5 Comments:
Hi,
Its a terrefic document. I followed the doc and successfully unlocked a spa3k.
But I could not unlock spa 3102. DNS is up and running. The spa3102 connects to the web server and tries to get the cfg file. The file is there, but it seems it is not downloaded by the spa 3102. Here is the tail of httpd access log:
192.168.0.206 - - [12/Sep/2007:18:27:28 +1000] "GET /linksys/SPA-3102/000e08cc0ad8.cfg HTTP/1.0" 302 326 "-" "Linksys/SPA-3102-3.3.6(GW) (FM600G400081)"
192.168.0.206 - - [12/Sep/2007:18:27:44 +1000] "GET /linksys/SPA-3102/000e08ccXXXX.cfg HTTP/1.0" 302 326 "-" "Linksys/SPA-3102-3.3.6(GW) (FM600G40YYYY)"
(000e08ccXXXX is the MAC and FM600G40YYYY is the serial number of the spa3102 box).
Please help.
Thanks
September 12, 2007 at 1:31 AM
Leave me an email or something, sipura@(this domain) and I'll try.
I have plenty of 3000's and 2000's lying about mainly still in the box unprovisioned.
February 7, 2008 at 8:48 AM
First. Top marks for a great method.
Second I needed to run Asterisk inorder for something to time out and the config file be requested from the web server.
Third I had the same problem for my spa3102 as samarules
Checking out the Linksys ATA Admin Guide around page 51 I found the following
"The Linksys ATA configuration profile can be either an XML file or a binary file with a proprietary format."
and a few lines down a sample!!! which I can't seem to include here as it won't allow the HTML
http://www.provu.co.uk/pdf/linksys/Linksys_ATA_ADMINGUIDE.pdf
changing some secret to something easy to remember (i.e. your name) I didn't try blank but this might work also. Then save the file as your3102mac.cfg in the directory as indicated in the error log. Don't for get to keep the mac all lower case.
Power off and power on the SPA3102. Browse to the admin login and type in your Admin/Password pair.
Finally don't for get to turn off Provision Enable and delete what ever is in the profile rule from the provisioning tab otherwise it might get all locked up again...
October 24, 2008 at 5:20 AM
Thanks - still works with a dusty Engin SPA-3000 I rescued from a drawer
March 14, 2010 at 1:29 AM
Thanks for doing the spade work on this one.
Able to unlock an SPA-2102.
The cfg file compiler is available from the Cisco download site.
tcpdump was essenial to discover the URL being requested by the provisioning profile rule, in my case lsc.engin.com.au.
Watch the httpd error logs to discover the directory and file name provisioning requires.
in my case /linksys/SPA-2102/'mac'.cfg
November 5, 2010 at 3:29 PM
Post a Comment
Subscribe to Post Comments [Atom]
<< Home