How to unlock the latest Engin Voice Box 2 (Sipura/Linksys SPA3000)

Foreword: I like Engin, and this article is not about moving services away from Engin, although it will empower you to do so. It's about allowing you to fully gain access to the ATA (Voice Box) that you purchased, in order to further the quality of your VOIP (Voice over IP *duh*) experience.

This information pertains to the latest (last) issue of the Sipura SPA-3000 units, which are locked with a password so you have no web access or IVR access whatsoever.

Firmware: SPA-3000-3.1.7(GWc)

This is a very technical article that is going to skip minor details, so if you're not comfortable with setting up a "fake internet" and don't have a Linux box, then you'll be treading water to keep up.

There are millions of articles covering the general topic, so I will get straight to the point.

This is for the worst case scenario of having bought a box, and letting it connect to Engin and provision itself. It's now locked up tighter than your grandmothers undies.

This was done using Centos as the Linux distribution, so Fedora and Red Hat can be substituted, any other distributions will have to find their own packages.

You need installed: dhcpd, bind, httpd, and I would recommend tcpdump so you can watch your progress.

These can be installed (from memory) by typing

yum -y dhcp bind-server httpd tcpdump

Debian and apt-get related distros can perform a similar apt-get, I just don't know the package names off the top off my head.

Firstly, you'll need to make sure DHCP is switched off on your router/hub/switch or use a crossover cable to connect directly to the Engin Voice Box 2 / SPA3K

First, create a virtual network for your SPA-3000 to play in:

ifconfig eth0:1 192.168.0.10
ifconfig eth0:1 192.168.0.10
ifconfig eth0:2 192.168.0.1
ifconfig eth0:3 202.139.89.133
ifconfig eth0:4 202.61.12.230

Some of these IP addresses are probably overkill, as will be a few steps in the process... but you didn't spent 18 hours hacking one of these suckers so a few extra lines of cut & paste won't kill you.

The following configuration files are going to have to be made. I will list their names, and their contents. Explanations will be terse:

/etc/dhcpd.conf

ddns-update-style interim;
ignore client-updates;

subnet 192.168.0.0 netmask 255.255.255.0 {

option routers 192.168.0.1;
option subnet-mask 255.255.255.0;

option nis-domain "domain.org";
option domain-name "domain.org";
option domain-name-servers 192.168.0.10;
option log-servers 192.168.0.10;
option tftp-server-name "192.168.0.10";
range dynamic-bootp 192.168.0.128 192.168.0.254;
default-lease-time 900;
max-lease-time 3600;
}


/etc/named.conf

acl all { 0.0.0.0/0; };
options {
listen-on port 53 { all; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
query-source-v6 port 53;
allow-query { all; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view localhost_resolver {
match-clients { localhost; };
match-destinations { localhost; };
recursion no;
};

view "all"
{
recursion no;
include "/etc/named.root.hints";

zone "mibroadband.com.au" {
type master;
file "mibroadband.com.au.db";
};

zone "engin.com.au" {
type master;
file "engin.com.au.db";
};
};

You will also need to copy named.root, named.root.hints into /etc from the doc's directory, if they're not already there.

/usr/share/doc/bind-9.3.3/sample/etc/named.root.hints
/usr/share/doc/bind-9.3.3/sample/var/named/named.root


Copy named.root into /var/named/ aswell (You might have to make this directory) as well. I can't remember which one is used, but two copies won't kill you.

Now, change directories to /var/named and make these:

engin.com.au.db

@ in soa localhost. root 2 3H 15M 1W 1D
ns localhost.
$ORIGIN engin.com.au.
config A 10.58.33.10

The 10.58.33.10 address used in these examples was the normal address of the server, which I had to use because Apache was cracking the sads and refusing to answer any other IP addresses. Just replace it with whatever your eth0 is where-ever you see it from now on:

mibroadband.com.au.db
@ in soa localhost. root 2 3H 15M 1W 1D
ns localhost.
$ORIGIN mel.mibroadband.com.au.
_sip._udp SRV 10 1 5060 mel-rsbc.mel.mibroadband.com.au.
_sip._udp SRV 30 1 5060 nsw-rsbc.mel.mibroadband.com.au.
_sip._udp SRV 50 1 5060 nsw-vsbc.mel.mibroadband.com.au.
mel-rsbc A 10.58.33.10
nsw-rsbc A 192.168.0.1
nsw-vsbc A 192.168.0.10

I actually have Asterisk running on this server, so I let the Sipura connect to that, and fail. I'm sure it's not a necessary step, just put in that same default IP your box had and let it fail.

Now we need a configuration file for your Engin Voice Box to download, which is was allows you to over-ride the provisioning that Engin used. Unlike most guides, we're not going to wipe out all your settings, we're just going to remove the admin/user passwords.

Now I used a program called "spc.exe" which is a binary compiler for making Sipura 1000, 2000, configuration files. Worked fine for The SPA3000 too. The program is property of Sipura and I can't post it here, so if you can't find it, I'll show you another way that I haven't personally tested but purportedly works. My copy was called "spc2_0_11_e.exe"

Regardless, we need to make a text file with some options. This can be done under Unix or Windows, the application is available for both. It doesn't matter where you do the work, we'll copy the end result later.

Make a file: nopass.txt

# ***
# *** Sipura SPA Series Configuration Parameters
# ***


# *** System Configuration

Restricted_Access_Domains "" ;
Enable_Web_Server "Yes" ;
Web_Server_Port "80" ;
Enable_Web_Admin_Access "Yes" ;
Admin_Passwd "" ;
User_Password ! "" ;

Now if you don't have spc.exe, just rename this file to spa.cfg and cross your fingers.

type:

spc2_0_11_e.exe nopass.txt spa.cfg --target 000e08123456

The last word is your MAC address, it's written underneath. Make sure it's lowercase and looks like the above. This generates a file that looks just like the ones Engin sent out, so it was good enough for me to give it a burl.

Copy the spa.cfg that it makes into a directory under your webroot. For me, that was

/var/www/html/sipura/000e0812345/spa.cfg

Now create the extra IP addresses you'll need to pull this off by typing:

ifconfig eth0:1 192.168.0.10
ifconfig eth0:1 192.168.0.10
ifconfig eth0:2 192.168.0.1
ifconfig eth0:3 202.139.89.133
ifconfig eth0:4 202.61.12.230

You may need to enable forwarding or routing or something, I couldn't remember how and I was off the net at the time so YMMV. "echo 1 > /proc/forwarding" or /proc/net/forwarding didn't work, but it worked anyway and I didn't have to strain my brain.

Modify /etc/resolv.conf to contain only one line:

nameserver 127.0.0.1

Make sure that the user "named" owns all the nameserver files if necessary (just type the following, if it fails, your distribution may not need it).

chown -R named:named /etc/named* /var/named

Now there will probably be errors, so good to have a "tail -f /var/log/messages &" running to spot them.

Start your engines gentlemen:

service httpd restart
service dhcpd restart
service named restart

Debian and other users can try /etc/init.d/xxxxx restart.

I made it restart in case you need to do it again, or you already had the service running. You will see [ FAIL ] if the service wasn't running, but as long as its [ OK ] when it restarts you're good. Fixing errors is your business, but feel free to comment if I screwed up in my instructions.

You want to be watching the following three files as you plug in your ATA (or if it's already plugged in, power cycle or ****REBOOT# from the IVR)

tail -f /var/log/httpd/access_log &
tail -f /var/log/httpd/error_log &

and you want to see the traffic as it flows:

tcpdump | grep -v ssh &

Now plug in your Engin Hell Box, and watch it play. It will take about 5 minutes of bind SRV queries, SIP logins, and then finally a web request to config.engin.com.au.

At this point you will see either an access or an error message from your httpd logs, it will stick out because the line will look a bit different. If it was an error message, then put the file in the right place dummy. If it was a good transfer, then you should unlocked.

If you have web access to your Sipura, then try logging in (the IP address will probably be 192.168.0.254), you can always type "arp -an" for a list of IP addresses. You can also use the IVR via the handset, and type ****73738# ... if it doesn't ask for a password then just hang up.

If it never asked for a password before you started this procedure, you're a dumbass.

Now edit the provisioning tab of the admin menu so that it can't re-provision itself, or let it re-provision to a server of your choosing.

All your Engin settings are still there, so you can stay using Engin as you choose, but now you can control over the ATA and you can have much more fun. :)