1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. If you had a PIAF Forum account in the vBulletin days, log in with your old credentials. Otherwise, sign up again and we'll get you back in business as soon as we can.
  3. A serious FreePBX vulnerability has been reported. Update your Framework Module immediately. Click here for details.
  4. Critical FreePBX vulnerability! Update your server immediately. Details here.

FOOD FOR THOUGHT ACN Iris 3000 Videophone

Discussion in 'Endpoints' started by vcallaway, Nov 9, 2010.

  1. vcallaway Guru

    A friend dropped off a handful of these phones to me. Bit of a cheap build but they do have a decent screen.

    Did some googling and number one complaint is they are locked. Fortunately not very well.

    You can telnet to the phone and log in as root, no password. Change to the /tmp directory and there is a file called tmp_config.conf. In that file is the admin and reset passwords.

    I did a factory reset and then entered the sip settings for the piaf server. Root login does get changed to root, pw of root.

    Connects to the server, I can receive calls and talk away. If I try to dial out the phone appears to freeze but I can still telnet in. It never makes contact with the piaf box to dial out.

    Anyone else played with these?

    Any ideas as to why it wont contact the server to dial out?
  2. vcallaway Guru

    This phone is about to drive me to drink. Inbound including video calls are working fine. Phone registers and seems to be fine.

    Dialing out is just not working. Here is the sip debug from ext 706 (acn phone) to 704 (a softphone). Server is at 192.168.1.100.

    Code:
    <--- SIP read from UDP:192.168.1.176:5060 --->
    ACK sip:704@192.168.1.100:5060 SIP/2.0
    Call-ID:1367092179-A186-0033@192.168.1.176
    Content-Length:0
    CSeq:1 ACK
    From:706<sip:706@192.168.1.100>;tag=iclsip-13670922340320
    Max-Forwards:70
    To:<sip:704@192.168.1.100>;tag=as66cbee66
    Via:SIP/2.0/UDP 192.168.1.176:5060;rport;branch=z9hG4bK9e8bc2bfbe185f66c6abd853cac4d7b7
    
    <------------->
    --- (8 headers 0 lines) ---
    
    <--- SIP read from UDP:192.168.1.176:5060 --->
    INVITE sip:704@192.168.1.100:5060 SIP/2.0
    Accept:application/sdp
    Allow:INVITE,BYE,CANCEL,INFO,REFER,SUBSCRIBE,NOTIFY,MESSAGE
    Authorization:Digest username="706",realm="asterisk",nonce="33234ec4",uri="sip:704@192.168.1.100:5060",response="c724a82f13b3e9381adff2f556b5aa11",algorithm=MD5,nc=0000001c
    Call-ID:1367092590-96C7-0034@192.168.1.176
    Contact:sip:706@192.168.1.176:5060
    Content-Length:481
    Content-Type:application/sdp
    CSeq:1 INVITE
    From:706<sip:706@192.168.1.100>;tag=iclsip-13670926440321
    Max-Forwards:70
    Supported:replaces,100rel
    To:<sip:704@192.168.1.100>
    Via:SIP/2.0/UDP 192.168.1.176:5060;rport;branch=z9hG4bK5433981fe14bf084375f6f44196de38a
    
    v=0
    o=CCLSIP 1367092643 1367092643 IN IP4 192.168.1.176
    s=CCLSDP
    c=IN IP4 192.168.1.176
    t=0 0
    m=audio 9000 RTP/AVP 18 0 8 101
    a=rtpmap:18 G729/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-15
    a=ptime:20
    m=video 5000 RTP/AVP 34 99 97
    b=AS:100
    a=rtpmap:34 H263/90000
    a=rtpmap:99 H264/90000
    a=rtpmap:97 H263-1998/90000
    a=fmtp:34 CIF=3
    a=fmtp:99 sprop-parameter-sets=Z0IAHqaBYJZA,aM44gA==
    a=fmtp:97 CIF=3
    a=sendrecv
    <------------->
    --- (14 headers 21 lines) ---
    Sending to 192.168.1.176:5060 (NAT)
    Using INVITE request as basis request - 1367092590-96C7-0034@192.168.1.176
    Found peer '706' for '706' from 192.168.1.176:5060
    
    <--- Reliably Transmitting (no NAT) to 192.168.1.176:5060 --->
    SIP/2.0 401 Unauthorized
    Via: SIP/2.0/UDP 192.168.1.176:5060;branch=z9hG4bK5433981fe14bf084375f6f44196de38a;received=192.168.1.176;rport=5060
    From: 706<sip:706@192.168.1.100>;tag=iclsip-13670926440321
    To: <sip:704@192.168.1.100>;tag=as193f2a15
    Call-ID: 1367092590-96C7-0034@192.168.1.176
    CSeq: 1 INVITE
    Server: Asterisk PBX 1.8.0
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
    Supported: replaces, timer
    WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="4c4f5a31"
    Content-Length: 0
    
    
    <------------>
    
    Can anyone explain why I'm getting the 401 error? From what I've googled it means the 706 extension is not registered, but it is.

    It would really be nice to get this working. Got a bunch of them.
  3. blanchae Guru

    Can you ping the phone from the server? What does "sip show peers" display from the Asterisk CLI>? Do you have nat=no for the extension config in FreePBX? That can cause strange problems.
  4. vcallaway Guru

    Server and the phone are talking fine. Phone registers and can receive calls. Just dialing out is broken.

    I've compared the "show peer" info between it and an Aastra and nothing stands out. Tried NAT= yes and no. No difference.

    I'm stumped.
  5. TucsonDirect New Member

    Can you Google that for me? (what did u searchfor?????) Also how did you telnet in? what port accepted a connection
    i did a Port scan and only a few ports were open from the "Lan" port v.s. the "Wan" port. The ports i came up with were
    21,79,113,513,514, and 554

    i was able to get all of the passwords to the phone by Causing it to crash and having a Log placed on the USB
    For other users searching for default factory reset password mine was 7517517 (i think, i will double check...)
    How did you Change the default sip settings?
    What do you mean when you said "Root login does get changed to root, pw of root." ?
  6. TucsonDirect New Member

    This sounds like an authentication error, with the VP

    As in The videophone is not authenticating with the SIP server/pbx check your auth config
  7. vcallaway Guru

    default telnet port is 21. Use telnet, not ssh.

    I gave up on this phone. The audio quality is worse than the cheapie grandstream phones. Never could get it to do an outbound call.
  8. TucsonDirect New Member

    So Telnet in on port 21, use user name "root" and a password of "" from the lan or wan port?

    i suspect that this phone runs a Linux Distro of some sort, so im sure the problems could all be resolved with a few cases of beer, a carton of cigarettes and a little time :)
    Do you still have the phones?
  9. Bart Member

    I found one of these at the Goodwill today for $4.00...

    I attempted to telnet into the phone by doing telnet 192.168.1.40 21. It appears to connect to phone. But how do I get it to request a user/password? It seems to disconnect on any key press.

    any ideas?

    Thanks, Bart
  10. bjeung Member

    Default telnet port is 23. FTP is 21.
  11. Bart Member

    oops, missed that. But still no luck accessing the phone. Port 21 is the only port that seem to want to work

    Bart
  12. enrique New Member

    unlocking / hacking iris 3000

    I have been trying to unlock this phone so hopefully I can do some development on it. I did not find it quite as easy as vcallaway. His limited information did not work as posted. maybe he has a different firmware.
    I found TucsonDirect's information helpful. The password 7517517 does indeed work for resetting the phone. However, resetting the phone still did not give me access to the OS nor voip settings. Here is what i have figured out so far:
    Open ports: 21,79,113,513,514,554,1780,5060,7022,8080
    www: http://10.0.0.111:8080/resource/AppWeb/login.esp
    I believe its running emedthis appweb.
    Haven't really dug into the webserver too much.
    I have been trying to brute force ssh port 7722.
    It is running SSH-2.0-dropbear_0.45. No success yet.
    The telnet trick mentioned in this thread does not ask for password. It simply disconnects when you hit any key. My guess is that it waits for a certain sequence of data. Like maybe a firmware upload?
    The phone uses flavor of the i.MX27 board. Is is running QT for embeded linux. I downloaded some documentation from several sites on this including boot images and dev info.
    One site is:
    http://www.armadeus.com/english/products-softwares_linux_embedded-qt_for_embedded_linux.html

    http://www.armadeus.com/english/products-processor_boards-apf27.html

    http://www.freescale.com/webapp/sps...odeId=018rH3ZrDR66AF&pspll=1&fromSearch=false

    Anyone want to compare notes or help?
  13. enrique New Member

    ACN Iris 3000 Provision

    Almost forgot. I played a bit with the provisioning.
    I have a local dns with the domain prox-hnt.sjc01.acndigital.net whom gives out the ip to my local web server. The phone accesses /initconfig and posts the mac address, firmware version, and its ip address.

    GET /initconfig P01=0020F0040719&P12=0&P09=0&P03=0&P04=0&P05=10.0.0.111&P06=20.6.31&P07=0&P08=1&P15=10.0.0.22 80 - 10.0.0.111 HTTP/1.1 Mozilla/5.0 - - cpe-cfg.acndigital.net 301 0 0 608 224 328

    I tried seeing what acn puts out on that webpage, but it seems to be binary. At least for the mac address i posted:
    http://cpe-cfg.acndigital.net/initc...0.111&P06=20.6.31&P07=0&P08=1&P15=69.9.126.98

    If I knew what it is expecting back, I would maybe unlock the phone through here. Maybe someone with service can send me a wireshark sniff capture. I tried sending a cisco spa provision xml output. No success.

    If anyone has more info, let me know.
  14. TucsonDirect New Member

    Still having some trouble with this phone..CU-776 is another name that it goes by. From earlier version produced the product info states that it receives updates via FTP? (dont know about Acn Version) Perhaps an e-mail to the manufacturer would help? There are other passwords included in the dump i will see if i can figure out were they are on my HDD and post everything i have.

    Another possible solution is that the phone when a usb stick is plugged in looks for a update or a config file, Then goes from there.... Because it certainly does dump memory and logs onto the Mass Storage. During a system crash

    (WHY ELSE DO U NEED A USB PORT ON A PHONE?)
  15. TucsonDirect New Member

    This doesnt mean That ACN didnt change it to 21, To keep people out..... 21 is open but naturally boots you out instantly (via ftp anyways) telnet too...
  16. TucsonDirect New Member

    try "227a57735227a575" for the appweb password!
  17. ezekielmudd New Member

    Someone mentioned that it's running a version of Linux.

    That causes me to ask "Where's the source code for the phone?"

    The manufacturer legally has to make the source code available. Just ask Linksys about this.

    Has anyone attempted to ask for the source code?
  18. repherb New Member

    Little help here... have login screen, need password???

    Hi all, little bump here...

    i have the iris 3000 GUI login at http://10.0.0.52:8080/resource/AppWeb/login.esp, but i can't find a password to get into the unit. is there anyone that can help please? tried what is in other posts in this thread and nothing is working, help!?!
  19. repherb New Member

    **UPDATE** IRIS 3000 from ACN

    Okay, so Here is my discoveries thusfar:

    if you go to the factory reset menu option in Settings, punch in 7517517 and reset the unit, then once it reboots to the main screen, power off the phone and hold 1 and # at the same time and power up the phone.

    Hold it for 1 minute then let got of 1 and #, you should see a red bar up top moving back and forth.

    Leave the phone alone (up to 40 minutes) until it reboots again to the main screen. This will reload the original (or last updated) firmware image before the current one was applied.

    Now you should be able to use the Admin page on the phone and use the password 3157919 to get in and change the SIP settings.

    :banghead: NOTE: the DNS settings are hardcoded, and not modifiable via the phone GUI, and those DNS's entries are non-existant anymore which prevents the unit from registering. I still have not found a way to get into the unit via telnet or SSH, as all passwords do not work (from what i have found on the internet) and a brute force would be way too long. I am confident that if i can get into the shell, i can modify the DNS entries manually and then we are cooking with gas :mad5:!!

    (author's note: i am not too savvy on creating my own DNS server, and hope that my DD-WRT router has some sort of forwarding capability to send requests from the hardcoded DNS entries to a proper DNS server like 4.2.2.1 or 8.8.8.8. any help with this would be really appreciated too!!)

    Also, the webGUI on port 8080 is not available via this method, as an NMAP scan shows only ports 21 (ftp), 22 (telnet), 23 (ssh), 79 (finger), 113 (auth), 513 (login), 514 (shell) and 5060 (sip) open.

    Normal passwords (root, admin, ACN, acn, iris, password) do not work on the SSH or telnet ports.

    ANY help would be appreciated here.
  20. Joshoa Member

    Hi!
    If somebody still interested in this phones, like me, i can tell some of results of my investigation.
    During 1+# process you are able to ssh to phone using root/root, moreover it is possible to download firmware image from it. Phone saves several old firmware versions in /oldversion in .jffs2 and .tgz
    So i was able to scp rootfs.tgz and .jffs2
    Strange thing is that after reflashing process you are able to connect to telnet:23 but it does not accept root/root.
    But the password for root is realy root (based on /etc/shadow hash)
    So any help would be appretiated.
    J

Share This Page