Thank you for answer.

I tried to do it but unsuccessful

When SPA303 coming up after reset it takes configuration ("hostname".cnf.xml) file from TFTP

I put renamed to "hostname" template configuration file on TFTP there is admin passwd is empty

Phone download this file but do nothing after

Maybe something wrong in file?

Can you give me sample of xml file?

SW version of SPA303 is 7.4.5

The following link shows an example which contains the Admin_Passwd in xml file.

http://www.sbgenterprises.com/boards/t/5/a-step-by-step-guide-to-making-the-cisco-spa504g-configure-itself.aspx

Thank you!

Good description.

I did it step by step but there is some trouble

SPC have no version 7.4.5.  It start from 7.4.6

I prepared xml manualy like below:

http://www.sipura.net/xsd/SPA50x-30x-SIP" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.sipura.net/xsd/SPA50x-30x-SIP http://www.sipura.net/xsd/SPA50x-30x-SIP/SPA50x-30x-SIP-7-4-5.xsd">

After I put this file on TFTP and capture TCP traffic for look what happens

I saw that phone download this file from TFTP and do nothing after

When I trying to perform Factory reset via phone MENU ADMIN password required again

The filename for "hostname".cnf.xml is for the spcp setup.

The default filename that it looks for the sip setup is spa$PSN.cfg, in this case it should be spa303.cfg.  Do you see that in the trace?  If so, rename the file to spa303.cfg and see if that works.

Dear nseto, I see only "hostname".cnf.xml

Hi Alexander,

As an addition to what Nelson said, the phone, in SIP-mode looks for /spa$PSN.cfg

Take note that there is a forward slash "/" meaning the root of the server offering the /spa303.cfg file.

You must have a DHCP server on the network that will respond to the phone when the phone sends out a DHCP DISCOVER. The DHCP server must supply OPTION 66 [or 150, 159, or 160] which points to the server. [TFTP to keep things simple]

When the phone receives a DHCP offer that contains an OPTION 66, the phone knows that it can get its provisioning file/s from a server and will then send out a request.

As Nelson said, a factory-fresh phone will look for /spa303.cfg

A phone that may have been previously provisioned will look for whatever file it has been previously configured to look for. This is why you would run a Wireshark trace to monitor the phone's requests during boot up. [It will not request SIP-based configuration files if no DHCP OPTION 66 [or 150, 159, or 160] with a valid IP address are received.

This may help you better understand the phone's boot process:

• SPA5xx IP Phone DHCP OPTIONS [66, 159, 160, 150]: YouTube[4.5 minutes]
  
• SPA5xx IP Phone Boot Process Details: YouTube[8 minutes]
  
• https://supportforums.cisco.com/docs/DOC-9954 [I wrote this for Asterisk, but it shows how to build a configuration file and get it to a phone in a step-by-step manner which may be of use to you]
  

Regards,

Patrick

----------

Use this reference document to locate SPA phone resources

Dear Patrick,

Thank you for detailed information how it should to boot up

But in my case phone (SPA303) doesn't like to do it

In DHCP discover he asking TFTP name/address - options 66 & 150

DHCP server sent him correct TFTP name (my PC addr there is TFTP server activated)

but SPA303 asking TFTP on my router's address in the LAN

OK., I activated TFTP server on our router and put config file there

SPA303 asking the file and download it but admin password doesn't clear.

Hi Patrick,

I read your writing to the SPA5x phones.
There are many things I learned excellent writing.
Unfortunately not helped to solve the admin password problem.

How to open pass locked, forgot admin pass SPA502G and 504G phones?

The phone asks for and receives an IP address.

But do not try to download anything.For example spa504G.cfg.

I'm looking at the phone's IP traffic, but there does not seem to ask for the phone trying to file. 

Please help me.

Thank you

Tony

Phone my be configured not to load a remote configuration. In such case you can't reconfigure it this way. Unfortunately, if "reset to factory defaults" is password protected and phone load no remote configuration you are out of luck.

Brute force is your only chance.

Ok Dan,

Thanks. What is the brute force procedure?

If you do not want to write, you write your privat address.

antal.vincz(at)gmail(dot)com

Tony

"Brute force" method is "try all possible passwords one by one". You need to create script that will try to login to real phone.

It may take very long time. Even many years. So you may consider it no solution for you.

If you have just few phones, forgot them and buy new one. If you have many phones, call your previous administrator and offer them a money if he will disclose the password he configured.

So sorry for those bad news ...

That's not an option.

I do not think so throroughly Cisco users.

Even if the small business category.

The device can be configured and locked the way preventing unauthorized user to use it. I consider it valuable feature, not bug.

The phone administrator decided to configure the lock of such kind and it's decision is just honored. No way the unauthorized person can override the decision.