Cisco Support Community
Community Member

How to clear Admin password on SPA 303?


Help me please to clear admin password on SPA 303

For now I can't to configure the phone because admin password defined

Factory reset also impossible to do....

How to perform factory reset without admin password? by some keys press or other procedure?

FW version 7.4.5

HW ver 1.0.0

Everyone's tags (1)
Community Member

How to clear Admin password on SPA 303?

There is no factory reset avail without that admin pw.

What you can do is, run a wireshark trace when the phone is restarted.  If the phone is trying to hit the provisioning server for its resync, you can find out what file the phone is trying to pull.  Then modify that file on the provisioning server and change or blank out the admin password.  When the phone has completed downloading that file, the admin password will have been changed.

Community Member

Re: How to clear Admin password on SPA 303?

Thank you for answer.

I tried to do it but unsuccessful

When SPA303 coming up after reset it takes configuration ("hostname".cnf.xml) file from TFTP

I put renamed to "hostname" template configuration file on TFTP there is admin passwd is empty

Phone download this file but do nothing after

Maybe something wrong in file?

Can you give me sample of xml file?

SW version of SPA303 is 7.4.5

Community Member

Re: How to clear Admin password on SPA 303?

The following link shows an example which contains the Admin_Passwd in xml file.

Community Member

Re: How to clear Admin password on SPA 303?

Thank you!

Good description.

I did it step by step but there is some trouble

SPC have no version 7.4.5.  It start from 7.4.6

I prepared xml manualy like below:" xmlns:xsi="" xsi:schemaLocation="">




After I put this file on TFTP and capture TCP traffic for look what happens

I saw that phone download this file from TFTP and do nothing after

When I trying to perform Factory reset via phone MENU ADMIN password required again

Community Member

Re: How to clear Admin password on SPA 303?

The filename for "hostname".cnf.xml is for the spcp setup.

The default filename that it looks for the sip setup is spa$PSN.cfg, in this case it should be spa303.cfg.  Do you see that in the trace?  If so, rename the file to spa303.cfg and see if that works.

Community Member

Re: How to clear Admin password on SPA 303?

Dear nseto, I see only "hostname".cnf.xml

Cisco Employee

Re: How to clear Admin password on SPA 303?

Hi Alexander,

As an addition to what Nelson said, the phone, in SIP-mode looks for /spa$PSN.cfg

Take note that there is a forward slash "/" meaning the root of the server offering the /spa303.cfg file.

You must have a DHCP server on the network that will respond to the phone when the phone sends out a DHCP DISCOVER. The DHCP server must supply OPTION 66 [or 150, 159, or 160] which points to the server. [TFTP to keep things simple]

When the phone receives a DHCP offer that contains an OPTION 66, the phone knows that it can get its provisioning file/s from a server and will then send out a request.

As Nelson said, a factory-fresh phone will look for /spa303.cfg

A phone that may have been previously provisioned will look for whatever file it has been previously configured to look for. This is why you would run a Wireshark trace to monitor the phone's requests during boot up. [It will not request SIP-based configuration files if no DHCP OPTION 66 [or 150, 159, or 160] with a valid IP address are received.

This may help you better understand the phone's boot process:

  • SPA5xx IP Phone DHCP OPTIONS [66, 159, 160, 150]: YouTube[4.5 minutes]
  • SPA5xx IP Phone Boot Process Details: YouTube[8 minutes]
  • [I wrote this for Asterisk, but it shows how to build a configuration file and get it to a phone in a step-by-step manner which may be of use to you]




Use this reference document to locate SPA phone resources

Community Member

Re: How to clear Admin password on SPA 303?

Dear Patrick,

Thank you for detailed information how it should to boot up

But in my case phone (SPA303) doesn't like to do it

In DHCP discover he asking TFTP name/address - options 66 & 150

DHCP server sent him correct TFTP name (my PC addr there is TFTP server activated)

but SPA303 asking TFTP on my router's address in the LAN

OK., I activated TFTP server on our router and put config file there

SPA303 asking the file and download it but admin password doesn't clear.

Community Member

Hi Patrick,

Hi Patrick,

I read your writing to the SPA5x phones.
There are many things I learned excellent writing.
Unfortunately not helped to solve the admin password problem.

How to open pass locked, forgot admin pass SPA502G and 504G phones?

The phone asks for and receives an IP address.

But do not try to download anything.For example spa504G.cfg.

I'm looking at the phone's IP traffic, but there does not seem to ask for the phone trying to file. 

Please help me.

Thank you


VIP Blue

Phone my be configured not to

Phone my be configured not to load a remote configuration. In such case you can't reconfigure it this way. Unfortunately, if "reset to factory defaults" is password protected and phone load no remote configuration you are out of luck.

Brute force is your only chance.

Community Member

Ok Dan,

Ok Dan,

Thanks. What is the brute force procedure?

If you do not want to write, you write your privat address.



VIP Blue

"Brute force" method is "try

"Brute force" method is "try all possible passwords one by one". You need to create script that will try to login to real phone.

It may take very long time. Even many years. So you may consider it no solution for you.

If you have just few phones, forgot them and buy new one. If you have many phones, call your previous administrator and offer them a money if he will disclose the password he configured.

So sorry for those bad news ...

Community Member

That's not an option.

That's not an option.

I do not think so throroughly Cisco users.

Even if the small business category.

VIP Blue

The device can be configured

The device can be configured and locked the way preventing unauthorized user to use it. I consider it valuable feature, not bug.

The phone administrator decided to configure the lock of such kind and it's decision is just honored. No way the unauthorized person can override the decision.

CreatePlease to create content