Hacking the Cisco 79xx Series

The phones where I work are fun. When we moved to the new digs back in 2001 (September 11th, actually) we were probably some of the first kids on the block to have a whole building running on Cisco 7960s – VoIP phones. Most of the time these look like normal phones, but the plug at the back is an RJ-45, not an RJ-11, which means there’s all kinds of fun available for people who like to play.

First of all, if you have one of these phones, make sure these problems have been fixed. I put that notice out in conjunction with Cisco back in 2002 and any reasonable admin should have pushed out the necessary firmware updates. But hey, if your phone system still allows one person to shut down arbitrary phones or potentially the entire phone system – neat.

After that notice went out I stopped playing with the phones quite as actively, but there are several other cell-phone-like things you can do if you’re lucky enough to have one of these on your desk.

Ringtones!

Obviously the first thing any sensible human being wants for their phone is to make it moo like a cow, ribbit like a frog, or play the CTU ringtone from 24 (yes, the phone props on 24 are Cisco 7960s). Cisco’s phones get their ring tones via tftp from their call manager, but if you don’t control the central call manager server you might decide that you are out of luck. Turns out, not so much.

Open the phone’s network config from the “Settings” button. If your screen shows a little locked padlock it means the network config has been locked down, preventing user tampering. Handy tip: the password is **#. Once unlocked, you can scroll through the list of options and you’ll notice the ability to specify an alternate tftp server. Huzzah! For reasons beyond mortal comprehension, changing it here is not enough, you need to also set “Use Alternate TFTP Server” value to Yes, but once that is done, fire up a tftp server on your desktop machine or anywhere else for that matter and point your phone thereto. TFTP servers, should you need one, are plentiful – I happen to use SolarWinds tftp because it is free and it works.

Your phone will ask for several files which, if you haven’t already done so, you can download from the “real” tftp server, among these: RingList.xml. I won’t belabour the details here but the file is pretty easy to figure out in a text editor, it basically just lists all the available ringtones in terms of display name and file name. To create your own, add an entry to the file, find an audio file you like and then use your favourite audio converter to make a version which is:

  • PCM Format (no header)
  • uLaw compression
  • 8kHz sampling rate
  • 8 bits per sample

You might need to reboot the phone to make it take effect (**#** to reboot). Yes. Reboot the phone. This is the age we are living in.
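The four properties listed above (headerless, uLaw, 8kHz, 8 bits per sample) can be produced without an audio tool. This is an added example, not code from the original post: it assumes the input is already a mono, 16-bit, 8000 Hz WAV, and the function names are made up for illustration.

```python
import io
import struct
import wave

BIAS, CLIP = 0x84, 32635  # standard G.711 mu-law constants

def linear_to_ulaw(sample: int) -> int:
    """Encode one signed 16-bit PCM sample as one 8-bit mu-law byte."""
    sign = 0x80 if sample < 0 else 0x00
    magnitude = min(abs(sample), CLIP) + BIAS
    exponent, mask = 7, 0x4000
    while exponent > 0 and not magnitude & mask:
        exponent -= 1
        mask >>= 1
    mantissa = (magnitude >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF

def wav_to_ring(wav_file) -> bytes:
    """Return headerless mu-law bytes from a mono, 16-bit, 8000 Hz WAV."""
    with wave.open(wav_file, "rb") as wav:
        fmt = (wav.getnchannels(), wav.getsampwidth(), wav.getframerate())
        if fmt != (1, 2, 8000):
            raise ValueError("resample to mono, 16-bit, 8000 Hz first")
        frames = wav.readframes(wav.getnframes())
    samples = struct.unpack(f"<{len(frames) // 2}h", frames)
    return bytes(linear_to_ulaw(s) for s in samples)

def make_test_wav(samples, rate=8000) -> io.BytesIO:
    """Build a constructed in-memory WAV so the example runs offline."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wav:
        wav.setnchannels(1)
        wav.setsampwidth(2)
        wav.setframerate(rate)
        wav.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    buf.seek(0)
    return buf
```

The bytes returned by wav_to_ring are what gets written to the file named in RingList.xml; silence encodes as 0xFF, which is a quick sanity check when looking at the result in a hex viewer.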

Wallpaper!

You can’t directly set the wallpaper on the phone, but you can set the Idle URL to a URL of your choosing, which might-just-might be a graphic of some kind. I don’t know about Cisco’s other offerings, but the 7960 series can’t display regular graphics formats, just .CIP files (an odd XML-based graphics format with some header tags and then a data block full of hex) but that needn’t stop you. Conversion can be done using Cisco’s own SDK, which is available here. That page speaks again in terms of an administrator who controls the CallManager, but for just customizing your own phone, you don’t need no stinking administrator. If you’re really clever, you’ll host a dynamic image for it to point to.

Spying!

A VoIP phone is really less a phone and more a small, stupid computer. And if there isn’t already an eponymous law out there that covers it I would like to officially coin Nightingale’s Inevitability Maxim:

Any device which is connected to the internet will eventually have a web server built in.

Cisco IP Phones, it should come as no surprise, have a web server built in. Point your browser at the phone’s IP address (check network config if you don’t know it, for Cisco’s conference phones it is right on the display) and you’ll get a lovely little diagnostic site that lists the phone’s extension, firmware version, &c. Fun thing number one to do with this is to write a one-liner to enumerate your company’s phone network. I can’t say for certain, but I strongly suspect something like this would work fine (at least for a single subnet):

perl -e 'for($i = 1; $i < 255; $i++) { $output = `lynx -dump http://your.subnet.here.${i} | grep "Phone DN"`; print "host: $i\t$output\n";}'

With that in hand, fun thing number 2 is to pay some attention to the StreamStatistics page which, when the phone is idle, isn’t very fun. But by writing a script that polls a given phone regularly, this page can provide a wealth of information. It tells you each time a call starts and how long it has lasted. If it’s an internal call, it will also tell you the IP of the phone that it’s connected to which, using the enumeration compiled above, is as good as a phone number.

Basically, Cisco has helpfully created a situation where junior level coding/command line skills allow you to compile a live traffic log of any target phone or phones. You don’t get the contents of conversations unless you do something more nefarious like pointing their phone to a rogue call manager, but if your inner voyeur can be satisfied by knowing who they call and when they call, Cisco has got the product for you!
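Both behaviours described in this section, the subnet-wide sweep and the regular polling of one phone's status page, leave a recognisable pattern in flow logs on the voice network. The following detection sketch is an added example, not part of the original post: the flow tuple layout, the 10.20.30.0/24 phone subnet, the sample records and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port). Not real traffic.
PHONE_NET = ip_network("10.20.30.0/24")  # assumed voice VLAN
FLOWS = (
    [(1000 + i, "10.1.1.50", f"10.20.30.{i}", 80) for i in range(1, 41)]    # one pass over 40 phones
    + [(2000 + 30 * k, "10.1.1.77", "10.20.30.12", 80) for k in range(12)]  # same phone every 30 s
    + [(2100, "10.1.1.9", "10.20.30.12", 80), (5200, "10.1.1.9", "10.20.30.12", 80)]  # occasional admin visit
    + [(2500, "10.1.1.50", "192.0.2.10", 80)]                               # destination is not a phone
)

def phone_http(flows, net=PHONE_NET):
    """Keep only HTTP flows whose destination is inside the phone subnet."""
    return [f for f in flows if f[3] == 80 and ip_address(f[2]) in net]

def find_sweeps(flows, min_targets=20, window=300):
    """Sources that reach >= min_targets distinct phones within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in phone_http(flows):
        by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

def find_pollers(flows, min_requests=10, max_jitter=2.0):
    """(src, phone) pairs with many requests at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in phone_http(flows):
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= max(2, min_requests) and pstdev(gaps) <= max_jitter:
            hits[pair] = sum(gaps) / len(gaps)  # mean polling interval in seconds
    return hits
```

On the constructed data, find_sweeps flags 10.1.1.50 with 40 phones touched and find_pollers flags 10.1.1.77 against 10.20.30.12 at a 30 second interval, while the occasional admin visit is ignored.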

Asterisk!

With a little bit of coaxing, these phones make fine independent VoIP units. They can be made, for instance, to interoperate with the Asterisk open source PBX. In principle I could talk more about this but Julian Dunn has already done so for me, so I include its mention for completeness alone.

I like my 7960, and this post shouldn’t be taken as knocking its design particularly. The web server is sort of stupid, but at the end of the day I would rather my electronics be too configurable than not configurable enough. This post is just a compendium of things I’ve made the phone do which I haven’t seen specifically spelled out elsewhere. To those who read my blog hoping for updates on my life or day job, my apologies for the digression but really, who are we kidding here, anyway?

13 comments

  1. Hi,

    I recently purchased a CISCO 7960 IP Phone intended for a Broadvoice VoIP connection. However, the 7960 comes with the default basic SCCP firmware image (shipped from manufacturing), and the Broadvoice VoIP service requires a SIP image 7.5.x. I have followed your suggestion to download SolarWinds TFTP server and installed it on my Windows XP SP2 desktop PC. I also loaded the 7.5.x image files into the TFTP Root directory. However, after powering on the CISCO 7960 phone, the display went through “Configuring IP”, then “Configuring CM List”, finally received “TFTP Timeout” and went back to “Configuring IP”, “Configuring CM List” … and so on … Can you tell me why the 7960 did not automatically pick up the new SIP firmware from the SolarWinds TFTP server instead of timing out on me? Any trouble-shooting tips will be highly appreciated!

    Sincerely yours

    Weijen

  2. Hello
    The IP of the TFTP server should be given by DHCP (option 66).
    If that’s done and the firmware won’t load, do a factory reset.

    Regards

    Arn

  3. Well, that was fun. Thanks!

  4. I don’t suppose you feel like illuminating a layperson in the non admin required method of displaying a customized wallpaper do you?

    It would be greatly appreciated.
    Thanks for your time.
    BM.

  5. Hello.
    Can anyone tell me what function is responsible for the possibility to enter digits before any pickup?
    Those digits are then displayed instead of the “Your current options” string on the phone’s display.
    I can use it on 7960 (have no other models to check it out) with sccp firmware 8.0, but with sip firmware (7 or 8) it doesn’t work.

    Thanks in advance.

  6. Can anyone elaborate on the step by step instructions for downloading the CTU ringtone (yes I am that sad!). I got as far as unlocking the network config but it’s my new work phone so don’t want to fiddle with the settings too much and get into trouble! Have no idea what TFTP is for example!

    Thanks

  7. If you have something to say, say it because you are doing this really good 🙂

  10. I’ve a couple of Cisco 7960s which currently have SIP firmware version 7.4, whereas I want to install Cisco SIP firmware version 8.5. I tried a lot but there are different kinds of problems while fetching data from the TFTP server to the phone. Is there any working tutorial/steps for that? Thanks

  11. Bored With Cisco

    This is great! Perfect slow-day experiment. Thanks!

  12. […] about my IP phone. One goal is to get different ringtones. I read hacking the cisco 79xx series I installed solar winds TFTP Server locally. Sitting on my desk is a CISCO 7960 IP Phone. […]

  13. […] • Phones (VOIP) A simple Perl script modification to common Cisco 79XX phones can allow remote users the ability to monitor phone conversations, log call histories and essentially obtain SIP credentials to your phone system. Keep in mind the URL only covers the exploit for Cisco. Our research has indicated that many different vendors are susceptible to similar hacks. http://blog.johnath.com/2006/12/05/hacking-the-cisco-79xx-series/ […]