Find out the administrator password in the phone Grandstream GXP2124

Today I ran into a problem: someone changed the administrator password to the phone. After reading the information in the network, concluded that:

• Change admin password, need admin password;
• Reset the phone to factory settings, you need an administrator password;
• Reflash the phone - you need that missing password again ...

How to find a way out of this situation? Yes Easy!
To “learn” the password, I used the most common Google Chrome browser with the installed Furebug components, plus another Grandstream GXP2124 phone, access to which I have.


Further the course of action was as follows:

We launch the browser and turn on the Firebug utility, and then we begin to “walk” on various pages. The list of requests was found:
')

POST cgi-bin / api.values.get

and in the response body listed:

{"Response": "success", "body": {"vendor_fullname": "Grandstream Networks, Inc."}}

Scrolling further, I found such a query:

POST cgi-bin / api-phone_operation

in whose request the parameters were passed:

cmd = extend & arg = & sid = 639534b3e5a

What next? And then I go to the security settings and change the password on the phone, access to which I already have and see the list of answers:

POST cgi-bin / api.values.post
Source:
P2 = MyNewPass &: confirmAdminPwd = MyNewPass & sid = 639534b3e5a

Where:

• P2 - transmitted administrator password;
• confirmAdminPwd - confirmation of the administrator password;
• sid - current session (we will not need it).

Further, having shown imagination, we make request of a type:

192.168.1.253/cgi-bin/api.values.get?request=P2

where 192.168.1.253 is the phone’s IP address.

Sent and ...

... and get a JSON response of the form:

{"Response": "success", "body": {"P2": "adminPass"}}

where adminPass is the current administrator password.

Profit!

Sincerely, Andrey Helldar!

PS: The above chip works on the firmware version before 1.0.5.58
Specifically tested on software version 1.0.5.23