Certificate is a joke does not work
Moderators: Bill Smith, Pilot
Whoever said that you need a certificate to now authenticate was dead wrong! This is a witch hunt; don't bother wasting your time with this.
Shame on the people who started this BS and wasted a lot of people's time.
-
dallasib1485
- magicJack Apprentice
- Posts: 14
- Joined: Mon Mar 23, 2009 4:05 pm
I also agree. I have tried several different certs from several sources and it does not work; the certs only allow for encryption of the call data, not the register process, which is where the problem lies. I believe the trick is going to be getting TLS support on our ATAs, which could be a long time from now if ever. For me, I have given up on MJ on the ATA.
The certificate post was a total nonsense. My apologies for not realizing it sooner.
There were a bunch of people contributing to those threads. Upon further investigation, 9 of the users posting comments in there all originated from the same IP address.
That address has since been banned.
This is a serious forum. If you come here only to post garbage, your IP will be banned as well.
Thank you admin for the clarification. MJ engineers are pretty slick. Looks like it is locked down pretty good now. MJ is a good service for a 2nd line or people on the go; by no means should this be your primary service. There are plenty of posts out there if people are looking for cheaper VOIP service. I personally use Vitelity for trunking and they seem to work great. Average around 1200 calls a month for around 18 bucks a month, and they allow caller ID spoofing and lots more.
As I've said, we need to start with a softphone w/TLS support like eyeBeam. The hard part is to get the REAL client certificate from MJ; obviously only the certificate MJ distributes with its own softphone -- which matches the one on their server -- will work, generating your own is just nonsense. Even so, there is little hope for ATAs, but at least we can get some idea of what is REALLY behind the scenes.
-
magicjacktech
- magicJack Apprentice
- Posts: 12
- Joined: Sat Jun 20, 2009 10:18 am
magicjack error 9, 3, 400 , 404 ,please connect to internet
Hi Friends,
I have worked for magicjack for more than one year as a technical executive. Error 9 has started from 24th December 2008. Our team has upgraded the magicjack software. This was for security purposes. Error 9 occurs when either your firewall or router is blocking your magicjack from connecting with magicjack servers.
Error 3 occurs when your router is blocking your magicjack. In both situations you need to open UDP port 5060 and UDP port 5070 on your firewall and router for magicjack.
Error 400 and 404: These errors occur when you or your magicjack have upgraded but in some cases your magicjack settings have not refreshed from the server end. In this case tech guys refresh your account settings from their end.
Many more, like "unable to connect with servers" or "magicjack servers are down at present, please try again later", occur because of firewalls, pop-ups and routers. Well, all of you will be familiar with my tech name. Anyone who needs help, feel free to write. One more thing I would like to share with you: most of the time when you see Ready to Call on the dial pad but you cannot make calls, simply open Task Manager (CTRL+ALT+DELETE) and end the magicjack.exe process from there. After that, unplug your magicjack and replug after 1 minute. It will help to refresh your magicjack settings at both ends (yours and magicjack servers).
I hope the above information will be helpful for you. Dan, I am not working any more for your product. However, I want to share something with you. Please contact me at
Magicjack
[email protected]
Here's a link to the provisioning guide: https://www.myciscocommunity.com/docs/DOC-3216
Could anyone post the sequence MJ currently uses to connect to the server?
Here're my thoughts:
1.Assuming one can find the certificate MJ uses, and
2.Assuming one can enter that certificate into the ATA, and
3.Assuming one can find the URL MJ uses to connect to the server, then
4.It'd be possible to make an ATA to fake MJ connection, but
5.What does MJ get from the server? I'm skeptical you could emulate that.
Your thoughts/experience will be appreciated.
Using PMDUMP you can find the registration steps with MJ. I don't know if this helps or not.
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.104:56104;branch=XXXXXbKc0a80168054ac70f226a69410;rport=41175;received=241.53.47.22
To: <sip:[email protected]>
From: "unknown"<sip:[email protected]>;tag=xxxxx4ac6ff
Call-ID: 02DED9B351E14E379A1A4F0B97E10C7D0xcaa80168
CSeq: 1 REGISTER
User-Agent: ENSR2.5.47.0-IS10-RMRG0-RG900-EP313326
WWW-Authenticate: Digest nonce="1210c9678_09785",realm="stratus.com",algorithm=MD5
Content-Length: 0
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.104:56104;branch=XXXXXbKc0a80168054ac95144e83f201;rport=41175;received=241.53.47.22
Contact: <sip: [email protected]:56104>
To: <sip: [email protected]>;tag=7aa2d790-co9792-INS010
From: "unknown"<sip: [email protected]>;tag= xxxxx4ac6ff
Call-ID: 02DED9B351E14E379A1A4F0B97E10C7D0xcaa80168
CSeq: 2 REGISTER
Expires: 1800
User-Agent: ENSR2.5.47.0-IS10-RMRG0-RG900-EP313326
Content-Length: 0
REGISTER sip:talk4free.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.104:56104;branch=z9hG4bKc0a80168054ad3f07af91f382;rport
From: "unknown" <sip:[email protected]>;tag=589654ad3e0
To: <sip: [email protected]>
Contact: <sip: [email protected]:56104>
Call-ID: 02DED9B351E14E379A1A4F0B97E10C7D0xcaa80168
CSeq: 3 REGISTER
Expires: 0
Max-Forwards: 70
User-Agent: MagicJack/1.80.484a (SJ Labs)
Authorization: Digest username=" EXXXXXXXXXX01",realm="stratus.com",nonce="1210c9678_09785",uri="sip:talk4free.com",response="1baa8f830261a1238ae3dee501c98292",algorithm=MD5
Content-Length: 0
Last edited by laserjobs on Sat Jul 11, 2009 7:12 pm, edited 1 time in total.
laserjobs:
I don't see it either. I don't see a secure connection between the first registration attempt that fails and the second one that succeeds. I don't see an https:// at all until long after the dongle is registered. All I see is 147 bytes of data being sent from the dongle to 29.4.236.236 (map.softjoys.com). I have an old Wireshark dump from before the update that does a very similar sequence.
I tend to think they are salting our ProxyUserName or ProxyUserPassWord before calculating the MD5 hash. Unless domingo can offer more proof than what I have seen so far, I think he is pulling our leg.
pagemen wrote:
I might give up this completely. Even if I get the certificate, how can I put it in the Linksys firmware? The firmware is compressed (or even encrypted?) so the replacement can't be done with a single hex editor, one has to unpack->replace->repack and I can't find any document about Sipura/Linksys firmware structure...
domingo wrote:
Easily done. It's not rocket science.
Sorry I did not see the pics you posted, can you point me to them?
What would you like for proof ? The pictures I posted before of it still connected and registered not enough ?
Bahh, I give up on naysayers. I'm enjoying my MJ on a PAP2T, and a couple of folks I emailed are now as well. I'm done.
I already gave out enough info, good luck.
Also could you get another user or two to confirm they got it working with your help?
hey guys
I can understand the frustration, but no use in beating up probably the last guy on the forum still around that seems to know something.
The mods have already looked into the situation, in fact they banned
a chunk of accounts that were on the same IP.
They also have cleaned up posts containing rumors or speculation.
A step by step guide posted on here is probably the quickest way to get dan to auto provision or use some other method to stop this fix from working.
You can lead a horse to water, but you can't make him think.
I think domingo doesn't want to sit and hand-hold all day.
It's ok to be skeptical but there isn't any need to bash a fellow forum member.
Apparently the people he helped haven't had a need to return to the forum since they are off and running, and that would certainly explain why there hasn't been any 3rd party verification.
I am attempting however to verify if the information presented in the forum is accurate by making a successful session using a TLS authentication compatible softphone program, in theory that will also verify whether or not this works for the linksys ATA adapters you guys are using OR NOT.
My results should put an end to any speculation.
Maybe you guys aren't asking the right questions.
We all have the same goals here, and I don't believe there is any
ulterior motive from any active member on here.
Furthermore, domingo has been a member for a while now; you can see
his stats, he isn't some troll. I am pretty new here, but I am going to share what I can and help whoever I can with this.
I still have a bit to catch up on myself however.
dtm wrote:
I tend to think they are salting our ProxyUserName or ProxyUserPassWord before calculating the MD5 hash. Unless domingo can offer more proof than what I have seen so far, I think he is pulling our leg.
Yes, the Digest Authentication Response does not seem to follow the RFC 2617 standard according to my calculations... that is assuming the password found by Stroth's program is correct. Someone should debug the .exe and see how the Response is calculated.
TLS capable soft phone doesn't work for me.
------
If domingo really knows what is happening he could provide us with a logical sequence of events for the registering process. All I can see in the logs is a register attempt, 401 response, attempt 2 with response MD5. If it is the dongle, it succeeds if it is an ATA it fails. I see no data being sent from the server to the dongle in between registration attempts. No TLS, SSL, or anything else for that matter.
Domingo, you are the expert. Explain in clear detail the sequence of events that leads to a successful register.
Tips and Tricks...
Sniffing
From a fresh boot
Start wireshark
Stop ANYTHING that will generate any network traffic
This will help you to avoid generating superfluous data to glean.
You can netstat /an to check and make sure your network is
quiet
Close any: browsers, chat programs, newsreaders, widgets,
anything that goes online...
Dump File
If your dump file isn't around 94-96MB then you do not have a good dump file.
Making Dump File More Manageable
You can use a program called Strings to further truncate your
memory dump to make it more manageable.
For further information, there is a video on securitytube.
Reading MagicJack In RAM
Get HxD Portable
Extras - Open Ram - Pick MagicJack.exe
You will see public token and a little further down
another key also.
p.u.b.l.i.c.K.e.y.T.o.k.e.n.=."xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
etc...
But if you poke around
you might find your profile information / secret phrase.
I will keep editing this post as I have time and add more tips and tricks.
I have to get back to work now - good luck everybody.
I will NOT post information pertaining to the MJ Profile, as it may
violate certain laws in my area (DMCA): reverse engineering,
circumventing any sort of protection. DO NOT ASK about anything
related to those things.
I cannot post keys, certs, or anything that would violate the law.
Hoping the mods will close this thread now it's no longer productive.
It's nothing but drama now. Nothing to see here, move along please.
For the neophytes:
Security Certificate
Contains information about who owns the certificate, certificate issuer, a unique serial number or other unique identification, expiration dates, and encrypted information that can be used to verify the information held within the certificate.
Hash
Taking arbitrary block of data and returning a fixed-size bit string
If you understand what a CRC is it's kinda like that
Secret Phrase
A cryptographic key is pretty much synonymous with a secret phrase
RADIUS is a moot point with MJ, it just refers over to kerberos version 1.0
the microsoft flavor.
Ignore anything that says secret its for LSA and not applicable to what you are looking for.
I dump during MJ startup, dump running /idle and also dump starting a call
and during a call to compare what changes
Last edited by netdata on Wed Jun 24, 2009 4:32 am, edited 13 times in total.
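The dotted text netdata sees in HxD (p.u.b.l.i.c.K.e.y.T.o.k.e.n.=) is UTF-16LE: every ASCII character is followed by a NUL byte, which is how .NET and Win32 keep strings in memory, and a plain ASCII string search misses them. The following is an added example, not code from netdata's post or from magicJack, showing the same wide-string extraction that Sysinternals strings does, in Python so the filter can be narrowed to what you are after (a token, a realm, a profile field). The dump bytes are constructed for the example; on a real dump, read the file in binary and pass it in.

```python
"""Extract ASCII and UTF-16LE ("wide") strings from a raw memory dump.

Added example; not part of the original post. The constructed SAMPLE_DUMP
stands in for the process dump a reader would take of MagicJack.exe.
"""
import re


def find_wide_strings(blob: bytes, min_len: int = 6) -> list:
    """Runs of at least min_len printable chars, each followed by a NUL
    (UTF-16LE), decoded to str. This is what shows up dotted in a hex
    editor and what an ASCII-only search misses."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(blob)]


def find_ascii_strings(blob: bytes, min_len: int = 6) -> list:
    """Runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def grep_strings(blob: bytes, needle: str, min_len: int = 6) -> list:
    """Wide and narrow strings containing needle (case-insensitive).
    Wide hits are listed first so a .NET assembly token or profile field
    is not drowned out by ordinary ASCII noise."""
    hits = find_wide_strings(blob, min_len) + find_ascii_strings(blob, min_len)
    return [s for s in hits if needle.lower() in s.lower()]


# Constructed stand-in for a process dump: junk bytes around a .NET
# assembly attribute (wide), a SIP realm (narrow) and a profile field (wide).
SAMPLE_DUMP = (
    b"\x00\x01\x02\xff"
    + "publicKeyToken=0123456789abcdef".encode("utf-16-le")
    + b"\x00\x00\x90\x90"
    + b'realm="stratus.com"'
    + b"\x00\xde\xad"
    + "ProxyUserName".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    # For a real dump: blob = open("MagicJack.dmp", "rb").read()
    for s in find_wide_strings(SAMPLE_DUMP):
        print("wide  :", s)
    for s in find_ascii_strings(SAMPLE_DUMP):
        print("ascii :", s)
    print("grep Token= :", grep_strings(SAMPLE_DUMP, "token="))
```

Dump at the three moments netdata lists (startup, idle, during a call) and diff the string lists; a value that appears only around registration is the one worth chasing in a debugger.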
something i find interesting,
if i add the following lines to my host file
127.0.0.1 mls.softjoys.com
127.0.0.1 map.softjoys.com
127.0.0.1 prov1.talk4free.com
127.0.0.1 prov2.talk4free.com
127.0.0.1 prov1.magicjack.com
127.0.0.1 prov2.magicjack.com
the magicjack will still register, which tells me that the cert or secret or hash, etc. is stored locally on the machine. It however did want to connect to the server. So when I blocked prov1.talk4free.com it tried to use prov2, and so on. This leads me to believe that the info stored locally is only a cache of the info.
Fix isnt that hard
All they did is go TLS; even if they used SRP it doesn't matter,
the credentials used eventually go somewhere in plaintext.
If you have that you don't need a certificate.
Here is my explanation:
Mentioning about generating your own certs
Why it is BS:
Because your information in the root certification
wouldn't match MJ's since nobody has it (root cert) but them
A certificate exchange does NOT happen.
Its all PKI related. Yes in a way like those satellite cards.
Are certs important then? Not yet, but they could be useful in the
future. So I don't think it was a waste exploring what we can now,
before further obfuscation happens.
For what it is worth...
I wrote a small php program to calculate the register response hash. I confirmed the program was working properly by sniffing my ATA with Wireshark and plugging the numbers into my program.
The response hash from the dongle on register does not match my program. It gives a different response than the ATA when using the same password. The username, realm, uri, and nonce are all visible so the final hash depends on the password.
This confirms that what we think is the ProxyUserPassword is in fact NOT the password being used to compute the response. They could also be using a non standard method to compute the hash or they could be manipulating the password before computing the hash. Obviously this secret is known to both server and client.
I don't have the debugging tools/skills to figure out what is happening but I think some effort should be concentrated on that level.
Brainstorm
We need a general consensus on several questions.
Help me sort this out:
We know they changed the way the user is authorized.
But did they switch to TLS or SRP and how can we verify without a doubt
they have.
(Well one way is to make a successful registration using either protocol)
Auth method that was used hasn't changed, but proxy authentication has.
(provisioning has changed)
We need to verify this also for sure.
Should we not see this key in memory if we get lucky enough to capture it at the right time? I think we can.
We need to isolate the memory address or at least a general range
so we can narrow our search.
If we can compare the before and after we can figure out the algorithm
used to generate it. And we will already have the key to pass ourselves.
Theoretically we just need to put in the new key and off we go anyway.
But it would be nice to know, so I can write a stroth style utility
to save people a bunch of hassle.
1. The sip traffic is not encrypted.
2. The only authentication to the proxy is via the digest method.
3. The provisioning file may or may not contain anything useful.
Basically someone who is good at that stuff needs to use a debugger and see what is passed to the md5 hash during a sip transaction.
I tend to believe that it is the password that is salted and not that they are using a modified algorithm. They use the serial number in an md5 hash to generate the dbkey so maybe that is reused somehow though a simple concat of the serial + password does not seem to be it.
srvtec:
It is MD5 as that is specified in the sip register request. The problem is, they could be doing a million things to hide or alter the password. I have tried a few obvious things like MD5ing the password, adding and removing characters from it, and appending things to it. The reality is, I am shooting into the dark. The only hope is to debug it and figure out what is going on.
dtm wrote:
srvtec:
It is MD5 as that is specified in the sip register request. The problem is, they could be doing a million things to hide or alter the password. I have tried a few obvious things like MD5ing the password, adding and removing characters from it, and appending things to it. The reality is, I am shooting into the dark. The only hope is to debug it and figure out what is going on.
I think you have figured it out but we will probably need to decompile the software and hope we can find the algorithm. That is why I was wondering if the Mac OS version would be easier to deal with than Windows.
Here is the php code to calculate the response if anyone else wants to play. I have confirmed it works on a successful login to a known account with my ATA.
Take a wireshark dump from your MJ and see if you can make the response match the MJ response by manipulating your password. Maybe somebody will get lucky! If you do, you are required to PM me.
<?php
// RFC 2617 digest without qop: response = MD5(HA1 ":" nonce ":" HA2)
$nonce    = "XXXXXXXXXXXXXXXXX";    // nonce= from the 401 WWW-Authenticate
$user     = "EXXXXXXXXXX01";        // ProxyUserName (username= in the capture)
$password = "XXXXXXXXXXXXXXXXXXXX"; // ProxyUserPassword
$realm    = "stratus.com";
$uri      = "sip:talk4free.com";    // must equal uri= in the Authorization header
$method   = "REGISTER";
$A1 = ($user.":".$realm.":".$password); // A1 = username:realm:password
$A2 = ($method.":".$uri);               // A2 = method:digest-uri
echo "A1 = ".$A1."<br>";
echo "A2 = ".$A2."<br><br>";
$HA1 = md5($A1);
$HA2 = md5($A2);
echo "HA1 = ".$HA1."<br>";
echo "HA2 = ".$HA2."<br><br>";
$response = md5($HA1.":".$nonce.":".$HA2); // compare with response= in the capture
echo "response = ".$response."<br>";
?>
-
MJuser909909
- magicJack Apprentice
- Posts: 15
- Joined: Sat Jun 13, 2009 5:05 pm
deleted due to stewart being smarter and far more superior.
Last edited by MJuser909909 on Fri Jun 26, 2009 9:05 am, edited 2 times in total.
MJuser909909 wrote:
here is the Perl version of dtm's script. (run from a unix shell):
The above is not correct; the argument to the final digest must include colon separator characters. Unless you are trying to spread disinformation (like some others here), you should test your code before posting, e.g. on the traffic generated by your ATA.
Also, IMHO, while OOP has its place, it's better to use simple procedural code when explaining a concept or an algorithm to a wide audience.
#!/usr/local/bin/perl -w
# RFC 2617 digest without qop: response = MD5(HA1 ":" nonce ":" HA2)
use strict;
use Digest::MD5 qw(md5_hex);

my $nonce    = "XXXXXXXXXXX";      # nonce= from the 401 WWW-Authenticate
my $user     = "EXXXXXXXXX01";     # ProxyUserName (username= in the capture)
my $password = "XXXXXXXXXXXXXX";   # ProxyUserPassword
my $realm    = "stratus.com";
my $uri      = "sip:talk4free.com"; # must equal uri= in the Authorization header
my $method   = "REGISTER";

my $a1  = "$user:$realm:$password"; # A1 = username:realm:password
my $a2  = "$method:$uri";           # A2 = method:digest-uri
my $ha1 = md5_hex($a1);
my $ha2 = md5_hex($a2);
my $response = md5_hex("$ha1:$nonce:$ha2"); # compare with response= in the capture

print "a1 = $a1\n";
print "a2 = $a2\n\n";
print "ha1 = $ha1\n";
print "ha2 = $ha2\n\n";
print "response = $response\n\n";
-
richardtaur
- Dan isn't smart enough to hire me
- Posts: 123
- Joined: Mon Mar 17, 2008 5:02 pm
Question: How did Ringo get high?
Answer that and you will know how I got this... MJ is dead and so is RFC 2617. It doesn't require any certs or keys or TLS encryption to verify the code below. Just punch in your numbers and see if the response matches the dongle's response. The trick is explained in the code.
The bad news is, an ATA won't do this and even if you modify the firmware to do it, the other side can change it again. They can keep screwing us until the sun don't shine. Once you leave the RFC standards behind (which they have) then you can do as you please.
So I present this here for your discussion. To Mr. Dan the inventor; I ask that you do consider a byod service, premium account, or whatever you want to call it. You now have the ATAs locked out so we can't cheat so charge us a little extra to use them legitimately.
--------------------------------------
<?php
$nonce = "5437837f0_06998";
$callid = "75E16D8104254DB68CFE8CAF8D78DCD60xc0a80504";
$realm = "stratus.com";
$uri = "sip:talk4free.com";
$method = "REGISTER";
$user = "EXXXXXXXXXX01";
$password = "XXXXXXXXXXXXXXXXXXXX";
// Here comes the trick
// $callid is used as a lookup table to append the nonce value
// 75E16D8104254DB68CFE... callid
// 0123456789abcdef....... index
// First an underscore is appended to the nonce
// Now take the first hex character of the nonce which is 5 so get the callid character at index 5
// This is a D since the index is zero based
// Append a D to the nonce and so on
// The final nonce = 5437837f0_06998_D6110116 in this example
// The next block of code does the trick
$newnonce = $nonce."_";
for ($i=0; $i<8; $i++){
$index = hexdec(substr($nonce,$i,1));
$newnonce = $newnonce.substr($callid,$index,1);
}
$A2 = ($method.":".$uri);
$A1 = ($user.":".$realm.":".$password);
$HA1 = MD5($A1);
$HA2 = MD5($A2);
$response = MD5($HA1.":".$newnonce.":".$HA2);
echo "A1 = ".$A1."<br>";
echo "A2 = ".$A2."<br><br>";
echo "response = ".$response."<br>";
// The original nonce is returned to the server but the response
// is actually calculated with the appended nonce.
?>
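Added example, not code from any poster in this thread: a Python port of the plain RFC 2617 response computed by dtm's PHP script and the Perl version above, beside the nonce mutation richardtaur's script describes, plus a small checker that tells which of the two schemes a captured REGISTER response was computed with. The nonce and Call-ID are the ones quoted in richardtaur's post; the user, realm, URI and password used in the sample run are constructed placeholders.

```python
import hashlib


def md5hex(s: str) -> str:
    """Hex MD5 of an ASCII string, as PHP's MD5() / Perl's md5_hex()."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


def rfc2617_response(user, realm, password, method, uri, nonce):
    """Plain RFC 2617 digest without qop: MD5(HA1 ":" nonce ":" HA2).
    The colon separators are part of the hashed input (stewart's point)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def mutate_nonce(nonce, callid):
    """The non-standard tweak from the thread: append "_" plus eight characters
    of the Call-ID, each selected by one of the nonce's first eight hex digits.
    Non-hex digits map to index 0, mirroring how PHP's hexdec() treats them."""
    hexdigits = "0123456789abcdefABCDEF"
    out = nonce + "_"
    for ch in nonce[:8]:
        idx = int(ch, 16) if ch in hexdigits else 0
        out += callid[idx]
    return out


def mutated_response(user, realm, password, method, uri, nonce, callid):
    """Response as the dongle computes it: the header still carries the original
    nonce, but the hash is taken over the mutated one."""
    return rfc2617_response(user, realm, password, method, uri,
                            mutate_nonce(nonce, callid))


def classify_response(observed, user, realm, password, method, uri, nonce, callid):
    """For a captured Authorization header (and the account password), report
    whether the response follows the RFC or the mutated scheme, or neither."""
    if observed == rfc2617_response(user, realm, password, method, uri, nonce):
        return "rfc2617"
    if observed == mutated_response(user, realm, password, method, uri, nonce, callid):
        return "mutated"
    return "unknown"


if __name__ == "__main__":
    # Sample run; nonce and Call-ID from the thread, credentials constructed.
    nonce = "5437837f0_06998"
    callid = "75E16D8104254DB68CFE8CAF8D78DCD60xc0a80504"
    print("mutated nonce =", mutate_nonce(nonce, callid))  # 5437837f0_06998_D6110116
    print("rfc2617  =", rfc2617_response("EXXXXXXXXXX01", "stratus.com", "example-pw", "REGISTER", "sip:talk4free.com", nonce))
    print("mutated  =", mutated_response("EXXXXXXXXXX01", "stratus.com", "example-pw", "REGISTER", "sip:talk4free.com", nonce, callid))
```

Note that the mutation adds no cryptographic strength: the Call-ID and nonce both travel in the clear, so anyone who can read the REGISTER can reproduce the mutated nonce; only the shared password protects the response, exactly as in the unmodified RFC 2617.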
-
onlinepcfun
- magicJack Apprentice
- Posts: 19
- Joined: Mon Apr 21, 2008 6:57 pm
Quick calculator
Making a quick calculator program to generate your password.
I will put a link to the windows executable and later put up the linux and osx version and maybe a windows mobile version also.
I have a summer cold, and my birthday is tomorrow, but I will try
to put it up tonight.
I am pretty miserable right now.
dtm and stewart if you have anything that needs to be added to the program
please pm me. Thanks guys you are great.
-
richardtaur
- Dan isn't smart enough to hire me
- Posts: 123
- Joined: Mon Mar 17, 2008 5:02 pm
-
UncleRunkle
- magicJack Apprentice
- Posts: 27
- Joined: Tue Jun 09, 2009 11:20 am