Rotating Password Research

[genxweb]

First off lets keep this thread free of hearsay as much as possible. Many of you know who I am from these forums and what I have developed to help those on these forums.

I need some input from users here to help get a understanding of the rotations. From my initial research I am assuming that this will pass like the last round. From the post I have read, my clients emails and my own jack it seems this effecting jacks that were not effected by the last rotating jack snafu.

I like to see if you have the issue I am seeing do you have a jack that did not fall victim to the last rotation like mine and now it is. Also has your jack had this issue the last time and this time.

From experience I know this is not effecting every jack that is out there just like last time it is only effecting some. Almost like they are doing a migration in stages.

Please only provide that info for right now. I think this will help clarify some of the speculations.

[antman1]

I am happy to provide any info you need. I want to help. I had my magicjack Sip info put into my RTP300 and was working fine for a year then as it came time to renew my subscription my ATA would not register (my guess is the sip credentials changed then. I plugged in my magicjack dongle on Thursday and then it told me to renew so on Friday (Payday) I renewed it and got my new credentials then my ATA did not work with the credentials so I had to install MJ Proxy on my Linksys Router with Tomato and that worked great till this morning and I noticed it had a new password. I got it then changed all the info still wouldn't register so I checked the pw again and it was changed it did this 3 times before I gave up and checked the posts and saw others were having this problem. I never had this problem before so this is my first.

Also my Username did change at the end from 01 to 02

[sabresfan]

One jack has had this problem both times now and the other has not changed yet.

[Toink]

@GenxWeb

This is the first time I got a rotating password issue. I never got it the first time members reported the issue. I still have v2.0.4 when I plugged the MJ unit this morning. Never got the latest upgrade to 2.0.562d
(yet). MJ + mjproxy tomato + SPA3102 was working great until yesterday. Tried to get my credentials using, (MagicSipac 1.2), 5 times. Got different password each time. Same username.

[nimbus]

I am happy to provide any info you need. I want to help. I had my magicjack Sip info put into my RTP300 and was working fine for a year then as it came time to renew my subscription my ATA would not register (my guess is the sip credentials changed then. I plugged in my magicjack dongle on Thursday and then it told me to renew so on Friday (Payday) I renewed it and got my new credentials then my ATA did not work with the credentials so I had to install MJ Proxy on my Linksys Router with Tomato and that worked great till this morning and I noticed it had a new password. I got it then changed all the info still wouldn't register so I checked the pw again and it was changed it did this 3 times before I gave up and checked the posts and saw others were having this problem. I never had this problem before so this is my first.

Also my Username did change at the end from 01 to 02

My magicjack behavior is identical to above.

- Not affected last time (rotation)
- Password did change this time
- Username is still same as before and still ends with 01

[neo2121]

I have 3 that were not effected but every brand new account I have created has been effected to include accounts that got hit last time. The math is the same to create the password it's just constiantly changing it's not per session it's intervals not sure how long each password is good for. I will have some free time tonight and some Tuesday to look at stuff if it hasn't already passed by then. That seems like a lot of wasted resources crunching numbers on passwords on all accounts every 45 seconds.

[surnj1]

[quote="antman1"]I am happy to provide any info you need. I want to help. I had my magicjack Sip info put into my RTP300 and was working fine for a year then as it came time to renew my subscription my ATA would not register (my guess is the sip credentials changed then. I plugged in my magicjack dongle on Thursday and then it told me to renew so on Friday (Payday) I renewed it and got my new credentials then my ATA did not work with the credentials so I had to install MJ Proxy on my Linksys Router with Tomato and that worked great till this morning and I noticed it had a new password. I got it then changed all the info still wouldn't register so I checked the pw again and it was changed it did this 3 times before I gave up and checked the posts and saw others were having this problem. I never had this problem before so this is my first.

Also my Username did change at the end from 01 to 02[/quote]


the same here, password gets changed everytime i reconnect my MJ dongle.

[Toink]

Would it help if we also post our MJ software versions? as posted above mine is still on 2.04.

[pancho1950]

Would it help if we also post our MJ software versions? as posted above mine is still on 2.04.

magicjackloaderexe ver. 2.0.5624.3932
magicjack.exe ver. 2.0.562.4 (A92105XXXXXXXX).
I belive that the new software is generating the new passwords every time is hook up. Reason to belive that when I recieved the update it ask me for my login credentials (e-mail adress & login password) with the dongle # (A92105XXXXXXXX) then it registered; All my five dongles did the samething. Conclution the dongle number plus some algorithm=password

[antman1]

I forgot to mention I was also upgraded to client 2.0.562d.

[cucu007]

I hope someone can come with a solution, my PAP2T box die yesterday, the password change appears to be affecting it. Let's see if they can keep up with the number crushing for long enough or they get a system crash.

[JOFTAA]

I have never been affected by anything other than a changing password a few months back. Been using ATA alone, without proxy all along, until Oct 20th.

Now I am getting a new password each time I use a password extraction utility.

If you tell me where to look for my version number, I will look and post it here.

Also, thank you, genxweb, for everything you have done to help us. And, thanks to everyone who has helped me in the past.

[genxweb]

If you are using mjsip and get 1IJIJIJIJIJIJIJIJIJIJ let me know I will add a filter. After my first release they added a lot of crap that matched the search string regex I use.

[dbean]

I am happy to provide any info you need. I want to help. I had my magicjack Sip info put into my RTP300 and was working fine for a year then as it came time to renew my subscription my ATA would not register (my guess is the sip credentials changed then. I plugged in my magicjack dongle on Thursday and then it told me to renew so on Friday (Payday) I renewed it and got my new credentials then my ATA did not work with the credentials so I had to install MJ Proxy on my Linksys Router with Tomato and that worked great till this morning and I noticed it had a new password. I got it then changed all the info still wouldn't register so I checked the pw again and it was changed it did this 3 times before I gave up and checked the posts and saw others were having this problem. I never had this problem before so this is my first.

Also my Username did change at the end from 01 to 02

My magicjack behavior is identical to above.

- Not affected last time (rotation)
- Password did change this time
- Username is still same as before and still ends with 01

same exact situation here also:

- Not affected last time (rotation)
- Password did change this time
- Username is still same as before and still ends with 01

[pancho1950]

If you are using mjsip and get 1IJIJIJIJIJIJIJIJIJIJ let me know I will add a filter. After my first release they added a lot of crap that matched the search string regex I use.

Yes I been getting the same thing in mjsip and also with magicsipack 1.2

[genxweb]

Ok this is what i am seeing now that I am at home and had a chance to check my jacks.

I am running 2.04 My last update was on 10/20 and it worked to this morning 10/25. My password seems to have stopped rotating. The issue I am seeing is registration is failing. One user has reported that they noticed a difference in the md5 nonce. I have not confirmed this as of yet so do not jump to conclusions.

From the reports I got it looks like 90% of you are experiencing this for the first time while 10% had this happen in the last round as well. I have also learned that the loss of access seemed to start in different areas last week each day a different section.

This leads me to believe they are rolling something out, what I am not 100% sure of yet.

I also just got 40 new jacks that I will be testing tonight.

I am also thinking about maybe trying to find funds to purchase a nettalk to see if I can set those up and tell mj they can eat the 100 + jacks I have at renewal.

I will update this as I get more info

[pancho1950]

magicjackloaderexe ver. 2.0.5624.3932
magicjack.exe ver. 2.0.562.4 (A92105XXXXXXXX).
I belive that the new software is generating the new passwords every time is hook up. Reason to belive that when I recieved the update it ask me for my login credentials (e-mail adress & login password) with the dongle # (A92105XXXXXXXX) then it registered; All my five dongles did the samething. Conclution the dongle number plus some algorithm=password.

I have systematically unplug the dongles every 15 min for the past 4 hours in five diferent computers the results is the same diferent passwords for each dongle. I use ccleaner before trying to get the sip credentials found a reason for it it give me a 1IJIJIJIJIJIJIJIJIJIJ as a password if I do not do it.

[jaywong]

I purchased my first MagicJack 3 months ago and I had been using mjproxy + PAP2 since then until it stopped working 2 days ago which was a few days after I renewed my MJ service. To attempt to fix it, I loaded up X-Lite and WireShark to see what's going on. It turns out that my SIP device is getting 401 Authentication errors.

Upon further diagnosis, I found out that the SIP password gets rotated(but username stays the same) on every MJ software reload. So I searched around and I landed here. It's a pitty that I'm not the only person that is having this issue. I wish you all luck in finding the algorithm used for mj's md5 password rotation.

First off lets keep this thread free of hearsay as much as possible. Many of you know who I am from these forums and what I have developed to help those on these forums.

I need some input from users here to help get a understanding of the rotations. From my initial research I am assuming that this will pass like the last round. From the post I have read, my clients emails and my own jack it seems this effecting jacks that were not effected by the last rotating jack snafu.

I like to see if you have the issue I am seeing do you have a jack that did not fall victim to the last rotation like mine and now it is. Also has your jack had this issue the last time and this time.

From experience I know this is not effecting every jack that is out there just like last time it is only effecting some. Almost like they are doing a migration in stages.

Please only provide that info for right now. I think this will help clarify some of the speculations.

[blueadept]

I have 2 mj and my friend has 2mj.

Both of mine needed the md5, one of my friends needed the md5 his other did not.

Both of my mjs got hit with the rotating passwords which cleared up. My friend did not get hit with it.

My friend called me the other day and said his pw changed and then he had to use the MD5 on the one that never used it before. My passwords also changed.

Today, both of my mjs are hit with the rotating passwords and both of my friends are hit with the rotating passwords.

[steroids]

First off lets keep this thread free of hearsay as much as possible. Many of you know who I am from these forums and what I have developed to help those on these forums.

I need some input from users here to help get a understanding of the rotations. From my initial research I am assuming that this will pass like the last round. From the post I have read, my clients emails and my own jack it seems this effecting jacks that were not effected by the last rotating jack snafu.

I like to see if you have the issue I am seeing do you have a jack that did not fall victim to the last rotation like mine and now it is. Also has your jack had this issue the last time and this time.

From experience I know this is not effecting every jack that is out there just like last time it is only effecting some. Almost like they are doing a migration in stages.

Please only provide that info for right now. I think this will help clarify some of the speculations.

Every time I request the sip credentials, they change. On each request, I create the dbkey the same way. Each time I am using the same "random" 5 digits when creating the DBKeyHeader,

Code: Select all

local r = SJphone.GetRandomValue
return string.format(";%d%d%d%d%d\n[Params]", r(), r(), r(), r(), r())

passing the same nonce

Code: Select all

return os.time()

serial

Code: Select all

return SJphoneScripts._GetSerialNumber()

etc.

I can only assume that the server is modifying the ProxyUserPassword on every request.

I am still perplexed by the SIPModeProxy. It is clearly base64 encoded, but after decoding, it appears to be random bytes. It is not encrypted using the standard sjlab encryption. It is also interesting that SIPProxyMode seems to be back to 1, rather than 81, which I saw in the past.

Also, what's up with the

Code: Select all

[MagicJackOptions.Installation]
InstallationID=##

The number seems to increase on each request for credentials. Even when I change the dbkey by passing a new random number and nonce.

Ideas?

[vj244]

First off lets keep this thread free of hearsay as much as possible. Many of you know who I am from these forums and what I have developed to help those on these forums.

I need some input from users here to help get a understanding of the rotations. From my initial research I am assuming that this will pass like the last round. From the post I have read, my clients emails and my own jack it seems this effecting jacks that were not effected by the last rotating jack snafu.

I like to see if you have the issue I am seeing do you have a jack that did not fall victim to the last rotation like mine and now it is. Also has your jack had this issue the last time and this time.

From experience I know this is not effecting every jack that is out there just like last time it is only effecting some. Almost like they are doing a migration in stages.

Please only provide that info for right now. I think this will help clarify some of the speculations.

Every time I request the sip credentials, they change. On each request, I create the dbkey the same way. Each time I am using the same "random" 5 digits when creating the DBKeyHeader,

Code: Select all

local r = SJphone.GetRandomValue
return string.format(";%d%d%d%d%d\n[Params]", r(), r(), r(), r(), r())

passing the same nonce

Code: Select all

return os.time()

serial

Code: Select all

return SJphoneScripts._GetSerialNumber()

etc.

I can only assume that the server is modifying the ProxyUserPassword on every request.

I am still perplexed by the SIPModeProxy. It is clearly base64 encoded, but after decoding, it appears to be random bytes. It is not encrypted using the standard sjlab encryption. It is also interesting that SIPProxyMode seems to be back to 1, rather than 81, which I saw in the past.

Also, what's up with the

Code: Select all

[MagicJackOptions.Installation]
InstallationID=##

The number seems to increase on each request for credentials. Even when I change the dbkey by passing a new random number and nonce.

Ideas?

I believe you are correct. In dump file, I see entry like:

Code: Select all

Created URL: Type = <Provisioning>, ResultUrl = <https://prov1.talk4free.com/softphone/provision/?dbkey=...

I assume this is for return provisioning data.

I put this URL into firefox, which returns some data. When I refresh, the data changes. Since I not changing the URL, I assume the server is changing SIP Password on dynamic?

[q2n]

With mjproxy on DD-WRT router and ATA (or softphone for troubleshooting):

• + No problems whatsoever before the forced L.Y. update to 2.0.562d (previous was 1.92.530.5)
  + After update-forced pwd change, all returned to normal for 3-4 days.
  + New authentication scheme then triggered and ATA unregistered (without any client-side input; calls, dropped WAN, etc.).
  + Four subsequent retrievals of pwd (over a two-hour period) then yielded different pwds each time.
  + Attempting to use the newly retrieved pwds to re-connect was futile.
  + On the fifth cycle, the pwd was found to be unchanged from the 4th attempt -- but still no connections.
  + Waited an hour (instead of 30-min) to do last dump: New pwd but still can not register.
  + No changes to UserName (E...01) in any of the dumps.

The key (if any) was finding two consecutive dumps with no change in pwd, but not being able to register with either the ATA or softphone in-between (tried individually, of course).

It does appear an enhanced algorhythm is at work. As noted:

Conclution the dongle number plus some algorithm=password

and:

(I)t appears to be random bytes. It is not encrypted using the standard sjlab encryption.

But how to crack it? Or was SJ Labs trying to drive a bunch of its business away?

[vasuki]

I am encountering the same issue here. I was up on Friday, down again today - can't find a working password in the dump.

Please keep me posted on any progress with this.

[rawflyer]

New to mj x 1.5 months. Worked great until this weekend.

Each time credentials obtained with pwdumps... it's different, and none of them work with mjproxy on dd-wrt or mjmd5 and xlite softphone... peeving me off.

about to give up. there goes their tech savvy customer base.

[Kenny2469]

So, if the MJ gets a new password each time the dongle or program is launched, can't someone fix sipdump or one of the programs to not close the application after it dumps the files? maybe this would keep the same password as we see it in the file until its restarted again?

[genxweb]

So, if the MJ gets a new password each time the dongle or program is launched, can't someone fix sipdump or one of the programs to not close the application after it dumps the files? maybe this would keep the same password as we see it in the file until its restarted again?

Problem with that is then you are sending multiple registration packets and keep alive s causing instant detection.

[genxweb]

First off lets keep this thread free of hearsay as much as possible. Many of you know who I am from these forums and what I have developed to help those on these forums.

I need some input from users here to help get a understanding of the rotations. From my initial research I am assuming that this will pass like the last round. From the post I have read, my clients emails and my own jack it seems this effecting jacks that were not effected by the last rotating jack snafu.

I like to see if you have the issue I am seeing do you have a jack that did not fall victim to the last rotation like mine and now it is. Also has your jack had this issue the last time and this time.

From experience I know this is not effecting every jack that is out there just like last time it is only effecting some. Almost like they are doing a migration in stages.

Please only provide that info for right now. I think this will help clarify some of the speculations.

Every time I request the sip credentials, they change. On each request, I create the dbkey the same way. Each time I am using the same "random" 5 digits when creating the DBKeyHeader,

Code: Select all

local r = SJphone.GetRandomValue
return string.format(";%d%d%d%d%d\n[Params]", r(), r(), r(), r(), r())

passing the same nonce

Code: Select all

return os.time()

serial

Code: Select all

return SJphoneScripts._GetSerialNumber()

etc.

I can only assume that the server is modifying the ProxyUserPassword on every request.

I am still perplexed by the SIPModeProxy. It is clearly base64 encoded, but after decoding, it appears to be random bytes. It is not encrypted using the standard sjlab encryption. It is also interesting that SIPProxyMode seems to be back to 1, rather than 81, which I saw in the past.

Also, what's up with the

Code: Select all

[MagicJackOptions.Installation]
InstallationID=##

The number seems to increase on each request for credentials. Even when I change the dbkey by passing a new random number and nonce.

Ideas?

It seems to be the same issue as last time. I am going to give it a week to see how it layouts like last time.

Also this happens on multiple code versions I got jacks from 1.9 to the most recent all not effected last time and all are affected this time.

[CaptWho]

I did 2 dumps and my passwords are still changing. Just an FYI for those of you that are waiting for MJ to stop messing around.

[JOFTAA]

I did 2 dumps and my passwords are still changing. Just an FYI for those of you that are waiting for MJ to stop messing around.

Is there a reason that they would stop? Other than the massive amount of computer power they must be using to generate passwords for all of these MJs each time.

Frankly, I don't know what the big deal about using an ATA is. Their competition allows it. And, it isn't like they are showing advertising on their dial pad. And, even if they were, who is looking at the on screen dial pad to read the ads?

[CaptWho]

Is there a reason that they would stop?

Some people are predicting that this will all be over in a week or so. If that's true, maybe they'll be doing it periodically just to be irritating. I have my fingers crossed, but if they keep it up, then someone will figure out how to get around it and we'll be up and running again.

[plut0]

I can help troubleshoot as mine is changing passwords constantly. Was anyone able to get the provisioning URL working? I tried putting the URL in a browser and never got anything returned.

[bgfrmnyc]

I have 2 jacks. One is older. The older jack has rotating passwords, the newer one does not. Both had passwords changed but the newer one kept the same password and has been online via ATA since the initial change and is working fine.

I tried retrieving the PW from the older one and it changed 5 times in 30 minutes so I gave up! At one point however, the password stayed the same for at least a few hours, but I was never able to get it online.

The older jack was pointing to the losangeles proxy. the newer one the newyork proxy.

[q2n]

This is a second report of being unable to connect with the 'correct' pwd.

At one point however, the password stayed the same for at least a few hours, but I was never able to get it online.

(The first being:

The key (if any) was finding two consecutive dumps with no change in pwd, but not being able to register with either the ATA or softphone in-between...

Thinking about this from SJLabs' view, if you were updating security and wanted the new scheme to last for years to come, wouldn't incorporating the device number in authentication be a viable way to accomplish this? It may be something like:

Conclution the dongle number plus some algorithm=password.

or could be a much more complex arrangement. (Puzzle solvers needed.)

If they were simply calling that pwd server each time, ATAs would have registered during the short intervals the pwds remained static.

As to the prospect of their going back to 'the old way', that wouldn't make sense. Why trifle with all this only to say "Oh, never mind."

[dtm]

I let my MJ expire. I am through with them but as always the game intrigues me. If I was attacking this problem I would start here:

http://en.wikipedia.org/wiki/Rolling_code

Then look for the PRNG algorithm.

Good luck guys.

[CaptWho]

Did anyone notice that under the 'Advanced Users" menu on the softphone, just beneath 'Terms of Service', there are a couple of greyed out lines? I've never seen these before and I'm wondering if this might be of interest?

[bitstopjoe]

Did anyone notice that under the 'Advanced Users" menu on the softphone, just beneath 'Terms of Service', there are a couple of greyed out lines? I've never seen these before and I'm wondering if this might be of interest?

Those have been there since the major 2.0 update ( currently 2.04) last month..

[neo2121]

I let my MJ expire. I am through with them but as always the game intrigues me. If I was attacking this problem I would start here:

http://en.wikipedia.org/wiki/Rolling_code

Then look for the PRNG algorithm.

Good luck guys.

Nah

[antman1]

Magicjack may have lost me. I am lovin privacy director from google working on my ata and such.

[jeffnyc]

Magicjack may have lost me. I am lovin privacy director from google working on my ata and such.

what is privacy director?

[antman1]

Callers that are unknown must state their name before it rings to me.

[plut0]

Has everyone given up on this?

[Harold]

Maybe this will give someone an idea or clue in solving the new MJ puzzle.
Yesterday (Nov. 2, 2010) I connected my X-lite 3.0 dialer using my original password without MJMD5 running (this was by accident I was going to use the X-lite dialer in testing my Sipgate account). After placing test calls and confirming MJMD5 was not running I restarted the dialer. I was able to do this about 5 times and each time connect and was able to make calls. At last I assume the password changed and I got a timeout error on the X-lite when I tried to connect.
I don't know if this is of any help, but every bit of knowledge passed on to the right person will help solve this.
The server I was using was proxy01.columbus.talk4free.com. My last MJ upgrade is- 2.0.5624.3932 and runs on Windows XP service pack 3.
The connections without MJMD5 running were made between 8:00-8:40 pm EST.
I did in the past if I had poor call quality I would change the proxy I used to one in another state.

[jeffnyc]

has anyone tried recently to register ata? any luck?

[scottexpat]

impossible!

passwords keep rotating.

I bought the Nettalk device as a replacement.

Plugs into router.

No more programming or hacking.

Hopefully better. .

[pancho1950]

impossible!

passwords keep rotating.

I bought the Nettalk device as a replacement.

Plugs into router.

No more programming or hacking.

Hopefully better. .

Passwords are not ratating anymore since three days ago

[m8ra1yn1l]

i'm sure the magicjack softphone makes api calls through the windows shell/internet explorer, so if you can "hook" into these processes you wouldn't have to work from memory dumps anymore. you could actually view the http headers, even if it is encapsulated in ssl. with some modifications, mjproxy/mjmd5 could easily pull the sip account passwords on its own from the magicjack servers.

not really sure why this approach wasn't tried before, but i hope this helps anyone that's working on it. i would do it myself, but i let my account expire. good luck!

[adam3914]

My password stooped rotating, however my ata does not register any more when using the new password. I am using dd-wrt with mjmd5 and tried my ata, and x-lite, and neither works, I get a 401 unauthorized error. Anybody else get theirs working again?

[genxweb]

i'm sure the magicjack softphone makes api calls through the windows shell/internet explorer, so if you can "hook" into these processes you wouldn't have to work from memory dumps anymore. you could actually view the http headers, even if it is encapsulated in ssl. with some modifications, mjproxy/mjmd5 could easily pull the sip account passwords on its own from the magicjack servers.

not really sure why this approach wasn't tried before, but i hope this helps anyone that's working on it. i would do it myself, but i let my account expire. good luck!

You have always been able to pull your credentials using a http proxy you just needed to decrypt he string that is old news. For the majority of people the sip dump roue was so much easier.

[m8ra1yn1l]

You have always been able to pull your credentials using a http proxy you just needed to decrypt he string that is old news. For the majority of people the sip dump roue was so much easier.

I see, so has anyone tried disassembling the binary? Is there any documentation on how the string is hashed?

[plut0]

I no longer need MJ since I found out Google Voice works on Asterisk. Good luck folks!