dan Dan isn't smart enough to hire me
Joined: 12 Nov 2007 Posts: 113 Location: Denver
|
Posted: Tue Jun 16, 2009 8:22 am Post subject: Certificate is a joke does not work |
|
|
Whoever said that you need a certificate to now authenticate was dead wrong! This is a witch hunt, don't bother wasting your time with this..
Shame on the people who started this BS and wasted a lot of people's time |
|
|
|
laserjobs Dan Should Pay Me
Joined: 12 Nov 2007 Posts: 670
|
Posted: Tue Jun 16, 2009 10:40 am Post subject: |
|
|
I agree, the cert information is complete BS. The users who posted that should be banned. |
|
|
|
dallasib1485 magicJack Apprentice
Joined: 23 Mar 2009 Posts: 14
|
Posted: Tue Jun 16, 2009 11:09 am Post subject: |
|
|
I also agree, I have tried several different certs from several sources and it does not work, the certs only allow for encryption of the call data not the register process which is where the problem lies. I believe the trick is going to be getting TLS support on our ATAs which could be a long time from now if ever. For me I have given up on MJ on the ATA. |
|
|
|
admin MagicJack Contributor
Joined: 12 Nov 2007 Posts: 60
|
Posted: Tue Jun 16, 2009 11:21 am Post subject: |
|
|
The certificate post was total nonsense. My apologies for not realizing it sooner.
There were a bunch of people contributing to those threads. Upon further investigation, 9 of the users posting comments in there all originated from the same IP address.
That address has since been banned.
This is a serious forum. If you come here only to post garbage, your IP will be banned as well. |
|
|
|
dan Dan isn't smart enough to hire me
Joined: 12 Nov 2007 Posts: 113 Location: Denver
|
Posted: Tue Jun 16, 2009 12:10 pm Post subject: |
|
|
Thank you admin for the clarification. MJ engineers are pretty slick. Looks like it is locked down pretty good now.. MJ is a good service for a 2nd line or people on the go.. by no means should this be your primary service.. there are plenty of posts out there if people are looking for cheaper VOIP service out there.. I personally use Vitelity for trunking and they seem to work great.. Average around 1200 calls a month for around 18 bucks a month and they allow caller id spoofing and lots more |
|
|
|
pagemen Dan isn't smart enough to hire me
Joined: 15 Dec 2008 Posts: 128
|
Posted: Tue Jun 16, 2009 6:11 pm Post subject: |
|
|
As I've said, we need to start with a softphone w/TLS support like eyeBeam. The hard part is to get the REAL client certificate from MJ, obviously only the certificate MJ distributes with its own softphone -- which matches the one on their server -- will work, generating your own is just nonsense. Even though, little hope for ATAs but at least we can get some idea of what is REALLY behind the scene. |
|
|
|
dan Dan isn't smart enough to hire me
Joined: 12 Nov 2007 Posts: 113 Location: Denver
|
Posted: Tue Jun 16, 2009 9:32 pm Post subject: |
|
|
Again calling Bullshit as I have the Certificate! And put this in my Linksys does not register..
I would post the certificate here but most likely my post would be deleted. |
|
|
|
dan Dan isn't smart enough to hire me
Joined: 12 Nov 2007 Posts: 113 Location: Denver
|
Posted: Tue Jun 16, 2009 9:48 pm Post subject: |
|
|
Actually I know where in the Linksys to put the cert. Have no idea what you mean by CRCs |
|
|
|
dtm MagicJack Expert
Joined: 27 Jul 2008 Posts: 95 Location: In the hardware.
|
Posted: Wed Jun 17, 2009 12:13 am Post subject: |
|
|
It is a joke. If there was any truth to it he would prove it by posting the procedure to get and install the certificate. |
|
|
|
gooney Dan isn't smart enough to hire me
Joined: 09 Feb 2008 Posts: 382 Location: Salt Lake City, Utah
|
Posted: Wed Jun 17, 2009 11:56 am Post subject: |
|
|
dtm wrote: | It is a joke. If there was any truth to it he would prove it by posting the procedure to get and install the certificate. |
Yes it is a joke, just forget it and move on... this would be better for me and a couple of others. |
|
|
|
magicjacktech magicJack Apprentice
Joined: 20 Jun 2009 Posts: 12
|
Posted: Sat Jun 20, 2009 10:22 am Post subject: magicjack error 9, 3, 400 , 404 ,please connect to internet |
|
|
Hi Friends,
I have worked for magicjack for more than one year as a technical executive. Error 9 has started from 24th December 2008. Our team has upgraded magicjack upgrade. This was for security purpose. Error-9 occurs either your firewall or router is blocking your magic jack to connect with magicjack servers.
Error 3 occurs when your router is blocking your magicjack. In both situation you need to open your firewall and router UDP port 5060 and UDP port 5070 for magicjack.
Error -400 and 404 : These errors occurs when you or your magicjack have upgraded but in some cases your magicjack setting has not refreshed from server end. In this case tech guys refresh your account setting from their end.
Many more like (unable to connect with servers or magicjack servers are down at present please try again later) occurs because of firewall, Pop up and due to routers. Well all of you will be familiar with my tech name. Anyone need help then feel free to write. One more thing I would like to share with you. Most of time you see Ready to call on dial pad but you can not make calls then simply open task manager (CTRL+ALT+DELETE) and end magicjack.exe process from there. After that unplug your magicjack and replug after 1 minutes, it will help to refresh your magicjack setting at both ends (your and magicjack servers)
I hope above information will be helpful for you. Dan I am not working any more for your product. However I want to share something with you. Please contact me at |
|
|
|
qwer1304 magicJack Apprentice
Joined: 16 Mar 2009 Posts: 15
|
Posted: Sat Jun 20, 2009 12:29 pm Post subject: |
|
|
Here's a link to the provisioning guide: https://www.myciscocommunity.com/docs/DOC-3216
Could anyone post the sequence MJ currently uses to connect to the server?
Here're my thoughts:
1. Assuming one can find the certificate MJ uses, and
2. Assuming one can enter that certificate into the ATA, and
3. Assuming one can find the URL MJ uses to connect to the server, then
4. It'd be possible to make an ATA to fake MJ connection, but
5. What does MJ get from the server? I'm skeptical you could emulate that.
Your thoughts/experience will be appreciated. |
|
|
|
laserjobs Dan Should Pay Me
Joined: 12 Nov 2007 Posts: 670
|
Posted: Sat Jun 20, 2009 4:43 pm Post subject: |
|
|
Using PMDUMP you can find the registration steps with MJ. I don't know if this helps or not.
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.104:56104;branch=XXXXXbKc0a80168054ac70f226a69410;rport=41175;received=241.53.47.22
To: <sip:[email protected]>
From: "unknown"<sip:[email protected]>;tag=xxxxx4ac6ff
Call-ID: 02DED9B351E14E379A1A4F0B97E10C7D0xcaa80168
CSeq: 1 REGISTER
User-Agent: ENSR2.5.47.0-IS10-RMRG0-RG900-EP313326
WWW-Authenticate: Digest nonce="1210c9678_09785",realm="stratus.com",algorithm=MD5
Content-Length: 0
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.104:56104;branch=XXXXXbKc0a80168054ac95144e83f201;rport=41175;received=241.53.47.22
Contact: <sip: [email protected]:56104>
To: <sip: [email protected]>;tag=7aa2d790-co9792-INS010
From: "unknown"<sip: [email protected]>;tag= xxxxx4ac6ff
Call-ID: 02DED9B351E14E379A1A4F0B97E10C7D0xcaa80168
CSeq: 2 REGISTER
Expires: 1800
User-Agent: ENSR2.5.47.0-IS10-RMRG0-RG900-EP313326
Content-Length: 0
REGISTER sip:talk4free.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.104:56104;branch=z9hG4bKc0a80168054ad3f07af91f382;rport
From: "unknown" <sip:[email protected]>;tag=589654ad3e0
To: <sip: [email protected]>
Contact: <sip: [email protected]:56104>
Call-ID: 02DED9B351E14E379A1A4F0B97E10C7D0xcaa80168
CSeq: 3 REGISTER
Expires: 0
Max-Forwards: 70
User-Agent: MagicJack/1.80.484a (SJ Labs)
Authorization: Digest username=" EXXXXXXXXXX01",realm="stratus.com",nonce="1210c9678_09785",uri="sip:talk4free.com",response="1baa8f830261a1238ae3dee501c98292",algorithm=MD5
Content-Length: 0
Last edited by laserjobs on Sat Jul 11, 2009 7:12 pm; edited 1 time in total |
|
|
|
az1324 Dan isn't smart enough to hire me
Joined: 20 Feb 2008 Posts: 100
|
Posted: Sun Jun 21, 2009 6:33 am Post subject: |
|
|
I don't know what I'm doing so don't ask me. |
|
|
|
laserjobs Dan Should Pay Me
Joined: 12 Nov 2007 Posts: 670
|
Posted: Sun Jun 21, 2009 11:24 am Post subject: |
|
|
domingo can you show us some proof that you actually have a PAP2 working or any other ATA for that matter. From what I can speculate the changes that Magicjack made do not have anything to do with certs. I do not see how any of your riddled solution would work. |
|
|
|
dtm MagicJack Expert
Joined: 27 Jul 2008 Posts: 95 Location: In the hardware.
|
Posted: Sun Jun 21, 2009 12:34 pm Post subject: |
|
|
laserjobs:
I don't see it either. I don't see a secure connection between the first registration attempt that fails and the second one that succeeds. I don't see an https:// at all until long after the dongle is registered. All I see is 147 bytes of data being sent from the dongle to 29.4.236.236 (map.softjoys.com). I have an old WireShark dump from before the update that does a very similar sequence.
I tend to think they are salting our ProxyUserName or ProxyUserPassWord before calculating the MD5 hash. Unless domingo can offer more proof than what I have seen so far, I think he is pulling our leg. |
|
|
|
laserjobs Dan Should Pay Me
Joined: 12 Nov 2007 Posts: 670
|
Posted: Sun Jun 21, 2009 11:37 pm Post subject: |
|
|
domingo wrote: | pagemen wrote: | I might give up this completely. Even if I get the certificate, how can I put it in the Linksys firmware? The firmware is compressed(or even encrypted?) so the replacement can't be done with a single hex editor, one has to unpack->replace->repack and I can't find any document about Sipura/Linksys firmware structure... |
Easily done. It's not rocket science.
What would you like for proof ? The pictures I posted before of it still connected and registered not enough ?
Bahh I give up on nay sayers , Im enjoying my mj on a pap2t , and a couple folks I emailed are now as well , im done.
I already gave out enough info , good luck. |
Sorry I did not see the pics you posted, can you point me to them?
Also could you get another user or two to confirm they got it working with your help? |
|
|
|
netdata magicJack Apprentice
Joined: 09 Jun 2009 Posts: 29
|
Posted: Mon Jun 22, 2009 1:41 am Post subject: hey guys |
|
|
I can understand the frustration, but no use in beating up probably the last guy on the forum still around that seems to know something.
The mods have already looked into the situation, in fact they banned
a chunk of accounts that were on the same IP.
They also have cleaned up posts containing rumors or speculation.
A step by step guide posted on here is probably the quickest way to get dan to auto provision or use some other method to stop this fix from working.
You can lead a horse to water, but you can't make him think.
I think domingo doesn't want to sit and hand hold all day.
It's ok to be skeptical but there isn't any need to bash a fellow forum member.
Apparently the people he helped haven't had a need to return to the forum since they are off and running, and that would certainly explain why there hasn't been any 3rd party verification.
I am attempting however to verify if the information presented in the forum is accurate by making a successful session using a TLS authentication compatible softphone program, in theory that will also verify whether or not this works for the linksys ATA adapters you guys are using OR NOT.
My results should put an end to any speculation.
Maybe you guys aren't asking the right questions.
We all have the same goals here, and I don't believe there is any
ulterior motive from any active member on here.
Further more domingo has been a member for a while now you can see
his stats, he isn't some troll. I am pretty new here, but I am going to share what I can and help whoever I can with this.
I still have a bit to catch up on myself however. |
|
|
|
az1324 Dan isn't smart enough to hire me
Joined: 20 Feb 2008 Posts: 100
|
Posted: Mon Jun 22, 2009 3:33 am Post subject: |
|
|
dtm wrote: | I tend to think they are salting our ProxyUserName or ProxyUserPassWord before calculating the MD5 hash. Unless domingo can offer more proof than what I have seen so far, I think he is pulling our leg. |
Yes the Digest Authentication Response does not seem to follow the RFC 2617 standard according to my calculations... that is assuming the password found by Stroth's program is correct. Someone should debug the .exe and see how the Response is calculated. |
|
|
|
az1324 Dan isn't smart enough to hire me
Joined: 20 Feb 2008 Posts: 100
|
Posted: Mon Jun 22, 2009 7:40 am Post subject: |
|
|
What are you going to do with the secret key? Unless you can figure out how to generate the auth response you can't do anything anyway. |
|
|
|
mel2000 MagicJack Contributor
Joined: 31 May 2009 Posts: 67
|
Posted: Mon Jun 22, 2009 9:09 am Post subject: |
|
|
That only shows that I'm even more confused than I thought. I think I'll just wait around for other replies to give me more clues to what I'm supposed to be doing. |
|
|
|
dtm MagicJack Expert
Joined: 27 Jul 2008 Posts: 95 Location: In the hardware.
|
Posted: Mon Jun 22, 2009 10:32 am Post subject: |
|
|
TLS capable soft phone doesn't work for me.
------
If domingo really knows what is happening he could provide us with a logical sequence of events for the registering process. All I can see in the logs is a register attempt, 401 response, attempt 2 with response MD5. If it is the dongle, it succeeds if it is an ATA it fails. I see no data being sent from the server to the dongle in between registration attempts. No TLS, SSL, or anything else for that matter.
Domingo, you are the expert. Explain in clear detail the sequence of events that leads to a successful register. |
|
|
|
netdata magicJack Apprentice
Joined: 09 Jun 2009 Posts: 29
|
Posted: Tue Jun 23, 2009 4:22 am Post subject: Tips and Tricks... |
|
|
Sniffing
From a fresh boot
Start wireshark
Stop ANYTHING that will generate any network traffic
This will help you to avoid generating superfluous data to glean.
You can netstat /an to check and make sure your network is
quiet
Close any: browsers, chat programs, newsreaders, widgets,
anything that goes online...
Dump File
If your dump file isn't around 94-96MB then you do not have a good dump file.
Making Dump File More Manageable
You can use a program called Strings to further truncate your
memory dump to make it more manageable.
For further information, there is a video on securitytube.
Reading MagicJack In RAM
Get HxD Portable
Extras - Open Ram - Pick MagicJack.exe
You will see public token and a little further down
another key also.
p.u.b.l.i.c.K.e.y.T.o.k.e.n.=."xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
etc...
But if you poke around
you might find your profile information / secret phrase.
I will keep editing this post as I have time and add more tips and tricks.
I have to get back to work now - good luck everybody.
I will NOT post information pertaining to the MJ Profile, as it may
violate certain laws in my area. (DMCA law) reverse engineering,
circumventing any sort of protection. DO NOT ASK about anything
related to those things.
I cannot post keys, certs, or anything that would violate the law.
Hoping the mods will close this thread now it's no longer productive.
It's nothing but drama now. Nothing to see here, move along please.
For the neophytes:
Security Certificate
Contains information about who owns the certificate, certificate issuer, a unique serial number or other unique identification, expiration dates, and encrypted information that can be used to verify the information held within the certificate.
Hash
Taking arbitrary block of data and returning a fixed-size bit string
If you understand what a CRC is it's kinda like that
Secret Phrase
A cryptographic key is pretty much synonymous with a secret phrase
RADIUS is a moot point with MJ, it just refers over to kerberos version 1.0
the microsoft flavor.
Ignore anything that says secret its for LSA and not applicable to what you are looking for.
I dump during MJ startup, dump running /idle and also dump starting a call
and during a call to compare what changes
Last edited by netdata on Wed Jun 24, 2009 4:32 am; edited 13 times in total |
|
|
|
kp magicJack Apprentice
Joined: 10 Jun 2009 Posts: 19
|
Posted: Tue Jun 23, 2009 10:02 am Post subject: |
|
|
something i find interesting,
if i add the following lines to my host file
127.0.0.1 mls.softjoys.com
127.0.0.1 map.softjoys.com
127.0.0.1 prov1.talk4free.com
127.0.0.1 prov2.talk4free.com
127.0.0.1 prov1.magicjack.com
127.0.0.1 prov2.magicjack.com
the magicjack will still register, which tells me that the cert or secret or hash, etc is stored locally on the machine. It however did want to connect to the server. So when I blocked prov1.talk4free.com it tried to use prov2, and so on. This leads me to believe that the info stored locally is only a cache of the info. |
|
|
|
netdata magicJack Apprentice
Joined: 09 Jun 2009 Posts: 29
|
Posted: Wed Jun 24, 2009 2:23 pm Post subject: Fix isnt that hard |
|
|
All they did is go TLS, even if they used SRP doesn't matter
the credentials used eventually goes somewhere plaintext.
If you have that you don't need a certificate.
Here is my explanation:
Mentioning about generating your own certs
Why it is BS:
Because your information in the root certification
wouldnt not match MJs since nobody has it (root cert) but them
A certificate exchange does NOT happen.
Its all PKI related. Yes in a way like those satellite cards.
Are certs important then? Not yet, but they could be useful in the
future. So I dont think it was a waste exploring what we can now,
before further obfuscation happens. |
|
|
|
dtm MagicJack Expert
Joined: 27 Jul 2008 Posts: 95 Location: In the hardware.
|
Posted: Wed Jun 24, 2009 3:11 pm Post subject: |
|
|
For what it is worth...
I wrote a small php program to calculate the register response hash. I confirmed the program was working properly by sniffing my ATA with Wireshark and plugging the numbers into my program.
The response hash from the dongle on register does not match my program. It gives a different response than the ATA when using the same password. The username, realm, uri, and nonce are all visible so the final hash depends on the password.
This confirms that what we think is the ProxyUserPassword is in fact NOT the password being used to compute the response. They could also be using a non standard method to compute the hash or they could be manipulating the password before computing the hash. Obviously this secret is known to both server and client.
I don't have the debugging tools/skills to figure out what is happening but I think some effort should be concentrated on that level. |
|
|
|
srvctek MagicJack Expert
Joined: 09 Jan 2009 Posts: 76
|
Posted: Wed Jun 24, 2009 5:02 pm Post subject: |
|
|
either a salt or its not md5? |
|
|
|
netdata magicJack Apprentice
Joined: 09 Jun 2009 Posts: 29
|
Posted: Wed Jun 24, 2009 6:12 pm Post subject: Brainstorm |
|
|
We need a general consensus on several questions.
Help me sort this out:
We know they changed the way the user is authorized.
But did they switch to TLS or SRP and how can we verify without a doubt
they have.
(Well one way is to make a successful registration using either protocol)
Auth method that was used hasnt changed, but proxy authentication has.
(provisioning has changed)
We need to verify this also for sure.
Should we not see this key in memory if we get lucky enough to capture it at the right time? I think we can.
We need to isolate the memory address or at least a general range
so we can narrow our search.
If we can compare the before and after we can figure out the algorithm
used to generate it. And we will already have the key to pass ourself.
Theoretically we just need to put the new key and off we go anyway.
But it would be nice to know, so I can write a stroth style utility
to save people a bunch of hassle. |
|
|
|
az1324 Dan isn't smart enough to hire me
Joined: 20 Feb 2008 Posts: 100
|
Posted: Wed Jun 24, 2009 6:57 pm Post subject: |
|
|
1. The sip traffic is not encrypted.
2. The only authentication to the proxy is via the digest method.
3. The provisioning file may or may not contain anything useful.
Basically someone who is good at that stuff needs to use a debugger and see what is passed to the md5 hash during a sip transaction.
I tend to believe that it is the password that is salted and not that they are using a modified algorithm. They use the serial number in an md5 hash to generate the dbkey so maybe that is reused somehow though a simple concat of the serial + password does not seem to be it. |
|
|
|
laserjobs Dan Should Pay Me
Joined: 12 Nov 2007 Posts: 670
|
Posted: Wed Jun 24, 2009 7:24 pm Post subject: |
|
|
Would it be any easier to try to decompile the latest Mac OS software for magicJack? |
|
|
|
az1324 Dan isn't smart enough to hire me
Joined: 20 Feb 2008 Posts: 100
|
Posted: Wed Jun 24, 2009 8:23 pm Post subject: |
|
|
Maybe but probably only if you are already experienced with analysing osx programs. Historically there have been some instances of osx programs being easier to analyze for one reason or another but if you know what you're doing it doesn't matter too much. |
|
|
|
dtm MagicJack Expert
Joined: 27 Jul 2008 Posts: 95 Location: In the hardware.
|
Posted: Wed Jun 24, 2009 8:35 pm Post subject: |
|
|
srvtec:
It is MD5 as that is specified in the sip register request. The problem is, they could be doing a million things to hide or alter the password. I have tried a few obvious things like MD5ing the password, adding and removing characters from it, and appending things to it. The reality is, I am shooting into the dark. The only hope is to debug it and figure out what is going on. |
|
|
|
laserjobs Dan Should Pay Me
Joined: 12 Nov 2007 Posts: 670
|
Posted: Wed Jun 24, 2009 8:41 pm Post subject: |
|
|
dtm wrote: | srvtec:
It is MD5 as that is specified in the sip register request. The problem is, they could be doing a million things to hide or alter the password. I have tried a few obvious things like MD5ing the password, adding and removing characters from it, and appending things to it. The reality is, I am shooting into the dark. The only hope is to debug it and figure out what is going on. |
I think you have figured it out but we will probably need to decompile the software and hope we can find the algorithm. That is why I was wondering if the Mac OS version would be easier to deal with than Windows. |
|
|
|
dtm MagicJack Expert
Joined: 27 Jul 2008 Posts: 95 Location: In the hardware.
|
Posted: Wed Jun 24, 2009 9:20 pm Post subject: |
|
|
Here is the php code to calculate the response if anyone else wants to play. I have confirmed it works on a successful login to a known account with my ATA.
Take a wireshark dump from your MJ and see if you can make the response match the MJ response by manipulating your password. Maybe somebody will get lucky! If you do, you are required to PM me.
<?php
// Values read from the 401 challenge and from the REGISTER that answers it
$nonce = "XXXXXXXXXXXXXXXXX";
$user = "EXXXXXXXXXX01";
$password = "XXXXXXXXXXXXXXXXXXXX";
$realm = "stratus.com";
$uri = "sip:talk4free.com";
$method = "REGISTER";
// RFC 2617 digest without qop: response = MD5(HA1:nonce:HA2)
$A1 = ($user.":".$realm.":".$password);
$A2 = ($method.":".$uri);
echo "A1 = ".$A1."<br>";
echo "A2 = ".$A2."<br><br>";
$HA1 = MD5($A1);
$HA2 = MD5($A2);
echo "HA1 = ".$HA1."<br>";
echo "HA2 = ".$HA2."<br><br>";
// Compare this value with the response= field of the captured Authorization header
$response = MD5($HA1.":".$nonce.":".$HA2);
echo "response = ".$response."<br>";
?> |
|
|
|
MJuser909909 magicJack Apprentice
Joined: 13 Jun 2009 Posts: 15
|
Posted: Thu Jun 25, 2009 9:30 am Post subject: |
|
|
DTM that is pretty sweet, ill play with it and let you know my results... |
|
|
|
MJuser909909 magicJack Apprentice
Joined: 13 Jun 2009 Posts: 15
|
Posted: Thu Jun 25, 2009 6:30 pm Post subject: |
|
|
deleted due to stewart being smarter and far more superior.
Last edited by MJuser909909 on Fri Jun 26, 2009 9:05 am; edited 2 times in total |
|
|
|
Stewart Dan Should Pay Me
Joined: 13 Nov 2007 Posts: 663
|
Posted: Thu Jun 25, 2009 9:29 pm Post subject: |
|
|
MJuser909909 wrote: | here is the Perl version of dtm's script. (run from a unix shell): | The above is not correct; the argument to the final digest must include colon separator characters. Unless you are trying to spread disinformation (like some others here), you should test your code before posting, e.g. on the traffic generated by your ATA.
Also, IMHO, while OOP has its place, it's better to use simple procedural code when explaining a concept or an algorithm to a wide audience.
Code: | #!/usr/local/bin/perl -w
use Digest::MD5 qw(md5_hex);
$nonce = "XXXXXXXXXXX";
$user = "EXXXXXXXXX01";
$password = "XXXXXXXXXXXXXX";
$realm = "stratus.com";
$uri = "sip:talk4free.com";
$method = "REGISTER";
$ha1 = md5_hex($a1 = "$user:$realm:$password");
$ha2 = md5_hex($a2 = "$method:$uri");
$response = md5_hex("$ha1:$nonce:$ha2");
print "a1 = $a1\n";
print "a2 = $a2\n\n";
print "ha1 = $ha1\n";
print "ha2 = $ha2\n\n";
print "response = $response\n\n";
| Above tested on ActiveState perl 5.8.7 under Win XP; I would expect it to also work under Linux, Unix, or Mac, all of which normally have perl preinstalled. |
|
|
|
dan Dan isn't smart enough to hire me
Joined: 12 Nov 2007 Posts: 113 Location: Denver
|
Posted: Fri Jun 26, 2009 9:14 am Post subject: |
|
|
Stewart did you come out of retirement?
You going to make an app to pull all the registrations requirements? |
|
|
|
srvctek MagicJack Expert
Joined: 09 Jan 2009 Posts: 76
|
Posted: Fri Jun 26, 2009 9:52 am Post subject: |
|
|
Great Idea! Stewart please help us! |
|
|
|
banstro MagicJack Newbie
Joined: 03 Dec 2007 Posts: 4
|
Posted: Fri Jun 26, 2009 10:27 am Post subject: |
|
|
Ahh finally Stewart. I thought you retired. Now I see some ray of hope. |
|
|
|
srvctek MagicJack Expert
Joined: 09 Jan 2009 Posts: 76
|
Posted: Fri Jun 26, 2009 11:26 am Post subject: |
|
|
Yes please come out of retirement, lots of people need your help right now, retirement sux anyway, you can only sip margarita's on a beach for so long before it gets boring |
|
|
|
richardtaur Dan isn't smart enough to hire me
Joined: 17 Mar 2008 Posts: 123
|
Posted: Fri Jun 26, 2009 11:37 am Post subject: |
|
|
same here~ please help us. So, I don't have to look very hard to find any other VOIPs to make it works with sipsorcery, etc... |
|
|
|
dtm MagicJack Expert
Joined: 27 Jul 2008 Posts: 95 Location: In the hardware.
|
Posted: Fri Jun 26, 2009 1:49 pm Post subject: |
|
|
Question: How did Ringo get high?
Answer that and you will know how I got this... MJ is dead and so is RFC 2617. It doesn't require any certs or keys or TLS encryption to verify the code below. Just punch in your numbers and see if the response matches the dongle's response. The trick is explained in the code.
The bad news is, an ATA won't do this and even if you modify the firmware to do it, the other side can change it again. They can keep screwing us until the sun don't shine. Once you leave the RFC standards behind (which they have) then you can do as you please.
So I present this here for your discussion. To Mr. Dan the inventor; I ask that you do consider a byod service, premium account, or whatever you want to call it. You now have the ATAs locked out so we can't cheat so charge us a little extra to use them legitimately.
--------------------------------------
<?php
$nonce = "5437837f0_06998";
$callid = "75E16D8104254DB68CFE8CAF8D78DCD60xc0a80504";
$realm = "stratus.com";
$uri = "sip:talk4free.com";
$method = "REGISTER";
$user = "EXXXXXXXXXX01";
$password = "XXXXXXXXXXXXXXXXXXXX";
// Here comes the trick
// $callid is used as a lookup table to append the nonce value
// 75E16D8104254DB68CFE... callid
// 0123456789abcdef....... index
// First an underscore is appended to the nonce
// Now take the first hex character of the nonce which is 5 so get the callid character at index 5
// This is a D since the index is zero based
// Append a D to the nonce and so on
// The final nonce = 5437837f0_06998_D6110116 in this example
// The next block of code does the trick
$newnonce = $nonce."_";
for ($i=0; $i<8; $i++){
$index = hexdec(substr($nonce,$i,1));
$newnonce = $newnonce.substr($callid,$index,1);
}
$A2 = ($method.":".$uri);
$A1 = ($user.":".$realm.":".$password);
$HA1 = MD5($A1);
$HA2 = MD5($A2);
$response = MD5($HA1.":".$newnonce.":".$HA2);
echo "A1 = ".$A1."<br>";
echo "A2 = ".$A2."<br><br>";
echo "response = ".$response."<br>";
// The original nonce is returned to the server but the response
// is actually calculated with the appended nonce.
?> |
|
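Added example, not part of any post in this thread: a Python check that parses a captured REGISTER and reports whether its digest response matches plain RFC 2617 (the calculation az1324 and dtm tested earlier) or the Call-ID-extended nonce dtm describes above. The nonce and Call-ID are the ones in dtm's listing; the password, the assembled message and the function names are constructed for illustration, and the challenge is assumed to carry no qop, as in the trace posted earlier.

```python
import hashlib
import re

# Constructed sample values. NONCE and CALL_ID are the ones in dtm's PHP
# listing; USER is the thread's masked placeholder; PASSWORD is invented.
NONCE = "5437837f0_06998"
CALL_ID = "75E16D8104254DB68CFE8CAF8D78DCD60xc0a80504"
USER = "EXXXXXXXXXX01"
PASSWORD = "constructed-password"

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response when the challenge carries no qop."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def extend_nonce(nonce, call_id, count=8):
    """Variant from dtm's post: nonce + "_" + the Call-ID characters selected
    by the first `count` hex digits of the nonce (zero-based index)."""
    return nonce + "_" + "".join(call_id[int(ch, 16)] for ch in nonce[:count])

def parse_headers(message):
    """Map lower-cased header names to values, stopping at the blank line."""
    headers = {}
    for line in message.strip().splitlines()[1:]:  # skip the request line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_digest_params(value):
    """Parse 'Digest k="v",k2=v2' into a dict with lower-cased keys."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    params = {}
    for m in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', rest):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = raw.strip()
    return params

def classify_register(message, password):
    """Return which computation reproduces the captured response."""
    method = message.strip().split(None, 1)[0]
    headers = parse_headers(message)
    auth = parse_digest_params(headers.get("authorization", ""))
    try:
        fixed = (auth["username"], auth["realm"], password, method, auth["uri"])
        nonce, seen = auth["nonce"], auth["response"].lower()
    except KeyError:
        return "unknown"
    if digest_response(*fixed, nonce) == seen:
        return "rfc2617"
    try:
        derived = extend_nonce(nonce, headers["call-id"])
    except (KeyError, ValueError, IndexError):
        return "unknown"  # no Call-ID, non-hex nonce prefix, or short Call-ID
    if digest_response(*fixed, derived) == seen:
        return "callid-extended-nonce"
    return "unknown"

def build_register(response):
    """Assemble a constructed REGISTER carrying the given response value."""
    return (
        "REGISTER sip:talk4free.com SIP/2.0\r\n"
        f"Call-ID: {CALL_ID}\r\n"
        "CSeq: 3 REGISTER\r\n"
        f'Authorization: Digest username="{USER}",realm="stratus.com",'
        f'nonce="{NONCE}",uri="sip:talk4free.com",'
        f'response="{response}",algorithm=MD5\r\n'
        "Content-Length: 0\r\n\r\n"
    )

if __name__ == "__main__":
    args = (USER, "stratus.com", PASSWORD, "REGISTER", "sip:talk4free.com")
    for label, nonce in (("standard", NONCE),
                         ("extended", extend_nonce(NONCE, CALL_ID))):
        msg = build_register(digest_response(*args, nonce))
        print(label, "->", classify_register(msg, PASSWORD))
```

Both inputs to the extended nonce travel in cleartext in the same request, so the only secret in either calculation is still the password.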
|
|
srvctek MagicJack Expert
Joined: 09 Jan 2009 Posts: 76
|
Posted: Fri Jun 26, 2009 2:32 pm Post subject: |
|
|
Are you 100% sure this is what they did and it cant be emulated? |
|
|
|
az1324 Dan isn't smart enough to hire me
Joined: 20 Feb 2008 Posts: 100
|
Posted: Fri Jun 26, 2009 2:37 pm Post subject: |
|
|
Nice friends.
Well that is interesting. At least now we can make a proxy server that will run without the dongle for now. |
|
|
|
onlinepcfun magicJack Apprentice
Joined: 21 Apr 2008 Posts: 19
|
Posted: Fri Jun 26, 2009 2:46 pm Post subject: |
|
|
az1324 wrote: | Nice friends.
Well that is interesting. At least now we can make a proxy server that will run without the dongle for now. |
Exactly...something similar to Stewart's callerid spoof script I see light at the end of tunnel
Stewart...you are next |
|
|
|
netdata magicJack Apprentice
Joined: 09 Jun 2009 Posts: 29
|
Posted: Fri Jun 26, 2009 11:31 pm Post subject: Quick calculator |
|
|
Making a quick calculator program to generate your password.
I will put a link to the windows executable and later put up the linux and osx version and maybe a windows mobile version also.
I have a summer cold, and my birthday is tomorrow, but I will try
to put it up tonight.
I am pretty miserable right now.
dtm and stewart if you have anything that needs to be added to the program
please pm me. Thanks guys you are great. |
|
|
|
richardtaur Dan isn't smart enough to hire me
Joined: 17 Mar 2008 Posts: 123
|
Posted: Fri Jun 26, 2009 11:42 pm Post subject: |
|
|
I wish you a happy birthday. Take a warm shower then turn it to a cold shower, and you will feel a lot better. Wish you get well. |
|
|
|
UncleRunkle magicJack Apprentice
Joined: 09 Jun 2009 Posts: 27
|
Posted: Fri Jun 26, 2009 11:42 pm Post subject: |
|
|
Thanks netdata for your help. You are invaluable as well to this thread... |
|
|
|
dtm MagicJack Expert
Joined: 27 Jul 2008 Posts: 95 Location: In the hardware.
|
Posted: Sat Jun 27, 2009 12:32 am Post subject: |
|
|
Quote: | Making a quick calculator program to generate your password. |
How can that be done? The nonce and callid changes with each register. |
|
|
|
|