Pages

21/04/2021

A Yealink T46S locked to Zoom! - How to unlock...ish

I recently purchased a Yealink T46S SIP phone from EBay as I wanted something with more line keys that supported Opus.

When it arrived it had an active account on it, which would potentially allow me to make outbound calls billed to the original owner. Unfortunately this is quite common for phones acquired on EBay and is incredibly poor practise.

The phone was quite well locked down with an admin password and the SIP signalling being sent via TLS, but a packet capture revealed the phone communicating with IPs belonging to Zoom.

Being an upstanding citizen I wanted to factory reset the phone so I could use it on my own service. The admin password prevented me from reseting the phone via the menu, but Google revealed that pressing the OK button for 5 seconds will factory reset the phone, or so I thought!




Update: Yealink's support team removed the phone from Zero Touch Provisioning 20 minutes after I opened a ticket with the MAC and proof of purchase, at 5am local time - pretty impressive!


After the factory reset the phone immediately re-provisioned onto the Zoom account again, annoying but not unheard of - many providers are now using "Zero Touch Provisioning" (ZTP) where the phone contacts the manufacturer (In this case Yealink) which then re-directs the phone to the providers own provisioning server, but the process can usually be circumvented. 

So the next step was to block internet access, reset the phone, and try and disable anything related to auto-provisioning. Except that didn't work either, as soon as I unblocked the internet it re-provisioned onto Zoom.

After some head scratching I noticed the phone was using a customised "Zoom" firmware, so perhaps it's enforcing the auto-provisioning regardless of settings. Once again I blocked the internet, reset the phone, uploaded the standard firmware, disabled auto-provisioning and crossed my fingers. But once again once I unblocked the internet the phone provisioned onto Zoom. Dammit! 

After a little more hunting on Google I discovered that the Zoom account holder can remove the phone from provisioning in their account settings. I fired a message over to the seller in the hope they have access to remove it. It's also possible to contact Yealink to ask them to remove it, so I opened a ticket

Another post indicated that a provisioning URL sent via DHCP Options will take precedence over the ZTP so I gave it a try, setting DHCP Option 66 to "http://127.0.0.1" and sure enough the phone reset and made no attempt to contact the provisioning server. Success! Well, not quite. Most people aren't able to set DHCP Options on their router and what if I want to provision something else using that option?

Instead, I tried setting the provisioning URL to http://127.0.0.1 (Settings > Auto Provision > Server URL) and removing the DHCP Option, however ZTP appears to take precedence over the Server URL and once again the phone provisioned onto Zooms service.

So, in conclusion it seems Yealink can really lock these phones down when they want, overriding any option to disable ZTP. This is a poor show in my opinion, ZTP is great, but the user should be able to disable it if they wish.

Tl;Dr: If your Yealink is locked to Zoom it appears the only way to remove it is by contacting Zoom, Yealink, or using a DHCP option to override ZTP.




No comments:

Post a Comment