Recently i came across some super-cheap Avaya E129 IP phones, and wanted to set them up to connect to an Asterisk Server over SIP.

Unfortunately with these phones, in order to reset the admin password and actually change any configuration options (including doing a factory reset!), you had to actually know the admin password in the first place. This was most disappointing, and made it much more effort to actually use the phones.

Luckily, the reset process isn't too bad with a bit of tcpdump and iptables.

First, I plugged the phone into my network, and noted from tcpdump that it was requesting DHCP on VLAN 502.

From here, I set up an interface on a Raspberry Pi listening on this VLAN. This Pi had isc-dhcp-server, tftpd-hpa and nginx installed alongside standard utilities.

Once I managed to give the IP phone an IP address, its web interface was accessible. Sadly, I didn't know the password for this, so more digging was required.

Looking through my tcpdump capture, it was clear that the phone was contacting pre-configured addresses from its previous life. One notable occurrence was it trying to load something from a http server at a private 10. address.

First, it tries to load a device-specific config, e.g. cfg000b8289xxxx.xml, then falls back to just cfg.xml at a certain path.

17:11:05.651561 00:0b:82:89:xx:xx > b8:27:eb:ee:xx:xx, 
ethertype 802.1Q (0x8100), length 225: vlan 502, p 5, 
ethertype IPv4, > 
Flags [P.], seq 0:155, ack 1, win 2920, options 
[nop,nop,TS val 4294910278 ecr 1420117325], length 155: 
HTTP: GET /e129/cfg.xml HTTP/1.0

Then, I downloaded a standard template cfg.xml from Avaya's website here, and placed it in a subfolder served by nginx.

The default config file contains a lot of commented options, but the key line <P2>admin</P2> resets the default admin password to 'admin'.

Once the phone booted, it was now possible to access the web interface and do an actual factory reset to default values. If the phone displays a 'Username' login screen, cycle through using the button on the right until you see 'Menu', and then authenticate using the password admin (keep pressing the button to cycle from caps to lowercase). Then go to Config->Factory Reset and confirm.

The phone will reboot, and the web interface will once again be accessible but this time with the previous user's settings all cleared and reset to defaults.

Notably, this also clears the VLAN Tag settings, so the phone will request DHCP from your untagged network now.

Now, it's time to configure the phone to use Asterisk. Simply configure a new extension on your server and set the following items in the phone web interface:

If you want to use XML files to configure your phones:

Maintenance->Upgrade and Provisioning
Upgrade Via = HTTP
Config Server Path =

If you want your phones to be on a VLAN:

Network->Advanced Settings
Layer 2 QOS 802.1Q/VLAN Tag = 502 (your vlan here)

To set up a SIP account:

Accounts->Account 1, set the following:
Account Name
SIP Server
SIP User Id
Authenticate ID
Authenticate Password
Name (caller ID)