Cable Internet - Part 2: VoIP

It seems to be common practice, that the hardware router, that you get from your ISP runs a branded firmware which restricts certain configuration options - most important, you can’t simply configure your VoIP phone connection. This is probably, because the ISP offers you also phone services and he wants to ensure, that you his and only his phone service.

But thanks to the internet community, there is a way around this: The Fritz!Box firmware provides the ability to backup the configuration settings into a file and restore it again. In this file, every configuration option is present, and this includes the VoIP configuration. The file has certain checksum, so that you can’t just modify this (text) file and restore it. But there is another tool available, that can recalculate the checksums, it’s the FBEditor.

My Fritz!Box is the model 6490 Cable, which runs a branded firmware by Vodafone Kabel Deutschland (kdg). FBEditor is available also on github, the main repo is olistudent/FBEditor. However, there are forks, which contain new commits, which add support for e.g. 6490. The currently most recent fork seems to be CyberLine/FBEditor, which can be easily seen on the network graph.

First Step: Run FBEditor

So, first step is: Fork this repo and build it…

git clone https://github.com/CyberLine/FBEditor.git
cd FBEditor
ant jar

Note: There seems to be a small problem with the file src/de/FBEditor/utils/Utils.java: Just replace ConfigImExPwd with an empty string: "" to make it work.

It requires at least java 7, I used java 8 for compiling and running. Obviously, you’ll need ant.

Now, just run it with ant. You’ll be asked for the hostname of your Fritz!Box, which is typically fritz.box and the password. With the password, FBEditor can download the current configuration directly. Next you’ll see a text editor like window. FBEditor will now connect to the fritzbox and determine the model. In the console window, you should see something like [java] Debug boxtype: 141. When this appears, you are ready to fetch the configuration via the menu “Datei, Konfiguration einlesen”.

Second Step: Configure VoIP provider

Then search the configuration about voip. Therefore search for “voip.cfg” via the menu “Bearbeiten, Suchen” (CTRL+F). The section voipcfg contains several subsections ua1, ua2, ua3, and so on. These are the different voip phone numbers. There are probably a couple of numbers already configured, just search the next free entry, which is enabled = no. For me, it was ua4.

Now modify the entry, and add the login details for your VoIP provider:

ua4 {
        enabled = yes;
        username = "<your-user-name>";
        authname = "<your-login-name>";
        passwd = "<your-password>";
        registrar = "<your-sip-provider-server>";
        name = "<your-phone-number>";
        protocolprefer = protocolprefer_ipv6;
        outboundproxy = "";
        route_always_over_internet = yes;
}

Some providers, such as sipgate, no separate login name. In that case, just leave the property empty (authname = ""). The name property is, how this voip connection is displayed on the web interface of your Fritz!Box. Since we are in a modern world, I used IPv6. You can also keep the setting as protocolprefer_ipv4only. Make sure, to leave the outboundproxy either empty or use the correct proxy of your voip provider (if any).

The last property is important: route_always_over_internet = yes. Your ISP might have dedicated VoIP connections for his own phone system, through which you can’t connect to your voip provider. With this setting, the Fritz!Box will open the SIP connection via the “normal” internet connection.

Third Step: Configure the Number and Dial rules

If you would use this configuration now, the Fritz!Box would register itself at your voip provider and you would be reachable. However, the web interface wouldn’t show the “green” light and you can’t easily select your voip number as the primary number for a phone device.

Therefore, we still need to configure something via FBEditor. This time, it’s the binary file fx_conf. It’s unfortunately not so simple now, but in the end, this file is also just ASCII but presented here as a hex dump. Ok - as a binary file, it also has a specific inner structure with sometimes fixed field length and sometimes variable field lengths.

Search for the 48th line. Before that, you should see the sequence 0000, which maybe indicates the end of the previous section. The section, that starts with the 48th line configures the dial rule: when a leading zero should be used, what’s the city code, the country code, special numbers (like emergency calls), that don’t need any leading codes, and so on. Since there are already some numbers configured by your ISP, you can just take the same settings for you own number.

The first byte indicates the length of the dial rule field: For me, it’s 5C, which is in decimal 92. This means, that 92 more bytes are following:

5C3131302A313130233131322A313132233131352A313135233131362A313136233131382A313138
233139392A3139392330302A303023302A30232A30383923302A3023383923312330233123343923
302330302331236F7468657223

After that, a couple of FF are following. To be exact, 163 bytes. This makes the complete possible data for this field 1 + 92 + 163 = 256 bytes.

If you look at the ASCII equivalent (ignoring the 5C which indicates the length), you’ll get this:

110*110#112*112#115*115#116*116#118*118#199*199#00*00#0*0#*089#0*0#89#1#0#1#49#0#00#1#other#

These 92 bytes describe only one phone number, the first (ua1). After that, the next number comes (ua2). For me, it’s again the exact same pattern.

Now, search the 4th pattern (this time, it was much shorter for me) and replace the full 256 available bytes with the 256 bytes from one of the previous numbers.

By the way - you can also see these dial rules, when you request the support data via http://fritz.box/support.lua.

This will add the dial rules, but the number is still missing and it would still not appear with the “green” light. Strangely, there is a UI support to configure the number, but saving it, doesn’t seem to have any effect: The branded firmware obviously doesn’t allow to change this.

In the same file (fx_conf), starting at line 338, you’ll see many 00 bytes and some numbers always beginning with 3 (30, 31, 32, …). These are the actual phone numbers. The first number appears to begin at byte 13500 (337*40+20) from the beginning of the file or after 20 bytes of line 338. Note: These are the numbers without city code. The numbers have obviously a fixed length of 21 bytes, the not needed bytes are filled with 00. This could mean, that this is actually somehow null-terminated, which would limit the length of a phone number to 20 digits.

Anyway, the same as above: The numbers are in order, the first corresponds to ua1, the second to ua2 and so on. Now, the data is always 21 bytes apart (42 characters in the hexdump). Just overwrite the zeros with your number as hexadecimal ASCII digits:

0   ->    30
1   ->    31
2   ->    32
3   ->    33
4   ->    34
5   ->    35
6   ->    36
7   ->    37
8   ->    38
9   ->    39

And you’re almost done.

Fourth Step: Save configuration and restore

Now save the configuration file in FBEditor into a new file (menu “Datei, Speichern”). And upload this file in the “restore configuration” section into your Fritz!Box. It will take a while, the box will reboot and eventually, you should be able to use your VoIP provider.

Update: It seems, that FBEditor doesn’t calculate the checksum correctly for FRITZ!OS 7 and later. But there is an alternative: The FritzBoxJSTool.

Caveat

It is said, that the providers are keeping an eye on the configuration of their router. And since they can remotely reconfigure them, they might remove the extra VoIP account, that we just added. Not sure, if this is only a problem, if one of the provider numbers are overridden (e.g. ua1) or in general.

References

Andreas Dangel | subscribe via RSS | adangel | .onion © Copyright 2019. adangel.org (17 August 2019)