I flashed 5 of these phones back 6 months ago with some difficulty (after trying different methods/firmware versions/network cables/switches etc I finally got them all working), unfortunately I failed to record my findings! Time to resurrect the blog!
Last week I found myself with a few more Cisco CP-7906G IP phones to convert from old SCCP firmware to SIP. Rather than using the xml.conf method I chose to hard reset (I could remember this is how I did it last time);
- Hold the # key while powering on the phone (either by POE or mains)
- Once the red indicator on the handset start flashing release #
- Key 3491672850*#
As my FreePBX (Asterisk PBX) is running and has the firmware ready I hoped everything would just work… Unfortunately not. All of the phones got stuck trying to pull term06.default.loads. I spent countless hours trying to figure out the problem, including;
- Trying different DHCP servers (tftpd32, tftpd64, pumpkin & solarwinds TFTP server)
- Trying different switches, network patch leads and even a direct connection between my laptop and the phones
- Trying different IP ranges and network configurations
But still the phones repeatedly searched for term06.default.loads;
Dec 30 10:15:32 localhost in.tftpd: RRQ from 192.168.0.224 filename term06.default.loads Dec 30 10:15:33 localhost in.tftpd: RRQ from 192.168.0.224 filename term06.default.loads Dec 30 10:18:00 localhost in.tftpd: RRQ from 192.168.0.224 filename term06.default.loads Dec 30 10:18:00 localhost in.tftpd: RRQ from 192.168.0.224 filename term06.default.loads Dec 30 10:19:33 localhost in.tftpd: RRQ from 192.168.0.224 filename term06.default.loads Dec 30 10:19:34 localhost in.tftpd: RRQ from 192.168.0.224 filename term06.default.loads
Eventually I decided to try a few different firmware versions “just in case”. Initially none worked (and they are hard to come by because I don’t have an active Cisco subscription and without one, you cannot download them directly from Cisco).
After almost giving up, I figured out that many of the firmware images I was previously unable to open (.cop or .cop.sgn) were in fact just zip files which can be opened in 7-zip. I recall when using the old technique to upgrade the firmware you need to start with a version around 8.5 then slowly incrementally patch. I didn’t think this was necessary with the “hard reset” technique, but found cmterm-7911_7906-sccp.8-5-2.cop.sgn and gave it a whirl….
Dec 30 10:44:41 localhost in.tftpd: RRQ from 192.168.0.245 filename term06.default.loads Dec 30 10:44:42 localhost in.tftpd: RRQ from 192.168.0.245 filename jar11sccp.8-5-2TH1-9.sbn Dec 30 10:44:49 localhost in.tftpd: RRQ from 192.168.0.245 filename cnu11.8-5-2TH1-9.sbn Dec 30 10:44:51 localhost in.tftpd: RRQ from 192.168.0.245 filename apps11.8-5-2TH1-9.sbn Dec 30 10:45:03 localhost in.tftpd: RRQ from 192.168.0.245 filename dsp11.8-5-2TH1-9.sbn Dec 30 10:45:05 localhost in.tftpd: RRQ from 192.168.0.245 filename cvm11sccp.8-5-2TH1-9.sbn
Instantly the phone picked up term06.default.loads and proceeded to pickup the other files!
Once the phone booted, it clearly wasn’t going to register against my PBX (as it’s still running SCCP firmware). So I placed the SIP firmware cmterm-7911_7906-sip.9-4-2SR1-1.cop.sgn back on the TFTP. Carried out another hard reset and again, the phone instantly picked up the new files;
Dec 30 11:01:20 localhost in.tftpd: RRQ from 192.168.0.224 filename term06.default.loads Dec 30 11:01:21 localhost in.tftpd: RRQ from 192.168.0.224 filename jar11sip.9-4-2ES9.sbn Dec 30 11:01:28 localhost in.tftpd: RRQ from 192.168.0.224 filename cnu11.9-4-2ES9.sbn Dec 30 11:01:31 localhost in.tftpd: RRQ from 192.168.0.224 filename apps11.9-4-2ES9.sbn Dec 30 11:01:44 localhost in.tftpd: RRQ from 192.168.0.224 filename dsp11.9-4-2ES9.sbn Dec 30 11:01:46 localhost in.tftpd: RRQ from 192.168.0.224 filename cvm11sip.9-4-2ES9.sbn
I provisioned the phones in FreePBX but they seemed to get stuck in a cycle registering/updating locale/rebooting. Fortunately I recalled having this issue previously and determined that the 7906 phones have a relatively short maximum password length which the default FreePBX passwords exceed. I was able to confirm this by looking at the Asterisk log;
[root@localhost ~]# tail /var/log/asterisk/full [2015-12-30 02:06:30] NOTICE chan_sip.c: Registration from '<sip:firstname.lastname@example.org>' failed for '192.168.0.198:51838' - Wrong password [2015-12-30 02:08:07] NOTICE chan_sip.c: Registration from '<sip:email@example.com>' failed for '192.168.0.198:51978' - Wrong password [2015-12-30 02:08:54] NOTICE chan_sip.c: Registration from '<sip:firstname.lastname@example.org>' failed for '192.168.0.198:49878' - Wrong password
Once I changed the password and rebuilt the configs in Endpoint manager the phones registered straight away.
In conclusion, I think the bootloader on the phones needed to be upgraded to enable them to be capable of loading the 9.x firmware. Flashing them with the 8.x firmware first upgraded the bootloader and from there it was plane sailing! I have attached the two firmwares for reference;
As a sidenote; I have never had luck with using DHCP option 150 (in either pfSense or tftpd32). Entering an IP address in it’s normal format has definitely never worked (when I do a wireshark trace I can confirm this). I believe you’re supposed to use some hex format, but having tried this in several different formats i’ve still never managed to get it working. The preferable route seems to be using DHCP option 66 (I believe this supports either a hostname or IP). In tftpd32 you don’t actually need to configure this option, the built in DHCP server automatically configures it to the hostname of the interface running the service.