Magic Jack SIP auth proxy
by trixter on Aug.22, 2009, under Telephony
MagicJack has changed the way they authenticate SIP calls in an effort to break 3rd party devices. Sometimes it's not the best thing to have a computer running, sometimes you want to use something other than Windows, sometimes you just want to use different software. Whatever the case, this proxy will give you choices and options.
I wrote MagicCrack specifically to address this problem. MagicCrack is a proxy written in Perl, and uses iptables to modify the packets so that the authentication can occur. This lets you forward packets to whatever proxy you configure in your device. Because MagicJack uses port 5070, most SIP traffic can be left untouched and only MagicJack traffic is modified. The Perl script works as a transparent proxy, allowing you to quickly and easily configure your gateway without having to reconfigure any other systems that may exist on your network.
In essence MagicJack changed the way they calculate the nonce for MD5 authentication. They add a little bit of extra information, which is calculated off the Call-ID header. This is not that complex, although it is somewhat effective since most devices are unable to do this.
The transparent proxy Perl script will add the extra data to the nonce, and after it is hashed by the SIP UA it will be stripped. I used the iptables QUEUE target to accomplish this.
In order to run this script you must execute as root:
modprobe ip_queue
iptables -I OUTPUT -p udp --dport 5070 -j QUEUE
iptables -I INPUT -p udp --sport 5070 -j QUEUE
Then run the script (also as root) and it should just magically work. Your SIP UA will have the right data when it does the MD5 hash, and you can have different proxies used, and all that good stuff.

August 30th, 2009 on 7:54 am
Sounds like a nice little proxy, but probably needs a step by step tutorial including examples for most people to use. Is this for local or remote server and do we have to assign the udp and ip addresses ourselves in the command line or are those just variables for use by the script. More importantly does this solve the SIP/ATA non registry problem that everyone has been experiencing after JULY?
August 30th, 2009 on 8:19 am
It does correct the problem, what MagicJack did was to change the way the nonce is processed. Instead of using the RFC standard, which is what your ATA would use, they add some extra data, calculated off the Call-ID header, which changes the response. This proxy adds that extra data when sending the request to your ATA, and removes it when sending it back to MagicJack. Everyone ends up being blissfully unaware that this even occurred.
This is a transparent proxy, it must be run local, presumably at your local gateway machine. For those that have a linux router/firewall system this would work well. If you do not, you have to at least install a linux box locally and use that as your default gateway for the ATA (or anything else that needs to use this proxy).
The ports are 5070 because that is what MagicJack uses for SIP. Your ATA should be configured as normal, you would just add this script in, run the iptables commands shown above, and launch the script. Iptables will redirect any matching packets to the perl script automatically, which will then see if it’s a packet to an ATA or to MagicJack and apply the fixups as needed.
You said that there should be a howto, I have given the exact commands to run, so if you have a specific question on how to use this please ask. I am unsure what you would be unclear on, so I cannot comment on those issues until I know more specifically what is unclear.
September 6th, 2009 on 1:09 pm
Can I run this on my RTP300? I think it is running linux
September 6th, 2009 on 3:21 pm
I don’t know anything about rtp300. The minimum requirements the way that I wrote this one are:
linux (reasonably current)
ip tables
queue redirect target for ip tables
perl + modules required by this script
root access
As long as you have those requirements on your device it should work just fine. If you are missing some, but it is linux, you may be able to add them by compiling them, something I am unable to assist you with, or adding them from a package manager if your distribution has one.
September 9th, 2009 on 5:31 am
I was using MJ with Asterisk PBX without hardware. And programming it so I can use it as a SIP trunk for Incoming and outgoing calls. Since they changed authentication method I can’t use it any more.
If I need to make this work as a trunk with Asterisk How I need to install this script. I was able to connect multiple MJ on same Asterisk PBX. Do I need physical MJ to be connected with Asterisk PBX?
Or I need to plugin MJ with gateway/router of particular make? If so let me know how what I need to buy and how to prepare router with MJ so I don’t have to use Windows computer 24 hours.
Thank you for your help
Nick
September 9th, 2009 on 10:30 am
This proxy is designed to let you continue to use asterisk (or whatever) with magicjack. It corrects the auth changes they did so that you can use whatever you were using however you were using it.
You do not need their dongles for this to work, assuming you have valid sip credentials from them already.
If you follow this article’s instructions it should work with asterisk again.
October 1st, 2009 on 6:16 am
Can the script run on the asterisk box itself? or does it need to be an inline gateway process?
Thanks,
free
October 1st, 2009 on 11:21 am
yes it can run on the asterisk or freeswitch box itself.
October 3rd, 2009 on 10:17 pm
I ran this on my centos 5.1 linux box and got the following errors:
MagicCrack.pl: line 6: use: command not found
MagicCrack.pl: line 7: syntax error near unexpected token `('
MagicCrack.pl: line 7: `use IPTables::IPv4::IPQueue qw(:constants);'
October 3rd, 2009 on 11:07 pm
If ‘use’ is not found then it’s not being run by perl. Did you do
sh ./MagicCrack.pl
Those errors make me think that you ran it in sh/bash and not perl. Try this:
chmod 755 MagicCrack.pl
./MagicCrack.pl
or
perl MagicCrack.pl
October 7th, 2009 on 7:33 am
Hi trixter,
Can you tell us how MagicJack calculate the response ?
The standard is
ha1=md5(username:realm:password)
ha2=md5(method:uri)
response=md5(ha1:nonce:ha2)
can you tell us what MagicJack change and add so we can calculate the same response?
Thank you,
Charles
October 7th, 2009 on 7:47 am
They modify the nonce, other than that it’s the same. They add _XXXXXX to the end of the nonce which is calculated off the callid. The perl script does this and it’s easy to see what it does.
All the perl script does is add the extra nonce data when going to the UA and remove it when going back to magicjack.
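The rewrite the article describes, combined with the digest formula quoted in this thread, as an added example (it is not MagicCrack's code and not from the original post). `nonce_suffix` is a placeholder because the page does not give MagicJack's Call-ID derivation; the header regexes, sample message and credentials are constructed.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: the formula quoted in the thread."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def nonce_suffix(call_id):
    """PLACEHOLDER: the page does not give MagicJack's Call-ID derivation."""
    return hashlib.sha256(call_id.encode()).hexdigest()[:6]

CALL_ID = re.compile(r"^(?:Call-ID|i)\s*:\s*(\S+)", re.I | re.M)
NONCE = re.compile(r'(\bnonce=")([^"]*)(")', re.I)   # \b keeps cnonce out
CHALLENGE = re.compile(r"^(?:WWW|Proxy)-Authenticate:.*$", re.I | re.M)
CREDENTIALS = re.compile(r"^(?:Proxy-)?Authorization:.*$", re.I | re.M)

def rewrite(msg, header_re, edit):
    """Apply edit(nonce, tag) to the nonce inside matching header lines only.
    Content-Length counts body bytes, so it stays valid; a real packet
    rewriter still has to fix the IP/UDP lengths and checksums."""
    found = CALL_ID.search(msg)
    if not found:
        return msg                      # no Call-ID: pass through unchanged
    tag = "_" + nonce_suffix(found.group(1))
    def fix_line(line):
        return NONCE.sub(
            lambda n: n.group(1) + edit(n.group(2), tag) + n.group(3),
            line.group(0))
    return header_re.sub(fix_line, msg)

def toward_ua(msg):
    """Server -> UA: extend the nonce in the challenge."""
    return rewrite(msg, CHALLENGE, lambda nonce, tag: nonce + tag)

def toward_server(msg):
    """UA -> server: strip the suffix, but only the one expected for this call."""
    return rewrite(msg, CREDENTIALS, lambda nonce, tag:
                   nonce[:-len(tag)] if nonce.endswith(tag) else nonce)

# Constructed sample challenge; every value is made up.
CHALLENGE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Call-ID: 3c26700a57a4@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    'WWW-Authenticate: Digest realm="example.invalid", nonce="5f2a91c0_71b3e4", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)

def ua_register(challenge, user, password, uri):
    """Minimal stock UA: answers whatever nonce it was shown."""
    realm = re.search(r'realm="([^"]*)"', challenge).group(1)
    nonce = NONCE.search(challenge).group(2)
    resp = digest_response(user, realm, password, "REGISTER", uri, nonce)
    call_id = CALL_ID.search(challenge).group(1)
    return (f"REGISTER {uri} SIP/2.0\r\nCall-ID: {call_id}\r\nCSeq: 2 REGISTER\r\n"
            f'Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"\r\n'
            "Content-Length: 0\r\n\r\n")

def server_accepts(request, password):
    """Server side as the page describes it: hash over nonce plus suffix."""
    f = dict(re.findall(r'(\w+)="([^"]*)"', request))
    call_id = CALL_ID.search(request).group(1)
    expected = digest_response(f["username"], f["realm"], password, "REGISTER",
                               f["uri"], f["nonce"] + "_" + nonce_suffix(call_id))
    return hmac.compare_digest(f["response"], expected)
```

A stock UA answering the unmodified challenge is rejected, while the same UA behind `toward_ua` and `toward_server` is accepted and the server only ever sees the nonce it issued.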
October 7th, 2009 on 8:55 am
Thanks trixter, it works. how did you know they added some digits at the end of the nonce and how did you come up with the formula to calculate it?
Thanks again,
Charles
October 16th, 2009 on 8:19 am
Hi,
I’m running Asterisk on CentOS 5 and having issues installing the MagicCrack. Here’s what I’ve done for the pre-reqs:
- yum install iptables-devel
- perl Makefile.PL for perlipq-1.25
and make, make install per its readme file
I get “Can’t locate NetPacket/IP.pm in @INC” when I try perl MagicCrack.pl
I’m very green on all of this as you probably figured out by now. Any help?
Thanks,
JR
October 16th, 2009 on 8:45 am
perl -MCPAN -e 'install NetPacket::IP'
You are missing NetPacket::IP, there may or may not be a yum package for it, I do not run centos so I don’t know. The above line works for virtually all perl installations, so it should work to install the missing module.
October 16th, 2009 on 9:52 am
Thanks trixter, that got it installed on CentOS as well. I’m not sure what could be wrong now. I run your script and it sits there presumably waiting for packets but nothing is displayed. I’m not entirely sure my MJ password is correct so that’s another variable I need to work.
Thanks for your help
JR
October 16th, 2009 on 10:12 am
The script is intended to be run as a daemon, while it does not fork and background itself, it can be run with an & at the end to background it.
It will just silently sit there waiting for packets.
If you run something like wireshark it will display the packets, and you should see that the nonce in the auth headers is something like XXXXX_XXXXXX coming from magicjack and XXXXX_XXXXXX_NNNNNN where the _NNNNNN is added by the script towards your sip device.
As for the password, the tools that I have seen all do a ram dump of the process while running in windows and pulls it out of there. I am a bit lazy, but I do know that the password, your email, and other bits of info are stored on the USB drive that the magicjack dongle has. The dbkey which is used for web authentication uses those bits of info to automatically authenticate by running the data through a hash type algorithm. The client will then be able to download any password change or anything else that way, and decrypt/decode it from what is stored on the USB drive. If I get particularly bored I may write a tool that will fetch that data without ever having to run their client, but I am not that bored yet
October 16th, 2009 on 11:45 am
Thanks again for the tip. I’ll see if wireshark shows anything.
I have another MJ account that I use straight from the PBX with no proxy needed. Hope I don’t jinx myself on that one. They’re probably requiring the new auth from newer dongles like the one I bought last night. I bet if I plug my MJ old dongle in the account will update and I’ll lose my SIP credential compatibility.
JR
October 16th, 2009 on 12:05 pm
Some do, some don’t, it depends on what software version of their client they think you are running. I do not know of a way to roll back the software version, although I bet that the dbkey reveals that since it seems to reveal a lot of other things. They will be able to force people to upgrade simply by changing the auth credentials which causes you to run their software which downloads the update.
The code change was at least in the magic jack executable softphone that they use. AFAIK that is the only place in userland that it exists. They really don’t want people running clients they cannot display adverts on
October 22nd, 2009 on 9:48 am
after a long fight with perl I had the script run but when it injects a modified packet … that packet doesn’t make it to my Asterisk … I finally converted your fix_nonce/sum functions to C and put it in chan_sip …anyways how did you find the algorithm ? was it published somewhere or did you use debugger ? will it be doable in the future if they change the algorithm ?
October 22nd, 2009 on 12:56 pm
You should have asked, I have a C function that I converted to perl
If you ran the script and had iptables set up properly, then it should have worked. Adding it to chan_sip means that you run into the problem of trying to use the box for magicjack and non-magicjack accounts. Yes, you can write clever bits of code to turn the feature on/off, you can make a chan_mj which is a cloned copy of chan_sip (asterisk fails when it comes to chan_sip, allowing you 1 and only 1 UA for the entire box forces you to violate some of the RFCs when you want to make it do a B2BUA or even when you want to make the box a forwarding system, but then chan_sip is not RFC compliant on its own anyway).
I think the easier thing would have been to make it into a perl proxy that uses a fixed MJ SIP server instead of forwarding the packets via iptables. Then you would just point your asterisk box to the perl proxy instead of to MJ itself. I did the iptable way so that you can force different MJ targets if you wanted, like if you had several accounts. Most of the code for a standalone proxy is already there, you just have to make it bind to a port, and send the packet after inspection/modification.
I found the algorithm with IDA pro. After a certain version their client started doing this. It only took a couple hours to do, and I haven’t done this type of thing for almost 20 years, so I was rusty. I am sure that others found this in much less time. If you know what to look for it should take minutes to locate where in the code it is doing what it is doing, and document it. I cannot say that it would be easy to do this in the future or not, it depends on what MJ does.
November 3rd, 2009 on 8:49 pm
[root@astpbx Desktop]# ./MagicCrack.pl
Failed to send netlink message: Connection refused at ./MagicCrack.pl line 92.
[root@astpbx Desktop]#
I am getting above error now. Is there any one tell me what is missing still?
Thanks nick
November 3rd, 2009 on 9:03 pm
Did you load the iptables queue module? Failing to send a netlink message makes me think that it’s having problems talking to the iptables subsystem in the kernel.
November 18th, 2009 on 7:36 pm
Does anybody in this forum know how I can get SIP info from my magicjack. I think that they’ve changed the way things are transmitted. I am able to get UID and PWD from a dump, but can’t get the rest of SIP info.
Thanks in advance.
November 19th, 2009 on 1:10 am
I am having problems as of today as well, all my jacks wanted to do an update. I may have to bust out IDA again and see about writing a file decoder. The username, email address, and other bits of info are stored on the jack’s flashdrive in an encoded format. I never bothered to look at that file, but I am confident that upon decoding that I can get some of the info at least, potentially all of it. There is a HTTPS exchange that returns encoded data for provisioning, at the very least the data is contained in there but you have to be able to build a query string “dbkey” for the HTTPS GET in order to get that info.
This would potentially be more reliable and allow you to do it without ever plugging the jack in. It may also be a good time to release my serial number spoofing tool, which is a trivial thing, the serial number is just data passed on the USB bus, if you intercept that data and alter it on the fly you can easily set the serial number to anything you want.
November 19th, 2009 on 6:02 am
Thank you for the quick reply Trixter. I actually see the dbkey string with Fiddler but it is encoded. Do you happen to know a tool that will help me decode it?
November 19th, 2009 on 7:00 am
No, that is what I would use IDA for. It looks to be a hash comprised of various bits of info but that is only required to get the provisioning info from MagicJack, the real info is contained in its response (or at least appears to be), that is where the sip credentials will be, and that is what has to be decoded.
There is a hidden file on the usb drive, at least windows default is to hide it. \magicJack\Profiles.db this is similar to but not identical to the sjphone profile storage info. In normal SJ phone, and presumably here, this file contains the sip proxy, username, password, etc. SJphone calls a configured sip client a “profile”, and this is a database of sorts of the connection info.
By looking into that file you can get the data, of course that means that you have to change it if for any reason MJ changes the way they do things. Magicjack (Ymax specifically) bought softjoys the company that makes sjphone, they have sought to own the supply chain, as they also bought tigerjet according to rumors. Ymax is a certified telephone company owning at least part of the telephony supply chain as well.
November 19th, 2009 on 9:22 am
Trixter, again very kind of you to reply so quickly. I see the profile.db file, there is also an options.ini file which is in binary format. Sorry, but I am new at this, how can I query the profile.db and/or read the options.ini file?
Can do direct email if you’d like. My email is [redacted]
Thanks again!
November 19th, 2009 on 9:40 am
What I was saying is that I know the file is there, I do not know its format and until I do I can’t write a tool that would be able to read it.
November 21st, 2009 on 11:32 pm
I loaded into my /home/user/bin folder, chmod +x the file and then run it and at first it gave error so I installed the modlipq or whatever from synaptic, and it ran ok, I think.
I try MagicJack soft phone on xp in virtualbox and noticed it would not connect, so I assume it was working adding extra data on top of the data provided by the softphone. I was watching traffic with wireshark so I could see it not authorizing, so I fire up the real phone plugged into linksys 54g p2 and tried to dial, all I get is busy signal after dialing. I closed terminal and verified with iptables -L .
The problem I have now is when I try to access MagicCrack.pl I get error saying busy at line 101, the die. I’m new to perl so I just commented out that line and tried again and it went on to error at line 107, so I reverted back. If I remember right, when I ran this very first time and was successful, it ran and returned the command prompt back to me right? Cause now when I restart the pc and run it it hangs there like if I would run sudo gedit or something where it keeps the terminal busy or whatever you call it.
Any idea on the error at line 101. After I reboot I readd the iptables info and do just like direction, but always same and hangs and pap2 not working, so I’m thinking it might not be my sip info but rather the pl hanging and not running all the way. I don’t get any error messages when it hangs
November 30th, 2009 on 4:15 pm
Hello I have been following this for a half a month now, Im at a point where I believe it is working Its running happy in the back ground anyway.
I however would really like to find out how to make the phone actually work.
I don’t have a IDA just a nice old fax/phone, I like to use this phone for magic Jack as the buttons dial with the Magic Jack soft phone in windows. (no intended faxing)
However, I am attempting to migrate to Linux the same functionality, the magic jack soft phone don’t work in linux, and I was wonder how can I get it to work?
I downloaded a soft phone called sflphone, how can this work with magic jack and the 5070 port?
December 1st, 2009 on 6:42 am
Regarding the files aforementioned
could you do a device query or rather as a rough Idea (bear with me I’m super new to linux)
mount the file as a loop device or null? or if that is not plausible, somehow track the progressive changes via a text log like one would do to a mounted device, with the cat out command?
~sorry If that is completely vague.
December 9th, 2009 on 6:08 am
Any further developments in figuring this out?
December 10th, 2009 on 10:19 am
Hi trixter, Need info to fix problem on iphone3G I dump
my MJ and load info. to Siphon and i get message on the right of the screen MAXIMUM NUMBER OF STALE RETRIES EXCEEDED (PJSIP_AUTHstalecount)This is what i load
username="EXXXXXXXXXX01"
password=FSXXXXXXXXXXXXXXXX40
server= prov1.talk4free.com or 216.234.64.8
reg. Timeout 3600
Proxy Server 216.234.64.8:5070
Auth. Username EXXXXXXXXXX01
Enable NAT OFF
Siphon over EDGE/3G ON
Local Port 5070
STUN Server
STUN Domain
RTP Port 4000
Need HELP
THANKS in advance
December 10th, 2009 on 7:42 pm
Hi trixter, I see your work and look so interesting, I’m trying to have multiple MJ on one server and try to apply your solution, I try to do it on elastix solution, it work on Centos OS and asterisk, I try to run sh ./MagiCrack.pl but have this errors.
./MagicCrack.pl: line 6: use: command not found
./MagicCrack.pl: line 7: syntax error near unexpected token `('
./MagicCrack.pl: line 7: `use IPTables::IPv4::IPQueue qw(:constants);'
If I try only with ./
have no response
If I try with
perl MagicCrack.pl
have
Failed to send netlink message: Connection refused at MagicCrack.pl line 92.
January 5th, 2010 on 9:14 pm
for rtp300 / wrtp54g look at this post:
http://www.magicjacksupport.com/wrtp54g-mjproxy-t7750-15.html
January 21st, 2010 on 2:50 am
Does this still work?
January 21st, 2010 on 9:45 pm
Ok, so I managed to get the script running on my Asterisk/Trixbox server running CentOS. I am also running MagicCrack on the same box as my Asterisk box, so the question is, do I need to setup a configuration so that the MagicJack trunk points to the local box’s IP? If so, how?
February 3rd, 2010 on 1:53 pm
I have Centos OS (FreePbx/PBX in a Flash). I cannot get the perl script to work. The error is:
Can’t locate IPTables/IPv4/IPQueue.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/li………
Obviously, I don’t have some of the modules I need, but don’t know what I need, nor how to get/load them. I loaded the whole system from a CD. I am familiar with Linux to a point.
Any suggestions (please be as specific as possible) on what might be missing and how to install it. Thanks.
February 4th, 2010 on 2:43 am
That error means that you do not have IPTables::IPQueue, you can either try to find a yum package that has it (I don’t use redhat/centos so I don’t know) or you can type sudo perl -MCPAN -e 'install IPTables::IPv4::IPQueue' and that should download, build and install it for you.
February 4th, 2010 on 2:47 am
Makoto: magiccrack works as a transparent proxy, it will transparently add the extra data to the nonce field in the sip messages on port 5070 so asterisk will properly do the MD5sum and strip it for the response back to magic jack. You would set up everything else normally, set the asterisk server to try to talk to the magic jack proxy and it will be transparently grabbed and modified automagically.
February 4th, 2010 on 2:48 am
chewbacca: the proxy should still work, although some of the tools to get the sip credentials no longer do.
February 4th, 2010 on 2:56 am
That is a different proxy, and it does not do 1 thing that I think it should. It will direct all calls to the same proxy. The way that I did things originally (unpublished version) is that there is a lookup table, for acct1 it goes to proxy1, for acct2 it goes to proxy2. This is useful if you have a large quantity of magic jack dongles and you do not want to overwhelm a given proxy with calls.
February 4th, 2010 on 3:02 am
tlmk: the first error means that you are not running it as a perl script. Instead it’s more likely that it’s being run as a bash script, which means that you either need to edit/add an initial line that reads #!/bin/perl or #!/usr/bin/perl based on your distribution.
The second means that you do not have the netlink kernel modules installed. Reread the article and follow the instructions about doing that.
February 4th, 2010 on 3:04 am
mnmervin: the iphone is a bit out of the scope of this script as it’s a linux kernel specific script. If you want me to figure this out send me an iphone and I will do my best. I can return the phone when I am done if you pay for return shipping. In short I am not going to spend my money to solve your problem.
February 4th, 2010 on 3:05 am
jsherk: not quite sure what you mean. What problem are you having specifically?
February 4th, 2010 on 3:13 am
jayson: I have no idea what you are talking about. This is a perl script that talks to a kernel module and modifies the packets similar to packet mangling that occurs via a kernel module.
A loop device is normally a pseudo block device that is mounted (like a disk image).
I am unsure how you would mount a null …
What progressive changes are you speaking of?
Do you just want more debugging output? Those would be print statements within the script itself (or if you want to be nicer syslog messages, which could be a print to the /dev/log special ‘file’ and the syslog format of message where X is the facility and Y is the priority (both are single digit numbers) if you do not know what I mean then you probably shouldn’t do it until you learn about syslog messages. Just make it open and append to its own log file instead
February 4th, 2010 on 3:16 am
jayson: IDA is a debugger, it is not a phone or anything that way. It lets me see what the magic jack software is doing, and how it is doing it.
The directions in the article explain exactly how to get this to work in linux. Basically you need to install some kernel modules, install the perl script and the perl modules it requires then as root/sudo run the perl script so that it can modify the packets in realtime. Then any sip packets to port 5070 will be modified so it will work with a standard SIP device.
February 5th, 2010 on 4:29 pm
With CentOS operating system, FreePBX version of Asterisk, I tried to install …::IPQueue but it failed. Here are excerpts of the failure. I entered the first line. The rest is parts of the response. Any help on how to load this would be appreciated. Thanks.
root@pbx:~ $ perl -MCPAN -e 'install IPTables::IPv4::IPQueue'
CPAN: Storable loaded ok
Going to read /root/.cpan/Metadata
Database was generated on Fri, 05 Feb 2010 05:49:03 GMT
Running install for module IPTables::IPv4::IPQueue
Running make for J/JM/JMORRIS/perlipq-1.25.tar.gz
.
.
Location of iptables development components: [/usr/local]
Ok, using '/usr/local' to find libipq headers and libraries.
.
.
Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/simple.t .. 1/4 Fatal: Failed to send netlink message: Connection refused at t/simple.t line 33.
t/simple.t .. Dubious, test returned 111 (wstat 28416, 0x6f00)
Failed 3/4 subtests
Test Summary Report
-------------------
t/simple.t (Wstat: 28416 Tests: 2 Failed: 1)
Failed test: 2
Non-zero exit status: 111
Parse errors: Bad plan. You planned 4 tests but ran 2.
Files=1, Tests=2, 0 wallclock secs ( 0.06 usr 0.01 sys + 0.03 cusr 0.01 csys = 0.11 CPU)
Result: FAIL
February 16th, 2010 on 8:24 pm
Hello,
I have a asterisk Freepbx build that I have been fighting to get working utilizing this perl script and have failed. If anyone has the solution set and is willing to ssh into the server, I can pay via paypal…looking to have 8 different MJ accounts configured…already have all sip login information for all accounts.
J