Home > Technology > FRITZ!Box VoIP password extraction

FRITZ!Box VoIP password extraction

Many providers send you the preconfigured FRITZ!Box containing all settings, whereas passwords are not visible in the webinterface. Some providers, such as Sunrise in Switzerland, argue they wont give you the password due to “safety reasons” when you call their helpdesk. m) – To extract your VoIP password from your FRITZ!Box follow these steps:

1.) Enable Telnet
Open the webinterface of your FRITZ!Box an choose > Telephony > Telephonebook
Add two new entries:
Name: Telnet On
Number: #96*7*

and
Name: Telnet Off
Number: #96*8*

FritzBox-telnet-phonebook

Dial #96*7* on your connected DECT phone to enable telnet on your FRITZ!Box. If you don’t have a phone connected to the Box, enable “click to dial” in telephony > calls > click to dial and dial the number by clicking on the number in the phonebook on the webinterface.

2.) Extract VoIP password in telnet
Access your router via telnet in the command line (aka Terminal). Use the IP of your router and your FRITZ!Box password.

user@host:~$ telnet 192.168.1.1
password: ***********

BusyBox v1.20.2 (2013-05-13 12:53:07 CEST) built-in shell (ash)
Enter ‘help’ for a list of built-in commands.

#

Then use the following two commands to extract the VoIP password:

# allcfgconv -C voip -o /var/tmp/temp -c
# cat /var/tmp/temp |grep passwd
passwd = “23f00b4R”;
passwd = “”;
#

Done 😎
Now disable telnet again, – for security reasons, – by dialing #96*8* on your DECT. – Have phun!

For further reading:

Update (11. November 2016):
AVM secret FritzBox Key

  1. M.S.
    July 10th, 2014 at 23:29 | #1

    Hi lx

    what version of FritzOS is your FritzBox running?
    The newest Labor Version (FRITZ!OS 06.10-28247 BETA) doesn’t seem to recognize the -c parameter:

    # allcfgconv -C voip -o /var/tmp/temp -c
    illegal option ‘c’

    • July 10th, 2014 at 23:48 | #2

      Hi M.S.
      The “-c” option is the decrypt option, without it you’ll only see the encrypted password. Check this page for all explanations on allcfgconv.
      Regarding the box version I will tell you in a couple of days, as soon as I can access the box again.

      Best, Lx

  2. M.S.
    July 11th, 2014 at 00:48 | #3

    Thanks for your info,

    I was aware, what the -c switch does, however with the Labor-Version FRITZ!OS 06.10-28247 BETA the allcfgconv command didn’t recognize the switch, it was compiled out i guess. It didn’t even show up in the help file.
    I reverted back to the official firmware (FRITZ!OS 06.03) and updated to the newest (06.04) (as of 07. Jul. 2014) version, in both cases the -c switch worked as intended, exactly as you described.

    As to why it was disabled/removed in the Labor-Version, i have no clue. I’m curious if the next Labor-Version will include it. Also it would be interesting how the decryption worked without the command, and if they will depreciate the -c switch in future versions.

    -M.S.

    • July 11th, 2014 at 00:56 | #4

      I didn’t yet fiddle around with the Lab-version, so I didn’t know. – Thanks for the information likewise!
      Makes no sense to me the “-c” option isn’t there in that version.

      And I totally agree with you, we’ll have to find out how to decrypt the stored info in an alternative way. – Please let me know, in case you find a way…

      [Update]
      This and this link might illuminate the issue.

  3. jens
    May 26th, 2015 at 14:35 | #5

    Hi Lx,

    Thanks for your howto. I am trying to follow your steps from a remote location. I can do everything over the webinterface (using my MyFritz account) except that I cannot fire up telnet from a shell, because I have no running SSH server over which I could access my home network.

    Do you know a workaround?

    (I have firmware 06.05 so I wonder if it will work at all, but I wanted to give it a try nonetheless)

    Best,
    jens

    • May 26th, 2015 at 14:47 | #6

      AFAIK the specified command can only be executed from the shell.
      Best, Lx

  4. February 25th, 2016 at 11:59 | #7

    Thank bro worked perfectly.

  1. No trackbacks yet.