What would be nicer is if we knew the format of the query string to https://linediscovery.hub.bt.com/ I tried a GET / and it just returns HTTP error 404. It's probably just something like https://linediscovery.hub.bt.com/getSIP?SessionID=12... and it may then return you the SIP details in the response. I wonder if there's any way to dump the SH2 firmware out and then search it and maybe get lucky and reveal the format of the query.

I don't think it would help, given that you won't be able to provide a valid certificate for linediscovery.hub.bt.com. You need to let the SH2 make its own request, which is encrypted end-to-end.

chrisu

Think of the SH2 as having a mobile SIM coded inside it and how this registers with a mobile network.

This may give hints to what is happening . You may also find that a SH2 Mac address is involved, it may have more than one!, and that is preregistered within BT to the voice service. ( A change of SH2 may also break the service without BT involvement , this could be tested for to agree / remove MAC identities from the issue)

In reply to a post by kitcat:

chrisu

Think of the SH2 as having a mobile SIM coded inside it and how this registers with a mobile network.

This may give hints to what is happening . You may also find that a SH2 Mac address is involved, it may have more than one!, and that is preregistered within BT to the voice service. ( A change of SH2 may also break the service without BT involvement , this could be tested for to agree / remove MAC identities from the issue)

I don't think this is how it works, as if it was authenticated using a private key on the SH2 in a similar way to how there is an app on the SIM card with a private key, the PPP session details wouldn't be important, but they are. It would also mean you could take your SH2 to someone else's house, plug it in and have your phone line there. It would also mean they would need to make SH2s individually for each customer.

In reply to a post by candlerb:

I don't think it would help, given that you won't be able to provide a valid certificate for linediscovery.hub.bt.com. You need to let the SH2 make its own request, which is encrypted end-to-end.

You would only need an individual certificate if they are doing client certificate authentication, which is unlikely. More likely is that all the SH2s have the same publicly available CA Root Cert so the SH2 can validate the server certificate.

I just realised I can enable SSH access on my ASUS router. I just tried and it looks like a linux server. When I get time next week, I'll have a look around to see if the PPP session details are logged anywhere, or if they are available somewhere under the /dev or /sys pseudo filesystems.

In reply to a post by chrisu:

In reply to a post by candlerb:

I don't think it would help, given that you won't be able to provide a valid certificate for linediscovery.hub.bt.com. You need to let the SH2 make its own request, which is encrypted end-to-end.

You would only need an individual certificate if they are doing client certificate authentication, which is unlikely.

What I meant was that the SH2, when it connects to https://linediscovery.hub.bt.com/, will validate that the *server* it is talking to has a certificate for "linediscovery.hub.bt.com" signed by a known root CA.

If you try to intercept the traffic, for example to see what it puts in its GET or POST request, it will discover that you don't have a valid certificate and immediately terminate the connection.

I have found out that I can SSH into my Asus router and /proc/net/pppoe will give me the PPPoE Session ID and remote MAC address of the PPPoE session. I had previously speculated that the SH2 is making a call to https://linediscovery.hub.bt.com/ and passing some details known to both sides (I guessed PPPoE Session ID, AC Name, Host-Uniq but there could be others) and returning the SIP details.

I made the PPPoE Server on my LAN have the same IP address as the OpenReach PPPoE Server, made my PPPoE server allocate the same IP address to the SH2 as was allocated to my Asus router, changed the MAC address of my PPPoE Server network card to the same as the one in openreach, made the PPPoE Server use the same AC-Name and PPPoE Session ID as the one in use by the Asus router and set the Asus router to use the same Host-Uniq tag as I has seen the SH2 use in Wireshark.

It still didn't work. I then noticed that the SH2 changes the Host-Uniq tag to what appears to be a random value every time it tries to connect. If it is using the Host-Uniq in a call to get the SIP details, then the only way to get this to work is to change the LAN PPPoE server so that when it receives the PADI message, it gets the Host-Uniq tag from it, SSHs into the ASUS router, sets the Host-Uniq tag in the Asus router to be the same, causes it to re-establish the PPPoE session, and return the new PPPoE Session ID to the LAN PPPoE server and then it can then send it back to the SH2. It would also be possible to change the MAC address of the Asus router WAN interface to be the same as the SH2 if that is important. Although it would be interesting to try this, it's too much work, so I'm going to give up.

Sounds like it has been nicely designed to prevent easy hacking into your voice comms. Makes it a nice secure voice service to meet all the security standards at the customer end.

Still has legal interception within the network of course but little chance of interception in the local network even with the access you have a s a customer.

This is the same situation I'm finding myself in with Digital Voice.
I found the following on ISP review which would seem to give a work round for this.
I'm not in the same league regarding networking etc. as most of the posters on here, so I'm sorry if this is not what you are looking for.


I’ve had a very similar experience to Richard. The bureaucracy and support systems are impossible. I ordered 1GB ftth on 21st August. Today is 26th October and I’m still waiting for a fully functional phone service from BT. We didn’t have the option of a copper analogue line as we had been with Telewest/Virgin for about 20 years. I placed an order by phone as I wanted to ask some questions about the handsets available. That was my mistake.

The short version of the story is that we now have a very good and stable internet connection, but after two months still don’t have a fully working BT line or any handsets from BT. The order is not showing up on their systems as having been completed so the “fancy” services on Digital Voice (voicemail, Call Guardian, etc) don’t work my old DECT system. The handsets, unbelievably, are out of stock.

Having to use the BT Router was a pain too, though the idea of bundling it all together in a combined router/DECT base station is probably good for those who want a simple set up which works (or should work) straight out of the box. I wanted to use my existing mesh wi-fi and the only way to do this was to set up the mesh system in Access point mode only and connect to the BT Router. This was a pain to set up, involved more ugly boxes and cables, but (apart from a fully functional phone)it worked.

Last week, in despair at BT’s inability to complete the order I realised that as the order was still showing as “not completed” BT’s billing systems weren’t working either. I ordered a Gigaset VOIP/analogue DECT system from Amazon, managed to divert all BT calls to a Sipgate VOIP number, took out the BT router and connected the TP-Link Deco mesh system directly to the ONT. Bingo! A fully functional phone at last.

Siplink allow you to substitute a presentation number in place of the number they allocate to you. I’m now receiving calls on the BT network, diverted to Sipgate and received using a “normal” VOIP service, which means that I can receive calls on my landline on my mobile or anywhere in the world that I choose, as well as get the essential things such as voicemail and being able to configure how long the phone rings before diverting.

I’ve given up chasing BT. For now at least I have a great 1GB internet connection and fully functional phone service which costs me £9.95 per month for the all UK landline and mobiles inclusive package from Sipgate. No bills from BT until they sort their systems out.

Due to being locked down over the Christmas and New Year period, I've had a lot of spare time to continue this, and I have eventually made it work. My Asus router is now connected to the ONT and is acting as the router and the SH2 is connected to one of the LAN ports on the Asus router and is only used for Digital Voice phone and I am able to make phone calls.

I worked out that the SH2 makes a call to https://linediscovery.hub.bt.com/ and passes the PPPoE Host-Uniq tag value and the PPPoE Session ID and it is returned the SIP details which it then uses to initiate the SIP connection for phone calls. The local and remote IP addresses and MAC addresses, and the AC Name are not important. The SH2 changes the Host-Uniq value every time it makes a new connection which makes it more difficult to get this to work.

The Asus router is running a version of linux, the source code is freely available on the Asus web site, and it is possible to configure SSH access in order to run commands on the Asus router in order to reconfigure things.

I downloaded a copy of the open source PPPoE server https://dianne.skoll.ca/projects/rp-pppoe/ I changed it so that on receipt of the PADI message, it extracts the Host-Uniq tag, and reconfigures the Asus router to use this value on it's external PPPoE connection, and then makes the Asus router re-establish the PPPoE session. Once it is re-established, it gets the PPPoE Session ID and uses that later in the PADS message sent back to the SH2 so that the SH2 will use that, along with the host-Uniq value, when making a call to https://linediscovery.hub.bt.com/

In order to change the Host-Uniq tag on the Asus router and cause it to reconnect the following commands can be run on the Asus router:
nvram set wan0_pppoe_hostuniq=20EF000
nvram set rc_service="restart_wan_if 0"
kill -SIGUSR1 1

In order to get the PPPoE session ID on the Asus router, the following command can be run:
cat /proc/net/pppoe|cut -d" " -f1

A linux server (Raspberry Pi or other), needs to be running on the same LAN as the SH2. On this server, the changed RP-PPPOE needs to be installed and the file /etc/ppp/pppoe-server-options needs to contain the following (192.168.0.1 is the Asus LAN IP Address):
noauth
noproxyarp
ms-dns 192.168.0.1
lcp-echo-interval 10
lcp-echo-failure 2

IP forwarding needs to be enabled on the linux server :
echo 1 > /proc/sys/net/ipv4/ip_forward

A NAT rule needs to be added on the linux server to NAT the data coming from the SH2 to the internet. I use a bridge interface br0, but for most servers it will be eth0 or similar:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o br0 -j MASQUERADE

The Asus router needs to be configured to forward UDP traffic on port 5050 to an additional IP address which will be assigned to the linux server. The linux server will have 2 IP addresses - it's main one and the one used for PPP. I assigned 192.168.0.11 for this purpose.
A NAT rule needs to be added to the linux server to forward the voice data from the internet through the PPP connection to the SH2:
iptables -t nat -A PREROUTING -d 192.168.0.11 -p udp --dport 5050 -j DNAT --to-destination 192.168.1.1:5050

The hacked PPPoE server needs to be run (the -o 1 is ignored in my hacked server and be replaced with the Session ID):
pppoe-server -C acc-aln2.l-zzz -I br0 -L 192.168.0.11 -R 192.168.1.1 -o 1 -N 1 -k

The SH2 will then think it's connected to the ONT and connect the Digital Voice even though it's running on the LAN.