VoIP: SIP-over-TLS and sRTP: Fanvil

Fanvil phones are re-labeled and sold by many others, for example by Digium as the A-series, by ATLINKS as Swissvoice, and by AGFEO. If the firmware-upgrade file starts with the model name and has the file extension ‘z’, it might be a Fanvil. Fanvil has at least two series.

Last tested firmware

Configuration

Password: Web: admin/admin, Phone: 123
Web → System → Account → (User Management) admin → (button) Modify
Web → Phone → Advanced → LCD Menu Password
HTTPS: X5 and higher: Web → Network → Service Port → Web Server Type: HTTPS
X4 and lower: Web → Phone → Device Certificates: Device Certificates → (button) Apply → Network → Service Port → Web Server Type: HTTPS
Update: Web → System → Upgrade → System Image File
Trust Anchors: Web → Security or Phone → Trust(ed) Certificates → Custom Certificates: Base64
SIP-URI User: Web → Line → SIP → Username
Web → Line → SIP → Authentication User/Name
SIP-URI Host: Web → Line → SIP → Register/Server Address
Web → Line → SIP → Advanced → DNS Mode: SRV
SIP-over-TLS: Web → Line → SIP → Transport(ation) Protocol: TLS
Web → Line → SIP → Register/Server Port: 5061
Web → Line → SIP → Advanced → TLS Version
this is an exact TLS version, not a minimum; therefore you have to know which version(s) your SIP provider supports (higher is better)
SDES-sRTP: Web → Line → SIP → Advanced → RTP Encryption: Optional
which means the SDP offer uses the profile RTP/AVP together with a=crypto lines
Keep-Alive: Web → Line → SIP → Advanced → Keep-Alive Type: UDP → Interval
which is actually a TCP keep-alive; recommended: an interval lower than 300

Bad Defaults

Symmetric Response: the phone adds the parameter rport to its header Via not only over UDP but also over TCP (and TLS)
X5 and higher: instead of sticking to the learned public ip:port combination for the header Contact, the phone removes and re-adds its binding in parallel on each re-REGISTER
Mitigation: Web → Line → SIP → Advanced → rPort: Disable

Software Bugs

SHA-2 Digest: when the server challenges with SHA-2, the phone does not fall back to MD5 but continues without the header Authorization and is therefore not able to register; therefore incompatible with Linphone
AES-256 sRTP: X5 and higher: accepted although not supported, therefore no audio (fixed in hardware models V2 with firmware 2.12)
X4 and lower: accepted although not supported; answers with an empty crypto tag (fixed since firmware 2.12)
DNS-NAPTR: broken; does nothing after DNS query
Mitigation: Web → Line → SIP → Advanced → DNS Mode: SRV
Session Timers: X4 and lower: broken; the sRTP ROC (rollover counter) is reset on re-INVITE
Mitigation: Web → Line → SIP → Advanced → Enable Session Timer: Off
not a full mitigation, because the other party can still send a re-INVITE at any time
Compact Form: Supported (k) and Session-Expires (x) are not understood
SIP-over-TLS: large SDP messages are ignored, see SSL_WANT_WRITE
Audio: although AMR works, AMR-WB gave me no RTP packets; fixed since firmware 1.8.1
DiffServ: over IPv6, SIP and RTP are sent with DSCP 0x00; works over IPv4
Signaling DiffServ: X5 and higher: not enabled on default
Mitigation: Web → Network → Advanced → Enable DSCP → Signal DSCP: 40
X4 and lower: Web interface shows the value 40 but does not use it
Mitigation: change it once via Web → Network → Advanced → (button) Apply

Security

Bugs: X5 and higher: SIP-over-TLS without authentication, because ‘Web → Security → Trust Certificates → (Permission Certificate) Permission Certificate: Enabled’ gives Certificate Unknown (TLS alert 46);
X5 and higher: SDES-sRTP key with reduced entropy (keys observed were half null), fixed with firmware 1.8.1;
X4 and lower: SDES-sRTP key with reduced entropy (keys observed were half null), not yet fixed;
padlock icon is shown even without SIP-over-TLS; and
found no way to avoid Ghost Calls via TCP
Mitigation: do not expose port 5060/tcp to the Internet
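As an added example (not code from the page or from Fanvil), the following Python audits the a=crypto lines of an SDES-sRTP offer for the two problems listed above: a crypto suite the phone accepts but cannot run (AES-256, see Software Bugs) and key material with reduced entropy (half-null keys). The sample SDP is constructed, the set of suites marked as "supported by the phone" is an assumption, and the zero-byte thresholds are a heuristic chosen for this example; the key and salt lengths per suite follow RFC 4568 and RFC 6188.

```python
import base64
import re

# Key and salt lengths in bytes per crypto suite (RFC 4568 section 6.2; RFC 6188 for AES-256).
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "AES_256_CM_HMAC_SHA1_80": (32, 14),
    "AES_256_CM_HMAC_SHA1_32": (32, 14),
}

# Assumption: the suites the phone can actually run. AES-256 is left out on purpose
# to model the "accepted although not supported" bug listed under Software Bugs.
PHONE_SUPPORTED = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}

# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime|mki:len] [session-params]
CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)(?:\|\S*)?(?:\s+.*)?$"
)


def parse_crypto(sdp):
    """Return one dict per a=crypto line: tag, suite and the decoded key||salt."""
    found = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        tag, suite, b64 = m.groups()
        b64 += "=" * (-len(b64) % 4)  # tolerate senders that drop base64 padding
        found.append({"tag": int(tag), "suite": suite, "keymat": base64.b64decode(b64)})
    return found


def longest_zero_run(data):
    """Length of the longest run of 0x00 bytes in data."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best


def audit_crypto(sdp, supported=PHONE_SUPPORTED, max_zero_run=8):
    """Map each crypto tag to a list of findings; an empty list means the line looks sane."""
    report = {}
    for c in parse_crypto(sdp):
        findings = []
        lengths = SUITES.get(c["suite"])
        if lengths is None:
            findings.append("unknown suite %s" % c["suite"])
        else:
            keymat = c["keymat"]
            if len(keymat) != sum(lengths):
                findings.append("key||salt is %d bytes, expected %d" % (len(keymat), sum(lengths)))
            if c["suite"] not in supported:
                findings.append("suite %s offered but not supported by the phone" % c["suite"])
            zeros = keymat.count(0)
            # "half null" key material: at least half the bytes are zero, or a long zero run
            if zeros * 2 >= len(keymat) or longest_zero_run(keymat) >= max_zero_run:
                findings.append("reduced entropy: %d of %d key||salt bytes are zero" % (zeros, len(keymat)))
        report[c["tag"]] = findings
    return report


def _inline(keymat):
    return base64.b64encode(keymat).decode("ascii")


# Constructed sample offer (not captured from a phone): tag 1 is a sane AES-128 line,
# tag 2 carries half-null key material, tag 3 offers AES-256.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 4000 RTP/AVP 8 0 101",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + _inline(bytes(range(1, 31))),
    "a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:" + _inline(bytes(range(1, 16)) + bytes(15)) + "|2^20",
    "a=crypto:3 AES_256_CM_HMAC_SHA1_80 inline:" + _inline(bytes(range(1, 47))),
])

if __name__ == "__main__":
    for tag, findings in sorted(audit_crypto(SAMPLE_SDP).items()):
        print("crypto tag %d: %s" % (tag, "; ".join(findings) or "ok"))
```

Run it against the SDP body of a captured INVITE or 200 OK (for example exported from a packet capture) to see whether a given firmware still sends half-null keys or still offers AES-256; a line with an empty finding list passes both checks.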
Privacy: SIP messages contain MAC
Mitigation: Web → Line → SIP → Advanced → User Agent: anything, for example ‘Fanvil X4/2.10.2.6887’
… Enable Register MAC Header: Off
… Enable MAC Header: Off
… GRUU: Off (UUID is the MAC)
Device phones home to https://fdps.fanvil.com
Mitigation for X5 and higher: Web → System → Configuration → Import → FDPS Enable: 0
Mitigation for X4 and lower: Web → System → Configuration → Import → FDPS_Enable: 0
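As an added example (not code from the page or from Fanvil), the following Python inspects a SIP message for several of the points above in one pass: the Bad Default of requesting rport in the header Via over TCP or TLS, the compact header forms k and x that the phone does not understand (expanded here per RFC 3261 and RFC 4028), the MAC address leaking into headers such as User-Agent and the GRUU instance id, and, for the SHA-2 Digest bug under Software Bugs, how a client should pick a challenge it can actually answer when a server sends several (RFC 8760). The REGISTER message, the MAC 00:11:22:33:44:55 and the UUID built from it are constructed for this example and are not from any real phone.

```python
import re

# Compact header names (RFC 3261 section 20; "x" is Session-Expires from RFC 4028).
COMPACT = {
    "v": "Via", "f": "From", "t": "To", "i": "Call-ID", "m": "Contact",
    "c": "Content-Type", "l": "Content-Length", "k": "Supported",
    "x": "Session-Expires", "s": "Subject", "e": "Content-Encoding",
}


def parse_headers(message):
    """Split a SIP message into (name, value) pairs, expanding compact names.

    Headers end at the first empty line; the body (SDP) is not returned.
    """
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:  # skip the request or status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip()
        full = COMPACT.get(name.lower(), name) if len(name) == 1 else name
        headers.append((full, value.strip()))
    return headers


def via_rport_findings(headers):
    """Flag Via headers that request rport over TCP or TLS (the Bad Default above)."""
    findings = []
    for name, value in headers:
        if name.lower() != "via":
            continue
        m = re.match(r"SIP/2\.0/(\w+)\s", value)
        transport = m.group(1).upper() if m else "?"
        params = [p.strip().lower() for p in value.split(";")[1:]]
        if transport != "UDP" and any(p == "rport" or p.startswith("rport=") for p in params):
            findings.append("rport requested over %s: %s" % (transport, value))
    return findings


def mac_leaks(headers, mac):
    """Return header names whose value contains the phone's MAC in any common spelling."""
    needle = re.sub(r"[^0-9a-f]", "", mac.lower())
    return [name for name, value in headers
            if needle in re.sub(r"[:-]", "", value.lower())]


def choose_digest_challenge(challenges, supported=("MD5",)):
    """Pick the first WWW-Authenticate challenge whose algorithm the client can compute.

    RFC 8760 allows a server to send several challenges (for example SHA-256 first,
    then MD5); a client must skip the ones it cannot do instead of giving up, which
    is what the SHA-2 Digest bug under Software Bugs fails to do.
    """
    wanted = {s.upper() for s in supported}
    for ch in challenges:
        m = re.search(r'algorithm="?([\w-]+)"?', ch, re.I)
        alg = (m.group(1) if m else "MD5").upper()  # MD5 is the default algorithm
        if alg in wanted:
            return ch
    return None


# Constructed REGISTER, as a phone with the defaults discussed above might send it.
# The MAC and the UUID derived from it are invented for this example.
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:sip.example.com SIP/2.0",
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-1;rport",
    "f: <sip:1001@sip.example.com>;tag=abc",
    "t: <sip:1001@sip.example.com>",
    "i: call-0001@example.invalid",
    "CSeq: 1 REGISTER",
    'm: <sip:1001@192.0.2.10:5061;transport=tls>;+sip.instance="<urn:uuid:00112233-4455-0000-0000-000000000000>"',
    "User-Agent: Phone 00:11:22:33:44:55",
    "k: path, replaces",
    "x: 1800",
    "l: 0",
    "", "",
])

if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_REGISTER)
    print("headers:", [n for n, _ in hdrs])
    print("rport:", via_rport_findings(hdrs))
    print("MAC in:", mac_leaks(hdrs, "00:11:22:33:44:55"))
```

Feed it the text of a REGISTER or INVITE from a packet capture together with the phone's MAC; an empty result from mac_leaks confirms that the three MAC-related settings above are in effect, and an empty result from via_rport_findings confirms that rPort is disabled.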
Responsible Disclosure: via ticket system
Firmware Update: missing Automation
missing Newsletter

Miscellaneous

Model Range

Power Supply

X5 and higher: 12 V 1 A, Coaxial: 5.5 mm × 2.1 mm
X4 and lower: 5 V 0.6 A, Coaxial: 5.5 mm × 2.1 mm
