Grandstream offers a vast range of phones at small prices and provides big data sheets. What about the software? Let us have a look! By the way, their website uses Mixed Content; two years after I reported it, it is still not fixed as of today.
Tested firmware: 1.0.9.9
retested in Oct. 2019 with 1.0.11.4
retested in May 2020 with 1.0.13.2 (DP750) and 1.0.3.6 (GRP2612)
Password: | admin / the password printed on the sticker on the back (or admin); change it under Web → Maintenance → Web Access → Admin Password |
HTTPS: | Web → Maintenance → Security → Web → Access Mode: HTTPS |
Update: | Web → Maintenance → Firmware → Server Path: firmware.grandstream.com → Button: Save and Apply; then Status → System Info → Check for New Firmware. The factory/default path does not work; you have to change it first. |
Trust Anchors: | Web → Profile or Account → Security: 1. Authenticate Server Certificate Domain: Yes (broken in GRP2612); 2. Authenticate Server Certificate Chain: Yes (broken in GRP2612 if used with Custom Trusted CA Certificates); 3a. (DP750) Trusted CA Certificate: paste the Base64 of your trust anchor; only one certificate is possible; you have to save, apply, and reboot; the certificate is not displayed afterwards, so you cannot verify what was stored; 3b. (GRP2612) Web → Maintenance → Security → Trusted CA Certificates: paste the Base64 → Load: Custom, because you cannot double-check the Default Trusted CA Certificates; currently broken, so you have to use ‘All’ instead |
SIP-URI User: | Web → (DECT → SIP) Account → SIP User ID |
SIP-URI Host: | Web → Profile or Account → General → SIP Server |
SIP-over-TLS: | Web → Profile or Account → Network → DNS Mode: NAPTR; Web → Profile or Account → SIP → Basic → Transport: TLS; Web → Profile or Account → SIP → Basic → Use Random SIP Port: Yes |
SDES-sRTP: | Web → Profile or Account → Audio → Crypto Life Time: No; Web → Profile or Account → Audio → SRTP Mode: Enabled But Not Forced, which offers RTP/SAVP. ‘Optional’ offers RTP/AVP first and RTP/SAVP second, so an answerer that takes the first usable stream, such as Digium Asterisk (and DUStel, which uses Asterisk), ends up with plain RTP instead of sRTP. |
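The ‘DNS Mode: NAPTR’ setting in the SIP-over-TLS row is what lets the SIP server announce TLS to the phone. The following is an added example, not code from this page or from Grandstream: it implements the RFC 3263 server-location procedure (NAPTR sorted by order and preference, filtered by the client's supported transports, SRV fallback, A/AAAA last resort) and goes beyond the page's single case by also covering a server without NAPTR records. The NAPTR set for example.com is constructed; nothing here queries DNS.

```python
"""Added example, not from the page or from Grandstream: RFC 3263 transport
selection as enabled by 'DNS Mode: NAPTR'. Records below are constructed."""
from typing import NamedTuple


class Naptr(NamedTuple):
    order: int
    preference: int
    flags: str
    service: str
    replacement: str


# NAPTR service tag -> transport (RFC 3263 section 4.1)
SERVICE_TRANSPORT = {"SIPS+D2T": "TLS", "SIP+D2T": "TCP", "SIP+D2U": "UDP"}

# Client-side preference used only when the server publishes no NAPTR records.
CLIENT_ORDER = ["TLS", "TCP", "UDP"]


def srv_name(transport, domain):
    """SRV owner name for a transport, e.g. _sips._tcp.example.com."""
    prefix = {"TLS": "_sips._tcp.", "TCP": "_sip._tcp.", "UDP": "_sip._udp."}
    return prefix[transport] + domain


def resolution_plan(domain, naptr_records, supported):
    """Ordered (transport, name) candidates a client should try:
    1. NAPTR records sorted by order, then preference, keeping only 'S'
       records (replacement is an SRV name) for transports the client supports;
    2. otherwise SRV queries in the client's own preference order;
    3. finally an A/AAAA lookup of the domain itself, which RFC 3263 pairs
       with UDP (port 5060) for a sip: URI when no transport is known."""
    plan = []
    for r in sorted(naptr_records, key=lambda r: (r.order, r.preference)):
        transport = SERVICE_TRANSPORT.get(r.service)
        if r.flags.upper() == "S" and transport in supported:
            plan.append((transport, r.replacement))
    if not plan:
        plan = [(t, srv_name(t, domain)) for t in CLIENT_ORDER if t in supported]
    plan.append(("UDP", domain))  # last resort: A/AAAA record of the domain
    return plan


def first_hop(domain, naptr_records, supported):
    """Transport and name the client will actually try first."""
    return resolution_plan(domain, naptr_records, supported)[0]


# Constructed NAPTR set for example.com: the server prefers TLS, then TCP, then UDP.
EXAMPLE_NAPTR = [
    Naptr(30, 50, "S", "SIP+D2U", "_sip._udp.example.com"),
    Naptr(10, 50, "S", "SIPS+D2T", "_sips._tcp.example.com"),
    Naptr(20, 50, "S", "SIP+D2T", "_sip._tcp.example.com"),
]

if __name__ == "__main__":
    print(first_hop("example.com", EXAMPLE_NAPTR, {"TLS", "TCP", "UDP"}))
    print(first_hop("example.com", EXAMPLE_NAPTR, {"UDP"}))
    print(first_hop("example.com", [], {"TLS", "UDP"}))
```

If you think of the phone's Transport: TLS setting as supported = {"TLS"}, the plan reduces to the SIPS+D2T record or, without NAPTR, the _sips._tcp SRV name; with a fixed DNS mode the NAPTR step is skipped entirely, which is what the ‘has no effect’ finding for the GRP2612 amounts to in practice.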
These features are disabled by default although they are negotiated automatically. Tests revealed that they work; therefore, there is no reason to disable them by default.
Session Timers: | Web → Profile or Account → SIP Settings → Session Timers: 1. Enable Session Timers: Yes; 2. Session Expiration: 1800; 3. UAC Specify Refresher: Omit |
PRACK: | Web → Profile or Account → SIP → Basic → 100rel: Yes |
SHA-2 Digest: | the phone crashes when the server offers several digest challenges at once; therefore incompatible with Linphone |
DNS-NAPTR: | has no effect in the GRP2612 |
AES-256 sRTP: | the crypto-suite name is wrong, and the inline key material is 48 bytes long instead of the 46 bytes (32-byte key plus 14-byte salt) that RFC 6188 specifies |
Audio: | G.726-32 has the wrong endianness by default and ‘G726-32 Packing Mode’ has no effect. Mitigation: set ‘g726nonstandard=yes’ in your Digium Asterisk. The Opus codec produces only buzzing noise. Mitigation: set ‘Preferred Vocoder’ 6 and 8 to the same value as 1; this disables the Opus codec and G.721 (aka G.726-32). |
Compact Form: | the compact header names for Supported (k) and Session-Expires (x) are not understood. Mitigation: Web → Profile or Account → SIP → Session Timers → Enable Session Timers: No |
Bugs: | the padlock icon is shown even without an authenticated transport; the offered TLS cipher suites include RC4 (and even MD5) |
Privacy: | phones home to https://acs.gdms.cloud, Mitigation: Web → Maintenance → TR-069 → ACS URL: empty; phones home to http://fm.grandstream.com/gs, Mitigation: Web → Maintenance → Upgrade → Firmware Server: empty, and Web → Maintenance → Provisioning → Config Server: empty; phones home to https://service.ipvideotalk.com, Mitigation: Web → Settings → Web Service → Auto Location: No |
Responsible Disclosure: | although a ticket system exists, it does not work: I had to go to a venue and get the business card of a Product Manager. After an issue gets fixed, the corresponding ticket is not updated or closed. Instead, you have to go through the Release Notes to find out whether your issue got fixed. |
Firmware Update: | Newsletter |
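Two of the rows above concern the SDP the phone sends: the SDES-sRTP row (‘Optional’ puts RTP/AVP before RTP/SAVP, so a first-stream-wins answerer like Asterisk never reaches sRTP) and the AES-256 sRTP row (wrong suite name, 48 instead of 46 bytes of key material). The following is an added example, not code from this page, its author, or Grandstream: it simulates such an answerer against constructed offers in both SRTP modes and audits every a=crypto line against the key||salt lengths of RFC 4568 and RFC 6188, going beyond the page by covering all six AES-CM suites. The ‘first usable m= line wins’ behaviour is taken from the page's description of Asterisk, not re-verified here; all SDP is constructed, the keys are random, and the unregistered suite spelling in the faulty offer is a hypothetical stand-in, not the phone's actual string.

```python
"""Added example, not from the page or from Grandstream: SRTP offer styles
versus a first-stream-wins answerer, plus SDES key-length checks.
All SDP below is constructed; keys are random, not captured."""
import base64
import os
import re

# Bytes of master key + 14-byte master salt per SDES crypto-suite
# (RFC 4568 for AES-128, RFC 6188 for AES-192 and AES-256).
SUITE_KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 16 + 14,
    "AES_CM_128_HMAC_SHA1_32": 16 + 14,
    "AES_192_CM_HMAC_SHA1_80": 24 + 14,
    "AES_192_CM_HMAC_SHA1_32": 24 + 14,
    "AES_256_CM_HMAC_SHA1_80": 32 + 14,
    "AES_256_CM_HMAC_SHA1_32": 32 + 14,
}

SDP_HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
AUDIO = "a=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\n"


def crypto_line(tag, suite, key_len):
    """a=crypto line carrying key_len random bytes of key||salt (constructed)."""
    inline = base64.b64encode(os.urandom(key_len)).decode()
    return f"a=crypto:{tag} {suite} inline:{inline}\r\n"


# 'SRTP Mode: Optional' style: plain RTP first, SRTP second.
OPTIONAL_OFFER = (SDP_HEAD
                  + "m=audio 5004 RTP/AVP 0 8\r\n" + AUDIO
                  + "m=audio 5006 RTP/SAVP 0 8\r\n" + AUDIO
                  + crypto_line(1, "AES_CM_128_HMAC_SHA1_80", 30))

# 'SRTP Mode: Enabled But Not Forced' style: a single RTP/SAVP line.
SAVP_ONLY_OFFER = (SDP_HEAD
                   + "m=audio 5004 RTP/SAVP 0 8\r\n" + AUDIO
                   + crypto_line(1, "AES_256_CM_HMAC_SHA1_80", 46)
                   + crypto_line(2, "AES_CM_128_HMAC_SHA1_80", 30))

# The two AES-256 defects the page lists: an unregistered suite spelling
# (hypothetical stand-in) and 48 instead of 46 bytes under the registered name.
FAULTY_OFFER = (SDP_HEAD
                + "m=audio 5004 RTP/SAVP 0\r\na=rtpmap:0 PCMU/8000\r\n"
                + crypto_line(1, "AES_CM_256_HMAC_SHA1_80", 46)
                + crypto_line(2, "AES_256_CM_HMAC_SHA1_80", 48))


def parse_media_sections(sdp):
    """Return the m= sections of an SDP body with their a= attribute values."""
    sections = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            sections.append({"media": media, "port": int(port), "proto": proto, "attrs": []})
        elif line.startswith("a=") and sections:
            sections[-1]["attrs"].append(line[2:])
    return sections


def first_stream_answer(sdp, srtp_supported=True):
    """Profile an answerer ends up with when it accepts the first usable
    audio line (the Asterisk behaviour the page describes)."""
    for sec in parse_media_sections(sdp):
        if sec["media"] != "audio" or sec["port"] == 0:
            continue
        if sec["proto"] == "RTP/AVP":
            return "RTP/AVP"
        if sec["proto"] == "RTP/SAVP" and srtp_supported:
            return "RTP/SAVP"
    return None  # nothing acceptable: the call would be rejected


def check_crypto_attr(attr):
    """Problems with one 'crypto:' attribute value (tag suite inline:key)."""
    m = re.match(r"(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/]+=*)", attr)
    if not m:
        return ["malformed crypto attribute: " + attr]
    suite, inline = m.group(2), m.group(3)
    problems = []
    expected = SUITE_KEY_LEN.get(suite)
    if expected is None:
        problems.append(f"unregistered crypto-suite name {suite!r}")
    inline += "=" * (-len(inline) % 4)  # tolerate omitted base64 padding
    try:
        raw = base64.b64decode(inline, validate=True)
    except ValueError:
        return problems + ["inline key material is not valid base64"]
    if expected is not None and len(raw) != expected:
        problems.append(f"{suite} needs {expected} bytes of key||salt, got {len(raw)}")
    return problems


def audit_offer(sdp):
    """Collect crypto problems across all RTP/SAVP sections of an offer."""
    problems = []
    for sec in parse_media_sections(sdp):
        if sec["proto"] != "RTP/SAVP":
            continue
        crypto = [a for a in sec["attrs"] if a.startswith("crypto:")]
        if not crypto:
            problems.append("RTP/SAVP section without any a=crypto line")
        for a in crypto:
            problems.extend(check_crypto_attr(a[len("crypto:"):]))
    return problems


if __name__ == "__main__":
    print("Optional:", first_stream_answer(OPTIONAL_OFFER))
    print("Enabled But Not Forced:", first_stream_answer(SAVP_ONLY_OFFER))
    for p in audit_offer(FAULTY_OFFER):
        print("faulty offer:", p)
```

Run against a real offer captured from the phone (tcpdump or the phone's syslog), audit_offer is the quick check for the AES-256 row, and first_stream_answer shows why ‘Enabled But Not Forced’ rather than ‘Optional’ is the setting that actually yields sRTP against Asterisk.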
DP750: 5 V 1 A, Micro-USB
GRP2612: 5 V 0.6 A, Coaxial: 5.5 mm × 2.1 mm