HT802 update fields pre-populated by third party


#1

I bought a new HT802 from NetXL via Amazon UK. In the box was a voucher from YAY. OK. But then I noticed the Firmware Server Path is pre-populated, pointing to s3-eu-west-1.amazonaws.com/gs-firmware, and the Config Server Path is pre-populated, pointing to provision.yay.com/grandstream.

Not only that, but even after deleting and overtyping the fields, updating the firmware and then rebooting, the pre-populated details reappear. They have been burnt in.

I did not buy the device from YAY, I have no relationship with them. Is it standard practice for their details to be on my device?


#2

Short answer - NO.

Further, in a standard unit, you can change these values to what you want them to be and they will be remembered.

No offence, but did you press the save/apply button after the change?

Have you tried doing a factory reset?


#3

Thanks, no offence taken! All the other changes stuck, so I must have pressed save/apply. I’ll have another go to make sure though. I got the device for a friend, so I feel responsible.

It’s really annoying, since the device is effectively hijacked as far as I can see. If it is set to auto-update (as I have with my own HT502 since forever) then it risks getting whatever YAY might choose to push its way.

I will investigate further and update here. Meanwhile if anybody else has experienced anything similar I’d be grateful to know.


#4

Well, I see that you posted the same concern on the UK Amazon site for the product and that no answers have been forthcoming.
A number of hosting services will make arrangements with manufacturers to customize the firmware with their details and possibly their logos to prevent customers from being able to use the devices once the contract period expires. They defend it by selling the service and equipment to work with their offerings and not that of others and presumably to make it a little more enticing to remain with the service given the investment already made.

Others who bought the device did not mention the issue and as the Amazon site makes no mention of the device being pre-programmed for a service, I assume (perhaps wrongly) that the others used it with other services. One post even mentioned the need for an adapter to work with BT.

If the factory reset does not work (it did not on the other devices I have come across), then you should either a) return it to Amazon or,
b) contact the seller

Detailed Seller Information
Business Name: NetXL Limited
Business Type: Limited
Trade Register Number: 08739807
VAT Number: GB191526011
Phone number: 03300433000
Customer Services Address:
Westbury House
15 Bury Street
Guildford
Surrey
GU2 4AW
GB
Business Address:
Westbury House
15 Bury Street
Guildford
Surrey
GU2 4AW
GB


#5

Thanks Ipneblett. Indeed I am familiar with the tied device scenario you describe, but Amazon/NetXL do not describe this as being tied/sponsored etc by any third party service.
I chased up NetXL via Amazon and this was their response:

"NetXL shares its products with its sister company Yay, which specialises in VoIP and offers an auto-provisioning feature.

As a result, when Grandstream devices (purchased through NetXL or Yay.com), are powered up for the first time, or factory reset, they speak to Grandstream to ask who the owner of the device is. These settings for the firmware and config server path will have no impact on the device and will change no settings at all if they are not linked to an active Yay.com account.

Additionally these settings can be changed and will not revert unless the device is factory reset and it speaks to Grandstream again.

I can remove this device in particular from Grandstream’s provisioning server if you would like, however to keep the settings in there will have no effect on your enjoyment of the product."

So there you have it, there is a commercial arrangement between the two companies which I assume is for their benefit, not mine. It pretty much confirms my initial suspicion that they have crossed the line from simply providing an introduction. They have actually introduced a backdoor for YAY, so I am entirely dependent on YAY not to interfere with or monitor my device. I remain beholden to their bona fides, and to their server security.

It is as if I bought the device from YAY.

EDIT - solved - I DID (effectively) buy the device from Yay. I just did not know it, because I was deceived. NetXL and YayYay limited are joined at the hip, same director, same registered address etc. This really annoys me, as having been fully aware of the pitfalls of buying a VoIP device from a service provider, I made sure to buy from an independent reseller - or so I thought.


#6

"I can remove this device in particular from Grandstream’s provisioning server if you would like, however to keep the settings in there will have no effect on your enjoyment of the product."

Have them remove the device from the provisioning server or send it back.
What an absurd statement about keeping it and it having no effect on the enjoyment of using.


#7

I agree. If they can get it removed from GAPS then you should be good to go.


#8

I am a little confused here. The rep said “I can remove this device in particular from Grandstream’s provisioning server”

Why would NetXL have write access to Grandstream’s server? I would understand if he had referred instead to YAY’s provisioning server.

He also said, “As a result, when Grandstream devices (purchased through NetXL or Yay.com), are powered up for the first time, or factory reset, they speak to Grandstream to ask who the owner of the device is.”

So Grandstream maintains a lookup table of device “owners”, but only in the case of devices purchased from YAY? Is this in fact the “Grandstream’s provisioning server” to which he refers previously? Since Grandstream and YAY are also in bed together (search yay.com on Grandstream’s homepage), who knows?

When I get answers from NetXL I’ll update. I just want a ‘clean’ device, not one where I have to rely on a third party to not use their back door (and to keep it secure).


#9

Grandstream provides a service called GAPS. When any Grandstream device is Factory Reset the device goes to Grandstream’s provisioning server and sees if it is on Grandstream’s list for provisioning. If it is, the two URLs are changed to what the reseller wants them to be; normally the reseller’s provisioning server. From there the device is provisioned.

This is a value added service Grandstream sells.

If they remove your device from the GAPS server, your problem will go away.

I hope I’ve explained it clearly enough.
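
An added example, not part of the original thread or any poster's code: a small Python check an owner could run on the two server paths read from the device's web UI after a factory reset, flagging any host outside their own allowlist. The allowlisted address 192.168.1.10, the `OWNER_SET` values and the `auto_upgrade` flag are assumptions; the `AFTER_RESET` values are the ones quoted in the thread.

```python
from urllib.parse import urlsplit

# Field labels as quoted in the thread.
FIELDS = ("Firmware Server Path", "Config Server Path")

def server_host(path):
    """Lower-cased host of a server path that may be stored without a scheme."""
    value = path.strip()
    if not value:
        return ""
    if "://" not in value:
        value = "//" + value  # make urlsplit read the first component as the host
    return (urlsplit(value).hostname or "").rstrip(".").lower()

def host_allowed(host, allowed):
    """Exact host or true subdomain only; 'yay.com.evil.example' is not 'yay.com'."""
    return any(host == a or host.endswith("." + a) for a in allowed)

def audit(settings, allowed_hosts, auto_upgrade):
    """Return (severity, field, host) for each path pointing outside the allowlist."""
    findings = []
    for field in FIELDS:
        host = server_host(settings.get(field, ""))
        if host and not host_allowed(host, allowed_hosts):
            # With automatic upgrade on, the device fetches from this host unattended.
            findings.append(("HIGH" if auto_upgrade else "WARN", field, host))
    return findings

# Constructed sample: values the owner typed in (assumed local server) ...
OWNER_SET = {
    "Firmware Server Path": "192.168.1.10:8080/firmware",
    "Config Server Path": "192.168.1.10:8080/config",
}
# ... and the values the thread reports being restored on the device.
AFTER_RESET = {
    "Firmware Server Path": "s3-eu-west-1.amazonaws.com/gs-firmware",
    "Config Server Path": "provision.yay.com/grandstream",
}
ALLOWED = {"192.168.1.10"}  # assumption: the owner's own provisioning host

if __name__ == "__main__":
    for severity, field, host in audit(AFTER_RESET, ALLOWED, auto_upgrade=True):
        print(f"{severity}: {field} points at {host}")
```

Running the same audit again after the reseller reports the device removed from GAPS, and after another factory reset, shows whether the paths still revert.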


#10

Thank you for this info.

I’ve just bought a GXP1620 as I enter the world of VOIP, and I was looking at the firmware and wondering how to get it up to the latest version (I’m on 1.0.4.82 and the latest is 1.0.4.128). I run a local HTTP server and thought I’d go about updating through there. Long story short, I keep finding provision.yay.com/grandstream in the Config Server Path and s3-eu-west-1.amazonaws.com/gs-firmware in the Firmware Server Path.

I thought my phone had been hacked at first. After a small panic and discovering this post I can see it’s not the case. However, something makes me wary about a third party effectively being able to post their firmware to my device - at least that seems possible from what I can see?

I’m off to ask to have my device removed from their GAPS server. @coi did you happen to have any joy, and if so can you let me have their email address? Thanks.


#11

Markos, yes I got joy. I contacted them via Amazon since that was how I bought mine. They were very good and removed my device from their provisioning register. In the end I’m confident that there is no bad intention on their part, and unless you are subscribed to their service nothing will be provisioned to your ATA anyway, but it is nice to have a ‘clean’ device all the same.