Linksys PAP2 locked to Vonage, support people funny

Archived from groups: comp.dcom.voice-over-ip

In article <35udnfOI9vQ1Xk3cRVn-qg@rogers.com> m <googlenews@s2angel.com>
writes:


>I noticed a lot of eBay listings of PAP2. I personally emailed almost all
>of them and they always reply without answering the question whether
>it's really a pap2-na or just a pap2. I am extremely clear too on the matter

>So beware!

From what little has been written so far it looks like the -na variant is
only available for new purchase through a voip service provider (other
than Vonage). Also it's fairly apparent from the pricing that Linksys
has/had no intention whatsoever of fielding 1st and 2nd level support
calls from the actual end-user.

Now as far as eBay goes, don't waste your time pestering the seller asking
them if theirs is the -NA model. If the listing doesn't specifically say
"NA" then take it safely on faith that it isn't one. They are in enough
demand that anyone selling one would certainly be smart enough to
differentiate that fact in his listing and the world would surely beat a
path to his door.
 
Archived from groups: comp.dcom.voice-over-ip

> Jeeves_Moss wrote:
> If anyone is interested in the hardware specs, follow this link for
> pics and specs.
> http://www.bekka.dynu.com/vonageworkaround/vonageworkaround.htm

That URL doesn't work 🙁
I too want to know how to unlock a pap2 device.
Does the reset code work if you just get the pap2 out of the box and
DO NOT connect it to the internet so it cannot download the xml?
 
Archived from groups: comp.dcom.voice-over-ip

> Brendon wrote:
> Could you spoof ls.tftp.vonage.net to point to your tftp server and
> provide the spa000F66A84007.xml file yourself? Just an idea.

I downloaded that file with KugleSoft TFTP Server & Client, and
it's an encrypted file :x
I ordered 3 vonage-non-opened pap2, Hope I can get it to work with
stanaphone 🙁
 
Archived from groups: comp.dcom.voice-over-ip

smoothy wrote:
>> Brendon wrote:
>> Could you spoof ls.tftp.vonage.net to point to your tftp server and
>> provide the spa000F66A84007.xml file yourself? Just an idea.
>
> I downloaded that file with KugleSoft TFTP Server & Client, and
> it's an encrypted file :x
> I ordered 3 vonage-non-opened pap2, Hope I can get it to work with
> stanaphone 🙁
>

Most devices ask to download several config files. You will need to
monitor the network traffic and see what the device is trying to download
from where. There is another file that is not encrypted that gets
downloaded.

I use a different service that sent me a locked device and was able to
unlock it by giving it a config file to download. The device specific
file was encrypted but the device was also downloading a general config
file which was not encrypted.

Yaser
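
Added example, not part of Yaser's post or of the thread: a small Python parser for TFTP request packets (RFC 1350), showing how a capture of a device's provisioning traffic reveals in clear text which files it asks for, since TFTP itself has no encryption or authentication. The payloads, the MAC address and the `general.cfg` name are constructed for illustration.

```python
import re
import struct

REQUEST_OPCODES = {1: "RRQ", 2: "WRQ"}  # RFC 1350 request opcodes
# Per-device config naming mentioned in the thread:
# "spa" + 12 hex digits (the MAC) + ".xml"
MAC_CONFIG = re.compile(r"^spa([0-9A-Fa-f]{12})\.xml$")


def parse_tftp_request(payload):
    """Parse the UDP payload of a TFTP read/write request.

    Returns a dict, or None if the payload is not a well-formed RRQ/WRQ.
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in REQUEST_OPCODES:
        return None
    # Layout after the opcode: filename NUL mode NUL [option NUL value NUL]...
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"" or not fields[0]:
        return None  # truncated request or missing terminator
    path = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    extra = [f.decode("ascii", "replace") for f in fields[2:-1]]
    options = dict(zip((k.lower() for k in extra[0::2]), extra[1::2]))
    directory, _, basename = path.rpartition("/")
    match = MAC_CONFIG.match(basename)
    mac = None
    if match:
        digits = match.group(1).lower()
        mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return {
        "op": REQUEST_OPCODES[opcode],
        "path": path,
        "directory": directory,
        "basename": basename,
        "mode": mode,
        "options": options,
        "device_specific": mac is not None,
        "mac": mac,
    }


def requested_files(payloads):
    """Return the parsed requests found in a sequence of UDP payloads."""
    parsed = (parse_tftp_request(p) for p in payloads)
    return [r for r in parsed if r is not None]


# Constructed sample payloads (not captured from a real device). The MAC,
# the "general.cfg" name and the blksize value are made up for illustration.
SAMPLE_PAYLOADS = [
    b"\x00\x01spa001122334455.xml\x00octet\x00",
    b"\x00\x01YYYYYYYYYY/spa001122334455.xml\x00octet\x00",
    b"\x00\x01general.cfg\x00octet\x00blksize\x001428\x00",
    b"\x00\x03\x00\x01<data block>",          # DATA packet: not a request
    b"\x00\x01spa001122334455.xml\x00octet",  # missing final NUL: rejected
]

if __name__ == "__main__":
    for req in requested_files(SAMPLE_PAYLOADS):
        kind = "per-device" if req["device_specific"] else "general"
        print(f'{req["op"]} {req["path"]} mode={req["mode"]} [{kind}]')
```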
 
Archived from groups: comp.dcom.voice-over-ip

not to kick a dead horse (assuming this discussion is still of interest
to some ppl), i've had some success following the advice in this
thread, but alas, i'm still far from freeing the pap2 from the vonage
hegemony.

1.) setup a tftp server on a network at home with a spaXXXXXXXXXXXX.xml
file in /tftpboot and the same file in /tftpboot/YYYYYYYYYY. i know
that the spaXXXXXXXXXXXX.xml file is dependent on the pap2 MAC, but i'm
still unsure as to what determines the /tftpboot/YYYYYYYYYY
designation. i think this may be a password used to derive a salt to
decrypt spaXXXXXXXXXXXX.xml and verify its integrity. i also think
that /tftpboot/spaXXXXXXXXXXXX.xml file is identical to
/tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml file.
2.) configured my dhcp server to distribute a known ip address to the
pap2 MAC.
3.) placed the pap2 on a separate subnet/interface
4.) configured my firewall/router to redirect all requests originating
from the pap2 to tftp.vonage.net to a local tftpserver on a separate
subnet/interface. natted all packets from the local tftpserver to the
pap2, so as to appear to be coming from tftp.vonage.net.
5.) connected the pap2 (with a default factory configuration) to the
network and plugged in the power cord.

the pap2 successfully connects to the local tftpserver, downloads
/tftpboot/spaXXXXXXXXXXXX.xml and
/tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml, self-installs the firmware,
reboots, and connects to vonage via port 5060-5061.

now, i've tried replacing the spaXXXXXXXXXXXX.xml file with a
spa2k-2.0.10e.bin file and renamed the tftpboot/YYYYYYYYYY directory to
whatever the pap2 was asking for (obtained by tcpdump and ethereal),
but the download stops abruptly when the pap2 returns an icmp packet
with a "port unreachable" message. i think that in this case the
spa2k-2.0.10e.bin (709K) is much bigger than spaXXXXXXXXXXXX.xml (29K), so
the device rejects the firmware upload (probably due to a max file size
constraint).

i see two ways of getting around this problem:
1.) brute force the admin password from the pap2 prior to the vonage
firmware update and update the configurations via the pap2 web
interface.
2.) brute force the spaXXXXXXXXXXXX.xml file using openssl rc4 and some
variation of the MAC/Serial Num/YYYYYYYYYY as the salt or password.

let me know what you think.


Yaser Doleh wrote:
> smoothy wrote:
> >> Brendon wrote:
> >> Could you spoof ls.tftp.vonage.net to point to your tftp server and
> >> provide the spa000F66A84007.xml file yourself? Just an idea.
> >
> > I downloaded that file with KugleSoft TFTP Server & Client, and
> > it's an encrypted file :x
> > I ordered 3 vonage-non-opened pap2, Hope I can get it to work with
> > stanaphone 🙁
> >
>
> Most devices ask to download several config files. You will need to
> monitor the network traffic and see what the device is trying to
> download from where. There is another file that is not encrypted that
> gets downloaded.
>
> I use a different service that sent me a locked device and was able
> to unlock it by giving it a config file to download. The device specific
> file was encrypted but the device was also downloading a general
> config file which was not encrypted.
>
> Yaser
 
Archived from groups: comp.dcom.voice-over-ip

spa2k-2.0.10e.bin and spaXXXXXXXXXXXX.xml are 2 completely different
files. The first is a firmware upgrade and the second is a configuration.
You don't need the firmware upgrade and if you did it once, you don't
need to do it again.

If you have the firmware file, chances are the default passwords are
stored in clear text in the file. Try to extract the strings from the
file and see what you can find. On a UNIX type machine run

% strings spa2k-2.0.10e.bin

If you want just email me the file and I can try for you.

Yaser

will@mccammon.name wrote:
> not to kick a dead horse (assuming this discussion is still of interest
> to some ppl), i've had some success following the advice in this
> thread, but alas, i'm still far from freeing the pap2 from the vonage
> hegemony.
>
> 1.) setup a tftp server on a network at home with a spaXXXXXXXXXXXX.xml
> file in /tftpboot and the same file in /tftpboot/YYYYYYYYYY. i know
> that the spaXXXXXXXXXXXX.xml file is dependent on the pap2 MAC, but i'm
> still unsure as to what determines the /tftpboot/YYYYYYYYYY
> designation. i think this may be a password used to derive a salt to
> decrypt spaXXXXXXXXXXXX.xml and verify its integrity. i also think
> that /tftpboot/spaXXXXXXXXXXXX.xml file is identical to
> /tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml file.
> 2.) configured my dhcp server to distribute a known ip address to the
> pap2 MAC.
> 3.) placed the pap2 on a separate subnet/interface
> 4.) configured my firewall/router to redirect all requests originating
> from the pap2 to tftp.vonage.net to a local tftpserver on a separate
> subnet/interface. natted all packets from the local tftpserver to the
> pap2, so as to appear to be coming from tftp.vonage.net.
> 5.) connected the pap2 (with a default factory configuration) to the
> network and plugged in the power cord.
>
> the pap2 successfully connects to the local tftpserver, downloads
> /tftpboot/spaXXXXXXXXXXXX.xml and
> /tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml, self-installs the firmware,
> reboots, and connects to vonage via port 5060-5061.
>
> now, i've tried replacing the spaXXXXXXXXXXXX.xml file with a
> spa2k-2.0.10e.bin file and renamed the tftpboot/YYYYYYYYYY directory to
> whatever the pap2 was asking for (obtained by tcpdump and ethereal),
> but the download stops abruptly when the pap2 returns an icmp packet
> with a "port unreachable" message. i think that in this case the
> spa2k-2.0.10e.bin (709K) is much bigger than spaXXXXXXXXXXXX.xml (29K), so
> the device rejects the firmware upload (probably due to a max file size
> constraint).
>
> i see two ways of getting around this problem:
> 1.) brute force the admin password from the pap2 prior to the vonage
> firmware update and update the configurations via the pap2 web
> interface.
> 2.) brute force the spaXXXXXXXXXXXX.xml file using openssl rc4 and some
> variation of the MAC/Serial Num/YYYYYYYYYY as the salt or password.
>
> let me know what you think.
 
Archived from groups: comp.dcom.voice-over-ip

Does anyone have a copy of the flash from an originally UNLOCKED PAP2
(PAP2-NA)?
I would like to look at it.


MK


"smoothy" <smoothy@nj-dot-cl.no-spam.invalid> wrote in message
news:er2dnVANEv2--pHfRVn_vQ@giganews.com...
> > Brendon wrote:
> > Could you spoof ls.tftp.vonage.net to point to your tftp server and
> > provide the spa000F66A84007.xml file yourself? Just an idea.
>
> I downloaded that file with KugleSoft TFTP Server & Client, and
> it's an encrypted file :x
> I ordered 3 vonage-non-opened pap2, Hope I can get it to work with
> stanaphone 🙁
>
 
Archived from groups: comp.dcom.voice-over-ip

so, what you're saying is that i could theoretically create my own
unsalted config file, upload it, reboot, and the pap2 would be
unencumbered? how do i go about creating a realistic config to replace
the salted one? what are the parameters?

thanks for clearing up my misconception. i didn't know what the
spaXXXXXXXXXXXX.xml file was for. i thought it might be a combination
of the firmware update and config. at any rate, it's salted/encrypted
so i don't know its actual contents. i ran 'strings
spaXXXXXXXXXXXX.xml > strings.out' and got a bunch of short one-liners
that looked like gobbly gook to me. then i used the output file as the
password file for hydra and pointed it at the pap2. no juice.

at this point, i'm stuck with the two choices that i posted previously.
short of launching a full-blown brute force attack on the pap2 or its
config, i'm not sure of what to try next. any more ideas?
 
Archived from groups: comp.dcom.voice-over-ip

oh yea, forgot to mention that i also tried
'strings spa2k-2.0.10e.bin > strings.out' and ran those through hydra
without success, also.
 
Archived from groups: comp.dcom.voice-over-ip

> summiter wrote:
> Could someone with access to a pap2-na send me the html source for
> the admin page or post it here please?
>
> My current thinking is that although authentication is required to
> access the admin pages, the data that is "posted" via those pages
> doesn't go through any sort of checking.

I thought the same, so searching some equivalent-sipura configs, I
found out that to upgrade the firmware via web interface, you have to
do it this way:
http://PAP2-IP/admin/upgrade?http://yoursite.com/PAP2-bin-2-00-13-LSb.bin

Still asks me for the admin password.. 🙁
 
Archived from groups: comp.dcom.voice-over-ip

Could someone with access to a pap2-na send me the html source for the
admin page or post it here please?

My current thinking is that although authentication is required to
access the admin pages, the data that is "posted" via those pages
doesn't go through any sort of checking.

I've noticed that the fields have numerical names. If I can find out
the names of the fields for various admin config stuff, I might be
able to inject those values somehow.

I'm not sure how easy this will be though...

I wish the person who had the walk-through on linuxvoip.info would
speak up! =)
 
Archived from groups: comp.dcom.voice-over-ip

Would be nice if someone, with the adequate hardware, could
interrogate the NVRAM of a PAP2-NA and extract the firmware image.

I don't know how to do that though 🙁

I've tried resetting the pap2, it indeed comes to factory defaults (I
can see the web interface), but it keeps asking me a password to the
Admin Area and once connected to the net, it starts to download
vonage firmware. 🙁
 
Archived from groups: comp.dcom.voice-over-ip

You can dl a copy of a recent release here:

http://www.inphonex.com/download/PAP2-bin-2-00-13-LSb.bin

But I'm tellin' ya, there's no way to get it onto a "locked" pap2,
that I've found anyway.

You can't simply rename it to the filename requested via tftp at boot.
It starts to transfer then errors out before completion..probably
because the device isn't expecting a firmware file, it's expecting a
config file.

There is a way to upload firmware to the pap2 via the web interface, but
it requires the admin password...which is the problem we have in the
first place.

I just want to get this thing working with my Asterisk server..I
already have Vonage on another device. But if I can't get it
working, I'm cancelling Vonage and buying a pap2-na and going with
another provider.

> smoothy wrote:
> Could you please send me the PAP2-NA firmware? (.bin?)
>
> thanks
 
Archived from groups: comp.dcom.voice-over-ip

PAP2-NA firmware is available. Getting it to load onto the PAP2 is
the challenge. It's apparently not as simple as renaming it to the
file requested by tftp. That results in the tftp session shutting
down before the transfer completes.



> smoothy wrote:
> Would be nice if someone, with the adequate hardware, could
> interrogate the NVRAM of a PAP2-NA and extract the firmware image.
>
> I don't know how to do that though 🙁
>
> I've tried resetting the pap2, it indeed comes to factory defaults (I
> can see the web interface), but it keeps asking me a password to the
> Admin Area and once connected to the net, it starts to download
> vonage firmware. 🙁
 
Archived from groups: comp.dcom.voice-over-ip

Based on reading the fragments of information spread across many sites
and newsgroups, it's apparent *someone* knows the steps involved in
getting into these things!

The mysterious post on linuxvoip.info leads me to believe that all can
be found by sniffing packets and perhaps some tftp craftiness
(although the message on linuxvoip.info doesn't mention anything
other than utilizing ethereal). The problem with that is after the
tftp requests, the pap2 just sits there and doesn't try again.
Someone mentioned that it may make a request for an unencrypted file,
but so far all tftp requests to ls.tftp.vonage.net are for the
mac-based .xml file.

Anyone have some new thoughts? How about a source for a basic,
unencrypted xml config file?
 
Archived from groups: comp.dcom.voice-over-ip

OK since I've already wasted my Friday night, I might as well lay out
what I've found.

I've successfully changed the firmware to two other versions, a .10LSc
and a .13LSb.

It appears though that the provider config is stored somewhere
outside of the main firmware, because despite flashing to different
versions, I am still prompted to enter a password for the admin
pages, and the device still makes requests to a vonage tftp server.

I tried a factory reset after loading each firmware, and it didn't
help.

I noticed that the device says it has a certificate installed. I'm
assuming this is what's used to authenticate/decrypt the .xml config
file the device is trying to load. If that's the case, then the
configs are likely signed with a key unique to vonage, and that
pretty much ends that direction. I think that will likely prevent
the loading of some generic, yet properly compiled config file, since
it won't be signed by vonage's key.

I read somewhere that older versions of the firmware had a particular
vulnerability that allowed config access - does anyone recall what
that was about?
 
Archived from groups: comp.dcom.voice-over-ip

> summiter wrote:
> I noticed that the device says it has a certificate installed. I'm
> assuming this is what's used to authenticate/decrypt the .xml config
> file the device is trying to load. If that's the case, then the
> configs are likely signed with a key unique to vonage, and that
> pretty much ends that direction. I think that will likely prevent
> the loading of some generic, yet properly compiled config file, since
> it won't be signed by vonage's key.

Besides the PAP2 provided by vonage (and which we all here are trying
to unlock) I also have a PAP2-NA, that was provided by my local VoIP
provider, and which I've reset once with the RESET# command (no
password asked). That, indeed, reset the unit, was able to make it
into the admin pages. And it also has the Client Certificate: Installed
thing. This unit doesn't download any particular configuration. It's
just configured by hand using SIP proxy, user & password.

By the way, let's suppose I want to cancel my account with Vonage. My
credit card is "broken" (doesn't allow any charges). Vonage tries to
charge me $40 disconnection fee.. And it can't do it... What happens
then? Does Vonage like sue you to obtain the money? or just nothing
happens at all and you just keep a useless pap2 ?

thanks.
 
Archived from groups: comp.dcom.voice-over-ip

Is it really worth the effort when you can get a Sipura?

On Sat, 12 Mar 2005 02:03:43 -0600,
kmayeux@hotmail-dot-com.no-spam.invalid (summiter) wrote:

>Based on reading the fragments of information spread across many sites
>and newsgroups, it's apparent *someone* knows the steps involved in
>getting into these things!
>
>The mysterious post on linuxvoip.info leads me to believe that all can
>be found by sniffing packets and perhaps some tftp craftiness
>(although the message on linuxvoip.info doesn't mention anything
>other than utilizing ethereal). The problem with that is after the
>tftp requests, the pap2 just sits there and doesn't try again.
>Someone mentioned that it may make a request for an unencrypted file,
>but so far all tftp requests to ls.tftp.vonage.net are for the
>mac-based .xml file.
>
>Anyone have some new thoughts? How about a source for a basic,
>unencrypted xml config file?
 
Archived from groups: comp.dcom.voice-over-ip

I'm sure they will send you to collections unless you talk them out of
the fee.

As far as the certificate goes, I now believe it's only in place to
enable HTTPS transfers of config info if the provider chooses that
mechanism.

I still haven't made any more progress on this thing..

> smoothy wrote:
> I noticed that the device says it has a certificate installed. I'm
> assuming this is what's used to authenticate/decrypt the .xml config
> file the device is trying to load. If that's the case, then the
> configs are likely signed with a key unique to vonage, and that
> pretty much ends that direction. I think that will likely prevent
> the loading of some generic, yet properly compiled config file, since
> it won't be signed by vonage's key.
>
> Besides the PAP2 provided by vonage (and which we all here are trying
> to unlock) I also have a PAP2-NA, that was provided by my local VoIP
> provider, and which I've reset once with the RESET# command (no
> password asked). That, indeed, reset the unit, was able to make it
> into the admin pages. And it also has the Client Certificate: Installed
> thing. This unit doesn't download any particular configuration. It's
> just configured by hand using SIP proxy, user & password.
>
> By the way, let's suppose I want to cancel my account with Vonage. My
> credit card is "broken" (doesn't allow any charges). Vonage tries to
> charge me $40 disconnection fee.. And it can't do it... What happens
> then? Does Vonage like sue you to obtain the money? or just nothing
> happens at all and you just keep a useless pap2 ?
>
> thanks.
 
Archived from groups: comp.dcom.voice-over-ip

Naw, that's not really possible...but I wouldn't be surprised if there
were some "backdoor" somewhere in the http interface.

Still stumped....

> smoothy wrote:
> Isn't there a way to trick the .htaccess file inside this thing to
> allow access to the /admin directory? That's how the authentication
> works, doesn't it?
 
Archived from groups: comp.dcom.voice-over-ip

Isn't there a way to trick the .htaccess file inside this thing to
allow access to the /admin directory? That's how the authentication
works, doesn't it?
 
Archived from groups: comp.dcom.voice-over-ip

> Jo Cloe wrote:
> Is it really worth the effort when you can get a Sipura?

Well.. let's say that I want to make it worthy for the money I paid
for the PAP2... 🙁
 
Archived from groups: comp.dcom.voice-over-ip

> summiter wrote:
> Naw, that's not really possible...but I wouldn't be surprised if there
> were some "backdoor" somewhere in the http interface.
>
> Still stumped....
>
> > smoothy wrote:
> > Isn't there a way to trick the .htaccess file inside this thing to
> > allow access to the /admin directory? That's how the authentication
> > works, doesn't it?

Figured out that my local VoIP provider doesn't configure the settings
by hand, but using a program that loads the config into the ATA.
For instance, when you go to the voice menu on the Linksys RT31P2 it
just says "Contact your service provider". No manual config
whatsoever...
I need to get my hands onto that proggie..