| Author |
Message |
Kyler Laird
Guest
|
 Posted:
Fri Sep 24, 2004 5:11 pm Post subject:
Re: Linksys PAP2 locked to Vonage, support people funny |
|
|
t0k3n@hotmail.com (Dustin) writes:
| Quote: | I made the assumption you did not have active service with Vonage
currently under that mac address.
|
Ah! Yes, you're right. The file still seems to be able to configure
the unit though, so I'd expect that if you can do something with it
you'd have control.
--kyler |
|
| Back to top |
|
 |
Dustin
Guest
|
| Posted:
Sat Sep 25, 2004 1:39 am Post subject:
Re: Linksys PAP2 locked to Vonage, support people funny |
|
|
Kyler Laird <Kyler@news.Lairds.org> wrote in message news:<jlhd22-4nb.ln1@lairds.us>...
| Quote: | t0k3n@hotmail.com (Dustin) writes:
I made the assumption you did not have active service with Vonage
currently under that mac address.
Ah! Yes, you're right. The file still seems to be able to configure
the unit though, so I'd expect that if you can do something with it
you'd have control.
--kyler
|
Well the Vonage website says something like "reboot your unit and do
not unplug your it during the first 5 minutes... or you may end up
with a dead unit..." that makes me think it might be firmware and
reflashing the unit. Has anyone had Vonage and canceled? And did their
unit revert to the way it was when you first got it after canceling?
-dustin |
|
| Back to top |
|
|
DevilsPGD
Guest
|
| Posted:
Sat Sep 25, 2004 3:03 pm Post subject:
Re: Linksys PAP2 locked to Vonage, support people funny |
|
|
In message <66019d61.0409240243.187141ff@posting.google.com>
t0k3n@hotmail.com (Dustin) wrote:
| Quote: | I checked this file out - its encrypted somehow, right? Just want to make
sure we're on the same page.
Yes...
I was under the impression that all units downloaded a "firmware"
file, not just the active ones. This is not that case. Virgin MAC's do
not have a file. I downloaded a few different MAC's by incrementing
the *known* good MAC and ran kDiff against the files. They are
different. So maybe the salt somehow involves that MAC?
|
All units download files which can contain firmware+configuration. If a
unit hasn't been activated there is no need to send it firmware or even
configuration files, just enough to tell the device to try again later.
--
1989 - The movie "Batman," notches $100 million in 10 days,
proving once and for all that the public can't get enough
of men in tights. |
|
| Back to top |
|
|
m
Guest
|
| Posted:
Wed Dec 22, 2004 4:21 am Post subject:
Re: Linksys PAP2 locked to Vonage, support people funny |
|
|
Yes I would like to know to...
I have a pap2-na and If someone will tell me how to get the firm ware
off it I will do it.. long as it leaves mine finctional.. (I use it
every day with fwd .. and diffrent providers)
not to mention asterisk.
I am trying to find a way to buy a unit from vontage from my local radio
shack or best buy or what ever and stay on long enough to get my mail
in rebate then cancel if possible , then see if I can copy the firmware
from my unlocked na model to the vontage model.. then save like
$15-16$ per unit and give them as gifts to friends pre registered with
Freeworlddial.com accounts and send a msg to hook em up and dial my fwd ...
any one?!
I really would like to try it.. anyone have a locked one and up to try
this.. ??
m.
Dustin wrote:
| Quote: | What is SPC?
cecco_at_peppe_dot_it@foo.com (Ceccopeppe) wrote in message news:<xjmjd.2528693$yk.401874@news.easynews.com>...
Ok, I downloaded six spa<macaddress>.xml files. I've seen that they are
really
cripted (using mac address?) and my PAP2 does not validate the one loaded.
So I wish i try using the Sipura configuration compile, SPC, available
only on
protected Sipura site so to compile a text file using macaddress as
cripting
key.
Does someone have a copy of SPC, either for windows or for linux ?
Thanks
##-----------------------------------------------##
Article posted with Cabling-Design.com Newsgroup Archive
http://www.cabling-design.com/forums
no-spam read and post WWW interface to your favorite newsgroup -
comp.dcom.voice-over-ip - 1063 messages and counting!
##-----------------------------------------------## |
|
|
| Back to top |
|
|
m
Guest
|
| Posted:
Wed Dec 22, 2004 5:52 am Post subject:
Re: Linksys PAP2 locked to Vonage, support people funny |
|
|
ok
well after some googling I was able to find this.. for locked pap2
you can unlock it by performing a factory reset over the IVR IF YOU HAVE
THE PASSWORD. To get to the IVR hit "****" while connected over the
phone. The factory reset command is "73738#". You will be asked for a
password.
Now the question is, what is that dang password?
m wrote:
| Quote: | Yes I would like to know to...
I have a pap2-na and If someone will tell me how to get the firm ware
off it I will do it.. long as it leaves mine finctional.. (I use it
every day with fwd .. and diffrent providers)
not to mention asterisk.
I am trying to find a way to buy a unit from vontage from my local radio
shack or best buy or what ever and stay on long enough to get my mail
in rebate then cancel if possible , then see if I can copy the firmware
from my unlocked na model to the vontage model.. then save like
$15-16$ per unit and give them as gifts to friends pre registered with
Freeworlddial.com accounts and send a msg to hook em up and dial my fwd ...
any one?!
I really would like to try it.. anyone have a locked one and up to try
this.. ??
m.
Dustin wrote:
What is SPC?
cecco_at_peppe_dot_it@foo.com (Ceccopeppe) wrote in message
news:<xjmjd.2528693$yk.401874@news.easynews.com>...
Ok, I downloaded six spa<macaddress>.xml files. I've seen that they are
really cripted (using mac address?) and my PAP2 does not validate the
one loaded. So I wish i try using the Sipura configuration compile,
SPC, available
only on protected Sipura site so to compile a text file using
macaddress as
cripting key. Does someone have a copy of SPC, either for windows or
for linux ? Thanks
##-----------------------------------------------##
Article posted with Cabling-Design.com Newsgroup Archive
http://www.cabling-design.com/forums
no-spam read and post WWW interface to your favorite newsgroup -
comp.dcom.voice-over-ip - 1063 messages and counting!
##-----------------------------------------------## |
|
|
| Back to top |
|
|
pl
Guest
|
| Posted:
Wed Dec 22, 2004 7:06 am Post subject:
Re: Linksys PAP2 locked to Vonage, support people funny |
|
|
In article ID <faydnXKoUPasWFXcRVn-1g@rogers.com>, m <googlenews@s2angel.com>
writes:
| Quote: | well after some googling I was able to find this.. for locked pap2
you can unlock it by performing a factory reset over the IVR IF YOU HAVE
THE PASSWORD. To get to the IVR hit "****" while connected over the
phone. The factory reset command is "73738#". You will be asked for a
password.
Now the question is, what is that dang password?
|
Same exact reset code as the Sipura. When I left Broadvoice, I was able to
reset my Sipura 1000 since they do not lock the hardware.
http://www.sipura.com/Documents/SipuraSPAUserGuidev2.0.9.pdf
By factory default there is no password and no password authentication is
prompted for all the IVR settings. If administrator password is set,
password authentication will be prompted for certain IVR settings.
Enter IVR Menu * * * *
Ignore SIT or other tones until you hear, "Sipura configuration menu.Please
enter option followed by the pound key or hang-up to exit."
Factory Reset of Unit 73738 Enter 1 to confirm
SPA will prompt for confirmation. After confirming, you will hear Option
Successful. Hangup. Unit will reboot and all configuration parameters will be
reset to factory default values. |
|
| Back to top |
|
|
m
Guest
|
| Posted:
Thu Dec 23, 2004 6:03 am Post subject:
Re: Linksys PAP2 locked to Vonage, aNYONE HAVE A LOCKED ONE |
|
|
Well I have the unlocked pap2-na so I can't try that mine works good
very open for changes.. anyone have the locked one and willing to give
it a try.. I can bet there are a ton of people dieing to know if it
works and what you did. maybe do it before you go away someplace. and
have anouther phone you can use so you can call vontage and tell them
your rented box is messed up leaving time for them to send you anouther
lol...
Some one hurry up and try this.. i wanna buy these things as gifts and
send them setup with fwd numbers so I can call my LD buddies...
m.
pl wrote:
| Quote: | In article ID <faydnXKoUPasWFXcRVn-1g@rogers.com>, m <googlenews@s2angel.com
writes:
well after some googling I was able to find this.. for locked pap2
you can unlock it by performing a factory reset over the IVR IF YOU HAVE
THE PASSWORD. To get to the IVR hit "****" while connected over the
phone. The factory reset command is "73738#". You will be asked for a
password.
Now the question is, what is that dang password?
Same exact reset code as the Sipura. When I left Broadvoice, I was able to
reset my Sipura 1000 since they do not lock the hardware.
http://www.sipura.com/Documents/SipuraSPAUserGuidev2.0.9.pdf
By factory default there is no password and no password authentication is
prompted for all the IVR settings. If administrator password is set,
password authentication will be prompted for certain IVR settings.
Enter IVR Menu * * * *
Ignore SIT or other tones until you hear, "Sipura configuration menu.Please
enter option followed by the pound key or hang-up to exit."
Factory Reset of Unit 73738 Enter 1 to confirm
SPA will prompt for confirmation. After confirming, you will hear Option
Successful. Hangup. Unit will reboot and all configuration parameters will be
reset to factory default values.
|
|
|
| Back to top |
|
|
m
Guest
|
| Posted:
Tue Dec 28, 2004 7:23 am Post subject:
Re: Linksys PAP2 locked to Vonage,Ebay |
|
|
I knoticed alot of Ebay listings of PAP2 I personaly emailed almost all
of them and they always reply with out answering the question weather
its realy a pap2-na or just a pap2 I am extreamly clear too on the matter
So beware!
m wrote:
| Quote: | Well I have the unlocked pap2-na so I can't try that mine works good
very open for changes.. anyone have the locked one and willing to give
it a try.. I can bet there are a ton of people dieing to know if it
works and what you did. maybe do it before you go away someplace. and
have anouther phone you can use so you can call vontage and tell them
your rented box is messed up leaving time for them to send you anouther
lol...
Some one hurry up and try this.. i wanna buy these things as gifts and
send them setup with fwd numbers so I can call my LD buddies...
m.
pl wrote:
In article ID <faydnXKoUPasWFXcRVn-1g@rogers.com>, m
googlenews@s2angel.com
writes:
well after some googling I was able to find this.. for locked pap2
you can unlock it by performing a factory reset over the IVR IF YOU
HAVE THE PASSWORD. To get to the IVR hit "****" while connected over
the phone. The factory reset command is "73738#". You will be asked
for a password.
Now the question is, what is that dang password?
Same exact reset code as the Sipura. When I left Broadvoice, I was
able to
reset my Sipura 1000 since they do not lock the hardware.
http://www.sipura.com/Documents/SipuraSPAUserGuidev2.0.9.pdf
By factory default there is no password and no password authentication is
prompted for all the IVR settings. If administrator password is set,
password authentication will be prompted for certain IVR settings.
Enter IVR Menu * * * *
Ignore SIT or other tones until you hear, "Sipura configuration
menu.Please
enter option followed by the pound key or hang-up to exit."
Factory Reset of Unit 73738 Enter 1 to confirm
SPA will prompt for confirmation. After confirming, you will hear Option
Successful. Hangup. Unit will reboot and all configuration parameters
will be
reset to factory default values.
|
|
|
| Back to top |
|
|
Guest
|
| Posted:
Tue Dec 28, 2004 8:08 pm Post subject:
Re: Linksys PAP2 locked to Vonage,Ebay |
|
|
In article <35udnfOI9vQ1Xk3cRVn-qg@rogers.com> m <googlenews@s2angel.com>
writes:
| Quote: | I knoticed alot of Ebay listings of PAP2 I personaly emailed almost all
of them and they always reply with out answering the question weather
its realy a pap2-na or just a pap2 I am extreamly clear too on the matter
So beware!
|
From what little has been written so far it looks like the -na variant is
only available for new purchase through a voip service provider (other
than Vonage). Also it's fairly apparent from the pricing that Linksys
has/had no intention whatsoever of fielding 1st and 2nd level support
calls from the actual end-user.
Now as far as eBay goes, don't waste your time pestering the seller asking
them if theirs is the -NA model. It the listing doesn't specificaly say
"NA" then take it safely on faith that it isn't one. They are in enough
demand that anyone selling one would certainly be smart enough to
differentiate that fact in his listing and the world would surely beat a
path to his door. |
|
| Back to top |
|
|
Jeeves_Moss
Joined: 30 Jan 2005
Posts: 1
|
|
| Back to top |
|
|
smoothy
Joined: 10 Feb 2005
Posts: 10
|
| Posted:
Thu Feb 10, 2005 2:44 pm Post subject:
Re: Vonage PAP2 |
|
|
That URL doesn't work 
I too want to know how to unlock a pap2 device.
Does the reset code work if you just get the pap2 out of the box and DO NOT connect it to the internet so it cannot download the xml? |
|
| Back to top |
|
|
smoothy
Joined: 10 Feb 2005
Posts: 10
|
| Posted:
Thu Feb 10, 2005 3:08 pm Post subject:
Re: Linksys PAP2 locked to Vonage, support people funny |
|
|
| Brendon wrote: | Could you spoof ls.tftp.vonage.net to point to your tftp server and provide
the spa000F66A84007.xml file yourself? Just an idea. |
I downloaded that file with KugleSoft TFTP Server & Client, and it's an encrypted file 
I ordered 3 vonage-non-opened pap2, Hope I can get it work with stanaphone |
|
| Back to top |
|
|
Yaser Doleh
Guest
|
| Posted:
Fri Feb 11, 2005 7:02 pm Post subject:
Re: Linksys PAP2 locked to Vonage, support people funny |
|
|
smoothy wrote:
| Quote: | Brendonwrote:
Could you spoof ls.tftp.vonage.net to point to your tftp server and
provide
the spa000F66A84007.xml file yourself? Just an idea.
I downloaded that file with KugleSoft TFTP Server & Client, and
it's an encrypted file :x
I ordered 3 vonage-non-opened pap2, Hope I can get it work with
stanaphone :(
|
Most devices ask to download several config files. You will need to
monitor the network traffic and see what the device trying to download
from where. There is another file that is not encrypted that gets
downloaded.
I use a different service that sent me a locked device and was able to
unlock it by giving it a config file to download. The device specific
file was encrypted but the device was also downloading a general config
file which was not encrypted.
Yaser |
|
| Back to top |
|
|
Guest
|
| Posted:
Tue Feb 22, 2005 11:40 pm Post subject:
Re: Linksys PAP2 locked to Vonage, support people funny |
|
|
not to kick a dead horse (assuming this discussion is still of interest
to some ppl), i've had some success following the advice in this
thread, but alas, i'm still far from freeing the pap2 from the vonage
hegemony.
1.) setup a tftp server on a network at home with a spaXXXXXXXXXXXX.xml
file in /tftpboot and the same file in /tftpboot/YYYYYYYYYY. i know
that the spaXXXXXXXXXXXX.xml file is dependent on the pap2 MAC, but i'm
still unsure as to what determines the /tftpboot/YYYYYYYYYY
designation. i think this may be a password used derive a salt to
decrypt spaXXXXXXXXXXXX.xml and verify it's integrity. i also think
that /tftpboot/spaXXXXXXXXXXXX.xml file is identical to
/tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml file.
2.) configured my dhcp server to distribute a known ip address to the
pap2 MAC.
3.) placed the pap2 on a separate subnet/interface
4.) configured my firewall/router to redirect all requests originiating
from the pap2 to tftp.vonage.net to a local tftpserver on a separate
subnet/interface. natted all packets from the local tftpserver to the
pap2, so as to appear to be coming from tftp.vonage.net.
5.) connected the pap2 (with a default factory configuration) to the
network and plugged in the power cord.
the pap2 successfully connects to the local tftpserver, downloads
/tftpboot/spaXXXXXXXXXXXX.xml and
/tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml, self-installs the firmware,
reboots, and connects to vonage via port 5060-5061.
now, i've tried replacing the spaXXXXXXXXXXXX.xml file with a
spa2k-2.0.10e.bin file and renamed the tftpboot/YYYYYYYYYY directory to
whatever the pap2 was asking for (obtained by tcpdump and ethereal),
but the download stops abruptly when the pap2 returns an icmp packet
with a "port unreachable" message. i think that in this case the
spa2k-2.0.10e.bin (709K) much bigger than spaXXXXXXXXXXXX.xml (29K), so
the device rejects the firmware upload (probably due to a max file size
constraint).
i see two ways of getting around this problem:
1.) brute force the admin password from the pap2 prior to the vonage
firmware update and update the configurations via the pap2 web
interface.
2.) brute force the spaXXXXXXXXXXXX.xml file using openssl rc4 and some
variation of the MAC/Serial Num/YYYYYYYYYY as the salt or password.
let me know what you think.
Yaser Doleh wrote:
| Quote: | smoothy wrote:
Brendonwrote:
Could you spoof ls.tftp.vonage.net to point to your tftp server
and
provide
the spa000F66A84007.xml file yourself? Just an idea.
I downloaded that file with KugleSoft TFTP Server & Client, and
it's an encrypted file :x
I ordered 3 vonage-non-opened pap2, Hope I can get it work with
stanaphone :(
Most devices ask to download several config files. You will need to
monitor the network traffic and see what the device trying to
download
from where. There is another file that is not encrypted that gets
downloaded.
I use a different service that sent me a locked device and was able
to
unlock it by giving it a config file to download. The device specific
file was encrypted but the device was also downloading a general
config
file which was not encrypted.
Yaser |
|
|
| Back to top |
|
|
Yaser Doleh
Guest
|
| Posted:
Wed Feb 23, 2005 12:19 am Post subject:
Re: Linksys PAP2 locked to Vonage, support people funny |
|
|
spa2k-2.0.10e.bin and spaXXXXXXXXXXXX.xml are completely 2 different
files. The first is a firware upgrade and the second is a configuration.
You don't need the firmware upgrade and if you did it once, you don't
need to do it again.
If you have the firmware file, chances are the default passwords are
stored on clear text in the file. Try to extract the strings from the
file and see what you can find. On a UNIX type machine run
% strings spa2k-2.0.10e.bin
If you want just email me the file and I can try for you.
Yaser
will@mccammon.name wrote:
| Quote: | not to kick a dead horse (assuming this discussion is still of interest
to some ppl), i've had some success following the advice in this
thread, but alas, i'm still far from freeing the pap2 from the vonage
hegemony.
1.) setup a tftp server on a network at home with a spaXXXXXXXXXXXX.xml
file in /tftpboot and the same file in /tftpboot/YYYYYYYYYY. i know
that the spaXXXXXXXXXXXX.xml file is dependent on the pap2 MAC, but i'm
still unsure as to what determines the /tftpboot/YYYYYYYYYY
designation. i think this may be a password used derive a salt to
decrypt spaXXXXXXXXXXXX.xml and verify it's integrity. i also think
that /tftpboot/spaXXXXXXXXXXXX.xml file is identical to
/tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml file.
2.) configured my dhcp server to distribute a known ip address to the
pap2 MAC.
3.) placed the pap2 on a separate subnet/interface
4.) configured my firewall/router to redirect all requests originiating
from the pap2 to tftp.vonage.net to a local tftpserver on a separate
subnet/interface. natted all packets from the local tftpserver to the
pap2, so as to appear to be coming from tftp.vonage.net.
5.) connected the pap2 (with a default factory configuration) to the
network and plugged in the power cord.
the pap2 successfully connects to the local tftpserver, downloads
/tftpboot/spaXXXXXXXXXXXX.xml and
/tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml, self-installs the firmware,
reboots, and connects to vonage via port 5060-5061.
now, i've tried replacing the spaXXXXXXXXXXXX.xml file with a
spa2k-2.0.10e.bin file and renamed the tftpboot/YYYYYYYYYY directory to
whatever the pap2 was asking for (obtained by tcpdump and ethereal),
but the download stops abruptly when the pap2 returns an icmp packet
with a "port unreachable" message. i think that in this case the
spa2k-2.0.10e.bin (709K) much bigger than spaXXXXXXXXXXXX.xml (29K), so
the device rejects the firmware upload (probably due to a max file size
constraint).
i see two ways of getting around this problem:
1.) brute force the admin password from the pap2 prior to the vonage
firmware update and update the configurations via the pap2 web
interface.
2.) brute force the spaXXXXXXXXXXXX.xml file using openssl rc4 and some
variation of the MAC/Serial Num/YYYYYYYYYY as the salt or password.
let me know what you think.
Yaser Doleh wrote:
smoothy wrote:
Brendonwrote:
Could you spoof ls.tftp.vonage.net to point to your tftp server
and
provide
the spa000F66A84007.xml file yourself? Just an idea.
I downloaded that file with KugleSoft TFTP Server & Client, and
it's an encrypted file :x
I ordered 3 vonage-non-opened pap2, Hope I can get it work with
stanaphone :(
Most devices ask to download several config files. You will need to
monitor the network traffic and see what the device trying to
download
from where. There is another file that is not encrypted that gets
downloaded.
I use a different service that sent me a locked device and was able
to
unlock it by giving it a config file to download. The device specific
file was encrypted but the device was also downloading a general
config
file which was not encrypted.
Yaser
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in
