Discussion of VoIP, VPN, Video Conferencen, DSL and other data commucations.
by Kyler Laird » Fri Sep 24, 2004 12:11 pm
I made the assumption you did not have active service with Vonage
currently under that mac address.
by Dustin » Fri Sep 24, 2004 8:39 pm
t0k3n@hotmail.com (Dustin) writes:
I made the assumption you did not have active service with Vonage
currently under that mac address.
Ah! Yes, you're right. The file still seems to be able to configure
the unit though, so I'd expect that if you can do something with it
you'd have control.
--kyler
by DevilsPGD » Sat Sep 25, 2004 10:03 am
I checked this file out - its encrypted somehow, right? Just want to make
sure we're on the same page.
Yes...
I was under the impression that all units downloaded a "firmware"
file, not just the active ones. This is not that case. Virgin MAC's do
not have a file. I downloaded a few different MAC's by incrementing
the *known* good MAC and ran kDiff against the files. They are
different. So maybe the salt somehow involves that MAC?
by m » Tue Dec 21, 2004 11:21 pm
What is SPC?
cecco_at_peppe_dot_it@foo.com (Ceccopeppe) wrote in message news:<xjmjd.2528693$yk.401874@news.easynews.com>...
Ok, I downloaded six spa<macaddress>.xml files. I've seen that they are
really
cripted (using mac address?) and my PAP2 does not validate the one loaded.
So I wish i try using the Sipura configuration compile, SPC, available
only on
protected Sipura site so to compile a text file using macaddress as
cripting
key.
Does someone have a copy of SPC, either for windows or for linux ?
Thanks
##-----------------------------------------------##
Article posted with Cabling-Design.com Newsgroup Archive
http://www.cabling-design.com/forums
no-spam read and post WWW interface to your favorite newsgroup -
comp.dcom.voice-over-ip - 1063 messages and counting!
##-----------------------------------------------##
by m » Wed Dec 22, 2004 12:52 am
Yes I would like to know to...
I have a pap2-na and If someone will tell me how to get the firm ware
off it I will do it.. long as it leaves mine finctional.. (I use it
every day with fwd .. and diffrent providers)
not to mention asterisk.
I am trying to find a way to buy a unit from vontage from my local radio
shack or best buy or what ever and stay on long enough to get my mail
in rebate then cancel if possible , then see if I can copy the firmware
from my unlocked na model to the vontage model.. then save like
$15-16$ per unit and give them as gifts to friends pre registered with
Freeworlddial.com accounts and send a msg to hook em up and dial my fwd ...
any one?!
I really would like to try it.. anyone have a locked one and up to try
this.. ??
m.
Dustin wrote:
What is SPC?
cecco_at_peppe_dot_it@foo.com (Ceccopeppe) wrote in message
news:<xjmjd.2528693$yk.401874@news.easynews.com>...
Ok, I downloaded six spa<macaddress>.xml files. I've seen that they are
really cripted (using mac address?) and my PAP2 does not validate the
one loaded. So I wish i try using the Sipura configuration compile,
SPC, available
only on protected Sipura site so to compile a text file using
macaddress as
cripting key. Does someone have a copy of SPC, either for windows or
for linux ? Thanks
##-----------------------------------------------##
Article posted with Cabling-Design.com Newsgroup Archive
http://www.cabling-design.com/forums
no-spam read and post WWW interface to your favorite newsgroup -
comp.dcom.voice-over-ip - 1063 messages and counting!
##-----------------------------------------------##
by pl » Wed Dec 22, 2004 2:06 am
well after some googling I was able to find this.. for locked pap2
you can unlock it by performing a factory reset over the IVR IF YOU HAVE
THE PASSWORD. To get to the IVR hit "****" while connected over the
phone. The factory reset command is "73738#". You will be asked for a
password.
Now the question is, what is that dang password?
by m » Thu Dec 23, 2004 1:03 am
In article ID <faydnXKoUPasWFXcRVn-1g@rogers.com>, m <googlenews@s2angel.com
writes:
well after some googling I was able to find this.. for locked pap2
you can unlock it by performing a factory reset over the IVR IF YOU HAVE
THE PASSWORD. To get to the IVR hit "****" while connected over the
phone. The factory reset command is "73738#". You will be asked for a
password.
Now the question is, what is that dang password?
Same exact reset code as the Sipura. When I left Broadvoice, I was able to
reset my Sipura 1000 since they do not lock the hardware.
http://www.sipura.com/Documents/SipuraS ... v2.0.9.pdf
By factory default there is no password and no password authentication is
prompted for all the IVR settings. If administrator password is set,
password authentication will be prompted for certain IVR settings.
Enter IVR Menu * * * *
Ignore SIT or other tones until you hear, "Sipura configuration menu.Please
enter option followed by the pound key or hang-up to exit."
Factory Reset of Unit 73738 Enter 1 to confirm
SPA will prompt for confirmation. After confirming, you will hear Option
Successful. Hangup. Unit will reboot and all configuration parameters will be
reset to factory default values.
by m » Tue Dec 28, 2004 2:23 am
Well I have the unlocked pap2-na so I can't try that mine works good
very open for changes.. anyone have the locked one and willing to give
it a try.. I can bet there are a ton of people dieing to know if it
works and what you did. maybe do it before you go away someplace. and
have anouther phone you can use so you can call vontage and tell them
your rented box is messed up leaving time for them to send you anouther
lol...
Some one hurry up and try this.. i wanna buy these things as gifts and
send them setup with fwd numbers so I can call my LD buddies...
m.
pl wrote:
In article ID <faydnXKoUPasWFXcRVn-1g@rogers.com>, m
googlenews@s2angel.com
writes:
well after some googling I was able to find this.. for locked pap2
you can unlock it by performing a factory reset over the IVR IF YOU
HAVE THE PASSWORD. To get to the IVR hit "****" while connected over
the phone. The factory reset command is "73738#". You will be asked
for a password.
Now the question is, what is that dang password?
Same exact reset code as the Sipura. When I left Broadvoice, I was
able to
reset my Sipura 1000 since they do not lock the hardware.
http://www.sipura.com/Documents/SipuraS ... v2.0.9.pdf
By factory default there is no password and no password authentication is
prompted for all the IVR settings. If administrator password is set,
password authentication will be prompted for certain IVR settings.
Enter IVR Menu * * * *
Ignore SIT or other tones until you hear, "Sipura configuration
menu.Please
enter option followed by the pound key or hang-up to exit."
Factory Reset of Unit 73738 Enter 1 to confirm
SPA will prompt for confirmation. After confirming, you will hear Option
Successful. Hangup. Unit will reboot and all configuration parameters
will be
reset to factory default values.
by Guest » Tue Dec 28, 2004 3:08 pm
I knoticed alot of Ebay listings of PAP2 I personaly emailed almost all
of them and they always reply with out answering the question weather
its realy a pap2-na or just a pap2 I am extreamly clear too on the matter
So beware!
by Jeeves_Moss » Sun Jan 30, 2005 1:24 am
by smoothy » Thu Feb 10, 2005 9:44 am
Jeeves_Moss wrote:If any one is intrested in the hardware specs, follow this link for pics and specs.
http://www.bekka.dynu.com/vonageworkaro ... around.htm
by smoothy » Thu Feb 10, 2005 10:08 am
Brendon wrote:Could you spoof ls.tftp.vonage.net to point to your tftp server and provide
the spa000F66A84007.xml file yourself? Just an idea.
by Yaser Doleh » Fri Feb 11, 2005 2:02 pm
Brendonwrote:
Could you spoof ls.tftp.vonage.net to point to your tftp server and
provide
the spa000F66A84007.xml file yourself? Just an idea.
I downloaded that file with KugleSoft TFTP Server & Client, and
it's an encrypted file :x
I ordered 3 vonage-non-opened pap2, Hope I can get it work with
stanaphone :(
by Guest » Tue Feb 22, 2005 6:40 pm
smoothy wrote:
Brendonwrote:
Could you spoof ls.tftp.vonage.net to point to your tftp server
and
provide
the spa000F66A84007.xml file yourself? Just an idea.
I downloaded that file with KugleSoft TFTP Server & Client, and
it's an encrypted file :x
I ordered 3 vonage-non-opened pap2, Hope I can get it work with
stanaphone :(
Most devices ask to download several config files. You will need to
monitor the network traffic and see what the device trying to
download
from where. There is another file that is not encrypted that gets
downloaded.
I use a different service that sent me a locked device and was able
to
unlock it by giving it a config file to download. The device specific
file was encrypted but the device was also downloading a general
config
file which was not encrypted.
Yaser
by Yaser Doleh » Tue Feb 22, 2005 7:19 pm
not to kick a dead horse (assuming this discussion is still of interest
to some ppl), i've had some success following the advice in this
thread, but alas, i'm still far from freeing the pap2 from the vonage
hegemony.
1.) setup a tftp server on a network at home with a spaXXXXXXXXXXXX.xml
file in /tftpboot and the same file in /tftpboot/YYYYYYYYYY. i know
that the spaXXXXXXXXXXXX.xml file is dependent on the pap2 MAC, but i'm
still unsure as to what determines the /tftpboot/YYYYYYYYYY
designation. i think this may be a password used derive a salt to
decrypt spaXXXXXXXXXXXX.xml and verify it's integrity. i also think
that /tftpboot/spaXXXXXXXXXXXX.xml file is identical to
/tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml file.
2.) configured my dhcp server to distribute a known ip address to the
pap2 MAC.
3.) placed the pap2 on a separate subnet/interface
4.) configured my firewall/router to redirect all requests originiating
from the pap2 to tftp.vonage.net to a local tftpserver on a separate
subnet/interface. natted all packets from the local tftpserver to the
pap2, so as to appear to be coming from tftp.vonage.net.
5.) connected the pap2 (with a default factory configuration) to the
network and plugged in the power cord.
the pap2 successfully connects to the local tftpserver, downloads
/tftpboot/spaXXXXXXXXXXXX.xml and
/tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml, self-installs the firmware,
reboots, and connects to vonage via port 5060-5061.
now, i've tried replacing the spaXXXXXXXXXXXX.xml file with a
spa2k-2.0.10e.bin file and renamed the tftpboot/YYYYYYYYYY directory to
whatever the pap2 was asking for (obtained by tcpdump and ethereal),
but the download stops abruptly when the pap2 returns an icmp packet
with a "port unreachable" message. i think that in this case the
spa2k-2.0.10e.bin (709K) much bigger than spaXXXXXXXXXXXX.xml (29K), so
the device rejects the firmware upload (probably due to a max file size
constraint).
i see two ways of getting around this problem:
1.) brute force the admin password from the pap2 prior to the vonage
firmware update and update the configurations via the pap2 web
interface.
2.) brute force the spaXXXXXXXXXXXX.xml file using openssl rc4 and some
variation of the MAC/Serial Num/YYYYYYYYYY as the salt or password.
let me know what you think.
Yaser Doleh wrote:
smoothy wrote:
Brendonwrote:
Could you spoof ls.tftp.vonage.net to point to your tftp server
and
provide
the spa000F66A84007.xml file yourself? Just an idea.
I downloaded that file with KugleSoft TFTP Server & Client, and
it's an encrypted file :x
I ordered 3 vonage-non-opened pap2, Hope I can get it work with
stanaphone :(
Most devices ask to download several config files. You will need to
monitor the network traffic and see what the device trying to
download
from where. There is another file that is not encrypted that gets
downloaded.
I use a different service that sent me a locked device and was able
to
unlock it by giving it a config file to download. The device specific
file was encrypted but the device was also downloading a general
config
file which was not encrypted.
Yaser
Users browsing this forum: No registered users and 0 guests