DComTalk.com

Shaker · Guest

Does anyone have a copy of the flash from an orinanally UNLOCKED PAP2
(PAP2-NA)?
I would like to look at it.

MK

"smoothy" <smoothy@nj-dot-cl.no-spam.invalid> wrote in message
news:er2dnVANEv2--pHfRVn_vQ@giganews.com...

pr0m · Guest

so, what you're saying is that i could theoretically create my own
unsalted config file, upload it, reboot, and the pap2 would be
unencumbered? how do i go about creating a realistic config to replace
the salted one? what are the parameters?

thanks for clearing up my misconception. i didn't know what the
spaXXXXXXXXXXXX.xml file was for. i thought it might be a combination
of the firmware update and config. at any rate, it's salted/encrypted
so i don't know its actual contents. i ran 'strings
spaXXXXXXXXXXXX.xml > strings.out' and got a bunch of short one-liners
that looked like gobbly gook to me. then i used the output file as the
password file for hydra and pointed it at the pap2. no juice.

at this point, i'm stuck with the two choices that i posted previously.
short of launching a full-blown brute force attack on the pap2 or it's
config, i'm not sure of what to try next. any more ideas?

pr0m · Guest

oh yea, forgot to mention that i also tried 'strings spa2k-2.0.10e.bin
> strings.out' and ran those through hydra without success, also.

summiter · Joined: 11 Mar 2005 Posts: 7

Based on reading the fragments of information spread across many sites and newsgroups, it's apparent *someone* knows the steps involved in getting into these things!

The mysterious post on linuxvoip.info leads me to believe that all can be found by sniffing packets and perhaps some tftp craftiness (although the message on linuxvoip.info doesn't mention anything other than utilizing ethereal). The problem with that is after the tftp requests, the pap2 just site there and doesn't try again. Someone mentioned that it may make a request for an unencrypted file, but so far all tftp requests to ls.tftp.vonage.net are for the mac-based .xml file.

Anyone have some new thoughts? How about a source for a basic, unencrypted xml config file?

smoothy · Joined: 10 Feb 2005 Posts: 10

Would be nice if someone, with the adequate hardware, could interrogate the NVRAM of a PAP2-NA and and extract the firmware image.

I don't know how to do that though Sad

I've tried resetting the pap2, it indeed come to factory defaults (I can see the web interface), but it keeps asking me a password to the Admin Area and once connected to the net, it starts to download vonage firmware. Sad

summiter · Joined: 11 Mar 2005 Posts: 7

PAP2-NA firmware is available. Getting it to load onto the PAP2 is the challenge. It's apparently not as simple as renaming it to the file requested by tftp. That results in the tftp session shutting down before the transfer completes.

smoothy · Joined: 10 Feb 2005 Posts: 10

Could you please send me the PAP2-NA firmware? (.bin?)

thanks

summiter · Joined: 11 Mar 2005 Posts: 7

You can dl a copy of a recent release here:

http://www.inphonex.com/download/PAP2-bin-2-00-13-LSb.bin

But I'm tellin' ya, there's no way to get it onto a "locked" pap2, that I've found anyway.

You can't simply rename it to the filename requested via tftp at boot. It starts to transfer then errors out before comletion..probably beacuse the device isn't expecting a firmware file, it's expecting a config file.

The is a way to upload firmware to the pap2 via the web interface, but it requires the admin password...which is the problem we have in the first place.

I just want to get this thing working with my Asterisk server..I already have Vontage on another device. But if I can't get it working, I'm cancelling Vontage and buying a pap2-na and going with another provider.

summiter · Joined: 11 Mar 2005 Posts: 7

Could someone with access to a pap2-na send me the html source for the
admin page or post it here please?

My current thinking is that although authentication is required to access the admin pages, the data that is "posted" via those pages doesn't go through any sort of checking.

I've noticed that the field have numerical names. If I can find out the names of the fields for various admin config stuff, I might be able to inject those values somehow.

I'm not sure easy this will be though...

I wish the person who had the walk-though on linuxvoip.info would speak up! =)

summiter · Joined: 11 Mar 2005 Posts: 7

OK since I've already wasted my Friday night, I might as well lay out what I've found.

I've successfully changed the firmware to two other versions, a .10LSc and a .13LSb.

It appears thought that the provider config is stored somewhere outside of the main firmware, because despite flashing to different versions, I am still prompted to enter a password for the admin pages, and the device still makes requests to a vonage tftp server.

I tried a factory reset after loading each firmware, and it didn't help.

I noticed that the device says it has a certificate installed. I'm assuming this is what's used to authenticate/decrypt the .xml config file the device is trying to load. If that's the case, then the configs are likely signed with a key unique to vonage, and that pretty much ends that direction. I think that will likely prevent the loading of some generic, yet properly compiled config file, since it won't be signed by vonage's key.

I read somewhere that older versions of the firmware had a particular vulnerability that allowed config access - does anyone recall what that was about?

smoothy · Joined: 10 Feb 2005 Posts: 10

smoothy · Joined: 10 Feb 2005 Posts: 10

summiter · Joined: 11 Mar 2005 Posts: 7

I'm sure they will send you to collections unless you talk them out of the fee.

As far as the certificate goes, I now believe it's only in place to enable HTTPS transfers of config info if the provider chooses that mechanism.

I still haven't made any more progress on this thing..

smoothy · Joined: 10 Feb 2005 Posts: 10

Isn't there a way to trick the .htaccess file inside this thing to allow access to the /admin directory? That's how the authentication works, doesn't it?

summiter · Joined: 11 Mar 2005 Posts: 7

Naw, that's not really possible...but I wouldn't be surpised if there were some "backdoor" somewhere in the http interface.

Still stumped....

Linksys PAP2 locked to Vonage, support people funny Goto page Previous 1, 2, 3, 4 Next

	DComTalk.com Forum Index -> VoIP	All times are GMT Goto page Previous 1, 2, 3, 4 Next
Page 3 of 4