DComTalk.com

Does anyone have a copy of the flash from an orinanally UNLOCKED PAP2
(PAP2-NA)?
I would like to look at it.


MK


"smoothy" <smoothy@nj-dot-cl.no-spam.invalid> wrote in message
news:er2dnVANEv2--pHfRVn_vQ@giganews.com...

Brendonwrote:
Could you spoof ls.tftp.vonage.net to point to your tftp server and
provide
the spa000F66A84007.xml file yourself? Just an idea.

I downloaded that file with KugleSoft TFTP Server & Client, and
it's an encrypted file :x
I ordered 3 vonage-non-opened pap2, Hope I can get it work with
stanaphone :(

so, what you're saying is that i could theoretically create my own
unsalted config file, upload it, reboot, and the pap2 would be
unencumbered? how do i go about creating a realistic config to replace
the salted one? what are the parameters?

thanks for clearing up my misconception. i didn't know what the
spaXXXXXXXXXXXX.xml file was for. i thought it might be a combination
of the firmware update and config. at any rate, it's salted/encrypted
so i don't know its actual contents. i ran 'strings
spaXXXXXXXXXXXX.xml > strings.out' and got a bunch of short one-liners
that looked like gobbly gook to me. then i used the output file as the
password file for hydra and pointed it at the pap2. no juice.

at this point, i'm stuck with the two choices that i posted previously.
short of launching a full-blown brute force attack on the pap2 or it's
config, i'm not sure of what to try next. any more ideas?

oh yea, forgot to mention that i also tried 'strings spa2k-2.0.10e.bin
> strings.out' and ran those through hydra without success, also.

Based on reading the fragments of information spread across many sites and newsgroups, it's apparent *someone* knows the steps involved in getting into these things!

The mysterious post on linuxvoip.info leads me to believe that all can be found by sniffing packets and perhaps some tftp craftiness (although the message on linuxvoip.info doesn't mention anything other than utilizing ethereal). The problem with that is after the tftp requests, the pap2 just site there and doesn't try again. Someone mentioned that it may make a request for an unencrypted file, but so far all tftp requests to ls.tftp.vonage.net are for the mac-based .xml file.

Anyone have some new thoughts? How about a source for a basic, unencrypted xml config file?

Would be nice if someone, with the adequate hardware, could interrogate the NVRAM of a PAP2-NA and and extract the firmware image.

I don't know how to do that though

I've tried resetting the pap2, it indeed come to factory defaults (I can see the web interface), but it keeps asking me a password to the Admin Area and once connected to the net, it starts to download vonage firmware.

PAP2-NA firmware is available. Getting it to load onto the PAP2 is the challenge. It's apparently not as simple as renaming it to the file requested by tftp. That results in the tftp session shutting down before the transfer completes.

smoothy wrote:Would be nice if someone, with the adequate hardware, could interrogate the NVRAM of a PAP2-NA and and extract the firmware image.

I don't know how to do that though

I've tried resetting the pap2, it indeed come to factory defaults (I can see the web interface), but it keeps asking me a password to the Admin Area and once connected to the net, it starts to download vonage firmware.

Could you please send me the PAP2-NA firmware? (.bin?)

thanks

You can dl a copy of a recent release here:

http://www.inphonex.com/download/PAP2-b ... 13-LSb.bin

But I'm tellin' ya, there's no way to get it onto a "locked" pap2, that I've found anyway.

You can't simply rename it to the filename requested via tftp at boot. It starts to transfer then errors out before comletion..probably beacuse the device isn't expecting a firmware file, it's expecting a config file.

The is a way to upload firmware to the pap2 via the web interface, but it requires the admin password...which is the problem we have in the first place.

I just want to get this thing working with my Asterisk server..I already have Vontage on another device. But if I can't get it working, I'm cancelling Vontage and buying a pap2-na and going with another provider.

smoothy wrote:Could you please send me the PAP2-NA firmware? (.bin?)

thanks

Could someone with access to a pap2-na send me the html source for the
admin page or post it here please?

My current thinking is that although authentication is required to access the admin pages, the data that is "posted" via those pages doesn't go through any sort of checking.

I've noticed that the field have numerical names. If I can find out the names of the fields for various admin config stuff, I might be able to inject those values somehow.

I'm not sure easy this will be though...

I wish the person who had the walk-though on linuxvoip.info would speak up! =)

OK since I've already wasted my Friday night, I might as well lay out what I've found.

I've successfully changed the firmware to two other versions, a .10LSc and a .13LSb.

It appears thought that the provider config is stored somewhere outside of the main firmware, because despite flashing to different versions, I am still prompted to enter a password for the admin pages, and the device still makes requests to a vonage tftp server.

I tried a factory reset after loading each firmware, and it didn't help.

I noticed that the device says it has a certificate installed. I'm assuming this is what's used to authenticate/decrypt the .xml config file the device is trying to load. If that's the case, then the configs are likely signed with a key unique to vonage, and that pretty much ends that direction. I think that will likely prevent the loading of some generic, yet properly compiled config file, since it won't be signed by vonage's key.

I read somewhere that older versions of the firmware had a particular vulnerability that allowed config access - does anyone recall what that was about?

summiter wrote:Could someone with access to a pap2-na send me the html source for the
admin page or post it here please?

My current thinking is that although authentication is required to access the admin pages, the data that is "posted" via those pages doesn't go through any sort of checking.

I thought the same, so searching some equivalent-sipura configs, I found out that to upgrade the firmware via web interface, you have to do it this way:
http://PAP2-IP/admin/upgrade?http://you ... 13-LSb.bin

Still asks me for the admin password..

summiter wrote:I noticed that the device says it has a certificate installed. I'm assuming this is what's used to authenticate/decrypt the .xml config file the device is trying to load. If that's the case, then the configs are likely signed with a key unique to vonage, and that pretty much ends that direction. I think that will likely prevent the loading of some generic, yet properly compiled config file, since it won't be signed by vonage's key.

Besides the PAP2 provided by vonage (and which we all here are trying to unlock) I also have a PAP2-NA, that was provided by my local VoIP provider, and which I've reset once with the RESET# command (no password asked). That, indeed reseted the unit, was able to make it into the admin pages. And it also has the Client Certificate:Installed thing. This unit doesnt download any particular configuration. It's just configured by hand using SIP proxy, user & password.

By the way, let's suppose I want to cancel my account with Vonage. My credit card is "broken" (doesn't allow any charges). Vonage tries to charge me $40 disconnection fee.. And it cant do it... What happens then? Does Vonage like sue you to obtain the money? or just nothing happens at all and you just keep a useless pap2 ?

thanks.

I'm sure they will send you to collections unless you talk them out of the fee.

As far as the certificate goes, I now believe it's only in place to enable HTTPS transfers of config info if the provider chooses that mechanism.

I still haven't made any more progress on this thing..

smoothy wrote:

summiter wrote:I noticed that the device says it has a certificate installed. I'm assuming this is what's used to authenticate/decrypt the .xml config file the device is trying to load. If that's the case, then the configs are likely signed with a key unique to vonage, and that pretty much ends that direction. I think that will likely prevent the loading of some generic, yet properly compiled config file, since it won't be signed by vonage's key.

Besides the PAP2 provided by vonage (and which we all here are trying to unlock) I also have a PAP2-NA, that was provided by my local VoIP provider, and which I've reset once with the RESET# command (no password asked). That, indeed reseted the unit, was able to make it into the admin pages. And it also has the Client Certificate:Installed thing. This unit doesnt download any particular configuration. It's just configured by hand using SIP proxy, user & password.

By the way, let's suppose I want to cancel my account with Vonage. My credit card is "broken" (doesn't allow any charges). Vonage tries to charge me $40 disconnection fee.. And it cant do it... What happens then? Does Vonage like sue you to obtain the money? or just nothing happens at all and you just keep a useless pap2 ?

thanks.

Isn't there a way to trick the .htaccess file inside this thing to allow access to the /admin directory? That's how the authentication works, doesn't it?

Naw, that's not really possible...but I wouldn't be surpised if there were some "backdoor" somewhere in the http interface.

Still stumped....

smoothy wrote:Isn't there a way to trick the .htaccess file inside this thing to allow access to the /admin directory? That's how the authentication works, doesn't it?