DComTalk.com

Is it really worth the effort when you can get a Sipura?

On Sat, 12 Mar 2005 02:03:43 -0600,
kmayeux@hotmail-dot-com.no-spam.invalid (summiter) wrote:

Based on reading the fragments of information spread across many sites
and newsgroups, it's apparent *someone* knows the steps involved in
getting into these things!

The mysterious post on linuxvoip.info leads me to believe that all can
be found by sniffing packets and perhaps some tftp craftiness
(although the message on linuxvoip.info doesn't mention anything
other than utilizing ethereal). The problem with that is after the
tftp requests, the pap2 just site there and doesn't try again.
Someone mentioned that it may make a request for an unencrypted file,
but so far all tftp requests to ls.tftp.vonage.net are for the
mac-based .xml file.

Anyone have some new thoughts? How about a source for a basic,
unencrypted xml config file?

summiter wrote:Naw, that's not really possible...but I wouldn't be surpised if there were some "backdoor" somewhere in the http interface.

Still stumped....

smoothy wrote:Isn't there a way to trick the .htaccess file inside this thing to allow access to the /admin directory? That's how the authentication works, doesn't it?

Figured out that my local VoIP provider doesn't configure the settings by hand, but using a program that loads the config into the ATA.
For instance, when you go to the voice menu on the Linksys RT31P2 it just says "Contact your service provider". No manual config whatsoever...
I need to get my hands onto that proggie..

Jo Cloe wrote:Is it really worth the effort when you can get a Sipura?

Well.. let's say that I want to make it worthy for the money I paid for the PAP2...

Anyone having any luck with this???

I really need to get this device unlocked, lol.

smoothy wrote:

summiterwrote:

Naw, that's not really possible...but I wouldn't be surpised if there
were some "backdoor" somewhere in the http interface.

Still stumped....

smoothywrote:

Isn't there a way to trick the .htaccess file inside this thing to
allow access to the /admin directory? That's how the authentication
works, doesn't it?[/quote:44bc0aae47]

Figured out that my local VoIP provider doesn't configure the settings
by hand, but using a program that loads the config into the ATA.
For instance, when you go to the voice menu on the Linksys RT31P2 it
just says "Contact your service provider". No manual config
whatsoever...
I need to get my hands onto that proggie..

You think you're going to hack it! Not.

summiter wrote:It appears thought that the provider config is stored somewhere outside of the main firmware, because despite flashing to different versions, I am still prompted to enter a password for the admin pages, and the device still makes requests to a vonage tftp server.

According to http://www.phone4internet.com/linksys_IVR.html there's a "provisoning" option where you can specify where the pap2 should download it's configuration..

smoothy wrote:

s suppose I want to cancel my account with Vonage. My

credit card is "broken" (doesn't allow any charges). Vonage tries to
charge me $40 disconnection fee.. And it cant do it... What happens
then? Does Vonage like sue you to obtain the money? or just nothing
happens at all and you just keep a useless pap2 ?

It's likely that they'll refer you to a collections agency: Vonage may
or may not report the debt as unpaid to your credit report, then "sell"
the debt to a collection agency, who then makes it their task to cajole,
harrass and threaten you till you decide to pay up. If you have a
strong will and don't mind a bad mark on your credit rating, then have
at. :)

For me, it's not worth the hassle. If I ever cancel my Vonage service,
they can have their useless PAP2 back.


--
E-mail fudged to thwart spammers.
Transpose the c's and a's in my e-mail address to reply.

Hi All,
I just read this one on the net, I do not have one handy to try. Would
someone willing to try and post the results. Thanks.

UPDATE
Well it appers that Vonage let ~some~ info slip this morning around
5am. The master reset is "73738" and the password is "7756112". for
those of you who don't know what a master rest is (and all tose who
have e-mailed me insted of trying the codes), it ONLY resets the unit
BACK to the ORIGNAL factory settings. DON'T e-mail me with "your code
didden't unlock my unit".. The next person who sends me an e-mail like
that is going to get blasted!!!

I can get the PAP2 unlock unit. They sell for around $75.00. The ones that are all ready locked by Vonage are not worth the trouble. I get them directly from cisco.

maybe this LINK will help all of you to unlock your PAP2.. lucky for you all mine is RT31P2 and still waiting for some luck and for someone who will have luck to take that out from the edge,... Goodluck!!!

its me,

Neo

Are there any news about rt31p2?

I figured that the reason that locked units abort the tftp of the unlocked firmware -NA is a small text in the bin file.

The first row of the unlocked one contains the following text

Code: Select all

P2NA\

I guess if we knew what the relevant text was in the locked one, we could enter that in the unlocked version and allow it to tftp gracefully.
This change obviously has to be made on binary level and not using a text editor....

Any thoughts?

I have a PAP2T-NA with firmware version 3.1.16(LS) that was locked from VE.

I followed most of what this post says: http://www.venturevoip.com/news.php?rssid=949

I set up a Linux box running Fedora Core 7 that was providing DHCP, DNS, syslogd, and apache on a disconnected network. I would power on the PAP2T and watch all of the packets using "tcpdump" and added every name that it tried to look up to the local DNS server pointing to the IP address of the Linux box. This was verified by turning on DNS query logging in addition to the "tcpdump" output. My biggest time waster was that external DNS lookups were blocked by the firewall. I found this out by putting a second PC on the network and trying to do lookups to the Fedora box using "dig @<Fedora IP> a <name>". Running the command "iptables -F" flushed all of the rules and allowed the queries to come in. Running "syslogd -r" allowed it to log events like failed/successful config file loads.

Every once in a while the PAP2T-NA would try and download a file named http://<Fedora IP>/sipura/<MAC>.cfg. I put the following lines in a file with that name:
<?xml version="1.0" encoding="ISO-8859-1"?>
<flat-profile> <!-- PAP2-NA Configuration Parameters -->
<Admin_Passwd>123456</Admin_Passwd>
</flat-profile>

After power-cycling the PAP2T again, it reported a "successful re-sync". I was then able to plug the dumb phone into port 1 and hit the "*****" "RESET#", the "123456#" password and "1" to verify that I really wanted to do a factory reset.

Voila! I had a completely unlocked device from one that I did not even know the user password, much less the admin one.

I have heard that Vonage uses encrypted files though, so the above might not work for their boxes.

After acquirements that the Linksys RT32P2 I purchased was bound to
Vonage, I alternate it. While at Staples I noticed the Linksys
PAP2. I asked a sales being about whether or not it was
similarly locked. We acclaimed that it did not account Vonage service
under the minimum requirements and he encouraged me to just get
it and acknowledgment it if it didn't work.

Those are all guesses though. I'd adulation to ascertain that I'm

wrong but I went advanced and had a brace *real* SPA-2000s air

mailed to me this evening. I don't accept time to blend around

with "buying" accouterments I don't control.