dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
85095
mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo to drose25

Premium Member

to drose25

Re: [PAP2] Unlocking Guide - Part II

said by drose25:

Thanks for the suggestions. I've tried another factory reset and still wind up with the unit asking for an admin password when it comes time to upgrade.
R U sure it is running with firmware below v3.1.6 that supports USER MODE firmware upgrades?
I guess this particularly uncooperative PAP2 is destined for the trash can. I can't pawn it off on Ebay and frustrate someone else like this.
Oh no! It is better to donate it for the cause of hacking. I wouldn't mind if you want to send it to me.
rizzo2dial
Premium Member
join:2004-08-05

rizzo2dial to drose25

Premium Member

to drose25
said by drose25:

Initially the unit's webpage access was disabled. Trying the **** 7932# routine would not enable web access, despite trying all passwords in the previous threads. The unit did do a factory reset, without a password, from the IVR.

That failing, I moved on to the DNS spoofing/tftp server method. This unit happily accepts unencrypted xml files. Using a plaintext xml file, I was able to turn webpage access on, and I thought I set the admin password. However, although the unit downloads and processes the xml file, it DOES NOT change the admin password. I have double-checked the xml syntax, and tried a variety of passwords, and even left it blank, all without success. I have made sure to log in with the user name and password first, and then tried to click to the admin section and enter the admin credentials there.
In the quote above, you believe that the plaintext xml file you fed the adapter enabled the web interface. Yet prior to that you performed a factory reset through the IVR. A factory reset enables in the web interface. To test whether the xml file being fed gets processed, set the value of something harmless like the HostName to a test value:
<HostName ua="rw">UNLOCKABLE</HostName>

If it doesn't work, try changing The ua="rw" to ua="na".

If you succeed in getting the "Host Name" to show "UNLOCKABLE" in the web interface, your adapter is processing plain-text XML files. Otherwise, the firmware version you have doesn't support plain-text XML files.
said by drose25:

From reading all the foregoing posts, firmware 2.0.10 was supposed to be one of the easiest to unlock, especially via the plaintext xml method. This unit, however, will not change admin passwords that way.

Any suggestions?
2.0.9 is the version of firmware known to accept/process plain-text xml files. There've been rumors that 2.0.10(LSa) also had this flaw, but yours is 2.0.10(LSb). If your adapter won't process plain-text XML files, and if it's a Vonage PAP2, the more complex unlock process for firmware 3.1.7+ (commonly called the "3.1.9 unlock process") should work. It's discussed in the threads here as well at numerous other sites. Search Google for instructions if you don't want to wade through the posts here.

drose25
join:2001-06-12
Dallas, TX

drose25

Member

Hmmm...

I reset the unit many times using the **** 73738# method without it enabling the web interface. That was why I switched to the plaintext xml method. After doing that, the web interface was enabled, but the admin password still wasn't changed. I assumed that this meant the unit was accepting plaintext xml files.

However, trying to set the hostname in the xml file as suggested by rizzo2dial above does not work. The unit retains the hostname set in the web interface.

Since I already have DNS spoofing and everything else set up, I am going to try the more complex unlocking process using the Vonage xml file. I will let you know how it works out. If it doesn't, I'm more than happy to send it on to Mazilo for destructive testing, if required.
drose25

drose25

Member

Thanks to everyone for their suggestions. I was able to turn the demonic PAP2 into a good unlocked citizen using the encrypted spa...xml file from Vonage and spoofing the httpconfig webserver so it would download the Sipura firmware.

For those of you with a PAP2 that shows firmware 2.0.10(LSb): despite what most of the PAP2 unlock guides say, your PAP2 may not allow you to upgrade firmware using just a user login. If so, follow the more complex procedures as suggested by Rizzo2dial and you should be unable to unlock the beast with a little patience.
mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo

Premium Member

said by drose25:

Thanks to everyone for their suggestions. I was able to turn the demonic PAP2 into a good unlocked citizen using the encrypted spa...xml file from Vonage and spoofing the httpconfig webserver so it would download the Sipura firmware.
Congratulation on your achievement. Make sure you don't factory reset your PAP2 to let it phone home to Vonage. If your router runs on a DD-WRT firmware, you may be able to block any traffics to/from Vonage servers. This way, even if you accidentally factory reset your PAP2, it won't be able to reach Vonage to get upgraded.

Have fun with your newly unlocked PAP2.
mypiv7
join:2006-04-29
USA

mypiv7

Member

said by mazilo:

If your router runs on a DD-WRT firmware, you may be able to block any traffics to/from Vonage servers.
Could you please provide more details about how to block Von servers using iptables or others methods at the router level using dd-wrt? Also a link to it if any would be appreciated. Thanks.

toro
join:2006-01-27
Scarborough, ON

toro to rcilink

Member

to rcilink
Just got 2 previously used with Vonage PAP2v1's unlocked and -NAized remotely by DogFace05. I can only tell that he's a really nice fellow, and I would recommend his services to anyone !
mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo

Premium Member

said by toro:

Just got 2 previously used with Vonage PAP2v1's unlocked and -NAized remotely by DogFace05. I can only tell that he's a really nice fellow, and I would recommend his services to anyone !
If I may add to what you have already said above, DogFace05 is a very humble and down to earth person, let alone the knowledge he posses on NAizing PAP2v1/RT31P2 (among other Linksys/Sipura made ATA devices based on the same chipset used on a PAP2v1). You just can't go wrong with DogFace05 when it comes to NAizer. If my memory serves me right, my first few NAized PAP2v1 units (by DogFace05) have been running since 6/2006 (may be even earlier than that).
mazilo

mazilo to mypiv7

Premium Member

to mypiv7
said by mypiv7:

Could you please provide more details about how to block Von servers using iptables or others methods at the router level using dd-wrt?
Currently, my WRT54GS v3 has been bricked for quite some times and I just haven't got any motivation to debrick it. Anyway, I dug up some of my old notes on how to block traffics from/to my LAN to/from Vonage servers (based on IP subnets) using some IPTables rules as follows:
  1. Subnet 69.59.0.0/16: iptables -I FORWARD -d 69.59.0.0/16 -j DROP
  2. Subnet 216.115.0.0/16: iptables -I FORWARD -d 216.115.0.0/16 -j DROP
IIRC, these two rules were the ones I used on my WRT54GS v3 router. I believe you can insert these two rules under Administrator -> Command of DD-WRT GUI and they will survive from a reboot but not factory reset. Once you have these two rules implemented, see if you will prevail on grabbing some XML provision files from any Vonage server. Let me know if this will do.
skypeuser
join:2005-03-08
United State

skypeuser to mazilo

Member

to mazilo
My experience with DogFace05 was without any problems.
He provided a very professional and quick service.
I have a few other 3.1.19LSc PAP2V1 s. I will probably get my Rtp31p2 NAized. I will use his services over time.

mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo

Premium Member

said by skypeuser:

My experience with DogFace05 was without any problems.
He provided a very professional and quick service.
I am sure you are not the only satisfied customer who enjoys very quick, courteous, and professional services from DogFace05, but perhaps the only one who has publicly came out to make such a declaration and am very glad to know this. DogFace05 really deserves this kind of acknowledgement considering the amount of times he has put into learning and hacking to perfecting his skills on NAizing the devices that certainly will benefit the owners of locked PAP2v1. I believe we have made our points clear and enough said before we get side track on this thread.

DogFace056
join:2005-12-09
Cary, NC

DogFace056

Member

Thanks a bunch y'all for all the kind words. They're much appreciated.

skuds
Remember 9-11
join:2000-12-21
Houston, TX

skuds to rcilink

Member

to rcilink
Count me as another happy DogFace05 customer.
I'm usually a DIY kinda guy... In this case, quick and easy is a much better value proposition for me.
mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo

Premium Member

said by skuds:

In this case, quick and easy is a much better value proposition for me.
And, 100% guarantee not to phone home even after a factory reset!
aix170
join:2007-04-20

aix170

Member

count me in, another happy customer of DogFace05.

phaded
@insightbb.com

phaded

Anon

ok after talking to vonage for 3hours they told me how to unlock my box and gave me all the passwords to do so

first off i have a pap2 v1 with 3.1.9(LSc)firmware. so i don't know if this will be the same for other firmwares

ok first he told me to pick the phone up and press ****
then 73738# and use the password 7756112# then press 1 to confirm. after that it enabled the web page. then he told me to go to the web page and click the admin login and use the username: admin and password: Q6d30Wkb
now i have access to add the firmware that i need to make it unlocked

if u have any problem call vonage and tell them that u need to talk to some one in advance tec. support then tell them that u got the box unbranded from them and u need the admin password so u can use it with another Voip. it took me 3 hours to do so i hope you have the time.

Gary
phaded

phaded

Anon

after looking at the xml file i downloaded thay have change the password to the admin account to WnxqecnOXq and the user password is 8995523 i hope this will help every one

we need to find out if they are now setting these password by mac address. (everyone has a different password)

if any one has there factory gpp k key and would post it with there mac address i will see if its the same

also if any one know where they put the password to Protect_IVR_FactoryReset

gary
havarian
join:2005-10-27

havarian to rcilink

Member

to rcilink
I purchased a vonage pap2 from justdeals.com and it was not customized.
I think they have a tool to fully unlock those devices.
mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo

Premium Member

said by havarian:

I purchased a vonage pap2 from justdeals.com and it was not customized.
How much did you pay for this PAP2, $60, $50, or even less?
pnbalaji
join:2007-07-11
Dodgeville, WI

pnbalaji

Member

Hi,

Does any one know what IP address or server name the vonage PAP2 is trying to connect? Instead of disconnecting the PAP2 from internet, why not putting the vonage server name or IP address in the windows hosts file (c:\winnt\system32\drivers\etc\hosts) ? Something like the below entry should work, if I am right.

127.0.0.1

The PAP2 will not be able to connect to actual vonage IP, if we have this entry in hosts file.

Thanks,
Balaji.
pnbalaji

pnbalaji

Member

it should be like below

{vonage IP that PAP2 tries to connect} 127.0.0.1

Thanks,
Balaji.
ned2021
join:2007-07-11
Canada

ned2021 to rcilink

Member

to rcilink
I'm completely new to this so please be patient. I just received in the mail a Linksys PAP2 adapter and whrn I dial **** 110# it says that my IP is 0.0.0.0 . I can't get to the WEB interface with my Linksys router. I connected the adapter directly on my box instead of the router and there's no communication there either. What gives? Is that adarpter DEAD???

Sukru Bey
join:2005-09-17
Toronto, ON

Sukru Bey to rcilink

Member

to rcilink
IP 0.0.0.0 means you have not connected your PAP2 to your router yet, or your router didn't give an IP to your PAP2 yet.

Make sure you are not connected to internet, OK?
dm33
join:2007-07-05
Raleigh, NC

dm33 to rcilink

Member

to rcilink
Does it work to unlock a Vonage PAP2 v2 from BestBuy using CYT? Does some sort of reset allow it to go back to the Vonage configuration? Any special instructions?
mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo

Premium Member

said by dm33:

Does it work to unlock a Vonage PAP2 v2 from BestBuy using CYT?
The CYT_Unlocker only works with a PAP2v2 (running on older firmware). If you bought a Linksys/Vonage locked PAP2v1 (the box has an orange color trim), then it is better to return it to BB to get your money back and go out to purchase a PAP2T-NA unless you only paid less than $15. Otherwise, you will need to unlock it or have it NAized.

nuzzy
join:2003-12-17
Danville, NH

nuzzy to rcilink

Member

to rcilink
Trying to find out if it's possible to unlock a Voicewing PAP2? I see Vonage, but haven't come across VZN.
mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo

Premium Member

said by nuzzy:

Trying to find out if it's possible to unlock a Voicewing PAP2? I see Vonage, but haven't come across VZN.
Looks like this is a PAP2v1. If so, then your best option is to contact DogFace05 to get your PAP2v1 NAized. Unfortunately, this is not going to be a freebie, AFAIK.
hiremichael
join:2007-05-10
Canada

1 edit

hiremichael to rcilink

Member

to rcilink
I can't get my PAP2 to accept the second spa*.xml file in the special directory. What's up with that second file ? Is it an identical copy of the first as I gathered from these instructions ? I have to imagine that Vonage would send a different file, otherwise it's useless to send the same file twice.

My PAP2 was just purchased new from Staples in Canada and is FW 3.1.9c and has never had access to the internet.

Here are my observations:

Once I figured out that the spa*.xml file had to be TFTPd from Vonage in binary mode, I finally got a 29456 byte file that worked in the TFTP root. I think it worked because the PAP2 stopped asking for the TFTP root file (Until RESET#) and started asking for the special directory file.

I noted that until the PAP2 got a file it liked, it would start with the TFTP 69 port, go on to the FSP 21 port and finally on to the 2400 port. I presume Vonage does this so that the PAP2 can get through even if 2 of the 3 ports are blocked by your ISP or router. So, IMO you don't need TFTP on the other ports if there is nothing blocking those ports between your PC and your PAP2. This port cycling happened no matter the error: port not listening, file not found or bad file.

So, my PAP2 accepted the TFTP root file but will not accept the Special Directory copy of the same file. It never accesses the HTTP server and repeats asking for /SpecialDir/spa*.xml from ls.tftp.vonage.net every half hour using ports 69, 21 and 2400.

I tried retrieving /SpecialDir/spa*.xml from ls.tftp.vonage.net myself but got "File not found". Huh ? Shouldn't that file be there ? I tried removing my SpecialDir file to see if that was some trick but it didn't help.

If I TFTP the spa*.xml file from vonage I seem to get a different file each time. Is this normal ? Perhaps the file is encrypted with some randomness ?

BTW, it appears as if DogFace05 is the only one who knows how to NAIze. Is there some secrecy as to what he charges ?

Thanks...
hiremichael

1 edit

hiremichael

Member

Some observations to share:

Ethernet crossover cable not needed (For me at least). A lot of modern ethernet stuff works no matter if a straight thru or crossover cable is used. I don't know if it's the PAP2 or my PC and laptop, but either cable works for me.

I'm running Ubuntu Linux (Feisty) and had problems with TFTPD. Vonage asks for "/spa*.xml" not "spa*.xml" so the standard /srv/tftp directory did not work for TFTP root. I had to use the root dir for the spa*.xml file and copied it to a /SpecialDir off of the root. I also had to change ownership of the files and special dir to user "nobody".

To be clear, upper case letters are needed in MAC address portion of spa*.xml file name. I thought somebody had said lower. UPPER !

As far as I can tell, the NTP requests to time.vonage.net are benign to the unlock process whether you are running a NTP server or peer or not. Same with the SIP requests to ccivr.vonage.net.
mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo to hiremichael

Premium Member

to hiremichael
said by hiremichael:

My PAP2 was just purchased new from Staples in Canada and is FW 3.1.9c and has never had access to the internet.
Just curious, unless you got this PAP2 very inexpensive from your local Staples and/or unless you want to waste your time to learn on how to hack/unlock a PAP2v2 with a firmware v3.1.9c, you are better off to return this product and use your money to purchase a PAP2T-NA that is not locked.