 toro
join:2006-01-27 Scarborough, ON
·TekSavvy Solutions..
| reply to usbjtag Re: VONAGE VT2142 unlock help
| If we use TFTP to upgrade we can change the product ID. If we just modify the product ID and still want to use the web upgrade page to upgrade, it will never fire up.
How do you change the Product ID without reprogramming the flash with a JTAG? In my case the process is always the following:
- read the boot and env blocks with JTAG
- change the product ID, remove the env variables I don't need
- write back the boot and env blocks
- at this point, the router won't boot up anymore, because the existing firmware has a different Product ID than the environment key
- use TFTP to program the 3.1.x firmware
After this, the router will boot up and can be flashed with -NA firmwares from the web interface. |
|
 usbjtag
join:2008-10-21 Burnaby, BC
| I program the flash with JTAG. It is faster than TFTP as I do not need a second cable to run the console. One tool is all I need to program the flash. But I would prefer to get a clean NA dump and modify the MAC address to make a new flash dump. This will create a clean NA box. Just modifying the product ID will still leave some leftovers in the boot (some Vonage URLs and paths). |
|
 toro
join:2006-01-27 Scarborough, ON
·TekSavvy Solutions..
| Just modifying the product ID will still leave some leftovers in the boot (some Vonage URLs and paths).
Correct. Those are the HASH_DIR and CRYPT_KEY I mentioned in an earlier post, which I normally remove. Just one thing I want to mention: if you're really picky about the way you unlock these routers, if you clone another router by changing the MAC addresses and Serial Number, the SSL certificate stored in the flash will become invalid. This is no big deal for 99% of the home users. However some VoIP providers use it for secure remote provisioning, to ensure that no-one except the Linksys router with the right MAC address can download a certain configuration file. |
|
 usbjtag
join:2008-10-21 Burnaby, BC
| Does the SSL certificate belong to Vonage? Actually it is not hard to find all the leftovers and remove them as they are pure text and no checksum is applied to the boot for those parameters. A few tries can make a reasonably "clean" boot and a good NA VoIP box can be created. One thing I have been interested in recently: I found people complaining it is difficult to configure the VT2442 box even if it is unlocked. You need to use CYT to push the configuration in. I noticed if you log in as admin (even router) you can export the config file. In admin we can import the config file. If we can make a legal config file we can configure the box without the CYT tool and it will be much easier. I have found how to generate the proper config based on the xml file but the CRC calculation of the config is blocking me. I have searched the source code from CYT devices but none of the CRC algorithms work for the configuration. I think this shouldn't be that hard, and once we have done that we only need a free xml notepad to configure the VT2x42 box. |
|
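The CRC problem in the post above (an exported config whose checksum does not match any algorithm tried so far) is usually attacked by trial-matching the stored value against the catalogued CRC-16/CRC-32 parameter sets, in both byte orders, with the checksum assumed to sit either before or after the data it covers. The block below is an added example, not code from the thread or from any CYT or Vonage tool; the config layout is unknown, so the sample blobs are constructed and the preset table is the public Rocksoft-model catalogue.

```python
"""Trial-match a config blob's checksum against catalogued CRC parameter sets.

Added example, not code from the thread. The config layout is unknown, so
this assumes only that the CRC sits either in front of or behind the data it
covers; the sample blobs below are constructed.
"""
import struct
import zlib

# Rocksoft-model parameters: width, poly, init, refin, refout, xorout.
PRESETS = {
    "CRC-16/ARC":         (16, 0x8005, 0x0000, True,  True,  0x0000),
    "CRC-16/MODBUS":      (16, 0x8005, 0xFFFF, True,  True,  0x0000),
    "CRC-16/KERMIT":      (16, 0x1021, 0x0000, True,  True,  0x0000),
    "CRC-16/X-25":        (16, 0x1021, 0xFFFF, True,  True,  0xFFFF),
    "CRC-16/XMODEM":      (16, 0x1021, 0x0000, False, False, 0x0000),
    "CRC-16/CCITT-FALSE": (16, 0x1021, 0xFFFF, False, False, 0x0000),
    "CRC-32/ISO-HDLC":    (32, 0x04C11DB7, 0xFFFFFFFF, True,  True,  0xFFFFFFFF),
    "CRC-32/JAMCRC":      (32, 0x04C11DB7, 0xFFFFFFFF, True,  True,  0x00000000),
    "CRC-32/BZIP2":       (32, 0x04C11DB7, 0xFFFFFFFF, False, False, 0xFFFFFFFF),
    "CRC-32/MPEG-2":      (32, 0x04C11DB7, 0xFFFFFFFF, False, False, 0x00000000),
    "CRC-32/POSIX":       (32, 0x04C11DB7, 0x00000000, False, False, 0xFFFFFFFF),
    "CRC-32C":            (32, 0x1EDC6F41, 0xFFFFFFFF, True,  True,  0xFFFFFFFF),
}


def reflect(value, width):
    """Bit-reverse `value` within `width` bits."""
    return int(f"{value:0{width}b}"[::-1], 2)


def crc(data, width, poly, init, refin, refout, xorout):
    """Bitwise CRC for any Rocksoft-model parameter set (slow but exact)."""
    mask = (1 << width) - 1
    reg = init & mask
    if refin:
        # Reflected algorithm: shift right, use the bit-reversed polynomial.
        rpoly = reflect(poly, width)
        for byte in data:
            reg ^= byte
            for _ in range(8):
                reg = (reg >> 1) ^ rpoly if reg & 1 else reg >> 1
    else:
        top = 1 << (width - 1)
        for byte in data:
            reg ^= byte << (width - 8)
            for _ in range(8):
                reg = ((reg << 1) ^ poly) if reg & top else (reg << 1)
                reg &= mask
    if refin != refout:
        reg = reflect(reg, width)
    return (reg ^ xorout) & mask


def identify(blob):
    """Return every (preset, placement, byte order) under which the CRC of the
    rest of the blob equals the bytes stored at that placement."""
    hits = []
    for name, params in PRESETS.items():
        n = params[0] // 8
        if len(blob) <= n:
            continue
        for placement, stored, body in (
            ("trailer", blob[-n:], blob[:-n]),
            ("header", blob[:n], blob[n:]),
        ):
            value = crc(body, *params)
            for order in ("big", "little"):
                if int.from_bytes(stored, order) == value:
                    hits.append((name, placement, order))
    return hits


# Constructed stand-ins for an exported config (not a real VT2442 export).
CONFIG_BODY = b"<config><line1><user>1001</user><proxy>sip.example.invalid</proxy></line1></config>"
SAMPLE_TRAILER32 = CONFIG_BODY + struct.pack("<I", zlib.crc32(CONFIG_BODY))
SAMPLE_HEADER16 = struct.pack(">H", crc(CONFIG_BODY, *PRESETS["CRC-16/CCITT-FALSE"])) + CONFIG_BODY

if __name__ == "__main__":
    for label, blob in (("trailer32", SAMPLE_TRAILER32), ("header16", SAMPLE_HEADER16)):
        print(label, identify(blob) or "no catalogued CRC matched")
```

Run it on the raw bytes of the exported file. If nothing in the table matches, the next things to vary are the range the checksum covers (a header with a length or version field is often excluded) and the polynomial itself; a tool such as CRC RevEng can recover unknown parameters from several sample files with known checksums.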
 toro
join:2006-01-27 Scarborough, ON
·TekSavvy Solutions..
| Does the SSL certificate belong to Vonage?
No, the SSL certificate is issued by Linksys.
Actually it is not hard to find all the leftovers and remove them as they are pure text and no checksum is applied to the boot for those parameters. A few tries can make a reasonably "clean" boot and a good NA VoIP box can be created.
That's the point, you should NOT erase the SSL certificate.
I found people complaining it is difficult to configure the VT2442 box even if it is unlocked. You need to use CYT to push the configuration in. I noticed if you log in as admin (even router) you can export the config file.
The configuration can be uploaded using a TFTP or HTTP server; I think many people do it this way rather than using the CYT unlocker. Plus the CYT unlocker doesn't work for the newest firmware versions. In my opinion it is easier to use this method than encrypting/compressing a configuration file. But that's just me. |
|
 usbjtag
join:2008-10-21 Burnaby, BC
| Totally agree with you. Exporting the config and unzipping it still has some value, as it is much easier to get the configuration from Vonage and decipher it. Someone would like to use software with their current account. The configuration on the box is much easier to unzip than to decode the Vonage xml file. |
|
  DogFace05
join:2005-12-09 Cary, NC
| FWIW, you may want to be aware of the potentially very serious legal trouble you could risk exposing yourself to by modifying the product ID.
Here in the US, it would constitute a violation of the DMCA (H.R.2281, Sec. 1201, Circumvention of copyright protection systems), as the product ID controls access to code that the device owner has not been licensed to use with the device as sold by its manufacturer. I'm not familiar with the laws in Canada, but the US DMCA is part of a wider international treaty known as WIPO, which Canada is also a signatory of. It is therefore very likely that the same, or similar laws apply there as well.
Furthermore, modifying the product ID and distributing the device as an -NA, also falls into the realm of counterfeiting, with very severe penalties here in the US (10-20 years in jail). Again, counterfeiting laws are very similar in most western countries, and are the result of international treaties. Even if the laws happened to be more liberal up north of the border, if you plan on exporting/distributing any such modified devices to the US, you effectively become bound by and subject to US law.
Note that Cisco/Linksys do not seem to have bothered legally pursuing any such cases to date. However, there's nothing to stop them, should they choose to, as our current laws give them every right to. And even if Cisco/Linksys don't bother pursuing any legal action, there are several other parties with intellectual property rights in the firmware of these devices, who could if so inclined.
I don't mean to scare you--just pointing out the potential risks that you could expose yourself to. If you're just doing it for personal use, there's probably little to worry about. However, should you plan on distributing such modified devices, it may be in your best interest and peace of mind to first consult with a lawyer versed in such legal matters. |
|
 usbjtag
join:2008-10-21 Burnaby, BC
| I agree. But if you are not doing it to make money and you just play with it, I think it is OK for testing purposes. There is nothing legal as to programming third-party firmware, or modifying the NA to program on a non-NA router. Saying that, everything sold on eBay saying UNLOCKED is somewhat questionable. |
|
 Teksavvy1
join:2008-03-29
3 edits | reply to johngd Unlock Motorola VT2142 and VT2442
I have collected the information I used to unlock my VONAGE VT2142 and VT2442: unlockvt2442.com
-- found link www.unlockvta.com 4 Unlocking the Vonage VTA |
|
 Teksavvy1
join:2008-03-29 1 edit | reply to meister_sd I have collected the information I used to unlock my VONAGE vt2142 and VT2442: www.unlockvt2442.com
-- found link www.unlockvta.com 4 Unlocking the Vonage VTA |
|
 usbjtag
join:2008-10-21 Burnaby, BC
| reply to johngd I made a script to modify the RTP300 to accept NA firmware. As DogFace05 mentioned, changing the productID might be illegal but technically it is possible. All it does is:
1. Empty all the keys. Make the Admin password empty.
2. Change the productID.
3. Modify the stock firmware by one byte to allow programming via JTAG.
4. Program two copies of the Linksys firmware.
5. Erase the two copies of configuration and the log.
After those steps the RTP300 looks truly NA to me and will never be factory re-locked. |
|
 mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA
| said by usbjtag: 1. Empty all the keys. Make Admin password empty.
AFAIK, this is OK.
said by usbjtag: 3. modify the stocked firmware one byte to allow program via JTAG.
I doubt this is needed through a JTAG cable.
said by usbjtag: After those steps the RTP300 looks truly NA to me and never will be factory re-locked.
Have you confirmed this by flashing back a Vonage firmware to see if it will re-lock after a factory reset?
-- Mazilo always prays for FREEBIES! US Phone: +1-678-601-0907 UK Phone: +44-703-194-2574
|
|
 toro
join:2006-01-27 Scarborough, ON
·TekSavvy Solutions..
| said by mazilo: Have you confirmed this by flashing back a Vonage firmware to see if it will re-lock after a factory reset?
The Vonage firmware can't be flashed back on the device once the ProductID has been changed (unless one would patch the Vonage firmware to have the RTP300-NA ProductID, which doesn't make much sense). |
|
 usbjtag
join:2008-10-21 Burnaby, BC | reply to mazilo Yes, if you do not modify one BYTE from ff to 0x57 it will not boot. The upgrade process will modify that byte for you.
Why would I want to have the Vonage firmware? The default directory is built into the firmware. |
|
 mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA
| said by usbjtag: Why I want to have the Vonage firmware?
I didn't ask you to flash a Vonage firmware; I just asked if you can confirm the device will re-lock itself after a factory reset if you re-flash your device with a Vonage firmware. This way what you said in your post, quoted below, will be true.
said by usbjtag: After those steps the RTP300 looks truly NA to me and never will be factory re-locked.
|
|
  meister_sd Premium join:2006-01-29 La Mesa, CA
| reply to usbjtag said by usbjtag: 2. Change the productID.
Are you talking about the area around 0x0000d53d? If I change anything in that area, including the password, it won't boot.
Can I see the script? |
|
 usbjtag
join:2008-10-21 Burnaby, BC
| Here is the script.
// modify the password. Find ADMIN_PWD in here; the password starts at 0x9000d575
// Replace 9000d575 with your address
// Modify it with empty password. ABW9wzpK6VV4Q
e 9000d575 41 42 57 39 77 7a 70 4b 36 56 56 34 51
// Empty CRYPT_KEY
// replace 9000d52a with your address of CRYPT_KEY
e 9000d52a 0
// Empty HASH_DIR
// replace 9000d515 with your address of HASH_DIR
e 9000d515 0
// Modify the ProductID to CYLM
// replace 9000d43d with your address of ProductID
e 9000d4ed 43 59 4c 4D
// program the boot
pause
program boot
// Erase log
f log ff
pause
program log
// erase the cfg
f cfg ff
pause
program cfg
// erase the cfg1
f cfg ff
pause
program cfg1
// Load the initial Linksys firmware to kernel
ldram kernel
// modify so it can boot
e 9002000b 57
// program the kernel
pause
program kernel
// Load the initial Linksys firmware to kernel1
ldram kernel1
// modify so it can boot
e 9040000b 57
// program the kernel1
pause
program kernel1
// You have finished the unlock. Good luck |
|
 toro
join:2006-01-27 Scarborough, ON
·TekSavvy Solutions..
| You can't use hardcoded addresses to change the environment variables. If you take another router, same model but made at a different time, the environment variables will be located in the same area but different addresses (mostly due to minor version differences in the boot loader code). You will need to either use the same boot loader dump, or implement a search feature. |
|
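The point toro makes above is the one that breaks scripts like the JTAG one earlier in the thread: the variables move between boot-loader builds, so the edit has to locate each one by name. The block below is an added example, not code from the thread; it assumes the environment is stored as NUL-terminated NAME=value text (the posts describe it as plain text with no checksum) and that the 0x9000xxxx addresses in the script are the dump offset plus an assumed base of 0x90000000. It patches the same four names the script does (ADMIN_PWD, CRYPT_KEY, HASH_DIR, ProductID with the value CYLM); where the script writes a single 0 byte at the start of a value, this one overwrites the whole old value with NULs so none of it is left behind. The sample dump is constructed.

```python
"""Find boot-environment variables in a flash dump by name and patch them in place.

Added example, not from the thread. Assumptions: variables are stored as
NUL-terminated NAME=value text (the posts describe them as plain text with no
checksum), and a 0x9000xxxx address in the JTAG script equals the dump offset
plus 0x90000000. The sample dump at the bottom is constructed.
"""
import re

FLASH_BASE = 0x90000000  # assumed: memory address = FLASH_BASE + offset into the dump

# Variables the thread's JTAG script edits, with the values it writes
# ("CYLM" is the ProductID the script uses; the others are emptied).
UNLOCK_PATCHES = {
    b"ADMIN_PWD": b"",
    b"CRYPT_KEY": b"",
    b"HASH_DIR": b"",
    b"ProductID": b"CYLM",
}

_ENTRY = re.compile(rb"([A-Za-z_][A-Za-z0-9_]*)=([\x20-\x7e]*)\x00")


def to_offset(address):
    return address - FLASH_BASE


def to_address(offset):
    return FLASH_BASE + offset


def list_env(dump):
    """All (offset, name, value) triples that look like NAME=value\\0 entries."""
    return [(m.start(), m.group(1), m.group(2)) for m in _ENTRY.finditer(dump)]


def find_env(dump, name):
    """(value_offset, value) of the first entry named exactly `name`, or None.
    The look-behind rejects partial hits such as OLD_HASH_DIR when asked for HASH_DIR."""
    pat = re.compile(rb"(?<![A-Za-z0-9_])" + re.escape(name) + rb"=([\x20-\x7e]*)\x00")
    m = pat.search(dump)
    return (m.start(1), m.group(1)) if m else None


def set_env(dump, name, new_value):
    """Overwrite a value in place, padding the old slot with NULs.
    Growing a value is refused: it would shift every variable after it."""
    hit = find_env(dump, name)
    if hit is None:
        raise KeyError(name)
    off, old = hit
    if len(new_value) > len(old):
        raise ValueError(f"{name!r}: {len(new_value)} bytes do not fit the {len(old)}-byte slot")
    padded = new_value + b"\x00" * (len(old) - len(new_value))
    return dump[:off] + padded + dump[off + len(old):]


def apply_unlock(dump, patches=UNLOCK_PATCHES):
    """Apply every patch by name, so the result does not depend on where a
    particular boot-loader build placed the variables."""
    for name, value in patches.items():
        dump = set_env(dump, name, value)
    return dump


# Constructed dump: 0xFF filler around a few entries at made-up offsets.
SAMPLE_DUMP = (
    b"\xff" * 0x40
    + b"OLD_HASH_DIR=keep/me\x00"
    + b"HASH_DIR=/some/dir\x00"
    + b"CRYPT_KEY=0123456789abcdef\x00"
    + b"ProductID=ABCD\x00"
    + b"ADMIN_PWD=xxxxxxxxxxxxx\x00"
    + b"\xff" * 0x20
)

if __name__ == "__main__":
    for off, name, value in list_env(SAMPLE_DUMP):
        print(f"{to_address(off):#010x} {name.decode()}={value.decode()}")
    patched = apply_unlock(SAMPLE_DUMP)
    print("after:", [(n.decode(), v.decode()) for _, n, v in list_env(patched)])
```

Feed it the boot/env block read out with JTAG and write the returned bytes back; because entries are located by name, the same patch set works against a boot loader from a different build. Values can only shrink or stay the same length here, which matches what an in-place memory edit can do; MAC addresses and the serial number are left alone, since in the procedure toro describes they are set afterwards from the serial console rather than patched in the dump.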
  meister_sd Premium join:2006-01-29 La Mesa, CA
| said by toro :You can't use hardcoded addresses to change the environment variables. Right - that is why he said this:
"Find ADMIN_PWD in here the password start at 0x9000d575"
But I haven't had any luck changing anything in this area. Even if I change one byte in the Admin password - it won't boot and nothing shows in the console. I'm going to look more at his commands this weekend to see what needs to be changed using HairyDairy. |
|
 toro
join:2006-01-27 Scarborough, ON
·TekSavvy Solutions..
| I've unlocked many (30+) of these routers the following way:
- I have a good boot loader image with ADMIN_PWD changed, HASH_DIR and CRYPT_KEY, MAC addresses and the SerialNumber removed and the ProductID set to match the -NA version. Also the console state is set to unlocked
- I flash the boot loader with my image and erase the environment block
- reboot the router. It will automatically rebuild the environment block and stop at the boot prompt because the ProductID doesn't match
- at this point I use the serial console to set the environment variables for correct MAC addresses, SerialNumber, and then I format and flash the two firmware images using the -NA firmware
- now you can boot the router into the -NA firmware
There's no way that router can get locked again or even accept Vonage firmwares. |
|