VOIP etc > Voice Over IP - VOIP > VOIP Tech Chat > VONAGE VT2142 unlock help

reply to usbjtag

Re: VONAGE VT2142 unlock help

If you just need to unlock one router it is not need to buy a fast JTAG> Build a simple JTAG. I will compile how to and latter post at www.usbjtag.com.
There is no need to downgrade the firmware to be able to get admin access.
All you need to do is erase the log and cfg and then modify the ADMIN_PWD key. The same method applies to RTP300. I have not tested with WRTP54G. But should be the same.

If you have a VT2142 and log in as router/router, go to tools and export the config. You then unzip the file to xml, your VONAGE phone password is in it.

The same tech works for RTP300.
The theory is once you erase the log and cfg patition, the firmware will load the default admin password stored in bootblock. The well know hash of the Admin can be put in the boot and it will be the new password of admin.
Since those Vt2142 has flash types that has to be distinguished by the CFI command, I need to finish the software and then make a step by step unlock VT2142, VT2442 and new steps of RTP300. (I do not have other devices yet). I have already posted the RTP300 in the forum but will make it more public along with VT2X42 unlock.

reply to meister_sd
I've used the technique so far on RTP300, WRTP54G, Moto VT2142, Moto VT2442, Linksys PAP2v2, D-Link VWR-VD. It should work for the Vtech IP8100 as well, except not all the JTAG pins are present.
Basically I save the first 128K of the flash using the JTAG, then look for ADMIN_PWD, HASH_DIR and CRYPT_KEY. I replace the value for ADMIN_PWD with a known hash such as ABW9wzpK6VV4Q ("Admin") and get rid of HASH_DIR and CRYPT_KEY completely (to prevent any further provisioning). I also look for CONSOLE_STATE and set it to unlocked. Then upload the bin file back to the same location, boot up to the PSP loader and use the console to erase CONFIG_A and CONFIG_B.
That's all, after this you can boot up, and use Admin/Admin to login and point the provisioning to your own TFTP or HTTP server.

Agree. No need to downgrade to special firmware to work. Yet RTP-300 has NA version of firmware and that is good choice after unlocked.

reply to toro

I have not tested ADM5120 myself.
If I have a full flash dump, I can convert linksys to true -NA version. Not only the product ID. There are other data in the boot makes it non-NA.

reply to meister_sd

If we use TFTP to upgrade we can change the product ID.
If we just modify the product ID and still want to use web upgrade page to upgrade it will never fire up.
A complete re-program the whole flash with MAC modified can make it a true -NA. With USB JTAG program a whole flash will take only about 2 minute include the erasing. Not 90 hours to program. So it makes the re-factory the router possible and fast too. The programming time is so fast and you will take long time to open the box and put back than the programming.

I program the flash with JTAG. It is faster than TFTP as I do not need second cable to run the console. One tool is all I need to program the flash.
But I would prefer to get a clean NA dump and modify the mac address to make a new flash dump. This will create a clean NA box.
Just modify the product ID will still have some left overs in the boot. (Some Vonage urls and paths).

Does the SSL certificate belongs to Vonage?
Actually it is not hard to find all the left overs and remove them as they are pure text and no checksum applied to the boot for those parameters. A few tries can make reasonable "clean" boot and a good NA VOIP box can be created.
One thing I am interested recently is I found people complaining it is difficult to configure VT2442 box even it is unlocked. You need to use CYT to push the configuration in. I noticed if you log in as admin (even router) you can export the config file.
In admin we can import the config file. If we can make a legal configure file we can config the box without CYT tool and it will be much easier. I have found how to generate the proper config based on xml file but the CRC calculation of the config is blocking me. I have searched the source code from CYT devices but non of the CRC algorithms work for the configuration. I think this should be that hard and once we have done that we only need a free xml notepad to configure the VT2x42 box.

Totally agree with you.
Export the configure and unzip it still have some value as it is much easier to get the configuration from VOnage and de-cipher it. Someone would like to use software with their current account. The configuration on the box is much easier to unzip than to decode the Vonage xml file.

FWIW, you may want to be aware of the potentially very serious legal trouble you could risk exposing yourself to by modifying the product ID.

Here in the US, it would constitute a violation of the DMCA (H.R.2281, Sec. 1201, Circumvention of copyright protection systems), as the product ID controls access to code that the device owner has not been licensed to use with the device as sold by its manufacturer. I'm not familiar with the laws in Canada, but the US DMCA is part of a wider international treaty known as WIPO, which Canada is also a signator of. It is therefore very likely that the same, or similar laws apply there as well.

Furthermore, modifying the product ID and distributing the device as an -NA, also falls into the realm of counterfeiting, with very severe penalties here in the US (10-20 years in jail). Again, counterfeiting laws are very similar in most western countries, and are the result of international treaties. Even if the laws happened to be more liberal up north of the border, if you plan on exporting/distributing any such modified devices to the US, you effectively become bound by and subject to US law.

Note that Cisco/Linksys do not seem to have bothered legally persuing any such cases todate. However, there's nothing to stop them, should they choose to, as our current laws give them every right to. And even if Cisco/Linksys don't bother persuing any legal action, there are several other parties with intellectual property rights in the firmware of these devices, who could if so inclined.

I don't mean to scare you--just pointing out the potential risks that you could expose yourself to. If you're just doing it for personal use, there's probably little to worry about. However, should you plan on distributing such modified devices, it may be in your best interest and peace of mind to first consult with a lawyer versed in such legal matters.

I agree. But if you are not for the reason to make money and you play with it, I think it is OK for the testing purpose. There is nothing legal as to program third party firmware. Or modify the NA to program on an non-NA router. Saying that everything sold on eBay saying UNLOCKED is somewhat questioned.

reply to toro

Yes, it's possible, but I don't know the algorythm for obtaining the RC4 key from the CRYPT_KEY (I know for sure it depends on the ADMIN_PWD and CRYPT_KEY).
If anyone is willing to try and find it, I can provide a few combinations of ADMIN_PWD, CRYPT_KEY and the resulting RC4 key.