AT&T CallVantage → Unlock DVG-5102S -- Anyone found a way?

With AT&T dumping all their CV customers, there are going to be thousands of these DLink DVG-5102S units sitting around, useless. I've googled around but haven't found any positive clues these units might be unlock-able, or any 3rd party firmware (like the dd-wrt firmware for Linksys, etc).

Seems a real shame to throw this box away when it's only about 15 months old, and I don't need another doorstop.

Anyone heard new rumors of unlock-ability? This would be a nice little BYOS (bring-your-own-sip) device for another VoIP service.

I have been looking too. I would sure like to use it as just a router if nothing else, but as a TA on a BYOA would be cool too!

Too bad AT&T didn't have the decency to unlock it on the way out. They're pushing all their CV subscribers out the door, and leaving (how knows how many) TAs behind which will be useless now.

I hate to throw away a perfectly good piece of network/VoIP gear.

There is nothing to stop you from continuing to use the DVG-5102S as a router.

As for the VoIP features, it appears to have been designed for remote provisioning only, so using it with another service would be unlikely even if CallVantage supplied its discarded users with the magic username/password to access the limited SIP controls (which consisted of only being able to point the router to the provisioning server).

This reminds me of when DirecTV DSL ceased operations. They also had a custom gateway with remote provisioning. Some clever ISPs spoofed DirecTV's provisioning servers.

Has anyone analyzed the "conversation" that the D-link has with the provisioning server?

It probably would not help since the conversation is likely encrypted (notice the https protocol in the provisioning server url shown in the image capture I posted previously).

I took mine apart and found it's made up of:

esmt m12l128168a-7t azg2p70f3 071b (16MB RAM)

ubicom ip3023/bg228-250u 10dh0717aa (processor, no linux kernel support)

ic+ ip101a lf 0704s16 fnr1606.1f (2x ethernet transceivers)

hc55185 ecmzr4854 p0714bb8b (2x VOIP Ringing SLIC -- phone interface)

voicepump vp101x12dqc-2 cv4203.00 tmf050d0001e 0718 (VOIP)

7D545 1412d ? (4MB flash?)

Linux-based firmware won't work because Linux doesn't run on the IP3023. I thought about trying to find another IP3023-based VOIP router in hopes that the firmware for it might work but I can't find one.

At this point the best bet is probably to try to fake the provisioning part. As NetFixer mentioned, this is done over SSL so this probably won't be possible unless the device is sloppy about checking certificates. Mine makes two https connections to sasvp.callvantage.att.com (12.194.240.10) which presents an RSA Data Security, Inc. signed cert. The client doesn't like it and hangs up, then opens another connection 30 seconds later and accepts a very similar certificate. The rejected cert has an OU of VOIP - 1 Single and the accepted one has VOIP - 3 Single. It seems odd to me that 12.194.240.10 would give out two different certificates...