VOIP Tech Chat → [Unlock] Unlocking Linksys SPA2102 adapter

I filled DCHP tab of tftpd32 with details, add option you mentioned into the ini file, run it and sniffed traffic when ATA powered on, but didn't find anything that pointed to a .cfg file.

Please confirm that the DHCP ACK received by the ATA contained option 66 in the proper format.

I'm not sure about this, added into DHCP tab tftpd32 settings from my default network adapter (IP address, subnet mask, default gateway) and the additional options. I'm not sure how this additional DHCP server can work at the same time with default DHCP?
I tried click Release settings on network adapter, this cause adapter to discard DHCP network settings, then disconnect from the network, but then network connection is lost.

You're not supposed to use your default DHCP server. You should have only the ATA and your computer connected to the network (hub) and let the ATA get an IP address from tftp32

I did this, in tftpd32 dhcp "additional option" specified IP address of PC and port 66. Capture have 'Parameter request list' where specfied line 66=TFTP Server Name. But I didn't find address of this TFTP.

The DHCP server that answered the ATA's request does not appear to be the one that you set up. It would be simplest if for this test, you disconnect your hub from the rest of your network, leaving only the ATA and your PC (that is running your DHCP server) connected.

Also, your network seems to be quite complicated, with both public (91.x.x.x) and private (10.x.x.x) on the same LAN. If your PC has more than one NIC, make sure that your DHCP server is bound to the correct interface. Or, temporarily disable any interfaces not used for this test.

my network is very simple, only ATA and one PC is connected to hub, and cable modem is connected to uplink port on a hub. PC have one network card. Private IPs assigned to ATA. There're also visible names of few .bin files, which belong to a cable config files, I guess. But one file named D3-SIP.bin

Just temporarily unplug the connection from cable modem to hub, start up the DHCP server on your PC, start a Wireshark capture, then reboot the ATA. Your DHCP server should answer the requests from the ATA and put option 66 in the ACK.

Once you have that working correctly, you should see the ATA then make a TFTP request to the address you send in the option 66. If it does, i.e. the provisioning settings were left at defaults by your provider, you should be able to send it a config file to reset the admin password or make any other desired changes.

To keep things simple, your TFTP server should assign an address to the ATA that is in the same subnet as the PC. (If the ATA gets a 10.x.x.x address and the PC has a 91.x.x.x address, the ATA won't be able to talk to the PC, with the cable modem disconnected.)

I did test with cable modem unplugged from hub. It show TFTP server name with IP specified in dhcp server tab, and config file name /spa2102.cfg
But I dont know where I can get this file, and it settings. If I upload new config, then the old settings (programmed manually) will be removed, and ATA will not work.

This is looking good.The config file should not wipe anything out. It will only change the parameters that are specified in the file. For example, this file:

<?xml version="1.0" encoding="UTF-8"?>
<flat-profile>
 <Admin_Passwd ua="na">1234</Admin_Passwd>
</flat-profile>
 

should change the admin password to 1234 and leave everything else unchanged.

How to upload this .cfg config into the ATA?

Put the text into a file named spa2102.cfg, which should be located in the directory specified by Current Directory on the Tftpd32 screen. For debugging, also start a Wireshark capture. Reboot ATA. If you have trouble, report what error is returned (as shown by Wireshark) and what, if anything, is logged on the Tftp server screen.

and the address of ATA web interface will be an IP address of Server interface from tftpd32?

Once the ATA has successfully read by TFTP (and presumably applied) your config file, you can restore your normal setup and access the ATA's web interface as usual.

The ATA's WAN address is normally what it got by DHCP. If you pick up the phone and dial **** (hear configuration menu prompt) and then 110#, you should hear the IP address spoken. If you open a web browser at that address with /admin/ (e.g. if address is 10.11.12.13, use 10.11.12.13/admin/) you should get a prompt for username (use admin) and password (use whatever you set).

If you don't get the prompt, confirm that you can ping the ATA. If not, check that ATA and PC are on the same subnet, etc. If you can ping it but not access the web page, dial **** then 7932#. If prompted for password, enter the admin password you set, followed by #. Enter 1# for value and 1 to save. Then, try to access the web page again.

If no luck, dial **** then 210# to hear the LAN address (defaults to 192.168.0.1). Temporarily connect a PC to the LAN port and try to access that address, e.g. 192.168.0.1/admin/ .

I had problem to upload config file in the beginning, but I managed to solve it. The spa2102.cfg was in Current Directory, shown in Tftpd (in same dir with Tftpd). Tftpd32 shows an error in Log viewer window:

Read request for file </spa2102.cfg>. Mode octet [21/12 21:50:05.790]
Error EACCESS on file \spa2102.cfg. Ext error The directory name is invalid. [21/12 21:50:05.790]
 

I changed in Tftpd32 settings the Base Directory from (.) dot to path to Tftpd folder, and also in 'TFTP Security' changed from Standard to None. This helped, config was uploaded and ATA is unlocked now. Thanks for your help!

I'm glad to hear that you got it working.

One last comment: this scheme does not give you access to the SIP password for the existing account in Line 1. If you want that account to keep working, you need to be careful not to accidentally change it, because you have no way to restore the old setting. Be sure that that you don't set the Line 1 password from the web interface or from a config file, and that you don't perform a factory reset. This last one means that you should avoid making any changes, e.g. to the network settings, that could result in losing control of the device.

yes, I see this. So, in this case the only way to get sip password would be hardware way, i.e. to to read MX29LV160ATTC-70 flash memory and dump it content.

Unfortunately, I know almost nothing about the internals of Linksys ATAs.

It might be difficult to read the device, e.g. it may not be set up for JTAG, or an in-circuit read may be thwarted by other connections to the required pins. Although of course you could physically remove it for reading, you'll need surface-mount rework equipment and a reasonably recent device programmer; perhaps you have that available at your workplace.

The next hurdle is that the data is likely compressed and/or utilizes an error-correcting code. It may take considerable effort to figure out how that works, and if it is non-standard, you would need to write your own decoder/uncompressor.

If you really want those credentials, IMO there are easier approaches; what's best for you is determined by your skill set and interests.

There is definitely no connector pins on board. I think the most important is, does this chip have In-Circuit-Programming capability or not. If it does not have this capability and therefore, must be removed from PCB to be READ, then it's just not worth the effort, as desoldering a chip, then soldering it back would be very difficult procedure without use an industrial equipment.