
toro
join:2006-01-27
Scarborough, ON

3 edits

8 recommendations

toro

Member

[Unlock] Unlocking the BasicTalk ATA

Important NOTE: a better unlocking method has been posted later in this thread. Please see this post for a permanent unlock developed by mackey. My soft unlock may help in some cases if the ATA has "called home".

I have some good news for those of you looking for an inexpensive ATA.
I just got my hands on a couple of BasicTalk ATAs yesterday (I've had my eyes on them for a few months but I live in Canada and don't go to the US that often) and I put together a small tutorial for unlocking them.
The ATA is a Grandstream HT701 with a customized firmware.
I posted it on my website at »voipfan.net/unlock/ht701bt.php
I will leave the access open to everyone for a couple months then make it available to registered users (like my other unlocking tutorials).
Enjoy and if you run into any trouble please post here.

WhyADuck
Premium Member
join:2003-03-05

WhyADuck

Premium Member

I gave you a thumbs up on this because it is interesting and worthwhile information to have available, particularly if you somehow manage to pick up one of these devices relatively inexpensively or free. But on the other hand, with Obihai OBi100's going on sale every month or two for ~$30, I think that if you have to spend any actual money to get one of those HT701's, it might be better to wait for the next sale on the OBi100 to come along. Then you don't have to worry about trying to unlock it, and you are probably getting a much better device.

Still, I always appreciate it when someone posts this kind of information, because you never know when a device of this type is going to fall into your lap, and it's always interesting to be able to play around with these various devices and find out what their capabilities are.

toro
join:2006-01-27
Scarborough, ON

toro

Member

The BasicTalk ATAs are $10 at Walmart

cybersaga
join:2011-12-19
Selby, ON

cybersaga

Member

Nice work!

Can you flash it with Grandstream's firmware after unlocking it so it doesn't re-lock after factory reset?

toro
join:2006-01-27
Scarborough, ON

toro

Member

At this point it doesn't appear to accept the regular HT701 firmware. I would like to work on that too but I would need an unlocked HT701 to dump the flash chip and compare.
BTW, if anyone has one of those and a SPI flash programmer such as the USB JTAG, and is not afraid to tinker with their hardware, I would be very interested to get an image of your device. The flash chip is a MX25L3206E, should be pretty easy to read.
I found an unlocked HT701 locally but I am not very eager to spend another $40 just for this project.
scooper
join:2000-07-11
Kansas City, KS
·Google Fiber

scooper to toro

Member

to toro
While BasicTalk is an interesting concept - I just number ported my mother-in-law to Callcentric using an Obihai 110 (port just finished up including 911). I'm not so keen about the idea of trying to do unlocked devices myself, but I do find it interesting that you were able to do this.

toro
join:2006-01-27
Scarborough, ON

3 edits

2 recommendations

toro

Member

Unlocking the BasicTalk ATA made even easier !

OK, so I had an idea how to make this even easier, and here it is:
- disconnect your internet
- plug in the ATA, wait until it comes up and dial ***** to find the IP address
- login to the ATA with password "123" (that's the user password)
- go to the Basic tab and change all 4 DNS servers to 198.12.67.129 167.88.118.111
- click Update, Apply, Reboot
- reconnect your internet
- wait until the ATA reboots twice (you can do a ping -t ipaddress to find when it stops replying and comes back). Should be no more than 3-4 min
- your ATA should be unlocked, you can login with the password "admin" and configure it for your service provider

KA0OUV
Premium Member
join:2010-02-17
Jefferson City, MO

KA0OUV

Premium Member

Re: [Unlock] Unlocking the BasicTalk ATA made even easier !

Toro,

Notes for the tutorial:
tftpd32 does the DNS feature without a trial version. It can also act as a DHCP server to bring the box up with a direct Ethernet connection.
»tftpd32.jounin.net

WhyADuck
Premium Member
join:2003-03-05

WhyADuck to toro

Premium Member

to toro
said by toro:

OK, so I had an idea how to make this even easier, and here it is:
- disconnect your internet
- plug in the ATA, wait until it comes up and dial ***** to find the IP address
- login to the ATA with password "123" (that's the user password)
- go to the Basic tab and change all 4 DNS servers to 198.12.67.129
- click Update, Apply, Reboot
- wait until the ATA reboots twice (you can do a ping -t ipaddress to find when it stops replying and comes back). Should be no more than 3-4 min
- your ATA should be unlocked, you can login with the password "admin" and configure it for your service provider

Are you supposed to reconnect your internet at some point during this process, like maybe after you've changed the DNS addresses AND clicked Update, Apply, Reboot? If so, you might want to edit your post to mention that.

toro
join:2006-01-27
Scarborough, ON

toro

Member

Updated, thanks
ogdensburg
join:2006-12-12
Ogdensburg, NY

ogdensburg

Member

I use 198.12.67.129 as DNS and it got unlocked. After that, I played on it and did a factory default (off internet). When I put the DNS back, again, I put 192.12.67.129 (should be 198.x.x.x) and connected to internet. Now it's locked. I can't use IVR to do factory default either. Please help.
mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo

Premium Member

said by ogdensburg:

I use 198.12.67.129 as DNS and it got unlocked. After that, I played on it and did a factory default (off internet). When I put the DNS back, again, I put 192.12.67.129 (should be 198.x.x.x) and connected to internet. Now it's locked. I can't use IVR to do factory default either. Please help.

Have you tried to use 198.x.x.x and see if it will unlock?

BTW, does anyone here know the link to download the latest firmware?

toro
join:2006-01-27
Scarborough, ON

toro to ogdensburg

Member

to ogdensburg
The way the "easy" procedure works, is that your ATA's DNS is pointing at a server that I own, which has a DNS zone for vonage.net and the host httpconfig.vonage.net points to the same server which also hosts a web server that will serve the configuration file which resets the settings. Once the configuration file is served, the DNS servers are replaced with some public ones (Google's public DNS servers and the OpenDNS servers).
My DNS server should not be used after the ATA is unlocked, because it cannot resolve other hosts or domain names.
Also, as I think I mentioned before, factory reset is not safe (regardless of which unlock procedure you use). If you do a factory reset you must unlock the ATA again before it has a chance to connect to the internet. Otherwise it will download its configuration from Vonage and the unlock will not work anymore. I realize this sucks, but it's a situation very similar to the one in the past about the Vonage PAP2s. I definitely want to address this as well, but it may be weeks away if it's even possible.
ogdensburg
join:2006-12-12
Ogdensburg, NY

ogdensburg to mazilo

Member

to mazilo
No, the unlock methods (both easy & hard way) don't work any more.

Here is the official firmware link for HT701:

»www.grandstream.com/supp ··· firmware
said by mazilo:

does anyone here know the link to download the latest firmware?

mazilo
From Mazilo
Premium Member
join:2002-05-30
Lilburn, GA

mazilo

Premium Member

said by ogdensburg:

No, the unlock methods (both easy & hard way) don't work any more.

Here is the official firmware link for HT701:

»www.grandstream.com/supp ··· firmware

I am not looking for the link to an HT701 but rather a BasicTalk firmware.

cybersaga
join:2011-12-19
Selby, ON

cybersaga

Member

toro, if you're able to pull the configuration file from Vonage (wherever the ATA was looking for it), then it may have a link to the firmware in that configuration. That is, if they've set it up for automatic firmware updates.

toro
join:2006-01-27
Scarborough, ON

toro

Member

The config file is easy to get, it's »httpconfig.vonage.net/cf ··· 22334455 (replace 001122334455 with the actual mac address) but it's encrypted.
I actually let one of my ATAs connect to Vonage but it never tried to pull any firmware.
ogdensburg
join:2006-12-12
Ogdensburg, NY

ogdensburg

Member

If an ATA was provisioned with an encrypted config file, does that mean it ONLY takes encrypted config files with the same encryption key in the future?
said by toro:

it's encrypted.

qingz
join:2003-10-20
Canada

qingz

Member

I think the provision file it got from Vonage tells it what to expect in the future. If we can decrypt the first provision file from Vonage, we will know everything.

toro
join:2006-01-27
Scarborough, ON

toro

Member

Re: [Unlock] Unlocking the BasicTalk ATA

The Vonage provisioning scheme generally looks like this:
- the ATA has a "root" encryption key stored in it from the factory (unique for each ATA). Let's call it KeyA
- when it downloads its first configuration file from Vonage (we'll call it CfgA), it uses the factory key (KeyA) to decrypt the provisioning file. The provisioning file will contain a new key (KeyB) and a subdirectory where the ATA is supposed to find the next provisioning file. We'll call that SubB
- the next provisioning file won't be available until a change needs to be made to the ATA. At that point, a file CfgB will be created at the path httpconfig.vonage.net / SubB. This file is encrypted with KeyB and contains the next set of provisioning parameters, KeyC and SubC
- when a new change needs to be applied to the ATA, a new file will be available at SubC encrypted with KeyC
And so on, you probably get the idea.

In the case of BasicTalk, it looks like things are a little easier. Apparently there's no KeyA stored in the device from the factory, so technically it will accept an unencrypted CfgA. However, once CfgA is downloaded from Vonage, it will contain an encryption key and the ATA will not accept an unencrypted config file any further. That's why an ATA that was connected to the internet can't be unlocked with this procedure anymore.

However, the CfgA coming from Vonage is still encrypted (or maybe I should say obfuscated) so that the settings inside can't be seen easily. Also, if you download the same file over and over, the files will be different, so the key must be somehow stored in the file. In fact, I've been playing with the Grandstream Configuration Tools which has the capability to generate plain files as well as obfuscated files and it works the same way, each time the file generated is different.
I am trying to figure out how it's encrypted but didn't have much luck so far.
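
The chained provisioning scheme described in the post above, as an added example that is not part of the original post and not Vonage's or Grandstream's code. It is a hypothetical device model in which HMAC-SHA256 stands in for the undocumented encryption (the obfuscation of CfgA is not modelled), and all class names, keys and settings are constructed.

```python
import hashlib, hmac, json, os

def seal(key: bytes, cfg: dict) -> bytes:
    # Server side: tag a config under `key`. Assumption: HMAC replaces the real, undocumented cipher.
    body = json.dumps(cfg).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

class Ata:
    """Hypothetical model of a device following the KeyA -> KeyB -> KeyC chain."""
    def __init__(self, factory_key=None):
        self.key = factory_key   # None models the BasicTalk case: no KeyA from the factory
        self.subdir = "SubA"     # path the device polls for its next config
        self.settings = {}

    def provision(self, subdir: str, blob: bytes) -> bool:
        if subdir != self.subdir:
            return False         # not the path this device is currently polling
        body = blob
        if self.key is not None: # keyed device: require a valid tag under the current key
            tag, body = blob[:32], blob[32:]
            good = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, good):
                return False
        try:
            cfg = dict(json.loads(body))
        except (ValueError, TypeError):
            return False         # not a parseable config
        if "next_key" in cfg:    # rotate: the next file must use this key and path
            self.key = bytes.fromhex(cfg.pop("next_key"))
            self.subdir = cfg.pop("next_subdir", self.subdir)
        self.settings.update(cfg)
        return True

def demo() -> list:
    key_b, key_c = os.urandom(16), os.urandom(16)   # constructed keys
    cfg_a = {"sip": "sip.example.invalid", "next_key": key_b.hex(), "next_subdir": "SubB"}
    cfg_b = {"sip": "sip.example.invalid", "next_key": key_c.hex(), "next_subdir": "SubC"}
    plain = json.dumps({"admin_password": "constructed"}).encode()
    fresh, homed = Ata(), Ata()
    return [
        fresh.provision("SubA", plain),                       # never keyed: plain file accepted
        homed.provision("SubA", json.dumps(cfg_a).encode()),  # first fetch installs KeyB
        homed.provision("SubB", plain),                       # keyed device rejects a plain file
        homed.provision("SubB", seal(key_b, cfg_b)),          # valid under KeyB, rotates to KeyC/SubC
        homed.provision("SubB", seal(key_b, cfg_b)),          # stale key and path after rotation
    ]

if __name__ == "__main__":
    print(demo())
```
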
qingz
join:2003-10-20
Canada

qingz to toro

Member

to toro
This post describes how the configuration file is encrypted, but the situation may change with the HT701 with the new firmware.
»voipsa.org/pipermail/voi ··· 939.html

Unfortunately the attached utility for decrypting the encrypted config files can't be found any more.

toro
join:2006-01-27
Scarborough, ON

toro

Member

The other Vonage ATAs used OpenSSL or RC4 encryption, depending on the manufacturer and model.
I think the root file for HT701 uses a simpler encryption mechanism. Subsequent files are most likely encrypted using OpenSSL AES 128 bit.
qingz
join:2003-10-20
Canada

qingz to toro

Member

to toro
I have a HT701 which was previously connected to the internet and locked by Vonage. I managed to reset the admin password by feeding it a configuration file generated by the Grandstream tools without encryption.

After I get into the Advanced and FXS setting page, the Config Server Path and Config File Prefix are preset by Vonage and cannot be changed. The worst is that the Primary SIP Server cannot be changed; this makes the HT701 useless without faking the DNS.

I tried to change it both from the web interface and a configuration file; neither of them works. I even did a factory full reset, these fields are still fixed.

I suspect that Vonage changed the firmware on this HT701, but it has exactly the same Hardware Version and Software Version compared to my virgin HT701.

toro
join:2006-01-27
Scarborough, ON

1 edit

toro

Member

What are the versions showing up in the status page?
If you have access to the admin account, have you tried a factory reset from the web interface, by selecting the option Full Reset?
Obviously, if you do that you must take precautions and don't allow the device to connect to Vonage until you unlock it again.
qingz
join:2003-10-20
Canada

qingz

Member

I did a factory full reset from both web and telnet. Same thing.
The status page is exactly the same as my virgin one except the MAC address.

toro
join:2006-01-27
Scarborough, ON

toro

Member

Before doing the factory reset, can you make sure that Lock Keypad Update: and Disable Voice Prompt: are both set to No in the Advanced Settings tab?
qingz
join:2003-10-20
Canada

qingz to toro

Member

to toro
Disable Voice Prompt is set to "No". Lock Keypad Update is not set to any one (not "Yes", not "No"). I don't think Lock Keypad Update has anything to do with this. I am not using keypad.

toro
join:2006-01-27
Scarborough, ON

toro

Member

Yes, it does actually. If you look in the provisioning samples, it says there are 3 values possible for that parameter: 0 = No, 1 = Yes, 2 (not visible in the web interface) = Do not reset VoIP settings.
Set it to No then try to reset it.
qingz
join:2003-10-20
Canada

1 edit

qingz to toro

Member

to toro
I can not change it, like I can not change the other fields. As soon as I click "Update", the value returns back to the previous one. The change I made to that field on the web interface does not stay. I will try to make a configuration file to change that field.

Update:
Configuration file can not change it either.

cybersaga
join:2011-12-19
Selby, ON

cybersaga

Member

Are there any configuration options for fetching new firmware from the Vonage site? If so, can you spoof DNS and feed it a different firmware, like the one from the Grandstream site?