

VoIP_LuRKeR

@res.rr.co

reply to mazilo

Re: Linksys PAP2 change from Vonage to Broadvoice

rcilink,

Any luck thus far with your "proof of concept?"
Do you still believe it is possible to unlock the PAP2?
I wish I had even half the talent you have with
hardware hacking. Best of luck!

,.-=* [VoIP_LuRKeR] *=-.,


Malcolm

@dsl.netsource.ie

Did anyone get any further with this? I have an RT31P2 I would like to unlock!!

I grabbed the encrypted XML off the Vonage server but I guess it's not gonna be easy.

Here's hoping......



zkipsi

@res.rr.co

I'd also like to hear about some kind of status update from the powers that be on this project. Even if it is just a "nothing new to report..." type message. Just to find where things stand and if it is time to eBay my locked (to Vonage) PAP2.

rizzo2dial?
rcilink?
mazilo?

Anyone?


rizzo2dial
Premium
join:2004-08-05

I've made no further progress w/ my attempts. I'm also in the camp that's awaiting an update from rcilink.

RIzzo


mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

reply to forrestin
I am in the same boat with rizzo2dial. NO luck at all. I have set up TFTP and DNS servers within an isolated private LAN and every now and then do some tests when some ideas pop up; however, none of the ideas has any solutions at all.

I heard there are some chat rooms on IRC servers where lots of hackers exchange ideas on hacking stuff. Since I am not good with IRC and don't know how to navigate through it, I just don't know where to lurk. If anyone here is good with IRC, perhaps posting asking for the v2.0.9(LSb) and v2.0.10(LSb) firmwares in the IRC chat rooms will yield a better result. When anyone gets one of these two firmwares, the hope to unlock a PAP2 is greater.

Let's hope rcilink will have solutions in no time.


rcilink
Premium
join:2003-12-15
Manchester, NH

reply to forrestin

Re: Update (sort-of)

Sorry I did not post anything here on the weekend-- it ended up being a very busy weekend, and I did not have any time to work on this project.

Anyhow... there are a couple of little projects, related to unlocking the PAP2 device, that are underway..

Status: not much to report now.. just that they are a 'work in progress'. The 'proof of concept' did not get completed, so more time will be applied (as soon as I get more time to re-configure the test environment)..

I don't plan to post details here. If I were to do that, it would allow the device-manufacture folks to change their configuration, making it harder for me to get this completed. Believe it or not, they do read these forums.

Keep up the good work... seeking the 2.0.9 release of the PAP2 firmware.

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

reply to forrestin

Re: Linksys PAP2 change from Vonage to Broadvoice

I concurred with rcilink not to post the work-in-progress in any public forums to avoid snooping by the device-manufacture folks.

Regarding the old firmware, I do believe it will be easier to ask hackers in the IRC chat rooms. Like I said here before, if anyone is familiar with navigating through the IRC chat rooms, please help us by asking in the chat room about these two old firmwares. So far, it looks like our only hope to unlock this PAP2 depends on either of these two firmwares.

malcolm8

join:2005-09-05

Sorry to be asking but......

Will any solution EVER be made public or should we take it as read that it will be kept a secret amongst the researchers?

I was just not sure what people meant by work-in-progress

Regards,

Malcolm.


rcilink
Premium
join:2003-12-15
Manchester, NH

Yes, I believe you will find the 'completed' solution posted here (or in other VOIP related areas). It just does not make sense to post updates on this sensitive subject.. The Linksys company does read these messages, and might decide to make changes, preventing the possible solution we find from working...

Sorry if that sounds like we are hoarding the information, but the answer at this moment is: the newer PAP2 units that are locked to Vonage are not unlockable at this time. Several factors: Vonage won't give out the admin password, Vonage encrypted the XML config settings (if you don't have the key, you can't load new XML config settings), firmware updates prevent 'plain-text' XML config updates... the list goes on.

Apparently, these PAP2 units are initially staged with a 'bare-bones' XML config. This config is encrypted with a key. Vonage (or is it the Linksys factory) has a script written to change the key on the XML config each time a new PAP2 is initially staged. So, forget about thinking that one 'code' will open every unit. That is not going to work. It would not hurt to look at the script from Vonage.. Anyone at Vonage want to contribute to this project? (it would be a great community service... trust me! )


mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

I guessed no one would like to contribute/participate, anyone from Vonage?



YOUR_UGLY_VT
Windows Is Crap

join:2001-09-27
Hoover, AL

I had Vonage and switched to ViaTalk and kept using the same Linksys PAP2. To unlock it try dialing ****, then when it says config menu dial 73768#, then 1


mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

said by YOUR_UGLY_VT:

I had Vonage and switched to ViaTalk and kept using the same Linksys PAP2. To unlock it try dialing ****, then when it says config menu dial 73768#, then 1
That is well written on the PAP2 manual to unlock for webmenu. What we want is to unlock the Voice menu.

I have a friend who has an unused Vonage PAP2 and viatalk refused to unlock it to use with its service mainly because viatalk said to her that they have no way to be able to unlock her PAP2 unit locked by Vonage. Perhaps, you are lucky and would like to share your story here so we can at least know how to have our PAP2 units unlocked.


soopagroove

@nrockv01.md.comcast.

reply to forrestin
Ok, to anyone out there that might know what is going on
here, check out the network traffic coming from my PAP2 (I
filtered to show anything with ls.tftp.vonage.net):
-----------------------------------------------------


1127417998.258513 IP (tos 0x0, ttl 1, id 19064, offset 0, flags [none], length: 32, optlength: 4 ( RA )) ls.tftp.vonage.net > 224.0.0.2: igmp leave 224.0.0.251
1127417998.258773 IP (tos 0x0, ttl 1, id 19065, offset 0, flags [none], length: 32, optlength: 4 ( RA )) ls.tftp.vonage.net > 224.0.0.251: igmp v2 report 224.0.0.251
1127417999.204432 IP (tos 0x0, ttl 1, id 19071, offset 0, flags [none], length: 118) ls.tftp.vonage.net.51524 > 224.0.0.251.mdns: [udp sum ok] 47580+ PTR?
1127417999.455171 IP (tos 0x0, ttl 1, id 19074, offset 0, flags [none], length: 118) ls.tftp.vonage.net.51524 > 224.0.0.251.mdns: [udp sum ok] 47580+ PTR?
1127417999.705890 IP (tos 0x0, ttl 1, id 19077, offset 0, flags [none], length: 118) ls.tftp.vonage.net.51524 > 224.0.0.251.mdns: [udp sum ok] 47580+ PTR?
1127417999.956606 IP (tos 0x0, ttl 1, id 19080, offset 0, flags [none], length: 118) ls.tftp.vonage.net.51524 > 224.0.0.251.mdns: [udp sum ok] 47580+ PTR?
1127418001.239950 IP (tos 0x0, ttl 1, id 19137, offset 0, flags [none], length: 32, optlength: 4 ( RA )) ls.tftp.vonage.net > 224.0.0.251: igmp v2 report 224.0.0.251
1127418002.070673 IP (tos 0x0, ttl 1, id 19139, offset 0, flags [none], length: 32, optlength: 4 ( RA )) ls.tftp.vonage.net > 224.0.0.2: igmp leave 224.0.0.251
1127418002.079106 IP (tos 0x0, ttl 1, id 19141, offset 0, flags [none], length: 32, optlength: 4 ( RA )) ls.tftp.vonage.net > 224.0.0.251: igmp v2 report 224.0.0.251
1127418004.640577 IP (tos 0x0, ttl 1, id 19172, offset 0, flags [none], length: 32, optlength: 4 ( RA )) ls.tftp.vonage.net > 224.0.0.251: igmp v2 report 224.0.0.251
1127418006.322328 IP (tos 0x0, ttl 255, id 17777, offset 0, flags [none], length: 328) ls.tftp.vonage.net.bootps > 192.168.2.8.bootpc: BOOTP/DHCP, Reply, length: 300, xid:0x83c9f849, flags: [none] (0x0000)
Your IP: 192.168.2.8
Server IP: ls.tftp.vonage.net
Client Ethernet Address: aa:bb:cc:dd:ee:ff
sname "localpc" [|bootp]
1127418006.330579 arp who-has 192.168.2.8 tell 192.168.2.8
1127418006.574350 arp who-has 192.168.2.8 tell 192.168.2.8
1127418031.138448 arp who-has ls.tftp.vonage.net tell 192.168.2.8
1127418031.138498 arp reply ls.tftp.vonage.net is-at 00:11:22:33:44:55
1127418031.139200 IP (tos 0x0, ttl 250, id 1, offset 0, flags [none], length: 64) 192.168.2.8.10533 > 216.115.24.230.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418032.131188 IP (tos 0x0, ttl 250, id 2, offset 0, flags [none], length: 64) 192.168.2.8.10533 > 216.115.24.230.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418033.131130 IP (tos 0x0, ttl 250, id 3, offset 0, flags [none], length: 64) 192.168.2.8.10533 > 216.115.24.230.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418034.131140 IP (tos 0x0, ttl 250, id 4, offset 0, flags [none], length: 64) 192.168.2.8.10533 > 216.115.24.230.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418035.131000 IP (tos 0x0, ttl 250, id 5, offset 0, flags [none], length: 64) 192.168.2.8.10533 > 216.115.24.230.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418036.131212 IP (tos 0x0, ttl 250, id 6, offset 0, flags [none], length: 64) 192.168.2.8.48121 > 216.115.31.140.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418037.130914 IP (tos 0x0, ttl 250, id 7, offset 0, flags [none], length: 64) 192.168.2.8.48121 > 216.115.31.140.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418038.130811 IP (tos 0x0, ttl 250, id 8, offset 0, flags [none], length: 64) 192.168.2.8.48121 > 216.115.31.140.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418039.130920 IP (tos 0x0, ttl 250, id 9, offset 0, flags [none], length: 64) 192.168.2.8.48121 > 216.115.31.140.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418040.130750 IP (tos 0x0, ttl 250, id 10, offset 0, flags [none], length: 64) 192.168.2.8.48121 > 216.115.31.140.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418041.130920 IP (tos 0x0, ttl 250, id 11, offset 0, flags [none], length: 64) 192.168.2.8.19716 > ls.tftp.vonage.net.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418042.130693 IP (tos 0x0, ttl 250, id 12, offset 0, flags [none], length: 64) 192.168.2.8.19716 > ls.tftp.vonage.net.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418043.130573 IP (tos 0x0, ttl 250, id 13, offset 0, flags [none], length: 64) 192.168.2.8.19716 > ls.tftp.vonage.net.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418044.130608 IP (tos 0x0, ttl 250, id 14, offset 0, flags [none], length: 64) 192.168.2.8.19716 > ls.tftp.vonage.net.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418045.130454 IP (tos 0x0, ttl 250, id 15, offset 0, flags [none], length: 64) 192.168.2.8.19716 > ls.tftp.vonage.net.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418131.131453 IP (tos 0x0, ttl 64, id 20239, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [udp sum ok] 1 ServFail q: A? ls.tftp.vonage.net. 0/0/0 (36)
1127418131.131531 IP (tos 0x0, ttl 64, id 20240, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [udp sum ok] 1 ServFail q: A? ls.tftp.vonage.net. 0/0/0 (36)
1127418131.131563 IP (tos 0x0, ttl 64, id 20241, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [udp sum ok] 1 ServFail q: A? ls.tftp.vonage.net. 0/0/0 (36)
1127418131.131594 IP (tos 0x0, ttl 64, id 20242, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [udp sum ok] 1 ServFail q: A? ls.tftp.vonage.net. 0/0/0 (36)
1127418131.131627 IP (tos 0x0, ttl 64, id 20243, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [udp sum ok] 1 ServFail q: A? ls.tftp.vonage.net. 0/0/0 (36)
1127418131.132435 IP (tos 0x0, ttl 250, id 16, offset 0, flags [none], length: 56) 192.168.2.8 > ls.tftp.vonage.net: icmp 36: 192.168.2.8 udp port 19716 unreachable for IP (tos 0x0, ttl 64, id 20239, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [|domain]
1127418131.132682 IP (tos 0x0, ttl 250, id 17, offset 0, flags [none], length: 56) 192.168.2.8 > ls.tftp.vonage.net: icmp 36: 192.168.2.8 udp port 19716 unreachable for IP (tos 0x0, ttl 64, id 20240, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [|domain]
1127418131.132934 IP (tos 0x0, ttl 250, id 18, offset 0, flags [none], length: 56) 192.168.2.8 > ls.tftp.vonage.net: icmp 36: 192.168.2.8 udp port 19716 unreachable for IP (tos 0x0, ttl 64, id 20241, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [|domain]
1127418131.133185 IP (tos 0x0, ttl 250, id 19, offset 0, flags [none], length: 56) 192.168.2.8 > ls.tftp.vonage.net: icmp 36: 192.168.2.8 udp port 19716 unreachable for IP (tos 0x0, ttl 64, id 20242, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [|domain]
1127418131.133644 IP (tos 0x0, ttl 250, id 20, offset 0, flags [none], length: 56) 192.168.2.8 > ls.tftp.vonage.net: icmp 36: 192.168.2.8 udp port 19716 unreachable for IP (tos 0x0, ttl 64, id 20243, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [|domain]
1127418330.970494 IP (tos 0x18, ttl 255, id 21377, offset 0, flags [none], length: 109) ls.tftp.vonage.net.mdns > 224.0.0.251.mdns: [udp sum ok] 0*- [0q] 2/0/0 _services._dns-sd._udp.local. PTR _ftp._tcp.local., _ftp._tcp.local. PTR bs._ftp._tcp.local. (81)

-----------------------------------------------------

In the above network traffic dump, my PAP2 has MAC address
aa:bb:cc:dd:ee:ff and my computer has MAC address
00:11:22:33:44:55 (I changed them, obviously). I set up a
TFTP server on my machine and made sure that
ls.tftp.vonage.net is pointing to my machine (192.168.2.1)
in my hosts file. I enabled Internet Sharing and plugged my
PAP2 into my computer. I set things up this way so that I
could monitor the network traffic of the PAP2 and computer
more easily.

What I think I'm seeing is that the PAP2 gets a DHCP
address, then checks to see what MAC address
ls.tftp.vonage.net has, then pings a couple of static
addresses, on non-standard ICMP ports, that must be hard
coded into the firmware or configuration. Is this because it
does not get a MAC address that matches whatever it is
expecting? The IP addresses it pings are 216.115.24.230 and
216.115.31.140, which are both Vonage servers (do a
nslookup/dig on them). Then, nothing else happens. Looks
like the PAP2 knows that ls.tftp.vonage.net is not the
right server and it can't ping a couple of Vonage servers either, so it does not try to update itself. I'm not
seeing the PAP2 request the spa{MAC}.xml file at all.

So, here is my speculation: If you look up the real MAC
address of ls.tftp.vonage.net, then change your MAC address
to be the same, then set your machine up to respond to ping
(ICMP) on a large range of ports (say 10000 to 65000) for
the above mentioned Vonage IP addresses, you might be able
to trick the PAP2 into thinking it is talking to Vonage and
upload the configuration. I think in my version of firmware
2.0.10(LSc), plain text XML will be accepted, it's just that
the PAP2 knows that my computer is not really
ls.tftp.vonage.net, so it won't try to upload it.

If anyone has an easy way to spoof their MAC address and
configure their machine to use multiple IP addresses (if you
are running Linux you can do this), please try this and see
if it works. Oh, and if anyone from Vonage or Linksys is
reading this, WE WILL FIND A WAY!!! ;)

rcilink
Premium
join:2003-12-15
Manchester, NH

reply to forrestin
Make sure you connect to the PAP2 web page and remove the two DNS servers in there. If you don't, it won't check locally for ls.tftp.vonage.net, but at the Vonage nameservers....


doctorcisco

join:2002-10-30
Aurora, IL

reply to forrestin
To correct some misunderstandings up above, from a real life network engineer:

"I set up a TFTP server on my machine and made sure that ls.tftp.vonage.net is pointing to my machine (192.168.2.1) in my hosts file."

The hosts file on the server is irrelevant. The PAP doesn't look at the hosts file on your server.

"What I think I'm seeing is that the PAP2 gets a DHCP address, then checks to see what MAC address ls.tftp.vonage.net has,"

MAC addresses only matter, and are only visible, on the local ethernet segment. If you go back and look at your traces, you'll probably find that the MAC the Vonage receives for ls.tftp.vonage.com, if any, is the MAC of your router's LAN interface.

The MAC address(es) of the server(s) at vonage.com will not help you at all.

"then pings a couple of static addresses, on non-standard ICMP ports, that must be hard coded into the firmware or configuration."

Nope. ICMP doesn't have ports, it has types/codes. You can't "ping" with a "non-standard type." In addition, since firewalls and a few ISP's may filter oddball ICMP traffic, this would cause support nightmares for Vonage because a number of users would not be able to connect. There's no reason for them to do anything this goofy.

The Vonage is undoubtedly getting the IP's for ls.tftp.vonage.com from the DNS server address it receives when it gets its DHCP address, probably from your router. The hosts file on your server won't change that. It then arps for that IP. It will receive a proxy arp reply from your router with the router's MAC address. The trace then shows the PAP sending UDP packets to tftp.vonage.com ... almost certainly tftp get requests. It gets no response after 5 tries to each of 3 different server IP's. It then sends a query to 224.0.0.251, which is multicast DNS, looking for a multicast address for tftp.vonage.com. This fails, because you don't have a multicast DNS server on your local network.

Long story short ... all this trace shows is the PAP trying to phone home, getting valid server IP's from DNS, failing to get a response from any of the tftp servers at Vonage, and giving up.

To try this sort of methodology to break these boxes, you need to set up a completely isolated network, with a DNS server on your local network to give the IP of a local tftp server to the PAP's DNS query. If you wanted to get fancy, you could even put one of the valid server IP's on your own server, give the PAP an address in the same subnet as the valid IP, and dish out that IP from DNS.

But all of that is (relatively) easy. You'd then need a file on your tftp server which is acceptably formatted so that the PAP will swallow it, that sets the password to something you know, or resets the device to non-Vonage factory defaults. Making that file would be very, very hard, I'd think.

Since these PAP's are currently free after $50 rebate at Staples, I sure wish I had a way to use them!

doc
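
Added example, not part of any post in this thread: a small Python classifier for tcpdump -v lines in the format of the trace above. tcpdump prints each UDP endpoint as host.port and substitutes the service name for well-known ports, so `.domain` is port 53 (DNS) and a TFTP request would appear as `.tftp`; the script counts name lookups per resolver and measures how long the ServFail took to arrive. The function names and the choice of sample lines are this example's own.

```python
import re
from collections import Counter

# Sample lines in the tcpdump -v format of the trace posted in this thread.
SAMPLE = """\
1127418031.138448 arp who-has ls.tftp.vonage.net tell 192.168.2.8
1127418031.139200 IP (tos 0x0, ttl 250, id 1, offset 0, flags [none], length: 64) 192.168.2.8.10533 > 216.115.24.230.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418032.131188 IP (tos 0x0, ttl 250, id 2, offset 0, flags [none], length: 64) 192.168.2.8.10533 > 216.115.24.230.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418036.131212 IP (tos 0x0, ttl 250, id 6, offset 0, flags [none], length: 64) 192.168.2.8.48121 > 216.115.31.140.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418041.130920 IP (tos 0x0, ttl 250, id 11, offset 0, flags [none], length: 64) 192.168.2.8.19716 > ls.tftp.vonage.net.domain: [udp sum ok] 1+ A? ls.tftp.vonage.net. (36)
1127418131.131453 IP (tos 0x0, ttl 64, id 20239, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [udp sum ok] 1 ServFail q: A? ls.tftp.vonage.net. 0/0/0 (36)
1127418131.132435 IP (tos 0x0, ttl 250, id 16, offset 0, flags [none], length: 56) 192.168.2.8 > ls.tftp.vonage.net: icmp 36: 192.168.2.8 udp port 19716 unreachable for IP (tos 0x0, ttl 64, id 20239, offset 0, flags [none], length: 64) ls.tftp.vonage.net.domain > 192.168.2.8.19716: [|domain]
"""

IP_LINE = re.compile(r"^(\d+\.\d+) IP \(.*?\)\s+(\S+) > (\S+): (.*)$")

def split_endpoint(endpoint):
    """tcpdump prints host.port; the port is a number or a service name."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def classify(line):
    """Return (timestamp, kind, peer) for one trace line."""
    ts = float(line.split()[0])
    if " arp " in line:
        return ts, "arp", line.split()[3]
    m = IP_LINE.match(line)
    if not m:
        return ts, "other", ""
    _, src, dst, rest = m.groups()
    if rest.startswith(("icmp", "igmp")):      # these lines carry no ports
        kind = "icmp-port-unreachable" if "unreachable" in rest else "other"
        return ts, kind, dst
    (shost, sport), (dhost, dport) = split_endpoint(src), split_endpoint(dst)
    if dport == "domain" and " A? " in rest:   # DNS A query to a resolver
        return ts, "dns-query", dhost
    if sport == "domain" and "ServFail" in rest:
        return ts, "dns-servfail", shost
    if dport in ("tftp", "69"):                # a TFTP request would land here
        return ts, "tftp-request", dhost
    return ts, "other", dhost

def summarize(trace):
    """Count event kinds, DNS queries per resolver, and the ServFail delay."""
    events = [classify(l) for l in trace.splitlines() if l.strip()]
    kinds = Counter(kind for _, kind, _ in events)
    per_resolver = Counter(p for _, kind, p in events if kind == "dns-query")
    first_query = {}
    for ts, kind, peer in events:
        if kind == "dns-query":
            first_query.setdefault(peer, ts)
    delays = [ts - first_query[peer] for ts, kind, peer in events
              if kind == "dns-servfail" and peer in first_query]
    return {"kinds": dict(kinds), "dns_queries": dict(per_resolver),
            "servfail_delay_s": round(min(delays), 1) if delays else None}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run over the full trace, the same function gives the retry count per resolver and shows whether any line is addressed to the TFTP port at all.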

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

2 edits

said by doctorcisco:

Making that file would be very, very hard, I'd think.
Use the Sipura Profile Compiler (SPC) to generate this file. Do a google search to find out.


Wizatcomp

@east.verizon.ne

reply to mazilo
Installed everything using the guide here. (BTW - take out the "-" in the files when you are tftping them) Everything worked beautifully, and now I'm using the PAP2 with FWD. Thanks!


tarclee

join:2005-11-07
malaysia

reply to rizzo2dial
May I know how to get the unlock firmware?

