[PAP2] Unlocking Guide

rizzo2dial
Premium
join:2004-08-05

reply to rcilink
SOLVED: Virgin GPP_K different than XML GPP_K

I figured out what Vonage is doing with regards to the GPP_K encryption key value. They are using it in conjunction w/ the GPP_D (directory) value.

The initial fresh out-of-the-box PAP2 has no GPP_D value set. Thus, the first time a virgin PAP2 auto-provisions from Vonage, it grabs the file as:
//SPA0000000000.xml
which can only be decrypted using GPP_K[initial]

That XML file in turn sets a GPP_D (directory) value as well as new GPP_K key value. The next time it auto-provisions, it grabs the file from/as:
/$GPP_D[update1]/SPA0000000000.xml
which can only be decrypted using GPP_K[update1]

That file in turn assigns a new GPP_D (directory) value and associated GPP_K key. Subsequent autoprovisions will grab files from/as:
/$GPP_D[updateX]/SPA0000000000.xml
which can only be decrypted using GPP_K[updateX]

Thus, Vonage's actual auto-provisioning process is designed to use a unique DIRECTORY & KEY each time it performs a "real" TFTP get of the salted XML config file.

So... If you grab your INITIAL and UPDATE[1] XML config files now, you'll have 1 extra opportunity to unlock your PAP2 should you accidentally factory reset it and put it on-line. This will need to be done by feeding it an XML config file w/ web access enabled, no admin password set, etc., encrypted w/ GPP_K[update1] and spoofing ls.tftp.vonage.net to point to your own TFTP server. You can grab config files UPDATE[2, 3, 4, etc.] as well; however, they may not be on-line.

Rizzo

P.S. My /$GPP_D[update1]/SPA0000000000.xml config file wasn't available at first. After making attempts over several minutes, it finally appeared. Thus, Vonage appears to have some automated process designed to create the directory & file after its initial request. I guess there is some delay associated w/ this process.

Of course, replace the ZEROs in all instances of SPA0000000000.xml above w/ your adapter's actual MAC ADDRESS.
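
Added example (not part of rizzo2dial's post and not vendor code): seen from the provisioning server's side, the rotation described above means a device that has already moved on to a /$GPP_D[...]/ directory should not ask for an earlier path again, so such a request marks a factory reset or a replayed older state. The log format, MAC, addresses and directory names are constructed, and a 12-hex-digit MAC is assumed.

```python
import re

# Constructed TFTP read-request log: timestamp, client IP, opcode, path.
# Format, MAC, addresses and directory names are made up for this example.
SAMPLE_LOG = """\
2005-10-03T10:00:01 203.0.113.7 RRQ //SPA0011223344AA.xml
2005-10-03T10:05:12 203.0.113.7 RRQ /dirAAAAAAA/SPA0011223344AA.xml
2005-10-04T10:05:40 203.0.113.7 RRQ /dirBBBBBBB/SPA0011223344AA.xml
2005-10-06T18:22:09 203.0.113.7 RRQ //SPA0011223344AA.xml
2005-10-06T18:30:00 198.51.100.9 RRQ /dirAAAAAAA/SPA0011223344AA.xml
"""

# "/<dir>/SPA<MAC>.xml"; <dir> is empty ("//SPA...") while GPP_D is unset.
# Assumption: the MAC is written as 12 hex digits.
REQ = re.compile(
    r"^(\S+) (\S+) RRQ /(?:([^/\s]*)/)?SPA([0-9A-Fa-f]{12})\.xml$")


def find_rollbacks(log_text):
    """Flag requests for a directory the same MAC has already moved past."""
    history = {}  # MAC -> directories in the order they were first requested
    alerts = []
    for line in log_text.splitlines():
        m = REQ.match(line.strip())
        if not m:
            continue  # not a provisioning-file request
        ts, ip = m.group(1), m.group(2)
        directory, mac = m.group(3) or "", m.group(4).upper()
        seen = history.setdefault(mac, [])
        if directory not in seen:
            seen.append(directory)  # normal rotation to a new directory
        elif directory != seen[-1]:
            # An earlier directory is requested again: the device state was
            # rolled back (factory reset) or an old path is being replayed.
            kind = "initial-path" if directory == "" else "stale-directory"
            alerts.append((ts, mac, ip, kind))
    return alerts


if __name__ == "__main__":
    for alert in find_rollbacks(SAMPLE_LOG):
        print(*alert)
```

Repeated polling of the current directory raises nothing; only a step backwards in the chain does.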

rizzo2dial
Premium
join:2004-08-05

In light of my previous post, I would like to test out a theory. If you are in the situation where you've connected your PAP2 to the internet and it is once again locked, if you have your ORIGINAL/VIRGIN GPP_K key saved, please IM me your PAP2's MAC ADDRESS and ORIGINAL/VIRGIN GPP_K key. I may be able to help you re-unlock your adapter.

Rizzo

jbaddsl

join:2001-01-29
Los Angeles, CA

rizzo2dial wow!

I noticed the changing 10 char "D" key too.
But I thought the PAP2 itself will calculate a new correct key/link out of the two keys.

Your findings are very interesting.

I have saved each info from each device during each step.
I will PM you this info later.

jbaddsl

join:2001-01-29
Los Angeles, CA

reply to rizzo2dial
said by rizzo2dial:

In light of my previous post, I would like to test out a theory. If you are in the situation where you've connected your PAP2 to the internet and it is once again locked, if you have your ORIGINAL/VIRGIN GPP_K key saved, please IM me your PAP2's MAC ADDRESS and ORIGINAL/VIRGIN GPP_K key. I may be able to help you re-unlock your adapter.

Rizzo
Rizzo, I IM'd you the info for three units, MAC, old K key and new K keys plus new D keys etc.

mazilo, thanks for the info, I feel better now that I know that the decoded PW might not really be the master PW.

I don't want to risk another factory reset before this is cleared up.
Has anybody noticed that inside the unit, on top of a chip, there are some other strings too?
I think they contribute to the master key, as it would be natural to link the actual hardware with its key.

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA

reply to rizzo2dial
said by rizzo2dial:

In light of my previous post, I would like to test out a theory. If you are in the situation where you've connected your PAP2 to the internet and it is once again locked, if you have your ORIGINAL/VIRGIN GPP_K key saved, please IM me your PAP2's MAC ADDRESS and ORIGINAL/VIRGIN GPP_K key. I may be able to help you re-unlock your adapter.
Why not tell people how you do it instead of asking people to send you the MAC Address?

This is how I see things regarding the admin password and the GPP_K:

Unless Vonage can change the factory default values on a remote PAP2 unit through the Provisioning process (I wished so!), I believe the factory default values remain intact in your PAP2 ROM and can be brought back through a factory reset.

I don't know if the above will still hold true for PAP2 units sent out from the factory after 09/26/2005 (the day the unlocking process was released).

Let's assume Vonage can change the factory default values through a remote provisioning process, then it's a matter of time before someone will post out the process to let us know. In this case, we all can convert our PAP2 units to become PAP2-NA units ...

So, let's assume you have your unit unlocked, set up with other VoSPs, connected to the Internet, and your stinking brother had played with it like a toy to factory reset the unit while you were out (Yeah, just like what happened to the VoIP Warrior -- sounded like his stinking brother is not a warrior), then I believe a factory reset is your best friend in this matter. Let's see if VoIP Warrior will confirm this.

rizzo2dial
Premium
join:2004-08-05

said by mazilo:

Why not tell people how you do it instead of asking people to send you the MAC Address?
If my theory is incorrect, posting details won't benefit anyone anyway. If my theory is CORRECT... stay tuned!

Rizzo


devil24
Premium
join:2002-06-28
Houston, TX


1 edit
reply to mazilo
I hope you aren't trying to be a smartass with that comment, hehehe.

Now, I'm sorry to inform you that even when I try to do a full factory reset now, it asks for a password and none of the ones posted here (or in other forums) have worked so far. I guess that, at least for the moment, I'm just SOL.

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA

said by devil24:

I hope you aren't trying to be a smartass with that comment, hehehe.
Nope, but looked like your brother did! Otherwise, he wouldn't have factory reset your PAP2, which rendered it a brick ... But don't worry, here comes the rescue:

Just have your PAP2 factory reset again, then supply a password to the user account. Hopefully, you can re-flash your doomed PAP2 unit, due to your smartass brother's act, to unlock it.


devil24
Premium
join:2002-06-28
Houston, TX


3 edits
Yeah, well, he's only 12. They are visiting for a couple of weeks, but back when I still lived with them, he was always messing around with my stuff, so this isn't the first time he has done something like this. I just need to be more careful with my stuff with him around (like not keeping printouts with all the PAP2 function/access codes in plain view, hehehe)... and of course, let the fucker know that he can get into some serious trouble if he keeps doing it.

Now, back to the PAP2. If I'm able to unlock it again (and hopefully, I will), what am I supposed to do next? Extract the GPP_K key? If so, what is it exactly that one needs to do?

rizzo2dial
Premium
join:2004-08-05

The H,
Did you capture your ORIGINAL GPP_K off to the side from when you unlocked your virgin adapter? If so, please IM me that key & the PAP2's MAC address.

Those two pieces of info may be all that is needed to re-unlock your adapter.

Rizzo


devil24
Premium
join:2002-06-28
Houston, TX

1 edit
Mazilo,

Following your advice, I was able to unlock it again and it now has firmware 3.1.3(ls).

rizzo,

No, I didn't, but if I still need it, I'd love to get it. What am I supposed to do to get it?

rizzo2dial
Premium
join:2004-08-05

said by devil24:

rizzo,
No, I didn't, but if I still need it, I'd love to get it. What am I supposed to do to get it?
If you were able to re-unlock your adapter, to get your original GPP_K key value:

1) With the adapter disconnected from the internet, FACTORY RESET it.

2) Repeat the original UNLOCK technique (as listed in the OP of this thread).

3) Don't forget to turn off PROVISIONING!!!

4) Capture the GPP_K key.

I don't think the installed firmware revision makes any difference, so if you re-unlocked your PAP2, you likely already performed STEPS 1, 2 & 3.

Rizzo


devil24
Premium
join:2002-06-28
Houston, TX
rizzo,

Check your PMs.

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA

reply to devil24
said by devil24:

Now, back to the PAP2. If I'm able to unlock it again (and hopefully, I will), what am I supposed to do next? Extract the GPP_K key? If so, what is it exactly that one needs to do?
I believe this means that even if Vonage has relocked our PAP2 units, due to mishaps on the factory reset, there is a chance to re-unlock the PAP2 re-locked by Vonage unless the re-lock process from Vonage completely locks the user's ability to perform firmware upgrades (which may be possible). I reckon Vonage will have to re-think very hard to take this kind of action due to the lawsuit filed by the SipPhone company.

Well, follow the steps needed to unlock your PAP2 units.

rizzo2dial
Premium
join:2004-08-05

reply to jbaddsl
said by jbaddsl:

Rizzo, I IM'd you the info for three units, MAC, old K key and new K keys plus new D keys etc.
I IM'd you back at least an hour ago.

gatzdon

join:2002-10-25
Lake Zurich, IL

reply to mazilo
said by mazilo:

I reckon Vonage will have to re-think very hard to take this kind of action due to the lawsuit filed by the SipPhone company.
Don't forget that Lexmark won their case (sort of) in which they were told they can sue their customers who don't mail back their empty toner cartridges, the ones where you agreed to mail them back when you opened the box. For Vonage, it may be as simple as changing the agreement on the box (from a legal standpoint). I'll find the link when I get a chance.
--
$100 placed at 7 percent interest compounded quarterly for 200 years will increase to more than $100,000,000 -- by which time it will be worth nothing. - Lazarus Long


devil24
Premium
join:2002-06-28
Houston, TX
Yeah, but such a change wouldn't affect PAP2 owners who got their devices before the policy update.

nozzer

join:2004-06-25
Waltham, MA

reply to mazilo
OK - here's my theory on how to get an unlocked unit still provisioned for Vonage service on line 1

1) Follow unlock procedure to get the GPP_K key.
2) TFTP download the appropriate file from Vonage.
3) Decrypt the file using openssl
4) Modify the values in the cleartext file so that provisioning is disabled and web interface and admin is enabled, and password set appropriately. Set DNS server to fake lan DNS.
5) Reencrypt the file
6) Put reencrypted file on TFTP server
7) Factory reset unit, and cross fingers.

After this point, I believe it should be possible to access the unit, which should be configured for Vonage access.
Anyone want to give it a whirl?

noz

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA

said by nozzer:

OK - here's my theory on how to get an unlocked unit still provisioned for Vonage service on line 1

1) Follow unlock procedure to get the GPP_K key.
2) TFTP download the appropriate file from Vonage.
3) Decrypt the file using openssl
4) Modify the values in the cleartext file so that provisioning is disabled and web interface and admin is enabled, and password set appropriately. Set DNS server to fake lan DNS.
5) Reencrypt the file
6) Put reencrypted file on TFTP server
7) Factory reset unit, and cross fingers.

After this point, I believe it should be possible to access the unit, which should be configured for Vonage access.
Anyone want to give it a whirl?
I believe this is nothing new to me, YMMV. IIRC, I did this the night (a week ago) the unlocking process was released and forgot completely (so many different experiments were done). In addition to what you posted above, basically what I did was to leave the unit live and connected to the Internet. Then, I factory reset my PAP2 and it sure phoned home but was intercepted and got provisioned by my TFTP server. Since the XML provisioned file I have for this PAP2 unit was already edited to include access to my VoIP accounts with some free VoSPs, my PAP2 unit automatically registered itself to these VoSPs and I could use both lines to place/receive calls right away without any further mods (as if the device has been provisioned by the VoSPs). This proved that you can provision your own PAP2 units and tailor it with different VoSPs. Please be careful because one slight thing you miss may render your PAP2 to provision to Vonage, instead.

OTOH and as I posted above, you can re-unlock the re-locked PAP2 units by Vonage by simply performing a factory reset. Since both IVR and adding a password to user features are enabled by factory defaults, after a factory reset process you can still perform the unlocking process as before unless Vonage+Linksys has a way to come up with a new firmware to change the factory default values.

Speaking of new firmware, has anyone managed to download the PAP2-bin-03-01-07-LS.bin firmware from the Vonage TFTP server? Every time I tried tftp -i ls.tftp.vonage.net get PAP2-bin-03-01-07-LS.bin, I keep getting the Error on server : File not found. messages.

nozzer

join:2004-06-25
Waltham, MA
But the point is, I want it to provision to an existing (non softfone) Vonage account, and Vonage don't freely hand out the detail. Once provisioned, I want to retain admin access to set up Line2 to an alternative provider.