

scaredofvonage

@comcast.net

[Vonage] SIP credentials, RTP300, GPP_K?

I've heard that it's possible to extract Vonage SIP credentials from some RTP300s using methods discovered on another site (we wouldn't want Vonage to know who or where!), but the extracted config information I saw from an RTP300 didn't include any kind of GPP_K or other encryption key, as the PAP2s did. If I were to extract all this configuration info from my RTP300, is there any way I could find the encryption key so as to download my actual config file with VuckFonage and decrypt it?


ptrowski
Got Helix?
Premium
join:2005-03-14
Putnam, CT
clubs:
The credentials were not there? I watched someone do it with the instructions I gave him and they were there...Hmmmm
--
Make a Difference-Join Team Helix!


scaredofvonage

@comcast.net
The SIP credentials were there. I just couldn't find any kind of key that would allow me to download config files and decrypt them.


ptrowski
Got Helix?
Premium
join:2005-03-14
Putnam, CT
clubs:
reply to scaredofvonage
Ahh, my misunderstanding.

rcilink
Premium
join:2003-12-15
Manchester, NH

reply to scaredofvonage
Re: [Vonage] Getting the encryption key for RTP300 & WRTP54G

Yes. Here's how to get the encryption key for your VOICE_XML file.

Experiment with this, and it will work out.

1. Disable javascript. If you don't, the page will redirect to a different page. Some have reported hitting ESC repeatedly to stop this from happening-- it is hard to time this one!

2. Hook your PC into the RTP300 or WRT54GP2 LAN port. Your pc will get an IP address of 192.168.15.100.

3. Open a web browser and point to »192.168.15.1

4. Login to the device. Default is admin for username and password.

5. Point your browser to: »192.168.15.1/cgi-bin/webcm?getpa···ion.html

6. If you did not turn off JAVA, you got redirected. The page you want to see is attached.. Keep trying. Load the page, hit escape key.. Eventually it will show up. I find this works well when using an old 400MHz PC..

7. Once the page is visible, it appears blank. Right-click on it and click view source.

8. Scroll down towards the bottom of the source.. Look for entries like this:
<!-- Provisioning -->
.
.(removed.. redundant info)
.
<!--new-->
<input type="hidden" name="provision:settings/intervalimg" value="3600" id="uiPostProvisionIntImg">
<input type="hidden" name="provision:status/profileurl" value="tftp://ti.tftp.vonage.net:69,21,2400" id="uiPostProvisionProfileDef" disabled>
<input type="hidden" name="provision:status/imageurl" value="tftp://ti.tftp.vonage.net:69,21,2400" id="uiPostProvisionImageDef" disabled>

<input type="hidden" name="provision:status/path" value="pexxxxxxx2" id="uiPostProvisionPathDef" disabled>
<input type="hidden" name="provision:status/key" value="6C04A7A8F44FC354435AAAAAAAAAAxxxxxxxxF1AC5A065F8EEE91CF7F23CD4DA" id="uiPostProvisionKeyDef" disabled>
<input type="hidden" name="provision:status/interval" value="1" id="uiPostProvisionIntDef" disabled>
<!--new-->
<input type="hidden" name="provision:status/intervalimg" value="60" id="uiPostProvisionIntImgDef" disabled>

<input type="hidden" name="provision:settings/dns1" value="4.4.4.4" id="uiPostProvisionDNS1">
<input type="hidden" name="provision:settings/dns2" value="4.4.4.5" id="uiPostProvisionDNS2">

<input type="hidden" name="provision:status/last" value="Not provisioned" id="uiPostProvisionStatus" disabled>

<input type="hidden" name="provision:settings/VOICE_XML/PORT_1_CONFIG/CID_NAME" value="LINE_1" id="uiPostProvisionCID">

Your Provision key is listed in there. The tftp address and folder location for your file is also listed there.

filename is ti00000000.xml (replace 0's with MAC addy)


meister_sd
Premium
join:2006-01-29
La Mesa, CA

This is what I've been looking for! Thanks a lot! I'll try this when I get home tonight.

Have you had any luck in getting a serial console working? I've seen some tutorials on openwrt, but I haven't heard from anyone here who actually did it. I have the settings on HyperTerm to 115000 8-N-1 and Control to "None".

rcilink
Premium
join:2003-12-15
Manchester, NH

The serial console is set to a 'login' prompt, so you can't get into it unless you have the password.

If you have the root password, why not just use ssh and connect that way?

Here's where I'm at with this device..
I have it registered and working with Asterisk... I have not gotten the provision portion working though. In addition, I would like to get the shell password, so I can get into the Linux filesystem.

I have the GPL source for 1.00.60 firmware for this device. (can be downloaded from Linksys).

In the firmware, under /usr/bin, look at the cm_ files.
# ls

[@ cm_logic* cm_reset* foxy* passwd@ traceroute@ whoami@
cm_config* cm_monitor* cut@ free@ pppoe-relay* tty@ yes@
cm_convert* cm_msg* dbgcmd@ id@ test@ upgrade*
cm_klogd* cm_pc* env@ nmm* tftp@ wget*

The cm_config is one of interest. Since this device is not i386 based, it needs an emulator to run.
# file cm_config

cm_config: ELF 32-bit LSB MIPS-I executable, MIPS, version 1 (SYSV),
dynamically linked (uses shared libs), stripped

So, if you have a MIPS version 1 emulator for linux, you can most likely run that config program and make a new XML to unlock your box completely, using the encrypt key it wants to see.


meister_sd
Premium
join:2006-01-29
La Mesa, CA


edit:
April 8th, @08:53PM

reply to scaredofvonage
Re: [Vonage] SIP credentials, RTP300, GPP_K?

Well, I tried the above hack to get to the provisioning page. The first thing is you have to have v1.0.60. I had .37 and didn't work. The next thing is I was able to download my encrypted .xml file but when I tried to decrypt it using the method for the PAP2 I got a "bad magic number". When I looked at openssl it says there are other ways to encrypt/decrypt. Anyone decrypted their file?

openssl aes-256-cbc -d -in ti00xxxxxxxxxx.xml -out cleartext.xml -k AB82DD541xxxxxxxxxxAA622E9FC6F43EAE48FDF93D1F4E789DFA93005C2D8AA

I did see that there were two provisioning folders each with their own key and I've tried them both with the same error.

Now the first part of my encrypted pap2 file is:
Salted__Á[¯G€Šæt°>ìb"§¿ÞChaš>ÕéÝ;J!

Now this says "Salted" in the beginning, but on my rtp300 xml file this is what I get:
‡g f¹eœ_E4€ÔÒ±öÞuÞû

No salted...... Any ideas?


meister_sd
Premium
join:2006-01-29
La Mesa, CA

reply to scaredofvonage
I just created a batch file to try to decrypt the file using all the commands in openssl, 52 of them. All came up with "bad magic number" or a syntax error. So maybe they are using their own encryption? I can give anyone the files I have if they want to check my work or try another path. Just PM me.

rizzo2dial
Premium
join:2004-08-05

reply to meister_sd
said by meister_sd:

Now the first part of my encrypted pap2 file is:
Salted__Á[¯G€Šæt°>ìb"§¿ÞChaš>ÕéÝ;J!

Now this says "Salted" in the beginning, but on my rtp300 xml file this is what I get:
‡g f¹eœ_E4€ÔÒ±öÞuÞû

No salted...... Any ideas?
Peppered?

The "salted" config file simply means that in addition to encrypting the file using the "GPP_K equivalent" passphrase, a random SALT value is inserted into the encrypted file immediately after the "salted__" keyword. The GPP_K passphrase in conjunction w/ the random SALT value are then used to build the actual encryption/decryption KEY needed to encrypt/decrypt the file. This is how Vonage is able to encrypt the same plain-text XML over and over such that each produced ENCRYPTED file is unique (at least for the PAP2).

If the encrypted file isn't salted, and if it's encrypted with the same "GPP_K equivalent" passphrase, so long as no changes have been made to the plain-text file, the resulting encrypted file will be the same every time.

Rizzo
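
An added example, not part of the original posts: a minimal parser for the `Salted__` layout Rizzo describes, plus the passphrase-and-salt key derivation (`EVP_BytesToKey` with MD5, the `openssl enc` default of that era). It shows why the same passphrase gives a different key per salt and why a file without the header produces "bad magic number". All sample bytes and the passphrase are constructed for illustration.

```python
import hashlib

MAGIC = b"Salted__"  # header `openssl enc` writes in front of a salted file


def split_openssl_enc(blob: bytes):
    """Return (salt, ciphertext); salt is None when the header is missing.

    A missing header is what `openssl enc -d` reports as "bad magic number".
    """
    if len(blob) >= 16 and blob.startswith(MAGIC):
        return blob[8:16], blob[16:]
    return None, blob


def evp_bytes_to_key(passphrase: bytes, salt, key_len=32, iv_len=16):
    """Derive (key, iv) as `openssl enc -k` did at the time of this thread:
    EVP_BytesToKey, MD5, one iteration. Newer OpenSSL releases default to
    SHA-256 unless `-md md5` is given.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + (salt or b"")).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


# Constructed sample data, not taken from any real device or file.
PASSPHRASE = b"0123456789ABCDEF" * 4   # -k text is used as-is, not hex-decoded
SALTED_A = MAGIC + bytes(range(8)) + b"\xaa" * 32
SALTED_B = MAGIC + bytes(range(8, 16)) + b"\xaa" * 32
UNSALTED = b"\x01\x02\x03\x04\x05\x06\x07\x08" + b"\xaa" * 32  # no header


def report(name: str, blob: bytes) -> str:
    """Summarise one file: header state, derived key prefix, body length."""
    salt, body = split_openssl_enc(blob)
    key, _iv = evp_bytes_to_key(PASSPHRASE, salt)
    state = "salt=" + salt.hex() if salt else "no Salted__ header"
    return f"{name}: {state}, key={key.hex()[:16]}..., {len(body)} ciphertext bytes"


if __name__ == "__main__":
    for name, blob in (("A", SALTED_A), ("B", SALTED_B), ("raw", UNSALTED)):
        print(report(name, blob))
```

Files A and B share a passphrase but yield different keys; the headerless file always derives the same key, which matches the determinism Rizzo describes for unsalted output.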


meister_sd
Premium
join:2006-01-29
La Mesa, CA

Excellent explanation. Thanks.

Any ideas how it is encrypted and how to decrypt it? As shown above, I do have the passphrase. Everything rcilink posted I have been able to duplicate just as described. Now the decrypting of the XML file is all that is left.

rizzo2dial
Premium
join:2004-08-05

Perhaps the file is encrypted using a different encryption scheme. When you execute the command:
quote:
openssl aes-256-cbc -d -in ti00xxxxxxxxxx.xml -out cleartext.xml -k AB82DD541xxxxxxxxxxAA622E9FC6F43EAE48FDF93D1F4E789DFA93005C2D8AA
"aes-256-cbc" is the encryption scheme you're instructing openssl to use. openssl supports numerous encryption schemes (google the openssl docs), so perhaps try some other schemes. Try writing a script / batch file to go through all possible schemes offered by openssl.

Rizzo


meister_sd
Premium
join:2006-01-29
La Mesa, CA

batch.zip 584 bytes
said by rizzo2dial:

Try writing a script / batch file to go through all possible schemes offered by openssl.

Rizzo
That is what I did in the post about 4 messages up. I got the same error. I'll try to attach the file.

One thing I did last night was to use the same hack from rcilink, look at my values, make changes in the screen and click save. It worked! After reloading my page, even unplugging the router and relogging back in, my changes were there. I then went to all the screens that are in the voice folder and used the same delay/esc trick to get copies of all the files in there so I can change the routers settings. The user screen, provisioning and everything can be changed. Just one screen voiceAuthenticate.html is a problem. This screen is where you can change the "Admin" (big admin). It will let me change but when I save it an error about being outside the html path occurs.

The good thing is I can make changes. I'm going to print the screens of all the voice pages and fill in what I need from my working PAP2 so I can insert all the correct info. We'll see if this will work.

One other thing I tried is in the Provision.html, I removed my encryption key, which worked, but then I tried to give it an unencrypted file. For some reason my tftp server would send but time out sending it. It seems the rtp300 will ask but not transfer it.

I also found this:
»www.profiber.dk/media/router_opdatering.pdf
This talks about an rtp300 with firmware 3.1.10 including screen shots of the voice screens. Anyone seen this? I tried to get the .bin file but no luck. The IP in the example and the IP of the host of the file come from the same place. That is as far as I got. Anyone have a rtp300-na? What is the firmware version for that model?


czyc

@rr.com
I'm quite sure the algorithm is rc4 and it is a raw key. I'm not sure if the whole string is the key or if there is an initialization vector.


czyc

@rr.com
Ok, openssl won't decrypt it but »www.uqtr.ca/~delisle/Crypto/codes/rc4/rc4.c does it nicely.


czyc

@rr.com
Oh, I can't test it, but rc4 is a stream cypher so you can use the same program to reencrypt it with the same key, then you should be able to feed it to the router.


meister_sd
Premium
join:2006-01-29
La Mesa, CA


edit:
April 10th, @03:17AM

reply to scaredofvonage
I didn't have any luck with the RC4.

I did try changing the values in user1 but my screen doesn't populate the saved values so I have to enter them all in again. If I don't, during the save it will enter nothing for the values - erasing the old ones.

So now my problem is that there is a timeout of about 10 minutes (??) so not everything was written. I am using IE6 with normal settings. I will try to open two IE screens, populate one and let the other screen re-register the timeout.

The other thing I see is even with these settings changed, a factory reset won't clear my changes and replace them with the old Vonage info!

rcilink
Premium
join:2003-12-15
Manchester, NH

I did not have much luck with the RC4 either. It takes the key and xml file. The output is not plaintext, so I can not do much with it... Anyone get this working?

------------------
Some observations about changing data in the other Voice pages:

IF you want to setup a SIP service, use the ESC trick and look at voiceLine1.html (Link: »192.168.15.1/cgi-bin/webcm?getpa···ne1.html )

Before changing the info in there, make sure you 'view source' and pay attention to the values stored at the bottom of the page. Since it can't fill-in the fields (the javascript is not enabled, or it was stopped using ESC), you need to plug-in all fields, and set all settings prior to hitting the 'SAVE' button!

I found that an easier way to do this is to save the source to the voiceLine1.html and modify it locally to have the correct data in it. Then, when I run it locally, it can use java, and show the 'defaults' I pre-set on my page.

Two more steps to make the local page load and save correctly:

1. Find this:
function uiDoOnLoad(){
var user= "ROUTER";
if(user != "ADMIN"){
...and change it to:
function uiDoOnLoad(){
var user= "ADMIN";
if(user != "ADMIN"){

2. Find this:
<!-- Post Form -->
<form method="POST" action="webcm" target="_self" id="Line1PostForm"
onsubmit="jslDoOnSubmit()">
...and change it to:
<!-- Post Form -->
<form method="POST" action="http://192.168.15.1/webcm" target="_self"
id="Line1PostForm" onsubmit="jslDoOnSubmit()">

As for the provisioning stuff... Some observations:

1. If I set the "KEY" to blank (nothing in there), it complains in the syslog. (syslog link: »192.168.15.1/cgi-bin/webcm?getpa···_vo.html ) The device wants a key that is divisible by 2!

2. If you mess with putting a plain-text file, a modified config.xml from the source code, and feed it to the box, it will appear to be receiving the file, but it then goes to vonage and re-gets the XML file from vonage! Once this happens, it is a pain to undo the SIP settings. For example, Vonage puts 666 in the dialplan. Even if you change the dialplan, it keeps sending the 666! The solution: you must do this:
   1. Let the box read the vonage .xml file
   2. Go to this link: »192.168.15.1/cgi-bin/webcm?getpa···Def.html (This is where to restore factory defaults for voice)
   3. Select 'restore voice defaults' (not router).
   4. unplug your device from the Internet!
   5. username = user password = tivonpw
   6. Voice will reset- and the dialplan will be clean.
   7. Change the TFTP settings in the Provision.html page to prevent it from going back to vonage settings.

Best of luck with the box!


meister_sd
Premium
join:2006-01-29
La Mesa, CA

said by rcilink:

I did not have much luck with the RC4 either. It takes the key and xml file. The output is not plaintext, so I can not do much with it... Anyone get this working?
I have my XML file and key from my Provision.html I can give you.

said by rcilink:

Two more steps to make the local page load and save correctly:
I will try this later today.

said by rcilink:

Best of luck with the box!
Thanks! And I think I have another bit of luck. I found the file I was looking for in the PDF from my post above rtp300-3.1.10.bin. Inside the file name is said to be rt-11.1.1-r060214-3.1.10-r060214.img. I tried to load it into my router and got an image error (forgot the exact message). Anyone want to try it? Maybe it is something along the lines of needing to create an spa-tools to make some changes like with the PAP2 and the Sipura software?!?!?!

rcilink
Premium
join:2003-12-15
Manchester, NH

reply to scaredofvonage
Made my own provision file

I decided to get creative and make a provision file to try..

I took a plaintext XML file that had all the params setup for line1 and line2 and used the RC4 tool to 'encrypt' with a 6-byte key.

I then placed this file on my server and spoon-fed it by changing the provision settings on the Provision.html page.

Outcome: it blew-away my settings, and resorted to vonage!! argh!

Here is a snip of the syslog code.. [sanitized]
Starting wget 'http://myserver.com/prov/ti0013abcdefaa.xml'
'-nv' '--failover' '-O' '/var/tmp/provision.xml'
Report 'start' 'prov_xml' '(null)'!
Report 'all' 'prov_xml' '14:55:22 URL:http://myserver.com/prov/ti0013abcdefaa.xml
[11192/11192] -} "/var/tmp/provision.xml" [1] '!
provisioning xml: 14:55:22 URL:http://myserver.com/prov/ti0013abcdefaa.xml
[11192/11192] -} "/var/tmp/provision.xml" [1]
Report 'exit' 'prov_xml' '0'!
*** Checksum of the file = EE3F3F65, previous = (null)
*** Decrypting provision XML file!
*** Parsing provision XML file! prov_state = 2,
image_state = 0
Error parsing XML provisioning file from directory 'prov',
trying the default location
Starting wget 'tftp://ti.tftp.vonage.net:69,21,2400/xyzxyz/ti0013abcdefaa.xml'
'-nv' '--failover' '-O' '/var/tmp/provision.xml'