Re: [Vonage] SIP credentials, RTP300, GPP_K?

Author

All Replies

meister_sd
Premium
join:2006-01-29
La Mesa, CA

reply to scaredofvonage
Re: [Vonage] SIP credentials, RTP300, GPP_K?

Well, I tried the above hack to get to the provisioning page. The first thing is you have to have v1.0.60. I had .37 and didn't work. The next thing is I was able to download my encrypted .xml file but when I tried to decrypt it using the method for the PAP2 I got a "bad magic number". When I looked at openssl it says there are other ways to encrypt/decrypt. Anyone decrypted their file?

openssl aes-256-cbc -d -in ti00xxxxxxxxxx.xml -out cleartext.xml -k AB82DD541xxxxxxxxxxAA622E9FC6F43EAE48FDF93D1F4E789DFA93005C2D8AA

I did see that there were two provisioning folders each with their own key and I've tried them both with the same error.

Now the first part of my encrypted pap2 file is:
Salted__Á[¯G€Šæt°>ìb"§¿ÞChaš>ÕéÝ;J!

Now this says "Salted" in the beginning, but on my rtp300 xml file this is what I get:
‡g f¹eœ_E4€ÔÒ±öÞuÞû

No salted...... Any ideas?

to forum · permalink ·

· 2006-04-08 20:49:35 ·

rizzo2dial
Premium
join:2004-08-05

said by meister_sd

:

Now the first part of my encrypted pap2 file is:
Salted__Á[¯G€Šæt°>ìb"§¿ÞChaš>ÕéÝ;J!

Now this says "Salted" in the beginning, but on my rtp300 xml file this is what I get:
‡g f¹eœ_E4€ÔÒ±öÞuÞû

No salted...... Any ideas?

Peppered?

The "salted" config file simply means that in addition to encrypting the file using the "GPP_K equivalent" passphrase, a random SALT value is inserted into the encrypted file immediately after the "salted__" keyword. The GPP_K passphrase in conjunction w/ the random SALT value are then used to build the actual encryption/decryption KEY needed to encrypt/decrypt the file. This is how Vonage is able to encrypt the same plain-text XML over and over such that each produced ENCRYPTED file is unique (at least for the PAP2).

If the encrypted file isn't salted, and if it's encrypted with the same "GPP_K equivalent" passphrase, so long as no changes have been made to the plain-text file, the resulting encrypted file will be the same every time.

Rizzo

to forum · permalink ·

· 2006-04-08 22:30:52 ·

meister_sd
Premium
join:2006-01-29
La Mesa, CA

Excellent explination. Thanks.

Any ideas how it is encrypted and how to decrypt it? As shown above, I do have the passphrase. Everything rcilink I have been able to duplicate just as described. Now the decrypting of the XML file is all that is left.

to forum · permalink ·

· 2006-04-08 23:21:43 ·

rizzo2dial
Premium
join:2004-08-05

Perhaps the file is encrypted using a different encryption scheme. When you execute the command:

quote:
openssl aes-256-cbc -d -in ti00xxxxxxxxxx.xml -out cleartext.xml -k AB82DD541xxxxxxxxxxAA622E9FC6F43EAE48FDF93D1F4E789DFA93005C2D8AA

"aes-256-cbc" is the encryption scheme you're instructing openssl to use. openssl supports numerous encryption schemes (google the openssl docs), so perhaps try some other schemes. Try writing a script / batch file to go through all possible schemes offered by openssl.

Rizzo

to forum · permalink ·

· 2006-04-09 05:18:57 ·

meister_sd
Premium
join:2006-01-29
La Mesa, CA

batch.zip 584 bytes

said by rizzo2dial

:

Try writing a script / batch file to go through all possible schemes offered by openssl.

Rizzo

That is what I did in the post about 4 messages up. I got the same error. I'll try to attach the file.

One thing I did last night was to use the same hack from rcilink, look at my values, make changes in the screen and click save. It worked! After reloading my page, even unplugging the router and relogging back in, my chages were there. I then went to all the screens that are in the voice folder and used the same delay/esc trick to get copies of all the files in there so I can change the routers settings. The user screen, provisioning and everything can be changed. Just one screen voiceAuthenticate.html is a problem. This screen is where you can change the "Admin" (big admin). It will let me change but when I save it an error about being outside the html path occurs.

The good thing is I can make changes. I'm going to print the screens of all the voice pages and fill in what I need from my working PAP2 so I can insert all the correct info. We'll see if this will work.

One other thing I tried is in the Provision.html, I removed my encryption key, which worked, but then I tried to give it an unencrypted file. For some reason my tftp server would send but time out sending it. It seems the rtp300 will ask but not transfer it.

I also found this:
»www.profiber.dk/media/router_opdatering.pdf
This talks about an rtp300 with firmware 3.1.10 including screen shots of the voice screens. Anyone seen this? I tried to get the .bin file but no luck. The IP in the example and the IP of the host of the file come from the same place. That is as far as I got. Anyone have a rtp300-na? What is the firmware version for that model?

to forum · permalink ·

· 2006-04-09 12:58:24 ·

czyc

@rr.com

I'm quite sure the algorithm is rc4 and it is a raw key. I'm not sure if the whole string is the key or if there is an initialization vector.

to forum · permalink · 2006-04-09 20:14:55 ·

czyc

@rr.com

Ok, openssl won't decrypt it but »www.uqtr.ca/~delisle/Crypto/codes/rc4/rc4.c does it nicely.

to forum · permalink · 2006-04-09 21:36:13 ·

czyc

@rr.com

Oh, I can't test it, but rc4 is a stream cypher so you can use the same program to reencrypt it with the same key, then you should be able to feed it to the router.

to forum · permalink · 2006-04-09 21:39:12 ·

rizzo2dial
Premium
join:2004-08-05

reply to czyc

RC4.zip 22,381 bytes
rc4 Windows Executable + Source Code

said by czyc

:

Ok, openssl won't decrypt it but »www.uqtr.ca/~delisle/Crypto/codes/rc4/rc4.c does it nicely.

I've modified the code for the program to accept file names for the input & output files (instead of using STDIN/STDOUT redirection) and have compiled it under Visual Studio .NET 2003. I've also cleaned up the program a bit (and moved some logic out of the MAIN function).

Attached is a zip file containing the modified source code as well as a Windows (DOS/Command Prompt) executable. Since it's compiled under VS.NET 2003 (which is a development environment for the .NET 1.1 framework), the Microsoft .NET 1.1 framework will likely need to be installed for the program to run. (Microsoft provides it for free).

The syntax for this version is of rc4 is:
rc4 key inFile outFile

Rizzo

to forum · permalink ·

· 2006-04-12 03:06:16 ·

Steve Masten

@rr.com

The: rc4 key inFile outFile, and question is what is the "infile" and what is the "outfile" is supposed to be called?

I just want to unlock my rtp300 so I can firmware upgrade, cause these bastards locked it all up.

So can you explain a bit more?

Steve Masten

to forum · permalink · 2006-11-07 00:15:22 ·

Steve-Masten

@rr.com

I hope you will, or someone will reply.

Uuummm... My friend just told me you guys might not answer cause vonage put you all in jail?

If you want me to slap my friend sebastian again, I will be glad too... No offense, I am curious.

SM

to forum · permalink · 2006-11-07 00:36:26 ·


Tuesday, 10-Nov 22:52:50	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF