dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
14513

meister_sd
Premium Member
join:2006-01-29
La Mesa, CA

1 edit

meister_sd

Premium Member

Unlocking the UTStarCom F1000

This unlocking guide was made in a large part
from the unlocking guide 'rkworth' posted here:
»www.vonage-forum.com/fto ··· 464.html
I've added a few comments, which are [in brackets]
and then taken the extra step to totally remove
vonage from the phone. Here is his guide, and then
mine follows at the end.

-------------------------

i got into it and got it working with our asterisk
gateway - thank you google..

no more cutting out - cleaner sound. sorry vonage.

for firmware upgrade - utvonpw

then-

So I've managed to unlock the Vonage UT starcom F1000
wifi phone from Vonage. I think it's a first because
there's no other info on how to do this anywhere on the web.

You'll need a Windows pc for this...

The first thing to do is download the firmware from here:

[link removed because of DSLReport link policy. File name
is F1000_V3.80st.exe]

If the link is broken just google for f1000 firmware.

Run this self extracting archive - it's German but no need
to worry - just accept the defaults.
It should unpack 4 files.

Next make sure your Vonage wifi phone is connected and registered
i.e. you can make a call. [Here, the phone never actually has to
connect to the internet. The password "utvonpw" is factory set
into the phone. You just need it connected on your wireless]

Scroll through the menus on your phone and choose Wi-Fi
Settings / Network Parameters / Network Info.

Take note of the IP address (you may not need this but it's
handy to have). Mine is 192.168.1.14.

Exit out of the Network Info menu and go to the Misc menu

Select Local TFTP Update.
At the Code prompt enter utvonpw
You'll see a message that says TFTP is a long process..

Select Update
The Screen will say Connecting...

Back to Windows PC and launch the fwupgrade.exe application

After a split second you should see a phone list that shows the
IP address we had earlier.

Click Update

You'll get a warning not to turn off either the Computer, Phone
or Access Point...don't turn them off!

Mine took about 45 seconds to push the firmware.

The screen on the phone will read Processing...

then Decompressing...

Windows will say that the task was complete...you can close the
updater by clicking Cancel

Phone is still Decompressing 3 minutes later...

Then it will switch off.

***DO NOT TURN IT BACK ON**** or your work will be undone by Vonage!

-------THIS STEP IS REALLY IMPORTANT-------

Disconnect your broadband. [You never actually had to have it connected]

Don't power it off, just disconnect either the phone cable if DSL or
the Coax if on cable. It's important that your wireless network stays up.

Check that you can no longer browse the internet on your windows pc.

Turn the F1000 on and it will connect to your wireless network.

It will try and register via your network but of course you are
disconnected so it can't - this is good!

Go to the Misc menu on the phone and select remote TFTP server - it
should have a Vonage server address in here...change it to a single
letter "a" (Or any other setting to remove the vonage URL)
[This step isn't really needed if you keep the unit off a
wireless connection and complete my steps at the end of
this part. I've also been told this doesn't always work
to keep the unit from getting provisioned again if it
gets a wireless connection.]

Turn the phone off

Reconnect your broadband and ensure you CAN browse to a
webpage or two.

Turn phone on and it will connect to your wireless network but
it will never Register as it can't find Vonage servers!

Usng a web browser open the IP address that we remember from earlier.
(This actually connects you to the phones internal web server)
Login as user with password 888888 (six 8's)

Click User Menu on the left and go immediately to SIP & RTP Config

-------------------

Now comes my part, the coup de grâce. This is taken from the
FAQ's guide at:
»web.quick.cz/lake/f1000_faq.htm
What we are going to do is to perform a factory reset using the new
firmware that you installed (F1000_V3.80st) which will reload
all the factory defaults, which vonage is not part of! This involves
putting the phone into the ATE Menu. Follow this part of the guide
to get you into that menu:

> 7.2 Secret menu
> This is an undocumented Operating System level function, referred
> to as "ATE menu". It was implemented on early shipped phones only.
> Invoking the ATE menu requires the following steps:
> 1) Turn off the phone.
> 2) Hold 1 and 9 and the power button simultaneously for cca 3 seconds.
> 3) Wait for the input field "Func No:". The phone is now in the
> "ATE state", ready to receive ATE commands via keyboard.
> 4) Enter the required ATE commands (known key sequences are power
> savings setup and phone reset).
> 5) Turn the phone off and on again. This will clear the ATE state and
> make all changes valid.
> Note: The ATE menu is implemented on some - but not all - F1000 phones.
> It has been reported that the ATE menu feature is hardware dependent
> and can not be brought back by changing the firmware.Most providers
> now sell phones without the ATE menu, which makes the password reset
> impossible.

Now once we are in this screen, follow the steps to do the factory reset.

> 4.2 Phone Reset
> Early manufactured phones can be reset to factory defaults, including
> admin and user passwords, using the undocumented ATE menu feature.
> 1) Invoke the ATE menu and wait for the "Func No:" prompt.
> 2) Enter 37 and press the green key. Wait for "Success" and press red key.
> 3) Enter 38 and press the green key. Wait for "Success" and press red key.
> 4) Enter 41 (=Clear User Data) and press the green key. Wait for "Success"
> and press red key.
> 5) Turn the phone off and back on - it should be totally cleared and the
> default passwords will be set.
> WARNING: Performing the ATE reset will also clear the phonebook entries
> and all user-specific settings.

If you followed everything, the phone is off. Now turn it back on and you
will have reset the phone completely. The passwords are set to factory
default and you will also now have "admin" access. Here are the passwords:

login name = admin, password = psw
login name = user, password = 888888

Now you can see, vonage is bye, bye!

This part involves programming the phone to a provider. There aren't
many examples on programming, so I will provide a screen shot that
shows it connected to the Betamax companies. I actually used this
exact setup for my voipstunt account without any other changes other
than putting in my username/password.

"

This image and setup is from:
»members.home.nl/geurtsva ··· 1000.htm

Now my personal notes.
I found that Telnet is running and in the older firmware, pre v3.10,
the username/password is "target/password". This is actually a well
known security hole. In the version used for this hack, telnet is
still working but the username and password have changed. If anyone
knows what that is, please either PM me or post it here. There is a
newer version available from SipGate, version 4.50.
»www.sipgate.co.uk/faq/in ··· brik=690
Once you've gone to v4.50st though, you cannot downgrade the firmware
ever again according to the upgrade notes.
markosjal
join:2005-08-06
Portland, OR

markosjal

Member

So if there is no ATE menu, no unlock?

meister_sd
Premium Member
join:2006-01-29
La Mesa, CA

meister_sd

Premium Member

The first part of the unlock will work but the ATA method is the only way *I* know of to completely erase vonage.

SteveLV702
Premium Member
join:2004-04-22
Las Vegas, NV

SteveLV702 to meister_sd

Premium Member

to meister_sd
no ATE Menu for me and once I am connected for like 5 minutes then the phone will suddenly say "connecting" then will go to "Downloading Firmware" then "Decompressing" and then it will turn the phone off and when I turn it back on its relocked to Vonage... So I am pretty much screwed????