  Hydraglass Premium join:2002-05-08 Kingston, ON
·Bell Sympatico
| reply to chopp Re: [General] DLink VTA-VR
After battling with my VTA-VR for 3 days, I want to fill everyone in on what happened, and what I managed to do - as well as give you some hints and tips if you're in the same spot I was.
I have a VTA-VR that was provisioned on Vonage for approx. 18 months. I recently canceled (Jan 5, 08) and the box was now out of commission. I previously switched to running Asterisk/FreePBX and now have my service through Les.Net with IAX trunks to my Asterisk server. I had one Grandstream ATA that I configured with one extension and have been using that. I wanted to break into my VTA-VR and clean it out and configure it for Asterisk SIP extensions as well.
My VTA-VR, having been "online and working with Vonage" had updated itself to Firmware VTA-11.4.1-r060815-1.00.09-r070401.img - this is a problem. In this version they have "fixed" the hole that was previously used by the CYT tools to break Admin, as well as it hides/removes the "encryption key" from the Admin interface. Several other problems - the "Support" login/password is neither blank nor the old "tivonpw" password so I couldn't get in to Support even. The CYT tools get a "Page outside the html tree" error provided by the now "upgraded"? webcm gatekeeper. So how was I going to break this thing?
Also trying to go to the user/user page when you check the box to "Reset Provisioned Parameters" it doesn't let you - it prompts for an admin password. I decided to work on breaking this first. Running Wireshark packet capture, and setting the PC up with its own DHCP server setting itself as default gateway (but no way to get to the internet of course), and connecting the VTA-VR with a switch to the LAN port I was able to reset the VTA-VR and convince it to use my PC for "all traffic" thus ensuring I caught everything on Wireshark (including DNS requests, etc). A look at what happens when you try to fake the admin PW for the "Provisioned Parameters" leads me to a URL it was POST submitting. A little edit of that URL and pasting it in my browser and I was able to get the page to come back with the boxes already checked, with no request for password. Here's that URL: 192.168.0.2/cgi-bin/webcm?getpage=/usr/www_safe/html/home/home_system.htm&var:OldProvisioned=on&=&var:OldUnProvisioned=on&=&var:isFirstTime=no
You may have to try a few times or tweak the "OldProvisioned" to yes/no - it's all a javascript program in the page source for home_system.html. In any case I got it to come up with both boxes checked and I hit reset. The box reset and I saw it trying to download an image by http now rather than by tftp (trying to connect to "httpconfig.vonage.net" and retrieve /CodeHere/tiMAC.xml ) - so I knew it was fully "reset" to blank.
Well I'll be darned.. logging in as Support with no password now gave me the extra tab to do firmware. A little searching on Google leads me to the page on httpconfig.vonage.net that has the firmware (if you have trouble here - the firmware image I was looking for was the older 1.00.07 one - the firmware file name is VTA-11.4.0-r060331-1.00.07-r060418.img - there's nothing other than "/" in the http path between the host name and file name.)
With a copy of 1.00.07 now in hand and the firmware page up, I was able to reload the system with the old firmware. It then rebooted and I saw it trying to connect back to vonage again on my Wireshark (but of course it couldn't get there).
I loaded up CYT46 with the DLINK command line option, pointed it to the IP of the VTA-VR, and bingo, it reset the password for Admin and I was in. Now I was able to play with the configuration etc. and get my decrypt key from that version of the Admin pages.
Now I got brave and decided to re-flash it with the newest firmware again, let it connect to Vonage, get all its XML files, and log in with the password I got by using RC4 decrypt on the XML file from ti.tftp.vonage.net. Well that worked beautifully - except for one thing - the new version of the firmware *requires* the .xml files to be encrypted - and for some reason when I encrypted them with the RC4 key I got before out of the old version of firmware, it wouldn't use them or accept them. It certainly wouldn't accept unencrypted XML's. Also there are a few changes in the Admin pages that restrict what you can do. On the other hand it brings all the "SIP" options up easy to check out.
But, now I was in as Admin with Vonage's Admin Password for the device, I was able to simply re-flash to the 11.4.0/1.00.07 firmware, pointed the device to my Asterisk server (and I set up tftp server on it to hand out the tiMAC.XML file) - edited the XML file based on the template one included with CYT - and a little help from several of the XML files here on the forum, rebooted the VTA-VR, watched it TFTP the file from my asterisk box, and then connect both extensions by SIP. Tried with both handsets plugged into both ports and all my calls are working, and incoming calls to those extensions ring them.
So the short answer after the long explanation is - the newest firmware - 11.4.1/1.00.09 - is relatively useless for those of us who want to use our box on another carrier. So, break into the reset page using the URL above, force it to reset both Provisioned and NonProvisioned, login as Support/(blank), grab the 11.4.0/1.00.07 firmware off Vonage's httpconfig server while it's available (I've got a copy and if they ever remove it I'll make sure it ends up somewhere you can get your hands on it). Then, break in using CYT46 (I don't know if 35 or 39 will work - 46 was flawless for me) - set yourself up your TFTP provisioning server, edit your XML file, and you're good to go.
Good luck to anyone out there working on breaking the 11.4.1/1.00.09 firmware - let us know if you get it to work for you. The inability to turn off the requirement for an RC4 encrypted XML file was the killer for me. I could have forced it to retrieve any XML file from my PC directly by "faking myself as Vonage" on the LAN - but it wouldn't do any good and wouldn't read the configs from the files. Also my RC4 decrypted XML files didn't decrypt nicely - about half of the file was garbage - but luckily the first half was clean enough to get the Admin PW. |
|
 mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA | Good job and well done! Another way to hack Vonage!  |
|
  Splat1
@ntl.com
| reply to Hydraglass Hydraglass, works fine until I go to login as Support. I get this funky little number.
Error: User not enabled to login into the system
FIRMWARE=VTA-11.4.1-r060815-1.00.09-r070401
Got a serial console on the thing, but it's no use without the admin password :/
Any hints? |
|
  Hydraglass Premium join:2002-05-08 Kingston, ON
·Bell Sympatico
| Only thing I can suggest is to make sure you're logged out of all the other accounts (I.e. when I'm logged in as Admin, I can't log in as User or Support, etc.) - but with the same firmware it did decide to let me in as Support and hit the firmware update page (which is and you can try to go to: »[YOURVTAIP]/cgi-bin/webcm?getpag···ware.htm
As I mentioned to one other person on PM - you can also try the hard reset procedure in combination with the instructions for the URL above (holding the PIN reset, remove power, continue holding PIN reset, restore power, continue still holding PIN reset for up to 25 more seconds) -- also depending on the exact hardware in your box some people have found the Support account logs in with the password "tivonpw" as well (for me it was blank however). You may need to go through that "provisioned and non-provisioned parameter reset" more than once as well (it was the 3rd time through it worked for me).
If anyone else has hints - feel free to chime in! |
|
 rcilink Premium join:2003-12-15 Manchester, NH
| reply to Splat1 said by Splat1 :
Error: User not enabled to login into the system
If you get this message when trying to login as Support and the device is not registered with Vonage (no active account), you can hook it to the net and let it download the first provisioning XML file. On my test unit, I downloaded it to my tftp server and fed it to the device. It 'unconfigured' both lines to ccivr.vonage.net and set '666' as a dial prefix.
This is fine. Save that XML -- it enables the User-level login (Support). Password= tivonpw or blank.
Your results may vary. |
|
 SirSIlentBob
join:2008-01-28 Newport News, VA
| reply to Hydraglass Hydraglass,
How exactly did you decode the xml file? What programs did you use? Is the "decrypt" key the same as the mac address of the adapter, or is it something else? Thanks for posting so much useful information!  |
|
  Hydraglass Premium join:2002-05-08 Kingston, ON
·Bell Sympatico
| said by SirSIlentBob :
Hydraglass, How exactly did you decode the xml file? What programs did you use? Is the "decrypt" key the same as the mac address of the adapter, or is it something else? Thanks for posting so much useful information!
I use the RC4 program to decode and re-encode the files. I got it here: »/r0/download/9···/RC4.zip
You use the program from a command prompt:
rc4 YourKey tiYOURMAC.xml output.xml
You need to get into the Admin/Admin login to obtain the unique key for your device - it's a LONG key - 256 bits encoded into 64 hex characters. This is why you need to break into the "Support" account and down-rev your firmware first. Once you downrev your firmware you can use the CYT unlocker as is explained early on in this long thread. Once you use the CYT unlocker you log into the device's web console as Admin/Admin and can view the "provision" page -- on that page on the "default" column is a box with that ever so long and ever so important key. Once you've got the key and have it saved somewhere, you are ready to tftp Vonage's encrypted provision file (which you find the TFTP URL from the provision page as well), use RC4 with the long key to decrypt it, and now you know your router's "default" Admin login for when it's unlocked, as well as you have a base provision file to start working from.
Hope that helps - it still seems to be a bit of "black magic and guesswork" to get the new firmware to break and let you in. Some people have good luck - others not so much. I've confirmed that my method outlined in the earlier post worked on both a VTA-VR and a VTA-CV (Canadian version) - I don't have a UK version to test on. |
|
  cannotconnect
@acanac.net | reply to Hydraglass Does anyone have a link to the old firmware? I want to downgrade the one I have.
Thanks |
|
  Hydraglass Premium join:2002-05-08 Kingston, ON
·Bell Sympatico
| The firmware is available on the Vonage server at »httpconfig.vonage.com just put in the URL after the .com whatever version of the firmware you are looking for, e.g.: /VTA-11.4.0-r060331-1.00.07-r060418.img
For the 11.4.0 / 1.00.07 firmware (that's the oldest commonly used firmware) - I was still able to download that from the server just now so I know it's still good. |
|
 piranhaphish
join:2008-02-03 Midland, TX
| I have a VTA-VR with the new firmware and I'm trying to downgrade to VTA-11.4.0-r060331-1.00.07-r060418.img.
I am able to go to the support page and upload the firmware. Almost immediately the four LEDs start blinking and continue to do so for about a minute or two.
When the unit finally comes up again, it is still at the new firmware version of VTA-11.4.1-r060815-1.00.09-r070401.img.
Did I miss a critical step? I am not connected to the internet, so it can't be re-upgrading itself I don't believe.
Thanks in advance. |
|
 Dan_voip
join:2007-01-03 Canada
| Dlink VTA has 2 firmware in the flash, A and B. Seems to be loading the firmware if you don't get any error and the adapter is rebooting itself after that. What I can think of is somehow it doesn't boot with the last firmware loaded. You can try to power off for a few seconds and try to load again the firmware. The last resort will be to load the firmware using a console cable. |
|
 piranhaphish
join:2008-02-03 Midland, TX
| Okay, I consoled into the device and downloaded the firmware into both images, and erased the configuration data for both images while I was there. All per instructions from here.
setenv IPA 192.168.1.105
fmt IMAGE_A
tftp -i 192.168.1.104 VTA-11.4.0-r060331-1.00.07-r060418.img IMAGE_A
fmt IMAGE_B
tftp -i 192.168.1.104 VTA-11.4.0-r060331-1.00.07-r060418.img IMAGE_B
fmt CONFIG_A
fmt CONFIG_B
and now I get the error: OS boot failed.
and I'm taken directly to the PSPBoot menu. I've tried the firmware version matching the one originally on the device (VTA-11.4.1-r060815-1.00.09-r070401.img), only I downloaded it from the Vonage httpconfig server. It had the same results, as did 1.00.08-NA.
My VTA-VR is "H/W Ver.: A4" and apparently came with the 1.00.07 firmware originally. I don't know why it doesn't like the one I fed it. And since I wrote the firmware to both slots, I don't have the original as a backup. I don't even know if it's possible to download from it (speaking of, what is the 'tftp -r' command for?).
Am I using the correct format of firmware? Is there a check sum or something, or is that only regarding custom firmware? Did erasing the CONFIG_A/B cause it (I doubt it)? |
|
 rcilink Premium join:2003-12-15 Manchester, NH
1 edit | HEXedit the firmware you are trying to tftp into your device..
change offset 0x0B byte to 17 (this is in HEX)
Save that, then follow the same steps you did (fmt the IMAGE_A and IMAGE_B before tftping into them)
It should boot ok after that.
EDIT:Fixed offset value |
|
 madmatrix
join:2006-09-03 Fairfax, VA | reply to Hydraglass It seems httpconfig.vonage.com is not available? So where to find the old firmware? Thanks a lot! |
|
 piranhaphish
join:2008-02-03 Midland, TX
| reply to rcilink Thanks rcilink. That worked, although I had to use an offset of 0x0B as you had mentioned in a prior post on this thread.
I finished the rest of the steps and got my VTA-VR successfully talking to my Asterisk server. I set my digit_map up as x.T and I'm able to seamlessly dial through the pbx. Well, almost. Dialing any feature code starting with * gives me a fast busy tone; I imagine I just need to tweak my digit_map some, though (I bet 'x' doesn't include *, right?)
But I just wanted to thank you and all the others who got us to where we are today. You rock! |
|
 arturoport
join:2008-02-20
| reply to Hydraglass Hey, your killer was killed
**once you downgrade to 1.0.7 you can download all xml settings for 1.0.9 version. by this way.**
in VTA-VR 1.0.7 web interface
Provisioning File Path: someSFEX
Encryption Key: THEENCRYPTIONKEYFOR1.0.7
get your own information in web interface.
in Linux you can do this:
#atftp ti.tftp.vonage.net
tftp> get /someSFEX/tiMAC.xml
where MAC is your device MAC address like "001b111203"
Ok, put your tiMAC.xml file on Windows and do
C:>RC4 THEENCRYPTIONKEYFOR1.0.7 tiMAC.xml myMAC.xml
now you have myMAC.xml decrypted and this file contains all configurations for your 1.0.9 firmware version.
i can show you a little of this file:
as we can see, now we have THE KEY for 1.0.9 firmware version
and now... :) full hack of VTA-VR in the last version. :) |
|
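The rc4 step from Hydraglass's and arturoport's posts, as an added example that is not part of the thread and not the RC4.zip tool itself: a textbook RC4 in Python that tries the 64-character key both as ASCII text and as 32 decoded bytes (which form the tool uses is an assumption) and reports how many leading bytes of the output are clean text, which locates where a half-garbage decrypt like the one mentioned earlier goes wrong. The key, the XML body and all function names are constructed placeholders.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:  # XOR each byte with the keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def key_candidates(key_text: str) -> dict:
    """Assumption: the key is used either as ASCII text or as decoded hex bytes."""
    key_text = key_text.strip()
    cands = {"ascii": key_text.encode("ascii")}
    try:
        cands["hex"] = bytes.fromhex(key_text)
    except ValueError:
        pass  # not valid hex, so only the ASCII form applies
    return cands

def clean_prefix(plain: bytes) -> int:
    """Count leading bytes that are printable ASCII, tab, CR or LF."""
    for n, b in enumerate(plain):
        if not (32 <= b < 127 or b in (9, 10, 13)):
            return n
    return len(plain)

def decrypt_provision(key_text: str, blob: bytes):
    """Return (key form, plaintext, clean byte count) for the best candidate."""
    results = [(name, rc4(k, blob)) for name, k in key_candidates(key_text).items()]
    name, plain = max(results, key=lambda r: clean_prefix(r[1]))
    return name, plain, clean_prefix(plain)

# Constructed sample: placeholder key and made-up XML, not a real device file.
SAMPLE_KEY = "0123456789abcdef" * 4
SAMPLE_XML = b'<?xml version="1.0"?>\n<provision><line id="1">example</line></provision>\n'
SAMPLE_BLOB = rc4(bytes.fromhex(SAMPLE_KEY), SAMPLE_XML)
# Same ciphertext with one stray byte inserted at offset 20.
DAMAGED_BLOB = SAMPLE_BLOB[:20] + b"\x0d" + SAMPLE_BLOB[20:]

if __name__ == "__main__":
    for label, blob in (("intact", SAMPLE_BLOB), ("damaged", DAMAGED_BLOB)):
        form, plain, clean = decrypt_provision(SAMPLE_KEY, blob)
        print(label, form, f"{clean}/{len(plain)} bytes clean")
```

RC4 is a stream cipher, so a wrong key gives noise from the first byte, while a clean prefix followed by noise suggests the key is right and the ciphertext gained, lost or changed bytes from that offset on.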
 arturoport
join:2008-02-20 | reply to Hydraglass Your killer was killed
»Re: [General] DLink VTA-VR |
|
  squid636 Squid636 Premium join:2002-12-16 Vancleave, MS
1 edit | reply to Hydraglass After searching the site I was able to log in to the VTA-VR by using Support and blank as a password. I was using firmware version VTA-11.4.1-r060815-1.00.09-r070401.img. From there you can downgrade the firmware. Thanks for the help. -- AMD64 w 1gb of ram running WIN XP SP2 |
|