johngd

@comcast.net
reply to johngd
Re: VONAGE VT2142 unlock help

I got the Gizmo5 SIP info and now I am ready to put it in my ATA VT2142. But my firmware is 11.4. Can I downgrade using user login?

usbjtag

join:2008-10-21
Burnaby, BC

I found a way to unlock VT2442 and VT2142 without downgrading the firmware. Actually, keeping the latest firmware has a benefit.
You just need to use JTAG to erase the configuration partitions and then modify the admin password in the bootblock. Then you can log in as Admin and use CYT to push the configuration.
I also found that if you use VT2442 and VT2142 you can get your VONAGE configuration and possibly use a software phone or use your own device to work with VONAGE (untested).


Johngd

@comcast.net
Hi Usbjtag,
Please help me. Can you show me some pics of the JTAG that you used and, if possible, can you please direct me to where I can buy one?

Thanks in advance

usbjtag

join:2008-10-21
Burnaby, BC

If you just need to unlock one router, there is no need to buy a fast JTAG. Build a simple JTAG. I will compile a how-to and later post it at www.usbjtag.com.
There is no need to downgrade the firmware to be able to get admin access.
All you need to do is erase the log and cfg and then modify the ADMIN_PWD key. The same method applies to RTP300. I have not tested with WRTP54G. But should be the same.

If you have a VT2142 and log in as router/router, go to tools and export the config. You then unzip the file to xml, your VONAGE phone password is in it.


meister_sd
Premium
join:2006-01-29
La Mesa, CA

said by usbjtag:

I will compile a how-to and later post it at www.usbjtag.com.
Can you let us know when you do that and where the post is? This should apply to most of the Linux devices of that type.

usbjtag

join:2008-10-21
Burnaby, BC

The same tech works for RTP300.
The theory is that once you erase the log and cfg partitions, the firmware will load the default admin password stored in the bootblock. The well-known hash of Admin can be put in the boot and it will be the new password of admin.
Since those VT2142 have flash types that have to be distinguished by the CFI command, I need to finish the software and then make a step-by-step unlock for VT2142, VT2442 and new steps for RTP300. (I do not have other devices yet.) I have already posted the RTP300 in the forum but will make it more public along with the VT2X42 unlock.

toro

join:2006-01-27
Scarborough, ON
·TekSavvy Solutions..

reply to meister_sd
I've used the technique so far on RTP300, WRTP54G, Moto VT2142, Moto VT2442, Linksys PAP2v2, D-Link VWR-VD. It should work for the Vtech IP8100 as well, except not all the JTAG pins are present.
Basically I save the first 128K of the flash using the JTAG, then look for ADMIN_PWD, HASH_DIR and CRYPT_KEY. I replace the value for ADMIN_PWD with a known hash such as ABW9wzpK6VV4Q ("Admin") and get rid of HASH_DIR and CRYPT_KEY completely (to prevent any further provisioning). I also look for CONSOLE_STATE and set it to unlocked. Then upload the bin file back to the same location, boot up to the PSP loader and use the console to erase CONFIG_A and CONFIG_B.
That's all, after this you can boot up, and use Admin/Admin to login and point the provisioning to your own TFTP or HTTP server.
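For anyone inspecting a returned or second-hand adapter, the edits listed in the post above leave a recognisable footprint in the boot/env block. The following read-only check over a saved dump is an added example, not part of the original post: the key names and the "Admin" hash come from the thread, while the `KEY=value` / `KEY value` NUL-terminated layout and both sample images are assumptions constructed for illustration.

```python
import re

# Key names and the well-known hash are quoted from the thread. The on-flash
# layout (NUL-terminated ASCII "KEY=value" or "KEY value") is an assumption.
KNOWN_DEFAULT_HASHES = {"ABW9wzpK6VV4Q": "Admin"}
PROVISIONING_KEYS = ("HASH_DIR", "CRYPT_KEY")
ENV_RE = re.compile(rb"([A-Z][A-Z0-9_]{2,})[ =]([\x21-\x7e]+)")


def parse_env(blob: bytes) -> dict:
    """Collect KEY/value pairs from printable runs in a boot/env dump."""
    env = {}
    for run in re.findall(rb"[\x20-\x7e]{4,}", blob):
        m = ENV_RE.fullmatch(run)
        if m:
            env[m.group(1).decode()] = m.group(2).decode()
    return env


def audit(blob: bytes) -> list:
    """Return findings that suggest the boot environment was edited."""
    env, findings = parse_env(blob), []
    if env.get("ADMIN_PWD") in KNOWN_DEFAULT_HASHES:
        findings.append("ADMIN_PWD is a publicly known hash")
    for key in PROVISIONING_KEYS:
        if key not in env:
            findings.append(f"{key} missing: provider provisioning removed")
    if env.get("CONSOLE_STATE", "").lower() == "unlocked":
        findings.append("CONSOLE_STATE is unlocked")
    return findings


def _image(entries):
    """Constructed sample: entries surrounded by 0xFF erased-flash padding."""
    body = b"".join(e + b"\x00" for e in entries)
    return b"\xff" * 16 + body + b"\xff" * 16


# Constructed sample images; every value except the "Admin" hash is made up.
STOCK = _image([b"ADMIN_PWD=Xq3exampleHash", b"HASH_DIR=/provision",
                b"CRYPT_KEY=0011223344", b"CONSOLE_STATE=locked"])
EDITED = _image([b"ADMIN_PWD=ABW9wzpK6VV4Q", b"CONSOLE_STATE=unlocked"])

if __name__ == "__main__":
    for name, img in (("stock", STOCK), ("edited", EDITED)):
        print(name, audit(img) or "no findings")
```

Because the parameters are plain text with no integrity check, this kind of string comparison is the only evidence the block itself offers; a device whose vendor certificate no longer matches its MAC address is a separate indicator.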

usbjtag

join:2008-10-21
Burnaby, BC
Agree. No need to downgrade to special firmware to work. Yet RTP-300 has an NA version of firmware and that is a good choice after unlocking.


meister_sd
Premium
join:2006-01-29
La Mesa, CA

reply to toro
said by toro:

I've used the technique so far on RTP300, WRTP54G, Moto VT2142, Moto VT2442, Linksys PAP2v2, D-Link VWR-VD.
Have you ever changed the ProductID to make it a true -NA? One that will accept -NA firmware without modification?

@USBJTAG: Do you have any support for an ADM5120?

usbjtag

join:2008-10-21
Burnaby, BC
I have not tested ADM5120 myself.
If I have a full flash dump, I can convert Linksys to a true -NA version. Not only the product ID. There is other data in the boot that makes it non-NA.

toro

join:2006-01-27
Scarborough, ON
·TekSavvy Solutions..

reply to meister_sd
Have you ever changed the ProductID to make it a true -NA? One that will accept -NA firmware without modification?
Yes, for RTP300 and WRTP54G I usually change the ProductID to the one corresponding to the -NA version so I can load -NA firmwares without having to patch them. I haven't encountered any issue doing that.

usbjtag

join:2008-10-21
Burnaby, BC

If we use TFTP to upgrade we can change the product ID.
If we just modify the product ID and still want to use web upgrade page to upgrade it will never fire up.
A complete reprogram of the whole flash with the MAC modified can make it a true -NA. With USB JTAG, programming a whole flash will take only about 2 minutes including the erasing. Not 90 hours to program. So it makes re-factorying the router possible and fast too. The programming is so fast that you will take longer to open the box and put it back than to do the programming.

toro

join:2006-01-27
Scarborough, ON
·TekSavvy Solutions..

If we use TFTP to upgrade we can change the product ID.
If we just modify the product ID and still want to use web upgrade page to upgrade it will never fire up.
How do you change the Product ID without reprogramming the flash with a JTAG?
In my case the process is always the following:
- read the boot and env block with JTAG
- change the product ID, remove the env variables I don't need
- write back the boot and env blocks
- at this point, the router won't boot up anymore, because the existing firmware has a different Product ID than the environment key
- use TFTP to program the 3.1.x firmware
After this, the router will boot up and can be flashed with -NA firmwares from the web interface.

usbjtag

join:2008-10-21
Burnaby, BC

I program the flash with JTAG. It is faster than TFTP as I do not need second cable to run the console. One tool is all I need to program the flash.
But I would prefer to get a clean NA dump and modify the MAC address to make a new flash dump. This will create a clean NA box.
Just modifying the product ID will still leave some leftovers in the boot. (Some Vonage URLs and paths.)

toro

join:2006-01-27
Scarborough, ON
·TekSavvy Solutions..

Just modifying the product ID will still leave some leftovers in the boot. (Some Vonage URLs and paths.)
Correct. Those are the HASH_DIR and CRYPT_KEY I mentioned in an earlier post, which I normally remove.
Just one thing I want to mention: if you're really picky about the way you unlock these routers, if you clone another router by changing the MAC addresses and Serial Number, the SSL certificate stored in the flash will become invalid. This is no big deal for 99% of the home users. However some VoIP providers use it for a secure remote provisioning, to ensure that no-one except the Linksys router with the right MAC address can download a certain configuration file.

usbjtag

join:2008-10-21
Burnaby, BC

Does the SSL certificate belong to Vonage?
Actually it is not hard to find all the leftovers and remove them, as they are pure text and no checksum is applied to the boot for those parameters. A few tries can make a reasonably "clean" boot and a good NA VOIP box can be created.
One thing I have been interested in recently is that I found people complaining it is difficult to configure a VT2442 box even when it is unlocked. You need to use CYT to push the configuration in. I noticed that if you log in as admin (even router) you can export the config file.
In admin we can import the config file. If we can make a legal config file we can configure the box without the CYT tool and it will be much easier. I have found how to generate the proper config based on an xml file but the CRC calculation of the config is blocking me. I have searched the source code from CYT devices but none of the CRC algorithms work for the configuration. I think this should be that hard and once we have done that we only need a free xml notepad to configure the VT2x42 box.

toro

join:2006-01-27
Scarborough, ON
·TekSavvy Solutions..

Does the SSL certificate belong to Vonage?
No, the SSL certificate is issued by Linksys.
Actually it is not hard to find all the leftovers and remove them, as they are pure text and no checksum is applied to the boot for those parameters. A few tries can make a reasonably "clean" boot and a good NA VOIP box can be created.
That's the point, you should NOT erase the SSL certificate.
I found people complaining it is difficult to configure a VT2442 box even when it is unlocked. You need to use CYT to push the configuration in. I noticed that if you log in as admin (even router) you can export the config file.
The configuration can be uploaded using a TFTP or HTTP server, I think many people do it this way rather than using the CYT unlocker. Plus the CYT unlocker doesn't work for the newest firmware versions.
In my opinion it is easier to use this method than encrypting/compressing a configuration file. But that's just me.

usbjtag

join:2008-10-21
Burnaby, BC

Totally agree with you.
Exporting the config and unzipping it still has some value, as it is much easier to get the configuration from Vonage and decipher it. Someone would like to use software with their current account. The configuration on the box is much easier to unzip than to decode the Vonage xml file.


DogFace05

join:2005-12-09
Cary, NC

FWIW, you may want to be aware of the potentially very serious legal trouble you could risk exposing yourself to by modifying the product ID.

Here in the US, it would constitute a violation of the DMCA (H.R.2281, Sec. 1201, Circumvention of copyright protection systems), as the product ID controls access to code that the device owner has not been licensed to use with the device as sold by its manufacturer. I'm not familiar with the laws in Canada, but the US DMCA is part of a wider international treaty known as WIPO, which Canada is also a signatory of. It is therefore very likely that the same, or similar laws apply there as well.

Furthermore, modifying the product ID and distributing the device as an -NA, also falls into the realm of counterfeiting, with very severe penalties here in the US (10-20 years in jail). Again, counterfeiting laws are very similar in most western countries, and are the result of international treaties. Even if the laws happened to be more liberal up north of the border, if you plan on exporting/distributing any such modified devices to the US, you effectively become bound by and subject to US law.

Note that Cisco/Linksys do not seem to have bothered legally pursuing any such cases to date. However, there's nothing to stop them, should they choose to, as our current laws give them every right to. And even if Cisco/Linksys don't bother pursuing any legal action, there are several other parties with intellectual property rights in the firmware of these devices, who could if so inclined.

I don't mean to scare you--just pointing out the potential risks that you could expose yourself to. If you're just doing it for personal use, there's probably little to worry about. However, should you plan on distributing such modified devices, it may be in your best interest and peace of mind to first consult with a lawyer versed in such legal matters.

usbjtag

join:2008-10-21
Burnaby, BC

I agree. But if you are not for the reason to make money and you play with it, I think it is OK for the testing purpose. There is nothing legal as to program third party firmware. Or modify the NA to program on an non-NA router. Saying that everything sold on eBay saying UNLOCKED is somewhat questioned.
Wednesday, 02-Dec 16:31:29 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.