toro
join:2006-01-27
Scarborough, ON
 ·TekSavvy Solutions..
| reply to meister_sd
Re: VONAGE VT2142 unlock help
I've used the technique so far on RTP300, WRTP54G, Moto VT2142, Moto VT2442, Linksys PAP2v2, D-Link VWR-VD. It should work for the Vtech IP8100 as well, except not all the JTAG pins are present.
Basically I save the first 128K of the flash using the JTAG, then look for ADMIN_PWD, HASH_DIR and CRYPT_KEY. I replace the value for ADMIN_PWD with a known hash such as ABW9wzpK6VV4Q ("Admin") and get rid of HASH_DIR and CRYPT_KEY completely (to prevent any further provisioning). I also look for CONSOLE_STATE and set it to unlocked. Then upload the bin file back to the same location, boot up to the PSP loader and use the console to erase CONFIG_A and CONFIG_B.
That's all, after this you can boot up, and use Admin/Admin to login and point the provisioning to your own TFTP or HTTP server. |
|
usbjtag
join:2008-10-21
Burnaby, BC | Agree. No need to downgrade to special firmware to work. Yet RTP-300 has NA version of firmware and that is good choice after unlocked. |
|
meister_sd
Premium
join:2006-01-29
La Mesa, CA
| reply to toro
said by toro  :I've used the technique so far on RTP300, WRTP54G, Moto VT2142, Moto VT2442, Linksys PAP2v2, D-Link VWR-VD. Have you ever changed the ProductID to make it a true -NA? One that will accept -NA firmware without modification?
@USBJTAG: Do you have any support for an ADM5120? |
|
usbjtag
join:2008-10-21
Burnaby, BC | I have not tested ADM5120 myself.
If I have a full flash dump, I can convert linksys to true -NA version. Not only the product ID. There are other data in the boot makes it non-NA. |
|
toro
join:2006-01-27
Scarborough, ON
·TekSavvy Solutions..
| reply to meister_sd
Have you ever changed the ProductID to make it a true -NA? One that will accept -NA firmware without modification? Yes, for RTP300 and WRTP54G I usually change the ProductID to the one corresponding to the -NA version so I can load -NA firmwares without having to patch them. I haven't encountered any issue doing that. |
|
usbjtag
join:2008-10-21
Burnaby, BC
| If we use TFTP to upgrade we can change the product ID.
If we just modify the product ID and still want to use web upgrade page to upgrade it will never fire up.
A complete re-program the whole flash with MAC modified can make it a true -NA. With USB JTAG program a whole flash will take only about 2 minute include the erasing. Not 90 hours to program. So it makes the re-factory the router possible and fast too. The programming time is so fast and you will take long time to open the box and put back than the programming. |
|
toro
join:2006-01-27
Scarborough, ON
·TekSavvy Solutions..
| If we use TFTP to upgrade we can change the product ID.
If we just modify the product ID and still want to use web upgrade page to upgrade it will never fire up. How do you change the Product ID without reprogramming the flash with a JTAG ?
In my case the process is always the following:
- read the boot and env block with JTAG
- change the product ID, remove the env variables I don't need
- write back the boot and anv blocks
- at this point, the router won't boot up anymore, because the existing firmware has a different Product ID than the environment key
- use TFTP to program the 3.1.x firmware
After this, the router will boot up and can be flashed with -NA firmwares from the web interface. |
|
usbjtag
join:2008-10-21
Burnaby, BC
| I program the flash with JTAG. It is faster than TFTP as I do not need second cable to run the console. One tool is all I need to program the flash.
But I would prefer to get a clean NA dump and modify the mac address to make a new flash dump. This will create a clean NA box.
Just modify the product ID will still have some left overs in the boot. (Some Vonage urls and paths). |
|
toro
join:2006-01-27
Scarborough, ON
·TekSavvy Solutions..
| Just modify the product ID will still have some left overs in the boot. (Some Vonage urls and paths).
Correct. Those are the HASH_DIR and CRYPT_KEY I mentioned in an earlier post, which I normally remove.
Just one thing I want to mention: if you're really picky about the way you unlock these routers, if you clone another router by changing the MAC addresses and Serial Number, the SSL certificate stored in the flash will become invalid. This is no big deal for 99% of the home users. However some VoIP providers use it for a secure remote provisioning, to ensure that no-one except the Linksys router with the right MAC address can download a certain configuration file. |
|
usbjtag
join:2008-10-21
Burnaby, BC
| Does the SSL certificate belongs to Vonage?
Actually it is not hard to find all the left overs and remove them as they are pure text and no checksum applied to the boot for those parameters. A few tries can make reasonable "clean" boot and a good NA VOIP box can be created.
One thing I am interested recently is I found people complaining it is difficult to configure VT2442 box even it is unlocked. You need to use CYT to push the configuration in. I noticed if you log in as admin (even router) you can export the config file.
In admin we can import the config file. If we can make a legal configure file we can config the box without CYT tool and it will be much easier. I have found how to generate the proper config based on xml file but the CRC calculation of the config is blocking me. I have searched the source code from CYT devices but non of the CRC algorithms work for the configuration. I think this should be that hard and once we have done that we only need a free xml notepad to configure the VT2x42 box. |
|
toro
join:2006-01-27
Scarborough, ON
·TekSavvy Solutions..
| Does the SSL certificate belongs to Vonage?
No, the SSL certificate is issued by Linksys.
Actually it is not hard to find all the left overs and remove them as they are pure text and no checksum applied to the boot for those parameters. A few tries can make reasonable "clean" boot and a good NA VOIP box can be created.
That's the point, you should NOT erase the SSL certificate.
I found people complaining it is difficult to configure VT2442 box even it is unlocked. You need to use CYT to push the configuration in.I noticed if you log in as admin (even router) you can export the config file.
The configuration can be uploaded using a TFTP or HTTP server, I think many people do it this way rather than using the CYT unlocker. Plus the CYT unlocker doesn't work for the newest firmware versions.
In my opinion is easier to use this method than encrypting/compressing a configuration file. But that's just me. |
|
usbjtag
join:2008-10-21
Burnaby, BC
| Totally agree with you.
Export the configure and unzip it still have some value as it is much easier to get the configuration from VOnage and de-cipher it. Someone would like to use software with their current account. The configuration on the box is much easier to unzip than to decode the Vonage xml file. |
|
DogFace05
join:2005-12-09
Cary, NC
| FWIW, you may want to be aware of the potentially very serious legal trouble you could risk exposing yourself to by modifying the product ID.
Here in the US, it would constitute a violation of the DMCA (H.R.2281, Sec. 1201, Circumvention of copyright protection systems), as the product ID controls access to code that the device owner has not been licensed to use with the device as sold by its manufacturer. I'm not familiar with the laws in Canada, but the US DMCA is part of a wider international treaty known as WIPO, which Canada is also a signator of. It is therefore very likely that the same, or similar laws apply there as well.
Furthermore, modifying the product ID and distributing the device as an -NA, also falls into the realm of counterfeiting, with very severe penalties here in the US (10-20 years in jail). Again, counterfeiting laws are very similar in most western countries, and are the result of international treaties. Even if the laws happened to be more liberal up north of the border, if you plan on exporting/distributing any such modified devices to the US, you effectively become bound by and subject to US law.
Note that Cisco/Linksys do not seem to have bothered legally persuing any such cases todate. However, there's nothing to stop them, should they choose to, as our current laws give them every right to. And even if Cisco/Linksys don't bother persuing any legal action, there are several other parties with intellectual property rights in the firmware of these devices, who could if so inclined.
I don't mean to scare you--just pointing out the potential risks that you could expose yourself to. If you're just doing it for personal use, there's probably little to worry about. However, should you plan on distributing such modified devices, it may be in your best interest and peace of mind to first consult with a lawyer versed in such legal matters. |
|
usbjtag
join:2008-10-21
Burnaby, BC
| I agree. But if you are not for the reason to make money and you play with it, I think it is OK for the testing purpose. There is nothing legal as to program third party firmware. Or modify the NA to program on an non-NA router. Saying that everything sold on eBay saying UNLOCKED is somewhat questioned. |
|
vilord
join:2006-09-05
Las Vegas, NV
 ·Future Nine Corpor..
| reply to toro
said by toro :get rid of HASH_DIR and CRYPT_KEY completely (to prevent any further provisioning) Is it possible to get the CRYPT_KEY from this to get the GPP KEY to be able to ask [insert provider here]'s tftp server for the xml file, with plans to decrypt it and modify it and upload it to the box?
I'm thinking for using a VT2142 with port one on vonage and port two on something else... |
|
toro
join:2006-01-27
Scarborough, ON
·TekSavvy Solutions..
| Yes, it's possible, but I don't know the algorythm for obtaining the RC4 key from the CRYPT_KEY (I know for sure it depends on the ADMIN_PWD and CRYPT_KEY).
If anyone is willing to try and find it, I can provide a few combinations of ADMIN_PWD, CRYPT_KEY and the resulting RC4 key. |
|
usbjtag
join:2008-10-21
Burnaby, BC
1 edit | reply to vilord
I am not 100% sure but I see some key in the log. And if it is then you can encrypt the xml file.
If not what you can do is to delete the keys. But you can get the Vonage configuration with LMMC tool so you can get the VOnage setting and put back with plane text xml. |
|
vilord
join:2006-09-05
Las Vegas, NV | sounds like lmmc tool is what i want, don't really care to re-encrypt  |
|
usbjtag
join:2008-10-21
Burnaby, BC | If you have the tool, log in to your router with password router/router and export the configuration. Use LMMC tool to unzip it and you have plane text xml of router and voice settings. |
|
vilord
join:2006-09-05
Las Vegas, NV
·Future Nine Corpor..
| Glad I checked I'll be sure to dump it first before I wipe out the config partitions. Now to find that lmmc tool...  |
|
