Discussion in 'VOIP' started by Kyler Laird, Sep 8, 2004.

  1. m (Guest)

    Yes, I would like to know too...

    I have a pap2-na and if someone will tell me how to get the firmware
    off it I will do it, as long as it leaves mine functional. (I use it
    every day with fwd and different providers.)

    not to mention asterisk.

    I am trying to find a way to buy a unit from Vonage from my local Radio
    Shack or Best Buy or whatever and stay on long enough to get my mail-in
    rebate, then cancel if possible, then see if I can copy the firmware
    from my unlocked NA model to the Vonage model, then save like
    $15-16 per unit and give them as gifts to friends pre-registered with accounts and send a msg to hook em up and dial my fwd...

    any one?!

    I really would like to try it. Anyone have a locked one and up to trying
    this?

    m, Dec 21, 2004
  2. m (Guest)


    Well, after some googling I was able to find this: for a locked pap2
    you can unlock it by performing a factory reset over the IVR IF YOU HAVE
    THE PASSWORD. To get to the IVR hit "****" while connected over the
    phone. The factory reset command is "73738#". You will be asked for a

    Now the question is, what is that dang password?
    m, Dec 22, 2004
  3. pl (Guest)

    Same exact reset code as the Sipura. When I left Broadvoice, I was able to
    reset my Sipura 1000 since they do not lock the hardware.

    By factory default there is no password and no password authentication is
    prompted for all the IVR settings. If administrator password is set,
    password authentication will be prompted for certain IVR settings.

    Enter IVR Menu * * * *

    Ignore SIT or other tones until you hear, "Sipura configuration menu. Please
    enter option followed by the pound key or hang up to exit."

    Factory Reset of Unit 73738 Enter 1 to confirm

    SPA will prompt for confirmation. After confirming, you will hear "Option
    Successful". Hang up. The unit will reboot and all configuration parameters will be
    reset to factory default values.
    pl, Dec 22, 2004
  4. m (Guest)

    Well, I have the unlocked pap2-na so I can't try that; mine works good and is
    very open for changes. Anyone have the locked one and willing to give
    it a try? I can bet there are a ton of people dying to know if it
    works and what you did. Maybe do it before you go away someplace, and
    have another phone you can use so you can call Vonage and tell them
    your rented box is messed up, leaving time for them to send you another.

    Someone hurry up and try this. I wanna buy these things as gifts and
    send them set up with fwd numbers so I can call my LD buddies...

    m, Dec 23, 2004
  5. m (Guest)

    I noticed a lot of eBay listings of PAP2. I personally emailed almost all
    of them and they always reply without answering the question whether
    it's really a pap2-na or just a pap2. I am extremely clear too on the matter.

    So beware!
    m, Dec 28, 2004
  6. Mitel Lurker (Guest)

    From what little has been written so far it looks like the -na variant is
    only available for new purchase through a voip service provider (other
    than Vonage). Also it's fairly apparent from the pricing that Linksys
    has/had no intention whatsoever of fielding 1st and 2nd level support
    calls from the actual end-user.

    Now as far as eBay goes, don't waste your time pestering the seller asking
    them if theirs is the -NA model. If the listing doesn't specifically say
    "NA" then take it safely on faith that it isn't one. They are in enough
    demand that anyone selling one would certainly be smart enough to
    differentiate that fact in his listing, and the world would surely beat a
    path to his door.
    Mitel Lurker, Dec 28, 2004
  7. Jeeves_Moss (Guest)

    Jeeves_Moss, Feb 11, 2005
  8. smoothy (Guest)

    If anyone is interested in the hardware specs, follow this link for
    pics and specs. That URL doesn't work :
    I too want to know how to unlock a pap2 device.
    Does the reset code work if you just get the pap2 out of the box and
    DO NOT connect it to the internet so it cannot download the xml?
    smoothy, Feb 11, 2005
  9. smoothy (Guest)

    Could you spoof to point to your tftp server and
    I downloaded that file with KugleSoft TFTP Server & Client, and
    it's an encrypted file :x
    I ordered 3 Vonage non-opened pap2, hope I can get it to work with
    stanaphone :
    smoothy, Feb 11, 2005
  10. Yaser Doleh (Guest)

    Most devices ask to download several config files. You will need to
    monitor the network traffic and see what the device is trying to download
    and from where. There is another file that is not encrypted that gets

    I use a different service that sent me a locked device and was able to
    unlock it by giving it a config file to download. The device specific
    file was encrypted but the device was also downloading a general config
    file which was not encrypted.

    Yaser Doleh, Feb 11, 2005
  11. will (Guest)

    Not to kick a dead horse (assuming this discussion is still of interest
    to some ppl), I've had some success following the advice in this
    thread, but alas, I'm still far from freeing the pap2 from the Vonage

    1.) Set up a tftp server on a network at home with a spaXXXXXXXXXXXX.xml
    file in /tftpboot and the same file in /tftpboot/YYYYYYYYYY. I know
    that the spaXXXXXXXXXXXX.xml file is dependent on the pap2 MAC, but I'm
    still unsure as to what determines the /tftpboot/YYYYYYYYYY
    designation. I think this may be a password used to derive a salt to
    decrypt spaXXXXXXXXXXXX.xml and verify its integrity. I also think
    that the /tftpboot/spaXXXXXXXXXXXX.xml file is identical to the
    /tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml file.
    2.) Configured my dhcp server to distribute a known ip address to the
    pap2 MAC.
    3.) Placed the pap2 on a separate subnet/interface.
    4.) Configured my firewall/router to redirect all requests originating
    from the pap2 to to a local tftp server on a separate
    subnet/interface. NATed all packets from the local tftp server to the
    pap2, so as to appear to be coming from
    5.) Connected the pap2 (with a default factory configuration) to the
    network and plugged in the power cord.

    The pap2 successfully connects to the local tftp server, downloads
    /tftpboot/spaXXXXXXXXXXXX.xml and
    /tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml, self-installs the firmware,
    reboots, and connects to Vonage via port 5060-5061.

    Now, I've tried replacing the spaXXXXXXXXXXXX.xml file with a
    spa2k-2.0.10e.bin file and renamed the tftpboot/YYYYYYYYYY directory to
    whatever the pap2 was asking for (obtained by tcpdump and ethereal),
    but the download stops abruptly when the pap2 returns an icmp packet
    with a "port unreachable" message. I think that in this case the
    spa2k-2.0.10e.bin (709K) is much bigger than spaXXXXXXXXXXXX.xml (29K), so
    the device rejects the firmware upload (probably due to a max file size

    I see two ways of getting around this problem:
    1.) Brute force the admin password from the pap2 prior to the Vonage
    firmware update and update the configurations via the pap2 web
    2.) Brute force the spaXXXXXXXXXXXX.xml file using openssl rc4 and some
    variation of the MAC/Serial Num/YYYYYYYYYY as the salt or password.

    Let me know what you think.
    will, Feb 22, 2005
  12. Yaser Doleh (Guest)

    spa2k-2.0.10e.bin and spaXXXXXXXXXXXX.xml are two completely different
    files. The first is a firmware upgrade and the second is a configuration.
    You don't need the firmware upgrade, and if you did it once, you don't
    need to do it again.

    If you have the firmware file, chances are the default passwords are
    stored in clear text in the file. Try to extract the strings from the
    file and see what you can find. On a UNIX type machine run

    % strings spa2k-2.0.10e.bin

    If you want, just email me the file and I can try for you.

    Yaser Doleh, Feb 22, 2005
  13. Shaker (Guest)

    Does anyone have a copy of the flash from an originally UNLOCKED PAP2?
    I would like to look at it.

    Shaker, Feb 22, 2005
  14. pr0m (Guest)

    So, what you're saying is that I could theoretically create my own
    unsalted config file, upload it, reboot, and the pap2 would be
    unencumbered? How do I go about creating a realistic config to replace
    the salted one? What are the parameters?

    Thanks for clearing up my misconception. I didn't know what the
    spaXXXXXXXXXXXX.xml file was for. I thought it might be a combination
    of the firmware update and config. At any rate, it's salted/encrypted
    so I don't know its actual contents. I ran 'strings
    spaXXXXXXXXXXXX.xml > strings.out' and got a bunch of short one-liners
    that looked like gobbledygook to me. Then I used the output file as the
    password file for hydra and pointed it at the pap2. No juice.

    At this point, I'm stuck with the two choices that I posted previously.
    Short of launching a full-blown brute force attack on the pap2 or its
    config, I'm not sure what to try next. Any more ideas?
    pr0m, Feb 23, 2005
  15. pr0m (Guest)

    Oh yeah, forgot to mention that I also tried 'strings spa2k-2.0.10e.bin
    pr0m, Feb 23, 2005
  16. smoothy (Guest)

    Could you please send me the PAP2-NA firmware? (.bin?)

    smoothy, Mar 12, 2005
  17. smoothy (Guest)

    Would be nice if someone, with the adequate hardware, could
    interrogate the NVRAM of a PAP2-NA and extract the firmware image.

    I don't know how to do that though :

    I've tried resetting the pap2, it indeed comes to factory defaults (I
    can see the web interface), but it keeps asking me a password to the
    Admin Area and once connected to the net, it starts to download
    Vonage firmware. :
    smoothy, Mar 12, 2005
  18. summiter (Guest)

    Based on reading the fragments of information spread across many sites
    and newsgroups, it's apparent *someone* knows the steps involved in
    getting into these things.

    The mysterious post on leads me to believe that all can
    be found by sniffing packets and perhaps some tftp craftiness
    (although the message on doesn't mention anything
    other than utilizing ethereal). The problem with that is after the
    tftp requests, the pap2 just sits there and doesn't try again.
    Someone mentioned that it may make a request for an unencrypted file,
    but so far all tftp requests to are for the
    mac-based .xml file.

    Anyone have some new thoughts? How about a source for a basic
    unencrypted xml config file?
    summiter, Mar 12, 2005
  19. summiter (Guest)

    You can dl a copy of a recent release here

    But I'm tellin' ya, there's no way to get it onto a "locked" pap2
    that I've found anyway.

    You can't simply rename it to the filename requested via tftp at boot.
    It starts to transfer then errors out before completion... probably
    because the device isn't expecting a firmware file, it's expecting a
    config file.

    There is a way to upload firmware to the pap2 via the web interface, but
    it requires the admin password... which is the problem we have in the
    first place.

    I just want to get this thing working with my Asterisk server. I
    already have Vonage on another device. But if I can't get it
    working, I'm cancelling Vonage and buying a pap2-na and going with
    another provider.
    summiter, Mar 12, 2005
  20. summiter (Guest)

    Could someone with access to a pap2-na send me the html source for the
    admin page or post it here please?

    My current thinking is that although authentication is required to
    access the admin pages, the data that is "posted" via those pages
    doesn't go through any sort of checking.

    I've noticed that the fields have numerical names. If I can find out
    the names of the fields for various admin config stuff, I might be
    able to inject those values somehow.

    I'm not sure how easy this will be though...

    I wish the person who had the walk-through on would
    speak up! =
    summiter, Mar 12, 2005
