Linksys PAP2 locked to Vonage, support people funny

summiterwrote
Could someone with access to a pap2-na send me the html source fo
the

access the admin pages, the data that is "posted" via those page
doesn't go through any sort of checking
I thought the same, so searching some equivalent-sipura configs,
found out that to upgrade the firmware via web interface, you have t
do it this way
http://PAP2-IP/admin/upgrade?http://yoursite.com/PAP2-bin-2-00-13-LSb.bi

Still asks me for the admin password.. :

 

PAP2-NA firmware is available. Getting it to load onto the PAP2 i
the challenge. It's apparently not as simple as renaming it to th
file requested by tftp. That results in the tftp session shuttin
down before the transfer completes

Would be nice if someone, with the adequate hardware, coul
interrogate the NVRAM of a PAP2-NA an
and extract the firmware image

can see the web interface), but it keeps asking me a password to th
Admin Area and once connected to the net, it starts to downloa
vonage firmware. :

 

OK since I've already wasted my Friday night, I might as well lay ou
what I've found

I've successfully changed the firmware to two other versions, a .10LS
and a .13LSb.

It appears thought that the provider config is stored somewher
outside of the main firmware, because despite flashing to differen
versions, I am still prompted to enter a password for the admi
pages, and the device still makes requests to a vonage tftp server

I tried a factory reset after loading each firmware, and it didn'
help

I noticed that the device says it has a certificate installed. I'
assuming this is what's used to authenticate/decrypt the .xml confi
file the device is trying to load. If that's the case, then th
configs are likely signed with a key unique to vonage, and tha
pretty much ends that direction. I think that will likely preven
the loading of some generic, yet properly compiled config file, sinc
it won't be signed by vonage's key

I read somewhere that older versions of the firmware had a particula
vulnerability that allowed config access - does anyone recall wha
that was about

 

summiterwrote
I noticed that the device says it has a certificate installed. I'
assuming this is what's used to authenticate/decrypt the .xml confi
file the device is trying to load. If that's the case, then th
configs are likely signed with a key unique to vonage, and tha
pretty much ends that direction. I think that will likely preven
the loading of some generic, yet properly compiled config file, sinc
it won't be signed by vonage's key

Besides the PAP2 provided by vonage (and which we all here are tryin
to unlock) I also have a PAP2-NA, that was provided by my local VoI
provider, and which I've reset once with the RESET# command (n
password asked). That, indeed reseted the unit, was able to make i
into the admin pages. And it also has the Clien
Certificate:Installe
thing. This unit doesnt download any particular configuration. It'
just configured by hand using SIP proxy, user & password.

By the way, let's suppose I want to cancel my account with Vonage. M
credit card is "broken" (doesn't allow any charges). Vonage tries t
charge me $40 disconnection fee.. And it cant do it... What happen
then? Does Vonage like sue you to obtain the money? or just nothin
happens at all and you just keep a useless pap2

thanks

 

Is it really worth the effort when you can get a Sipura?

On Sat, 12 Mar 2005 02:03:43 -0600,

 

Isn't there a way to trick the .htaccess file inside this thing t
allow access to the /admin directory? That's how the authenticatio
works, doesn't it

 

I'm sure they will send you to collections unless you talk them out o
the fee

As far as the certificate goes, I now believe it's only in place t
enable HTTPS transfers of config info if the provider chooses tha
mechanism

I still haven't made any more progress on this thing..

[quote:e93d20b655="summiter"]I noticed that the device says it has
certificate installed. I'm assuming this is what's used t
authenticate/decrypt the .xml config file the device is trying t
load. If that's the case, then the configs are likely signed with
key unique to vonage, and that pretty much ends that direction.
think that will likely prevent the loading of some generic, ye
properly compiled config file, since it won't be signed by vonage'
key.I noticed that the device says it has a certificate installed.
I'm assuming this is what's used to authenticate/decrypt the .xm
config file the device is trying to load. If that's the case, the
the configs are likely signed with a key unique to vonage, and tha
pretty much ends that direction. I think that will likely preven
the loading of some generic, yet properly compiled config file, sinc
it won't be signed by vonage's key.[/quote:e93d20b655

Besides the PAP2 provided by vonage (and which we all here are tryin
to unlock) I also have a PAP2-NA, that was provided by my local VoI
provider, and which I've reset once with the RESET# command (n
password asked). That, indeed reseted the unit, was able to make i
into the admin pages. And it also has the Clien
Certificate:Installe
thing. This unit doesnt download any particular configuration. It'
just configured by hand using SIP proxy, user & password.

By the way, let's suppose I want to cancel my account with Vonage. M
credit card is "broken" (doesn't allow any charges). Vonage tries t
charge me $40 disconnection fee.. And it cant do it... What happen
then? Does Vonage like sue you to obtain the money? or just nothin
happens at all and you just keep a useless pap2

thanks.[/quote:e93d20b655

 

Naw, that's not really possible...but I wouldn't be surpised if ther
were some "backdoor" somewhere in the http interface

Still stumped...

Isn't there a way to trick the .htaccess file inside this thing t
allow access to the /admin directory? That's how the authenticatio
works, doesn't it

 

summiterwrote
Naw, that's not really possible...but I wouldn't be surpised if ther
were some "backdoor" somewhere in the http interface

Isn't there a way to trick the .htaccess file inside this thing t
allow access to the /admin directory? That's how the authenticatio
works, doesn't it?[/quote:44bc0aae47

Figured out that my local VoIP provider doesn't configure the setting
by hand, but using a program that loads the config into the ATA
For instance, when you go to the voice menu on the Linksys RT31P2 i
just says "Contact your service provider". No manual confi
whatsoever...
I need to get my hands onto that proggie.

 

Jo Cloewrote
Is it really worth the effort when you can get a Sipura

Well.. let's say that I want to make it worthy for the money I pai
for the PAP2... :

 

You think you're going to hack it! Not.

 

Anyone having any luck with this??

I really need to get this device unlocked, lol

 

smoothy wrote:

s suppose I want to cancel my account with Vonage. My

It's likely that they'll refer you to a collections agency: Vonage may
or may not report the debt as unpaid to your credit report, then "sell"
the debt to a collection agency, who then makes it their task to cajole,
harrass and threaten you till you decide to pay up. If you have a
strong will and don't mind a bad mark on your credit rating, then have
at.

For me, it's not worth the hassle. If I ever cancel my Vonage service,
they can have their useless PAP2 back.

 

summiterwrote
It appears thought that the provider config is stored somewher
outside of the main firmware, because despite flashing to differen
versions, I am still prompted to enter a password for the admi
pages, and the device still makes requests to a vonage tftp server
According to http://www.phone4internet.com/linksys_IVR.htm
there's a "provisoning" option where you can specify where the pap
should download it's configuration.

 

Hi All,
I just read this one on the net, I do not have one handy to try. Would
someone willing to try and post the results. Thanks.

UPDATE
Well it appers that Vonage let ~some~ info slip this morning around
5am. The master reset is "73738" and the password is "7756112". for
those of you who don't know what a master rest is (and all tose who
have e-mailed me insted of trying the codes), it ONLY resets the unit
BACK to the ORIGNAL factory settings. DON'T e-mail me with "your code
didden't unlock my unit".. The next person who sends me an e-mail like
that is going to get blasted!!!

 

I can get the PAP2 unlock unit. They sell for around $75.00. The one
that are all ready locked by Vonage are not worth the trouble. I ge
them directly from cisco