Linksys PAP2 locked to Vonage, support people funny

Discussion in 'VOIP' started by Kyler Laird, Sep 8, 2004.

  1. Kyler Laird

    smoothy Guest

    summiterwrote
    Could someone with access to a pap2-na send me the html source fo
    the
    access the admin pages, the data that is "posted" via those page
    doesn't go through any sort of checking
    I thought the same, so searching some equivalent-sipura configs,
    found out that to upgrade the firmware via web interface, you have t
    do it this way
    http://PAP2-IP/admin/upgrade?http://yoursite.com/PAP2-bin-2-00-13-LSb.bi

    Still asks me for the admin password.. :
     
    smoothy, Mar 12, 2005
    #41
    1. Advertisements

  2. Kyler Laird

    summiter Guest

    PAP2-NA firmware is available. Getting it to load onto the PAP2 i
    the challenge. It's apparently not as simple as renaming it to th
    file requested by tftp. That results in the tftp session shuttin
    down before the transfer completes

    Would be nice if someone, with the adequate hardware, coul
    interrogate the NVRAM of a PAP2-NA an
    and extract the firmware image
    can see the web interface), but it keeps asking me a password to th
    Admin Area and once connected to the net, it starts to downloa
    vonage firmware. :
     
    summiter, Mar 12, 2005
    #42
    1. Advertisements

  3. Kyler Laird

    summiter Guest

    OK since I've already wasted my Friday night, I might as well lay ou
    what I've found

    I've successfully changed the firmware to two other versions, a .10LS
    and a .13LSb.

    It appears thought that the provider config is stored somewher
    outside of the main firmware, because despite flashing to differen
    versions, I am still prompted to enter a password for the admi
    pages, and the device still makes requests to a vonage tftp server

    I tried a factory reset after loading each firmware, and it didn'
    help

    I noticed that the device says it has a certificate installed. I'
    assuming this is what's used to authenticate/decrypt the .xml confi
    file the device is trying to load. If that's the case, then th
    configs are likely signed with a key unique to vonage, and tha
    pretty much ends that direction. I think that will likely preven
    the loading of some generic, yet properly compiled config file, sinc
    it won't be signed by vonage's key

    I read somewhere that older versions of the firmware had a particula
    vulnerability that allowed config access - does anyone recall wha
    that was about
     
    summiter, Mar 12, 2005
    #43
  4. Kyler Laird

    smoothy Guest

    summiterwrote
    I noticed that the device says it has a certificate installed. I'
    assuming this is what's used to authenticate/decrypt the .xml confi
    file the device is trying to load. If that's the case, then th
    configs are likely signed with a key unique to vonage, and tha
    pretty much ends that direction. I think that will likely preven
    the loading of some generic, yet properly compiled config file, sinc
    it won't be signed by vonage's key

    Besides the PAP2 provided by vonage (and which we all here are tryin
    to unlock) I also have a PAP2-NA, that was provided by my local VoI
    provider, and which I've reset once with the RESET# command (n
    password asked). That, indeed reseted the unit, was able to make i
    into the admin pages. And it also has the Clien
    Certificate:Installe
    thing. This unit doesnt download any particular configuration. It'
    just configured by hand using SIP proxy, user & password.

    By the way, let's suppose I want to cancel my account with Vonage. M
    credit card is "broken" (doesn't allow any charges). Vonage tries t
    charge me $40 disconnection fee.. And it cant do it... What happen
    then? Does Vonage like sue you to obtain the money? or just nothin
    happens at all and you just keep a useless pap2

    thanks
     
    smoothy, Mar 12, 2005
    #44
  5. Kyler Laird

    Jo Cloe Guest

    Is it really worth the effort when you can get a Sipura?

    On Sat, 12 Mar 2005 02:03:43 -0600,
     
    Jo Cloe, Mar 13, 2005
    #45
  6. Kyler Laird

    smoothy Guest

    Isn't there a way to trick the .htaccess file inside this thing t
    allow access to the /admin directory? That's how the authenticatio
    works, doesn't it
     
    smoothy, Mar 13, 2005
    #46
  7. Kyler Laird

    summiter Guest

    I'm sure they will send you to collections unless you talk them out o
    the fee

    As far as the certificate goes, I now believe it's only in place t
    enable HTTPS transfers of config info if the provider chooses tha
    mechanism

    I still haven't made any more progress on this thing..
    [quote:e93d20b655="summiter"]I noticed that the device says it has
    certificate installed. I'm assuming this is what's used t
    authenticate/decrypt the .xml config file the device is trying t
    load. If that's the case, then the configs are likely signed with
    key unique to vonage, and that pretty much ends that direction.
    think that will likely prevent the loading of some generic, ye
    properly compiled config file, since it won't be signed by vonage'
    key.I noticed that the device says it has a certificate installed.
    I'm assuming this is what's used to authenticate/decrypt the .xm
    config file the device is trying to load. If that's the case, the
    the configs are likely signed with a key unique to vonage, and tha
    pretty much ends that direction. I think that will likely preven
    the loading of some generic, yet properly compiled config file, sinc
    it won't be signed by vonage's key.[/quote:e93d20b655

    Besides the PAP2 provided by vonage (and which we all here are tryin
    to unlock) I also have a PAP2-NA, that was provided by my local VoI
    provider, and which I've reset once with the RESET# command (n
    password asked). That, indeed reseted the unit, was able to make i
    into the admin pages. And it also has the Clien
    Certificate:Installe
    thing. This unit doesnt download any particular configuration. It'
    just configured by hand using SIP proxy, user & password.

    By the way, let's suppose I want to cancel my account with Vonage. M
    credit card is "broken" (doesn't allow any charges). Vonage tries t
    charge me $40 disconnection fee.. And it cant do it... What happen
    then? Does Vonage like sue you to obtain the money? or just nothin
    happens at all and you just keep a useless pap2

    thanks.[/quote:e93d20b655
     
    summiter, Mar 13, 2005
    #47
  8. Kyler Laird

    summiter Guest

    Naw, that's not really possible...but I wouldn't be surpised if ther
    were some "backdoor" somewhere in the http interface

    Still stumped...
    Isn't there a way to trick the .htaccess file inside this thing t
    allow access to the /admin directory? That's how the authenticatio
    works, doesn't it
     
    summiter, Mar 13, 2005
    #48
  9. Kyler Laird

    smoothy Guest

    summiterwrote
    Naw, that's not really possible...but I wouldn't be surpised if ther
    were some "backdoor" somewhere in the http interface
    Isn't there a way to trick the .htaccess file inside this thing t
    allow access to the /admin directory? That's how the authenticatio
    works, doesn't it?[/quote:44bc0aae47

    Figured out that my local VoIP provider doesn't configure the setting
    by hand, but using a program that loads the config into the ATA
    For instance, when you go to the voice menu on the Linksys RT31P2 i
    just says "Contact your service provider". No manual confi
    whatsoever...
    I need to get my hands onto that proggie.
     
    smoothy, Mar 14, 2005
    #49
  10. Kyler Laird

    smoothy Guest

    Jo Cloewrote
    Is it really worth the effort when you can get a Sipura

    Well.. let's say that I want to make it worthy for the money I pai
    for the PAP2... :
     
    smoothy, Mar 14, 2005
    #50
  11. Kyler Laird

    Rick Merrill Guest

    You think you're going to hack it! Not.
     
    Rick Merrill, Mar 14, 2005
    #51
  12. Kyler Laird

    0pt1c0n Guest

    Anyone having any luck with this??

    I really need to get this device unlocked, lol
     
    0pt1c0n, Mar 15, 2005
    #52
  13. Kyler Laird

    Isaiah Beard Guest

    smoothy wrote:

    s suppose I want to cancel my account with Vonage. My
    It's likely that they'll refer you to a collections agency: Vonage may
    or may not report the debt as unpaid to your credit report, then "sell"
    the debt to a collection agency, who then makes it their task to cajole,
    harrass and threaten you till you decide to pay up. If you have a
    strong will and don't mind a bad mark on your credit rating, then have
    at. :)

    For me, it's not worth the hassle. If I ever cancel my Vonage service,
    they can have their useless PAP2 back.
     
    Isaiah Beard, Mar 17, 2005
    #53
  14. Kyler Laird

    smoothy Guest

    summiterwrote
    It appears thought that the provider config is stored somewher
    outside of the main firmware, because despite flashing to differen
    versions, I am still prompted to enter a password for the admi
    pages, and the device still makes requests to a vonage tftp server
    According to http://www.phone4internet.com/linksys_IVR.htm
    there's a "provisoning" option where you can specify where the pap
    should download it's configuration.
     
    smoothy, Mar 18, 2005
    #54
  15. Kyler Laird

    arsh Guest

    Hi All,
    I just read this one on the net, I do not have one handy to try. Would
    someone willing to try and post the results. Thanks.

    UPDATE
    Well it appers that Vonage let ~some~ info slip this morning around
    5am. The master reset is "73738" and the password is "7756112". for
    those of you who don't know what a master rest is (and all tose who
    have e-mailed me insted of trying the codes), it ONLY resets the unit
    BACK to the ORIGNAL factory settings. DON'T e-mail me with "your code
    didden't unlock my unit".. The next person who sends me an e-mail like
    that is going to get blasted!!!
     
    arsh, Mar 19, 2005
    #55
  16. Kyler Laird

    william Guest

    I can get the PAP2 unlock unit. They sell for around $75.00. The one
    that are all ready locked by Vonage are not worth the trouble. I ge
    them directly from cisco
     
    william, Mar 25, 2005
    #56
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.