 SadMan6
join:2003-01-10
| RT31P2 Unlock thoughts??
Anybody managed to unlock those things?
I've tried several approaches but no success so far.
So some info I managed to get:
1. If you have the -NA version of the firmware, then to make the unit accept it, it seems you have to modify it the same way you modify spa2000 firmware for pap2 (rt31p2 firmware consists of 2 modules: 1 for the marvell chip, arm946, the other one for the visba3 chip, in general the same format firmware as for spa2000; search for "LsInTeG" to find the start point). After modification it looks like it accepts the firmware, but the problem is you need the admin??? password to update it. Same with the original vonage firmware.
2. The unit I have has a 20pin JTAG unpopulated connector, hri.sourceforge.net/tools/jtag_faq_org.html it works, but the problem is I couldn't find any datasheets for the marvell chipset; all that is known is that it has an arm946 core.
3. Other way is to try Administration/Backup and Restore, this is probably dead end but who knows. You can see in those files UserPassword and SIPloginPassword if you invert file.
Just some thoughts - may be a hint for somebody... |
|
 rcilink Premium join:2003-12-15 Manchester, NH
| I do not have a RT31P2. Which Sipura box does it resemble the most?
At the risk of guessing wrong, and bricking the box, have you tried patching a sipura 2000 firmware and then uploading it to the RT31P2 box? (From what you wrote, it sounds like you tried a -NA version of RT31P2 firmware, right?)
I am working on another technique, for those 'hard to unlock' boxes. If it works, more will be posted.. Someone is testing it now, so stay tuned. |
|
 Hilbe
join:2002-12-13 | reply to SadMan6 I have a spare unit if you want to send me anything to test... |
|
 SadMan6
join:2003-01-10
| reply to rcilink rcilink:
It looks like it's spa2000/PAP2 + routing hardware & software (I have the admin manual, it's the same file for both RT31P2 & PAP2; the wireless version I think is the same also, if you take a look inside you can find unpopulated space for RF parts on the RT31P2 board), and yes I patched RT31P2-NA firmware, but in the middle of the process it asks for a password. So if there was a method of feeding this firmware to the unit it could work, the major difference between PAP2 & RT31P2.
Can you give a clue what technique you are talking about? |
|
 mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA | reply to SadMan6 This is just a thought:
Have you tried to see if a factory reset your RT31P2 unit before the firmware upgrade will do the trick? Please make the necessary save/backup before you perform the factory reset. |
|
 SadMan6
join:2003-01-10
| In distinction from PAP2, RT31P2 has a reset button; also there is unpopulated space for a jumper on the board for resetting the Visba 3 chip. I also tried, no luck. Standard reset clears only the router part of the unit, not the voice part; the jumper doesn't seem to work at all, except when it's in the reset position you get "router is still booting" on the voice tab of the menu. The RT31P2-NA version behaves differently, so I guess that depends on firmware. |
|
 mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA | reply to SadMan6 Perhaps, one will need an RT31P2-NA boot prom flashed to a non RT31P2-NA unit before flashing it with a -NA firmware. Can anyone find the RT31P2-NA boot prom? |
|
 SadMan6
join:2003-01-10
| The question is how to feed firmware (or prom) to unit. I have a mod -NA firmware which may work.
The only way I see right now is to wait for another firmware update to come, feed unit with .XML from Vonage, then spoof vonage firmware ftp server. |
|
  g-nexus
@comcast.net
| reply to SadMan6 According to Sipura the rom is burned in at factory with certain provider settings. Although they did not produce the device and the information could be incorrect I would assume that the information is correct. Therefore the only solution would be to replace, or reprogram if possible, the rom chip. It is likely that someone has attempted this unsuccessfully as otherwise there would be thousands of these units on Ebay for sale.
Additionally, IF you manage to succeed, which is doubtful, I would personally be VERY hesitant to discuss the matter here unless you are certain you cannot be tracked by your BBR registration info. If successful RT31P2 hacking information became widely known Linksys and Vonage would be rather upset, much more so than with the PAP2.
But PLEASE, keep working on it! And keep posting if you have success stories! We are ALL dying to know the solution! While you're at it please tackle the WRT54GP2! I'd bet funding is available for the first successful entrepreneur. |
|
 mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA
| reply to SadMan6 Hi SadMan,
Can you locate the flash memory on your RT31P2 unit? If so, you may want to read this article on how to get your RT31P2 into a fail-safe mode. According to Havarian's recent post, and I quoted below:
said by havarian: "Regarding failsafe mode, if you managed to let the device think that the flash memory is not ready or empty, it will enter safe mode. and since it can't read the flash, it will not get the password"
Can you give that a try? |
|
 SadMan6
join:2003-01-10 | Yeap, will try. The only complication is that RT31P2 has 2 flashes (each for voice and router processors)... |
|
 mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA
| said by SadMan6: "Yeap, will try. The only complication is that RT31P2 has 2 flashes (each for voice and router processors)..."
I reckon what you want to find out is to first do this hack on the VoIP flash memory that locks its unit with a password. If that fails, you may need to do both flash memories at the same time to see if that will do the trick.
In either case, please take the necessary precautions not to short other pins and render your RT31P2 unit useless. Do it at your own discretion only. |
|
  jsusek Johnsolo.Net
join:2003-12-10 Dekalb, IL | reply to SadMan6 Any news on this? |
|
  jsusek Johnsolo.Net
join:2003-12-10 Dekalb, IL | no dice? |
|
 mikenelis
join:2005-10-31 Hinsdale, MA
| reply to SadMan6 Hello,
I have managed to disconnect the voice unit from the router and attached a lan module from an old motherboard.
The voice gets an IP and will constantly send UDP packets to an address around 234.4.4.4??? on port 46000 I think (I don't know it off hand).
Hope this helps |
|
 mikenelis
join:2005-10-31 Hinsdale, MA
| reply to SadMan6 Sorry to double post but, I think the password of the voice page may be on the router and not the voice part.
Also when the router is connected, as I mentioned earlier it will send UDP packets then restart, I guess it's waiting for a response and times out.
Hope this helps |
|
 rcilink Premium join:2003-12-15 Manchester, NH | reply to mikenelis Can you take pics?? I would really like to see the hack you have made.. |
|
 mikenelis
join:2005-10-31 Hinsdale, MA | reply to SadMan6 Sorry I haven't got a camera. |
|
 rcilink Premium join:2003-12-15 Manchester, NH
edit: December 16th, @09:58PM
| OK, I just took mine apart.. can you explain what you removed or cut to get the voice disconnected from the realtek chip?
Please see attached pic of the insides of the RT31P2. |
|
 mikenelis
join:2005-10-31 Hinsdale, MA
| Hi, sure
I took off the circled transformer, as this is the one that connects it to the routing chip.
Then I soldered on a motherboard lan header module in its place, and connected the module to my computer and gave it an IP.
I will try and find an ethereal trace from somewhere as the router is in my other house over Xmas.
Mike |
|