havarian
join:2005-10-27
|  [Vonage] Unlock PAP2 previously connected to vonage
to unlock your PAP2 that was previously connected to vonage, you need to revert back to an old firmware.
there are 2 ways of doing this
1-get an old firmware (prefarably 2.0.9d)
2-change the version to a newer version using the following steps
- pap22spa -v 4.0.1 pap2firmware spa2firmware
- spa2pap2 -v 4.0.1 spa2firmware pap2firmware
-install tftp server and put the firmware, you might also need to add spaxxxxxx.xml to the ftp folder
-install dns server
-restart the pap2, it will download the firmware
the other option is through forcing the device into failsafe mode. this is dangerous and if you missed up, you might destroy your device.
the following link describe how to enter linksys router wrt54g into failsafe mode. you'll need to do the same procedure but the pin diagram for the flash in pap2 might be different.
check this link:
»voidmain.is-a-geek.net:81/redhat···val.html |
|
rizzo2dial
Premium
join:2004-08-05
| said by havarian  :to unlock your PAP2 that was previously connected to vonage, you need to revert back to an old firmware. there are 2 ways of doing this 1-get an old firmware (prefarably 2.0.9d) 2-change the version to a newer version using the following steps - pap22spa -v 4.0.1 pap2firmware spa2firmware - spa2pap2 -v 4.0.1 spa2firmware pap2firmware -install tftp server and put the firmware, you might also need to add spaxxxxxx.xml to the ftp folder -install dns server -restart the pap2, it will download the firmware Have you actually tested the above recently with a PAP2 less than 6 months old? My guess is it'll only work if you:
a) Place a copy of your actual Vonage encrypted spaxxxxxxxxxxxx.xml in your TFTP Root, and
b) The Vonage XML file is configured to load a newer version of firmware than you currently have installed on your PAP2.
In other words, you need to disconnect your PAP2 from the internet NOW and wait until Vonage rolls out a new firmware update to attempt the above.
BTW, do you have PAP2 firmware 2.0.9d?
said by havarian :the other option is through forcing the device into failsafe mode. this is dangerous and if you missed up, you might destroy your device. the following link describe how to enter linksys router wrt54g into failsafe mode. you'll need to do the same procedure but the pin diagram for the flash in pap2 might be different. check this link: » voidmain.is-a-geek.net:81/redhat···val.html I doubt this too will work since the PAP2 doesn't have a DHCP SERVER. Again, have you tried this?
Rizzo |
|
mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
| reply to havarian
Re: [Vonage] Unlock PAP2 previously connected to v
said by havarian :to unlock your PAP2 that was previously connected to vonage, you need to revert back to an old firmware. Unless you have successfully done so, I doubt what you said on the above is true. The locking mechanism employed on a PAP2 has nothing to do with the firmware. You could upgrade your locked PAP2 unit with a PAP2-NA firmware (provided you are allowed, i.e. know the password), yet your PAP2 that has been locked by Vonage will still remain locked. So, reverting back to an older firmware will do no good. Just think of the common sense on this:
Take any virgin Linksys PAP2 unit (which is factory locked). Then, flash it with an older firmware and it will still be unlocked. Since you had brought up about SAFE mode, can you explain what a SAFE mode is in your own words? The reason I asked such a stupid question is I want to know if you really understand how the SAFE mode can be used to unlock PAP2 units.
If a locked PAP2 unit runs on a SAFE mode requires no password to factory reset the unit, then what you said here is true and can be considered as a preliminary step used to unlock the locked PAP2 as explained in this thread. |
|
havarian
join:2005-10-27
| reply to rizzo2dial
Re: [Vonage] Unlock PAP2 previously connected to vonage
first, yes I have pap2 version 2.0.9d.
you're right about waiting for vonage to roll out a new firmware. but you don't need to disconnect from the internet now. all you need to do is to block access to ls.tftp.vonage.net especially for ports 21 69 2400.
I got my spaxxxx.xml from vonage and I decrypted and it has interesting information about how is the upgrade procedure work.
one more info that might be helpful , there is log message sent from PAP2 to vonage informing about the success of firmware upgrade or for requesting firmware upgrade.
another interesting info, there might be more than 1 spaxxxx.xml for each device but in different locations. so, a device that had a factory reset, will download a different config file.
Regarding failsafe mode, if you managed to let the device think that the flash memory is not ready or empty, it will enter safe mode. and since it can't read the flash, it will not get the password |
|
havarian
join:2005-10-27
| reply to mazilo
Re: [Vonage] Unlock PAP2 previously connected to v
The newer firmware versions doesn't accept non encrypted XML config file nor allowing firmware upgrade without admin password.
If you moved back to an older firmware on a locked device it will remain locked, but some older firmware like 2.0.9d accept non encrypted XML config file where you can set the admin password yourself.
other firmware versions accept firmware upgrade without asking for admin password, it only require user password. |
|
mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
| reply to havarian
said by havarian :Regarding failsafe mode, if you managed to let the device think that the flash memory is not ready or empty, it will enter safe mode. and since it can't read the flash, it will not get the password Some of us already known this issue regarding the failsafe option; however, your OP did not mention any offer to prove that this failsafe mode will not ask for a password. For one thing, do you know if the passwords really reside on the flash memory and not the ROM? Until you have tried your theory to prove, please don't avoid to answer the questions we have thrown in earlier, i.e. have you tried this? We all are very eager to know, too, and hope you have the answers. |
|
mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
| reply to havarian
said by havarian :If you moved back to an older firmware on a locked device it will remain locked, but some older firmware like 2.0.9d accept non encrypted XML config file where you can set the admin password yourself. A lot of people have known this flaw before you. If you do a search on Google, you will find out lots of posts asking for this particular v2.0.9d firmware and no where to be found. If you have this v2.0.9d firmware, you are sure welcome to forward a copy to me (I will let you know my e-mail address through a PM). That way, we can find a means to re-distribute the v2.0.9d firmware. Do you have the v2.0.9d firmware? |
|
havarian
join:2005-10-27 | I have it inside my PAP2, do you know how to get it out? |
|
havarian
join:2005-10-27 | reply to mazilo
I didn't try it because I have have version 2.0.9d in my PAP2 and I unlocked the device.
There are 3 files in the flash, the firmware, loader, and the config file. |
|
mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
| reply to havarian
said by havarian :I have it inside my PAP2, do you know how to get it out? Some people had tried to get a copy of this v2.0.9d off the Internet as well as off a PAP2 unit; however, to this date, I have yet to find and hear from any individual who has a success story about this. |
|
mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
| reply to havarian
said by havarian :I didn't try it because I have have version 2.0.9d in my PAP2 and I unlocked the device. It would be nice if you had tried this theory of yours and to prove it before starting to post in any forum telling people on how to do it.
Also, do you have a hard proof of what you said earlier about the fail-safe mode or did you just make an assumption? FYI, here is what you had said about the fail-safe mode and I quoted below:
said by havarian :Regarding failsafe mode, if you managed to let the device think that the flash memory is not ready or empty, it will enter safe mode. and since it can't read the flash, it will not get the password |
|
havarian
join:2005-10-27 | why don't you use spa2k-2-00-09-d.bin, it's available everywhere.
the web interfaces are identical except for the logo and background color. |
|
mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
| said by havarian :why don't you use spa2k-2-00-09-d.bin, it's available everywhere. I don't need neither Linksys nor Sipura v2.0.9d firmware; however, since your OP stated about how to unlock a PAP2 unit with a preferable v2.0.9d old firmware for your unproven theory, all we want here is for you to substantiate what you had said here. So far, you had started this thread to claim something you had no proofs. And, you had not answered my question regarding what you had said about the proof of fail-safe mode and I quoted below:
said by havarian :Regarding failsafe mode, if you managed to let the device think that the flash memory is not ready or empty, it will enter safe mode. and since it can't read the flash, it will not get the password If you still can't substantiate what you had said as quoted above, I believe your OP is just a hoax here to get attention. AFAIC, this is a junk; however, to others who are desperate and know nothing (not techies) may try your unproven theory that may lead them to fry their PAP2 units. I just hope people will read all through this thread before going ahead to take the risks to test your unproven theory. You still have the last resort to contact the mods to remove this thread before such incidents will happen to cause some griefs. Just my $0.02. |
|
sheik28
Premium
join:2000-10-15
New York, NY
 ·1and1
 ·Packet8
| reply to havarian
Re: [Vonage] Unlock PAP2 previously connected to vonage
Or you could just check this thread...»[PAP2] Unlocking Guide
--
There is no such thing as a stupid question, and yes, the camel types.  |
|
rizzo2dial
Premium
join:2004-08-05
edit:
November 3rd, @02:35PM
| reply to havarian
said by havarian :I got my spaxxxx.xml from vonage and I decrypted and it has interesting information about how is the upgrade procedure work. one more info that might be helpful , there is log message sent from PAP2 to vonage informing about the success of firmware upgrade or for requesting firmware upgrade. Which line(s) in the decrypted config file indicate that the PAP2 sends a LOG MESSAGE back to Vonage? (I see the stuff about resynchronization). The reason I'm asking is I'm going to be releasing a utility soon to make it easier for people to obtain their PAP2 config files:
»[PAP2] Coming soon...
said by havarian :another interesting info, there might be more than 1 spaxxxx.xml for each device but in different locations. so, a device that had a factory reset, will download a different config file. There's no MIGHT about it. I already figured this out a moth ago:
»SOLVED: Virgin GPP_K different than XML GPP_K
said by havarian :you're right about waiting for vonage to roll out a new firmware. but you don't need to disconnect from the internet now. all you need to do is to block access to ls.tftp.vonage.net especially for ports 21 69 2400. Actually, my previously posted suggestion of disconnecting from the internet and waiting for a new firmware upgrade won't work. If your PAP2 has been connected to the internet and has already received an upgraded config file, it now has a new GPP_D and GPP_K key installed. Vonage has made changes to their TFTP process making it difficult (if not impossible) for a subsequent TFTP client to download an already downloaded GPP_D based update file. Thus, even if Vonage rolls out a newer firmware file, if you can't feed your adapter a properly ENCRYPTED spaXXXXXXXXXXXX.xml file (w/ the adapter's currently stored GPP_K value), spoofing Vonage's TFTP server won't instruct your adapter to grab the firmware file.
Then again, Vonage applies firmware updates via HTTP (from a different URL), so a working solution should in theory be to allow the adapter to connect to Vonage's actual TFTP server but spoof their HTTP server for the firmware file update. I'll have to give that one a little more thought and post a possible solution.
Rizzo |
|
rcilink
Premium
join:2003-12-15
Manchester, NH
| If they had the 'syslog server' configured with an IP address, it would send back a success or failure.
I have it configured on a test box at home, and can see everything.. it even tells me when the PAP2 is booted, with a reason code.
Other things change how much info u get back, for example: the debug level must be set (multiple places).
As for vonage seeing it, i doubt it. I do believe that they see the first TFTP file get downloaded. They hold the second file (not available for d/l) until they see a SIP REGISTER come from your PAP2 with the settings from the first tftp config. Then, the second TFTP file becomes available. (only a guess, i did not test this) |
|
