Linksys PAP2 locked to Vonage, support people funny

Yes I would like to know too...

I have a pap2-na and if someone will tell me how to get the firmware off it I will do it.. long as it leaves mine functional.. (I use it every day with fwd .. and different providers)

not to mention asterisk.

I am trying to find a way to buy a unit from Vonage from my local radio shack or best buy or whatever and stay on long enough to get my mail-in rebate, then cancel if possible, then see if I can copy the firmware from my unlocked na model to the Vonage model.. then save like $15-16 per unit and give them as gifts to friends pre registered with Freeworlddial.com accounts and send a msg to hook em up and dial my fwd ...

anyone?!

I really would like to try it.. anyone have a locked one and up to try this.. ??

m.

Dust> What is SPC?

Reply to
m

ok

well after some googling I was able to find this.. for locked pap2 you can unlock it by performing a factory reset over the IVR IF YOU HAVE THE PASSWORD. To get to the IVR hit "****" while connected over the phone. The factory reset command is "73738#". You will be asked for a password.

Now the questi> Yes I would like to know to...

Reply to
m

Same exact reset code as the Sipura. When I left Broadvoice, I was able to reset my Sipura 1000 since they do not lock the hardware.

formatting link
By factory default there is no password and no password authentication is prompted for all the IVR settings. If administrator password is set, password authentication will be prompted for certain IVR settings.

Enter IVR Menu * * * *

Ignore SIT or other tones until you hear, "Sipura configuration menu. Please enter option followed by the pound key or hang-up to exit."

Factory Reset of Unit 73738 Enter 1 to confirm

SPA will prompt for confirmation. After confirming, you will hear Option Successful. Hang up. Unit will reboot and all configuration parameters will be reset to factory default values.

Reply to
pl

Well I have the unlocked pap2-na so I can't try that; mine works good, very open for changes.. anyone have the locked one and willing to give it a try.. I can bet there are a ton of people dying to know if it works and what you did. maybe do it before you go away someplace. and have another phone you can use so you can call Vonage and tell them your rented box is messed up leaving time for them to send you another lol...

Someone hurry up and try this.. i wanna buy these things as gifts and send them setup with fwd numbers so I can call my LD buddies...

m.

pl wrote:

Reply to
m

I noticed a lot of eBay listings of PAP2. I personally emailed almost all of them and they always reply without answering the question whether it's really a pap2-na or just a pap2. I am extremely clear too on the matter

So beware!

m wrote:

Reply to
m

From what little has been written so far it looks like the -na variant is only available for new purchase through a voip service provider (other than Vonage). Also it's fairly apparent from the pricing that Linksys has/had no intention whatsoever of fielding 1st and 2nd level support calls from the actual end-user.

Now as far as eBay goes, don't waste your time pestering the seller asking them if theirs is the -NA model. If the listing doesn't specifically say "NA" then take it safely on faith that it isn't one. They are in enough demand that anyone selling one would certainly be smart enough to differentiate that fact in his listing and the world would surely beat a path to his door.

Reply to
Mitel Lurker <wdg

If anyone is interested in the hardware specs, follow this link for pics and specs.

formatting link

Reply to
Jeeves_Moss

Could you spoof ls.tftp.vonage.net to point to your tftp server and provide

I downloaded that file with KugleSoft TFTP Server & Client, and it's an encrypted file :x

I ordered 3 vonage-non-opened pap2, Hope I can get it to work with stanaphone :(

Reply to
smoothy

If anyone is interested in the hardware specs, follow this link for pics and specs.

That URL doesn't work :(

I too want to know how to unlock a pap2 device.

Does the reset code work if you just get the pap2 out of the box and DO NOT connect it to the internet so it cannot download the xml?

Reply to
smoothy

Most devices ask to download several config files. You will need to monitor the network traffic and see what the device is trying to download from where. There is another file that is not encrypted that gets downloaded.

I use a different service that sent me a locked device and was able to unlock it by giving it a config file to download. The device specific file was encrypted but the device was also downloading a general config file which was not encrypted.

Yaser

Reply to
Yaser Doleh
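The traffic monitoring described in the post above comes down to reading TFTP read requests off the wire. The following is an added example, not part of the original thread: a decoder for the request packet format (RFC 1350, with RFC 2347 options) that lists which files each client asked for. The capture, IP address, and file names are constructed placeholders.

```python
import struct
from collections import OrderedDict

RRQ, WRQ = 1, 2  # request opcodes, RFC 1350

def parse_tftp_request(payload: bytes) -> dict:
    """Decode the UDP payload of a TFTP read/write request.

    Layout: 2-byte opcode, then NUL-terminated strings: filename, mode,
    and optional option/value pairs (RFC 2347).
    """
    if len(payload) < 6 or not payload.endswith(b"\x00"):
        raise ValueError("truncated or unterminated TFTP request")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError(f"opcode {opcode} is not a request")
    fields = [f.decode("ascii", "replace") for f in payload[2:-1].split(b"\x00")]
    if len(fields) < 2 or len(fields) % 2 or not fields[0]:
        raise ValueError("malformed request fields")
    return {
        "op": "RRQ" if opcode == RRQ else "WRQ",
        "filename": fields[0],
        "mode": fields[1].lower(),
        "options": {fields[i].lower(): fields[i + 1] for i in range(2, len(fields), 2)},
    }

def files_requested(packets):
    """Map each client IP to the distinct files it asked for, in order seen."""
    seen = OrderedDict()
    for src_ip, payload in packets:
        try:
            req = parse_tftp_request(payload)
        except ValueError:
            continue  # DATA/ACK/ERROR or junk: not a request
        names = seen.setdefault(src_ip, [])
        if req["op"] == "RRQ" and req["filename"] not in names:
            names.append(req["filename"])
    return dict(seen)

# Constructed capture: (source IP, UDP payload). File names are placeholders.
SAMPLE = [
    ("192.0.2.10", b"\x00\x01spa000000000001.xml\x00octet\x00"),
    ("192.0.2.10", b"\x00\x04\x00\x01"),  # ACK for block 1, ignored
    ("192.0.2.10", b"\x00\x01EXAMPLEDIR/spa000000000001.xml\x00octet\x00blksize\x001428\x00"),
    ("192.0.2.10", b"\x00\x01spa000000000001.xml\x00octet\x00"),  # retry
]

if __name__ == "__main__":
    for ip, names in files_requested(SAMPLE).items():
        print(ip, names)
```

TFTP carries no authentication or integrity protection, so anything on the path can see these names and the file contents, which is why providers encrypt the per-device profile.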

not to kick a dead horse (assuming this discussion is still of interest to some ppl), i've had some success following the advice in this thread, but alas, i'm still far from freeing the pap2 from the vonage hegemony.

1.) setup a tftp server on a network at home with a spaXXXXXXXXXXXX.xml file in /tftpboot and the same file in /tftpboot/YYYYYYYYYY. i know that the spaXXXXXXXXXXXX.xml file is dependent on the pap2 MAC, but i'm still unsure as to what determines the /tftpboot/YYYYYYYYYY designation. i think this may be a password used to derive a salt to decrypt spaXXXXXXXXXXXX.xml and verify its integrity. i also think that /tftpboot/spaXXXXXXXXXXXX.xml file is identical to /tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml file.

2.) configured my dhcp server to distribute a known ip address to the pap2 MAC.

3.) placed the pap2 on a separate subnet/interface

4.) configured my firewall/router to redirect all requests originating from the pap2 to tftp.vonage.net to a local tftpserver on a separate subnet/interface. natted all packets from the local tftpserver to the pap2, so as to appear to be coming from tftp.vonage.net.

5.) connected the pap2 (with a default factory configuration) to the network and plugged in the power cord.

the pap2 successfully connects to the local tftpserver, downloads /tftpboot/spaXXXXXXXXXXXX.xml and /tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml, self-installs the firmware, reboots, and connects to vonage via port 5060-5061.

now, i've tried replacing the spaXXXXXXXXXXXX.xml file with a spa2k-2.0.10e.bin file and renamed the tftpboot/YYYYYYYYYY directory to whatever the pap2 was asking for (obtained by tcpdump and ethereal), but the download stops abruptly when the pap2 returns an icmp packet with a "port unreachable" message. i think that in this case the spa2k-2.0.10e.bin (709K) is much bigger than spaXXXXXXXXXXXX.xml (29K), so the device rejects the firmware upload (probably due to a max file size constraint).

i see two ways of getting around this problem:

1.) brute force the admin password from the pap2 prior to the vonage firmware update and update the configurations via the pap2 web interface.

2.) brute force the spaXXXXXXXXXXXX.xml file using openssl rc4 and some variation of the MAC/Serial Num/YYYYYYYYYY as the salt or password.

let me know what you think.

Yaser Doleh wrote:

download

Reply to
will

spa2k-2.0.10e.bin and spaXXXXXXXXXXXX.xml are 2 completely different files. The first is a firmware upgrade and the second is a configuration. You don't need the firmware upgrade and if you did it once, you don't need to do it again.

If you have the firmware file, chances are the default passwords are stored in clear text in the file. Try to extract the strings from the file and see what you can find. On a UNIX type machine run

% strings spa2k-2.0.10e.bin

If you want just email me the file and I can try for you.

Yaser

snipped-for-privacy@mccamm> not to kick a dead horse (assuming this discussion is still of interest

Reply to
Yaser Doleh

Does anyone have a copy of the flash from an originally UNLOCKED PAP2 (PAP2-NA)? I would like to look at it.

MK

Reply to
Shaker

so, what you're saying is that i could theoretically create my own unsalted config file, upload it, reboot, and the pap2 would be unencumbered? how do i go about creating a realistic config to replace the salted one? what are the parameters?

thanks for clearing up my misconception. i didn't know what the spaXXXXXXXXXXXX.xml file was for. i thought it might be a combination of the firmware update and config. at any rate, it's salted/encrypted so i don't know its actual contents. i ran 'strings spaXXXXXXXXXXXX.xml > strings.out' and got a bunch of short one-liners that looked like gobbledygook to me. then i used the output file as the password file for hydra and pointed it at the pap2. no juice.

at this point, i'm stuck with the two choices that i posted previously. short of launching a full-blown brute force attack on the pap2 or its config, i'm not sure of what to try next. any more ideas?

Reply to
pr0m
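Short, random-looking `strings` output, as reported in the post above, is what an encrypted or compressed file produces. The following is an added example, not part of the original thread: a triage check that uses byte entropy and the share of printable bytes to tell a cleartext XML profile from an encrypted one. The thresholds, labels, and both sample inputs are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)

def classify_profile(data: bytes) -> str:
    """Label a downloaded provisioning file (thresholds are assumptions)."""
    ratio = printable_ratio(data)
    if ratio > 0.95:
        # Almost entirely text: check whether it opens like an XML document.
        return "cleartext-xml" if data.lstrip().startswith(b"<") else "cleartext-other"
    if shannon_entropy(data) > 7.5 and ratio < 0.6:
        # Near-uniform byte distribution: ciphertext or compressed data.
        return "encrypted-or-compressed"
    return "mixed-binary"  # e.g. a firmware image with embedded strings

# Constructed inputs. The XML tags are hypothetical, not real profile keys.
SAMPLE_XML = b'<?xml version="1.0"?>\n<config>\n' + \
    b'  <param name="example">value</param>\n' * 200 + b"</config>\n"
# Deterministic stand-in for ciphertext: concatenated SHA-256 digests.
SAMPLE_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(900))

if __name__ == "__main__":
    for name, blob in (("xml", SAMPLE_XML), ("blob", SAMPLE_BLOB)):
        print(name, round(shannon_entropy(blob), 2), classify_profile(blob))
```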

oh yea, forgot to mention that i also tried 'strings spa2k-2.0.10e.bin

Reply to
pr0m

Based on reading the fragments of information spread across many sites and newsgroups, it's apparent *someone* knows the steps involved in getting into these things!

The mysterious post on linuxvoip.info leads me to believe that all can be found by sniffing packets and perhaps some tftp craftiness (although the message on linuxvoip.info doesn't mention anything other than utilizing ethereal). The problem with that is after the tftp requests, the pap2 just sits there and doesn't try again.

Someone mentioned that it may make a request for an unencrypted file, but so far all tftp requests to ls.tftp.vonage.net are for the mac-based .xml file.

Anyone have some new thoughts? How about a source for a basic, unencrypted xml config file?

Reply to
summiter

Could you please send me the PAP2-NA firmware? (.bin?)

thanks

Reply to
smoothy

Would be nice if someone, with the adequate hardware, could interrogate the NVRAM of a PAP2-NA and extract the firmware image.

I don't know how to do that though :(

I've tried resetting the pap2, it indeed comes to factory defaults (I can see the web interface), but it keeps asking me a password to the Admin Area and once connected to the net, it starts to download vonage firmware. :(

Reply to
smoothy

You can dl a copy of a recent release here:

formatting link

But I'm tellin' ya, there's no way to get it onto a "locked" pap2, that I've found anyway.

You can't simply rename it to the filename requested via tftp at boot. It starts to transfer then errors out before completion..probably because the device isn't expecting a firmware file, it's expecting a config file.

There is a way to upload firmware to the pap2 via the web interface, but it requires the admin password...which is the problem we have in the first place.

I just want to get this thing working with my Asterisk server..I already have Vonage on another device. But if I can't get it working, I'm cancelling Vonage and buying a pap2-na and going with another provider.

Could you please send me the PAP2-NA firmware? (.bin?)

Reply to
summiter

Could someone with access to a pap2-na send me the html source for the admin page or post it here please?

My current thinking is that although authentication is required to access the admin pages, the data that is "posted" via those pages doesn't go through any sort of checking.

I've noticed that the fields have numerical names. If I can find out the names of the fields for various admin config stuff, I might be able to inject those values somehow.

I'm not sure how easy this will be though...

I wish the person who had the walk-through on linuxvoip.info would speak up! =)

Reply to
summiter
