Linksys PAP2 locked to Vonage, support people funny

PAP2-NA firmware is available. Getting it to load onto the PAP2 is

the challenge. It's apparently not as simple as renaming it to the

file requested by tftp. That results in the tftp session shutting

down before the transfer completes.

Would be nice if someone, with the adequate hardware, could

interrogate the NVRAM of a PAP2-NA and

and extract the firmware image.

can see the web interface), but it keeps asking me a password to the

Admin Area and once connected to the net, it starts to download

vonage firmware. :(

OK since I've already wasted my Friday night, I might as well lay out

what I've found.

I've successfully changed the firmware to two other versions, a .10LSc

and a .13LSb.

It appears thought that the provider config is stored somewhere

outside of the main firmware, because despite flashing to different

versions, I am still prompted to enter a password for the admin

pages, and the device still makes requests to a vonage tftp server.

I tried a factory reset after loading each firmware, and it didn't

help.

I noticed that the device says it has a certificate installed. I'm

assuming this is what's used to authenticate/decrypt the .xml config

file the device is trying to load. If that's the case, then the

configs are likely signed with a key unique to vonage, and that

pretty much ends that direction. I think that will likely prevent

the loading of some generic, yet properly compiled config file, since

it won't be signed by vonage's key.

I read somewhere that older versions of the firmware had a particular

vulnerability that allowed config access - does anyone recall what

that was about?

I noticed that the device says it has a certificate installed. I'm assuming this is what's used to authenticate/decrypt the .xml config file the device is trying to load. If that's the case, then the configs are likely signed with a key unique to vonage, and that pretty much ends that direction. I think that will likely prevent the loading of some generic, yet properly compiled config file, since it won't be signed by vonage's key.

Besides the PAP2 provided by vonage (and which we all here are trying to unlock) I also have a PAP2-NA, that was provided by my local VoIP provider, and which I've reset once with the RESET# command (no password asked). That, indeed reseted the unit, was able to make it into the admin pages. And it also has the Client Certificate:Installed thing. This unit doesnt download any particular configuration. It's just configured by hand using SIP proxy, user & password.

By the way, let's suppose I want to cancel my account with Vonage. My credit card is "broken" (doesn't allow any charges). Vonage tries to charge me $40 disconnection fee.. And it cant do it... What happens then? Does Vonage like sue you to obtain the money? or just nothing happens at all and you just keep a useless pap2 ?

thanks.

I'm sure they will send you to collections unless you talk them out of

the fee.

As far as the certificate goes, I now believe it's only in place to

enable HTTPS transfers of config info if the provider chooses that

mechanism.

I still haven't made any more progress on this thing..

[quote:e93d20b655="summiter"]I noticed that the device says it has a

certificate installed. I'm assuming this is what's used to

authenticate/decrypt the .xml config file the device is trying to

load. If that's the case, then the configs are likely signed with a

key unique to vonage, and that pretty much ends that direction. I

think that will likely prevent the loading of some generic, yet

properly compiled config file, since it won't be signed by vonage's

key.I noticed that the device says it has a certificate installed.

I'm assuming this is what's used to authenticate/decrypt the .xml

config file the device is trying to load. If that's the case, then

the configs are likely signed with a key unique to vonage, and that

pretty much ends that direction. I think that will likely prevent

the loading of some generic, yet properly compiled config file, since

it won't be signed by vonage's key.[/quote:e93d20b655]

Besides the PAP2 provided by vonage (and which we all here are trying

to unlock) I also have a PAP2-NA, that was provided by my local VoIP

provider, and which I've reset once with the RESET# command (no

password asked). That, indeed reseted the unit, was able to make it

into the admin pages. And it also has the Client

Certificate:Installed

thing. This unit doesnt download any particular configuration. It's

just configured by hand using SIP proxy, user & password.

By the way, let's suppose I want to cancel my account with Vonage. My

credit card is "broken" (doesn't allow any charges). Vonage tries to

charge me $40 disconnection fee.. And it cant do it... What happens

then? Does Vonage like sue you to obtain the money? or just nothing

happens at all and you just keep a useless pap2 ?

thanks.[/quote:e93d20b655]

Isn't there a way to trick the .htaccess file inside this thing to

allow access to the /admin directory? That's how the authentication

works, doesn't it?

Naw, that's not really possible...but I wouldn't be surpised if there were some "backdoor" somewhere in the http interface.

Still stumped....

Isn't there a way to trick the .htaccess file inside this thing to allow access to the /admin directory? That's how the authentication works, doesn't it?

Is it really worth the effort when you can get a Sipura?

Well.. let's say that I want to make it worthy for the money I paid

for the PAP2... :(

Naw, that's not really possible...but I wouldn't be surpised if there

were some "backdoor" somewhere in the http interface.

Isn't there a way to trick the .htaccess file inside this thing to

allow access to the /admin directory? That's how the authentication

works, doesn't it?[/quote:44bc0aae47]

Figured out that my local VoIP provider doesn't configure the settings

by hand, but using a program that loads the config into the ATA.

For instance, when you go to the voice menu on the Linksys RT31P2 it

just says "Contact your service provider". No manual config

whatsoever...

I need to get my hands onto that proggie..

You think you're going to hack it! Not.

Anyone having any luck with this???

I really need to get this device unlocked, lol.

s suppose I want to cancel my account with Vonage. My

It's likely that they'll refer you to a collections agency: Vonage may or may not report the debt as unpaid to your credit report, then "sell" the debt to a collection agency, who then makes it their task to cajole, harrass and threaten you till you decide to pay up. If you have a strong will and don't mind a bad mark on your credit rating, then have at. :)

For me, it's not worth the hassle. If I ever cancel my Vonage service, they can have their useless PAP2 back.

It appears thought that the provider config is stored somewhere

outside of the main firmware, because despite flashing to different

versions, I am still prompted to enter a password for the admin

pages, and the device still makes requests to a vonage tftp server.

According to

there's a "provisoning" option where you can specify where the pap2

should download it's configuration..

Hi All, I just read this one on the net, I do not have one handy to try. Would someone willing to try and post the results. Thanks.

UPDATE Well it appers that Vonage let ~some~ info slip this morning around

5am. The master reset is "73738" and the password is "7756112". for those of you who don't know what a master rest is (and all tose who have e-mailed me insted of trying the codes), it ONLY resets the unit BACK to the ORIGNAL factory settings. DON'T e-mail me with "your code didden't unlock my unit".. The next person who sends me an e-mail like that is going to get blasted!!!

I can get the PAP2 unlock unit. They sell for around $75.00. The ones

that are all ready locked by Vonage are not worth the trouble. I get

them directly from cisco.