FIRST TIME READERS:
It's suggested you start with the 2006-11-14 post below, then read up
(newer posts), then if you have the interest read the older posts
(nearer the bottom).
Methods for unlocking the Linksys PAP2
The following is a list of updates tracking the progress of unlocking the
Linksys PAP2:
2007-02-25
The PAP2v1 units I have are all based on the v0.03.4 board where the
SW1 block has four jumper PINs (exactly as shown on the snapshot
below). I took a working PAP2v1 unit configured with FWD accounts and
shorted out the outer two PINs (red circles) and my PAP2v1 seemed to
perform a factory reset (the power LED activities indicated so).
However, upon returning from this factory reset, all the configured
parameters were still there and Line 1/2 were still registered to FWD
as if the unit was never factory reset. To this date, my PAP2v1 unit
that underwent this jumper shorting is still operating normally as
before. This is all I can say about shorting the two outer PINs on the
SW1 block. So, if you want to do this, do it at your own discretion
and I take no responsibility for any mishaps.
2007-02-23
There is a graphic that I saw that purports to show the location of
reset jumper pads on the majority of newer PAP-2 version 1 boards,
which apparently do not have the jumper pins and shorting block that
older boards have. In the photo below, there are red circles around the
purported jumper pads (to the right of the phone line jacks). I do not
know precisely how these are used (I've never had to use that method),
but I would suppose either you short the pads while powering the unit
up, or perhaps while doing a factory reset (of course you would only do
that while the adapter is not connected to the Internet). I do not
recommend that anyone experiment with this because if the information I
received is wrong, you could damage your adapter. But if it's a choice
between using a unit as a paperweight and trying the jumpers, I suppose
I'd try them at least. If anyone can provide more information on
unlocking a PAP-2 by using the jumper pads, please post it.
2007-01-17
Addendum to 2006-11-14 notes:
If you're lucky enough to be running a wireless router — such as
the Linksys WRT-54G — and it uses the DD-WRT open-source firmware, the
simplest way to do this is in the "Administration / Services" menu.
Enable DNSMasq, Enable Local DNS, and enter something similar to
"address=/vonage.net/10.10.50.224" into the Additional DNS Options box.
Any machines that use the router's DNS server to resolve IPs will then
report the IP 10.10.50.224 for the entire vonage.net domain, so put in
your tftp's IP address instead.
With the wireless router's WAN port disconnected and the PAP2
behind its firewall, it will try (and fail) to reach Vonage's
hard-coded DNS ip addresses, then fall back to using the router's DNS
which we've redirected to our tftp server.
2006-12-23
Addendum to the 2006-12-19 item - you may not even need to install
a DNS server at all - I read something that said that all you have to
do is load the C:\Windows\System32\Drivers\etc\hosts file into any
plain text editor (such as Notepad) and add the following to the end of
the file:
192.168.0.1 ls.tftp.vonage.net
192.168.0.1 httpconfig.vonage.net
(You will probably need to substitute the actual IP address of the
computer you are using for the unlock process in place of 192.168.0.1,
and if you change the computer's IP address to pretend to be the DNS
server that the device wants to see, don't forget to change the address
in these two lines as well). This has not been tested, but looks like
it should work - if it doesn't then you can always try using a
standalone DNS server as described below.
2006-12-19
When following the instructions in the next section (dated
2006-11-14), be aware that things don't always go as smoothly as you
might expect - we tried this with a PAP-2 that also came with firmware
3.1.9(LSc) out-of-the-box. After it went out to the "special" webserver
to get the ersatz PAP2-bin-03-01-09-LSc.bin, we found that the unit's
internal web server had been disabled AND the unit demanded a password
to turn it back on. It also wanted a password to do a complete factory
reset. We had no idea what password it was looking for (it was NOT one
of the several common user passwords), so all we knew was that we had a
unit that obviously had the SPA-2000 firmware loaded, but we could not
access the web browser, nor factory reset the unit, nor basically do
anything except listen to the responses in the * * * * menu. It also
appeared that it was not attempting to load any additional files.
We had read that you could change the user and admin passwords to known values by feeding it an XML file that looks like this:
<flat-profile>
<Admin_Passwd>4321</Admin_Passwd>
<Enable_Web_Server ua="na">Yes</Enable_Web_Server>
<Web_Server_Port ua="na">80</Web_Server_Port>
<Enable_Web_Admin_Access ua="na">Yes</Enable_Web_Admin_Access>
<Protect_IVR_FactoryReset ua="na">No</Protect_IVR_FactoryReset>
<User_Password ua="na">1234</User_Password>
</flat-profile>
The above is a plain text file that should be saved using the
filename 666666666666.xml (where the 6's are the MAC of your PAP-2) -
basically it replaces the XML file you obtained from Vonage in an
earlier step, and should be placed in the TFTP server root directory
and any other directory where you had to place the original XML file
(be sure you delete/overwrite any copies of the original XML file that
you downloaded earlier). Note that ONLY the Sipura firmware mentioned
below will take a plain text XML file, so you have to have at least
been successful in getting the unit to take that firmware for the
plain-text XML file to work.
The problem was that the PAP-2 wouldn't come and get the file.
After much head scratching we finally realized that the PAP-2 was now
looking for a DNS server at a specific new address (which the packet
sniffer never revealed, but which we finally discovered by going to the
* * * * menu and entering 160#) and therefore we had to change the IP
address of the computer to match, then go into the "special" DNS server
to tell it to repoint the other addresses to the new IP address. And
then, after much more head scratching we figured out that there was a
checkbox in the DNS server options that had to be checked or it
wouldn't work at the new address (even though it worked fine without
the box checked when the computer was set to an address in the
192.168.0.x range) - go figure.
Oh, and we had to restart the TFTP server so it would pick up the
new address, and disable our firewall software, and maybe a couple more
things I've forgotten.
For any Windows users attempting to do this, the software used was the
SolarWinds TFTP server, Ethereal (now Wireshark) as the packet sniffer,
AnalogX SimpleServer:WWW as the web server (I wish this one had at least
some output to let you know that the files have been downloaded, but you
can't get much simpler to set up, just don't forget to click the button
to start the server!) and Simple DNS Plus as the DNS server (the latter
has a 14 day trial period, we would have preferred something open source
but since we were only using it once, we didn't feel the need to search
all over for something else, and it WAS pretty simple to use except for
the aforementioned checkbox that caused us some grief).
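One way to review a plain-text flat-profile like the one quoted in the 2006-12-19 notes before it is placed on a provisioning server, given that anything in it travels unencrypted over TFTP. This is an added example, not part of the original posts; the function name and the list of settings treated as risky are assumptions made here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the plain-text profile quoted in the notes above.
SAMPLE_PROFILE = b"""<flat-profile>
<Admin_Passwd>4321</Admin_Passwd>
<Enable_Web_Server ua="na">Yes</Enable_Web_Server>
<Web_Server_Port ua="na">80</Web_Server_Port>
<Enable_Web_Admin_Access ua="na">Yes</Enable_Web_Admin_Access>
<Protect_IVR_FactoryReset ua="na">No</Protect_IVR_FactoryReset>
<User_Password ua="na">1234</User_Password>
</flat-profile>"""

# Elements that carry a password (names taken from the profile above).
CREDENTIAL_TAGS = {"Admin_Passwd", "User_Password"}

# Review policy assumed for this example: (tag, value) -> why it matters.
RISKY_SETTINGS = {
    ("Enable_Web_Admin_Access", "yes"): "admin pages are reachable through the web server",
    ("Protect_IVR_FactoryReset", "no"): "IVR factory reset is not password protected",
}


def audit_profile(data: bytes) -> list[tuple[str, str]]:
    """Return (element, finding) pairs for one provisioning profile."""
    # Refuse DTDs so a hostile file cannot use entity expansion on the parser.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return [("<file>", "contains a DTD, refusing to parse")]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Encrypted or compressed profiles end up here; nothing to inspect.
        return [("<file>", "not plain-text XML")]
    if root.tag != "flat-profile":
        return [(root.tag, "root element is not flat-profile")]

    findings = []
    for element in root:
        value = (element.text or "").strip()
        if element.tag in CREDENTIAL_TAGS:
            if value:
                findings.append((element.tag, "password stored in clear text"))
            else:
                findings.append((element.tag, "password is blank"))
        reason = RISKY_SETTINGS.get((element.tag, value.lower()))
        if reason:
            findings.append((element.tag, reason))
    return findings


if __name__ == "__main__":
    for tag, finding in audit_profile(SAMPLE_PROFILE):
        print(f"{tag}: {finding}")
```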
2006-11-14
Bought an off the shelf Vonage locked PAP-2 with the intent of
unlocking. Came with firmware 3.1.9(LSc) out-of-the-box. The
instructions for unlocking found on the FWD forum listed below did not
work exactly as documented but provided a basis for what worked for me.
There are so many tidbits of information in various forums, all for
various versions of the PAP-2, it's challenging to determine exactly
what to try.
Unlocking: It's not some voodoo; the goal is to replace the
firmware on the PAP-2 device with the Sipura firmware that allows full
administrative view so that you may ogle the settings. Now, I suppose
you could just leave the Sipura firmware, but I replaced mine with
another Linksys version.
You need to sandbox your PAP-2, it CANNOT (well, I assume this...
this experiment was out-of-the-box, clean no Vonage call-home) see the
'net just yet. Once I was ready, I just shut down my WAN card on my
Linux box.... you'll need to be careful as you don't want Vonage to
provision the PAP-2.
You'll also need a DNS server, add a vonage.net zone so we can spoof out their servers.
$ORIGIN .
$TTL 3600 ; 1 hour
vonage.net IN SOA XXXX.ca. XXXX.XXXX.com. (
                75     ; serial
                900    ; refresh (15 minutes)
                600    ; retry (10 minutes)
                86400  ; expire (1 day)
                172800 ; minimum (2 days)
                )
        NS      ns1.XXXX.ca.
        A       10.10.50.224
        MX      10 mail.XXXXX.ca.
$ORIGIN vonage.net.
httpconfig      A       10.10.50.224
ls.tftp         A       10.10.50.224
time            A       10.10.50.224
ccivr           A       10.10.50.224
- Set up a TFTP server on a host, and adjust the ls.tftp record to point to it.
- Set up an HTTP server on a host, and adjust the httpconfig record to point to it.
-Get firmwares from
http://www.bargainshare.com/index.php?showtopic=69607 ...
--Sipura Firmware &
--Linksys 3.1.6 ..
Pull down your Vonage config file from their http provisioning
server http://httpconfig.vonage.net/spa666666666666.xml (where the 6's
are the MAC of your PAP-2) (do this BEFORE you spoof the DNS!!). Copy
this file to the root of the TFTP server.
Create a directory +666666666666 on the spoofed
httpconfig.vonage.net server (add a PLUS (+) to the MAC address). In my
case, this is where the device downloaded a new firmware.
We now need to reset the PAP-2 so we can specify our fake nameserver.
Plug a phone into line 1 of the PAP. Plug in the power but not the ethernet.
- Dial **** for the IVR
- Dial 73738# (R E S E T #)
You may be prompted for a password, I was not (yet). See
http://www.bargainshare.com/index.php?showtopic=69607&st=90&p=687285&#entry687285 for some known passwords. Press #1 to confirm. The PAP-2 reboots.
Ok, shut down your internet... I just take down eth0 and flush my iptables.
Plug the PAP into your network, let it get an IP. Access the
web interface on the PAP-2: the DNS fields should now be enabled allowing
you to specify your "special" DNS server. I power cycled it and fired
up tcpdump to see what was going on. The PAP device calls to a number
of hard-coded Vonage IPs, then begins to query DNS for the records
listed in the zone file above.
The TFTP is the first to be hit:
11/11/2006 19:47 :Sent spa666666666666.xml to (10.10.50.209), 29456 bytes
Then it looks for a "special" directory:
11/11/2006 19:47 :TFTP Error from 10.10.50.209 requesting KzBDrz5zLz\spa666666666666.xml : File does not exist
So, you want, you get (created the KzBDrz5zLz directory and copied
the file), your directory name will be different; consult the tftp
logs:
11/11/2006 19:50 :Sending KzBDrz5zLz\spa666666666666.xml to (10.10.50.209)
Sometime after this, the following occurs on the "special"
webserver for httpconfig.vonage.net (yes, I have some clock drift on my
play server)
01:01:29 10.10.50.224 GET /+666666666666/PAP2-bin-03-01-09-LSc.bin 404
01:02:49 10.10.50.224 GET /+666666666666/PAP2-bin-03-01-09-LSc.bin 200
This is the important part: I simply renamed the Sipura firmware to
PAP2-bin-03-01-09-LSc.bin and hoped... and it totally ate the firmware
and rebooted.
The Sipura web interface came right up; from there it's a matter of
disabling all the provisioning stuff and following the normal firmware
upgrade procedures to get 3.1.6(Ls) (working great here) installed.
When you reload the Linksys firmware, you may have to re-do the reset
procedure and be confronted with a password thru the IVR (see
http://www.bargainshare.com/index.php?showtopic=69607&st=90&p=687285&#entry687285), or I suppose you could get the GPP_K and use VuckFonage to get the admin password.
2006-02-24
I have a PAP2-NA Firmware Version: 3.1.9(LSc). The unit was locked
by the provider but they gave me the password to make changes due to
the problem I am having. I was able to get a dump of the provisioning
info from the provider by executing the link under provisioning profile
rule. I just added my MAC address to the string and used IE to get the
provisioning info. The admin password is in plain text and I was able to
easily locate it in the dump (since I knew what the password was). The
trick is to isolate the password in the dump because the position
varies depending on the information going to the unit. Map the dump and
you should be able to determine the password. BTW, can't get my problem
fixed, go figure.
2006-02-12
I only have had to deal with a 2.0.9 and a 2.0.12 so far. But the
.12 was admin locked. This forced me to work out how to 'provision'
admin password from other's notes. For those of you with a 3.1.9 and
the wherewithal to do the packet sniffing, put up a spoofed DNS and
tftp server (if tftp is used for 3.1.9), it would be interesting to see
if this gets you past the admin blockade.
My notes on admin password setting can be found at:
http://www.dslreports.com/forum/remark,15458239.
Notes on provisioning PAP2s in general are at
http://www.freeworlddialup.com/community/forum/viewtopic.php?t=3748&sid=b1fc477dab538155656d7cee5cb96880
2006-02-04
The default admin password seems to be based on the GPP_K field and
the MAC of the unit. I don't believe there is a 'master' password
because that would be a security issue.
Currently Vonage is pushing 3.1.9 and currently there is no known
way to unlock your device if it was not already once unlocked and you
have your GPP_K written down. If you recently bought a PAP2 and you can
return it, return it. You will be better off buying a PAP2-NA (unlocked
already) from eBay or an online store (as suggested already). The 3.1.9
firmware may never be unlocked and/or it may be quite a while so again
if you can I suggest returning the device.
Complaining isn't going to help the situation; at the same time, it
would be a good idea to let people know on the PAP2 mailing list
http://groups.yahoo.com/group/Linksys_Pap2
that you have a 3.1.9 unit just so the people who are working on a
workaround know there are others out there that need their device
unlocked.
2006-02-04
Some brainstorming is necessary... I've read the guides from
Linksys and it works like this: The file supplied by Vonage is either
signed and/or gzipped (vendor's choice) and all the new Vonage units
have the key (the guy below supposes it's the GPP_K field which is the
key) and only recognize firmware that's supplied to it which is signed
with that string and possibly gzipped. Now, since a license agreement
is no longer necessary to get your PAP2-NAs you should just get a new
one, or if you're really hung up on the Vonage one you have, brute
force the admin password on yours (my ticker has been running for a
week with no matches). My guess is that the default admin password on a
Vonage PAP2 is either the same on all of them or something to do with
either the serial number or the mac address or both (perhaps an md5
hash... backwards) it really could be anything.
2006-02-04
That's not really fair - the previous poster has the same issue
that everyone has right now. The current firmware has an admin password
which has not been bypassed yet. It would be helpful and productive if
the next post could be how to bypass this.
2006-02-02
Like 99% of unlocked PAP2 owners, the steps laid out on some of
the unlocking pages are easy to follow. You should be able to unlock your
own PAP2 easily, too. If you feel unlocking your PAP2 is so
frustrating, please don't do it. If you do, you may end up re-locking
your PAP2 further by Vonage. Instead, pay someone to do this dirty work
for you for some prices. BTW, if you think to pay $60 for a
Linksys/Vonage locked PAP2 to get it unlocked, don't do it mainly because
a PAP2-NA (unlocked version) is about $60 + S/H charges. I hope this
helps you.
2006-01-26
This is SO Frustrating.
Everyone always writes in here like it's so easy.
They point you to pages where you can download the new firmware and
explain it's easy, you just need the admin password, then they tell you
that you can get the admin password by getting this GPP_K, which is
simple to get after you unlock your PAP2.
Does anyone realize that VuckFonage and the binary are all
USELESS unless you have the admin password, AND IF YOU HAVE THE ADMIN
PASSWORD YOUR DEVICE IS UNLOCKED, and there are no further
steps!?!?!?!?!
Can ANYONE explain it without putting in sentences like: "To unlock
your PAP2 use your admin password from your unlocked PAP2" - Actual
line from one of the pages most referenced!!
2006-01-22
I was trying to do some hacking today and accidentally allowed the
PAP2 to connect online after a factory reset and just like you, got
upgraded to 3.1.9LSc. At first, I was stuck like you, since they've
disallowed the user from changing the firmware. However, and I'm going
to be brief and assume that you already know these tools and terms (I
may elaborate on my homepage later on how I did it), I was able to
modify the settings because I already knew my GPP_K. I'm not sure if
you could figure out what your GPP_K is without having admin
privileges and maybe someone can help me out here.
With the GPP_K, just like how VuckFonage was able to decrypt the
xml and show it in plain text, I was able to use it to encrypt the xml
into something the PAP2 would be able to decrypt and read. Apparently,
in the newest firmware, they no longer allow plain text xml settings
uploads. To trick the PAP2 into downloading your encrypted xml instead
of Linksys/Vonage, you need a TFTP server and a DNS server. Disconnect
your internet connection and then FACTORY RESET your PAP2. The web
interface will be enabled and you can point the DNS server to the
machine you have it set up on. In the DNS server, point ls.tftp.vonage.net
to the machine with the TFTP server. Reboot your PAP2 and it should now
download your encrypted file.
I notice, even with this hack, I was unable to replace any firmware
with it for it appears to have a firmware validation check before it
actually flashes.
But with the admin and user password changed to anything that I
wanted to (leave it blank and it won't even ask you for a password), I
was able to set up line 1 with Telepacket and line 2 with VoipBuster.
2006-01-12
I was hacking a couple units for some friends. Two days ago on the
10th the box came preconfigured with 3.1.8(LS). The normal method
didn't work. Provisioned by Vonage it went to 3.1.6. Factory reset,
and we are on our way. Today got another unit 3.1.8. Provisioned by
Vonage and now it's a 3.1.9(LSc). Tried everything I could, including
the "Firmware and FREE UPLOADER utility that lets you flash the PAP2
and turn it into a vanilla SPA-1000 Sipura box" no go. It all hinges on
that stupid admin password. Is there a short circuit that can be
performed to wipe out the password? Or perhaps a packet sniff that
could see what traffic (specifically password) Vonage sends the unit when
it provisions it?
2006-01-10
I know it's not much fun, but did anyone go here, download the firmware and FREE UPLOADER utility that lets you
flash the PAP2 and turn it into a vanilla SPA-1000 Sipura box ??
http://www.sipura.com/
2006-01-10
Vonage is still pushing 3.1.6 firmware so it is possible to hookup
a 3.1.8 PAP2 device to the internet so Vonage will automatically
downgrade it to the unlockable 3.1.6 firmware.
http://groups.yahoo.com/group/Linksys_Pap2/message/477 (requires registration) for more info.
2006-01-09
Here is an article, SPA2K/PAP2 firmwares for unlocking a PAP2, that I
wrote on the BBR VoIP forum to show readers the links where to obtain
SPATools.zip and the SPA2K/PAP2 firmware files to unlock a
Linksys/Vonage locked PAP2. Once your PAP2 is unlocked, please pin it on
Frappr Map for PAP2 to show how many PAP2 units Vonage has lost due to
the unlocking hack.
2006-01-09
Actually, I have discovered some tricks to re-unlock a PAP2 locked
with firmware v3.1.7LSd/e a month ago. I don't have a firmware v3.1.8
to test, yet. I need some victims as guinea pigs to test my
discoveries.
2005-12-06
New Linksys PAP2 Devices ship with Firmware 3.1.8(LS) which require
admin password to TFTP upgrade. No work-around known. This also applies
to firmwares of 3.1.7(LSe) or later.
2005-10-11
A simple method of upgrading is provided here:
http://www.telephreak.org/PAP2/.
This is similar to the FatWalletForums version but has fewer steps. This
works on 2.0.11 firmware with a 'virgin' unit (never connected to the
internet — supposedly it can work even after being connected, but
requires additional resets). This has been around for a week or two at
this point, but was not linked from here.
2005-09-27
For those who do not have Linux experience, you can find the 'patched'
firmwares here: BBR though they disappear from time to time. Also step
by step instructions and other links to binaries here at FatWalletForums.
2005-09-26
There is now a way to unlock PAP2 boxes with later firmware.
Patching and applying an SPA2000 firmware update binary, tested with
version 2.0.9, removes the admin password (they must have different
configuration layouts?). Here is the patcher. Note that the LEDs won't
work properly, and Line2 is unavailable. Another patcher (pap2spa) is
available to convert PAP2 firmware upgrade binaries to SPA2k format.
This allows reverting back to PAP2 firmware after the SPA firmware has
been applied.
2005-09-11
There is currently no known way to unlock the recent Linksys PAP2
Vonage boxes. These have firmware version 2.0.10(LSc) and a rev 3 board
which doesn't have the jumpers referred to in some unlocking guides.
Various threads may have solutions by the time you read this as these
boxes have recently been available quite cheaply ($20 after rebate).
2005-08-08
Firmware upgrades for the PAP2-NA can be found at (requires registration):
http://groups.yahoo.com/group/Linksys_Pap2
2005-07-22
PAP2-EU (PAP2-NA locked) is locked to the PhoneSystems.net service.
There is a password if you try to log in on the admin web.
There is no jumper on this version (REV 3 board), so the PAP2 trick won't work.
This is how I did a reset on my locked PAP2-EU:
As the PAP2 is a Sipura clone, we used the SPA2000 user guide...
Reset to Factory Settings : **** then 73738#1#1
And there you go, you can now access the web admin and you are no longer locked to a specific network.
2005-07-06
Reportedly, PAP2 can be unlocked with a simple procedure:
This is how I did a reset on my PAP2:
I opened the box to find a two pin jumper for three pins available on
the board. I kept the device ON, (I used NONSTATIC gloves) unplugged
the jumper from the second and the third pins and connected it to the
first and second pins. Then I punched in "****" and "FACTRESET" and
then "1" on the telephone connected to the PAP2. It announced that it
did RESET successfully. I then switched off the PAP2 and reverted the
jumper back to its second and third pin position and closed the box. I
had the PAP2 unlocked!