Sign in with
Sign up | Sign in
Your question

Linksys PAP2 locked to Vonage, support people funny

Last response: in Networking
Share
Anonymous
September 8, 2004 8:10:38 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

After learning that the Linksys RT32P2 I purchased was locked to
Vonage, I returned it. While at Staples I noticed the Linksys
PAP2. I asked a sales person about whether or not it was
similarly locked. We noted that it did not list Vonage service
under the minimum requirements and he encouraged me to just get
it and return it if it didn't work.

Well...I've been trying it. It does indeed appear to be an
SPA-2000 under the hood. When it boots, it makes a TFTP request
to ls.tftp.vonage.net for "/spa000F66A84007.xml". The Web
interface is Linksys-branded but similar to the Sipura devices.

One of the options is "Admin Login". When I tried this, I was
unable to authenticate successfully. I called Linksys support
in India. After a couple of people told me that there was no
Web interface, I made a tunnel to the PAP2 and gave one of the
technicians the URL. He tried it. Long silence.

Finally he said that he had examined the URL and determined it
to be a PAP2 simulator. Arrghh! It took a few more minutes
to convince him that it's the non-existant Web interface on
*my* PAP2 that he was seeing. (BTW, another technician told
me to hit a reset button on the unit. There is none. She was
sure it was "near the lights.")

I finally got to talk to Senior Technician Gordon (in the
US?). He quickly explained that it's locked to Vonage. It
only took an hour on the phone to get the answer but it was at
least a bit entertaining.

BTW, it does appear that the unit can directly dial IP
addresses without registering with Vonage. So you *could* use
it on its own (especially on a phone with speed dial) or with
Asterisk. It's not worth it to me though.

Back goes another piece of Linksys hardware... I'll spend the
extra $20 for hardware I control.

--kyler
Anonymous
September 9, 2004 2:22:55 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Could you spoof ls.tftp.vonage.net to point to your tftp server and provide
the spa000F66A84007.xml file yourself? Just an idea.

"Kyler Laird" <Kyler@news.Lairds.org> wrote in message
news:06m312-uvh.ln1@lairds.us...
> After learning that the Linksys RT32P2 I purchased was locked to
> Vonage, I returned it. While at Staples I noticed the Linksys
> PAP2. I asked a sales person about whether or not it was
> similarly locked. We noted that it did not list Vonage service
> under the minimum requirements and he encouraged me to just get
> it and return it if it didn't work.
>
> Well...I've been trying it. It does indeed appear to be an
> SPA-2000 under the hood. When it boots, it makes a TFTP request
> to ls.tftp.vonage.net for "/spa000F66A84007.xml". The Web
> interface is Linksys-branded but similar to the Sipura devices.
>
> One of the options is "Admin Login". When I tried this, I was
> unable to authenticate successfully. I called Linksys support
> in India. After a couple of people told me that there was no
> Web interface, I made a tunnel to the PAP2 and gave one of the
> technicians the URL. He tried it. Long silence.
>
> Finally he said that he had examined the URL and determined it
> to be a PAP2 simulator. Arrghh! It took a few more minutes
> to convince him that it's the non-existant Web interface on
> *my* PAP2 that he was seeing. (BTW, another technician told
> me to hit a reset button on the unit. There is none. She was
> sure it was "near the lights.")
>
> I finally got to talk to Senior Technician Gordon (in the
> US?). He quickly explained that it's locked to Vonage. It
> only took an hour on the phone to get the answer but it was at
> least a bit entertaining.
>
> BTW, it does appear that the unit can directly dial IP
> addresses without registering with Vonage. So you *could* use
> it on its own (especially on a phone with speed dial) or with
> Asterisk. It's not worth it to me though.
>
> Back goes another piece of Linksys hardware... I'll spend the
> extra $20 for hardware I control.
>
> --kyler
Anonymous
September 9, 2004 5:11:44 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

"Brendon" <brendon@nospam-itology.net> writes:
> Could you spoof ls.tftp.vonage.net to point to your tftp server and provide
> the spa000F66A84007.xml file yourself? Just an idea.

That is a very interesting idea. Anyone know if the format of that
file defined anywhere?

I haven't been able to find much information about constructing either
Sipura or Bugtone config files. It would be nice to be able to
program them via a file that I could keep under CVS instead of some
web browser interface that doesn't allow me to save a copy of the
phone's state.

-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
Related resources
Anonymous
September 9, 2004 5:27:28 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

***"When it boots, it makes a TFTP request to ls.tftp.vonage.net for
"/spa000F66A84007.xml"***

I'll hazard a guess that 00:0F:66:A8:40:07 is the MAC address of the
Linksys, this is how a Cisco 7960 requests its config file from a TFTP
server using Asterisk - the file name requested is specific to the MAC
address.

"Wolfgang S. Rupprecht"
<wolfgang+gnus20040908T180513@dailyplanet.dontspam.wsrcc.com> wrote in
message news:x7isaoqm9c.fsf@bonnet.wsrcc.com...
>
> "Brendon" <brendon@nospam-itology.net> writes:
>> Could you spoof ls.tftp.vonage.net to point to your tftp server and
>> provide
>> the spa000F66A84007.xml file yourself? Just an idea.
>
> That is a very interesting idea. Anyone know if the format of that
> file defined anywhere?
>
> I haven't been able to find much information about constructing either
> Sipura or Bugtone config files. It would be nice to be able to
> program them via a file that I could keep under CVS instead of some
> web browser interface that doesn't allow me to save a copy of the
> phone's state.
>
> -wolfgang
> --
> Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
Anonymous
September 9, 2004 6:10:40 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

"Brendon" <brendon@nospam-itology.net> writes:

>Could you spoof ls.tftp.vonage.net to point to your tftp server and provide
>the spa000F66A84007.xml file yourself? Just an idea.

That was my idea too. Take a look at the file though. I have a
feeling that it's a signed config file. It probably references
some firmware that's downloaded if it's different than the
current version. I'd expect it to be signed too.

Those are all guesses though. I'd love to discover that I'm
wrong but I went ahead and had a couple *real* SPA-2000s air
mailed to me this evening. I don't have time to mess around
with "buying" hardware I don't control.

--kyler
Anonymous
September 9, 2004 7:10:40 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

I just got this from Jeremy McNamara who is apparently still upset
at me for trying to provide help with his ticket handling system.
The only thing for which he has shown any appreciation has been my
posting of his information, so here goes...

The PAP2 and the RT31P2 both are ABSOLUTELY NOT ~LOCKED~ to Vonage.

I have personally reconfigured both units to talk to any SIP proxy,
without opening the unit or otherwise violating the warranty

If you were a nicer person I might give you a few really good tips. All
I will say is the other people that responded to your post are on the
right track.


Jeremy McNamara

--kyler
Anonymous
September 9, 2004 8:08:59 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Can you post the file or email it to me?

"Kyler Laird" <Kyler@news.Lairds.org> wrote in message
news:cto412-arl.ln1@lairds.us...
> "Brendon" <brendon@nospam-itology.net> writes:
>
>>Could you spoof ls.tftp.vonage.net to point to your tftp server and
>>provide
>>the spa000F66A84007.xml file yourself? Just an idea.
>
> That was my idea too. Take a look at the file though. I have a
> feeling that it's a signed config file. It probably references
> some firmware that's downloaded if it's different than the
> current version. I'd expect it to be signed too.
>
> Those are all guesses though. I'd love to discover that I'm
> wrong but I went ahead and had a couple *real* SPA-2000s air
> mailed to me this evening. I don't have time to mess around
> with "buying" hardware I don't control.
>
> --kyler
Anonymous
September 9, 2004 9:10:39 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

"Brendon" <brendon@nospam-itology.net> writes:

>Can you post the file or email it to me?

Anyone can get the file through TFTP.

--kyler
Anonymous
September 9, 2004 9:10:40 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

I'm apparently a Usenet posting service now. It's not clear to
me what the value of this is but perhaps someone else can use it.

--kyler

=================================================================

From: Jeremy McNamara <jj@nufone.net>
Subject: Detail

*CLI>

Sip read:
INVITE sip:18102341212@X.X.X.X SIP/2.0
Via: SIP/2.0/UDP 192.168.1.125:5060;branch=z9hG4bK-f85be36a
From: <sip:p ap2@X.X.X.X>;tag=96564193ae44263e
To: <sip:12319723156@X.X.X.X>
Call-ID: f2ce5b85-7638edb2@192.168.1.125
CSeq: 101 INVITE
Max-Forwards: 70
Contact: <sip:p ap2@192.168.1.125:5060>
Expires: 240
User-Agent: Linksys/PAP2-2.0.9(LSd)
Content-Length: 422
Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER
Supported: x-sipura
Content-Type: application/sdp

v=0
o=- 26868 26868 IN IP4 192.168.1.125
s=-
c=IN IP4 192.168.1.125
t=0 0
m=audio 16442 RTP/AVP 0 2 4 8 18 96 97 98 100 101
a=rtpmap:0 PCMU/8000
<snip>

*CLI> sip show peer pap2
* Name : pap2
Secret : <Set>
MD5Secret : <Not set>
Context : NANPA
Language :
FromUser :
FromDomain :
Callgroup : (0)
Pickupgroup : (0)
Mailbox :
LastMsgsSent : -1
Dynamic : Yes
Expire : 991
Expiry : 900
Insecure : No
Nat : Always
ACL : No
CanReinvite : Yes
PromiscRedir : No
DTMFmode : rfc2833
LastMsg : 0
ToHost :
Addr->IP : X.X.X.X Port 5060
Defaddr->IP : 0.0.0.0 Port 5060
Username : pap2
Codecs : G.729A
Status : UNKNOWN
Useragent : Linksys/PAP2-2.0.9(LSd)
Full Contact : sip:p ap2@192.168.1.125:5060




Jeremy McNamara


P.S. Yes, it works thru my home NAT, as you can see
September 23, 2004 3:56:28 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Care to share? Anyone by chance have Vonage and willing to give me
their MAC address or a copy of their tftp downloaded "xml" file? I
bought a couple of these units after the sales people at Fry's told me
"they are not locked to Vonage, but are bundeled with it. You can use
them with any VoIP provider." And I like a lot of other people would
like to be able to use them with any VoIP provider. I opened up one of
the units and was going to desolder the two flash roms and read them
in an attempt to be able to "unlock" them. But that may not be
necessary?

Thanks,

Dustin


Kyler Laird <Kyler@news.Lairds.org> wrote in message news:<8fr412-00m.ln1@lairds.us>...
> I just got this from Jeremy McNamara who is apparently still upset
> at me for trying to provide help with his ticket handling system.
> The only thing for which he has shown any appreciation has been my
> posting of his information, so here goes...
>
> The PAP2 and the RT31P2 both are ABSOLUTELY NOT ~LOCKED~ to Vonage.
>
> I have personally reconfigured both units to talk to any SIP proxy,
> without opening the unit or otherwise violating the warranty
>
> If you were a nicer person I might give you a few really good tips. All
> I will say is the other people that responded to your post are on the
> right track.
>
>
> Jeremy McNamara
>
> --kyler
Anonymous
September 24, 2004 4:11:17 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

t0k3n@hotmail.com (Dustin) writes:

>Care to share? Anyone by chance have Vonage and willing to give me
>their MAC address or a copy of their tftp downloaded "xml" file?

I posted the server and path for mine awhile ago.

Good luck!

--kyler
Anonymous
September 24, 2004 4:43:47 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

I checked this file out - its encrypted somehow, right? Just want to make
sure we're on the same page.

"Kyler Laird" <Kyler@news.Lairds.org> wrote in message
news:o rub22-3v2.ln1@lairds.us...
> t0k3n@hotmail.com (Dustin) writes:
>
>>Care to share? Anyone by chance have Vonage and willing to give me
>>their MAC address or a copy of their tftp downloaded "xml" file?
>
> I posted the server and path for mine awhile ago.
>
> Good luck!
>
> --kyler
September 24, 2004 6:45:17 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Kyler Laird <Kyler@news.Lairds.org> wrote in message news:<orub22-3v2.ln1@lairds.us>...
> t0k3n@hotmail.com (Dustin) writes:
>
> >Care to share? Anyone by chance have Vonage and willing to give me
> >their MAC address or a copy of their tftp downloaded "xml" file?
>
> I posted the server and path for mine awhile ago.
>
> Good luck!
>
> --kyler

I made the assumption you did not have active service with Vonage
currently under that mac address. I used a tftp client and pulled the
file. Based on the first few characters of the file Salted__ I would
have to agree with everyone that the file appears to be Salt
encrypted...
Anonymous
September 24, 2004 7:23:38 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

In message <75K4d.145140$4h7.23635037@twister.nyc.rr.com> "Brendon"
<brendon@nospam-itology.net> wrote:

>I checked this file out - its encrypted somehow, right? Just want to make
>sure we're on the same page.

Yes...


--
Do not taunt zombie badgers
September 24, 2004 7:43:32 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

DevilsPGD <theone@crazyhat.net> wrote in message news:<_qM4d.1971284$6p.338208@news.easynews.com>...
> In message <75K4d.145140$4h7.23635037@twister.nyc.rr.com> "Brendon"
> <brendon@nospam-itology.net> wrote:
>
> >I checked this file out - its encrypted somehow, right? Just want to make
> >sure we're on the same page.
>
> Yes...

I was under the impression that all units downloaded a "firmware"
file, not just the active ones. This is not that case. Virgin MAC's do
not have a file. I downloaded a few different MAC's by incrementing
the *known* good MAC and ran kDiff against the files. They are
different. So maybe the salt somehow involves that MAC?
Anonymous
September 24, 2004 5:11:16 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

t0k3n@hotmail.com (Dustin) writes:

>I made the assumption you did not have active service with Vonage
>currently under that mac address.

Ah! Yes, you're right. The file still seems to be able to configure
the unit though, so I'd expect that if you can do something with it
you'd have control.

--kyler
September 24, 2004 6:39:30 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Kyler Laird <Kyler@news.Lairds.org> wrote in message news:<jlhd22-4nb.ln1@lairds.us>...
> t0k3n@hotmail.com (Dustin) writes:
>
> >I made the assumption you did not have active service with Vonage
> >currently under that mac address.
>
> Ah! Yes, you're right. The file still seems to be able to configure
> the unit though, so I'd expect that if you can do something with it
> you'd have control.
>
> --kyler

Well the Vonage website says something like "reboot your unit and do
not unplug your it during the first 5 minutes... or you may end up
with a dead unit..." that makes me think it might be firmware and
reflashing the unit. Has anyone had Vonage and canceled? And did their
unit revert to the way it was when you first got it after canceling?

-dustin
Anonymous
September 25, 2004 3:03:44 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

In message <66019d61.0409240243.187141ff@posting.google.com>
t0k3n@hotmail.com (Dustin) wrote:

>>>I checked this file out - its encrypted somehow, right? Just want to make
>>>sure we're on the same page.
>>
>> Yes...
>
>I was under the impression that all units downloaded a "firmware"
>file, not just the active ones. This is not that case. Virgin MAC's do
>not have a file. I downloaded a few different MAC's by incrementing
>the *known* good MAC and ran kDiff against the files. They are
>different. So maybe the salt somehow involves that MAC?

All units download files which can contain firmware+configuration. If a
unit hasn't been activated there is no need to send it firmware or even
configuration files, just enough to tell the device to try again later.


--
1989 - The movie "Batman," notches $100 million in 10 days,
proving once and for all that the public can't get enough
of men in tights.
Anonymous
November 7, 2004 12:56:45 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Ok, I downloaded six spa<macaddress>.xml files. I've seen that they are
really
cripted (using mac address?) and my PAP2 does not validate the one loaded.
So I wish i try using the Sipura configuration compile, SPC, available
only on
protected Sipura site so to compile a text file using macaddress as
cripting
key.
Does someone have a copy of SPC, either for windows or for linux ?
Thanks



##-----------------------------------------------##
Article posted with Cabling-Design.com Newsgroup Archive
http://www.cabling-design.com/forums
no-spam read and post WWW interface to your favorite newsgroup -
comp.dcom.voice-over-ip - 1063 messages and counting!
##-----------------------------------------------##
December 2, 2004 4:16:44 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

What is SPC?

cecco_at_peppe_dot_it@foo.com (Ceccopeppe) wrote in message news:<xjmjd.2528693$yk.401874@news.easynews.com>...
> Ok, I downloaded six spa<macaddress>.xml files. I've seen that they are
> really
> cripted (using mac address?) and my PAP2 does not validate the one loaded.
> So I wish i try using the Sipura configuration compile, SPC, available
> only on
> protected Sipura site so to compile a text file using macaddress as
> cripting
> key.
> Does someone have a copy of SPC, either for windows or for linux ?
> Thanks
>
>
>
> ##-----------------------------------------------##
> Article posted with Cabling-Design.com Newsgroup Archive
> http://www.cabling-design.com/forums
> no-spam read and post WWW interface to your favorite newsgroup -
> comp.dcom.voice-over-ip - 1063 messages and counting!
> ##-----------------------------------------------##
December 21, 2004 9:21:51 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Yes I would like to know to...

I have a pap2-na and If someone will tell me how to get the firm ware
off it I will do it.. long as it leaves mine finctional.. (I use it
every day with fwd .. and diffrent providers)

not to mention asterisk.

I am trying to find a way to buy a unit from vontage from my local radio
shack or best buy or what ever and stay on long enough to get my mail
in rebate then cancel if possible , then see if I can copy the firmware
from my unlocked na model to the vontage model.. then save like
$15-16$ per unit and give them as gifts to friends pre registered with
Freeworlddial.com accounts and send a msg to hook em up and dial my fwd ...


any one?!

I really would like to try it.. anyone have a locked one and up to try
this.. ??

m.

Dustin wrote:
> What is SPC?
>
> cecco_at_peppe_dot_it@foo.com (Ceccopeppe) wrote in message news:<xjmjd.2528693$yk.401874@news.easynews.com>...
>
>>Ok, I downloaded six spa<macaddress>.xml files. I've seen that they are
>>really
>>cripted (using mac address?) and my PAP2 does not validate the one loaded.
>>So I wish i try using the Sipura configuration compile, SPC, available
>>only on
>>protected Sipura site so to compile a text file using macaddress as
>>cripting
>>key.
>>Does someone have a copy of SPC, either for windows or for linux ?
>>Thanks
>>
>>
>>
>>##-----------------------------------------------##
>>Article posted with Cabling-Design.com Newsgroup Archive
>>http://www.cabling-design.com/forums
>>no-spam read and post WWW interface to your favorite newsgroup -
>>comp.dcom.voice-over-ip - 1063 messages and counting!
>>##-----------------------------------------------##
December 21, 2004 10:52:02 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

ok

well after some googling I was able to find this.. for locked pap2
you can unlock it by performing a factory reset over the IVR IF YOU HAVE
THE PASSWORD. To get to the IVR hit "****" while connected over the
phone. The factory reset command is "73738#". You will be asked for a
password.

Now the question is, what is that dang password?

m wrote:
> Yes I would like to know to...
>
> I have a pap2-na and If someone will tell me how to get the firm ware
> off it I will do it.. long as it leaves mine finctional.. (I use it
> every day with fwd .. and diffrent providers)
>
> not to mention asterisk.
>
> I am trying to find a way to buy a unit from vontage from my local radio
> shack or best buy or what ever and stay on long enough to get my mail
> in rebate then cancel if possible , then see if I can copy the firmware
> from my unlocked na model to the vontage model.. then save like
> $15-16$ per unit and give them as gifts to friends pre registered with
> Freeworlddial.com accounts and send a msg to hook em up and dial my fwd ...
>
>
> any one?!
>
> I really would like to try it.. anyone have a locked one and up to try
> this.. ??
>
> m.
>
> Dustin wrote:
>
>> What is SPC?
>>
>> cecco_at_peppe_dot_it@foo.com (Ceccopeppe) wrote in message
>> news:<xjmjd.2528693$yk.401874@news.easynews.com>...
>>
>>> Ok, I downloaded six spa<macaddress>.xml files. I've seen that they are
>>> really cripted (using mac address?) and my PAP2 does not validate the
>>> one loaded. So I wish i try using the Sipura configuration compile,
>>> SPC, available
>>> only on protected Sipura site so to compile a text file using
>>> macaddress as
>>> cripting key. Does someone have a copy of SPC, either for windows or
>>> for linux ? Thanks
>>>
>>>
>>> ##-----------------------------------------------##
>>> Article posted with Cabling-Design.com Newsgroup Archive
>>> http://www.cabling-design.com/forums
>>> no-spam read and post WWW interface to your favorite newsgroup -
>>> comp.dcom.voice-over-ip - 1063 messages and counting!
>>> ##-----------------------------------------------##
Anonymous
December 22, 2004 12:06:04 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

In article ID <faydnXKoUPasWFXcRVn-1g@rogers.com>, m <googlenews@s2angel.com>
writes:

>well after some googling I was able to find this.. for locked pap2
>you can unlock it by performing a factory reset over the IVR IF YOU HAVE
>THE PASSWORD. To get to the IVR hit "****" while connected over the
>phone. The factory reset command is "73738#". You will be asked for a
>password.
>
>Now the question is, what is that dang password?

Same exact reset code as the Sipura. When I left Broadvoice, I was able to
reset my Sipura 1000 since they do not lock the hardware.

http://www.sipura.com/Documents/SipuraSPAUserGuidev2.0....

By factory default there is no password and no password authentication is
prompted for all the IVR settings. If administrator password is set,
password authentication will be prompted for certain IVR settings.

Enter IVR Menu * * * *

Ignore SIT or other tones until you hear, "Sipura configuration menu.Please
enter option followed by the pound key or hang-up to exit."

Factory Reset of Unit 73738 Enter 1 to confirm

SPA will prompt for confirmation. After confirming, you will hear Option
Successful. Hangup. Unit will reboot and all configuration parameters will be
reset to factory default values.
December 22, 2004 11:03:56 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Well I have the unlocked pap2-na so I can't try that mine works good
very open for changes.. anyone have the locked one and willing to give
it a try.. I can bet there are a ton of people dieing to know if it
works and what you did. maybe do it before you go away someplace. and
have anouther phone you can use so you can call vontage and tell them
your rented box is messed up leaving time for them to send you anouther
lol...

Some one hurry up and try this.. i wanna buy these things as gifts and
send them setup with fwd numbers so I can call my LD buddies...

m.

pl wrote:
> In article ID <faydnXKoUPasWFXcRVn-1g@rogers.com>, m <googlenews@s2angel.com>
> writes:
>
>
>>well after some googling I was able to find this.. for locked pap2
>>you can unlock it by performing a factory reset over the IVR IF YOU HAVE
>>THE PASSWORD. To get to the IVR hit "****" while connected over the
>>phone. The factory reset command is "73738#". You will be asked for a
>>password.
>>
>>Now the question is, what is that dang password?
>
>
> Same exact reset code as the Sipura. When I left Broadvoice, I was able to
> reset my Sipura 1000 since they do not lock the hardware.
>
> http://www.sipura.com/Documents/SipuraSPAUserGuidev2.0....
>
> By factory default there is no password and no password authentication is
> prompted for all the IVR settings. If administrator password is set,
> password authentication will be prompted for certain IVR settings.
>
> Enter IVR Menu * * * *
>
> Ignore SIT or other tones until you hear, "Sipura configuration menu.Please
> enter option followed by the pound key or hang-up to exit."
>
> Factory Reset of Unit 73738 Enter 1 to confirm
>
> SPA will prompt for confirmation. After confirming, you will hear Option
> Successful. Hangup. Unit will reboot and all configuration parameters will be
> reset to factory default values.
>
>
December 28, 2004 12:23:44 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

I knoticed alot of Ebay listings of PAP2 I personaly emailed almost all
of them and they always reply with out answering the question weather
its realy a pap2-na or just a pap2 I am extreamly clear too on the matter

So beware!



m wrote:
> Well I have the unlocked pap2-na so I can't try that mine works good
> very open for changes.. anyone have the locked one and willing to give
> it a try.. I can bet there are a ton of people dieing to know if it
> works and what you did. maybe do it before you go away someplace. and
> have anouther phone you can use so you can call vontage and tell them
> your rented box is messed up leaving time for them to send you anouther
> lol...
>
> Some one hurry up and try this.. i wanna buy these things as gifts and
> send them setup with fwd numbers so I can call my LD buddies...
>
> m.
>
> pl wrote:
>
>> In article ID <faydnXKoUPasWFXcRVn-1g@rogers.com>, m
>> <googlenews@s2angel.com>
>> writes:
>>
>>
>>> well after some googling I was able to find this.. for locked pap2
>>> you can unlock it by performing a factory reset over the IVR IF YOU
>>> HAVE THE PASSWORD. To get to the IVR hit "****" while connected over
>>> the phone. The factory reset command is "73738#". You will be asked
>>> for a password.
>>>
>>> Now the question is, what is that dang password?
>>
>>
>>
>> Same exact reset code as the Sipura. When I left Broadvoice, I was
>> able to
>> reset my Sipura 1000 since they do not lock the hardware.
>> http://www.sipura.com/Documents/SipuraSPAUserGuidev2.0....
>>
>> By factory default there is no password and no password authentication is
>> prompted for all the IVR settings. If administrator password is set,
>> password authentication will be prompted for certain IVR settings.
>>
>> Enter IVR Menu * * * *
>> Ignore SIT or other tones until you hear, "Sipura configuration
>> menu.Please
>> enter option followed by the pound key or hang-up to exit."
>>
>> Factory Reset of Unit 73738 Enter 1 to confirm
>> SPA will prompt for confirmation. After confirming, you will hear Option
>> Successful. Hangup. Unit will reboot and all configuration parameters
>> will be
>> reset to factory default values.
>>
>>
Anonymous
December 28, 2004 12:08:51 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

In article <35udnfOI9vQ1Xk3cRVn-qg@rogers.com> m <googlenews@s2angel.com>
writes:


>I knoticed alot of Ebay listings of PAP2 I personaly emailed almost all
>of them and they always reply with out answering the question weather
>its realy a pap2-na or just a pap2 I am extreamly clear too on the matter

>So beware!

From what little has been written so far it looks like the -na variant is
only available for new purchase through a voip service provider (other
than Vonage). Also it's fairly apparent from the pricing that Linksys
has/had no intention whatsoever of fielding 1st and 2nd level support
calls from the actual end-user.

Now as far as eBay goes, don't waste your time pestering the seller asking
them if theirs is the -NA model. It the listing doesn't specificaly say
"NA" then take it safely on faith that it isn't one. They are in enough
demand that anyone selling one would certainly be smart enough to
differentiate that fact in his listing and the world would surely beat a
path to his door.
February 11, 2005 5:04:51 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

> Jeeves_Mosswrote:
If any one is intrested in the hardware specs, follow this link for
pics and specs.
> http://www.bekka.dynu.com/vonageworkaround/vonageworkar...

That URL doesn't work :( 
I too want to know how to unlock a pap2 device.
Does the reset code work if you just get the pap2 out of the box and
DO NOT connect it to the internet so it cannot download the xml?
February 11, 2005 5:04:51 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

> Brendonwrote:
Could you spoof ls.tftp.vonage.net to point to your tftp server and
provide
> the spa000F66A84007.xml file yourself? Just an idea.

I downloaded that file with KugleSoft TFTP Server & Client, and
it's an encrypted file :x
I ordered 3 vonage-non-opened pap2, Hope I can get it work with
stanaphone :( 
Anonymous
February 11, 2005 12:02:40 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

smoothy wrote:
>>Brendonwrote:
>
> Could you spoof ls.tftp.vonage.net to point to your tftp server and
> provide
>
>>the spa000F66A84007.xml file yourself? Just an idea.
>
>
> I downloaded that file with KugleSoft TFTP Server & Client, and
> it's an encrypted file :x
> I ordered 3 vonage-non-opened pap2, Hope I can get it work with
> stanaphone :( 
>

Most devices ask to download several config files. You will need to
monitor the network traffic and see what the device trying to download
from where. There is another file that is not encrypted that gets
downloaded.

I use a different service that sent me a locked device and was able to
unlock it by giving it a config file to download. The device specific
file was encrypted but the device was also downloading a general config
file which was not encrypted.

Yaser
Anonymous
February 22, 2005 1:40:07 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

not to kick a dead horse (assuming this discussion is still of interest
to some ppl), i've had some success following the advice in this
thread, but alas, i'm still far from freeing the pap2 from the vonage
hegemony.

1.) setup a tftp server on a network at home with a spaXXXXXXXXXXXX.xml
file in /tftpboot and the same file in /tftpboot/YYYYYYYYYY. i know
that the spaXXXXXXXXXXXX.xml file is dependent on the pap2 MAC, but i'm
still unsure as to what determines the /tftpboot/YYYYYYYYYY
designation. i think this may be a password used derive a salt to
decrypt spaXXXXXXXXXXXX.xml and verify it's integrity. i also think
that /tftpboot/spaXXXXXXXXXXXX.xml file is identical to
/tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml file.
2.) configured my dhcp server to distribute a known ip address to the
pap2 MAC.
3.) placed the pap2 on a separate subnet/interface
4.) configured my firewall/router to redirect all requests originiating
from the pap2 to tftp.vonage.net to a local tftpserver on a separate
subnet/interface. natted all packets from the local tftpserver to the
pap2, so as to appear to be coming from tftp.vonage.net.
5.) connected the pap2 (with a default factory configuration) to the
network and plugged in the power cord.

the pap2 successfully connects to the local tftpserver, downloads
/tftpboot/spaXXXXXXXXXXXX.xml and
/tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml, self-installs the firmware,
reboots, and connects to vonage via port 5060-5061.

now, i've tried replacing the spaXXXXXXXXXXXX.xml file with a
spa2k-2.0.10e.bin file and renamed the tftpboot/YYYYYYYYYY directory to
whatever the pap2 was asking for (obtained by tcpdump and ethereal),
but the download stops abruptly when the pap2 returns an icmp packet
with a "port unreachable" message. i think that in this case the
spa2k-2.0.10e.bin (709K) much bigger than spaXXXXXXXXXXXX.xml (29K), so
the device rejects the firmware upload (probably due to a max file size
constraint).

i see two ways of getting around this problem:
1.) brute force the admin password from the pap2 prior to the vonage
firmware update and update the configurations via the pap2 web
interface.
2.) brute force the spaXXXXXXXXXXXX.xml file using openssl rc4 and some
variation of the MAC/Serial Num/YYYYYYYYYY as the salt or password.

let me know what you think.


Yaser Doleh wrote:
> smoothy wrote:
> >>Brendonwrote:
> >
> > Could you spoof ls.tftp.vonage.net to point to your tftp server
and
> > provide
> >
> >>the spa000F66A84007.xml file yourself? Just an idea.
> >
> >
> > I downloaded that file with KugleSoft TFTP Server & Client, and
> > it's an encrypted file :x
> > I ordered 3 vonage-non-opened pap2, Hope I can get it work with
> > stanaphone :( 
> >
>
> Most devices ask to download several config files. You will need to
> monitor the network traffic and see what the device trying to
download
> from where. There is another file that is not encrypted that gets
> downloaded.
>
> I use a different service that sent me a locked device and was able
to
> unlock it by giving it a config file to download. The device specific

> file was encrypted but the device was also downloading a general
config
> file which was not encrypted.
>
> Yaser
Anonymous
February 22, 2005 5:19:59 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

spa2k-2.0.10e.bin and spaXXXXXXXXXXXX.xml are completely 2 different
files. The first is a firware upgrade and the second is a configuration.
You don't need the firmware upgrade and if you did it once, you don't
need to do it again.

If you have the firmware file, chances are the default passwords are
stored on clear text in the file. Try to extract the strings from the
file and see what you can find. On a UNIX type machine run

% strings spa2k-2.0.10e.bin

If you want just email me the file and I can try for you.

Yaser

will@mccammon.name wrote:
> not to kick a dead horse (assuming this discussion is still of interest
> to some ppl), i've had some success following the advice in this
> thread, but alas, i'm still far from freeing the pap2 from the vonage
> hegemony.
>
> 1.) setup a tftp server on a network at home with a spaXXXXXXXXXXXX.xml
> file in /tftpboot and the same file in /tftpboot/YYYYYYYYYY. i know
> that the spaXXXXXXXXXXXX.xml file is dependent on the pap2 MAC, but i'm
> still unsure as to what determines the /tftpboot/YYYYYYYYYY
> designation. i think this may be a password used derive a salt to
> decrypt spaXXXXXXXXXXXX.xml and verify it's integrity. i also think
> that /tftpboot/spaXXXXXXXXXXXX.xml file is identical to
> /tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml file.
> 2.) configured my dhcp server to distribute a known ip address to the
> pap2 MAC.
> 3.) placed the pap2 on a separate subnet/interface
> 4.) configured my firewall/router to redirect all requests originiating
> from the pap2 to tftp.vonage.net to a local tftpserver on a separate
> subnet/interface. natted all packets from the local tftpserver to the
> pap2, so as to appear to be coming from tftp.vonage.net.
> 5.) connected the pap2 (with a default factory configuration) to the
> network and plugged in the power cord.
>
> the pap2 successfully connects to the local tftpserver, downloads
> /tftpboot/spaXXXXXXXXXXXX.xml and
> /tftpboot/YYYYYYYYYY/spaXXXXXXXXXXXX.xml, self-installs the firmware,
> reboots, and connects to vonage via port 5060-5061.
>
> now, i've tried replacing the spaXXXXXXXXXXXX.xml file with a
> spa2k-2.0.10e.bin file and renamed the tftpboot/YYYYYYYYYY directory to
> whatever the pap2 was asking for (obtained by tcpdump and ethereal),
> but the download stops abruptly when the pap2 returns an icmp packet
> with a "port unreachable" message. i think that in this case the
> spa2k-2.0.10e.bin (709K) much bigger than spaXXXXXXXXXXXX.xml (29K), so
> the device rejects the firmware upload (probably due to a max file size
> constraint).
>
> i see two ways of getting around this problem:
> 1.) brute force the admin password from the pap2 prior to the vonage
> firmware update and update the configurations via the pap2 web
> interface.
> 2.) brute force the spaXXXXXXXXXXXX.xml file using openssl rc4 and some
> variation of the MAC/Serial Num/YYYYYYYYYY as the salt or password.
>
> let me know what you think.
>
>
> Yaser Doleh wrote:
>
>>smoothy wrote:
>>
>>>>Brendonwrote:
>>>
>>>Could you spoof ls.tftp.vonage.net to point to your tftp server
>
> and
>
>>>provide
>>>
>>>
>>>>the spa000F66A84007.xml file yourself? Just an idea.
>>>
>>>
>>>I downloaded that file with KugleSoft TFTP Server & Client, and
>>>it's an encrypted file :x
>>>I ordered 3 vonage-non-opened pap2, Hope I can get it work with
>>>stanaphone :( 
>>>
>>
>>Most devices ask to download several config files. You will need to
>>monitor the network traffic and see what the device trying to
>
> download
>
>>from where. There is another file that is not encrypted that gets
>>downloaded.
>>
>>I use a different service that sent me a locked device and was able
>
> to
>
>>unlock it by giving it a config file to download. The device specific
>
>
>>file was encrypted but the device was also downloading a general
>
> config
>
>>file which was not encrypted.
>>
>>Yaser
>
>
February 22, 2005 5:21:46 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Does anyone have a copy of the flash from an orinanally UNLOCKED PAP2
(PAP2-NA)?
I would like to look at it.


MK


"smoothy" <smoothy@nj-dot-cl.no-spam.invalid> wrote in message
news:er2dnVANEv2--pHfRVn_vQ@giganews.com...
> > Brendonwrote:
> Could you spoof ls.tftp.vonage.net to point to your tftp server and
> provide
> > the spa000F66A84007.xml file yourself? Just an idea.
>
> I downloaded that file with KugleSoft TFTP Server & Client, and
> it's an encrypted file :x
> I ordered 3 vonage-non-opened pap2, Hope I can get it work with
> stanaphone :( 
>
Anonymous
February 23, 2005 4:43:10 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

so, what you're saying is that i could theoretically create my own
unsalted config file, upload it, reboot, and the pap2 would be
unencumbered? how do i go about creating a realistic config to replace
the salted one? what are the parameters?

thanks for clearing up my misconception. i didn't know what the
spaXXXXXXXXXXXX.xml file was for. i thought it might be a combination
of the firmware update and config. at any rate, it's salted/encrypted
so i don't know its actual contents. i ran 'strings
spaXXXXXXXXXXXX.xml > strings.out' and got a bunch of short one-liners
that looked like gobbly gook to me. then i used the output file as the
password file for hydra and pointed it at the pap2. no juice.

at this point, i'm stuck with the two choices that i posted previously.
short of launching a full-blown brute force attack on the pap2 or it's
config, i'm not sure of what to try next. any more ideas?
Anonymous
February 23, 2005 4:46:54 PM

Archived from groups: comp.dcom.voice-over-ip (More info?)

oh yea, forgot to mention that i also tried 'strings spa2k-2.0.10e.bin
> strings.out' and ran those through hydra without success, also.
March 12, 2005 5:03:43 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

> summiterwrote:
Could someone with access to a pap2-na send me the html source for
the
> admin page or post it here please?
>
> My current thinking is that although authentication is required to
access the admin pages, the data that is "posted" via those pages
doesn't go through any sort of checking.
>

I thought the same, so searching some equivalent-sipura configs, I
found out that to upgrade the firmware via web interface, you have to
do it this way:
http://PAP2-IP/admin/upgrade?http://yoursite.com/PAP2-bin-2-00-13-LSb.bin

Still asks me for the admin password.. :( 
March 12, 2005 5:03:43 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Could you please send me the PAP2-NA firmware? (.bin?)

thanks
Anonymous
March 12, 2005 5:03:43 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Could someone with access to a pap2-na send me the html source for the

admin page or post it here please?

My current thinking is that although authentication is required to
access the admin pages, the data that is "posted" via those pages
doesn't go through any sort of checking.

I've noticed that the field have numerical names. If I can find out
the names of the fields for various admin config stuff, I might be
able to inject those values somehow.

I'm not sure easy this will be though...

I wish the person who had the walk-though on linuxvoip.info would
speak up! =)
March 12, 2005 5:03:43 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Would be nice if someone, with the adequate hardware, could
interrogate the NVRAM of a PAP2-NA and
and extract the firmware image.

I don't know how to do that though :( 

I've tried resetting the pap2, it indeed come to factory defaults (I
can see the web interface), but it keeps asking me a password to the
Admin Area and once connected to the net, it starts to download
vonage firmware. :( 
Anonymous
March 12, 2005 5:03:43 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

You can dl a copy of a recent release here:

http://www.inphonex.com/download/PAP2-bin-2-00-13-LSb.b...

But I'm tellin' ya, there's no way to get it onto a "locked" pap2,
that I've found anyway.

You can't simply rename it to the filename requested via tftp at boot.
It starts to transfer then errors out before comletion..probably
beacuse the device isn't expecting a firmware file, it's expecting a
config file.

The is a way to upload firmware to the pap2 via the web interface, but
it requires the admin password...which is the problem we have in the
first place.

I just want to get this thing working with my Asterisk server..I
already have Vontage on another device. But if I can't get it
working, I'm cancelling Vontage and buying a pap2-na and going with
another provider.

> smoothywrote:
Could you please send me the PAP2-NA firmware? (.bin?)
>
> thanks
Anonymous
March 12, 2005 5:03:43 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

PAP2-NA firmware is available. Getting it to load onto the PAP2 is
the challenge. It's apparently not as simple as renaming it to the
file requested by tftp. That results in the tftp session shutting
down before the transfer completes.



> smoothywrote:
Would be nice if someone, with the adequate hardware, could
interrogate the NVRAM of a PAP2-NA and
and extract the firmware image.
>
> I don't know how to do that though :( 
>
> I've tried resetting the pap2, it indeed come to factory defaults (I
can see the web interface), but it keeps asking me a password to the
Admin Area and once connected to the net, it starts to download
vonage firmware. :( 
Anonymous
March 12, 2005 5:03:43 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Based on reading the fragments of information spread across many sites
and newsgroups, it's apparent *someone* knows the steps involved in
getting into these things!

The mysterious post on linuxvoip.info leads me to believe that all can
be found by sniffing packets and perhaps some tftp craftiness
(although the message on linuxvoip.info doesn't mention anything
other than utilizing ethereal). The problem with that is after the
tftp requests, the pap2 just site there and doesn't try again.
Someone mentioned that it may make a request for an unencrypted file,
but so far all tftp requests to ls.tftp.vonage.net are for the
mac-based .xml file.

Anyone have some new thoughts? How about a source for a basic,
unencrypted xml config file?
Anonymous
March 12, 2005 5:03:43 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

OK since I've already wasted my Friday night, I might as well lay out
what I've found.

I've successfully changed the firmware to two other versions, a .10LSc
and a .13LSb.

It appears thought that the provider config is stored somewhere
outside of the main firmware, because despite flashing to different
versions, I am still prompted to enter a password for the admin
pages, and the device still makes requests to a vonage tftp server.

I tried a factory reset after loading each firmware, and it didn't
help.

I noticed that the device says it has a certificate installed. I'm
assuming this is what's used to authenticate/decrypt the .xml config
file the device is trying to load. If that's the case, then the
configs are likely signed with a key unique to vonage, and that
pretty much ends that direction. I think that will likely prevent
the loading of some generic, yet properly compiled config file, since
it won't be signed by vonage's key.

I read somewhere that older versions of the firmware had a particular
vulnerability that allowed config access - does anyone recall what
that was about?
March 12, 2005 5:03:44 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

> summiterwrote:
I noticed that the device says it has a certificate installed. I'm
assuming this is what's used to authenticate/decrypt the .xml config
file the device is trying to load. If that's the case, then the
configs are likely signed with a key unique to vonage, and that
pretty much ends that direction. I think that will likely prevent
the loading of some generic, yet properly compiled config file, since
it won't be signed by vonage's key.

Besides the PAP2 provided by vonage (and which we all here are trying
to unlock) I also have a PAP2-NA, that was provided by my local VoIP
provider, and which I've reset once with the RESET# command (no
password asked). That, indeed reseted the unit, was able to make it
into the admin pages. And it also has the Client
Certificate:Installed
thing. This unit doesnt download any particular configuration. It's
just configured by hand using SIP proxy, user & password.

By the way, let's suppose I want to cancel my account with Vonage. My
credit card is "broken" (doesn't allow any charges). Vonage tries to
charge me $40 disconnection fee.. And it cant do it... What happens
then? Does Vonage like sue you to obtain the money? or just nothing
happens at all and you just keep a useless pap2 ?

thanks.
Anonymous
March 13, 2005 4:24:39 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Is it really worth the effort when you can get a Sipura?

On Sat, 12 Mar 2005 02:03:43 -0600,
kmayeux@hotmail-dot-com.no-spam.invalid (summiter) wrote:

>Based on reading the fragments of information spread across many sites
>and newsgroups, it's apparent *someone* knows the steps involved in
>getting into these things!
>
>The mysterious post on linuxvoip.info leads me to believe that all can
>be found by sniffing packets and perhaps some tftp craftiness
>(although the message on linuxvoip.info doesn't mention anything
>other than utilizing ethereal). The problem with that is after the
>tftp requests, the pap2 just site there and doesn't try again.
>Someone mentioned that it may make a request for an unencrypted file,
>but so far all tftp requests to ls.tftp.vonage.net are for the
>mac-based .xml file.
>
>Anyone have some new thoughts? How about a source for a basic,
>unencrypted xml config file?
Anonymous
March 13, 2005 5:06:52 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

I'm sure they will send you to collections unless you talk them out of
the fee.

As far as the certificate goes, I now believe it's only in place to
enable HTTPS transfers of config info if the provider chooses that
mechanism.

I still haven't made any more progress on this thing..

> smoothywrote:
Quote:
I noticed that the device says it has a
certificate installed. I'm assuming this is what's used to
authenticate/decrypt the .xml config file the device is trying to
load. If that's the case, then the configs are likely signed with a
key unique to vonage, and that pretty much ends that direction. I
think that will likely prevent the loading of some generic, yet
properly compiled config file, since it won't be signed by vonage's
key.I noticed that the device says it has a certificate installed.
I'm assuming this is what's used to authenticate/decrypt the .xml
config file the device is trying to load. If that's the case, then
the configs are likely signed with a key unique to vonage, and that
pretty much ends that direction. I think that will likely prevent
the loading of some generic, yet properly compiled config file, since
it won't be signed by vonage's key.


Besides the PAP2 provided by vonage (and which we all here are trying
to unlock) I also have a PAP2-NA, that was provided by my local VoIP
provider, and which I've reset once with the RESET# command (no
password asked). That, indeed reseted the unit, was able to make it
into the admin pages. And it also has the Client
Certificate:Installed
thing. This unit doesnt download any particular configuration. It's
just configured by hand using SIP proxy, user & password.

By the way, let's suppose I want to cancel my account with Vonage. My
credit card is "broken" (doesn't allow any charges). Vonage tries to
charge me $40 disconnection fee.. And it cant do it... What happens
then? Does Vonage like sue you to obtain the money? or just nothing
happens at all and you just keep a useless pap2 ?

thanks.
Anonymous
March 13, 2005 5:06:52 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Naw, that's not really possible...but I wouldn't be surpised if there
were some "backdoor" somewhere in the http interface.

Still stumped....

> smoothywrote:
Isn't there a way to trick the .htaccess file inside this thing to
allow access to the /admin directory? That's how the authentication
works, doesn't it?
March 13, 2005 5:06:52 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

Isn't there a way to trick the .htaccess file inside this thing to
allow access to the /admin directory? That's how the authentication
works, doesn't it?
March 14, 2005 5:05:23 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

> Jo Cloewrote:
Is it really worth the effort when you can get a Sipura?

Well.. let's say that I want to make it worthy for the money I paid
for the PAP2... :( 
March 14, 2005 5:05:23 AM

Archived from groups: comp.dcom.voice-over-ip (More info?)

> summiterwrote:
Naw, that's not really possible...but I wouldn't be surpised if there
were some "backdoor" somewhere in the http interface.
>
> Still stumped....
>
> smoothywrote:
Isn't there a way to trick the .htaccess file inside this thing to
allow access to the /admin directory? That's how the authentication
works, doesn't it?

Figured out that my local VoIP provider doesn't configure the settings
by hand, but using a program that loads the config into the ATA.
For instance, when you go to the voice menu on the Linksys RT31P2 it
just says "Contact your service provider". No manual config
whatsoever...
I need to get my hands onto that proggie..
!