[Asterisk-Users] Using locked PAP2 and PAP2-NA with Asterisk

VoIP Hacker voip.hacker at gmail.com
Sun Aug 21 23:46:41 MST 2005


Here is some info that may allow some "locked" PAP2 and
PAP2-NA units to be used with Asterisk:

I have a PAP2-NA (from a provider other than Vonage) for
which I did not know the admin password, though the "user"
pages were accessible to me.  The provider had set it up to
fetch its configuration file at startup by HTTP from a
numeric IP.  It was running 2.0.10(LSc).

A search of the wiki found the Sipura mass deployment page,
which says "NOTE: Recent versions of the SPA-2000 and
SPA-3000 firmware ( > 2.0.11), and the Linksys PAP2, also
support the plaintext XML configuration format."

That suggested a solution in two steps: upgrade the
firmware, then feed in an XML file.
PAP2-bin-2-00-13-LSb.bin is readily available on the Net;
after making it accessible to my TFTP server, a visit to
http://<PAP2 IP>/upgrade?tftp://<server IP>/<filename>
caused the PAP2-NA to upgrade successfully.  Then, a PC on an
isolated LAN was configured with the IP from which the
PAP2-NA was trying to read its config.  The PC was set to
provide the following response:

HTTP/1.0 200 OK
Content-Type: text/xml

<?xml version="1.0" encoding="ISO-8859-1"?> 
<flat-profile> <!-- PAP2-NA Configuration Parameters --> 
<Admin_Passwd>123456</Admin_Passwd>
<Domain>foo</Domain>
</flat-profile> 

Setting the domain is not part of the hack, but it makes it
easy to see that it worked.  You refresh the user status
page; if you see the domain change to foo, you can then go
to the admin page and log in with 123456.

Emboldened by the easy solution, I went to a local store,
bought a PAP2 (sold for use with Vonage), and hooked it up
on an isolated LAN.  First, I tried "reset" from the IVR
menu.  Strangely, it was accepted without a password and the
unit rebooted, but nothing got reset.  Next, since the unit
had 2.0.9(LSd), I tried to upgrade.  Shoot, it asked for the
admin password.  However, I decided to continue anyway.  The
unit does a DNS lookup for ls.tftp.vonage.net, so I set it
to use the PC as DNS server, which was suitably configured
to provide the PC's IP as the answer.  Next, the unit is
trying to TFTP to port 2400.  My TFTP server wasn't port
agile, so I found one that was.  But then, it's back on port
69, asking for /spa<MAC>.xml .  I put the xml file (starting
with <?xml ) under that name and voilà, it worked!  Turned
off provisioning, configured an account, connected to the
Net, and was able to make a call.

I don't know whether the above hack will work on a
non-virgin PAP2, or on a box with current firmware.  Of
course, I won't be responsible if it turns your ATA into a
brick.  However, I'd be interested in hearing what does and
doesn't work.  Don't say it doesn't, until the TFTP log or
Ethereal shows that the XML file was really read.

The initial config has some data that I suspect might prove
useful for obtaining Vonage SIP credentials, or for using a
"foreign" PAP2 with Vonage.  There is a base64-encoded,
256-bit key, visible as the "GPP K" parameter.  Perhaps this
key decrypts the initial provisioning data downloaded from
ls.tftp.vonage.net.  By following the chain of keys, it
would be possible to view all configuration updates in
plaintext form.
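
Added example, not part of the original post: a provider-side audit, in Python, that takes a provisioning URL and the raw response served for it and reports the two properties the post relies on, a transport that does not authenticate the server and secrets carried in a plaintext flat-profile. The URL, the sample response and the name pattern for secret-bearing parameters are assumptions made for illustration; only Admin_Passwd and the flat-profile layout come from the post.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: parameter names matching this pattern hold secrets
# (Admin_Passwd is the one named in the post).
SECRET_NAME = re.compile(r"passw(or)?d|secret|key", re.IGNORECASE)
UNAUTHENTICATED = {"http", "tftp"}  # no server authentication, no encryption

def http_body(raw):
    """Return the body of a raw HTTP response (CRLF or bare-LF framing)."""
    cuts = [(raw.find(sep), len(sep)) for sep in (b"\r\n\r\n", b"\n\n")]
    cuts = [c for c in cuts if c[0] >= 0]
    if not cuts:
        raise ValueError("no header/body separator found")
    pos, length = min(cuts)  # earliest blank line ends the headers
    return raw[pos + length:]

def audit_profile(url, raw_response):
    """List weaknesses in how one provisioning profile is delivered."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    if scheme in UNAUTHENTICATED:
        # The device cannot tell the real server from any host answering for it.
        findings.append("transport:" + scheme)
    root = ET.fromstring(http_body(raw_response).strip())
    if root.tag != "flat-profile":
        raise ValueError("not a flat-profile document")
    for param in root:  # XML comments are skipped by the parser
        if SECRET_NAME.search(param.tag) and (param.text or "").strip():
            findings.append("plaintext-secret:" + param.tag)
    return findings

# Constructed sample modelled on the response shown in the post.
SAMPLE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    b"<flat-profile> <!-- constructed sample -->\n"
    b"<Admin_Passwd>example-only</Admin_Passwd>\n"
    b"<Domain>foo</Domain>\n</flat-profile>\n"
)

if __name__ == "__main__":
    for finding in audit_profile("http://192.0.2.10/profile.xml", SAMPLE):
        print(finding)
```

Any finding means a host that can answer for the provisioning address can read or replace those parameters on the device.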
