martes, 22 de septiembre de 2009
domingo, 20 de septiembre de 2009
Linksys PAP2 Unlocking Methods
Linksys PAP2 Unlocking Methods
FIRST TIME READERS: It's suggested you start with the 2006-11-14 post below, then read up (newer posts), then if you have the interest read the older posts (nearer the bottom).
Methods for unlocking the Linksys PAP2
The following is a list of updates tracking the progress of unlocking the Linksys PAP2:
2009-1-24
Should you still be able to find one of these PAP2 in its original packaging (strangely, they do turn up now and then, but remember you want an UNOPENED one in a box with an ORANGE band, not the SILVER one) here are a few additional hints (especially for those of us who haven't done this in a while and may have forgotten what we did).
1) Make sure that at NO time until the unlock is completed do you ever connect the PAP2 to the Internet, or to a computer, switch, or router that is connected to the Internet. The PAP2 and the computer you are using to configure it MUST remain as a network unto themselves, with NO way to gain access to the net. MAKE SURE YOU TOTALLY DISABLE ANY WIRELESS NETWORKING CAPABILITY IN THE COMPUTER!!!
2) Do NOT succumb to the temptation to set the adapter to a static IP address. Set up Internet Connection Sharing on the computer (of course you are NOT really sharing the Internet) or do whatever you have to do to get the computer to act as a DHCP server and feed the adapter its IP address and (most important) DNS server information. If you don't do this, you may find yourself in a situation from which it is very difficult to recover.
3) Do NOT get the binary files confused and download the PAP2 binary first. You MUST download the Sipura binary first.
4) If you did not see my above warning (for #2 and/or #3) until it was too late, all may not be lost as long as the adapter did not see the Internet. The very first thing to do is try to reset the device again by using **** and then 73738# as per the original instructions - if you can do this it will (hopefully) dump the firmware you loaded by mistake and bring in the original firmware from ROM, letting you start over from scratch (well, almost). But a problem arises - when you pick up the phone, you hear a short ring followed by a ghastly sounding busy signal, and hitting **** does nothing! Just have patience - you just have to wait a few seconds (after the trashy busy signal starts) and then the **** may work! By the way, if you are prompted for a password, try any of these: 78196365#, 50274537#, 7756112#, 8995523#, 5465866# (and if one works, then hit 1 to confirm).
5) If you tried to use a static IP address and then got into the situation in #4, you may have to do the procedure in the 2006-12-19 post below. But it may be harder because, since the device isn't trying to pull addresses from a DHCP server, it may actually looking for two (or more) different IP addresses - one is the DNS server itself, and the other is one or more of the addresses you entered manually. You can use Wireshark to see what it's trying to access. You will have to make your computer pretend to be the DNS server it wants to see as described in the 2006-12-19 post below, but you may have to actually create a mini-network consisting of the PAP2 and TWO other computers, one acting as the DNS server and the other being the other address it's trying to get to (note that it IS possible to make one NIC respond to multiple IP addresses, by using advanced TCP/IP options, but this can cause other complications, particularly since Windows assumes you don't know what you're doing and will sometimes block you from doing the very thing you really need to do!). Now, if you happen to have two NIC cards in your computer, then you should set one to be the DNS server, set the other to be the other address(es) that the device is looking for, and set up your Internet Connectiong Sharing or DHCP server on that last one. It's probably easier with two computers and a small switch or hub, but remember that under NO circumstances can ANY of the devices be allowed to connect to the Internet while you are trying to recover!!!!!
6) If #5 sounds like a royal pain in the neck (or perhaps a lower part of the anatomy), believe me when I say it IS! Unless, of course, you are a networking guru, in which case you probably wouldn't make these types of dumb mistakes in the first place. I strongly suggest you heed the warnings in #2 and #3, and I only post this to let you know that if you DID make such a mistake, the unit may still be recoverable if you stop and think about what you are doing and IF YOU DO NOT AT ANY POINT CONNECT THE DEVICE TO THE INTERNET, OR TO A COMPUTER THAT IS CONNECTED TO THE INTERNET until it is FULLY unlocked. But whether it is worth the extra time it will take you to figure out what works is another matter altogether!
2009-1-6
Don't buy locked pap2, the latest firmware is very hard to unlock. bot unlocked from Mutualphone , for $45
2008-04-16
I can confirm the odd packet size mentioned in the 2007-05-03 entry below. I got my PAP2 off eBay. It was listed as unlocked, but it turned out to be locked. It came with firmware 3.1.9 LSc. For me it lists the total packet size as 27990, but only grabbing 100 bytes on the wire. I'm not uber enough to find the TCP window size on linux, so I am unable to continue my unlock attempt.
2007-07-03
Hello All,
I did the Short Jumper at the PAP2v1 (like the figure below) this only do a Reset like the reset by the IVR **** 73738# 1 to Confirm it doen´t work. I will keep trying
2007-06-21
For whatever it's worth, rumor has it that the PAP2v1 units run a little-known operating system that comes from Green Hills Software
2007-05-03
After hours of trying to upload the Sipura to my PAP2 with 3.1.9Lsc, I took a closer look at the packets with Ethereal. One of the response packets from my HTTP server was basically that the packet was fragmented or too big (I don't remember the actual message, but that was what i meant when I looked it up). The way I finally got around this and forced it to eat the Sipura firmware was by using DrTCP (normally used to change MTU) to change the window size of the TCP packets to 20000 on the ethernet adapter the HTTP was listening on. After this, the download of the .bin worked. I presume they made the http request with a huge TCP packet size to attempt to prevent "unauthorized" upload of firmware. I'd like to know if anyone else has gotten it to work this way.
2007-02-25
The PAP2v1 units I have are all based on v0.03.4 board where the SW1 block has four jumper PINs (exactly as shown on the snapshot below). I took a working PAP2v1 unit configured with FWD accounts and shorted out the outer two PINs (red circles) and my PAP2v1 seemed to perform a factory reset (the power LED activities indicated so). However, upon returning from this factory reset, all the configured parameters were still there and Line 1/2 were still registered to FWD as if the unit was never factory reset. To this date, my PAP2v1 unit that undergone this jumper shorting is still operating normally as before. This is all I can say about shorting the two outer PINs on the SW1 block. So, if you want to do this, do it at your own discretions and I take no responsibility of any mishaps.
2007-02-23
There is a graphic that I saw that purports to show the location of reset jumper pads on the majority of newer PAP-2 version 1 boards, which apparently do not have the jumper pins and shorting block that older boards have. In the photo below, there are red circles around the purported jumper pads (to the right of the phone line jacks). I do not know precisely how these are used (I've never had to use that method), but I would suppose either you short the pads while powering the unit up, or perhaps while doing a factory reset (of course you would only do that while the adapter is not connected to the Internet). I do not recommend that anyone experiment with this because if the information I received is wrong, you could damage your adapter. But if it's a choice between using a unit as a paperweight and trying the jumpers, I suppose I'd try them at least. If anyone can provide more information on unlocking a PAP-2 by using the jumper pads, please post it.
Image
2007-01-17
Addendum to 2006-11-14 notes:
If you're lucky enough to be running a wireless router — such as the Linksys WRT-54G — and it uses the DD-WRT open-source firmware, the simplest way to do this is in the "Administration / Services" menu. Enable DNSMasq, Enable Local DNS, and enter something similar to "address=/vonage.net/10.10.50.224" into the Additional DNS Options box. Any machines that use the router's DNS server to resolve IPs will then report the IP 10.10.50.224 for the entire vonage.net domain, so put in your tftp's IP address instead.
With the wireless router's WAN port disconnected and the PAP2 behind it's firewall, it will try (and fail) to reach Vonage's hard-coded DNS ip addresses, then fall back to using the router's DNS which we've redirected to our tftp server.
2006-12-23
Addendum to the 2006-12-19 item - you may not even need to install a DNS server at all - I read something that said that all you have to do is load the C:\Windows\System32\Drivers\etc\hosts file into any plain text editor (such as Notepad) and add the following to the end of the file:
192.168.0.1 ls.tftp.vonage.net
192.168.0.1 httpconfig.vonage.net
(You will probably need to substitute the actual IP address of the computer you are using for the unlock process in place of 192.168.0.1, and if you change the computer's IP address to pretend to be the DNS server that the device wants to see, don't forget to change the address in these two lines as well). This has not been tested, but looks like it should work - if it doesn't then you can always try using a standalone DNS server as described below.
2006-12-19
When following the instructions in the next section (dated 2006-11-14), be aware that things don't always go as smoothly as you might expect - we tried this with a PAP-2 that also came with firmware 3.1.9(LSc) out-of-the-box. After it went out to the "special" webserver to get the ersatz PAP2-bin-03-01-09-LSc.bin, we found that the unit's internal web server had been disabled AND the unit demanded a password to turn it back on. It also wanted a password to do a complete factory reset. We had no idea what password it was looking for (it was NOT one of the several common user passwords), so all we knew was that we had a unit that obviously had the SPA-2000 firmware loaded, but we could not access the web browser, nor factory reset the unit, nor basically do anything except listen to the responses in the * * * * menu. It also appeared that it was not attempting to load any additional files.
We had read that you could change the user and admin passwords to known values by feeding it an XML file that looks like this:
4321
Yes
80
Yes
No
1234
The above is a plain text file that should be saved using the filename 666666666666.xml (where the 6's are the MAC of your PAP-2) - basically it replaces the XML file you obtained from Vonage in an earlier step, and should be placed in the TFTP server root directory and any other directory where you had to place the original XML file (be sure you delete/overwrite any copies of the original XML file that you downloaded earlier). Note that ONLY the Sipura firmware mentioned below will take a plain text XML file, so you have to have at least been successful in getting the unit to take that firmware for the plain-text XML file to work. N.B. Make sure that if you save this file using a text editor, you save it in ANSI format, not UNICODE - the resulting file should be approximately 363 bytes in length.
The problem was that the PAP-2 wouldn't come and get the file. After much head scratching we finally realized that the PAP-2 was now looking for a DNS server at a specific new address (which the packet sniffer never revealed, but which we finally discovered by going to the * * * * menu and entering 160#) and therefore we had to change the IP address of the computer to match, then go into the "special" DNS server to tell it to repoint the other addresses to the new IP address. And then, after much more head scratching we figured out that there was a checkbox in the DNS server options that had to be checked or it wouldn't work at the new address (even though it worked fine without the box checked when the computer was set to an address in the 192.168.0.x range) - go figure.
Oh, and we had to restart the TFTP server so it would pick up the new address, and disable our firewall software, and maybe a couple more things I've forgotten.
For any Windows users attempting to do this, the software used was the Solar Winds TFTP server, Ethereal (now Wireshark) as the packet sniffer, AnalogX SimpleServer:WWW as the web server (I wish this one had at least some output to let you know that the files have been downloaded, but you can't get much simpler to set up, just don't forget to click the button to start the server!) and Simple DNS Plus as the DNS server (the latter has a 14 day trial period, we would have preferred something open source but since we were only using it once, we didn't feel the need to search all over for something else, and it WAS pretty simple to use except for the aforementioned checkbox that caused us some grief).
2006-11-14
Bought an off the shelf Vonage locked PAP-2 with the intent of unlocking. Came with firmware 3.1.9(LSc) out-of-the-box. The instructions for unlocking found on the FWD forum listed below did not work exactly as documented but provided a basis for what worked for me. There are so many tid-bits of information in various forums, all for various versions of the PAP-2, its challenging to determine exactly what to try.
Unlocking: Its not some voodoo, the goal is the replace the firmware on the PAP-2 device with the Sipura firmware that allows full administrative view so that you may oogle the settings. Now, I suppose you could just leave the Sipura firmware, but I replaced mine with another Linksys version.
You need to sandbox your PAP-2, it CANNOT (well, I assume this... this experiment was out-of-the-box, clean no Vonage call-home) see the 'net just yet. Once I was ready, I just shutdown my WAN card on my linux box.... you'll need to be careful as you don't want Vonage to provision the PAP-2.
You'll also need a DNS server, add a vonage.net zone so we can spoof out their servers.
$ORIGIN .
$TTL 3600 ; 1 hour
vonage.net IN SOA XXXX.ca. XXXX.XXXX.com. (
75 ; serial
900 ; refresh (15 minutes)
600 ; retry (10 minutes)
86400 ; expire (1 day)
172800 ; minimum (1 hour)
)
NS ns1.XXXX.ca.
A 10.10.50.224
MX 10 mail.XXXXX.ca.
$ORIGIN vonage.net.
httpconfig A 10.10.50.224
ls.tftp A 10.10.50.224
time A 10.10.50.224
ccivr A 10.10.50.224
-Setup a TFTP server on a host, and adjust the ls.tftp record to point to it.
-Setup an HTTP server on a host, and adjust the httpconfig record to point to it.
-Get firmwares from http://www.bargainshare.com/index.php?showtopic=69607 ...
--Sipura Firmware &
--Linksys 3.1.6 ..
Pull down your Vonage config file from their http provisioning server http://httpconfig.vonage.net/spa666666666666.xml (where the 6's are the MAC of your PAP-2) (do this BEFORE you spoof the DNS!!). Copy this file to the root of the tftp server root.
Create a directory +666666666666 on the spoofed httpconfig.vonage.net server (add a PLUS (+) to the MAC address). In my case, this is where the device downloaded a new firmware.
We now need to reset the PAP-2 so we can specify our fake nameserver.
Plug a phone into line 1 of the PAP. Plug in the power but not the ethernet.
- Dial **** for the IVR
- Dial 73738# (R E S E T #)
You may be prompted for a password, I was not (yet). See http://www.bargainshare.com/index.php?showtopic=69607&st=90&p=687285entry687285 for some known passwords. Press #1 to confirm. The PAP-2 reboots.
Ok, shut down your internet... I just take down eth0 and flush my iptables.
Plug the PAP into your network, let it get an IP. Access the weberface on the PAP-2: the DNS fields should now be enabled allowing you to specify your "special" DNS server. I power cycled it and fired up TCPDUMP to see what was going on. The PAP device calls to a number of hard-coded vonage IPs, then begins to query DNS for the records listed in the zone file above.
The TFTP is the first to be hit:
11/11/2006 19:47 :Sent spa666666666666.xml to (10.10.50.209), 29456 bytes
Then it looks for a "special" directory:
11/11/2006 19:47 :TFTP Error from 10.10.50.209 requesting KzBDrz5zLz\spa666666666666.xml : File does not exist
So, you want, you get (created the KzBDrz5zLz directory and copied the file), your directory name will be different; consult the tftp logs:
11/11/2006 19:50 :Sending KzBDrz5zLz\spa666666666666.xml to (10.10.50.209)
Sometime after this, the following occurs on the "special" webserver for httpconfig.vonage.net (yes, I have some clock drift on my play server)
01:01:29 10.10.50.224 GET /+666666666666/PAP2-bin-03-01-09-LSc.bin 404
01:02:49 10.10.50.224 GET /+666666666666/PAP2-bin-03-01-09-LSc.bin 200
This is the important part: I simply renamed the Sipura firmware to PAP2-bin-03-01-09-LSc.bin and hoped... and it totally ate the firmware and rebooted.
The Sipura web interface came right up, from there its a matter of disabling all the provisioning stuff and follow the normal firmware upgrade procedures to get 3.1.6(Ls) (working great here) installed. When you reload the Linksys firmware, you may have to re-do the reset procedure and be confronted with a password thru the IVR (see http://www.bargainshare.com/index.php?showtopic=69607&st=90&p=687285entry687285) , or I suppose you could get the GPP_K and use VuckFonage to get the admin password.
2006-02-24
I have a PAP2-NA Firmware Version: 3.1.9(LSc). The unit was locked by the provider but they gave me the password to make changes due to the problem I am having. I was able to get a dump of the provisioning nfo from the provider by executing the link under provisioning profile rule. I just added my mac address to the string and used IE to get the provisioning nfo. The admin password is in plain text and I was able to easily locate it in the dump (since I knew what the password was). The trick is to isolate the password in the dump because the position varies depending on the information going to the unit. Map the dump and you should be able determine the password. BTW, can't get my problem fixed, go figure.
2006-02-12
I only have had to deal with a 2.0.9 and a 2.0.12 so far. But the .12 was admined locked. This forced me to work out how to 'provision' admin password from other's notes. For those of you with a 3.1.9 and the wherewithall to do the packet sniffing, put ut a spoofed DNS and tftp server (if tftp is used for 3.1.9), it would be interesting to see if this gets you past the admin blockaid.
My notes on admin password setting can be found at: http://www.dslreports.com/forum/remark,15458239.
Notes on provisioning PAP2s in general are at http://www.freeworlddialup.com/community/forum/viewtopic.php?t=3748&sid=b1fc477dab538155656d7cee5cb96880
2006-02-04
The default admin password seems to be based on the GPP_K field and the MAC of the unit. I don't believe there is a 'master' password because that would be a security issue.
Currently Vonage is pushing 3.1.9 and currently there is no known way to unlock your device if it was not already once unlocked and you have your GPP_K written down. If you recently bought a PAP2 and you can return it, return it. You will be better off buying a PAP2-NA (unlocked already) from eBay or an online store (as suggested already). The 3.1.9 firmware may never be unlocked and/or it may be quite a while so again if you can I suggest returning the device.
Complain isn't going to help the situation at the same time it would be a good idea to let people know on the PAP2 mailing list http://groups.yahoo.com/group/Linksys_Pap2 that you have a 3.1.9 unit just so the people who are working on a workaround know there are others out there that need their device unlocked.
2006-02-04
Some brainstorming is necessary... I've read the guides from Linksys and it works like this: The file supplied by Vonage is either signed and/or gzipped (vendor's choice) and all the new Vonage units have the key (the guy below supposes it's the GPP_K field which is the key) and only recognize firmware that's supplied to it which is signed with that string and possibly gzipped. Now, since a license agreement is no longer necessary to get your PAP2-NAs you should just get a new one, or if you're really hung up on the Vonage one you have, brute force the admin password on yours (my ticker has been running for a week with no matches). My guess is that the default admin password on a Vonage PAP2 is either the same on all of them or something to do with either the serial number or the mac address or both (perhaps an md5 hash... backwards) it really could be anything.
2006-02-04
That's not really fair - the previous poster has the same issue that everyone has right now. The current firmware has an admin password which has not been bypassed yet. It would be helpful and productive if the next post could be how to bypass this.
2006-02-02
Like 99% of unlocked PAP2 owners, the steps laid out on some of unlocking pages are easy to follow. You should be able to unlock your own PAP2 easily. too. If you feel unlocking your PAP2 is so frustrating, please don't do it. If you do, you may end up re-locking your PAP2 further by Vonage. Instead, pay someone to do this dirty work for you for some prices. BTW, if you think to pay $60 for a Linksys/Vonage locked PAP2 to get it unlock, don't do it mainly because a PAP2-NA (unlocked version) is about $60 + S/H charges. I hope this helps you.
2006-01-26
This is SO Frustrating.
Everyone always writes in here like it's so easy.
They point you to pages where you can download the new firmware and explain it's easy, you just need the admin password, then they tell you that you can get the admin password by getting this GPP_K, which is simple to get after you unlock your PAP2.
Does anyone realize and the VuckFonage and the binary are all USELESS unless you have the admin password, AND IF YOU HAVE THE ADMIN PASSWORD YOUR DEVICE IS UNLOCKED, and there are no further steps!?!?!?!?!
Can ANYONE explain it without putting in sentences like: "To unlock your PAP2 use your admin password from your unlocked PAP2" - Actual line from one of the pages most referenced!!
2006-01-22
I was trying to do some hacking today and accidentally allowed the PAP2 to connect online after a factory reset and just like you, got upgraded to 3.1.9LSc. At first, I was stuck like you, since they've disallowed the user from changing the firmware. However, and I'm going to be brief and assume that you already know these tools and terms (I may elaborate on my homepage later on how I did it), I was able to modify the settings because I already knew my GPP_K. I'm not sure if you could figure out what your GPP_K is without having admin priviledges and maybe someone can help me out here.
With the GPP_K, just like how VuckFonage was able to decrypt the xml and show it in plain text, I was able to use it to encrypt the xml into something the PAP2 would be able to decrypt and read. Apparently, in the newest firmware, they no longer allow plain text xml settings uploads. To trick the PAP2 into downloading your encrypted xml instead of Linksys/Vonage, you need a TFTP server and a DNS server. Disconnect your internet connection and then FACTORY RESET your PAP2. Web Interface will be enabled and you can point the DNS server to the machine you have it setup. In the DNS server, point ls.tftp.vonage.net to the machine with the TFTP server. Reboot your PAP2 and it should now download your encrypted file.
I notice, even with this hack, I was unable to replace any firmware with it for it appears to have a firmware validation check before it actually flashes.
But with the admin and user password changed to anything that I wanted to (leave it blank and it won't even ask you for a password), I was able to set up line 1 with Telepacket and line 2 with VoipBuster.
2006-01-12
I was hacking a couple units for some firends. Two days ago on the 10th the box came preconfigured with 3.1.8(LS). The normal method didn't work. Provissioned by Vonage it went to 3.1.6. Factory reset, and we are on our way. Today got another unit 3.1.8. Provisioned by vonage and now it's a 3.1.9(LSc). Tried everything I could, including the "Firmware and FREE UPLOADER utility that lets you flash the PAP2 and turn it into a vanilla SPA-1000 Sipura box" no go. It all hinges on that stupid admin password. Is there a short circut that can be performed to wipe out the password? Or perhaps a packet sniff that could see what traffic (spacificly password) vonage sends the unit when it provisions it?
2006-01-10
I know it's not much fun, but did anyone go here, download the firmware and FREE UPLOADER utility that lets you
flash the PAP2 and turn it into a vanilla SPA-1000 Sipura box ??
http://www.sipura.com/
2006-01-10
Vonage is still pushing 3.1.6 firmware so it is possible to hookup a 3.1.8 PAP2 device to the internet so Vonage will automatically downgrade it to the unlockable 3.1.6 firmware. http://groups.yahoo.com/group/Linksys_Pap2/message/477 (requires registration) for more info.
2006-01-09
Here is an article, SPA2K/PAP2 firmwares for unlocking a PAP2, that I wrote on the BBR VoIP forum to show readers the links where to obtain an SPATools.zip and SPA2K/PAP2 firmware files to unlock a Linksys/Vonage locked PAP2. Once your PAP2 unlocked, please pin it on Frappr Map for PAP2 to show how many PAP2 units Vonage has lost due to the unlocking hack.
2006-01-09
Actually, I have discovered some tricks to re-unlock a PAP2 locked with firmware v3.1.7LSd/e a month ago. I don't have a firmware v3.1.8 to test, yet. I need some victims as guinea pigs to test my discoveries.
2005-12-06
New Linksys PAP2 Devices ship with Firmware 3.1.8(LS) which require admin password to TFTP upgrade. No work-around known. This also applies to firmwares of 3.1.7(LSe) or later.
2005-10-11
A simple method of upgrading is provided here: http://www.telephreak.org/PAP2/. This is similar to the FatWalletForums version but has less steps. This works on 2.0.11 firmware with a 'virgin' unit (never connected to the internet — supposedly it can work even after being connected, but requires additional resets). This has been around for a week or two at this point, but was not linked from here.
2005-09-27
For those who do not have Linux experience, you can find the 'patched' firmwares here: BBR though they disappear from time to time. Also step by step instructions and other links to binaries here at FatWalletForums.
2005-09-26
There is now a way to unlock PAP2 boxes with later firmware. Patching and applying an SPA2000 firmware update binary, tested with version 2.0.9 removes the admin password (they must have different configuration layouts?). Here is the patcher. Note that the LEDs won't work properly, and Line2 is unavailable. Another patcher (pap2spa) is available to convert PAP2 firmware upgrade binaries to SPA2k format. This allows reverting back to PAP2 firmware after the SPA firmware has been applied.
2005-09-11
there is currently no known way to unlock the recent Linksys PAP2 Vonage boxes. These have firmware version 2.0.10(LSc) and a rev 3 board which doesn't have the jumpers referred to in some unlocking guides. Various threads may have solutions by the time you read this as these boxes have recently been available quite cheaply ($20 after rebate).
2005-08-08
Firmware upgrades for the PAP2-NA can be found at (requires registration):
http://groups.yahoo.com/group/Linksys_Pap2
2005-07-22
PAP2-EU (PAP2-NA locked) is locked to the PhoneSystems.net service.
There is a password if you try to login on the admin web.
There is no jumper on this version (REV 3 board), so PAP2 trick won't work.
This is how I did a reset on my locked PAP2-EU:
As PAP2 is a Sipura clone, so we used the SPA2000 user guide...
Reset to Factory Settings : **** then 73738#1#1
And there you go, you can now access the web admin and you are no more locked to a specific network.
2005-07-06
Reportedly, PAP2 can be unlocked with a simple procedure:
This is how I did a reset on my PAP2:
I opened the box to find a two pin jumper for three pins available on
the board. I kept the device ON, (I used NONSTATIC gloves) pluged off
the jumper from the second and the third pins and connected it to the
first and second pins. Then I punched in "****" and "FACTRESET" and
then "1" on the telephone connected to the PAP2. It announced that it
did RESET successfully. I then switched of the PAP2 and reverted the
jumper back to its second and third pin position and closed the box. I
had the PAP2 unlocked!
--------
It should be noted that we (Telephreak) did not come up with this method. We are just trying to spread the good word. I apologize for the crappy web page :) If you have any questions, use your new PAP2 to call the Telephreak conference ( http://www.telephreak.org), or hit us up via IRC [server: irc.telephreak.org #telephreak]
[Note: We do _NOT_ host firmware files locally!]
-[From: http://www.broadbandreports.com/forum/remark,14450684~root=voip~mode=flat]-
A BIG Thanks to Matt for this one...
Follow these steps and your Linksys PAP2 will be unlocked. Provider settings do not get erased.
Several assumptions:
1. you can get to the WEB interface and set the USER password.
2. Ideally, the device has never downloaded updates, or talked to the provider.
3. You have a TFTP server setup on your network
For this example, Assumptions:
PAP2 is at IP: 192.168.1.5
TFTP server is : 192.168.1.110
OK, lets go for it:
1. Put the following two files in the TFTP root folder. [File one: PAP2SP2K.bin and SP2KPAP2.bin.]
2. Disconnect from the Internet (avoids downloading cfg files)
3. Boot your PAP2 in your network.
4. Browse to the web page of the PAP2.
5. In SYSTEM, set a User password of 1234
6. Click the SAVE SETTINGS button.
7. Refresh the link (you login with user and 1234)
8. Modify the link to show (in your web browser!): http://192.168.1.5/upgrade?tftp://192.168.1.110/PAP2SP2K.bin
9. Examine the status leds.. Power should turn RED when it is done. Give it a minute or two, dont interrupt it.
10. Once red, point browser at your PAP2. (our IP in this example is 192.168.1.5)
11. Click the "admin login" link near the top-right.
12. Click the PROVISIONING tab and set PROVISION ENABLE=NO.
13. Click SAVE SETTINGS.
14. Now, modify the link to show: http://192.168.1.5/upgrade?tftp://192.168.1.110/SP2KPAP2.bin
15. Done. Your Linksys PAP2 will eventually reboot (2 blue LEDs) (BE PATIENT) and you can click the "admin login" near the top-right. No PW needed.
This test uses specific firmwares.. These are not for any other use, so if you are looking for upgrade firmware for your PAP2, DO NOT assume that this will be them.. These are for unlocking your PAP2 unit.
Oh yeah. I was able to unlock two without any troubles.. your mileage may vary.
Again, Thanks Matt for all the work you put into making this possible.
-[End of post]---
* - I've read that if you factory reset the unit, it'll go back to its old Vonage ways.
FIRST TIME READERS: It's suggested you start with the 2006-11-14 post below, then read up (newer posts), then if you have the interest read the older posts (nearer the bottom).
Methods for unlocking the Linksys PAP2
The following is a list of updates tracking the progress of unlocking the Linksys PAP2:
2009-1-24
Should you still be able to find one of these PAP2 in its original packaging (strangely, they do turn up now and then, but remember you want an UNOPENED one in a box with an ORANGE band, not the SILVER one) here are a few additional hints (especially for those of us who haven't done this in a while and may have forgotten what we did).
1) Make sure that at NO time until the unlock is completed do you ever connect the PAP2 to the Internet, or to a computer, switch, or router that is connected to the Internet. The PAP2 and the computer you are using to configure it MUST remain as a network unto themselves, with NO way to gain access to the net. MAKE SURE YOU TOTALLY DISABLE ANY WIRELESS NETWORKING CAPABILITY IN THE COMPUTER!!!
2) Do NOT succumb to the temptation to set the adapter to a static IP address. Set up Internet Connection Sharing on the computer (of course you are NOT really sharing the Internet) or do whatever you have to do to get the computer to act as a DHCP server and feed the adapter its IP address and (most important) DNS server information. If you don't do this, you may find yourself in a situation from which it is very difficult to recover.
3) Do NOT get the binary files confused and download the PAP2 binary first. You MUST download the Sipura binary first.
4) If you did not see my above warning (for #2 and/or #3) until it was too late, all may not be lost as long as the adapter did not see the Internet. The very first thing to do is try to reset the device again by using **** and then 73738# as per the original instructions - if you can do this it will (hopefully) dump the firmware you loaded by mistake and bring in the original firmware from ROM, letting you start over from scratch (well, almost). But a problem arises - when you pick up the phone, you hear a short ring followed by a ghastly sounding busy signal, and hitting **** does nothing! Just have patience - you just have to wait a few seconds (after the trashy busy signal starts) and then the **** may work! By the way, if you are prompted for a password, try any of these: 78196365#, 50274537#, 7756112#, 8995523#, 5465866# (and if one works, then hit 1 to confirm).
5) If you tried to use a static IP address and then got into the situation in #4, you may have to do the procedure in the 2006-12-19 post below. But it may be harder because, since the device isn't trying to pull addresses from a DHCP server, it may actually looking for two (or more) different IP addresses - one is the DNS server itself, and the other is one or more of the addresses you entered manually. You can use Wireshark to see what it's trying to access. You will have to make your computer pretend to be the DNS server it wants to see as described in the 2006-12-19 post below, but you may have to actually create a mini-network consisting of the PAP2 and TWO other computers, one acting as the DNS server and the other being the other address it's trying to get to (note that it IS possible to make one NIC respond to multiple IP addresses, by using advanced TCP/IP options, but this can cause other complications, particularly since Windows assumes you don't know what you're doing and will sometimes block you from doing the very thing you really need to do!). Now, if you happen to have two NIC cards in your computer, then you should set one to be the DNS server, set the other to be the other address(es) that the device is looking for, and set up your Internet Connectiong Sharing or DHCP server on that last one. It's probably easier with two computers and a small switch or hub, but remember that under NO circumstances can ANY of the devices be allowed to connect to the Internet while you are trying to recover!!!!!
6) If #5 sounds like a royal pain in the neck (or perhaps a lower part of the anatomy), believe me when I say it IS! Unless, of course, you are a networking guru, in which case you probably wouldn't make these types of dumb mistakes in the first place. I strongly suggest you heed the warnings in #2 and #3, and I only post this to let you know that if you DID make such a mistake, the unit may still be recoverable if you stop and think about what you are doing and IF YOU DO NOT AT ANY POINT CONNECT THE DEVICE TO THE INTERNET, OR TO A COMPUTER THAT IS CONNECTED TO THE INTERNET until it is FULLY unlocked. But whether it is worth the extra time it will take you to figure out what works is another matter altogether!
2009-1-6
Don't buy locked pap2, the latest firmware is very hard to unlock. bot unlocked from Mutualphone , for $45
2008-04-16
I can confirm the odd packet size mentioned in the 2007-05-03 entry below. I got my PAP2 off eBay. It was listed as unlocked, but it turned out to be locked. It came with firmware 3.1.9 LSc. For me it lists the total packet size as 27990, but only grabbing 100 bytes on the wire. I'm not uber enough to find the TCP window size on linux, so I am unable to continue my unlock attempt.
2007-07-03
Hello All,
I did the Short Jumper at the PAP2v1 (like the figure below) this only do a Reset like the reset by the IVR **** 73738# 1 to Confirm it doen´t work. I will keep trying
2007-06-21
For whatever it's worth, rumor has it that the PAP2v1 units run a little-known operating system that comes from Green Hills Software
2007-05-03
After hours of trying to upload the Sipura to my PAP2 with 3.1.9Lsc, I took a closer look at the packets with Ethereal. One of the response packets from my HTTP server was basically that the packet was fragmented or too big (I don't remember the actual message, but that was what i meant when I looked it up). The way I finally got around this and forced it to eat the Sipura firmware was by using DrTCP (normally used to change MTU) to change the window size of the TCP packets to 20000 on the ethernet adapter the HTTP was listening on. After this, the download of the .bin worked. I presume they made the http request with a huge TCP packet size to attempt to prevent "unauthorized" upload of firmware. I'd like to know if anyone else has gotten it to work this way.
2007-02-25
The PAP2v1 units I have are all based on v0.03.4 board where the SW1 block has four jumper PINs (exactly as shown on the snapshot below). I took a working PAP2v1 unit configured with FWD accounts and shorted out the outer two PINs (red circles) and my PAP2v1 seemed to perform a factory reset (the power LED activities indicated so). However, upon returning from this factory reset, all the configured parameters were still there and Line 1/2 were still registered to FWD as if the unit was never factory reset. To this date, my PAP2v1 unit that undergone this jumper shorting is still operating normally as before. This is all I can say about shorting the two outer PINs on the SW1 block. So, if you want to do this, do it at your own discretions and I take no responsibility of any mishaps.
2007-02-23
There is a graphic that I saw that purports to show the location of reset jumper pads on the majority of newer PAP-2 version 1 boards, which apparently do not have the jumper pins and shorting block that older boards have. In the photo below, there are red circles around the purported jumper pads (to the right of the phone line jacks). I do not know precisely how these are used (I've never had to use that method), but I would suppose either you short the pads while powering the unit up, or perhaps while doing a factory reset (of course you would only do that while the adapter is not connected to the Internet). I do not recommend that anyone experiment with this because if the information I received is wrong, you could damage your adapter. But if it's a choice between using a unit as a paperweight and trying the jumpers, I suppose I'd try them at least. If anyone can provide more information on unlocking a PAP-2 by using the jumper pads, please post it.
Image
2007-01-17
Addendum to 2006-11-14 notes:
If you're lucky enough to be running a wireless router — such as the Linksys WRT-54G — and it uses the DD-WRT open-source firmware, the simplest way to do this is in the "Administration / Services" menu. Enable DNSMasq, Enable Local DNS, and enter something similar to "address=/vonage.net/10.10.50.224" into the Additional DNS Options box. Any machines that use the router's DNS server to resolve IPs will then report the IP 10.10.50.224 for the entire vonage.net domain, so put in your tftp's IP address instead.
With the wireless router's WAN port disconnected and the PAP2 behind it's firewall, it will try (and fail) to reach Vonage's hard-coded DNS ip addresses, then fall back to using the router's DNS which we've redirected to our tftp server.
2006-12-23
Addendum to the 2006-12-19 item - you may not even need to install a DNS server at all - I read something that said that all you have to do is load the C:\Windows\System32\Drivers\etc\hosts file into any plain text editor (such as Notepad) and add the following to the end of the file:
192.168.0.1 ls.tftp.vonage.net
192.168.0.1 httpconfig.vonage.net
(You will probably need to substitute the actual IP address of the computer you are using for the unlock process in place of 192.168.0.1, and if you change the computer's IP address to pretend to be the DNS server that the device wants to see, don't forget to change the address in these two lines as well). This has not been tested, but looks like it should work - if it doesn't then you can always try using a standalone DNS server as described below.
2006-12-19
When following the instructions in the next section (dated 2006-11-14), be aware that things don't always go as smoothly as you might expect - we tried this with a PAP-2 that also came with firmware 3.1.9(LSc) out-of-the-box. After it went out to the "special" webserver to get the ersatz PAP2-bin-03-01-09-LSc.bin, we found that the unit's internal web server had been disabled AND the unit demanded a password to turn it back on. It also wanted a password to do a complete factory reset. We had no idea what password it was looking for (it was NOT one of the several common user passwords), so all we knew was that we had a unit that obviously had the SPA-2000 firmware loaded, but we could not access the web browser, nor factory reset the unit, nor basically do anything except listen to the responses in the * * * * menu. It also appeared that it was not attempting to load any additional files.
We had read that you could change the user and admin passwords to known values by feeding it an XML file that looks like this:
The above is a plain text file that should be saved using the filename 666666666666.xml (where the 6's are the MAC of your PAP-2) - basically it replaces the XML file you obtained from Vonage in an earlier step, and should be placed in the TFTP server root directory and any other directory where you had to place the original XML file (be sure you delete/overwrite any copies of the original XML file that you downloaded earlier). Note that ONLY the Sipura firmware mentioned below will take a plain text XML file, so you have to have at least been successful in getting the unit to take that firmware for the plain-text XML file to work. N.B. Make sure that if you save this file using a text editor, you save it in ANSI format, not UNICODE - the resulting file should be approximately 363 bytes in length.
The problem was that the PAP-2 wouldn't come and get the file. After much head scratching we finally realized that the PAP-2 was now looking for a DNS server at a specific new address (which the packet sniffer never revealed, but which we finally discovered by going to the * * * * menu and entering 160#) and therefore we had to change the IP address of the computer to match, then go into the "special" DNS server to tell it to repoint the other addresses to the new IP address. And then, after much more head scratching we figured out that there was a checkbox in the DNS server options that had to be checked or it wouldn't work at the new address (even though it worked fine without the box checked when the computer was set to an address in the 192.168.0.x range) - go figure.
Oh, and we had to restart the TFTP server so it would pick up the new address, and disable our firewall software, and maybe a couple more things I've forgotten.
For any Windows users attempting to do this, the software used was the Solar Winds TFTP server, Ethereal (now Wireshark) as the packet sniffer, AnalogX SimpleServer:WWW as the web server (I wish this one had at least some output to let you know that the files have been downloaded, but you can't get much simpler to set up, just don't forget to click the button to start the server!) and Simple DNS Plus as the DNS server (the latter has a 14 day trial period, we would have preferred something open source but since we were only using it once, we didn't feel the need to search all over for something else, and it WAS pretty simple to use except for the aforementioned checkbox that caused us some grief).
2006-11-14
Bought an off the shelf Vonage locked PAP-2 with the intent of unlocking. Came with firmware 3.1.9(LSc) out-of-the-box. The instructions for unlocking found on the FWD forum listed below did not work exactly as documented but provided a basis for what worked for me. There are so many tid-bits of information in various forums, all for various versions of the PAP-2, its challenging to determine exactly what to try.
Unlocking: Its not some voodoo, the goal is the replace the firmware on the PAP-2 device with the Sipura firmware that allows full administrative view so that you may oogle the settings. Now, I suppose you could just leave the Sipura firmware, but I replaced mine with another Linksys version.
You need to sandbox your PAP-2, it CANNOT (well, I assume this... this experiment was out-of-the-box, clean no Vonage call-home) see the 'net just yet. Once I was ready, I just shutdown my WAN card on my linux box.... you'll need to be careful as you don't want Vonage to provision the PAP-2.
You'll also need a DNS server, add a vonage.net zone so we can spoof out their servers.
$ORIGIN .
$TTL 3600 ; 1 hour
vonage.net IN SOA XXXX.ca. XXXX.XXXX.com. (
75 ; serial
900 ; refresh (15 minutes)
600 ; retry (10 minutes)
86400 ; expire (1 day)
172800 ; minimum (1 hour)
)
NS ns1.XXXX.ca.
A 10.10.50.224
MX 10 mail.XXXXX.ca.
$ORIGIN vonage.net.
httpconfig A 10.10.50.224
ls.tftp A 10.10.50.224
time A 10.10.50.224
ccivr A 10.10.50.224
-Setup a TFTP server on a host, and adjust the ls.tftp record to point to it.
-Setup an HTTP server on a host, and adjust the httpconfig record to point to it.
-Get firmwares from http://www.bargainshare.com/index.php?showtopic=69607 ...
--Sipura Firmware &
--Linksys 3.1.6 ..
Pull down your Vonage config file from their http provisioning server http://httpconfig.vonage.net/spa666666666666.xml (where the 6's are the MAC of your PAP-2) (do this BEFORE you spoof the DNS!!). Copy this file to the root of the tftp server root.
Create a directory +666666666666 on the spoofed httpconfig.vonage.net server (add a PLUS (+) to the MAC address). In my case, this is where the device downloaded a new firmware.
We now need to reset the PAP-2 so we can specify our fake nameserver.
Plug a phone into line 1 of the PAP. Plug in the power but not the ethernet.
- Dial **** for the IVR
- Dial 73738# (R E S E T #)
You may be prompted for a password, I was not (yet). See http://www.bargainshare.com/index.php?showtopic=69607&st=90&p=687285entry687285 for some known passwords. Press #1 to confirm. The PAP-2 reboots.
Ok, shut down your internet... I just take down eth0 and flush my iptables.
Plug the PAP into your network, let it get an IP. Access the weberface on the PAP-2: the DNS fields should now be enabled allowing you to specify your "special" DNS server. I power cycled it and fired up TCPDUMP to see what was going on. The PAP device calls to a number of hard-coded vonage IPs, then begins to query DNS for the records listed in the zone file above.
The TFTP is the first to be hit:
11/11/2006 19:47 :Sent spa666666666666.xml to (10.10.50.209), 29456 bytes
Then it looks for a "special" directory:
11/11/2006 19:47 :TFTP Error from 10.10.50.209 requesting KzBDrz5zLz\spa666666666666.xml : File does not exist
So, you want, you get (created the KzBDrz5zLz directory and copied the file), your directory name will be different; consult the tftp logs:
11/11/2006 19:50 :Sending KzBDrz5zLz\spa666666666666.xml to (10.10.50.209)
Sometime after this, the following occurs on the "special" webserver for httpconfig.vonage.net (yes, I have some clock drift on my play server)
01:01:29 10.10.50.224 GET /+666666666666/PAP2-bin-03-01-09-LSc.bin 404
01:02:49 10.10.50.224 GET /+666666666666/PAP2-bin-03-01-09-LSc.bin 200
This is the important part: I simply renamed the Sipura firmware to PAP2-bin-03-01-09-LSc.bin and hoped... and it totally ate the firmware and rebooted.
The Sipura web interface came right up, from there its a matter of disabling all the provisioning stuff and follow the normal firmware upgrade procedures to get 3.1.6(Ls) (working great here) installed. When you reload the Linksys firmware, you may have to re-do the reset procedure and be confronted with a password thru the IVR (see http://www.bargainshare.com/index.php?showtopic=69607&st=90&p=687285entry687285) , or I suppose you could get the GPP_K and use VuckFonage to get the admin password.
2006-02-24
I have a PAP2-NA Firmware Version: 3.1.9(LSc). The unit was locked by the provider but they gave me the password to make changes due to the problem I am having. I was able to get a dump of the provisioning nfo from the provider by executing the link under provisioning profile rule. I just added my mac address to the string and used IE to get the provisioning nfo. The admin password is in plain text and I was able to easily locate it in the dump (since I knew what the password was). The trick is to isolate the password in the dump because the position varies depending on the information going to the unit. Map the dump and you should be able determine the password. BTW, can't get my problem fixed, go figure.
2006-02-12
I only have had to deal with a 2.0.9 and a 2.0.12 so far. But the .12 was admined locked. This forced me to work out how to 'provision' admin password from other's notes. For those of you with a 3.1.9 and the wherewithall to do the packet sniffing, put ut a spoofed DNS and tftp server (if tftp is used for 3.1.9), it would be interesting to see if this gets you past the admin blockaid.
My notes on admin password setting can be found at: http://www.dslreports.com/forum/remark,15458239.
Notes on provisioning PAP2s in general are at http://www.freeworlddialup.com/community/forum/viewtopic.php?t=3748&sid=b1fc477dab538155656d7cee5cb96880
2006-02-04
The default admin password seems to be based on the GPP_K field and the MAC of the unit. I don't believe there is a 'master' password because that would be a security issue.
Currently Vonage is pushing 3.1.9 and currently there is no known way to unlock your device if it was not already once unlocked and you have your GPP_K written down. If you recently bought a PAP2 and you can return it, return it. You will be better off buying a PAP2-NA (unlocked already) from eBay or an online store (as suggested already). The 3.1.9 firmware may never be unlocked and/or it may be quite a while so again if you can I suggest returning the device.
Complain isn't going to help the situation at the same time it would be a good idea to let people know on the PAP2 mailing list http://groups.yahoo.com/group/Linksys_Pap2 that you have a 3.1.9 unit just so the people who are working on a workaround know there are others out there that need their device unlocked.
2006-02-04
Some brainstorming is necessary... I've read the guides from Linksys and it works like this: The file supplied by Vonage is either signed and/or gzipped (vendor's choice) and all the new Vonage units have the key (the guy below supposes it's the GPP_K field which is the key) and only recognize firmware that's supplied to it which is signed with that string and possibly gzipped. Now, since a license agreement is no longer necessary to get your PAP2-NAs you should just get a new one, or if you're really hung up on the Vonage one you have, brute force the admin password on yours (my ticker has been running for a week with no matches). My guess is that the default admin password on a Vonage PAP2 is either the same on all of them or something to do with either the serial number or the mac address or both (perhaps an md5 hash... backwards) it really could be anything.
2006-02-04
That's not really fair - the previous poster has the same issue that everyone has right now. The current firmware has an admin password which has not been bypassed yet. It would be helpful and productive if the next post could be how to bypass this.
2006-02-02
Like 99% of unlocked PAP2 owners, the steps laid out on some of unlocking pages are easy to follow. You should be able to unlock your own PAP2 easily. too. If you feel unlocking your PAP2 is so frustrating, please don't do it. If you do, you may end up re-locking your PAP2 further by Vonage. Instead, pay someone to do this dirty work for you for some prices. BTW, if you think to pay $60 for a Linksys/Vonage locked PAP2 to get it unlock, don't do it mainly because a PAP2-NA (unlocked version) is about $60 + S/H charges. I hope this helps you.
2006-01-26
This is SO Frustrating.
Everyone always writes in here like it's so easy.
They point you to pages where you can download the new firmware and explain it's easy, you just need the admin password, then they tell you that you can get the admin password by getting this GPP_K, which is simple to get after you unlock your PAP2.
Does anyone realize and the VuckFonage and the binary are all USELESS unless you have the admin password, AND IF YOU HAVE THE ADMIN PASSWORD YOUR DEVICE IS UNLOCKED, and there are no further steps!?!?!?!?!
Can ANYONE explain it without putting in sentences like: "To unlock your PAP2 use your admin password from your unlocked PAP2" - Actual line from one of the pages most referenced!!
2006-01-22
I was trying to do some hacking today and accidentally allowed the PAP2 to connect online after a factory reset and just like you, got upgraded to 3.1.9LSc. At first, I was stuck like you, since they've disallowed the user from changing the firmware. However, and I'm going to be brief and assume that you already know these tools and terms (I may elaborate on my homepage later on how I did it), I was able to modify the settings because I already knew my GPP_K. I'm not sure if you could figure out what your GPP_K is without having admin priviledges and maybe someone can help me out here.
With the GPP_K, just like how VuckFonage was able to decrypt the xml and show it in plain text, I was able to use it to encrypt the xml into something the PAP2 would be able to decrypt and read. Apparently, in the newest firmware, they no longer allow plain text xml settings uploads. To trick the PAP2 into downloading your encrypted xml instead of Linksys/Vonage, you need a TFTP server and a DNS server. Disconnect your internet connection and then FACTORY RESET your PAP2. Web Interface will be enabled and you can point the DNS server to the machine you have it setup. In the DNS server, point ls.tftp.vonage.net to the machine with the TFTP server. Reboot your PAP2 and it should now download your encrypted file.
I notice, even with this hack, I was unable to replace any firmware with it for it appears to have a firmware validation check before it actually flashes.
But with the admin and user password changed to anything that I wanted to (leave it blank and it won't even ask you for a password), I was able to set up line 1 with Telepacket and line 2 with VoipBuster.
2006-01-12
I was hacking a couple units for some firends. Two days ago on the 10th the box came preconfigured with 3.1.8(LS). The normal method didn't work. Provissioned by Vonage it went to 3.1.6. Factory reset, and we are on our way. Today got another unit 3.1.8. Provisioned by vonage and now it's a 3.1.9(LSc). Tried everything I could, including the "Firmware and FREE UPLOADER utility that lets you flash the PAP2 and turn it into a vanilla SPA-1000 Sipura box" no go. It all hinges on that stupid admin password. Is there a short circut that can be performed to wipe out the password? Or perhaps a packet sniff that could see what traffic (spacificly password) vonage sends the unit when it provisions it?
2006-01-10
I know it's not much fun, but did anyone go here, download the firmware and FREE UPLOADER utility that lets you
flash the PAP2 and turn it into a vanilla SPA-1000 Sipura box ??
http://www.sipura.com/
2006-01-10
Vonage is still pushing 3.1.6 firmware so it is possible to hookup a 3.1.8 PAP2 device to the internet so Vonage will automatically downgrade it to the unlockable 3.1.6 firmware. http://groups.yahoo.com/group/Linksys_Pap2/message/477 (requires registration) for more info.
2006-01-09
Here is an article, SPA2K/PAP2 firmwares for unlocking a PAP2, that I wrote on the BBR VoIP forum to show readers the links where to obtain an SPATools.zip and SPA2K/PAP2 firmware files to unlock a Linksys/Vonage locked PAP2. Once your PAP2 unlocked, please pin it on Frappr Map for PAP2 to show how many PAP2 units Vonage has lost due to the unlocking hack.
2006-01-09
Actually, I have discovered some tricks to re-unlock a PAP2 locked with firmware v3.1.7LSd/e a month ago. I don't have a firmware v3.1.8 to test, yet. I need some victims as guinea pigs to test my discoveries.
2005-12-06
New Linksys PAP2 Devices ship with Firmware 3.1.8(LS) which require admin password to TFTP upgrade. No work-around known. This also applies to firmwares of 3.1.7(LSe) or later.
2005-10-11
A simple method of upgrading is provided here: http://www.telephreak.org/PAP2/. This is similar to the FatWalletForums version but has less steps. This works on 2.0.11 firmware with a 'virgin' unit (never connected to the internet — supposedly it can work even after being connected, but requires additional resets). This has been around for a week or two at this point, but was not linked from here.
2005-09-27
For those who do not have Linux experience, you can find the 'patched' firmwares here: BBR though they disappear from time to time. Also step by step instructions and other links to binaries here at FatWalletForums.
2005-09-26
There is now a way to unlock PAP2 boxes with later firmware. Patching and applying an SPA2000 firmware update binary, tested with version 2.0.9 removes the admin password (they must have different configuration layouts?). Here is the patcher. Note that the LEDs won't work properly, and Line2 is unavailable. Another patcher (pap2spa) is available to convert PAP2 firmware upgrade binaries to SPA2k format. This allows reverting back to PAP2 firmware after the SPA firmware has been applied.
2005-09-11
there is currently no known way to unlock the recent Linksys PAP2 Vonage boxes. These have firmware version 2.0.10(LSc) and a rev 3 board which doesn't have the jumpers referred to in some unlocking guides. Various threads may have solutions by the time you read this as these boxes have recently been available quite cheaply ($20 after rebate).
2005-08-08
Firmware upgrades for the PAP2-NA can be found at (requires registration):
http://groups.yahoo.com/group/Linksys_Pap2
2005-07-22
PAP2-EU (PAP2-NA locked) is locked to the PhoneSystems.net service.
There is a password if you try to login on the admin web.
There is no jumper on this version (REV 3 board), so PAP2 trick won't work.
This is how I did a reset on my locked PAP2-EU:
As PAP2 is a Sipura clone, so we used the SPA2000 user guide...
Reset to Factory Settings : **** then 73738#1#1
And there you go, you can now access the web admin and you are no more locked to a specific network.
2005-07-06
Reportedly, PAP2 can be unlocked with a simple procedure:
This is how I did a reset on my PAP2:
I opened the box to find a two pin jumper for three pins available on
the board. I kept the device ON, (I used NONSTATIC gloves) pluged off
the jumper from the second and the third pins and connected it to the
first and second pins. Then I punched in "****" and "FACTRESET" and
then "1" on the telephone connected to the PAP2. It announced that it
did RESET successfully. I then switched of the PAP2 and reverted the
jumper back to its second and third pin position and closed the box. I
had the PAP2 unlocked!
--------
It should be noted that we (Telephreak) did not come up with this method. We are just trying to spread the good word. I apologize for the crappy web page :) If you have any questions, use your new PAP2 to call the Telephreak conference ( http://www.telephreak.org), or hit us up via IRC [server: irc.telephreak.org #telephreak]
[Note: We do _NOT_ host firmware files locally!]
-[From: http://www.broadbandreports.com/forum/remark,14450684~root=voip~mode=flat]-
A BIG Thanks to Matt for this one...
Follow these steps and your Linksys PAP2 will be unlocked. Provider settings do not get erased.
Several assumptions:
1. you can get to the WEB interface and set the USER password.
2. Ideally, the device has never downloaded updates, or talked to the provider.
3. You have a TFTP server setup on your network
For this example, Assumptions:
PAP2 is at IP: 192.168.1.5
TFTP server is : 192.168.1.110
OK, lets go for it:
1. Put the following two files in the TFTP root folder. [File one: PAP2SP2K.bin and SP2KPAP2.bin.]
2. Disconnect from the Internet (avoids downloading cfg files)
3. Boot your PAP2 in your network.
4. Browse to the web page of the PAP2.
5. In SYSTEM, set a User password of 1234
6. Click the SAVE SETTINGS button.
7. Refresh the link (you login with user and 1234)
8. Modify the link to show (in your web browser!): http://192.168.1.5/upgrade?tftp://192.168.1.110/PAP2SP2K.bin
9. Examine the status leds.. Power should turn RED when it is done. Give it a minute or two, dont interrupt it.
10. Once red, point browser at your PAP2. (our IP in this example is 192.168.1.5)
11. Click the "admin login" link near the top-right.
12. Click the PROVISIONING tab and set PROVISION ENABLE=NO.
13. Click SAVE SETTINGS.
14. Now, modify the link to show: http://192.168.1.5/upgrade?tftp://192.168.1.110/SP2KPAP2.bin
15. Done. Your Linksys PAP2 will eventually reboot (2 blue LEDs) (BE PATIENT) and you can click the "admin login" near the top-right. No PW needed.
This test uses specific firmwares.. These are not for any other use, so if you are looking for upgrade firmware for your PAP2, DO NOT assume that this will be them.. These are for unlocking your PAP2 unit.
Oh yeah. I was able to unlock two without any troubles.. your mileage may vary.
Again, Thanks Matt for all the work you put into making this possible.
-[End of post]---
* - I've read that if you factory reset the unit, it'll go back to its old Vonage ways.
jueves, 17 de septiembre de 2009
SHARP 1631 error H4
PROBLEMA
hola colegas tengo un problema con una fotocopiadora sharp A-1631 estube leyendo este problema pero era de una sharp 1641 que presentaba el mismo problema pero creo que esta que tongo es diferente y me marca el mismo error H4 un cologa escrivio que el la charp 1641 debia eliminar el codigo presionando c-a-c-a pero la 1631 no tiene el boton A ni el boton asterisco que debo de hacer para borrar este herror ya que ete modelo es un poco diferente al de la sharp 1641
AYUDA
se entra a servicio con cancelar-exposicion automatica cancelar -exposicion automatica ( exposicion es la dichosa A ) debes notar que el panel se apaga y despues pones 14 e impresion y listo...suerte...saludos atte: carlos robles
mira es correcto lo que te menciona el colega en su mensaje, y te comento que la sharp al 1631 y la al 1642 manejan los mimos codigos de error y por lo tanto son las mismas simulaciones, para entrar a servicio presiona c auto c auto, el display se apaga en tonces ingresa 14 y luego la tecla print, la maquina se reseetea y listo. pero te sugiero que antes de resetear limpies los termistores ya que generalmente pasa que s acumula toner por esos muchas veces presenta esta falla, bueno suerte y cualquier cosa estoy a tu servicio ya que conosco bien esos modelos. mi e mail es solito_fsp(arroba)hotmail.com suerte bay.....
hola colegas tengo un problema con una fotocopiadora sharp A-1631 estube leyendo este problema pero era de una sharp 1641 que presentaba el mismo problema pero creo que esta que tongo es diferente y me marca el mismo error H4 un cologa escrivio que el la charp 1641 debia eliminar el codigo presionando c-a-c-a pero la 1631 no tiene el boton A ni el boton asterisco que debo de hacer para borrar este herror ya que ete modelo es un poco diferente al de la sharp 1641
AYUDA
se entra a servicio con cancelar-exposicion automatica cancelar -exposicion automatica ( exposicion es la dichosa A ) debes notar que el panel se apaga y despues pones 14 e impresion y listo...suerte...saludos atte: carlos robles
mira es correcto lo que te menciona el colega en su mensaje, y te comento que la sharp al 1631 y la al 1642 manejan los mimos codigos de error y por lo tanto son las mismas simulaciones, para entrar a servicio presiona c auto c auto, el display se apaga en tonces ingresa 14 y luego la tecla print, la maquina se reseetea y listo. pero te sugiero que antes de resetear limpies los termistores ya que generalmente pasa que s acumula toner por esos muchas veces presenta esta falla, bueno suerte y cualquier cosa estoy a tu servicio ya que conosco bien esos modelos. mi e mail es solito_fsp(arroba)hotmail.com suerte bay.....
sharp al 1631, copias salen con una franja negra
PROBLEMA
hola cambie tambor de la sharp 1631, haceya tiempo y hoy cambie cuchilla , pero las copias salen con una franja negra que puedo hacer por que asi no me sirben , gracias.....
AYUDA
hola fijate si la franja negra esta en el tambor,si no entonces te pregunto cuando cambiaste la cuchilla,antes de instalarla la lubricaste con un poco de toner nuevo,ya que si no lo hiciste posiblemente la cuchilla se despego o de viro sobre el cilindro,revisa eso, puedes tambien hacer una copia y detener el proceso cuando calcules que esta en medio de la maquina y verificas si la franja esta en el cilindro o sale cuando pasa por fusor.
hola cambie tambor de la sharp 1631, haceya tiempo y hoy cambie cuchilla , pero las copias salen con una franja negra que puedo hacer por que asi no me sirben , gracias.....
AYUDA
hola fijate si la franja negra esta en el tambor,si no entonces te pregunto cuando cambiaste la cuchilla,antes de instalarla la lubricaste con un poco de toner nuevo,ya que si no lo hiciste posiblemente la cuchilla se despego o de viro sobre el cilindro,revisa eso, puedes tambien hacer una copia y detener el proceso cuando calcules que esta en medio de la maquina y verificas si la franja esta en el cilindro o sale cuando pasa por fusor.
SHARP AL1631 codigo L1
PROBLEMA
tengo una copiadora sharp la limpie como simpre los espejos el laser, los conectores pero me marca el codigo L1 cual podria ser la causa de dicho problema. de antemalno les agradesco
AYUDA
mira tu problema de L1 es del scaner donde se ubican las lamparas de expocision talves por ahi se te movio algo, o tu scaner se te atoro por eso la makina no hace su reconocimiento de exploracion, o en el peor de los casos se te dañaron las lamparas o alguna pieza del scaner. chekalo y me avisas cualquier cosa acerka de sharp te puedo ayudar suerte
tengo una copiadora sharp la limpie como simpre los espejos el laser, los conectores pero me marca el codigo L1 cual podria ser la causa de dicho problema. de antemalno les agradesco
AYUDA
mira tu problema de L1 es del scaner donde se ubican las lamparas de expocision talves por ahi se te movio algo, o tu scaner se te atoro por eso la makina no hace su reconocimiento de exploracion, o en el peor de los casos se te dañaron las lamparas o alguna pieza del scaner. chekalo y me avisas cualquier cosa acerka de sharp te puedo ayudar suerte
Diagnóstico simple en fotocopiadoras
as copiadoras presentan distintos tipos de problemas , pero el mas comun de todos es por calidad de copia siendo seguido el problema por codigos de servicio o codigos d errores.
En el dia de hoy presentaré como realizar un diagnóstico simple y sencillo que le ayudará a minimizar la busqueda .
Esto sirve tanto para usuarios como para técnicos.
Copias claras
1. Revisar que tenga toner o que este colocado correctamente
2. Revisar que el papel no tenga humedad
A. Forma sencilla de saberlo es sacando una copia por la otra cara
del papel luego de la primera vez que salió clara. Si sale igual de
clara ,descartas lo del papel humedo. Si sale bien entonces se acabo la
busqueda ,reemplaza el papel.
3. Revisar que los hilos de corona esten limpios y/o bloques ( técnico )
4. El revelador puede que haya expirado ya.
El tiempo de vida util del revelador dependerá de :
A. Modelo y marca (cada fotocopiadora tiene su propia caracteristicas o
condición a considerar).
B. Tipo de toner que es usado (original , genérico bueno y/o genérico
no tan bueno)
5. Copias Claras en copiadoras digitales
A. Contrario a las análogas , cuando los espejos estan sucios (ppalmente el cristal del laser) ,la copia sale clara.
6.Copias Claras:
Se ha derramado el Revelador: causa copias pálidas con manchas blancas de formas aleatorias. Revisar la caja de Revelado y ver el porque se derrama: V rings o retenes y bocinas gastados, ejes agitadores o rodillo magnético gastados en sus extremos, causan se caiga el revelador, sellos laterales rotos o gastados(técnico).
Copias oscuras
1. Revisar condición de la lampara de exposición ,anillas negras o
amarillas oscuras afectan la calidad de copia causando que oscurezca
las copias.
2. Espejos sucios causan copias oscuras. Los modelos análogos cuentan
con espejos que solo se ven cuando se saca el cilndro u otras
unidades internas.
3.Caja de revelado sobrecargada de toner: verificar la vida útil del revelador y cambiarlo si es necesario, verificar si el usuario no ha echado toner reciclado o toner de otra marca o modelo diferentes del equipo en cuestión, esto contamina el revelador, verificar el nivel automático de calibración de Toner si está dentro de los limites normales(técnico).
Revisar el rodillo esponjoso de suministro de toner, si esta podrido o roto se sobrecarga de toner la caja de revelado en forma acumulativa(técnico).
Verificar y alinear los slips reflectores en la lámpara de copia.
Verificar la vida útil del Cilindro y Cuchilla.
Copias sucias o con manchas
1. Es el mas comun de los problemas y la mayoria de las veces es por la
cuchilla de limpieza ( pieza que va en la unidad de limpieza que sirve
para limpiar los residuos de toner del cilindro. Estas cuchillas tambien
se encuentran en unidad de transferencia o polea de transferencia de
equipos análogos y digitales y causan copias sucias. La forma mas facil
de saber si la cuchilla de limpieza necesita reemplazo es cuando la
misma se ve algo curveada ( la goma)y/o amarillosa.
2. Rolo de fusión o rolo de calor por lo general se deteriora y se marca el
mismo por unas uñas separadoras que lo van marcando o por que
simplemente expiró el tiempo de reemplazo. Esto pudiera causar
problemas de calidad de copias tambien.
3.Espejos totalmente sucios: espejos ópticos totalmente llenos de tierra o toner causan copias muy sucias.
Verificar que el cliente no haya usado toner residual o toner genérico de dudosa calidad.
Revisar el blade o sello de jebe en la caja de revelado: sello totalmente amarillento o podrido causa que el toner “vuele” hacia la unidad de Cilindro y otras partes cercanas, ensuciándola de toner(técnico).
Revisar el sello o blade que esta debajo del Cilindro: si esta muy amarillento, doblado o roto se derrama el toner en el interior de la maquina, ensuciando con puntos de toner que se esparcen en las copias resultantes, ensuciando de toner los papeles por ambas caras además(técnico).
Copias blancas
1. Por lo general es porque la corona de transferencia esta mal insertada
roto o problemas con los bloques.
2.
Revisar también la corona principal o de Cilindro, mal contacto o con fuga da copias blancas al no “cargar” al Cilindro para iniciar el proceso de copia(técnico).
Revisar la caja de Revelado que no esté vacía: si no hay revelador da copias blancas.
Revisar si esta colocado el original sobre el vidrio de exposición, parece algo muy tonto pero a algunos clientes les ha sucedido y llaman al técnico a veces por ese motivo.
Papel totalmente húmedo, estas llamadas suelen hacerlas algunos clientes en especial los días Lunes y es porque dejaron el papel de copia todo el fin de semana en las bandejas o casseteras de las maquinas.
Adiestrar a los clientes para que retiren los papeles de las bandejas al final de su jornada, lo envuelvan en una bolsa plástica, lo guarden en su empaque original en un armario o escritorio. Este consejo toma mayor importancia en ciudades donde el clima es muy húmedo.
Estos son datos sencillos para descartar areas en la fotocopiadora pero las mismas condiciones pudieran ser tambien otros factores no mencionado aqui que requiera un diagnóstico mas profundo.
Luis
P.R. Very Happy
y la colaboración de técnicos colegas Carlos Marenco de Venezuela y Ricardosharp de Perú.
En el dia de hoy presentaré como realizar un diagnóstico simple y sencillo que le ayudará a minimizar la busqueda .
Esto sirve tanto para usuarios como para técnicos.
Copias claras
1. Revisar que tenga toner o que este colocado correctamente
2. Revisar que el papel no tenga humedad
A. Forma sencilla de saberlo es sacando una copia por la otra cara
del papel luego de la primera vez que salió clara. Si sale igual de
clara ,descartas lo del papel humedo. Si sale bien entonces se acabo la
busqueda ,reemplaza el papel.
3. Revisar que los hilos de corona esten limpios y/o bloques ( técnico )
4. El revelador puede que haya expirado ya.
El tiempo de vida util del revelador dependerá de :
A. Modelo y marca (cada fotocopiadora tiene su propia caracteristicas o
condición a considerar).
B. Tipo de toner que es usado (original , genérico bueno y/o genérico
no tan bueno)
5. Copias Claras en copiadoras digitales
A. Contrario a las análogas , cuando los espejos estan sucios (ppalmente el cristal del laser) ,la copia sale clara.
6.Copias Claras:
Se ha derramado el Revelador: causa copias pálidas con manchas blancas de formas aleatorias. Revisar la caja de Revelado y ver el porque se derrama: V rings o retenes y bocinas gastados, ejes agitadores o rodillo magnético gastados en sus extremos, causan se caiga el revelador, sellos laterales rotos o gastados(técnico).
Copias oscuras
1. Revisar condición de la lampara de exposición ,anillas negras o
amarillas oscuras afectan la calidad de copia causando que oscurezca
las copias.
2. Espejos sucios causan copias oscuras. Los modelos análogos cuentan
con espejos que solo se ven cuando se saca el cilndro u otras
unidades internas.
3.Caja de revelado sobrecargada de toner: verificar la vida útil del revelador y cambiarlo si es necesario, verificar si el usuario no ha echado toner reciclado o toner de otra marca o modelo diferentes del equipo en cuestión, esto contamina el revelador, verificar el nivel automático de calibración de Toner si está dentro de los limites normales(técnico).
Revisar el rodillo esponjoso de suministro de toner, si esta podrido o roto se sobrecarga de toner la caja de revelado en forma acumulativa(técnico).
Verificar y alinear los slips reflectores en la lámpara de copia.
Verificar la vida útil del Cilindro y Cuchilla.
Copias sucias o con manchas
1. Es el mas comun de los problemas y la mayoria de las veces es por la
cuchilla de limpieza ( pieza que va en la unidad de limpieza que sirve
para limpiar los residuos de toner del cilindro. Estas cuchillas tambien
se encuentran en unidad de transferencia o polea de transferencia de
equipos análogos y digitales y causan copias sucias. La forma mas facil
de saber si la cuchilla de limpieza necesita reemplazo es cuando la
misma se ve algo curveada ( la goma)y/o amarillosa.
2. Rolo de fusión o rolo de calor por lo general se deteriora y se marca el
mismo por unas uñas separadoras que lo van marcando o por que
simplemente expiró el tiempo de reemplazo. Esto pudiera causar
problemas de calidad de copias tambien.
3.Espejos totalmente sucios: espejos ópticos totalmente llenos de tierra o toner causan copias muy sucias.
Verificar que el cliente no haya usado toner residual o toner genérico de dudosa calidad.
Revisar el blade o sello de jebe en la caja de revelado: sello totalmente amarillento o podrido causa que el toner “vuele” hacia la unidad de Cilindro y otras partes cercanas, ensuciándola de toner(técnico).
Revisar el sello o blade que esta debajo del Cilindro: si esta muy amarillento, doblado o roto se derrama el toner en el interior de la maquina, ensuciando con puntos de toner que se esparcen en las copias resultantes, ensuciando de toner los papeles por ambas caras además(técnico).
Copias blancas
1. Por lo general es porque la corona de transferencia esta mal insertada
roto o problemas con los bloques.
2.
Revisar también la corona principal o de Cilindro, mal contacto o con fuga da copias blancas al no “cargar” al Cilindro para iniciar el proceso de copia(técnico).
Revisar la caja de Revelado que no esté vacía: si no hay revelador da copias blancas.
Revisar si esta colocado el original sobre el vidrio de exposición, parece algo muy tonto pero a algunos clientes les ha sucedido y llaman al técnico a veces por ese motivo.
Papel totalmente húmedo, estas llamadas suelen hacerlas algunos clientes en especial los días Lunes y es porque dejaron el papel de copia todo el fin de semana en las bandejas o casseteras de las maquinas.
Adiestrar a los clientes para que retiren los papeles de las bandejas al final de su jornada, lo envuelvan en una bolsa plástica, lo guarden en su empaque original en un armario o escritorio. Este consejo toma mayor importancia en ciudades donde el clima es muy húmedo.
Estos son datos sencillos para descartar areas en la fotocopiadora pero las mismas condiciones pudieran ser tambien otros factores no mencionado aqui que requiera un diagnóstico mas profundo.
Luis
P.R. Very Happy
y la colaboración de técnicos colegas Carlos Marenco de Venezuela y Ricardosharp de Perú.
domingo, 6 de septiembre de 2009
Ocultar o eliminar barra de blogger (navbar)
Hoy también les publico un comentario que explica como ocultar o eliminar totalmente la bara que blogger. Básicamente hay dos alternativas, la primera es mucho más recomendable, ya que no sé hasta que punto es justo y legal eliminar una barra que blogger pone para un servicio gratuito. En mi caso por ejemplo no tengo ningún problema en mostrarla siempre y no creo que sea inconveniente alguno.
Sin embargo, a continuación les mostraré cual es la manera para eliminar totalmente la barra de blogger, o para ocultarla cuando el usuario no pase por encima el ratón.
Para eliminar totalmente la barra de blogger hemos de hacer lo siguiente:
1. Iremos a nuestro blogger y seleccionaremos la pestaña diseño.
2. Dentro de la pestaña Diseño seleccionaremos la opción “Edición de HTML”.
3. Posteriormente buscamos la etiqueta
4. Copiamos el siguiente código:
Para ocultar simplemente la barra de blogger, y que al pasar el ratón por la zona donde está se active y aparezca el procedimiento es el siguiente (muy similar al anterior).
1. Seguimos los dos primeros puntos del proceso anterior.
2. Buscamos el fragmento de código
3. Insertamos el siguiente fragmento de código justamente encima:
Sin embargo, a continuación les mostraré cual es la manera para eliminar totalmente la barra de blogger, o para ocultarla cuando el usuario no pase por encima el ratón.
Para eliminar totalmente la barra de blogger hemos de hacer lo siguiente:
1. Iremos a nuestro blogger y seleccionaremos la pestaña diseño.
2. Dentro de la pestaña Diseño seleccionaremos la opción “Edición de HTML”.
3. Posteriormente buscamos la etiqueta
.4. Copiamos el siguiente código:
Para ocultar simplemente la barra de blogger, y que al pasar el ratón por la zona donde está se active y aparezca el procedimiento es el siguiente (muy similar al anterior).
1. Seguimos los dos primeros puntos del proceso anterior.
2. Buscamos el fragmento de código
body{
.3. Insertamos el siguiente fragmento de código justamente encima:
#navbar-iframe {
opacity:0.0;
filter:alpha(Opacity=0)
}
#navbar-iframe:hover {
opacity:1.0;
filter:alpha(Opacity=100,FinishedOpacity=100)
}
Entradas relacionadas
- No hay entradas relacionadas.
escritor por admin
Suscribirse a:
Entradas (Atom)