FIRST TIME READERS: It's suggested you start with the 2006-11-14 post below, then read up (newer posts), then if you have the interest read the older posts (nearer the bottom).
Methods for unlocking the Linksys PAP2
The following is a list of updates tracking the progress of unlocking the Linksys PAP2:
2010-2-7 WARNING!!! Do not buy PAP2 v1 boxes at this time, since there is too much of a risk you will get a v3.1.7 box or higher. These boxes CANNOT be unlocked unless you sign up for Vonage service to get the provisioning XML. Vonage has stopped sending provisioning XMLs for devices that are not active. They do have a 30-day money-back guarantee though, but I'm not sure how often you can use that...
2009-1-24 Should you still be able to find one of these PAP2 in its original packaging (strangely, they do turn up now and then, but remember you want an UNOPENED one in a box with an ORANGE band, not the SILVER one) here are a few additional hints (especially for those of us who haven't done this in a while and may have forgotten what we did).
1) Make sure that at NO time until the unlock is completed do you ever connect the PAP2 to the Internet, or to a computer, switch, or router that is connected to the Internet. The PAP2 and the computer you are using to configure it MUST remain as a network unto themselves, with NO way to gain access to the net. MAKE SURE YOU TOTALLY DISABLE ANY WIRELESS NETWORKING CAPABILITY IN THE COMPUTER!!!
2) Do NOT succumb to the temptation to set the adapter to a static IP address. Set up Internet Connection Sharing on the computer (of course you are NOT really sharing the Internet) or do whatever you have to do to get the computer to act as a DHCP server and feed the adapter its IP address and (most important) DNS server information. If you don't do this, you may find yourself in a situation from which it is very difficult to recover.
3) Do NOT get the binary files confused and download the PAP2 binary first. You MUST download the Sipura binary first.
4) If you did not see my above warning (for #2 and/or #3) until it was too late, all may not be lost as long as the adapter did not see the Internet. The very first thing to do is try to reset the device again by using **** and then 73738# as per the original instructions - if you can do this it will (hopefully) dump the firmware you loaded by mistake and bring in the original firmware from ROM, letting you start over from scratch (well, almost). But a problem arises - when you pick up the phone, you hear a short ring followed by a ghastly sounding busy signal, and hitting **** does nothing! Just have patience - you just have to wait a few seconds (after the trashy busy signal starts) and then the **** may work! By the way, if you are prompted for a password, try any of these: 78196365#, 50274537#, 7756112#, 8995523#, 5465866# (and if one works, then hit 1 to confirm).
5) If you tried to use a static IP address and then got into the situation in #4, you may have to do the procedure in the 2006-12-19 post below. But it may be harder because, since the device isn't trying to pull addresses from a DHCP server, it may actually be looking for two (or more) different IP addresses - one is the DNS server itself, and the other is one or more of the addresses you entered manually. You can use Wireshark to see what it's trying to access. You will have to make your computer pretend to be the DNS server it wants to see as described in the 2006-12-19 post below, but you may have to actually create a mini-network consisting of the PAP2 and TWO other computers, one acting as the DNS server and the other being the other address it's trying to get to (note that it IS possible to make one NIC respond to multiple IP addresses, by using advanced TCP/IP options, but this can cause other complications, particularly since Windows assumes you don't know what you're doing and will sometimes block you from doing the very thing you really need to do!). Now, if you happen to have two NIC cards in your computer, then you should set one to be the DNS server, set the other to be the other address(es) that the device is looking for, and set up your Internet Connection Sharing or DHCP server on that last one. It's probably easier with two computers and a small switch or hub, but remember that under NO circumstances can ANY of the devices be allowed to connect to the Internet while you are trying to recover!!!!!
6) If #5 sounds like a royal pain in the neck (or perhaps a lower part of the anatomy), believe me when I say it IS! Unless, of course, you are a networking guru, in which case you probably wouldn't make these types of dumb mistakes in the first place. I strongly suggest you heed the warnings in #2 and #3, and I only post this to let you know that if you DID make such a mistake, the unit may still be recoverable if you stop and think about what you are doing and IF YOU DO NOT AT ANY POINT CONNECT THE DEVICE TO THE INTERNET, OR TO A COMPUTER THAT IS CONNECTED TO THE INTERNET until it is FULLY unlocked. But whether it is worth the extra time it will take you to figure out what works is another matter altogether!
2009-1-6 Don't buy a locked PAP2; the latest firmware is very hard to unlock. Got one unlocked from Mutualphone for $45.
2008-04-16 I can confirm the odd packet size mentioned in the 2007-05-03 entry below. I got my PAP2 off eBay. It was listed as unlocked, but it turned out to be locked. It came with firmware 3.1.9 LSc. For me it lists the total packet size as 27990, but only grabbing 100 bytes on the wire. I'm not uber enough to find the TCP window size on linux, so I am unable to continue my unlock attempt.
2007-07-03 Hello All, I did the short jumper on the PAP2v1 (like the figure below). This only does a reset, like the reset by the IVR (**** 73738# 1 to confirm); it doesn't work. I will keep trying.
2007-06-21 For whatever it's worth, rumor has it that the PAP2v1 units run a little-known operating system that comes from Green Hills Software.
After hours of trying to upload the Sipura firmware to my PAP2 with 3.1.9Lsc, I took a closer look at the packets with Ethereal. One of the response packets from my HTTP server was basically that the packet was fragmented or too big (I don't remember the actual message, but that was what it meant when I looked it up). The way I finally got around this and forced it to eat the Sipura firmware was by using DrTCP (normally used to change the MTU) to change the window size of the TCP packets to 20000 on the Ethernet adapter the HTTP server was listening on. After this, the download of the .bin worked. I presume they made the HTTP request with a huge TCP packet size to attempt to prevent "unauthorized" upload of firmware. I'd like to know if anyone else has gotten it to work this way.
The PAP2v1 units I have are all based on the v0.03.4 board where the SW1 block has four jumper PINs (exactly as shown on the snapshot below). I took a working PAP2v1 unit configured with FWD accounts and shorted out the outer two PINs (red circles) and my PAP2v1 seemed to perform a factory reset (the power LED activity indicated so). However, upon returning from this factory reset, all the configured parameters were still there and Line 1/2 were still registered to FWD as if the unit had never been factory reset. To this date, my PAP2v1 unit that underwent this jumper shorting is still operating normally as before. This is all I can say about shorting the two outer PINs on the SW1 block. So, if you want to do this, do it at your own discretion; I take no responsibility for any mishaps.
2007-02-23 There is a graphic that I saw that purports to show the location of reset jumper pads on the majority of newer PAP-2 version 1 boards, which apparently do not have the jumper pins and shorting block that older boards have. In the photo below, there are red circles around the purported jumper pads (to the right of the phone line jacks). I do not know precisely how these are used (I've never had to use that method), but I would suppose either you short the pads while powering the unit up, or perhaps while doing a factory reset (of course you would only do that while the adapter is not connected to the Internet). I do not recommend that anyone experiment with this because if the information I received is wrong, you could damage your adapter. But if it's a choice between using a unit as a paperweight and trying the jumpers, I suppose I'd try them at least. If anyone can provide more information on unlocking a PAP-2 by using the jumper pads, please post it.
2007-01-17 Addendum to 2006-11-14 notes: If you're lucky enough to be running a wireless router — such as the Linksys WRT-54G — and it uses the DD-WRT open-source firmware, the simplest way to do this is in the "Administration / Services" menu. Enable DNSMasq, Enable Local DNS, and enter something similar to "address=/vonage.net/10.10.50.224" into the Additional DNS Options box. Any machines that use the router's DNS server to resolve IPs will then report the IP 10.10.50.224 for the entire vonage.net domain, so put in your tftp's IP address instead.
With the wireless router's WAN port disconnected and the PAP2 behind its firewall, it will try (and fail) to reach Vonage's hard-coded DNS IP addresses, then fall back to using the router's DNS, which we've redirected to our TFTP server.
2006-12-23 Addendum to the 2006-12-19 item - you may not even need to install a DNS server at all - I read something that said that all you have to do is load the C:\Windows\System32\Drivers\etc\hosts file into any plain text editor (such as Notepad) and add the following to the end of the file:
(You will probably need to substitute the actual IP address of the computer you are using for the unlock process in place of 192.168.0.1, and if you change the computer's IP address to pretend to be the DNS server that the device wants to see, don't forget to change the address in these two lines as well). This has not been tested, but looks like it should work - if it doesn't then you can always try using a standalone DNS server as described below.
2006-12-19 When following the instructions in the next section (dated 2006-11-14), be aware that things don't always go as smoothly as you might expect - we tried this with a PAP-2 that also came with firmware 3.1.9(LSc) out-of-the-box. After it went out to the "special" webserver to get the ersatz PAP2-bin-03-01-09-LSc.bin, we found that the unit's internal web server had been disabled AND the unit demanded a password to turn it back on. It also wanted a password to do a complete factory reset. We had no idea what password it was looking for (it was NOT one of the several common user passwords), so all we knew was that we had a unit that obviously had the SPA-2000 firmware loaded, but we could not access the web browser, nor factory reset the unit, nor basically do anything except listen to the responses in the * * * * menu. It also appeared that it was not attempting to load any additional files.
We had read that you could change the user and admin passwords to known values by feeding it an XML file that looks like this:
The above is a plain text file that should be saved using the filename 666666666666.xml (where the 6's are the MAC of your PAP-2) - basically it replaces the XML file you obtained from Vonage in an earlier step, and should be placed in the TFTP server root directory and any other directory where you had to place the original XML file (be sure you delete/overwrite any copies of the original XML file that you downloaded earlier). Note that ONLY the Sipura firmware mentioned below will take a plain text XML file, so you have to have at least been successful in getting the unit to take that firmware for the plain-text XML file to work. N.B. Make sure that if you save this file using a text editor, you save it in ANSI format, not UNICODE - the resulting file should be approximately 363 bytes in length.
The problem was that the PAP-2 wouldn't come and get the file. After much head scratching we finally realized that the PAP-2 was now looking for a DNS server at a specific new address (which the packet sniffer never revealed, but which we finally discovered by going to the * * * * menu and entering 160#) and therefore we had to change the IP address of the computer to match, then go into the "special" DNS server to tell it to repoint the other addresses to the new IP address. And then, after much more head scratching we figured out that there was a checkbox in the DNS server options that had to be checked or it wouldn't work at the new address (even though it worked fine without the box checked when the computer was set to an address in the 192.168.0.x range) - go figure.
Oh, and we had to restart the TFTP server so it would pick up the new address, and disable our firewall software, and maybe a couple more things I've forgotten.
For any Windows users attempting to do this, the software used was the Solar Winds TFTP server, Ethereal (now Wireshark) as the packet sniffer, AnalogX SimpleServer:WWW as the web server (I wish this one had at least some output to let you know that the files have been downloaded, but you can't get much simpler to set up, just don't forget to click the button to start the server!) and Simple DNS Plus as the DNS server (the latter has a 14 day trial period, we would have preferred something open source but since we were only using it once, we didn't feel the need to search all over for something else, and it WAS pretty simple to use except for the aforementioned checkbox that caused us some grief).
2006-11-14 Bought an off-the-shelf Vonage-locked PAP-2 with the intent of unlocking it. Came with firmware 3.1.9(LSc) out of the box. The instructions for unlocking found on the FWD forum listed below did not work exactly as documented but provided a basis for what worked for me. There are so many tidbits of information in various forums, all for various versions of the PAP-2, that it's challenging to determine exactly what to try.
Unlocking: It's not some voodoo; the goal is to replace the firmware on the PAP-2 device with the Sipura firmware that allows full administrative view so that you may ogle the settings. Now, I suppose you could just leave the Sipura firmware, but I replaced mine with another Linksys version.
You need to sandbox your PAP-2; it CANNOT (well, I assume this... this experiment was out of the box, clean, no Vonage call-home) see the 'net just yet. Once I was ready, I just shut down my WAN card on my Linux box.... You'll need to be careful as you don't want Vonage to provision the PAP-2.
You'll also need a DNS server, add a vonage.net zone so we can spoof out their servers.
$ORIGIN .
$TTL 3600       ; 1 hour
vonage.net      IN SOA  XXXX.ca. XXXX.XXXX.com. (
                                75         ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                172800     ; minimum (1 hour)
                                )
                        NS      ns1.XXXX.ca.
                        A       10.10.50.224
                        MX      10 mail.XXXXX.ca.
$ORIGIN vonage.net.
httpconfig              A       10.10.50.224
ls.tftp                 A       10.10.50.224
time                    A       10.10.50.224
ccivr                   A       10.10.50.224
- Setup a TFTP server on a host, and adjust the ls.tftp record to point to it.
- Setup an HTTP server on a host, and adjust the httpconfig record to point to it.
- Get firmwares from http://www.bargainshare.com/index.php?showtopic=69607 ...
-- Sipura Firmware
-- Linksys 3.1.6
Pull down your Vonage config file from their HTTP provisioning server http://httpconfig.vonage.net/spa666666666666.xml (where the 6's are the MAC of your PAP-2) (do this BEFORE you spoof the DNS!!). Copy this file to the root of the TFTP server.
Create a directory +666666666666 on the spoofed httpconfig.vonage.net server (add a PLUS (+) to the MAC address). In my case, this is where the device downloaded a new firmware.
We now need to reset the PAP-2 so we can specify our fake nameserver.
Plug a phone into line 1 of the PAP. Plug in the power but not the ethernet.
- Dial **** for the IVR
- Dial 73738# (R E S E T #)
Ok, shut down your internet... I just take down eth0 and flush my iptables.
Plug the PAP into your network and let it get an IP. Access the web interface on the PAP-2: the DNS fields should now be enabled, allowing you to specify your "special" DNS server. I power cycled it and fired up tcpdump to see what was going on. The PAP device calls out to a number of hard-coded Vonage IPs, then begins to query DNS for the records listed in the zone file above.
The TFTP is the first to be hit:
11/11/2006 19:47 :Sent spa666666666666.xml to (10.10.50.209), 29456 bytes
Then it looks for a "special" directory:
11/11/2006 19:47 :TFTP Error from 10.10.50.209 requesting KzBDrz5zLz\spa666666666666.xml : File does not exist
So, you want, you get (created the KzBDrz5zLz directory and copied the file), your directory name will be different; consult the tftp logs:
11/11/2006 19:50 :Sending KzBDrz5zLz\spa666666666666.xml to (10.10.50.209)
Sometime after this, the following occurs on the "special" webserver for httpconfig.vonage.net (yes, I have some clock drift on my play server)
01:01:29 10.10.50.224 GET /+666666666666/PAP2-bin-03-01-09-LSc.bin 404
01:02:49 10.10.50.224 GET /+666666666666/PAP2-bin-03-01-09-LSc.bin 200
This is the important part: I simply renamed the Sipura firmware to PAP2-bin-03-01-09-LSc.bin and hoped... and it totally ate the firmware and rebooted.
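As an added example (not code from the original page or from any of its posters), a small Python helper that reads the TFTP and web-server log excerpts above and lists which directory and filename the adapter is asking for, and which requests are still unanswered; it also flags requests that carry a MAC other than the one you expect, which would mean a second device is on the lab network. The log formats and the placeholder MAC 666666666666 come from the excerpts; the function names and the constructed second-device lines in the usage are assumptions.

```python
import re

# Constructed sample input, copied from the TFTP and web-server log excerpts above
# (SolarWinds TFTP server and AnalogX SimpleServer:WWW formats; 666666666666 is the page's placeholder MAC).
TFTP_LOG = """\
11/11/2006 19:47 :Sent spa666666666666.xml to (10.10.50.209), 29456 bytes
11/11/2006 19:47 :TFTP Error from 10.10.50.209 requesting KzBDrz5zLz\\spa666666666666.xml : File does not exist
11/11/2006 19:50 :Sending KzBDrz5zLz\\spa666666666666.xml to (10.10.50.209)
"""

HTTP_LOG = """\
01:01:29 10.10.50.224 GET /+666666666666/PAP2-bin-03-01-09-LSc.bin 404
01:02:49 10.10.50.224 GET /+666666666666/PAP2-bin-03-01-09-LSc.bin 200
"""

# The "File does not exist" line is the one that reveals the random directory name the adapter wants.
TFTP_MISSING = re.compile(r"requesting (?P<path>\S+) : File does not exist")
TFTP_SERVED = re.compile(r":(?:Sent|Sending) (?P<path>\S+) to \((?P<client>[\d.]+)\)")
HTTP_LINE = re.compile(r"^\S+ (?P<client>\S+) GET (?P<path>\S+) (?P<status>\d{3})$")
# Both the XML name (spa<MAC>.xml) and the firmware directory (+<MAC>) embed the adapter's MAC.
MAC_IN_PATH = re.compile(r"(?:spa|\+)(?P<mac>[0-9a-fA-F]{12})")


def _split(path):
    """Normalise the Windows-style 'dir\\file' paths in the TFTP log to (directory, filename)."""
    directory, _, filename = path.replace("\\", "/").rpartition("/")
    return directory, filename


def tftp_missing(log):
    """(directory, filename) pairs the adapter asked for over TFTP that the server did not have."""
    missing = set()
    for line in log.splitlines():
        m = TFTP_MISSING.search(line)
        if m:
            missing.add(_split(m.group("path")))
    return missing


def tftp_served(log):
    """(directory, filename) pairs the TFTP server actually sent."""
    served = set()
    for line in log.splitlines():
        m = TFTP_SERVED.search(line)
        if m:
            served.add(_split(m.group("path")))
    return served


def http_final_status(log):
    """Last HTTP status per requested path; the 404 should turn into a 200 once the image is in place."""
    final = {}
    for line in log.splitlines():
        m = HTTP_LINE.match(line.strip())
        if m:
            final[m.group("path")] = int(m.group("status"))
    return final


def macs_seen(*logs):
    """Every MAC referenced in the requested paths, lower-cased."""
    return {m.group("mac").lower() for log in logs for m in MAC_IN_PATH.finditer(log)}


def plan(tftp_log, http_log, expected_mac):
    """Turn the two logs into the concrete actions the procedure above calls for."""
    actions = []
    served = tftp_served(tftp_log)
    for directory, filename in sorted(tftp_missing(tftp_log)):
        if (directory, filename) in served:
            actions.append(f"TFTP '{directory}\\{filename}' was requested and later served")
        else:
            actions.append(f"create TFTP directory '{directory}' and copy '{filename}' into it")
    for path, status in sorted(http_final_status(http_log).items()):
        directory, filename = _split(path)
        if status == 404:
            actions.append(f"place firmware image named '{filename}' under HTTP directory '{directory}'")
        else:
            actions.append(f"'{path}' already served (HTTP {status})")
    others = macs_seen(tftp_log, http_log) - {expected_mac.lower()}
    if others:
        actions.append(f"WARNING: requests reference other MACs {sorted(others)}; "
                       "check for a second device on the lab network")
    return actions


if __name__ == "__main__":
    for action in plan(TFTP_LOG, HTTP_LOG, "666666666666"):
        print(action)
```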
The Sipura web interface came right up; from there it's a matter of disabling all the provisioning stuff and following the normal firmware upgrade procedures to get 3.1.6(Ls) (working great here) installed. When you reload the Linksys firmware, you may have to re-do the reset procedure and be confronted with a password through the IVR (see http://www.bargainshare.com/index.php?showtopic=69607&st=90&p=687285&#entry687285), or I suppose you could get the GPP_K and use VuckFonage to get the admin password.
I have a PAP2-NA, Firmware Version: 3.1.9(LSc). The unit was locked by the provider but they gave me the password to make changes due to the problem I am having. I was able to get a dump of the provisioning info from the provider by executing the link under the provisioning profile rule. I just added my MAC address to the string and used IE to get the provisioning info. The admin password is in plain text and I was able to easily locate it in the dump (since I knew what the password was). The trick is to isolate the password in the dump because the position varies depending on the information going to the unit. Map the dump and you should be able to determine the password. BTW, can't get my problem fixed, go figure.
I have only had to deal with a 2.0.9 and a 2.0.12 so far. But the .12 was admin-locked. This forced me to work out how to 'provision' the admin password from others' notes. For those of you with a 3.1.9 and the wherewithal to do the packet sniffing, put up a spoofed DNS and TFTP server (if TFTP is used for 3.1.9); it would be interesting to see if this gets you past the admin blockade.
Notes on provisioning PAP2s in general are at http://www.freeworlddialup.com/community/forum/viewtopic.php?t=3748&sid=b1fc477dab538155656d7cee5cb96880
2006-02-04 The default admin password seems to be based on the GPP_K field and the MAC of the unit. I don't believe there is a 'master' password because that would be a security issue.
Currently Vonage is pushing 3.1.9 and currently there is no known way to unlock your device if it was not already once unlocked and you have your GPP_K written down. If you recently bought a PAP2 and you can return it, return it. You will be better off buying a PAP2-NA (unlocked already) from eBay or an online store (as suggested already). The 3.1.9 firmware may never be unlocked and/or it may be quite a while so again if you can I suggest returning the device.
Complaining isn't going to help the situation; at the same time it would be a good idea to let people know on the PAP2 mailing list http://groups.yahoo.com/group/Linksys_Pap2 that you have a 3.1.9 unit, just so the people who are working on a workaround know there are others out there that need their device unlocked.
2006-02-04 Some brainstorming is necessary... I've read the guides from Linksys and it works like this: The file supplied by Vonage is either signed and/or gzipped (vendor's choice) and all the new Vonage units have the key (the guy below supposes it's the GPP_K field which is the key) and only recognize firmware that's supplied to it which is signed with that string and possibly gzipped. Now, since a license agreement is no longer necessary to get your PAP2-NAs you should just get a new one, or if you're really hung up on the Vonage one you have, brute force the admin password on yours (my ticker has been running for a week with no matches). My guess is that the default admin password on a Vonage PAP2 is either the same on all of them or something to do with either the serial number or the mac address or both (perhaps an md5 hash... backwards) it really could be anything.
2006-02-04 That's not really fair - the previous poster has the same issue that everyone has right now. The current firmware has an admin password which has not been bypassed yet. It would be helpful and productive if the next post could be how to bypass this.
Like 99% of unlocked PAP2 owners, the steps laid out on some of the unlocking pages are easy to follow. You should be able to unlock your own PAP2 easily, too. If you feel unlocking your PAP2 is so frustrating, please don't do it. If you do, you may end up re-locking your PAP2 further by Vonage. Instead, pay someone to do this dirty work for you for a price. BTW, if you think to pay $60 for a Linksys/Vonage locked PAP2 to get it unlocked, don't do it, mainly because a PAP2-NA (unlocked version) is about $60 + S/H charges. I hope this helps you.
2006-01-26 This is SO Frustrating. Everyone always writes in here like it's so easy. They point you to pages where you can download the new firmware and explain it's easy, you just need the admin password, then they tell you that you can get the admin password by getting this GPP_K, which is simple to get after you unlock your PAP2.
Does anyone realize that the VuckFonage and the binary are all USELESS unless you have the admin password, AND IF YOU HAVE THE ADMIN PASSWORD YOUR DEVICE IS UNLOCKED, and there are no further steps!?!?!?!?!
Can ANYONE explain it without putting in sentences like: "To unlock your PAP2 use your admin password from your unlocked PAP2" - Actual line from one of the pages most referenced!!
I was trying to do some hacking today and accidentally allowed the PAP2 to connect online after a factory reset and, just like you, got upgraded to 3.1.9LSc. At first, I was stuck like you, since they've disallowed the user from changing the firmware. However, and I'm going to be brief and assume that you already know these tools and terms (I may elaborate on my homepage later on how I did it), I was able to modify the settings because I already knew my GPP_K. I'm not sure if you could figure out what your GPP_K is without having admin privileges and maybe someone can help me out here.
With the GPP_K, just like how VuckFonage was able to decrypt the xml and show it in plain text, I was able to use it to encrypt the xml into something the PAP2 would be able to decrypt and read. Apparently, in the newest firmware, they no longer allow plain text xml settings uploads. To trick the PAP2 into downloading your encrypted xml instead of Linksys/Vonage, you need a TFTP server and a DNS server. Disconnect your internet connection and then FACTORY RESET your PAP2. Web Interface will be enabled and you can point the DNS server to the machine you have it setup. In the DNS server, point ls.tftp.vonage.net to the machine with the TFTP server. Reboot your PAP2 and it should now download your encrypted file.
I notice, even with this hack, I was unable to replace any firmware with it for it appears to have a firmware validation check before it actually flashes.
But with the admin and user password changed to anything that I wanted to (leave it blank and it won't even ask you for a password), I was able to set up line 1 with Telepacket and line 2 with VoipBuster.
I was hacking a couple of units for some friends. Two days ago on the 10th the box came preconfigured with 3.1.8(LS). The normal method didn't work. Provisioned by Vonage it went to 3.1.6. Factory reset, and we were on our way. Today got another unit, 3.1.8. Provisioned by Vonage and now it's a 3.1.9(LSc). Tried everything I could, including the "Firmware and FREE UPLOADER utility that lets you flash the PAP2 and turn it into a vanilla SPA-1000 Sipura box" - no go. It all hinges on that stupid admin password. Is there a short circuit that can be performed to wipe out the password? Or perhaps a packet sniff that could see what traffic (specifically the password) Vonage sends the unit when it provisions it?
I know it's not much fun, but did anyone go here, download the firmware and FREE UPLOADER utility that lets you flash the PAP2 and turn it into a vanilla SPA-1000 Sipura box ??
Vonage is still pushing 3.1.6 firmware so it is possible to hookup a 3.1.8 PAP2 device to the internet so Vonage will automatically downgrade it to the unlockable 3.1.6 firmware. http://groups.yahoo.com/group/Linksys_Pap2/message/477 (requires registration) for more info.
Here is an article, SPA2K/PAP2 firmwares for unlocking a PAP2, that I wrote on the BBR VoIP forum to show readers the links where to obtain SPATools.zip and SPA2K/PAP2 firmware files to unlock a Linksys/Vonage locked PAP2. Once your PAP2 is unlocked, please pin it on the Frappr Map for PAP2 to show how many PAP2 units Vonage has lost due to the unlocking hack.
Actually, I have discovered some tricks to re-unlock a PAP2 locked with firmware v3.1.7LSd/e a month ago. I don't have a firmware v3.1.8 to test, yet. I need some victims as guinea pigs to test my discoveries.
New Linksys PAP2 Devices ship with Firmware 3.1.8(LS) which require admin password to TFTP upgrade. No work-around known. This also applies to firmwares of 3.1.7(LSe) or later.
A simple method of upgrading is provided here: http://www.telephreak.org/PAP2/. This is similar to the FatWalletForums version but has less steps. This works on 2.0.11 firmware with a 'virgin' unit (never connected to the internet — supposedly it can work even after being connected, but requires additional resets). This has been around for a week or two at this point, but was not linked from here.
2005-09-27 For those who do not have Linux experience, you can find the 'patched' firmwares here: BBR though they disappear from time to time. Also step by step instructions and other links to binaries here at FatWalletForums.
2005-09-26 There is now a way to unlock PAP2 boxes with later firmware. Patching and applying an SPA2000 firmware update binary, tested with version 2.0.9 removes the admin password (they must have different configuration layouts?). Note that the LEDs won't work properly, and Line2 is unavailable. Another patcher (pap2spa) is available to convert PAP2 firmware upgrade binaries to SPA2k format. This allows reverting back to PAP2 firmware after the SPA firmware has been applied.
2005-09-11 there is currently no known way to unlock the recent Linksys PAP2 Vonage boxes. These have firmware version 2.0.10(LSc) and a rev 3 board which doesn't have the jumpers referred to in some unlocking guides. Various threads may have solutions by the time you read this as these boxes have recently been available quite cheaply ($20 after rebate).
2005-07-22 PAP2-EU (PAP2-NA locked) is locked to the PhoneSystems.net service. There is a password if you try to login on the admin web.
There is no jumper on this version (REV 3 board), so PAP2 trick won't work.
This is how I did a reset on my locked PAP2-EU: as the PAP2 is a Sipura clone, we used the SPA2000 user guide... Reset to Factory Settings: **** then 73738#1#1. And there you go, you can now access the web admin and you are no longer locked to a specific network.
2005-07-06 Reportedly, PAP2 can be unlocked with a simple procedure:
This is how I did a reset on my PAP2: I opened the box to find a two-pin jumper for three pins available on the board. I kept the device ON (I used NON-STATIC gloves), unplugged the jumper from the second and third pins and connected it to the first and second pins. Then I punched in "****" and "FACTRESET" and then "1" on the telephone connected to the PAP2. It announced that it did RESET successfully. I then switched off the PAP2, reverted the jumper back to its second and third pin position and closed the box. I had the PAP2 unlocked!
Created by: dotsam, Last modification: Wed 03 of Nov, 2010 (06:03 UTC) by admin