Tuesday, February 28, 2012

How to unlock a vintage Vonage phone adapter

This post describes the procedure for unlocking a Linksys RTP300 ATA running Vonage firmware version 12.0.1-r100920-3.4.2. There are currently no known exploits for this version or the Wi-Fi version (WRTP54G). Vonage pushed this version sometime in early 2011, and the only reasonable route is convincing Vonage to roll back the firmware to 5.01.04, which I successfully did. I am now using this same hardware with a different VoIP provider, CallWithUs.

I've been using this same equipment since 11/2005, during which it has been running nearly continuously and only been shut off when being transported between the US and Japan (and occasionally Europe). That works out to well over 55,000 hours of nearly continuous uptime.

This won't be useful with providers that require the use of proprietary hardware or software clients, i.e., providers that don't give you full SIP credentials. If you do this:
  • Your phone adapter will never work with Vonage again. Ever.
  • You run the risk of bricking your ATA and it will never work again. Ever (at least without special equipment and engineering knowledge).
  • You should proceed at your own risk - we aren't responsible if you break your device.

I can't take credit for any of this. Many other people figured out the means for unlocking and modifying the necessary firmware. This guide is copied primarily from here. All I've done is update the links to some of the necessary files, add some screenshots, and describe what to do for ATAs with the latest firmware.

Environment Requirements

  • MS Windows (virtual install is acceptable).
  • A current Vonage service plan if your router is running the updated version 12 firmware

Procedure Overview

The goal of this procedure is to flash the non-branded Cisco firmware to the RTP300. This allows manual SIP configuration so the ATA can be used with any provider.
  1. If running v. 12.0.1-r100920-3.4.2, convince Vonage to roll back your firmware to v 5.01.04.
  2. Exploit the "ping hack" to unlock the console.
  3. Flash Vonage firmware 1.00.62.
  4. Use CYT to reset the firmware upgrade credentials. (This is separate from the standard administrator password used to configure the device.)
  5. Download firmware version 3.1.24 for the RTP300 from Cisco. This will be the final version you flash.
  6. Use a hex editor to make a slight modification to the firmware.
  7. Log in to the firmware admin page of the ATA with the credentials set by CYT and flash the firmware modified with the hex editor.

Step 0: Roll back to vulnerable firmware version

If your firmware is v. 12.0.1-r100920-3.4.2 (as pictured below) or higher, with a black and orange skin with Vonage branding, you have the new firmware. You'll have to call Vonage and ask them to roll back the firmware on your device, which they can only do if your device is actively connected to their network (i.e., you are a current customer). Once rolled back, DISCONNECT YOUR ATA FROM THE INTERNET BECAUSE VONAGE SERVERS WILL AUTOMATICALLY UPDATE IT BACK TO THE NEW FIRMWARE.

Firmware version 12.0.1-r100920-3.4.2 will not work

Honestly, I actually can't believe this worked. I decided to wait until the Tier 1 service reps were at work, e.g., 9 to 5 on the East Coast. Then I called and said that I recently noticed that I had a new firmware version, and asked if they could roll it back to the old version. I used the excuse that I didn't like the new version (which is true). They said they only had "version 11" available and they could push that. Apparently their internal version numbering is inconsistent with what is displayed, because after they pushed "v 11", my ATA showed v. 5.01.04.

Step 1: Downloads and File Modifications

Part 1. Download Firefox and install the Web Developer Plugin. (This is needed to override maximum form input lengths.)

Part 2. Download and install TFTP32. This is a Windows-based TFTP server that will push the firmware to the device. (While there are Mac and Linux alternatives, subsequent steps will require Windows.)

Part 3. Download the von10062.zip ZIP archive and extract to the folder TFTP32 was installed in (ex. C:\Program Files\TFTP32). Download this image file (MD5: 94705c6516420d5848e53984482b27c3) and:
  • Delete the original von10062.bin file in the extracted von10062 folder.
  • Rename the newly downloaded file to von10062.bin
  • Copy it to the extracted von10062 folder, replacing the original.

Part 4. Download CYT.

Part 5. Download RTP300 firmware version 3.1.24 from the Cisco Site. There is only one hardware revision (version 1.0). Unzip the file and confirm the MD5 sum (a430df5109cefc8daaa8ef97720fb3b1) of the file rtp300_fw_3.1.24_US.img.

Part 6. Use a hex editor to make the following changes and overwrite the file when done:
  • Change offset 0x17 from 4D to 4C
  • Change offset 0x3B0004 from 85 DA 20 BB to 3B A5 4D DA
When finished check the MD5 sum. If it is not b15b248145a48e745afd5003c88eee17, you did something wrong.
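The hex edit in Part 6 can also be scripted so that nothing is written unless every check passes. This is an added example, not code from the original guide: it uses only the offsets, byte values and MD5 sums listed above, and the script name and output path in the usage comment are hypothetical.

```python
import hashlib
import sys

# Checksums and byte changes exactly as listed in Step 1, Parts 5 and 6.
ORIGINAL_MD5 = "a430df5109cefc8daaa8ef97720fb3b1"
PATCHED_MD5 = "b15b248145a48e745afd5003c88eee17"
# (offset, bytes expected in the stock image, replacement bytes)
PATCHES = [
    (0x17, bytes.fromhex("4D"), bytes.fromhex("4C")),
    (0x3B0004, bytes.fromhex("85DA20BB"), bytes.fromhex("3BA54DDA")),
]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def apply_patches(image, patches=PATCHES):
    """Return a patched copy of image; raise ValueError if a stock byte differs."""
    out = bytearray(image)
    for offset, expected, replacement in patches:
        end = offset + len(expected)
        found = bytes(out[offset:end])
        if found != expected:  # also catches an image too short to hold the offset
            raise ValueError(f"offset {offset:#x}: expected {expected.hex()}, "
                             f"found {found.hex() or 'EOF'}")
        out[offset:end] = replacement
    return bytes(out)


def patch_file(src, dst, before=ORIGINAL_MD5, after=PATCHED_MD5):
    """Patch src into dst, refusing to write unless both MD5 sums match."""
    with open(src, "rb") as f:
        image = f.read()
    if md5_hex(image) != before:
        raise ValueError(f"{src}: MD5 {md5_hex(image)} is not the stock image")
    patched = apply_patches(image)
    if md5_hex(patched) != after:
        raise ValueError(f"patched MD5 {md5_hex(patched)} does not match the guide")
    with open(dst, "wb") as f:
        f.write(patched)
    return md5_hex(patched)


if __name__ == "__main__":
    # usage (hypothetical names): python patch_fw.py rtp300_fw_3.1.24_US.img patched.img
    print(patch_file(sys.argv[1], sys.argv[2]))
```

Checking the stock bytes before overwriting them means a wrong or corrupted download fails here instead of producing an image that could brick the ATA.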

Step 2: Configure TFTP32

Run TFTP32, click Settings, then set up the base directory. Use the directory into which you installed the program (ex. C:\Program Files\TFTP32), and make sure the extracted files from the ZIP (Step 1, part 3) are in this directory. Change security to none, set the timeout and max retransmit to 10, and then hit OK.

Step 3: Unlock the Console

Part 1. Disconnect from the internet and connect directly to the RTP300, making sure the device is also not connected to the internet (i.e., pull the Ethernet cord out of the WAN port). Also make sure to disable any antivirus and firewall programs that may be running. If running Windows as a virtual machine, you'll need to bridge the guest and host networks; the settings should be fairly obvious.

Part 2. Use a paperclip to reset the ATA by pressing for 10 to 15 seconds. (Note, this is not necessary if you edit the "rf" file to reflect your client IP address and make appropriate changes below.) Log in to the ATA with user/pass of admin/admin and go to Administration/Ping. Make sure TFTP32 is running.

Firmware version 5.01.04 will work

Part 3. In the text box where you enter the IP address to ping, right click and select Web Developer > Forms > Remove Maximum Lengths, then enter the following and click ping: &&cd /var/tmp &&wget tftp://

Right click and select Web Developer > Forms > Remove Maximum Lengths, then enter the following and click ping (Yes, you must do this each time.): &&cd /var/tmp &&chmod 755 wr

Right click and select Web Developer > Forms > Remove Maximum Lengths, then enter the following and click ping: &&sh /var/tmp/wr

After a few seconds you should see some information in the output box. Scroll down to the last line and look for CONSOLE_STATE unlocked.
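The ping hack works because the form's maximum length is enforced only in the browser and the field then reaches a shell. As an added example (not code from this guide or from the firmware), here is the server-side check that would reject those inputs. It assumes the handler concatenates the field into a shell command line, which the `&&` strings above imply but the page does not show; `MAX_LEN`, the function names and the sample address are constructed for illustration.

```python
import ipaddress

MAX_LEN = 15  # longest dotted-quad string; assumed, the page does not state the form's limit

# Ping-field inputs: one constructed address plus two strings quoted in the steps above.
SAMPLES = ["192.0.2.10", "&&cd /var/tmp &&chmod 755 wr", "&&sh /var/tmp/wr"]


def naive_command(target):
    """Assumed vulnerable pattern: the field is pasted into a shell command line."""
    return "ping -c 4 " + target  # '&&' in target would start a second command


def validate_target(target):
    """Server-side check: accept only a literal IPv4 address, returned normalised."""
    if len(target) > MAX_LEN:
        raise ValueError("target longer than any IPv4 literal")
    return str(ipaddress.IPv4Address(target))  # ValueError on anything else


def safe_argv(target):
    """Argument vector for subprocess.run(argv): no shell, so no '&&' parsing."""
    return ["ping", "-c", "4", validate_target(target)]


def triage(samples=SAMPLES):
    """Map each input to the argv that would run, or None if it is rejected."""
    result = {}
    for field in samples:
        try:
            result[field] = safe_argv(field)
        except ValueError:
            result[field] = None
    return result


if __name__ == "__main__":
    for field, argv in triage().items():
        print(repr(field), "->", argv or "rejected")
```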

Step 4: Downgrade Firmware to 1.00.62

Part 1. Unplug the RTP300 and leave off for at least 5 seconds.

Part 2. Log in to the ATA with admin/admin and go to Administration/Ping. Make sure TFTP32 is running.

Part 3. In the text box where you enter the IP address to ping, right click and select Web Developer > Forms > Remove Maximum Lengths, then enter the following and click ping: &&cd /var/tmp &&wget tftp://

Right click and select Web Developer > Forms > Remove Maximum Lengths, then enter the following and click ping: &&cd /var/tmp &&chmod 755 rf

Right click and select Web Developer > Forms > Remove Maximum Lengths, then enter the following and click ping: &&sh /var/tmp/rf

You should now see a file transfer in progress under TFTP32. After the firmware has been transferred the power light on the RTP300 will start to blink if everything is successful. DO NOT INTERRUPT THIS PROCESS. IT MAY TAKE UP TO 2-4 MINUTES TO COMPLETE. WAIT FOR THE POWER LIGHT TO RETURN SOLID AND FOR AN ETHERNET LINK TO BE ESTABLISHED.

Step 5: Unlock with CYT and Load New Firmware

Part 1. Log in to the ATA using admin/admin and leave this window open. Ensure that firmware 1.00.62 has loaded successfully.

Firmware version 1.00.62

Part 2. Open cyt35.exe. Select Option 1. Wait for CYT to provision the RTP300. The output for a successful provision will be fairly obvious. This process will take 1-2 minutes.

Path at top indicates this is running in VirtualBox.

Part 3. Open a new window and head over to the firmware admin page. Log in with Admin/Admin or admin/admin.

Part 4. Locate the modified RTP300 3.1.24 firmware and initiate the upgrade process. (Note: the first time I did this, the firmware didn't take. Clicking the "More..." link brings up a troubleshooting menu that said to reboot the router and try again. The second time it worked.)

Using CYT makes this window accessible.

Part 5. Wait a few minutes and the device will reset itself and take you back to the login page.

The moment of truth.

Part 6. Log in to the ATA with admin/admin. Ensure that the firmware is 3.1.24.

Part 7. Cancel your Vonage service and configure SIP for new VoIP provider.

1 comment:

  1. Do you still have von10062.zip? Can't find it anywhere and the original link is down.