Unlocking PAP2 Adventure

So I had quite some fun unlocking the PAP2. And by fun, I really meant headaches. First sign of trouble was when I noticed this PAP2 came with the 3.1.9 firmware which makes it impeccably harder to unlock than anything before.

However the guides posted on B$: Linksys PAP2 Unlock Info also included instructions on unlocking for firmwares 3.1.9 and higher, however they’re much more difficult. When unlocking my previous PAP2, all I had to do was setup a TFTP server and force it to upgrade the firmware. However the latest firmware prevents updating the firmware without administrator access and the admin password isn’t provided.

These new instructions required me to setup the following:

  • TFTP Server
  • DNS Server
  • HTTP Server

The instructions also called for setting up a DHCP server, but I decided to use my router to do that.

I ended up using SolarWinds TFTP Server, SHTTPD, and Simple DNS Plus. At first I wanted to use IIS that comes with XP, but I was hitting into issues with permissions and I just didn’t want to deal with that.

I pointed *.vonage.net to my main box that was hosting the the TFTP server and HTTP server. Following the directions, I created a similar environment that the PAP2 would try to connect and update the firmware with, which required getting the actual encrypted updated xml, but replacing at the location of where the new firmware is supposed to be, with something that I had.

After doing the 1st step, I hit into a snag. No longer was I able to access the PAP2 via the browser nor would **** access the IVR (interactive voice response) system. However, looking at my DNS and TFTP logs, I noticed that it would still try to connect to different address at *.vonage.net. I thought I’d just “bricked” my PAP2 and began looking replacements for it on Amazon. Meanwhile, I left a message for Diggler on the forums telling him about my situation and asking if it’s recoverable at all.

Diggler comes back and tells me the good news. Turns out I didn’t kill my PAP2 and this was expected if it was able to get the encrypted xml, but not the updated firmware. The updated xml file told it to disable web access and if I continue to hit *s, the IVR system will eventually come up. With the ability to reset the PAP2 now that I can access the IVR system, I would be able to repeat this for as many times as I want.

So I decided to check the logs on my SHTTP server and even though it was sending the file, the logs show 404. Someone else said they were having problems with SHTTP and said wxWebServer had worked for them. I also tried this, but it didn’t work and no logs were generated. I finally gave up and decided to go back to IIS and BAM! It worked!

The rest of the unlocking steps were pretty straight forward.

Other useful guides:

I then setup GrandCentral to IPKall to FWD and now line 1 at my parents house is a new number they can use to receive calls. I was surprised that sticking the PAP2 into a line 1 jack actually made all the line 1 jacks in the house work. Derek had told me that it’s worked for him, but I had little luck back at my place. Then again, I really just plugged it into a jack and then plugged in a phone in a different jack, and that didn’t work.

With the web UI, they can also make calls, but that’s a blog entry I’ve been meaning to post for some time. Maybe sometime soon.