About Unlocking PAP2(T) and SPA adapters

Many people come to my website hoping to find a method to unlock the PAP2, PAP2T or SPAxxxx series of adapters.
Unfortunately these models are harder to unlock and there is no universal method that applies to all of them. This page only gives a few guidelines, which may or may not help unlock your adapter.
These adapters are often customized at the factory for a VoIP provider, and several types of customization can be applied. The customizations are not embedded in the firmware; they live in a separate area of the flash that is not touched by firmware updates. Removing the customization is almost impossible unless one can find and exploit a stack overflow in the adapter to run external code written specifically to wipe the factory customization area of the flash. Alternatively, someone with very good soldering skills and a flash programmer can desolder the flash chip, wipe that area and solder the chip back onto the ATA's board. None of these ATAs has a JTAG port, so the flash cannot be programmed without desoldering it first.
Whenever an ATA is customized for a VoIP provider, it comes preconfigured from the factory with a unique URL (usually a base URL plus a file name that contains the ATA's unique MAC address) from which the ATA downloads its configuration (usually an XML file) from the VoIP provider. In addition, it is locked down further with one of the following methods:

Method 1 - the ATA has no other locking mechanism. If you have a brand-new ATA that has never been connected to the Internet, disconnect your Internet connection, connect the ATA to the local network, open its web interface and clear the URL from the Profile Rule field in the Provisioning tab. The ATA can then be safely connected to the Internet and reconfigured for another provider. Note, however, that the provisioning URL is part of the ATA's factory defaults, so if you ever reset the ATA to defaults you must clear the provisioning URL again before letting the ATA reach the Internet.
I have seen this type of customization only on SPA2102s manufactured for Clearwire.

Method 2 - the ATA has a factory-preset, unique password for the admin account. It also contains a unique encryption key that is needed to decrypt the XML configuration file, so even if a third party knows the path to the XML file and downloads it, they cannot read it without knowing the key.
This method is typical of Vonage and Verizon PAP2s.
Vonage PAP2s can sometimes be unlocked by exploiting other weaknesses, but usually only if they have never been connected to the Internet. If the ATA was ever provisioned by Vonage and runs firmware version 3.1.9, the method below simply does not work, regardless of what some articles (such as those on the Bargainshare site) claim.
The method is based on downgrading the firmware to a patched version that ignores the preconfigured admin password. Normally the downgrade should not be possible without knowing the admin password; however, firmware versions 3.1.6 and older allow the downgrade while logged in with only the user account. There are three reasons why the Bargainshare claims do not work for PAP2s that have been used with Vonage:
- on firmware version 3.1.9, if you do not know the admin password, the only way to make the ATA upgrade or downgrade its firmware is to feed it an XML configuration that points to the new firmware. That XML must be encrypted with the key already stored in the ATA (either the factory key on a brand-new unit, or the key set by the last Vonage provisioning). The key is unique to every ATA and changes with every provisioning step.
- the method also involves downloading an XML file from Vonage that contains the data for the first provisioning step. The Vonage servers have been changed so that they no longer serve this file to ATAs that are not in service.
- the ATA downloads new firmware only if the upgrade URL differs from the one used for its last firmware upgrade. If the ATA was provisioned by Vonage even once, its firmware was already upgraded from a URL pointing to the Vonage servers, and that URL never changes in subsequent provisioning steps.
For firmware versions 3.1.6 or older the method is as follows:
- first download the required files: the firmware package and the TFTP server.
- disconnect your Internet connection
- connect only the power and a phone to the PAP2 and do a factory reset by dialing ****73738# on the phone connected to the PAP2. You will be asked either to press 1 to confirm, or to enter a password and then press 1 to confirm. Possible passwords are 7756112 or 8995523.
- connect the ATA's Ethernet cable, wait a few seconds and dial ****110# to hear its IP address
- open the web interface at that IP address, go to the System tab and change the password for the user account. You should be asked immediately to log in with the new password
- start the TFTP server and unzip the two firmware files into the root of the TFTP server. Also note the IP address of the computer running the TFTP server; it is displayed in the server's GUI
- in the browser where the PAP2's web interface is open, the URL should look like http://pap2_ip_address/basic. Change it to http://pap2_ip_address/upgrade?tftp://tftp_server_ip/PAP2SP2K.bin
- the firmware update takes up to a minute. At the end the adapter reboots and the power light should stay on. You can now log in to the web interface again; it will look different (Sipura color scheme) and this time you can enter the Admin settings. Go to the System tab and clear the passwords for the admin and user accounts
- also go to the Provisioning tab and clear the Profile Rule and Profile Rule A, B and C fields. Copy the value of the GPP K field to a safe place and clear it too. Then change the URL in your browser again, to http://pap2_ip_address/upgrade?tftp://tftp_server_ip/SP2KPAP2.bin, and watch the ATA upgrade its firmware again and return to the original Linksys color scheme
Your PAP2 is now unlocked. Keep in mind, however, that any factory reset will bring it back to the locked state. If you do not let it connect to the Internet after the reset, you can re-unlock it with the same procedure. If it does reach the Internet and downloads the Vonage configuration, it will upgrade its firmware to 3.1.9; you must then use the GPP K value saved earlier to create an encrypted provisioning file and feed it to the ATA in order to reset the passwords.

Method 3 - sometimes the ATA is locked to a provider through one or more host names in the Restricted Access Domains field on the System tab, which is sometimes grayed out so it cannot be changed. In that case Line 1 of the ATA will not connect to any VoIP service unless the server's host name matches one of the restricted domains. However, if you have access to the Admin page, you can use Line 2 of the ATA with any provider.

Method 4 - if you absolutely cannot access the web interface with any account and do not know who the provider is, I would start by letting the ATA connect to the Internet while capturing all traffic to and from it.
The easiest way to do this is with an old network hub. Note that this will not work with an ordinary network switch: a hub repeats the traffic from each port to all other ports, while a switch does not (a managed switch with a port-mirroring feature can be used instead). Hubs can sometimes be found at local thrift stores for a few dollars.
Connect one port of the hub to your router, another to the ATA and another to your PC. Then install Wireshark (free, www.wireshark.org) and start capturing. Power up the ATA only once the hub is set up and Wireshark is capturing, wait about 5 minutes, then stop the capture.
Then analyze the trace. Look for SIP, HTTP and TFTP requests coming from the ATA's IP address. First, they should give you a hint about the provider the ATA is locked to. Second, look for HTTP/TFTP requests for the URL of the provisioning file. If you find such a URL, try to download the file on your computer and examine it. The file can take a few forms:
- if the file is an unencrypted XML file (the best scenario, but rare) you can read it with a text editor or any modern web browser. Look for the Admin_Passwd element for your password
- the file might be generated with the Sipura SPC compiler but not encrypted (you should see SIPURA SPA at the beginning). In this case the start of the file looks scrambled, but if you scroll down to the bottom you will see clear text and numeric values. The user and admin passwords are at the beginning of the readable area
- if the file starts with the word Salted__ it is encrypted with OpenSSL and you are pretty much out of luck. The encryption key is stored inside the ATA and there is pretty much no way to obtain it
- sometimes the file is generated with the Sipura SPC compiler (it has the SIPURA SPA signature at the beginning) but the content is obfuscated. It is, however, not always encrypted with a key stored in the ATA. In this case you may be able to spoof the provisioning server and trick the ATA into loading a clear-text XML file (a sample can be downloaded from here) from your TFTP or HTTP server. You can also try this method if the ATA requests a provisioning file that no longer exists. Again, this method only works sometimes, but I was able to apply it to a few lots of ATAs from VoIP providers that closed their businesses.
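Triage for a provisioning file downloaded from the URL found in the capture, following the four cases just listed. This is an added example, not code from this page: it recognizes the signatures the text names (a leading `<` for plain XML, `SIPURA SPA` for SPC compiler output, `Salted__` for OpenSSL encryption), extracts the `Admin_Passwd` element from plain XML together with `User_Passwd` (the SPA user-account parameter, not mentioned above), pulls the readable strings from an unencrypted SPC file, and records the salt of an OpenSSL-encrypted one (the key stays inside the ATA, so nothing more can be recovered from that file). The plaintext-versus-obfuscated decision for SPC files is a heuristic on how much printable text follows the signature, and the sample files at the bottom are constructed for the example, not captured from any provider.

```python
"""Triage a provisioning file fetched from the URL seen in the capture.

Added example; the classification follows the four cases described above.
Usage: python3 triage_profile.py spa.cfg   (no argument: runs on the samples)
"""
import re
import xml.etree.ElementTree as ET

SPC_SIGNATURE = b"SIPURA SPA"   # output of the Sipura SPC profile compiler
OPENSSL_MAGIC = b"Salted__"     # openssl enc header: magic + 8-byte salt
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
MIN_READABLE = 16               # heuristic: printable bytes after the signature


def classify(blob):
    """Return xml, spc-plaintext, spc-obfuscated, openssl-encrypted or unknown."""
    if blob.lstrip().startswith(b"<"):
        return "xml"
    if blob.startswith(OPENSSL_MAGIC):
        return "openssl-encrypted"
    if blob.startswith(SPC_SIGNATURE):
        readable = sum(len(run) for run in spc_strings(blob))
        return "spc-plaintext" if readable >= MIN_READABLE else "spc-obfuscated"
    return "unknown"


def xml_passwords(blob):
    """Pull the password elements out of a flat XML profile. Admin_Passwd is
    the element the text mentions; User_Passwd is the user-account parameter."""
    root = ET.fromstring(blob)
    found = {}
    for tag in ("Admin_Passwd", "User_Passwd"):
        elem = root.find(".//" + tag)
        if elem is not None:
            found[tag] = (elem.text or "").strip()
    return found


def spc_strings(blob):
    """Readable ASCII runs after the SPC signature, in file order. In an
    unencrypted SPC file the first runs are the user and admin passwords."""
    body = blob[len(SPC_SIGNATURE):] if blob.startswith(SPC_SIGNATURE) else blob
    return [run.decode("ascii") for run in PRINTABLE_RUN.findall(body)]


def openssl_salt(blob):
    """Hex salt from an OpenSSL 'Salted__' header; the key is not in the file."""
    if not blob.startswith(OPENSSL_MAGIC) or len(blob) < 16:
        return None
    return blob[8:16].hex()


def triage(blob):
    """Classify the file and attach whatever can be read from it."""
    kind = classify(blob)
    report = {"kind": kind}
    if kind == "xml":
        report["passwords"] = xml_passwords(blob)
    elif kind == "spc-plaintext":
        report["strings"] = spc_strings(blob)
    elif kind == "openssl-encrypted":
        report["salt"] = openssl_salt(blob)
    return report


# Constructed samples (not real provider files) covering each case.
XML_SAMPLE = (b'<?xml version="1.0"?>\n<flat-profile>\n'
              b'  <Admin_Passwd ua="na">s3cret</Admin_Passwd>\n'
              b'  <User_Passwd ua="na">userpw</User_Passwd>\n'
              b'  <Profile_Rule ua="na">tftp://192.168.1.10/spa.cfg</Profile_Rule>\n'
              b'</flat-profile>\n')
# Pseudo-random filler standing in for the scrambled SPC header region; by
# construction it never contains four printable bytes in a row.
_FILLER = bytes((i * 37 + 11) % 256 for i in range(200))
SPC_PLAIN_SAMPLE = (SPC_SIGNATURE + _FILLER +
                    b"\x00adminpw\x00userpw\x00Line 1\x00sip.example.net\x005060\x00")
SPC_OBFUSCATED_SAMPLE = SPC_SIGNATURE + _FILLER + _FILLER[::-1]
SALTED_SAMPLE = OPENSSL_MAGIC + bytes(range(1, 9)) + _FILLER[:32]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        for sample in (XML_SAMPLE, SPC_PLAIN_SAMPLE, SPC_OBFUSCATED_SAMPLE, SALTED_SAMPLE):
            print(triage(sample))
```

To find the URL to feed it, the Wireshark display filter `ip.addr == <ata ip> && (sip || http || tftp)` narrows the capture to the requests the text says to look for. An `spc-obfuscated` result is the case where spoofing the provisioning server with a clear-text XML profile may still work; an `openssl-encrypted` result is the dead end described above unless the ATA's key (the GPP K value) is already known.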