If it's about VoIP, SIP or Internet Telephony but it doesn't seem to fit anywhere else, post it here.
User avatar
By WelshPaul
#1824
VDV21, VDV22 and VDV23 are some of the current ATA models that Vonage provides to their customers. The unlocking procedure described here (thanks to voipfan.net) has been tested on all three models for firmware versions up to 3.2.11.

Before you start anything, please note these facts:
  • Do not unlock your device if you are currently using it with Vonage as the procedure wipes some important data used by Vonage's provisioning system which you will not be able to restore.
  • The unlocked device merely gives you access to some admin pages including the provisioning settings. There are no web pages in the firmware for setting up the SIP accounts. In order to set up the SIP accounts, you must build an XML provisioning file, put it on a HTTP or TFTP server and instruct the adapter to download it from there.
Also the procedure it a bit complex and takes quite a bit of time, especially the first time you attempt it.

The tools required are a serial console cable, this firmware package and a TFTP server. Also, to avoid complications, make sure that your Windows firewall is off.

Note: The "safe" firmware contained in the package has been replaced with a newer one made from the Vonage firmware 3.2.6. With the previous version, made from Vonage version 3.2.3, the LEDs on VDV22 did not work correctly. I have also included a newer version, based on the Vonage firmware 3.2.11. I have not tested this extensively, but it appears to work. If you have any feedback about it please let me know via the Contact page.

To open the router remove the 4 rubber feet and the screws under them. The front plastic panel will come off and you will have access to the PCB. See the photos below for the location of the serial console.
vdv_console.png
Set your terminal emulation program at 115200bps, 8bit, no parity then connect the console cable to the ATA (the VCC pin should not be connected if you're using a USB to serial converter) and power on the device. Hit the "p" key as soon as you see anything logged on the serial console, to stop the boot loader from loading the firmware. You should see something like this:
Code: Select all
BcmEcosBfcAppl
BCM1111A1 TP1
1
Asymmetric VCDL shmoo: Passed
DDR1 DDR2 DDR3 DDR4 VCDL
0000 0000 0424 0000 0C0C
Reduced DDR drive strength
PI sync init:1
346890
MemSize: .........................32M

Signature: 1111


Broadcom BootLoader Version: 2.1.7b Release Gnu
Build Date: Oct 25 2006
Build Time: 17:38:04

Flash detected @0xbf000000
Image 1 Program Header:
   Signature: 1111
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2007/9/18 17:45:11 Z
 File Length: 1945098 bytes
Load Address: 80010000
    Filename: vdv21-2.5.1-0.1.1-r070918.bin
         HCS: 6b7c
         CRC: 148d3f6c


Image 2 Program Header:
   Signature: 1111
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2008/11/24 20:07:45 Z
 File Length: 2173130 bytes
Load Address: 80010000
    Filename: vdv21-3.0.1-0.2.10-r081124.bin
         HCS: e243
         CRC: b9e122a3


Enter '1', '2', or 'p' within 2 seconds or take default...
The Filename fields in Image 1 and Image 2 show the firmware versions loaded in the two image partitions. If both firmware versions are higher than 3.1.2, you must downgrade the firmware first. Otherwise skip to the next step.

Downgrading the firmware. The firmware versions higher than 3.1.2 use a random location for storing the Admin password. That's why in this step we will downgrade the firmware to version 3.0.1. The firmware file must have the digital certificate removed in order to work, so use the file 301u.bin included in the ZIP. Connect the ATA's blue port (WAN) to your network, then hit the key "i" (to initialize the network). You will be asked whether to use the internal (LAN) or external (WAN) interface and the IP address and mask:
Code: Select all
Board IP Address [192.168.15.1]:
Board IP Mask [255.255.254.0]:
Board IP Gateway [10.136.64.1]:
Board MAC Address [00:10:18:01:ff:9a]:
Internal/External phy? (e/i)[i] e
Init EMAC...


Main Menu:
==========
  b) Boot from flash
  d) Download and save to flash
  g) Download and run from RAM
  m) Set mode
  s) Store bootloader parameters to flash
  i) Re-init ethernet
  r) Read memory
  w) Write memory
  j) Jump to arbitrary address
  z) Reset
Make sure the IP address you enter is in your network range and is unused. If the interface was initialized properly, you should be able to ping that IP address from your PC and the console will show:
Code: Select all
Received ICMP
Received ICMP
If the interface did not initialize properly, retry the procedure a few times, also try specifying the internal interface (even though the external one is the one connected). Then start the TFTP server on your computer and issue the "d" command to download the firmware. Enter your computer's IP address in the Board TFTP Server IP Address and for the filename use 301u.bin.

The console should display something like this:
Code: Select all
TFTP Get Selected

Board TFTP Server IP Address [192.168.15.2]:
Enter TFTP filename [301U.BIN]:


Free store: a1700000
Starting TFTP of 301U.BIN from 192.168.15.2
Getting 301U.BIN using octet mode
....(many progress dots removed here)..
             Tftp complete
Received 2173222 bytes
Image 0 Program Header:
   Signature: 1111
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2008/11/24 20:07:45 Z
 File Length: 2173130 bytes
Load Address: 80010000
    Filename: vdv21-3.0.1-0.2.10-r081124.bin
         HCS: e243
         CRC: b9e122a3


CRC Verified

Destination image
  0 = bootloader
  1/2 = CM image
  3 = specify flash offset
(0-3)[2]:
Here you are asked to select where to store the image. Enter "1" to store the image in the first partition. Then repeat the TFTP procedure and enter "2" here to store the firmware in the second partition as well.

Now we'll let the adapter boot once using the 3.0.1 firmware in order to retrieve some settings from Vonage. You must be connected to the internet for this to work. To boot the adapter, enter the option "b" (Boot from flash ) and watch the console until you see something similar to this:
Code: Select all
0x0000f9f6 [WAN MAC-00:1f:3a:b0:64:65] [HttpServerThread] BcmRgHttpServerThread::ThreadMain:  (HttpServerThread) Recv'd event to resynchronize sockets!
                                                        Loaded 0 bytes.rver...
                                                        Loaded 14704 bytes....
Extracted Salt.
Parsing xml file ...
0x0000fb86 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'altBwEstHost2'
0x0000fb86 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'altBwEstHost3'
0x0000fb90 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'bwestMgrSetup'
0x0000fb90 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'localMos'
0x0000fb9a [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'remoteMos'
0x0000fb9a [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'priMaxSpeed'
0x0000fb9a [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'priMinSpeed'
0x0000fba4 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'priMaxDiff'
0x0000fba4 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'secMaxSpeed'
0x0000fba4 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'secMinSpeed'
0x0000fbae [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'secMaxDiff'
0x0000fbb8 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'autoRecoveryWanTimeout'
0x0000fbb8 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'autoRecoveryExtTimeout'
0x0000fbb8 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'autoRecoveryFastReboots'
0x0000fbc2 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'dyDssHighQueueUtilRampdown'
0x0000fbc2 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'sshEnable'
0x0000fbcc [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'includeLcdHomeWiringWizardOption'
0x0000fbcc [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'teleServer1'
0x0000fbfe [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'teleServer2'
0x0000fc08 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'telePort'
0x0000fc08 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'teleEnable'
0x0000fc08 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'teleEncrypt'
0x0000fc44 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'teleEnvTimeout'
0x0000fc44 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'teleUserTimeout'
0x0000fc44 [WAN MAC-00:1f:3a:b0:64:65] [PROVCUST] BcmSmtaXmlDataParser::DebugIsTagFound:  (Smta Xml Data Parser) WARNING - No room for unknown tag 'teleHbTimeout'
Enter Password:        Time Server contents:
                       Name = (time.vonage.net)
                  IpAddress = 216.115.23.75

Connecting to SNTP ToD server 216.115.23.75...
Sending SNTP ToD request to server (216.115.23.75)
0x0000f848 [WAN MAC-00:1f:3a:b0:64:65] [Sntp Thread] BcmSntpThread::SendSntpPacket:  (Sntp Thread) Recv'd SNTP ToD successfully from (216.115.23.75)
        Version: 3
        Stratum: 3
        Mode: 4
        Timestamp: -784233315


Acquired SNTP Time of Day successfully!

07:53:07 04/02/2011  [VRGCMGR] (BOS) TaskCreate - spawn new task M5T::CTimerManager
07:53:07 04/02/2011  [VRGCMGR] (BOS) TaskCreate - spawn new task M5T::CSocketFactory
07:53:07 04/02/2011  [VRGCMGR] (BOS) TaskCreate - spawn new task SipEngine
07:53:07 04/02/2011  [VRGCMGR] (BOS) TaskCreate - spawn new task DnsResolver
07:53:07 04/02/2011  [VRGCMGR] (BOS) TaskCreate - spawn new task TransmissionMgr

sPS> /non/emtaSipOpts/auto_recovery true

auto_recovery = 1

sPS>
sPS> 07:53:07 04/02/2011  [VRGCMGR] (BOS) TaskCreate - spawn new task RTP0
07:53:07 04/02/2011  [VRGCMGR] (BOS) TaskCreate - spawn new task RTP1
07:53:07 04/02/2011  [VRGCMGR] (BOS) TaskCreate - spawn new task RTP2
07:53:07 04/02/2011  [VRGCMGR] (BOS) TaskCreate - spawn new task RTP3
sPS> /non/emtaSipOpts/auto_recovery_timeout 10

auto_recovery_timeout = 10

sPS>
sPS> /non/emtaSip/remote_disconnect_timer 30000

MTA SIP remote_disconnect_timer = 30000

sPS>
sPS> /non-vol/emtaCallOpt/emergency_digits 911

Call Option emergency_digits = 911

sPS>
sPS> /non/emtaProv/key 2 15f8c86a9568410306ff0199392fe17976ea507498a63d034cc50cf8f7a67307

MTA Provisioning key = 2 15f8c86a9568410306ff0199392fe17976ea507498a63d034cc50cf8f7a67307

sPS>
sPS> /non/emtaProv/fw_filename +001F3AB06465/vdv21-3.2.6-0.5.17-r101007_signed.bin

MTA Provisioning fw_filename = +001F3AB06465/vdv21-3.2.6-0.5.17-r101007_signed.bin
Watch for the messages starting with "sPS>". They mean that the adapter has retrieved the XML file from Vonage and it's reconfiguring its parameters. At this point disconnect the power and reconnect it. Stop the boot loader again with the "p" key and proceed to the next step.

Getting your Admin password. For the firmware 3.1.2 or older, the password is at a fixed location which can be read at the boot loader prompt. The password is stored as 1 digit length + 8 digits actual password at the address BF3D00FA. To read it, enter the "r" command (Read memory). You will be prompted to enter the memory address to read. Repeat the command 3 times (it will display 4 bytes each time), entering these memory locations: BF3D00FA BF3D00FE BF3D0102.

You will get a total of 12 bytes in hexadecimal format. The first byte is the length which for an adapter that has seen the internet should be 08. If the adapter is brand new and has never seen the internet, the first byte may be 09 or 00. If it's 00, read the memory from these alternate locations: BF7F0118 BF7F011C BF7F0120.

Then, take the next 8 or 9 bytes (each byte is 2 characters, so 16 or 18 characters, depending on the length specified in first next byte) and convert them to readable text using this ASCII converter.

For example, if the bytes read are 08717a62737935766d001522, we convert 717a62737935766d to ASCII and the password is qzbsy5vm

Installing a safe firmware. Next, you will install a "safe" firmware with all the links to Vonage removed. Follow the procedure in the first step (Downgrading the firmware) to replace the firmware in both partitions with the vdv21-3.2.6-na_boot.bin included in the ZIP file.

Wiping the Vonage settings. In this step we'll wipe the factory settings. Disconnect the WAN interface from your router and use the "b" command to boot the adapter again. Wait until the ATA starts up and hit Enter on the console. You will be presented with a login prompt. Enter Admin for the username and the password decoded earlier.

Now issue the following commands:
Code: Select all
cd non-vol
clear_device
The firmware will ask you if you are sure of what you're doing. Enter "yes"
Code: Select all
This will permanently clear/wipe out settings all from the device!
Are you sure? [no] yes
Clearing the Dynamic settings section...
Clearing the Permanent settings section...
Now, without entering any other command, power off the device for a couple seconds, then power it back on. Wait for it to boot, then hit Enter to login again, with username Admin and password Admin (if it doesn't accept it use the password decoded earlier). Then enter the following commands:
Code: Select all
cd non-vol
cd halif
mac_address 3 00:12:34:56:78:9a
mac_address 5 00:12:34:56:78:99
cd ../emtaProv
auto_enable 1
perm_server_addr http://192.168.15.10
perm_filename  brcm00123456789a.xml
perm_hash_dir brcm
perm_key 2 YOURENCRYPTIONKEY
write
Note that mac_address 3 should be replaced by the WAN MAC address printed on the back of your unit and mac_address 5 is the the WAN MAC minus 1. Also, replace the proper WAN MAC address in the filename brcm00123456789a.xml. The perm_key 2 parameter is the encryption key used for your XML provisioning and may be omitted if you don't plan to encrypt your configuration files.

Now, reboot the ATA again and login to its web interface as Admin and password Admin (if it doesn't accept it use the password decoded earlier), then go to Advanced / Factory Defaults, enable all checkboxes and click Apply.

After reboot, your ATA will be unlocked and factory reset safe and you can login as Admin with password Admin.

Programming the adapter. I will present three ways to do this, using an XML file (manual and semi-automated) or through the serial console.

Manual XML file method: for this you will need the XML file included in the ZIP.
  • connect your computer to the yellow port of the ATA
  • set your computer's IP address to to 192.168.15.10
  • download hfs.exe from http://www.rejetto.com/hfs/download (this is a very simple to use web server)
  • create a folder on your HDD called vdv21
  • create another folder inside vdv21 called brcm
  • unzip the brcm001122334455.xml to the brcm folderand and rename it to match your WAN MAC address
  • edit the XML file with Notepad. In the beginning you will find the two accounts, change them as you wish
  • start hfs.exe and go to Menu -> Add folder from disk -> select the vdv21 folder. It will ask you if it's a real or virtual folder, click Real folder. Leave the hfs.exe running
  • open a browser login to the web interface of the vdv21 at http://192.168.15.1. Login with username Admin and password Admin - go to Advanced Setup, then Voice
  • enter http://192.168.15.10 in Current Profile URL and Current Firmware URL, then Apply the settings (see attachment to see what that page looks like). Sometimes I found that the settings don't save unless you change one of the DNS servers in that page. Use a public DNS such as 4.2.2.4 or 8.8.8.8
Wait a few minutes and watch for activity on the HFS web server. Once the adapter has downloaded the config file, it should show the ports as register and you can begin testing your unlocked ATA.

Please note that the http client in the VDV21/VDV22 will not send the host name in the HTTP request. Instead, it will resolve the host name to an IP address and request the file from that IP.

If you wish to put your XML provisioning file(s) on a public web server in an encrypted format, you can encrypt the files using OpenSSL with the following command:
  • for Windows:
    openssl aes-256-cbc -e -in source.xml -out dest.xml -k "key"
  • for Linux:
    openssl aes-256-cbc -in source.xml -out dest.xml -k key
You need the OpenSSL library to encrypt the file. In Linux you can install the openssl package with the appropriate package manager for your distribution. For Windows, you can download the tool from here.

Semi-automated XML file method: for this you need to download and unzip this tool which basically runs all the steps above into a more friendly GUI.

A PDF file containing instructions is included in the ZIP.

Note that the tool is far from being perfect. It's very bare bones (put together one afternoon with a friend who's a software developer) and allows setting up only the SIP server, SIP account and password and dial plan. For any other settings you may want to tweak, you have to edit the template file before running the tool.

Serial console method: with the serial console connected, issue the following commands (replace things like sip.someserver.com or sip_username_1 with the appropriate values):
Code: Select all
cd non-vol
cd emtaProv
auto_enable 0
write
cd ../emtaSip
timer_reg 300
local_port 5060
nat_keepalive_message 1
nat_keepalive_interval 15
sip_ua_header 1
sip_ua_name VPortal
proxy_address 1 sip.someserver.com
proxy_address 2 sip.someotherserver.com
reg_address 1 sip.someserver.com
reg_address 2 sip.someotherserver.com
user_id 1 sip_username_1
user_id 2 sip_username_2
user_pw 1 sip_password_1
user_pw 2 sip_password_2
proxy_port 1 5060
proxy_port 2 5060
reg_port 1 5060
reg_port 2 5060
dial_plan 1 *xx|[2-9]xxxxxxxxx|1[2-9]xx[2-9]xxxxxx|911|0xx.T
dial_plan 2 *xx|[2-9]xxxxxxxxx|1[2-9]xx[2-9]xxxxxx|911|0xx.T
voice_encoder 1 0
voice_encoder 2 0
write
Who is online

Users browsing this forum: CommonCrawl [Bot] and 0 guests

Supported Products: OBi504vs OBi508vs Firm…

Supported Products: OBi200 OBi202 OBi300 OB…

Enter your email address here: https://haveibeenpw…

Well, with VoiceHost you can! I needed to report …