VDV21 JTAG and unlock.
usbjtag @ 23rd Oct 02:26AM:
VDV21 JTAG and unlock.

Finally I decided to make this work and found it quite interesting.
1. You need to solder three pull-up resistors.
R55, R51 and R56. I used 4.7K resistors.
2. R53 needs to be sorted.
The admin user name and password are in plain text once you read the whole 8M flash.

I had this device for a long time and did not bother to solder the resistors until today, and it can be quite a good device to play with.

Anyone interested in unlocking this device?
reply
jravac @ 23rd Oct 05:28AM:
Re: VDV21 JTAG and unlock.

I would be interested. I've soldered other things before, but never tried JTAGing or unlocking ATAs before. Can you describe the types of cables, etc. needed?
reply
usbjtag @ 23rd Oct 08:32AM:
Re: VDV21 JTAG and unlock.

The JTAG pinout is the same as RTP300, or WRTP54G. (VT2X42 are mirrored on the back of the board).
If you just use PJTAG, it is standard 14 pin MIPS JTAG pinout. IDLength = 5. DMA supported.
The flash address starts at 0x9f400000 (or 0xBF400000).
The Admin password was at the router configuration area.

I will create a DLL for USB JTAG NT once I find out how to unlock and configure the device. Finally we have another way to re-use this device. (Other than pulling the chip and programming it with a programmer).
reply
meister_sd @ 23rd Oct 01:53PM:
Re: VDV21 JTAG and unlock.

Very nice!

I have one that I can test this weekend, if I get time.
reply
usbjtag @ 23rd Oct 03:18PM:
Re: VDV21 JTAG and unlock.

This one has 8M of flash and 32M of RAM. It sells quite cheap now on eBay and you might consider getting one soon, before the full unlock method is found.
reply
jravac @ 23rd Oct 05:25PM:
Re: VDV21 JTAG and unlock.

btw, is the admin user name and pw same across all the vdv21 devices?
reply
mazilo @ 23rd Oct 05:39PM:
Re: VDV21 JTAG and unlock.

said by jravac :

btw, is the admin user name and pw same across all the vdv21 devices?
Looking at the comment made by usbjtag regarding the location of the Admin password, which I quoted below, I believe it is safe to say the Admin password is put there by Vonage through a provisioning process. As such, Vonage can just put any password there. OTOH, the factory default settings for the Admin password may be different.

said by usbjtag :

The Admin password was at the router configuration area.

--
Mazilo always prays for FREEBIES!
UK Phone: +44-703-194-2574

reply
meister_sd @ 23rd Oct 11:45PM:
Re: VDV21 JTAG and unlock.

said by jravac :

btw, is the admin user name and pw same across all the vdv21 devices?
No.

Vonage has agreements with all their hardware providers to have different Admin passwords for all their devices. That said, many will have the same User (or equivalent) password. Here is the password from mine:

router / router
Admin / Xs9j1Z8mX

And another:

router / router
Admin / gyhf9m0x
reply
usbjtag @ 26th Oct 12:25AM:
Re: VDV21 JTAG and unlock.

Some interesting findings.
If you have the admin password you can view your SIP setting at

192.168.15.1/VoiceSetup.asp

The sb5101 tool can be used to unzip the firmware. That means it can also patch the firmware to allow changes to the SIP setting. I have just unzipped (LZMA) vdv21-2.8.1-2.2.8-r080730.bin. The latest version is vdv21-3.0.1-0.2.10-r081124.bin.
Does anyone know what the difference is?
reply
toro @ 26th Oct 09:08AM:
Re: VDV21 JTAG and unlock.

Can you give me some details about the tool you used to unpack the firmware?
Maybe we can change it so that it ignores the factory set password for the Admin user (similarly to the way it was done for D-Link VTA, PAP2v2 and others).
reply
usbjtag @ 26th Oct 01:29PM:
Re: VDV21 JTAG and unlock.

I will recompile later and make it available for download. Yes, it is possible to unlock without using JTAG, but using tweaked firmware.
reply
usbjtag @ 26th Oct 10:39PM:
Re: VDV21 JTAG and unlock.

Just uploaded
»www.usbjtag.com/vbforum/download···e&id=100.
I will start to disassemble the firmware now.
reply
meister_sd @ 27th Oct 01:02AM:
Re: VDV21 JTAG and unlock.

The firmware I've downloaded ends in "_signed" and won't work with your program.

vdv21-2.5.1-0.1.1-r070918_signed.bin

I'm getting mine from the httpconfig website.
reply
usbjtag @ 27th Oct 01:03AM:
Re: VDV21 JTAG and unlock.

I saved with USB JTAG NT. The signed one has a header that needs to be removed.
reply
usbjtag @ 27th Oct 01:57AM:
Re: VDV21 JTAG and unlock.

Everything is in the non-vol setting. Here is a dump

+--------------------------+
| EMTA SIP NonVol Settings |
+--------------------------+
Magic Number = 0x4d536970 'MSip'
Version (Permanent) = 0.2
Version (Dynamic) = 0.20
Is Default (Permanent) = 0
Is Default (Dynamic) = 0
Is Manufactured (Permanent) = 1
Is Manufactured (Dynamic) = 1

EMTA SIP Permanent NonVol Settings:

EMTA SIP Dynamic NonVol Settings:

Number of Active Voice Ports = 2
Is Line 1 Enabled = 1
Is Line 2 Enabled = 1
User 1 ID = >1818955xxxx1818955xxx18189558530ZHR8Z5CJb6
Proxy Server Address Line 1 = e.voncp.com
Proxy Server Address Line 2 =
Proxy Server Port Line 1 = 10000
Proxy Server Port Line 2 = 10000
Reg Server Address Line 1 = e.voncp.com
Reg Server Address Line 2 =
Reg Server Port Line 1 = 10000
Reg Server Port Line 2 = 10000
Reg Retry Time Line 1 = 20 seconds
Reg Retry Time Line 2 = 20 seconds
Outbound Proxy Address Line 1 = 0.0.0.0
Outbound Proxy Address Line 2 = 0.0.0.0
Outbound Proxy Port Line 1 = 0
Outbound Proxy Port Line 2 = 0
Dial Plan 1 = *69|*[78]x|*xxT|*[123]xx|[2-9]11|1xxx[2-9]xxxxxx|[2-9]xxxxxxT|[2-9]xxxxxxxxx|011x.T|*xxx+T|xx+#|958T|933T
Dial Plan 2 = *69|*[78]x|*xxT|*[123]xx|[2-9]11|1xxx[2-9]xxxxxx|[2-9]xxxxxxT|[2-9]xxxxxxxxx|011x.T|*xxx+T|xx+#|958T|933T
Digit Timer Line 1 = 4000
Digit Timer Line 2 = 4000
Partial Digit Timer Line 1 = 16000
Partial Digit Timer Line 2 = 16000
Flash Digit Timer Line 1 = 1000
Flash Digit Timer Line 2 = 1000
Is Service Enabled = no
Service Url =
Service Value =
Voice Encoder Line 1 = 0 (G.711 u-Law)
Voice Encoder Line 2 = 0 (G.711 u-Law)
Emergency Voice Encoder = 0 (G.711 u-Law)
Packetization Period Line 1 = 20
Packetization Period Line 2 = 20
Fax Packetization Period Line 1 = 10
Fax Packetization Period Line 2 = 10
VAD Mode Line 1 = 0
VAD Mode Line 2 = 0
Voice Band Data Line 1 = 2 (T.38)
Voice Band Data Line 2 = 2 (T.38)
Tx Volume Line 1 = 0
Tx Volume Line 2 = 0
Rx Volume Line 1 = -2
Rx Volume Line 2 = -2
Session Expiration Timer = 0
Minimum Session Expiration Timer = 0
Registration Timer = 20
Registered Address of Record Line 1 = 0.0.0.0
Registered Address of Record Line 2 = 0.0.0.0
CPC Timer = 500
Remote Disconnect Timer = 30000
SIP Debugging On = false
Provisioning Debugging On = false
Adaptive Codec On Line 1= 0
Adaptive Codec On Line 2= 0
Adaptive Packetization Period On Line1= 0
Adaptive Packetization Period On Line2= 0
Critical Discarded Packet Threshold = 180
Warning Discarded Packet Threshold = 100
Minimum Adaptive Setting Wait Time = 120
SIP User Agent = VDV21
User Agent Header Control = 2 (SIP UA Name + MAC + Firmware Version + File Name with Path that remotely manages this device)
SIP Server Name =
SIP Accept Language =
Dtmf Relay Power Level = 5
Dtmf Relay Payload Type = 101
Dtmf Relay State = 1 (RFC2833)
Hook Flash Relay State = 0 (Inband)
Dtmf Relay Mime Type =
Hook Flash Relay Mime Type =
Proxy-Require =
NAT Keep Alive Message = 0 (Disable)
NAT Keep Alive Interval = 0
NAT WAN Server Address = 0.0.0.0
NAT WAN Server Port = 0
NAT Keep Alive FQDN = 0.0.0.0
STUN Server Address =
STUN Server Port = 0
SIP Stack State =
Power source = 0
Echo cancelling enabled Line 1 = 1
Echo cancelling enabled Line 2 = 1
IP Dialing Enabled Line 1 = 1
IP Dialing Enabled Line 2 = 1
Euro Call Flow Line 1 = 0
Euro Call Flow Line 2 = 0
Feature String Line 1 =
Feature String Line 2 =
SIP Signaling Transport = 1 (UDP Only)
Local SIP Port = 10000
Signalling TOS = 0
Rtp TOS = 184
Resync via. SIP NOTIFY enabled = 1

It will be very easy to play with the non-vol to allow SIP configuration to be changed.
reply
usbjtag @ 27th Oct 08:50AM:
Re: VDV21 JTAG and unlock.

I think the way to unlock it will be similar to VT2X42 and I will continue later.
1. There is a factory non-vol area, we need to MAKE the Admin password in this area. Erase the keys.
2. There are TWO copies of local non-vol. Factory reset this area. (This needs to be double checked; making the Admin password and removing the keys may be better).
3. Use the xml decrypted from the Vonage site and put it on a local TFTP server.

Patching the firmware seems possible but needs quite a bit of work. VDV21 will always try to connect to "home" to get the latest firmware and its configuration. Only if the hash directory and the keys are removed will it fail to get the files. The patched firmware needs to remove the keys and hash directory also.
reply
usbjtag @ 28th Oct 12:57AM:
Re: VDV21 JTAG and unlock.

The bcmXXXXXXXXXXXX.xml downloaded from Vonage is encrypted. We only have the Hash key and Key. How do we generate the K key to decrypt the xml? If we are not able to decrypt the xml then the only way to unlock the device (SIP) is to use the console to add the SIP information.
reply
mazilo @ 28th Oct 08:23AM:
Re: VDV21 JTAG and unlock.

said by usbjtag :

The bcmXXXXXXXXXXXX.xml downloaded from Vonage is encrypted. We only have the Hash key and Key. How do we generate the K key to decrypt the xml? If we are not able to decrypt the xml then the only way to unlock the device (SIP) is to use the console to add the SIP information.
IIRC, on a TI-AR7 based VoIP device, i.e. PAP2v2, WRTP54G, etc., the RC4 utility (included in the firmware source) can be used to decrypt the encrypted XML provision file along with the GPP_K string. Perhaps, you may want to try and let us know.
--
Mazilo always prays for FREEBIES!
UK Phone: +44-703-194-2574

reply
usbjtag @ 28th Oct 11:50AM:
Re: VDV21 JTAG and unlock.

I know, but the GPP_K value is known. We can have the hash directory easily and the factory key easily. But not the GPP_K value.
reply
meister_sd @ 29th Oct 09:58PM:
Re: VDV21 JTAG and unlock.

said by usbjtag :

I saved with USB JTAG NT. The signed one has a header that needs to be removed.
For anyone else who has signed firmware, look for the name of the firmware version, i.e. vdv21-2.5.1-0.1.1-r070918.bin, and go back about 20 bytes to where you see the two bytes "11 11". Leave that as your beginning and remove everything before that.
reply
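
Added example, not part of the original post or any poster's tool: a Python sketch of the header-stripping step described above, for preparing a signed image for offline analysis. The name pattern, the 64-byte search window and the sample bytes are assumptions constructed for illustration; only the "11 11" marker and the version-name anchor come from the post.

```python
import re

# Assumed name pattern, modelled on the file names quoted in the thread
# (e.g. vdv21-2.5.1-0.1.1-r070918.bin); a "_signed" suffix will not match.
NAME_RE = re.compile(rb"vdv21-[\d.]+-[\d.]+-r\d{6}\.bin")
MARKER = b"\x11\x11"  # the two bytes the post says begin the real image


def find_image_start(blob: bytes, max_back: int = 64) -> int:
    """Offset of the 11 11 marker closest before the embedded version name."""
    name = NAME_RE.search(blob)
    if name is None:
        raise ValueError("no embedded firmware version name found")
    # The post says "about 20 bytes"; max_back is a hypothetical safety window.
    window_start = max(0, name.start() - max_back)
    offset = blob.rfind(MARKER, window_start, name.start())
    if offset < 0:
        raise ValueError("no 11 11 marker within %d bytes of the name" % max_back)
    return offset


def strip_signed_header(blob: bytes) -> bytes:
    """Drop everything before the marker, leaving the unsigned image."""
    return blob[find_image_start(blob):]


def make_sample():
    """Constructed test data, not a real firmware layout."""
    image = MARKER + bytes(18) + b"vdv21-2.5.1-0.1.1-r070918.bin\x00" + b"LZMA-PAYLOAD"
    header = b"\xaa" * 128  # stand-in for the signature header
    return header, image


if __name__ == "__main__":
    header, image = make_sample()
    stripped = strip_signed_header(header + image)
    print("header bytes removed:", len(header + image) - len(stripped))
```

An image that is already unsigned passes through unchanged, and a file with no marker near the name raises an error instead of being silently truncated.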
usbjtag @ 30th Oct 12:03AM:
Re: VDV21 JTAG and unlock.

If you use serial, hit "p" at boot up within 3 seconds.
Then read the following addresses:
bfbd00f8 bfbd00fC bfbd0100
You will be able to get the Admin password.
The length of the password is one byte at bfbd00fa, followed by the plain text ASCII password.
reply
usbjtag @ 30th Oct 01:36AM:
Re: VDV21 JTAG and unlock.

Finally I can enable both ports of this device.
The current method is similar to VT2X42. Use JTAG to erase the hash and Keys (both factory and dynamic non-vol).
Use the serial port to add the user id and password. The TFTP method does not work yet.
This device now has TWO ports with call ID. A very nice toy.
reply
meister_sd @ 2nd Nov 10:27AM:
Re: VDV21 JTAG and unlock.

What value resistors did you use?

Seems you had to add R53, R51 and R56.
reply
usbjtag @ 2nd Nov 10:41AM:
Re: VDV21 JTAG and unlock.

In theory this box can be unlocked without JTAG but someone needs to write the assembly code to do so.
The bootblock allows you to use the serial port to run your own code in RAM. You can write code to write legit non-vol and remove the keys. You will then be able to use console commands to add your SIP information.

Since I am only interested in unlocking with JTAG, I will not be interested in writing code to unlock with the serial port. If anyone wants to do the serial port unlocking, I can provide information on how to program both dynamic and perm non-vol to remove the keys.
reply
