 |

April 7th, 2007, 11:06 PM
|
|
Junior Member
|
|
Join Date: Mar 2007
Posts: 15
|
|
How to Provision a PAP2
This thread includes Step by Step, or links to, instructions for Linux and Windows. I'm using a Linksys router, but this should be compatible with most consumer routers. Special thanks to pap2boy and TheDiggler, as I wouldn't have figured this out without their original posts.
I'm starting this thread because of my disappointment in the original, now locked thread, by pap2boy. Rather than the thread continuing with specifics, it seems a Voxilla representative found it a better use to hijack the thread and bicker with a forum member. Awesome. Please keep this thread on topic.
Provisioning the PAP2
This may also work on PAP2v2. I did not include a link to the PAP2v2 unlocking thread because I don't know the specifics on that unit, namely if the XML is encrypted the same way. This could also work with RTPs and other router combos as well. Again, I'm not sure how those encrypt their XML files.
Last edited by bobpaul; April 7th, 2007 at 11:30 PM.

April 7th, 2007, 11:06 PM
Linux TFTP Server
TFTP Server, Debian Linux
These instructions should be helpful for any *nix, but are tailored to Debian Linux.
Install the TFTP server and client
Code:
$ sudo aptitude install tftp tftpd
Create the TFTP root
Code:
$ sudo mkdir /tftpboot
Configure the TFTP server
tftpd is a BSD program, and thus uses the inetd.conf file to configure and start the service. Edit /etc/inetd.conf
Code:
$ sudo editor /etc/inetd.conf
Add/modify this line:
Code:
tftp dgram udp wait nobody /usr/sbin/tcpd in.tftpd -s /tftpboot
The -s is required so that /tftpboot is treated as the root folder when a client requests a file.
Start the Server
I'm not sure how the inetd system works, but rebooting seems to start the server.
Testing
Create or place a file in /tftpboot. We'll assume the file is called testfile.
Execute the following:
Code:
:/tftpboot $ cd
~$ tftp localhost
tftp> binary
tftp> get testfile
tftp> quit
~$ ls test*
If testfile is listed in the current folder, you're successful. You can also check for the report from syslog using:
Code:
tail /var/log/syslog
You should see lines like
Code:
Apr 7 13:39:56 mythtv in.tftpd[20471]: connect from 127.0.0.1 (127.0.0.1)
Apr 7 13:39:56 mythtv tftpd[20472]: tftpd: trying to get file: testfile
Apr 7 13:39:56 mythtv tftpd[20472]: tftpd: serving file from /tftpboot
You may want to configure iptables to restrict access to this service. That's up to you.
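Added example, not part of the original post: TFTP has no authentication, so any host that can reach the server can request files from /tftpboot. This Python sketch pairs the `connect from` lines with the file-request lines in the syslog format shown above and reports requests from clients outside an allowlist; the allowlist and every log line after the first three are constructed for illustration.

```python
import re

# Constructed sample in the syslog format shown in the post above.
SAMPLE_LOG = """\
Apr 7 13:39:56 mythtv in.tftpd[20471]: connect from 127.0.0.1 (127.0.0.1)
Apr 7 13:39:56 mythtv tftpd[20472]: tftpd: trying to get file: testfile
Apr 7 13:39:56 mythtv tftpd[20472]: tftpd: serving file from /tftpboot
Apr 7 14:02:10 mythtv in.tftpd[20510]: connect from 192.168.1.9 (192.168.1.9)
Apr 7 14:02:10 mythtv tftpd[20511]: tftpd: trying to get file: spa0000000000.xml
Apr 7 14:05:31 mythtv in.tftpd[20533]: connect from 192.168.1.77 (192.168.1.77)
Apr 7 14:05:31 mythtv tftpd[20534]: tftpd: trying to get file: spa0000000000.xml
"""

CONNECT = re.compile(r"in\.tftpd\[\d+\]: connect from (\S+)")
REQUEST = re.compile(r"tftpd\[\d+\]: tftpd: trying to get file: (.+)$")


def tftp_requests(log_text):
    """Return (client, filename) pairs.

    The connect line and the request line carry different PIDs, so each
    request is attributed to the most recent 'connect from' line.
    """
    pairs, last_client = [], None
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            last_client = m.group(1)
            continue
        m = REQUEST.search(line)
        if m:
            pairs.append((last_client, m.group(1).strip()))
            last_client = None  # a request without a connect line stays unattributed
    return pairs


def unexpected_requests(log_text, allowed_clients):
    """Requests whose client is missing or not in the allowlist."""
    return [(c, f) for c, f in tftp_requests(log_text) if c not in allowed_clients]


if __name__ == "__main__":
    # Assumed allowlist: localhost for testing plus the adapter's static IP.
    for client, name in unexpected_requests(SAMPLE_LOG, {"127.0.0.1", "192.168.1.9"}):
        print(f"unexpected TFTP request: {client} asked for {name}")
```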

April 7th, 2007, 11:07 PM
Windows TFTP Server
TFTP Server, Windows
These instructions should be helpful for any Windows, but are tailored to WinXP.
Install a free TFTP server
I recommend Solarwinds.net's TFTP server. I don't know of one that runs as a service.
Configure
- If you're using Solarwinds, you will need to set the root directory to the folder you plan to store XML files and possibly firmware updates.
- You also need to set either "Transmit Only" or "Transmit and Receive"
- You might want to enable logging, restrict IPs, etc.
Testing
Create or place a file in your TFTP root folder. We'll assume the file is called testfile.
Execute the following:
Start-> Run: cmd [OK]
Code:
C:\>tftp -i localhost get testfile
Transfer successful: 0 bytes in 1 second, 0 bytes/s
You should also see a notification in the TFTP Server main window indicating a success or failure.

April 7th, 2007, 11:08 PM
Linux DNS Server
DNS Server, Debian Linux
These instructions should be helpful for any *nix, but are tailored to Debian Linux. 192.168.1.11 is the IP address I'm using for my TFTP/HTTP/DNS server. You will need to modify this to fit your network.
I've found it's MUCH easier to setup a DNS cache than a full blown authoritative DNS server.
Install DNSMasq and set your computer to use it
Code:
$ sudo aptitude install dnsmasq
Edit /etc/dhcp3/dhclient.conf and tell your computer to use the local cache in the future "prepend domain-name-servers 127.0.0.1;"
Edit /etc/resolv.conf and tell your computer to use the local cache immediately by adding "nameserver 192.168.1.11" at the top of the name server list.
Add entries for Vonage servers
dnsmasq checks /etc/hosts and treats entries there as absolute. All other requests are made with a real dns server and then cached for the future.
Add the following lines:
Code:
192.168.1.11 httpconfig.vonage.net
192.168.1.11 ls.tftp.vonage.net
192.168.1.11 vonage.net
Test
Run the following
Code:
nslookup ls.tftp.vonage.net 192.168.1.11
If you receive an address that is not your TFTP server, STOP, and figure out the problem! Your device will, too.

April 7th, 2007, 11:08 PM
Windows DNS Server
DNS Server, Windows Method 1
These instructions should be helpful for any Windows, but are tailored to WinXP. 192.168.0.1 is the IP address I'm using for my DNS/TFTP server. You will need to modify this to fit your network.
Download a third-party DNS server. I've found SimpleDNS (http://www.simpledns.com/) to be really easy, but it's $80 after 14 days. If someone knows of a free alternative, that would be awesome.
Configure the DNS records
Type: A Point httpconfig.vonage.net to 192.168.0.1
Type: A Point ls.tftp.vonage.net to 192.168.0.1
Type: A Point *.vonage.net to 192.168.0.1
Type: A Point vonage.net to 192.168.0.1
A TTL (time to live) of 24 hours should be fine. That's 86400 seconds.
Test
Execute the following
Code:
C:\>nslookup ls.tftp.vonage.net 192.168.0.1
Server: httpconfig.vonage.net
Address: 192.168.0.1
Name: ls.tftp.vonage.net
Address: 192.168.0.1
If you receive an address that is not your TFTP server, STOP, and figure out the problem! Your device will, too.
DNS Server, Windows Method 2
These instructions are for WinXP, but may work on any Windows that allows Internet Connection Sharing. This idea came from TheDiggler's Example Unlocking setup.
If you have 2 network adapters in your computer, you can use WinXP's Internet Connection Sharing as a dhcp/router/dns cache. I think WinXP even lets you run on an address other than 192.168.0.1, so a tricksy user might be able to get by using it with a consumer router.
Enable ICS
- Start-> Control Panel-> Network Connections
- Right click on your network adapter connected to the internet and choose properties.
- On the advanced tab, enable "Share this Connect" and choose the correct network adapter to share to.
Setup the DNS Entries
ICS functions similar to DNSMasq in that it checks the local hosts file, then the cache, and then asks a DNS server.
Using Notepad, add the following lines to C:\Windows\System32\Drivers\etc\hosts
Code:
192.168.0.1 ls.tftp.vonage.net
192.168.0.1 httpconfig.vonage.net
Test
Execute the following
Code:
C:\>nslookup ls.tftp.vonage.net 192.168.0.1
Server: httpconfig.vonage.net
Address: 192.168.0.1
Name: ls.tftp.vonage.net
Address: 192.168.0.1
If you receive an address that is not your TFTP server, STOP, and figure out the problem! Your device will, too.

April 7th, 2007, 11:09 PM
Router Configuration
Configure your router
These instructions work on my Linksys router. They should work on others. In this example, 192.168.1.11 is my DNS server I setup earlier, and 192.168.1.1 is my router.
Configure DHCP
Setup the DHCP section on your router to dish out the following:
Static DNS 1: 192.168.1.11
Static DNS 2: 192.168.1.1
It is important that the first address is the address of the DNS server we configured earlier.
Configure Routing
PAP2s shipped to work with Vonage include default DNS servers that Vonage controls. The unit will check our DNS server because of DHCP only if the checks to the two Vonage DNS servers fail. We need to redirect that traffic.
On my router is a section called "Advanced Routing". I set up the following:
Route Name: VonageDNS1
Destination LAN IP: 216.115.24.230
Subnet Mask: 255.255.255.255
Default Gateway: 192.168.1.11
Route Name: VonageDNS2
Destination LAN IP: 216.115.31.140
Subnet Mask: 255.255.255.255
Default Gateway: 192.168.1.11
The subnet mask of all 255s says this applies to the given destination only. By pointing the default gateway to our DNS server, we actually route all requests of that IP to our own computer. Nice. Other routers may cause the requests to drop instead, which is also acceptable.
Test
Execute the following at a command prompt/terminal:
Code:
nslookup ls.tftp.vonage.net 216.115.31.140
If you get "Connection Timed out" or a response pointing to your own TFTP server, you're good.

April 7th, 2007, 11:10 PM
Obtain Provider's config file
Obtain your Provider's XML file
Windows Users
This step is easiest with VuckFonage, which is a windows program. That thread gives the best instructions I've found, as well as the binary. This is really just a way of automating a TFTP get, and openssl decrypt.
Linux Users
If you don't want to use VuckFonage, the following works:
Code:
$ tftp ls.tftp.vonage.net
tftp> binary
tftp> get spa0000000000.xml
tftp> quit
$ openssl aes-256-cbc -d -in spa0000000000.xml -out spa0000000000.plaintext.xml -k "MyFactoryFreshKey"
Obviously, you'll need to replace MyFactoryFreshKey with your actual key, but leave the quotes. 0000000000 needs to be replaced with your mac address, capitals for any letters.
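Added example, not from the original post: `openssl enc -k` writes a `Salted__` header plus an 8-byte salt and derives the AES key and IV from the passphrase with a digest that defaulted to MD5 when this thread was written and to SHA-256 from OpenSSL 1.1.0 on. The Python below checks that container and derives both candidates so they can be compared with the output of `openssl enc -P`; it assumes the adapter expects the MD5 form the 2007-era command produced, and the sample bytes are constructed.

```python
import hashlib

MAGIC = b"Salted__"  # header written by `openssl enc` when a passphrase (-k) is used
BLOCK = 16           # AES block size in bytes


def read_salt(blob):
    """Validate the container layout and return the 8-byte salt."""
    if blob[:8] != MAGIC:
        raise ValueError("missing 'Salted__' header: not passphrase-encrypted by openssl enc")
    body = blob[16:]
    if not body or len(body) % BLOCK:
        raise ValueError("ciphertext is empty or not a whole number of AES blocks")
    return blob[8:16]


def derive_key_iv(passphrase, salt, digest="md5", key_len=32, iv_len=16):
    """EVP_BytesToKey with one iteration, the derivation behind `openssl enc -k`."""
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        prev = hashlib.new(digest, prev + passphrase + salt).digest()
        material += prev
    return material[:key_len], material[key_len:key_len + iv_len]


def candidates(passphrase, blob):
    """Hex key/IV per digest, for comparison with `openssl enc -P` output."""
    salt = read_salt(blob)
    return {d: tuple(part.hex().upper() for part in derive_key_iv(passphrase, salt, d))
            for d in ("md5", "sha256")}


# Constructed sample: header, a fixed salt, and two blocks of placeholder ciphertext.
SAMPLE = MAGIC + bytes(range(8)) + b"\x00" * 32

if __name__ == "__main__":
    for digest, (key, iv) in candidates(b"MyFactoryFreshKey", SAMPLE).items():
        print(f"{digest}: key={key} iv={iv}")
```

On OpenSSL 1.1.0 or later, adding `-md md5` to the commands in this thread reproduces the older derivation.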

April 7th, 2007, 11:11 PM
Modifying the XML file
Modify the XML file to suit your needs
You can edit the plaintext XML file with a text editor. The file has Unix line endings, so notepad won't be too friendly. I recommend Textpad or WordPad.
I've attached the config I use, stripped of passwords, etc, to run both Vonage and Vitelity on my PAP2, as an example.
- Modify the Admin_Password and User_Password fields.
- Set Enable_Web_server and Enable_Web_Admin_Access to Yes
- Set Forced_Rsync_Delay to 0
- Set Profile_Rule_C to
Code:
(GPP_E = "$D";)!
[--key $K] tftp://<Your TFTP Server>:$P/spa$MAU.xml
- GPP_K should be the key you're encrypting your files with. I just use my Factory Fresh GPP_K for simplicity, and this must be the initial encryption after a reset.
- You can change Upgrade_Rule if you want to do your own firmware updates. I'm using 3.1.22 from Linksys.com, and my rule is:
Code:
(!3.1.22)?tftp://192.168.1.11/PAP2-3-1-22-LS.bin
This means if the current version is not 3.1.22, download the firmware from tftp.
- Continue modifying any other values you deem necessary. I'll update this message like a FAQ and add additional settings inquired about.
Encrypting the Config File
With your Plaintext file completed, you need to encrypt it using the key your adapter is expecting. After a reset, this is your factory fresh GPP_K. Encrypt the file using the command:
Code:
$ openssl aes-256-cbc -e -in spa0000000000.custom.xml -out spa0000000000.xml -k "MyFactoryFreshKey"
Where spa0000000000.custom.xml is the plaintext file you just created/modified and the 00s are your PAP2's mac address with capitals for any letters. Copy/move your new spa0000000000.xml to your TFTP root folder.
Other Useful Notes
I like to run static IPs for devices on my network.
Code:
<DHCP ua="rw">No</DHCP>
<Static_IP ua="rw">192.168.1.9</Static_IP>
<NetMask ua="rw">255.255.255.0</NetMask>
<Gateway ua="rw">192.168.1.1</Gateway>
You'll notice every XML entity has ua="na" or ua="rw" in the tag opener. ua="na" means Not Available in user mode, whereas ua="rw" means it's re-writable. This defines whether or not you'll see a config option on the WebUI when logged in with the user account. There are probably other options, but be sure to set something valid.
Gotchas
In my dialplan, I use replacements, like <411:18003733411>. XML uses <>, so be sure to replace those with &lt; and &gt; or your device won't accept your config. Any other syntax errors will also cause the config to be rejected, so it might be good to configure a few things at a time.
Last edited by bobpaul; April 7th, 2007 at 11:20 PM.
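Added example, not part of the original post: a Python pre-flight check to run on the plaintext file before encrypting it, covering the two points above (unescaped `<` and `>` in a dial plan, and the `ua` attribute on every element). The `<flat-profile>` root and the `Dial_Plan_1_` tag name are assumptions, since the page does not show them, and the sample configs are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

KNOWN_UA = {"na", "rw"}  # the two values described in the post; others may exist


def element(tag, value, ua="na"):
    """Build one config element, escaping <, > and & in the value."""
    return f'<{tag} ua="{ua}">{escape(value)}</{tag}>'


def lint_config(xml_text):
    """Return a list of problems; an empty list means the file parsed cleanly."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Syntax errors like this are what make the device reject the config.
        return [f"not well-formed: {exc}"]
    return [f"<{e.tag}> has ua={e.get('ua')!r}"
            for e in root if e.get("ua") not in KNOWN_UA]


DIAL_PLAN = "(<411:18003733411>|xx.)"  # constructed plan using the post's replacement

# Assumed names: the <flat-profile> root and Dial_Plan_1_ tag are not shown on the page.
BROKEN = ('<flat-profile><DHCP ua="rw">No</DHCP>'
          f'<Dial_Plan_1_ ua="na">{DIAL_PLAN}</Dial_Plan_1_></flat-profile>')
FIXED = ('<flat-profile><DHCP ua="rw">No</DHCP>'
         + element("Dial_Plan_1_", DIAL_PLAN) + '</flat-profile>')

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_config(text) or "ok")
```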

April 7th, 2007, 11:11 PM
Non-Vonage Devices
Changes required for non-Vonage devices
If you aren't using Vonage, you will need to
- change the A records you setup for DNS
- change the DNS server IPs you're blocking/redirecting when configuring your router.
- Possibly change the name of the xml file you download, and definitely the server you download it from.
If anyone knows specifics for providers, I can post that here or link to your post.
Last edited by bobpaul; April 7th, 2007 at 11:17 PM.

April 7th, 2007, 11:17 PM
Additional Thoughts
Additional thoughts
If your router is supported by the OpenWRT project you can run the TFTP server, DNSMasq, and even a Webserver directly from your router. Then you could edit /etc/user.firewall to block Vonage's DNS servers. This would mean only your router, and not your router and a server, need to be on to safely factory reset your device.
I know I haven't accounted for everything, and so thus far this only reflects my particular needs. With it setup like this, I can factory reset my device and it instantly pulls the encrypted XML file from my TFTP server setting it up for my use. A different device might have additional IPs that need to be blocked to prevent it from pulling from Vonage. I just don't know. It's still safest to perform a factory reset only with your cable/dsl modem disconnected and turned off.