This message describes the configuration and recovery process for Cisco ATA-186 adapters provided by Vonage.

"Every Vonage Customer Gets a Cisco Phone Adapter for Free."

The unadvertised detail is that this adapter is never under your control, even after completing the terms of your customer agreement and ending your relationship with Vonage. Rather than pollute landfills with perfectly good hardware, some ex-customers would like to recover use of their Cisco ATA and recycle it for other applications.

TOS RESTRICTION

Note that it is a violation of the Vonage Terms of Service to tamper with or reset your Cisco ATA while subscribing:

1.6 Tampering with the Device
You agree not to change the electronic serial number or equipment identifier of the Device, or to perform a factory reset of the Device, without express permission from Vonage in each instance. Vonage reserves the right to terminate your Service should you tamper with the Device, leaving you responsible for the full month's charges to the end of the current term, including without limitation unbilled charges, plus a disconnect fee, all of which immediately become due and payable.

Of course, former Vonage customers that have fulfilled the terms of their contract, paid all fees, and are no longer Vonage subscribers are not bound by these Terms of Service. This information is intended to help only those former customers recover the utility of the otherwise-useless ATA device.

LOCKOUT IMPLEMENTATION

The Cisco ATA provides a number of features to control access.

First, Vonage disables the HTTP server in the ATA by setting Bit 7 (Bitmask: 0x00000080) in the OpFlags parameter. (IVR Code 323) Details here:
http://www.cisco.com/univercd/cc/td/doc/product/voice/ata/atarn/186rn214.htm

This makes it impossible to connect to the configuration web page that is normally available at http://{ATA IP address}/dev

Also, the "UI Password" is required to access all configuration parameters in the voice-prompt menu. The UI password is an eight-digit number requested with "PASSWD" by the IVR.
This UI Password is unique to every ATA and changes with every configuration update from Vonage. It is stored in the flash device along with the other configuration parameters.

Beginning with ATA firmware version 2.16, the UI Password is also required to perform a Factory Reset. Earlier versions of the firmware would allow a Factory Reset to erase memory (including the password) without prompting for the password. An older Vonage ATA that has not been connected to the network since June 2003 may still allow a factory reset this way.

This is the factory reset procedure:

A) Take the phone off hook. The red button on the top of the ATA-186 will illuminate.
B) Press the illuminating red button on the ATA and dial 322873738#. (The numbers spell FACTRESET# on the telephone)
C) If you hear "P A S S W D", you have firmware 2.16 or newer and can NOT perform the reset without the password. If the prompt asks you to dial * to save changes, press * on your phone's keypad and hang up the phone. You either did not have a UI Password set, or have firmware 2.15 or older.

DEFAULT CONFIGURATION

The Vonage ATA configuration uses DHCP to acquire the IP address for the ATA, but has other services hardcoded by IP number or address. It will not use the DNS, TFTP, or NTP servers provided via DHCP.

CONFIGURATION PATHNAME

By default, Cisco ATA devices will attempt to fetch two files from the TFTP server for configuration:

ata000c30a4f276 (the ATA's MAC address)
atadefault.cfg (common default)

These defaults can be overridden with Option 150 in the DHCP Offer. Instead, Vonage configures the ATA to fetch a file named something like:

bsOWFaqFCa/ata000c30a4f276

There are 10 random characters before the MAC filename. This file exists on the Vonage TFTP server only when needed and is usually Not Found.

ENCODING AND ENCRYPTION

The configuration files are written as text, and then converted to a more compact binary format by the Cisco 'cfgfmt' tool.
This tool provides an option to encrypt the configuration binary using Cisco's RC4 implementation. The RC4 key is provided on the command line as up to 32 ASCII characters and repeated to build a 256-bit RC4 seed value. Vonage encrypts all configuration files this way.

KEY ROTATION

Each configuration file is encrypted with the current RC4 key. Any file that does not decrypt with the current RC4 key is discarded by the ATA. Inside any new file is a parameter titled "EncryptKey" that is the RC4 key used for subsequent configuration files.

When Vonage wants to publish a change to a customer ATA, the requested TFTP file will be posted to their server. Instead of the usual "100 NOTIFY: Event noevent" polling SIP Event, Vonage will immediately send a "NOTIFY: Event check-sync" from ProvisionServer to the ATA. This causes the ATA to immediately TFTP the (encrypted) file, just as it tried at boot time. This time the file exists. If the ATA is not connected to receive the check-sync, it will pick up the new config at its next scheduled poll, or at boot time.

This file will contain only three changes:

- A new RC4 key
- A new UI Password
- A new TFTP filename

The new filename has a different 10-character prefix:

bsOWFaqFCa/ata000c30a4f276 ---> ssBySDwerb/ata000c30a4f276

The ATA resets after receiving the configuration file. At reset, it tries to download the second configuration filename. This file too will exist, and it is encrypted with the new RC4 key. This file contains the other requested configuration changes and keeps the same Key and Password.

When the second file is downloaded, Vonage deletes BOTH files from the TFTP server. The ATA will continue to poll for ssBySDwerb/ata000c30a4f276 until that file is again present with new data.

ACQUIRING THE CONFIGURATION FILE

The configuration file does not change often, so it is not frequently available for download.
A subscriber can trigger a configuration update by changing the Bandwidth Saver option between 30k and 90k on the Dashboard Features. This generates a pair of config files with changed PrfCodec, TxCodec, and LBRCodec parameters.

An ethernet sniffer like tcpdump or ethereal can be used to observe the requested filename from the ATA at boot time. If the ATA is blocked from the internet, any TFTP client can be used to download this file from the Vonage server before the ATA gets to it.

This configuration file is of interest because it contains in it the RC4 key used by the NEXT configuration file and the new UI Password. This file by itself does NOT contain the current UI Password, filename, or RC4 key! It contains the NEXT passwords.

This file is special only because it is encrypted with the current RC4 key expected by the ATA. If this file is to be useful, it must be passed on to the ATA so that these settings can be accepted and loaded into flash.

Immediately after doing so, the ATA will load the second file update. This file contains configuration changes, but retains the same UI Password and Key as the first file.

PREPARATION BEFORE UNSUBSCRIBING

Before unsubscribing from Vonage and completing the term of your subscription, it would be sensible to acquire a configuration file that matches the contents of your ATA.

To obtain the encrypted file, you must cause a configuration event, make a copy of the file before the ATA downloads it, then allow the ATA to find and load the configuration file. You may allow the ATA to download the second file as usual, since it does not change the keys.

KEY WEAKNESS

A proper RC4 cipher using a 256-bit key on about 800 bytes of configuration data could be very hard to decrypt. The biggest weakness in the Vonage encryption system is that they do not use this entire keyspace. Instead, every file is encrypted with a six-digit key ranging from 000000 to 999999 decimal. This brings the keyspace down from impossibly huge to quite small.
A brute-force search can be done in minutes. Further, since each configuration file starts with the known plaintext "#ata", only a small portion of the file actually needs to be decrypted for testing. In seconds.

Once the key has been determined, the Cisco 'cfgfmt' program can be used to decrypt the file and reveal the entire configuration state. A new configuration file can be prepared using the same RC4 key, or the visible UI Password can be used to reset the device and configure anew.

It's likely Vonage will expand their RC4 keyspace very soon, but in the meantime hopefully some ex-customers can restore their ATA device to useful service.

_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
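
The KEY WEAKNESS section above, measured on a constructed sample. This is an added example, not code from the original post or from Cisco or Vonage. It assumes textbook RC4 and a simple repeat-to-32-bytes key expansion, which may differ from what cfgfmt actually does; the sample plaintext and key are constructed. It compares the effective entropy of a six-digit key with one that fills the 32-character key field from a CSPRNG.

```python
import math
import secrets

def expand_key(ascii_key: str) -> bytes:
    """Repeat an ASCII key to 32 bytes (assumed form of the 256-bit seed)."""
    raw = ascii_key.encode("ascii")
    return (raw * (32 // len(raw) + 1))[:32]

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are identical."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def effective_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a key drawn uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)

def search_six_digit(ciphertext: bytes, known_prefix: bytes = b"#ata"):
    """Test keys 000000..999999 against the known prefix only.
    Returns (key, attempts), or (None, 1000000) if nothing matches."""
    head = ciphertext[:len(known_prefix)]
    for n in range(1_000_000):
        candidate = f"{n:06d}"
        if rc4(expand_key(candidate), head) == known_prefix:
            return candidate, n + 1
    return None, 1_000_000

def strong_key() -> str:
    """32 ASCII hex characters from the OS CSPRNG: 128 bits of entropy."""
    return secrets.token_hex(16)

# Constructed sample: not a real configuration file and not a real key.
SAMPLE_PLAINTEXT = b"#ata constructed sample, not a real configuration\n"
SAMPLE_KEY = "004217"
SAMPLE_CIPHERTEXT = rc4(expand_key(SAMPLE_KEY), SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(f"six-digit key: {effective_bits(10, 6):.1f} bits")
    print(f"32 hex chars:  {effective_bits(16, 32):.1f} bits")
    print(search_six_digit(SAMPLE_CIPHERTEXT))
```

Padding a short key out to 256 bits adds no entropy: the seed is 32 bytes long, but only about 20 bits of it are unknown.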