Unlocking HT701 the BasicTalk ATA

Important NOTE: a better unlocking method has been posted later in this thread.  My soft unlock may help in some cases if the ATA has "called home".

I have some good news for those of you looking for an inexpensive ATA.

I've just got my hands yesterday on a couple of BasicTalk ATAs (I've had my eyes on them for a few months but I live in Canada and don't go to US that often) and I put together a small tutorial for unlocking them.

The ATA is a Grandstream HT701 with a customized firmware.

I posted it on my website at »voipfan.net/unlock/ht701bt.php

http://voipfan.net/unlock/ht701bt.php

I will leave the access open to everyone for a couple months then make it available to registered users (like my other unlocking tutorials).

Enjoy and if you run into any trouble please post here.

Grandstream HT502 for Freephoneline

Before you start configuring the adapter, make sure you have the following settings for your SIP account:
- SIP Server address (sometimes called SIP Proxy)
- SIP User ID (in most cases this is the phone number)
- The password for the SIP account
To obtain these settings, you must contact Freephoneline and ask for your configuration file. There's a one time charge for this, currently $50 CAD + tax. They will send you a Word document with the settings.

Connect all the cables: power cord, an ethernet cable from your router (or modem) to the WAN port of the HT502, an ethernet cable from the LAN port to your PC and a phone to the Phone 1 port. Open a web browser and type in http://192.168.2.1. The login page will come up, enter admin to log in then click Advanced Settings:



Change the following settings:
- STUN server is: enter the host name or IP address of a publicly available STUN server, such as stunserver.org
- Keep-alive interval: change to 10
Click Update at the bottom of the page, but don't reboot yet. Click FXS Port1 to configure the settings for the Line 1.

Grandstream HT502 for VBuzzer

Connect all the cables: power cord, an ethernet cable from your router (or modem) to the WAN port of the HT502, an ethernet cable from the LAN port to your PC and a phone to the Phone 1 port. Open a web browser and type in http://192.168.2.1. The login page will come up, enter admin to log in then click Advanced Settings:



Change the following settings:
- STUN server is: enter the host name or IP address of a publicly available STUN server, such as stunserver.org
- Keep-alive interval: change to 10
Click Update at the bottom of the page, but don't reboot yet. Click FXS Port1 to configure the settings for the Line 1.

Unlocking the BasicTalk ATA - HT701

it's worked fine on a 2nd HT701 I'm going to go ahead and post this. Remember that this is still very much beta so please only attempt this if you know what you're doing and are not afraid of bricking your unit.

Note, this WILL wipe all the settings and return it to a factory default state. It will look like a brand new HT701 when done.

Remember, although it needs to be on a network with your computer it cannot have internet access or it'll phone home and become locked!

1) Log in to the web interface as admin. If it's a virgin ATA the admin password is ERgTbCLo
2) Upload this firmware image (bottom of the 'Advanced Settings' page):
download

ht701fw.bin.zip 3676664 bytes  (copy and paste)
http://www.dslreports.com/r0/download/2141094~d4e88417991859782a92832da30f9ec1/ht701fw.bin.zip


3) Wait 2 minutes 34 seconds (at least! that's just how long mine took) after clicking the submit button and then power cycle it. It will NOT come back up by itself.
4) After power cycling it, mine took approx. 1 minute 7 seconds before the web interface started responding again. The admin password is now "admin"

Congratulations, you now have a permanently unlocked ATA. This firmware build also has the serial console enabled and NFS support (HUGE help while working on it!). You can now flash a stock HT701 firmware image if you want. I consider this firmware a 'dev' build so you will probably want to flash the normal stock firmware to it if you are not interested in the serial interface or otherwise hacking it.

Grandstream HT286 for Freephoneline

Before you start configuring the adapter, make sure you have the following settings for your SIP account:
- SIP Server address (sometimes called SIP Proxy)
- SIP User ID (in most cases this is the phone number)
- The password for the SIP account
To obtain these settings, you must contact Freephoneline and ask for your configuration file. There's a one time charge for this, currently $50 CAD + tax. They will send you a Word document with the settings.

Connect all the cables: power cord, an Ethernet cable to router and a phone to the Phone port. Then pick up the phone and either push the white button on the adapter or dial *** from the phone. The adapter should start playing some menu options. Dial ** and the adapter will read back (with voice) the IP address it has obtained from your router. Open a web browser and type in that IP address. The login page will come up, enter admin to log in. You will be automatically taken to the Advanced Settings page:

Grandstream HT-496 Supervisor password

[Unlock] Here is Comwave Supervisor password (Grandstream HT-496)


MUST BE DISCONNECTED FROM THE INTERNET - to prevent RE-DOWNLOAD and the lock "Provisioning"

If you are looking to unlock supervisor password for Comwave VOIP adapter, here it is, will work with Grandstream HT-496 & may be other models also.

14ackhvy

(please note comwave does change password from time to time, so if you able to get in, change "Config Server Path:" to something dummy like
Example: Config Server Path: 192.168.0.1

ADVANCED SETTINGS -> Config Server Path:

By default it should connect to comtftpsrv.comwave.net, so change that to 192.168.0.1

Unlocking the BasicTalk ATA [Unlock]

[Unlock] Unlocking the BasicTalk ATA

The Vonage provisioning scheme generally looks like this:
- the ATA has a "root" encryption key stored in from the factory (unique for each ATA). Let's call it KeyA
- when it downloads its first configuration file from Vonage (we'll call it CfgA), it uses the factory key (KeyA) to decrypt the provisioning file. The provisioning file will contain a new key (KeyB) and a subdirectory where the ATA is supposed to find the next provisioning file. We'll call that SubB
- the next provisioning file won't be available until a change needs to be made to the ATA. At that point, a file CfgB will be created at the path httpconfig.vonage.net / SubB. This file is encrypted with KeyB and contains the next set of provisioning parameters, KeyC and SubC
- when a new change needs to be applied to the ATA, a new file will be available at SubC encrypted with KeyC
And so on, you probably get the idea.

In the case of BasicTalk, it looks like things are a little easier. Apparently there's no KeyA stored in the device from the factory, so technically it will accept an unencrypted CfgA. However, once CfgA is downloaded from Vonage, it will contain an encryption key and the ATA will not accept an unencrypted config file any further. That's why an ATA that was connected to the internet can't be unlocked with this procedure anymore.

However, the CfgA coming from Vonage is still encrypted (or maybe I should say obfuscated) so that the settings inside can't be seen easily. Also, if you download the same file over and over, the files will be different, so the key must be somehow stored in the file. In fact, I've been playing with the Grandstream Configuration Tools which has the capability to generate plain files as well as obfuscated files and it works the same way, each time the file generated is different.
I am trying to figure out how it's encrypted but didn't have much luck so far.

Grandstream HT286 for VBuzzer

Connect all the cables: power cord, an Ethernet cable to router and a phone to the Phone port. Then pick up the phone and either push the white button on the adapter or dial *** from the phone. The adapter should start playing some menu options. Dial ** and the adapter will read back (with voice) the IP address it has obtained from your router. Open a web browser and type in that IP address. The login page will come up, enter admin to log in. You will be automatically taken to the Advanced Settings page:



Enter the following settings:
- SIP Server: vbuzzer.com:80
- Outbound proxy: leave blank
- SIP User ID: enter your vbuzzer username
- Phone number: enter your vbuzzer username
- Authenticate Password: enter your vbuzzer password
- Name: you can leave it blank or enter your name here (note that this does not change the Caller ID)
- Register Expiration: change to 120
- (optional) Local SIP port: the default value is 5060. If you have other VoIP adapters in your LAN, or computers running softphones, you may have to change this to a value between 5060-5069 in order to avoid conflicts

Grandstream HandyTone-502 unlock

Grandstream HandyTone-502 unlock

DISCONNECT FROM THE INTERNET

Try this password 1st for locked Comwave VOIP box...
14ackhvy
then try factory reset if this does not work.

DISCONNECT FROM THE INTERNET

Follow these steps carefully...