[Unlock] Unlocking the BasicTalk ATA
The Vonage provisioning scheme generally looks like this:
- the ATA has a "root" encryption key stored in from the factory (unique for each ATA). Let's call it KeyA
- when it downloads its first configuration file from Vonage (we'll call it CfgA), it uses the factory key (KeyA) to decrypt the provisioning file. The provisioning file will contain a new key (KeyB) and a subdirectory where the ATA is supposed to find the next provisioning file. We'll call that SubB
- the next provisioning file won't be available until a change needs to be made to the ATA. At that point, a file CfgB will be created at the path httpconfig.vonage.net / SubB. This file is encrypted with KeyB and contains the next set of provisioning parameters, KeyC and SubC
- when a new change needs to be applied to the ATA, a new file will be available at SubC encrypted with KeyC
And so on, you probably get the idea.
In the case of BasicTalk, it looks like things are a little easier. Apparently there's no KeyA stored in the device from the factory, so technically it will accept an unencrypted CfgA. However, once CfgA is downloaded from Vonage, it will contain an encryption key and the ATA will not accept an unencrypted config file any further. That's why an ATA that was connected to the internet can't be unlocked with this procedure anymore.
However, the CfgA coming from Vonage is still encrypted (or maybe I should say obfuscated) so that the settings inside can't be seen easily. Also, if you download the same file over and over, the files will be different, so the key must be somehow stored in the file. In fact, I've been playing with the Grandstream Configuration Tools which has the capability to generate plain files as well as obfuscated files and it works the same way, each time the file generated is different.
I am trying to figure out how it's encrypted but didn't have much luck so far.
- the ATA has a "root" encryption key stored in from the factory (unique for each ATA). Let's call it KeyA
- when it downloads its first configuration file from Vonage (we'll call it CfgA), it uses the factory key (KeyA) to decrypt the provisioning file. The provisioning file will contain a new key (KeyB) and a subdirectory where the ATA is supposed to find the next provisioning file. We'll call that SubB
- the next provisioning file won't be available until a change needs to be made to the ATA. At that point, a file CfgB will be created at the path httpconfig.vonage.net / SubB. This file is encrypted with KeyB and contains the next set of provisioning parameters, KeyC and SubC
- when a new change needs to be applied to the ATA, a new file will be available at SubC encrypted with KeyC
And so on, you probably get the idea.
In the case of BasicTalk, it looks like things are a little easier. Apparently there's no KeyA stored in the device from the factory, so technically it will accept an unencrypted CfgA. However, once CfgA is downloaded from Vonage, it will contain an encryption key and the ATA will not accept an unencrypted config file any further. That's why an ATA that was connected to the internet can't be unlocked with this procedure anymore.
However, the CfgA coming from Vonage is still encrypted (or maybe I should say obfuscated) so that the settings inside can't be seen easily. Also, if you download the same file over and over, the files will be different, so the key must be somehow stored in the file. In fact, I've been playing with the Grandstream Configuration Tools which has the capability to generate plain files as well as obfuscated files and it works the same way, each time the file generated is different.
I am trying to figure out how it's encrypted but didn't have much luck so far.
No comments:
Post a Comment