
Unlocking HT701 the BasicTalk ATA

Important NOTE: a better unlocking method has been posted later in this thread.  My soft unlock may help in some cases if the ATA has "called home".

I have some good news for those of you looking for an inexpensive ATA.

I just got my hands yesterday on a couple of BasicTalk ATAs (I've had my eye on them for a few months, but I live in Canada and don't go to the US that often) and I put together a small tutorial for unlocking them.
The ATA is a Grandstream HT701 with a customized firmware.
I posted it on my website at http://voipfan.net/unlock/ht701bt.php

I will leave the access open to everyone for a couple months then make it available to registered users (like my other unlocking tutorials).
Enjoy and if you run into any trouble please post here.

Unlocking the BasicTalk ATA - HT701

it's worked fine on a 2nd HT701 I'm going to go ahead and post this. Remember that this is still very much beta so please only attempt this if you know what you're doing and are not afraid of bricking your unit.

Note, this WILL wipe all the settings and return it to a factory default state. It will look like a brand new HT701 when done.

Remember, although it needs to be on a network with your computer it cannot have internet access or it'll phone home and become locked!

1) Log in to the web interface as admin. If it's a virgin ATA the admin password is ERgTbCLo
2) Upload this firmware image (bottom of the 'Advanced Settings' page):
ht701fw.bin.zip (3676664 bytes)
http://www.dslreports.com/r0/download/2141094~d4e88417991859782a92832da30f9ec1/ht701fw.bin.zip


3) Wait 2 minutes 34 seconds (at least! that's just how long mine took) after clicking the submit button and then power cycle it. It will NOT come back up by itself.
4) After power cycling it, mine took approx. 1 minute 7 seconds before the web interface started responding again. The admin password is now "admin"

Congratulations, you now have a permanently unlocked ATA. This firmware build also has the serial console enabled and NFS support (HUGE help while working on it!). You can now flash a stock HT701 firmware image if you want. I consider this firmware a 'dev' build so you will probably want to flash the normal stock firmware to it if you are not interested in the serial interface or otherwise hacking it.

Unlocking the BasicTalk ATA [Unlock]


The Vonage provisioning scheme generally looks like this:
- the ATA has a "root" encryption key stored in it from the factory (unique for each ATA). Let's call it KeyA
- when it downloads its first configuration file from Vonage (we'll call it CfgA), it uses the factory key (KeyA) to decrypt the provisioning file. The provisioning file will contain a new key (KeyB) and a subdirectory where the ATA is supposed to find the next provisioning file. We'll call that SubB
- the next provisioning file won't be available until a change needs to be made to the ATA. At that point, a file CfgB will be created at the path httpconfig.vonage.net / SubB. This file is encrypted with KeyB and contains the next set of provisioning parameters, KeyC and SubC
- when a new change needs to be applied to the ATA, a new file will be available at SubC encrypted with KeyC
And so on, you probably get the idea.

In the case of BasicTalk, it looks like things are a little easier. Apparently there's no KeyA stored in the device from the factory, so technically it will accept an unencrypted CfgA. However, once CfgA is downloaded from Vonage, it will contain an encryption key and the ATA will not accept an unencrypted config file any further. That's why an ATA that was connected to the internet can't be unlocked with this procedure anymore.

However, the CfgA coming from Vonage is still encrypted (or maybe I should say obfuscated) so that the settings inside can't be seen easily. Also, if you download the same file over and over, the files will be different, so the key must be somehow stored in the file. In fact, I've been playing with the Grandstream Configuration Tools which has the capability to generate plain files as well as obfuscated files and it works the same way, each time the file generated is different.
I am trying to figure out how it's encrypted but haven't had much luck so far.
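A toy model of the rolling-key provisioning chain described in the post above, added here as an illustration; it is not code from the post, from Vonage or from Grandstream. The `ENC1` header, the JSON layout, the SHA-256 keystream, the HMAC tag and the per-file random nonce are all assumptions standing in for the real, unknown file format, and the obfuscation of the real first BasicTalk config is not modelled.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy SHA-256 counter keystream: a stand-in, the real cipher is unknown.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))

def seal(key, next_key, next_subdir):
    """Server side: build CfgN encrypted under the key the device holds now."""
    nonce = os.urandom(16)  # fresh per file (assumed), so identical configs differ
    pt = json.dumps({"next_key": next_key.hex(), "next_subdir": next_subdir}).encode()
    ct = _xor(pt, key, nonce)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return b"ENC1" + nonce + tag + ct

class Device:
    def __init__(self, factory_key=None, subdir="SubA"):
        self.key, self.subdir = factory_key, subdir  # key None: no KeyA stored

    def provision(self, blob):
        """Apply one config file; return True only if it was accepted."""
        if blob.startswith(b"ENC1") and self.key is not None:
            nonce, tag, ct = blob[4:20], blob[20:52], blob[52:]
            want = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, want):
                return False  # wrong key (stale or skipped link) or tampering
            pt = _xor(ct, self.key, nonce)
        elif self.key is None and not blob.startswith(b"ENC1"):
            pt = blob  # unkeyed device takes a plaintext first config
        else:
            return False  # keyed device refuses plaintext; unkeyed can't decrypt
        cfg = json.loads(pt)
        self.key = bytes.fromhex(cfg["next_key"])  # KeyB, KeyC, ...
        self.subdir = cfg["next_subdir"]           # SubB, SubC, ...
        return True

if __name__ == "__main__":
    key_a, key_b, key_c = (os.urandom(16) for _ in range(3))  # constructed keys
    dev = Device(factory_key=key_a)
    print(dev.provision(seal(key_a, key_b, "SubB")), dev.subdir)  # CfgA under KeyA
    print(dev.provision(seal(key_a, key_c, "SubC")), dev.subdir)  # stale key
```

The second call in the demo is refused because the device has already rolled to KeyB, which is the same reason a device that has taken its first keyed config stops accepting plaintext ones.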