Zyxel Prestige 2302R VoIP adapter/router hacking

Destinations
My stuff:
.wgz.org:
.wgz.com:
Other stuff:
Publications:

Disclaimer

I am providing this information for the sole purpose of enabling further use of discarded Analog Telephone Adapter devices. These instructions are specific to the firmware used by Verizon VoiceWing service, which has been terminated, and customers were allowed to keep the adapters. Therefore these instructions are intended only to enable the owners of these devices to use them for their own legitimate purposes instead of discarding them.

I do not support using these devices to avoid paying for any services. I do not believe these instructions enable such use. They simply allow re-use of hardware that was bound to a service that no longer exists.

Background

In 2008, I decided to try VoIP service to replace our expensive land line service. After reviewing the options, I picked Verizon-branded VoiceWing service. They shipped me a Zyxel Prestige 2302R ATA with integrated router. I plugged it in, and quickly had phone service. After a few days' testing, I decided to port our land-line number, and enjoyed acceptable service at a much lower price. Side note: I use VOIPo now -- it's even cheaper and offers better features.

In January of 2009, Verizon announced that it would be shutting down VoiceWing by the end of March. They explicitly allowed early port-outs without ETF, and stated that customers could keep the VoiceWing-provided ATAs.

This is a summary of my efforts to save the Zyxel device from abandonment.

Locked

As is common with provider-issued ATAs, the Zyxel device attempts to connect to Verizon's server (www36.verizon.com) during boot, to retrieve general configuration, provisioning information, and firmware updates. This auto-provisioning mechanism survives configuration reset. There is also a web configuration interface. The default account information (admin/1234) allows basic setup, including networking parameters. It provides no access to SIP or other VoIP settings.

There is another account, VW_Admin, which has full access. The password for this account is apparently generated randomly on first boot (and regenerated after configuration reset). It can also be set via auto-provisioning.

Administrative interfaces into the device include web, telnet, FTP, and SNMP. In fact, the admin account can retrieve the current configuration via FTP by requesting the file rom-0 (binary form), or rom-t. Only the VW_Admin account has permission to write files, with which you can write a new configuration.

Passwords are obscured in the configuration backup, except for the System Password. This is VW_Admin's password, in clear text. As I said before, this is randomly generated upon first boot or configuration reset, so you'll have to find it yourself.

Using the newly-determined full-access account, you can use the web, FTP, or telnet interface to access the full configuration. From any of these interfaces, you can set a new System Password, and disable auto-provisioning.

For the fastest results, use the System Password to access the web interface. Under the VOIP entry in the left-hand menu, access the Auto Provision tab. Uncheck Active, Apply, and now your P2302R will no longer try to update its configuration from Verizon (although the servers no longer return anything useful).

Configuration

While the web interface is easy to use, and the telnet interface is great for people who are used to arcane telecom hardware, the FTP interface offers great power. As mentioned before, retrieving rom-t gives you the nearly complete configuration (except domain name). You can also write to this file to replace the configuration. In fact, you need only write the specific variables you wish to change. Once you logout from the FTP session, the device parses the new configuration, stores it, and reboots.

Gotchas

Even after unlocking my P2302R and registering it with Asterisk and Freeswitch, I could place calls but not answer them. Finally I had an aha moment. There is a hidden section in the configuration that was blocking me. In "Menu 98.13 SIP Authentication Setting", there are settings to restrict incoming calls and notifications to specific servers, or to require authentication. These parameters were used to allow only VoiceWing's servers to send calls, message waiting indicators, and so on to my device. By disabling these options as follows, I can now place calls directly to it.

        981301027 = Challenge SIP Invite <0(No) | 1(Yes)> = 0
        981301028 = Challenge SIP Notify <0(No) | 1(Yes)> = 0
  

The quick way

I've created a shell script that uses the FTP interface to retrieve the System Password. It sends a short configuration update, including a new, pre-known System Password, that also disables auto-provisioning and the incoming SIP challenges.

Further experimentation

I've been playing with auto-provisioning. The rom-t file is a good starting point, picking out just the parts I want to change from the default configuration. One gotcha is that the box does not like when the provisioning URL has a hostname that resolves to a non-routable address. I haven't investigated this much, but it works fine when I set a local IP address in the URL instead.