Disclaimer: You might be violating the terms and conditions with
your service provider by unlocking the device. I am not responsible if
you are sued or for the losses incurred if any.
I ended up buying a locked Grandstream HT486 ATA from Amazon.com. I requested to return the item to the seller and the seller refunded the money without asking any questions and allowed me to keep the adapter. It was locked to a specific unknown service provider so I couldn't use it with any other services. You won't be able to access the advanced settings page (in order to configure the device for a different service) on a locked device with the default administrator password 'admin'. This happened twice and I ended up having two unusable ATAs for free.
I was about to throw away these two adapters while cleaning the house the other day. That's when I thought about the possibility of hacking these ATAs. I went through the manual and noticed (Section 6.3) that the device could be configured to download its configuration automatically from a remote server during bootup - this configuration information includes the administrator password! I hooked it up to my computer and fired up Wireshark to see what happens when the device boots up. I could see that, after some DHCP and DNS traffic, the device requests a configuration file from a remote server with an IP address something like 67.xxx.xxx.xxx (this would be the server of the service provider). In my case the server was responding to that request with a 'Not found' response as the file was no longer present on that server.
Now to unlock the device, all I had to do was to set up a webserver and serve a custom config file with a custom admin password. When the file is requested by the device, the old admin password will be overwritten by the new password you have set in the new configuration file, thereby unlocking the device. Grandstream provides a device configuration file generator to generate configuration files for the device. This is originally intended for service providers to configure the device before it is sold to the customers. This tool can be used to generate your custom configuration file.
1. Find config server
Connect the WAN port of the device to a free Ethernet port (say eth0) of a Linux computer with at least two network connections. This Ethernet port should be configured to share the internet connection. I used an Ubuntu machine as I wrote the webserver for Linux. (Windows users can easily set up an Ubuntu machine on their existing machine using LinuxLive without modifying the machine and use the same script.) Use the other Ethernet (or wireless) port on this computer to connect to the internet. Start Wireshark and monitor eth0 to see whether the device is fetching any configuration files. You should see something like the following (No. 51 in the green section) if it does. We will need the path of the file which is being accessed and the destination IP address the device is fetching it from in step 3. If the device is not fetching a configuration file - bad luck; this hack will not work in that case. Make sure that you can ping the device from a terminal using its IP address (the 'Source' address shown in No. 51).
2. Generate configuration file
Using the configuration generator and the configuration template file from the Grandstream website, generate a configuration file for your device. In order to generate the config file you will need the MAC address of the device and the configuration template file. Delete everything from the config template file except for the entry P2, which is the admin password. Set the required admin password or leave it as the default ('admin'). Do not use any CSV file option. Once the config file is generated, rename the file to 'config.txt' and put it in the same directory where you plan to run the script in the next step.
3. Run the webserver script
Before running the script, edit the following four lines in the script with the values of your setup.
# Path fetched by ATA after boot. Get this from Step 1
# Replace /cfg_data/cfg123456789abc with your path
# 123456789abc was the MAC address of the device in my case
our $file_path = '/cfg_data/cfg123456789abc';

# Name of config file
# Put this file where you run the script
our $cfg_file = 'config.txt';

# IP address of remote server. Get this from Step 1
# Replace this with the IP address fetched by the handytone
my $remote_server = '67.123.456.789';

# Ethernet port to which the handytone is connected
# Check the port name using sudo ifconfig
my $ethernet_port = 'eth0';

Once you have edited the above parameters, run the script in a new terminal using
sudo ./http_server.pl

You should have root privileges to run the script. If the script errors out saying it is unable to find an xxx.pm module, install those modules using your favourite package manager in Ubuntu. To check that the script is running correctly, open a browser, type the following in the address bar and press enter:
http://<$remote_server IP address set above>/hello

If everything goes well, you should see 'hello!' in your browser. You are now ready to apply the hack. At this point turn the handytone off by removing its power plug and put it back in. Your device will boot up and request the file. This request will be routed to the script, which will supply the new config file that resets the admin password. You should see a message printed on the terminal:
Handling [/cfg_data/cfg0123456789abc] request [0] OK

The device is unlocked at this point. You should be able to go to the advanced settings page in your browser, using the admin password you set in the configuration template, at
http://<Source Address from Step 1>

Make sure that you disable automatic configuration update in the advanced settings page, or the device configuration will be overwritten again when you reboot the device.
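The unlock works only because the ATA fetches its configuration over plain HTTP from whoever answers at the provisioning address, without authenticating the file it receives, so the same boot-time request is worth watching on any network that still has such devices. As an added example (not part of the original post), the Python below audits Wireshark-style HTTP summary lines for config fetches and flags the two risky conditions the post describes: a provider that answers 'Not found' (the file is orphaned but still requested every boot) and a fetch answered by a server that is not the provider. The sample lines, the /cfg_data/cfg<MAC> path pattern and the provider allowlist 67.1.2.0/24 are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the style of a Wireshark HTTP packet summary:
# "<No.> <Source> <Destination> HTTP <Info>". Not captured from a real device.
SAMPLE_LOG = """\
51 192.168.2.10 67.1.2.3 HTTP GET /cfg_data/cfg123456789abc HTTP/1.0
52 67.1.2.3 192.168.2.10 HTTP HTTP/1.0 404 Not Found
60 192.168.2.11 192.168.2.1 HTTP GET /cfg_data/cfg0123456789ab HTTP/1.0
61 192.168.2.1 192.168.2.11 HTTP HTTP/1.0 200 OK
70 192.168.2.12 198.51.100.7 HTTP GET /firmware/ht486.bin HTTP/1.0
"""

# Assumed allowlist of the provider's real provisioning servers.
PROVIDER_NETS = [ip_network("67.1.2.0/24")]

# Provisioning request path as described in the post: /cfg_data/cfg<12 hex digits of MAC>.
REQ_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+HTTP\s+GET\s+/cfg_data/cfg([0-9a-fA-F]{12})\s")
RESP_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+HTTP\s+HTTP/1\.[01]\s+(\d{3})\b")

def audit_provisioning(log_text, provider_nets=PROVIDER_NETS):
    """Return one finding per config fetch, with the risk conditions it exhibits."""
    findings = []
    pending = {}  # (server, client) -> finding awaiting the server's response
    for line in log_text.splitlines():
        req = REQ_RE.match(line)
        if req:
            frame, client, server, mac = req.groups()
            trusted = any(ip_address(server) in net for net in provider_nets)
            finding = {"frame": int(frame), "client": client, "server": server,
                       "mac": mac.lower(), "trusted": trusted, "issues": []}
            if not trusted:
                # The device asked something other than the provider for its config.
                finding["issues"].append("untrusted-server")
            pending[(server, client)] = finding
            findings.append(finding)
            continue
        resp = RESP_RE.match(line)
        if resp:
            _, server, client, status = resp.groups()
            finding = pending.pop((server, client), None)
            if finding and finding["trusted"] and status == "404":
                # Provider no longer hosts the file, yet the device keeps asking every boot:
                # whoever answers first sets the admin password (P2).
                finding["issues"].append("orphaned-provisioning")
            elif finding and not finding["trusted"] and status == "200":
                finding["issues"].append("config-replaced")
    return findings
```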
Happy Unlocking!