Re: PAP2 admin password (unknown provisioning)

TonyD45471551 · ‎08-25-2019

I have a second-hand Cisco/Linksys PAP2 phone adapter which was donated to a non-profit where I volunteer. I know nothing about how it was previously used, but would like to restore it to a usable state. It seems to have an admin password set, which is preventing me from changing the configuration.

More information:

I can access its web interface and can change its user password. I don't see an "admin logon" button on the home screen.

I can access the IVR interface and can do a factory reset (73738#). The factory reset does not require a password and reports "option complete". It does reset the user password to blank, but even after the factory reset I can't log on with user name "admin" and a blank password, nor with any of my dumb guesses at an admin password, such as "password" or "admin".

The product information reported by the device is:

Product Name: PAP2
Serial Number: FH900EB31957
Software Version: 3.1.9(LSc)
Hardware Version: 0.03.4
MAC Address: 0014BF4E1C66
Client Certificate: Installed
Customization: Customized

Does any of you recognize these symptoms and (even better) know how to reset the PAP2 from this state so I can change its configuration?

Dan Lukes · ‎08-25-2019

Customization: Customized

Unfortunately, you have no stock PAP2 - the device you have has been manufactured for a large Cisco (well, Linksys) customer (probably a large ISP or so) and has been customized to satisfy it's specific requirements. In short, you just can't use.

Well, sometime, the burned-in configuration may not be 100% safe, so there MAY-BE chance to break-in, but it require skills, a lot of time, and it may not end in success. If you are skilled IT technician and you have two or three days of spare time, you can try it. But unless you take it as challenge, it's ineffective use of your time.

TonyD45471551 · ‎08-25-2019

Thanks for your reply. Do you have any tips for figuring out for which
provider the PAP2 was customized?

Dan Lukes · ‎08-25-2019

I'm not familiar with PAP2 - it's older than oldest Linksys product I meet ever. Never products have name of the customer shown as value of "Customization:" but PAP2 seems to show just "customized" here. Unless the name is shown elsewhere on status page, it may not be disclosed at all. You may try to catch network communication of PAP2 during power on. It should try to contact provisioning server of it's "owner" to fetch configuration update. It may disclose you who's behind.

But don't put so much hope on the name of device administrator - even in the case he will be willing to hand-over control to you (little chance) I'm almost sure he will be unable to do it - not only because age of device (employee familiar with PAP2 may no longer be on duty, provisioning server may not exist at all) but because original customization may be irreversible.

TonyD45471551 · ‎08-26-2019

Thanks for your reply. I fear you're correct; I'll put this issue on the
back burner unless/until I find enough enthusiasm to try to sniff its
network traffic, or until I get sufficiently tired of it to send it to
recycling.

Dan Lukes · ‎08-26-2019

If you have courage, you can try another round of lottery:

PAP2T or PAP2T

Both about $20 including international postage, both sellers seems not to be unskilled home-owners, so they should know what they are doing. Moreover, PAP2T is somewhat newer than PAP2, although still old and unsupported.

I don't guarantee those sellers are reputable, of course, but they looks good enough for me. Moreover it's not gift, so organization we are speaking of may not be interested. Just hint ...