in Telephony

hacking the Linksys PAP2 to work with Asterisk

My girlfriend and I are converting to a completely IP-based telephony setup in our new house, so it was time for me to get more IP phones, or to convert existing analog phones to IP using ATAs. I decided to go cheap and buy a Linksys PAP2 from Best Buy and see if I could hack it to work with Asterisk. These devices cost about CAD$65 and give you two analog ports; in retrospect, I should have checked at Canada Computers first, since they’re selling them for CAD$59.95. Oh well.

I read up quite a bit on unlocking your PAP2 to work with other SIP providers (like yourself!) but one key point that is missing from many of these articles is that there are two versions of the PAP2, version 1.0 and version 2.0. Version 1.0 is what is mentioned in the above unlocking article on; it was originally developed by Sipura, resembles the SPA-2000 in functionality, and loads its provisioning configuration (encrypted of course) from a Vonage TFTP server by the name of with filenames like spa00000000000.xml. Version 2.0 is what I have; it uses the TI AR7 chipset, loads provisioning configs from with filenames like ti0000000000.xml. My failure to make this distinction led me to waste a couple hours with tcpdump (via Ethereal) and my TFTP server before realizing that there must be some substance to the fact that the behaviour observed on the wire was distinctly different than what was described at the page… oops.

Once I actually ascertained what device I had, the rest was fairly straightforward. You obviously need a "lab" setup to unlock these devices; the last thing you want is for the thing to go out on the Internet and start provisioning itself with Vonage, which is what it will do if you just plug it in. What I did is set up a spare CardBus ethernet card on my laptop with a crossover cable, and run DHCP on that interface. Once the quarantined PAP2 had an IP address, I could log into it over HTTP and change it to a manually assigned address. I should note that the PAP2 comes with three "accounts" on it:

  • admin (password "admin")
  • user
  • Admin (yes, with an uppercase A)

admin/admin is what you can use to log into the device and modify a few basic parameters, but not the voice provisioning information.

Once the device has a static IP address, you can run the CYT Device Unlock Utility. Unfortunately, this utility only works under Windows, so you need a Windows lab box set up in the same way (maybe you could just do all this work under Windows, but I have no idea where you’d get a Windows DHCP server for XP or similar desktop-class Windows editions). Fortunately, my laptop is dual-boot so I had no trouble.

The CYT unlock utility requires you to perform an out-of-band login to the PAP2 over HTTP as admin/admin and then it will reset the user and Admin (sic) passwords respectively, and reset all the voice provisioning settings to their defaults, i.e. not Vonage. At this point, the device is "safe" and you can plug it back into your regular network without fear that it will go and provision itself on Vonage.

The end state of the PAP2 after unlocking is strange; you can’t log into the device directly as the Admin user. You must know the names of the "hidden" HTML pages within the firmware that let you change provisioning information, and then when prompted for the admin password to access those pages, you can enter Admin as the username and whatever password you assigned using the CYT utility. For the record, the hidden HTML pages are:

  • http://pap2ip/Provision.html for the voice provisioning page
  • http://pap2ip/Voice_adminPage.html for the page where you can program the SIP account information
  • http://pap2ip/update.html for firmware upgrading

Because the HTML pages are hidden, if you try to navigate away from them by clicking on the toolbar, etc. of the admin interface, you’ll be bounced back into the regular admin user interface, and you won’t easily be able to return to the hidden pages except by typing them into your browser.

In summary: this all worked fairly well, and I have two analog phones attached as new extensions. However, the way the device’s firmware was put together seems really shoddy; granted, they didn’t expect end-users to hack it, but it appears as though Linksys rushed something out the door just to meet Vonage’s specific business needs. Next time if I need an ATA, I’ll probably buy the already-unlocked version of this ATA, the PAP2T-NA; not because I’m not capable of hacking the ATA, but because the resultant user interface is awful to use, due to the navigational bizarreness. The PAP2T-NA is about $15 more, but I think it’s worth it.

Write a Comment


  1. hello Julian,

    I have a LINKSYS PAP2 and i want to use it with Asterisk but i don't have any idea about how to configure Asterisk to work with it.
    please help me.


  2. my pap2 is asking for user and apass how can i see what is that pass my is not vonage i bout it at ebay it stay unlocked they lie

  3. Jay: What I mean is that you need a private non-routable network segment on which to work, otherwise the PAP2-NA is going to try to contact Vonage and register itself – then you're screwed!