I'm an Aussie who moved to Ottawa, Canada in 2008. I'm always having a moan about something. This is where I moan and whinge about things. Enjoy.

Wednesday 8 July 2015

Thanks for nothing Comwave

I found an ATA (Analogue Telephone Adapter) at Value Village recently, which is a device that's used to convert analogue phones into VoIP phones, for a few dollars. I guess I didn't learn my lesson from last time, when I bought a Linksys PAP2T that was locked to Vonage..

This one is a Linksys 2102-R, where the -R means it's locked to someone. I setup my machine to block most network traffic from it, since that was how I got screwed last time, when the Vonage locked one phoned home and set itself in a state where I couldn't unlock it..

I plugged it in, and while running a packet capture I saw it attempting to perform DNS lookups for "dmsc.comwave.net", which appears to be Comwave's provisioning server.

I googled around on how to unlock the device, and for another provider which doesn't exist anymore, someone worked out a trick of how to unlock it. I wanted to see if that might work against this one, so I allowed it out to the Internet, but once I saw that it was attempting to provision over HTTPS to Comwave's provisioning server, I knew that trick wouldn't work against this unit, since I would need Comwave's SSL certificate private key.

More googling around didn't turn up anything useful for how to unlock it, so I figured I would contact Comwave's support, and ask them to unlock it for me, since this is an old unit.

Here's the email exchange I had with Comwave's support:

(note the timestamps, so you can see they take advantage of the "up to 2 business days" response time frame)..

JUN 30, 2015  |  02:09PM UTC
Original message
Simon wrote:

I bought a Linksys SPA2102-R from Value Village and it's locked to your services. It contacts your provisioning server, are you able to unlock this adapter as I wish to use it with an Asterisk PBX?

JUL 02, 2015  |  07:13PM UTC
Comwave Technical Support replied:
Dear Simon,
Thank you for taking the time to contact us. We will be glad to assist you.
We would like to get more information about the device. Could you please provide us the MAC and serial number of the Linksys SPA2102-R? You can find this information at the botton of the device.
We will be looking forward to hearing from you at your earliest convenience. Sincerely,
Herbert- eCare Team

JUL 02, 2015  |  07:59PM UTC
Simon replied:
Hello Herbert,

Thanks for your response. The MAC of the Linksys SPA2102-R is
00:0E:08:4C:7A:62. The S/N is FM500L882925.

Thanks very much,

JUL 06, 2015  |  04:32PM UTC
Comwave Technical Support replied:
Dear Simon,
Thank you for getting back to me.
The serial number and MAC address you provided are not linked to any Comwave account anymore. This means that we no longer have control over the device. In this case, please contact Cisco support center at 800-553-2447 or for more information you can also visit this website http://www.linksys.com/ca/support-product?pid=01t80000003K7fzAAC.
I hope this information helps. Should you have any further questions, please feel free to email us again.
Herbert – eCare Team

JUL 06, 2015  |  05:44PM UTC
Simon replied:
Hello Herbert,

Thanks for your response. I understand that the device would no longer be
linked with an active account with you, and that's why the previous account
owner who was using this device with your services would have donated it to
Value Village where I purchased it.

You do still have control of the device, as it contains the profile rule(s)
to contact your provisioning server, and has been configured with a non
standard admin password, so I am unable to login to change the profile rule
to point the device at my own provisioning server.

I have attached a packet capture which shows the device booting up and
performing DNS lookups for your provisioning server, "dmsc.comwave.net",
and attempting to perform an SSL handshake in order to download the config

If you were to place a config file on your provisioning server for the MAC
address of 00:0E:08:4C:7A:62 containing the following:


perhaps compiled with the SPC tool if necessary, then when the device next
contacts your provisioning server it should have the admin password reset
from the currently unknown to me value, to "admin", which would allow me to
login and clear/change the profile rules in the provisioning settings of
the device. Alternatively if you have the admin password on record, or are
able to generate the device's password based on its MAC address or serial
number, and provide that to me, then I would be able to login and reset the

The support link you provided was to a wireless router on Cisco's site. If
I search for the SPA2102 on their site, then there are some results,
however those pages have been removed, and the search results mention that
it is an end-of-life device which is not supported by them anymore, which
is why I need your assistance in unlocking the device.


JUL 08, 2015  |  08:05PM UTC
Comwave Technical Support replied:
Dear Simon,
Thank you for your reply.
The Linksys SPA2102-R FM500L882925 you received no longer works on our network, unfortunately, we cannot support it. We suggest you our Comwave Home Phone VoIP service , however, you would receive another device since we do not have control over the configuration of your Linksys.
Should you have any further questions, please let me know at your earliest convenience.
eCare Team

So, that's pretty much the end of that. Even though the device boots up, performs a DNS lookup, resolves to their provisioning server, and attempts an SSL handshake, they refuse to help me to unlock the device, even though it's no longer supported on their network, so it's not like I could even use it with an account with them. Instead they expect I'll signup for their services so they can send me some other device I have to pay for, completely defeating the purpose of what I'm trying to do by reusing this perfectly workable ATA, and instead they've just created more e-waste.

I'm currently trying to brute force the password on the device, but that's probably going to be a futile effort, since most of these passwords use extended characters, making the keyspace huge. I've already gone through all the 4 character passwords using combinations of uppercase letters, lowercase letters, and numbers, and that took 2 days.

I've now moved on to attempting all 5 character passwords, and that's estimated to take 70 days at the current rate..

The other option is to desolder the flash TSOP and use a programmer to reflash it with the unlocked "NA" firmware, and then resolder the flash chip, but since that requires a microscope and soldering equipment I don't have, it's not really a viable option.