xhausted110

Avaya definity

108 posts in this topic

3 hours ago, ThoughtPhreaker said:

Nope. The C-LAN board I bought wound up being a dud (just a few surface mount resistors will probably fix it. Sadly, I'm not especially great at soldering), and under the pre-R9/10 releases, there's pretty limited incentive to have one of those cards anyway; remote management over a C-LAN card wasn't a thing until relatively late.

 

We should clone my R11 board for you so you get licenses...;)

 

Unfortunately, the TN2402 seems to be all SMT flash with no sockets :(

 

3 hours ago, ThoughtPhreaker said:

With the weird CELP codec this instance of Audix records everything in, my interest in it is honestly sort of done for the moment. Especially since I can make a lot better use of the Dialogic card it uses with my own software.

 

I should get a second one of those...

On 8/12/2016 at 10:00 PM, ThoughtPhreaker said:

Sure! I had to go through this myself, only without the benefit of an account on the translations card to work with. Depending on what software release you have (if you're trying to install a C-LAN card, I assume it's a fairly late release. I don't think it'll work with anything below release 7) you have a few different options here.

 

1) The easiest is to just boot the system with no translations card installed. Once you've got it running, log into it with the username inads and the password indspw. Go ahead and insert the memory card into the reader. Or just skip all this crap and if you have something that accepts linear flash (ATA flash for the later systems) PCMCIA cards, just stick it in that. Anyway, assuming you're doing the Definity method, type 'upload translation'. Or maybe it's download; I think they made it to be upload from the Definity instead of to the terminal emulator. On one, it'll copy the flash card's contents into RAM and say "Prepare to receive file". Use xmodem to receive the file, and you'll have a copy of the passwords (albeit XORed or something; it's not anything particularly sophisticated. I don't know the algorithm, but I can give you as many plaintexts as you want if you need them. It doesn't seem to be anything standard, but it looks like Base64 at first glance) from the switch.

 

2) If you have a release 6 or lower processor, you can boot with no translations card again, and overwrite the bytes for the init (superuser; the one that lets you activate any feature you feel like having) password with the ones of a password you know (there's no RAM protection; the rva command should let you do this. I'll attach a ramdump of the pam process to this post). For added shits and giggles, there's even a byte you can change to make a password expire. In some situations, that might be the only way you have to change it. I dunno a lot about the way the header works, but in release 6 and 8, there's a byte that indicates what type of account the username is - or maybe it's an account ID. By default, It's 0x00 for init, 0x01 for inads, 0x02 for craft, and I think the rest are in descending order of account privileges. It might be possible to have two init or inads accounts. However, if the init account is set to prompt for an ASG login (which in release 8/+, it is by default), it'll try and give you a challenge/response for the init account.

 

If you do have a release 8/+ translations card, one thing I've found you can do is change the account ID for the init account to 0x01 (so it doesn't prompt for an ASG challenge/response), write the password to one you know, and then write it back to 0x00 when you're logged in. Though you'll get slightly higher privileges than the inads account, it seems to know what you're doing, and disables the option to change purchased features. Or activate the switch to begin with >.< .


For release 8/+, I think there's really only one course of action that can be done at the moment; log in as inads (or init with the above method; the only difference is under inads, it'll try to hide this, but it'll still accept it) and type 'go debugger local'. The switch has a lot of nice things in here, including a simple disassembler. If you speak R3000 assembly, you can probably figure out why/how the switch knows you've been screwing around with the accounts. Judging by how it complains about my *cough* modded release 6 card, I assume the init password is derived from something specific to the software version, and newer releases, knowing that, will complain if you've changed it.

 

If you decide to take this route, lemme know. There's a bit more detail I can go into about the debugger and general Oryx/Pecos operation.

 

3) You can boot it with no translations card, and upload a fully unlocked release 6 translations backup I made to your card. On newer releases, this'll still work, but you'll be relegated to release 6 features, and it won't let you save; the newer processor releases seem to know something is up, and will claim the card is corrupted. Normally I'd just upload it, but there's some stuff I'd rather not have public on the translations backup I made. Lemme know if you want it.

pam.bin

pam_r8.bin

 

So I stumbled upon this post. I have a Definity Prologix switch I acquired. It has a release 6 processor (TN798B). I have now booted the switch with no translation card. I went into RVA, but I'm a little confused as to what command I would use to change the init password. Could you elaborate as to what I should do?


Try booting the system without a card and logging in as inads. The command 'go debugger local' should be available from the command interface, though not listed. At the debug interface, type this: rd -f 2000000x pam 0x400000 . If you post the dump on here, I can filter the output to reflect the actual binary it's dumping pretty easily. If you want to just upload it, I can A) tell you the password, B) tell you what RAM address and commands you need to use to change it, or C) we can skip all this crap, and you can just try the password 'e5peranto'. If I remember right, that's the release 6 init password. A little less fun, but it gets you what you need.


I recommend a sticky or a blog post or something where it's concise, because I think many who have come here from a Google search are not Tier 3 admins. I would ask CJ from PBX How Tos (since he was a Tier 3 Avaya guy) since he flaunted that he "defaulted his PBX" in a YouTube video a few years back; but I think he's either dead or playing possum. :)


ThoughtPhreaker, the password in option C didn't work, unfortunately. I got in and went into the interface you mentioned. I didn't realize it was going to dump that much hex on me! How would you recommend I retrieve it and post it? I'm using a very old version of Procomm Plus to access the switch. 


8 hours ago, grs033 said:

ThoughtPhreaker, the password in option C didn't work, unfortunately. I got in and went into the interface you mentioned. I didn't realize it was going to dump that much hex on me! How would you recommend I retrieve it and post it? I'm using a very old version of Procomm Plus to access the switch.

It dumps the entire RAM contents - so there's going to be a lot of lines.

For me I tried to get the contents using HyperTerminal (was using an XP laptop) and checked the screen logging before logging in and performed the specific commands ThoughtPhreaker instructed. Procomm and Avaya are typically not the best marriage in heaven to manage.

Ok.... so here is the dump from the processor. I hope I saved it in a way that it can be used (I checked it in notepad, and it looks like it captured everything).

grs033 dump


I'll update this post with some more info when I'm not getting ready for work, but for now, the password for your release 6 card is '0nvacat10n'. Nothing like a cute little Definity word scramble to start your day. I guess you just had a different build than the other release 6 I unlocked.


Wow! Thanks! I kinda wish I was on vacation tbh. And I feel like I owe you a [root] beer for this! 

And I'm also curious how you converted the hex to usable info to extract that password.

Edited by scratchytcarrier
friends don't let friends hack drunk.
4 hours ago, MakeAvayaRedGreatAgain said:

 

It dumps the entire RAM contents - so there's going to be a lot of lines.

For me I tried to get the contents using HyperTerminal (was using an XP laptop) and checked the screen logging before logging in and performed the specific commands @ThoughtPhreaker instructed. Procomm and Avaya are typically not the best marriage in heaven to manage.

 

@MakeAvayaRedGreatAgain What do you use for regular admin tasks on the switch? I really haven’t had an issue using procomm for the stuff I was doing before this. It’s just annoying to have to use the escape codes in HyperTerminal. I tried PuTTY, but of course same issue with having to use escape codes. Of course I’d love to get my hands on a copy of Avaya Site Administration, but I don’t think Avaya would sell me a copy (it’s probably expensive, too). 

14 minutes ago, grs033 said:

 

@MakeAvayaRedGreatAgain What do you use for regular admin tasks on the switch? I really haven’t had an issue using procomm for the stuff I was doing before this. It’s just annoying to have to use the escape codes in HyperTerminal. I tried PuTTY, but of course same issue with having to use escape codes. Of course I’d love to get my hands on a copy of Avaya Site Administration, but I don’t think Avaya would sell me a copy (it’s probably expensive, too). 

I use TuTTY, a variant of putty made by a Russian guy. If you set the keyboard to at&t 513, it will pop up a message box asking if you are connecting to an AT&T product, say yes and it will set itself up just like avaya terminal emulator.

6 minutes ago, xhausted110 said:

I use TuTTY, a variant of putty made by a Russian guy. If you set the keyboard to at&t 513, it will pop up a message box asking if you are connecting to an AT&T product, say yes and it will set itself up just like avaya terminal emulator.

 

I’ve actually tried TuTTY. I saw a warning that the function keys weren’t fully operational in the latest version. I did encounter problems when I tried using them, the emulator would start acting weird. Is there a version of it that actually works properly?


If you feel like using putty, one thing I've had some particular success with in minicom are the VT220 function codes. It's been a while since I've had a Windows machine hooked directly up to the Definity, but I think this works roughly the same. In VT220 mode, the shift+Fx keys should be mapped to the Definity function keys. For example, shift+F5 is help, shift+F7 is confirm. Page up/down are mapped normally, and cancel works as delete. On some notebooks, sometimes the function keys will move around a bit, so you'll wind up with shift+f3 or something doing what you want. It takes some trial and error, but once you've got it down, it relieves a lot of terminal headaches.


I'm lucky to have ASA, but PuTTY works too if you don't have access to a copy. I have not had issues with function keys when I had to PuTTY it for another situation. In any situation, I try to use AT&T's 513 or 4410 to get in, because the switch revolved around AT&T's own dumb terminals. Safe to be native if you can!

 

It looks like you've gotten the hang of it! :D

 


I may have a copy that came as part of a backup of some super sketchy Russian FTP. When I get home, I'll look into that, among some other things, and finish writing up the aforementioned Definity unlocking stuff.


@ThoughtPhreaker Thanks a billion!!! I'm in with the password you supplied!


So here is an interesting thing... I have a few extra translation cards sitting here. One in particular actually came with the switch, and I was unable to crack the password for even the cust account, since it was not set to the default passwords. I figured since I now had the init password for the processor that I would be able to get into that translation and mess around like I was able to with the two other translation cards I have. Well, it seems that the init password for this translation card is set differently. I get the "INCORRECT LOGIN" message. So I decided to go into HyperTerminal to get the translation file as described in one of the first replies on this thread. I opened the file in Notepad, but it doesn't look at all like what I had from the RAM dump I posted the other day. I would like to be able to figure out the passwords for myself and not ask for help each time (though I very much appreciate the help thus far). But I wouldn't even know where to begin with this one. So I'm posting the file I have here to see if you can figure out if the translation has its own init password set.

grstrans


@ThoughtPhreaker one other question I have.. I was reading the beginning of this thread about setting up Audix on a PC... I see it’s using some cards which I don’t think work on R6 prologix processors... is there a way to get that Audix setup working with R6? 


I have a technical question about the Definity type of PBX systems (not the softswitch Auras)

 

Can a PPN run a release that is lower than what's on the card? I have that finicky R12 PPN board, and I was wondering if I could take my R9 translations and "restore" them onto that board, and run R9 as a backup in case my other board decides to give up. (You never know.)

 

I'm surprised that what's missing in this thread is the "Sold To" number. This is Avaya's answer to a serial number, specific to a customer and site location. I should check with the individual, but both cards were from the same site, most likely with the same "Sold To" number. I believe these numbers have to match in order to do something like this.

 

If the sold to number is important, is it easy to insert it at some point of a hard reset and all that complex hex cracking and stuff like that, or is this actually pretty trivial?

Edited by MakeAvayaRedGreatAgain

@ThoughtPhreaker hope you’re ok.. haven’t heard anything from you in a while...

 

@MakeAvayaRedGreatAgain Is your copy of ASA on CD? Do you happen to know where one can get a copy on CD? I can’t find any for sale on eBay or anywhere. Google found a website where it’s supposedly available from, but it seems sketchy and I don’t want to risk getting a virus from it...

Quote

Wow! Thanks! I kinda wish I was on vacation tbh. And I feel like I owe you a [root] beer for this!

 

Slip in some vanilla vodka, and we're _definitely_ in business. ;)

 

Quote

And I’m also curious how you coverted the hex to usable info to extract that password.

 

I detailed a bit about this on the first page; basically, there's just a substitution cipher that's used to encode the password; so like, it'll change all As to Zs, Bs to Xes, etcetera. After it's done with that, it'll switch around the byte order. I only had the first several written down (fifth is first when unscrambled, sixth is second, fourth is third, seventh is fifth, first is sixth, third is seventh, ninth is eighth, eleventh is ninth, eighth is tenth, tenth is eleventh), so figuring out how to get the rest was mostly a matter of figuring out what word they were trying to put in there.

 

The Definity OS has no RAM protection, so once you figure out what address the password is stored at (which isn't hard; just ctrl+f for inads in the ramdump. You'll see two iterations of the obfuscated passwords next to their respective usernames. The first one is the current one, the next is the previous password you used; the idea being you aren't supposed to use it again), you can use the wva (write virtual address) command to overwrite the passwords if you want.

 

On that note, the RAM dump can be translated back into binary data by filtering out all the crap from the dump program. There's probably an elegant way to do this with awk or some other Linux tool. It's times like these I can be more sloppy than I care to admit; I'll just use OpenOffice. After getting rid of all the things that obviously aren't data, like the command you typed and the error message at the end, you do some find and replace functions; one for '0x' and another (with regular expressions enabled) for '004.....:' . When you're done, nothing should exist except the data (minus the 0x portion) it was spitting out. Paste this into a hex editor - I prefer HxD - and save it.

 

Quote

So I'm posting the file I have here to see if you can figure out if the translation has it's own init password set.

 

The answer to that is very likely yes. I'm mostly seeing a lot of blank bytes in that file, though. How're you uploading it?

 

Quote

ThoughtPhreaker one other question I have.. I was reading the beginning of this thread about setting up Audix on a PC... I see it’s using some cards which I don’t think work on R6 prologix processors... is there a way to get that Audix setup working with R6?

 

Yeah; you can just use mode codes (DTMF) instead of a C-LAN card. I *think* I talked about what RPMs to install at some point in this thread. Lemme know if I didn't/you'd like me to walk you through it.

 

Quote

Can a PPN run a release that is lower to the what's on the card? I have that finicky R12 PPN board, and I was wondering if I could take my R9 translations and "restore" them onto that board? And run R9 as a backup in case my other board decides to give up. (You never know.)

 

Nope. Release nine doesn't use any sort of key-based licensing, so while the R12 processor will accept the translations, it'll run in no license mode. In a word, it's no fun mode. The translations for the later systems also have a key that includes the processor's serial number. I dunno if/when there'll be any concrete success to work out, but for the moment, the processor I yanked off eBay had some encouraging things to say:

 

Quote


tcm1> klog
support your local Oryx (Oryx g4.34)$
support your local Pecos$
Boot image vintage: R011i.02.0.110.4$
Boot image build information: 10/21/02-21:24:30;gaz;fld;alawint;R11.pj$
23sep17 12:19:12|Pcd_vint_upd: slot 0 pcd lan_addr calc 0x6000, brd lan_addr 0x$
23sep17 12:19:12|Pcd_vint_upd: slot 1 pcd lan_addr calc 0x6100, brd lan_addr 0x$

 

If you play around (don't be shy; carrier grade telecom gear isn't exactly made of glass), you'll find the byte that tells the Definity to prompt you for ASG instead of a regular password. It should be about 112 bytes after the last character of a password, and will be a 0x01. There's like, six, so a minimal amount of trial and error will find it. When you get a copy of your translations file, change it to 00, and change another 00 in the file (most next to the first byte should be fine) to a 01 to satisfy the checksum and upload it. If you do this for, say, inads, you'll have permission to write to the system's RAM at will. You can change this for init, but the system will just ignore this. Sort of a moot point, since not much can be done in the way of activation without knowledge of the licensing.

 

Quote


hope you’re ok.. haven’t heard anything from you in a while...

 

Yup, sorry. It's just been an interesting week. Long story short, my hands have been a little tied. Even on the worst of days, I'll find time to hit the conf, but sometimes my ability to respond to forum stuff gets onto the chopping block.

Edited by ThoughtPhreaker
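
The reply above describes three things by hand: cleaning the `rd` dump capture back into bytes, the byte shuffle that sits on top of the password substitution, and flipping the ASG byte in a translations file while keeping its checksum happy. The script below is an added example written for this page (not code from the thread, and not Avaya's) that does each of those on a constructed sample. Everything it relies on beyond what the reply states is an assumption and is marked as such in the code: the exact shape of a dump line (eight-digit address starting with 004, a colon, 0x-prefixed words), big-endian byte order inside each word, an 11-byte password blob, the one permutation entry the reply had not written down (unscrambled position 4 taking scrambled position 2, the only index left over), 112 as the exact distance to the ASG byte, and a byte-sum checksum (the only kind the "turn another 00 into 01" trick can satisfy). The substitution table itself is not on the page, so `unscramble()` takes it as a parameter and otherwise only undoes the shuffle.

```python
"""Definity RAM-dump / translations helpers: an added example for this page,
not code from the thread or from Avaya.  Layout details beyond what the
reply states are assumptions and are marked where they are used.
"""
import re
from typing import Dict, List, Optional, Tuple

# A data line from the `rd` dump as the reply describes it: an address that
# starts with 004 (eight hex digits), ':' and 0x-prefixed words.  Word width
# and spacing are assumptions; anything else (echoed command, prompt, the
# error message at the end) does not match and is dropped.
DUMP_LINE = re.compile(r"^\s*(004[0-9A-Fa-f]{5}):((?:\s+0x[0-9A-Fa-f]+)+)\s*$")


def dump_to_bytes(capture: str, big_endian: bool = True) -> bytes:
    """Turn a terminal capture of the dump back into the bytes it printed."""
    out = bytearray()
    for line in capture.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        for word in m.group(2).split():
            digits = word[2:]
            raw = bytes.fromhex(digits.zfill(len(digits) + len(digits) % 2))
            # Byte order inside a word is an assumption (R3000 runs either way).
            out += raw if big_endian else raw[::-1]
    return bytes(out)


def find_logins(image: bytes, names=(b"init", b"inads", b"craft"),
                tail: int = 24) -> Dict[str, List[Tuple[int, bytes]]]:
    """Offsets of each login name plus the bytes that follow it.

    The reply says the obfuscated blobs sit right after the login name
    (current password first, previous one second); `tail` just shows enough
    bytes to eyeball where they start and stop.
    """
    hits: Dict[str, List[Tuple[int, bytes]]] = {}
    for name in names:
        found = []
        pos = image.find(name)
        while pos != -1:
            found.append((pos, image[pos + len(name): pos + len(name) + tail]))
            pos = image.find(name, pos + 1)
        hits[name.decode()] = found
    return hits


# "unscrambled position <- scrambled position", 0-based here (1-based in the
# reply).  Position 4 was not written down; the only scrambled index nothing
# else uses is 2, so the 3 <- 1 entry is an assumption.
UNSCRAMBLE = {0: 4, 1: 5, 2: 3, 3: 1, 4: 6, 5: 0, 6: 2, 7: 8, 8: 10, 9: 7, 10: 9}


def unscramble(blob: bytes, substitution: Optional[Dict[int, int]] = None) -> bytes:
    """Undo the byte shuffle, then the per-byte substitution.

    The reply applies the substitution first and the shuffle second, so
    decoding reverses that order.  The substitution table is not on the
    page: pass your own (obfuscated byte -> plain byte) or None to leave the
    bytes alone.  Only 11-byte blobs are handled, which is all the reply
    describes.
    """
    if len(blob) != len(UNSCRAMBLE):
        raise ValueError("expected %d bytes, got %d" % (len(UNSCRAMBLE), len(blob)))
    plain = bytes(blob[UNSCRAMBLE[i]] for i in range(len(blob)))
    if substitution:
        plain = bytes(substitution.get(b, b) for b in plain)
    return plain


def asg_flag_offset(password_end: int, distance: int = 112) -> int:
    """Where the 'prompt for ASG' byte should be: "about 112 bytes after the
    last character of a password".  Exactly 112 is an assumption; probe a
    few bytes either side if the byte there is not 0x01."""
    return password_end + distance


def clear_asg_flag(trans: bytes, flag_offset: int) -> bytes:
    """Flip the ASG byte 0x01 -> 0x00 and keep the file's checksum valid.

    The reply's trick (turn another 0x00 into 0x01) only works for an
    additive checksum, so that is assumed; the byte sum is verified unchanged.
    """
    data = bytearray(trans)
    if data[flag_offset] != 0x01:
        raise ValueError("byte at 0x%x is not 0x01; wrong offset?" % flag_offset)
    data[flag_offset] = 0x00
    comp = data.find(b"\x00", flag_offset + 1)  # nearest following 0x00
    if comp == -1:
        raise ValueError("no 0x00 byte after the flag to absorb the +1")
    data[comp] = 0x01
    assert sum(data) == sum(trans)
    return bytes(data)


# Constructed sample capture (not a real dump): an 'inads' record followed by
# two 11-byte blobs, with the ASG byte 112 bytes past the end of the first.
SAMPLE_CAPTURE = """\
tcm1> rd -f 2000000x pam 0x400000
00400000: 0x00000000 0x00000000 0x696E6164 0x73006161
00400010: 0x7476306E 0x636E3121 0x30007072 0x6576696F
00400020: 0x75737077 0x31000000 0x00000000 0x00000000
00400030: 0x00000000 0x00000000 0x00000000 0x00000000
00400040: 0x00000000 0x00000000 0x00000000 0x00000000
00400050: 0x00000000 0x00000000 0x00000000 0x00000000
00400060: 0x00000000 0x00000000 0x00000000 0x00000000
00400070: 0x00000000 0x00000000 0x00000000 0x00000000
00400080: 0x00000000 0x00000000 0x01000000
*** read error: end of region ***
"""


if __name__ == "__main__":
    image = dump_to_bytes(SAMPLE_CAPTURE)
    pos = find_logins(image)["inads"][0][0]
    current = image[pos + 6: pos + 17]  # name, NUL, then 11 bytes (sample layout)
    print("current blob:", current, "->", unscramble(current))
    off = asg_flag_offset(password_end=pos + 16)
    patched = clear_asg_flag(image, off)
    print("ASG byte at 0x%x cleared, checksum preserved" % off)
```

Run it as-is to see the round trip on the sample; on a real capture, paste the HyperTerminal log into `dump_to_bytes()`, find the blobs with `find_logins()`, and only then pick `password_end` and probe for the 0x01 before calling `clear_asg_flag()`.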

@ThoughtPhreaker A bottle of Grey Goose La Vanille it is!

 

That file I uploaded was the file that HyperTerminal output to the target folder (which was just the program file folder). Did I do something wrong or use an incorrect setting? I followed instructions you had given in the beginning of the thread of using xmodem in HyperTerminal. I can try to download the translation from the switch again if there’s something I should have done differently. 

 

As far as setting up AUDIX like that, I would definitely appreciate being walked through the process. I am fairly new to running a Definity switch. I just got my first “lab switch” a few months ago and have pretty much just been feeling my way through and googling a lot of what I’ve encountered (Which is how I found this thread). All of my experience with switches up until this point has been primarily Nortel Norstar or occasionally Avaya Partner & Merlin Legend/Magix systems. Definity has always been something I’ve wanted to tackle and dabble around in. So I’m sorry if I’m being a little needy here, I’m just not 100% sure of what I’m doing. But I want to learn so I can do these things for myself. 

 

So what I think I’m understanding is that I’d have to do some cleanup of that ram dump to get rid of some of the extra data that it spit out. Then convert the hex to binary. I’m guessing you know which memory locations to look at to find the password then. 

 

And one other thing.. any word on ASA? Like I said in the last reply, I can't find a copy for sale anywhere. And the only thing I found was some website that had it, which I'm sure would infect me.

 

I sincerely appreciate all of the help. I wish there was something I could do to return the favor.

3 minutes ago, grs033 said:

 

As far as setting up AUDIX like that, I would definitely appreciate being walked through the process. I am fairly new to running a Definity switch. I just got my first “lab switch” a few months ago and have pretty much just been feeling my way through and googling a lot of what I’ve encountered (Which is how I found this thread). All of my experience with switches up until this point has been primarily Nortel Norstar or occasionally Avaya Partner & Merlin Legend/Magix systems. Definity has always been something I’ve wanted to tackle and dabble around in. So I’m sorry if I’m being a little needy here, I’m just not 100% sure of what I’m doing. But I want to learn so I can do these things for myself. 

 

And one other thing.. any word on ASA? Like I said in the last reply, I can't find a copy for sale anywhere. And the only thing I found was some website that had it, which I'm sure would infect me.

 

I sincerely appreciate all of the help. I wish there was something I could do to return the favor.

 

Oh, so you're experienced on the key systems. They are a lot less open than a proprietary PBX. I am no nerd, and these hex codes and cracking and stuff are way over my head. (Hence, please create a sticky with a walkthrough! A lot of us in tech do love visual documentation!) Also my G3 R9 is back on a production system - another VoIP fail in the house - I don't have time anymore to deal with these finicky systems.

 

In re to the ASA  - PM'd you. Check your inbox.
