I have got the phone hooked up to a raspberry pi and am using tcpdump and etherreal to sniff traffic. It does a DHCP request and tries to setup an openvpn tunnel. It doesn’t do any requests for a config file.
Possibly if it would get an OpenVPN tunnel, it might? But then you’d need a key for openvpn, which requires… the password.
What idiot of a company makes a phone which is not factory resettable with a button or button-combination.
The only option I see left, is to use the internal JTAG connector to erase the nvram. I had hoped there was another solution.
For instance… the phone has a card reader. Can one put a config on a card and would that override the config on there? file naming?