The WRTP54G has two ports to which one can connect telephones. The RTP300 is a version of the WRTP54G with the wireless radio omitted.
OpenWrt Version Supported
Model Specific Notes
patch required, see below
patch required, see below
4 x 1
It is necessary to download the OpenWrt source code, patch it, build it, and put the resulting image on a TFTP server. Serial console access is required to flash the firmware. (This situation will improve when more of the proposed patches are integrated.)
To remove the cover, peel the rubber feet off of the bottom. Remove the screws found under the feet. Finally, lift off the top cover.
The router has a serial port connector inside the case. The pinout:
| Pin 1: GND ---> @ |
| Pin 2: Not Connected ---> @ |
| Pin 3: RX ----> @ | Front of RTP300 or WRTP54G
| Pin 4: TX ----> @ |
| Pin 5: VCC ----> @ led
Do not connect the router's serial port directly to your computer's RS232 port. The signal voltage levels are not the same and you may damage the router's serial port. Your computer's serial port has a line driver which converts the computer's signal voltage levels to RS232 levels, while the line driver was left out of the router to save money. So, you will have to attach a line driver to your router and plug your computer into the line driver. If you are handy with a soldering iron you can order an AD233AK 233A kit and assemble it to make a line driver.
The default settings for the serial port are 115200 BPS, 8-bit words, no parity, and hardware flow control. These settings may be changeable by setting the boot environment variable MODETTY.
If you have Kermit on Unix or Linux and if the router is connected to “/dev/ttyS0” on your computer, the Kermit commands to connect to it are:
C-Kermit>set port /dev/ttyS0
C-Kermit>set speed 115200
C-Kermit>set carrier-watch off
C-Kermit>connect
The serial port is the boot loader console. If the boot-loader environment variable CONSOLE_STATE is set to “unlocked” (rather than “locked”), then you will have three seconds to stop the boot (by pressing ESC) and receive a boot loader prompt.
If CONSOLE_STATE is set to “locked”, you must find a way to execute the command:
echo "CONSOLE_STATE unlocked" >/proc/ticfg/env
… from the existing firmware, either by installing a hacked Linksys firmware, which allows logins on the console, or by using the ping hack documented in RTP300 and WRTP54G Explored.
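One way to wrap the command above so that the write happens only when needed and the result is checked afterwards. This is an added example, not code from the original page or from the Linksys firmware; it assumes that reading /proc/ticfg/env returns one "NAME VALUE" pair per line (the same layout the page uses for the write), and ENV_FILE is a hypothetical override for trying it off the device.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Assumption: each line of the environment file reads "NAME<whitespace>VALUE".
# ENV_FILE is a hypothetical override so the functions can be tried offline.
ENV_FILE="${ENV_FILE:-/proc/ticfg/env}"

# Print the value of one boot-loader variable; return 1 if it is not set.
# Uses only shell builtins, so it does not depend on awk or sed being present.
get_env_var() {
    want="$1"
    while read -r name value; do
        if [ "$name" = "$want" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done < "$ENV_FILE"
    return 1
}

# Unlock the boot-loader console only if it is not already unlocked,
# then read the variable back to confirm the change took effect.
# Returns 0 if the console ends up unlocked, 1 otherwise.
unlock_console() {
    state="$(get_env_var CONSOLE_STATE)" || state="(unset)"
    echo "CONSOLE_STATE before: $state"
    if [ "$state" != "unlocked" ]; then
        # Same write the page gives; on the router it sets this one variable.
        echo "CONSOLE_STATE unlocked" > "$ENV_FILE" || return 1
    fi
    state="$(get_env_var CONSOLE_STATE)" || return 1
    echo "CONSOLE_STATE after: $state"
    [ "$state" = "unlocked" ]
}
```

Call `unlock_console` from a shell on the existing firmware; a non-zero exit status means the variable did not read back as unlocked.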
JTAG is a standard way to gain access to the system bus of an embedded device. It can be used to reprogram the flash even if the boot loader has been damaged. The AR7 implements EJTAG version 2.6.
This EJTAG layout should apply to all AR7-based boards with a 14-pin JTAG pinout. The same cable used for the WRT54G (based on the Xilinx III/dlc-5), as described by HairyDairyMaid, can be used with the RTP300. Debug INT pin 13 is optional. A 100-Ohm resistor should be connected between pins 1 and 14.
A patched version of the JTAG utility written by HairyDairyMaid for the WRT54G can be used to reprogram the flash. A link to it and instructions will be posted here shortly.
Writing to flash using JTAG and a passive cable is slow. Writing a firmware would take hours. For this reason, it is generally used to repair only the boot loader. Once the boot loader is working again, the TFTP client in the boot loader can be used to flash a new firmware much more quickly.
The nearly complete contents of a RTP300 router's mounted file system (version 1.00.55) were dumped, zipped and uploaded to here
The nearly complete contents of a WRTP54G router's mounted file system present on firmware version 1.00.60 have been dumped, zipped and uploaded to here
All of the entries in a RTP300's /proc directory were cat-ed out to a log file found here
A dump of all the flash blocks from an RTP300 with firmware 1.0.55 is available here! This is different from the mounted file system dumps, which contain only the files from the mounted root
The root file system extracted from firmware version 3.1.17 is available here attachment:wrtp54g-3.1.17-root.tar.bz2
CyberTAN is a subcontractor for Linksys and their name appears in the router's source code (even the source code archive's name: _cyt_).
The VoIP daemon appears to be “RADVISION SIP TOOLKIT 18.104.22.168” (/usr/sbin/ggsip)
The telephony chip is the Microsemi Le88221, part of the VE880 series. Information on Microsemi voice products, documentation and software can be found at Microsemi Voice Products. Here are the GPL drivers for this hardware, based on VP-API-II P2.11.3. Contact Microsemi Field Sales and Customer Support for the latest release of the VP-API-II.
The #wrtp54g channel on Freenode is where those devoted to hacking the WRTP54G and RTP300 hang out.
toh/linksys/rtp300_and_wrtp54g.txt · Last modified: 2019/10/13 11:19 by tmomas