Linksys RTP300 and WRTP54G

FIXME please merge this article with rtp300

The WRTP54G has two ports to which one can connect telephones. The RTP300 is a version of the WRTP54G with the wireless radio omitted.

Version/Model S/N OpenWrt Version Supported Model Specific Notes
RTP300 v1.0 - trunk r18447 patch required, see below
WRTP54G v1.0 - trunk r18447 patch required, see below
CPU RAM Flash Network USB Serial JTAG
AR7 16 MiB 8 MiB 4 x 1 No Yes Yes

It is necessary to download the OpenWrt source code, patch it, build it, and put the resulting image on a TFTP server. Serial console access is required to flash the firmware. (Though this this situation will improve when more of the proposed patches are integrated.)

  • please use the “Titan”-Images, see r19022

The code in OpenWrt trunk (as of May 2010) cannot build a firmware image that can be flashed using the web interface in the Linksys firmware. Flashing firmware requires serial console access.

Architecture: MIPS
Vendor: Lantiq
bootloader: pspboot
System-On-Chip: Texas Instruments TNETV1060
CPU/Speed 163 MHz
Flash size: 8192 KiB
RAM: 16 MiB
Wireless: ? Atheros AR9103 2.4ghz 802.11bgn
Ethernet: RealTek RTL8366RB Gigabit w/ vlan support
Serial: Yes
Other: Yes, 2x FXS-ports

Note: This will void your warranty!

To remove the cover, peel the rubber feet off of the bottom. Remove the screws found under the feet. Finally, lift off the top cover.

The router has a serial port connector inside the case. The pinout:

|                                         |
|                                         led
|                   Pin 1: GND   ---> @   |
|                                         led
|         Pin 2: Not Connected   ---> @   |
|                                         led
|                   Pin 3: RX   ----> @   |                 Front of RTP300 or WRTP54G
|                                         led
|                   Pin 4: TX   ----> @   |
|                                         |
|                   Pin 5: VCC  ----> @   led
|                                         |
|                                         |
|                                         |

Do not connect the router's serial port directly to your computer's RS232 port. The signal voltage levels are not the same and you may damage the router's serial port. This is because your computer's serial port has a line driver which converts the computer's signal voltage levels to RS232 levels while the line driver was left out of the router to save money. So, you will have to attach a line driver to your router and plug your computer into the line driver. If you are handy with a soldering iron you can order a AD233AK 233A kit and assemble it to make a line driver.

The default settings for the serial port are 115200 BPS, 8-bit words, no parity, and hardware flow control. These settings may be changeable by setting the boot environment variable MODETTY.

If you have Kermit on Unix or Linux and if the router is connected to “/dev/ttyS0” on your computer, the Kermit commands to connect to it are:

 C-Kermit>set port /dev/ttyS0
 C-Kermit>set speed 115200
 C-Kermit>set carrier-watch off

The serial port is the boot loader console. If the boot-loader environment variable CONSOLE_STATE is set to “unlocked” (rather than “locked”), then you will have three seconds to stop the boot (by pressing ESC) and receive a boot loader prompt.

If CONSOLE_STATE is set to “locked”, you must find a way to execute the command:

 echo "CONSOLE_STATE unlocked" >/proc/ticfg/env

... from the existing firmware, either by installing a hacked Linksys firmware, which allows logins on the console, or by using the ping hack documented in RTP300 and WRTP54G Explored.

JTAG is a standard way to gain access to the system bus of an embedded device. It can be used to reprogram the flash even if the boot loader has been damaged. The AR7 implements EJTAG version 2.6.


|                     J3                  |
|                                         led
| Pin 1: TRST  ----> @   @ <-- Pin 2:GND  |
|                                         led
| Pin 3: TDI   ----> @   @ <-- Pin 4:GND  |
|                                         led
| Pin 5: TDO   ----> @   @ <-- Pin 6:GND  |
|                                         led
| Pin 7: TMS   ----> @   @ <-- Pin 8:GND  |   Front of WRTP54G
|                                         |
| Pin 9: TCK   ----> @   @ <-- Pin 10:GND led
|                                         |
| Pin 11:RST   ----> @   @ <-- Pin 12:NC  |
|                                         |
| Pin 13:DINT  ----> @   @ <-- Pin 14:VIO*|
     *voltage reference @ 3.3 volts

This EJTAG layout should apply to all AR7-based boards with a 14-pin JTAG pinout. The same cable, used for the WRT54G (based on the xilinx III/dlc-5) as described by HairyDairyMaid, can be used with the RTP300. Debug INT pin 13 is optional. A 100-Ohm resister should be connected between pins 1 and 14.

A patched version of the JTAG utility written by HairyDairyMaid for the WRT54G can be used to reprogram the flash. A link to it and instructions will be posted here shortly.

Writing to flash using JTAG and a passive cable is slow. Writing a firmware would take hours. For this reason, it is generally used to repair only the boot loader. Once the boot loader is working again, the TFTP client in the boot loader can be used to flash a new firmware much more quickly.

The default network configuration is:

Interface Name Description Default configuration
br-lan LAN & WiFi
eth1 LAN ports (1 to 4) None
eth0 WAN port DHCP
  • The nearly complete contents of a RTP300 router's mounted file system (version 1.00.55) were dumped, zipped and uploaded to here
  • The nearly complete contents of a WRTP54G router's mounted file system present on firmware version 1.00.60 has been dumped, zipped and uploaded to here
  • All of the entries in a RTP300's /proc directory were cat-ed out to a log file found here
  • A dump of all the flash blocks from an RTP300 with firmware 1.0.55 is available here! This is different the mounted file system dumps which contain only the files from the mounted root
  • The root file system extracted from firmware version 3.1.17 is available here attachment:wrtp54g-3.1.17-root.tar.bz2
  • CyberTAN is a subcontractor for Linksys and their name appears in the router's source code (even the source code archive's name: _cyt_).
  • The VoIP daemon appears to be “RADVISION SIP TOOLKIT” (/usr/sbin/ggsip)
  • The telephony chip is the Microsemi Le88221, part of the VE880 series. Information on Microsemi Voice Products, Documentation and Software can be found here Microsemi Voice Products. Here are the GPL drivers for this hardware based on VP-API-II P2.11.3. Contact Microsemi Field Sales and Customer support for latest release of the VP-API-II.
  • A channel on Freenode #wrtp54g is where those devoted to hacking the wrtp54g and rtp300 hang out.
  • There is information about Linux on AR7 at
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2019/10/13 11:19
  • by tmomas