Linksys RTP300 and WRTP54G
| please merge this article with rtp300
The WRTP54G has two ports to which one can connect telephones. The RTP300 is a version of the WRTP54G with the wireless radio omitted.
| Version/Model || S/N || OpenWrt Version Supported || Model Specific Notes
| RTP300 v1.0 || - || trunk r18447 || patch required, see below
| WRTP54G v1.0 || - || trunk r18447 || patch required, see below
| CPU || RAM || Flash || Network || USB || Serial || JTAG
| AR7 || 32 MiB || 8 MiB || 4 x 1 || No || Yes || Yes
It is necessary to download the OpenWrt source code, patch it, build it, and put the resulting image on a TFTP server. Serial console access is required to flash the firmware. (Though this this situation will improve when more of the proposed patches are integrated.)
please use the "Titan"-Images, see r19022
The code in OpenWrt trunk (as of May 2010) cannot build a firmware image that can be flashed using the web interface in the Linksys firmware. Flashing firmware requires serial console access.
Opening the case
Note: This will void your warranty!
To remove the cover, peel the rubber feet off of the bottom. Remove the screws found under the feet. Finally, lift off the top cover.
The router has a serial port connector inside the case. The pinout:
| Pin 1: GND ---> @ |
| Pin 2: Not Connected ---> @ |
| Pin 3: RX ----> @ | Front of RTP300 or WRTP54G
| Pin 4: TX ----> @ |
| Pin 5: VCC ----> @ led
Do not connect the router's serial port directly to your computer's RS232 port. The signal voltage levels are not the same and you may damage the router's serial port. This is because your computer's serial port has a line driver which converts the computer's signal voltage levels to RS232 levels while the line driver was left out of the router to save money. So, you will have to attach a line driver to your router and plug your computer into the line driver. If you are handy with a soldering iron you can order a AD233AK 233A kit and assemble it to make a line driver.
The default settings for the serial port are 115200 BPS, 8-bit words, no parity, and hardware flow control. These settings may be changeable by setting the boot environment variable MODETTY.
If you have Kermit on Unix or Linux and if the router is connected to "/dev/ttyS0" on your computer, the Kermit commands to connect to it are:
C-Kermit>set port /dev/ttyS0
C-Kermit>set speed 115200
C-Kermit>set carrier-watch off
The serial port is the boot loader console. If the boot-loader environment variable CONSOLE_STATE is set to "unlocked" (rather than "locked"), then you will have three seconds to stop the boot (by pressing ESC) and receive a boot loader prompt.
If CONSOLE_STATE is set to "locked", you must find a way to execute the command:
echo "CONSOLE_STATE unlocked" >/proc/ticfg/env
… from the existing firmware, either by installing a hacked Linksys firmware, which allows logins on the console, or by using the ping hack documented in RTP300 and WRTP54G Explored.
JTAG is a standard way to gain access to the system bus of an embedded device. It can be used to reprogram the flash even if the boot loader has been damaged. The AR7 implements EJTAG version 2.6.
WRTP54G JTAG Pinout
| J3 |
| Pin 1: TRST ----> @ @ <-- Pin 2:GND |
| Pin 3: TDI ----> @ @ <-- Pin 4:GND |
| Pin 5: TDO ----> @ @ <-- Pin 6:GND |
| Pin 7: TMS ----> @ @ <-- Pin 8:GND | Front of WRTP54G
| Pin 9: TCK ----> @ @ <-- Pin 10:GND led
| Pin 11:RST ----> @ @ <-- Pin 12:NC |
| Pin 13:DINT ----> @ @ <-- Pin 14:VIO*|
*voltage reference @ 3.3 volts
This EJTAG layout should apply to all AR7-based boards with a 14-pin JTAG pinout. The same cable, used for the WRT54G (based on the xilinx III/dlc-5) as described by HairyDairyMaid, can be used with the RTP300. Debug INT pin 13 is optional. A 100-Ohm resister should be connected between pins 1 and 14.
A patched version of the JTAG utility written by HairyDairyMaid for the WRT54G can be used to reprogram the flash. A link to it and instructions will be posted here shortly.
Writing to flash using JTAG and a passive cable is slow. Writing a firmware would take hours. For this reason, it is generally used to repair only the boot loader. Once the boot loader is working again, the TFTP client in the boot loader can be used to flash a new firmware much more quickly.
The default network configuration is:
| Interface Name || Description || Default configuration
| br-lan || LAN & WiFi || 192.168.1.1/24
| eth1 || LAN ports (1 to 4) || None
| eth0 || WAN port || DHCP
Firmware Dumps for Study
CyberTAN is a subcontractor for Linksys and their name appears in the router's source code (even the source code archive's name: _cyt_).
The VoIP daemon appears to be "RADVISION SIP TOOLKIT 18.104.22.168" (/usr/sbin/ggsip)
The telephony chip is the Microsemi Le88221, part of the VE880 series. Information on Microsemi Voice Products, Documentation and Software can be found here Microsemi Voice Products
are the GPL
drivers for this hardware based on VP-API
-II P2.11.3. Contact Microsemi Field Sales and Customer support for latest release of the VP-API
A channel on Freenode #wrtp54g is where those devoted to hacking the wrtp54g and rtp300 hang out.