said by Velund :

The trick is to unlock serial console (ping hack), then downgrade firmware from bootloader.

said by Velund :

Used firefox with web dev. plugin to work with ping hack. First uploaded small shell file with command to change env. var to /var/tmp using wget, then chmod this file to make executable, then run it. Three groups of commands via ping hack hole. The rest of unlocking is as usual.

said by Velund :

But the result is unlocked serial console,

said by mazilo :

A serial console can only be accessed through a USB/serial port with a USB/serial-console cable.

said by Velund :

Hm... It's exactly what I have here. I used ping hack only to change bl env variable and get access to bootloader command prompt using serial cable (yes, the one connected to 5-pin header inside of the box, through a adm3202-based level converter, if you still in doubt). ;) Does we talking different languages? ;)

said by goodchefro :

Velund, or Liviu, would you guys care to explain in more layman's terms how you exactly do the procedure?

said by goodchefro :

I guess I can make some sense of it now, tks Mazi.

said by Velund :

... I don't like to publish detailed explanation of that sort because in next firmware release found holes usually disappears..

said by mbuugg :

I then got the -ER dump from Mazi (thanks Mazi) and JTAG flashed the whole dump. After flashing, the router will only respond to ping, nothing else will it do. This looks like the same situation boredwild had met (»wrtP54g unbrick restore help). So I emailed him how he got his to work. He told me he bricked his wrtp54g a second time, and the second time he flashed the -ER dump, the router did not work. However, he got a Vonage 5.01.04 dump which worked with user/user and had Admin password blanked, and he flashed that dump. Now I am waiting for his Vonage 5.01.04 dump to see if it will revive my wrtp54g. Any idea or flash dump that may save the wrtp54g are welcomed. Thanks.

said by mbuugg :

I do see some changes in the boot partition 0xb0000000-0xb000ffff, and it appended a default set of boot_env after the original boot_env that is already in the boot_env partition 0xb0010000-0xb001ffff.

said by mbuugg :

Loaded the modded firmware 3.1.24 then 3.1.27.

said by mbuugg :

Yep. The mod is in the same way as previous versions.

offset 17H: 4D -> 4C
offset 3b0004: B0 C9 8B 1C -> 0E B6 E6 7D

Thanks, I modded the firmware version 3.1.27 NA and successully upgraded my vonage wrtp54g originally with 3.1.27 ETSI.

said by toro :

..., does anyone know what "ETSI" means in some of the firmware versions for the RTP300/WRTP54G ?

said by toro :

Thanks, I think you're on the right track, it may also be European Telecommunications Standards Institute (according to »en.wikipedia.org/wiki/ETSI).

Either way, something do do with European regulations.
And it kind of make sense, because all the ETSI firmware links at »wiki.openwrt.org/OpenWrtDocs/Har···/WRTP54G point to European VoSPs.

said by wolfboy :

Successfully unlocked the serial console on WRTP54G with Firmware 5.01.04 using the methods Velund mentions in the prior page

However 0.0.0.0 did not work I had to use 127.0.0.1 instead in all the places he had 0.0.0.0

Can someone point me to instructions on how to use the serial console to unlock?

I second this. I have my serial voltage converter at the ready. I just need the pinout of the serial connector, and the commands needed to upload and flash the new firmware file. I have an rtp300 with v5.01.04, which does NOT revert to an earlier firmware when reset, and NONE of the previously posted un/pw combinations work in the web interface.

Another question i've got is about the CRYPT_KEY and ADMIN_PWD contained in the output from cat /proc/ticfg/env. The key displayed does not seem to allow me to decrypt either version of my ti001310xxxxxx.xml file (the router tftps two slightly different copies from two different directories), and the password doesn't work for anything in the web interface.

However I could not get my serial console to post anything. If you get this working let me know which jumper is the serial console on the board (J1 with pins or J3 needs soldering?)

said by herrdude :

I followed Velund's instructions on the first page using the ping hack. I had to substitute 0.0.0.0 with 127.0.0.1. I managed to get the message: control state unlocked.

I had read in another post that a quick way to get rid of the vonage provisioning was to use the following command through the ping hack with the following command: dd if=/dev/zero of=/dev/mtd/9. Would this work?

said by boredwild :

Dogface05, can you tell us what you charge to unlock the ACN SPA-2102?

said by jetzhu :

The following method is untested, just an idea:
Possible to change the firmware from 5.01.04 directly to modified 3.1.24 NA which is created by the following steps
»Re: New WRTP54G-NA firmware 3.1.24 released 3-27-07
For RTP300
1. Download the RTP300 3.1.24 firmware from the linksys site (»www.linksys.com/servlet/Satellit···ondetail)
2. use HexEditor change offset 0x17 from 4D to 4C.
3. At offset 0x3B0004, change 85 DA 20 BB to 3B A5 4D DA
For WRTP54G, WRTP54G have different pattern
2. Change HEX offset 0x17 from 4D to 4C
3. Change HEX offset 0x3B0004 from 71 FB 16 5F to CF 84 7B 3E

said by a94cobra :

I tried this on a WRTP54G with the 5.01.04 and was successfull. At first upon reboot the router seems bricked. Computer would not get an IP. Even after power cycle. But after the 10sec reset, it came up and I logged in to see 3.1.24 Voice section is there and reports 3.1.22

said by a94cobra :

I went from 5.01.04 to 3.1.24

Successful.

said by Phoenix2088 :

I have followed jetzhu's instructions and I think I almost got it. However at the last ping hack step
(127.0.0.1 &&sh /var/tmp/rf) I get the following.

wget: number of URLs: 1Trying URL 'tftp://192.168.15.100/von10062.bin'TFTP: opt.output_document is NULL!Retrieve - Success
The router's (WRTP54G) power light does not blink and is still running firmware 5.01.04. If anyone can help me and point out what I might have done wrong it would be greatly appreciated.

Background Info:
Running TFTPD32, AV and Firewall off during ping hack. Firmware is in Program Files/tftp32 directory as well as the rf file. TFTP32 is set to use the previously mentioned directory as root. I have already successfully ping hacked to unlock the console.

said by Phoenix2088 :

It blinks for about 2-3 minutes. If the power continues to blink, try doing a hard reset (paper clip for 10-15 seconds).

said by ogdensburg :

Tried to upgrade the firmware. For some reason,the upgrade failed and now my WRTP54G power light keeps blinking. Anyway to recover it?

said by mazilo :

Otherwise, you will probably need to ask someone to dump the whole Flash using a JTAG cable, modify the S/N and MAC Addresses, then upload to your WRTP54G using aJTAG cable. This may take more than 40 hours using an unbuffered JTAG cable.