nezarus
join:2008-02-07 Little Rock, AR
[Unlock] WRTP54G with Firmware 5.01.04
A couple of days ago, I bought two WRTP54G (Vonage) units.
One with firmware 1.00.62, the other 1.00.20.
cyt46 worked fine with 1.00.62; within 15 minutes I had an unlocked unit with firmware 3.1.24.
The second unit was not that lucky. As predicted by rcilink, cyt46 didn't work with 1.00.20. After messing with it a little bit, I connected the router to my modem and hit the reset button. As expected, the firmware provisioned to 5.xx (5.01.04). I tried many things with no results, but finally the following procedure worked:
- browser tab: go to 192.168.15.1 and log in admin/admin
- at the DOS prompt, run cyt46 and option 1 (starts the XML server) and leave it running
- browser tab: go to 192.168.15.1/update.html
- enter user/user
- upload modified firmware 3.1.24 (for WRTP54G-NA)
- DOS prompt: ESC from cyt46
- browser tab: start upgrade
- wait until the upgrade is loaded and the router resets
- my router didn't reset automatically, so I waited 10 min. (until the browser timed out) and hit the reset button
Now I have two unlocked WRTP54G with 3.1.24.
PS: I'm not sure if cyt46's aid for this procedure is required or not. Maybe the password for 'user' in 5.01.04 is 'user' (instead of tivonpw). Someone else can test user/user on a 5.xx router to see if it works for the firmware page.
WHEN YOU PLAY WITH FIRMWARE, THERE IS A POSSIBILITY TO BRICK YOUR ROUTER. USE THIS INFO AT YOUR OWN RISK. DON'T BLAME ME.
mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA
Thanks for sharing, and I am sure others will benefit from this. Please do let us know if your device will operate without any instability. Some of our unlocked WRTP54G-ER (not the Vonage version) seem to have run into problems, i.e. auto reboot, etc.
naskop
join:2004-06-18 Watertown, NY
reply to nezarus: I tried unlocking an RTP300 router, firmware version 5.01.04, according to the procedure nezarus used, but without success. Has anybody else had any luck unlocking routers with 5.01.04 firmware?
keprianos
@fiberlink.ro
I have the same problem with RTP300 and 5.01.0 firmware... it is locked.
Velund
join:2007-12-02 124365
reply to nezarus: Just unlocked an RTP300 with 5.01.04. The trick is to unlock the serial console (ping hack), then downgrade the firmware from the bootloader. When you have access to a shell, you can do everything you want, and all this was discussed here many times.
mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA
said by Velund: The trick is to unlock serial console (ping hack), then downgrade firmware from bootloader.
How do you unlock the serial console?
keprianos
@fiberlink.ro
reply to Velund: Can you please tell us how you unlocked the console?
Velund
join:2007-12-02 124365
reply to mazilo: Used Firefox with the Web Developer plugin to work with the ping hack. First uploaded a small shell file, with the command to change the env. var., to /var/tmp using wget, then chmod this file to make it executable, then ran it. Three groups of commands via the ping hack hole. The rest of the unlocking is as usual.
The ping hack does not work with any commands that have redirection, so I was forced to do it this slightly tricky way.
Now I have an -NA freely upgradeable with stock -NA firmware.
mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA
said by Velund: Used firefox with web dev. plugin to work with ping hack. First uploaded small shell file with command to change env. var to /var/tmp using wget, then chmod this file to make executable, then run it. Three groups of commands via ping hack hole. The rest of unlocking is as usual.
LOL. This doesn't sound like serial-console unlocking to me.
-- Mazilo always prays for FREEBIES! US Phone: +1-678-601-0907 UK Phone: +44-703-194-2574
Velund
join:2007-12-02 124365
But the result is an unlocked serial console, and the unit can be easily downgraded to a more useful firmware. Much more can be done via the ping hack (if you can throw in a shell file, you can do almost anything without opening the unit, but I doubt that erasing and rewriting the bootloader is safe using the ping hack; I crashed the router at least three times until I found the max. command line length that does not crash it).
So, I just feed 'echo "setenv CONSOLE_STATE unlocked" >>/proc/ticfg/env' that way and do the rest using the serial console.
mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA
said by Velund: But the result is unlocked serial console,
I don't think you have a serial console. What you have is a shell. A serial console can only be accessed through a USB/serial port with a USB/serial-console cable.
Velund
join:2007-12-02 124365
said by mazilo: A serial console can only be accessed through a USB/serial port with a USB/serial-console cable.
Hm... It's exactly what I have here. I used the ping hack only to change the bl env variable and get access to the bootloader command prompt using a serial cable (yes, the one connected to the 5-pin header inside the box, through an adm3202-based level converter, if you are still in doubt). Are we talking different languages?
Anyway, those who need it got confirmation that this version is unlockable and a general idea about one of the possible ways to go. I will be glad to see reports about other methods.
mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA
said by Velund: Hm... It's exactly what I have here. I used ping hack only to change bl env variable and get access to bootloader command prompt using serial cable (yes, the one connected to 5-pin header inside of the box, through a adm3202-based level converter, if you still in doubt). Does we talking different languages?
Excellent, and we are in sync! So, the problem you had was being unable to access the serial console because it was locked by default. Good job.
toro
join:2006-01-27 Scarborough, ON edit: April 19th, @10:43PM
reply to nezarus: I haven't been too lucky using nezarus's method, but the one described by Velund worked great! Very nice work!
goodchefro
join:2007-02-21 Macomb, IL
reply to nezarus: you guys really speak... different languages! Velund, or Liviu, would you guys care to explain in more layman's terms how exactly you do the procedure?
Of course, you have the right not to share... thanks.
mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA
said by goodchefro: Velund, or Liviu, would you guys care to explain in more layman's terms how you exactly do the procedure?
If I understand Velund correctly, his method requires a USB/serial-console cable to unlock through the serial-console port. Since the serial-console port is disabled by default, you will first need to enable it using SETENV through a login session. Velund used the ping hack to inject a shell to bring up a login session to enable the serial-console port using SETENV. Once that was done, he used a USB/serial-console cable to access the serial-console port to unlock his device.
Velund, please kindly verify what I mentioned above. Thanks.
goodchefro
join:2007-02-21 Macomb, IL
I guess I can make some sense of it now, thanks Mazi.
mazilo From Mazilo Premium join:2002-05-30 Lilburn, GA
said by goodchefro: I guess I can make some sense of it now, tks Mazi.
No problem.
Velund
join:2007-12-02 124365
reply to mazilo: Well. Looks like some more details are really necessary... I don't like to publish a detailed explanation of that sort because in the next firmware release the found holes usually disappear... But this time it doesn't really matter.
It is assumed that you already have a tftp server (like tftpd32) installed and running. Also, it is assumed that you have Firefox with the Web Developer plugin installed. The plugin is necessary to be able to remove the field length limit after each ping page reload.
First, make a text file (it was named "wr" in my case, without extension) in the tftp root directory, with Unix-style line terminations.
Now, log in to the router, go to the "Administration" tab, then to "Diagnostics". Click "Ping"; a new window will open.
Right-click in the new window, select the Web Developer plugin entry from the menu, then forms, then remove limits.
Type the following in the address field:
The window will reload. Now repeat the removal of the field length limit and type the following:
The window will reload again. Repeat the removal of the field length limit and, finally, type the following:
If everything went well, you'll see the current state of the bootloader environment vars in the ping result window with CONSOLE_STATE unlocked.
Now the console is unlocked, and you can do anything with the router.
Velund
join:2007-12-02 124365
edit: April 20th, @09:58AM
PS: Attempts to feed all commands in one line caused a router crash; looks like there is a quite small line buffer somewhere, so I split it. I don't pretend that it is optimal, but it worked for me exactly that way, and I have no more locked RTP300s to verify something more optimised before publishing... Should work for both RTP300 and WRTP54G, but tested only on RTP300.
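Seen from the defender's side, the "ping hack" Velund describes in his two posts above is OS command injection through the Diagnostics ping form: the field length limit lives only in the browser (hence the Web Developer plugin to remove it), the submitted value reaches a shell, and the device has a small line buffer that crashes on long input. The following is an added example, not code from this thread or from the router's firmware: a C sketch of the vulnerable command-string pattern beside a hardened handler (allow-listed target, server-side length cap, argv[] instead of a shell) and a log check that counts request lines whose target value the validator would reject. The `target=` parameter name, the 64-character cap and the sample log lines are constructed assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length cap for the ping form's target field. A constructed value for this
 * example: the thread only says the real device has a "quite small" buffer
 * that crashes when the client-side limit is removed and a long line is sent. */
#define PING_TARGET_MAX 64

/* Vulnerable pattern: the submitted value is spliced into a command line that
 * the firmware would hand to a shell. snprintf() bounds the copy, but any
 * shell separator inside 'target' still becomes a second command. Shown only
 * for contrast; nothing here executes the string. */
static int build_ping_cmd_vulnerable(const char *target, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 3 %s", target);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened check: allow-list of hostname / IPv4-literal characters, a hard
 * length cap enforced server-side, and no leading '-' so the value cannot be
 * read as a ping option. */
static int is_valid_ping_target(const char *target)
{
    size_t len = strlen(target);
    if (len == 0 || len > PING_TARGET_MAX) return 0;
    if (target[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened pattern: build an argv[] for execvp()-style execution so no shell
 * ever parses the target. Returns the argument count, or -1 if rejected. */
static int build_ping_argv(const char *target, const char *argv[], size_t argv_max)
{
    if (argv_max < 5 || !is_valid_ping_target(target)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "3";
    argv[3] = target;
    argv[4] = NULL;
    return 4;
}

/* Detection side: pull the raw target= value out of an access-log request
 * line (up to the next space or '&'). Returns 0 if the line has no target=. */
static int extract_target_param(const char *line, char *buf, size_t buflen)
{
    const char *p = strstr(line, "target=");
    size_t i = 0;
    if (p == NULL || buflen == 0) return 0;
    p += strlen("target=");
    while (p[i] != '\0' && p[i] != ' ' && p[i] != '&' && i + 1 < buflen) {
        buf[i] = p[i];
        i++;
    }
    buf[i] = '\0';
    return 1;
}

/* Counts request lines whose target value the validator would reject. The raw
 * (still percent-encoded) value is checked, so '%', '+' and ';' all trip the
 * allow-list without any decoding step. */
static int count_suspicious_ping_requests(const char *const lines[], size_t n)
{
    int hits = 0;
    char value[256];
    for (size_t i = 0; i < n; i++) {
        if (extract_target_param(lines[i], value, sizeof value) &&
            !is_valid_ping_target(value))
            hits++;
    }
    return hits;
}

/* Constructed sample log lines for the stand-alone run; not from any device. */
static const char *const kSampleLog[] = {
    "GET /ping.cgi?target=192.168.15.1 HTTP/1.1",
    "GET /ping.cgi?target=8.8.8.8;echo+x HTTP/1.1",
    "GET /index.html HTTP/1.1",
};
static const size_t kSampleLogCount = sizeof kSampleLog / sizeof kSampleLog[0];

int main(void)
{
    const char *argv[5];
    printf("argv build for 192.168.15.1: %d\n", build_ping_argv("192.168.15.1", argv, 5));
    printf("argv build for injected value: %d\n", build_ping_argv("8.8.8.8; echo x", argv, 5));
    printf("suspicious ping requests in sample log: %d\n",
           count_suspicious_ping_requests(kSampleLog, kSampleLogCount));
    return 0;
}
```

Compiles with any C99 compiler; the stand-alone main() prints the argv results and the count for the three constructed log lines. The allow-list deliberately rejects IPv6 literals; widen it with ':' only if the ping binary on the device accepts them, and in every case keep the value out of a shell string.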