Anyone interested in unlocking the Vonage RTP300?

Use USB JTAG NT on VOIP device so we can unlock the device or configure the device.
usbbdm
Junior Member
Posts: 8966
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

I want to create simple steps to unlock the RTP300 from Vonage. Anyone interested? I know there is a tool out there that can do the trick. I found that only programming the config should be all it needs, but I only have one RTP300. If you have a locked RTP300 and would like to try, let me know. You can always restore it with the backed-up 4M flash.
nando29
Junior Member
Posts: 376
Joined: Sat Dec 23, 2006 7:10 am

Post by nando29 »

usbbdm wrote: I want to create simple steps to unlock the RTP300 from Vonage. Anyone interested? I know there is a tool out there that can do the trick. I found that only programming the config should be all it needs, but I only have one RTP300. If you have a locked RTP300 and would like to try, let me know. You can always restore it with the backed-up 4M flash.
I think that's a good idea, BDM.
konnan
Junior Member
Posts: 221
Joined: Tue Apr 03, 2007 7:04 pm

Post by konnan »

I'm interested, USBBDM... I have one of those Vonage VoIP.... it would be great... let us know if you need something else..
usbbdm
Junior Member
Posts: 8966
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

Did you keep the original 4M dump? I hope you did, and next time I will ask you to try the procedure to unlock using USB JTAG NT.

BTW, did you unlock the device, and what version of firmware are you running on the box now?
usbbdm
Junior Member
Posts: 8966
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

OK, here is my step-by-step to turn a Vonage RTP300 into an RTP300-NA; please test to see if it works for you. This works with USB JTAG NT; please use the latest software with RTP300 support.

1. Connect USB JTAG NT.
2. Save the boot to a file boot.bin

    detect
    getram boot
    save boot
3. Use a hex editor or USB JTAG NT to edit at address 0x900d575 (USBJTAG NT) or 0xd575. Your address might be different. It is the key of ADMIN_PWD. Replace with AB/PLgjMdnCMg (null password) or ABW9wzpK6VV4Q (Admin). I used the first one.
4. You can also replace the HWA_0 key with another MAC address. After being unlocked, this device will never get locked again. I used the address from an old network card.
5. Save the boot.bin.
6. Program the boot and erase log and config.

    erase log
    erase config
    ldram boot (your saved boot.bin)
    program boot
7. Power off on the router.
8. Go to Linksys to download the latest firmware.
http://www.linksysbycisco.com/US/en/sup ... 0/download. File name rtp300_fw_3.1.24_US.img.
9. Use a hex editor to change offset 0x17 from 4D to 4C and offset 0x3B0004 from 85 DA 20 BB to 3B A5 4D DA.
10. Go to http://192.168.15.1 with user name "admin", password "admin".
11. Go to http://192.168.15.1/update.html. This time the user name is "Admin" and the password is empty (or Admin if you used ABW9wzpK6VV4Q in step 3).
12. Select the modified firmware and wait. After the first upload it will take a few minutes to boot the first time.
Now go to http://192.168.15.1 and your router is an NA version.

Warning: this is for testing purposes, and I recommend you back up your initial 4M by getram 90000000 400000 and save it to a safe place in case you need it.
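
Added example, not part of the original post or of the USB JTAG NT software: a Python sketch that applies the step 9 edits only when the bytes at those offsets are the ones the post expects, and that reports where the ADMIN_PWD and HWA_0 key names sit in a boot dump, since the post notes the address may differ. The sample image and sample boot bytes are constructed, and the function names are this example's own.

```python
import hashlib

# Edits from step 9 of the post: (offset, bytes expected in the stock image, replacement)
FIRMWARE_PATCHES = [
    (0x17, bytes.fromhex("4D"), bytes.fromhex("4C")),
    (0x3B0004, bytes.fromhex("85DA20BB"), bytes.fromhex("3BA54DDA")),
]

def find_keys(blob, names=(b"ADMIN_PWD", b"HWA_0")):
    """Return {name: [offsets]} for each key name found in a boot dump."""
    hits = {}
    for name in names:
        offsets, pos = [], blob.find(name)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(name, pos + 1)
        hits[name.decode()] = offsets
    return hits

def apply_guarded(blob, patches):
    """Apply the patches only if every expected original byte run matches."""
    for off, old, new in patches:
        found = blob[off:off + len(old)]
        if len(old) != len(new) or found != old:
            raise ValueError(f"offset {off:#x}: expected {old.hex()}, found {found.hex()}")
    out = bytearray(blob)
    for off, _old, new in patches:
        out[off:off + len(new)] = new
    return bytes(out)

def sha256_hex(blob):
    """Digest to record next to a backup so a later restore can be verified."""
    return hashlib.sha256(blob).hexdigest()

def make_sample_image():
    """Constructed stand-in for the firmware file: zeros plus the stock bytes."""
    img = bytearray(0x3B0008)
    img[0x17] = 0x4D
    img[0x3B0004:0x3B0008] = bytes.fromhex("85DA20BB")
    return bytes(img)

if __name__ == "__main__":
    stock = make_sample_image()
    patched = apply_guarded(stock, FIRMWARE_PATCHES)
    print("stock  ", sha256_hex(stock))
    print("patched", sha256_hex(patched))
    print(find_keys(b"\x00HWA_0\x00pad\x00ADMIN_PWD\x00"))  # constructed bytes
```

A ValueError here means the file is a different firmware version, is truncated, or has already been edited, so nothing is written.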
Spudz76
Junior Member
Posts: 13
Joined: Tue May 13, 2008 1:34 pm

Post by Spudz76 »

Mine is 8MB instead of 4MB. I had trouble flashing Kernel1 while device was running so I used a trick I usually do on surfboards when I have that problem, erase boot and then cycle power so it can't run anything at all (force CPU hang, kill watchdogs, etc). On the RTP300 though, this made it so flash can't detect properly. How do I force flash type when it is CFI mode (with USBJTAGNT), it doesn't look like normal flash.xml even has the original chip def in it (S29xx064xx something, 8MB) and I don't remember the exact chip it originally detected (can look on chip physically of course, just didn't yet). Now it detects as two separate S29xx320xx series 4MB chips and will not program (or sprogram even) boot. I know of flshset command but that doesn't seem valid for CFI devices.

How can I force program boot to get it running again? There are no CFI commands in the PDF manual.
usbbdm
Junior Member
Posts: 8966
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

RTP300 is 8M not 4M.
If you have USB JTAG NT, use these commands:
tap c
tap a ffffffff
You should now see DEBUG ON.
Then type detect
If you cannot detect the flash,
type flshdct 9fc00000
If you get the flash, you are lucky. I am sure one of them will work. If your flash was detected at 9fc00000, then you need to reconfigure the xml to accept 9fc00000 as boot to program.
Spudz76
Junior Member
Posts: 13
Joined: Tue May 13, 2008 1:34 pm

Post by Spudz76 »

I get unknown type 0004/1000 with the two tap commands. Both with regular detect and with flshdct 9fc00000

Any other debrick ideas? I am mad I erased the dumb boot block thinking it would still work like modems do. Would CE pin trick do any good?

Oh and the chip is Spansion S29GL064M90TAIR4-0514MBM
usbbdm
Junior Member
Posts: 8966
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

If you need help, set up VNC and wait in the chat. I will be back in a couple of hours.
jamia744
Junior Member
Posts: 32
Joined: Fri Dec 12, 2008 9:20 am

Post by jamia744 »

Hey USBDM, I have the same one at home; I may need some help to set it up. Let me know when you will be available this weekend.
usbbdm
Junior Member
Posts: 8966
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

I normally will be in chat at night.
I have had many debrick requests recently and I think it might be time to develop a better tool to debrick the device only.
xy-Zee
Junior Member
Posts: 114
Joined: Wed Nov 01, 2006 12:51 pm

Post by xy-Zee »

Yes, that would be nice also. Thanks.
xiaoxiangzi
Junior Member
Posts: 62
Joined: Mon Dec 14, 2009 5:08 pm

I think s29gl064m90tfir3 is the most used!

Post by xiaoxiangzi »

I think s29gl064m90tfir3 is the most used! But jtagnt can't detect it!
usbbdm
Junior Member
Posts: 8966
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

xiaoxiangzi wrote: I think s29gl064m90tfir3 is the most used! But jtagnt can't detect it!
Impossible. You need to give the output window.
Is it on RTP300? Is the RTP300 working? The CFI will detect regardless of whether it is a known flash or not.
If it is a dead one, you need to debrick it.
sambul41
Junior Member
Posts: 9
Joined: Sun Jul 11, 2010 9:53 am

Post by sambul41 »

I wanted to try, but my RTP300 can't boot with no lights, probably a dead capacitor. How do I find out which one is dead?