Anyone interested in unlock Vonage RTP300?
-
- Junior Member
- Posts: 8966
- Joined: Mon Jul 18, 2005 9:33 pm
I want to create simple steps to unlock the RTP300 from Vonage. Anyone interested? I know there is a tool out there that can do the trick. I found that only programming the config should be all it needs, but I only have one RTP300. If you have a locked RTP300 and would like to try, let me know. You can always restore it with the backed-up 4M flash.
-
- Junior Member
- Posts: 376
- Joined: Sat Dec 23, 2006 7:10 am
I think that's a good idea BDM.
usbbdm wrote: I want to create simple steps to unlock the RTP300 from Vonage. Anyone interested? I know there is a tool out there that can do the trick. I found that only programming the config should be all it needs, but I only have one RTP300. If you have a locked RTP300 and would like to try, let me know. You can always restore it with the backed-up 4M flash.
-
- Junior Member
- Posts: 8966
- Joined: Mon Jul 18, 2005 9:33 pm
OK, here is my step-by-step to turn a Vonage RTP300 into an RTP300-NA; please test to see if it works for you. This works with USB JTAG NT, and please use the latest software with RTP300 support.
1. Connect USB JTAG NT.
2. Save the boot to a file boot.bin.
Code:
    detect
    getram boot
    save boot
3. Use a hex editor or the USB JTAG NT edit at address 0x900d575 (USBJTAG NT) or 0xd575. Your address might be different. It is the key of ADMIN_PWD. Replace with AB/PLgjMdnCMg (null password) or ABW9wzpK6VV4Q (Admin). I used the first one.
4. You can also replace the HWA_0 key with another MAC address. After being unlocked this device will never get locked again. I used the address from an old network card.
5. Save the boot.bin.
6. Program the boot and erase log and config.
Code:
    erase log
    erase config
    ldram boot (your save boot.bin)
    program boot
7. Power off on the router.
8. Go to Linksys to download the latest firmware.
http://www.linksysbycisco.com/US/en/sup ... 0/download. File name rtp300_fw_3.1.24_US.img.
9. Use a hex editor to change offset 0x17 from 4D to 4C and offset 0x3B0004 from 85 DA 20 BB to 3B A5 4D DA.
10. Go to http://192.168.15.1 and user name "admin", password "admin".
11. Go to http://192.168.15.1/update.html. This time the user name is "Admin" and the password is empty (or Admin if you used ABW9wzpK6VV4Q in step 3).
12. Select the modified firmware and wait. After the first upload it will take a few minutes to boot the first time.
Now go to http://192.168.15.1 and your router is a NA version.
Warning: this is for testing purposes, and I recommend you back up your initial 4M by getram 90000000 400000 and save it to a safe place in case you need it.
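A read-only check of a firmware image against the two byte ranges named in step 9, added here as an example and not part of the original post; the function names are hypothetical and the offsets and values come only from the post. It reports whether an image still holds the original bytes, the edited bytes, or something else (for instance a different firmware version), and writes nothing.

```python
"""Read-only check of an RTP300 firmware image against the bytes in step 9."""
import sys

# Offsets and byte values exactly as given in step 9 of the post above.
# Each entry: (offset, bytes before the edit, bytes after the edit).
STEP9_EDITS = [
    (0x17, bytes.fromhex("4D"), bytes.fromhex("4C")),
    (0x3B0004, bytes.fromhex("85DA20BB"), bytes.fromhex("3BA54DDA")),
]


def classify_image(image: bytes) -> str:
    """Return 'stock', 'modified', 'mixed', 'unknown' or 'truncated'."""
    states = set()
    for offset, before, after in STEP9_EDITS:
        found = image[offset:offset + len(before)]
        if len(found) < len(before):
            return "truncated"      # file ends before this offset
        if found == before:
            states.add("stock")
        elif found == after:
            states.add("modified")
        else:
            states.add("unknown")   # a different firmware version, or damage
    if "unknown" in states:
        return "unknown"
    if len(states) == 2:
        return "mixed"              # only one of the two edits is present
    return states.pop()


def describe(image: bytes) -> list:
    """List what is actually stored at each offset, for a human to review."""
    lines = []
    for offset, before, after in STEP9_EDITS:
        found = image[offset:offset + len(before)]
        lines.append(f"0x{offset:06X}: found {found.hex(' ').upper() or '(none)'}, "
                     f"stock {before.hex(' ').upper()}, edited {after.hex(' ').upper()}")
    return lines


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:   # path to the .img file to inspect
        data = fh.read()
    print(classify_image(data))
    print("\n".join(describe(data)))
```

A result of "unknown", "mixed" or "truncated" means the image does not match either state described in the post and should not be uploaded as-is.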
-
- Junior Member
- Posts: 13
- Joined: Tue May 13, 2008 1:34 pm
Mine is 8MB instead of 4MB. I had trouble flashing Kernel1 while the device was running, so I used a trick I usually do on surfboards when I have that problem: erase boot and then cycle power so it can't run anything at all (force CPU hang, kill watchdogs, etc.). On the RTP300 though, this made it so the flash can't be detected properly. How do I force the flash type when it is in CFI mode (with USBJTAGNT)? It doesn't look like the normal flash.xml even has the original chip def in it (S29xx064xx something, 8MB), and I don't remember the exact chip it originally detected (I can look on the chip physically of course, just didn't yet). Now it detects as two separate S29xx320xx series 4MB chips and will not program (or sprogram even) boot. I know of the flshset command but that doesn't seem valid for CFI devices.
How can I force program boot to get it running again? There are no CFI commands in the PDF manual.
-
- Junior Member
- Posts: 8966
- Joined: Mon Jul 18, 2005 9:33 pm
RTP300 is 8M not 4M.
If you have USB JTAG NT use these commands.
tap c
tap a ffffffff
You should now see DEBUG ON.
Then type detect.
If you cannot detect the flash,
type flshdct 9fc00000
If you get the flash you are lucky. I am sure one of them will work. If your flash was detected at 9fc00000 then you need to reconfigure the xml to accept the 9fc00000 as boot to program.
-
- Junior Member
- Posts: 13
- Joined: Tue May 13, 2008 1:34 pm
-
- Junior Member
- Posts: 62
- Joined: Mon Dec 14, 2009 5:08 pm
I think s29gl064m90tfir3 is the most used! But jtagnt can't detect it!
-
- Junior Member
- Posts: 8966
- Joined: Mon Jul 18, 2005 9:33 pm