RTP300/WRTP54G Finally Unlocked!

Discussion in 'Other Linksys Equipment' started by mazilo, Apr 10, 2006.

  1. mazilo

    mazilo Network Guru Member

    To all RTP300/WRTP54G owners,

    Here is how to can completely access (unlocking) your units: Read all posts right below this post (and on for its discussions), particularly where the mention of RC4 (link to rc4.c file) posted by czyc. If you read those posts, you will notice there's a link where you can download a copy of rc4.c file (Sorry, I don't want to risk myself to provide the link here). The reason is simply this particular rc4.c file was once released on to some of the cyberphunks boards by some crackers. Accordingly, it was a reverse-engineered code based on the RSA encryption code which is protected by the US gov. Be sure to download this rc4.c file. On a Linux machine, you can just type this cc -o rc4 rc4.c to compile the rc4.c file into a binary program.

    Anyway, once you obtained the code, here is what you need to do:
    1. Factory reset your RTP300/WRTP54G unit. Remember, you will need to perform a factory reset on the Router + Voice which may take more or less of 40 seconds to hold the pin reset button. If you just press the reset button for less than 30 seconds, you will only perform a factory reset on the router and all the provisioned information on your RTP300/WRTP54G by Vonage are still there.
    2. Use this trick to access the Voice_adminPage to retrieve all the information you will need, i.e. the encryption key, the TFTP/HTTP servers, firmware name, and the directory to obtain the XML file.
    3. On a Linux (you will have to port this to other OS platform other than Linux) machine, just compile the rc4.c file, i.e. cc -o rc4 rc4.c, and use it to decrypt the XML file, i.e. rc4c "key" < ti1234567890.xml > ti1234567890.xml.txt, where ti1234567890.xml.txt is your decrypted XML file.
    4. Once decrypted, you can see the Admin password, make the necessary changes to the Admin password, provision rules, re-encrypt the XML file, and have your unit provisioned with the newly re-encrypted XML file. This way, you can freely access your units; however, clicking the Voice menu will still lead you to the nasty message. To access the Voice page, your will point your browser to this Voice_adminPage page, instead. (NOTE: This was added later on).
    Please notice here: I provided the above mentioned information only for the shake of education here. If you render your device to useless and/or Vonage (or your VoSP) has terminated your accounts and starts charging you for some fees because you have modified your RTP300/WRTP54G based on the above information, you are responsible to what you have done. You have been warned!

    Good luck to you all.
  2. czyc

    czyc Network Guru Member

    RC4 was a trade secret that was leaked, but it was never patented so when it was leaked, there was no legal way for RSA to supress it. It is now so public that it is included in the linux kernel. Anyway I'm 99.9% sure there is no risk in linking to that source file. http://www.uqtr.ca/~delisle/Crypto/codes/rc4/rc4.c There is also a perl version there for those without a C compiler.
  3. mazilo

    mazilo Network Guru Member

    That's good to hear this information.
  4. mazilo

    mazilo Network Guru Member

    For those who use RTP300, you may want to consider flashing your units with this modded RTP300-NA v3.1.10 firmware. With this firmware, it's reported your RTP300 will turn into an RTP300-NA. Of course, if your RTP300 serves Vonage services, then it won't be a good idea to do so.
  5. zackmario

    zackmario LI Guru Member

    Ok, voice tab now unlocked and available for SIP settings

    I was able to flash the unit to get access to the voice tab. You have to unzip the file before you upgrade the firmware.

    Two questions.

    1. How do I flash the firmware again if I need to. The username password seems to have changed

    2. Im not able to get the unit to register with FWD. Is there some other way to tell if the SIP part is working ok?

  6. zackmario

    zackmario LI Guru Member

    Ok, the new userid is still admin and the password is empty.

    I still cannot get the SIP to register with FWD. Any suggestions?
  7. 0wned

    0wned Guest

    I did the webcm hack and I was able to view the filled in text boxes on the Voice - Provisioning page, but I can't figure out where the path to the xml file is. I have Vonage TFTP servers listed, and a provisioning file path. However the path is not sensical and is a random 10 digit string.

    I tried hard resetting the device again and got the same results.

    Any ideas? I can post up all the info from the page here if that is allowed.


  8. bigern

    bigern Guest

  9. Bill_S

    Bill_S Network Guru Member

  10. Tommate

    Tommate Guest

    how to upgrade the firmware, so?!

    This post didn´t teach how to upgrade the firmware.
    I have the file but I can´t log in with other permission to do the job!!

    I´ve tried:
    log/pw: admin, admin; user, tivonpw; Admin, ' ';

    I´m from Brasil, and we don´t have Vonage to use.
    Does anyone know how to unblock the WRTP54G?

    Thanks!! :)
  11. mazilo

    mazilo Network Guru Member

    A firmware upgrade is based on a USER_MODE that requires a user password.

    The tivonpw is a Vonage assigned user password. Unless you have connected your device to the Internet and let it phone home to get provisioned by Vonage, you really won't know the user password of your device, let alone trying to perform a firmware upgrade.

    There are several ways to unlock an RTP300/WRTP54G. One way is explained on the very first post in this thread. The other way is to use the CYT Unlocker program. Another way is to flash your device with a modded NA firmware.
  12. ittome

    ittome LI Guru Member

    A Success Story: Unlocking a Linksys RTP300

    I got a Linksys RTP300 on eBay. It was locked to Vonage (no access to the Voice tab) but I bought it to use for a bring your own VoIP provider. I started doing research, including a few forums such as this one, and I wanted to share what worked for me. It did have an older firmware on it (something like 1.00.62) so first thing I did was download the latest from Linksys (3.1.17 NA) but the unit will not allow it to load since I didn't have the NA version of the router (it will let you use a modified file).
    To gain access to the Firmware Update portion of the router use these steps:

    1. Download the firmware for your device that you wish to upgrade your device with.

    2. Using a web browser, open a page at: » (or use the IP you set on it)

    3. Login or use the default (username=admin password=admin)

    4. Change URL to: »

    5. At this 'login' screen, enter:
    username= user
    password= tivonpw

    6. Follow directions to upgrade firmware that show on screen.

    I found a modified version of the latest firmware (rtp300_fw_3.1.17_US.von.img) at http://www.dslreports.com/forum/remark,16739699 - (please refer to this post to get the firmware and instructions. Posted 2006-08-19 15:28:16). Thank you, meister_sd.

    After a few minutes, it did reset the router after it was finished (I did not have to do this manually like I saw listed on some posts). After that, I was able to log back into the router (everything reset to default) and the Voice tab was available (with advanced, user & admin links not having any password set). I reset it up for my LAN and I set it up with the settings I got from ViaTalk. I got a test number and my phone worked over the Internet. A few weeks later I had my number ported.

    Some possible logins/passwords:
    Admin / Admin or blank
    admin / admin
    user / user
    Support / tivonpw
    user / tivonpw

    Some other things I would have tried next include:
    = Downloading this mod'd firmware 3.1.10 to make it rtp300-NA accessible voice tab login: admin pw: is blank http://www.dslreports.com/r0/download/993700~cbeba4a5abc2610f975df0e907f104aa/rtp300-3-1-10.zip or find 1.00.62-NA.
    = Using the CYT unlocking software that works with more than just the RTP300 (just do a search in the forums for CYT).
    = Try VuckFonage.
    = Try using openwrt or tftp or command-line (but ssh did not work with the locked router or with the mod'd firmware).
  13. ittome

    ittome LI Guru Member

    Anyone know if there is a memory leak or other problem with this router (Linksys RTP300)? Because I have problems with the VoIP (voice breaking up) after running bit torrent on a computer connected to the router.
  14. dshinnick

    dshinnick Guest

    Safe to install latest Linksys firmware?

    Hey gang-

    I have an RTP300. I installed the 3.1.0 firmware which enabled me to unlock the Voice screens. Everything is fine, it's working, but the voice quality doesn't seem quite as good as with the PAP2 I was using. I'd like to install the latest Linksys firmware, the 3.1.24, but I don't want to risk re-locking the box and then being unable to unlock it again. Is it safe to install this latest firmware?

    Thanks much!

  15. ittome

    ittome LI Guru Member

    You may not be able to upgrade the firmware unless you get a modified (unlocked NA) version.
  16. pclinc

    pclinc LI Guru Member

    THANK YOU ! I recent tryed this on my RTP300. and it worked to a T. Got in to do what I wanted to do. Thank you Again
  17. monnewbie3

    monnewbie3 LI Guru Member

    modded firmware link.

    Hey guys, anyone have a link to the modded -NA firmware to unlock the RTP300. I can't seem to find it anywhere.

    Thanks :)
  18. mazilo

    mazilo Network Guru Member

    You can DIY and the link is here.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice