http://192.168.15.1/resync?C:\Documents%20and%20Settings\Jan\Desktop\spa001310126DCA.xml user/8995523 or user/7756112 7756112 8995523 78196365 50274537 5465866 user/8995523, 7756112, 78196365, 5465866 user/tivonpw for factory reset: administrator,8995523 for firmware upgrade user,7756112 Vonage: RT31P2_v1.30.01_000_VM_3.1.06_LI_combin_code.bin ROUTER_00001308.bin 0x0008955C - R31P NA: RT31P2_NA_v1.30.04_000_VM_3.1.07_LIa_combin_code.bin ROUTER_00001304.bin 0x00089E10 - P2NA What eeprom type in rt31p2 ? There are two chips to this device. RT31P2 SST - 39VF080 (TSOP 40) - VOICE ! ...Router MX - 29LV160BTTC-90 - Router ! ...Voice If people are interested in my ROM dump and xml file, I have posted it for others to try. It has the dump of the voice chip, the factory reset config file, the salted xml file and the decoded xml file. You can use this to flash your own chip and check out your router. The voice chip is the smaller SST - 39VF080 (TSOP 40). rt31p2 has an arm9 cpu+2m flash (mx29lv160) and vcd controller+1m(sst38vf080) flash. arm9 and vcd runs independently. All functions concerning router realized by arm9 and all functions concerning voice realized by vcd. When you try to config your voice, arm9 sends your password to vcd controller to verify it and then vcd send out the web to arm9. vcd never sends out password and just receives password for verification. The arm9 communicates vcd through IO bus ( it is nothing to do with the ethernet transformer). I dumped a NA 2m flash and burned to a locked 2m flash. The device is still locked. When I disassembled the 1m flash, the router worked well, click voice tab, "can't load web" displayed. This confirmed my analysis. When I try to burn the 1m flash, the device was broken due to short-circuit (my poor soldering). So if you don't know the communicating protocol between arm9 and vcd controller, don't waste your time to crack it. The only way is to disassemble the 1m flash and burn it. 1. Soldered in a header for the serial port. Dead- appears that it is disabled or not configured. Pinout for serial port is same as wrtp54g: pin1.... GND (this is nearest to flash chip) pin2.... n/c pin3.... RX pin4.... TX pin5.... 3.3v http://www.dslreports.com/forum/remark,14707195~start=100 Then try to identify the change locations in a dump of a -VD version. They are stored in the same location from 01000-0ffff and 11000-1ffff. I'll upload a dump I got from the yahoo group I'm in. You can read this with any hex editor. Also the areas to change that hold the serial and stuff are: F0000 - MAC address (In Hex) F0020 - Serial Number F0040 - ATA ID (ie. PAP2-NA) F0060 - Hardware Version ID (ie. 0.03.4) http://www.dslreports.com/r0/download/1003307~6a98a45211bc78b6024cd76f8c07c9e8/Linksys-PAP2-2.0.12(LS)_ROM%20DUMP%20of%20PAP2%20Flash%20Chip.zip Locked to Vonage Linksys-PAP2-2.0.12(LS)_ROM DUMP of PAP2 Flash Chip.rom vonagert31p2.zip 1,040,587 bytes I spent lots of time to study my rt31p2 through JTAG, RS232, tftp. I succeded to upload a NA firmware to it, but it didn't work. I think that the bootloader and config parameters in NA are different from VONAGE. Finally I disassembly the flash from RT31P2 and read out the whole flash. Here is the analysis of the image: 00000000h~001dffffh firmware 001e0000h~001effffh configuration 001f0000h~001fffffh bootloader The attached file is the whole image (based on vonage RT31P2_v1.30.01_000_VM_3.1.06_LI_combin_code.bin). This image doesn't woek due to the imcomplete part of configuration. Is there anyone can send me a NA image? Thank you. The following are some contents: 001e0000h: FE 02 00 98 00 00 00 00 00 00 00 00 C0 A8 0F 01 ; ?.?.......РЈ.. 001e0010h: FF FF FF 00 FF FF FF FF FF FF FF FF 00 00 00 00 ; џџџ.џџџџџџџџ.... 001e0020h: C0 A8 0F 64 32 00 01 00 61 64 6D 69 6E 00 00 00 ; РЈ.d2...admin... 254 2 0 152 192 168 15 1 255 255 255 0 192 168 15 100 50 admin 001e4800h: FE 02 00 40 00 00 00 00 00 00 00 00 C0 A8 0F 01 ; ?.@........РЈ.. 001e4810h: FF FF FF 00 FF FF FF FF FF FF FF FF 00 00 00 00 ; џџџ.џџџџџџџџ.... 001e4820h: C0 A8 0F 64 32 00 01 00 61 64 6D 69 6E 00 00 00 ; РЈ.d2...admin... 001e9000h: FE 02 00 40 00 00 00 00 00 00 00 00 C0 A8 0F 01 ; ?.@........РЈ.. 001e9010h: FF FF FF 00 FF FF FF FF FF FF FF FF 00 00 00 00 ; џџџ.џџџџџџџџ.... 001e9020h: C0 A8 0F 64 32 00 01 00 61 64 6D 69 6E 00 00 00 ; РЈ.d2...admin... 001f0000h: 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 ; .?amp;#159;??amp;#159;??amp;#159;??amp;#159;? 001f0010h: 18 F0 9F E5 00 00 A0 E1 18 F0 9F E5 18 F0 9F E5 ; .?amp;#159;?. с.?amp;#159;??amp;#159;? 001f0020h: 54 00 FF FF 40 00 FF FF 44 00 FF FF 48 00 FF FF ; T.џџ@.џџD.џџH.џџ 001f0030h: 4C 00 FF FF 00 00 00 00 AC BD 3C D0 50 00 FF FF ; L.џџ....ЌНаP.џџ 001f0040h: FE FF FF EA FE FF FF EA FE FF FF EA FE FF FF EA ; ?џъўџџъўџџъўџџ? 001f0050h: FE FF FF EA E0 00 9F E5 24 10 90 E5 DC 00 9F E5 ; ?џър.Ÿ?.??Ÿ? 001f0060h: 00 10 A0 E3 08 10 80 E5 00 10 E0 E3 0C 10 80 E5 ; .. у..€?.ру..€ A little something to end my day here with. This comes from the vonage 1.30.01 firmware. All these (with the proper permissions met) can be accessed by tailing this on the end of the IP: "http://192.168.15.1/[file].htm" Setup Tab Basic Setup - index.htm (also setup.htm) DDNS - DDNS.htm Mac Address Clone - WanMAC.htm Advanced Routing - Routing.htm Security Tab Filter - Filter.htm VPN Passthrough - PassThrough.htm Voice Tab System - Voice_Setup.htm Line1 - Voice_Line1.htm Line2 - Voice_Line2.htm Applications & Gaming Tab Port Range Forwarding - Forwarding.htm Port Triggering - PortTrigger.htm UPnP Forwarding - UPnPForward.htm DMZ - DMZ.htm QoS - QoS.htm Administration Tab Management - Management.htm Log - Log.htm Factory Defaults - FacDefaults.htm Firmware Upgrade - Upgrade.htm Status Tab Voice - Voice_Info.htm Router - RouterStatus.htm Local Network - LanStatus.htm Hidden Information: DebugInfo.htm Voice_adminPage.htm (This is what everyone is after. Just like the PAP2) Voice_adminPage_b.htm Voice_error.htm (Brings to Line1 config under Voice) SysInfo.htm LogManage.htm HideSystemMenu.htm InternetFilterIP.htm (Hidden or attached?) BetaConf.htm Pages in the ROM, but no page: PTTable.htm FilterMAC.htm Ping.htm index_UPnP.htm (Strange) Pages attached to other pages: Auth_req.htm (Password screen for Factory Reset) BackupnRestoreCfg.htm DHCPTable.htm RouteTable.htm FilterMACTable.htm outLogTable.htm inLogTable.htm reload.htm For the wireless router, not in rt31p2: Wireless Tab: Basic Wireless Settings - WLbasic.htm Wireless Security - WPA.htm Wireless Network Access - WLNetwork.htm Advanced Wireless Settings - WLAdvanced.htm Pages attached to other pages: WEP.htm Various Help Screens: HWPA.htm HVPNpassthrough.htm HUPnPForward.htm HUpgrade.htm Htriggering.htm HSetup.htm HRouterStatus.htm HRdefault.htm HRangeForward.htm Hmanagement.htm Hlog.htm HLocalStatus.htm HFilter.htm HelpRoute.htm HelpDDNS.htm HelpMac.htm HelpDMZ.htm Calls to XML files - can we use this? Are there others? Tail this on the end of your IP Example: "http://192.168.15.1/rootDesc.xml" rootDesc.xml Layer3Forwarding.xml WANCfg.xml WANIPCn.xml -------------------- Don't mix firmware, period. The chipsets used are different. With that said, I have dumped the firmware from a true RT31P2-NA with v1.20 FW. If someone can take this info and make an upgrade FW and change the headers to a vonage load - it would be greatly appreciated! This is from a virgin -NA.... The only real benefit you get with the router dump is the tag identifying as a -NA (P2NA) and not a -VD (R31P). The firmware is identical between Linksys and Vonage with exception to some page wording. The voice is the same between the two. I took my dev box which is a vonage and put the -NA router chip in and it booted just fine with the -VD voice chip - they are compatible. The only difference in the vonage voice chip is it is programmed to load the vonage config upon a factory reset - that's it! If you look page by page of the two - it's the same. The true -NA has the same pages as the unlocked -VD along with the same links. What makes this dump valuable is that is has the voice version of 2.0.10(LIc) which has the theory that if it is locked that it follows the same rules as a PAP2 with the same FW that it can be unlocked with plain XML. Since I can't make "applesauce" out of these "apples", maybe someone else can. All the information needed to extract the firmware and make an upgrade FW is here. Good luck! ------------------- If you have the unit open you should try resetting the SST flash memory by briefly taking SST pin #22 (CE#) high (3.3v?). This in theory should force the unit to grab a new FW from your TFTP server. Do _NOT_ try this if pin #22 is soldered down to the ground plane (you will damage the router!). This will _ONLY_ work if pin #22 on the SST39LF080 is connected to VSS with a soft pull (eg 4.7k resistor; looking at your picture it doesn't look like this pin is soldered into the ground plane; check with an ohmmeter what you see between pin #22 and VSS). Pin #22 is the adjacent pin next to the first pin on the opposite side of the chip key (the "circle" on the TSOP plastic package). Check the SST data-sheet if unsure. Hopefully this way you'll get the FW into the box. Good luck! BTW, forgot to mention: the shorting of SST pin #22 to VDD/3.3v should be done using a 5-10k ohms resistor. After you have the HW setup ready, just power up the box and it should take the new FW.