Linux on Realtek RTL8181

Hacking RTL8181-based consumer devices

This page provides step-by-step instructions to convert an RTL8181-based appliance (access point, wireless router etc) into a minimalist development board for the purpose of loading and testing Linux kernels and applications.

Before following any of these instructions, before even reading any further, please be sure that you understand a few essential things:

1. Choosing a device

If you've got this far, you probably have one already. If you don't, you may find this list useful.

2. Locating and identifying the serial port

If you have a device with an external serial port, you won't even have to open the box. This is the ideal situation, however it's not the most common. More likely you will have to open the box, expose the mainboard and locate the internal serial port header and/or test pins.
Some information regarding the serial port location, pinout and type for various devices is available from the devices page (as links in the "Serial" column). If your device is not listed, there's still hope: the internal serial port will be either a TTL-level port (0/5V) or an RS-232-level port (+/-12V). A TTL port requires an interface adapter that converts TTL levels into RS-232 levels.
Connecting a 5-volt device directly to your computer's serial port will damage your device, your computer or both.
If you don't know what kind of serial port you have, the devices page may already have this information for you. If you can't find your device in the list or if you want to be 100% sure, use an oscilloscope or even a voltmeter.

3. Connecting and testing the serial port

Connect the device's serial port to a free serial port on your computer, using an RS-232 adapter if required (see above). Set your terminal program to 38400, 8N1. No Ethernet connection is necessary at this stage.

Power on the device. If everything is OK, you will see the Linux kernel boot messages scrolling in your terminal.

Power-cycle the device, then press Esc within a few seconds of power-on (before the kernel starts loading). The boot loader should interrupt the boot and drop you to a command prompt.
You have a command prompt. W00t :)

4. The JTAG port

On RTL8181, the JTAG interface lines are multiplexed with the WLAN LED control lines and GPIOB pins 5-2. Selection of JTAG mode is made by pulling down GPIOB pin 11 at power-on.
While this project has not concerned itself so far with RTL8181's JTAG port, Jason Hecker's website has an interesting log of his experiments with RTL8181 and JTAG.

A. The serial level converter interface

Any plain MAX232 (or equivalent) adapter should work here.

[ to be completed ]

B. The boot loader command prompt

Type "help" for a list of available commands.

[ to be completed ]

WARNING: We know about several cases where people have PWNED their APs by using the FLW command incorrectly. For everybody who's keen to play with new kernels and software on their (still functional) RTL8181 device, a short public service announcement:

Unless you're upgrading your primary boot code (not recommended unless you really-really know what you're doing), you must NEVER write to the flash ROM area between 0-0x10000, especially if the file being written is a firmware (CSYS) image.
Possible locations for the firmware image are: 0x10000, 0x20000 (recommended), 0x30000 and sometimes 0x40000. The area below 0x10000 is reserved for the primary boot loader (btcode) and some non-volatile system variables. Overwriting or otherwise damaging your primary boot loader will render your device unusable.
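As an added example (not part of this page or the project's tools), here is a pre-flight check you can run on a planned flash write before typing the FLW command, encoding the rule above: refuse anything touching 0-0xFFFF, and warn when a firmware image is not headed for one of the usual offsets. The flash size and the (destination, length) form of the write are assumptions; the page does not state either.

```python
# Added example: sanity-check a planned FLW write against the RTL8181 flash
# layout described on this page. Not part of the project's own tooling.

BTCODE_RESERVED_END = 0x10000                 # bytes 0-0xFFFF: btcode + NV vars (from the page)
FIRMWARE_OFFSETS = (0x10000, 0x20000, 0x30000, 0x40000)  # usual CSYS image locations (from the page)
RECOMMENDED_OFFSET = 0x20000                  # the page's recommended location
ASSUMED_FLASH_SIZE = 0x200000                 # ASSUMPTION: 2 MiB part; set this for your device


def check_flash_write(dest, length, flash_size=ASSUMED_FLASH_SIZE, is_firmware=True):
    """Return (ok, messages) for a write of `length` bytes starting at flash offset `dest`.

    ok is False when the write must be refused (it would hit the boot loader area
    or run off the end of the part). Warnings are returned alongside but do not
    make ok False; read them before proceeding.
    """
    messages = []
    if dest < 0 or length <= 0:
        return False, ["destination must be >= 0 and length must be > 0"]

    end = dest + length                        # exclusive end of the written range

    # Any range that starts below 0x10000 overlaps the reserved area, since the
    # written bytes begin at dest itself.
    if dest < BTCODE_RESERVED_END:
        messages.append(f"REFUSED: write {dest:#x}-{end - 1:#x} overlaps the btcode area "
                        f"(0-{BTCODE_RESERVED_END - 1:#x}); this would brick the device")

    if end > flash_size:
        messages.append(f"REFUSED: write ends at {end:#x}, beyond flash size {flash_size:#x}")

    ok = not any(m.startswith("REFUSED") for m in messages)

    if ok and is_firmware and dest not in FIRMWARE_OFFSETS:
        messages.append(f"WARNING: {dest:#x} is not one of the usual firmware offsets "
                        + ", ".join(f"{o:#x}" for o in FIRMWARE_OFFSETS))
    elif ok and is_firmware and dest != RECOMMENDED_OFFSET:
        messages.append(f"NOTE: {RECOMMENDED_OFFSET:#x} is the recommended firmware offset")

    return ok, messages


if __name__ == "__main__":
    # Constructed sample: a 512 KiB CSYS image at each of a few candidate offsets.
    for candidate in (0x0, 0xF000, 0x10000, 0x20000, 0x18000):
        ok, msgs = check_flash_write(candidate, 0x80000)
        print(f"{candidate:#07x}: {'ok' if ok else 'REFUSED'}", *msgs, sep="\n    ")
```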

Thanks for your attention.

Copyright (c) 2003, 2004, Streetdata Pty Ltd