This page provides step-by-step instructions to convert an RTL8181-based
appliance (access point, wireless router etc) into a minimalist development
board for the purpose of loading and testing Linux kernels and applications.
Before following any of these instructions, before even reading any further,
please be sure that you understand a few essential things:
you will void your warranty
you may cause irreversible damage to your appliance, as well as any
other devices connected to it
the authors of this page are not affiliated with Realtek or any hardware
manufacturer and are not in position to provide authoritative advice in any
matter involving hardware and software modifications; therefore, all this
information must be regarded as speculative, incomplete and error-prone
you are following these instructions at your own risk and liability
you get to keep all pieces
1. Choosing a device
If you got that far, you probably have one already. If you don't, you
may find this list useful.
2. Locating and identifying the serial port
If you have a device with an external serial port, you won't even have to
open the box. This is the ideal situation, however it's not the most common.
More likely you will have to open the box, expose the mainboard and locate
the internal serial port header and/or test pins.
Some information regarding the serial port location, pinout and type for
various devices is available from the
devices page (as links in the "Serial" column).
If your device is not listed, there's still hope:
Review the documentation that is already available, perhaps your device
is a re-branded version of one that's already documented
Use a circuit tester to trace the connections from pins 15 (RxD) and 17
(TxD) of the RTL8181 to the corresponding pins of one of the on-board headers.
Document your findings, share them in the
The internal serial port can operate at TTL levels (0/5V) or RS-232 levels
(+/-12V). A TTL port requires an interface adapter that converts
TTL levels into RS-232 levels. Connecting a 5-volt device directly to your
computer's serial port will damage your device, your computer or both.
If you don't know what kind of serial port you have, the
devices page may already have this
information for you. If you can't find your device in the list or if
you want to be 100% sure, use an oscilloscope or even a voltmeter.
3. Connecting and testing the serial port
Connect the device's serial port to a free serial port on your computer,
using a RS-232 adapter if required (see above). Set your terminal program
to 38400, 8N1.
No Ethernet connection is necessary at this stage.
Power on the device. If everything is OK, you will see the Linux kernel
boot messages scrolling in your terminal.
Power-cycle the device, then press Esc within a few seconds from power
on (before the kernel starts loading). The boot loader should interrupt and
drop you to a command prompt. You have a command prompt. W00t :)
4. The JTAG port
On RTL8181, the JTAG interface lines are multiplexed with the WLAN LED
control lines and GPIOB pins 5-2. Selection of JTAG mode is made by pulling
down GPIOB pin 11 at power-on.
While this project has not concerned itself so far with RTL8181's JTAG port,
Jason Hecker's website has an interesting log of his
experiments with RTL8181 and
A. The serial level converter interface
Any plain MAX232 (or equivalent) adapter should work here.
[ to be completed ]
B. The boot loader command prompt
Type "help" for a list of available commands.
[ to be completed ]
WARNING: We know about several cases where people have PWNED their
AP's by using the FLW command incorrectly. For everybody who's keen
to play with new kernels and software on their (still functional) RTL8181
device, a short public service announcement:
Unless you're upgrading your primary boot code (not recommended unless you
really-really know what you're doing), you must NEVER write to the
flash ROM area between 0-0x10000, especially if the file being written
is a firmware (CSYS) image.
Possible locations for the firmware image are: 0x10000, 0x20000
(recommended), 0x30000 and sometimes 0x40000. The area below 0x10000 is
reserved to the primary boot loader (btcode) and some non-volatile system
variables. Overwriting or otherwise damaging your primary boot loader will
render your device unusable.