Support for RTL838x based managed switches

I thought so too. Im only seeing garbage data with every baud ive tried, im pretty sure ive got the right pins. Maybe this data has to do with that POE managment mcu that was mentioned that other switches had? (this one does not have poe)

grepping in the flash image for rtl gives


This is a standard rtl838x board.

Are you sure about the pins? On the pinout of the RTL8380 the uart pins are not close to the crystal pins. And on you photo the cryptal seems to be connected to where r100 is.
I would say the pins are on the lower left side of the chip in your photo.

I think you've connected to one of the SGMII ports.

Like @kobi noted, you'll need to connect to two pins in the bottom left of your picture (rightmost is pin 109)


Totally right! I was looking at it sideways. Well guys i have this now:

                *         TP-LINK  BOOTUTIL(v1.0.0)         *
                Copyright (c) 2016 TP-LINK Tech. Co., Ltd
                Create Date: Sep 22 2016 - 15:19:03

   Boot Menu
0  - Print this boot menu
1  - Reboot
2  - Reset
3  - Start
4  - Activate Backup Image
5  - Display image(s) info
6  - Password recovery

Enter your choice(0-6)


The baud rate is 38400. What can i do now? This was some tough soldering haha

Or if i let it boot:

 broadcast            - Write message to all users logged in,at most 256
 configure            - Enter Global Configuration Mode
 copy                 - Config file commands
 debug                - Debugging commands
 enable-admin         - Achieve the admin privilege
 firmware             - Firmware commands
 logout               - Logout the system
 ping                 - Ping command
 reboot               - Reboot the system
 remove               - Config file commands
 reset                - Reset the system
 tracert              - Tracet route to destination
 clear                - Reset functions
 exit                 - Exit current mode
 history              - Display command history
 show                 - Display system information

1 Like

OK, the 38400 baud seems to be TP-Link specific. On the T2500G-10ts this was also the case, but I thought it had to do with the UART-RS232 converter. There is a CISCO style RS232 plug.
Now you need to flash a new u-boot.
I assume you have a way of not only reading the flash but also writing it with some external flash programmer.

  • Download both the T2500G-10TS GPL source code as well as the one for the T1500G-8T.
  • save ldk_realtek/realtek_v2.1.4/u-boot-2011.12/common/bootapp.c of the T1500
  • cp ldk_realtek/realtek_v2.1.4/u-boot-2011.12/common/bootapp.c from the T2500 over to the
  • make e.g. do the reboot command in bootapp.c do what the exit bootapp command does in the T2500
  • alternatively copy also the flash* utilities over from the same directory as the bootapp.c and make sure they get built
  • go to t1500g-8t_gpl/tplink/buildroot-realtek
  • make O=build/t1500g-8t tplink-t1500g-8t_defconfig
  • make O=build/t1500g-8t
  • If something fails in the build, restart with: make O=build/t1500g-8t clean
  • The build will fail at some point but should produce ./tplink/buildroot-realtek/build/t1500g-8t/images/u-boot.bin
  • Verify there is the string Tftp in the u-boot image.
  • Flash the new u-boot to the flash
    You should get more commands in the Boot Menu including one to go to the realtek OEM boot menu.
    There do the usual "rtk network on", tftpload etc.

I tried building the 2500 to see if i could i even get it to build, but i seem to have failed. Im not very experienced in building from source, I am using WSL 2 since i dont have access to a full linux machine at the moment which may be the issue.

The error i ran into i was unsure how to solve is:

/bin/bash: -c: line 0: syntax error near unexpected token `('
 /bin/bash: -c: line 0: `(cd /home/ivo/tplink-t2500g-10ts-master/tplink/buildroot-realtek/build/t2500g-10ts/build/host-ccache-3.1.7/ && rm -rf config.cache; PATH=/hom........

which seems likely to be caused by WSL. Even if i were able to get a successful build, would the u boot image just go at beginning of the flash chip? or where does its address start? Is there anywhere i can grab a compiled uboot to try flashing?

Looking at the 2500 bootapp.c, it seems to me like we could use #define UBOOT_DEBUG to get a boot menu with flashing and other debug options.

Thanks so much for your help, its great to see openwrt expand to new hardware!

That error should not happen. I actually managed to make a u-boot for the T1500. I just needed to copy all of


to the respective directory for the t1500. Then in that directory edit bootapp.c and remove the define of UBOOT_DEBUG. Build and check that symbols like "Exit menu" or "Tftp" are in the resulting binary.

A WSL installation defaults to having a bunch of Windows directories in the PATH; remove them so PATH is only Linux directories.

After doing that I've had no problems building on WSL2 with Ubuntu 20.04.


Once you flashed a full version of TP-Links own boot menu, you can exit it to the u-boot prompt choosing "14":

Hit any key to stop autoboot:  0
                *         TP-LINK  BOOTUTIL(v1.0.0)         *
                Copyright (c) 2020 TP-LINK Tech. Co., Ltd
                Create Date: Feb 29 2020 - 18:09:29

   Boot Menu
0  - Print this boot menu
1  - Reboot
2  - Reset
3  - Start
4  - Activate Backup Image
5  - Display image(s) info
6  - Password recovery
7  - Set ip address
8  - Download a image file and update
9  - Set Tftp parameter
10 - Delete the Backup Image file
11 - Download u-boot.bin and update
12 - Download profile and update
13 - Download a configure file and update.
14 - Exit menu
15 - Test flash driver
16 - Test flash driver of read
17 - Download the image and startup from RAM
18 - Upload the Inner for flash image
19 - Load software to flash

Enter your choice(0-19)

tplink> 14
RTL838x# # help
?       - alias for 'help'
base    - print or set address offset
boardid - boardid  - Get/Set board model id

boota   - boota  - boot application image from one of dual images partition automatically

bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
env     - environment handling commands
erase   - erase FLASH memory
flerase - Erase flash partition
flinfo  - print FLASH memory information
flshow  - Show flash partition layout
go      - start application at address 'addr'
help    - print command description/usage
iminfo  - print header information for application image
loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
menu    - update the image from PC
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
printsys- printsys - print system information variables

protect - enable or disable FLASH write protection
reset   - Perform RESET of the CPU
rtk     - rtk     - Realtek commands

run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
savesys - savesys - save system information variables to persistent storage

setenv  - set environment variables
setsys  - setsys  - set system information variables

sf      - SPI flash sub-system
sleep   - delay execution for some time
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
upgrade - Upgrade loader or runtime image
version - print monitor, compiler and linker version
RTL838x# # rtk network on
Enable network
Force port28 link up 1G
Please wait for PHY init-time ...

I noticed that today, support for the D-Link DGS 1210-16 landed. Unfortunately, the commit message does not mention which hardware revision it applies to.

Judging from this overview, there are two revisions of the 1210-16, and only "Version G" is based on the RTL838x, correct?

More confusingly, "Version G" has actually 20 ports (16 + 4 uplink ports) and 4 SFP ports? How are the additional ports handled in OpenWrt?

Yes, indeed. Only version G is supported. The -16 has indeed 20 ethernet ports, 4 of them duplexed with an SFP port. OpenWRT uses the PHYs default for handling these 4+4 special ports and I believe the Ethernet gets precedence over the SFP port if the corresponding ports are both connected. There is no way to choose at the moment.


Does it work on the -16 version only or can it also work on -10? I really need just something small factor, 8 ports would be plenty.

Could you please modify the submission to be specific as to the supported versions? The earlier versions use different SOCs that also could eventually gain support. The A and B versions use a Marvell Kirkwood SOC and there was a previous effort to support OpenWrt on those.

You can find everything that we know about which models and version are supported by the development branch for the rtl83xx chips here

Devices which we have tested already can be found here:

Unlike WiFi routers where there is a new generation of hardware every 2nd year, the designs of these switches have usually been stable since 10 years. However in particular DLink seems to be changing the platform for similarly named products on a regular basis, while the specs do not really change.
If you want to find out whether your device and version is supported, the easiest is to download the firmware from the vendor page for that version. Unpack it, use "binwalk -e" to extract the firmware into its components and then use "strings * | grep RTL" to look for signatures of the SDK.
If you find references to RTL8380 and RTL8390 plus maybe older versions like the RTL8328, then it is very likely supported with only some modifications in the .dts. If there are references also to RTL9300 and RTL9310, then it is probably supported, this is the latest version 3 of the SDK from Realtek also for multi-gig switches (which are presently not supported!) but might need some development still for modern features like newer PHYs or USB, even if these devices still use the RTL838X/9X chips.
If you learn something about a particular device, it would be great to post it, or edit the above wiki pages yourself (ask biot for write permission).

I recently bought a TP-Link T1600G-52PS V4 switch (48Port PoE+) that seems to be based on a Realtek chip (judging from the GPL dump). The firmware upgrade images look encrypted, at least binwalk outputs nothing.
I just did an initial disassembly and could identify a few components (the SoC is covered by a big heatsink that I don't want to remove):

  • 256MByte DDR3
  • 32MByte SPI Flash
  • RTL8214 (probably for the SFP slots)

There is a four-pin serial header, 38400 8n1. GND is easy to spot, it's either TX, RX, GND, VCC or RX, TX, GND, VCC I didn't check it further.

Unfortunately, the boot log is not very verbose:

Hit any key to stop autoboot:  1 <0x08><0x08><0x08> 0 

Begin to startup system, please wait a moment...

Starting kernel ...

***************** User Access Login ********************


Interrupting the boot loader leads to this:

Hit any key to stop autoboot:  1 <0x08><0x08><0x08> 0 
		*         TP-LINK  BOOTUTIL(v1.0.0)         *
		Copyright (c) 2019 TP-LINK Tech. Co., Ltd    
		Create Date: Aug 14 2019 - 09:58:42

   Boot Menu
0  - Print this boot menu
1  - Reboot
2  - Reset
3  - Start
4  - Activate Backup Image
5  - Display image(s) info
6  - Password recovery

This seems very similar to the T1500G posted above - I suppose, I have to flash a new (full) U-Boot. I've only got a cheap CH340-based SOIC-8 clip/flasher, but the flash IC is SOIC-16. What do you use/can I use to flash it?

I've got about a month to toy with the switch, then it needs to run our house network. I do have some experience in porting ath79 and lantiq targets, is there anything vastly different or important for this target?

1 Like

I got the T1600G-52PS v4 firmware decrypted (the firmware image is DES encrypted, the IV and KEY can be found in the U-Boot source code) and ran the binwalk -e -M command followed by string * | grep RTL on the files:

RTL8390/80/28 ICTL
RTL8390/80/28 IRQ cascade1
RTL8390/80/28 IRQ cascade2
RTL8390/80/28 IRQ cascade3
RTL8390/80/28 IRQ cascade4
RTL8390/80/28 IRQ cascade5

Grepping for boardmodel in the decrypted firmware upgrade outputs:


Looks promising, right? Now how to best flash a new U-Boot?


I would start with building a new u-boot based on the GPL-code
and make sure you get the full menu as posted above. Could you explain how you managed to extract the DES key? With regards to porting, the best starting point is to use the .dts of the Zyxel GS-1900-48 as the port-layout is probably identical and the board will be based on the RTL8393 SoC, too. Please keep us posted!

That was actually easy: I was poking through the GPL code and found the file ldk_realtek/realtek-V2.1.6.pre2/u-boot-2011.12/common/DesDecode.c. It contains the variables des_key and des_iv - to my big surprise, they were correct.
Then I used openssl to decode the image:

openssl enc -d -des-cbc -in encrypted.bin -out decrypted.bin -nosalt -nopad -p -iv $IV -K $KEY

Building it shouldn't be a problem, it seems that defining UBOOT_DEBUG might be sufficient (there is a #ifdef UBOOT_DEBUG in bootapp.c that guards most of the commands), but I have yet to find a way to transfer it to the chip. I'll order an SOIC16 testing clip and see if I can use the CH341 or a Raspberry Pi as flasher.

I've been thinking a bit about the other components: How did you figure out the protocol for configuring the PoE injector?

1 Like

Went to the wiki, but could not find a link to request an account. How do I get an account to add additional devices with detailed chipset information?