Linksys WRV54G

REDIRECT Linksys WRV54G v1

Wayback Machine: http://web.archive.org/web/20070419122346/http://www.seattlewireless.net/index.cgi/LinksysWrv54g Linksys WRV54G
 * http://www.seattlewireless.net/index.cgi/LinksysWrv54g • Seattle Wireless

Hardware Info

 * CPU: Intel FWIXP425AB (266MHz) • IXP425 A0 stepping chip
 * It is a real IXP425, and not a IXP422 (IXP425 sans ADSL components)


 * Flash: 8MB (64Mbit) Intel E28F640J3A120 (Strata flash J3)
 * RAM: 32MB (128Mbit x2), PC133 (6ns)

HardwareComparison | AccessPointsRouters/802.11g | LinksysWrv54g | LinksysWrt54g | WAP54G

Linksys wireless VPN router

General Info
Mailing list hosted at colliertech.org Notes on the LinksysWrv54g Got Shell? Files Examining the filesystem Basic Layout OpenRG Wireless Driver Useful Links License Issues Environment Setup Firmware File Format Replacing the Root Filesystem Environment Setup 2 C.J.'s observations Hardware Info JTAG Serial Port Notes Take-Apart Notes /proc Stuff GPIO Information Firmware RG Bootloader Firmware 2.10 notes Linux 2.6.13 kernel + jffs2 + 2 miniPCI slot working 1. General Info This is a Linksys wireless VPN router. [WWW] Homepage.

wrv54g

IMG_4172thumb

p403050915 [WWW] bigger image

p403050916 [WWW] bigger image

Linux Kernel: 2.4.19.openrg-rmk6-ds1

Ports: Power Internet: One 10/100 RJ-45 port for Cable/DSL Modem LAN: Four 10/100 RJ-45 switched ports Buttons: Power Switch, Reset Button Speed: 54Mbps (Wireless), 10/100 Mbps (Ethernet)

LED Indicators: Power DMZ: Diagnostics (RED) Internet: (Wireless) Link/Act Wireless-G: Link/Act LAN [1-4]: Link/Act Channels: 11 (USA)

Power: 19 dBm TX (claimed in manual) Dimentions: (WxHxD) 7.32" x 6.89" x 1.89"

We thank Linux Fund for kindly donating WRV54G hardware for testing

[WWW] LinuxFund Website

(This page is messy as it holds all my notes for now. I'll come around some time to clean it up)

1.1. Mailing list hosted at colliertech.org Mailman listinfo [WWW] wrv54g.

1.2. Notes on the LinksysWrv54g Firmware is a kernel (zImage) plus an initrd Initrd is hidden inside the firwmare - approximately 788041 bytes into 2.03 firmware is the gzip header. Decompress it and you'll get an ext2 filesystem image. Hardware appears to be an Intel [WWW] IXP425 CPU This is an ARM-based CPU, unlike the LinksysWrt54g and LinksysWAP54G, which use a Broadcom MIPS32 CPU. I would guess that there is 32MB of RAM on this device - the decompressed ext2 filesystem is 14MB in size. The card is probably a miniPCI card, and it looks to be built into the kernel. The miniPCI card in the kernel would probably be an Intersil 802.11g based card, given the numerous 'prism' strings See below for more details on this card - there's a Linux driver that's GPL! The hardware is operating in big endian mode. This is contrary to most ARM systems which run in little endian mode. The reason is that the IXP NPEs are only usable in big endian. The Intel access libraries do not support little endian mode. Software uses OpenRG [WWW] products which is based on MontaVista Hardhat Linux All /bin/init does is call /bin/main_task which appears to be it Strings to set up networking Strings for dynamic dns service eth0 is wireless Webserver is in here, it appears WAN might be eth2, leaving LAN as eth1 Everything is done here, not much else is done outside Other than main_task, the other supporting apps include pppd, snmpd, busybox and a few others. IPSEC provided by FreeS/WAN. The Intel page mentions RedBoot support - could that be the bootloader used? The IXP425 has hardware accelleration for encryption/decryption (AES, DES and 3DES), as well as ethernet accellerators. There is a software library that can be obtained from Intel (see link below) to get this library. 1.3. Got Shell? There doesn't appear to be a shell, other than what busybox might contain

There appears to be a shell in the OpenRG filesystem - dbc

file reports the binaries in the OpenRG directory are i386 binaries for some reason, so that won't work:

bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

Interesting. I just confirmed this by executing every file in the /usr/local/openrg/armsaeb/armv4b-hardhat-linux/bin directory. The sbin directory is the same way.

Note: These are x86 binaries because they are linking onto you host system when you loop mount the file system:

/usr/local/openrg/armsaeb/armv4b-hardhat-linux -> // The real binaries for the system are under mnt/cramfs which is not actually a cramfs file system on this platform (though it is on some other OpenRG platforms).

(Firmware + source distro observation only)

1. Standard Busybox should contain lash (lame-ass shell), and the file sh.c is included in the source.

2. Interesting

/mnt/cramfs/bin# strings main_task |grep shell Exit from main_task and open a shell on the serial console main_task_exit_and_shell Spawn busybox shell in foreground shell 3. (taken from the openrg_features.txt file and the .rg_configure file)

[...] Web Based Management CONFIG_RG_WBM HTTP Server CONFIG_RG_HTTPS Telnet Server CONFIG_RG_TELNETS <-- Yay? SysLog CONFIG_RG_SYSLOG Command Line Interface CONFIG_RG_CLI [...]

(.rg_configure) CONFIG_RG_TELNETS=y cCONFIG_RG_TELNETS=1

4.

/mnt/cramfs/bin# strings main_task |grep telnet Can't open telnets Can't open telnet master server on port %d Error in mt_telnet_server_open(htons(23), 0) Error in mt_telnet_server_open(htons(8023), 0) Error in mt_telnet_server_open(htons(992), 1) sec_incom_telnet_992 < Telnet SSL? sec_incom_telnet_8023 < Telnet Proxy? sec_incom_telnet_23 < Telnet (23)? %s:%d: Remote telnet client contradiction %d telnets_send_if_need Remote telnet client doesn't support needed option %d %s:%d: Bad formatted telnet msg telnets_read %s:%d: Bad formatted telnet msg - unknown char It appears that [WWW] Busybox has been built with the shell in it, but they haven't given us any symbolic link to it.

All of the "spawn busybox shell" and "telnets" stuff seems interesting, also.

2. Files 2.10 Firmware has been released, WPA support is here. [WWW] Changelog

Firmware (2.03) [WWW] 2.03 (FTP)

Firmware (2.10) [WWW] 2.10 (FTP)

Source (2.03) [WWW] 2.03 (104MB!!)

Source (2.10) [WWW] 2.10

Pictures: Big. From FCC; sorry, uncompressed [WWW] http://linuxfund.org/~collord/wrv.pdf -JerrittCollord

2.1. Examining the filesystem Extract the compressed {ext2} filesystem from firmware 2.03 like this:

Extract the compressed {ext2, cramfs} filesystems from firmware 2.37 like this:
 * 1) dd if=wrv54g_2.03_fw.rmt of=ext2.img.gz bs=1c skip=788041c
 * 2) gunzip ext2.img.gz

> gunzip: layer1.img.gz: decompression OK, trailing garbage ignored
 * 1) dd if=wrv54g_v2.37_US.rmt of=layer1.img.gz bs=1c skip=12258c
 * 2) gunzip layer1.img.gz


 * 1) dd if=layer1.img of=ext2.img.gz bs=1c skip=1740800c
 * 2) dd if=layer1.img of=cramfs.img bs=1c skip=1761280c

> gunzip: ext2.img.gz: decompression OK, trailing garbage ignored
 * 1) gunzip ext2.img.gz

Mount:


 * 1) mount -t ext2 -o loop ext2.img /mnt/ext2

2.1.1. Basic Layout total 32 drwxr-xr-x 13 root root 1024 Aug 29 03:53. drwxr-xr-x 20 root root 4096 Jul 10 15:15 .. drwxr-xr-x 2 root root 2048 Oct 4 01:34 bin drwxr-xr-x 2 root root 4096 Aug 29 03:53 dev drwxr-xr-x 4 root root 1024 Aug 29 03:53 etc -rw-rw-rw- 1 root root 32 Feb 21 2001 fstab drwxr-xr-x 3 root root 1024 Aug 29 03:52 home drwxr-xr-x 3 root root 1024 Aug 29 03:53 lib drwx-- 2 root root 12288 Aug 29 03:53 lost+found drwxr-xr-x 4 root root 1024 Aug 29 03:53 mnt drwxr-xr-x 2 root root 1024 Aug 29 03:53 proc drwxrwxrwx 2 root root 1024 Aug 29 03:53 tmp drwxr-xr-x 3 root root 1024 Aug 29 03:53 usr drwxr-xr-x 6 root root 1024 Aug 29 03:53 var Everything in /bin, /etc, /home, /lib is symbolically linked to /mnt/cramfs/[bin | etc | home | lib]
 * 1) mount -t cramfs -o loop cramfs.img /mnt/cramfs
 * 1) ls -al

2.1.2. OpenRG /usr/local/openrg/armsaeb/armv4b-hardhat-linux/bin# ls -al total 2716 drwxr-xr-x 2 root root 4096 Jul 10 13:02. drwxr-xr-x 20 root root 4096 Jul 10 15:15 .. -rwxr-xr-x 1 root root 2492 Mar 21 2003 arch -rwxr-xr-x 1 root root 581100 Feb 28 2003 bash -rwxr-xr-x 1 root root 13912 Jun 16 17:00 cat -rwxr-xr-x 1 root root 16184 Jun 16 17:00 chgrp -rwxr-xr-x 1 root root 15800 Jun 16 17:00 chmod -rwxr-xr-x 1 root root 18040 Jun 16 17:00 chown -rwxr-xr-x 1 root root 42796 Jun 16 17:00 cp -rwxr-xr-x 1 root root 47656 Jun 22 2002 cpio lrwxrwxrwx 1 root root 21 Jul 10 13:02 csh -> /etc/alternatives/csh -rwxr-xr-x 1 root root 34648 Jun 16 17:00 date -rwxr-xr-x 1 root root 23948 Jun 16 17:00 dd -rwxr-xr-x 1 root root 26380 Jun 16 17:00 df -rwxr-xr-x 1 root root 63596 Jun 16 17:00 dir -rwxr-xr-x 1 root root 3804 Mar 21 2003 dmesg -rwxr-xr-x 1 root root 9732 Feb 8 2003 dnsdomainname -rwxr-xr-x 1 root root 10936 Jun 16 17:00 echo -rwxr-xr-x 1 root root 39544 Apr 2 2003 ed -rwxr-xr-x 1 root root 33 Apr 21 11:02 egrep -rwxr-xr-x 1 root root 8952 Jun 16 17:00 false -rwxr-xr-x 1 root root 33 Apr 21 11:02 fgrep -rwxr-xr-x 1 root root 16920 May 28 19:57 fuser -rwxr-xr-x 1 root root 67948 Apr 21 11:02 grep -rwxr-xr-x 4 root root 49580 Jun 7 11:35 gunzip -rwxr-xr-x 1 root root 4745 Jun 7 11:35 gzexe -rwxr-xr-x 4 root root 49580 Jun 7 11:35 gzip -rwxr-xr-x 1 root root 9732 Feb 8 2003 hostname -rwxr-xr-x 1 root root 11212 Jun 1 18:12 kill -rwxr-xr-x 1 root root 19480 Jun 16 17:00 ln -rwxr-xr-x 1 root root 34584 Mar 7 2003 loadkeys -rwsr-xr-x 1 root root 31480 Apr 26 14:50 login -rwxr-xr-x 1 root root 63596 Jun 16 17:00 ls -rwxr-xr-x 1 root root 35444 Mar 3 2003 lspci -rwxr-xr-x 1 root root 16376 Jun 16 17:00 mkdir -rwxr-xr-x 1 root root 15756 Jun 16 17:00 mknod -rwxr-xr-x 1 root root 4588 Jun 24 21:32 mktemp -rwxr-xr-x 1 root root 26328 Mar 21 2003 more -rwsr-xr-x 1 root root 76792 Mar 21 2003 mount lrwxrwxrwx 1 root root 20 Jul 9 18:59 mt -> /etc/alternatives/mt -rwxr-xr-x 1 root root 14616 Jun 22 2002 mt-gnu -rwxr-xr-x 1 root root 44652 Jun 16 17:00 mv -rwxr-xr-x 1 root root 88684 May 28 16:30 netstat lrwxrwxrwx 1 root root 16 Jul 9 19:31 pidof -> ../sbin/killall5 -rwsr-xr-x 1 root root 15244 Nov 18 2001 ping -rwxr-xr-x 1 root root 56780 Jun 1 18:12 ps -rwxr-xr-x 1 root root 9752 Jun 16 17:00 pwd lrwxrwxrwx 1 root root 4 Jul 9 19:31 rbash -> bash -rwxr-xr-x 1 root root 10360 Jun 16 17:00 readlink -rwxr-xr-x 1 root root 24216 Jun 16 17:00 rm -rwxr-xr-x 1 root root 10648 Jun 16 17:00 rmdir -rwxr-xr-x 1 root root 9940 Jun 24 21:32 run-parts -rwxr-xr-x 1 root root 32792 May 6 19:34 sed -rwxr-xr-x 1 root root 18968 Apr 17 16:50 setserial lrwxrwxrwx 1 root root 4 Jul 9 19:31 sh -> bash -rwxr-xr-x 1 root root 11224 Jun 16 17:00 sleep -rwxr-xr-x 1 root root 32728 Jun 16 17:00 stty -rwsr-xr-x 1 root root 22904 Apr 26 14:50 su -rwxr-xr-x 1 root root 9752 Jun 16 17:00 sync -rwxr-xr-x 1 root root 128744 Oct 29 2002 tar -rwxr-xr-x 1 root root 273964 May 24 14:32 tcsh -rwxr-xr-x 1 root root 5564 Jun 24 21:33 tempfile -rwxr-xr-x 1 root root 24344 Jun 16 17:00 touch -rwxr-xr-x 1 root root 8920 Jun 16 17:00 true -rwsr-xr-x 1 root root 39928 Mar 21 2003 umount -rwxr-xr-x 1 root root 10424 Jun 16 17:00 uname -rwxr-xr-x 4 root root 49580 Jun 7 11:35 uncompress -rwxr-xr-x 1 root root 63596 Jun 16 17:00 vdir -rwxr-xr-x 4 root root 49580 Jun 7 11:35 zcat -rwxr-xr-x 2 root root 1974 Jun 7 11:35 zcmp -rwxr-xr-x 2 root root 1974 Jun 7 11:35 zdiff -rwxr-xr-x 3 root root 2944 Jun 7 11:35 zegrep -rwxr-xr-x 3 root root 2944 Jun 7 11:35 zfgrep -rwxr-xr-x 1 root root 1525 Jun 7 11:35 zforce -rwxr-xr-x 3 root root 2944 Jun 7 11:35 zgrep -rwxr-xr-x 1 root root 103 Jun 7 11:35 zless -rwxr-xr-x 1 root root 1885 Jun 7 11:35 zmore -rwxr-xr-x 1 root root 3518 Jun 7 11:35 znew 2.2. Wireless Driver Again, from static firmware analysis, it appears that the WRV54G uses an Intersil Prism 802.11G driver. I could not find it in the sources, but it definitely is GPL'd, and from looking at the strings, part of the PrismGT/Duette/Indigo chipset Linux drivers, which are GPL'd. Project [WWW] page.

3. Useful Links Intel [WWW] IXP4xx Software Page--Contains the Intel Software Library. Intel [WWW] IXP425 Product Page. SourceForge [WWW] IXP4xx Linux Page Linksys [WWW] wrv54g-v203.tar.bz2 Toolchain & GPL Source Code. Original ARM-Linux [WWW] post about the IXP4xx Ethernet Code. praise the LORD, now that we have our own Yahoo group: [WWW] wrv54g 4. License Issues NOTE: The Ethernet driver for the IXP425 relies on a library that is NOT GPL. It relies on the Intel Access Software Library (see useful links above). Part of the licensing of the software library is that none of the code is to make it into GPL or LGPL. The IXP4xx CPU uses "Network Processing Engines" to handle the networking, and these co-processors are talked to via the library. Thus, be careful how you use the Intel library - it forbids you from making the code subject to the GPL and LGPL.

That said, csr.o is the library (a binary module). the ixp425_eth.o is a driver that uses that library. These are built with the kernel patches (see below).

5. Environment Setup Linksys has graciously given us the ARM-Linux Big-endian toolchain in their build. Thus at the very least, you'll need their source code release (see above for it). If you wish to have the Ethernet driver, you'll need to obtain from Intel:

Intel Hardware Access Software Linux Device Driver and Kernel Patches None of the Intel code is GPL'd, beware! And the access library cannot be placed into GPL. However, Intel makes it available to practically anyone if you register, so for the time being, this is what needs to be done. From available documentation, there does not seem to be sufficient information on how to use the NPEs by themselves in order to write a truly free driver.

6. Firmware File Format Here's what the firmware appears to be (based on 2.03):

Size of image - 4,837,745 bytes (0x49D171) Header size - 113 Bytes (0x71)

Offset 0x00-0x03 (4 Bytes) - Length of data section (0x0049D100). Offset 0x04-0x23 (0x20 Bytes) - Unknown. Offset 0x24-0x70 (0x4D Bytes) - Plain text: "start section\n" "rg_hw: GTWX5715\n" "dist: GTWX5715\n" "version: 20524\n" "Linksys: WRV54G\n" "\0" Offset 0x00071-0xB7100. - zImage (gzipped vmlinux with self-extractor) and initrd concatenated at end. Offset 0xB7101-0xC0550. - Airgap (Zeros). Offset 788041 -EOF (4,049,704 Bytes). - an ext2 file system compressed by gzip. Here's what the firmware appears to be (based on 2.37):

Size of image - 5,294,042 bytes

Offset 12258 -EOF. - an ext2 file system compressed by gzip. 6.1. Replacing the Root Filesystem Short of a complete kernel recompile and initrd build, one can imagine the desire to replace only bits and pieces of the filesystem. Since the kernel and initrd are in one bundle, it's necessary to break them apart, then reassemble the pieces. First, generate and mount rd.img as described above, and move the files around as you wish. Then unmount the image, and recompress:

Now, attach this rd.img to the old .rmt file
 * 1) gzip --best rd.img

It turns out that the ".rmt" file header has more checksums length info which make it hard to modify cleanly using "rmt_upd". Also, on my system, it appears not to even like the stock ".rmt" file. So, we remove the rmt header and load the firmware another way:
 * 1) dd if=wrv54g_2.03_fw.rmt of=hdr.raw bs=1c count=788041c
 * 2) cat hdr.raw rd.img.gz > wrv54g_2.03_mod_fw.rmt

One last step before we load. The kernel/initrd pair also contains length info for the ramdisk, which ends up being passed to the kernel as a length parameter for the gzip compression. If you rd.img.gz is larger than the original, you'll need to make this parameter larger. The old length is 4049704 (0x3dcb28). This parameter is repeated 3 times in the .raw file, between offsets 0xc0564-0xc05d8 (the start of the compressed image). For the curious, this is my breakdown of the .raw file:
 * 1) dd if=wrv54g_2.03_mod_fw.rmt of=wrv54g_2.03_mod_fw.raw bs=113 skip=1

0x00000: Kernel decompressor 0x02f68: Start of compressed code 0xb6fd4: End of compressed code/start of uncompressed text segment 0xb7090: Zeroes (air gap) 0xc04e0: Start of another block of ARM code (seems to be called by        kernel decompressor (this is probably ramdisk.o) 0xc0564: Kernel setup parameters (see arch/arm/kernel/setup.c,         include/asm-arm/setup.h). This contains refs to the         length of the compressed initrd 0xc0584: Parameters end, code continues. Includes default values         for initd_start and initrd_size 0xc05d8: Initird starts. At this point, you should be able to toss this up on an http or tftp server the wrv54g can see, and use "load -u -s 2" at the OpenRG prompt to replace the kernel/ramdisk pair. This step is a lot scarier if you don't know that you can back out of it! I'd suggest that you have already created a backup of the raw contents of the flash in section 2 (0x00140000-0x006C0000), and have a serial port connection sitting at the ready. If the boot fails, you can back out by hitting ESC as the first kernel (in section 1) loads, attach your tftp/http server to the WAN port (it expects to be 192.168.2.1) and "load -u  -r 0x140000"

6.2. Environment Setup 2 NOTE: These instructions are incomplete. The kernel will NOT link properly. There is an oddity in that the as-shipped source builds IPSec into the kernel, but the IPSec code requires the Intel library, which cannot be linked in. (GPL *and* Intel License violation?).

You will need the wrv54g source code, the Intel Access Library (ixp425AccessLibrary.zip) and the Intel Kernel Patches (ixp425LinuxDriversPatch*) to begin. Correction: You might need the access library with crypto. Correction 2: You will most likely need the crypto version. It also appears that the system was built using an older version of the code (1.2?), so changes are needed to get 1.3 working.

Unpack the wrv source code - there will be a 400MB tar file, the toolchain, and some littld other files extracted as well. (It creates the gpl_code_2.03/ directory).

Untar the toolchain.tgz file to /. It'll create /usr/local/openrg/ directory. You'll need to add /usr/local/openrg/armsaeb/bin and /usr/local/openrg/bin to your PATH. The compiler prefix is armv4b-hardhat-linux- (unlike the regular "arm-linux-" when dealing with other ARM-Linux based platforms).

Go back to where un you untarred the source code distirbution. Make a directory to hold the code, and untar it there - there are a few scripts and commands and files that will be created if you untar it in place. A few scripts will be placed in the root directory, as well as the kernel (under OS) and the few bits of GPL'd code (under pkg).

Unpack the Intel code - both the library and the patches. You will need to patch the Linux kernel in order to build the drivers and the access library modules. Go into the os/linux-2.4 directory, and run both patches (patch -p1 < /path/to/intel/ixp425MemoryMap.patch and patch -p1 < /path/to/intel/ixp425LinuxDrivers.patch). It will complain that there is a missing file (arch/arm/def-configs/ixpd425) - skip patching this file.

Now go into the ixp425_xscale_sw/buildUtils directory and edit the environment.linux.sh file. Edit LINUX_SRC to point to the os/linux-2.4 directory. Comment out the PATH line, and edit the IX_XSCALE_SW directory to point to the ixp425_xscale_sw directory (note - the release notes say it should be one directory up. This is wrong. The IX_XSCALE_SW must have "ixp425_xscale_sw" in it!). Source the file to set LINUX_SRC and IX_XSCALE_SW.

Copy the files in ixp425_xscale_sw/include and ixp425_xscale_sw/linux to the Linksys code vendor/intel/ixp425/csr/include and vendor/intel/ixp425/csr/linux directories. I've also had to edit linux/net/ipsec/ipsec_encap.h and ipsec_ipe4.h and include linux/in.h in order to get it to compile. They worked hard at making life difficult!

At this point, try run compile.sh and see if you can build without errors.

7. C.J.'s observations I've changed the Wrv54g's IP address to 192.168.1.2 so as not to stomp all over the Wrt54g.

$ telnet 192.168.1.2 Trying 192.168.1.2... Connected to 192.168.1.2. Escape character is '^]'. Username: admin Password: ***** <-- yes, that's "admin" OpenRG> help exit: Exit from the current cli die: exit from maintask ps: Print main-task tasks rg_conf_print: rg_conf_print - Print OpenRG configuration starting from - use / for the whole configuration rg_conf_set: rg_conf_set - Set rg_conf path to a value rg_conf_set_obscure: rg_conf_set_obscure - Set rg_conf path to an obscured value rg_conf_del: rg_conf_del - Del subtree path from rg_conf reconf: reconf  - Reconfigure the system according to the current rg_conf entity_close: entity_close - Close an entity host: host - Resolve host by name rgpf_config: rgpf_config [f|c|a] - Flush/Clean/Activate Firewall & NAT rgpf_info: rgpf_info - Display Firewall & NAT information flash_commit: Save configuration to flash restore_default: restore_defaults [-d] - Restore default configuration (use -d to avoid rebooting after) reboot: Reboot the system log_lev_on: log_lev_on - redirect rg_error output from severity equal or higher to to the current cli log_lev_off: Stop rg_error redirection to the current cli exec: exec - Execute path rmt_upd: Remotely upgrade the box rmt_upd_wget_close: rmt_upd_wget_close - Kill a remote upgrade processrg_ifconfig: rg_ifconfig  cat: Print file contents on console shell: Spawn busybox shell in foreground cat_log: cat_log [fw|varlog] | e[#buf_num] bridge_info: Prints bridge information flash_layout: Prints the flash layout and content flash_erase: flash_erase [-d] - erases a given section in the flashflash_dump: flash_dump [-s | -r ] [-l ] [-1|2|4] - dumps the flash content bset: Configure bootloader ifconfig: Configure network interface ping: Test network connectivity boot: boot -g {-s | -r } - Boot the system (-g boot with kgdb) load: load -u {-s | -r } - Load and burn image help: Print this menu 8021x_open: 8021x_open  - Open device 8021x_close: 8021x_close - Close last 802.1x device 8021x_status: 8021x_status  - Print 802.1x device status 8021x_set_mode: 8021x_set_mode   - Change operating mode of device 8021x_mac_auth: 8021x_mac_auth    - Add or remove authorization for a device (op==1->add, 0->remove) vlan_add: Add VLAN interface Returned 0 OpenRG> shell Returned 0 OpenRG> Busybox v0.50 (2003.08.12-11:17+0000) Built-in shell (lash) Enter 'help' for a list of built-in commands. / # ls bin fstab lost+found snmpd.conf var dev home mnt tmp etc lib proc usr / # exit OpenRG> flash_layout Flash layout: Section 00 Type BOOT Range 0x00000000-0x0013F000 MaxSize 0x0013F000 No more information. Section 01 Type FACTORY Range 0x0013F000-0x00140000 MaxSize 0x00000F6C Size 0x00000204 Name 'rg_factory' Checksum 0x00008FDF Counter 0x000000E2 Start Offset 0x00000000 Section 02 Type IMAGE Range 0x00140000-0x006C0000 MaxSize 0x0057FF6C Size 0x0049D100 Name 'Downloaded at: Wed Jan 1 00:01:24 2003' Checksum 0x26B2773B Counter 0x000000D8 Start Offset 0x00000000 Section 03 Type FLASH_SECT_BOOTCONF Range 0x006C0000-0x006E0000 MaxSize 0x0001FF6C Size 0x00000304 Name 'rg_conf' Checksum 0x00017EF1 Counter 0x00000096 Start Offset 0x00000000 Section 04 Type Unknown section type Range 0x006E0000-0x00700000 MaxSize 0x0001FF6C Size 0x00000070 Name 'vendor_log' Checksum 0x00003E34 Counter 0x00000000 Start Offset 0x00000000 Section 05 Type FLASH_SECT_CONF Range 0x00700000-0x00780000 MaxSize 0x0007FF6C Size 0x00001FEB Name 'rg_conf' Checksum 0x00104274 Counter 0x000000E7 Start Offset 0x00000000 Section 06 Type FLASH_SECT_CONF Range 0x00780000-0x00800000 MaxSize 0x0007FF6C Size 0x00001FFA Name 'rg_conf' Checksum 0x00103E32 Counter 0x000000E8 Start Offset 0x00000000 Total 7 sections found. Returned 0 OpenRG>

Damn.

8. Hardware Info CPU: Intel IXP425 (unknown MHz). It is a real IXP425, and not a IXP422 (IXP425 sans ADSL components) as previously thought. Update: CPU part number is FWIXP425AB, which appears to imply it's a 266MHz IXP425 A0 stepping chip. Flash: 8MB (64Mbit) Intel StrataFlash (J3?) Update: Intel Strataflash E28F640J3A120 chip. RAM: 32MB (128Mbit x2), PC133 (6ns)

Antenna Jack is RP-SMA

Differences Between production WRV54G and FCC Pictures:

Mini PCI type III connector is missing, solderpads visible though. A surface-mount type III miniPCI connector is required. Mini PCI WiFi card is soldered to the Mini PCI connector for grounding purposes. Card cannot be removed until the leg is desoldered. two 20-pin headers beside LEDs unpopulated All other unpopulated headers are missing Aux UFL connector on the Prism wireless card is missing. Antenna diversity can not work until this connector is reattached. There are four raised feet on the "bottom", and four rubber covers on the "top" (the large flat sides with "Linksys" on them). The 4 screws used to keep it shut are located under the 4 rubber covers on the top. Disassembly and internal pics to follow shortly.

JTAG appears to be J2, standard 20-pin ARM layout. Update: Confirmed. This is a JTAG header. Serial appears to be on J10, a 9 pin header. This is not a standard layout - pin 1 appears to be data from WRV to PC.

8.1. JTAG J2 is definitely JTAG. It is using the 20-pin standard ARM JTAG pin layout. Pin 1 on this header is on the edge of the board, closest to the LED.

Pinout: (from Intel)

c[] LED5 +3.3V -- 1o o2 -- nc      nTRST -- 3o o4 -- GND TDI -- 5o o6 -- GND TMS -- 7o o8 -- GND TCK -- 9o o10 - GND GND - 11o o12 - GND TDO - 13o o14 - GND nRESET - 15o o16 - GND nc - 17o o18 - GND nc - 19o o20 - GND Using the OpenWinCE JTAG application, you can connect it to a wiggler cable and boundary-scan in data to the flash. You will have to modify the PARTS file (/usr/local/share/jtag/intel/PARTS) to include the following line so that jtag can get the right CPU code:

1001001001110111 ixp425 IXP425 Thux, PARTS file looks like: /usr/local/share/jtag/intel/PARTS


 * 1) $Id: PARTS,v 1.3 2003/02/13 22:54:38 telka Exp $
 * 2) Copyright (C) 2002 ETC s.r.o.
 * 3) This program is free software; you can redistribute it and/or
 * 4) modify it under the terms of the GNU General Public License
 * 5) as published by the Free Software Foundation; either version 2
 * 6) of the License, or (at your option) any later version.
 * 7) This program is distributed in the hope that it will be useful,
 * 8) but WITHOUT ANY WARRANTY; without even the implied warranty of
 * 9) MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * 10) GNU General Public License for more details.
 * 11) You should have received a copy of the GNU General Public License
 * 12) along with this program; if not, write to the Free Software
 * 13) Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 14) 02111-1307, USA.
 * 15) Written by Marcel Telka , 2002.
 * 16) Documentation:
 * 17) [1] Intel Corporation, "Intel StrongARM SA-1110 Microprocessor
 * 18) Developer's Manual", October 2001, Order Number: 278240-004
 * 19) [2] Intel Corporation, "Intel XScale Microarchitecture for the PXA250
 * 20) and PXA210 Applications Processors User's Manual", February 2002,
 * 21) Order Number: 278525-001
 * 1) Documentation:
 * 2) [1] Intel Corporation, "Intel StrongARM SA-1110 Microprocessor
 * 3) Developer's Manual", October 2001, Order Number: 278240-004
 * 4) [2] Intel Corporation, "Intel XScale Microarchitecture for the PXA250
 * 5) and PXA210 Applications Processors User's Manual", February 2002,
 * 6) Order Number: 278525-001

1001001001100001 sa1110 SA1110 # see 16.6.2 in [1] 1001001001100100 pxa250 PXA250 # see 9.4.3 in [2] 1001001001101100 pxa210 PXA210 # see 9.4.3 in [2] 1001001001110100 ixp425 IXP425 # see IXP425 bdsl file from the devel CD 1001001001110111 ixp425 IXP425 If you are using jtag, you'll need to use the cable command first (I have both a Macraigor Wiggler and an Intel JTAG (which works using the EA253 driver). Then you'll need to issue the detect command to scan the bus to find the CPU. YOu can continue with the instruction SAMPLE/PRELOAD, shift lr, shift dr, and dr commands as per the documentation. Or you can just do detectflash to make sure everything is working properly. You might want to issue endian big to switch it to big endian format, since that's what mode the IXP425 runs in. You can use the readmem command to dump the flash.
 * 1) bits 27-12 of the Device Identification Register

8.2. Serial Port Notes JerrittCollord found the following:

Serial Port Pinout

On the WRV-54G board, the 9 pins look like: - (ttyS1 tx) 1 | 0 o | 2 +3.3V 3 | o o | 4 +3.3V 5 | o o | 6 GND (ttyS1 rx) 7 | o o | 8 GND 9 | o  | - (I've renumbered the pins to the standard pin convention for these connectors)

Using a Radio Shack "FutureDial" USB Mobile Phone Data Cable ("Exclusively for SnapSync, SnapDialer & SnapMedia Software -- Software Sold Separately")

for Nokia 3285 and 5185 phones. Note 18 March 2005 - This part has been discontinued and Radio Shack is selling it on clear sale for $9.95. Other, similar Radio Shack models may work but compatibility is not assured. Snip the Nokia connector off. Brown is ground. Wire Red to pin 1, Orange to pin 4.

Using the Digital Nemesis RLC-1 Converter:

I added the power rails to the diagram above since they are needed for the RLC-1 level converter devices from Digital Nemesis--[WWW] catalogue--the connections between the RLC-1 and the WRV54G are as follows (using the pin numbers from the diagram above):

RLC-1 Pin  |  WRV54G Pin - 1 (white) |     2  (or 4) 2 (black) |     6  (or 8) 3 (orange) |    1 4 (green) |     7 5 (brown) |    N/C 6 (blue)  |    N/C 8.3. Take-Apart Notes For the purposes of this section, the "top" of the WRV54G is the side that is on the top should the WRV be laid down flat, rather than standing vertically. I.e., the bottom is where the four feet of the WRV is.

On the top, there are 4 rubber pads (which are in the same locations as the 4 rubber feet below), flush with the surface. Pop off each pad using a dull knife blade. Underneath each pad are 4 philips screws. Unscrew them all and remove. The top is now off the WRV.

The bottom is held onto the top by the screws, but the bottom also holds the circuit board in place. Pop the 4 tabs holding the bottom to the circuit board, Now remove the bottom cover slowly and straight out. The middle dark grey section and the circuit board stay together, while the bottom piece is removed as a whole.

Now you're left with the center case, and the circuit board. Simply unplug the antenna cable from the WiFi card, and remove the board.

You'll need to clear up the holes for the JTAG and serial (J10), as well as desolder the soldered grounding side clip of the WiFi board.

8.4. /proc Stuff Here's stuff in /proc

/proc/cpuinfo

Processor : Intel XScale-IXP425 rev 0 (v5b) BogoMIPS : 266.24 Features : swp half thumb fastmult edsp

Hardware : Gemtek IXP425 WX5715 Revision : 0000 Serial : 0000000000000000 /proc/mtd

dev: size erasesize name mtd0: 00800000 00020000 "openrg" /proc/meminfo

total: used: free: shared: buffers: cached: Mem: 31490048 25436160 6053888 0 266240 18980864 Swap: 0 0 0 MemTotal: 30752 kB MemFree: 5912 kB MemShared: 0 kB Buffers: 260 kB Cached: 18536 kB SwapCached: 0 kB Active: 1392 kB Inactive: 18972 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 30752 kB LowFree: 5912 kB SwapTotal: 0 kB SwapFree: 0 kB /proc/modules

hwdmz_conf 7560 0 (unused) krgldr_module 776 0 (unused) rg_ipv4 716 0 (unused) btn 2100 1 [hwdmz_conf] rg_auth1x_pktfil 5420 0 (unused) rg_dhcp_pktfil 3364 0 (unused) rg_bridge 23468 1 ipfilter 97472 0 (unused) log_chardev 5332 0 [ipfilter] igmp_proxy_mod 5964 0 ixp425_eth_mod 8536 2 ixp425_csr_init_mod 1708 0 [ixp425_eth_mod] csr 612040 0 [ixp425_eth_mod ixp425_csr_init_mod] bsd_comp 4240 0 (unused) ppp_deflate 44704 0 (unused) hwdmz 2968 0 [hwdmz_conf] ixp425_flash_mod 1272 1 kos_lib 14024 9 [rg_ipv4 btn rg_auth1x_pktfil rg_dhcp_pktfil rg _bridge ipfilter log_chardev igmp_proxy_mod] /proc/kmsg

<4>Linux version 2.4.19openrg-rmk6-ds1 (root@guava54-Desktop) (gcc version 2.95. 3 20010315 (release/MontaVista)) #68 Fri Aug 29 16:53:28 CST 2003 <4>CPU: Intel XScale-IXP425 revision 0 <4>Machine: Gemtek IXP425 WX5715 <4>Security risk: creating user accessible mapping for 0xc8000000 at 0xff000000 <4>Security risk: creating user accessible mapping for 0xc0000000 at 0xff00c000 <4>Security risk: creating user accessible mapping for 0xc4000000 at 0xff00d000 <4>On node 0 totalpages: 8192 <4>zone(0): 8192 pages. <4>zone(1): 0 pages. <4>zone(2): 0 pages. <4>Kernel command line: console=ttyS1,115200 root=/dev/ram0 rw nohalt <7>Relocating machine vectors to 0xffff0000 <4>Using IXP425 Timer 0 as timer source <4>Calibrating delay loop... 266.24 BogoMIPS <6>Memory: 32MB = 32MB total <5>Memory: 26580KB available (1361K code, 264K data, 216K init) <6>XScale Cache/TLB Locking Copyright(c) 2001 MontaVista Software, Inc. <6>Dentry cache hash table entries: 4096 (order: 3, 32768 bytes) <6>Inode cache hash table entries: 2048 (order: 2, 16384 bytes) <4>Mount-cache hash table entries: 512 (order: 0, 4096 bytes) <4>Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes) <4>Page-cache hash table entries: 8192 (order: 3, 32768 bytes) <4>POSIX conformance testing by UNIFIX <4>PCI Autoconfig: Found Bus 0, Device 1, Function 0 <4>PCI Autoconfig: BAR 0, Mem, size=0x2000, address=0x4bffe000 <6>PCI: bus0: Fast back to back transfers enabled <6>Linux NET4.0 for Linux 2.4 <6>Based upon Swansea University Computer Society NET3.039 <4>Initializing RT netlink socket <4>Starting kswapd <4> <4>Random: 0x2e7bd75d <4>pty: 256 Unix98 ptys configured <6>Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled <6>ttyS00 at 0xff000003 (irq = 15) is a IXP425 UART <6>ttyS01 at 0xff001003 (irq = 13) is a IXP425 UART <4>RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize <6>loop: loaded (max 8 devices) <6>PPP generic driver version 2.4.2 <6>NET4: Linux TCP/IP 1.0 for NET4.0 <6>IP Protocols: ICMP, UDP, TCP, IGMP <6>IP: routing cache hash table of 512 buckets, 4Kbytes <6>TCP: Hash tables configured (established 2048 bind 2048) <6>klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.99 <6>NET4: Unix domain sockets 1.0/SMP for Linux NET4.0. <6>IPv6 v0.8 for NET4.0 <6>IPv6 over IPv4 tunneling driver <1>802.1Q VLAN Support v1.7 Ben Greear  <1>All bugs added by David S. Miller  <4>NetWinder Floating Point Emulator V0.95 (c) 1998-1999 Rebel.com <6>PPP MPPE compression module registered <5>RAMDISK: Compressed image found at block 0 <6>Freeing initrd memory: 3954K <4>VFS: Mounted root (ext2 filesystem). <6>Freeing init memory: 216K <7>0: offset=0x0,size=0x20000,blocks=64 <4>Using buffer write method <4>Using predefined MTD partitions. <5>Creating 1 MTD partitions on "ixp425 Flash": <5>0x00000000-0x00800000 : "openrg" <6>PPP Deflate Compression module registered <6>PPP BSD Compression module registered <4>Intel CSR module init. <4>Intel CSR QMGR & NPE(s) init done. <4>Initializing ixp425_eth driver 0.0.8 <4>PHY 0 MAC address is: 04:04:04:04:04:04 <4>PHY 1 MAC address is: 06:06:06:06:06:06 <4>IPV4 device driver registered <4>IP Filter: initialized. Default = block all <4>PHY 1 MAC address is: 00:0c:41:8f:87:2b <4>PHY 0 MAC address is: 00:0c:41:8f:87:2a <4>ixp0: Entering promiscuous mode <6>device ixp0 entered promiscuous mode <4>STP: ixp0 enters blocking mode <7>ixp0: no IPv6 routers present <7>ixp1: no IPv6 routers present <7>br0: no IPv6 routers present <4>STP: ixp0 exits blocking mode /proc/net/dev (Note: eth0 is wireless and isn't shown as I've disabled wireless. Too many APs ATM...)

Inter-| Receive | Transmit face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed lo: 5253 62 0 0 0 0 0 0 5253 62 0 0 0 0 0 0 sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ixp0: 66066 780 0 0 0 0 0 0 681344 1067 0 0 0 0 0 0 ixp1: 0 0 0 0 0 0 0 0 11628 34 0 0 0 0 0 0 ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 br0: 73193 831 0 0 0 0 0 310 677947 1067 0 0 0 0 0 0 /proc/pci

PCI devices found: Bus 0, device 0, function 0: Co-processor: PCI device 8086:8500 (Intel Corp.) (rev 0). Prefetchable 32 bit memory at 0x0 [0xffffff]. Prefetchable 32 bit memory at 0x1000000 [0x1ffffff]. Prefetchable 32 bit memory at 0x2000000 [0x2ffffff]. Prefetchable 32 bit memory at 0x3000000 [0x3ffffff]. Prefetchable 32 bit memory at 0xff000000 [0xffffffff]. I/O at 0x0 [0xff]. Bus 0, device 1, function 0: Network controller: PCI device 1260:3890 (Harris Semiconductor) (rev 1). IRQ 28. Master Capable. Latency=128. Min Gnt=10.Max Lat=28. Non-prefetchable 32 bit memory at 0x4bffe000 [0x4bffffff]. 8.5. GPIO Information Here's a preliminary idea of the GPIO assignments for the unit:

0 - Power LED (a) 1 - ???  2 - Power LED (b) 3 - Factory reset button 4 - DMZ LED 5 - SPIS_N 6 - SPID 7 - SPIC 8 -  9 -  10 - PCI INTB 11 - PCI INTA 12 - SPIQ 13 - PCI reset 14 - PCI clock 15 - IXP expansion bus clock The SPI bus is connected to the Kendin KS8995M switch chip, which is the managed version and needs to be controlled via SPI. It also needs to be enabled before it can be used over this bus. The hwdmz.o module in the OpenRG release appears to be responsible for starting the switch; hwdmz_conf.o does more advanced things with it (presumably setting up the switch to enable the H/W DMZ feature that the box has as an option).

9. Firmware 9.1. RG Bootloader The OpenRG bootloader is another Linux kernel it appears, which boots into a restricted version of OpenRG that does a few things. To extract the bootloader, you'll need to get a copy of the flash contents (via JTAG or using flash_dump command.

The kernel is located at offset 12516 in the image:

dd if=wrv.bin of=rgkernel.gz bs=12516 skip=1 gzip -d rgkernel.gz The filesystem appears to be located at offset 597048 in the image"

dd if=wrv.bin of=rd.img.gz bs=597048 skip=1 gzip -d rd.img.gz Filesystem Contents (the other directories (/bin, /etc, etc) are either empty, or just contain symlinks to the files found here):

/

total 29 drwxrwxr-x 2 root root 1024 Aug 6 21:20 bin drwxrwxr-x 2 root root 4096 Aug 6 21:20 dev drwxrwxr-x 2 root root 1024 Aug 6 21:20 etc -rw-rw-r-- 1 root root 32 Feb 21 2001 fstab drwxrwxr-x 3 root root 1024 Aug 6 21:20 lib drwx-- 2 root root 12288 Aug 6 21:20 lost+found drwxrwxr-x 4 root root 1024 Aug 6 21:20 mnt drwxrwxr-x 2 root root 1024 Aug 6 21:20 proc drwxrwxrwx 2 root root 1024 Aug 6 21:20 tmp drwxrwxr-x 6 root root 1024 Aug 6 21:20 var /fstab

none /proc proc defaults 0 0 /mnt/cramfs/bin

total 362 drwxrwxr-x 2 root root 1024 Aug 6 21:20. drwxrwxr-x 5 root root 1024 Aug 6 21:20 .. -rwxr-xr-x 1 root root 60368 Aug 6 21:20 busybox -rwxrwxr-x 1 root root 3156 Aug 6 21:20 init -rwxrwxr-x 1 root root 299656 Aug 6 21:20 main_task /mnt/cramfs/etc

total 30 drwxrwxr-x 2 root root 1024 Aug 6 21:20. drwxrwxr-x 5 root root 1024 Aug 6 21:20 .. -rw-rw-r-- 1 root root 8 Feb 21 2001 hhl-arch -rw-rw-r-- 1 root root 3025 May 14 2001 inetd.conf -rw-rw-r-- 1 root root 158 Mar 15 2001 modules.conf -rw-rw-r-- 1 root root 1050 Feb 21 2001 nsswitch.conf -rw-rw-r-- 1 root root 1186 Feb 21 2001 protocols -rw-rw-r-- 1 root root 21 May 22 2002 resolv.conf -rw-rw-r-- 1 root root 1595 Feb 21 2001 rpc -rw-rw-r-- 1 root root 11191 May 14 2001 services -rw-rw-r-- 1 root root 4404 Apr 12 2001 termcap /mnt/cramfs/lib

total 3 drwxrwxr-x 3 root root 1024 Aug 6 21:20. drwxrwxr-x 5 root root 1024 Aug 6 21:20 .. drwxrwxr-x 2 root root 1024 Aug 6 21:20 modules /mnt/cramfs/lib/modules

total 321 drwxrwxr-x 2 root root 1024 Aug 6 21:20. drwxrwxr-x 3 root root 1024 Aug 6 21:20 .. -rw-rw-r-- 1 root root 263364 Aug 6 21:20 csr.o -rw-rw-r-- 1 root root 3268 Aug 6 21:20 ixp425_csr_init_mod.o -rw-rw-r-- 1 root root 13308 Aug 6 21:20 ixp425_eth_mod.o -rw-rw-r-- 1 root root 2752 Aug 6 21:20 ixp425_flash_mod.o -rw-rw-r-- 1 root root 33884 Aug 6 21:20 kos_lib.o -rw-rw-r-- 1 root root 1804 Aug 6 21:20 krgldr_module.o -rw-rw-r-- 1 root root 1788 Aug 6 21:20 rg_ipv4.o Bare minimum filesystem. There's not even a shell!

Interesting boot script in the bootloader's main_task executable:

(rg_conf (dev (ixp0     (enabled(1))      (type(1))      (logical_network(2))      (route_level(1))      (metric(50))      (mtu(1500))      (is_auto_mtu(1))      (is_trusted(1))      (is_sync(1))      (has_ip(1))      (is_support_promisc(1))      (static (ip(192.168.1.1)) (netmask(255.255.255.0)) )     (description(LAN Ethernet))    ) (ixp1     (enabled(1))      (type(1))      (logical_network(2))      (route_level(1))      (metric(50))      (mtu(1500))      (is_auto_mtu(1))      (is_trusted(1))      (is_sync(1))      (has_ip(1))      (is_support_promisc(1))      (static (ip(192.168.2.1)) (netmask(255.255.255.0)) )     (description(LAN Ethernet 2))    ) ) (admin (user     (0 (username(admin)) (password(&b7;X&5c;&b9;&a2;)) (full_name(Administrator)) (email) (permissions         (mgt(1))          (fs_read(1))          (fs_write(1))        ) (notify_level         (0(15))          (1(15))        ) )   )    (tz_name(Greenwich Mean Time)) (tz_offset(0)) (daylight_saving     (enabled(0))      (from(28&3b;2))      (to(28&3b;9))    ) ) (system (version(20404)) (hostname(openrg)) (release(Aug 7 2003)) (mac_cur(08:e8:da:0f:de:7e)) (distribution(DIST=RGLOADER_GTWX5715)) ) (bootloader (autoboot(1)) (timeout(3)) (url(tftp://192.168.1.10/openrg.img)) ) ) And:

(rg_conf (dev (ixp0     (enabled(1))      (type(1))      (logical_network(2))      (route_level(1))      (metric(50))      (is_trusted(1))      (is_sync(1))      (has_ip(1))      (static (ip(192.168.1.1)) (netmask(255.255.255.0)) )   )    (ixp1      (enabled(1))      (type(1))      (logical_network(2))      (route_level(1))      (metric(50))      (is_trusted(1))      (is_sync(1))      (has_ip(1))      (static (ip(192.168.2.1)) (netmask(255.255.255.0)) )   )  ) ) 9.2. Firmware 2.10 notes The telnet server is now disabled - no checkbox to enable it either.

A configuration file can now be saved/reloaded - it's plaintext, we should be able to tweak it (maybe re-enable telnet?)

WPA support is included, untested as of yet.

SNMP still doesn't work as far as I can tell.

No telnet obviously means no shell, so we either have to hack this firmware image, re-enable it via a config file tweak or exploit the HTTP server in some way.

nmap TCP scan output from internal LAN:

Port State Service 80/tcp open http 443/tcp open https 2555/tcp open unknown 8080/tcp open http-proxy 8443/tcp open unknown Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20 Uptime 0.168 days (since Mon Dec 22 19:37:10 2003) TCP Sequence Prediction: Class=random positive increments Difficulty=3606371 (Good luck!) IPID Sequence Generation: All zeros TCP port 2555 appears to be the UPnP HTTP server. The other ports are all the GUI.

adam at rift dot com

9.3. Linux 2.6.13 kernel + jffs2 + 2 miniPCI slot working More at phj.hu, [WWW] wrv54g.

Category:AccessPointHardware

last edited 2006-07-12 09:15:09 by 134