OpenWrt Forum Archive

Topic: NetGear WGT634U

The content of this topic has been archived between 2 Sep 2015 and 4 May 2018. Unfortunately there are posts – most likely complete pages – missing.

This little box runs Linux, too :)

kaloz@arrakis:~/downloads$ file wgt634u-1.1.0.6.img
wgt634u-1.1.0.6.img: ELF 32-bit LSB MIPS-I executable, MIPS, version 1 (SYSV), statically linked, stripped

kaloz@arrakis:~/downloads$ hexdump -C wgt634u-1.1.0.6.img |grep Linux
00006860  6d 70 72 65 73 73 69 6e  67 20 4c 69 6e 75 78 2e  |mpressing Linux.|

kaloz@arrakis:~/downloads$ hexdump -C wgt634u-1.1.0.6.img |grep samba
0031f600  bd 02 4c 92 73 61 6d 62  61 2e 6c 72 70 ff ff ff  |..L.samba.lrp...|

FCC stuff:
https://gullfoss2.fcc.gov/prod/oet/cf/e … 634U'

What does WGT634U do? Is it a DSL router?

http://www.netgear.com/products/prod_details.php?prodID=242

It is a wireless router/firewall with a usb port for interfacing with a HDD or memory stick. It is a pretty cool little unit. With custom firmware this guy could do just about anything you could want out of an AP.

Does anyone know if it has serial port connectors inside like the Linksys WRT54G series?

Anyone seen any source code for it yet?

-- Rod

I've seen a site that mentions you can also run the Linksys firmware/packages on the 634... I have a 624, but haven't tried to see if it will work for it as well.

What's the URL of that site?

I'll hopefully be getting a WGT634U next week and have already started tinkering with the Firmware images on the Netgear Site.

Kernel starts at 0x00000000 and a JFFS2 Filesystem at 0x00140000 with the following contents:

On the first look, I guess they use Linux Router Project stuff here.

[mike@junkyard mike]$ ./jffs2/mtd/util/jffs2dump -c wgt634u-1.0.0.11.rootfs |grep Dirent
         Dirent     node at 0x00000000, totlen 0x0000002f, #pino     1, version     0, #ino         2, nsize        7, name boa.lrp
         Dirent     node at 0x0000af04, totlen 0x00000032, #pino     1, version     1, #ino         3, nsize       10, name bridge.lrp
         Dirent     node at 0x0000da00, totlen 0x00000031, #pino     1, version     2, #ino         4, nsize        9, name dhcpd.lrp
         Dirent     node at 0x00019ba4, totlen 0x00000033, #pino     1, version     3, #ino         5, nsize       11, name dnsmasq.lrp
         Dirent     node at 0x0001fd0c, totlen 0x00000033, #pino     1, version     4, #ino         6, nsize       11, name ezipupd.lrp
         Dirent     node at 0x000264f4, totlen 0x00000030, #pino     1, version     5, #ino         7, nsize        8, name gpio.lrp
         Dirent     node at 0x00027508, totlen 0x00000033, #pino     1, version     6, #ino         8, nsize       11, name hotplug.lrp
         Dirent     node at 0x0002795c, totlen 0x00000031, #pino     1, version     7, #ino         9, nsize        9, name lrpkg.cfg
         Dirent     node at 0x00027a4c, totlen 0x00000034, #pino     1, version     8, #ino        10, nsize       12, name iptables.lrp
         Dirent     node at 0x0003b060, totlen 0x00000030, #pino     1, version     9, #ino        11, nsize        8, name mawk.lrp
         Dirent     node at 0x00048bcc, totlen 0x00000033, #pino     1, version    10, #ino        12, nsize       11, name modules.lrp
         Dirent     node at 0x000cd42c, totlen 0x00000033, #pino     1, version    11, #ino        13, nsize       11, name ntpdate.lrp
         Dirent     node at 0x000d8d2c, totlen 0x0000002f, #pino     1, version    12, #ino        14, nsize        7, name ppp.lrp
         Dirent     node at 0x000f8d2c, totlen 0x00000031, #pino     1, version    13, #ino        15, nsize        9, name pppoe.lrp
         Dirent     node at 0x000f9290, totlen 0x00000033, #pino     1, version    14, #ino        16, nsize       11, name proftpd.lrp
         Dirent     node at 0x00117d64, totlen 0x00000030, #pino     1, version    15, #ino        17, nsize        8, name pump.lrp
         Dirent     node at 0x0011f108, totlen 0x00000030, #pino     1, version    16, #ino        18, nsize        8, name root.lrp
         Dirent     node at 0x001d9b24, totlen 0x00000034, #pino     1, version    17, #ino        19, nsize       12, name rp-pppoe.lrp
         Dirent     node at 0x001dd844, totlen 0x00000031, #pino     1, version    18, #ino        20, nsize        9, name samba.lrp
         Dirent     node at 0x0021d37c, totlen 0x00000032, #pino     1, version    19, #ino        21, nsize       10, name udhcpd.lrp
         Dirent     node at 0x002219e8, totlen 0x00000037, #pino     1, version    20, #ino        22, nsize       15, name wgt634u-gui.lrp
         Dirent     node at 0x002493bc, totlen 0x0000003a, #pino     1, version    21, #ino        23, nsize       18, name wireless-tools.lrp
         Dirent     node at 0x00253d2c, totlen 0x00000031, #pino     1, version    22, #ino        24, nsize        9, name zebra.lrp
         Dirent     node at 0x0027d780, totlen 0x0000002f, #pino     1, version    23, #ino        25, nsize        7, name etc.lrp
         Dirent     node at 0x00283318, totlen 0x00000034, #pino     1, version    24, #ino        26, nsize       12, name shorwall.lrp
         Dirent     node at 0x0028ef10, totlen 0x00000038, #pino     1, version    25, #ino        27, nsize       16, name firmware.version

DrDisk,

Can you explain in more detail how you can get that information from the WGT634U firmware file?  I am interested to tinker with the firmware file, but do not understand how to take it apart and get the kernel and filesystem in separate pieces.  Can you explain for me how to uncompress the filesystem portion so I can mount it in my workstation and browse around?

Thanks much,
BBHomer

Well, as I wrote:

Kernel starts at 0x00000000 and a JFFS2 Filesystem at 0x00140000 with the following contents:

A WGT634U firmware image just has a raw kernel image in the range from offset 0x00000000 to 0x0013ffff, padded with 0xff if the kernel image is shorter than 0x140000. After that there's a plain JFFS2 filesystem with variable length (max is 0x620000 because of partitioning of the flash).

After that there's a CRC32 appended as plain text (8 bytes '0'-'9', 'a'-'f').

The kernel image has an embedded initrd, which mounts the jffs2 and unpacks everything into a 13MB ramdisk.

Netgear, or more precisely the OEM that built the 634U, uses the LEAF "Bering" distribution as a base for the product.

Layout of the 8MB flash:

Part  Size  Contents
0     384k  bootloader (CFE)
1     128k  jffs2 (router config, tar.gz named config.lrp)
2    1280k  kernel (vmlinuz)
3    6272k  jffs2 (userspace bootstrap)
4     128k  flash simulated NVRAM

NVRAM Contents:

sdram_ncdl=0x00020080
boardtype=bcm95365r
et0mdcport=0
et0phyaddr=254
STARTUP=ifconfig eth0 -addr=192.168.1.1 -mask=255.255.255.0;boot -elf flash0.os:
kernel_args=console=ttyS1,115200 root=/dev/ram0 init=/linuxrc rw syst_size=8M
configvlan=0x1
et0macaddr=00-09-5b-xx-xx-xx
et1macaddr=00-09-5b-xx-xx-yy

This and strings inside the CFE bootloader indicate that the 634U is based on the "Broadcom BCM95365R Sentry5 VR/WAP/VPN GW Platform".

The CFE bootloader used here seems to be similar, though not identical, to the one used by Broadcom's SiByte processors.

More info when I succeed in interfacing the ttyS1 to another system. I think I know where the serial port is, just need to build the interface circuitry (using a 3.3v RS-232 transceiver, i.e. MAX3232CPE).
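The image layout described in the post above (0xff-padded kernel region, JFFS2 rootfs, 8-character hex CRC32 trailer) can be checked before anything is written to flash. The following is an added example, not code from the thread or from Netgear; the function names and the constructed sample image are hypothetical, and the CRC is assumed to be the standard zlib CRC-32 over every byte before the trailer, which the post does not state.

```python
import zlib

KERNEL_REGION = 0x140000   # kernel occupies 0x000000-0x13ffff, 0xff-padded
MAX_JFFS2 = 0x620000       # rootfs limit imposed by the flash partitioning
CRC_LEN = 8                # CRC32 trailer: 8 ASCII characters 0-9, a-f
HEX_DIGITS = b"0123456789abcdef"
# JFFS2 nodes start with magic 0x1985; byte order shows the target endianness.
JFFS2_MAGIC = {b"\x85\x19": "little", b"\x19\x85": "big"}


class ImageError(ValueError):
    """Raised when an image does not match the layout described in the post."""


def split_image(image: bytes) -> dict:
    """Split a firmware image into kernel, rootfs and CRC trailer."""
    if len(image) < KERNEL_REGION + CRC_LEN:
        raise ImageError("too short for kernel region plus CRC trailer")
    body, trailer = image[:-CRC_LEN], image[-CRC_LEN:]
    if any(b not in HEX_DIGITS for b in trailer):
        raise ImageError("trailer is not 8 lowercase hex digits: %r" % trailer)

    kernel_region, rootfs = body[:KERNEL_REGION], body[KERNEL_REGION:]
    if len(rootfs) > MAX_JFFS2:
        raise ImageError("rootfs is 0x%x bytes, limit is 0x%x"
                         % (len(rootfs), MAX_JFFS2))

    # Strip the padding. A kernel that really ends in 0xff bytes would lose
    # them here, so treat the stripped length as a lower bound.
    kernel = kernel_region.rstrip(b"\xff")

    stated = int(trailer.decode("ascii"), 16)
    # ASSUMPTION: zlib CRC-32 over everything before the trailer.
    computed = zlib.crc32(body) & 0xFFFFFFFF
    return {
        "kernel": kernel,
        "rootfs": rootfs,
        "jffs2_endianness": JFFS2_MAGIC.get(rootfs[:2]),  # None if no magic
        "stated_crc": stated,
        "computed_crc": computed,
        "crc_ok": stated == computed,
    }


def build_sample() -> bytes:
    """Constructed test image: tiny fake kernel, one fake JFFS2 node header."""
    kernel = b"\x7fELF" + b"\x01" * 60           # constructed, not a real kernel
    rootfs = b"\x85\x19\x01\xe0" + b"\x00" * 28   # constructed JFFS2-like bytes
    body = kernel.ljust(KERNEL_REGION, b"\xff") + rootfs
    trailer = ("%08x" % (zlib.crc32(body) & 0xFFFFFFFF)).encode("ascii")
    return body + trailer


if __name__ == "__main__":
    info = split_image(build_sample())
    print("kernel bytes :", len(info["kernel"]))
    print("rootfs bytes :", len(info["rootfs"]))
    print("jffs2 endian :", info["jffs2_endianness"])
    print("crc trailer  : %08x (match: %s)" % (info["stated_crc"], info["crc_ok"]))
```

If `crc_ok` is false on a genuine vendor image, the CRC assumption is wrong for this device rather than the image being corrupt, so confirm it against an unmodified download first.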

so any success with accessing the router?

Another question, how fast is the router's cpu?

found a gzipped initrd.minix inside the kernel image:

michael@jomobil:~/Desktop/wgt/initrd.minix_extracted$ ls -r
var  usr  sbin  linuxrc  lib  john.pot  dev  boot  bin
michael@jomobil:~/Desktop/wgt/initrd.minix_extracted$ ls -l
total 4
drwxr-xr-x    2 root     root          168 May 27 11:22 bin
drwxr-xr-x    4 root     root           96 Oct 20  2002 boot
drwxr-xr-x    2 root     root           72 May 27 11:22 dev
-rw-------    1 root     michael         0 Jun 12 22:32 john.pot
drwxr-xr-x    2 root     root          192 May 27 11:22 lib
lrwxrwxrwx    1 root     root           26 Jun 12 21:54 linuxrc -> var/lib/lrpkg/root.linuxrc
drwxr-xr-x    2 root     root           48 Oct 20  2002 sbin
drwxr-xr-x    4 root     root           96 May 27 11:22 usr
drwxr-xr-x    4 root     root           96 May 27 11:22 var
michael@jomobil:~/Desktop/wgt/initrd.minix_extracted$ ls -lr
total 4
drwxr-xr-x    4 root     root           96 May 27 11:22 var
drwxr-xr-x    4 root     root           96 May 27 11:22 usr
drwxr-xr-x    2 root     root           48 Oct 20  2002 sbin
lrwxrwxrwx    1 root     root           26 Jun 12 21:54 linuxrc -> var/lib/lrpkg/root.linuxrc
drwxr-xr-x    2 root     root          192 May 27 11:22 lib
-rw-------    1 root     michael         0 Jun 12 22:32 john.pot
drwxr-xr-x    2 root     root           72 May 27 11:22 dev
drwxr-xr-x    4 root     root           96 Oct 20  2002 boot
drwxr-xr-x    2 root     root          168 May 27 11:22 bin
michael@jomobil:~/Desktop/wgt/initrd.minix_extracted$ ls -lR
.:
total 4
drwxr-xr-x    2 root     root          168 May 27 11:22 bin
drwxr-xr-x    4 root     root           96 Oct 20  2002 boot
drwxr-xr-x    2 root     root           72 May 27 11:22 dev
-rw-------    1 root     michael         0 Jun 12 22:32 john.pot
drwxr-xr-x    2 root     root          192 May 27 11:22 lib
lrwxrwxrwx    1 root     root           26 Jun 12 21:54 linuxrc -> var/lib/lrpkg/root.linuxrc
drwxr-xr-x    2 root     root           48 Oct 20  2002 sbin
drwxr-xr-x    4 root     root           96 May 27 11:22 usr
drwxr-xr-x    4 root     root           96 May 27 11:22 var

./bin:
total 641
-rwxr-xr-x    1 root     root       214096 May 27 11:22 ash
lrwxrwxrwx    1 root     root            3 Jun 12 21:54 bash -> ash
-rwxr-xr-x    1 root     root       386532 May 27 11:15 busybox
-rwxr-xr-x    1 root     root        46732 May 27 11:16 sed
lrwxrwxrwx    1 root     root            3 Jun 12 21:54 sh -> ash

./boot:
total 1
drwxr-xr-x    2 root     root           96 Oct 20  2002 etc
drwxr-xr-x    3 root     root           72 Oct 20  2002 lib

./boot/etc:
total 8
-rw-r--r--    1 root     root          404 Feb 19  2002 README
-rw-r--r--    1 root     root            8 May 27 11:22 modules

./boot/lib:
total 1
drwxr-xr-x    2 root     root           96 Mar  9 19:37 modules

./boot/lib/modules:
total 144
-rw-r--r--    1 root     root        60340 Mar  9 19:36 et.o
-rw-r--r--    1 root     root        83390 Mar  9 19:37 robo.o

./dev:
total 0
crw-r--r--    1 root     root       5,   1 Oct 23  2002 console

./lib:
total 401
-rwxr-xr-x    1 root     root        27104 May 27 11:15 ld-uClibc-0.9.19.so
lrwxrwxrwx    1 root     root           19 Jun 12 21:54 ld-uClibc.so.0 -> ld-uClibc-0.9.19.so
lrwxrwxrwx    1 root     root           19 Jun 12 21:54 libc.so.0 -> libuClibc-0.9.19.so
-rwxr-xr-x    1 root     root       378592 May 27 11:15 libuClibc-0.9.19.so

./sbin:
total 0

./usr:
total 1
drwxr-xr-x    2 root     root           48 Oct 20  2002 bin
drwxr-xr-x    2 root     root           48 Oct 20  2002 sbin

./usr/bin:
total 0

./usr/sbin:
total 0

./var:
total 1
drwxr-xr-x    3 root     root           72 Oct 20  2002 lib
drwxr-xr-x    2 root     root           48 Oct 20  2002 log

./var/lib:
total 1
drwxr-xr-x    2 root     root          368 May 27 11:22 lrpkg

./var/lib/lrpkg:
total 49
-rw-r--r--    1 root     root          167 Feb 17  2002 initrd.conf
-rw-r--r--    1 root     root          295 May 27 11:22 initrd.list
lrwxrwxrwx    1 root     root           12 Jun 12 21:54 initrd.version -> root.version
-rw-r--r--    1 root     root          960 Oct 21  2002 root.bb.links
-rw-r--r--    1 root     root         4542 May 27 11:22 root.dev.mk
-rw-r--r--    1 root     root          547 May 27 11:22 root.dev.mod
-rw-r--r--    1 root     root          485 May 27 11:22 root.dev.own
-rwxr-xr-x    1 root     root         9781 May 27 11:22 root.linuxrc
-rw-r--r--    1 root     root          175 Jun 14  1998 root.mount
-rw-r--r--    1 root     root            9 Jul  7  2002 root.version

./var/log:
total 0

Hi,

the CPU is a 200MHz one. Before hacking around with the firmware please keep in mind that the bootloader doesn't have a boot_wait option and doesn't accept TFTP transfers.

So if you upload a broken firmware your device is dead. The only way to recover it is to connect a serial console to it.

I've booted a Linksys kernel on the device but it requires heavy modifications. Looks like the BCM5364P CPU needs some special care.

I've contacted Netgear and asked them to provide the sources. They immediately replied and made them available. You can find them on their .com site. Search for GPL. Thanks Netgear!

The CPU seems to have a VPN/Crypto accelerator core, but since we don't have any docs about it it's useless. Maybe it's even disabled.

I've encountered a major problem. The switch chip. It's a Broadcom based one and, you guessed it, there is no spec available. So at the moment we can't write open source drivers for it.

Best,
  Florian

Hey there, I also now own a WGT634U, is there someone working on getting this router to run with openwrt?

greetings

micha

It is a wireless router/firewall with a usb port for interfacing with a HDD or memory stick. It is a pretty cool little unit. With custom firmware this guy could do just about anything you could want out of an AP.

What makes this guy think it has a USB port?  I don't see it listed anywhere on the netgear site.  Maybe it's internal not intended to be used by the consumer.

Can anyone confirm either way?

Also important to note is that USB is a host/client configuration. A USB port is either a host (a peripheral is to be connected to it) or a client (the port is on a peripheral like a printer or USB DSL modem, and can only be connected to a host). This is not to be confused with Firewire in which all devices can behave peer-to-peer. IE: Connecting 2 iPods together and transferring files. (Stop drooling, no hack has been successful at enabling that. Apple won't allow it.)

What makes this guy think it has a USB port? I don't see it listed anywhere on the netgear site. Maybe it's internal not intended to be used by the consumer.

Can anyone confirm either way?

The Product description does. The 634_U_ has one external USB port. The device itself has multiple USB controllers. The BCM5634 Sentry5 has USB integrated, but Netgear uses a different USB controller for the external port. Not sure why. Guess the integrated controllers are USB 1.1 and the external is USB 2.0.

I'm just in the process of interfacing the serial port(s) to get to the CFE. You'll need a 3.3V transceiver though.

Salve,
as you may already have read:
http://www.openwrt.org/forum/viewtopic.php?t=316
I'm looking for a cheap and low-power system for running a firewall but also to have some fun with scripts and I/O - so this is why I'm very interested in having one (or more) USB ports.

Would somebody be so kind as to take some pictures of the board, so that it's possible to see which chips are used by Netgear?

Second, what is the max speed that the Netgear routers with USB 2.0 can reach? Netgear's 108 MBit WLAN does not reach this in reality, and all routers based on the Broadcom BCM47x2 have only one 100 MBit/s hardware Ethernet port on the chip, so when these routers are used as an Ethernet-to-Ethernet firewall, they will all have less than 50 MBit/s.
Because of this, IMHO it doesn't really matter if the router has 11 MBit/s USB or theoretically 480 MBit/s ;)

But USB would be really nice, not only for BT sticks, printers or multiple USB2RS232 adapters (9 Euro) - IMHO it is easier, more flexible and cheaper to add more flash to the router with USB sticks (64MB < 15 Euro).
Because OpenWRT is modular and the core very minimalistic, I would like to see this core flashed once - all scripts, tools, config and, ideally, kernel + /boot should be stored on the USB stick.
It could be flashed easily, and falling back to or restoring a running system would be easy then.
BUT I fear that there is no trick, no hack to have a boot chain where one kernel (with USB driver) will load another kernel.

I'm not the right person to hack this - but want to share this idea, and I found something in the "Linux bios archive"
---
Re: VIA issues
To: Ronald G Minnich <rminnich@lanl.gov>
Subject: Re: VIA issues
From: ebiederman@lnxi.com (Eric W. Biederman)
Date: 06 Oct 2000 08:05:35 -0600
Cc: linuxbios@lanl.gov

In-Reply-To: Ronald G Minnich's message of "Thu, 5 Oct 2000 20:38:51 -0600 (MDT

References: <Pine.LNX.4.21.0010052035270.30326-100000@white.acl.lanl.gov>
Sender: owner-linuxbios@listman.lanl.gov

[.....]

I'm fighting from another angle.  I have a kernel booting another
kernel working for an SMP kernel.  Now if I just need to get it to work
for a SMP kernel when more than 1 cpu is in the box and I'll be in good shape :)

Eric
---
So could a kernel boot another one and HOW? ;)

Greetings
rob

Would somebody be so kind as to take some pictures of the board, so that it's possible to see which chips are used by Netgear?

Look at the "FCC stuff" link in the first post in this topic, there's all the pictures you need.

Just some information...

If you want access to the rootfs on the router, just create an ftp-login that shares the folder "/../.." and this will make you able to access the root-fs on the router.

When powering off the device it will restore the original firmware, so no worry here if you modify the root-fs...

You will only have access as a normal user though, so you are unable to overwrite any of the configuration-files... But maybe someone can find a hack for the ftp-server :)

$ ncftp -u test 192.168.1.1
NcFTP 3.1.7 (Jan 07, 2004) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 192.168.1.1...                                                                             
ProFTPD 1.2.5 Server (ProFTPD Default Installation) [WGT634U]
Logging in...                                                                                             
Password requested by 192.168.1.1 for user "test".

    Password required for test.

Password: ****

User test logged in.
Logged in to 192.168.1.1.                                                                                 
ncftp / > ls
bin/         config_mnt/  initrd/      mnt/         root/        share/       var/
boot/        dev/         lib/         nfs/         samples/     tmp/
config/      etc/         linuxrc@     proc/        sbin/        usr/
ncftp / >

hmm... the security on the router looks a little bit weird... they got a shadow file, readable by anyone :)

$ more shadow
root:P7zoCUofE8GZo:10091:0:99999:7:::
daemon:*:10091:0:99999:7:::
bin:*:10091:0:99999:7:::
sys:*:10091:0:99999:7:::
sync:*:10091:0:99999:7:::
lp:*:10091:0:99999:7:::
mail:*:10091:0:99999:7:::
squid:*:10091:0:99999:7:::
sh-httpd:*:10091:0:99999:7:::
sshd:*:10091:0:99999:7:::
alias:*:10091:0:99999:7:::
qmaild:*:10091:0:99999:7:::
qmails:*:10091:0:99999:7:::
qmailr:*:10091:0:99999:7:::
qmailq:*:10091:0:99999:7:::
qmaill:*:10091:0:99999:7:::
qmailp:*:10091:0:99999:7:::
vpopmail:*:10091:0:99999:7:::
lrp:*:10091:0:99999:7:::
lrpqmail:*:10091:0:99999:7:::
dnslog:*:10091:0:99999:7:::
dnscache:*:10091:0:99999:7:::
tinydns:*:10091:0:99999:7:::
walldns:*:10091:0:99999:7:::
axfrdns:*:10091:0:99999:7:::
nobody:*:10091:0:99999:7:::

so if someone has a good pw-cracker we could get into the root-account
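The finding in the post above, a shadow file any logged-in user can read that holds a 13-character traditional crypt hash, is something a firmware reviewer can check for mechanically on an unpacked root filesystem. This is an added example, not code from the thread; the function names are hypothetical and the sample file is constructed, with placeholder strings instead of real hashes.

```python
import os
import re
import stat
import tempfile

# Traditional DES crypt: 2 salt + 11 hash characters. It uses only the first
# 8 password characters and a 12-bit salt, so it is treated as weak here.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
WEAK = {"empty", "des-crypt", "md5-crypt"}


def classify(field: str) -> str:
    """Name the scheme used by the password field of one shadow entry."""
    if field == "":
        return "empty"            # account has no password at all
    if field[0] in "*!":
        return "locked"           # no password login possible
    if DES_CRYPT.match(field):
        return "des-crypt"
    m = re.match(r"^\$([0-9a-z]+)\$", field)
    if m:
        return MODULAR.get(m.group(1), "unknown-modular")
    return "unknown"


def audit_shadow(path: str) -> dict:
    """Report file mode and per-account hash scheme for a shadow file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    accounts = {}
    with open(path, encoding="ascii", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, field = line.split(":")[:2]
            accounts[name] = classify(field)
    return {
        "mode": oct(mode),
        "world_readable": bool(mode & stat.S_IROTH),
        "accounts": accounts,
        "weak": [n for n, s in accounts.items() if s in WEAK],
    }


# Constructed sample: the hash fields are placeholders, not real hashes.
SAMPLE = """\
root:XXplaceholder:10091:0:99999:7:::
daemon:*:10091:0:99999:7:::
svc:$6$constructed$notarealhash:10091:0:99999:7:::
guest::10091:0:99999:7:::
"""


def make_sample() -> str:
    """Write SAMPLE to <tmp>/etc/shadow with mode 0644 and return its path."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.mkdir(os.path.join(root, "etc"))
    path = os.path.join(root, "etc", "shadow")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(SAMPLE)
    os.chmod(path, 0o644)
    return path


if __name__ == "__main__":
    report = audit_shadow(make_sample())
    print("mode           :", report["mode"])
    print("world readable :", report["world_readable"])
    for name, scheme in report["accounts"].items():
        flag = "  <-- weak" if name in report["weak"] else ""
        print("%-8s %s%s" % (name, scheme, flag))
```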

update on last post...
password for root is "password" as default, though the ftp-daemon does a chroot to the home-folder of users...

i'll get back as soon as i got anything more

add: We just need a shell or root exploit for the proftpd 1.2.5 server and then we would have a shell

update:

Bootup with USB Key plugged in.


Jan  1 08:00:57 WGT634U syslogd 1.4.1: restart.
Jan  1 08:00:57 WGT634U kernel: klogd 1.4.1, log source = /proc/kmsg started.
Jan  1 08:00:57 WGT634U kernel: Loaded 220 symbols from 15 modules.
Jan  1 08:00:57 WGT634U kernel: Memory: 30144k/32768k available (1504k kernel code, 2624k reserved, 488k data, 80k init, 0k highmem)
Jan  1 08:00:57 WGT634U kernel: Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Jan  1 08:00:57 WGT634U kernel: Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Jan  1 08:00:57 WGT634U kernel: Linux NET4.0 for Linux 2.4
Jan  1 08:00:57 WGT634U kernel: Based upon Swansea University Computer Society NET3.039
Jan  1 08:00:57 WGT634U kernel: NTFS driver 2.1.6a [Flags: R/O].
Jan  1 08:00:57 WGT634U kernel: JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.
Jan  1 08:00:57 WGT634U kernel: Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
Jan  1 08:00:57 WGT634U kernel: ttyS00 at 0xb8000300 (irq = 0) is a 16550A
Jan  1 08:00:57 WGT634U kernel: ttyS01 at 0xb8000400 (irq = 3) is a 16550A
Jan  1 08:00:57 WGT634U kernel: loop: loaded (max 8 devices)
Jan  1 08:00:57 WGT634U kernel: Flash device: 0x800000 at 0x1c000000
Jan  1 08:00:57 WGT634U kernel: Physically mapped flash: Minix filesystem found at block 384
Jan  1 08:00:57 WGT634U kernel: Creating 5 MTD partitions on "Physically mapped flash":
Jan  1 08:00:57 WGT634U kernel: 0x00000000-0x00060000 : "cfe"
Jan  1 08:00:57 WGT634U kernel: 0x00060000-0x00080000 : "config"
Jan  1 08:00:57 WGT634U kernel: 0x00080000-0x001c0000 : "linux"
Jan  1 08:00:57 WGT634U kernel: 0x001c0000-0x007e0000 : "jffs"
Jan  1 08:00:57 WGT634U kernel: 0x007e0000-0x00800000 : "nvram"
Jan  1 08:00:57 WGT634U kernel: NET4: Linux TCP/IP 1.0 for NET4.0
Jan  1 08:00:57 WGT634U kernel: IP Protocols: ICMP, UDP, TCP, IGMP
Jan  1 08:00:57 WGT634U kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
Jan  1 08:00:57 WGT634U kernel: TCP: Hash tables configured (established 2048 bind 4096)
Jan  1 08:00:57 WGT634U kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Jan  1 08:00:57 WGT634U kernel: NET4: Ethernet Bridge 008 for NET4.0
Jan  1 08:00:57 WGT634U kernel: RAMDISK: Compressed image found at block 0
Jan  1 08:00:57 WGT634U kernel: Freeing initrd memory: 370k freed
Jan  1 08:00:57 WGT634U kernel: Freeing unused kernel memory: 80k freed
Jan  1 08:00:57 WGT634U kernel: ath_hal: 0.9.6.1
Jan  1 08:00:57 WGT634U kernel: ath_pci: 0.8.4.0 BETA
Jan  1 08:00:57 WGT634U kernel: ath0: Atheros 5212: mem=0x40010000, irq=2
Jan  1 08:00:57 WGT634U kernel: CSLIP: code copyright 1989 Regents of the University of California
Jan  1 08:00:57 WGT634U kernel: N_HDLC line discipline registered.
Jan  1 08:00:57 WGT634U kernel: PPP generic driver version 2.4.2
Jan  1 08:00:57 WGT634U kernel: SCSI subsystem driver Revision: 1.00
Jan  1 08:00:57 WGT634U kernel: usb.c: registered new driver usbdevfs
Jan  1 08:00:57 WGT634U kernel: usb.c: registered new driver hub
Jan  1 08:00:57 WGT634U kernel: eth0.6: add 01:00:5e:00:00:01 mcast address to master interface
Jan  1 08:00:57 WGT634U kernel: eth0.6: del 01:00:5e:00:00:01 mcast address from master interface
Jan  1 08:00:57 WGT634U kernel: eth0.6: del 01:00:5e:00:00:01 mcast address from vlan interface
Jan  1 08:00:57 WGT634U kernel: device eth0 entered promiscuous mode
Jan  1 08:00:57 WGT634U kernel: vlan6: add 01:00:5e:00:00:01 mcast address to master interface
Jan  1 08:00:57 WGT634U kernel: device ath0 entered promiscuous mode
Jan  1 08:00:57 WGT634U kernel: device eth0.1 entered promiscuous mode
Jan  1 08:00:57 WGT634U kernel: eth0.1: dev_set_promiscuity(master, 1)
Jan  1 08:00:57 WGT634U kernel: br0: port 2(eth0.1) entering learning state
Jan  1 08:00:57 WGT634U kernel: br0: port 1(ath0) entering learning state
Jan  1 08:00:57 WGT634U kernel: br0: port 2(eth0.1) entering forwarding state
Jan  1 08:00:57 WGT634U kernel: br0: topology change detected, propagating
Jan  1 08:00:57 WGT634U kernel: br0: port 1(ath0) entering forwarding state
Jan  1 08:00:57 WGT634U kernel: br0: topology change detected, propagating
Jan  1 08:01:03 WGT634U kernel: NETDEV WATCHDOG: ath0: transmit timed out
Jan  1 08:01:23 WGT634U last message repeated 2 times
Jan  1 08:01:27 WGT634U root: Shorewall Started
Jan  1 08:01:28 WGT634U /sbin/nfqueue[2931]: nfqueue started.
Jan  1 08:01:34 WGT634U kernel: Initializing USB Mass Storage driver...
Jan  1 08:01:34 WGT634U kernel: usb.c: registered new driver usb-storage
Jan  1 08:01:34 WGT634U kernel: USB Mass Storage support registered.
Jan  1 08:01:34 WGT634U kernel: ehci_hcd 01:02.2: PCI device 1033:00e0
Jan  1 08:01:34 WGT634U kernel: ehci_hcd 01:02.2: irq 2, pci mem c0074000
Jan  1 08:01:34 WGT634U kernel: usb.c: new USB bus registered, assigned bus number 1
Jan  1 08:01:34 WGT634U kernel: ehci_hcd 01:02.2: USB 2.0 enabled, EHCI 1.00, driver 2003-Dec-29/2.4
Jan  1 08:01:34 WGT634U kernel: hub.c: USB hub found
Jan  1 08:01:34 WGT634U kernel: hub.c: 2 ports detected
Jan  1 08:01:34 WGT634U kernel: usb-ohci.c: USB OHCI at membase 0xc018e000, IRQ 2
Jan  1 08:01:34 WGT634U kernel: usb-ohci.c: usb-01:02.0, PCI device 1033:0035
Jan  1 08:01:34 WGT634U kernel: usb.c: new USB bus registered, assigned bus number 2
Jan  1 08:01:34 WGT634U kernel: hub.c: USB hub found
Jan  1 08:01:34 WGT634U kernel: hub.c: 1 port detected
Jan  1 08:01:34 WGT634U kernel: usb-ohci.c: USB OHCI at membase 0xc0190000, IRQ 2
Jan  1 08:01:34 WGT634U kernel: usb-ohci.c: usb-01:02.1, PCI device 1033:0035
Jan  1 08:01:34 WGT634U kernel: usb.c: new USB bus registered, assigned bus number 3
Jan  1 08:01:34 WGT634U kernel: hub.c: USB hub found
Jan  1 08:01:34 WGT634U kernel: hub.c: 1 port detected
Jan  1 08:01:34 WGT634U kernel: hub.c: new USB device 01:02.2-1, assigned address 2
Jan  1 08:01:34 WGT634U kernel: scsi0 : SCSI emulation for USB Mass Storage devices
Jan  1 08:01:35 WGT634U kernel: Partition check:
Jan  1 08:01:35 WGT634U kernel:  sda: sda1
Jan  1 08:02:05 WGT634U usb.agent[3063]:      storage: loaded successfully
Jan  1 08:02:05 WGT634U root: who is calling usb-storage
Jan  1 08:02:05 WGT634U root: idvendor is 781
Jan  1 08:02:05 WGT634U root: idprod is 5150
Jan  1 08:02:05 WGT634U root: guid_str is GUID: 07815150
Jan  1 08:02:05 WGT634U root: we need to grep /proc/scsi/usb-storage-0/0
Jan  1 08:02:05 WGT634U root: grep string is GUID: 07815150
Jan  1 08:02:05 WGT634U root: Found in /proc/scsi/usb-storage-0/0
Jan  1 08:02:06 WGT634U root: scsid is scsi0
Jan  1 08:02:06 WGT634U root: out of while, sd is sda
Jan  1 08:02:06 WGT634U root: mounting /dev/sda
Jan  1 08:02:06 WGT634U root: mounting /dev/sda1
Jan  1 08:07:43 WGT634U maintenance_status.html: nameserver info in /var/run/resolv.conf: nameserver 10.65.65.65
Jan  1 09:22:53 WGT634U root: Shorewall Restarted
Jan  1 09:23:50 WGT634U root: Shorewall Restarted

You don't need a root exploit for proftpd; try modifying the html+js page which checks the strings passed to the useradd cgi. So basically you have to inject a line to /etc/passwd with 0 gid. /etc is on the jffs2 partition so you can write to it. Another thing to try is to extract the settings saved from the router and modify them.
I played with a test device a few months ago, but I had to give it back in a few days, so I had no success.

Porting openwrt would be difficult, because of the different arch (not mipsel, can't remember what), and different endianness.

ps: afaik no boot wait or such thing enabled on boot
and root account is the admin passwd for the router, ftp login for root is just disabled in proftpd.conf

just found a way of modding the homepath of the rootuser,

it seems like the ftp-moduser script does not check if the user that I'm modding is root.. (just tried this with the sys user since that user is not even checked by the scripts) and it works... on the way to creating a modified page that will do a post with the root user instead.

Just a "small" update... the router has just been hacked :)

$ ncftp -u root 192.168.1.1
NcFTP 3.1.7 (Jan 07, 2004) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 192.168.1.1...                                                                                                                                             
ProFTPD 1.2.5 Server (ProFTPD Default Installation) [WGT634U]
Logging in...                                                                                                                                                             
Password requested by 192.168.1.1 for user "root".

    Password required for root.

Password: ****

User root logged in.
Logged in to 192.168.1.1.                                                                                                                                                 
ncftp / > ls
bin/         config/      dev/         initrd/      linuxrc@     nfs/         root/        sbin/        tmp/         var/
boot/        config_mnt/  etc/         lib/         mnt/         proc/        samples/     share/       usr/
ncftp / > pwd
  ftp://root:PASSWORD@192.168.1.1
ncftp / >



Will have a page up and running shortly on how to get access to the filesystem and later on how to upload and run stuff on it... stay tuned :)

just a small update that might be good to know...

The passwd file will be kept after a restart of the box, but all (at least the cgi-folder and bin/sbin folders) files on it will be recreated and fs will be cleaned... Having some trouble getting a valid dropbear binary for the box... though that might be because the local time here is 0:37 and I'm starting work at 8:00 :P

Will post an update tomorrow...