OpenWrt Forum Archive

Topic: Running Kamikaze on Linksys wag160n

The content of this topic has been archived between 4 Apr 2018 and 12 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

u can find the file in the rapidshare link provided by VIRUS in this thread (posted: 2010-06-12 23:26:02).

Regards wrote:

u can find the file in the rapidshare link provided by VIRUS in this thread (posted: 2010-06-12 23:26:02).

Thanks :)
With this firmware wag160n works like router with dsl support, ok?


biohazard wrote:

u can find the file in the rapidshare link provided by VIRUS in this thread (posted: 2010-06-12 23:26:02).

Thanks :)
With this firmware wag160n works like router with dsl support, ok?


Regarding the ADSL part, OpenWrt is yet to provide support for it (correct me if I'm wrong). But things are getting promising. Read this thread "".

xris wrote:

Thx for reup. Is there a way to flash it without jtag?

That's my issue with ur .bin:
Upgrade file is not the correct type or version for this device.
Upgrade failed.

Please select the correct file and try again.

Could somebody tell me why I get this error, please?

All the rapidshare links appear to be dead, can someone repost the file somewhere?

Again, is it at all possible to flash it without JTAG? And how?

If this can be answered it would save me some effort and I will just get a JTAG adapter.



Hey, Virus,

I think I've read every documentation that there is out here. I'm pretty close but still have one problem.

I've downloaded the latest GPL tarball from the Linksys website (1.00.14 tarball for Annex B).
I have also set up Ubuntu-6.06.1 (i386), installed and updated it with all the necessary packages (via the OpenWrt wiki).

Problem is, the wiki stops there... Can you explain to me how it goes from this point on?

Do we actually need that Linksys GPL code? Or is that just for (extreme) advanced users who can port some of that code into an OpenWrt firmware?

For now I understand that we just need to fire up "make menuconfig", select the right hardware and packages/options we want to have,
and create an image. Is this correct?

Also, does Linksys allow flashing OpenWrt firmware via the web interface? Or do we actually need to flash it, the first time, via JTAG?

I don't need ADSL support since we got VDSL now. Also DHCP/DNS capabilities are managed by another device.
Basically I just need a switch, wireless AP and the possibility to run scripts on the router, that's the important one.

Thx in advance,

Hi kindt.nick,

U don't need Linksys source to build OpenWrt firmware. To make Backfire run on WAG160N u have to modify the source to add 96358GW support (board_bcm963xx.c) and make the Atheros drivers load calibration data from mtd4 (ath9k drivers and bcm963xx-flash.c).

Compiled firmware should be flashed via serial console / eth, using CFE (tftp method).



Yes, but how on earth does one get to CFE on a device with the manufacturer's firmware installed? The wiki makes me think that I still need a serial cable; the TFTP stuff doesn't reference CFE, it just tells you to try the upload within 1/2 second of turning the router on (I tried from both Windows and Linux and never got TFTP to work despite varying my timings etc.). Telnet takes me straight into Busybox (I did install a telnet-enabled firmware through the web upgrade at least).

Can someone who put the image linked to above on the WAG160N just enlighten us newbies/blind people/idiots (whatever you want!) as to how to get into CFE and flash the image?



Hey Virus,

I've managed to flash the image, but I managed to have 3 problems...

1. very important, I can't enable the wifi device...

Wifi up
PHY for wifi device radio0 not found

2. Also, when I try to reflash the router with the original firmware downloaded from the Linksys website (.img file) it gives me an error, the flash utility says:

Firmware tag version [0] is not compatible with the current Tag version [6].    
*** command status = -1

PS: I've got the Annex B hardware version but the firmware is the correct one.
     I've googled for an img to bin converter but can't seem to find anything out there that works.

3. I see that there is no GUI inside it, nor are there webpages in the www-directory. Is this correct? Or did something go wrong during install?

Could you help me out once more?
Below you can find a printout of the startup. The only thing that looks wrong is the country code, I mean, as far as I can see...

Thx in advance.



I've managed to flash the bin file provided here. [openwrt-96358GW-squashfs-bc310-cfe.bin]

1. I've soldered the serial port and made myself a TTL to 3.3v serial converter with the MAX233 chip. (<10€)

2. I've downloaded "WinAgents TFTP Server for Windows", copied the bin file to "C:\ProgramData\WinAgents\TFTP Server 4\TFTPRoot"
    and renamed it to "bcm963xx_fs_kernel" (without an extension) and started the local TFTP server in the WinAgents Manager.

3. Next what I did was, I've fixed the IP of my NIC to "", as this is the default Host IP Address that is set in the CFE Loader.

4. Connect the serial converter and open RealTerm (or another terminal program) and set it to "115200 8N1".

If you start the router you'll get the following screen:

CFE version 1.0.37-5.4 for BCM96358 (32bit,SP,BE)
Build Date: 四  1月 10 19:25:21 CST 2008 (root@9DavidZhang2)
Copyright (C) 2000-2005 Broadcom Corporation.

Boot Address 0xbfc00000

Initializing Arena.
Initializing Devices.
Parallel flash device: name MX29LV320AB, id 0x22a8, size 4096KB
CPU type 0x2A010: 300MHz, Bus: 133MHz, Ref: 64MHz
Total memory: 33554432 bytes (32MB)

Total memory used by CFE:  0x80401000 - 0x80528800 (1210368)
Initialized Data:          0x8041E550 - 0x8041FF60 (6672)
BSS Area:                  0x8041FF60 - 0x80426800 (26784)
Local Heap:                0x80426800 - 0x80526800 (1048576)
Stack Area:                0x80526800 - 0x80528800 (8192)
Text (code) segment:       0x80401000 - 0x8041E544 (120132)
Boot area (physical):      0x00529000 - 0x00569000
Relocation Factor:         I:00000000 - D:00000000

Board IP address                  :  
Host IP address                   :  
Gateway IP address                :   
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Board Id Name                     : 96358GW  
Psi size in KB                    : 24
Number of MAC Addresses (1-32)    : 10  
Base MAC Address                  : 00:1d:7e:b3:9b:52  
Ethernet PHY Type                 : Internal
Memory size in MB                 : 32
CMT Thread Number                 : 0

*** Press any key to stop auto run (1 seconds) ***

5. Hit the "Enter" Key and press "f" followed by Enter.
    Now the WAG160N device tries to get the "bcm963xx_fs_kernel" from via TFTP over Ethernet.

6. Next thing it does is it flashes the image and reboots...

Another way is to download it via sercomm, but I didn't manage to get that working since you have to hex edit the bin file before the sercomm application will accept it.


Auto run second count down: 99876543210
Code Address: 0x80010000, Entry Address: 0x80010000
Decompression OK!
Entry at 0x80010000
Closing network.
Starting program at 0x80010000
Linux version (virus@Virion) (gcc version 4.3.3 (GCC) ) #18 Mon Mar 15 16:16:55 CET 2010
Detected Broadcom 0x6358 CPU revision a1
CPU frequency is 300 MHz
32MB of RAM installed
registering 40 GPIOs
board_bcm963xx: CFE version: 1.0.37-5.4
bootconsole [early0] enabled
CPU revision is: 0002a010 (Broadcom BCM6358)
board_bcm963xx: board name: 96358GW
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 32kB, VIPT, 2-way, linesize 16 bytes.
Primary data cache 16kB, 2-way, VIPT, cache aliases, linesize 16 bytes
Memory: 29724k/32768k available (2050k kernel code, 3044k reserved, 363k data, 136k init, 0k highmem)
Hierarchical RCU implementation.
Calibrating delay loop... 299.00 BogoMIPS (lpj=598016)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
ath: Register ath_data_device at address 0x1ffe1000
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
audit: initializing netlink socket (disabled)
type=2000 audit(0.197:1): initialized
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
msgmni has been set to 58
io scheduler noop registered
io scheduler deadline registered (default)
gpiodev: gpio device registered with major 254
gpiodev: gpio platform device registered with access mask FFFFFFFF
bcm63xx_uart.0: ttyS0 at MMIO 0xfffe0100 (irq = 10) is a bcm63xx_uart
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
bcm963xx_flash: 0x00400000 at 0x1fc00000
bcm963xx: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
bcm963xx_flash: Read Signature value of CFE1CFE1
bcm963xx_flash: CFE bootloader detected
bcm963xx_flash: CFE boot tag found with version 6, board type 96358GW, and tagid bc310.
bcm963xx_flash: Partition 0 is CFE offset 81ce1e48 and length 0
bcm963xx_flash: Partition 1 is kernel offset d2b and length 0
bcm963xx_flash: Partition 2 is rootfs offset d6c and length 0
bcm963xx_flash: Partition 3 is ath_data offset dad and length 0
bcm963xx_flash: Partition 4 is nvram offset df0 and length 0
bcm963xx_flash: Spare partition is 2a0000 offset and length 150000
Creating 5 MTD partitions on "bcm963xx":
0x000000000000-0x000000010000 : "CFE"
0x000000010100-0x0000000f0000 : "kernel"
mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
0x0000000f0000-0x0000003e0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
mtd: partition "rootfs_data" created automatically, ofs=2A0000, len=140000 
0x0000002a0000-0x0000003e0000 : "rootfs_data"
0x0000003e0000-0x0000003f0000 : "ath_data"
0x0000003f0000-0x000000400000 : "nvram"
bcm63xx_enet MII bus: probed
bcm63xx_wdt started, timer margin: 30 sec
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <>
All bugs added by David S. Miller <>
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 136k freed
Please be patient, while OpenWrt loads ...
- preinit -
Press f<ENTER> to enter failsafe mode
- regular preinit -
switching to jffs2
mini_fo: using base directory: /
mini_fo: using storage directory: /jffs
- init -

Please press Enter to activate this console. bcm63xx_enet bcm63xx_enet.0: attached PHY at address 1 [Broadcom BCM63XX (2)]
eth1: link forced UP - 100/full - flow control off/off
device eth1 entered promiscuous mode
br-lan: port 1(eth1) entering forwarding state
Generic kernel compatibility enabled based on linux-next next-20100113
cfg80211: Calling CRDA to update world regulatory domain
roboswitch: Probing device eth0: Failed to enable switch
roboswitch: Probing device eth1: found a 5325! It's a 5350.
cfg80211: World regulatory domain updated:
    (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
    (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
    (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
PCI: Enabling device 0000:00:01.0 (0000 -> 0002)
 # reading ath_data
ath: eepdata = 0x00000cb8, el = 0x0000065c,
ath: eepdata = 0x00008142, el = 0x0000065c,
ath: sum = 0x0000ffff, length = 0x00000cb8, checksum = 0x00008243
Registered led device: ath9k-phy0::radio
Registered led device: ath9k-phy0::assoc
Registered led device: ath9k-phy0::tx
Registered led device: ath9k-phy0::rx
phy0: Atheros AR5416 MAC/BB Rev:2 AR2122 RF Rev:81 mem=0xc0380000, irq=39
cfg80211: Calling CRDA for country: US
cfg80211: Regulatory domain changed to country: US
    (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
    (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
    (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (466 buckets, 1864 max)
ath_hal: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 2009-05-08 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, RF2133, RF2425, REGOPS_FUNC, XR)
ath_pci: trunk
wlan: trunk
wlan: mac acl policy registered
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk)
ath_rate_minstrel: look around rate set to 10%
ath_rate_minstrel: EWMA rolloff level set to 75%
ath_rate_minstrel: max segment size in the mrr set to 6000 us

(Last edited by kindt.nick on 13 Sep 2010, 23:17)

Hi kindt.nick!

Looks like everything goes ok with the firmware. Now try to enable wifi. U have to edit /etc/config/wireless to look like this:

config 'wifi-device' 'radio0'
        option 'type' 'mac80211'
        option 'macaddr' '00:11:22:33:44:55'
        option 'hwmode' '11ng'
        option 'htmode' 'HT20'
        list 'ht_capab' 'SHORT-GI-40'
        list 'ht_capab' 'DSSS_CCK-40'
        option 'channel' '11'

config 'wifi-iface'
        option 'device' 'radio0'
        option 'ssid' 'kindt.nick'
        option 'network' 'lan'
        option 'mode' 'ap'
        option 'encryption' 'psk2'
        option 'key' 'deadbeef'

then reboot and check if it works.

U have to remove the header (sErCoMm?) from the original firmware file. Just grab any bin/hex editor and trim the first 10000h bytes from the file. The final image should start with "6...Broadcom Corporatio".

There is no GUI by default. LuCI installation is described here.

Good luck!

Nice 'flashing manual' btw - thanks!
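
The header trim described in the post above, written as a check-then-write script (an added example, not code from the thread or from OpenWrt): it drops the first 0x10000 bytes and refuses to write the output unless the result begins with "6" followed by "Broadcom Corporatio". The 3-byte gap between the two, the input file name and the sample file contents are assumptions; the sample is constructed, not real firmware.

```python
import os
import tempfile

HEADER_LEN = 0x10000  # "first 10000h bytes", per the post
TAG_VERSION = b"6"  # first byte of a trimmed image
TAG_SIGNATURE = b"Broadcom Corporatio"
SIGNATURE_OFFSET = 4  # assumption: the "..." in the post stands for 3 bytes


def has_broadcom_tag(data: bytes) -> bool:
    """True if data starts the way the post says the final image must."""
    end = SIGNATURE_OFFSET + len(TAG_SIGNATURE)
    return data[:1] == TAG_VERSION and data[SIGNATURE_OFFSET:end] == TAG_SIGNATURE


def strip_vendor_header(src: str, dst: str) -> int:
    """Write src minus its first HEADER_LEN bytes to dst; return bytes written.

    Nothing is written unless the result starts with the expected tag, so a
    wrong or already-trimmed file never becomes a flash image.
    """
    with open(src, "rb") as f:
        data = f.read()
    if has_broadcom_tag(data):
        raise ValueError("already starts with the Broadcom tag; nothing to trim")
    if len(data) <= HEADER_LEN:
        raise ValueError("file is shorter than the header it should carry")
    body = data[HEADER_LEN:]
    if not has_broadcom_tag(body):
        raise ValueError("no Broadcom tag at offset 0x10000; refusing to write")
    with open(dst, "wb") as f:
        f.write(body)
    return len(body)


def demo() -> int:
    """Run the trim on a constructed stand-in file (not real firmware)."""
    tag = b"6\x00\x00\x00" + TAG_SIGNATURE + b"\x00" * 233  # constructed, 256 bytes
    image = b"\xff" * HEADER_LEN + tag + b"\xaa" * 1024
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "vendor.img")  # hypothetical file name
        dst = os.path.join(tmp, "bcm963xx_fs_kernel")
        with open(src, "wb") as f:
            f.write(image)
        written = strip_vendor_header(src, dst)
        with open(dst, "rb") as f:
            assert has_broadcom_tag(f.read(32))
    return written


if __name__ == "__main__":
    print(demo())
```

Checking the leading bytes before the file ever reaches the TFTP root catches a wrong or untrimmed image on the build host rather than at the bootloader.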

Hey Virus,

I'm surprised to hear that everything works fine for you.

To resolve the "PHY for wifi device radio0 not found" issue, I had to mod the "/lib/wifi/" file

I replaced the following line
        local macaddr="$(config_get "$device" macaddr | tr 'A-Z' 'a-z')"
with
        local macaddr="$(cat /sys/class/ieee80211/phy0/macaddress)"

as explained here:

Next thing is connecting the LED :D


Virus, what changes did you make in the boardparms file? I have a DSL-2740B (96358GW) and none of the images I tested works. The only one that worked was the one you uploaded for the WAG160N, which loads ok except the wireless part of course. Would I ask too much for an image like the one you created but with Broadcom wireless and LuCI? Else could you tell me what you changed in the source and made it work so I can compile my own? Thanks

Come on Virus give me something :) Please!!

Thanks a lot. I will try them asap. :D

It works!!! Super thanks.

Nice! Glad I could help :-)

I think you should submit the file to trac so that is implemented in future builds. Thanks a lot again.

Hello, I am new here and I still don't understand: is there a firmware that works on wag 160n dsl?

Thank you!


Either you download the firmware that Virus has made. The link is in one of the posts above.

Or download the Openwrt sources, set up a unix environment (everything is described in the wiki's)
and use the files that virus has provided to build your own custom firmware for the WAG160N

How to install the firmware is also described in one of the previous posts.



Anybody knows how to implement the board_bcm963xx.c file?
Cause if you edit the file, it is overwritten on the next build.
Which is, after reading, normal.

I've downloaded the backfire sources and the trunk sources,
still I can't figure out how to download the sources without a make command and even worse,
how tell the compiler to use the edited local board_bcm963xx.c file and not download it again.

thx in advance,

(Last edited by kindt.nick on 26 Sep 2010, 23:37)


I've faced same problem. As for now i'm editing mentioned file placed in ~/backfire/build_dir/linux-brcm63xx/linux-
After edit just run make V=99


Hello Nick,
Can I get a dump/copy of ur CFE (wag160n)? Also please post a picture of ur serial console setup.
Can anyone in here help me find JTAG software with cfe64 and bcm6358 support?

The discussion might have continued from here.