Got this going now. In the end it's quite simple, but you need the serial console. Process is:
1. Connect via serial console.
2. Boot up into recovery mode by holding the reset button until green light flashes fast (and "The Router is in TFTP Server Firmware Recovery mode NOW!" appears on the serial console)
3. Transfer by TFTP the firmware image for WNR1000v2
4. When the device restarts, interrupt the boot process when prompted by pressing any key
5. Enter some commands to update the boot environment
6. Done! Reboot the device and telnet to 192.168.1.1 and set it up as you need.
For now, the firmware files are available here (hopefully WNR1000v2 will be a supported device in the future).
Serial pinout is here; I only needed TX/RX/Gnd connected and the header is already there.
Once the firmware file has been transferred, the commands required on the console are:
ar7240> setenv bootargs "squashfs init=/etc/preinit mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),3328k(rootfs),64k(config),128k(language_table),64k(pot),64k(traffic_meter),64k(ART),3473344@327744(mount_fs)"
ar7240> setenv bootcmd "fsload 80800000 image/uImage;bootm 80800000"
ar7240> saveenv
Saving Environment to Flash...
Protect off 9F040000 ... 9F04FFFF
Un-Protecting sectors 4..4 in bank 1
Un-Protected 1 sectors
Erasing Flash...Erase Flash from 0x9f040000 to 0x9f04ffff in Bank # 1
First 0x4 last 0x4 sector size 0x10000
Erased 1 sectors
Writing to Flash... write addr: 9f040000
Protecting sectors 4..4 in bank 1
Protected 1 sectors
This updates the bootargs and bootcmd line (factory original lines are posted higher up in this thread already); 3328k(rootfs) replaces the factory 704k(kernel),2624k(rootfs) parameters. The other information has been extracted from the environment variables set in the WNR1000v2 here.
Since the device only has 4MB flash there is very little free space available, however these are decent enough devices just crippled by utterly useless factory firmware.
For use as an AP with N150, disable firewall and dnsmasq:
chmod -x dnsmasq
chmod -x firewall
Set up the wireless - sample (edit with vi):
config wifi-device radio0
    option type mac80211
    option channel 11
    option hwmode 11g
    option path 'pci0000:00/0000:00:00.0'
    option htmode 'HT40-'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'TX-STBC'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    # option noscan '1'
    option txpower '12'
    option country 'GB'
    # option disabled '1'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option network 'lan'
    option ssid 'YourSSID'
    option wmm '1'
    option encryption 'mixed-psk+tkip+ccmp'
    option key 'YourPassword'
    option dtim_period '1'
    option short_preamble '1'
WAN lines from network config file can be rem'd out as the device doesn't have a WAN port fitted. All wired connections seem to appear as eth1 so I'm also not sure if there is a programmable switch as such.
Anyway, hopefully that will help someone
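
The mtdparts layout from the bootargs line in the post above, worked through as an added example (not part of the original post): it turns the string into absolute offsets and checks them against the 4MB flash size and the 0x10000 sector size shown in the console output. Function and constant names are hypothetical, and only fixed-size partition definitions are handled.

```python
import re

# Constructed from the bootargs line in the post above.
BOOTARGS_MTDPARTS = ("ar7240-nor0:256k(u-boot),64k(u-boot-env),3328k(rootfs),"
                     "64k(config),128k(language_table),64k(pot),"
                     "64k(traffic_meter),64k(ART),3473344@327744(mount_fs)")
FLASH_SIZE = 4 * 1024 * 1024   # "the device only has 4MB flash"
ERASE_BLOCK = 0x10000          # "sector size 0x10000" in the console output

UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
PART_RE = re.compile(r"^(\d+)([kKmM]?)(?:@(\d+)([kKmM]?))?\(([^)]+)\)$")

def parse_mtdparts(spec):
    """Return (mtd_id, [(name, offset, size), ...]) for a fixed-size mtdparts spec."""
    mtd_id, _, partdefs = spec.partition(":")
    parts, cursor = [], 0
    for partdef in partdefs.split(","):
        m = PART_RE.match(partdef.strip())
        if not m:
            raise ValueError(f"unsupported partition definition: {partdef!r}")
        size = int(m.group(1)) * UNITS[m.group(2).lower()]
        # Without an explicit @offset a partition starts where the previous one ended.
        offset = cursor if m.group(3) is None else int(m.group(3)) * UNITS[m.group(4).lower()]
        parts.append((m.group(5), offset, size))
        cursor = offset + size
    return mtd_id, parts

def check_layout(parts, flash_size=FLASH_SIZE, erase_block=ERASE_BLOCK):
    """Return findings: out-of-range, unaligned and overlapping partitions."""
    findings = []
    for i, (name, off, size) in enumerate(parts):
        if off + size > flash_size:
            findings.append(("beyond-flash", name))
        if off % erase_block or size % erase_block:
            findings.append(("unaligned", name))
        for other, o_off, o_size in parts[:i]:
            if off < o_off + o_size and o_off < off + size:
                findings.append(("overlap", name, other))
    return findings

if __name__ == "__main__":
    mtd_id, parts = parse_mtdparts(BOOTARGS_MTDPARTS)
    for name, off, size in parts:
        print(f"{name:15} 0x{off:06x}-0x{off + size:06x} ({size} bytes)")
    for finding in check_layout(parts):
        print("finding:", *finding)
```

For this line it reports that mount_fs starts 64 bytes into rootfs, is not sector-aligned, and runs to the end of the config partition; every other partition is aligned and fits inside 4MB.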