OpenWrt Forum Archive

Topic: WGR614v6 hacking

The content of this topic has been archived on 13 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
moxfyre
7 Jul 2006, 21:57

Hi all,
I've been hacking on a NETGEAR WGR614v6 ... mostly because I got it for free :-)
There's a decent amount of info on it over at SeattleWireles: http://www.seattlewireless.net/NetgearWGR614

I've got a serial console working on it (running at 115kbps 8/N/1), and this is what it looks like on bootup:

CFEv6 1.10 Fri, 02 Sep 2005 19:53:57 +0                                      
et0: BCM47xx Ethernet Controller 3.90.23.0                                          
Decompressing... /muxDevLoad failed for device entry 1!                                                       
muxDevLoad failed for device entry 3!                                     
Failed to attach to device Attaching interface lo0...done                                                         
0x807ffdf0 (): task deadCan't attach unknown device  (unit 0).                                                              
CC module initialized successfully                                  

WAN Initialisation                                 [SUCCESS]                                                            

 PPTP Initialised                 
Firewall INIT completed                       
AD Init completed FW initalized                               
IGWIpRsmInit():  ....End                        
 vxBitsInit           
add interface mirror0                     
DNS redirect INIT                 
in abRegisterInputHook inputPktHook: 802250f0                                             
BlockSides keywords WebAppControl add successfully                                                  

Syslog configuration successfully updated                                         
Info: No FWPT default policies.                               
DHCPS: init dhcps: devname=mirror0                                  
DHCPS:Set the default Lease Time to 86400                                       
Set option ACOS_DHCP_OPT_ROUTER to 192.168.1.1:
Set option ACOS_DHCP_OPT_DNS_SERVER to 192.168.1.1:
Login: Gearguy
Password: *******
U12H04200> ?

Commands are:

bridge         ddns           exit           firewall       ip
lan            passwd         reboot         save           show
sntp           uptime         version        wan            web
wlan

 '..'    return to previous directory

U12H04200> version
Release version : Netgear Wireless Router WGR614v6
                  U12H04200/V1.0.11/1.0.7NA
         Time   : Nov 11 2005, 16:12:00
U12H04200> windsh
windsh : Command not found.
U12H04200>

I read somewhere on here that I can get a real CFE console using the command windsh, but that doesn't seem to work.  All I can do is use the crappy Netgear serial console.  Any idea why?  I heard that pressing ESC or CTRL-C right after bootup can get you into the CFE console, but that doesn't work either :-(

This router only has 1 MiB of flash:

U12H04200> show flashShow
base: 0xbfc00000 type 0x3 size 0x100000 blockSize 0x10000 width 2

This is an unprotected flash.
U12H04200>

I read in this post that it might be possible to get Linux onto this thing nonetheless, by TFTP-booting a kernel with nfsroot onto the WGR614.  Can anyone help me figure this out?

As far as I can tell, I would need to build a MIPS kernel with support for:
* nfsroot
* BCM47xx ethernet controller
* serial console
* anything else?

Can anyone give me some advice on how to get started with this?  I've got a working MIPS GCC compiler, but am otherwise clueless.  If I get things working, I'll gladly document them fully for this site!!!  Thanks in advance.

(Last edited by moxfyre on 7 Jul 2006, 22:01)

Post #2
moxfyre
9 Jul 2006, 04:11

*bump!!!*

So I tried doing "Backup Settings" on this router from the web interface, and got something interesting out of that: it's a file called netgear.cfg that looks like it contains NVRAM settings!

$ strings netgear.cfg | sort
@2;0;0;
@3;0;0;
aa0=1
ag0=255
all_service_tbl=AIM;6;5190;5190@Age-of-Empire;17;47624;47624@FTP;6;20;21@HTTP;6;80;80@ICUII;6;23566;23566@IP_Phone;6;6670;6670@NetMeeting;6;1720;1720@News;6;119;119@PPTP;-1;1723;1723@QuakeII/III;-1;27960;27960@Real-Audio;-1;6970;7170@Telnet;6;23;23@
backup_file_version=V1.1
blank_state=0
boardflags=0x2758
board_id=U12H042T00_NETGEAR
boardnum=110
boardrev=0x25
boardtype=0x456
boot_wait=on
bpa_dod=1
bpa_idletime=5
bpa_passwd=
bpa_self_policy_id=0
bpa_server=
bpa_username=
bs_enable=0
bs_enable_temp=0
bs_keyword=
bs_keywords=
bs_keywords_temp=
bs_trustedip=192.168.1.0
bs_trustedip_enable=0
bs_trustedip_enable_temp=0
bs_trustedip_temp=192.168.1.0
ccode=0
[b]clidebug=0[/b]
clkfreq=200
console_loglevel=1
countrycode_selected=0
d11b_psq_pkts_lo=1
d11g_psq_pkts_lo=1
ddns_enable=0
ddns_hostname=
ddns_passwd=
ddns_update_time=0
ddns_username=
ddns_wildcard=0
default_rule_ip=192.168.0.4
dhcp_devname=
dhcp_df_gw=192.168.1.1
dhcp_dns=192.168.1.1
dhcp_domain=
dhcp_end=192.168.1.51
dhcp_lease_time=86400
dhcp_mode=manual
dhcp_resrv_ip=
dhcp_resrv_mac=
dhcp_start=192.168.1.2
dl_ram_addr=a0001000
domain_name=
edit_ntp=12.7.210.177
et0macaddr=00:14:6C:46:8E:0E
et0mdcport=0
et0phyaddr=30
et1macaddr=00:14:6C:46:8E:0F
et_port=0
flag_Emin=0
flag_Smin=0
flashboot=0
FLSH
fw_bks_block_type=0
fw_dmz_enab=0
fw_dmz_ip4=0
fw_dmz_rid=-1
fw_email_email_addr=
fw_email_email_alert=0
fw_email_email_enable=0
fw_email_email_smtp_ip=0.0.0.0
fw_email_email_time_day=0
fw_email_email_time_hour=0
fw_email_email_time_type=0
fw_irule_number=-1
fw_orule_number=-1
fwpt0=1:dialpad_1:1:0:6:51200:I0:1:100:51200:51200:O0:0:0:0:0
fwpt1=1:dialpad_2:1:0:6:51201:I0:1:100:51201:51201:O0:0:0:0:0
fwpt2=1:paltalk_1:1:0:6:2090:I0:1:100:2090:2090:O0:0:0:0:0
fwpt3=1:paltalk_2:1:0:6:2091:I0:1:100:2091:2091:O0:0:0:0:0
fwpt4=1:starcraft:1:0:6:6112:I0:1:100:6112:6112:O0:0:0:0:0
fwpt_count=5
fwpt_enable=1
fwpt_timeout=1200
fw_rsp_ping=0
fw_rsp_rid=-1
fw_spi_enab=1
fw_version=U12H04200_V1.0.11
FXLH
http_fwMailSmtp=0.0.0.0
http_lanport=80
http_passwd=password
http_rmenable=0
http_rmendip=255.255.255.255
http_rmport=8080
http_rmstartip=0.0.0.0
http_timeout=5
http_username=admin
http_wanport=
il0macaddr=00:90:4c:7e:00:6e
inbound_policy_tbl=
inbound_record=2@0;0;0;
landevs=vlan0 wl0
lan_hwaddr=00:14:6C:46:8E:0E
lan_hwnames=
lan_ifname=mirror0
lan_ifnames=vl0 wl0
lan_ipaddr=192.168.1.1
lan_netmask=255.255.255.0
lan_proto=dhcp
lan_stp=1
log_level=0
ntp_server=12.7.210.177
nvram_ctrl_version=1
opo=0xc
os_flash_addr=bfc40000
os_name=vx
os_ram_addr=80001000
os_server=
os_version=3.90.26.0
outbound_policy_tbl=
pa0b0=0x1518
pa0b1=0xfa88
pa0b2=0xfe3e
pa0itssit=62
pa0maxpwr=76
pppoe_acname=
pppoe_authtype=0
pppoe_demand=0
pppoe_dod=1
pppoe_idletime=300
pppoe_ifname=
pppoe_keepalive=0
pppoe_localip=0.0.0.0
pppoe_mru=1492
pppoe_mtu=1492
pppoe_passwd=
pppoe_server_mac=
pppoe_servicename=
pppoe_session_id=0
pppoe_username=guest
pptp_conn_id=
pptp_dod=1
pptp_idletime=5
pptp_passwd=
pptp_self_pol_id=17:18
pptp_serv_ip=
pptp_user_ip=
pptp_username=
radius_acct_ip=
radius_acct_port=
radius_acct_secret=
radius_auth_ip=
radius_auth_mode=6
radius_auth_port=
radius_auth_secret=
radius_dwep=0
reset_gpio=7
restore_defaults=0
rip_dir=0
rip_enable=0
rip_filter_enable=0
rip_multicast=1
rip_self_pol_id=-1
rip_version=2
run_wiz=0
schedule_config=127:0:0:23:59
schedule_daylightadjust=0
schedule_enable=0
schedule_ntpenable=0
scratch=a0180000
sdram_config=0x32
sdram_init=0x2002
sdram_ncdl=0x2033e
sdram_refresh=0x0
service_name=
service_port_end=
service_port_start=
service_type=
snmp_get_comm_name=public
snmp_set_comm_name=private
sromrev=2
static_route=
stats_server=
super_passwd=Geardog
super_username=Gearguy
syslog_server=
system_name=WGR614v6
timer_interval=3600
time_zone=-8
upg_blk_size=5000
upnp_advert_period=30
upnp_advert_ttl=4
upnp_enable=0
upnp_self_policy_id=16
upnp_turn_on=1
user_passwd=
user_username=user
vlan0hwname=et0
vlan0ports=1 2 3 4 5*
vlan1hwname=et0
vlan1ports=0 5u
wandevs=et0
wan_dns=0.0.0.0
wan_dns1=0.0.0.0
wan_dns_sel=0
wan_domain=
wan_gateway=0.0.0.0
wan_hostname=dhcppc3
wan_hwaddr=00:14:6C:46:8E:0F
wan_hwaddr1=
wan_hwaddr2=00:14:6C:46:8E:0F
wan_hwaddr_sel=0
wan_hwname=
wan_ifname=et0
wan_ipaddr=0.0.0.0
wan_lease=864000
wan_mtu=1500
wan_netmask=0.0.0.0
wan_proto=dhcp
wan_wins=
watchdog=0
wl0_afterburner=off
wl0_antdiv=-1
wl0_ap_isolate=0
wl0_auth=0
wl0_auth_mode=open
wl0_bcn=100
wl0_channel=11
wl0_closed=0
wl0_corerev=9
wl0_country=
wl0_country_code=US
wl0_crypto=tkip
wl0_dtim=1
wl0_frag=2346
wl0_frameburst=off
wl0_gmode=1
wl0_gmode_protection=auto
wl0gpio0=0x82
wl0_hwaddr=00:90:4c:7e:00:6e
wl0id=0x4320
wl0_ifname=wl0
wl0_infra=1
wl0_key=1
wl0_key1=
wl0_key2=
wl0_key3=
wl0_key4=
wl0_lazywds=0
wl0_maclist=
wl0_macmode=disabled
wl0_mode=ap
wl0_phytype=g
wl0_phytypes=g
wl0_plcphdr=long
wl0_radio=1
wl0_radioids=BCM2050
wl0_radius_ipaddr=
wl0_radius_key=
wl0_radius_port=1812
wl0_rate=0
wl0_rateset=default
wl0_rts=2346
wl0_ssid=NETGEAR
wl0_unit=0
wl0_wds=
wl0_wep=disabled
wl0_wpa_gtk_rekey=0
wl0_wpa_psk=
wla_auth_usr=automatic
wlan_acl_dev0=
wlan_acl_dev1=
wlan_acl_dev10=
wlan_acl_dev11=
wlan_acl_dev12=
wlan_acl_dev13=
wlan_acl_dev14=
wlan_acl_dev15=
wlan_acl_dev16=
wlan_acl_dev17=
wlan_acl_dev18=
wlan_acl_dev19=
wlan_acl_dev2=
wlan_acl_dev20=
wlan_acl_dev21=
wlan_acl_dev22=
wlan_acl_dev23=
wlan_acl_dev24=
wlan_acl_dev25=
wlan_acl_dev26=
wlan_acl_dev27=
wlan_acl_dev28=
wlan_acl_dev29=
wlan_acl_dev3=
wlan_acl_dev30=
wlan_acl_dev31=
wlan_acl_dev4=
wlan_acl_dev5=
wlan_acl_dev6=
wlan_acl_dev7=
wlan_acl_dev8=
wlan_acl_dev9=
wlan_acl_mac0=
wlan_acl_mac1=
wlan_acl_mac10=
wlan_acl_mac11=
wlan_acl_mac12=
wlan_acl_mac13=
wlan_acl_mac14=
wlan_acl_mac15=
wlan_acl_mac16=
wlan_acl_mac17=
wlan_acl_mac18=
wlan_acl_mac19=
wlan_acl_mac2=
wlan_acl_mac20=
wlan_acl_mac21=
wlan_acl_mac22=
wlan_acl_mac23=
wlan_acl_mac24=
wlan_acl_mac25=
wlan_acl_mac26=
wlan_acl_mac27=
wlan_acl_mac28=
wlan_acl_mac29=
wlan_acl_mac3=
wlan_acl_mac30=
wlan_acl_mac31=
wlan_acl_mac4=
wlan_acl_mac5=
wlan_acl_mac6=
wlan_acl_mac7=
wlan_acl_mac8=
wlan_acl_mac9=
wlan_acl_num=32
wlan_region=11
wlan_wep_length=0
wla_passphrase=1
wla_temp_authType=automatic
wla_temp_broadcast=ssid_bc
wla_temp_channel=11
wla_temp_defaKey=0
wla_temp_enable=enable_ap
wla_temp_key1=
wla_temp_key2=
wla_temp_key3=
wla_temp_key4=
wla_temp_mode=g and b
wla_temp_passphrase=
wla_temp_region=0
wla_temp_setting=0
wla_temp_ssid=NETGEAR
wla_temp_wep=0
wla_wiredlan_bridge=1
wl_country_code=US
wlg_passphrase=1
wlg_wiredlan_bridge=1

Is this really an nvram dump??  I've tried editing it but it won't let me load an edited config file, it gives a "File Invalid" error ... the weird thing is that it gives the SAME error for a config file produced by the device itself!!!  Very annoying :-(

Can anybody give me hints for hacking this thing/ trying to boot a Linux kernel on it?  Please :-)

(Last edited by moxfyre on 9 Jul 2006, 04:11)

The discussion might have continued from here.