This is how I installed OpenWRT, a Linux distribution for embedded devices, on a Netgear DG834 v2 ADSL Router. Apparently the DG834G is the same but comes with a wireless interface too.


CPU: Texas Instruments AR7 @ 150 MHz
RAM: 16MB
Disk: 4MB flash

This modem was given to me by a friend who had been given a whole bunch of old network gear (destined for the dumpster :[). After some research on the web I decided to try installing OpenWRT: it looked fun, and some documentation for this model already existed. My procedure is below. I mostly used these sites as a guide:

  • www.bobsbasement.co.uk/DG834G
  • www.earth.li/~noodles/hardware-dg834g.html
  • Glen Pitt-Pladdy :: Blog OpenWrt with native IPv6 on DG834 v2 (using AAISP)
  • OpenWRT old wiki page on the dg834g

    Hacking

    The Netgear DG834 actually already runs a Linux kernel! You can enable telnet access to the device (a number of Netgear routers support this) by logging into the web admin interface and then visiting this hidden page: http://192.168.0.1/setup.cgi?todo=debug

    There is also a command-injection vulnerability on the DG834G in setup.cgi?todo=ping_test that lets you run arbitrary commands on the device. Here is an example that executes busybox: http://192.168.0.1/setup.cgi?todo=ping_test&c4_IPAddr=%26/bin/busybox Apparently there is also a hard-coded default account with the password “zebra”.

    To reset the device to its factory state (if you don’t know its current password), hold down the reset button on the back of the device for a few seconds as you power it on. The default IP is 192.168.0.1; the default login is username “admin” with password “password”.

    $ telnet 192.168.0.1
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character is '^]'.
    
    BusyBox v0.61.pre (2006.02.20-10:34+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands.
    
    $ cat /proc/version
    Linux version 2.4.17_mvl21-malta-mips_fp_le (root@localhost.localdomain) (gcc version 2.95.3 20010315 (release/MontaVista)) #19 Fri Dec 9 17:16:36 CST 2005
    
    $ cat /proc/cpuinfo
    processor : 0
    cpu model : MIPS 4KEc V4.8
    BogoMIPS : 149.91
    wait instruction : no
    microsecond timers : yes
    extra interrupt vector : yes
    hardware watchpoint : yes
    VCED exceptions : not available
    VCEI exceptions : not available
    

    Telnet does not require a user name or password, and is left enabled until the device is rebooted! Here is an article with some more commands to play with: http://www.cyberciti.biz/tips/hacking-the-dlink-502t-router.html

    Patching the router's bootloader

    ADAM2 (see http://www.seattlewireless.net/ADAM2 for more information) is the name of the bootloader on the DG834. In order for it to boot firmware images with non-standard checksums (i.e. anything not supplied by Netgear) we need to modify it.

    Backup the device:

    Before we modify the router firmware we should back it up. /tmp is the only place we can write to on the modem. To get the firmware off the modem we can start another instance of mini_httpd:

    # On the modem: serve /tmp over HTTP and dump the first flash partition into it
    $ telnet 192.168.0.1
    $ cd /tmp/
    $ mini_httpd -p 1080
    $ cat /dev/mtdblock/0 > /tmp/mtd0.bin
    
    # On my laptop I retrieve the firmware one file at a time:
    $ wget http://192.168.0.1:1080/mtd0.bin
    
    # On the modem, free the space in /tmp before dumping the next partition:
    $ rm /tmp/mtd0.bin
    

    Repeat this for all five partitions, /dev/mtdblock/0 through /dev/mtdblock/4.

    The patch:

    First of all, compute the md5sum of the mtd2.bin file you downloaded off the device. It should be: 0530bfdf00ec155f4182afd70da028c1

    If not, then find another guide! If yes, open up mtd2.bin in a hex editor. Go to offset 0x3944, and you should see: 44 09 00 0C

    Replace this with: 00 00 00 00

    Then save the file as mtd2-patched.bin. If you did this properly it will have the md5sum d8a2f4623bf6f64b7427812f0e849aa7
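The same edit as a check-then-patch script, added here as an example (it is not from the original post or from the OpenWRT project): it refuses to touch anything that is not the known-good image, verifies the four bytes at the offset before overwriting them, and confirms the result's md5 before you flash it. It assumes coreutils (dd, od, md5sum); the offset, byte values and md5 sums are the ones quoted above.

```shell
# bytes_at FILE OFFSET COUNT: the bytes at OFFSET (decimal or 0x...) as lowercase hex, no spaces.
bytes_at() {
    dd if="$1" bs=1 skip=$(($2)) count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# write_bytes_at FILE OFFSET HEX: overwrite the bytes at OFFSET with HEX, in place.
write_bytes_at() {
    _hex=$3
    while [ -n "$_hex" ]; do
        _pair=$(printf '%.2s' "$_hex"); _hex=${_hex#??}
        printf "\\$(printf '%03o' "$((0x$_pair))")"   # emit one raw byte via an octal escape
    done | dd of="$1" bs=1 seek=$(($2)) conv=notrunc 2>/dev/null
}

md5_of() { md5sum "$1" | cut -d' ' -f1; }

# patch_checked IN OUT OFFSET OLDHEX NEWHEX MD5_BEFORE MD5_AFTER
# Copies IN to OUT and patches OUT only when IN has MD5_BEFORE and OLDHEX at OFFSET
# (returns 1 otherwise, creating nothing); returns 2 if OUT does not end up with MD5_AFTER.
patch_checked() {
    [ "$(md5_of "$1")" = "$6" ] || { echo "md5 mismatch: $1 is not the known image" >&2; return 1; }
    [ "$(bytes_at "$1" "$3" $(( ${#4} / 2 )))" = "$4" ] || { echo "unexpected bytes at $3 in $1" >&2; return 1; }
    cp "$1" "$2" && write_bytes_at "$2" "$3" "$5"
    [ "$(md5_of "$2")" = "$7" ] || { echo "patched md5 mismatch, do not flash $2" >&2; return 2; }
}

# patch_adam2 IN OUT: the DG834 v2 edit from the text, with its offset, bytes and md5 sums.
patch_adam2() {
    patch_checked "$1" "$2" 0x3944 4409000c 00000000 \
        0530bfdf00ec155f4182afd70da028c1 d8a2f4623bf6f64b7427812f0e849aa7
}
```

Run it as `patch_adam2 mtd2.bin mtd2-patched.bin`; a non-zero exit means the input is not the image this guide is written for, or the patch did not come out as expected.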

    Now the fun part, and a warning: the next series of commands could brick your router, so please follow this guide at your own risk.

    Place your mtd2-patched.bin file on a local web server (sorry, you need one of those too) so we can download it back onto the modem, which has wget installed:

    $ telnet 192.168.0.1
    $ cd /tmp/
    $ wget http://192.168.0.10/mtd2-patched.bin
    $ dd if=mtd2-patched.bin of=/dev/mtdblock/2
    $ exit
    

    Now power off the device. Turn it on again and it should reboot just fine. This procedure worked fine for me.

    Compiling OpenWRT

    On my Ubuntu 9.10 laptop I checked out the source code for the OpenWRT Kamikaze 8.09 branch with Subversion and compiled it with:

    $ svn co svn://svn.openwrt.org/openwrt/branches/8.09
    $ cd 8.09
    $ make menuconfig
    $ make package/symlinks
    $ make menuconfig
    $ make V=99    # V=99 gives verbose build output
    

    I used revision 21732 (the latest at the time) for my build. My config only has support for PPPoA (most countries use PPPoE).

    You will get openwrt-ar7-squashfs.bin in the bin subdirectory after compiling has completed. Split this into two files at byte 720896: the first 720896 bytes become ow-mtd1.bin and the remainder becomes ow-mtd0.bin:

    $ dd if=openwrt-ar7-squashfs.bin of=ow-mtd0.bin skip=720896 bs=1    # bytes 720896 to end -> mtd0
    $ dd if=openwrt-ar7-squashfs.bin of=ow-mtd1.bin count=720896 bs=1   # first 720896 bytes -> mtd1
    

    Flashing the router:

    You can flash the router with your OpenWRT image by using the ADAM2 FTP interface. Telnet to the router and issue this command:

    $ echo "my_ipaddress 192.168.0.1" > /proc/sys/dev/adam2/environment
    

    From now on, when you reboot the router, FTP will momentarily become available on 192.168.0.1 during boot (give your client an IP in this range). The window where you get “21/tcp filtered ftp” is rather small, as I observed when running:

    $ watch -n .4 "nmap -v 192.168.0.1 -p 21 | grep ftp"
    

    I only had success in gaining ftp access to the router after I did the following:

  • Plugged in a network switch between my laptop and the router.
  • Used Ethernet port 1, out of the 5, on the router.
  • Restricted the TCP window size on my Ubuntu 9.10 laptop (as shown below):

    # save the current setting, then shrink the TCP send buffer sizes:
    root@laptop:~$ cat /proc/sys/net/ipv4/tcp_wmem > tcp_wmem_orig
    root@laptop:~$ echo 0 512 512 > /proc/sys/net/ipv4/tcp_wmem
    
    # after ftp is done restore settings:
    root@laptop:~$ cat tcp_wmem_orig > /proc/sys/net/ipv4/tcp_wmem
    

    After the above is done, power off the modem and unplug it. On the laptop I have the command “ftp 192.168.0.1” ready to run, then plug the modem in (handy to have it beside the keyboard) and execute the ftp command. Running it before the network light on the device comes on worked best for me.

    Once you do get a login it's time to ftp your compiled firmware to the device. In the directory containing your compiled OpenWRT files:

    $ ftp 192.168.0.1
    Connected to 192.168.0.1.
    220 ADAM2 FTP Server ready.
    Name (192.168.0.1:craig): adam2
    331 Password required for adam2.
    Password:
    230 User adam2 successfully logged in.
    Remote system type is UNIX.
    ftp> quote "MEDIA FLSH"
    200 Media set to FLSH.
    ftp> bin
    200 Type set to I.
    ftp> put ow-mtd0.bin "fs mtd0"
    local: ow-mtd0.bin remote: fs mtd0
    200 Port command successful.
    150 Opening BINARY mode data connection for file transfer.
    226 Transfer complete.
    1598607 bytes sent in 14.64 secs (106.7 kB/s)
    ftp> put ow-mtd1.bin "fs mtd1"
    local: ow-mtd1.bin remote: fs mtd1
    200 Port command successful.
    150 Opening BINARY mode data connection for file transfer.
    226 Transfer complete.
    720896 bytes sent in 6.56 secs (109.5 kB/s)
    ftp> quote REBOOT
    221-Thank you for using the FTP service on ADAM2.
    221 Goodbye.
    ftp> quit
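Because the ADAM2 window is so short, it helps to have the split and the whole FTP session scripted. This is an added example, not from the original post or the OpenWRT project: it cuts the image at the same 720896-byte boundary as the dd commands above (using 64 KiB blocks, since 720896 = 11 * 65536), checks that the two pieces reassemble to the original, and feeds the session shown above to a BSD/netkit-style ftp client that accepts -n and commands on stdin. The ADAM2 password is not given on the page, so ADAM2_PASSWORD is a placeholder.

```shell
MTD1_SIZE=720896     # the number of bytes the session above sends to "fs mtd1"
BLOCK=65536          # 720896 is exactly 11 * 65536, so dd can use 64 KiB blocks

size_of() { echo $(( $(wc -c < "$1") )); }

# split_image IMAGE: first MTD1_SIZE bytes -> ow-mtd1.bin, remainder -> ow-mtd0.bin,
# the same result as the bs=1 dd commands in the text. Returns 1 if the image is
# too small, the pieces have the wrong size, or they do not concatenate back to IMAGE.
split_image() {
    [ "$(size_of "$1")" -gt "$MTD1_SIZE" ] || return 1
    dd if="$1" of=ow-mtd1.bin bs=$BLOCK count=$((MTD1_SIZE / BLOCK)) 2>/dev/null || return 1
    dd if="$1" of=ow-mtd0.bin bs=$BLOCK skip=$((MTD1_SIZE / BLOCK)) 2>/dev/null || return 1
    [ "$(size_of ow-mtd1.bin)" -eq "$MTD1_SIZE" ] || return 1
    [ "$(size_of ow-mtd0.bin)" -eq $(( $(size_of "$1") - MTD1_SIZE )) ] || return 1
    cat ow-mtd1.bin ow-mtd0.bin | cmp -s - "$1"
}

# adam2_commands PASSWORD: the FTP command sequence from the session in the text,
# one per line, for feeding to "ftp -n" so nothing has to be typed inside the window.
adam2_commands() {
    printf '%s\n' "user adam2 $1" 'quote "MEDIA FLSH"' 'bin' \
        'put ow-mtd0.bin "fs mtd0"' 'put ow-mtd1.bin "fs mtd1"' 'quote REBOOT' 'quit'
}

# flash_via_adam2 HOST PASSWORD: run the whole session against the bootloader's FTP server.
# Example: split_image openwrt-ar7-squashfs.bin && flash_via_adam2 192.168.0.1 ADAM2_PASSWORD
flash_via_adam2() {
    adam2_commands "$2" | ftp -n "$1"
}
```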
    

    First boot of OpenWRT

    After the ftp commands above, the orange light on the device will blink for a couple of minutes. This is hopefully OpenWRT configuring its system! Once this is done we can connect to the device:

    $ telnet 192.168.0.1
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character is '^]'.
    === IMPORTANT ============================
    Use 'passwd' to set your login password
    this will disable telnet and enable SSH
    ------------------------------------------
    root@OpenWrt:/# dmesg | grep jffs2 -A2 -B2
    root@OpenWrt:/# passwd
    root@OpenWrt:/# reboot
    

    Check that the jffs2 partition has been written; this can take a minute or two after the ftp transfer. Once that is done, set your password and reboot the device. Mine takes ~1 minute to boot up.

    Now I have a working OpenWRT installation on my router! I can re-flash it via the ftp method above if I have to (which I have done again since).

    Connecting to my ISP

    SSH to the device and use vim to edit the network settings in /etc/config/network. Here are my settings for a PPPoA ADSL connection with my New Zealand ISP:

    root@OpenWrt:~# cat /etc/config/network
    ## Localhost
    config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

    ## LAN
    config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0'
        option 'proto' 'static'
        option 'netmask' '255.255.255.0'
        option 'nat' '1'
        option 'dns' ''
        option 'ipaddr' '192.168.0.1'

    ## enable all 5 network ports on the router switch
    config 'switch' 'eth0'
        option 'reset' '1'

    ## My ISP details
    config 'interface' 'wan'
        option 'ifname' 'atm0'
        option 'proto' 'pppoa'
        option 'encaps' 'vc'
        option 'vpi' '0'
        option 'vci' '100'
        option 'username' 'xxxx@adsl.xxxx.xxx'
        option 'password' 'xxxxxxxx'
        option 'keepalive' '5,5'
    

    Bring up the WAN after editing the network settings:

    root@OpenWrt:~# ifup wan
    

    Connection stats are in this file:

    root@OpenWrt:~# cat /proc/avalanche/avsar_modem_stats | grep Rate -A1 -B1
    [DSL Modem Stats]
     US Connection Rate: 869 DS Connection Rate: 7658
     DS Line Attenuation: 34 DS Margin:  13
    --
     Frame mode:  0 Max Frame mode:  0
     Trained Path:  1 US Peak Cell Rate: 2049
     Trained Mode:  16 Selected Mode:  1
    --
     Hybrid Selected: 1 Trellis:  1
     Showtime Count:  1 DS Max Attainable Bit Rate: 8648 kbps
     BitSwap:  1 US Max Attainable Bit Rate: 869000 bps
     Annex:    AnxA psd_mask_qualifier: 0x0000
    

    I now have a usable router running my own custom firmware to connect to the Internet with. Clients on the LAN get an internal IP via DHCP and use the router's DNS server.