This is how I installed OpenWRT, a Linux distribution for embedded devices, on a Netgear DG834 v2 ADSL Router. Apparently the DG834G is the same but comes with a wireless interface too.
CPU: Texas Instruments AR7 @ 150MHZ
Disk: 4MB flash
This modem was given to me by a friend who had been given a whole bunch of old network gear (destined for the dumpster :[). After some research on the web I decided to try installing OpenWRT; it looked fun and some pieces of documentation for this model existed already. My procedure is here. I mostly used these sites as a guide:
The Netgear DG834 actually already runs a Linux kernel! You can enable telnet access to the device (a number of Netgear routers support this) by logging into the web admin interface and then visiting this hidden page: http://192.168.0.1/setup.cgi?todo=debug
There is also a vulnerability on the DG834G in setup.cgi?todo=ping_test that lets you run arbitrary commands. Here is an example that executes busybox: http://192.168.0.1/setup.cgi?todo=ping_test&c4_IPAddr=%26/bin/busybox Apparently there is also a hard-coded default account with the password “zebra”.
To reset the device to its factory state (if you don’t know its current password), hold down the reset button on the back of the device for a few seconds as you power it on. The default IP is 192.168.0.1; log in with the default username “admin” and password “password”.
    $ telnet 192.168.0.1
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character is '^]'.

    BusyBox v0.61.pre (2006.02.20-10:34+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    $ cat /proc/version
    Linux version 2.4.17_mvl21-malta-mips_fp_le (firstname.lastname@example.org) (gcc version 2.95.3 20010315 (release/MontaVista)) #19 Fri Dec 9 17:16:36 CST 2005
    $ cat /proc/cpuinfo
    processor               : 0
    cpu model               : MIPS 4KEc V4.8
    BogoMIPS                : 149.91
    wait instruction        : no
    microsecond timers      : yes
    extra interrupt vector  : yes
    hardware watchpoint     : yes
    VCED exceptions         : not available
    VCEI exceptions         : not available
Telnet does not require a user name or password, and is left enabled until the device is rebooted! Here is an article with some more commands to play with: http://www.cyberciti.biz/tips/hacking-the-dlink-502t-router.html
Patching the router's bootloader
ADAM2 (see http://www.seattlewireless.net/ADAM2 for more information) is the name of the bootloader on the DG834. In order for it to boot firmware images with non-standard checksums (e.g. anything not supplied by Netgear) we need to modify it.
Backup the device:
Before we modify the router firmware we should back it up. /tmp is the only place we can write to on the modem. To get the firmware off the modem we can start another instance of mini_httpd:
    $ telnet 192.168.0.1
    $ cd /tmp/
    $ mini_httpd -p 1080
    $ cat /dev/mtdblock/0 > /tmp/mtd0.bin

    # On my laptop I retrieve the firmware one file at a time:
    $ wget http://192.168.0.1:1080/mtd0.bin

    # On modem:
    $ rm /tmp/mtd0.bin
Do this for all five mtd devices (0, 1, 2, 3 and 4) under /dev/mtdblock.
First of all, compute the md5sum of the mtd2.bin file you downloaded off the device. It should be: 0530bfdf00ec155f4182afd70da028c1
If not then find another guide! If yes then open up mtd2.bin in a hex editor. Go to offset 0x3944, and you should see: 44 09 00 0C
Replace this with: 00 00 00 00
Then save the file as mtd2-patched.bin; if you did this properly it will have the md5sum d8a2f4623bf6f64b7427812f0e849aa7
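As an added example (not part of the original post), here is a small Python script that applies the patch above with the integrity checks built in: it refuses to write anything unless the input md5, the four bytes at 0x3944 and the resulting md5 all match the values given in this guide. The input and output file names are assumptions.

```python
import hashlib
import sys

# Values from the guide: the 4-byte patch in mtd2.bin sits at this offset.
PATCH_OFFSET = 0x3944
ORIG_BYTES = bytes.fromhex("4409000C")   # what the guide says you should see there
PATCH_BYTES = bytes(4)                   # replaced with 00 00 00 00
MD5_ORIG = "0530bfdf00ec155f4182afd70da028c1"     # md5 of the unmodified mtd2.bin
MD5_PATCHED = "d8a2f4623bf6f64b7427812f0e849aa7"  # md5 of mtd2-patched.bin


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def patch_adam2(image: bytes, expect_in: str = MD5_ORIG, expect_out: str = MD5_PATCHED) -> bytes:
    """Apply the 4-byte patch, but only if the image is the one this guide
    covers. Raises ValueError on any mismatch so that an unexpected image is
    never patched (and never written back to flash)."""
    got = md5hex(image)
    if got != expect_in:
        raise ValueError(f"input md5 {got} != {expect_in}: not the bootloader this guide covers")
    window = image[PATCH_OFFSET:PATCH_OFFSET + 4]
    if window != ORIG_BYTES:
        raise ValueError(f"bytes at 0x{PATCH_OFFSET:x} are {window.hex()}, expected {ORIG_BYTES.hex()}")
    patched = image[:PATCH_OFFSET] + PATCH_BYTES + image[PATCH_OFFSET + 4:]
    got = md5hex(patched)
    if got != expect_out:
        raise ValueError(f"patched md5 {got} != {expect_out}: refusing to write")
    return patched


if __name__ == "__main__":
    # File names are assumptions; pass your own as arguments.
    src = sys.argv[1] if len(sys.argv) > 1 else "mtd2.bin"
    dst = sys.argv[2] if len(sys.argv) > 2 else "mtd2-patched.bin"
    with open(src, "rb") as f:
        out = patch_adam2(f.read())
    with open(dst, "wb") as f:
        f.write(out)
    print(f"wrote {dst} ({len(out)} bytes), md5 {md5hex(out)}")
```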
Now the fun part, and warning: the next series of commands could brick your router so please follow this guide at your own risk.
So place your mtd2-patched.bin file on a local web server (sorry, you need one of those too) so we can download it back onto the modem, which has wget installed.
    $ telnet 192.168.0.1
    $ cd /tmp/
    $ wget http://192.168.0.10/mtd2-patched.bin
    $ dd if=mtd2-patched.bin of=/dev/mtdblock/2
    $ exit
Now power off the device. Turn it on again and it should reboot just fine. This procedure worked fine for me.
On my Ubuntu 9.10 Laptop I checked out the source code for the OpenWRT Kamikaze 8.09 branch with subversion and compiled it with:
    $ svn co svn://svn.openwrt.org/openwrt/branches/8.09
    $ cd 8.09
    $ make menuconfig
    $ make package/symlinks
    $ make menuconfig
    $ make V=99
I used revision 21732 (the latest at the time) for my build. My config only has support for PPPoA (most countries use PPPoE).
You will get openwrt-ar7-squashfs.bin in the bin subdirectory after compiling has completed. Split this up into 2 files:
    $ dd if=openwrt-ar7-squashfs.bin of=ow-mtd0.bin skip=720896 bs=1
    $ dd if=openwrt-ar7-squashfs.bin of=ow-mtd1.bin count=720896 bs=1
Flashing the router:
You can flash the router with your OpenWRT image by using the ADAM2 FTP interface. Telnet to the router and issue this command:
    $ echo "my_ipaddress 192.168.0.1" > /proc/sys/dev/adam2/environment
From now on, when you reboot the router ftp will momentarily become available on 192.168.0.1 during boot (give your client an IP in this range). The window where you get “21/tcp filtered ftp” is rather small, as I observed when running:
    watch -n .4 "nmap -v 192.168.0.1 -p 21 | grep ftp"
I only had success in gaining ftp access to the router after I did the following:
    root@laptop:~$ cat /proc/sys/net/ipv4/tcp_wmem > tcp_wmem_orig
    root@laptop:~$ echo 0 512 512 > /proc/sys/net/ipv4/tcp_wmem
    # after ftp is done restore settings:
    root@laptop:~$ cat tcp_wmem_orig > /proc/sys/net/ipv4/tcp_wmem
After the above is done, power off the modem and unplug it. On the laptop I have the command “ftp 192.168.0.1” typed and ready, then plug the modem in (handy to have it beside the keyboard) and execute the ftp command; running it before the network light on the device came on worked best for me.
Once you do get a login it's time to ftp your compiled firmware to the device, from the directory containing your compiled OpenWRT files:
    $ ftp 192.168.0.1
    Connected to 192.168.0.1.
    220 ADAM2 FTP Server ready.
    Name (192.168.0.1:craig): adam2
    331 Password required for adam2.
    Password:
    230 User adam2 successfully logged in.
    Remote system type is UNIX.
    ftp> quote "MEDIA FLSH"
    200 Media set to FLSH.
    ftp> bin
    200 Type set to I.
    ftp> put ow-mtd0.bin "fs mtd0"
    local: ow-mtd0.bin remote: fs mtd0
    200 Port command successful.
    150 Opening BINARY mode data connection for file transfer.
    226 Transfer complete.
    1598607 bytes sent in 14.64 secs (106.7 kB/s)
    ftp> put ow-mtd1.bin "fs mtd1"
    local: ow-mtd1.bin remote: fs mtd1
    200 Port command successful.
    150 Opening BINARY mode data connection for file transfer.
    226 Transfer complete.
    720896 bytes sent in 6.56 secs (109.5 kB/s)
    ftp> quote REBOOT
    221-Thank you for using the FTP service on ADAM2.
    221 Goodbye.
    ftp> quit
First boot of OpenWRT
After the ftp commands above the orange light on the device will blink for a couple of minutes. This is hopefully OpenWRT configuring its system! Once this is done we can connect to the device:
    $ telnet 192.168.0.1
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character is '^]'.
    === IMPORTANT ============================
      Use 'passwd' to set your login password
      this will disable telnet and enable SSH
    ------------------------------------------
    root@OpenWrt:/# dmesg | grep jffs2 -A2 -B2
    root@OpenWrt:/# passwd
    root@OpenWrt:/# reboot
Check that the jffs2 partition has been written (this can take a minute or two after the ftp transfer). Once that is done, set your password and reboot the device. Mine takes ~1 minute to boot up.
Now I have a working OpenWRT installation on my router! I can flash it via the ftp method above if I have to (which I did do again).
Connecting to my ISP
ssh to the device and use vim to edit the network settings in /etc/config/network. Here are my settings for a PPPoA ADSL connection with my New Zealand ISP:
    root@OpenWrt:~# cat /etc/config/network
    ## Localhost
    config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'mask' '255.0.0.0'

    ## IP
    config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0'
        option 'proto' 'static'
        option 'netmask' '255.255.255.0'
        option 'nat' '1'
        option 'dns' ''
        option 'ipaddr' '192.168.0.1'

    ## enable all 5 network ports on router switch
    config 'switch' 'eth0'
        option 'reset' '1'

    ## My ISP details
    config 'interface' 'wan'
        option 'ifname' 'atm0'
        option 'proto' 'pppoa'
        option 'encaps' 'vc'
        option 'vpi' '0'
        option 'vci' '100'
        option 'username' 'email@example.com'
        option 'password' 'xxxxxxxx'
        option 'keepalive' '5,5'
Bring up the wan after editing network settings:
    root@OpenWrt:~# ifup wan
Connection stats in this file:
    root@OpenWrt:~# cat /proc/avalanche/avsar_modem_stats | grep Rate -A1 -B1
    [DSL Modem Stats]
    US Connection Rate: 869        DS Connection Rate: 7658
    DS Line Attenuation: 34        DS Margin: 13
    --
    Frame mode: 0                  Max Frame mode: 0
    Trained Path: 1                US Peak Cell Rate: 2049
    Trained Mode: 16               Selected Mode: 1
    --
    Hybrid Selected: 1             Trellis: 1
    Showtime Count: 1              DS Max Attainable Bit Rate: 8648 kbps
    BitSwap: 1                     US Max Attainable Bit Rate: 869000 bps
    Annex: AnxA                    psd_mask_qualifier: 0x0000
I now have a usable router running my own custom firmware to connect to the Internet with. Clients on the LAN can get an internal IP with DHCP and use the router's DNS server.