Hacking the Netgear wgt634u

From
Jump to navigation Jump to search

Abstract

OpenWRT is a Linux port (2.4 kernel) for embedded plattforms including the Netgear wgt634u wireless router.

Click is a modular software for implementing advanced router functionality on Linux systems.

Madwifi is a WLAN driver (802.11 wireless network) that runs on OpenWRT and can be integrated with the click system.

This tutorial describes the steps of downloading the source code for each of these 3 components, for compiling them, and for getting them to run (together) on a wgt634 Netgear wireless router platform.

This work has been done for the Berlin Roof Net project ( http://sarwiki.informatik.hu-berlin.de/wiki/BerlinRoofNet ), with substantial support from the MIT Roof Net project team ( http://pdos.csail.mit.edu/click/ )


Introduction

The Netgear wgt634u Wireless Router has a Broadcom (type 0x29007) CPU, running at 200MHz. This CPU is not compatible with the Pentium (or similar) on your desktop computer, i.e. you can not simply take a binary program file from your desktop and execute it on the Netgear router - the Broadcom CPU encodes instructions and data in a completely different way and would therefore not "understand" your Pentium-based program at all.

The operating system on the Router router is Linux - again, not the same Linux that you might run on your desktop, but a Linux that was specifically compiled for the Broadcom CPU. The operating system along with all other programs is stored in a regular Linux file system which physically resides on the Netgear router's 8MB of flash memory. Flash memory is nonvolatile RAM which does not lose its data when the device is powered-off. But it is RAM, i.e. it can be modified in much the same way as regular RAM - just at a slower speed. In addition to the 8MB of non-volatile flash memory for the file system, the Netgear router has 16MB of regular volatile RAM.

The content of the flash memory (i.e. the file system with all its data, including the operating system, programs and configuration data) is also called firmware. When we say that we replace the firmware of the Netgear router, we mean that we erase the content of the flash memory, i.e. it the entire file system that was stored in it - and replace it with an entirely new file system, which contains a completely new operating system, and a new set of programs and data files. Nothing from the old system will survive when the firmware is replaced.

For the initial setup of the Netgear router we will download the source code for the OpenWRT firmware and cross-compile it for the Broadcom CPU. Cross-compilation is a process where the compiler produces binary program files that are not meant to be executed on the local system, but rather on another platform (here the Netgear router with its Broadcom CPU). Then, using tricky configuration script, we will tinker with the original bootloader configuration and finally replace the Netgear firmware with our OpenWRT firmware.

Before you begin, one word of caution: Once you overwrite the original Netgear firmware, it is gone forever. No pressing of the reset button or power cycling will bring it back. If the new firmware does not work, then you have transformed your Netgear router into a nice paperweight. But fortunately, this does not happen often.

Installing SSH Daemon while keeping original Firmware

For many reasons its unnecessary to replace the original firmware of your WGT634 if you just want to run some Linux programs. (see below how to compile your program for WGT634 system with help of a toolchain) So you can install a remote shell (sshd aka dropbear) on the router an copy your favorite mips-binary via scp or netcat (nc in busybox) to /tmp directory and start it from there.

The Netgear web frontend supports to backup the router settings into a file. With the help of such a file your are able to bring files on the router. (these file are just gzipped files containing a minix filesystem container file. See below how to modify it.)

First you need to get the netgear-sar.cfg file form the follwing link: File:Netgear-sar.cfg and select the Backup Settings entry in your web frontend. Now select the downloaded file on your hard disk and press Restore. After waiting a couple of minutes the WGT634 should reboot again and you are able to request the page: http://192.168.1.1/cgi-bin/installer.sh where you can download and install the sshd-main package directly on the router. After a reboot you should be able to login via ssh with user root and your admin password.

$ ssh root@192.168.1.1

Modify netgear-sar.cfg

To add more files to the "restore" file, first loop mount it (require root privileges) on your development machine:

# mount -o loop netgear-sar.cfg /mnt

Then unpack the archive:

$ mkdir config.lrp.d
$ cd config.lrp.d
$ tar xvzf /mnt/config.lrp

Now you can find 2 subdirectories in the current working directory:

$ ls
etc usr

Add your files into the wished position. Further you have to tar the subdirectories:

$ tar cvf - * | gzip -9 -c > ../config-new.lrp

Replace the config-new.lrp in the mounted container (as root):

$ sudo cp ../config-new.lrp /mnt/config.lrp

Unmounting the container:

# umount /mnt

At this point the config-file is in principle ready to use, but the web frontend checks the file for a CRC32 sum in the last 8 Byte. To create a CRC32 you can use the jacksum collection. Get it from http://www.jonelo.de/java/jacksum/.

$ unzip jacksum-1.5.1.zip
$ java -jar jacksum.jar

CFE

Once you've got a serial console attached you can access the CFE which is a bit like the bios of the WGT634U. Start up minicom and apply power to the router while holding Control C. You should see something like the following:

CFE version 1.0.34 for BCM95365R (32bit,SP,LE)
Build Date: Tue Feb 24 03:21:41 CST 2004 (root@jackylinux)
Copyright (C) 2000,2001,2002 Broadcom Corporation.

Add MAC client version(DNI).
Initializing Arena.
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller
CPU type 0x29007: 200MHz
Total memory: 0x2000000 bytes (32MB)

Total memory used by CFE:  0x81BB1280 - 0x82000000 (4517248)
Initialized Data:          0x81BB1280 - 0x81BB3E90 (11280)
BSS Area:                  0x81BB3E90 - 0x81BB45D0 (1856)
Local Heap:                0x81BB45D0 - 0x81FB45D0 (4194304)
Stack Area:                0x81FB45D0 - 0x81FB65D0 (8192)
Text (code) segment:       0x81FB65E0 - 0x81FFFFB0 (301520)
Boot area (physical):      0x01B70000 - 0x01BB0000
Relocation Factor:         I:E23B65E0 - D:01BB0280

configure vlans
*****************************************************************
*********************** VLAN Driver initial  ********************
*****************************************************************
Process LAN port(2-5) vlan Architecture...
SUCCESS: trying to create VLAN 0 for switch
SUCCESS: trying to add LAN port

Process WAN port(2-5) vlan Architecture...
SUCCESS: trying to create VLAN 0 for switch
SUCCESS: trying to add WAN port
SUCCESS: enable ports  success
configure vlans...done
Automatic startup canceled via Ctrl-C
CFE>

Now you can get a listing of the available commands by typing "help". If you want to boot a kernel from a tftp server do the following:


CFE> ifconfig eth0 -addr=192.168.1.1 -mask=255.255.255.0;
CFE> boot -z -elf -tftp 192.168.1.10:vmlinux.gz

Or you can automate the process by setting STARTUP using:

CFE> setenv -p STARTUP "ifconfig eth0 -addr=192.168.1.1 -mask=255.255.255.0;boot -z -elf -tftp 192.168.1.10:vmlinux.gz;boot -elf flash0.os:"

For loading rootfs over NFS

CFE> setenv -p kernel_args "console=ttyS1,115200 root=/dev/nfs nfsroot=192.168.1.10:/wgtroot init=/etc/preinit syst_size=8M"


The router will now try and retrieve a kernel image called vmlinux.gz using tftp from 192.168.1.10. If this fails it will go ahead and boot the kernel on the flash. The is quite handy as in conjuction with a NFS root, it means you can do all your development without modifing the original firmware.

If your network has a DHCP server, you can do this:

CFE> ifconfig eth0 -auto
Device eth0:  hwaddr 00-0F-B5-0B-B7-DA, ipaddr 192.168.1.17, mask 255.255.255.0
        gateway 192.168.1.1, nameserver 192.168.1.1, domain lan

OpenWRT Toolchain

Getting Started

You need a Linux system with approximately 1GB free disk space to download and compile the OpenWRT source code and the toolchain.

What is a toolchain?

To build a Linux system for the Broadcom CPU, you need several tools that are not part of your normal Linux distribution. To obtain those tools, you have to download their source code and compile them on your Linux system. All these tools together make up the toolchain. Note, that the toolchain programs run on your local (Pentium-based) computer; they are only needed to build the OpenWRT firmware, but they will not be included in the firmware itself!

Downloading the OpenWRT toolchain sources

First of all you need to install the openwrt toolchain ( [1] ) on your build computer.

 cvs -d:pserver:anonymous@openwrt.org:/openwrt login
 cvs -d:pserver:anonymous@openwrt.org:/openwrt co buildroot

The following tools/libs are required:

  • wget, tftp
  • cvs, subversion
  • gcc, gcc-c++, bison, flex
  • patch, gettext
  • autoconf, automake
  • zlib-devel

Compiling the OpenWRT toolchain

We need a C++-compiler, so you’ll need to patch $OPENWRT/buildroot/Makefile.

 INSTALL_LIBSTDCPP:=true

That's all: run make

If you want to build click, madwifi or a new kernel for the wgt you have to fetch our Makefiles:

Checkout the files from your $OPENWRT/buildroot/ directory:

 svn co svn://merkur/brn/platform/wgt634u/openwrt/ make/

Compiling click

To build click you have to copy the Makefile (click.mk [2]) to the $OPENWRT/buildroot/make directory.

#############################################################
#
# click
#
#############################################################
CLICK_DIR:=$(BUILD_DIR)/click
DEPLOY_DIR:=/mnt/wgtroot/brn

click-source: $(CLICK_DIR)/.unpacked


$(CLICK_DIR)/.unpacked: $(DL_DIR)/$(CLICK_SOURCE)
	(cd $(BUILD_DIR); \
	svn co svn://merkur.sardmn.informatik.hu-berlin.de/brn/click)
	touch $(CLICK_DIR)/.unpacked


$(CLICK_DIR)/.configured: $(CLICK_DIR)/.unpacked
	(cd $(CLICK_DIR); rm -rf config.cache; \
		$(TARGET_CONFIGURE_OPTS) \
		CFLAGS="$(TARGET_CFLAGS)" \
		AR_CREATEFLAGS="cru" \
		./configure \
		--build=i686-pc-linux-gnu \
		--host=mipsel-linux \
		--disable-linuxmodule \
		--enable-brn \
		--enable-wifi \
		--enable-tools=mixed \
	);
	touch  $(CLICK_DIR)/.configured

$(CLICK_DIR)/click: $(CLICK_DIR)/.configured
	$(MAKE) CC=$(TARGET_CC) -C $(CLICK_DIR)

$(TARGET_DIR)/usr/bin/click: $(CLICK_DIR)/click
	install -c $(CLICK_DIR)/userlevel/click $(DEPLOY_DIR)
	$(STRIP) $(DEPLOY_DIR)/click > /dev/null 2>&1

click: uclibc $(TARGET_DIR)/usr/bin/click 

click-clean: 
	$(MAKE) -C $(CLICK_DIR) clean
	rm -rf $(TARGET_DIR)/usr/bin/click

click-dirclean: 
	rm -rf $(CLICK_DIR)

That's all: run make click to build click. Currently, I only tested the userlevel click binary.

Compiling Madwifi.stripped

The madwifi.stripped driver lets Click directly read and write raw frames from the wireless card, and strips out the usual driver logic. To build the madwifi.stripped driver you have to copy the following Makefile (madwifi.mk [3]) to the $OPENWRT/buildroot/make directory:

#############################################################
#
# madwifi.stripped
#
#############################################################
MADWIFI_DIR:=$(BUILD_DIR)/madwifi


$(DL_DIR)/$(MADWIFI_SOURCE):
	$(WGET) -P $(DL_DIR) $(MADWIFI_SITE)/$(MADWIFI_SOURCE)

madwifi-source: $(DL_DIR)/$(MADWIFI_SOURCE)

$(MADWIFI_DIR)/.unpacked: $(DL_DIR)/$(MADWIFI_SOURCE)
	(cd $(BUILD_DIR); \
	cvs -d :pserver:anoncvs@cvs.pdos.lcs.mit.edu:/cvs login)
	(cd $(BUILD_DIR); \
	cvs -z5 -d :pserver:anoncvs@cvs.pdos.lcs.mit.edu:/cvs co -d madwifi roofnet/release/stripped)
	touch $(MADWIFI_DIR)/.unpacked

$(MADWIFI_DIR)/madwifi: $(MADWIFI_DIR)/.unpacked
	$(MAKE) CC=$(TARGET_CC) TARGET=mips-le-elf KERNELPATH=$(BUILD_DIR)/WRT54GS/release/src/linux/linux/ -C $(MADWIFI_DIR)

$(TARGET_DIR)/usr/bin/madwifi: $(MADWIFI_DIR)/madwifi
	mkdir $(TARGET_DIR)/usr/bin/madwifi/
	cp $(MADWIFI_DIR)/madwifi/driver/ath_pci.o $(TARGET_DIR)/usr/bin/madwifi/
	cp $(MADWIFI_DIR)/madwifi/ath_hal/ath_hal.o $(TARGET_DIR)/usr/bin/madwifi/

madwifi: uclibc $(TARGET_DIR)/usr/bin/madwifi/

madwifi-clean: 
	$(MAKE) -C $(MADWIFI_DIR) clean
	rm $(MADWIFI_DIR)/.unpacked
	rm -rf $(TARGET_DIR)/usr/bin/madwifi/

madwifi-dirclean: 
	rm -rf $(MADWIFI_DIR)

That's all: run make madwifi to build the driver.

Compiling New Kernel

To build the linux kernel for the wgt634u-box you have to copy the following Makefile (wgtkernel.mk [4]) to the $OPENWRT/buildroot/make directory:

#############################################################
#
# linux kernel for wgt634
#
#############################################################
WGTKERNEL_DIR:=$(BUILD_DIR)/wgt634u-1.4.1.8-gpl-src
WGTKERNEL_SOURCE=wgt634u-1.4.1.8-gpl-src.tar.bz2
WGTKERNEL_SITE=ftp://downloads.netgear.com/files/GPL
WGTKERNEL_KERNEL=wgt634u-1.4.1.8-gpl-src/linux-2.4.x
WGTKERNEL_BROADCOM_SRC=wgt634u-1.4.1.8-gpl-src/broadcom-src
LINUX_DIR:=$(WGTKERNEL_DIR)/linux-2.4.x
UCLIBC_DIR:=$(BUILD_DIR)/staging_dir/mipsel-linux-uclibc/
STAGING_DIR:=$(BUILD_DIR)/staging_dir/

all: wgtkernel

$(DL_DIR)/$(WGTKERNEL_SOURCE):
	$(WGET) -P $(DL_DIR) $(WGTKERNEL_SITE)/$(WGTKERNEL_SOURCE)
 
$(WGTKERNEL_DIR)/.source: $(DL_DIR)/$(WGTKERNEL_SOURCE)
	bzcat $(DL_DIR)/$(WGTKERNEL_SOURCE) | tar -C $(BUILD_DIR) -xvf - $(WGTKERNEL_KERNEL) $(WGTKERNEL_BROADCOM_SRC)
	touch $(WGTKERNEL_DIR)/.source
	@echo "Patching the kernel"
	svn co svn://merkur.sardmn.informatik.hu-berlin.de/brn/platform/wgt634u/patches/
	(cd $(WGTKERNEL_DIR); patch -p7 < ../../patches/kernel_brn-2005-05-19.patch);
  
wgtkernel: dep zImage
  
dep: $(WGTKERNEL_DIR)/.source
	$(MAKE) CC=$(TARGET_CC) -C $(WGTKERNEL_DIR)/linux-2.4.x oldconfig include/linux/version.h
	$(MAKE) CC=$(TARGET_CC) -C $(WGTKERNEL_DIR)/linux-2.4.x SRCBASE=$(WGTKERNEL_DIR)/broadcom-src dep

zImage:
	$(MAKE) CC=$(TARGET_CC) -C $(WGTKERNEL_DIR)/linux-2.4.x SRCBASE=$(WGTKERNEL_DIR)/broadcom-src zImage
  
  
wgtkernel-clean: 
	$(MAKE) -C $(LINUX_DIR) clean
	rm $(WGTKERNEL_DIR)/.unpacked
  
wgtkernel-dirclean: 
	rm -rf $(WGTKERNEL_DIR)

If you cannot reach our repository, you have to patch the kernel by hand:

First, the stock kernel doesn’t link with gcc 3.3.3, so you’ll need to patch linux-2.4.x/arch/mips/brcm-boards/bcm947xx/cfe_flash_nvram.c.

 @@ -927,6 +927,12 @@
       struct page *page, *end;
       unsigned int i;
 
 +       /* Register char device */
 +       if ((nvram_major = devfs_register_chrdev(252, "nvram", &nvram_fops)) < 0) {
 +               ret = nvram_major;
 +               return ret;
 +       }
 +
         /* Allocate and reserve memory to mmap() */
         while ((PAGE_SIZE << order) < NVRAM_SPACE)
                 order++;
 @@ -955,21 +961,11 @@
         /* Initialize hash table */
         nvram_rehash();
 
 -       /* Register char device */
 -       if ((nvram_major = devfs_register_chrdev(252, "nvram", &nvram_fops)) < 0) {
 -               ret = nvram_major;
 -               goto err;
 -       }
 -
         /* Create /dev/nvram handle */
         nvram_handle = devfs_register(NULL, "nvram", DEVFS_FL_NONE, nvram_major, 0,
                                       S_IFCHR | S_IRUSR | S_IWUSR | S_IRGRP, &nvram_fops, NULL);
         return 0;
 -
 - err:
 -       nvram_exit();
 -       return ret;
  }
 
  module_init(nvram_init);


Third, you’ll need to patch linux-2.4.x/Makefile.

 27a28,29
 > MIPS_BASE     	= $(TOPDIR)/../../staging_dir/bin/
 > 
 29c31
 < LD		= $(CROSS_COMPILE)ld
 ---
 > LD		= $(MIPS_BASE)/$(CROSS_COMPILE)ld
 32,36c34,38
 < AR		= $(CROSS_COMPILE)ar
 < NM		= $(CROSS_COMPILE)nm
 < STRIP		= $(CROSS_COMPILE)strip
 < OBJCOPY		= $(CROSS_COMPILE)objcopy
 < OBJDUMP		= $(CROSS_COMPILE)objdump
 ---
 > AR		= $(MIPS_BASE)/$(CROSS_COMPILE)ar
 > NM		= $(MIPS_BASE)/$(CROSS_COMPILE)nm
 > STRIP		= $(MIPS_BASE)/$(CROSS_COMPILE)strip
 > OBJCOPY		= $(MIPS_BASE)/$(CROSS_COMPILE)objcopy
 > OBJDUMP		= $(MIPS_BASE)/$(CROSS_COMPILE)objdump


Fourth, you’ll need to patch linux-2.4.x/arch/mips/Makefile.

 69c69
 < GCCFLAGS	+= -mcpu=r4600 -mips2 -Wa,--trap
 ---
 > GCCFLAGS	+= -mips2 -Wa,--trap
 72c72
 < GCCFLAGS	+= -mcpu=r4600 -mips2 -Wa,--trap
 ---
 > GCCFLAGS	+= -mips2 -Wa,--trap
 75c75
 < GCCFLAGS	+= -mcpu=r4600 -mips2 -Wa,--trap
 ---
 > GCCFLAGS	+= -mips2 -Wa,--trap
 78c78
 < GCCFLAGS	+= -mcpu=r4600 -mips2 -Wa,--trap
 ---
 > GCCFLAGS	+= -mips2 -Wa,--trap
 81c81
 < GCCFLAGS	+= -mcpu=r4600 -mips2 -Wa,--trap
 ---
 > GCCFLAGS	+= -mips2 -Wa,--trap

Fifth, you’ll need to patch linux-2.4.x/arch/mips/brcm-boards/bcm947xx/compressed/Makefile.

 21d20
 < STRIP := $(CROSS_COMPILE)strip
 23c22,25
 < OBJCOPY		:= $(CROSS_COMPILE)objcopy -O binary -R .reginfo -R .note -R .comment -R .mdebug -S
 ---
 > MIPS_BASE	:= $(TOPDIR)/../../staging_dir/bin/
 > STRIP 		:= $(MIPS_BASE)/$(CROSS_COMPILE)strip
 > 
 > OBJCOPY		:= $(MIPS_BASE)/$(CROSS_COMPILE)objcopy -O binary -R .reginfo -R .note -R .comment -R .mdebug -S
 28c30
 < ASFLAGS		+= -G 0  -mno-abicalls -fno-pic -pipe -mcpu=r4600 -mips2 -Wa --trap -m4710a0kern
 ---
 > ASFLAGS		+= -G 0  -mno-abicalls -fno-pic -pipe -mips2


Last, if you’re planning to run userlevel click, edit the linux-2.4.x/.config file and change the CONFIG_ETHERTAP and CONFIG_TUN lines to y.

That's all: run make wgtkernel to build the kernel.

Install to Flash

There are two ways to install a flash upgrade; from Linux or from CFE.

Via Linux

This requires a working Linux installation. The contents of the flash should not be in use - that means this method is unsuitable for upgrading a mounted JFFS2 filesystem.

# cd /tmp
# eraseall /dev/mtd3
# cat rootfs.img > /dev/mtd3
# eraseall /dev/mtd2
# dd if=kernel of=/dev/mtd2

Via CFE

This is a little bit more complicated, however it will allow you to recover a completely hosed system. First of all, you need to have SerialConsole access in order to get into the CFE. Second of all, the CFE flash routine will only download and flash a maximum of 4194304 bytes (4MB) at a time. To get around the 4MB limit, we need to split the image into smaller chunks and then use the =-offset= flag to flash the two parts.

Split the image on the host:

# dd bs=128k if=netgear.img of=netgear.img.1 count=30
30+0 records in
30+0 records out
# dd bs=128k if=netgear.img of=netgear.img.2 skip=30
5+1 records in
5+1 records out

Flash the image in individual parts:

CFE> flash -noheader tftp_host:netgear.img.1 flash0.os
Reading tftp_host:netgear.img.1: Done. 3932160 bytes read
Programming...done. 3932160 bytes written
*** command status = 0
CFE> flash -noheader -offset=3932160 tftp_host:netgear.img.2 flash0.os
Reading tftp_host:netgear.img.2: Done. 786256 bytes read
Programming...done. 786256 bytes written
*** command status = 0

The image must contain both the kernel and the root filesystem payload. Furthermore, the root filesystem must be located at the right offset, as defined by the MTD partitioning within the kernel itself.

Troubleshooting

Sometimes you need to erase the flash (flash0.os) from within CFE first before installing a new image. First, try to create a file of size 3776k bytes and containing only 0xFF (e.g., with perl). Since flash0.os is of size 7552k bytes and 2*3776=7552, you can use the '-offset' flag to erase the two parts of flash0.os:

CFE> flash -noheader tftp_host:ff.img flash0.os
...
CFE> flash -noheader -offset=3866624 tftp_host:ff.img flash0.os
...

References