Hacking the Netgear wgt634u
Abstract
OpenWRT is a Linux port (2.4 kernel) for embedded plattforms including the Netgear wgt634u wireless router.
Click is a modular software for implementing advanced router functionality on Linux systems.
Madwifi is a WLAN driver (802.11 wireless network) that runs on OpenWRT and can be integrated with the click system.
This tutorial describes the steps of downloading the source code for each of these 3 components, for compiling them, and for getting them to run (together) on a wgt634 Netgear wireless router platform.
This work has been done for the Berlin Roof Net project ( http://sarwiki.informatik.hu-berlin.de/wiki/BerlinRoofNet ), with substantial support from the MIT Roof Net project team ( http://pdos.csail.mit.edu/click/ )
Introduction
The Netgear wgt634u Wireless Router has a Broadcom (type 0x29007) CPU, running at 200MHz. This CPU is not compatible with the Pentium (or similar) on your desktop computer, i.e. you can not simply take a binary program file from your desktop and execute it on the Netgear router - the Broadcom CPU encodes instructions and data in a completely different way and would therefore not "understand" your Pentium-based program at all.
The operating system on the Router router is Linux - again, not the same Linux that you might run on your desktop, but a Linux that was specifically compiled for the Broadcom CPU. The operating system along with all other programs is stored in a regular Linux file system which physically resides on the Netgear router's 8MB of flash memory. Flash memory is nonvolatile RAM which does not lose its data when the device is powered-off. But it is RAM, i.e. it can be modified in much the same way as regular RAM - just at a slower speed. In addition to the 8MB of non-volatile flash memory for the file system, the Netgear router has 16MB of regular volatile RAM.
The content of the flash memory (i.e. the file system with all its data, including the operating system, programs and configuration data) is also called firmware. When we say that we replace the firmware of the Netgear router, we mean that we erase the content of the flash memory, i.e. it the entire file system that was stored in it - and replace it with an entirely new file system, which contains a completely new operating system, and a new set of programs and data files. Nothing from the old system will survive when the firmware is replaced.
For the initial setup of the Netgear router we will download the source code for the OpenWRT firmware and cross-compile it for the Broadcom CPU. Cross-compilation is a process where the compiler produces binary program files that are not meant to be executed on the local system, but rather on another platform (here the Netgear router with its Broadcom CPU). Then, using tricky configuration script, we will tinker with the original bootloader configuration and finally replace the Netgear firmware with our OpenWRT firmware.
Before you begin, one word of caution: Once you overwrite the original Netgear firmware, it is gone forever. No pressing of the reset button or power cycling will bring it back. If the new firmware does not work, then you have transformed your Netgear router into a nice paperweight. But fortunately, this does not happen often.
Installing SSH Daemon while keeping original Firmware
For many reasons its unnecessary to replace the original firmware of your WGT634 if you just want to run some Linux programs. (see below how to compile your program for WGT634 system with help of a toolchain) So you can install a remote shell (sshd aka dropbear) on the router an copy your favorite mips-binary via scp or netcat (nc in busybox) to /tmp directory and start it from there.
The Netgear web frontend supports to backup the router settings into a file. With the help of such a file your are able to bring files on the router. (these file are just gzipped files containing a minix filesystem container file. See below how to modify it.)
First you need to get the netgear-sar.cfg file form the follwing link: File:Netgear-sar.cfg and select the Backup Settings entry in your web frontend. Now select the downloaded file on your hard disk and press Restore. After waiting a couple of minutes the WGT634 should reboot again and you are able to request the page: http://192.168.1.1/cgi-bin/installer.sh where you can download and install the sshd-main package directly on the router. After a reboot you should be able to login via ssh with user root and your admin password.
$ ssh root@192.168.1.1
Modify netgear-sar.cfg
To add more files to the "restore" file, first loop mount it (require root privileges) on your development machine:
# mount -o loop netgear-sar.cfg /mnt
Then unpack the archive:
$ mkdir config.lrp.d $ cd config.lrp.d $ tar xvzf /mnt/config.lrp
Now you can find 2 subdirectories in the current working directory:
$ ls etc usr
Add your files into the wished position. Further you have to tar the subdirectories:
$ tar cvf - * | gzip -9 -c > ../config-new.lrp
Replace the config-new.lrp in the mounted container (as root):
$ sudo cp ../config-new.lrp /mnt/config.lrp
Unmounting the container:
# umount /mnt
At this point the config-file is in principle ready to use, but the web frontend checks the file for a CRC32 sum in the last 8 Byte. To create a CRC32 you can use the jacksum collection. Get it from http://www.jonelo.de/java/jacksum/.
$ unzip jacksum-1.5.1.zip $ java -jar jacksum.jar
CFE
Once you've got a serial console attached you can access the CFE which is a bit like the bios of the WGT634U. Start up minicom and apply power to the router while holding Control C. You should see something like the following:
CFE version 1.0.34 for BCM95365R (32bit,SP,LE) Build Date: Tue Feb 24 03:21:41 CST 2004 (root@jackylinux) Copyright (C) 2000,2001,2002 Broadcom Corporation. Add MAC client version(DNI). Initializing Arena. Initializing Devices. et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller CPU type 0x29007: 200MHz Total memory: 0x2000000 bytes (32MB) Total memory used by CFE: 0x81BB1280 - 0x82000000 (4517248) Initialized Data: 0x81BB1280 - 0x81BB3E90 (11280) BSS Area: 0x81BB3E90 - 0x81BB45D0 (1856) Local Heap: 0x81BB45D0 - 0x81FB45D0 (4194304) Stack Area: 0x81FB45D0 - 0x81FB65D0 (8192) Text (code) segment: 0x81FB65E0 - 0x81FFFFB0 (301520) Boot area (physical): 0x01B70000 - 0x01BB0000 Relocation Factor: I:E23B65E0 - D:01BB0280 configure vlans ***************************************************************** *********************** VLAN Driver initial ******************** ***************************************************************** Process LAN port(2-5) vlan Architecture... SUCCESS: trying to create VLAN 0 for switch SUCCESS: trying to add LAN port Process WAN port(2-5) vlan Architecture... SUCCESS: trying to create VLAN 0 for switch SUCCESS: trying to add WAN port SUCCESS: enable ports success configure vlans...done Automatic startup canceled via Ctrl-C CFE>
Now you can get a listing of the available commands by typing "help". If you want to boot a kernel from a tftp server do the following:
CFE> ifconfig eth0 -addr=192.168.1.1 -mask=255.255.255.0; CFE> boot -z -elf -tftp 192.168.1.10:vmlinux.gz
Or you can automate the process by setting STARTUP using:
CFE> setenv -p STARTUP "ifconfig eth0 -addr=192.168.1.1 -mask=255.255.255.0;boot -z -elf -tftp 192.168.1.10:vmlinux.gz;boot -elf flash0.os:"
For loading rootfs over NFS
CFE> setenv -p kernel_args "console=ttyS1,115200 root=/dev/nfs nfsroot=192.168.1.10:/wgtroot init=/etc/preinit syst_size=8M"
The router will now try and retrieve a kernel image called vmlinux.gz using tftp from 192.168.1.10. If this fails it will go ahead and boot the kernel on the flash. The is quite handy as in conjuction with a NFS root, it means you can do all your development without modifing the original firmware.
If your network has a DHCP server, you can do this:
CFE> ifconfig eth0 -auto Device eth0: hwaddr 00-0F-B5-0B-B7-DA, ipaddr 192.168.1.17, mask 255.255.255.0 gateway 192.168.1.1, nameserver 192.168.1.1, domain lan
OpenWRT Toolchain
Getting Started
You need a Linux system with approximately 1GB free disk space to download and compile the OpenWRT source code and the toolchain.
What is a toolchain?
To build a Linux system for the Broadcom CPU, you need several tools that are not part of your normal Linux distribution. To obtain those tools, you have to download their source code and compile them on your Linux system. All these tools together make up the toolchain. Note, that the toolchain programs run on your local (Pentium-based) computer; they are only needed to build the OpenWRT firmware, but they will not be included in the firmware itself!
Downloading the OpenWRT toolchain sources
First of all you need to install the openwrt toolchain ( [1] ) on your build computer.
cvs -d:pserver:anonymous@openwrt.org:/openwrt login cvs -d:pserver:anonymous@openwrt.org:/openwrt co buildroot
The following tools/libs are required:
- wget, tftp
- cvs, subversion
- gcc, gcc-c++, bison, flex
- patch, gettext
- autoconf, automake
- zlib-devel
Compiling the OpenWRT toolchain
We need a C++-compiler, so you’ll need to patch $OPENWRT/buildroot/Makefile.
INSTALL_LIBSTDCPP:=true
That's all: run make
If you want to build click, madwifi or a new kernel for the wgt you have to fetch our Makefiles:
Checkout the files from your $OPENWRT/buildroot/ directory:
svn co svn://merkur/brn/platform/wgt634u/openwrt/ make/
Compiling click
To build click you have to copy the Makefile (click.mk [2]) to the $OPENWRT/buildroot/make directory.
############################################################# # # click # ############################################################# CLICK_DIR:=$(BUILD_DIR)/click DEPLOY_DIR:=/mnt/wgtroot/brn click-source: $(CLICK_DIR)/.unpacked $(CLICK_DIR)/.unpacked: $(DL_DIR)/$(CLICK_SOURCE) (cd $(BUILD_DIR); \ svn co svn://merkur.sardmn.informatik.hu-berlin.de/brn/click) touch $(CLICK_DIR)/.unpacked $(CLICK_DIR)/.configured: $(CLICK_DIR)/.unpacked (cd $(CLICK_DIR); rm -rf config.cache; \ $(TARGET_CONFIGURE_OPTS) \ CFLAGS="$(TARGET_CFLAGS)" \ AR_CREATEFLAGS="cru" \ ./configure \ --build=i686-pc-linux-gnu \ --host=mipsel-linux \ --disable-linuxmodule \ --enable-brn \ --enable-wifi \ --enable-tools=mixed \ ); touch $(CLICK_DIR)/.configured $(CLICK_DIR)/click: $(CLICK_DIR)/.configured $(MAKE) CC=$(TARGET_CC) -C $(CLICK_DIR) $(TARGET_DIR)/usr/bin/click: $(CLICK_DIR)/click install -c $(CLICK_DIR)/userlevel/click $(DEPLOY_DIR) $(STRIP) $(DEPLOY_DIR)/click > /dev/null 2>&1 click: uclibc $(TARGET_DIR)/usr/bin/click click-clean: $(MAKE) -C $(CLICK_DIR) clean rm -rf $(TARGET_DIR)/usr/bin/click click-dirclean: rm -rf $(CLICK_DIR)
That's all: run make click to build click. Currently, I only tested the userlevel click binary.
Compiling Madwifi.stripped
The madwifi.stripped driver lets Click directly read and write raw frames from the wireless card, and strips out the usual driver logic. To build the madwifi.stripped driver you have to copy the following Makefile (madwifi.mk [3]) to the $OPENWRT/buildroot/make directory:
############################################################# # # madwifi.stripped # ############################################################# MADWIFI_DIR:=$(BUILD_DIR)/madwifi $(DL_DIR)/$(MADWIFI_SOURCE): $(WGET) -P $(DL_DIR) $(MADWIFI_SITE)/$(MADWIFI_SOURCE) madwifi-source: $(DL_DIR)/$(MADWIFI_SOURCE) $(MADWIFI_DIR)/.unpacked: $(DL_DIR)/$(MADWIFI_SOURCE) (cd $(BUILD_DIR); \ cvs -d :pserver:anoncvs@cvs.pdos.lcs.mit.edu:/cvs login) (cd $(BUILD_DIR); \ cvs -z5 -d :pserver:anoncvs@cvs.pdos.lcs.mit.edu:/cvs co -d madwifi roofnet/release/stripped) touch $(MADWIFI_DIR)/.unpacked $(MADWIFI_DIR)/madwifi: $(MADWIFI_DIR)/.unpacked $(MAKE) CC=$(TARGET_CC) TARGET=mips-le-elf KERNELPATH=$(BUILD_DIR)/WRT54GS/release/src/linux/linux/ -C $(MADWIFI_DIR) $(TARGET_DIR)/usr/bin/madwifi: $(MADWIFI_DIR)/madwifi mkdir $(TARGET_DIR)/usr/bin/madwifi/ cp $(MADWIFI_DIR)/madwifi/driver/ath_pci.o $(TARGET_DIR)/usr/bin/madwifi/ cp $(MADWIFI_DIR)/madwifi/ath_hal/ath_hal.o $(TARGET_DIR)/usr/bin/madwifi/ madwifi: uclibc $(TARGET_DIR)/usr/bin/madwifi/ madwifi-clean: $(MAKE) -C $(MADWIFI_DIR) clean rm $(MADWIFI_DIR)/.unpacked rm -rf $(TARGET_DIR)/usr/bin/madwifi/ madwifi-dirclean: rm -rf $(MADWIFI_DIR)
That's all: run make madwifi to build the driver.
Compiling New Kernel
To build the linux kernel for the wgt634u-box you have to copy the following Makefile (wgtkernel.mk [4]) to the $OPENWRT/buildroot/make directory:
############################################################# # # linux kernel for wgt634 # ############################################################# WGTKERNEL_DIR:=$(BUILD_DIR)/wgt634u-1.4.1.8-gpl-src WGTKERNEL_SOURCE=wgt634u-1.4.1.8-gpl-src.tar.bz2 WGTKERNEL_SITE=ftp://downloads.netgear.com/files/GPL WGTKERNEL_KERNEL=wgt634u-1.4.1.8-gpl-src/linux-2.4.x WGTKERNEL_BROADCOM_SRC=wgt634u-1.4.1.8-gpl-src/broadcom-src LINUX_DIR:=$(WGTKERNEL_DIR)/linux-2.4.x UCLIBC_DIR:=$(BUILD_DIR)/staging_dir/mipsel-linux-uclibc/ STAGING_DIR:=$(BUILD_DIR)/staging_dir/ all: wgtkernel $(DL_DIR)/$(WGTKERNEL_SOURCE): $(WGET) -P $(DL_DIR) $(WGTKERNEL_SITE)/$(WGTKERNEL_SOURCE) $(WGTKERNEL_DIR)/.source: $(DL_DIR)/$(WGTKERNEL_SOURCE) bzcat $(DL_DIR)/$(WGTKERNEL_SOURCE) | tar -C $(BUILD_DIR) -xvf - $(WGTKERNEL_KERNEL) $(WGTKERNEL_BROADCOM_SRC) touch $(WGTKERNEL_DIR)/.source @echo "Patching the kernel" svn co svn://merkur.sardmn.informatik.hu-berlin.de/brn/platform/wgt634u/patches/ (cd $(WGTKERNEL_DIR); patch -p7 < ../../patches/kernel_brn-2005-05-19.patch); wgtkernel: dep zImage dep: $(WGTKERNEL_DIR)/.source $(MAKE) CC=$(TARGET_CC) -C $(WGTKERNEL_DIR)/linux-2.4.x oldconfig include/linux/version.h $(MAKE) CC=$(TARGET_CC) -C $(WGTKERNEL_DIR)/linux-2.4.x SRCBASE=$(WGTKERNEL_DIR)/broadcom-src dep zImage: $(MAKE) CC=$(TARGET_CC) -C $(WGTKERNEL_DIR)/linux-2.4.x SRCBASE=$(WGTKERNEL_DIR)/broadcom-src zImage wgtkernel-clean: $(MAKE) -C $(LINUX_DIR) clean rm $(WGTKERNEL_DIR)/.unpacked wgtkernel-dirclean: rm -rf $(WGTKERNEL_DIR)
If you cannot reach our repository, you have to patch the kernel by hand:
First, the stock kernel doesn’t link with gcc 3.3.3, so you’ll need to patch linux-2.4.x/arch/mips/brcm-boards/bcm947xx/cfe_flash_nvram.c.
@@ -927,6 +927,12 @@ struct page *page, *end; unsigned int i; + /* Register char device */ + if ((nvram_major = devfs_register_chrdev(252, "nvram", &nvram_fops)) < 0) { + ret = nvram_major; + return ret; + } + /* Allocate and reserve memory to mmap() */ while ((PAGE_SIZE << order) < NVRAM_SPACE) order++; @@ -955,21 +961,11 @@ /* Initialize hash table */ nvram_rehash(); - /* Register char device */ - if ((nvram_major = devfs_register_chrdev(252, "nvram", &nvram_fops)) < 0) { - ret = nvram_major; - goto err; - } - /* Create /dev/nvram handle */ nvram_handle = devfs_register(NULL, "nvram", DEVFS_FL_NONE, nvram_major, 0, S_IFCHR | S_IRUSR | S_IWUSR | S_IRGRP, &nvram_fops, NULL); return 0; - - err: - nvram_exit(); - return ret; } module_init(nvram_init);
Third, you’ll need to patch linux-2.4.x/Makefile.
27a28,29 > MIPS_BASE = $(TOPDIR)/../../staging_dir/bin/ > 29c31 < LD = $(CROSS_COMPILE)ld --- > LD = $(MIPS_BASE)/$(CROSS_COMPILE)ld 32,36c34,38 < AR = $(CROSS_COMPILE)ar < NM = $(CROSS_COMPILE)nm < STRIP = $(CROSS_COMPILE)strip < OBJCOPY = $(CROSS_COMPILE)objcopy < OBJDUMP = $(CROSS_COMPILE)objdump --- > AR = $(MIPS_BASE)/$(CROSS_COMPILE)ar > NM = $(MIPS_BASE)/$(CROSS_COMPILE)nm > STRIP = $(MIPS_BASE)/$(CROSS_COMPILE)strip > OBJCOPY = $(MIPS_BASE)/$(CROSS_COMPILE)objcopy > OBJDUMP = $(MIPS_BASE)/$(CROSS_COMPILE)objdump
Fourth, you’ll need to patch linux-2.4.x/arch/mips/Makefile.
69c69 < GCCFLAGS += -mcpu=r4600 -mips2 -Wa,--trap --- > GCCFLAGS += -mips2 -Wa,--trap 72c72 < GCCFLAGS += -mcpu=r4600 -mips2 -Wa,--trap --- > GCCFLAGS += -mips2 -Wa,--trap 75c75 < GCCFLAGS += -mcpu=r4600 -mips2 -Wa,--trap --- > GCCFLAGS += -mips2 -Wa,--trap 78c78 < GCCFLAGS += -mcpu=r4600 -mips2 -Wa,--trap --- > GCCFLAGS += -mips2 -Wa,--trap 81c81 < GCCFLAGS += -mcpu=r4600 -mips2 -Wa,--trap --- > GCCFLAGS += -mips2 -Wa,--trap
Fifth, you’ll need to patch linux-2.4.x/arch/mips/brcm-boards/bcm947xx/compressed/Makefile.
21d20 < STRIP := $(CROSS_COMPILE)strip 23c22,25 < OBJCOPY := $(CROSS_COMPILE)objcopy -O binary -R .reginfo -R .note -R .comment -R .mdebug -S --- > MIPS_BASE := $(TOPDIR)/../../staging_dir/bin/ > STRIP := $(MIPS_BASE)/$(CROSS_COMPILE)strip > > OBJCOPY := $(MIPS_BASE)/$(CROSS_COMPILE)objcopy -O binary -R .reginfo -R .note -R .comment -R .mdebug -S 28c30 < ASFLAGS += -G 0 -mno-abicalls -fno-pic -pipe -mcpu=r4600 -mips2 -Wa --trap -m4710a0kern --- > ASFLAGS += -G 0 -mno-abicalls -fno-pic -pipe -mips2
Last, if you’re planning to run userlevel click, edit the linux-2.4.x/.config file and change the CONFIG_ETHERTAP and CONFIG_TUN lines to y.
That's all: run make wgtkernel to build the kernel.
Install to Flash
There are two ways to install a flash upgrade; from Linux or from CFE.
Via Linux
This requires a working Linux installation. The contents of the flash should not be in use - that means this method is unsuitable for upgrading a mounted JFFS2 filesystem.
# cd /tmp # eraseall /dev/mtd3 # cat rootfs.img > /dev/mtd3 # eraseall /dev/mtd2 # dd if=kernel of=/dev/mtd2
Via CFE
This is a little bit more complicated, however it will allow you to recover a completely hosed system. First of all, you need to have SerialConsole access in order to get into the CFE. Second of all, the CFE flash routine will only download and flash a maximum of 4194304 bytes (4MB) at a time. To get around the 4MB limit, we need to split the image into smaller chunks and then use the =-offset= flag to flash the two parts.
Split the image on the host:
# dd bs=128k if=netgear.img of=netgear.img.1 count=30 30+0 records in 30+0 records out # dd bs=128k if=netgear.img of=netgear.img.2 skip=30 5+1 records in 5+1 records out
Flash the image in individual parts:
CFE> flash -noheader tftp_host:netgear.img.1 flash0.os Reading tftp_host:netgear.img.1: Done. 3932160 bytes read Programming...done. 3932160 bytes written *** command status = 0 CFE> flash -noheader -offset=3932160 tftp_host:netgear.img.2 flash0.os Reading tftp_host:netgear.img.2: Done. 786256 bytes read Programming...done. 786256 bytes written *** command status = 0
The image must contain both the kernel and the root filesystem payload. Furthermore, the root filesystem must be located at the right offset, as defined by the MTD partitioning within the kernel itself.
Troubleshooting
Sometimes you need to erase the flash (flash0.os) from within CFE first before installing a new image. First, try to create a file of size 3776k bytes and containing only 0xFF (e.g., with perl). Since flash0.os is of size 7552k bytes and 2*3776=7552, you can use the '-offset' flag to erase the two parts of flash0.os:
CFE> flash -noheader tftp_host:ff.img flash0.os ... CFE> flash -noheader -offset=3866624 tftp_host:ff.img flash0.os ...
References
- madwifi.stripped driver ( http://pdos.csail.mit.edu/~jbicket/madwifi.stripped/ )
- openwrt ( http://openwrt.org )
- General information about the router ( http://pdos.csail.mit.edu/roofnet/doku.php?id=wgt634u )
- MIT Roof Net ( http://pdos.csail.mit.edu/roofnet/ )
- Berlin Roof Net ( http://sarwiki.informatik.hu-berlin.de/wiki/BerlinRoofNet )