Monday, 5 September 2011

Can OpenWRT save my Netgear DGN2000?

I made the mistake of buying a Netgear DGN2000 ADSL2+ modem when I first got ADSL. Not only does it not support IPv6, its WiFi range is pathetic, bridging between WiFi and ethernet seems to die after several days of operation, and under heavy load the device hard-crashes, requiring a reboot. I suspect the crashing might be due to poor thermal design and perhaps my specific device, but clearly the software is also not without some blame. Given my experiences, I would NEVER recommend this device. But, now that I have one that I can't return, I'm going to document the process of installing OpenWRT to see if I can give this thing a second lease on life.


Quick aside: I tried to download the official source code from NetGear. If you follow the links to the source on their support site you get to this page. If you email them, you get this response:

Delivery has failed to these recipients or groups:
opensourcesw@netgear.com
Your message can't be delivered because delivery to this address is restricted.

Is this a poor attempt to avoid the GPL by making users jump through hoops to nowhere? At the very least it's extremely poor after-sale service.


On to business... I take no responsibility for you frying your box, etc., etc.

Before beginning, I wanted to back up the existing firmware in case things go horribly wrong. This router has a debug mode that will enable telnet access by visiting http://192.168.0.1/setup.cgi?todo=debug:
Debug Enable! 
Done! Now we can telnet in:
$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
 login: admin
Password:<your password>

BusyBox v1.00 (2009.08.03-11:30+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
# dmesg
Linux version 2.6.8.1 (root@suzhou-build-server) (gcc version 3.4.2) #1 Mon Aug 3 18:12:28 CST 2009
Parallel flash device: name AM29LV320MB, id 0x2200, size 4096KB
96348W3 prom init
CPU revision is: 00029107
Determined physical RAM map:
 memory: 00fa0000 @ 00000000 (usable)
On node 0 totalpages: 4000
  DMA zone: 4000 pages, LIFO batch:1
  Normal zone: 0 pages, LIFO batch:1
  HighMem zone: 0 pages, LIFO batch:1
Built 1 zonelists
Kernel command line: root=31:0 ro noinitrd
brcm mips: enabling icache and dcache...
Primary instruction cache 16kB, physically tagged, 2-way, linesize 16 bytes.
Primary data cache 8kB 2-way, linesize 16 bytes.
PID hash table entries: 64 (order 6: 512 bytes)
Using 120.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 13696k/16000k available (1454k kernel code, 2284k reserved, 222k data, 84k init, 0k highmem)
Calibrating delay loop... 239.20 BogoMIPS
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Checking for 'wait' instruction...  unavailable.
NET: Registered protocol family 16
Total Flash size: 4096K with 71 sectors
File system address: 0xbfc30100
No flash for scratch pad!
Can't analyze prologue code at 8017a074
devfs: 2004-01-31 Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
PPP generic driver version 2.4.2
NET: Registered protocol family 24
IMQ starting with 2 devices...
IMQ driver loaded successfully.
        Hooking IMQ before NAT on PREROUTING.
        Hooking IMQ after NAT on POSTROUTING.
Using noop io scheduler
bcm963xx_mtd driver v1.0
kernel_addr == 0xbff73100 rootfs_addr == 0xbfc30100
Physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Creating 6 MTD partitions on "Physically mapped flash":
0x00030100-0x00373100 : "fs"
mtd: partition "fs" doesn't start on an erase block boundary -- force read-only
0x00030000-0x00400000 : "tag+fs+kernel"
0x00000000-0x00010000 : "bootloader"
0x00020000-0x00030000 : "nvram"
0x00000000-0x00010000 : "bootloader"
0x00010000-0x00020000 : "DPF_file"
brcmboard: brcm_board_init entry
SES: LED GPIO 0x8022 is enabled
Serial: BCM63XX driver $Revision: 3.00 $
ttyS0 at MMIO 0xfffe0300 (irq = 10) is a BCM63XX
Broadcom BCMPROCFS v1.0 initialized
NET: Registered protocol family 2
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
ip_conntrack version 2.1 (125 buckets, 0 max) - 384 bytes per conntrack
ip_conntrack_h323: init
ip_conntrack_rtsp v0.01 loading
ip_nat_h323: initialize the module!
ip_nat_rtsp v0.01 loading
ip_tables: (C) 2000-2002 Netfilter core team
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 8
NET: Registered protocol family 20
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 84k freed
Algorithmics/MIPS FPU Emulator v1.5
bcm_enet: module license 'Proprietary' taints kernel.
Broadcom BCM6348B0 Ethernet Network Device v0.3 Aug  3 2009 18:11:24
Config Ethernet Switch Through MDIO Pseudo PHY Interface
ethsw: found bcm5325e!
dgasp: kerSysRegisterDyingGaspHandler: eth0 registered
eth0: MAC Address: 30:46:9A:2A:10:28
blaadd: blaa_detect entry
adsl: adsl_init entry
netfilter PSD loaded - (c) astaro AG
ipt_random match loaded
device eth0 entered promiscuous mode
BcmAdsl_Initialize=0xC00733A8, g_pFnNotifyCallback=0xC008C2A4
AnnexCParam=0x7FFF7E68 AnnexAParam=0x00003987 adsl2=0x00000003
pSdramPHY=0xA0FFFFF8, 0xFFFFFDFF 0xFFFFFFFF
AdslCoreHwReset: AdslOemDataAddr = 0xA0FFA4D4
AnnexCParam=0x7FFF7E68 AnnexAParam=0x00003987 adsl2=0x00000003
dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered
ATM proc init !!!
PCI: Setting latency timer of device 0000:00:01.0 to 64
PCI: Enabling device 0000:00:01.0 (0004 -> 0006)
wl: srom not detected, using main memory mapped srom info (wombo board)
wl0: wlc_attach: use mac addr from the system pool by id: 0x776c0000
wl0: MAC Address: 30:46:9A:2A:10:28
wl0: Broadcom BCM4322 802.11 Wireless Controller 4.174.64.12.cpe1.1
dgasp: kerSysRegisterDyingGaspHandler: wl0 registered
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
AnnexCParam=0x7FFF7E88 AnnexAParam=0x00003987 adsl2=0x00000003
ATM proc init !!!
ADSL G.994 training
ADSL G.992 started
ADSL G.992 channel analysis
ADSL G.992 message exchange
ADSL link down
ADSL G.994 training
ADSL G.992 started
ADSL G.992 channel analysis
ADSL G.992 message exchange
ADSL link up, interleaved, us=1022, ds=16200
First, back up the original flash contents:
# dd if=/dev/mtdblock/1 of=/tmp/mtd1.bin
7808+0 records in
7808+0 records out
# cd /tmp
# mini_httpd -p 1080
 Download http://192.168.0.1:1080/mtd1.bin.
# rm mtd1.bin
# dd if=/dev/mtdblock/0 of=/tmp/mtd0.bin
6680+0 records in
6680+0 records out
Download http://192.168.0.1:1080/mtd0.bin.
# rm mtd0.bin
# dd if=/dev/mtdblock/2 of=/tmp/mtd2.bin
128+0 records in
128+0 records out
# dd if=/dev/mtdblock/3 of=/tmp/mtd3.bin
128+0 records in
128+0 records out
# dd if=/dev/mtdblock/4 of=/tmp/mtd4.bin
128+0 records in
128+0 records out
# dd if=/dev/mtdblock/5 of=/tmp/mtd5.bin
128+0 records in
128+0 records out
Download http://192.168.0.1:1080/mtd2.bin, http://192.168.0.1:1080/mtd3.bin, http://192.168.0.1:1080/mtd4.bin, http://192.168.0.1:1080/mtd5.bin.
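
A check worth running on the workstation before flashing anything, added here as an example (not part of the original post): it parses the partition map from the dmesg output above, confirms that each dd record count at dd's default 512-byte block size covers its whole partition, and applies the same length check to a downloaded file. It assumes mtdblock/N is the Nth partition the kernel listed; the function names and the sample file contents are constructed for illustration.

```python
import re

# Partition map lines as printed in the dmesg output above.
DMESG = '''Creating 6 MTD partitions on "Physically mapped flash":
0x00030100-0x00373100 : "fs"
mtd: partition "fs" doesn't start on an erase block boundary -- force read-only
0x00030000-0x00400000 : "tag+fs+kernel"
0x00000000-0x00010000 : "bootloader"
0x00020000-0x00030000 : "nvram"
0x00000000-0x00010000 : "bootloader"
0x00010000-0x00020000 : "DPF_file"
'''
# "records out" counts from the dd runs above, keyed by mtdblock index.
DD_RECORDS = {0: 6680, 1: 7808, 2: 128, 3: 128, 4: 128, 5: 128}
DD_BLOCK = 512  # dd's default block size when bs= is not given

PART_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"', re.I | re.M)

def parse_partitions(dmesg):
    """Return [(name, start, size)]; list position is the assumed mtdblock index."""
    parts = []
    for m in PART_RE.finditer(dmesg):
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        parts.append((m.group(3), start, end - start))
    return parts

def check_dd_counts(parts, records):
    """Partitions whose dd record count does not cover the full partition."""
    return [f"mtd{i} ({name})" for i, (name, _, size) in enumerate(parts)
            if records.get(i, 0) * DD_BLOCK != size]

def check_download(index, data, parts):
    """Describe a downloaded mtdN.bin: size mismatch, erased flash, or ok."""
    name, _, size = parts[index]
    if len(data) != size:
        return f"mtd{index} ({name}): {len(data)} bytes, expected {size} (truncated?)"
    if data.count(0xFF) == len(data):
        return f"mtd{index} ({name}): erased (all 0xff)"
    return f"mtd{index} ({name}): ok"

if __name__ == "__main__":
    parts = parse_partitions(DMESG)
    print("dd mismatches:", check_dd_counts(parts, DD_RECORDS))
    # Constructed stand-ins for downloaded files; use open(path, "rb").read() instead.
    print(check_download(5, b"\xff" * 0x10000, parts))
    print(check_download(3, b"\x00" * 1000, parts))
```

An empty mismatch list means every dump in the session above was read to the end of its partition; a short file after the HTTP download points at the transfer rather than at dd.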

This router uses CFE. A glance over these flash files shows:
  • mtd0 contains a squashfs filesystem of some kind (~3MB). 
  • mtd1 contains a squashfs filesystem image in CFE format (~3.5MB). The string "SeCoMm" at the end of this file makes me suspect this is just a rebadged Secomm device - yet another reason to steer clear of this device (...if you needed another one).
  • mtd2 contains what looks like a bootloader and/or arguments (64KB).
  • mtd3 contains local system settings (64KB).
  • mtd4 contains a backup of mtd2 (64KB).
  • mtd5 is empty (0xff...) (64KB)
As others have reported, this is similar to the DG834GT device. We've got BCM6348B0 ethernet, Broadcom WiFi and ADSL. So time to give the OpenWRT DG834GT firmware a spin! Download the OpenWRT trunk and build a custom DG834GT firmware:
$ svn co svn://svn.openwrt.org/trunk
$ make menuconfig
Select BCM63xx target
Select Image builder.
Select BCM6348B0 network (built-in)
$ make
$ ls bin/bcm63xx
...
openwrt-DG834GT_DG834PN-jffs2-128k-cfe.bin
openwrt-DG834GT_DG834PN-jffs2-64k-cfe.bin
openwrt-DG834GT_DG834PN-squashfs-cfe.bin
...

I've run out of time tonight and don't want to brick my modem before bed so more firmware flipping fun tomorrow. Fingers crossed!

Edit: Sadly my modem died before I got a chance to finish this (R.I.P you P.O.S.) and given the low build quality I was not interested in replacing it with the same model.  My next steps were going to be to attempt to flash the squashfs-cfe.bin file to the device. If that worked OK and I didn't screw up the ethernet driver options, then look at getting wifi and adsl working. Best of luck and if you give it a go I'd love to hear how you get on.

Edit (20111007): My shiny new Linksys (Cisco) WAG160Nv2 looks to be yet another crappy Secomm device! This time I get poor WiFi performance and random reboots in addition to running very hot. This is better than a hard lock-up but not by much. Sigh... I've switched back to my faithful D-Link DIR-600 WiFi AP running OpenWRT and PPPoE. The Linksys is just running in bridged mode as a modem. Now I have another brand to boycott. Seriously Cisco, I wish you could explain why you bought a decent consumer brand and turned it into a steaming pile of crap... My ancient WRT54G was a brilliant, rock solid device.