DG834G

From Bob's Basement

Intro

This is pretty much a page for notes on naxxtor's experiments on getting a custom firmware, namely OpenWrt, onto a Netgear DG834G router.

BIG SCARY DISCLAIMER: All my testing has been on a DG834G v2, so if you've got a different version then don't rely on anything I reference here!

NOTE: A lot of this stuff is available from the links at the bottom, however I'm consolidating the notes on the subject for group projects and so forth.

The great thing about this router is that it runs Linux natively. It also has a wireless card, a 4-port switch (well, actually it's a 6-port switch, but 2 of the ports are used on board, the other 4 being connected to RJ45 connectors), and an ADSL modem. It uses a MIPS-based processor clocked at 150MHz.

processor               : 0
cpu model               : MIPS 4KEc V4.8
BogoMIPS                : 149.91
wait instruction        : no
microsecond timers      : yes
extra interrupt vector  : yes
hardware watchpoint     : yes
VCED exceptions         : not available
VCEI exceptions         : not available

It's got 16MB of RAM and 4MB of ROM

# cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  14802944 13271040  1531904        0  1687552  4358144
Swap:        0        0        0
MemTotal:        14456 kB
MemFree:          1496 kB
MemShared:           0 kB
Buffers:          1648 kB
Cached:           4256 kB
SwapCached:          0 kB
Active:           2296 kB
Inactive:         5184 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        14456 kB
LowFree:          1496 kB
SwapTotal:           0 kB
SwapFree:            0 kB

Preparations

First of all I enabled debug mode on the router by going to http://10.0.0.3/setup.cgi?todo=debug where I'm prompted for a username and password. Once this has been entered, a message saying "Debug enable!" is displayed. You can then telnet into the router on the usual telnet port. You'll be presented with a busybox prompt (yay!).

Modifying ADAM2

ADAM2 is the name of the bootloader on the DG834G, and in order for it to boot non-checksummed firmwares we need to modify it.

Backing up

Before modifying the firmware it's a really good idea to back up the old firmware in case you screw things up. This is pretty easy to do once you've enabled the busybox prompt (see Preparations).

  • Telnet into the router and get your busybox prompt.
  • cd to /tmp (this is the only writable part of the filesystem) and dump the current partitions to binary files
# cat /dev/mtdblock/0 > mtd0.bin
# cat /dev/mtdblock/1 > mtd1.bin
# cat /dev/mtdblock/2 > mtd2.bin
# cat /dev/mtdblock/3 > mtd3.bin
# cat /dev/mtdblock/4 > mtd4.bin
  • Start a http server on an odd port
# mini_httpd -p 8080

Now you should be able to browse to http://10.0.0.3:8080/ and have a file listing, which includes your binary images for download. Grab em while you can.

Patching ADAM2

Now the fun part. First of all, do a md5sum on mtd2.bin. It should be

0530bfdf00ec155f4182afd70da028c1

If not then you're on your own.

If you're good to go, then open up mtd2.bin in a hex editor (say, hexedit, Hex Workshop, Axe, gHex, whatever)

Go to offset 0x3944, and you should see

44 09 00 0C

This is the bit that makes the bootloader fail out after identifying a failed checksum. For the interested, under MIPS this is

jal 0x90002510

This is a J-type instruction (jump and link), which "jumps" to the 32-bit address 0x90002510. This (presumably) jumps to some sort of failure code that outputs the error through the serial console and puts the machine into a failsafe mode (where all the "external" devices like the switch, wireless card and ADSL modem are powered up, but not interconnected; seems odd I know, but this is indeed the case).

Once you've applied this patch, save it and md5sum it. It should be ...

d8a2f4623bf6f64b7427812f0e849aa7
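
As an added example (not part of the original notes), this Python check classifies an mtd2 image against the two MD5 sums quoted above and decodes the little-endian word at 0x3944 to confirm it is the `jal` described. The function names are illustrative, and the 0x90000000 load address is an assumption chosen to match the jump target given on this page.

```python
import hashlib
import struct

# Values quoted on this page (DG834G v2 only).
PATCH_OFFSET = 0x3944
EXPECTED_BYTES = bytes.fromhex("4409000C")
MD5_ORIGINAL = "0530bfdf00ec155f4182afd70da028c1"
MD5_PATCHED = "d8a2f4623bf6f64b7427812f0e849aa7"

# Assumption: mtd2 is mapped at 0x90000000, so file offset N runs at BASE + N.
ASSUMED_BASE = 0x90000000


def decode_jal(word_le: bytes, pc: int):
    """Decode a little-endian MIPS word; return the jal target or None."""
    (word,) = struct.unpack("<I", word_le)
    if word >> 26 != 0b000011:  # J-type opcode 3 = jal
        return None
    # Target = top 4 bits of the delay-slot address | (26-bit index << 2).
    return ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)


def classify_image(image: bytes) -> dict:
    """Report which of the page's two known states an mtd2 image is in."""
    digest = hashlib.md5(image).hexdigest()
    word = image[PATCH_OFFSET:PATCH_OFFSET + 4]
    target = decode_jal(word, ASSUMED_BASE + PATCH_OFFSET) if len(word) == 4 else None
    if digest == MD5_ORIGINAL:
        state = "original"
    elif digest == MD5_PATCHED:
        state = "patched"
    else:
        state = "unknown"  # different hardware/firmware revision, or a bad dump
    return {"md5": digest, "state": state, "word": word.hex(), "jal_target": target}


if __name__ == "__main__":
    # Constructed 64 KiB stand-in for mtd2.bin: zeros plus the page's four bytes.
    sample = bytearray(0x10000)
    sample[PATCH_OFFSET:PATCH_OFFSET + 4] = EXPECTED_BYTES
    report = classify_image(bytes(sample))
    print(report["state"], report["word"], hex(report["jal_target"]))
```

An image that reports `unknown` is neither of the two files this page describes and should not be written to /dev/mtdblock/2.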

Rename the file (I changed it to mtd2-patch.bin). Then we have to reflash ADAM2 to the new version

Flashing ADAM2

!!! THIS BIT COULD BRICK YOUR ROUTER !!!

The latest Netgear firmware for this router has wget built into busybox. So, simply set up an httpd on your machine (thttpd is great for this) and then ...

# wget http://10.0.0.200/mtd2-patch.bin
# dd if=mtd2-patch.bin of=/dev/mtdblock/2

With some luck this should go ok (pray to the Power gods to be nice to you and not to have a powercut during the dd process). `exit` from the shell, and turn the router off, then back on again. Hopefully, your router should boot up as normal! The only difference is that the bootloader won't be checking for checksums - or rather it will but if it finds an invalid one it won't abort the boot process.

Building OpenWrt

AR7 isn't officially supported by OpenWrt yet, so we need to check out the development tree. So, let's fire up subversion and check it out to the directory of your choice.

$ svn checkout https://svn.openwrt.org/openwrt/trunk/ .

Then we need to configure it

$ make menuconfig

`WORK IN PROGRESS` : I'm not sure of a "known working" configuration yet, so I won't say anything about this process yet.

Once you've configured everything, make sure you've got an active Internet connection and do this:

$ make V=99 world download

The `V=99` should make it show you everything that it's doing, and `download` should make `make` download any missing packages.

A few minutes later you should have some compiled binaries in the bin/ directory. The one we're looking for will be called `openwrt-ar7-2.6-squashfs.bin` (or something similar).

Now to flash the new firmware into place.

Flashing OpenWrt

By far the easiest way to flash the firmware is using the ADAM2 FTP interface. Getting to this is a little tricky.

ADAM2 will probably not have an IP address configured initially. So enable debugging, log into busybox and do the following to set the IP:

# echo "my_ipaddress 192.168.0.1" > /proc/sys/dev/adam2/environment

Set this IP to whatever you like (and will work with your IP settings).

  • Pull the power from the router
  • Ready the command `ftp 192.168.0.1` on another box
  • Power up the router
  • Wait about 2 seconds
  • Run the FTP command

You should be greeted by an FTP login screen to ADAM2. The username is adam2, and the password is also adam2. At this point you have FTP access to the bootloader.

There are 2 methods for flashing the firmware. You could either split the image into two and write it into mtd0 and mtd1, or you could make a new partition, mtd5, which overwrites both.


This is the point I have got up to, and I've had no success from here on. If you want to keep going, I say look at the articles on the OpenWrt wiki on the DG834, and note the exceptions about this device.

Useful Links