OpenWrt Forum Archive

Topic: WGR614v5 - In search of a back door...

The content of this topic has been archived on 8 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Well, I was hoping for one of the Atheros models, strangely enough, but I landed one of these instead.  I'm presently on the hunt for any trick to gain access without opening the case.  (Too lazy to solder, up for the challenge...)

So far, it's obvious that it's listening on port 23 by default (though rejecting telnet connections), and that netgear.cfg contains many environment variables used by the vxWorks preload and associated software.

It's also obvious that there are quite a few CGI scripts present to handle the interface... and perhaps even some 'secret' ones or options thereto, judging by other Netgear products?

So... While I'll continue to poke and prod, may I ask anyone who *has* gotten in via the serial method to provide some hint of what's present?  Is it possible to get something like a ls -R of the filesystem?  Some hint of what's /reading/ those nvram variables would be nice.... (Could telnet access be as easy as a shell ` ` injection? ... Is there even a real telnetd present in the ROM?)

-Thanks!

More teaser info -- I just got impatient and popped mine open, and lo - there're solder points for two vertical-style USB connectors!  (similar to the one seen on this Asus WL-500G -- thanks to the Wiki for the link.)

Downside is that a number of passives are missing that would be required to connect these (B304/B305, B301/B303, and probably at least B302, U303, and the small mess of parts around that -- are 'B' parts just bridges?), not to mention software, software, software.

This board is a U12H029 REV:4 LF by the silkscreen, and a U12H029T00 by sticker.

...And even more news:  the U303 pad seems to be intended for an AP1212 or AP1210 USB switch part, with two quirks -- the power pad nearby is +12V straight from the DC input, not +5, and I can't determine if the 'enable' lines are wired through to anything.  The USB data pairs run through the R306/R307 and R301/R302 areas, respectively -- something will have to happen to complete the circuit there, too (USB termination + whatever padding the chip needs).

All this remains academic as I wait to start attacking the thing via serial, but the power quirk has me puzzled.  Is there something pin-compatible to the AP1212 that includes a voltage regulator?  Did the designers just assume a regulated 5V supply would be used?  (What's the output voltage on the power bricks for the USB-enabled models?)

Can You post some photos from the board? I'm currently trying to get the v6 to accept a kerel image to make NFSrooting possible. If USB is also possible, that would make things easier.

On the v6, I've only found a 12pin connector, which is the serial port.

My camera sucks, but I'll see what I can do and edit something in here later.  The USB pads are right behind the vent holes, between the reset button and WAN port, unmistakable on my V5.

Edit:  These came out even worse than I expected, so I'll leave them over here.  I've tried to highlight the USB pads, U303 beneath them, and 12 pin serial header, not that it makes the closeup version any more intelligible.

(Last edited by Floid on 23 Oct 2005, 10:57)

Hmz.. The layout is different, and the v6 is missing those pads. Anyway, can You check, if Your v5 tries to download a file called "vxWorks" from tftp on bootup? Just run a tftp server, and check the messages.

Thanks!

tcpdump: listening on fxp0, link-type EN10MB (Ethernet), capture size 1500 bytes
13:56:10.725318 arp who-has 192.168.1.2 tell 192.168.1.1
13:56:10.725410 arp reply 192.168.1.2 is-at XX:XX:XX:XX:XX:XX
13:56:10.726341 IP (tos 0x0, ttl 100, id 1, offset 0, flags [none], length: 44) 192.168.1.1.2446 > 192.168.1.2.tftp: [udp sum ok]  16 RRQ "vxworks" octet 
13:56:10.726481 IP (tos 0x0, ttl  64, id 60217, offset 0, flags [none], length: 56) 192.168.1.2 > 192.168.1.1: icmp 36: 192.168.1.2 udp port tftp unreachable
13:56:10.726929 IP (tos 0x0, ttl 100, id 2, offset 0, flags [none], length: 44) 192.168.1.1.2446 > 192.168.1.2.tftp: [udp sum ok]  16 RRQ "vxworks" octet 
13:56:10.727028 IP (tos 0x0, ttl  64, id 50731, offset 0, flags [none], length: 56) 192.168.1.2 > 192.168.1.1: icmp 36: 192.168.1.2 udp port tftp unreachable
...

Why yes, I'd say it does. smile

Edit: Is there a photo of the v6 layout anywhere?  This asked right before I check the wiki...

(Last edited by Floid on 23 Oct 2005, 19:04)

Floid wrote:

Why yes, I'd say it does. smile

Edit: Is there a photo of the v6 layout anywhere?  This asked right before I check the wiki...

Yay! If it works the same way, You can tftpboot with it without any risk like on the v5 (okay, theoritically, I need to create an nfsroot first).

I didn't make a photo yet, but I try to get a camera smile

I should be able to take photos later this week or weekend if Kaloz doesn't beat me to it!      smile

WGR614v6 photo:
http://www.tahoma.com/~wrtinfo/netgearwgt614v6.jpg

Erik

(Last edited by beckolamuffin on 26 Dec 2005, 21:37)

I've got a WGR614v5 as well. I've gotten the serial port to work as well using an inverting op-amp circuit and an inverting summing op-amp. I'll draw up the schematic if anyone wants but I think there's enough info on how to go the 74HC14 route. My circuit's not much safer than the 74HC14 either. However I haven't been able to detect any traces of the tftp requests. I've used tcpdump listening during boot up on both the WAN port and the regular LAN ports. I only get ARP and DHCP requests. I'm hoping to make some progress on getting OpenWRT on this thing and in a usable state along with a custom TCP/IP application. But I don't have my hopes up- just getting a usable shell would be amazing! Here are some pictures I took to help augment the ones Floid took.

Small version of a close up of the USB pads.
http://tzilla.is-a-geek.com/galleries/wgr614v5/WGR614v5-usb-pads-small.jpg

Small version of the router and circuit board.
http://tzilla.is-a-geek.com/galleries/wgr614v5/WGR614v5-circuit-router-small.jpg

The full 3MP pictures are at http://tzilla.is-a-geek.com/galleries/w … router.jpg and http://tzilla.is-a-geek.com/galleries/w … b-pads.jpg .

Please feel free to PM me.

(Last edited by aliasptr on 30 Oct 2005, 04:37)

beckolamuffin wrote:

I have posted a photo at the following URL:

http://www.tahoma.com/~erikbeck/

Wow, at first glance, that's lame -- the only 'benefit' I see to that layout is the total loss/obfuscation of any hope for USB... and of course, the switch to the 5352 with whatever new feature that brings.  Perhaps the bottom of the board holds more secrets? ... How many traces run to the 12-pin header on that variant? 

(The bottom of the V5 is boring unless anyone's interested in the other 3 traces to the JTAG.)

D-Ying are just a PCB manufacturing firm, boringly enough, not an engineer we can try to shake down for information. wink

---

Also, I've gone over some packet dumps with aliasptr, and it seems 192.168.1.2 is fixed in the firmware by default -- if you want to tftp to at least the v5, your server must reside at that address on the LAN side.

The discussion might have continued from here.