Has anyone managed to get OpenWRT on the Netgear WN604 AP? It apparently is the same hardware as the the WNR1000v2 and WNR612v2, but telnet enable doesn't seem to work unfortunately. Also applying OpenWRT via OEM firmware update also fails with an error in the web GUI.

Many thanks!

SaltwaterC has produced a working image for WNR1000v2 - see this thread.

For the WN604, some progress is that the same image can be flashed via TFTP method, so the magic number is also 0x31303031 as well, however the router cannot then boot. Here's the serial console output.

U-Boot 1.1.4-g12193fce-dirty (Dec 14 2009 - 13:39:19)

WN604 (ar7240) U-boot dni7 V0.8
...
## Booting image at 9f050000 ...
   Image Name:   MIPS OpenWrt Linux-3.10.49
   Created:      2015-01-24  22:37:25 UTC
   Image Type:   MIPS Linux Unknown Image (uncompressed)
   Data Size:    1123328 Bytes =  1.1 MB
   Load Address: bf070000
   Entry Point:  bf070000
   Verifying Checksum ... OK
Wrong Image Type for bootm command
Trying eth1
eth1 link down
FAIL
Trying eth0
eth0 link down
FAIL

The Router is in TFTP Server Firmware Recovery mode NOW!
Listening on Port : 69, IP Address: 192.168.1.1...

Here is the boot from the factory firmware:

## Booting image at 9f050000 ...
   Image Name:   Linux Kernel
   Created:      2012-02-16  11:08:50 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    655360 Bytes = 640 kB
   Load Address: 80002000
   Entry Point:  801b8000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 801b8000) ...
## Giving linux memsize in bytes, 33554432

Starting kernel ...

Booting AR7240(Python)...
Linux version 2.6.15--LSDK-7.3.0.387-WN604_V3.0.2 (root@build) (gcc version 3.4.4) #199 Thu Feb 16 16:35:45 IST 2012
flash_size passed from bootloader = 4

So the issue is the 'Wrong Image Type for bootm command'. Here is the bdinfo:

ar7240> bdinfo
boot_params = 0x81F67FA4
memstart    = 0x80000000
memsize     = 0x02000000
flashstart  = 0x9F000000
flashsize   = 0x00400000
flashoffset = 0x0003BE38

And, printenv:

ar7240> printenv
bootdelay=4
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
filesize=a0040
fileaddr=80800000
memtmp_addr=0x80800000
download=tftp
serverip=192.168.1.12 [your tftpservers IP]
ipaddr=192.168.1.11 [ Ip of the board]
uboot_size=+0x40000
uboot_addr=0x9f000000
erase_uimage=erase ${uboot_addr} ${uboot_size}
uimage=${download} ${memtmp_addr} u-boot.bin;run erase_uimage;cp.b ${memtmp_addr} ${uboot_addr} ${filesize}
kimagename=vmlinux.lzma.uImage
kernel_addr=0x9f050000
kernel_size=+0xB0000
erase_kimage=erase ${kernel_addr} ${kernel_size}
kimage=${download} ${memtmp_addr} ${kimagename};run erase_kimage;cp.b ${memtmp_addr} ${kernel_addr} ${filesize}
rimagename=rootfs.squashfs
rootfs_addr=0x9f100000
rootfs_size=+0x290000
erase_rimage=erase ${rootfs_addr} ${rootfs_size}
rimage=${download} ${memtmp_addr}  ${rimagename};run erase_rimage;cp.b ${memtmp_addr} ${rootfs_addr} ${filesize}
clear_var=era 0x9f390000 +0x50000
bootargs=console=ttyS0,115200 rootfstype=squashfs root=31:03 init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),704k(kernel),2624k(rootfs),320k(var),64k(manufacturing-data),64k(ART)
flash_rootfs=run rimage
flash_kernel=run kimage
flash_all=run flash_kernel flash_rootfs clear_var
bootcmd=bootm 0x9f050000
stdin=serial
stdout=serial
stderr=serial
ethact=eth1

Environment size: 1293/65532 bytes
ar7240> printenv
Unknown command 'printenv' - try 'help'
ar7240> printenv
bootdelay=4
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
filesize=a0040
fileaddr=80800000
memtmp_addr=0x80800000
download=tftp
serverip=192.168.1.12 [your tftpservers IP]
ipaddr=192.168.1.11 [ Ip of the board]
uboot_size=+0x40000
uboot_addr=0x9f000000
erase_uimage=erase ${uboot_addr} ${uboot_size}
uimage=${download} ${memtmp_addr} u-boot.bin;run erase_uimage;cp.b ${memtmp_addr} ${uboot_addr} ${filesize}
kimagename=vmlinux.lzma.uImage
kernel_addr=0x9f050000
kernel_size=+0xB0000
erase_kimage=erase ${kernel_addr} ${kernel_size}
kimage=${download} ${memtmp_addr} ${kimagename};run erase_kimage;cp.b ${memtmp_addr} ${kernel_addr} ${filesize}
rimagename=rootfs.squashfs
rootfs_addr=0x9f100000
rootfs_size=+0x290000
erase_rimage=erase ${rootfs_addr} ${rootfs_size}
rimage=${download} ${memtmp_addr}  ${rimagename};run erase_rimage;cp.b ${memtmp_addr} ${rootfs_addr} ${filesize}
clear_var=era 0x9f390000 +0x50000
bootargs=console=ttyS0,115200 rootfstype=squashfs root=31:03 init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),704k(kernel),2624k(rootfs),320k(var),64k(manufacturing-data),64k(ART)
flash_rootfs=run rimage
flash_kernel=run kimage
flash_all=run flash_kernel flash_rootfs clear_var
bootcmd=bootm 0x9f050000
stdin=serial
stdout=serial
stderr=serial
ethact=eth1

Environment size: 1293/65532 bytes

So it looks that the configured sizes are the issue? As the OpenWRT kernel, at 1.1MB, is too big for the 704KB allowed in the configuration:

kernel_addr=0x9f050000
kernel_size=+0xB0000
erase_kimage=erase ${kernel_addr} ${kernel_size}
rimagename=rootfs.squashfs
rootfs_addr=0x9f100000
rootfs_size=+0x290000

Can this be fixed by setenv/saveenv commands? Or, is it possible to reduce the size of the kernel image to suit somehow?

(Last edited by J1mbo on 27 Jan 2015, 09:27)

Well, based on what printenv is saying and how the firmware archive looks like for WN604 (separated files for kernel and rootfs), I don't think it uses any "magic number" at all.

Interesting, I assumed the number was important as it wouldn't accept the version of the firmware with 1000 set.

So it seems I understand even less about all this than I thought

(Last edited by J1mbo on 28 Jan 2015, 09:20)

Got this going now In the end it's quite simple but you need the serial console. Process is:

1. Connect via serial console.
2. Boot up into recovery mode by holding the reset button until green light flashes fast (and "The Router is in TFTP Server Firmware Recovery mode NOW!" appear on the serial console)
3. Transfer by TFTP the firmware image for WNR1000v2
4. When the device restarts, interrupt the boot process when prompted by pressing any key
5. Enter some commands to update the boot environment
6. Done! Reboot the device and telnet to 192.168.1.1 and set it up as you need.

For now, the firmware files are available here (hopefully WNR1000v2 will be a supported device in the future).

Serial pinout is here; I only needed TX/RX/Gnd connected and the header is already there.

Once the firmware file has been transferred, the commands required on the console are:

ar7240> setenv bootargs "squashfs init=/etc/preinit mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),3328k(rootfs),64k(config),128k(language_table),64k(pot),64k(traffic_meter),64k(ART),3473344@327744(mount_fs)"
ar7240> setenv bootcmd "fsload 80800000 image/uImage;bootm 80800000"
ar7240> saveenv
Saving Environment to Flash...
Protect off 9F040000 ... 9F04FFFF
Un-Protecting sectors 4..4 in bank 1
Un-Protected 1 sectors
Erasing Flash...Erase Flash from 0x9f040000 to 0x9f04ffff in Bank # 1 
First 0x4 last 0x4 sector size 0x10000
   4
Erased 1 sectors
Writing to Flash... write addr: 9f040000
done
Protecting sectors 4..4 in bank 1
Protected 1 sectors
ar7240> 

This updates the bootargs and bootcmd line (factory original lines are posted higher up in this thread already); 3328k(rootfs) replaces the factory 704k(kernel),2624k(rootfs) parameters. The other information has been extracted from the environment variables set in the WNR1000v2 here.

Since the device only has 4MB flash there is very little free space available, however these are decent enough devices just crippled by utterly useless factory firmware.

For use as an AP with N150, disable firewall and dnsmasq:

cd /etc/init.d
chmod -x dnsmasq
chmod -x firewall

Set up the wireless - sample

/etc/config/wireless

(edit with vi):

config wifi-device  radio0
    option type     mac80211
    option channel  11
    option hwmode    11g
    option path    'pci0000:00/0000:00:00.0'
        option htmode 'HT40-'
        list ht_capab 'SHORT-GI-40'
        list ht_capab 'TX-STBC'
        list ht_capab 'RX-STBC1'
        list ht_capab 'DSSS_CCK-40'
        # option noscan '1'
        option txpower '12'
        option country 'GB'
    # option disabled '1'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option ssid 'YourSSID'
        option wmm '1'
        option encryption 'mixed-psk+tkip+ccmp'
        option key 'YourPassword'
        option dtim_period '1'
        option short_preamble '1'

WAN lines from network config file can be rem'd out as the device doesn't have a WAN port fitted. All wired connections seem to appear as eth1 so I'm also not sure if there is a programmable switch as such.

Anyway, hopefully that will help someone

To add, the profile for WNR1000v2 in trunk builds OK for the WN604 (subject to the boot variables change). By excluding the firewall, IPv6 and other router bits there is a bit more space available then too (about 700KB).

J1mbo, thanks so much for this post. I'm a newb but I managed to follow all of your steps and get barrier breaker installed on my WN604's.

I was given 10 on these units recently from a company that had deployed them only to discover how useless the factory firmware was. I've been running them on OpenWRT without a hitch.

You the man!

Congratulations for getting the device working under OpenWrt.

It is, since r44221.

I think it may be used as a router if you repurpose one of the LAN ports. AR7240 (same SoC as WNR1000v2) has a five port switch, but with only four wired ports on WN604.

Interesting, how would that be done?

Sorry for the delay. I was a little bit busy this week.

If this is possible, you need to play with the switch config (/etc/config/network). A good starting point is the wiki page about the switch: http://wiki.openwrt.org/doc/uci/network/switch

In fact, when I researched the switch config, I was looking for turning an ordinary router into a dual-wan device. Eventually I ended up buying a router that does this out of the box (Cisco RV042G), but I remember reading these pages:

http://wiki.openwrt.org/doc/uci/multiwan
http://wiki.openwrt.org/doc/howto/multiwan.failower

They contain information about configuring a WAN port from a previous LAN port.

However, I started my first statement with an "if" because I checked the switch config from WNR1000v2. I don't see any tagged ports there, and the WAN and LAN have distinct network interfaces which suggests that WN604 may not support this kind of configuration. Unless you're a network wizard (I know I ain't), experimenting with the device is the only way to find out. Unfortunately, the answer is from the realm of trial and error.

For the record, this is the switch config from WNR1000v2:

Thanks, I will check this out!

I have two of these from a failed wireless access point install, as the stock firmware is useless.

Will see if I can tftp to Openwrt

working perfectly, thank you

that prepopulated serial header makes it a breeze

I've been using the WN604 as a layer-3 switch for some lab work. It works OK as such, but there is one gotcha... all defined vlan interfaces appear with the same MAC address unless you tell it otherwise! So for each interface definition, we need a macaddr line.

Switch port 0 is the link to the CPU and the accessible port numbers in software match the labels on the device (1-4).

seems to be a lot of packages you can remove from this, if using as a wireless access point.

anyone using the chaos calmer build?

Hi J1mbo,

We could remove dnsmasq and firewall from the wn604 image, this would free up more space, in fact, it may be possible to strip the image down to about 212K if I'm reading this correctly: https://ohnomoregadgets.wordpress.com/2 … re-images/

a minimal image would include telnet, ssh and wifi, and optional luci

The WNR1000v2 is fully supported in Chaos Calmer, it is available here http://downloads.openwrt.org/chaos_calm … x/generic/

this image works perfectly on the WNR604 and resolves a lot of issues with the Barrier Breaker build.

To use the WN604 as an access point (and switch) only with OpenWRT, Image Generator can be used to build a cut-down install for the WN604. With the stock WNR1000V2 image, there is only about 200KB free which, for example, is not enough to replace wpad-mini with hostapd via opkg.

'AP' build with hostapd (and nano to ease configuration) like so:

make image PROFILE=WNR1000V2 PACKAGES="hostapd nano -wpad-mini -firewall -dnsmasq -ip6tables -kmod-pppoe -ppp -ppp-mod-pppoe -odhcpd -odhcp6c -kmod-ppp -kmod-ipt-nat -kmod-ipv6 -kmod-nf-conntrack6 -kmod-nf-conntrack -kmod-ipt-conntrack -kmod-ipt-core -iptables -kmod-nf-ipt -kmod-nf-ipt6 -kmod-nf-nathelper -kmod-pppox -luci-proto-ipv6 -luci-proto-ppp"

This leaves 876K free.

I’m currently running LEDE 17.01.4 r3560 successfully on a WNR1000V2-VC. I built the image using Image Builder and removed packages so the final size is ~3.4MB. If an image is much larger than that the device will bootloop or not preserve settings upon reboot.

Search the LEDE forum for details.