Sunday, August 28, 2016

Hacking the Cisco/Linksys WRT52G Wireless Router

I have been trying to hack on my old Wireless Access Point (Cisco/Linksys WRT52G) pretty much ever since I got done with the Leviton from last year. Finally, something clicked today and I got in!

Couple of caveats before I get going:

  • Make sure you ground the Bus Pirate to the board, or you will get noise in the UART output.
  • When trying to find the UART RX pin, start with a multimeter and find all of the pins that have some voltage on them. Then either go straight to an oscilloscope, or keep using the multimeter and watch for any drop in voltage while the device boots. The multimeter will not show it going to 0v, because the dip to 0v is too quick for the meter to register, but on an oscilloscope you will see it go to 0v, which confirms the pin.
  • If the jumpers are just pads, once you find the RX pad, solder on a header so you can have your hands free to find the appropriate TX pad.

OK, on to the WRT52G.

Pretty barren inside, as you can see below, but there are two headers, J8 and J9. Looking at the 14 pins on J8 and 5 on J9, J9 looked a bit more interesting. Pin 1 (left-most) was 3.3v, pin 2 = 2.5v, pin 3 = 1.2v and the others were 0v. Found pin 2 to be the RX and pin 3 the TX.

J9 pinout (pin 1 left-most):
  pin 1 - 3.3v
  pin 2 - RX (2.5v)
  pin 3 - TX (1.2v)
  pin 4 - 0v
  pin 5 - 0v


Here is the initial boot sequence. You see that “BOARD IS NOT CALIBRATED”???? Yeah, I accidentally pasted a bunch of text into the device and, lo and behold, there is a command to erase the config… Oops… Well, you can still enter a ‘@’ and it boots to my old config… (This is kind of long output, be sure to scroll down for more of the blog):

VxWorks System Boot
CPU: WRT54G2
Creation date: Apr 16 2009, 14:56:12




Press any key to stop auto-boot...
0
auto-booting...

BOARD IS NOT CALIBRATED!!!

boot device          : ae
unit number          : 1
processor number     : 0
host name            : host
file name            : APIMG1
inet on ethernet (e) : 192.168.1.20:0xffffff00
host inet (h)        : 192.168.1.254
flags (f)            : 0x80

Attaching interface lo0... done
ATHRS26: resetting s26
ATHRS26: s26 reset done
Attached IPv4 interface to ae unit 1
Loading... ERR [TFTP] tftpSend:424: Transfer Timed Out.
ERR [TFTP] tftpGet:996: File transfer error.
Erroneous header read

Error loading file: errno = 0x610001.
Can't load ART file!!

[VxWorks Boot]: @

boot device          : tffs:
unit number          : 0
processor number     : 0
host name            : host
file name            : /fl/vxWorks.bin
inet on ethernet (e) : 192.168.1.1:ffffff00
host inet (h)        : 192.168.1.100
user (u)             : target
flags (f)            : 0x8
target name (tn)     : targetname

Attaching to TFFS... done.
Loading /fl/vxWorks.bin...1169376
Starting at 0x80501a24...

usrNetDevNameGet: no network device
Attaching interface lo0... done
ATHRS26: resetting s26
ATHRS26: s26 reset done

Adding 8772 symbols for standalone.


]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
     ]]]]]]]]]]]  ]]]]     ]]]]]]]]]]       ]]              ]]]]         (R)
]     ]]]]]]]]]  ]]]]]]     ]]]]]]]]       ]]               ]]]]
]]     ]]]]]]]  ]]]]]]]]     ]]]]]] ]     ]]                ]]]]
]]]     ]]]]] ]    ]]]  ]     ]]]] ]]]   ]]]]]]]]]  ]]]] ]] ]]]]  ]]   ]]]]]
]]]]     ]]]  ]]    ]  ]]]     ]] ] ]]]]]]   ]] ]]]]]]] ]]]] ]]   ]]]]
]]]]]     ]  ]]]]     ]]]]]      ]]]]]]]] ]]]]   ]] ]]]]    ]]]]]]]    ]]]]
]]]]]]      ]]]]]     ]]]]]]    ]  ]]]]]  ]]]]   ]] ]]]]    ]]]]]]]]    ]]]]
]]]]]]]    ]]]]]  ]    ]]]]]]  ]    ]]]   ]  ]] ]]]]    ]]]] ]]]]    ]]]]
]]]]]]]]  ]]]]]  ]]]    ]]]]]]]      ]     ]]]]]]]  ]]]]    ]]]]  ]]]] ]]]]]
]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
]]]]]]]]]]]]]]]]]]]]]]]]]]]]]       Development System
]]]]]]]]]]]]]]]]]]]]]]]]]]]]
]]]]]]]]]]]]]]]]]]]]]]       VxWorks version 5.5
]]]]]]]]]]]]]]]]]]]]]]]]]]       KERNEL: WIND version 2.6
]]]]]]]]]]]]]]]]]]]]]]]]]       Copyright Wind River Systems, Inc., 1984-2002

                              CPU: WRT54G2.  Processor #0.
                             Memory Size: 0x1000000.  Bersion 1.0.

/fl/  - Volume is OK
Detect: eth wan(ae0) has been loaded to MUX layer
Detect: eth lan(ae1) has been loaded to MUX layer
pingLog.txt exist.
tracertLog.txt exist.
-> Http Server Start!
DHCP server started.
Dhcps_IpStart=192.168.1.100
Dhcps_IpEnd=192.168.1.109
temp =snmk=255.255.255.0:rout=192.168.1.1:dnsv=192.168.1.1 8.8.8.8 208.67.222.222:dnsd=localnet.localdomain:maxl=3600:dfll=86400
can't get ifpWAN | ifpLAN
DMZ disable
remote management disable
Filter Internet NAT Redirection  enabled!!!
FTP ALG registered with NAT
RTSP ALG registered with NAT
H323 ALG registered with NAT
Msn ALG registered with NAT
SNMP ALG registered with NAT
NAT configuration and initialization complete!
PPPOE init......seccess
L2TP init......seccess
PPTP init......seccess
APCFG task id 80c463f0
[system is runing for 5 seconds] MSG_WAN_SHOULD_START
WAN TYPE:DHCP

usrDhcpcStart Start...

usrDhcpcStart End
sysWlanInit ...
check PIN ...
get pin from broaddata...
Reading Flash
Setting the IP address
AP_IPADDR=192.168.1.1
Bridge IP Address: 192.168.1.1
Entering Task Loop
LLTD: wireless interface argument is ath0.
Start Create MEM Drv to LLTD ico
AP_AUTOSTART=1
Automatic WLAN start!
sending message 80c1a430,10
Starting WLAN !!!!
AP_ENABLE=1
ATH_COUNTRYCODE=840

Tlb Load Exception
Exception Program Counter: 0x8001c934
Status Register: 0x0000f401
Cause Register: 0x00000008
Access Address : 0x00002cc0
Task: 0x80c463f0 "tAPCfg"

!!! Create Trap Monitor Task !!

So, a couple of things. You can see in the first 10% or so of the output a [VxWorks Boot]: prompt (you get it by hitting any key within the first couple of seconds of the boot). The following commands are available - be careful with some of them like F, L, E, etc. - I know my pasting of random text (by accident, damn SecureCRT and its right-click-and-paste…) formatted some things that I really did not want formatted…:

[VxWorks Boot]: h

?                     - print this list
@                     - boot (load and go)
p                     - print boot params
c                     - change boot params
d adrs[,n]            - display memory
m adrs                - modify memory
e                     - print fatal exception
v                     - print boot logo with version
S                     - show board data
B                     - change board data
R                     - reboot
E                     - erase board data
F                     - quick format on the file system
L                     - low level format on file system
C                     - clean up Radio's EEPROM configuration
O                     - save R's EEPROM configuration to file
T                     - restore Radio's EEPROM configuration from file
n netif               - print network interface device address
$dev(0,procnum)host:/file h=# e=# b=# g=# u=usr [pw=passwd] f=#
                     tn=targetname s=script o=other
boot device: tffs=drive,removable     file name: /tffs0/vxWorks
Boot flags:
  0x02  - load local system symbols
  0x04  - don't autoboot
  0x08  - quick autoboot (no countdown)
  0x20  - disable login security
  0x40  - autoconfigure: NOT AVAILABLE (no method installed)
  0x80  - use tftp to get boot image
  0x100 - use proxy arp

available boot devices:Enhanced Network Devices
ae0 ae1 tffs


On a normal boot, hit enter a couple of times and you will get the shell prompt (->). Type in ‘help’ to see what can be used:

-> help

help                           Print this list
ioHelp                         Print I/O utilities help info
dbgHelp                        Print debugger help info
nfsHelp                        Print nfs help info
netHelp                        Print network help info
spyHelp                        Print task histogrammer help info
timexHelp                      Print execution timer help info
h         [n]                  Print (or set) shell history
i         [task]               Summary of tasks' TCBs
ti        task                 Complete info on TCB for task
sp        adr,args...          Spawn a task, pri=100, opt=0x19, stk=20000
taskSpawn name,pri,opt,stk,adr,args... Spawn a task
td        task                 Delete a task
ts        task                 Suspend a task
tr        task                 Resume a task
d         [adr[,nunits[,width]]] Display memory
m         adr[,width]          Modify memory
mRegs     [reg[,task]]         Modify a task's registers interactively
pc        [task]               Return task's program counter

Type <CR> to continue, Q<CR> to stop:

iam       "user"[,"passwd"]    Set user name and passwd
whoami                         Print user name
devs                           List devices
ld        [syms[,noAbort][,"name"]] Load stdin, or file, into memory
                               (syms = add symbols to table:
                               -1 = none, 0 = globals, 1 = all)
lkup      ["substr"]           List symbols in system symbol table
lkAddr    address              List symbol table entries near address
checkStack  [task]             List task stack sizes and usage
printErrno  value              Print the name of a status value
period    secs,adr,args...     Spawn task to call function periodically
repeat    n,adr,args...        Spawn task to call function n times (0=forever)
version                        Print VxWorks version info, and boot line

NOTE:  Arguments specifying 'task' can be either task ID or name.

value = 1 = 0x1


So, play around with some of the commands, but obviously the most interesting ones are reading (‘d’) and writing (‘m’) memory:

-> d 0x80001000
80001000:  1000 0023 0000 0000 0000 0000 0000 0000   *...#............*
80001010:  4e4f 524d 414c 5f43 4f44 455f 4441 5441   *NORMAL_CODE_DATA*
80001020:  0805 0001 4732 5633 244c 414e 4750 4143   *....G2V3$LANGPAC*
80001030:  4b5f 434f 4445 5f44 4154 413d 0100 0001   *K_CODE_DATA=....*
80001040:  244d 4f44 454c 5f4e 414d 453d 5752 5435   *$MODEL_NAME=WRT5*
80001050:  3447 3200 244f 454d 5f4e 414d 453d 4c49   *4G2.$OEM_NAME=LI*
80001060:  4e4b 5359 535f 656e 0043 6f70 7972 6967   *NKSYS_en.Copyrig*
80001070:  6874 2032 3030 392d 3230 3130 2043 7962   *ht 2009-2010 Cyb*
80001080:  6572 5441 4e20 4c69 6d69 7465 6400 0000   *erTAN Limited...*
80001090:  3c08 1000 4088 6000 0000 0000 4080 6800   *<...@.`.....@.h.*
800010a0:  2402 0001 4082 4800 0000 0000 4080 5800   *$...@.H.....@.X.*
800010b0:  3c0f b806 35ef 001c 2418 2328 adf8 0000   *<...5...$.#(....*
800010c0:  3c0f b806 35ef 001c 2418 0028 adf8 0000   *<...5...$..(....*
800010d0:  3c0f b900 2418 0035 adf8 0000 3c0f b900   *<...$..5....<...*
800010e0:  35ef 0004 2418 7135 adf8 0000 3c0f b806   *5...$.q5....<...*
800010f0:  35ef 001c 2418 0000 adf8 0000 3c1d 8000   *5...$.......<...*

-> m 0x80001010
80001010:  4e4f-4141
80001012:  524d-4141
80001014:  414c-4141
80001016:  5f43-4141
80001018:  4f44-
8000101a:  455f-4141^D

-> d 0x80001000
80001000:  1000 0023 0000 0000 0000 0000 0000 0000   *...#............*
80001010:  4141 4141 4141 4141 4f44 4141 4441 5441   *AAAAAAAAODAADATA*
80001020:  0805 0001 4732 5633 244c 414e 4750 4143   *....G2V3$LANGPAC*
80001030:  4b5f 434f 4445 5f44 4154 413d 0100 0001   *K_CODE_DATA=....*
80001040:  244d 4f44 454c 5f4e 414d 453d 5752 5435   *$MODEL_NAME=WRT5*
80001050:  3447 3200 244f 454d 5f4e 414d 453d 4c49   *4G2.$OEM_NAME=LI*
80001060:  4e4b 5359 535f 656e 0043 6f70 7972 6967   *NKSYS_en.Copyrig*
80001070:  6874 2032 3030 392d 3230 3130 2043 7962   *ht 2009-2010 Cyb*
80001080:  6572 5441 4e20 4c69 6d69 7465 6400 0000   *erTAN Limited...*
80001090:  3c08 1000 4088 6000 0000 0000 4080 6800   *<...@.`.....@.h.*
800010a0:  2402 0001 4082 4800 0000 0000 4080 5800   *$...@.H.....@.X.*
800010b0:  3c0f b806 35ef 001c 2418 2328 adf8 0000   *<...5...$.#(....*
800010c0:  3c0f b806 35ef 001c 2418 0028 adf8 0000   *<...5...$..(....*
800010d0:  3c0f b900 2418 0035 adf8 0000 3c0f b900   *<...$..5....<...*
800010e0:  35ef 0004 2418 7135 adf8 0000 3c0f b806   *5...$.q5....<...*
800010f0:  35ef 001c 2418 0000 adf8 0000 3c1d 8000   *5...$.......<...*
value = 21 = 0x15
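To make the ‘d’ / ‘m’ exchange above easier to reason about offline, here is a small Python script I am adding as an example (it is not code from the post, from Linksys or from Wind River). It parses the ‘d’ listing format (address, eight big-endian 16-bit words, ASCII column), cross-checks the ASCII column against the decoded bytes so a mis-pasted word is caught, pulls out the ‘$NAME=value’ board-data strings, and replays the ‘m 0x80001010’ session (one 16-bit word per prompt, an empty line leaves a word alone, ^D ends it) so the before/after rows can be compared. Assumptions: the sample rows are the first nine rows of the dump above re-typed as constructed input (the last word of row 0x80001060, 6967, is filled in from its ASCII column), the CPU is big-endian MIPS as the boot banner indicates, and ‘m’ is using its default 16-bit width.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the first nine rows of 'd 0x80001000' from the post,
# re-typed here so the script runs offline (0x80001060's last word filled from
# its ASCII column).
SAMPLE_DUMP = """\
80001000:  1000 0023 0000 0000 0000 0000 0000 0000   *...#............*
80001010:  4e4f 524d 414c 5f43 4f44 455f 4441 5441   *NORMAL_CODE_DATA*
80001020:  0805 0001 4732 5633 244c 414e 4750 4143   *....G2V3$LANGPAC*
80001030:  4b5f 434f 4445 5f44 4154 413d 0100 0001   *K_CODE_DATA=....*
80001040:  244d 4f44 454c 5f4e 414d 453d 5752 5435   *$MODEL_NAME=WRT5*
80001050:  3447 3200 244f 454d 5f4e 414d 453d 4c49   *4G2.$OEM_NAME=LI*
80001060:  4e4b 5359 535f 656e 0043 6f70 7972 6967   *NKSYS_en.Copyrig*
80001070:  6874 2032 3030 392d 3230 3130 2043 7962   *ht 2009-2010 Cyb*
80001080:  6572 5441 4e20 4c69 6d69 7465 6400 0000   *erTAN Limited...*
"""

# One dump row: address, eight 4-hex-digit words, then the 16-char ASCII column in '*...*'
ROW = re.compile(r"^([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{4}\s+){8})\*(.{16})\*\s*$")
# '$NAME=value' board-data strings; value runs until the first non-printable byte
BOARD_VAR = re.compile(rb"\$([A-Z_]+)=([\x20-\x7e]*)")


def ascii_column(row: bytes) -> str:
    """Render bytes the way the VxWorks 'd' command does: '.' for non-printables."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)


def parse_dump(text: str) -> Tuple[int, bytearray]:
    """Parse contiguous 'd' output into (base address, bytes).
    Big-endian MIPS (assumption from the boot banner): each 4-hex-digit word is two
    bytes in print order. The ASCII column is checked against the decoded bytes,
    which catches a word dropped or mangled while pasting from the terminal."""
    base: Optional[int] = None
    mem = bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompts, blank lines and 'value = ...' trailers
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(mem):
            raise ValueError(f"non-contiguous row at {addr:08x}")
        row = b"".join(int(w, 16).to_bytes(2, "big") for w in m.group(2).split())
        if ascii_column(row) != m.group(3):
            raise ValueError(f"ASCII column mismatch at {addr:08x}")
        mem += row
    if base is None:
        raise ValueError("no dump rows found")
    return base, mem


def apply_modify(mem: bytearray, base: int, addr: int, entries: List[Optional[int]]) -> int:
    """Replay an 'm addr' session: each entry is the 16-bit value typed at one
    prompt, or None for an empty line (word left untouched); ^D ends the session.
    Returns the address the shell would prompt for next."""
    for value in entries:
        off = addr - base
        if not 0 <= off < len(mem) - 1:
            raise IndexError(f"{addr:08x} is outside the parsed region")
        if value is not None:
            mem[off:off + 2] = value.to_bytes(2, "big")
        addr += 2
    return addr


def render_dump(mem: bytearray, base: int) -> str:
    """Re-create the 'd' listing so before/after rows can be diffed line by line."""
    lines = []
    for off in range(0, len(mem), 16):
        row = bytes(mem[off:off + 16])
        words = " ".join(f"{int.from_bytes(row[i:i + 2], 'big'):04x}" for i in range(0, len(row), 2))
        lines.append(f"{base + off:08x}:  {words}   *{ascii_column(row)}*")
    return "\n".join(lines)


def board_strings(mem: bytearray) -> Dict[str, str]:
    """Pull the '$NAME=value' board-data strings (model, OEM name, ...) out of the region."""
    return {k.decode(): v.decode() for k, v in BOARD_VAR.findall(bytes(mem))}


def demo() -> str:
    """The post's edit: four words of 'NORMAL_C' become 'AAAA...', one word is
    skipped with an empty line, one more word is written, then ^D."""
    base, mem = parse_dump(SAMPLE_DUMP)
    apply_modify(mem, base, 0x80001010, [0x4141, 0x4141, 0x4141, 0x4141, None, 0x4141])
    return render_dump(mem, base)


if __name__ == "__main__":
    base, mem = parse_dump(SAMPLE_DUMP)
    print(board_strings(mem))  # MODEL_NAME=WRT54G2, OEM_NAME=LINKSYS_en
    print(demo())              # row 0x80001010 reads *AAAAAAAAODAADATA* as in the post
```

The skipped word is the interesting part: the empty line at 80001018 leaves 4f44 (“OD”) in place, which is exactly why the second listing above reads “AAAAAAAAODAADATA” rather than eight A's. The same parse-then-diff approach works for any region you dump before and after an ‘m’ session, so you can keep a record of what you changed in board data rather than finding out at the next boot.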

That was about all the time I had yesterday to play around with it. Will try and post some more once I get back to it.