CategoryAccessPointHardware

HardwareComparison | AccessPointsRouters/802.11g | LinksysWrt54g | LinksysWrv54g | WAP54G

Product Info

http://www.comparestoreprices.co.uk/images/li/linksys-wap54g.jpg

You can find the latest OFFICIAL firmware at: http://www.linksys.com/download/firmware.asp?fwid=206

Product: WAP54G

Classification: Firmware Release History

Release Date: 11/01/05

Last Firmware Version: v3.04, Oct 31, 2005

Version 3.04, Oct 31, 2005
- Fix: Mac address disappears in Mac filter tab
- Fix: Increase the number of shared secret characters in Radius and WPA Enterprise

Version 3.03, Sept 1, 2005
- Improve Hardware SES push button response time (ver.3 only)
- Adds SES support to version 1 & ver 2 in user interface.

Version 3.01 (ver.3 initial release)
- Adds SES supportVersion 2.08, Jan 24, 2005
- Improves performance when used with WRE54G
- Adds WPA PSK support in Wireless Repeater mode
- Fix: System log displays incorrect log time
- Fix: When security is enabled in AP Client mode, it does not show enabled in basic page
- Fix: In AP client mode, connection drops when connected to another WAP54G
- Fix: IP fragmentation security vulnerability

Version 2.08, Jan 24, 2005
- Improves performance when used with WRE54G
- Adds WPA PSK support in Wireless Repeater mode
- Fix: System log displays incorrect log time
- Fix: When security is enabled in AP Client mode, it does not show enabled in basic page
- Fix: In AP client mode, connection drops when connected to another WAP54G
- Fix: IP fragmentation security vulnerability

ftp://ftp.linksys.com/pub/network/WAP54g_fw_2.08.zip

Version 2.07, April 28, 2004
- Adds Linksys Wireless Guard support

Note:WPA does not work in Wireless Bridge/Repeater mode in this release

Version 2.06, December 16, 2003 (ver.2 initial release)
- Updated User Interface format and layout
- Updated wireless driver to support all versions of WAP54G hardware
- Adds AP Client Mode
- Adds Wireless Repeater Mode for WAP54G and WRT54G (requires fw 2.02.2 or above)

Note:WPA does not work in Wireless Bridge/Repeater mode in this release

Version 1.08, August 5, 2003 (ver.1 & 1.1 only)
- Complies with final 802.11g standard
- Added Wi-Fi Protected Access(TM) support including AES and TKIP encryption
- Adds UI control to enable/disable frame bursting
- Adds UI control for antenna selection
- Added "B-Only" option to wireless modes
- Added "Default" option to Basic Rate settings

Note:WPA does not work in Wireless Bridge mode in this release

Version 1.06, February 18, 2003 (ver.1 only)
- Improves Stability and Performance
- Improves Performance in mixed environment
- Improves compatibility with Legacy Client Adapter
- Fix Event Log (Records client MAC Address)
- Fix Bridging with WAP11 on some channels

Version 1.05 (ver.1 only)
- Initial Release

=====NEW RELEASE 1.08 PROBLEMS======= Unable to load 1.07 firmware from http://hyperwap.org as listed on the bottom of this forum. I only needed to be able to change two things, the antenna selection (Which Linksys fixed with the 1.08 firmware release) and the TX Power, which I do not know how to do. Can someone e-mail me a link for a 1.08 firmware hack to up the TX power to the 84mW?

Thanks, Cooljoe04@yahoo.com

Hardware modifications

Standard disclaimer: As always, if you mess the unit up it's your fault, you are voiding your warranty, etc...

Replacement Power Supply

In case yours is misplaced, it is 5VDC 2.5A (polarity?)

WAP54G v1.1:

12V 500mA

Polarity: (+ on the tip) - on the barrel

Linksys model number AD12/05A

P/N 110-100-0045

Model No:WD411200500

Opening the device

The device can be opened in a similar fashion to the WRT54g, except for the fact that there *DO* are a couple of screws (at least in my version, 1.0) under the front legs. See some pictures here.

Serial Port

Here's the pinout of the serial port jumper on the version 2.0 hardware: (labeled "J5")

  O O O O left to right: +3.3v +3.3v grnd grnd

  O O O O O ttyS0 output, unknown, unknown, ttyS0 input, unknown
  ^

Two of those 'unknown' pins above are probably the second serial port (I've not tried it). I'll update this info once I find out the rest of the pinouts.

The output is cmos-level (3.3v) so you'll need a max233 chip to convert to +/- 5v. Luckily the max233 chip can take 3.3v input in place of a 5v input. (http://www.rwhitby.net/wrt54gs/serial.html has wiring info on the max233 chip itself, although it appears that the wrt54g serial pinouts are different)

Also note that rwhitby's approach uses a serial kit that provides the "wrong" (IMHO) serial pinouts and connector. Your 54G is a DTE-- it should have a MALE DE9 with DTE pinouts. But the kit offers a DCE (female DE9) which has the signals backwards. I guess you can use a straight-through cable to connect to your PC, but it's just not right. I rolled my own and got the signals right way round-- I use a crossover cable to connect it to a PC.

Some who are not as adept with soldering may want an IDCHeaderInstallTrick

Also note a really hacky version of this in Wrt54gSerial -- no soldering required at all.

Default com settings are 115200 8N1. You'll want to hold control-C while plugging the unit in... then you can use the "magic incantation":

nvram set boot_wait=on
nvram commit
reboot

Additional note: The CFE console is much easier to use than PMON was. You can actually change from one to the other using the serial port hack and a tftp server, but be EXTRA careful when flashing using the command line, as you can easily wipe out CFE/PMON. (CFE/PMON is stored in flash1.boot, the linux.trx file resides in flash1.trx. Stay away from flash0. Not sure what that would do....)


On my v1.1 device there isn't an UART on board or in the CPU. However, the large 20-pin jumper (label: J25, it is also on v1.0 units) connects to the CPU I/O data lines, which can be connected to an external UART (ie, a PC16650D), from there to a MAX232 transceiver, and from there to the computer serial port. Check their datasheets if in doubt about how to do it. Use a 12.75 MHz crystal for 115200 baud (the uart clock divider is 7).

in this post that a MAX241 be used, but this doesn't seem to make sense, as the caps (C158-C162) would be connected to TX and RX lines. More likely that the transceiver was meant to be a SN75LV4737A, as the capacitors seem to line up with the correct pins as do the signal lines. I'm also not sure that 12.75MHz is the correct speed to use - by the UART data sheet, 115200baud * 16 * divider(7) = 12.9024MHz, but 12.75MHz should be close enough to work. -- HaveBlue]]]

One could also try to solder the UART directly on board. The chip (a PC16552D) goes on U25, along with the clock on X1 and a few other capacitors and resistors around it (check the datasheet for their typical values). Note that then you'll probably have to solder a couple of wires to the UART serial interface pins (SIN and SOUT) directly, since there don't seem to be any jumpers connecting to both of them. There is actually one which goes to SIN, perhaps intended for factory firmware uploading?

Here is the pinout (each pin named according to the UART datasheet).

                 J25
                -----
     D0 1>| 0 o | 20 A0
     D1 2 | o o | 19 A1
     D2 3 | o o | 18 A2
     D3 4 | o o | 17 CHSL
     D4 5 | o o | 16 /CS
     D5 6 | o o | 15 /RD
     D6 7 | o o | 14 /WR
     D7 8 | o o | 13 MR
     VDD 9 | o o | 12 INTR1, INTR2 via r521*
  VSS (GND) 10 | o o | 11 SIN via r8*
                -----

* These pins also seem to go to the MiniPCI card. They are originally not connected to the UART since r521 and r8 are not on the board. I don't really know what they are used for, although I'd guess they provide an interface between the BCM4702 CPU and the BCM4306...

For some kind of obscure reason, I was unable to type "boot_wait" properly over the serial line (some characters were echoed as junk over the connection, although everything else was fine). I had much better luck doing the following sequence. During bootup, use Ctrl-C to break the kernel load from the flash. Then do

Gemtek > h (if you feel like seeing what else can be done)
Gemtek > set

Which displays a long list of all the nvram variables. (Notice the "boot_wait=off", if it was "on" then just tftp upload the image). Write down the value of the following variables:

wan_ipaddr (this will be the address of the linksys once fixed) os_flash_addr

Now break that damn non-functional firmware and overwrite it with some junk. Let's suppose that os_flash_addr=bfc40000. Then do:

Gemtek > cp2fl 0 bfc40000 1000

That's it! Now PMON will probably see that the OS has a bad CRC, and will automatically accept tftp transfers (to the default ip address, 192.168.1.1) from the ethernet port.

This same stuff probably applies to early versions of the Linksys WRT54g router too.

--AleixSole

Hardware Tx power mod

March 20, 2004 Hi all! I have a solution for increasing the output power of WAP54G without changing its firmware (Hardware solution). I have tested it now, and it works !!! It's so simple !

Look at this pictures :

http://milengeorgiev.tripod.com/index.html

This is the RF part of mini PCI module on WAP54G (and may be others :)) )

Firmware: v1.08, Aug 05, 2003

Be very careful! Do this at your own risk! It is illegal in some countries!

  1. Solder 1k resistor as shown on pictures. That's ALL :)

  2. If you don't use 2 antennas, you may win 1-2dB with removing the antenna switch, and short the pads on PCB... (you can skip this step)
  3. And at last, you can fill the space between power amplifier and top metal shield with some plastic thermoconductor material. (PA don't heat for me, so you can skip this step)

That's ALL ! 30-60 sec. after power on it increases it's power ... I recommend to do only step 1, and if it works, then you can make step 2 and 3 (optionally) Please, tell me the results.

Today I add a picture of NetStumbler with original and patched device . Look at the last picture on

http://milengeorgiev.tripod.com/index.html

soft4gsm at yahoo dot com

P.S. This mod is for old hardware only ! I don't test it on new one ! (17.May.2005)


29 March 2004 This hardware mod rox! It works flawlessly on my WAP54G, and also on my Dell mPCI WiFi card. I can add, that every mPCI card that is made with Broadcom chipset and follows the Broadcom reference design is "tunable" :)

Inside the WAP54G Version 2

Want to see some high-resolution pictures of the inside of the WAP54G, version 2 model?

  1. Here's the front of the circuit board: Component Side

  2. Here's the back of the circuit board: Solder Side

  3. Here's a close-up of the J5 (RS232 serial) connector: J5 Detail

I've added some details to the J5 image to aid in connecting up a serial circuit. I've ordered part A232DBH3v from http://www.compsys1.com/workbench/On_top_of_the_Bench/Max233_Adapter/max233_adapter.html as this looks to be the perfect serial circuit for the new V2 WAP54G models. I'll update my mod results when it's up and running.

--BitBasher

Device Firmwares

HyperWap Firmware Hack

Another nicely working firmware hack based on the Linksys 3.04 firmware. It is downloadable via the forum at http://www.hyperwap.org/forum/viewtopic.php?id=53. The features are equal to those of the Neo- and MustDie-hacks (antenna selection configurable, power output configurable, channels 12/14 selectable, boot wait flash protection).

Neo Firmware Hack

The first working hack is available for the WAP54G AP thanks to Leroy (Netherlands – Europe) from the Wirelessnederland forum (http://forum.wirelessnederland.nl)

It basically leaves the original firmware as it is. And only changes the power output to it's maximum at 84mw (default it's at 22mw). Next to this, it will also turn off the antenna diversity & lock the TX & RX to the right antenna. This makes the WAP54G suitable for use over greater distances with use of one external antenna.

Please keep in mind that this firmware is for testing purposes ONLY and that the author/editor is NOT IN ANY WAY responsible for your actions or the firmware. There have been several reports of signal drops, if this happens to your accesspoint, you can easily flash it back to the original firmware.

Do not forget to RESET the accesspoint BEFORE flashing to clear some RAM.

OLD version --> http://www.startwireless.nl/neo.rar

NEW version --> scroll down!!

Below a screenshot of NetStumbler showing the before an after thing. On the left the Linksys firmware, and on the right the new and improved Neo firmware.

http://www.dartsplayer.com/wa/neo.jpg

The Neo firmware has the following changes in the cramfs image:

/usr/bin/wlneo.sh contains: #!/bin/sh /usr/sbin/wl txpwr 84 /usr/sbin/wl antdiv 0 /usr/sbin/wl txant 0 /usr/sbin/wl assoclist >/tmp/assoclist

Structure of entire firmware:

Offset:

Description:

0..3

'HDR0' - Magic value

4..7

Length of entire firmware in bytes in 32bit little endian format

8..11

Bit inverted crc32 of bytes 12..end

12..27

?? Always seems to be 0x8000, 0, 0, 0 (as 32bit little endian)

28..786431

gzip compressed Linux kernel (zero padded)

786431..end

cramfs image of root fs

See LinksysWrt54g HDR0 section.


MustDie Firmware (Version 2.07)

Aug 31, 2004

Folks,

First of all I'd like to thank the great people of Linksys Info, and Jim personally for letting me post the firmware there. Please send him "thank you" cards/flowers/money/beer.

Now, the firmware:

MustDie 2.07 revision 1

THIS FIRMWARE IS PROVIDED "AS IS" WITH ABSOLUTELY NO WARRANTIES. While this firmware is based on Linksys/Cisco 2.07 GPL tar-ball, the modifications made allow user to force WAP54G to work outside of the parameters specified by manufacturer of the WAP54G or its components, which in turn may cause damage to the WAP54G. In such cases Linksys/Cisco may (and probably will) refuse warranty service for the damaged WAP54G.

Setting "Transmitter Power" to the level above the one allowed by the FCC (or a similar agency of your country/region) MAY CAUSE HARMFUL INTERFERENCE AND A PUBLIC HEALTH HAZARD. You and you alone are responsible for all damages to yourself, your property, others and/or property of others caused by setting the "Transmitter Power" to the illegal levels of RF emissions.

Setting "Channel" to one not approved by the FCC (or a similar agency of your country/region) for use in your region MAY CAUSE HARMFUL INTERFERENCE and MAY result in you being prosecuted by the FCC (or a similar agency of your country/region).

Direct links:

Firmware: here

Source: here

Official support forum: here

As a sign of gratitude from us all, please browse through Linksys Info, click on their banners and/or buy through them.


added Jun 25 2003 (vertical AT wireless.com.pt) 4..7 is size of firmware divided by 4096 ex firmware file has size 2101248 divide by 4096=513 513 in hex is 201 you edit (with hex editor) in firmware and put "10 20" in location 5 & 6

8..11 is crc32 checksum of the file from location 12...end and then inversed bits

ex crc32 of rest of file is 473D75C1 then location 8..11 will be "3E 8A C2 B8"


if 32bits int at pos 12 is 0x00010000L instead of 0x00008000L

Then kernel offset if found at pos 16 and cramfs image is found at pos 20.

12..15

Maybe PMON Version with minor/major version ?

16..19

Kernel offset

20..23

CramFS offset

24..27

00000000

In firmware 1.08 this version is set to 0x00010000L The utility provided by LinkSys also creates .trx files in this format.

Jean-Baptiste Vignaud

(added 04 Nov 2003 by jbv at freesurf dot fr)


Calculate the crc32 and one's complement with this code:

{{{#!/usr/bin/perl

use String::CRC32;

scalar(@ARGV) || die "Usage: crc32 [file]\n";

for my $file (@ARGV) {

} }}}


ok hope this helps p.s. the executables from the WAP54G run on the playstation2 linux file /bin/busybox ELF 32-bit LSB executable, MIPS R3000_BE - invalid byte order, version 1, dynamically linked (uses shared libs)


Great!! Apparently this works!! But is there anyway to get reports of signal strength / quality to connect to these clients, or even another WAP54G in WDS Bridge mode!! hohoh


NEW !!!!!!!!!!!!! NEO VERSION 1.0 !!!!!!! 30-7-2003

neo-1_0-LinksysWAP54G-1_06_03.zip available on http://www.wirelessnederland.nl

(user/pass) = (wlnl/download)

thread http://forum.wirelessnederland.nl/viewtopic.php?t=1674

Neo firmware v1.0, July 30 2003 Device: WAP54G

Modifications:

- Increased available channels from 11 to 13

- Dynamic TX Power selection

- RX & TX Antenna selection (separated)

- Connection stability improvement


with this syntax you can change rts and obviously see change in advanced wireless setup

http://192.168.1.245/apply.cgi?submit_button=Wireless&change_action=&action=Apply&d11g_rts=2342

this is syntax where you can change power, 3 and 4 are larger by netstumbler default 0. you can see change in dummy.asp

http://192.168.1.245/apply.cgi?submit_button=Wireless&change_action=&action=Apply&wl_TransmitPower_5G=4

this is command for selections of antenna, i think this is for left, not sure need more probing this change cant confirm on any setup pages :).

http://192.168.1.245/apply.cgi?submit_button=Wireless&change_action=&action=Apply&antdiv=0&txant=0

analyzing changes on netstumbler i see variations in signal strength after


01 Jan 2004 Got version 1.1 of this unit running 1.08 firmware. The webupdate interface rejects the modified fw and previous versions. Only accepts the v1.08 (1.48Mb) one from linksys. No tftp server to upload to. All I get is "error during update when i try any other firmware. Even the WRT54G just as a long shot. The only interesting thing I can do is look at the NVram http://192.168.1.245/dummy.asp Unfortunately "wl_TransmitPower_5G" parameter doesn't appear to exist in this unit. 03 Jan Just finished reading the forum, known issue. If you want it any sooner give the man a donation. Other wise it when he get around to it ;-)


24 Sep 2004 I also have v1.1 and no luck loading either of the Neo firmwares... tried the "Downgrade Heade


DD-WRT Firmware

8 May 2007

http://www.dd-wrt.com

Tested DD-WRT v23 SP1 Micro on my WAP54G V1.1 successfully. The web GUI seems to lock up occasionally, probably due to lack of memory resources. See notes below to free up resources. To unlock, unplug, wait several seconds, then replug the power cable.

Only the Micro edition is small enough to fit on the WAP54g.

Important: Don't attempt to upgrade from DD-WRT Micro SP1 to SP2 via the DD-WRT web interface. I think I (temporarily?) bricked my WAP54g. However, the SP1 install from the original Linksys firmware went smoothly.

Here are the exact steps:

1) Setup your computer with static IP 192.168.1.5 and connect an ethernet cable directly to the WAP54G.

2) Reset WAP54G to factory default, power off for about 5 seconds and power on again. The default IP is now 192.168.1.245

3) In a web browser, go to 192.168.1.245 to load the linksys web GUI. Go to the Help tab. Press the firmware upgrade button. Choose the dd-wrt.v23_micro_generic.bin file and click upgrade.

4) After a successful upgrade, DD-WRT will be installed now, IP 192.168.1.1, username root, password admin.

Notes:

I didn't bother to upgrade to the latest linksys firmware before flashing. If your device happens to be brand new, you can skip step #2.

Since there's no WAN port, set WAN to disabled and firewall to off, and disable other stuff you can find that uses the WAN. Turn off DHCP server, set gateway to Router instead, disable routing, and so forth. This will also free up some memory, which will help your stability.

Additional Notes ( 5 July 2007 ):

The previous limitations have been lifted in DD-WRT version 23sp3 ( in the beta builds ). It now supports ALL WAP54G devices currently known and you can even use the ethernet port as a WAN port to make a single port Wireless router.


Sept. 19, 2008. How to debrick WAP54G v1.1 after bad flash?

I installed dd-wrt.v24-9517_VINT_micro.bin. Web GUI was normal after hard 30-30-30 reset and all looked normal. After further testing, settings (nvram) were lost on every power cycle. Changes to IP or MAC would go back to defaults after unplugging the device from the wall wart. Assuming it was a bad flash, I attempted to reflash the same bin using the dd-wrt web firmware upgrade function. The result was a bad flash and a bricked router (unresponsive to ping, tftp, etc.). I have a JTAG cable, but this device, as per above, does not have a header. The only header available is J25. I tried the pin shorting method on the flash chip with no success (AMD chip is difficult to access as it is mounted under the mini PCI on this version). This may have caused further damage as the yellow ethernet light does not respond now when connected. Red power light is the only led currently functioning. Question: is there someone who has successfully crafted a UART serial connection for this device (WAP54G v1.1) who might be willing to help me perform CPR on this puppy or loan out the cable(I'm in Seattle)? --matt_o Email: mattbo[at]comcast[dot]net


CategoryAccessPointHardware

WAP54G (last edited 2010-08-15 13:47:16 by JasonMcArthur)