HardwareComparison | AccessPointsRouters/802.11g | LinksysWrv54g | LinksysWrt54g | WAP54G

Linksys wireless VPN router

1. General Info

This is a Linksys wireless VPN router. Homepage.



http://bilder.fliegl.de/misc/2004-03-05-wlan/thumb/p403050915.jpg bigger image

http://bilder.fliegl.de/misc/2004-03-05-wlan/thumb/p403050916.jpg bigger image

Linux Kernel: 2.4.19.openrg-rmk6-ds1



Speed: 54 Mbps (wireless), 10/100 Mbps (Ethernet)

LED Indicators:

Channels: 11 (USA)

Power: 19 dBm TX (claimed in manual)


We thank Linux Fund for kindly donating WRV54G hardware for testing

LinuxFund Website

(This page is messy as it holds all my notes for now. I'll come around some time to clean it up)

1.1. Mailing list hosted at colliertech.org

Mailman listinfo wrv54g.

1.2. Notes on the LinksysWrv54g

1.3. Got Shell?

There doesn't appear to be a shell, other than what busybox might contain

There appears to be a shell in the OpenRG filesystem - dbc

file reports the binaries in the OpenRG directory are i386 binaries for some reason, so that won't work:

bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

Interesting. I just confirmed this by executing every file in the /usr/local/openrg/armsaeb/armv4b-hardhat-linux/bin directory. The sbin directory is the same way.

Note: These are x86 binaries because they are linking onto you host system when you loop mount the file system:

The real binaries for the system are under mnt/cramfs which is not actually a cramfs file system on this platform (though it is on some other OpenRG platforms).

(Firmware + source distro observation only)

1. Standard Busybox should contain lash (lame-ass shell), and the file sh.c is included in the source.

2. Interesting

/mnt/cramfs/bin# strings main_task |grep shell
Exit from main_task and open a shell on the serial console
Spawn busybox shell in foreground

3. (taken from the openrg_features.txt file and the .rg_configure file)

Web Based Management CONFIG_RG_WBM
Telnet Server CONFIG_RG_TELNETS <-- Yay?
Command Line Interface CONFIG_RG_CLI



/mnt/cramfs/bin# strings main_task |grep telnet
Can't open telnets
Can't open telnet master server on port %d
Error in mt_telnet_server_open(htons(23), 0)
Error in mt_telnet_server_open(htons(8023), 0)
Error in mt_telnet_server_open(htons(992), 1)
sec_incom_telnet_992 <---- Telnet SSL?
sec_incom_telnet_8023 <---- Telnet Proxy?
sec_incom_telnet_23 <---- Telnet (23)?
%s:%d: Remote telnet client contradiction %d
Remote telnet client doesn't support needed option %d
%s:%d: Bad formatted telnet msg
%s:%d: Bad formatted telnet msg - unknown char

It appears that Busybox has been built with the shell in it, but they haven't given us any symbolic link to it.

All of the "spawn busybox shell" and "telnets" stuff seems interesting, also.

2. Files

2.10 Firmware has been released, WPA support is here. Changelog

Firmware (2.03) 2.03 (FTP)

Firmware (2.10) 2.10 (FTP)

Source (2.03) 2.03 (104MB!!)

Source (2.10) 2.10

Pictures: Big. From FCC; sorry, uncompressed http://linuxfund.org/~collord/wrv.pdf -JerrittCollord

2.1. Examining the filesystem

Extract the compressed {ext2} filesystem from firmware 2.03 like this:

# dd if=wrv54g_2.03_fw.rmt of=ext2.img.gz bs=1c skip=788041c
# gunzip ext2.img.gz

Extract the compressed {ext2, cramfs} filesystems from firmware 2.37 like this:

# dd if=wrv54g_v2.37_US.rmt of=layer1.img.gz bs=1c skip=12258c
# gunzip layer1.img.gz
> gunzip: layer1.img.gz: decompression OK, trailing garbage ignored

# dd if=layer1.img of=ext2.img.gz bs=1c skip=1740800c
# dd if=layer1.img of=cramfs.img bs=1c skip=1761280c

# gunzip ext2.img.gz
> gunzip: ext2.img.gz: decompression OK, trailing garbage ignored


# mount -t ext2 -o loop ext2.img /mnt/ext2

# mount -t cramfs -o loop cramfs.img /mnt/cramfs

2.1.1. Basic Layout

# ls -al
total 32
drwxr-xr-x 13 root root 1024 Aug 29 03:53 .
drwxr-xr-x 20 root root 4096 Jul 10 15:15 ..
drwxr-xr-x 2 root root 2048 Oct 4 01:34 bin
drwxr-xr-x 2 root root 4096 Aug 29 03:53 dev
drwxr-xr-x 4 root root 1024 Aug 29 03:53 etc
-rw-rw-rw- 1 root root 32 Feb 21 2001 fstab
drwxr-xr-x 3 root root 1024 Aug 29 03:52 home
drwxr-xr-x 3 root root 1024 Aug 29 03:53 lib
drwx------ 2 root root 12288 Aug 29 03:53 lost+found
drwxr-xr-x 4 root root 1024 Aug 29 03:53 mnt
drwxr-xr-x 2 root root 1024 Aug 29 03:53 proc
drwxrwxrwx 2 root root 1024 Aug 29 03:53 tmp
drwxr-xr-x 3 root root 1024 Aug 29 03:53 usr
drwxr-xr-x 6 root root 1024 Aug 29 03:53 var

Everything in /bin, /etc, /home, /lib is symbolically linked to /mnt/cramfs/[bin | etc | home | lib]

2.1.2. OpenRG

/usr/local/openrg/armsaeb/armv4b-hardhat-linux/bin# ls -al
total 2716
drwxr-xr-x 2 root root 4096 Jul 10 13:02 .
drwxr-xr-x 20 root root 4096 Jul 10 15:15 ..
-rwxr-xr-x 1 root root 2492 Mar 21 2003 arch
-rwxr-xr-x 1 root root 581100 Feb 28 2003 bash
-rwxr-xr-x 1 root root 13912 Jun 16 17:00 cat
-rwxr-xr-x 1 root root 16184 Jun 16 17:00 chgrp
-rwxr-xr-x 1 root root 15800 Jun 16 17:00 chmod
-rwxr-xr-x 1 root root 18040 Jun 16 17:00 chown
-rwxr-xr-x 1 root root 42796 Jun 16 17:00 cp
-rwxr-xr-x 1 root root 47656 Jun 22 2002 cpio
lrwxrwxrwx 1 root root 21 Jul 10 13:02 csh -> /etc/alternatives/csh
-rwxr-xr-x 1 root root 34648 Jun 16 17:00 date
-rwxr-xr-x 1 root root 23948 Jun 16 17:00 dd
-rwxr-xr-x 1 root root 26380 Jun 16 17:00 df
-rwxr-xr-x 1 root root 63596 Jun 16 17:00 dir
-rwxr-xr-x 1 root root 3804 Mar 21 2003 dmesg
-rwxr-xr-x 1 root root 9732 Feb 8 2003 dnsdomainname
-rwxr-xr-x 1 root root 10936 Jun 16 17:00 echo
-rwxr-xr-x 1 root root 39544 Apr 2 2003 ed
-rwxr-xr-x 1 root root 33 Apr 21 11:02 egrep
-rwxr-xr-x 1 root root 8952 Jun 16 17:00 false
-rwxr-xr-x 1 root root 33 Apr 21 11:02 fgrep
-rwxr-xr-x 1 root root 16920 May 28 19:57 fuser
-rwxr-xr-x 1 root root 67948 Apr 21 11:02 grep
-rwxr-xr-x 4 root root 49580 Jun 7 11:35 gunzip
-rwxr-xr-x 1 root root 4745 Jun 7 11:35 gzexe
-rwxr-xr-x 4 root root 49580 Jun 7 11:35 gzip
-rwxr-xr-x 1 root root 9732 Feb 8 2003 hostname
-rwxr-xr-x 1 root root 11212 Jun 1 18:12 kill
-rwxr-xr-x 1 root root 19480 Jun 16 17:00 ln
-rwxr-xr-x 1 root root 34584 Mar 7 2003 loadkeys
-rwsr-xr-x 1 root root 31480 Apr 26 14:50 login
-rwxr-xr-x 1 root root 63596 Jun 16 17:00 ls
-rwxr-xr-x 1 root root 35444 Mar 3 2003 lspci
-rwxr-xr-x 1 root root 16376 Jun 16 17:00 mkdir
-rwxr-xr-x 1 root root 15756 Jun 16 17:00 mknod
-rwxr-xr-x 1 root root 4588 Jun 24 21:32 mktemp
-rwxr-xr-x 1 root root 26328 Mar 21 2003 more
-rwsr-xr-x 1 root root 76792 Mar 21 2003 mount
lrwxrwxrwx 1 root root 20 Jul 9 18:59 mt -> /etc/alternatives/mt
-rwxr-xr-x 1 root root 14616 Jun 22 2002 mt-gnu
-rwxr-xr-x 1 root root 44652 Jun 16 17:00 mv
-rwxr-xr-x 1 root root 88684 May 28 16:30 netstat
lrwxrwxrwx 1 root root 16 Jul 9 19:31 pidof -> ../sbin/killall5
-rwsr-xr-x 1 root root 15244 Nov 18 2001 ping
-rwxr-xr-x 1 root root 56780 Jun 1 18:12 ps
-rwxr-xr-x 1 root root 9752 Jun 16 17:00 pwd
lrwxrwxrwx 1 root root 4 Jul 9 19:31 rbash -> bash
-rwxr-xr-x 1 root root 10360 Jun 16 17:00 readlink
-rwxr-xr-x 1 root root 24216 Jun 16 17:00 rm
-rwxr-xr-x 1 root root 10648 Jun 16 17:00 rmdir
-rwxr-xr-x 1 root root 9940 Jun 24 21:32 run-parts
-rwxr-xr-x 1 root root 32792 May 6 19:34 sed
-rwxr-xr-x 1 root root 18968 Apr 17 16:50 setserial
lrwxrwxrwx 1 root root 4 Jul 9 19:31 sh -> bash
-rwxr-xr-x 1 root root 11224 Jun 16 17:00 sleep
-rwxr-xr-x 1 root root 32728 Jun 16 17:00 stty
-rwsr-xr-x 1 root root 22904 Apr 26 14:50 su
-rwxr-xr-x 1 root root 9752 Jun 16 17:00 sync
-rwxr-xr-x 1 root root 128744 Oct 29 2002 tar
-rwxr-xr-x 1 root root 273964 May 24 14:32 tcsh
-rwxr-xr-x 1 root root 5564 Jun 24 21:33 tempfile
-rwxr-xr-x 1 root root 24344 Jun 16 17:00 touch
-rwxr-xr-x 1 root root 8920 Jun 16 17:00 true
-rwsr-xr-x 1 root root 39928 Mar 21 2003 umount
-rwxr-xr-x 1 root root 10424 Jun 16 17:00 uname
-rwxr-xr-x 4 root root 49580 Jun 7 11:35 uncompress
-rwxr-xr-x 1 root root 63596 Jun 16 17:00 vdir
-rwxr-xr-x 4 root root 49580 Jun 7 11:35 zcat
-rwxr-xr-x 2 root root 1974 Jun 7 11:35 zcmp
-rwxr-xr-x 2 root root 1974 Jun 7 11:35 zdiff
-rwxr-xr-x 3 root root 2944 Jun 7 11:35 zegrep
-rwxr-xr-x 3 root root 2944 Jun 7 11:35 zfgrep
-rwxr-xr-x 1 root root 1525 Jun 7 11:35 zforce
-rwxr-xr-x 3 root root 2944 Jun 7 11:35 zgrep
-rwxr-xr-x 1 root root 103 Jun 7 11:35 zless
-rwxr-xr-x 1 root root 1885 Jun 7 11:35 zmore
-rwxr-xr-x 1 root root 3518 Jun 7 11:35 znew

2.2. Wireless Driver

Again, from static firmware analysis, it appears that the WRV54G uses an Intersil Prism 802.11G driver. I could not find it in the sources, but it definitely is GPL'd, and from looking at the strings, part of the PrismGT/Duette/Indigo chipset Linux drivers, which are GPL'd. Project page.

3. Useful Links

4. License Issues

NOTE: The Ethernet driver for the IXP425 relies on a library that is NOT GPL. It relies on the Intel Access Software Library (see useful links above). Part of the licensing of the software library is that none of the code is to make it into GPL or LGPL. The IXP4xx CPU uses "Network Processing Engines" to handle the networking, and these co-processors are talked to via the library. Thus, be careful how you use the Intel library - it forbids you from making the code subject to the GPL and LGPL.

That said, csr.o is the library (a binary module). the ixp425_eth.o is a driver that uses that library. These are built with the kernel patches (see below).

5. Environment Setup

Linksys has graciously given us the ARM-Linux Big-endian toolchain in their build. Thus at the very least, you'll need their source code release (see above for it). If you wish to have the Ethernet driver, you'll need to obtain from Intel:

None of the Intel code is GPL'd, beware! And the access library cannot be placed into GPL. However, Intel makes it available to practically anyone if you register, so for the time being, this is what needs to be done. From available documentation, there does not seem to be sufficient information on how to use the NPEs by themselves in order to write a truly free driver.

6. Firmware File Format

Here's what the firmware appears to be (based on 2.03):

Size of image - 4,837,745 bytes (0x49D171) Header size - 113 Bytes (0x71)

    "start section\n"
    "rg_hw: GTWX5715\n"
    "dist: GTWX5715\n"
    "version: 20524\n"
    "Linksys: WRV54G\n"

Here's what the firmware appears to be (based on 2.37):

Size of image - 5,294,042 bytes

6.1. Replacing the Root Filesystem

Short of a complete kernel recompile and initrd build, one can imagine the desire to replace only bits and pieces of the filesystem. Since the kernel and initrd are in one bundle, it's necessary to break them apart, then reassemble the pieces. First, generate and mount rd.img as described above, and move the files around as you wish. Then unmount the image, and recompress:

# gzip --best rd.img

Now, attach this rd.img to the old .rmt file

# dd if=wrv54g_2.03_fw.rmt of=hdr.raw bs=1c count=788041c
# cat hdr.raw rd.img.gz > wrv54g_2.03_mod_fw.rmt

It turns out that the ".rmt" file header has more checksums length info which make it hard to modify cleanly using "rmt_upd". Also, on my system, it appears not to even like the stock ".rmt" file. So, we remove the rmt header and load the firmware another way:

# dd if=wrv54g_2.03_mod_fw.rmt of=wrv54g_2.03_mod_fw.raw bs=113 skip=1

One last step before we load. The kernel/initrd pair also contains length info for the ramdisk, which ends up being passed to the kernel as a length parameter for the gzip compression. If you rd.img.gz is larger than the original, you'll need to make this parameter larger. The old length is 4049704 (0x3dcb28). This parameter is repeated 3 times in the .raw file, between offsets 0xc0564-0xc05d8 (the start of the compressed image). For the curious, this is my breakdown of the .raw file:

0x00000: Kernel decompressor
0x02f68: Start of compressed code
0xb6fd4: End of compressed code/start of uncompressed text segment
0xb7090: Zeroes (air gap)
0xc04e0: Start of another block of ARM code (seems to be called by
         kernel decompressor (this is probably ramdisk.o)
0xc0564: Kernel setup parameters (see arch/arm/kernel/setup.c,
         include/asm-arm/setup.h). This contains refs to the
         length of the compressed initrd
0xc0584: Parameters end, code continues. Includes default values
         for initd_start and initrd_size
0xc05d8: Initird starts.

At this point, you should be able to toss this up on an http or tftp server the wrv54g can see, and use "load -u <url> -s 2" at the OpenRG prompt to replace the kernel/ramdisk pair. This step is a lot scarier if you don't know that you can back out of it! I'd suggest that you have already created a backup of the raw contents of the flash in section 2 (0x00140000-0x006C0000), and have a serial port connection sitting at the ready. If the boot fails, you can back out by hitting ESC as the first kernel (in section 1) loads, attach your tftp/http server to the WAN port (it expects to be and "load -u <raw-section-2-dump-url> -r 0x140000"

6.2. Environment Setup 2

NOTE: These instructions are incomplete. The kernel will NOT link properly. There is an oddity in that the as-shipped source builds IPSec into the kernel, but the IPSec code requires the Intel library, which cannot be linked in. (GPL *and* Intel License violation?).

You will need the wrv54g source code, the Intel Access Library (ixp425AccessLibrary.zip) and the Intel Kernel Patches (ixp425LinuxDriversPatch*) to begin. Correction: You might need the access library with crypto. Correction 2: You will most likely need the crypto version. It also appears that the system was built using an older version of the code (1.2?), so changes are needed to get 1.3 working.

Unpack the wrv source code - there will be a 400MB tar file, the toolchain, and some littld other files extracted as well. (It creates the gpl_code_2.03/ directory).

Untar the toolchain.tgz file to /. It'll create /usr/local/openrg/ directory. You'll need to add /usr/local/openrg/armsaeb/bin and /usr/local/openrg/bin to your PATH. The compiler prefix is armv4b-hardhat-linux- (unlike the regular "arm-linux-" when dealing with other ARM-Linux based platforms).

Go back to where un you untarred the source code distirbution. Make a directory to hold the code, and untar it there - there are a few scripts and commands and files that will be created if you untar it in place. A few scripts will be placed in the root directory, as well as the kernel (under OS) and the few bits of GPL'd code (under pkg).

Unpack the Intel code - both the library and the patches. You will need to patch the Linux kernel in order to build the drivers and the access library modules. Go into the os/linux-2.4 directory, and run both patches (patch -p1 < /path/to/intel/ixp425MemoryMap.patch and patch -p1 < /path/to/intel/ixp425LinuxDrivers.patch). It will complain that there is a missing file (arch/arm/def-configs/ixpd425) - skip patching this file.

Now go into the ixp425_xscale_sw/buildUtils directory and edit the environment.linux.sh file. Edit LINUX_SRC to point to the os/linux-2.4 directory. Comment out the PATH line, and edit the IX_XSCALE_SW directory to point to the ixp425_xscale_sw directory (note - the release notes say it should be one directory up. This is wrong. The IX_XSCALE_SW must have "ixp425_xscale_sw" in it!). Source the file to set LINUX_SRC and IX_XSCALE_SW.

Copy the files in ixp425_xscale_sw/include and ixp425_xscale_sw/linux to the Linksys code vendor/intel/ixp425/csr/include and vendor/intel/ixp425/csr/linux directories. I've also had to edit linux/net/ipsec/ipsec_encap.h and ipsec_ipe4.h and include linux/in.h in order to get it to compile. They worked hard at making life difficult!

At this point, try run compile.sh and see if you can build without errors.

7. C.J.'s observations

I've changed the Wrv54g's IP address to so as not to stomp all over the Wrt54g.

$ telnet
Connected to
Escape character is '^]'.
Username: admin
Password: ***** <-- yes, that's "admin"
OpenRG> help
exit: Exit from the current cli
die: exit <ret> from maintask
ps: Print main-task tasks
rg_conf_print: rg_conf_print <root> - Print OpenRG configuration
        starting from <root> - use / for the whole configuration
rg_conf_set: rg_conf_set <path> <value> - Set rg_conf path to a value
rg_conf_set_obscure: rg_conf_set_obscure <path> <value> - Set rg_conf path to an obscured value
rg_conf_del: rg_conf_del <path> - Del subtree path from rg_conf
reconf: reconf <flash_delay 1(=NOW) to 4> - Reconfigure the
        system according to the current rg_conf
entity_close: entity_close <entity ptr> - Close an entity
host: host <name> - Resolve host by name
rgpf_config: rgpf_config [f|c|a] - Flush/Clean/Activate Firewall & NAT
rgpf_info: rgpf_info - Display Firewall & NAT information
flash_commit: Save configuration to flash
restore_default: restore_defaults [-d] - Restore default configuration
        (use -d to avoid rebooting after)
reboot: Reboot the system
log_lev_on: log_lev_on <severity> - redirect rg_error output from severity
        equal or higher to <sevrerity> to the current cli
log_lev_off: Stop rg_error redirection to the current cli
exec: exec <path> - Execute path
rmt_upd: Remotely upgrade the box
rmt_upd_wget_close: rmt_upd_wget_close <ptr> - Kill a remote upgrade processrg_ifconfig: rg_ifconfig <details_level>
cat: Print file contents on console
shell: Spawn busybox shell in foreground
cat_log: cat_log [fw|varlog] | e[#buf_num]
bridge_info: Prints bridge information
flash_layout: Prints the flash layout and content
flash_erase: flash_erase [-d] <section> - erases a given section in the flashflash_dump: flash_dump [-s <section> | -r <address>] [-l <length>] [-1|2|4] - dumps the flash content
bset: Configure bootloader
ifconfig: Configure network interface
ping: Test network connectivity
boot: boot -g {-s <section> | -r <address>} - Boot the system (-g boot with kgdb)
load: load -u <url> {-s <section> | -r <address>} - Load and burn image
help: Print this menu
8021x_open: 8021x_open <dev_name> - Open device
8021x_close: 8021x_close - Close last 802.1x device
8021x_status: 8021x_status <dev_name> - Print 802.1x device status
8021x_set_mode: 8021x_set_mode <dev_name> <dir> <auth_control> <promiscuous> - Change operating mode of device
8021x_mac_auth: 8021x_mac_auth <dev_name> <MAC> <op> - Add or remove authorization for a device (op==1->add, 0->remove)
vlan_add: Add VLAN interface
Returned 0
OpenRG> shell
Returned 0
[http://www.busybox.net/about.html Busybox] v0.50 (2003.08.12-11:17+0000) Built-in shell (lash)
Enter 'help' for a list of built-in commands.
/ # ls
bin fstab lost+found snmpd.conf var
dev home mnt tmp
etc lib proc usr
/ # exit
OpenRG> flash_layout
Flash layout:
Section 00 Type BOOT Range 0x00000000-0x0013F000 MaxSize 0x0013F000
        No more information.
Section 01 Type FACTORY Range 0x0013F000-0x00140000 MaxSize 0x00000F6C
        Size 0x00000204 Name 'rg_factory'
        Checksum 0x00008FDF Counter 0x000000E2 Start Offset 0x00000000
Section 02 Type IMAGE Range 0x00140000-0x006C0000 MaxSize 0x0057FF6C
        Size 0x0049D100 Name 'Downloaded at: Wed Jan 1 00:01:24 2003'
        Checksum 0x26B2773B Counter 0x000000D8 Start Offset 0x00000000
Section 03 Type FLASH_SECT_BOOTCONF Range 0x006C0000-0x006E0000 MaxSize 0x0001FF6C
        Size 0x00000304 Name 'rg_conf'
        Checksum 0x00017EF1 Counter 0x00000096 Start Offset 0x00000000
Section 04 Type Unknown section type Range 0x006E0000-0x00700000 MaxSize 0x0001FF6C
        Size 0x00000070 Name 'vendor_log'
        Checksum 0x00003E34 Counter 0x00000000 Start Offset 0x00000000
Section 05 Type FLASH_SECT_CONF Range 0x00700000-0x00780000 MaxSize 0x0007FF6C
        Size 0x00001FEB Name 'rg_conf'
        Checksum 0x00104274 Counter 0x000000E7 Start Offset 0x00000000
Section 06 Type FLASH_SECT_CONF Range 0x00780000-0x00800000 MaxSize 0x0007FF6C
        Size 0x00001FFA Name 'rg_conf'
        Checksum 0x00103E32 Counter 0x000000E8 Start Offset 0x00000000
Total 7 sections found.
Returned 0


8. Hardware Info

CPU: Intel IXP425 (unknown MHz). It is a real IXP425, and not a IXP422 (IXP425 sans ADSL components) as previously thought. Update: CPU part number is FWIXP425AB, which appears to imply it's a 266MHz IXP425 A0 stepping chip. Flash: 8MB (64Mbit) Intel StrataFlash (J3?) Update: Intel Strataflash E28F640J3A120 chip. RAM: 32MB (128Mbit x2), PC133 (6ns)

Antenna Jack is RP-SMA

Differences Between production WRV54G and FCC Pictures:

There are four raised feet on the "bottom", and four rubber covers on the "top" (the large flat sides with "Linksys" on them). The 4 screws used to keep it shut are located under the 4 rubber covers on the top. Disassembly and internal pics to follow shortly.

JTAG appears to be J2, standard 20-pin ARM layout. Update: Confirmed. This is a JTAG header. Serial appears to be on J10, a 9 pin header. This is not a standard layout - pin 1 appears to be data from WRV to PC.

8.1. JTAG

J2 is definitely JTAG. It is using the 20-pin standard ARM JTAG pin layout. Pin 1 on this header is on the edge of the board, closest to the LED.

Pinout: (from Intel)

               c[] LED5
       +3.3V -- 1o o2 -- nc
       nTRST -- 3o o4 -- GND
         TDI -- 5o o6 -- GND
         TMS -- 7o o8 -- GND
         TCK -- 9o o10 - GND
         GND - 11o o12 - GND
         TDO - 13o o14 - GND
      nRESET - 15o o16 - GND
          nc - 17o o18 - GND
          nc - 19o o20 - GND

Using the OpenWinCE JTAG application, you can connect it to a wiggler cable and boundary-scan in data to the flash. You will have to modify the PARTS file (/usr/local/share/jtag/intel/PARTS) to include the following line so that jtag can get the right CPU code:

1001001001110111 ixp425 IXP425

Thux, PARTS file looks like: /usr/local/share/jtag/intel/PARTS

# $Id: PARTS,v 1.3 2003/02/13 22:54:38 telka Exp $
# Copyright (C) 2002 ETC s.r.o.
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# Written by Marcel Telka <marcel@telka.sk>, 2002.
# Documentation:
# [1] Intel Corporation, "Intel StrongARM SA-1110 Microprocessor
# Developer's Manual", October 2001, Order Number: 278240-004
# [2] Intel Corporation, "Intel XScale Microarchitecture for the PXA250
# and PXA210 Applications Processors User's Manual", February 2002,
# Order Number: 278525-001

# bits 27-12 of the Device Identification Register
1001001001100001 sa1110 SA1110 # see 16.6.2 in [1]
1001001001100100 pxa250 PXA250 # see 9.4.3 in [2]
1001001001101100 pxa210 PXA210 # see 9.4.3 in [2]
1001001001110100 ixp425 IXP425 # see IXP425 bdsl file from the devel CD
1001001001110111 ixp425 IXP425

If you are using jtag, you'll need to use the cable command first (I have both a Macraigor Wiggler and an Intel JTAG (which works using the EA253 driver). Then you'll need to issue the detect command to scan the bus to find the CPU. YOu can continue with the instruction SAMPLE/PRELOAD, shift lr, shift dr, and dr commands as per the documentation. Or you can just do detectflash to make sure everything is working properly. You might want to issue endian big to switch it to big endian format, since that's what mode the IXP425 runs in. You can use the readmem command to dump the flash.

8.2. Serial Port Notes

JerrittCollord found the following:

Serial Port Pinout

On the WRV-54G board, the 9 pins look like:
(ttyS1 tx) 1 | 0 o | 2  +3.3V
           3 | o o | 4  +3.3V
           5 | o o | 6  GND
(ttyS1 rx) 7 | o o | 8  GND
           9 | o   |
(I've renumbered the pins to the standard pin convention for these connectors)

Using a Radio Shack "FutureDial" USB Mobile Phone Data Cable ("Exclusively for SnapSync, SnapDialer & SnapMedia Software -- Software Sold Separately")

to pin 4.

Using the Digital Nemesis RLC-1 Converter:

I added the power rails to the diagram above since they are needed for the RLC-1 level converter devices from Digital Nemesis--catalogue--the connections between the RLC-1 and the WRV54G are as follows (using the pin numbers from the diagram above):

RLC-1 Pin   |  WRV54G Pin
 1 (white)  |     2  (or 4)
 2 (black)  |     6  (or 8)
 3 (orange) |     1
 4 (green)  |     7
 5 (brown)  |    N/C
 6 (blue)   |    N/C

8.3. Take-Apart Notes

For the purposes of this section, the "top" of the WRV54G is the side that is on the top should the WRV be laid down flat, rather than standing vertically. I.e., the bottom is where the four feet of the WRV is.

On the top, there are 4 rubber pads (which are in the same locations as the 4 rubber feet below), flush with the surface. Pop off each pad using a dull knife blade. Underneath each pad are 4 philips screws. Unscrew them all and remove. The top is now off the WRV.

The bottom is held onto the top by the screws, but the bottom also holds the circuit board in place. Pop the 4 tabs holding the bottom to the circuit board, Now remove the bottom cover slowly and straight out. The middle dark grey section and the circuit board stay together, while the bottom piece is removed as a whole.

Now you're left with the center case, and the circuit board. Simply unplug the antenna cable from the WiFi card, and remove the board.

You'll need to clear up the holes for the JTAG and serial (J10), as well as desolder the soldered grounding side clip of the WiFi board.

8.4. /proc Stuff

Here's stuff in /proc


Processor : Intel XScale-IXP425 rev 0 (v5b)
BogoMIPS : 266.24
Features : swp half thumb fastmult edsp

Hardware : Gemtek IXP425 WX5715
Revision : 0000
Serial : 0000000000000000


dev: size erasesize name
mtd0: 00800000 00020000 "openrg"


        total: used: free: shared: buffers: cached:
Mem: 31490048 25436160 6053888 0 266240 18980864
Swap: 0 0 0
MemTotal: 30752 kB
MemFree: 5912 kB
MemShared: 0 kB
Buffers: 260 kB
Cached: 18536 kB
SwapCached: 0 kB
Active: 1392 kB
Inactive: 18972 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 30752 kB
LowFree: 5912 kB
SwapTotal: 0 kB
SwapFree: 0 kB


hwdmz_conf 7560 0 (unused)
krgldr_module 776 0 (unused)
rg_ipv4 716 0 (unused)
btn 2100 1 [hwdmz_conf]
rg_auth1x_pktfil 5420 0 (unused)
rg_dhcp_pktfil 3364 0 (unused)
rg_bridge 23468 1
ipfilter 97472 0 (unused)
log_chardev 5332 0 [ipfilter]
igmp_proxy_mod 5964 0
ixp425_eth_mod 8536 2
ixp425_csr_init_mod 1708 0 [ixp425_eth_mod]
csr 612040 0 [ixp425_eth_mod ixp425_csr_init_mod]
bsd_comp 4240 0 (unused)
ppp_deflate 44704 0 (unused)
hwdmz 2968 0 [hwdmz_conf]
ixp425_flash_mod 1272 1
kos_lib 14024 9 [rg_ipv4 btn rg_auth1x_pktfil rg_dhcp_pktfil rg
_bridge ipfilter log_chardev igmp_proxy_mod]


<4>Linux version 2.4.19openrg-rmk6-ds1 (root@guava54-Desktop) (gcc version 2.95.
3 20010315 (release/MontaVista)) #68 Fri Aug 29 16:53:28 CST 2003
<4>CPU: Intel XScale-IXP425 revision 0
<4>Machine: Gemtek IXP425 WX5715
<4>Security risk: creating user accessible mapping for 0xc8000000 at 0xff000000
<4>Security risk: creating user accessible mapping for 0xc0000000 at 0xff00c000
<4>Security risk: creating user accessible mapping for 0xc4000000 at 0xff00d000
<4>On node 0 totalpages: 8192
<4>zone(0): 8192 pages.
<4>zone(1): 0 pages.
<4>zone(2): 0 pages.
<4>Kernel command line: console=ttyS1,115200 root=/dev/ram0 rw nohalt
<7>Relocating machine vectors to 0xffff0000
<4>Using IXP425 Timer 0 as timer source
<4>Calibrating delay loop... 266.24 BogoMIPS
<6>Memory: 32MB = 32MB total
<5>Memory: 26580KB available (1361K code, 264K data, 216K init)
<6>XScale Cache/TLB Locking Copyright(c) 2001 MontaVista Software, Inc.
<6>Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
<6>Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
<4>Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
<4>Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
<4>Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
<4>POSIX conformance testing by UNIFIX
<4>PCI Autoconfig: Found Bus 0, Device 1, Function 0
<4>PCI Autoconfig: BAR 0, Mem, size=0x2000, address=0x4bffe000
<6>PCI: bus0: Fast back to back transfers enabled
<6>Linux NET4.0 for Linux 2.4
<6>Based upon Swansea University Computer Society NET3.039
<4>Initializing RT netlink socket
<4>Starting kswapd
<4>Random: 0x2e7bd75d
<4>pty: 256 Unix98 ptys configured
<6>Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI
<6>ttyS00 at 0xff000003 (irq = 15) is a IXP425 UART
<6>ttyS01 at 0xff001003 (irq = 13) is a IXP425 UART
<4>RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
<6>loop: loaded (max 8 devices)
<6>PPP generic driver version 2.4.2
<6>NET4: Linux TCP/IP 1.0 for NET4.0
<6>IP Protocols: ICMP, UDP, TCP, IGMP
<6>IP: routing cache hash table of 512 buckets, 4Kbytes
<6>TCP: Hash tables configured (established 2048 bind 2048)
<6>klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.99
<6>NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
<6>IPv6 v0.8 for NET4.0
<6>IPv6 over IPv4 tunneling driver
<1>802.1Q VLAN Support v1.7 Ben Greear <greearb@candelatech.com>
<1>All bugs added by David S. Miller <davem@redhat.com>
<4>NetWinder Floating Point Emulator V0.95 (c) 1998-1999 Rebel.com
<6>PPP MPPE compression module registered
<5>RAMDISK: Compressed image found at block 0
<6>Freeing initrd memory: 3954K
<4>VFS: Mounted root (ext2 filesystem).
<6>Freeing init memory: 216K
<7>0: offset=0x0,size=0x20000,blocks=64
<4>Using buffer write method
<4>Using predefined MTD partitions.
<5>Creating 1 MTD partitions on "ixp425 Flash":
<5>0x00000000-0x00800000 : "openrg"
<6>PPP Deflate Compression module registered
<6>PPP BSD Compression module registered
<4>Intel CSR module init.
<4>Intel CSR QMGR & NPE(s) init done.
<4>Initializing ixp425_eth driver 0.0.8
<4>PHY 0 MAC address is: 04:04:04:04:04:04
<4>PHY 1 MAC address is: 06:06:06:06:06:06
<4>IPV4 device driver registered
<4>IP Filter: initialized. Default = block all
<4>PHY 1 MAC address is: 00:0c:41:8f:87:2b
<4>PHY 0 MAC address is: 00:0c:41:8f:87:2a
<4>ixp0: Entering promiscuous mode
<6>device ixp0 entered promiscuous mode
<4>STP: ixp0 enters blocking mode
<7>ixp0: no IPv6 routers present
<7>ixp1: no IPv6 routers present
<7>br0: no IPv6 routers present
<4>STP: ixp0 exits blocking mode

/proc/net/dev (Note: eth0 is wireless and isn't shown as I've disabled wireless. Too many APs ATM...)

Inter-| Receive | Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
    lo: 5253 62 0 0 0 0 0 0 5253 62 0 0 0 0 0 0
  sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
  ixp0: 66066 780 0 0 0 0 0 0 681344 1067 0 0 0 0 0 0
  ixp1: 0 0 0 0 0 0 0 0 11628 34 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
   br0: 73193 831 0 0 0 0 0 310 677947 1067 0 0 0 0 0 0


PCI devices found:
  Bus 0, device 0, function 0:
    Co-processor: PCI device 8086:8500 (Intel Corp.) (rev 0).
      Prefetchable 32 bit memory at 0x0 [0xffffff].
      Prefetchable 32 bit memory at 0x1000000 [0x1ffffff].
      Prefetchable 32 bit memory at 0x2000000 [0x2ffffff].
      Prefetchable 32 bit memory at 0x3000000 [0x3ffffff].
      Prefetchable 32 bit memory at 0xff000000 [0xffffffff].
      I/O at 0x0 [0xff].
  Bus 0, device 1, function 0:
    Network controller: PCI device 1260:3890 (Harris Semiconductor) (rev 1).
      IRQ 28.
      Master Capable. Latency=128. Min Gnt=10.Max Lat=28.
      Non-prefetchable 32 bit memory at 0x4bffe000 [0x4bffffff].

8.5. GPIO Information

Here's a preliminary idea of the GPIO assignments for the unit:

   0 - Power LED (a)
   1 - Internet LED
   2 - Power LED (b)
   3 - Factory reset button
   4 - DMZ LED
   5 - SPIS_N
   6 - SPID
   7 - SPIC
   8 - LED (not populated but could be)
   9 - Wireless-G LED
  10 - PCI INTB
  11 - PCI INTA
  12 - SPIQ
  13 - PCI reset
  14 - PCI clock
  15 - IXP expansion bus clock

The SPI bus is connected to the Kendin KS8995M switch chip, which is the managed version and needs to be controlled via SPI. It also needs to be enabled before it can be used over this bus. The hwdmz.o module in the OpenRG release appears to be responsible for starting the switch; hwdmz_conf.o does more advanced things with it (presumably setting up the switch to enable the H/W DMZ feature that the box has as an option).

9. Firmware

9.1. RG Bootloader

The OpenRG bootloader is another Linux kernel it appears, which boots into a restricted version of OpenRG that does a few things. To extract the bootloader, you'll need to get a copy of the flash contents (via JTAG or using flash_dump command.

The kernel is located at offset 12516 in the image:

dd if=wrv.bin of=rgkernel.gz bs=12516 skip=1
gzip -d rgkernel.gz

The filesystem appears to be located at offset 597048 in the image"

dd if=wrv.bin of=rd.img.gz bs=597048 skip=1
gzip -d rd.img.gz

Filesystem Contents (the other directories (/bin, /etc, etc) are either empty, or just contain symlinks to the files found here):


total 29
drwxrwxr-x 2 root root 1024 Aug 6 21:20 bin
drwxrwxr-x 2 root root 4096 Aug 6 21:20 dev
drwxrwxr-x 2 root root 1024 Aug 6 21:20 etc
-rw-rw-r-- 1 root root 32 Feb 21 2001 fstab
drwxrwxr-x 3 root root 1024 Aug 6 21:20 lib
drwx------ 2 root root 12288 Aug 6 21:20 lost+found
drwxrwxr-x 4 root root 1024 Aug 6 21:20 mnt
drwxrwxr-x 2 root root 1024 Aug 6 21:20 proc
drwxrwxrwx 2 root root 1024 Aug 6 21:20 tmp
drwxrwxr-x 6 root root 1024 Aug 6 21:20 var


none /proc proc defaults 0 0


total 362
drwxrwxr-x 2 root root 1024 Aug 6 21:20 .
drwxrwxr-x 5 root root 1024 Aug 6 21:20 ..
-rwxr-xr-x 1 root root 60368 Aug 6 21:20 busybox
-rwxrwxr-x 1 root root 3156 Aug 6 21:20 init
-rwxrwxr-x 1 root root 299656 Aug 6 21:20 main_task


total 30
drwxrwxr-x 2 root root 1024 Aug 6 21:20 .
drwxrwxr-x 5 root root 1024 Aug 6 21:20 ..
-rw-rw-r-- 1 root root 8 Feb 21 2001 hhl-arch
-rw-rw-r-- 1 root root 3025 May 14 2001 inetd.conf
-rw-rw-r-- 1 root root 158 Mar 15 2001 modules.conf
-rw-rw-r-- 1 root root 1050 Feb 21 2001 nsswitch.conf
-rw-rw-r-- 1 root root 1186 Feb 21 2001 protocols
-rw-rw-r-- 1 root root 21 May 22 2002 resolv.conf
-rw-rw-r-- 1 root root 1595 Feb 21 2001 rpc
-rw-rw-r-- 1 root root 11191 May 14 2001 services
-rw-rw-r-- 1 root root 4404 Apr 12 2001 termcap


total 3
drwxrwxr-x 3 root root 1024 Aug 6 21:20 .
drwxrwxr-x 5 root root 1024 Aug 6 21:20 ..
drwxrwxr-x 2 root root 1024 Aug 6 21:20 modules


total 321
drwxrwxr-x 2 root root 1024 Aug 6 21:20 .
drwxrwxr-x 3 root root 1024 Aug 6 21:20 ..
-rw-rw-r-- 1 root root 263364 Aug 6 21:20 csr.o
-rw-rw-r-- 1 root root 3268 Aug 6 21:20 ixp425_csr_init_mod.o
-rw-rw-r-- 1 root root 13308 Aug 6 21:20 ixp425_eth_mod.o
-rw-rw-r-- 1 root root 2752 Aug 6 21:20 ixp425_flash_mod.o
-rw-rw-r-- 1 root root 33884 Aug 6 21:20 kos_lib.o
-rw-rw-r-- 1 root root 1804 Aug 6 21:20 krgldr_module.o
-rw-rw-r-- 1 root root 1788 Aug 6 21:20 rg_ipv4.o

Bare minimum filesystem. There's not even a shell!

Interesting boot script in the bootloader's main_task executable:

      (description(LAN Ethernet))
      (description(LAN Ethernet 2))
    (tz_name(Greenwich Mean Time))
    (release(Aug 7 2003))



9.2. Firmware 2.10 notes

The telnet server is now disabled - no checkbox to enable it either.

A configuration file can now be saved/reloaded - it's plaintext, we should be able to tweak it (maybe re-enable telnet?)

WPA support is included, untested as of yet.

SNMP still doesn't work as far as I can tell.

No telnet obviously means no shell, so we either have to hack this firmware image, re-enable it via a config file tweak or exploit the HTTP server in some way.

nmap TCP scan output from internal LAN:

Port State Service
80/tcp open http
443/tcp open https
2555/tcp open unknown
8080/tcp open http-proxy
8443/tcp open unknown
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.168 days (since Mon Dec 22 19:37:10 2003)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3606371 (Good luck!)
IPID Sequence Generation: All zeros

TCP port 2555 appears to be the UPnP HTTP server. The other ports are all the GUI.

adam at rift dot com

9.3. Linux 2.6.13 kernel + jffs2 + 2 miniPCI slot working

More at phj.hu, wrv54g.


LinksysWrv54g (last edited 2008-04-13 16:36:47 by localhost)