NetgearAccessPoint

Description

NETGEAR WG602 54Mbps Wireless Access Point

WG602 v1, NetgearWG602v2 and NetgearWG602v3 hardware versions are known. The firmware is not interchangeable between them!

NETGEAR WG602 54Mbps Wireless Access Point review at Tom's Guide.

Hardware

Software

Linux 2.2.14, prism54.org driver

Mini-PCI card Intersil 54g (3890)

Netgear GPL

Serial Console

The serial console is available on J4 (the row of 10 pins nearest to the mini-PCI connector). The pinout is as follows:

   1     GND
   2     Vcc
   3     Data In   [from RS232 -> CPU]
   4     N/C
   5     Data Out  [from CPU -> RS232]
   6     N/C
   7     N/C
   8     N/C
   9     N/C
  10     N/C

The signals are logic level, so a level converter such as the RLC-1 from the Digitalnemesis catalogue will be needed. If you use the RLC-1, you can carefully extract the "pins" from the plastic housing and re-arrange them to match the arrangement above. On the RLC-1 I had, the colour mapping ended up like this:

   1     Black
   2     White
   3     Green
   4     N/C
   5     Orange
   6     N/C

Pins 7 through 10 are not needed, so the 6 pin housing (and a corresponding 6 pin header) will work okay. I just cut the RTS & CTS lines off (blue & brown wires on my RLC-1).

The console settings are 9600, 8N1.
You will need the same username & password as the web interface to get in.
Once in, you will have the OpenRG prompt that is available via Telnet (if your firmware version includes the telnetd process); type shell to get a regular Busybox shell prompt.

Telnet Console

see Getting a Telnet Console on the NetgearWGR614

Hacking

The BSDL from IDT can help us get JTAG access on this box. Unfortunately, the JTAG port cannot be used for simply flashing the ROM, as is possible with other devices whose JTAG gives direct access to the data and address lines going to the flash. The MIPS integrated processor used in the WG602 actually consists of a CPU core and an interface controller, each with its own JTAG interface. They share the same lines, but a select signal is needed to choose the appropriate JTAG interface, and that line is unfortunately not brought out on the WG602. To reach the external data and address lines one would need the JTAG interface of the system controller, but on the WG602 we can only access the (E)JTAG interface of the CPU core. However, this interface can be used for debugging, and we might be able to use it to run our own externally-held program, which in turn might be able to flash the ROMs.

There's Telnet running, but I don't have a box. Is it the prism54.org driver running there with iwconfig tools?
Answer: Yes, it is, although it is a preliminary version which was built before the prism54.org driver became publicly available.

We need to have the bootloader. The bootloader sends a strange ARP request on bootup, asking for a specific IP address while being pingable on that same address at the same time.

When booted with the reset button pressed, the behaviour is a bit different: the WG602v1 tries to download an image file from 192.168.1.98 via TFTP. It tries to download three different files, but the format of these image files, named "idtrom", "config.bin" and "image.idts334", is unknown. We need more info. "image.idts334" may be a standard firmware image, the one you can download from the Netgear website, which starts with a header of '0939146708WG-602' followed by a lot of unknown bytes. See also here
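As an added example (my own code, not from this page, Netgear or IDT), the following Python helper decodes the TFTP read request that a WG602v1 in recovery mode sends for "idtrom", "config.bin" or "image.idts334", sanity-checks a candidate image against the '0939146708WG-602' header quoted above before it is offered to the box, and splits it into the 512-byte DATA blocks a TFTP server would send back. Assumptions that are mine and not stated on the page: the bootloader requests files in "octet" mode, and everything after the 16-byte header is treated as opaque payload. The sample packets are constructed inline.

```python
"""TFTP recovery-request decoder and firmware header check for the WG602v1.

Added example (not from the wiki page, Netgear or IDT). Only the 16-byte
header '0939146708WG-602' is known from the page; the rest of the image is
treated as opaque. The "octet" transfer mode is an assumption.
"""
import struct

# Known header of the stock WG602 firmware, as quoted on the page.
WG602_MAGIC = b"0939146708WG-602"

# Filenames the WG602v1 bootloader asks for over TFTP (from the page).
RECOVERY_FILES = ("idtrom", "config.bin", "image.idts334")

# TFTP opcodes and block size from RFC 1350.
TFTP_RRQ = 1
TFTP_DATA = 3
TFTP_ACK = 4
TFTP_BLOCK = 512


def parse_rrq(packet: bytes):
    """Decode a TFTP read request: opcode(2) | filename NUL | mode NUL."""
    if len(packet) < 4:
        raise ValueError("packet too short for TFTP")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != TFTP_RRQ:
        raise ValueError(f"not a read request (opcode {opcode})")
    fields = packet[2:].split(b"\0")
    # filename, mode, and the empty tail after the final NUL
    if len(fields) < 3:
        raise ValueError("malformed RRQ: missing NUL terminators")
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    return filename, mode


def is_recovery_request(packet: bytes) -> bool:
    """True if the packet is an RRQ for one of the bootloader's three files."""
    try:
        filename, _ = parse_rrq(packet)
    except ValueError:
        return False
    return filename in RECOVERY_FILES


def check_image(image: bytes):
    """Return a list of problems found in an image.idts334 candidate.

    An empty list means the known header is present and a payload follows.
    Anything beyond that cannot be checked, since the format is unknown.
    """
    problems = []
    if not image.startswith(WG602_MAGIC):
        problems.append("missing 0939146708WG-602 header")
    if len(image) <= len(WG602_MAGIC):
        problems.append("no payload after header")
    return problems


def data_blocks(image: bytes):
    """Split an image into TFTP DATA packets, block numbers starting at 1.

    The transfer ends with a block shorter than 512 bytes, so an image whose
    size is a multiple of 512 gets a trailing empty DATA packet.
    """
    packets = []
    n_full, _rem = divmod(len(image), TFTP_BLOCK)
    for i in range(n_full + 1):  # always one trailing short (maybe empty) block
        chunk = image[i * TFTP_BLOCK:(i + 1) * TFTP_BLOCK]
        packets.append(struct.pack("!HH", TFTP_DATA, (i + 1) & 0xFFFF) + chunk)
    return packets


if __name__ == "__main__":
    # Constructed sample: the RRQ a recovering WG602v1 would send.
    rrq = b"\x00\x01" + b"image.idts334\x00" + b"octet\x00"
    print("request:", parse_rrq(rrq), "recovery:", is_recovery_request(rrq))
    # Constructed sample image: known header plus 1008 opaque bytes.
    sample = WG602_MAGIC + b"\xff" * 1008
    print("problems:", check_image(sample))
    print("blocks to send:", len(data_blocks(sample)))
```

Run it on a real image by replacing the constructed sample with the file contents; `check_image` only tells you the header is present, which is a cheap guard against serving the wrong file to a box that will try to write whatever it receives.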

The IDT devboard (name xxx) is distributed with sources, so we can probably use them to recompile everything.

79RC32334 BSDL

Sources of IDT devboard

For kernel 2.6.14

 lftp ftp2.idt.com
 user: apps
 pass: 29apps28
 cd /pub
 get linux.txt
 cat linux.txt
 cd LINUX26
 get idt_linux26_docs.tar.bz2 initrd.linux-2.6.14.tar.bz2 linux-2.6.14.tar.bz2 mipstools.tar.bz2 mipseltools.tar.bz2

For kernel 2.4.18

 lftp ftp2.idt.com
 user: apps
 pass: 29apps28
 cd /pub
 get linux.txt
 cat linux.txt
 cd LINUX
 get idt_linux_docs.tar.gz initrd.linux-2.4.18.tar.gz linux-2.4.18.tar.gz mipstools.tar.bz2 mipseltools.tar.bz2

The WG602v1 firmware is little-endian, so only the mipseltools toolchain should be necessary. Kernel 2.6.14 does not compile with gcc 4; it requires gcc 3.

Upcoming Custom Firmware

kju has managed to reverse engineer most of the WG602 internals. A custom kernel (v2.6.6) has already been successfully booted, but currently some problems remain with the initial console.

kju, please share what you found out!

Edit of September 2010: After 2 years, kju never left any info to the public. The main problem is how to put a compiled kernel+initrd image inside a WG602v1. See the Hacking section.

How did kju do it?

Here's the kju bootlog:

Launch OpenRG....

Uncompressing Linux...
Ok, booting the kernel.
Linux version 2.6.6-idt20040702 (kju@teriyaki) (gcc version 2.96-sdelinuxmips-040127) #15 Wed Dec 8 17:48:48 CET 2004
CPU revision is: 00001800
Determined physical RAM map:
 memory: 00fb0000 @ 00000000 (usable)
On node 0 totalpages: 4016
  DMA zone: 4016 pages, LIFO batch:1
  Normal zone: 0 pages, LIFO batch:1
  HighMem zone: 0 pages, LIFO batch:1
Built 1 zonelists
Kernel command line: console=ttyS0,9600 root=/dev/nfs nfsroot=192.168.1.98:/wg602 ip=192.168.1.68:192.168.1.98
Primary instruction cache 8kB, physically tagged, 2-way, linesize 16 bytes.
Primary data cache 2kB 2-way, linesize 16 bytes.
Initializing IRQ's: 88
PID hash table entries: 64 (order 6: 512 bytes)
calculating r4koff... 000b71b0(750000)
CPU frequency 150.00 MHz
Using 75.000 MHz high precision timer.
Memory: 8360k/16064k available (1841k kernel code, 7684k reserved, 393k data, 96k init, 0k highmem)
Calibrating delay loop... 149.50 BogoMIPS
Dentry cache hash table entries: 1024 (order: 0, 4096 bytes)
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Checking for 'wait' instruction...  unavailable.
POSIX conformance testing by UNIFIX
NET: Registered protocol family 16
Can't analyze prologue code at 806cb2e8
Initializing PCI
JFFS2 version 2.2. (C) 2001-2003 Red Hat, Inc.
Serial: 8250/16550 driver $Revision: 1.90 $ 6 ports, IRQ sharing disabled
ttyS0 at MMIO 0xb8000800 (irq = 37) is a 16550A
8139too Fast Ethernet driver 0.9.27
eth0: RealTek RTL8139 at 0x18800000, 00:09:5b:41:00:f5, IRQ 6
Loaded prism54 driver, version 1.2
Using anticipatory io scheduler
NET: Registered protocol family 2
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 512)
NET: Registered protocol family 1
NET: Registered protocol family 17
eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
IP-Config: Guessing netmask 255.255.255.0
IP-Config: Complete:
      device=eth0, addr=192.168.1.68, mask=255.255.255.0, gw=255.255.255.255,
     host=192.168.1.68, domain=, nis-domain=(none),
     bootserver=192.168.1.98, rootserver=192.168.1.98, rootpath=
Looking up port of RPC 100003/2 on 192.168.1.98
Looking up port of RPC 100005/1 on 192.168.1.98
VFS: Mounted root (nfs filesystem) readonly.
Freeing unused kernel memory: 96k freed


CategoryAccessPointHardware

NetgearWG602 (last edited 2012-04-10 19:07:19 by stgt-5f70abf6)