Description

NETGEAR WGR614 54Mbps Wireless Router

http://support.netgear.com/images/wgr614v6_tcm122-53072.jpg

Hardware

v1

Beginning the investigation into WGR614v1 hardware...

Here is a Korean page that likely has some info. The pictures closer to the bottom of the page that show the heatsinks removed are most telling. The 14-pin JTAG connector labeled JP1 is partially obscured by the antenna clip next to the reset button. The 12-pin serial connector from later hardware is nowhere to be found, but there is a 4-pin connector labeled JP2 that may or may not be serial. The netgear.cfg file this unit saves contains nothing human-readable. The MSP2007 chip pictured on the Korean page is now talked about on this wiki page. Google translation of the Korean page seems to indicate that the unit has 1MB flash and 4MB RAM.

The firmware images Netgear distributes for use with the upgrade function from the browser-based interface replace the entire contents of the 1MB flash chip, but they are compressed. To convert such an image to a raw form suitable for JTAG, use the following code, as "./a.out < inputfile.img > outputfile.bin" once compiled.

#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#define stringify(x) #x
#define tryme(x) if ((x)<0) { perror(stringify(__LINE__)); exit(1); }
int main(void){
        tryme(lseek(0,512,SEEK_SET));
        while(1){
                unsigned char buf[65536];
                off_t off;
                size_t len;
                ssize_t num;
                tryme(num=read(0,buf,6));
                if (!num) return 0;//no, processing did NOT fail; this means a SUCCESSFUL operation
                errno=EINVAL;
                tryme((num==6)-1);
                off=(buf[0]<<24)|(buf[1]<<16)|(buf[2]<<8)|(buf[3]);
                len=(buf[4]<<8)|(buf[5]);
                tryme(num=read(0,buf,len));
                errno=EINVAL;
                tryme((num==len)-1);
                tryme(lseek(1,off,SEEK_SET));
                tryme(write(1,buf,len));
        }
}
/*
Some programming novice saw the above (which works correctly out-of-the-box), and not only thought
the following code was better, but also thought that it could somehow work correctly. S/he should
learn how to read bad code better...

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char* argv[]){
        int fdi = open(argv[1], O_RDONLY);
        int fdo = open(argv[2], O_WRONLY | O_EXCL | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
        lseek(fdi,512,SEEK_SET);
        while(1){
                unsigned char buf[65536];
                off_t off;//unsigned long
                size_t len;//unsigned int
                ssize_t num;//signed int
                num=read(fdi,buf,6);
                if (!num) return 0;//einlesen fehlgeschlagen
                (num==6)-1;
                off=(buf[0]<<24)|(buf[1]<<16)|(buf[2]<<8)|(buf[3]);
                len=(buf[4]<<8)|(buf[5]);
                num=read(fdi,buf,len);
                (num==len)-1;
                lseek(fdo,off,SEEK_SET);
                write(fdo,buf,len);
        }
}*/

Stay tuned for more...

v2

Confirmed that the serial interface works on the WGT 624 v2 unit as described below, using inverters in RS232 TX and RX data lines. Superusername and password were not changed. These are also visible in the netgear.cfg back-up file that can be made from the http interface. Apply a long word (4 bytes) byte swap to change Little/Big-endian and make this readable on a x86 machine. The config file 'apcfg', accessible via FTP, can be edited when one makes sure that Byte count and Checksum at the end are corrected. Byte count applies to the bytes up to and including the period before 'Bytes'. Checksum applies to the bytes up to and including the period just before 'checksum'. I used 'Hex workshop' that provides the counts. In wla directory the ftp routine can be invoked to load up and down the various files. Had hoped to be able to activate Telnet by changing the Disable into Enable, but no change noted. Also tried Timeout from 0 to 180, and that has an effect on e.g. the serial connection going to sleep after 3 minutes. Not being a VxWorks expert I have not figured out yeat how to get telnet to respond from port 23. Further suggestions appreciated!

v3

Pic of circuit board in high res http://www.linux-hacker.net/misc/wgr614v3.jpg
Other hardware info http://www.linux-hacker.net/cgi-bin/UltraBoard/UltraBoard.pl?Action=ShowBoard&Board=RG

Seems to run from 10V to 20V input at about 3W draw. Internal 3.5V power drops off at < 5V input, wireless won't come up till 10V is applied for some reason. Solar power or car battery operation is possible with this box.

v4

is based on a Marvell Semiconductors 88W8510 802.11g baseband chip (with an ARM9 core) and an 88E6060 fast ethernet MAC/switch.

v5

v6

Software

Netgear GPL: http://kbserver.netgear.com/kb_web_files/open_src.asp
WGR614 downloads: http://kbserver.netgear.com/products/WGR614.asp

Serial Console

Confirmed that this is correct for the internal serial port (on a v3 box, go look at pic) (also confirmed for a v2 & v5 box).

Username / default password is not known! I tried all the typical, "netgear", "netman", "admin", "console", "root", "system", and so on.

Please call 1-888-NETGEAR and bug them till they give us the default username and password for the serial debug console!

The serial console is available on (the row of 12 pins to the right side in the picture). The pinout is as follows:

   1     3.5V
   2     3.5V
   3     Data In   [from RS232 -> CPU] (3V logic levels)
   4     N/C
   5     N/C
   6     N/C
   7     N/C
   8     N/C
   9     Data Out  [from CPU -> RS232]
  10     N/C
  11     Gnd
  12     Gnd

I used a 74HC14 chip, VCC and GND were connected to use the 3.5V. I dangerously connected the TX and RX pins from my laptop directly to the in/out of two inverters on the chip and it worked! Most laptops can handle 5v like levels on the RS-232 pins (no -V needed GND is good enough), I used minicom (laptop with Linux) set to 9600 8N1 and no hardware handshaking. I didn't care at 3V on a 35 cent chip and it just works. Remember that there are some protections on the RS-232 port and resistors for protection plus the current we are talking about here is very low and well within RS232 spec and the chip would probably be first to go anyway and it's inputs are probably diode protected, it's been running now for more than 3 hours. I don't know why I have to explain myself here, don't you people try stuff anymore or does it have to be perfect and store bought? So put a resistor (10K ?) and/or a clamping diode (for -V) on the TX side into the HC14 chip if you are so worried, but don't go pay for some converter board unless you are really stupid.

I will post the startup text that comes out at boot soon.

The console settings are 9600, 8N1. Username is "Gearguy" and password is "Geardog". Once in, you will have a logon. Type 'windsh' to get a regular VxWorks shell.

Hacking

What looks like a jtag port is the 14 pin connector near the WAN port.

The following are notes from the WG602 page and may apply:

may apply, may apply, it's just info that may apply, the word is MAY

The BSDL of IDT can help us to have JTAG access on this box.

There's telnet running, but I don't have a box. Is it the prism54.org driver running there with iwconfig tools?

The config file of a v5 can be read as plaintext, but there is a checksum that looks like it is somewhere in the first 40 bytes... anyone able to figure out what this checksum is calculated based on? (Maybe someone with a working serial connection can find this out). Without a good checksum the router won't load a hand-edited config file.

If we can edit the config file on the v5, perhaps we can change "clidebug" to 1 and get telnet access?

We need to have the booter...

The IDT devboard name xxx is distributed with sources, so we can probably use it to recompile the whole stuff...

The NTP server address can be changed from the default one (12.7.210.243, which seems to go down frequently as of 2008/10/13) by using the Telnet Console below, going to the sntp "directory" (where commands are server, gettime, timezone) and entering "server 192.43.244.18" (for example) and then press enter. Check by typing "server" and then test with "gettime" to make sure that server is working.

Telnet Console

Some Netgear routers run a telnet daemon which can be accessed from any computer on its local subnet after unlocking it (see below). The following devices are currently known or assumed to support this:

Please add to this list, so people will know which are supported and which are not!

Unlocking the Telnet Cosole

On Windows

Netgear provides a developer tool for unlocking the console access from a Windows client. Windows NT and later versions are assumed to work, administrator privileges are required. This was successfully tested on Windows XP SP2.

Here's the process:

telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog

Correct character case is important here.

U12H02900>

On Un*x

Netgear uses free software to make their products, but has not provided information or free software tools to enable them to be used. One needs to either use the Windows binary-only program or reverse engineer its operation in order to discover what magic packets Netgears' tool sends to the router to enable the telnet interface.

Unfortunately, there is no ready to go tool for Un*x, - yet. However, thanks to yoshac_at_member_dot_fsf_dot_org the following could be determined on the data format and transforms performed by Netgears' telnetEnable.exe and a work is in progress to implement the entire tool as open source. See OpenWrt Wiki for C code to generate the enable packet, which can be sent to the Netgear using the (Linux) nc command.

A probe packet is built using the data supplied on the command line, and is then signed using the RCA MD5 hashing algorithm. After signing, the entire probe packet is encrypted using the Blowfish algorithm, using a private key.

The probe packet payload format is as follows:

struct payload
{
char signature[0x10];
char mac[0x10];
char username[0x10];
char password[0x10];
char reserved[0x40];
}

The above payload format is transformed by the tool algorithms as follows:

The MD5 checksum is calculated for the contents of the probe payload MAC, username and password fields only, and is done using the normal 3 passes (MD5init, MD5update, MD5final) with the default RCA seed. The resulting 16 byte MD5 checksum/hash is then stored into the signature array of the probe payload.

The entire probe payload (including the reserved area, which is always null for this example) is then ENCRYPTED using the blowfish algorithm. The secret key used for the blowfish encyption is: AMBIT_TELNET_ENABLE but prior to encryption, a '+' followed by the password is appended to the secret key.

The encrypted probe packet is then sent to telnet port (23) on the router using raw TCP sockets in the standard manner. Curiously, the telnetenable.exe program also includes the necessary support to decode packets incoming from the router, but there does not appear to be any two-way handshake implemented, it is simple a raw TCP send from the client to the router.

Note: The encrypted probe packet is sized as char output_Buf[0x640] but only an encoded data length of size of 0x80 appears to be used by the code. It is unknown what other capabilities may be similarly enabled via the 'reserved' field, or by other passwords.

[ Source code for a 'C' re-implementation of these algorithms has been released by yoshac under the GPL, for use as the basis of a Un*x version of the tool currently in development. Instructions and download here: http://seattlewireless.net/telnetenable.c ]

Sources of IDT devboard

 lftp ftp2.idt.com
 user: apps
 pass: 29apps28
 cd /pub
 get linux.txt
 cat linux.txt
 cd LINUX
 get idt_linux_docs.tar.gz initrd.linux-2.4.18.tar.gz linux-2.4.18.tar.gz mipstools.tar.bz2 mipseltools.tar.bz2

Hmmm... This device is Broadcom BCM47xx based, not IDT.

Boot up log for v5

CFE ver 1.0.1(Top) Wed Jun 30 07:26:46 CST 2004
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 2004.4.28.0
Decompressing... \muxDevLoad failed for device entry 1!
muxDevLoad failed for device entry 2!
muxDevLoad failed for device entry 4!
Failed to attach to device Attaching interface lo0...done
BCM47xx VxWorks BSP - Jul 23 2004 14:08:58
Flash : MX29LV800B 1Mx8 TopB
pinglib init
configure vlans
configure vlans...done
0x807ffdf0 (): task deadCan't attach unknown device  (unit 0).
Enable wan port ok!
CC module initialized successfully

WAN Initialisation                                 [SUCCESS]

 PPTP Initialised
Firewall INIT completed
AD Init completed FW initalized
IGWIpRsmInit():  ....End
 vxBitsInit
add interface mirror0
DNS redirect INIT
in abRegisterInputHook inputPktHook: 80214788
add interface mirror0
add interface et0
add interface mirror0
add interface et0
BlockSides keywords WebAppControl add successfully

Syslog configuration successfully updated
Info: No FWPT default policies.
DHCPS: init dhcps: devname=mirror0
DHCPS:Set the default Lease Time to 86400
Set option ACOS_DHCP_OPT_ROUTER to 192.168.5.1:
Set option ACOS_DHCP_OPT_DNS_SERVER to 204.127.202.19:216.148.227.79:
Set option ACOS_DHCP_OPT_NNTP_SERVER to wan:
NAS task tNASlan started.
Login: add interface mirror0
add interface et0
add interface et0
add interface mirror0
add interface et0

Login: Gearguy
Password: *******
U12H02900> ?

Commands are:

bridge         ddns           exit           firewall       ip
lan            passwd         reboot         save           show
sntp           uptime         version        wan            web
wlan

 '..'    return to previous directory

U12H02900> version
Release version : Netgear Wireless Router WGR614v5
                  U12H02900/V1.0.3RC7/1.0.3
         Time   : Jul 23 2004, 14:09:03


v9 Info

The TelnetEnable tool above worked to enable telnet on the v9 of this router. However, once logged in via telnet it was clear this router runs Linux instead of VxWorks:

BusyBox v0.60.0 (2008.09.30-11:37+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

#

Some other interesting things about the hardware:

# cat /proc/cpuinfo
system type             : Broadcom BCM5354 chip rev 3
processor               : 0
cpu model               : BCM3302 V2.9
BogoMIPS                : 237.56
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned_instructions  : 0
dcache hits             : 0
dcache misses           : 0
icache hits             : 0
icache misses           : 0
instructions            : 0

# cat /proc/version
Linux version 2.4.20 (max@coolteam.cs) (gcc version 3.2.3 with Broadcom modifications) #415 Tue Sep 30 19:37:11 CST 2008

# ifconfig
br0       Link encap:Ethernet  HWaddr 00:24:B2:05:82:1C
          inet addr:10.4.1.250  Bcast:10.4.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5554437 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62147 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:864879780 (824.8 Mb)  TX bytes:26569296 (25.3 Mb)

eth0      Link encap:Ethernet  HWaddr 00:24:B2:05:82:1D
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:52329319 errors:80 dropped:0 overruns:16 frame:16
          TX packets:35048069 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:676672517 (645.3 Mb)  TX bytes:2763290538 (2635.2 Mb)
          Interrupt:4 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr 00:24:B2:05:82:1C
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34842434 errors:3 dropped:0 overruns:0 frame:38345588
          TX packets:51867406 errors:780308 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2485129592 (2370.0 Mb)  TX bytes:679073760 (647.6 Mb)
          Interrupt:13 Base address:0x5000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vlan0     Link encap:Ethernet  HWaddr 00:24:B2:05:82:1C
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:52329320 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34819401 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4029712168 (3843.0 Mb)  TX bytes:2628375886 (2506.6 Mb)

vlan1     Link encap:Ethernet  HWaddr 00:24:B2:05:82:1C
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

I was able to copy the flash filesystems by doing the following once logged in:

# cd /dev/mtdblock
# tftp put 0 x.x.x.x:/mtdblock0
# tftp put 1 x.x.x.x:/mtdblock1
# tftp put 2 x.x.x.x:/mtdblock2
# tftp put 3 x.x.x.x:/mtdblock3
# tftp put 4 x.x.x.x:/mtdblock4
# tftp put 5 x.x.x.x:/mtdblock5

mtdblock2 contains the root filesystem which is squashfs, you can mount it under linux by doing:

# mount -o loop /root/mtdblock2 /mnt/netgearmtd2/
# cd /mnt/netgearmtd2
# ls -al

total 0
drwxrwxr-x 1 503 503  112 Sep 30  2008 bin
drwxrwxr-x 1 503 503    0 Sep 30  2008 dev
drwxr-xr-x 1 503 503   51 Sep 30  2008 etc
drwxr-xr-x 1 503 503   87 Sep 30  2008 lib
drwxrwxr-x 1 503 503    0 Sep 30  2008 mnt
drwxrwxr-x 1 503 503    0 Sep 30  2008 proc
drwxrwxr-x 1 503 503  241 Sep 30  2008 sbin
drwxrwxr-x 1 503 503    0 Sep 30  2008 tmp
drwxr-xr-x 1 503 503   29 Sep 30  2008 usr
lrwxrwxrwx 1 503 503    7 Sep 30  2008 var -> tmp/var
drwxr-xr-x 1 503 503 2969 Sep 30  2008 www
#

Another interesting thing appears to be the configuration stored on one of the flash blocks. I am not sure exactly what the format is, but it is pretty readable thanks to "strings":<br>

FLSH $
wl_radius_port=1812
wlan_acl_dev24=
wlan_acl_dev25=
opo=8
wlan_acl_dev26=
wan_unit=0
wlan_acl_dev27=
os_ram_addr=80001000
wla_temp_ssid=<REDACTED>
wlan_acl_dev28=
wan_route=
bs_trustedip=10.4.1.0
wla_region=11
wlan_acl_dev29=
wl0_frameburst=off
wla_repeater=0
potValue=4320
bs_keywords=
bs_enable=0
log_ipaddr=
boardrev=0x11
il0macaddr=00:24:B2:05:82:1C
br0_ifnames=vlan0 eth1
wl_nctrlsb=none
ddns_enable=0
wla_temp_key1=
et0macaddr=00:24:B2:05:82:1C
wl0_leddc=0x640000
wiz_dhcp_wait_time=5
wla_temp_passphrase=
wla_temp_key2=
wla_temp_key3=
wl_maxassoc=128
wla_temp_key4=
wl0_akm=psk psk2
boot_wait=off
watchdog=3000
pptp_idletime=5
wl_leddc=0x640000
wl_phytypes=
wl0_infra=1
fw_disable=0
et0mdcport=0
wl0_country_code=US
pppoe_keepalive=1
wla_wds_ptp_mac=
ddns_wildcard=0
rip_multicast=1
wl_infra=1
bxa2g=1
run_test=0
reset_gpio=7
wlan_acl_dev30=
pmon_ver=CFE 4.139.1.0
restore_defaults=0
wlan_acl_dev31=
wan_lease=86400
wl0_nctrlsb=none
wl0_wme_sta_be=15 1023 3 0 0 off off
wsc_device_pin=12345670
wl_wme_apsd=on
bs_trustedip_temp=10.4.1.0
ddns_hostname=
wl_radius_ipaddr=
http_wanport=
buildin_registrar=0
upnp_DHCPServerConfigurable=1
wl0_ifname=eth1
wla_xr=Enable
lan_domain=
timer_interval=3600
wl0_wme_sta_bk=15 1023 7 0 0 off off
pptp_username=
wl_net_reauth=36000
forward_port0=
wla_temp_enable=enable_ap
pppoe_mtu=1492
upnp_advert_period=30
vlan0ports=1 2 3 4 5*
dhcp_devname=
filter_rule_tbl=
lan_route=
fw_email_email_enable=0
schedule_daylightadjust=0
wl0_mrate=0
wla_secu_type=WPA-AUTO-PSK
wan_gateway=0.0.0.0
wl0_mode=ap
dhcp_start=10.4.1.240
wan_hwaddr_sel=0
wl0_ap_isolate=0
wl_mrate=0
dhcp_end=10.4.1.249
ntp_update_interval=86400
wl_akm=psk psk2
os_flash_addr=bfc40000
sromrev=3
wl0_gmode=1
wl0_wme_no_ack=off
wla_wds_enable=0
wla_temp_region=11
pptp_passwd=
boardtype=0x048e
is_default=1
wl_gmode=1
et1macaddr=00:24:B2:05:82:1D
wl0_nband=2
stats_server=
wan_status=down
wla_auth_type=automatic
static_route=
ver_check_ftp_password=WGR614V9@
bs_enable_temp=0
wl0_nreqd=0
ver_check_enable=1
lan_netmask=255.255.255.0
wl_nband=2
wl_wme_sta_vi=7 15 2 6016 3008 off off
http_username=admin
wl0_ssid=<REDACTED>
wl0_dtim=3
wan_ipaddr_old=0.0.0.0
super_passwd=Geardog
wl_wme_ap_be=15 63 3 0 0 off off
wl_nreqd=0
pptp_serv_ip=10.0.0.138
http_rmenable=0
os_date=Sep 30 2008
wl0_dfs_preism=60
http_lanport=80
wl_wme_sta_vo=3 7 2 3264 1504 off off
wl_plcphdr=long
wan_hwaddr2=00:24:B2:05:82:1D
wl_macmode=disabled
wl_wme_ap_bk=15 1023 7 0 0 off off
wlan_acl_dev0=
wan_domain=
wan_hwname=
wl_phytype=b
wlan_acl_dev1=
wan_netmask=0.0.0.0
lan_lease=86400
wl0id=0x4318
wl0_key1=
wl_lazywds=0
wlan_acl_dev2=
wl0_key2=
wl0_vlan_prio_mode=off
wl_dfs_postism=60
wlan_acl_dev3=
wl0_key3=
wlan_acl_mac0=
wlan_acl_dev4=
wl0_key4=
wla_temp_broadcast=ssid_bc
wlan_acl_mac1=
wlan_acl_dev5=
filter_client0=
wlan_acl_mac2=
wlan_acl_dev6=
filter_maclist=
inbound_record=
pptp_conn_id=
wl_auth_mode=none
wlan_acl_mac3=
wlan_acl_dev7=
wlan_acl_mac4=
wlan_acl_dev8=
wlan_acl_mac5=
wlan_acl_dev9=
wlan_acl_mac6=
wlan_acl_mac7=
bpa_passwd=
http_rmstartip=0.0.0.0
http_passwd=password
wl_wpa_psk=<REDACTED>
wlan_acl_mac8=
ag0=2
wlan_acl_mac9=
lan_stp=1
wl0_wme_ap_vi=7 15 1 6016 3008 off off
wl_mode=ap
pppoe_acname=
wan_dns1=
wla_prime_periodin=120
wlan_acl_mac10=
wlan_acl_mac11=
wl0_closed=0
wl0_plcphdr=long
wl0_rate=0
wl_wpa_gtk_rekey=0
wla_temp_setting=0
wlan_acl_mac12=
xtalfreq=25000
wl0gpio0=11
wl0_macmode=disabled
wsc_modelname=NETGEAR
wlan_acl_mac13=
wl0gpio1=11
wl0_radioids=BCM2062
wl0_wme_ap_vo=3 7 1 3264 1504 off off
wlan_acl_mac14=
wl0gpio2=11
wl0_phytype=l
wla_abolt=0
wlan_acl_mac15=
wl0gpio3=11
wl0_lazywds=0
fw_email_email_alert=0
wla_wirelessmode=11g
wlan_acl_mac16=
wl0gpio5=0x82
wlan_acl_mac17=
wlan_acl_mac18=
boardflags2=0
wlan_acl_mac19=
wl0_afterburner=off
nat_inbound_filtering=1
fwpt_count=0
wl_wds_timeout=1
lan_hwaddr=00:24:B2:05:82:1C
wl0_antdiv=-1
fw_spi_enab=1
wsc_mode=enabled
wan_dns=0.0.0.0
wla_preamble=long
board_id=U12H094T00_NETGEAR
pptp_dod=1
wl_dtim=3
wl_ssid=<REDACTED>
wl0_wpa_psk=<REDACTED>
schedule_config=127:0:0:23:59
bpa_idletime=5
wait_time=3
potMaxValue=4320
bpa_server_temp=
wla_wme=1
dhcp_mode=manual
dhcp_wins=
wsc_mfstring=NETGEAR
wla_prime_periodout=70
os_server=
wan_bpa_minheartbeat=2
wla_mode=g and b
ver_check_config_file=fileinfo.txt
bs_keyword=
wsc_device_name=WGR614v9 (Wireless AP)
wl_key1=
wan_proto=dhcp
wl_key2=
wla_defaKey=0
wl_key3=
wla_temp_defaKey=0
wl0_unit=0
tftp_serv_ipaddr=192.168.1.2
all_service_tbl=
wl_key4=
wl_country_code=US
dhcp_serv_ip=0.0.0.0
wl_wsc_reg=enabled
wl_hwaddr=00:24:B2:05:82:1C
wl0_net_reauth=36000
rssismc2g=2
wl_vlan_prio_mode=off
wlan_acl_mac20=
wlan_acl_mac21=
wl0_nmode=0
wlan_acl_mac22=
pa0itssit=62
wlan_acl_mac23=
wlan_acl_mac24=
wl0_wsc_mode=enabled
bpa_dod=1
wlan_acl_mac25=
wla_wds_pmp_sta=1
rxpo2g=0xfff8
wsc_config_state=0
wl_nmode=0
wlan_acl_mac26=
rssisav2g=2
fw_bks_block_type=0
wlan_acl_mac27=
bpa_username=
wlan_acl_mac28=
wla_ssid=<REDACTED>
wlan_acl_mac29=
upnp_portmap_entry=0
wl0_wds=
wl_rate=0
wsc_sta_pin=0
log_level=0
ntp_server=192.5.41.40 192.5.41.41 133.100.9.2
wl0_reg_mode=off
wan_hwaddr=00:24:B2:05:82:1D
lan_ifnames=vlan0 eth1
pppoe_ifname=ppp0
wla_key1=
wl0_auth=0
wl0_wme=on
wl0_radius_port=1812
wla_key2=
wl0_wsc_reg=enabled
wla_key3=
wl0_radius_ipaddr=
wla_key4=
wl_country=US
wlan_acl_num=32
ure_disable=1
wl0_wme_sta_vi=7 15 2 6016 3008 off off
pa0maxpwr=82
ver_check_ftp_svr1=updates1.netgear.com
ver_check_ftp_svr2=updates1.netgear.com
ver_check_ftp_svr3=updates1.netgear.com
wla_cfgfile1=
wla_cfgfile2=
wan_ifnames=eth0
http_timeout=5
wl_crypto=tkip+aes
wl_rateset=default
wla_cfgfile3=
wl0_wme_sta_vo=3 7 2 3264 1504 off off
wla_cfgfile4=
wla_channel=10
wla_temp_channel=0
wlan_acl_mac30=
pppoe_max_echo_fail=3
pptp_user_ip=
wlan_acl_mac31=
wl_radius_key=
dhcp_resrv_mac=
lan_proto=static
os_name=linux
clkfreq=240
lan_ipaddr=10.4.1.250
vlan1hwname=et0
aa0=3
wl0_maxassoc=128
wl_unit=0
wla_superg=0
ddns_last_ip=0.0.0.0
wl0_phytypes=l
wan_bpa_maxheartbeat=20
router_disable=0
wl0_wep=disabled
wl0_frag=2346
ddns_username=
wla_rts=2347
ddns_passwd=
http_rmport=8080
pppoe_passwd=
ver_check_ftp_username=anonymous
wl0_nbw=20
sdram_config=0x0032
psq_pkts=128
logo_enable=1
wl0_country=US
dmz_ipaddr=
vlan1ports=0 5u
wl_wds=
bpa_status=0
scratch=a0180000
dhcp_resrv_ip=
ccode=0
pppoe_servicename=
wl0_rateset=default
wl0_wme_apsd=on
wiz_pppoe_wait_time=5
wl_wme=on
pppoe_idletime=300
rip_enable=0
system_name=WGR614V9
wl_wme_ap_vi=7 15 1 6016 3008 off off
wan_primary=0
lan_ifname=br0
rssismf2g=0
fw_rsp_ping=0
boardflags=0x750
sdram_refresh=0x0
wandevs=et0
ddns_checked=0
wla_wep_length=0
dhcp_domain=
fwpt_enable=1
wl_auth=0
wan_dns_sel=0
sdram_ncdl=0x20424
wl_wme_ap_vo=3 7 1 3264 1504 off off
fw_sip_enab=1
wl_frameburst=off
pppoe_session_id=0
ezc_enable=1
is_modified=0
pppoe_echo_interval=30
fwpt_df_count=0
upnp_duration=3600
wla_wlanstate=Enable
wan_ipaddr=0.0.0.0
fw_email_email_addr=
wl0_rts=2347
blk_srv_tbl=
wl_ifname=
wan_wins=
ipv6_enable=0
wl_wep=
wl_nbw_cap=0
potInterval=60
pppoe_username=guest
os_version=4.131.28.0
wl_nbw=20
wl_gmode_protection=auto
wl0_wpa_gtk_rekey=0
wla_wds_pmp_mac=
upnp_advert_ttl=4
wl0_sta_retry_time=5
pf_services_tbl=
fw_dmz_enab=0
wsc_uuid=0x000102030405060708090A0B0C0D0EBB
wl_frag=2346
wan_mtu=1500
wan_bpa_localport=5050
wl0_key=1
run_wiz=0
friendly_name=WGR614v9
wl_maclist=
filter_macmode=deny
wla_passphrase=<REDACTED>
pppoe_server_mac=
console_loglevel=1
et0phyaddr=30
rip_version=2
bpa_server=login-server
time_zone=-8
wsc_modelnum=123456
wla_wds_ptp_sta=1
upnp_turn_on=1
wan_ifname=eth0
wsc_option=1
wl_wme_sta_be=15 1023 3 0 0 off off
inbound_policy_tbl=
wl_radioids=
wan_hostname=
landevs=vlan0 wl0
wl0_dfs_postism=60
wl_nmcsidx=-1
wl_corerev=
wl0_radio=1
wl0_nbw_cap=0
wsc_timeout_enable=0
wl_channel=0
pppoe_dod=1
wl_wme_sta_bk=15 1023 7 0 0 off off
wl0_bcn=100
fw_email_email_smtp=
fw_email_pid=-1
wl_afterburner=off
wl_radio=1
wl0_hwaddr=00:24:B2:05:82:1C
wsc_addER=0
port_tr_conf=
ezc_version=2
wlan_acl_dev10=
pa0b0=0x164B
wl0_gmode_protection=auto
wlan_acl_dev11=
pa0b1=0xFA66
wl0_maclist=
wla_frag=2346
wlan_acl_dev12=
pa0b2=0xFE86
fw_dmz_ip4=2
wl_rts=2347
wlan_acl_dev13=
sdram_init=0x0002
wlan_acl_dev14=
wl_ap_isolate=0
wlan_acl_dev15=
wan_desc=
lan_wins=
vlan0hwname=et0
lanip_setup_changed=0
fwpt_timeout=1200
wlan_acl_dev16=
lan_hwnames=
dl_ram_addr=a0001000
rip_filter_enable=0
wlan_acl_dev17=
allow_registrar_config=1
bpa_debug_level=1
wl_wme_no_ack=off
wlan_acl_dev18=
wlan_acl_dev19=
wl0_radius_key=
tri2g=78
wl0_wme_ap_be=15 63 3 0 0 off off
wla_prime_periodhold=6
wl0_corerev=13
wl0_nmcsidx=-1
pptp_gateway=
wl_key=1
pppoe_mru=1492
wl0_channel=0
wl0_wds_timeout=1
wla_wds_mode=1
upnp_enable=1
wl0_wme_ap_bk=15 1023 7 0 0 off off
rip_dir=
wl_wsc_mode=enabled
wla_friendly=0
bs_keywords_temp=
blank_state=0
wl_dfs_preism=60
wla_temp_mode=g and b
wl_sta_retry_time=5
wl_closed=0
wl0_auth_mode=none
autofw_port0=
lanip_wds_setup_changed=0
wlan_acl_enable=0
boardnum=83258
wl0_crypto=tkip+aes
lanip_changed=0
http_rmendip=255.255.255.255
wl_bcn=100
wl_reg_mode=off
super_username=Gearguy
wlan_acl_dev20=
ddns_update_time=0
wlan_acl_dev21=
pppoe_localip=0.0.0.0
wlan_acl_dev22=
wl_antdiv=-1
wla_temp_secu_type=WPA-AUTO-PSK
wlan_acl_dev23=

--canderson


CategoryAccessPointHardware

NetgearWGR614 (last edited 2012-08-09 04:34:03 by 195)