wireless hack :: known to run linux
:: mission: create your own bootable firmware image
wg602 pcb


the following description only applies to the netgear wg602-v2 wireless access point and is not compatible with any other version. like every hack, be careful not to toast your equipment; i take no liability for whatever happens to your hardware.

things needed:

original firmware:

the original firmware consists of a 1024-byte boot block (xBOOT), followed by the MVC image (xMVC), which is a kind of hardware abstraction layer for the running linux image, and finally the system image (xSYS), which holds the kernel and a rootfs. the whole firmware image has a CRC that is stored in the 1024-byte boot block. it seems that this CRC is only checked while flashing the image; the ap will try to boot anything you give it. currently i have not extracted the CRC, as it is good enough for me to boot it via tftp.

booting:

how do you apply your own firmware image without flashing it? make your ap powerless and hold down the little reset button on the backside. then plug in power and release the button after about 2 seconds. voila, the ap will start to do a bootp/tftp boot.

root filesystem:

the root fs is of type romfs. you need the genromfs tool to create your own image. the stock firmware uses a loopback mounted flash filesystem for its webpages; i guess that's meant to make updating the html content on the ap easier.

serial interface:

To ease development (especially before telnetd access was possible ;) i created a serial interface which allowed me to see if the thing boots/fails ... it's a simple 3,3V to 12V MAX232 interface, port settings are 8,N,1 115kBaud. Sorry for the simple image, it's a top view on the pcb of the AP with the 4 port connector on the right side and the RF antenna jack on top. You can use the +/- pins from the pcb to power the circuit (not drawn).



binaries:

mostly an old version of busybox and some custom binaries for ap configuration (a strange snmp-to-cfg-file interface). i've done a very simple telnetd and inetd which are included in my firmware image so you can telnet into the ap.

compile your own firmware image

1. fix the netgear sources to get a working 'make' process
2. extract the xBOOT and xMVC out of the original firmware image for later reassembly
3. modify the root filesystem of the ap and regenerate the romfs
4. plug it all together
5. boot it ;-)
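steps 2 and 4 as a small added python script (this is not from the original page or the netgear sources): it splits an image into xBOOT, xMVC and xSYS and rebuilds it around a replacement xSYS. it assumes the section names 'xMVC' and 'xSYS' appear as ascii markers at the start of their sections, which the page does not state, and it leaves the CRC in the boot block untouched, so the result is only good for a tftp boot, not for flashing.

```python
# Added example, not code from the original page or from the netgear sources.
# Assumptions not stated on the page: the section names "xMVC" and "xSYS"
# appear verbatim as ASCII markers at the start of their sections. The boot
# block is 1024 bytes as the page describes. The CRC inside the boot block is
# left untouched, so the rebuilt image is only usable via tftp boot.

BOOT_LEN = 1024          # xBOOT size, as given on the page
MVC_MAGIC = b"xMVC"      # assumed marker
SYS_MAGIC = b"xSYS"      # assumed marker


def split_firmware(image: bytes) -> dict:
    """Return the xBOOT, xMVC and xSYS parts of a firmware image."""
    if len(image) <= BOOT_LEN:
        raise ValueError("image shorter than the 1024-byte boot block")
    sys_off = image.find(SYS_MAGIC, BOOT_LEN)
    if sys_off < 0:
        raise ValueError("xSYS marker not found after the boot block")
    mvc = image[BOOT_LEN:sys_off]
    if MVC_MAGIC not in mvc:
        raise ValueError("no xMVC section between boot block and xSYS")
    return {"xBOOT": image[:BOOT_LEN], "xMVC": mvc, "xSYS": image[sys_off:]}


def reassemble(parts: dict, new_sys: bytes) -> bytes:
    """Put xBOOT + original xMVC + replacement xSYS back together."""
    if not new_sys.startswith(SYS_MAGIC):
        raise ValueError("replacement system image lacks the xSYS marker")
    return parts["xBOOT"] + parts["xMVC"] + new_sys


# Constructed sample image (not a real WG602 dump): a 1024-byte boot block
# padded with 0xff, a small xMVC section and a small xSYS section.
SAMPLE_IMAGE = (b"xBOOT" + b"\xff" * (BOOT_LEN - 5)
                + b"xMVC" + b"mvc-payload-" * 4
                + b"xSYS" + b"kernel+romfs-" * 8)


def demo() -> bytes:
    """Swap a constructed replacement xSYS into the sample image."""
    parts = split_firmware(SAMPLE_IMAGE)
    new_sys = b"xSYS" + b"my-kernel+my-romfs-" * 8   # constructed replacement
    return reassemble(parts, new_sys)


if __name__ == "__main__":
    rebuilt = demo()
    print(f"rebuilt image: {len(rebuilt)} bytes")
```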

scripts & telnet enabled firmware

on the example firmware image there are 2 users defined: nobody with a blank password and root with 'sable' as password. please note that you cannot flash this firmware image, as the CRC is not correct.