1. Change the IP address of your computer to 192.168.1.10.
2. Flash the stock firmware version 1.0.0.58:
→ Here's where you can get it: http://kb.netgear.com/app/answers/detail/a_id/26592/~/wnr2000v4-firmware-version-1.0.0.58
3. Start running a TFTP Server on your local machine.
4. Download and use a pre-made u-boot-env image
Warning: There is a slight chance to brick your router by using this pre-made u-boot-env image. It is 100% your own decision to try this method at your own risk. However, it worked for me.
Download this u-boot-env into your TFTP downloads directory: https://drive.google.com/file/d/0B7VI0K9knyDiNnJNUE1VU21wNnc/view
Alternatively, you can create your own u-boot-env image. A tutorial can be found here: https://forum.openwrt.org/viewtopic.php?pid=273444#p273444
5. Download the current OpenWrt image (15.05.1 - Chaos Calmer):
wget http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/openwrt-15.05.1-ar71xx-generic-wnr2000v4-squashfs-sysupgrade.bin
Download this file into your TFTP downloads directory and, for convenience, rename it to sysfsupgrade.bin (the name the commands below use).
6. Create and use the UDPtelnetenable.py script
On Linux, telnet access to the stock firmware is enabled with a small Python script (telnetenable). You need a modified version of it that sends the enable payload over UDP: UDPtelnetenable.py. The script is written in Python 2 and requires the Python Cryptography Toolkit (pycrypto).
This is the source code of UDPtelnetenable.py:
# Copyright (c) 2009 Paul Gebheim
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.

import sys
import socket
import array
from optparse import OptionParser
from Crypto.Cipher import Blowfish
from Crypto.Hash import MD5

TELNET_PORT = 23

# The version of Blowfish supplied for the telnetenable.c implementation
# assumes Big-Endian data, but the code does nothing to convert the
# little-endian stuff it's getting on intel to Big-Endian
#
# So, since Crypto.Cipher.Blowfish seems to assume native endianness, we need
# to byteswap our buffer before and after encrypting it
#
# This helper does the byteswapping on the string buffer
def ByteSwap(data):
    a = array.array('i')
    if(a.itemsize < 4):
        a = array.array('L')
    if(a.itemsize != 4):
        print "Need a type that is 4 bytes on your platform so we can fix the data!"
        exit(1)
    a.fromstring(data)
    a.byteswap()
    return a.tostring()

def GeneratePayload(mac, username, password=""):
    # eventually reformat mac
    mac = mac.replace(":", "").upper()

    # Pad the input correctly
    assert(len(mac) < 0x10)
    just_mac = mac.ljust(0x10, "\x00")

    assert(len(username) <= 0x10)
    just_username = username.ljust(0x10, "\x00")

    assert(len(password) <= 0x10)
    just_password = password.ljust(0x10, "\x00")

    # 0x70 bytes of cleartext, prefixed by its MD5, padded to 0x80 bytes
    cleartext = (just_mac + just_username + just_password).ljust(0x70, '\x00')
    md5_key = MD5.new(cleartext).digest()

    payload = ByteSwap((md5_key + cleartext).ljust(0x80, "\x00"))

    # Blowfish in ECB mode (mode 1), keyed with the fixed prefix plus the password
    secret_key = "AMBIT_TELNET_ENABLE+" + password
    return ByteSwap(Blowfish.new(secret_key, 1).encrypt(payload))

def SendPayload(ip, payload):
    # SOCK_DGRAM: this variant sends the payload over UDP instead of TCP
    s = None
    for res in socket.getaddrinfo(ip, TELNET_PORT, socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_IP):
        af, socktype, proto, canonname, sa = res
        try:
            s = socket.socket(af, socktype, proto)
        except socket.error, msg:
            s = None
            continue
        try:
            s.connect(sa)
        except socket.error, msg:
            s.close()
            s = None
            continue
        break

    if s is None:
        print "Could not connect to '%s:%d'" % (ip, TELNET_PORT)
    else:
        s.send(payload)
        s.close()
        print "Sent telnet enable payload to '%s:%d'" % (ip, TELNET_PORT)

def main():
    args = sys.argv[1:]
    if len(args) < 3 or len(args) > 4:
        print "usage: python UDPtelnetenable.py <ip> <mac> <username> [<password>]"
        sys.exit(1)  # the original fell through here and crashed on args[0]

    ip = args[0]
    mac = args[1]
    username = args[2]

    password = ""
    if len(args) == 4:
        password = args[3]

    payload = GeneratePayload(mac, username, password)
    SendPayload(ip, payload)

main()
Now run UDPtelnetenable.py with the following command, where the MAC address is the router's (shown for 192.168.1.1 by `arp -a`, run as root) and the last argument is the router's admin password:
python UDPtelnetenable.py 192.168.1.1 <MAC address from arp -a> admin <password>
7. Connect to your router through Telnet
telnet 192.168.1.1
8. Flash the u-boot-env through TFTP
Now, from the WNR2000v4 root shell, assuming the TFTP server is at 192.168.1.10:69:
cd /tmp
tftp -g -r uboot_env_bootcmd_nocrc.backup 192.168.1.10 69
mtd -f write uboot_env_bootcmd_nocrc.backup u-boot-env
9. Upload the new sysupgrade bin file and reboot
To do so, we use the following commands:
tftp -g -r sysfsupgrade.bin 192.168.1.10 69
mtd -f -r write sysfsupgrade.bin firmware
If everything worked, the router will reboot by itself with the new firmware.
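Before the mtd write commands in steps 8 and 9, it is worth checking that each image actually fits the partition it targets and that a self-built u-boot-env image carries a valid CRC header, since a wrong image in either partition is what bricks the router. The following Python 3 script is an added example, not code from this page or from the OpenWrt project: it parses the /proc/mtd listing shown further down this page (copied in as sample input) and performs both checks. It assumes the standard non-redundant U-Boot environment layout (a 4-byte little-endian CRC32 over the rest of the block) with the environment spanning the whole 64 KiB partition; the environment variables in the demo are constructed placeholders, not the board's real bootcmd.

```python
import re
import zlib

# Sample input: the /proc/mtd listing printed by the stock firmware, copied from
# the "cat /proc/mtd shows" section of this page.
PROC_MTD_SAMPLE = """dev:    size   erasesize  name
mtd0: 00030000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 000d0000 00010000 "kernel"
mtd3: 00290000 00010000 "rootfs"
mtd4: 00060000 00010000 "rootfs_data"
mtd5: 00020000 00010000 "language"
mtd6: 00010000 00010000 "pot"
mtd7: 00010000 00010000 "traffic_meter"
mtd8: 00010000 00010000 "config"
mtd9: 00010000 00010000 "art"
mtd10: 00360000 00010000 "firmware"
"""

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]+)"$')


def parse_proc_mtd(text):
    """Return {partition name: (device, size, erasesize)} from a /proc/mtd listing."""
    parts = {}
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:
            dev, size, erase, name = m.groups()
            parts[name] = (dev, int(size, 16), int(erase, 16))
    return parts


def uboot_env_crc_ok(env):
    """Validate the standard non-redundant U-Boot environment layout (assumption):
    a 4-byte little-endian CRC32 followed by the NUL-separated variables."""
    if len(env) < 5:
        return False
    stored = int.from_bytes(env[:4], "little")
    return stored == (zlib.crc32(env[4:]) & 0xFFFFFFFF)


def make_uboot_env(variables, size):
    """Build an environment block of exactly `size` bytes with a correct CRC header.
    Assumes the environment spans the whole u-boot-env partition."""
    body = b"".join(v.encode() + b"\x00" for v in variables) + b"\x00"
    if len(body) > size - 4:
        raise ValueError("environment does not fit in %d bytes" % size)
    body = body.ljust(size - 4, b"\x00")
    return (zlib.crc32(body) & 0xFFFFFFFF).to_bytes(4, "little") + body


def verify_flash_plan(proc_mtd_text, plan):
    """plan maps partition name -> image bytes that `mtd write` would put there.
    Returns a list of problems; an empty list means the plan passed the checks."""
    parts = parse_proc_mtd(proc_mtd_text)
    problems = []
    for name, image in plan.items():
        if name not in parts:
            problems.append("%s: no such partition in /proc/mtd" % name)
            continue
        dev, size, erase = parts[name]
        if len(image) > size:
            problems.append("%s (%s): image is %d bytes, partition only %d"
                            % (name, dev, len(image), size))
        if name == "u-boot-env" and not uboot_env_crc_ok(image):
            problems.append("u-boot-env: CRC32 header does not match contents")
    return problems


if __name__ == "__main__":
    # Constructed example variables; the real bootcmd for this board is the one
    # in the env image referenced in step 4, not this placeholder.
    env = make_uboot_env(["bootdelay=1", "bootcmd=<your bootcmd here>"], 0x10000)
    print(verify_flash_plan(PROC_MTD_SAMPLE, {"u-boot-env": env}))               # []
    print(verify_flash_plan(PROC_MTD_SAMPLE, {"firmware": b"\xff" * 0x400000}))  # too large
```

On the router itself you would feed `cat /proc/mtd` output and the downloaded files into verify_flash_plan; the u-boot-env partition is only 0x10000 bytes and the firmware partition 0x360000 bytes, so a sysupgrade image larger than that must never reach `mtd write`.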
The original U-Boot bootloader runs a CRC check on the flash before it executes the bootcmd command. This prevents OpenWrt from being run from flash. As long as you do not replace the OEM bootloader, you can only create an OpenWrt ramdisk image and load it via tftp. This requires access to the serial console which you can get by doing the following:
Configure the NIC of a PC with a TFTP server at 192.168.1.12.
Copy openwrt-ar71xx-uImage-initramfs-lzma.bin into the directory of the TFTP server (e.g. /tftpboot).
On the WNR2000v4 serial console:
Press any key when "Hit any key to stop autoboot" appears.
tftpboot 0x81000000 openwrt-ar71xx-uImage-initramfs-lzma.bin - This should print a couple of # signs
setenv bootargs board=WNR2000v4
bootm - This boots the kernel
If you should happen to need source code for any of your current stock firmware versions you can get those from one of the following:
Main link to all Netgear GPL files (all devices): Netgear KB Article 2649 - Netgear Open Source Code for Programmers - GPL
For 1.0.0.30
http://www.downloads.netgear.com/files/GPL/WNR2000v4-V1.0.0.30_gpl_src.zip
For 1.0.0.40
http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.40_gpl_src.zip
For 1.0.0.50
http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.50_GPL.zip
For 1.0.0.58
http://www.downloads.netgear.com/files/GPL/WNR2000v4-V1.0.0.58_GPL.zip
For 1.0.0.60
http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.60_gpl_src.zip
For 1.0.0.70
http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.70_gpl_src.zip
cat /proc/cpuinfo shows
system type : Atheros AR934x
processor : 0
cpu model : MIPS 74Kc V4.12
BogoMIPS : 267.26
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0013, 0x0830]
ASEs implemented : mips16 dsp
shadow register sets : 1
core : 0
VCED exceptions : not available
VCEI exceptions : not available
cat /proc/athversion shows:
9.2.0_U10.1020
cat /proc/buddyinfo shows:
Node 0, zone Normal 8 21 9 8 4 2 2 2 1 1 1
cat /proc/devices shows:
Character devices:
1 mem
4 ttyS
5 /dev/tty
5 /dev/console
5 /dev/ptmx
10 misc
77 ATH_GPIOC
90 mtd
108 ppp
128 ptm
136 pts
240 atherosgpio

Block devices:
259 blkext
31 mtdblock
cat /proc/mtd shows:
dev: size erasesize name
mtd0: 00030000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 000d0000 00010000 "kernel"
mtd3: 00290000 00010000 "rootfs"
mtd4: 00060000 00010000 "rootfs_data"
mtd5: 00020000 00010000 "language"
mtd6: 00010000 00010000 "pot"
mtd7: 00010000 00010000 "traffic_meter"
mtd8: 00010000 00010000 "config"
mtd9: 00010000 00010000 "art"
mtd10: 00360000 00010000 "firmware"
cat /proc/partitions shows:
major minor #blocks name
31 0 192 mtdblock0
31 1 64 mtdblock1
31 2 832 mtdblock2
31 3 2624 mtdblock3
31 4 384 mtdblock4
31 5 128 mtdblock5
31 6 64 mtdblock6
31 7 64 mtdblock7
31 8 64 mtdblock8
31 9 64 mtdblock9
31 10 3456 mtdblock10
cat /proc/mounts shows:
rootfs / rootfs rw 0 0
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev tmpfs rw,relatime,size=512k 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
root /tmp/root tmpfs rw,relatime 0 0
/dev/root /mnt squashfs ro,relatime 0 0
root /mnt tmpfs rw,relatime 0 0