The original WRT54G was first released as a SOHO router in December 2002. The product line supports WiFi and five switched Ethernet ports. (The WAN port is part of the same internal network switch, but on a different VLAN.) The devices have two removable antennas connected through Reverse Polarity TNC connectors. For additional background information, see Linksys WRT54G series.
The different models within the WRT54G series may all look identical. Please refer to the model information sticker on the underside of the unit in order to determine the precise model number and hardware version of your device.
in order to get the correct wireless configuration created.
For versions of the OpenWrt “brcm47xx” target prior to “Attitude Adjustment” 12.09-final, you may wish to use Broadcom's proprietary wl driver due to longstanding issues with the b43 driver in Linux kernel versions 2.6 and newer (https://dev.openwrt.org/ticket/7552). After installing the brcm47xx image, you will need to execute the following commands while logged into the router over TELNET or SSH:
opkg install kmod-brcm-wl wlc nas
After rebooting the router, configure wireless as usual, only using the Broadcom driver instead of the b43 driver.
Notes on specific WRT54G hardware versions
* The Linksys WRT54G 1.1 hardware (4 MB of flash) has trouble with OpenWrt 10.03.1-rc6 and maybe all 10.03 releases as of 2011-12-08. In a test with OpenWrt 10.03.1-rc6, the OS will install but LuCI will be unable to update settings because there isn't enough flash left free.
Testing with the WRT54GL 1.1 (16MB RAM, 4MB flash) showed it can run the following versions:
works (somewhat unstable)
works (somewhat unstable)
very low free ram & jffs
see note below
unviable, not enough RAM to run wifi
* 10.03.1 brcm-2.4 had frequent WiFi drops when in client mode w/ psk2 (did not drop when connecting to same AP w/ encryption disabled). Setting encryption to WPA-PSK/WPA2-PSK Mixed Mode succeeds, but afterwards the LuCI web interface drop down shows WPA-PSK. If support for mixed WPA/WPA2 PSK (CCMP) (without TKIP) is required, one way to achieve it is to edit /lib/wifi/broadcom.sh:
* 12.04 almost certainly needs to rebuilt with unnecessary packages (e.g. LuCI) and daemons (uhttpd) removed to make enough free ram & jffs to obtain long uptimes.. — tc424 2013/08/26 17:28
* 12.09 “Only have 688kb available on filesystem /overlay, pkg kmod-brcm-wl needs 695” Impossible to install proprietary wl driver into 12.09 — jikuja 2013/11/18 12:29
* 14.07 had slow LuCI web interface, after enabling Wifi, the entire router became inaccessible. A custom cut-down image worked slightly better, but would not let WAN and Wifi work at the same time due to low system RAM. Ref: Forum Thread
As the WRT54GL has only 4Mb flash, any image sent to the device must be 3866624 bytes or smaller.
According to the Linksys WRT54G series, the WRT54G-TM is nothing but a renamed WRT54GS v3.0. Because these models have additional RAM and FLASH they do not suffer from the constraints of the WRT54G and WRT54GL series and can run all versions of OpenWRT as of 11/1/2014. *Tested WRT54GS v3.0 can run bcm47xx-legacy version of OpenWRT 15.05.1 as of Aug 11, 2016.
Switch port numbers 1-4 are LAN Ports 1-4 as labeled on the unit, number 0 is the Internet (WAN) port, and number 5 is the internal connection to the router's CPU (labeled “CPU” in LuCI). Use these switch port numbers when specifying a VLAN's ports via the UCI (i.e., in the ports option of a VLAN's config switch_vlan section, in /etc/config/network).
Switch port numbers 0-3 are LAN Ports 4-1 as labeled on the unit, number 4 is the Internet (WAN) port, and number 5 is the internal connection to the router's CPU (labeled “CPU” in LuCI). Use these switch port numbers when specifying a VLAN's ports via the UCI (i.e., in the ports option of a VLAN's config switch_vlan section, in /etc/config/network). Don't Be Fooled: LAN Port 1 on the unit is switch port 3 when configuring VLANs on the switch.
If you forget your password, have broken one of the startup scripts, firewalled yourself out, or corrupted the JFFS2 partition, you can get back in by using OpenWrt's failsafe mode:
* Unplug the power cord, press and hold the reset button, put in the power cord, when DMZ-LED lits up release the reset button. When done right, both Power-LED and DMZ-LED will start blinking. Now you can ping and telnet into 192.168.1.1
The Linksys WRT54G has two buttons. They are Reset and Secure Easy Setup. The buttons can be used with hotplug events. Please see the WiFi toggle Wiki page.
Secure Easy Setup
Opening the case
To remove the front cover you simply pop the front of the case off after removing the antennas. Please note that this will void the warranty.
Usually there are two screws holding the PCB to the bottom cover, but on some newer versions (e.g. v2.2) there's only a single screw.
The WRT54G/S/L has a 10 pin connection slot on the board called JP1 (JP2 on some v1.1 boards). This slot provides two TTL serial ports at 3.3V. Neither of the ports use hardware flow control, you need to use software flow control instead. Other routers may have similar connections. These two TTL serial ports on the WRT54GL router can be used as standard Serial Ports similar to the serial ports you may have on your PC. In order to do this though you need a line driver chip that can raise the signal levels to RS-232 levels. You can not directly connect a serial port header to the board and expect it to work. That method will only work with devices that can connect to TTL serial ports at 3.3V. Connecting two which have 3.3V directly will work (TX - RX, RX - TX, GND - GND). Standard RS-232 devices cannot be directly connected which accounts for nearly all serial PC devices.
Once the modification is made you can have at most two serial ports to use for connecting devices etc. By default, OpenWrt uses the first serial port to access the built-in serial console on the router. You can connect to it at 115200,8,N,1 using a terminal program like Putty, SecureCRT or minicom for example. This is helpful because if you have problems communicating with your router this method will allow you easy access connecting over a serial console. By default this leaves you with one serial port left, however, there is a method to turn the console off giving you access to both ports if you really need them. It isn't recommended but it can be done.
The JTAG port is a unpopulated 12-pin header and is located next to the serial port header. A simple unbuffered should work fine.
The GPIO (General Purpose Input/Output) lines can be used to add a SD card in SPI mode. Please see the GPIO page in the oldwiki.
To add an SD card with backfire and kernel 2.6, You need to mask GPIO's from b43 module. To achieve it, edit:
… putting masking just after b43, so content of above file looks like:
What's presented above, is a failsafe examaple, that masks *all* GPIO diodes from b43. in reality, You're using only 4 GPIO's, so after ensuring that card work properly, You may tweak gpiomask to mask *only* used GPIO's. For example, value '0x1' disables all diodes except WiFi and power (+ 4 port switch, wchich isn't connected to GPIO at all). After doing that, reboot, and install following packages (install one by one, as for reasons unknown, device does like to crash when provided with many packages to install at once):
…setting 'enable' to “1”, and providing GPIO numbers for SD's clock, data-in, data-out and select-chip. Actually, You may use other GPIO's, presented here are just example. This setup, render amber/white SES and DMZ diodes unusable, with the latter, hoever, working properly during boot. You could as good “sacrifice” connection to WiFi and power diodes, in any combination - it's up to You.
Then, just run:
, and You should see message like one presented below:
gpio-mmc: MMC-Card "default" attached to GPIO pins di=2, do=4, clk=3, cs=7
mmc_spi spi32766.0: can't change chip-select polarity
mmc0: host does not support reading read-only switch. assuming write-enable.
mmc0: new SD card on SPI
mmcblk0: mmc0:0000 00000 1.88 GiB
You can mount it with
mount /dev/mmcblk0p1 /mnt/
…or, mount it anywhere else, add it to be automatically enabled at startup, do some extroot, etc… There are, literally, gigabytes of possibilities :)
Adding USB ports.
Yes it is possible to add USB ports on WRT54 GSv3/GL, only downside are that it is only USB v 1.1.
So how then?
You will need this.
4x 15 kohm resistors
4x 22 ohm resistors
2x female usb connectors
You should also be confident with a soldering iron and basic knowledge with a multimeter will always help.
This circuit also needs 5 volt output which is standard for USB, 5 Volt Regulator. It's recommended to add heatsink to 7805 chip.
12 volt source:
USB source soldered:
RH21 = USB1 Data +
RH23 = USB1 Data -
RH25 = USB2 Data +
RH26 = USB2 Data -
When the circuits are done and everything is soldered onto the pcb of the router, it's time to install the software.
(Disclaimer: this has only been tested on WRT54G v1.1 and a WRT54GL v2, it should be the same for other models but I can't be certain. If in doubt check voltages with a multimeter.)
If you've lost your power brick or want to power the WRT54G from an alternate source its possible to solder power cables directly to the power jack connectors. The WRT54G seems to run on anything from 5 to 12 (maybe more) volts. At 5 volts it needs about 800 milliamps, I had thought it might be possible to run it off USB but USB only (officially) supplies 500 milliamps. However, some USB ports will supply 800 milliamps and a lot of USB mains adaptors (e.g. the one for the Amazon Kindle or iPhone) supply 1 amp.
To connect up an alternative power supply, open up the case and locate the small black connector where the power input goes.
You can (as shown in the picture above) desolder the power connector (this took quite a lot of effort and I broke the connector in the process). If you want to keep it just solder to the underside of the board instead, you might need to file away a bit of plastic from the outer casing to make room for the wires.
There are 3 legs to the power connector, each just under 1cm long. The one closest towards the front of the router (the LED side) and running across the router is the positive (red wire in the picture). The one in the middle, running from back to front is the ground (black wire in the picture). Just solder a wire to each of these and connect to your power supply of choice.
If you want to run the WRT54G from USB, cut up a USB cable and solder the black wire to negative and the red wire to the positive. Or you can run it from a PC power supply by getting a male 4 pin molex hard disk power connector (as found on some PC fans or molex splitter/extension cables). Connect the yellow wire (12 volts) to the positive side and one (or both) of the black wires to the ground. Now connect this to a spare hard disk power connector on a PC power supply and your WRT54G will power up.
You can also use a 12 volt lead acid battery (e.g. a car battery) to run the WRT54G. These can peak at around 14 volts when fully charged, but this doesn't seem to cause any problems for the router.
Using the Linksys web GUI
It is possible to install OpenWrt on to your router via the supplied Linksys web GUI. If you are installing OpenWrt for the first time, the easiest way is to use the Linksys web GUI.
Download the openwrt-wrt54g-squashfs.bin firmware image from the brcm-2.4 folder to your PC.
Actually the safest version to use would be 8.09. Hmmm, it looks like 10.03.1 is safe but you must use the brcm-2.4 variant like in the link above. I am not risking bricking my router for the initial flash, so I am going with 8.09. Just tested flashing 10.03.1 (brcm-2.4) directly from the Linksys stock firmware, it worked perfectly (Xiloynaha, 2017-09-28).
Wait for the router to reboot and login! In case you somehow found out that you can't telnet, then ssh should be possible since your previous settings before flashing remained (unless you used sysupgrade -n)
Using the TFTP method
Right after flashing at your first login to OpenWrt set the following NVRAM parameters to enable tftpd at bootup:
nvram set boot_wait=on
nvram set boot_time=10
nvram set wait_time=10
nvram commit && reboot
NOTE: Do not touch any other NVRAM parameters. NVRAM is only used as environment for the bootloader. OpenWrt ignores NVRAM parameters.
NOTE: On WRT54GL (at least), you should probably use 'wait_time' instead of 'boot_time'. bg300: Added.
NOTE: On WRT54GS v1.1 too you have to use 'wait_time' instead of 'boot_time', anyway if in doubt add both parameters.
Once you have set the NVRAM parameters above it is possible to use a TFTP client to flash OpenWrt. The TFTP method is also the recommended way to restore the original Linksys firmware or switch to other third-party firmwares.
First download a firmware image file ending in “.bin”, e.g. openwrt-wrt54g-squashfs.bin.
If you have already installed OpenWrt and like to reflash for e.g. upgrading to a new OpenWrt version. It is important that you put the firmware image into the ramdisk (/tmp) before you start flashing.
wget http://downloads.openwrt.org/backfire/10.03.1/brcm47xx/openwrt-brcm47xx-squashfs.trx # The file must be the trx file.
mtd write /tmp/openwrt-brcm47xx-squashfs.trx linux && reboot
wget http://downloads.openwrt.org/backfire/10.03.1/brcm47xx/openwrt-brcm47xx-squashfs.trx # The file must be the trx file.
Feel free to explore the rest of sysupgrade options by typing 'sysupgrade' in the terminal.
Select Administration in the top right corner
Choose the System > Flash Firmware tab
Click Browse and navigate to the firmware (it must be a .trx file) you wish to flash to
This page or section contains unverified information. Remove this notice if you can ensure its correctness.
Kamikaze/White Russian Recovery
After successfully running a late model version of Kamikaze. I had some stability issues decided to go with white russian, I downgraded with the web gui to the latest default version of openwrt-brcm-2.4-squashfs.trx and got bricked. These instructions are linux specific, if you are running any other OS your mileage may vary.
Enter Failsafe Mode:
I was able to get into failsafe mode consistently by hitting the reset button for 2 seconds after the DMZ led lights up.
Power on the WRT.
Wait for the DMZ light first (failing to wait for DMZ on before button press would end up completely Linksys-destroying the nvram contents, i.e. boot wait off (ouch), 192.168.1.1, SSID linksys).
Then press and hold the reset button on the back until the DMZ light blinks.
Unit is now available at 192.168.1.1. If, for any reason (like interface configuration being totally messed up), the WRT doesn't show up on that IP in failsafe mode, see section “Last Resort Recovery” below.
Get Your Kit in Order:
Get the proper code into the tmp directory of your computer, for me this was:
Update the OpenWrt Image from Failsafe:
Get the code into the tmp directory of the WRT from the failsafe telnet session and then overwrite the firmware with the new image using mtd.
scp email@example.com:/tmp/openwrt-brcm-2.4-squashfs.trx ./
mtd -r write openwrt-brcm-2.4-squashfs.trx linux
I found that the machine would not reboot itself nor would it reboot using /sbin/reboot.
I had to unplug to make it reload. Make sure the commands you have previously typed have finished completely before you pull the juice.
According to Internet sources your WRT may be fixed at this point. Mine still would not come up, it seems that I had some nvram variables mucked up, so back to failsafe again.
Backing up your nvram variables:
It is a good idea to save these just in case you need to refer to anything previously set.
nvram show | sort
I copied the output to my laptop using
cat > nvram-broke
and pasting the output of the “nvram show” command to my terminal.
make sure you got the code by doing:
Running the Clean Up Script:
The cleanup script gets your nvram variables back to a sane state and gets rid of anything not used by OpenWrt.
Throw the bones on the floor and reboot. Your WRT should be up and running.
Wireless broken by default because of wrong macaddr:
There's something wrong with mac address settings in the default /etc/config/wireless
Make sure the mac address line reads the mac you find in /sys/class/ieee80211/phy0/macaddress
Read only filesystem
If the file system stays in read only mode type
mtd unlock rootfs_data
Put this command in /etc/init.d/nvram for example, so that it is called on every start up.
The aircrack package doesn't fit on the router with the OpenWRT 10.03 Backfire image.
Using the OpenWRT 8.09.2 Kamikazeaircrack fits, but the wl package needed as well doesn't. By moving libcrypto from the aircrack dependency package libopenssl into the ramdisk (and backlinking into original directory) you can install wl as well, but airodump freezes on start and causes the router to reset.
So this guide is using Kamikaze 7.09 as latest known OpenWRT version that supports the aircrack suite on WRT54G.
Install Kamikaze 7.09
If you already have a (newer) version of OpenWRT installed, the easiest way is using sysupgrade as described in generic.sysupgrade
Be aware that 7.09 still uses the ipkg package manager, not opkg.
IPKG backports source
You need the aircrack from whiterussian backports, because there are no aircrack packages available for 7.09 (anymore?). Edit your /etc/ipkg.conf to look like this:
src release http://downloads.openwrt.org/kamikaze/7.09/brcm-2.4/packages
dest root /
dest ram /tmp
src whiterussian http://downloads.openwrt.org/backports/0.9
Install aircrack and wl
ipkg install aircrack-ng wl
ifconfig should tell you the wifi interface is down (use ifconfig -a to show down interfaces as well). We use the wl tool for configuring the wifi to use monitor mode needed for airodump-ng, not airmon-ng.
wl monitor 1
Now ifconfig -a should show a prism0 interface.
ifconfig prism0 up
And that's it - airodump should show you networks in range.
For your wardriving purposes, you need to start airodump in background and save IVs to files. Make sure you're not in /tmp (i use / as location) and run airodump like this:
airodump-ng --ivs --write wep prism0 &
Instead of wep you can use any prefix you like, it is used as a prefix to the files with IVs like wep-01.ivs.
The & at the end makes airodump run in the background (it still spams your console with information). You can just close your terminal and abort the telnet session, airodump will still run as long as the router is powered or until you manually stop/kill it.
view IV list
Use aircrack-ng to list the networks and number of captured IVs for each: