CFE tries to verify that the image it started is working by writing to the special bin-header at the end of the image. This is a structure of 8 bytes with the following “meaning”:
2 bytes “stable”
2 bytes “try1”
2 bytes “try2”
2 bytes “try3”
The CFE sets “try1” to 0x0074 == 't' when it executes the image for the first time. If everything works fine, the running system sets the value for “stable” to 0x0073 == 's'.
When CFE does not find the 's', it continues by setting “try2” to 't', and so on.
Finally, when try1 to try3 are set and stable is still unset, CFE assumes that the image is broken and won't start it anymore. It now starts listening on TFTP for a new firmware image. Nevertheless, you can still force the CFE to load the current image with the following command: “boot -raw -z -addr=0x80001000 -max=0xf40000 flash0.os:”.
When I try to set 'stable' manually, it will accept it but check if there is a valid second image as fallback. If not, CFE simply copies the first 8MB over the second 8MB, destroying any jffs2 data the former running system might have written there.
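The try/stable bookkeeping described above, modelled as an added example (this is not CFE's or OpenWrt's own code). It assumes little-endian 16-bit fields and treats any value other than 't' or 's' as unset; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MARK_STABLE 0x0073 /* 's', written by the running system */
#define MARK_TRY    0x0074 /* 't', written by CFE before each attempt */

enum action { BOOT_STABLE, BOOT_ATTEMPT, TFTP_RECOVERY };

/* Assumption: fields are little-endian, in the order stable, try1, try2,
 * try3. The page does not state the byte order. */
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* One boot decision over the 8-byte bin-header. Consumes the next free
 * try slot when an attempt is started. */
enum action cfe_decide(uint8_t hdr[8])
{
    if (get16(hdr) == MARK_STABLE)
        return BOOT_STABLE;              /* image confirmed itself earlier */
    for (int slot = 1; slot <= 3; slot++) {
        if (get16(hdr + 2 * slot) != MARK_TRY) {
            put16(hdr + 2 * slot, MARK_TRY);
            return BOOT_ATTEMPT;         /* try1, try2 or try3 used up */
        }
    }
    return TFTP_RECOVERY;                /* three tries used, never stable */
}

/* What a healthy firmware does once it is up and running. */
void os_mark_stable(uint8_t hdr[8]) { put16(hdr, MARK_STABLE); }

/* Boots an image gets if it never confirms itself; -1 if it is stable. */
int boots_until_recovery(uint8_t hdr[8])
{
    for (int boots = 0; ; boots++) {
        enum action a = cfe_decide(hdr);
        if (a == TFTP_RECOVERY) return boots;
        if (a == BOOT_STABLE) return -1;
    }
}

int main(void)
{
    uint8_t hdr[8];
    memset(hdr, 0xff, sizeof hdr);       /* constructed sample: all fields unset */
    printf("failed boots before TFTP: %d\n", boots_until_recovery(hdr));
    return 0;
}
```

An image that boots but never writes 's' is treated the same as one that crashes, which is why firmware for this unit has to update the header itself.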
NOTE: If you need an image for one of the other WRT54G3GV2 variants besides the -VF one (such as -ST), download the image builder, and copy the line for the -VF model in the image makefile (target/linux/brcm47xx/image/Makefile) and change 3G2V for the correct “magic” string for your model (3G2S for the -ST), and firmware file name, then make the image. Simply editing the header at the top of the .bin file with a hex editor isn't enough. The header at the top will allow you to flash the file, but it won't boot - the 'magic' string is at the end of the file too, and used by the bootloader to make sure it's the right image. To change that one, you have to recalculate the CRC, and thus the easiest way is to just build the image with the correct 'magic' string in it with the proper tool. — hwgasdfasdf 2012/05/01 15:45
The new CFE expects the flash to be split in two 8MB chunks containing a valid firmware image each.
To manage those, Broadcom/Linksys introduced a new TRX header format (v2) containing an additional offset where the CFE expects a modified bin-header.
Thus you have two choices to get a running firmware on the device:
run the original web-interface and select openwrt-wrt54g3gv2-vf-squashfs.bin for firmware upgrade (see OEM easy installation)
Trouble so far is: the jffs2 is not aware of the 2x8MB layout and completely grabs all the space available. While it is nice to have all 16MB you won't be able to boot the second fallback-firmware any more.
boot_wait=yes, as known from other Linksys routers, is still available but behaves differently. It copies a raw firmware image to a RAM area and tries to execute it afterwards.
Maybe we can use this to provide a kind of rescue system over TFTP from within which you can flash a new firmware.
OEM easy installation
This section deals with how to install OpenWrt on a freshly opened device, plus the steps required, such as a reset to factory defaults, if the device has already been configured.
Note: Reset router to factory defaults if it has been previously configured.
: make sure this is correct
Numbers 0-3 are Ports 1-4 as labeled on the unit, number 4 is the Internet (WAN) on the unit, 5 is the internal connection to the router itself. Don't be fooled: Port 1 on the unit is number 3 when configuring VLANs. vlan0 = eth0.0, vlan1 = eth0.1 and so on.
If you forgot your password, broke one of the startup scripts, firewalled yourself or corrupted the JFFS2 partition, you can get back in by using OpenWrt's failsafe mode.
Boot into failsafe mode
Unplug the router's power cord.
Connect the router's LAN1 port directly to your PC.
Configure your PC with a static IP address between 192.168.1.2 and 192.168.1.254, e.g. 192.168.1.2 (gateway and DNS are not required).
Plug the power on and wait for the DMZ LED to light up.
While the DMZ LED is on, immediately press any button (Reset and Secure Easy Setup will work) a few times.
If done right, the DMZ LED will quickly flash 3 times every second.
You should be able to telnet to the router at 192.168.1.1 now (no username and password).
What to do in failsafe mode?
NOTE: The root file system in failsafe mode is the SquashFS partition mounted in read-only mode. To switch to the normal writable root file system, run mount_root and make any changes. Run mount_root now.
Forgot/lost your password and would like to set a new one
Forgot the router's IP address
uci get network.lan.ipaddr
You accidentally ran 'ipkg upgrade' or filled up the flash by installing too big packages (clean the JFFS2 partition and start over)
mtd -r erase rootfs_data
If you are done with failsafe mode, power cycle the router and boot in normal mode.
The Linksys WRT54G3GV2-VF has two buttons. They are Reset and 3G/UMTS. The buttons can be used with hotplug events, e.g. for a WiFi toggle.