NETGEAR WNR2000 v4

→ Install OpenWrt (generic explanation)

1. Change the IP-Address of your computer into: 192.168.1.10

2. Flash to Stock-Firmware version 1.0.0.58:

→ Here's where you can get it: http://kb.netgear.com/app/answers/detail/a_id/26592/~/wnr2000v4-firmware-version-1.0.0.58

3. Start running a TFTP Server on your local machine.

4. Download and use a pre-made u-boot-env image

Warning: There is a slight chance to brick your router by using this pre-made u-boot-env image. It is 100% your own decision to try this method at your own risk. However, it worked for me.

Download this u-boot-env into your TFTP downloads directory: https://drive.google.com/file/d/0B7VI0K9knyDiNnJNUE1VU21wNnc/view

Alternatively, you can create your own u-boot-env image. A tutorial can be found here: https://forum.openwrt.org/viewtopic.php?pid=273444#p273444

5. Download the current OpenWrt image (15.05.1 - Chaos Calmer):

wget http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/openwrt-15.05.1-ar71xx-generic-wnr2000v4-squashfs-sysupgrade.bin

Download this file into your TFTP downloads directory and maybe for usability rename it into: sysfsupgrade.bin

6. Create and Use the UDPtelnetenable.py Script

In Linux there's a python script that you run to enable access to telnet with. You need a modified version of it which allows you to UDPtelnetenable. This script is written in python2 and requires the Python Cryptography Toolkit (pycrypto).

This is the source code for the UDPtelnetenable.py:

# Copyright (c) 2009 Paul Gebheim
# 
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# 
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# 
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
import sys
import socket
import array
from optparse import OptionParser
from Crypto.Cipher import Blowfish
from Crypto.Hash import MD5

TELNET_PORT = 23

# The version of Blowfish supplied for the telenetenable.c implementation
# assumes Big-Endian data, but the code does nothing to convert the
# little-endian stuff it's getting on intel to Big-Endian
#
# So, since Crypto.Cipher.Blowfish seems to assume native endianness, we need
# to byteswap our buffer before and after encrypting it
#
# This helper does the byteswapping on the string buffer
def ByteSwap(data):
  a = array.array('i')
  if(a.itemsize < 4):
    a = array.array('L')
  
  if(a.itemsize != 4):
    print "Need a type that is 4 bytes on your platform so we can fix the data!"
    exit(1)
  
  a.fromstring(data)
  a.byteswap()
  return a.tostring()

def GeneratePayload(mac, username, password=""):
  # eventually reformat mac
  mac = mac.replace(":","").upper()

  # Pad the input correctly
  assert(len(mac) < 0x10)
  just_mac = mac.ljust(0x10, "\x00")
  
  assert(len(username) <= 0x10)
  just_username = username.ljust(0x10, "\x00")
  assert(len(password) <= 0x10)
  just_password = password.ljust(0x10, "\x00")
  
  cleartext = (just_mac + just_username + just_password).ljust(0x70, '\x00')
  md5_key = MD5.new(cleartext).digest()
  
  payload = ByteSwap((md5_key + cleartext).ljust(0x80, "\x00"))
  
  secret_key = "AMBIT_TELNET_ENABLE+" + password
  return ByteSwap(Blowfish.new(secret_key, 1).encrypt(payload))


def SendPayload(ip, payload):
  for res in socket.getaddrinfo(ip, TELNET_PORT, socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_IP):
    af, socktype, proto, canonname, sa = res
    try:
      s = socket.socket(af, socktype, proto)
    except socket.error, msg:
      s = None
      continue

    try:
      s.connect(sa)
    except socket.error, msg:
      s.close()
      s= None
      continue
    break

  if s is None:
    print "Could not connect to '%s:%d'" % (ip, TELNET_PORT)
  else:
      s.send(payload)
      s.close()
      print "Sent telnet enable payload to '%s:%d'" % (ip, TELNET_PORT)

def main():
  args = sys.argv[1:]
  if len(args) < 3 or len(args) > 4:
   print "usage: python telnetenable.py <ip> <mac> <username> [<password>]"

  ip = args[0]
  mac = args[1]
  username = args[2]
  
  password = ""
  if len(args) == 4:
    password = args[3]

  payload = GeneratePayload(mac, username, password)
  SendPayload(ip, payload)
  
main()

Now run the UDPtelnetenable through the following command:

python UDPtelnetenable.py 192.168.1.1 $(Your MAC-ADRESS found by running `arp -a` as root) admin password

7. Connect to your router through Telnet

telnet 192.168.1.1

8. Flash the u-boot-env through TFTP

Now, from WNR2000V4 root shell, assuming TFTP server at 192.168.1.10:69

cd /tmp
tftp -g -r uboot_env_bootcmd_nocrc.backup 192.168.1.10 69
mtd -f write uboot_env_bootcmd_nocrc.backup u-boot-env 

9. Upload the new sysupgrade bin file and reboot

To do so, we use the following commands:

tftp -g -r sysfsupgrade.bin 192.168.1.10 69
mtd -f -r write sysfsupgrade.bin firmware

If everything worked, the router will reboot by itself with the new firmware.

The original U-Boot bootloader runs a CRC check on the flash before it executes the bootcmd command. This prevents OpenWrt from being run from flash. As long as you do not replace the OEM bootloader, you can only create an OpenWrt ramdisk image and load it via tftp. This requires access to the serial console which you can get by doing the following:

  configure the NIC of a PC with a tftp server at 192.168.1.12
  copy openwrt-ar71xx-uImage-initramfs-lzma.bin into the directory of the tftp server (e.g. /tftpboot)

On the WNR2000v4 serial console:

  Press any key after Hit any key to stop autoboot
  tftpboot 0x81000000 openwrt-ar71xx-uImage-initramfs-lzma.bin - This should print a couple of # signs
  setenv bootargs board=WNR2000v4
  bootm - This boots the kernel

If you should happen to need source code for any of your current stock firmware versions you can get those from one of the following:

Main link to all Netgear GPL files (all devices): Netgear KB Article 2649 - Netgear Open Source Code for Programmers - GPL

For 1.0.0.30

http://www.downloads.netgear.com/files/GPL/WNR2000v4-V1.0.0.30_gpl_src.zip

For 1.0.0.40

http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.40_gpl_src.zip

For 1.0.0.50

http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.50_GPL.zip

For 1.0.0.58

http://www.downloads.netgear.com/files/GPL/WNR2000v4-V1.0.0.58_GPL.zip

For 1.0.0.60

http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.60_gpl_src.zip

For 1.0.0.70

http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.70_gpl_src.zip

cat /proc/cpuinfo shows

system type             : Atheros AR934x
processor               : 0
cpu model               : MIPS 74Kc V4.12
BogoMIPS                : 267.26
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0013, 0x0830]
ASEs implemented        : mips16 dsp
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

cat /proc/athversion shows:

9.2.0_U10.1020

cat /proc/buddyinfo shows:

Node 0, zone   Normal      8     21      9      8      4      2      2      2      1      1      1

cat /proc/devices shows:

Character devices:
1   mem
4   ttyS
5   /dev/tty
5   /dev/console
5   /dev/ptmx
10  misc
77  ATH_GPIOC
90  mtd
108 ppp
128 ptm
136 pts
240 atherosgpio

Block devices:
  259 blkext
   31 mtdblock

cat /proc/mtd shows:

dev:   size     erasesize     name
mtd0:  00030000 00010000      "u-boot"
mtd1:  00010000 00010000      "u-boot-env"
mtd2:  000d0000 00010000      "kernel"
mtd3:  00290000 00010000      "rootfs"
mtd4:  00060000 00010000      "rootfs_data"
mtd5:  00020000 00010000      "language"
mtd6:  00010000 00010000      "pot"
mtd7:  00010000 00010000      "traffic_meter"
mtd8:  00010000 00010000      "config"
mtd9:  00010000 00010000      "art"
mtd10: 00360000 00010000      "firmware"

cat /proc/partitions shows:

major minor  #blocks  name
31    0       192     mtdblock0
31    1       64      mtdblock1
31    2       832     mtdblock2
31    3       2624    mtdblock3
31    4       384     mtdblock4
31    5       128     mtdblock5
31    6       64      mtdblock6
31    7       64      mtdblock7
31    8       64      mtdblock8
31    9       64      mtdblock9
31    10      3456    mtdblock10

cat /proc/mounts shows:

rootfs / rootfs rw 0 0
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev tmpfs rw,relatime,size=512k 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
root /tmp/root tmpfs rw,relatime 0 0
/dev/root /mnt squashfs ro,relatime 0 0
root /mnt tmpfs rw,relatime 0 0

How to add tags