Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
toh:netgear:wnr2000v4 [2015/01/06 01:06] – Added the proper tag Umeaboytoh:netgear:wnr2000v4 [2019/10/14 16:04] – 432 warning added tmomas
Line 1: Line 1:
 +====== Netgear WNR2000 v4 ======
  
 +{{section>meta:infobox:432_warning#infobox_for_dataentries&noheader&nofooter&noeditbutton}}
 +
 +===== Supported Versions =====
 +---- datatable ----
 +cols    : Brand, Model, Versions, Supported Current Rel, OEM device homepage URL_url, OWrt Forum Topic URL_url, Device Techdata_pageid
 +headers : Brand, Model, Version, Current Release, OEM Info, Forum Topic, Technical Data
 +align   : c,c,c,c,c,c,c
 +filter  : Model=WNR2000
 +filter  : Versions~v4
 +----
 +
 +
 +===== Hardware Highlights =====
 +---- datatable ----
 +cols    : Model, Versions, CPU, CPU MHz, Flash MB_mbflashs, RAM MB_mbram, WLAN Hardware, WLAN 2.4GHz, WLAN 5.0GHz, Ethernet 100M ports_, Ethernet Gbit ports_, Modem, USB ports_
 +header  : Model, Version,SoC,CPU MHz,Flash MB,RAM MB,WLAN Hardware,WLAN2.4,WLAN5.0,100M ports,Gbit ports,Modem,USB
 +align   : c,c,c,c,c,c,c,c,c,c,c,c,c
 +filter  : Model=WNR2000
 +filter  : Versions~v4
 +----
 +
 +
 +===== Installation =====
 +---- datatable ----
 +cols    : Model, Versions, Supported Current Rel, Firmware OpenWrt Install URL_url, Firmware OpenWrt Upgrade URL_url, Firmware OEM Stock URL_url
 +headers : Model, Version, Current Release, Firmware OpenWrt Install, Firmware OpenWrt Upgrade, Firmware OEM Stock
 +align   : c,c,c
 +filter  : Model=WNR2000
 +filter  : Versions~v4
 +----
 +
 +-> [[docs:guide-user:installation:generic.flashing|Install OpenWrt (generic explanation)]]
 +
 +
 +====How to Install OpenWrt on the Netgear wnr2000v4 through u-boot-env modification on Linux:====
 +
 +**1.** Change the IP-Address of your computer into: 192.168.1.10
 +
 +**2.** Flash to Stock-Firmware version 1.0.0.58:
 +
 +-> Here's where you can get it: http://kb.netgear.com/app/answers/detail/a_id/26592/~/wnr2000v4-firmware-version-1.0.0.58
 +
 +**3.** Start running a TFTP Server on your local machine.
 +
 +**4.** Download and use a pre-made u-boot-env image
 +
 +Warning: There is a slight chance to brick your router by using this pre-made u-boot-env image. It is 100% your own decision to try this method at your own risk. However, it worked for me.
 +
 +Download this u-boot-env into your TFTP downloads directory: https://drive.google.com/file/d/0B7VI0K9knyDiNnJNUE1VU21wNnc/view
 +
 + Alternatively, you can create your own u-boot-env image. A tutorial can be found here: https://forum.openwrt.org/viewtopic.php?pid=273444#p273444
 +
 +**5.** Download the current OpenWrt image (15.05.1 - Chaos Calmer):
 +
 +  wget http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/openwrt-15.05.1-ar71xx-generic-wnr2000v4-squashfs-sysupgrade.bin
 +
 +Download this file into your TFTP downloads directory and maybe for usability rename it into: sysfsupgrade.bin
 +
 +**6.** Create and Use the UDPtelnetenable.py Script
 +  
 +In Linux there's a python script that you run to enable access to telnet with. You need a modified version of it which allows you to UDPtelnetenable. This script is written in python2 and requires the Python Cryptography Toolkit (pycrypto).
 +
 +This is the source code for the UDPtelnetenable.py:
 +
 +  # Copyright (c) 2009 Paul Gebheim
 +  # 
 +  # Permission is hereby granted, free of charge, to any person obtaining a copy
 +  # of this software and associated documentation files (the "Software"), to deal
 +  # in the Software without restriction, including without limitation the rights
 +  # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 +  # copies of the Software, and to permit persons to whom the Software is
 +  # furnished to do so, subject to the following conditions:
 +  # 
 +  # The above copyright notice and this permission notice shall be included in
 +  # all copies or substantial portions of the Software.
 +  # 
 +  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 +  # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 +  # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 +  # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 +  # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 +  # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 +  # THE SOFTWARE.
 +  import sys
 +  import socket
 +  import array
 +  from optparse import OptionParser
 +  from Crypto.Cipher import Blowfish
 +  from Crypto.Hash import MD5
 +  
 +  TELNET_PORT = 23
 +  
 +  # The version of Blowfish supplied for the telenetenable.c implementation
 +  # assumes Big-Endian data, but the code does nothing to convert the
 +  # little-endian stuff it's getting on intel to Big-Endian
 +  #
 +  # So, since Crypto.Cipher.Blowfish seems to assume native endianness, we need
 +  # to byteswap our buffer before and after encrypting it
 +  #
 +  # This helper does the byteswapping on the string buffer
 +  def ByteSwap(data):
 +    a = array.array('i')
 +    if(a.itemsize < 4):
 +      a = array.array('L')
 +    
 +    if(a.itemsize != 4):
 +      print "Need a type that is 4 bytes on your platform so we can fix the data!"
 +      exit(1)
 +    
 +    a.fromstring(data)
 +    a.byteswap()
 +    return a.tostring()
 +  
 +  def GeneratePayload(mac, username, password=""):
 +    # eventually reformat mac
 +    mac = mac.replace(":","").upper()
 +  
 +    # Pad the input correctly
 +    assert(len(mac) < 0x10)
 +    just_mac = mac.ljust(0x10, "\x00")
 +    
 +    assert(len(username) <= 0x10)
 +    just_username = username.ljust(0x10, "\x00")
 +    assert(len(password) <= 0x10)
 +    just_password = password.ljust(0x10, "\x00")
 +    
 +    cleartext = (just_mac + just_username + just_password).ljust(0x70, '\x00')
 +    md5_key = MD5.new(cleartext).digest()
 +    
 +    payload = ByteSwap((md5_key + cleartext).ljust(0x80, "\x00"))
 +    
 +    secret_key = "AMBIT_TELNET_ENABLE+" + password
 +    return ByteSwap(Blowfish.new(secret_key, 1).encrypt(payload))
 +  
 +  
 +  def SendPayload(ip, payload):
 +    for res in socket.getaddrinfo(ip, TELNET_PORT, socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_IP):
 +      af, socktype, proto, canonname, sa = res
 +      try:
 +        s = socket.socket(af, socktype, proto)
 +      except socket.error, msg:
 +        s = None
 +        continue
 +  
 +      try:
 +        s.connect(sa)
 +      except socket.error, msg:
 +        s.close()
 +        s= None
 +        continue
 +      break
 +  
 +    if s is None:
 +      print "Could not connect to '%s:%d'" % (ip, TELNET_PORT)
 +    else:
 +        s.send(payload)
 +        s.close()
 +        print "Sent telnet enable payload to '%s:%d'" % (ip, TELNET_PORT)
 +  
 +  def main():
 +    args = sys.argv[1:]
 +    if len(args) < 3 or len(args) > 4:
 +     print "usage: python telnetenable.py <ip> <mac> <username> [<password>]"
 +  
 +    ip = args[0]
 +    mac = args[1]
 +    username = args[2]
 +    
 +    password = ""
 +    if len(args) == 4:
 +      password = args[3]
 +  
 +    payload = GeneratePayload(mac, username, password)
 +    SendPayload(ip, payload)
 +    
 +  main()
 +
 +Now run the UDPtelnetenable through the following command:
 +
 +  python UDPtelnetenable.py 192.168.1.1 $(Your MAC-ADRESS found by running `arp -a` as root) admin password
 +
 +**7.** Connect to your router through Telnet
 +
 +  telnet 192.168.1.1
 +  
 +  
 +**8.** Flash the u-boot-env through TFTP
 +
 +Now, from WNR2000V4 root shell, assuming TFTP server at 192.168.1.10:69
 +
 +  cd /tmp
 +  tftp -g -r uboot_env_bootcmd_nocrc.backup 192.168.1.10 69
 +  mtd -f write uboot_env_bootcmd_nocrc.backup u-boot-env 
 +
 +**9.** Upload the new sysupgrade bin file and reboot
 +
 +To do so, we use the following commands:
 +
 +  tftp -g -r sysfsupgrade.bin 192.168.1.10 69
 +  mtd -f -r write sysfsupgrade.bin firmware
 +
 +If everything worked, the router will reboot by itself with the new firmware.
 +
 +
 +====Installing OpenWrt onto a RAMdisk on WNR2000v1====
 +
 +The original U-Boot bootloader runs a CRC check on the flash before it executes the bootcmd command.
 +This prevents OpenWrt from being run from flash.
 +As long as you do not replace the OEM bootloader, you can only create an OpenWrt ramdisk image and load it via tftp.
 +This requires access to the serial console which you can get by doing the following:
 +
 +    configure the NIC of a PC with a tftp server at 192.168.1.12
 +    copy openwrt-ar71xx-uImage-initramfs-lzma.bin into the directory of the tftp server (e.g. /tftpboot)
 +
 +On the WNR2000v4 serial console:
 +
 +    Press any key after Hit any key to stop autoboot
 +    tftpboot 0x81000000 openwrt-ar71xx-uImage-initramfs-lzma.bin - This should print a couple of # signs
 +    setenv bootargs board=WNR2000v4
 +    bootm - This boots the kernel
 +
 +
 +====Source code for the stock firmware versions====
 +If you should happen to need source code for any of your current stock firmware versions you can get those from one of the following:
 +
 +Main link to all Netgear GPL files (all devices): [[http://kb.netgear.com/app/answers/detail/a_id/2649/~/netgear-open-source-code-for-programmers-%28gpl%29|Netgear KB Article 2649 - Netgear Open Source Code for Programmers - GPL]]
 +
 +For 1.0.0.30
 +
 +  http://www.downloads.netgear.com/files/GPL/WNR2000v4-V1.0.0.30_gpl_src.zip
 +
 +For 1.0.0.40
 +
 +  http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.40_gpl_src.zip
 +
 +For 1.0.0.50
 +
 +  http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.50_GPL.zip
 +
 +For 1.0.0.58
 +
 +  http://www.downloads.netgear.com/files/GPL/WNR2000v4-V1.0.0.58_GPL.zip
 +
 +For 1.0.0.60
 +
 +  http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.60_gpl_src.zip
 +  
 +For 1.0.0.70
 +  http://www.downloads.netgear.com/files/GPL/wnr2000v4-V1.0.0.70_gpl_src.zip
 +  
 +===== Misc =====
 +
 +cat /proc/cpuinfo shows
 +
 +  system type             : Atheros AR934x
 +  processor               : 0
 +  cpu model               : MIPS 74Kc V4.12
 +  BogoMIPS                : 267.26
 +  wait instruction        : yes
 +  microsecond timers      : yes
 +  tlb_entries             : 32
 +  extra interrupt vector  : yes
 +  hardware watchpoint     : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0013, 0x0830]
 +  ASEs implemented        : mips16 dsp
 +  shadow register sets    : 1
 +  core                    : 0
 +  VCED exceptions         : not available
 +  VCEI exceptions         : not available
 +
 +cat /proc/athversion shows:
 +
 +  9.2.0_U10.1020
 +
 +cat /proc/buddyinfo shows:
 +
 +  Node 0, zone   Normal      8     21      9      8      4      2      2      2      1      1      1
 +
 +cat /proc/devices shows:
 +  Character devices:
 +  1   mem
 +  4   ttyS
 +  5   /dev/tty
 +  5   /dev/console
 +  5   /dev/ptmx
 +  10  misc
 +  77  ATH_GPIOC
 +  90  mtd
 +  108 ppp
 +  128 ptm
 +  136 pts
 +  240 atherosgpio
 +
 +  Block devices:
 +    259 blkext
 +     31 mtdblock
 +
 +cat /proc/mtd shows:
 +  dev:   size     erasesize     name
 +  mtd0:  00030000 00010000      "u-boot"
 +  mtd1:  00010000 00010000      "u-boot-env"
 +  mtd2:  000d0000 00010000      "kernel"
 +  mtd3:  00290000 00010000      "rootfs"
 +  mtd4:  00060000 00010000      "rootfs_data"
 +  mtd5:  00020000 00010000      "language"
 +  mtd6:  00010000 00010000      "pot"
 +  mtd7:  00010000 00010000      "traffic_meter"
 +  mtd8:  00010000 00010000      "config"
 +  mtd9:  00010000 00010000      "art"
 +  mtd10: 00360000 00010000      "firmware"
 +  
 +cat /proc/partitions shows:
 +  major minor  #blocks  name
 +  31    0       192     mtdblock0
 +  31    1       64      mtdblock1
 +  31    2       832     mtdblock2
 +  31    3       2624    mtdblock3
 +  31    4       384     mtdblock4
 +  31    5       128     mtdblock5
 +  31    6       64      mtdblock6
 +  31    7       64      mtdblock7
 +  31    8       64      mtdblock8
 +  31    9       64      mtdblock9
 +  31    10      3456    mtdblock10
 +
 +cat /proc/mounts shows:
 +  rootfs / rootfs rw 0 0
 +  /dev/root / squashfs ro,relatime 0 0
 +  proc /proc proc rw,relatime 0 0
 +  sysfs /sys sysfs rw,relatime 0 0
 +  tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
 +  tmpfs /dev tmpfs rw,relatime,size=512k 0 0
 +  devpts /dev/pts devpts rw,relatime,mode=600 0 0
 +  root /tmp/root tmpfs rw,relatime 0 0
 +  /dev/root /mnt squashfs ro,relatime 0 0
 +  root /mnt tmpfs rw,relatime 0 0
 +  
 +===== Tags =====
 +[[meta:tags|How to add tags]]
 +{{tag>AR9341 4flash 32ram}}
  • Last modified: 2024/02/12 08:58
  • by 127.0.0.1