WR850G v1

From DD-WRT Wiki

(Redirected from DD-WRT on WR850G v1)
Jump to: navigation, search

This is work in progress.
In fact I have not been able to work on it for a long time since I created this page, and failed to fill in the missing links.
Although I will work on this page as often as my time allows - which does not happen very often - I have to wait for the upgrade to v23sp1final before I can give any more information.

If items are missing or outdated, please don't hesitate to fill them in - but make sure they apply to hardware version 1 of the WR850G.

Contents


[edit] Aim of this document

The page Flash_Your_Motorola_WR850G gives a nice overview how to convert Motorola routers into DD-WRT boxes. Unfortunately, there are a few pitfalls if you own a hardware version 1 (the one with the AC/DC converter in the middle of the power cord, and no indication of the version on the label). See that page to get some idea first.
I'm no Windows user, but I know Linux quite well. If you don't understand what the commands below are doing, please check with a good Linux/Unix textbook first, then search the forum and Wiki.
DISCLAIMER: There is no warranty at all: the procedure outlined below worked for me (several times), but it may kill your cat or wife, smash your windows, or make your boss angry etc. You are completely on your own!

[edit] Starting point

I bought a WR850G, version 1, on e***. It came with firmware version 2.00 installed, and I - before and after changing its configuration, and resetting to defaults - made some config backups (which are encrypted in some way I don't understand yet, hopefully the GPL source of fw 5.13 will give me some clues: all bytes are with the MSB set, and all byte values between 128 and 255 do occur, I'm afraid it's some "base128" encoding. Suggestions welcome.), and started reading FAQs.

On the BroadbandReports forum Motorola FAQ page I found some firmware binaries released by Motorola: 4.03 and 5.13 (which fixes some security issues with 4.03), and 6.1.4 is available for download from (FIXME: URL) Motorola.
There are GPL sources for 5.12, 5.13, and 6.1.4. (FIXME: URL)
(FIXME:URL) Several security sites mention that there's an "easter egg" in the 4.03 firmware which can be used to get limited shell access (the frame_debug.asp page). (Later addition: there's a ver.asp page as well which gives access to all NVRAM settings.)
BATBOX is a nice tool that allows you to run a telnetd (and other nice stuff) on a WRT54G, exploiting the Ping.asp bug present in many Linksys firmwares; this one does not work on the Motorola though (I've got some ideas to make it work with fw 4.03 - but at the moment I'm too lazy).
Somehow I got DD-WRT (the mini_moto image) installed on the router, and I did a firmware reset - this is where trouble started. Having read the sources, I now know why: this particular hardware is not handled properly yet, and one will end up with wrong VLAN assignments and worse.
So it took only hours to brick my WR850Gv1 for the first time...

(What makes it really hard: 4.03, with more than 1000 NVRAM entries created by DD-WRT, doesn't allow to restore previous configuration backups anymore; 5.13 seems to behave the same.)

Fortunately, after installing DD-WRT, I had backed up all four mtd partitions, so together with the GPL'd source I had a starting point what to expect from hard resets.


[edit] Step by step from Motorola FW Version < 4.03

I was lucky to get a couple of used Motorola WR850G, after they were shipped to me I figured out that they were all indeed V1.
NOTE:</br>All my v1 had a firmware prior to V4.03

[edit] What didn´t work

After flashing the device to original Motorola firmware 6.1.4 (which was the latest version when this was written) and then to DD-Wrt-mini-moto, I ended up with some kind of "half-bricked" device. It was only reachable through Wlan and all LAN Leds were solid green and the power-led was green and flashing red from time to time. Again, there was no LAN working. The following text outlines my way of flashing the v1 to fully working DD-WRT (though I didn´t test out all features yet)

[edit] Step by step

1. Obtain Motorola firmwares: V4.03 and V6.1.4

2. Obtain DD-WRT-Firmware which should be in this case the mini-moto image (dd-wrt.v23_mini_moto.bin) and some "Full-featured" firmware eg. dd-wrt.v23_generic.bin from HERE

3. I suggest you also read this Flash_Your_Motorola_WR850G

4. Flash via webinterface to V4.03. Note that the firmware flashes and then prompts you to reboot with the flashing "Restart" button after that you can proceed.

5. Flash via webinterface to V6.1.4. Note that the firmware flashes and then prompts you to reboot with the flashing "Restart" button after that you can proceed. You should now have a different webfrontend which looks, lets say, less sophisticated.

6. As precaution I did reset to factory defaults and , after that, I unplugged the router and plugged it back in.

7. Flash via webinterface to dd-wrt.v23_mini_moto.

!!!!!NOTE: don't use the sp1!! it takes always a factory reset while flashing from v.6.1.4!!!!!!!

NOTE: After the flashing is completed and the router restarted the behaviour of the leds should be different: I my case all leds were off, except the LAN leds worked properly.

8. Flash now to any DD-wrt-gerneric image you like, all of them should work now.

NOTE: It is IMPORTANT to flash to V4.03 original FW first or you will end up with some kind of half-bricked router.--Berni 10:49, 14 Apr 2006 (CEST)

[edit] Upgrading to dd-wrt.v23 SP1/2 and dd-wrt.v24 beta

Don't upgrade to this firmware versions without having read the following paragraph!

It is noted in the above paragraph to not flash dd-wrt sp1 or later. Indeed flashing to any version of dd-wrt sp1 and later (including the new v24 beta) cannot be done without special steps. This is, because the later firmware version use encrypted username and password, and therefore require to do a factory/firmware reset to write this encrypted strings to the nvram. But, as stated below we can never do a factory/firmware reset on WR850G v1 as this will brick the router.On the other hand, without having the encrpyted username/password strings in your router, you wont be able to login to the webinterface or via telnet after upgrading to those new firmware versions! Nevertheless i found a solution to get the beast working with firmwares more recent than v23 (i can confirm this is working with v24 beta, but probably also works with the other releases that use encrpyted passwords):

1. Make you sure you have successfully flashed dd-wrt v23 mini or standard (see instructions above).

2. via telnet or webinterface, clear the username/password variables in the nvram, by executing the following commands

nvram set http_username=
nvram set http_passwd=
nvram commit

3. Now unplug the router and plug it back in.

4. Login to the webinterface to confirm the new password is working. Login with no username and no password.

5. Go to the firmware update tab, and choose the firmware you want to flash on the router (i used dd-wrt.v24_generic.bin). Be sure you have selected to NOT reset after flashing. Click "upgrade" and wait until the flashing process is finished.

6. Now you should be able to login to the new web-interface with no username and no password.

7. Now change the username and password to the defaults or what ever you need.

--SOLiBRA 00:30, 12 Dec 2006 (CET)

[edit] Restore of a Motorola WR850G v1 which is "half-bricked"

[edit] What is "half-bricked"?

The device is "half-bricked" when it is only reachable through Wlan and all LAN Leds are solid green and the power-led is green and flashing red from time to time.

Edited By Seth7

Verrify the brick

The WR850G V1 has a seperate 10/100 Eithernet controller from the 4 port switch ...

You may still have access to the router Via the WAN port.... set a Static IP 192.168.10.50 , Subnet 255.255.255.0 , Default Gateway 192.168.10.1

Launch IE to 192.168.10.1 .. see if you have a login screen of either the moto or dd-wrt ....

(or the dd-wrt default .. 192.168.1.50, 255.255.255.0, 192.168.1.1) <---- try them both

If not ... try a telnet --- same address

If not ... use the command prompt continuios ping --- you know the "ping -t 192.168.10.1" listed else where in the WIKI about setting a static ip

(I used two command windows with a continous ping to 192.168.1.1 and the other to 192.168.10.1)

Debricking the WR850G is verry similar to the WRT54G/S ....

[edit] Step by Step

1. Obtain Motorola firmwares: V4.03 and V6.1.4

2. Obtain DD-WRT-Firmware which should be in this case the mini-moto image (dd-wrt.v23_mini_moto.bin) and some "Full-featured" firmware eg. dd-wrt.v23_generic.bin from HERE

3. I suggest you also read this Flash_Your_Motorola_WR850G

4. Convert the original V4.03 FW from TRX file format to BIN file format with this command on linux machines:

dd if=firmware.trx bs=8 skip=1 of=firmware.bin

Windows users can download unx Tools free from SourceForge to add the functionality of the dd command. Link to the SourceForge project page is HERE

More about TRX and BIN format: HERE DD-WRT Webfrontend will reject the TRX file.

5. Connect to your router the only way left: via WLAN

NOTE: When you do this the 2nd time because you ended up with a "half-bricked" router again, select now "Restore to factory defaults" in the Firmware tab of dd-wrt. This did the trick for me.

Flash the device over web-interface with the original FW V4.03 which has been converted into a .bin file the step before.

6. After the router is restarted, connect to the web-interface. You should see the original Motorola design and you should be able to get to the tab where you can restore factory defaults. If you can´t reach that tab you probably have somekinda mess in your nvram variables and you didn´t choose "Restore to factory defaults" when flashing from the "half-bricked" state. If you are able to reach that tab, restore factory defaults.

7. Resume flashing as outlined in [[Step by step from Motorola FW Version < 4.03]]

Have fun! --Berni 17:41, 14 Apr 2006 (CEST)

[edit] Analysis of the CFE

The CFE (common firmware environment?) is acting the same as the BIOS does for a PC: hardware init, interactive setup, boot operating system.
As in virtually every CFE around, there's a small flash image embedded which will put into the NVRAM section when corruption is detected or the box gets reset "the hard way".
Mine (256KB in size, uncompressed) at an offset of 0x0400--0x2400 contains the following fixed settings:

boardtype=bcm94710dev
boardnum=2
clkfreq=125
sdram_init=0x0419
sdram_config=0x0000
sdram_refresh=0x8040
et0phyaddr=30
et0mdcport=0
et1phyaddr=0
et1mdcport=1
dl_ram_addr=a0001000
os_ram_addr=80001000
os_flash_addr=bfc40000
lan_ipaddr=192.168.10.1
lan_netmask=255.255.255.0
wan_ipaddr=192.168.10.1
wan_netmask=255.255.255.0
scratch=a0180000
boot_wait=off
watchdog=1000
GemtekPmonVer=9

Note that WAN and LAN addresses are set the same. This allows to TFTP flash over all ports at the back. (I didn't try though.)

In the subsequent code, at about 71% into the whole file, another settings are mentioned (obviously they will be inserted into the NVRAM image, there's a string "Starting to restore all default valus" (sic) just before):

DefaultEthPort  1
et0macaddr lan_hwaddr  00:11:22:33:44:55
et1macaddr wan_hwaddr  00:11:22:33:44:56

Since the v1 doesn't have a serial port (could not find a UART chip), I cannot check this by running a serial console, and the ordering of the strings is not necessarily related to their assignments, so be careful... (There is serial console support inside the CFE, up to 921600 baud!)
Motorola firmware may detect such bogus settings and convert them to other ones (bogus as well, but who cares).

Visit www.gemtek.com for updates.

They are at www.gemtek.com.tw now (www.gemtek.com points to an environmental services company), and there's no download available - what did you expect?

[edit] Firmware reset in Motorola code

There's no GPL source for 4.03. Check 5.13 or 6.1.4 (the latter one may have some clues in src/router/rc/rc.c).

[edit] What one should avoid

The WR850Gv1 is such a nice toy, so why shouldn't I start playing with it? Set to firmware defaults, play with the gpio utility to switch on/off the LEDs, ...

[edit] No GPIO tricks please

Unfortunately, the v1 is a bit different in many cases, so don't expect it won't break/brick!
Polling the GPIO ports (0-7 seem to be connected, with a wraparound at 32) will return 01 for all ports, except port 1 which will alternate between 00 and 01 very rapidly.
By dis-/enabling ports, I found the following assignments:

gpio portfunction
0no change ?
1no change ?
2all LAN LEDs
3red blinking POWER LED
4DON'T TOUCH!!!
5no change ?
6DON'T TOUCH!!!
7DON'T TOUCH!!!

Ports 4 and 6 are mentioned in resetbutton.c, and they obviously can do harm to your system.
Port 7 may be used for DMZ LED, be careful here as well. It at least reset my box. (Feedback welcome: I've got no use of this feature.)
You may brick your router by playing games with gpio. Even the system itself can.

[edit] No mtd tricks

As BrainSlayer also mentioned (FIXME: where?), NEVER EVER run mtd erase nvram on a WR850G. This is not limited to v1 hardware, and will assign strange MAC addresses.

[edit] Take care with setting to firmware defaults

The v1 is almost fully supported starting from 02/2007. Cause the MAC addresses are stored in the nvram they were set to 00:11:22:33:44:5x while you reset to firmware fefauls. Its necessary to restore the MACs manualy to those that are labeled on the router. watch Fix MAC addresses and more

[edit] LEDs can be misleading

On my box, I found that the LED pattern may be misleading a lot.
With a fully functional WR850Gv1, running DD-WRT v23final ("Xmas edition" 2005-12-25) I see:

  • POWER is blinking red (coming up last)
  • MODEM (which is connected via DHCP) shows "orange" (red and green) first blinking but solid when connected (XOR traffic)
  • WLAN is off all the time
  • LAN# are solid green (XOR traffic) if connected (interface up)

Don't take the blinking POWER light too seriously, it doesn't have the same meaning as with a WRT54G! It's DD-WRT, and BrainSlayer said (FIXME: link) there was no LED support for WR850G in DD-WRT at all, so they could be all off as well.

[edit] How to revive the dead beast

Now, you got a dead WR850Gv1, and want to revive it? Don't worry, there's no need for JTAG (sorry, (FIXME:URL) HairyDairyMaid, and there's no need to open the box (which is (FIXME:URL) a hard job) at all!

[edit] Prerequisites for debricking

[edit] Hardware

I own a laptop, running Linux, a wireless card (good old Avaya, with Orinoco chip), a switch (which is very important to have, I don't have a hub to test with), and a WRT54G where I can run site surveys (a Kismet/*Stumbler box will also do).
With Linux, you may have an IP assigned by your DHCP server, and additional (aliased) addresses (use

ifconfig eth0:1 192.168.10.5
ifconfig eth0:2 192.168.1.5

to be able to access the default address 192.168.10.1 of a "virginized" WR850G, and the 192.168.1.1 assigned by DD-WRT, without losing your other connections.
The switch will keep your interface up even if the router is resetting its ports.
A wireless card will be needed if the wired interfaces become badly misconfigured, and are not accessible anymore.

[edit] Software

Get firmware

If necessary, unpack. (*.exe can be unpacked using unzip -x under Linux.)
Using

dd if=firmware.trx bs=8 skip=1 of=firmware.bin

create versions that can be flashed via TFTP and/or DD-WRT firmware upgrade web page.

[edit] Check what's left unbroken, collect the pieces

Run a SiteSurvey on another router, or Kismet, or another WLAN detection tool to check whether the wireless interface of the WR850G is still up. Remember that you cannot trust the LEDs.
While power cycling the WR850G, run ping 192.168.10.1 (This is where the switch proves to be helpful!). Remember that you have to set your wired interface to a 192.168.10.xxx address.
Connect the cable to the WAN port, and repeat the previous step, if necessary.
If you got any response, there's a lot of hope for you!
If not, you may have to keep the Reset Button on the back of the router pressed while powering it on.
With DD-WRT flashed, you will probably not see anything. This doesn't necessarily mean that nothing happens.
To check whether you succeeded, go back to the beginning of this section.

[edit] WLAN is there, but no wired access

Check the WLAN MAC address shown by your WLAN detector. It should be the one you can read off the label, it may be off by one though.
Remove the aliases from your wired interface, and check:

ifconfig eth0:1 down
ifconfig eth0:2 down
ifconfig -a

Then insert your wireless card, and check with iwconfig whether it can see the access point. Do not "up" the interface yet!
Now try to get an address via DHCP (how to do this depends on your Linux distribution - on Debian you'd have to edit /etc/network/interfaces). If you don't succeed, assign an address by hand. (You may have to try twice, once for the network the router belonged to before, and once for 192.168.10.xxx.)
Flush your ARP cache often by running a broadcast ping.
Try to connect to the HTTP port of the router. (You may also run nmap to check which ports are there.) If you are successful, proceed to "Flash back from Web" below.

[edit] Wired access works

Try to get a DHCP address. Then connect to the HTTP port. Don't forget to flush your ARP cache.

[edit] No Web access to the router

If you cannot manage to get a DHCP address, and assigning a fixed address from the (hopefully correct) adddress range doesn't give you access to the Web pages either,
but you may have seen a short response to the ping before
you may TFTP a firmware to the router directly. This has been described may times before, but repetition doesn't hurt:

  • Unplug the router.
  • On your Linux box, connected by wire to one of the LAN ports, run
    tftp 192.168.10.1
    bin
    trace
    put firmware403.bin
    

    (make sure you use the stripped version of the 4.03 firmware here, it's the only one that will allow you to fix things!) and at almost the same time you press ENTER, plug in the router power.


Continue with "Restore virginity" below.

[edit] Flash back from Web

... FIXME: to be written yet ... (use *.bin on DD-WRT, *.trx on Moto FW - you get the picture)

[edit] Restore virginity

(This may not be necessary, but it at least defines the state of the router.)
Let the LEDs come to a rest.
Power off the router.
Hold Reset, power on, let the router cycle through its reset twice (look at the red power light), then release.
Let things settle down a bit.
Power cycle the router.

[edit] Fix MAC addresses and more

Login into the router, you may have to try a few username/password combinations (root or admin, admin or motorola or your_previously_set_password).
Do NOT try to restore old config backups. There's a bug in 4.03 (and 5.13 as well) firmware which will hang the HTTP server if you go to the config page. (This will only work if all DD-WRT entries have been removed from the NVRAM. But what gives?)
Go to the frame_debug.asp page. (This is a hidden feature, you will have to enter the URL by hand.)
Type

nvram show | grep ..:..:

into the input field and don't press ENTER - click APPLY instead!
The output window will show some lines:

et0macaddr=00:11:22:33:44:55
et1macaddr=00:11:22:33:44:56
lan_hwaddr=...
wan_hwaddr=...
wan0_hwaddr=...

wl0_hwaddr=...

- the et*macaddr values may be different, 00:0C:10:21:32:0x have been encountered as well.
Get the two MAC addresses from the router's bottom side label (WAN and WLAN).
Now comes the tricky part: use the lowest number for LAN (the lowest hex one, labeled WAN), the next higher one for WAN (labeled WLAN), and use the highest one for the WLAN address (the real WAN + 1 hex). Don't ask me why the routers have been shipped with the wrong order: both the CFE, and DD-WRT do it right. Trust me.
Now set all addresses to proper values, by entering the following commands one by one (replace the MAC addresses by your own values) and sending them by APPLY:

nvram set et0macaddr=00:0C:E5:46:00:3E
nvram set lan_hwaddr=00:0C:E5:46:00:3E

nvram set et1macaddr=00:0C:E5:46:00:3F
nvram set wan_hwaddr=00:0C:E5:46:00:3F
nvram set wan0_hwaddr=00:0C:E5:46:00:3F

nvram set wl0_hwaddr=00:0C:E5:46:00:40

Note that there is no il0macaddr setting, as opposed to later versions, and the wan0_* setting may be obsolete! Check again:

nvram show | grep ..:..:

and if everything is correct, then

nvram commit

Do not reset the router yet!
I have discovered that in rare cases, the port-to-VLAN mapping may be wrong. Check:

nvram show | grep vlan

and confirm you've got

vlan0ports=0 1 2 3 5*
vlan1ports=4 5

- if you have different settings you will have to

nvram set vlan0ports="0 1 2 3 5*"

(quotation marks!), and similarly for vlan1ports. Check the values of port*vlans as well (they can be safely removed)!

By default BootWait ist set to OFF, so activate it with

nvram set boot_wait=on 

Check if it is set correctly

nvram show | grep boot



New DD_WRT verions store username/password encrypted in the NVRAM! So if you upgrade for the Motorrola FW to DD-WRT you maybe will be locked out of your router! To avoid this change the default username/password. Check the set username.

nvram show | grep http_username

Clear the username.

nvram set http_username=

Recheck the setting.

nvram show | grep http_username

Check the set password.

nvram show | grep http_passwd

Clear the password.

nvram set http_passwd=

Recheck the setting.

nvram show | grep http_passwd

If all changes have been reviewed, and committed, reboot (power cycle).

[edit] Upgrade to 6.1.4

If you upgrade to 6.1.4 all additional NVRAM settings you changed in 4.03 will be set to there defaults (e.g if you changed the username/password/bootwait.)! In my opinion its not necessary to upgrade to 6.1.4. I debricked my wr850g several times and upgraded directly from 4.03 to dd-wrt without problems.
It has been said that by flashing DD-WRT from 6.1.4, some LED functionality may be preserved. I cannot confirm this.
Don't go to the configuration backup/restore page, the httpd will hang!
Use the Firmware Upgrade page to flash 6.1.4 (the trx file).
When ready, click the RESTART button already winking at you.
The router will automatically restart and show its main page.
Click "Restore Factory Configuration", which will do its best at cleaning the NVRAM from junk. You cannot check though.
This is the last chance to safely do this. Let me repeat: DD-WRT does not know about proper factory/firmware settings yet.

[edit] Upgrade to DD-WRT

Using the Firmware tab, flash mini_moto.trx. Newer versions are called _moto.bin or _wr850g.bin. If they are not accepted by the Motorola Webinterface rename the file to *.trx.
In Firefox, a window pops up asking me what to do with upgrade.cgi. I chose to open it in a text editor: It contains three lines of text before some proper HTTP:

WR found
Mem: 14950400
Motorola CRC correct...
HTTP/1.0 200 Ok
Server: httpd
...

Since it told you it'd be rebooting, it's now time to flush the ARP cache again, and possibly restart your network interface as well.
Reconnect to the router, and you will get the status page in Cyan.
Reboot the router. Possibly restart eth0, and flush the ARP cache once more.
The username/password pair is now "root/motorola".
Make backups of your configuration, and tag them with dates. Disk space is cheap these days, you may need each one of them.

[edit] Congratulations!

You've done it. You got what you deserve! A hard day's night, it was... Now: Enjoy, and avoid the pitfalls.