WR850G v1
From DD-WRT Wiki
Revision as of 13:50, 22 February 2006 (edit) Stephen (Talk | contribs) (→Fix MAC addresses and more) ← Previous diff |
Revision as of 14:51, 22 February 2006 (edit) (undo) Stephen (Talk | contribs) Next diff → |
||
Line 9: | Line 9: | ||
middle of the power cord, and no indication of the version on the label). See that page to get some idea first.<br> | middle of the power cord, and no indication of the version on the label). See that page to get some idea first.<br> | ||
I'm no Windows user, and I know Linux quite well. If you don't understand what the commands below are doing, please check with a good Linux/Unix textbook first.<br> | I'm no Windows user, and I know Linux quite well. If you don't understand what the commands below are doing, please check with a good Linux/Unix textbook first.<br> | ||
- | There is no warranty at all: it worked for me, but it may kill your cat or wife, smash your | + | There is no warranty at all: it worked for me, but it may kill your cat or wife, smash your windows, or make your boss angry etc. |
=Starting point= | =Starting point= | ||
Line 16: | Line 16: | ||
changes to its configuration, and resetting to defaults, make some config backups (which are encrypted in some way | changes to its configuration, and resetting to defaults, make some config backups (which are encrypted in some way | ||
I don't understand yet, hopefully the GPL source of fw 5.13 will give me some clues: all bytes are with the MSB set, | I don't understand yet, hopefully the GPL source of fw 5.13 will give me some clues: all bytes are with the MSB set, | ||
- | and all byte values between 128 and 255 do occur, I'm afraid it's some "base128" encoding.), and started reading | + | and all byte values between 128 and 255 do occur, I'm afraid it's some "base128" encoding. Suggestions welcome.), and started reading FAQs.<br> |
- | FAQs.<br> | + | |
On (FIXME: fill in the URL of the Motorola download page) | On (FIXME: fill in the URL of the Motorola download page) | ||
Line 25: | Line 24: | ||
mentions that there's an "easter egg" in the 4.03 firmware which can be used to get limited shell access (the | mentions that there's an "easter egg" in the 4.03 firmware which can be used to get limited shell access (the | ||
<code>frame_debug.asp</code> page).<br> | <code>frame_debug.asp</code> page).<br> | ||
- | http://www.batbox.org/wrt54g/ | + | [http://www.batbox.org/wrt54g/ BATBOX] is a nice tool that allows you to run a telnetd (and other nice stuff) on a WRT54G, |
- | exploiting the Ping.asp bug present in many Linksys firmwares; this one does not work on the Motorola though (I've | + | exploiting the <code>Ping.asp</code> bug present in many Linksys firmwares; this one does not work on the Motorola though (I've |
- | got some ideas to make it work with fw 4.03 | + | got some ideas to make it work with fw 4.03 - but at the moment I'm too lazy).<br> |
Somehow I got DD-WRT (the mini_moto image) installed on the router, and I did a firmware reset - this is where | Somehow I got DD-WRT (the mini_moto image) installed on the router, and I did a firmware reset - this is where | ||
trouble started. Having read the sources, I now know why: this particular hardware is not handled properly yet, | trouble started. Having read the sources, I now know why: this particular hardware is not handled properly yet, | ||
and one will end up with wrong VLAN assignments and worse.<br> | and one will end up with wrong VLAN assignments and worse.<br> | ||
So it took only hours to brick my WR850Gv1 for the first time...<br> | So it took only hours to brick my WR850Gv1 for the first time...<br> | ||
- | Fortunately, after installing DD-WRT, I had backed up all four mtd partitions, so I had a starting point what to | + | (What makes it really hard: 4.03, with more than 1000 NVRAM entries created by DD-WRT, doesn't allow to restore previous configuration backups anymore; 5.13 seems to behave the same.)<br> |
- | expect from hard resets. | + | Fortunately, after installing DD-WRT, I had backed up all four mtd partitions, so together with the GPL'd source I had a starting point what to expect from hard resets. |
=Analysis of the CFE= | =Analysis of the CFE= | ||
Line 72: | Line 71: | ||
et1macaddr wan_hwaddr 00:11:22:33:44:56 | et1macaddr wan_hwaddr 00:11:22:33:44:56 | ||
</pre> | </pre> | ||
- | Since the v1 doesn't have a serial port (could not find a UART chip) I cannot check this by running a serial console, and the ordering of the strings is not necessarily related to their assignments, so be careful... | + | Since the v1 doesn't have a serial port (could not find a UART chip), I cannot check this by running a serial console, and the ordering of the strings is not necessarily related to their assignments, so be careful... |
(There is serial console suppport inside the CFE, up to 921600 baud!)<br> | (There is serial console suppport inside the CFE, up to 921600 baud!)<br> | ||
Line 78: | Line 77: | ||
Visit www.gemtek.com for updates. | Visit www.gemtek.com for updates. | ||
</pre> | </pre> | ||
- | They are at www.gemtek.com.tw now, and there's no download available - what did you expect?<br> | + | They are at www.gemtek.com.tw now (www.gemtek.com points to an environmental services company), and there's no download available - what did you expect?<br> |
+ | |||
+ | =Firmware reset in Motorola code= | ||
+ | There's no GPL source for 4.03. Check 5.13 or 6.1.4 (the latter one may have some clues in src/router/rc/rc.c). | ||
=What one should avoid= | =What one should avoid= | ||
- | The | + | The WR850Gv1 is such a nice toy, so why shouldn't I start playing with it? Set to firmware defaults, play with |
the <code>gpio</code> utility to switch on/off the LEDs, ...<br> | the <code>gpio</code> utility to switch on/off the LEDs, ...<br> | ||
==No GPIO tricks please== | ==No GPIO tricks please== | ||
Unfortunately, the v1 is a bit different in many cases, so don't expect it won't break/brick!<br> | Unfortunately, the v1 is a bit different in many cases, so don't expect it won't break/brick!<br> | ||
- | Polling the GPIO ports (0 | + | Polling the GPIO ports (0-7 seem to be connected, with a wraparound at 32) will return 01 for all ports, except port 1 which will alternate between 00 and 01 very rapidly.<br> |
By dis-/enabling ports, I found the following assignments: | By dis-/enabling ports, I found the following assignments: | ||
<table> | <table> | ||
Line 101: | Line 103: | ||
</table> | </table> | ||
Ports 4 and 6 are mentioned in <code>resetbutton.c</code>, and they obviously can do harm to your system.<br> | Ports 4 and 6 are mentioned in <code>resetbutton.c</code>, and they obviously can do harm to your system.<br> | ||
- | <b>You may brick your router by playing games with gpio.</b><br> | + | Port 7 may be used for DMZ LED, be careful here as well. It at least reset my box. (Feedback welcome: I've got no use of this feature.)<br> |
+ | <b>You may brick your router by playing games with gpio.</b> Even the system itself can.<br> | ||
==No mtd tricks== | ==No mtd tricks== | ||
As BrainSlayer also mentioned (FIXME: where?), <b> NEVER EVER </b> run <code>mtd erase nvram</code> on a WR850G. | As BrainSlayer also mentioned (FIXME: where?), <b> NEVER EVER </b> run <code>mtd erase nvram</code> on a WR850G. | ||
- | This is not limited to v1 hardware, and will assign strange MAC addresses.<br> | + | <b>This is not limited to v1 hardware, and will assign strange MAC addresses.</b><br> |
==No firmware defaults== | ==No firmware defaults== | ||
- | Although this is recommended in most instructions, <b> NEVER EVER </b> reset a v1 to Firmware Defaults - DD-WRT firmware does not know about the specifics of a | + | Although this is recommended in most instructions, <b> NEVER EVER </b> reset a v1 to Firmware Defaults - <b>DD-WRT firmware does not know about the specifics of a WR850Gv1 yet</b> (checked with SVN code 2006-02-19)!<br> |
=LEDs can be misleading= | =LEDs can be misleading= | ||
On my box, I found that the LED pattern may be misleading a lot.<br> | On my box, I found that the LED pattern may be misleading a lot.<br> | ||
- | I see: | + | With a fully functional WR850Gv1, I see: |
<ul> | <ul> | ||
<li>POWER is blinking red | <li>POWER is blinking red | ||
Line 119: | Line 122: | ||
<li>LAN# are solid green (XOR traffic) if connected (interface up) | <li>LAN# are solid green (XOR traffic) if connected (interface up) | ||
</ul> | </ul> | ||
- | Don't take the blinking POWER light too seriously. It's DD-WRT, and BrainSlayer said there was no LED support for | + | Don't take the blinking POWER light too seriously. It's DD-WRT, and BrainSlayer said (FIXME: link) there was no LED support for WR850G in DD-WRT at all, so they could be all off as well. |
- | WR850G in DD-WRT at all, so they could be all off as well. | + | |
+ | =How to revive the dead beast= | ||
+ | Now, you got a dead WR850Gv1, and want to revive it? Don't worry, there's no need for JTAG (sorry, HairyDairyMaid), and there's no need to open the box (which is a hard job) at all!<br> | ||
=Prerequisites for debricking= | =Prerequisites for debricking= | ||
==Hardware== | ==Hardware== | ||
I own a laptop, running Linux, a wireless card (good old Avaya, with Orinoco chip), a switch (which is very | I own a laptop, running Linux, a wireless card (good old Avaya, with Orinoco chip), a switch (which is very | ||
- | important to have), and a WRT54G where I can run site surveys.<br> | + | important to have), and a WRT54G where I can run site surveys (a Kismet/*Stumbler box will also do).<br> |
With Linux, you may have an IP assigned by your DHCP server, and additional (aliased) addresses (use | With Linux, you may have an IP assigned by your DHCP server, and additional (aliased) addresses (use | ||
<pre> | <pre> | ||
Line 142: | Line 147: | ||
<li>DD-WRT mini_moto (FIXME: copy URL from WR850G document) | <li>DD-WRT mini_moto (FIXME: copy URL from WR850G document) | ||
</ul> | </ul> | ||
- | Using < | + | Using |
- | + | <pre> | |
- | + | dd if=firmware.trx bs=8 skip=1 of=firmware.bin | |
- | + | </pre> | |
+ | create versions that can be flashed via TFTP and/or DD-WRT firmware upgrade web page. | ||
- | + | =Check what's left= | |
Run a Site Survey on another router, or Kismet, or another WLAN detection tool to check whether the wireless interface of the WR850G is still up. Remember that you cannot trust the LEDs.<br> | Run a Site Survey on another router, or Kismet, or another WLAN detection tool to check whether the wireless interface of the WR850G is still up. Remember that you cannot trust the LEDs.<br> | ||
- | While power cycling the WR850G, run <code>ping 192.168.10.1</code>. Remember that you have to set | + | While power cycling the WR850G, run <code>ping 192.168.10.1</code>. Remember that you have to set your wired |
interface to a 192.168.10.xxx address.<br> | interface to a 192.168.10.xxx address.<br> | ||
Connect the cable to the WAN port, and repeat the previous step.<br> | Connect the cable to the WAN port, and repeat the previous step.<br> | ||
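Review bot: The added dd line skips the first 8 bytes of firmware.trx, but the text never says what those 8 bytes are or which of the three downloaded images it must be run on. The TFTP step further down expects firmware403.bin, so name the input and output file for each image and say how a reader can tell a correctly stripped file from a damaged one before flashing it.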
Line 183: | Line 189: | ||
bin | bin | ||
trace | trace | ||
- | put | + | put firmware403.bin |
</pre> | </pre> | ||
(make sure you use the stripped version of the 4.03 firmware here, it's the only one that will allow you to fix things!) and at almost the same time you press ENTER, plug in the router power.<br> | (make sure you use the stripped version of the 4.03 firmware here, it's the only one that will allow you to fix things!) and at almost the same time you press ENTER, plug in the router power.<br> | ||
+ | Continue with "Restore virginity" below. | ||
+ | |||
+ | ==Flash back from Web== | ||
+ | ... FIXME: to be written yet ... (use *.bin on DD-WRT, *.trx on Moto FW) | ||
+ | |||
+ | ==Restore virginity== | ||
+ | (This may not be necessary, but it at least defines the state of the router.)<br> | ||
Let the LEDs come to a rest.<br> | Let the LEDs come to a rest.<br> | ||
Power off the router.<br> | Power off the router.<br> | ||
Hold Reset, power on, let the router cycle through its reset twice (look at the red power light), then release.<br> | Hold Reset, power on, let the router cycle through its reset twice (look at the red power light), then release.<br> | ||
Let things settle down a bit.<br> | Let things settle down a bit.<br> | ||
- | Power cycle the router. | + | Power cycle the router. |
- | + | ||
- | + | ||
- | + | ||
==Fix MAC addresses and more== | ==Fix MAC addresses and more== | ||
Login into the router, you may have to try a few username/password combinations (root/admin, root/motorola, | Login into the router, you may have to try a few username/password combinations (root/admin, root/motorola, | ||
root/your_previously_set_password).<br> | root/your_previously_set_password).<br> | ||
- | Go to the <code> | + | <b>Do NOT try to restore old config backups.</b> There's a bug in 4.03 (and 5.13 as well) firmware which will hang |
+ | the HTTP server if you go to the config page.<br> | ||
+ | Go to the <code>frame_debug.asp</code> page. (This is a hidden feature, you will have to enter the URL by hand.)<br> | ||
Type | Type | ||
<pre> | <pre> | ||
nvram show | grep ..:..: | nvram show | grep ..:..: | ||
</pre> | </pre> | ||
- | into the input field and <b>don't press ENTER</b> | + | into the input field and <b>don't press ENTER</b> - click <b>APPLY</b> instead!<br> |
The output window will show some lines: | The output window will show some lines: | ||
<pre> | <pre> | ||
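Review bot: The new warning in "Fix MAC addresses and more" reads two ways: "Do NOT try to restore old config backups" suggests the restore action is the problem, while "will hang the HTTP server if you go to the config page" suggests that opening the page is enough. State which one triggers the hang and what recovers the httpd afterwards. The new "Flash back from Web" section in the same hunk is still a FIXME stub, so a reader sent there has no steps to follow.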
Line 213: | Line 225: | ||
wl0_hwaddr=... | wl0_hwaddr=... | ||
</pre> | </pre> | ||
- | - the et | + | - the et*macaddr values may be different, depending on how you got here (00:0C:10:21:32:0x have been encountered as well).<br> |
Get the two MAC addresses that are printed on the label of the router (WAN and WLAN, they usually differ by two in hex maths).<br> | Get the two MAC addresses that are printed on the label of the router (WAN and WLAN, they usually differ by two in hex maths).<br> | ||
- | Now comes the tricky part: use the lowest number for LAN, the next for WAN, and keep the WLAN address. Don't ask me why the routers have been shipped with the wrong order: both the CFE, and DD-WRT do it right. Trust me.<br> | + | Now comes the tricky part: use the <b>lowest number for LAN</b>, the next for WAN, and keep the WLAN address. Don't ask me why the routers have been shipped with the wrong order: both the CFE, and DD-WRT do it right. Trust me.<br> |
- | Now set <b>all</b> addresses, by entering the following commands one by one (replace the MAC addresses by your | + | Now set <b>all</b> addresses to proper values, by entering the following commands one by one (replace the MAC addresses by your own values) and sending them by <b>APPLY</b>: |
- | own values) and sending them by APPLY: | + | |
<pre> | <pre> | ||
nvram set et0macaddr=00:0C:E5:46:00:3E | nvram set et0macaddr=00:0C:E5:46:00:3E | ||
Line 244: | Line 255: | ||
vlan1ports=4 5 | vlan1ports=4 5 | ||
</pre> | </pre> | ||
- | - if you have | + | - if you have different settings you will have to |
<pre> | <pre> | ||
nvram set vlan0ports="0 1 2 3 5*" | nvram set vlan0ports="0 1 2 3 5*" | ||
</pre> | </pre> | ||
- | (quotation marks!), and similarly for vlan1ports. Check the values of | + | (quotation marks!), and similarly for vlan1ports. Check the values of port*vlan as well!<br> |
If all changes have been reviewed, and committed, reboot (power cycle). | If all changes have been reviewed, and committed, reboot (power cycle). | ||
==Upgrade to 6.1.4== | ==Upgrade to 6.1.4== | ||
+ | <b>Don't go to the configuration backup/restore page, the httpd will hang!</b><br> | ||
+ | Use the Firmware Upgrade page to flash 6.1.4 (the trx file).<br> | ||
+ | When ready, click the RESTART button already winking at you.<br> | ||
+ | The router will automatically restart and show its main page.<br> | ||
+ | Click "Restore Factory Configuration". | ||
+ | <b>This is the last chance to safely do this.</b> Let me repeat: DD-WRT does not know about proper factory/firmware settings. | ||
==Upgrade to DD-WRT== | ==Upgrade to DD-WRT== | ||
+ | Using the Firmware tab, flash <code>mini_moto.trx</code>.<br> | ||
+ | In Firefox, a window pops up asking me what to do with <code>upgrade.cgi</code>. I chose to open it in a text editor: It contains three lines of text before some proper HTTP: | ||
+ | <pre> | ||
+ | WR found | ||
+ | Mem: 14950400 | ||
+ | Motorola CRC correct... | ||
+ | HTTP/1.0 200 Ok | ||
+ | Server: httpd | ||
+ | ... | ||
+ | </pre> | ||
+ | Since it told you it'd be rebooting, it's now time to <b>flush the ARP cache again</b>, and possibly restart your network interface as well.<br> | ||
+ | Reconnect to the router, and you will get the status page in Cyan.<br> | ||
+ | Reboot the router. Possibly restart eth0, and flush the ARP cache once more.<br> | ||
+ | The username/password pair is now "root/motorola".<br> | ||
+ | <b>Make backups of your configuration, and tag them with dates.</b> Disk space is cheap these days, you may need each one of them. | ||
=Congratulations!= | =Congratulations!= | ||
- | You've done it. You got what you deserve! Enjoy, and avoid the pitfalls. | + | You've done it. You got what you deserve! A hard day's night, it was... Now: Enjoy, and avoid the pitfalls. |
+ | |||
+ | |||
+ | ---- | ||
+ | Last edit: [[User:Stephen|Stephen]] 15:51, 22 Feb 2006 (CET) |
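Review bot: In the added "Upgrade to DD-WRT" steps, the line giving the login as "root/motorola" is followed only by the backup advice, so the procedure ends with the router on a published default password. Add a step to set a new password before the router is connected to anything but the laptop, and note whether the wireless interface is already up at that point.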
Revision as of 14:51, 22 February 2006
This is work in progress. I will work on this page as often as my time allows. If items are missing, please don't hesitate to fill them in - but make sure they apply to hardware version 1 of the WR850G.
Aim of this document
The page Flash_Your_Motorola_WR850G gives a nice overview of how to convert Motorola routers into DD-WRT boxes.
Unfortunately, there are a few pitfalls if you own a hardware version 1 (the one with the AC/DC converter in the middle of the power cord, and no indication of the version on the label). See that page to get some idea first.
I'm no Windows user, and I know Linux quite well. If you don't understand what the commands below are doing, please check with a good Linux/Unix textbook first.
There is no warranty at all: it worked for me, but it may kill your cat or wife, smash your windows, or make your boss angry etc.
Starting point
I bought a WR850G, version 1, on e***. It came with firmware version 2.00 installed, and I - before and after making changes to its configuration, and resetting to defaults - made some config backups (which are encrypted in some way I don't understand yet, hopefully the GPL source of fw 5.13 will give me some clues: all bytes have the MSB set, and all byte values between 128 and 255 do occur, I'm afraid it's some "base128" encoding. Suggestions welcome.), and started reading FAQs.
On (FIXME: fill in the URL of the Motorola download page)
I found the GPL sources for 5.12, 5.13, and 6.1.4, and some firmware binaries released by Motorola as well: 4.03,
5.13, and 6.1.4.
(FIXME: fill in URL)
mentions that there's an "easter egg" in the 4.03 firmware which can be used to get limited shell access (the frame_debug.asp page).
BATBOX is a nice tool that allows you to run a telnetd (and other nice stuff) on a WRT54G, exploiting the Ping.asp bug present in many Linksys firmwares; this one does not work on the Motorola though (I've got some ideas to make it work with fw 4.03 - but at the moment I'm too lazy).
Somehow I got DD-WRT (the mini_moto image) installed on the router, and I did a firmware reset - this is where
trouble started. Having read the sources, I now know why: this particular hardware is not handled properly yet,
and one will end up with wrong VLAN assignments and worse.
So it took only hours to brick my WR850Gv1 for the first time...
(What makes it really hard: 4.03, with more than 1000 NVRAM entries created by DD-WRT, doesn't allow restoring previous configuration backups anymore; 5.13 seems to behave the same.)
Fortunately, after installing DD-WRT, I had backed up all four mtd partitions, so together with the GPL'd source I had a starting point for what to expect from hard resets.
Analysis of the CFE
As in virtually every CFE around, there's a small flash image embedded which will be put into the NVRAM section when corruption is detected or the box gets reset "the hard way".
Mine (256KB in size, uncompressed) at an offset of 0x0400--0x2400 contains the following fixed settings:
    boardtype=bcm94710dev
    boardnum=2
    clkfreq=125
    sdram_init=0x0419
    sdram_config=0x0000
    sdram_refresh=0x8040
    et0phyaddr=30
    et0mdcport=0
    et1phyaddr=0
    et1mdcport=1
    dl_ram_addr=a0001000
    os_ram_addr=80001000
    os_flash_addr=bfc40000
    lan_ipaddr=192.168.10.1
    lan_netmask=255.255.255.0
    wan_ipaddr=192.168.10.1
    wan_netmask=255.255.255.0
    scratch=a0180000
    boot_wait=off
    watchdog=1000
    GemtekPmonVer=9
Note that WAN and LAN addresses are set the same. This allows TFTP flashing even if the port-vlan assignment is wrong for some reason.
In the subsequent code, at about 71% into the whole file, further settings are mentioned (obviously they will be inserted into the NVRAM image, there's a string "Starting to restore all default valus" (sic) just before):
    DefaultEthPort 1
    et0macaddr lan_hwaddr 00:11:22:33:44:55
    et1macaddr wan_hwaddr 00:11:22:33:44:56
Since the v1 doesn't have a serial port (could not find a UART chip), I cannot check this by running a serial console, and the ordering of the strings is not necessarily related to their assignments, so be careful...
(There is serial console support inside the CFE, up to 921600 baud!)
Visit www.gemtek.com for updates.
They are at www.gemtek.com.tw now (www.gemtek.com points to an environmental services company), and there's no download available - what did you expect?
Firmware reset in Motorola code
There's no GPL source for 4.03. Check 5.13 or 6.1.4 (the latter one may have some clues in src/router/rc/rc.c).
What one should avoid
The WR850Gv1 is such a nice toy, so why shouldn't I start playing with it? Set to firmware defaults, play with the gpio utility to switch on/off the LEDs, ...
No GPIO tricks please
Unfortunately, the v1 is a bit different in many cases, so don't expect it won't break/brick!
Polling the GPIO ports (0-7 seem to be connected, with a wraparound at 32) will return 01 for all ports, except port 1 which will alternate between 00 and 01 very rapidly.
By dis-/enabling ports, I found the following assignments:
gpio port | function |
0 | no change ? |
1 | no change ? |
2 | all LAN LEDs |
3 | red blinking POWER LED |
4 | DON'T TOUCH!!! |
5 | no change ? |
6 | DON'T TOUCH!!! |
7 | DON'T TOUCH!!! |
Ports 4 and 6 are mentioned in resetbutton.c, and they obviously can do harm to your system.
Port 7 may be used for DMZ LED, be careful here as well. It at least reset my box. (Feedback welcome: I've got no use of this feature.)
You may brick your router by playing games with gpio. Even the system itself can.
No mtd tricks
As BrainSlayer also mentioned (FIXME: where?), NEVER EVER run mtd erase nvram on a WR850G.
This is not limited to v1 hardware, and will assign strange MAC addresses.
No firmware defaults
Although this is recommended in most instructions, NEVER EVER reset a v1 to Firmware Defaults - DD-WRT firmware does not know about the specifics of a WR850Gv1 yet (checked with SVN code 2006-02-19)!
LEDs can be misleading
On my box, I found that the LED pattern may be misleading a lot.
With a fully functional WR850Gv1, I see:
- POWER is blinking red
- MODEM (which is connected via DHCP) shows "orange" (red and green) solid (XOR traffic)
- WLAN is off all the time
- LAN# are solid green (XOR traffic) if connected (interface up)
Don't take the blinking POWER light too seriously. It's DD-WRT, and BrainSlayer said (FIXME: link) there was no LED support for WR850G in DD-WRT at all, so they could be all off as well.
How to revive the dead beast
Now, you got a dead WR850Gv1, and want to revive it? Don't worry, there's no need for JTAG (sorry, HairyDairyMaid), and there's no need to open the box (which is a hard job) at all!
Prerequisites for debricking
Hardware
I own a laptop, running Linux, a wireless card (good old Avaya, with Orinoco chip), a switch (which is very
important to have), and a WRT54G where I can run site surveys (a Kismet/*Stumbler box will also do).
With Linux, you may have an IP assigned by your DHCP server, and additional (aliased) addresses (use
    ifconfig eth0:1 192.168.10.5
    ifconfig eth0:2 192.168.1.5
to be able to access the default address 192.168.10.1 of a "virginized" WR850G, and the 192.168.1.1 assigned by DD-WRT).
The switch will keep your interface up even if the router is resetting its ports.
A wireless card will be needed if the wired interfaces become badly misconfigured.
Software
Get Motorola firmware
- version 4.03 (FIXME: add download URL)
- version 6.1.4 (FIXME: add download URL) - it's ugly, it lacks several features, but it's said to preserve the functionality of a few LEDs
- DD-WRT mini_moto (FIXME: copy URL from WR850G document)
Using
    dd if=firmware.trx bs=8 skip=1 of=firmware.bin
create versions that can be flashed via TFTP and/or DD-WRT firmware upgrade web page.
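A check one could run on the stripped file before the TFTP step, as an added example (not part of the original page or of DD-WRT). It assumes, which the page does not state, that what remains after the 8-byte strip is a Broadcom TRX image: the ASCII magic HDR0 followed by a little-endian 32-bit total length. Function names and the sample bytes are constructed.

```shell
#!/bin/sh
# Added example. Assumption not stated on the page: after the 8-byte strip
# the file is a Broadcom TRX image ("HDR0" magic, then a little-endian
# 32-bit total length).

# Same operation as the dd command on the page: drop the first 8 bytes.
strip_header() {
    dd if="$1" of="$2" bs=8 skip=1 2>/dev/null
}

# check_trx FILE: succeed only if FILE starts with HDR0 and is at least as
# long as its header claims (a shorter file means a truncated download).
check_trx() {
    f=$1
    [ -r "$f" ] || { echo "$f: cannot read" >&2; return 2; }
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" != "48445230" ]; then          # "HDR0" in hex
        echo "$f: no HDR0 magic at offset 0 (found: ${magic:-nothing})" >&2
        return 1
    fi
    # Bytes 4..7 as four decimal numbers, least significant byte first.
    set -- $(od -An -tu1 -j4 -N4 "$f")
    [ $# -eq 4 ] || { echo "$f: header truncated" >&2; return 1; }
    declared=$(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
    actual=$(( $(wc -c < "$f") ))
    if [ "$declared" -gt "$actual" ]; then
        echo "$f: header declares $declared bytes, file has $actual" >&2
        return 1
    fi
    echo "$f: HDR0 found, $declared bytes declared, $actual bytes on disk"
}

# Constructed sample: 8 placeholder header bytes, "HDR0", length 28
# (octal 034) and 20 filler bytes. Not a real firmware image.
make_sample() {
    { printf 'XXXXXXXX'; printf 'HDR0\034\000\000\000'; printf '%020d' 0; } > "$1"
}

# Usage: sh check_trx.sh firmware.trx   (writes firmware.bin, then checks it)
if [ $# -eq 1 ]; then
    strip_header "$1" "${1%.trx}.bin" && check_trx "${1%.trx}.bin"
fi
```

A file that fails the check should not be sent with tftp put; download it again and repeat the strip.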
Check what's left
Run a Site Survey on another router, or Kismet, or another WLAN detection tool to check whether the wireless interface of the WR850G is still up. Remember that you cannot trust the LEDs.
While power cycling the WR850G, run ping 192.168.10.1. Remember that you have to set your wired interface to a 192.168.10.xxx address.
Connect the cable to the WAN port, and repeat the previous step.
If you got any response, then there's a lot of hope for you! If not, you may have to keep the Reset Button on the back of the router pressed while powering it on. With DD-WRT flashed, you will probably not see anything. This doesn't necessarily mean that nothing happens. To check whether you succeeded, go back to the beginning of this section.
WLAN is there, but no wired access
Check the WLAN MAC address shown by your WLAN detector. It should be the one you can read off the label, it may be off by one though.
Remove the aliases from your wired interface, and check:
    ifconfig eth0:1 down
    ifconfig eth0:2 down
    ifconfig -a
Then insert your wireless card, and check with iwconfig whether it can see the access point. Do not "up" the interface yet!
Now try to get an address via DHCP (how to do this depends on your Linux distribution - on Debian you'd have to edit /etc/network/interfaces). If you don't succeed, assign an address by hand. (You may have to try twice, once for the network the router belonged to before, and once for 192.168.10.xxx.)
Flush your ARP cache often by running a broadcast ping.
Try to connect to the HTTP port of the router. (You may also run nmap to check which ports are there.) If you are successful, proceed to "Flash back from Web" below.
Wired access works
Try to get a DHCP address. Then connect to the HTTP port. Don't forget to flush your ARP cache.
No Web access to the router
If you cannot manage to get a DHCP address, and assigning a fixed address from the (hopefully correct) address range doesn't give you access to the Web pages either, but you may have seen a short response to the ping before, you may TFTP a firmware to the router directly. This has been described many times before, but repetition doesn't hurt:
- Unplug the router.
- On your Linux box, connected by wire to one of the LAN ports, run
    tftp 192.168.10.1
    bin
    trace
    put firmware403.bin
(make sure you use the stripped version of the 4.03 firmware here, it's the only one that will allow you to fix things!) and at almost the same time you press ENTER, plug in the router power.
Continue with "Restore virginity" below.
Flash back from Web
... FIXME: to be written yet ... (use *.bin on DD-WRT, *.trx on Moto FW)
Restore virginity
(This may not be necessary, but it at least defines the state of the router.)
Let the LEDs come to a rest.
Power off the router.
Hold Reset, power on, let the router cycle through its reset twice (look at the red power light), then release.
Let things settle down a bit.
Power cycle the router.
Fix MAC addresses and more
Log in to the router; you may have to try a few username/password combinations (root/admin, root/motorola, root/your_previously_set_password).
Do NOT try to restore old config backups. There's a bug in 4.03 (and 5.13 as well) firmware which will hang the HTTP server if you go to the config page.
Go to the frame_debug.asp page. (This is a hidden feature, you will have to enter the URL by hand.)
Type
    nvram show | grep ..:..:
into the input field and don't press ENTER - click APPLY instead!
The output window will show some lines:
    et0macaddr=00:11:22:33:44:55
    et1macaddr=00:11:22:33:44:56
    lan_hwaddr=...
    wan_hwaddr=...
    wan0_hwaddr=...
    wl0_hwaddr=...
- the et*macaddr values may be different, depending on how you got here (00:0C:10:21:32:0x have been encountered as well).
Get the two MAC addresses that are printed on the label of the router (WAN and WLAN, they usually differ by two in hex maths).
Now comes the tricky part: use the lowest number for LAN, the next for WAN, and keep the WLAN address. Don't ask me why the routers have been shipped with the wrong order: both the CFE, and DD-WRT do it right. Trust me.
Now set all addresses to proper values, by entering the following commands one by one (replace the MAC addresses by your own values) and sending them by APPLY:
    nvram set et0macaddr=00:0C:E5:46:00:3E
    nvram set et1macaddr=00:0C:E5:46:00:3F
    nvram set lan_hwaddr=00:0C:E5:46:00:3E
    nvram set wan_hwaddr=00:0C:E5:46:00:3F
    nvram set wan0_hwaddr=00:0C:E5:46:00:3F
    nvram set wl0_hwaddr=00:0C:E5:46:00:40
Note that there is no il0macaddr setting! Check again:
    nvram show | grep ..:..:
and if everything is correct, then
    nvram commit
Do not reset the router yet!
I have discovered that in rare cases, the port-to-VLAN mapping may be wrong. Check:
    nvram show | grep vlan
and confirm you've got
    vlan0ports=0 1 2 3 5*
    vlan1ports=4 5
- if you have different settings you will have to
    nvram set vlan0ports="0 1 2 3 5*"
(quotation marks!), and similarly for vlan1ports. Check the values of port*vlan as well!
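The MAC and VLAN steps above as a script for the Linux box, added here as an example (not the author's or DD-WRT's code). It takes the lowest label address and the WLAN label address, reads pasted nvram output on stdin, and prints the commands to enter one by one in frame_debug.asp. Function names and the sample VLAN lines are constructed; the expected port lists are the ones given on this page.

```shell
#!/bin/sh
# Added example: derive the nvram commands from the label addresses.
# Rule from the page: lowest address -> LAN, next -> WAN, WLAN kept as is.

# norm_mac MAC: print MAC in upper case, fail unless it is XX:XX:XX:XX:XX:XX.
norm_mac() {
    m=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case $m in
        [0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F])
            printf '%s\n' "$m" ;;
        *) echo "not a MAC address: $1" >&2; return 1 ;;
    esac
}

# low24 MAC: the last three bytes as a decimal number.
low24() { echo $(( 0x$(printf '%s' "${1#*:*:*:}" | tr -d ':') )); }

# mac_add MAC N: MAC + N, refusing to carry into the first three bytes.
mac_add() {
    m=$(norm_mac "$1") || return 1
    n=$(( $(low24 "$m") + $2 ))
    [ "$n" -le 16777215 ] || { echo "$1 + $2 leaves the vendor prefix" >&2; return 1; }
    printf '%s:%02X:%02X:%02X\n' "${m%:*:*:*}" $(( n >> 16 )) $(( (n >> 8) & 255 )) $(( n & 255 ))
}

# mac_fix_cmds LOWEST_LABEL_MAC WLAN_LABEL_MAC: print the six nvram set lines.
mac_fix_cmds() {
    lan=$(norm_mac "$1") || return 1
    wlan=$(norm_mac "$2") || return 1
    wan=$(mac_add "$lan" 1) || return 1
    [ "${lan%:*:*:*}" = "${wlan%:*:*:*}" ] || { echo "label addresses have different prefixes" >&2; return 1; }
    gap=$(( $(low24 "$wlan") - $(low24 "$lan") ))
    [ "$gap" -ge 2 ] || { echo "WLAN address must lie above LAN and WAN" >&2; return 1; }
    [ "$gap" -eq 2 ] || echo "note: label addresses differ by $gap, not 2" >&2
    for kv in et0macaddr=$lan et1macaddr=$wan lan_hwaddr=$lan \
              wan_hwaddr=$wan wan0_hwaddr=$wan wl0_hwaddr=$wlan; do
        echo "nvram set $kv"
    done
}

# vlan_fix_cmds: read "nvram show | grep vlan" output on stdin and print a
# set command for each port list that differs from the page's values.
vlan_fix_cmds() {
    want0='0 1 2 3 5*'; want1='4 5'; have0=; have1=
    cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}                 # tolerate CRLF from a browser paste
        case $line in
            vlan0ports=*) have0=${line#vlan0ports=} ;;
            vlan1ports=*) have1=${line#vlan1ports=} ;;
        esac
    done
    [ "$have0" = "$want0" ] || echo "nvram set vlan0ports=\"$want0\""
    [ "$have1" = "$want1" ] || echo "nvram set vlan1ports=\"$want1\""
    return 0
}

# fix_plan LOWEST_LABEL_MAC WLAN_LABEL_MAC < pasted nvram output
fix_plan() {
    mac_fix_cmds "$1" "$2" || return 1
    vlan_fix_cmds
    echo "nvram commit"
}

# Sample run: addresses from the page's example, VLAN lines constructed.
fix_plan 00:0C:E5:46:00:3E 00:0C:E5:46:00:40 <<'EOF'
vlan0ports=1 2 3 4 5*
vlan1ports=0 5
EOF
```

Review the printed lines against the label before entering them; the script only applies the ordering rule and does not talk to the router.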
If all changes have been reviewed, and committed, reboot (power cycle).
Upgrade to 6.1.4
Don't go to the configuration backup/restore page, the httpd will hang!
Use the Firmware Upgrade page to flash 6.1.4 (the trx file).
When ready, click the RESTART button already winking at you.
The router will automatically restart and show its main page.
Click "Restore Factory Configuration". This is the last chance to safely do this. Let me repeat: DD-WRT does not know about proper factory/firmware settings.
Upgrade to DD-WRT
Using the Firmware tab, flash mini_moto.trx.
In Firefox, a window pops up asking me what to do with upgrade.cgi. I chose to open it in a text editor: It contains three lines of text before some proper HTTP:
    WR found
    Mem: 14950400
    Motorola CRC correct...
    HTTP/1.0 200 Ok
    Server: httpd
    ...
Since it told you it'd be rebooting, it's now time to flush the ARP cache again, and possibly restart your network interface as well.
Reconnect to the router, and you will get the status page in Cyan.
Reboot the router. Possibly restart eth0, and flush the ARP cache once more.
The username/password pair is now "root/motorola".
Make backups of your configuration, and tag them with dates. Disk space is cheap these days, you may need each one of them.
Congratulations!
You've done it. You got what you deserve! A hard day's night, it was... Now: Enjoy, and avoid the pitfalls.
Last edit: Stephen 15:51, 22 Feb 2006 (CET)