WR850G v1

From DD-WRT Wiki

Revision history: previous revision 14:51, 22 February 2006 by Stephen; this revision 11:07, 25 February 2006 by Stephen.

Revision as of 11:07, 25 February 2006

This is work in progress. I will work on this page as often as my time allows. If items are missing, please don't hesitate to fill them in - but make sure they apply to hardware version 1 of the WR850G.

Aim of this document

The page Flash_Your_Motorola_WR850G gives a nice overview of how to convert Motorola routers into DD-WRT boxes. Unfortunately, there are a few pitfalls if you own a hardware version 1 (the one with the AC/DC converter in the middle of the power cord, and no indication of the version on the label). See that page to get some idea first.
I'm no Windows user, but I know Linux quite well. If you don't understand what the commands below are doing, please check with a good Linux/Unix textbook first, then search the forum and Wiki.
DISCLAIMER: There is no warranty at all: the procedure outlined below worked for me (several times), but it may kill your cat or wife, smash your windows, or make your boss angry etc. You are completely on your own!

Starting point

I bought a WR850G, version 1, on e***. It came with firmware version 2.00 installed, and I made some config backups before and after changing its configuration and resetting to defaults (they are encrypted in some way I don't understand yet; hopefully the GPL source of fw 5.13 will give me some clues: all bytes have the MSB set, and all byte values between 128 and 255 do occur, so I'm afraid it's some "base128" encoding. Suggestions welcome.), and started reading FAQs.

On the BroadbandReports forum Motorola FAQ page (http://www.dslreports.com/faq/motorola/all#12097) I found some firmware binaries released by Motorola: 4.03 and 5.13 (which fixes some security issues with 4.03), and 6.1.4 is available for download from (FIXME: URL) Motorola.
There are GPL sources for 5.12, 5.13, and 6.1.4. (FIXME: URL)
(FIXME:URL) Several security sites mention that there's an "easter egg" in the 4.03 firmware which can be used to get limited shell access (the frame_debug.asp page). (Later addition: there's a ver.asp page as well which gives access to all NVRAM settings.)
BATBOX (http://www.batbox.org/wrt54g/) is a nice tool that allows you to run a telnetd (and other nice stuff) on a WRT54G, exploiting the Ping.asp bug present in many Linksys firmwares; this one does not work on the Motorola though (I've got some ideas to make it work with fw 4.03 - but at the moment I'm too lazy).
Somehow I got DD-WRT (the mini_moto image) installed on the router, and I did a firmware reset - this is where trouble started. Having read the sources, I now know why: this particular hardware is not handled properly yet, and one will end up with wrong VLAN assignments and worse.
So it took only hours to brick my WR850Gv1 for the first time...

(What makes it really hard: 4.03, with more than 1000 NVRAM entries created by DD-WRT, doesn't allow to restore previous configuration backups anymore; 5.13 seems to behave the same.)

Fortunately, after installing DD-WRT, I had backed up all four mtd partitions, so together with the GPL'd source I had a starting point what to expect from hard resets.

Analysis of the CFE

The CFE (common firmware environment?) acts the same way the BIOS does for a PC: hardware init, interactive setup, boot operating system.
As in virtually every CFE around, there's a small flash image embedded which will be put into the NVRAM section when corruption is detected or the box gets reset "the hard way".
Mine (256KB in size, uncompressed) at an offset of 0x0400--0x2400 contains the following fixed settings:

boardtype=bcm94710dev
boardnum=2
clkfreq=125
sdram_init=0x0419
sdram_config=0x0000
sdram_refresh=0x8040
et0phyaddr=30
et0mdcport=0
et1phyaddr=0
et1mdcport=1
dl_ram_addr=a0001000
os_ram_addr=80001000
os_flash_addr=bfc40000
lan_ipaddr=192.168.10.1
lan_netmask=255.255.255.0
wan_ipaddr=192.168.10.1
wan_netmask=255.255.255.0
scratch=a0180000
boot_wait=off
watchdog=1000
GemtekPmonVer=9

Note that WAN and LAN addresses are set the same. This allows TFTP flashing over any of the ports at the back. (I didn't try though.)

In the subsequent code, at about 71% into the whole file, further settings are mentioned (obviously they will be inserted into the NVRAM image; there's a string "Starting to restore all default valus" (sic) just before):

DefaultEthPort  1
et0macaddr lan_hwaddr  00:11:22:33:44:55
et1macaddr wan_hwaddr  00:11:22:33:44:56

Since the v1 doesn't have a serial port (could not find a UART chip), I cannot check this by running a serial console, and the ordering of the strings is not necessarily related to their assignments, so be careful... (There is serial console support inside the CFE, up to 921600 baud!)
Motorola firmware may detect such bogus settings and convert them to other ones (bogus as well, but who cares).

Visit www.gemtek.com for updates.

They are at www.gemtek.com.tw now (www.gemtek.com points to an environmental services company), and there's no download available - what did you expect?
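Having the four mtd partitions backed up only helps if you can read the settings out of them. The script below is an added example, not code from the wiki or from DD-WRT: it scans a binary dump for NUL-terminated `key=value` entries (the layout Broadcom NVRAM uses) within an offset window and compares what it finds against the fixed settings listed above. The offset window, the reference table and the sample image are taken or constructed from this page; the sample is not a real CFE dump.

```python
# Added example (not from the wiki page): extract key=value settings from a
# binary CFE/NVRAM dump and compare them with the fixed settings the page lists.
import re
from typing import Dict, List, Optional, Tuple

# One ASCII key=value entry terminated by NUL. Key characters are limited to
# those NVRAM names actually use, which keeps random binary from matching.
ENTRY_RE = re.compile(rb"([A-Za-z0-9_.:/-]+)=([^\x00]*)\x00")

# Reference: the fixed settings the page reports in the CFE-embedded image.
CFE_FIXED_SETTINGS = {
    "boardtype": "bcm94710dev", "boardnum": "2", "clkfreq": "125",
    "et0phyaddr": "30", "et0mdcport": "0", "et1phyaddr": "0", "et1mdcport": "1",
    "lan_ipaddr": "192.168.10.1", "lan_netmask": "255.255.255.0",
    "wan_ipaddr": "192.168.10.1", "wan_netmask": "255.255.255.0",
    "boot_wait": "off", "watchdog": "1000",
}


def extract_settings(blob: bytes, start: int = 0, end: Optional[int] = None) -> Dict[str, str]:
    """Return key -> value for every entry found in blob[start:end] (first hit wins)."""
    end = len(blob) if end is None else end
    settings: Dict[str, str] = {}
    for m in ENTRY_RE.finditer(blob, start, end):
        key = m.group(1).decode("ascii")
        try:
            value = m.group(2).decode("ascii")
        except UnicodeDecodeError:
            continue  # binary junk that happened to contain '=' before a NUL
        settings.setdefault(key, value)
    return settings


def compare_with_reference(found: Dict[str, str],
                           reference: Dict[str, str] = CFE_FIXED_SETTINGS
                           ) -> Tuple[List[str], Dict[str, Tuple[str, str]]]:
    """Return (missing keys, {key: (found, expected)} for keys that differ)."""
    missing = sorted(k for k in reference if k not in found)
    differing = {k: (found[k], v) for k, v in reference.items()
                 if k in found and found[k] != v}
    return missing, differing


def build_sample_image() -> bytes:
    """Constructed stand-in for a CFE dump: 0x400 bytes of filler, then entries
    in the 0x0400--0x2400 window the page mentions, then filler again."""
    entries = [b"boardtype=bcm94710dev", b"boardnum=2", b"lan_ipaddr=192.168.10.1",
               b"lan_netmask=255.255.255.0", b"wan_ipaddr=192.168.10.99",  # deliberately off
               b"boot_wait=off"]
    body = b"\x00".join(entries) + b"\x00"
    return b"\xff" * 0x400 + body + b"\xff" * (0x2400 - 0x400 - len(body))


if __name__ == "__main__":
    found = extract_settings(build_sample_image(), 0x400, 0x2400)
    missing, differing = compare_with_reference(found)
    print("found:", found)
    print("missing:", missing)
    print("differing:", differing)
```

On a real dump, call `extract_settings(open("cfe.bin", "rb").read(), 0x400, 0x2400)`; a wan_ipaddr that no longer equals lan_ipaddr, or MAC settings that are absent, is exactly the kind of deviation from the CFE defaults you want to know about before a hard reset.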

Firmware reset in Motorola code

There's no GPL source for 4.03. Check 5.13 or 6.1.4 (the latter one may have some clues in src/router/rc/rc.c).

What one should avoid

The WR850Gv1 is such a nice toy, so why shouldn't I start playing with it? Set to firmware defaults, play with the gpio utility to switch on/off the LEDs, ...

No GPIO tricks please

Unfortunately, the v1 is a bit different in many respects, so don't assume it won't break or brick!
Polling the GPIO ports (0-7 seem to be connected, with a wraparound at 32) will return 01 for all ports, except port 1 which will alternate between 00 and 01 very rapidly.
By dis-/enabling ports, I found the following assignments:

gpio port   function
0           no change ?
1           no change ?
2           all LAN LEDs
3           red blinking POWER LED
4           DON'T TOUCH!!!
5           no change ?
6           DON'T TOUCH!!!
7           DON'T TOUCH!!!

Ports 4 and 6 are mentioned in resetbutton.c, and they obviously can do harm to your system.
Port 7 may be used for DMZ LED, be careful here as well. It at least reset my box. (Feedback welcome: I've got no use of this feature.)
You may brick your router by playing games with gpio. Even the system itself can.

No mtd tricks

As BrainSlayer also mentioned (FIXME: where?), NEVER EVER run mtd erase nvram on a WR850G. This is not limited to v1 hardware, and will assign strange MAC addresses.

No firmware defaults

Although this is recommended in most instructions, NEVER EVER reset a v1 to Firmware Defaults - DD-WRT firmware does not know about the specifics of a WR850Gv1 yet (checked with SVN code 2006-02-19)!

LEDs can be misleading

On my box, I found that the LED pattern can be very misleading.
With a fully functional WR850Gv1, running DD-WRT v23final ("Xmas edition" 2005-12-25) I see:

  • POWER is blinking red (coming up last)
  • MODEM (which is connected via DHCP) shows "orange" (red and green) first blinking but solid when connected (XOR traffic)
  • WLAN is off all the time
  • LAN# are solid green (XOR traffic) if connected (interface up)

Don't take the blinking POWER light too seriously, it doesn't have the same meaning as with a WRT54G! It's DD-WRT, and BrainSlayer said (FIXME: link) there was no LED support for WR850G in DD-WRT at all, so they could be all off as well.

How to revive the dead beast

Now, you got a dead WR850Gv1, and want to revive it? Don't worry, there's no need for JTAG (sorry, (FIXME:URL) HairyDairyMaid), and there's no need to open the box (which is (FIXME:URL) a hard job) at all!

Prerequisites for debricking

Hardware

I own a laptop, running Linux, a wireless card (good old Avaya, with Orinoco chip), a switch (which is very important to have, I don't have a hub to test with), and a WRT54G where I can run site surveys (a Kismet/*Stumbler box will also do).
With Linux, you may have an IP assigned by your DHCP server, and additional (aliased) addresses (use

ifconfig eth0:1 192.168.10.5
ifconfig eth0:2 192.168.1.5

to be able to access the default address 192.168.10.1 of a "virginized" WR850G, and the 192.168.1.1 assigned by DD-WRT, without losing your other connections.
The switch will keep your interface up even if the router is resetting its ports.
A wireless card will be needed if the wired interfaces become badly misconfigured, and are not accessible anymore.

Software

Get firmware

  • (FIXME:URL) Motorola version 4.03
  • ad libitum (FIXME:URL) Motorola version 6.1.4 - it's ugly, it lacks several features, but it's said to preserve the functionality of a few LEDs
  • (FIXME:URL) DD-WRT mini_moto

If necessary, unpack. (*.exe can be unpacked using unzip -x under Linux.)
Using

dd if=firmware.trx bs=8 skip=1 of=firmware.bin

create versions that can be flashed via TFTP and/or DD-WRT firmware upgrade web page.

Check what's left unbroken, collect the pieces

Run a SiteSurvey on another router, or Kismet, or another WLAN detection tool to check whether the wireless interface of the WR850G is still up. Remember that you cannot trust the LEDs.
While power cycling the WR850G, run ping 192.168.10.1 (This is where the switch proves to be helpful!). Remember that you have to set your wired interface to a 192.168.10.xxx address.
Connect the cable to the WAN port, and repeat the previous step, if necessary.
If you got any response, there's a lot of hope for you!
If not, you may have to keep the Reset Button on the back of the router pressed while powering it on.
With DD-WRT flashed, you will probably not see anything. This doesn't necessarily mean that nothing happens.
To check whether you succeeded, go back to the beginning of this section.

WLAN is there, but no wired access

Check the WLAN MAC address shown by your WLAN detector. It should be the one you can read off the label, it may be off by one though.
Remove the aliases from your wired interface, and check:

ifconfig eth0:1 down
ifconfig eth0:2 down
ifconfig -a

Then insert your wireless card, and check with iwconfig whether it can see the access point. Do not "up" the interface yet!
Now try to get an address via DHCP (how to do this depends on your Linux distribution - on Debian you'd have to edit /etc/network/interfaces). If you don't succeed, assign an address by hand. (You may have to try twice, once for the network the router belonged to before, and once for 192.168.10.xxx.)
Flush your ARP cache often by running a broadcast ping.
Try to connect to the HTTP port of the router. (You may also run nmap to check which ports are there.) If you are successful, proceed to "Flash back from Web" below.

Wired access works

Try to get a DHCP address. Then connect to the HTTP port. Don't forget to flush your ARP cache.

No Web access to the router

If you cannot manage to get a DHCP address, and assigning a fixed address from the (hopefully correct) address range doesn't give you access to the Web pages either,
but you may have seen a short response to the ping before,
you may TFTP a firmware to the router directly. This has been described many times before, but repetition doesn't hurt:

  • Unplug the router.
  • On your Linux box, connected by wire to one of the LAN ports, run
    tftp 192.168.10.1
    bin
    trace
    put firmware403.bin

    (make sure you use the stripped version of the 4.03 firmware here, it's the only one that will allow you to fix things!) and at almost the same time you press ENTER, plug in the router power.

Continue with "Restore virginity" below.

Flash back from Web

... FIXME: to be written yet ... (use *.bin on DD-WRT, *.trx on Moto FW - you get the picture)

Restore virginity

(This may not be necessary, but it at least defines the state of the router.)
Let the LEDs come to a rest.
Power off the router.
Hold Reset, power on, let the router cycle through its reset twice (look at the red power light), then release.
Let things settle down a bit.
Power cycle the router.

Fix MAC addresses and more

Log in to the router; you may have to try a few username/password combinations (root or admin, admin or motorola or your_previously_set_password).
Do NOT try to restore old config backups. There's a bug in 4.03 (and 5.13 as well) firmware which will hang the HTTP server if you go to the config page. (This will only work if all DD-WRT entries have been removed from the NVRAM. But what gives?)
Go to the frame_debug.asp page. (This is a hidden feature, you will have to enter the URL by hand.)
Type

nvram show | grep ..:..:

into the input field and don't press ENTER - click APPLY instead!
The output window will show some lines:

et0macaddr=00:11:22:33:44:55
et1macaddr=00:11:22:33:44:56
lan_hwaddr=...
wan_hwaddr=...
wan0_hwaddr=...
wl0_hwaddr=...

- the et*macaddr values may be different, 00:0C:10:21:32:0x have been encountered as well.
Get the two MAC addresses from the router's bottom side label (WAN and WLAN).
Now comes the tricky part: use the WAN number for LAN, the next for WAN, and use the WLAN address. Don't ask me why the routers have been shipped with the wrong order: both the CFE, and DD-WRT do it right. Trust me.
Now set all addresses to proper values, by entering the following commands one by one (replace the MAC addresses by your own values) and sending them by APPLY:

nvram set et0macaddr=00:0C:E5:46:00:3E
nvram set et1macaddr=00:0C:E5:46:00:3F
nvram set lan_hwaddr=00:0C:E5:46:00:3E
nvram set wan_hwaddr=00:0C:E5:46:00:3F
nvram set wan0_hwaddr=00:0C:E5:46:00:3F
nvram set wl0_hwaddr=00:0C:E5:46:00:40

Note that there is no il0macaddr setting, as opposed to later versions, and the wan0_* setting may be obsolete! Check again:

nvram show | grep ..:..:

and if everything is correct, then

nvram commit

Do not reset the router yet!
I have discovered that in rare cases, the port-to-VLAN mapping may be wrong. Check:

nvram show | grep vlan

and confirm you've got

vlan0ports=0 1 2 3 5*
vlan1ports=4 5

- if you have different settings you will have to

nvram set vlan0ports="0 1 2 3 5*"

(quotation marks!), and similarly for vlan1ports. Check the values of port*vlans as well (they can be safely removed)!
If all changes have been reviewed, and committed, reboot (power cycle).
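Because `nvram commit` is the point of no return here, it pays to check the whole dump against the layout described in this section before committing. The script below is an added example, not code from the wiki or from DD-WRT: it parses a captured `nvram show` dump, derives the expected MACs from the two label values (LAN = label WAN, WAN = LAN + 1, WLAN = label WLAN), checks vlan0ports/vlan1ports, and prints the `nvram set`/`nvram unset` commands still needed. The label MACs reuse the page's example values and the dump is constructed, not captured from a real box.

```python
# Added example (not from the wiki page): verify a captured "nvram show" dump
# against the MAC/VLAN layout the page describes, before "nvram commit".
import re
from typing import Dict, List

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
PORT_VLANS_RE = re.compile(r"^port\d+vlans$")   # the page says these can go
EXPECTED_VLANS = {"vlan0ports": "0 1 2 3 5*", "vlan1ports": "4 5"}


def parse_nvram_show(text: str) -> Dict[str, str]:
    """Turn 'key=value' lines (as frame_debug.asp shows them) into a dict."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def mac_add(mac: str, offset: int) -> str:
    """Return mac + offset in upper-case colon form, carrying across octets."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    value = (int(mac.replace(":", ""), 16) + offset) & 0xFFFFFFFFFFFF
    raw = f"{value:012X}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def expected_macs(label_wan: str, label_wlan: str) -> Dict[str, str]:
    """NVRAM keys -> MACs a v1 should carry according to the page:
    LAN = label WAN, WAN = LAN + 1, WLAN = label WLAN."""
    lan = mac_add(label_wan, 0)      # mac_add also normalises the case
    wan = mac_add(label_wan, 1)
    wlan = mac_add(label_wlan, 0)
    return {
        "et0macaddr": lan, "lan_hwaddr": lan,
        "et1macaddr": wan, "wan_hwaddr": wan, "wan0_hwaddr": wan,
        "wl0_hwaddr": wlan,
    }


def check_nvram(settings: Dict[str, str], label_wan: str, label_wlan: str) -> List[str]:
    """Return the nvram commands still needed; an empty list means all is well."""
    fixes: List[str] = []
    for key, want in expected_macs(label_wan, label_wlan).items():
        if settings.get(key, "").upper() != want:
            fixes.append(f"nvram set {key}={want}")
    for key, want in EXPECTED_VLANS.items():
        if settings.get(key) != want:
            fixes.append(f'nvram set {key}="{want}"')     # quotation marks!
    for key in sorted(settings):
        if PORT_VLANS_RE.match(key):
            fixes.append(f"nvram unset {key}")
    return fixes


# Constructed dump: the CFE's placeholder MACs, a correct WLAN MAC, correct
# VLANs, and one leftover port*vlans entry.
SAMPLE_DUMP = """\
et0macaddr=00:11:22:33:44:55
et1macaddr=00:11:22:33:44:56
lan_hwaddr=00:11:22:33:44:55
wan_hwaddr=00:11:22:33:44:56
wan0_hwaddr=00:11:22:33:44:56
wl0_hwaddr=00:0C:E5:46:00:40
vlan0ports=0 1 2 3 5*
vlan1ports=4 5
port0vlans=0
"""
LABEL_WAN = "00:0C:E5:46:00:3E"    # the page's example values, not a real label
LABEL_WLAN = "00:0C:E5:46:00:40"

if __name__ == "__main__":
    for cmd in check_nvram(parse_nvram_show(SAMPLE_DUMP), LABEL_WAN, LABEL_WLAN):
        print(cmd)
```

Paste the output of `nvram show` into a file, run the checker with your own label values, enter the printed commands one by one via APPLY, run `nvram show | grep ..:..:` again, and only then `nvram commit`. The checker deliberately never prints `nvram commit` itself.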

Upgrade to 6.1.4

It has been said that by flashing DD-WRT from 6.1.4, some LED functionality may be preserved. I cannot confirm this. Nevertheless it's just another way to sort out NVRAM issues.
Don't go to the configuration backup/restore page, the httpd will hang!
Use the Firmware Upgrade page to flash 6.1.4 (the trx file).
When ready, click the RESTART button already winking at you.
The router will automatically restart and show its main page.
Click "Restore Factory Configuration", which will do its best at cleaning the NVRAM from junk. You cannot check though.
This is the last chance to safely do this. Let me repeat: DD-WRT does not know about proper factory/firmware settings yet.

Upgrade to DD-WRT

Using the Firmware tab, flash mini_moto.trx.
In Firefox, a window pops up asking me what to do with upgrade.cgi. I chose to open it in a text editor: It contains three lines of text before some proper HTTP:

WR found
Mem: 14950400
Motorola CRC correct...
HTTP/1.0 200 Ok
Server: httpd
...

Since it told you it'd be rebooting, it's now time to flush the ARP cache again, and possibly restart your network interface as well.
Reconnect to the router, and you will get the status page in Cyan.
Reboot the router. Possibly restart eth0, and flush the ARP cache once more.
The username/password pair is now "root/motorola".
Make backups of your configuration, and tag them with dates. Disk space is cheap these days, you may need each one of them.

Congratulations!

You've done it. You got what you deserve! A hard day's night, it was... Now: Enjoy, and avoid the pitfalls.



Last edit by Stephen: 12:07, 25 Feb 2006 (CET)