Flashing Asus WL-520GU Firmware Via TFTP
September 11, 2009
Today a friend and I were struggling to re-flash an Asus WL-520GU with OpenWRT via TFTP. The router had been previously flashed with DD-WRT, and of course the Web-based firmware update did not recognize the OpenWRT trx file as a valid image (there is currently no OpenWRT .bin file available for the WL-520GU); this left TFTP as the next best option for flashing the firmware.
Usually, it is helpful to have a serial console connected to the router while doing a TFTP transfer, so that you can see when the bootloader (CFE, in the case of the Asus) is listening for TFTP connections, as with the Linksys WRT54G:
CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Thu Mar 24 16:31:45 CST 2005 (motoplayer@cvs.gemtek.com.tw)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.
Initializing Arena
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.39.0
CPU type 0x29008: 200MHz
Total memory: 8192 KBytes
Total memory used by CFE: 0x80300000 - 0x80399700 (628480)
Initialized Data: 0x8032F870 - 0x80331F50 (9952)
BSS Area: 0x80331F50 - 0x80333700 (6064)
Local Heap: 0x80333700 - 0x80397700 (409600)
Stack Area: 0x80397700 - 0x80399700 (8192)
Text (code) segment: 0x80300000 - 0x8032F870 (194672)
Boot area (physical): 0x0039A000 - 0x003DA000
Relocation Factor: I:00000000 - D:00000000
Committing NVRAM...done
Device eth0: hwaddr 00-40-77-BB-55-10, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Reading ::
Unlike the WRT54G, however, the WL-520GU bootloader did not specify its IP address, and the usual 192.168.1.1 did not work; watching the network traffic while attempting the TFTP transfer revealed that this address was not responding to ARP requests at all. Additionally, while the WRT54G waits for a TFTP connection for a few seconds before timing out, the WL-520GU only listens for about one second before timing out and loading the kernel. Such a short window, coupled with not knowing the bootloader’s IP address, made flashing via TFTP nearly impossible.
The solutions to both these problems were found (directly and indirectly) through DD-WRT’s WL-520GU Wiki page. If you hold down the reset button while the router boots, the bootloader enters hardware restoration mode and listens for TFTP connections indefinitely rather than continuing with the boot process. This can be confirmed by watching the serial console output; you should see repeating messages that read: “Reading :: Failed.: Timeout occured”. The power LED should also be blinking slowly when the router is in hardware restoration mode.
Once you have the router constantly listening for TFTP connections, you still need to know its IP address. We found it by downloading the Asus restoration utility and monitoring the network traffic it generated, which revealed that the router’s bootloader IP address was 192.168.1.49. With the router in hardware restoration mode and the bootloader IP address known, it was easy to upload the firmware via TFTP:
tftp> mode binary
tftp> trace
tftp> connect 192.168.1.49
tftp> put openwrt-brcm-2.4-squashfs.trx
sent DATA <block=1, 512 bytes>
received ACK <block=1>
sent DATA <block=2, 512 bytes>
received ACK <block=2>
…
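The same exchange as the trace above, written out as a small TFTP write client that keeps resending the write request until the bootloader answers. This is an example added here, not code from the original post; the function names, the default filename and the timeout and retry values are assumptions, and the packet layout follows RFC 1350.

```python
import socket
import struct

BLOCK = 512  # RFC 1350 block size, matching the 512-byte DATA blocks in the trace
OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5

def wrq(filename, mode="octet"):
    """Write request: opcode 2, then NUL-terminated filename and mode (octet = binary)."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def data_blocks(image):
    """Yield (block number, DATA packet); a final block under 512 bytes, possibly empty, ends the transfer."""
    for n, off in enumerate(range(0, len(image) + 1, BLOCK), start=1):
        yield n, struct.pack("!HH", OP_DATA, n & 0xFFFF) + image[off:off + BLOCK]

def parse_ack(pkt):
    """Return the acknowledged block number; raise on ERROR or malformed packets."""
    if len(pkt) < 4:
        raise ValueError("short TFTP packet")
    op, num = struct.unpack("!HH", pkt[:4])
    if op == OP_ERROR:
        raise IOError("TFTP error %d: %r" % (num, pkt[4:].rstrip(b"\0")))
    if op != OP_ACK:
        raise ValueError("unexpected opcode %d" % op)
    return num

def exchange(sock, pkt, addr, expect, tries):
    """Send pkt and resend on timeout until the matching ACK arrives; return the sender's address."""
    for _ in range(tries):
        sock.sendto(pkt, addr)
        try:
            reply, peer = sock.recvfrom(516)
        except socket.timeout:
            continue
        # Only accept replies from the host we are flashing, and only the expected ACK.
        if peer[0] == addr[0] and parse_ack(reply) == expect:
            return peer
    raise TimeoutError("no ACK for block %d from %s" % (expect, addr[0]))

def put(ip, image, filename="firmware.trx", port=69, timeout=0.5, tries=60):
    """Upload image, retrying the WRQ until the bootloader answers (defaults are assumptions)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        peer = exchange(sock, wrq(filename), (ip, port), 0, tries)
        for n, pkt in data_blocks(image):
            peer = exchange(sock, pkt, peer, n & 0xFFFF, tries)  # server may answer from a new port
        return len(image)
    finally:
        sock.close()
```

To use it, read the .trx file in binary mode and pass its bytes to put() with the bootloader address 192.168.1.49. The ip argument must be a numeric address, since replies are matched against it.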