Platform: Texas Instruments AR7, 150MHz
Flash: 4MB
RAM: 16MB
Ethernet: 4 Ports
Wireless: TI ACX111, 802.11b/g

The firmware install is pretty straightforward, once you get the commands right. The process is very similar to that documented for generic AR7 devices, but not exactly the same. It helps to have a terminal connected to the JP603 serial port (ttys0, 38400, 8N1)during this process as well, but it is not necessary:

The serial port on the right (JP603) is ttys0

The pinout for the serial port is, as pictured, from bottom to top: ground, transmit, receive, unknown, Vcc, unknown.

In order to flash the firmware, you’ll need to get access to the Adam2 bootloader. The easiest way to do this is to turn off the router, hold down the reset button, and turn the router back on. Keep holding the reset button until you see the Power and Internet LEDs stay on; this indicates that the router has dropped into the Adam2 shell prompt.

The prompt can be accessed via the serial connection, or via FTP. To connect via FTP, simply FTP to the router and login with the user name of ‘adam2′ and password ‘adam2′. The default adam2 IP address is 192.168.0.1. If this IP address does not work, you will have to connect via the serial connection and issue the following command:

printenv
 

Look for the variable named ‘my_ipaddress’, which will list the Adam2 IP.

Once you have access to Adam2 (either via FTP or serial), you will have to set a couple of environment variables. First, you need to create a partition to install OpenWRT to. The existing partitions can be viewed by issuing the printenv command at the serial console. They are:

mtd2                  0×90000000,0×90010000
mtd1                  0×90010000,0x900d0000
mtd0                  0x900d0000,0x903e0000
mtd4                  0x903e0000,0x903f0000
mtd3                  0x903f0000,0×90400000

Since the OpenWRT image contains both the kernel and the file system, your new partition should cover both the existing kernel and file system partitions (mtd1 and mtd0, respectively). To create the partition via the serial console, run:

setenv mtd5,0×90010000,0x903f0000
 

Or via the FTP connection:

quote SETENV mtd5,0×90010000,0x903f0000
 

You will also have to set the MAC_PORT environment variable in order to enable the internal ethernet port. From the serial console:

setenv MAC_PORT,0
 

Or from FTP:

quote SETENV MAC_PORT,0
 

With that done, you’re ready to FTP your new firmware to the router; other reports on the GT-701 and GT-704 have noted that the ActionTec recovery utility sends a message to UDP port 5035 (actually, two messages in the case of the GT-704). However this appears to be simply for discovery of the router’s IP address and is not necessary for loading firmware onto the router.

Go to OpenWRT’s download page, and get the latest release of openwrt-ar7-squashfs.bin (currently Kamikaze 8.09.1). If you haven’t already, FTP to the router and login with the previously described credentials. You will need to issue the following commands:

ftp> binary
200 Type set to I.
ftp> quote MEDIA FLSH
200 Media set to FLSH
ftp> quote STOR openwrt-ar7-squashfs.bin mtd5
226 Transfer complete
ftp> quote REBOOT

It will take the router a minute or two to clear the flash and load the firmware. Note that you do NOT want to enter passive mode for the file transfer; doing so will slow the file transfer significantly (it would have taken about a week by my estimation). You can monitor the router’s progress via the serial console, or by watching the file transfer in Wireshark. Once the firmware transfer is complete, the reboot command will reboot the router, and you should have a working OpenWRT install:

Please press Enter to activate this console.

BusyBox v1.11.2 (2009-05-28 18:22:45 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (8.09.1, r16278) ----------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:/#

So far everything checks out OK using the generic firmware image; ethernet and wireless works, opkg updates and installs packages fine. The only downside is that the wireless doesn’t seem to support WPA, possibly due to the poor open source support from TI. I haven’t tested the USB port, but it appears to be a client-only USB device, so it’s of limited use.

Usually, it is helpful to have a serial console connected to the router while doing a TFTP transfer, so that you can see when the bootloader (CFE, in the case of the Asus) is listening for TFTP connections, as with the Linksys WRT54G:

CFE version 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Thu Mar 24 16:31:45 CST 2005 (motoplayer@cvs.gemtek.com.tw)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.39.0
CPU type 0×29008: 200MHz
Total memory: 8192 KBytes

Total memory used by CFE:  0×80300000 – 0×80399700 (628480)
Initialized Data:          0x8032F870 – 0x80331F50 (9952)
BSS Area:                  0x80331F50 – 0×80333700 (6064)
Local Heap:                0×80333700 – 0×80397700 (409600)
Stack Area:                0×80397700 – 0×80399700 (8192)
Text (code) segment:       0×80300000 – 0x8032F870 (194672)
Boot area (physical):      0x0039A000 – 0x003DA000
Relocation Factor:         I:00000000 – D:00000000

Committing NVRAM…done
Device eth0:  hwaddr 00-40-77-BB-55-10, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Reading ::

Unlike the WRT54G however, the WL-520GU bootloader did not specify its IP address, and the usual 192.168.1.1 did not work; watching the network traffic while attempting the TFTP transfer revealed that this address was not responding to ARP requests at all. Additionally, while the WRT54G waits for a TFTP connection for a few seconds before timing out, the WL-520GU only listens for about one second before timing out and loading the kernel. Such a short time period, coupled with not knowing the bootloader’s IP address, made flashing via TFTP nearly impossible.

The solutions to both these problems were found (directly and indirectly) through DD-WRT’s WL-520GU Wiki page. By holding down the reset button on the router on boot up, the bootloader will enter hardware restoration mode and perpetually listen for TFTP connections rather than continuing with the boot process. This can be confirmed by watching the serial console output; you should see repeating messages that read: “Reading :: Failed.: Timeout occured”. The power LED should also be blinking slowly when the router is in hardware restoration mode.

Once you have the router constantly listening for TFTP connections, you still need to know the IP. This was discovered by downloading the Asus restoration utility and monitoring the network traffic it generated. This revealed that the router’s bootloader IP address was 192.168.1.49. With the router in hardware restoration mode and knowledge of the bootloader IP address, it was easy to upload the firmware via TFTP:

tftp> mode binary
tftp> trace
tftp> connect 192.168.1.49
tftp> put openwrt-brcm-2.4-squashfs.trx
sent DATA <block=1, 512 bytes>
received ACK <block=1>
sent DATA <block=2, 512 bytes>
received ACK <block=2>
…

But what if you want to use WPA and allow anyone to connect to your WiFi network? Well, you’d simply have to keep pusing the WPS button once every two minutes (WPS has a two minute time-out period). Granted, there probably aren’t many (any?) legitimate uses for this, but it would be a great opportunity for some nefarious individual: with such a system in place, he can always get in no matter how strong you make your WPA key.

This hack is very simple; you just have to create a circuit that “pushes” the WPS button on the router. With some routers, such as Linksys, you can simply short out the pins on the WPS button, causing WPS to remain permanently on. This can be done very easily using the foil wrapper from a stick of gum; note that since WPS will always be activated, the WPS LED will be constantly blinking, so it’s probably a good idea to cover up the LED:

Placing the foil in the Linksys' case

When the board is placed back in the case, the foil shorts the pins on the WPS button

Use the remaining foil to cover up the WPS LED

Although a simple hack, using gum to back door a router is not the best solution. In the routers tested, the gum hack only worked on our Linksys router; the rest require us to push, hold, and release the WPS button before they would activate WPS. Even in the Linksys device, this is a non-stealthy hack, as the administrative interface will (rather obnoxiously) indicate that WPS is activated whenever an administrator logs in to view the wireless settings.

A far better solution can be found by using a simple NE555 timer circuit. The push buttons are typically configured with one contact connected to ground, and the other contact connected to something else that reads the button’s state. Using an NE555, we can connect the non-ground pin on the button to ground for a second or two, and then return the pin to it’s open state. The following circuit will push the WPS button for 1.5 seconds every 2.5 minutes:

NE555 Schematic

Vcc and ground are connected to the router’s DC power supply. Since the 555 can be powered from a wide range of voltage sources (4.5v – 16v), no voltage regulator should be required (routers typically run off of 5 – 12 volt DC power adapters). Conn1 is connected to the non-grounded pin on the WPS button.

The output (pin 3) stays high for 2.5 minutes and goes low (i.e., is grounded) for 1.5 seconds. D1 ensures that there is no charge flowing into pin 3 (probably not likely, but we don’t know exactly what the WPS button is connected to). When pin 3 goes low, it effectively grounds the button connected to Conn1; resistor R3 limits any current flowing through D1 during this period. The circuit can be modified to stay high for much longer periods of time by increasing the value of the R1 resistor.

Although the NE555 is not very precise when used to time long periods, precision is not really a concern in this application, so activating WPS once every 10-12 hours is possible. This has the added benefit of making such a back door more difficult to detect; WPS has a two minute time out period (if no client is found within two minutes, the router stops looking for a client until the button is pushed again), so the light will only be blinking for two two-minute intervals throughout a 24 hour period.

Below are pictures of the above circuit connected to several routers from various vendors. Since the WPS button works the same way on basically all routers, this circuit is a universal hardware back door for practically any router that has WPS support:

The circuit connected to a Linksys WRT160N

The circuit connected to a D-Link DIR-628 The circuit soldered up and placed inside a Belkin router

The circuit soldered up and placed inside a Belkin F5D8233-4v3

Now, you just wait for WPS to be activated (WPS state can be passively monitored real-time using WPSpy) and use a WPS-capable WiFi card (or software) to retrieve the key:

Using a Belkin WiFi card to retrieve the WPA key via WPS