Jonathan's earth.li presence

This page is intended to document various useful bits of info about hacking at the Netgear DG834G (and possibly the non G variant as well). I own a v2 device, but most of this should apply to v1 as well. It's based on a TI AR7 chipset and runs Linux out of the box.

Enabling telnet on it

With the stock firmware you can go to http://192.168.0.1/setup.cgi?todo=debug (assuming the device has an IP of 192.168.0.1, which is the default) and that will cause it to spawn telnetd.

Enabling "boot_wait"

boot_wait isn't really the right term, as that's from Linksys WRT devices. By default ADAM2 on the Netgear doesn't have an IP address configured. You can configure one by doing:

echo "my_ipaddress 192.168.0.1" > /proc/sys/dev/adam2/environment

This will set the ip to 192.168.0.1. Then, immediately after you reset the device you can FTP to it and login with username adam2 / password adam2. There are more ADAM2 details at Seattle Wireless.

Backing up the flash

Backing up the flash is probably a good move; if you do cd /tmp ; mini_httpd -p 1080 while connected via telnet you'll start up a httpd on port 1080. You can then do cat /dev/mtdblock/2 > /tmp/mtd2.bin which will dump the ADAM2 partition to a file, which can be obtained with wget http://192.168.0.1:1080/mtd2.bin from your desktop machine. Repeat this for devices 0 through 4 and you'll get the entire set.

Patching ADAM2

*PLEASE NOTE THE BELOW COULD PERMANENTLY BREAK YOUR ROUTER*

The boot loader for the DG834 is called ADAM2. It's used on a number of other AR7 based routers, such as the D-Link 502T and G604T. However the Netgear variant has a rather annoying feature; it calculates a checksum over flash and refuses to boot if it doesn't match what's stored. This is fine for the stock Netgear firmware, where the filesytem doesn't change (config is stored in a separate flash partition). It causes the router to huff after the first OpenWRT boot however. Unless we patch ADAM2 to ignore an incorrect checksum...

The mtd2.bin image you retrieve from your Netgear should be 128K and is the ADAM2 bootload. The md5sum is 0530bfdf00ec155f4182afd70da028c1. If it's not then stop. This is for 0.18.01 as distributed by Netgear.

Assuming the md5sum matches you should go to offest 0x3944 where the 4 bytes should be 44 09 00 0C (representing a jal 0x90002510 during execution). Replace these 4 bytes with 0 (representing nop) and you should end up with a new image with an md5sum of d8a2f4623bf6f64b7427812f0e849aa7. I used hexedit to do this.

If your new md5sum matches up ok then you should copy the patched mtd2.bin over to the Netgear; wget is installed on it, so assuming you can put the image on a web/ftp server somewhere that shouldn't be hard. Then you can do dd if=adam2-fix.bin of=/dev/mtdblock/2 (assuming you called the patched image adam2-fix.bin) on the Netgear, which should patch the ADAM2 image. At this point you cross your fingers and hope it went ok, and restart the device. If it comes up, fantastic. If not, then you're unfortunately a bit stuck - my version of the DG834G has no obvious JTAG port and as such if the bootloader dies there's no way to get in. FWIW I've had a couple of success reports though, as well as my own attempt. Don't attempt this if you don't know what you're doing though.

Putting an OpenWRT image on it.

OpenWRT don't have support for the Netgear in their releases yet, but they have an active AR7 Port. I have successfully run SVN r10685 (in fact it's powering the connection I'm using to type this); however wireless support is still a bit iffy. I couldn't get it to work as an access point, but there's a suggestion that it'll work as a client ok. You can grab my config - it doesn't enable wireless, only has PPPoA support included and will come up on 192.168.42.1. You should just need to drop it in the root of an OpenWRT checkout as .config and type make. Please don't email me asking for images; this information should be enough for you to build your own.

You'll end up with a openwrt-ar7-squashfs.bin file out at the end in the bin subdirectory. Split this up into 2 files for the DG834:

dd if=openwrt-ar7-squashfs.bin of=ow-mtd1.bin count=720896 bs=1
dd if=openwrt-ar7-squashfs.bin of=ow-mtd0.bin skip=720896 bs=1

Then upload to the Netgear via ADAM2:

ftp 192.168.0.1
Connected to 192.168.0.1.
220 ADAM2 FTP Server ready.
Name (192.168.0.1:noodles): adam2
331 Password required for adam2.
Password:
230 User adam2 successfully logged in.
Remote system type is UNIX.
ftp> quote "MEDIA FLSH"
200 Media set to FLSH.
ftp> bin
200 Type set to I.
ftp> put ow-mtd0.bin "fs mtd0"
local: ow-mtd0.bin remote: fs mtd0
200 Port command successful.
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
1598607 bytes sent in 14.64 secs (106.6 kB/s)
ftp> put ow-mtd1.bin "fs mtd1"
local: ow-mtd1.bin remote: fs mtd1
200 Port command successful.
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
720896 bytes sent in 6.56 secs (107.3 kB/s)
ftp> quote REBOOT
221-Thank you for using the FTP service on ADAM2.
221 Goodbye.

Note that putting the images can take a while, as the device has to erase and program the flash. Also the first boot takes a while while OpenWRT sets itself up. However after a few minutes at most you should be able to telnet to 192.168.1.1 and have access.