WRT54G with JTAG and Serial Connections

Blast from the past – WRT54G v5 ‘hack’ that made me briefly famous

MANY years ago, the Linksys WRT54G was the most popular wireless router because it was easy to load third-party firmware onto it, such as OpenWrt (a fully fleshed-out Linux distro for wireless routers!) or DD-WRT (a bit more ad hoc, but it does the job), and extend its functionality.

Then the WRT54G v5 came along and Linksys switched the router's native firmware from Linux to VxWorks. This meant the stock boot loader could no longer load a Linux image; the only way in was a JTAG hardware mod, as shown in the featured image. They perhaps did this not to lock things down but to further reduce costs, as they lowered the flash (ROM) and RAM sizes as well, to the point that you could barely do anything even with the most stripped-down renditions of Linux.

Anyway, I reverse engineered the ROM, derived the VxWorks firmware file format and its checksum algorithm, and finally, much to my surprise, found a hidden feature of the firmware file format: the ability to overwrite the boot loader. YES! No more hardware hacks; a person could simply upload a 'switch-over' firmware! (The flip side is that whatever lets an uploaded image replace the boot loader for you lets it do so for anyone who can push an update to the router.)


So, I wrote a full suite of utilities and a 'switch-over' firmware to replace the boot loader, etc… Thus, my 15 minutes of fame.

It was during this year of F/OSS work that I learned the truth: donations just don't cut it. I had worked my butt off and hopefully helped millions of people who wanted DD-WRT micro on their Linksys router, but I sure was broke. Freeware that is really FREE, without tricks or tactics, is rare; it is either sponsored (e.g. Microsoft now sponsors SysInternals) or merely a hobby for someone. Our Freemium model cuts as close to free as possible while still retaining the ability to generate the revenue that keeps us in business! The digital signing certs, MSDN subscription, web site, and more get quite expensive.

For more info on the technical aspects of this old WRT54G hack, click here.

  • RedPill

    Fascinating! I’m super interested how you went about reverse-engineering the BIOS + derived the VxWorks + found the secret function? I’d love to do this myself (or similar), even as just an exercise for developing the ability. Thanks!

  • It has been many years now, but it was achieved using the usual tools (e.g. IDA). First, dump the ROM and disassemble to see what it is looking for as it parses a firmware update. During such, I had to determine the checksum algorithm, so while going through the logic and documenting the firmware file format, I noticed a variable that seemed supported and appeared to replace the boot loader. Some experimentation and exploration later, I found it did just that. Then I had to write all the tools to easily create firmware images compatible with VxWorks, etc… It was quite the job. Too bad it paid so poorly, lol.

    And FWIW I spent many years as a teenager reverse engineering, so there is that… ;)
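As an added example (not the author's tools, and not the real WRT54G v5 / VxWorks image format, which this page does not document), here is the kind of script one writes at the "determine the checksum algorithm" step mentioned in the post and in the reply above. The disassembly tells you where the updater reads the checksum field; this script works out what it computes by testing common candidates (byte sums, XOR, CRC32 and its complement) over the byte ranges an updater plausibly covers, and intersecting the hits across several images so a coincidental match on one image is discarded. The `FWIM` header layout and the sample images are constructed for the example only.

```python
# Added example (not the tooling from the original post): pin down an unknown
# checksum once the disassembly shows WHERE the updater reads it, by testing
# common candidates over plausible byte ranges. The 'FWIM' sample header below
# is hypothetical and is NOT the WRT54G v5 / VxWorks format.
import functools
import struct
import zlib


def _sum16_words_le(data):
    n = len(data) // 2
    return sum(struct.unpack("<%dH" % n, data[:2 * n])) & 0xFFFF


# name -> (result width in bits, function over a byte range)
CANDIDATES = {
    "sum8": (8, lambda d: sum(d) & 0xFF),
    "xor8": (8, lambda d: functools.reduce(lambda a, b: a ^ b, d, 0)),
    "sum16": (16, lambda d: sum(d) & 0xFFFF),
    "sum16-words-le": (16, _sum16_words_le),
    "sum32": (32, lambda d: sum(d) & 0xFFFFFFFF),
    "crc32": (32, lambda d: zlib.crc32(d) & 0xFFFFFFFF),
    "~crc32": (32, lambda d: ~zlib.crc32(d) & 0xFFFFFFFF),
}


def candidate_ranges(image, off, size):
    """Byte ranges an updater plausibly covers, relative to the checksum field."""
    end = off + size
    return {
        "bytes after field": image[end:],
        "bytes before field": image[:off],
        "whole image, field skipped": image[:off] + image[end:],
        "whole image, field zeroed": image[:off] + bytes(size) + image[end:],
    }


def identify_checksum(image, off, size):
    """Set of (algorithm, range, endianness) that reproduce the stored field."""
    field = image[off:off + size]
    stored = {"le": int.from_bytes(field, "little"), "be": int.from_bytes(field, "big")}
    matches = set()
    for rname, rbytes in candidate_ranges(image, off, size).items():
        for cname, (bits, fn) in CANDIDATES.items():
            if bits > size * 8:  # a 32-bit result cannot live in a 16-bit field
                continue
            value = fn(rbytes)
            for endian, sv in stored.items():
                if value == sv:
                    matches.add((cname, rname, endian))
    return matches


def identify_across(images, off, size):
    """Intersect matches over several images: a single image often fits a
    candidate by coincidence (sum8 == sum16 whenever the 16-bit total is < 256)."""
    result = None
    for img in images:
        m = identify_checksum(img, off, size)
        result = m if result is None else result & m
    return result or set()


# --- constructed sample images (hypothetical layout) --------------------------
MAGIC = b"FWIM"           # made-up magic for this example only
CK_OFF, CK_SIZE = 8, 4    # [magic:4][payload_len:4 LE][checksum:4][payload]


def build_sample(payload, algo, endian):
    """Image whose checksum field holds `algo` over the range this toy updater
    uses: crc32 over the payload, or sum16 over the image with the field zeroed."""
    image = MAGIC + struct.pack("<I", len(payload)) + bytes(CK_SIZE) + payload
    if algo == "crc32":
        value = zlib.crc32(payload) & 0xFFFFFFFF
    elif algo == "sum16":
        value = sum(image) & 0xFFFF
    else:
        raise ValueError(algo)
    field = value.to_bytes(CK_SIZE, "little" if endian == "le" else "big")
    return image[:CK_OFF] + field + image[CK_OFF + CK_SIZE:]


def demo():
    """Run the identifier over two images per scheme and return what survives."""
    crc_imgs = [build_sample(bytes(range(64)), "crc32", "le"),
                build_sample(b"constructed payload " * 7, "crc32", "le")]
    sum_imgs = [build_sample(bytes(range(256)) * 3, "sum16", "be"),
                build_sample(b"another constructed payload" * 9, "sum16", "be")]
    return {"crc": identify_across(crc_imgs, CK_OFF, CK_SIZE),
            "sum": identify_across(sum_imgs, CK_OFF, CK_SIZE)}


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, sorted(found))
```

Once a candidate survives the intersection, confirm it by re-checksumming a modified image and feeding it to the real updater. Note that a checksum of this kind is an integrity check, not an authenticity check: once the algorithm and layout are known, anyone can produce an image the updater accepts, which is exactly what made a software-only 'switch-over' firmware possible.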
