WRT54G with JTAG and Serial Connections

Blast from the past – WRT54G v5 ‘hack’ that made me briefly famous

MANY years ago, the Linksys WRT54G was the most popular wireless router because it was easy to load third-party firmware onto it, such as OpenWrt (a fully fleshed-out Linux distro for wireless routers!) or DD-WRT (a bit more ad hoc, but it does the job), and extend its functionality.

Then the WRT54G v5 came along and Linksys switched the stock firmware from Linux to VxWorks. The VxWorks boot loader would not boot a Linux image, so the only route to third-party firmware was a JTAG hardware mod like the one shown in the featured image. They probably did not do this to lock things down, but to further reduce costs: the ROM (flash) and RAM sizes were lowered as well, to the point where you could barely do anything even with the most stripped-down renditions of Linux.

Anyway, I reverse engineered the ROM, derived the VxWorks firmware file format and its checksum algorithm, and finally, much to my surprise, found a hidden feature of the firmware file format: the ability to overwrite the boot loader. YES! No more hardware hacks; a person could simply upload a 'switch-over' firmware!


So I wrote a full suite of utilities and a 'switch-over' firmware to replace the boot loader, etc. Thus, my 15 minutes of fame.
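The mechanics the post describes (an updater that parses an image header, recomputes a checksum, and honours a header field that selects whether the payload lands in the application region or over the boot loader) as an added worked example. This is illustrative code written for this page, not the post's tools or the real Linksys/VxWorks format: the magic value, header offsets, additive checksum, and 64-byte simulated flash layout are all assumptions. It does show the practical pattern a reverser follows: re-implement the recovered checksum and confirm it reproduces the stored value on a known-good image before building your own.

```c
/* Added example, not code from the post or from the Firmware Mod Kit.
 * It models the kind of update container the post describes: a header,
 * a checksum the updater recomputes, and a header field that decides
 * whether the payload lands in the application region or in the
 * boot-loader region. Every constant, offset and the checksum algorithm
 * here is an ASSUMPTION for illustration, not the real Linksys/VxWorks format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_MAGIC     0x46574947u  /* hypothetical image magic */
#define FW_HDR_LEN   16
#define TARGET_APP   0u           /* payload goes to the application region */
#define TARGET_BOOT  1u           /* payload replaces the boot loader */

/* Simulated flash: 64 bytes, boot loader at 0, application image at 32. */
#define FLASH_SIZE   64u
#define BOOT_BASE    0u
#define APP_BASE     32u

/* Hypothetical header layout (little-endian):
 *   0..3   magic
 *   4..7   payload length
 *   8..11  target region (TARGET_APP or TARGET_BOOT)
 *   12..13 16-bit additive checksum over header bytes 0..11 plus payload
 *   14..15 reserved, zero */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Sum of bytes modulo 2^16. When reversing, implement the candidate
 * algorithm read out of the disassembly and confirm it reproduces the
 * stored value on a known-good image before trusting it. */
uint16_t fw_checksum(const uint8_t *hdr, const uint8_t *payload, uint32_t len) {
    uint32_t sum = 0;
    for (int i = 0; i < 12; i++) sum += hdr[i];
    for (uint32_t i = 0; i < len; i++) sum += payload[i];
    return (uint16_t)(sum & 0xFFFFu);
}

/* Build an image in out. Returns total bytes written, 0 if out is too small. */
size_t fw_build(uint8_t *out, size_t cap, const uint8_t *payload, uint32_t len, uint32_t target) {
    if (cap < FW_HDR_LEN + (size_t)len) return 0;
    memset(out, 0, FW_HDR_LEN);
    wr32(out, FW_MAGIC);
    wr32(out + 4, len);
    wr32(out + 8, target);
    memcpy(out + FW_HDR_LEN, payload, len);
    uint16_t ck = fw_checksum(out, out + FW_HDR_LEN, len);
    out[12] = (uint8_t)(ck & 0xFF);
    out[13] = (uint8_t)(ck >> 8);
    return FW_HDR_LEN + len;
}

/* Verify as an updater would. 0 on success; negative codes name the failure. */
int fw_verify(const uint8_t *img, size_t img_len, uint32_t *target, const uint8_t **payload, uint32_t *len) {
    if (img_len < FW_HDR_LEN) return -1;                 /* truncated header */
    if (rd32(img) != FW_MAGIC) return -2;                /* wrong magic */
    uint32_t n = rd32(img + 4);
    if (n > img_len - FW_HDR_LEN) return -3;             /* declared length must fit: never read past the buffer */
    uint16_t stored = (uint16_t)(img[12] | img[13] << 8);
    if (fw_checksum(img, img + FW_HDR_LEN, n) != stored) return -4;  /* checksum mismatch */
    uint32_t t = rd32(img + 8);
    if (t != TARGET_APP && t != TARGET_BOOT) return -5;  /* unknown region */
    *target = t; *payload = img + FW_HDR_LEN; *len = n;
    return 0;
}

/* Apply a verified image to the simulated flash. Returns the flash offset
 * written, or -1 if the image was rejected or would overrun its region. */
int fw_apply(uint8_t *flash, const uint8_t *img, size_t img_len) {
    uint32_t target, n; const uint8_t *p;
    if (fw_verify(img, img_len, &target, &p, &n) != 0) return -1;
    uint32_t base  = (target == TARGET_BOOT) ? BOOT_BASE : APP_BASE;
    uint32_t limit = (target == TARGET_BOOT) ? APP_BASE - BOOT_BASE : FLASH_SIZE - APP_BASE;
    if (n > limit) return -1;
    memcpy(flash + base, p, n);
    return (int)base;
}

int main(void) {
    uint8_t flash[FLASH_SIZE]; memset(flash, 0xFF, sizeof flash);
    uint8_t img[128];
    const uint8_t new_boot[] = {0xDE, 0xAD, 0xBE, 0xEF};  /* constructed stand-in for a boot loader */
    size_t n = fw_build(img, sizeof img, new_boot, sizeof new_boot, TARGET_BOOT);
    printf("switch-over image written at flash offset %d\n", fw_apply(flash, img, n));
    img[FW_HDR_LEN] ^= 0xFF;  /* corrupt one payload byte: the checksum now fails */
    printf("corrupted image result: %d\n", fw_apply(flash, img, n));
    return 0;
}
```

The two checks in fw_verify that matter most for a real updater are the length bound (a declared payload length larger than the buffer is the classic way a parser reads or copies past its input) and the explicit region whitelist, since an unrecognised target value should be rejected rather than silently mapped somewhere.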

It was during this year of F/OSS work that I learned the truth: donations just don't cut it. I had worked my butt off and hopefully helped millions of people who wanted DD-WRT micro on their Linksys router, but I sure was broke. Freeware that is truly free, without tricks or tactics, is rare; it is either sponsored (e.g. Microsoft now sponsors SysInternals) or simply someone's hobby. Our Freemium model cuts as close to free as possible while still generating the revenue that keeps us in business! Code-signing certificates, an MSDN subscription, the web site, and more get quite expensive.

For more on the technical aspects of this old WRT54G hack, see the separate technical write-up linked from the original post.

  • RedPill

    Fascinating! I'm super interested in how you went about reverse-engineering the BIOS, deriving the VxWorks format, and finding the secret function. I'd love to do this myself (or something similar), even just as an exercise for developing the ability. Thanks!

  • It has been many years now, but it was achieved using the usual tools (e.g. IDA). First, dump the ROM and disassemble it to see what it is looking for as it parses a firmware update. During that, I had to determine the checksum algorithm, so while going through the logic and documenting the firmware file format, I noticed a variable that seemed supported and appeared to replace the boot loader. Some experimentation and exploration later, I found it did just that. Then I had to write all the tools to easily create firmware images compatible with VxWorks, etc. It was quite the job. Too bad it paid so poorly, lol.

    And FWIW I spent many years as a teenager reverse engineering, so there is that… ;)

  • jeyoung439

    I know it is nitpicking, but I think the error in this penultimate sentence, “I know, some people will always be mad that something is 100% free, but we pay for everything else in life.” dilutes the message enough to warrant pointing it out in a comment.

    Although I don’t use Process Lasso as much as I used to (because of newer machines), I have bought Process Lasso for all my computers and have even gifted licences. Keep up the good work!

  • Thank you for your business and for pointing out my grammatical error. I am doing so many things at once, wearing so many hats, that sometimes grammatical and other errors get by (though not for long).

  • I assume you are not the FBI? I studied the DMCA at the time, and my reversing met the 'interoperability' exception; that law has since been further nullified, and the statute of limitations has elapsed. If it is illegal to take things apart, then we never know what something may be doing!

  • RedPill

    I am not. Just a wannabe reverse-engineer! The ability to reverse things, especially a tech device like this, is a skill I’ve wanted for a long time. It just seems hard to find resources on how to go about doing this :/

  • RedPill

    Awesome, thanks! I've been wanting the ability to reverse engineer electronics. I've also got a Yamaha receiver whose firmware I want to decipher so I can modify it and inject different HDMI backgrounds (to prevent plasma burn). Do you know of any resources on how I could do this, particularly with IDA?

  • Well, first you could, or should, reverse engineer the format of any updates they've pushed out for the firmware. I co-authored the Firmware Mod Kit for this, but it hasn't been fully maintained over the years, so I doubt it will be of use. Still, the tools they use are usually open source, or close derivatives. IDA use would encompass a book, but it was my first experience with non-x86 assembly.
