During my Christmas holiday I came across a couple of discarded NetGear WN602v2 boxes. They are clearly marked with NetGear, but also seem to self-identify as a ViasatOnDemand wireless device. From what I can gather, they are used as a wireless network bridge, wirelessly connecting a satellite receiver to a wired ethernet network. Viasat is a Scandinavian television distributor.
I was curious as to how the device was configured, so I set out on a quest searching for answers. NMAP confirmed my suspicions that the IP was set to 192.168.1.1. I tried connecting to the device both with a browser and a console application with no success. After wading through some misses I came across this forum post revealing that the WN602v2 was in fact a special edition of the WNR612 B: https://dd-wrt.com/phpBB2/viewtopic.php?p=871408. Further research brought me to the OpenWrt page for the WNR612 v2: http://wiki.openwrt.org/toh/netgear/wnr612v2. Here I found a pinout for a serial port jumper that should be located on the board. I pulled out my trusty screwdriver kit and located the T9 screws underneath the rubber feet.
T9 is a bit of an odd Torx size, as Torx bit sets usually go from T10 and upward. Thus, you either have a boatload of these lying around or you have never heard about them. They can usually be found in comprehensive mobile repair toolkits or in “specialty bit sets” at your local low cost hardware monstrosity.
Once into the box, the jumper was easy to locate. The leftmost pin appears to be labeled 4, but I suspect this is really part of CA114. Anyways, it will henceforth be known as pin four as that corresponds with the data from OpenWrt.
I connected my BusPirate, making sure to not connect the 3.3V line to decrease the risk of releasing the magic blue smoke. After putting the BusPirate in UART pass-through and rebooting the board I was greeted with an OpenWrt console. Version 7.09 Kamikaze to be exact.
I was still unable to log in though, but the bootloader supports overwriting the firmware using TFTP. First I tried loading the latest OpenWrt, v15 at the time of writing. That failed miserably. No matter what I did, the upload would fail after a few seconds. I tried multiple TFTP clients, different cables and whatnot, but to no avail. A Wireshark capture revealed that the TFTP did not receive any ACK-messages as soon as the transfer started. After some time I tried changing the network connection to half duplex 100MB on the client side. That did the trick and the firmware upload completed successfully. Or so I thought until the board restarted…
[ 7.280000] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,4)
[ 7.280000] ---[ end Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,4)
[ 82.490000] random: nonblocking pool is initialized
Not really what I call a success… But I persevered and decided to try the latest NetGear fw image for the WNR612v2. To my astonishment it worked perfectly, no problems at all. Some digging around in forums indicated that the load screen messages were probably caused by the firmware image being too big for the flash memory on the board. It was indicated that it was possible to reduce the size of the OpenWrt image by building your own custom image, but that was a bit far from my end goal. All I wanted was access to the box, and possibly to make it usable as a backup router. I knew it was able to run OpenWrt 7, so I decided to just try versions until I found one that worked, starting with v 14, the previous one. And it worked like a charm; ten minutes later I was greeted with the OpenWrt Barrier Breaker console.
I sourced a fitting ethernet RJ45 jack from the usual suspects in Hong Kong and soldered it to the board (shown fitted on the image above). From what I can figure out it should have been blue, but who cares? The next chapter details the process from start to finish without all the dead ends.
Flashing new firmware using TFTP and BusPirate
Just a side note: If you do not possess a BusPirate, do not get one for the sole purpose of flashing this router. The FTDI Friend + from AdaFruit is a lot cheaper and easier to work with. You may also need some jumper wires.
This procedure requires a basic understanding of electronics, ESD shielding and working with exposed circuit boards.
- Windows Computer acting as TFTP client and terminal. You can probably use apples or penguins as an alternative in a pinch.
- BusPirate to interface with the console. (FTDI Friend+ from AdaFruit also works, and probably other FTDI adapters as well.)
- Software: RealTerm and TFTPD64.
- Optional: USB Ethernet adapter.
- Optional: RJ45 PCB connector, 20 x 15,5 x 14 mm, EAN 4894462487914 or similar.
- Dismantle the WN602v2. Four Torx T9 screws are located under the rubber feet.
- Remove the board from the case.
- Wire the BusPirate to the console jumper. I did not connect the 3.3V line. Black wire to pin 2, Gray wire to pin 3 and Brown wire to pin 4.
- Serial bus interface pinout, pin 4 closest to the heatsink:
  1. 3.3 V (Not connected to BusPirate)
  2. TX
  3. RX
  4. GND
- If you use an FTDI Friend, refer to its manual for pinout. Remember to connect RX to TX and vice versa.
- Connect to one of the yellow ethernet ports from the TFTP client computer. Use a USB ethernet dongle to reduce the risk of destroying your computer if something fails.
- Power on the board.
- Check for magic blue smoke. If you see it, abort.
- Set the ethernet connection to 100 Mbps, half duplex. If you forget this, you get timeout error messages as the router is in half duplex mode and unable to transmit ACK-messages.
- Set the IP for the connection to 192.168.1.2/24 or anything other than 192.168.1.1 (the router IP).
- Connect to the BusPirate terminal, use Ansi mode in RealTerm.
- Enter UART mode.
- Connect to the router console at 115200 baud, default settings for the other parameters.
- Start UART passthrough macro (1).
- (If you use an FTDI Friend, just connect it at 115200 baud.)
- Press a key when requested to interrupt boot and enter the bootloader.
- Execute “protect off all” to remove any write protection on the firmware memory.
- Execute “fsload” to enter firmware recovery mode.
- Send the firmware image using TFTP client mode on the computer.
- Wait for the update process to complete. The router boots automatically once the process has finished.
- Look at the boot messages to make sure the flash was successful.
- Solder in a plug for the WAN ethernet port if you want to use it. I could only find a shielded version of a connector in the correct size, but the shielding was easily removed. The PCB does not support shielded connectors.
- Dremel out a hole in the backplate for the new connector.
- Log in to OpenWrt and configure your new router.
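
The TFTP upload step from the procedure above, as an added example that is not part of the original post: a minimal RFC 1350 client in Python that sends the image in lock-step and, when ACKs stop arriving as in the Wireshark capture described earlier, fails with a hint about the duplex setting. The router address 192.168.1.1 is from the post; the file name `firmware.img`, port 69, the assumption that the recovery server accepts a plain octet-mode write request, and all function names are assumptions.

```python
import socket
import struct

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK = 512  # RFC 1350 fixed block size


def wrq(filename):
    """Write request: opcode 2, filename, transfer mode 'octet' (binary)."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0octet\0"


def parse_reply(pkt):
    """Return the acknowledged block number; raise on a TFTP ERROR packet."""
    op, num = struct.unpack("!HH", pkt[:4])
    if op == OP_ERROR:
        raise IOError("TFTP error %d: %s" % (num, pkt[4:-1].decode(errors="replace")))
    if op != OP_ACK:
        raise IOError("unexpected opcode %d" % op)
    return num


def put_image(sock, server, filename, image, timeout=2.0, retries=5):
    """Upload image one block per ACK; returns the number of DATA blocks sent."""
    sock.settimeout(timeout)
    # An image that is an exact multiple of 512 bytes ends with an empty block.
    chunks = [image[i:i + BLOCK] for i in range(0, len(image) + 1, BLOCK)]
    packet, expect, peer = wrq(filename), 0, server
    for block, chunk in enumerate([None] + chunks):  # None = the WRQ itself
        if chunk is not None:
            expect = block & 0xFFFF
            packet = struct.pack("!HH", OP_DATA, expect) + chunk
        for _ in range(retries):
            sock.sendto(packet, peer)
            try:
                reply, peer = sock.recvfrom(516)  # server answers from a new port
            except socket.timeout:
                continue  # lost packet or lost ACK: retransmit the same block
            if parse_reply(reply) == expect:
                break
        else:
            raise TimeoutError("no ACK for block %d after %d tries; check that the "
                               "NIC is forced to 100 Mbps half duplex" % (expect, retries))
    return len(chunks)


if __name__ == "__main__":
    import sys  # usage: script.py firmware.img (router waiting in fsload mode)
    with open(sys.argv[1], "rb") as f, socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        print(put_image(s, ("192.168.1.1", 69), "firmware.img", f.read()), "blocks sent")
```
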