WN602v2 / WNR612v2 and OpenWrt

clip_image001

During my Christmas holiday I came across a couple of discarded NetGear WN602v2 boxes. They are clearly marked with NetGear, but also seem to self-identify as a ViasatOnDemand wireless device. From what I can gather, they are used as a wireless network bridge, wirelessly connecting a satellite receiver to a wired Ethernet network. Viasat is a Scandinavian television distributor.

clip_image002

Research

I was curious as to how the device was configured, so I set out on a quest searching for answers. NMAP confirmed my suspicions that the IP was set to 192.168.1.1. I tried connecting to the device both with a browser and a console application with no success. After wading through some misses I came across this forum post revealing that the WN602v2 was in fact a special edition of the WNR612 B: https://dd-wrt.com/phpBB2/viewtopic.php?p=871408. Further research brought me to the OpenWrt page for the WNR612 v2: http://wiki.openwrt.org/toh/netgear/wnr612v2. Here I found a pinout for a serial port jumper that should be located on the board. I pulled out my trusty screwdriver kit and located the T9 screws underneath the rubber feet. Update: Did another one today, and it had T8 screws. Either the factory changed the screws at some point, or they are all T9¾ with really bad tolerances.

T9 is a bit of an odd Torx size, as Torx bit sets usually go from T10 and upward. Thus, you either have a boatload of these laying around or you have never heard about them. They can usually be found in comprehensive mobile repair toolkits or in “specialty bit sets” at your local low cost hardware monstrosity. The same goes for T8.

Once into the box, the jumper was easy to locate. The leftmost pin appears to be labeled 4, but I suspect this is really part of CA114. Anyways, it will henceforth be known as pin four as that corresponds with the data from OpenWrt.

clip_image003

I connected my BusPirate, making sure to not connect the 3.3V line to decrease the risk of releasing the magic blue smoke. After putting the BusPirate in UART pass-through and rebooting the board I was greeted with a OpenWrt console. Version 7.09 Kamikaze to be exact.

clip_image004

I was still unable to log in though, but the bootloader supports overwriting the firmware using TFTP. First I tried loading the latest OpenWrt, v15 at the time of writing. That failed miserably. No matter what I did, the upload would fail after a few seconds. I tried multiple TFTP clients, different cables and whatnot, but to no avail. A Wireshark capture revealed that the TFTP did not receive any ACK-messages as soon as the transfer started. After some time I tried changing the network connection to half duplex 100MB on the client side. That did the trick and the firmware upload completed successfully. Or so I thought until the board restarted…

[ 7.280000] Kernel panic – not syncing: VFS: Unable to mount root fs on unknown-block(31,4)


[ 7.280000] —[ end Kernel panic – not syncing: VFS: Unable to mount root fs on unknown-block(31,4)


[ 82.490000] random: nonblocking pool is initialized

Not really what I call a success… But I persevered and decided to try the latest NetGear fw image for the WNR612v2. To my astonishment it worked perfectly, no problems at all. Some digging around in forums indicated that the load screen messages was probably caused by the firmware image being too big for the flash memory on the board. It was indicated that it was possible to reduce the size of the OpenWrt image by building your own custom image, but that was a bit far from my end goal. All I wanted was access to the box, and possibly to make it usable as a backup router. I knew it was able to run OpenWrt 7, so I decided to just try versions until I found one that worked, starting with v 14, the previous one. And it worked like a charm, ten minutes later I was greeted with the OpenWrt Barrier Breaker console.

clip_image005

I sourced a fitting ethernet RJ45 jack from the usual suspects in Hong Kong and soldered it to the board (shown fitted on the image above). From what I can figure out it should have been blue, but who cares? The next chapter details the process from start to finish without all the dead ends.

Flashing new firmware using TFTP and BusPirate

Just a side note: If you do not possess a BusPirate, do not get one for the sole purpose of flashing this router. The FTDI Friend + from AdaFruit is a lot cheaper and easier to work with. You may also need some jumper wires.

This procedure requires a basic understanding of electronics, ESD shielding and working with exposed circuit boards.

Equipment list

  • Windows computer acting as a TFTP client and terminal. You can probably use apples or penguins as an alternative in a pinch.
  • BusPirate to interface with the console. (FTDI Friend+ from AdaFruit also works, and probably other FTDI/UART adapters as well.)
  • Software: RealTerm and TFTPD64.
  • Optional: USB Ethernet adapter.
  • Optional: RJ45 PCB connector, 20 x 15,5 x 14 mm, EAN 4894462487914 or similar.

Procedure

  • Dismantle the WN602v2. Four torx T9 or T8 screws are located under the rubber feet.
  • Remove the board from the case.
  • Wire the BusPirate to the console jumper. I did not connect the 3.3V line.
  • Black wire to pin 2
  • Gray wire to pin 3
  • Brown wire to pin 4
  • clip_image007
    • Serial bus interface pinout, pin 4 closest to the heatsink:
    • 1: 3.3 V (Not connected to BusPirate)
    • 2: TX
    • 3: RX
    • 4: GND
    • BusPirate probe color codes:
    • clip_image006

    • If you use an FTDI Friend, refer to its manual for pinout. Remember to connect RX to TX and vice versa.
    • Connect to one of the yellow ethernet ports from the TFTP client computer. Use a USB ethernet dongle to reduce the risk of destroying your computer if something fails.
    • Power on the board.
    • Check for magic blue smoke. If you see it, abort.
    • Set the Ethernet connection to 100mbps, half duplex. If you forget this, you get timeout error messages as the router is in half duplex mode and unable to transmit ACK-messages.
    • Set the IP for the connection to 192.168.1.2/24 or anything other than 192.168.1.1 (the router IP).
    • Connect to the BusPirate terminal, use Ansi mode in RealTerm.
    • Enter UART mode
    • Connect to the router console at 115200 baud, default settings for the other parameters.
    • Start UART pass-through, macro (1).
    • (If you use a FTDI Friend, just connect it at 115200 baud)
    • Press a key when requested to interrupt the boot process and enter the bootloader
    • Execute “protect off all” to remove any write protection on the firmware memory.
    • Execute “fsload” to enter firmware recovery mode.
    • Send the firmware image using TFTP client mode on the computer.

    • image
    • image

    • Wait for the update process to complete. The router boots automatically once the process has finished.

    • image

    • Look at the boot messages to make sure the flash was successful.
    • Solder in a plug for the WAN ethernet port if you want to use it. I could only find a shielded version of a connector in the correct size, but the shielding was easily removed. The PCB does not support shielded connectors.
    • clip_image009
    • Dremel out a hole in the backplate for the new connector
    • Log in to OpenWrt and configure your new router.
    • image 

    Author: DizzyBadger

    SQL Server DBA, Cluster expert, Principal Analyst

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.