Table of Contents

Preface, Warnings, don't try this at home

There is a problem that I have no one with serial console to assist with testing these firmwares before I post them. Thus, it is all at your risk. I do limited tested beforehand.

I have looked at our bootloader, and it has no method to attempt a failsafe TFTP flash as Broadcom's does. The WRT54G I believe will load a TFTP image from bootloader if kernel is broke without intervention. Our current bootloader will not. If you attempt to start a TFTP transfer, it will try again and again and again indefinitely, thus it will never start the flashed image. I am trying to find solution to this, and the best I can think of now is replacing the bootloader. This is tricky as well and may produce a real brick requiring a JTAG which I don't have! :(

neutronscott tight

code name “neutronscott tight” (for now, heh) - lean busybox system for client or AP mode.

simple busybox with a few tools sprinked in. flash layout maximized for jffs2 partition. on first boot it creates a 5.5MB jffs2 writable partition, overlays it on top of the read-only squashfs partition, and you can change any file! there is limited web configuration! this is for advanced users, or users that wish to learn linux, and are able to setup their system using shell commands and scripts.

Most recent changes: ChangeLog (12/sept/2010)

Look at all that room! :)

Filesystem                Size      Used Available Use% Mounted on
/dev/root                 1.3M      1.3M         0 100% /oldroot
/dev/mtdblock2            5.8M    324.0K      5.5M   5% /oldroot/.jffs
/                         1.3M      1.3M         0 100% /
tmpfs                    30.8M     16.0K     30.8M   0% /tmp

installation

from official firmware

simply download the binary from below, and use the router's firmware upgrade page. it may work over wifi, but firmware upgrades are always suggested to be done over wired ethernet. (tho i don't adhere to this). the first boot will take awhile. First, the SES light will be orange when the kernel passes control to start-up script. Next, the light blinks orange/green as your recovery partition is formatted for jffs (takes about 60secs). Then, the light blinks green as dropbear is loading. RSA/DSS keys take 30sec to generate. Finally, the light will be green when everything is done! All together I counted 2minutes. Just give it a 1-2 more tho before you consider it dead and want to try when things go wrong

from my previous versions

  1. cd /tmp
  2. flashcp -v latest.bin /dev/mtd0
  3. cross your fingers…
  4. reboot

initial setup

  1. Plug a PC into any of the LAN or WAN ports. You should be assigned an IP via DHCP in the 192.168.2.50-150 range.
  2. SSH to root@192.168.2.1, password is 'password'
  3. change your root password! type 'passwd'
  4. configure the wireless interfaces: have a look at /etc/wireless/iwpriv_usage.txt
    • also can place defaults in /etc/wireless/rt61ap.dat
  5. maybe setup more firewall rules with iptables, google it. it's beyond the scope of this document. :(

client mode

you should only have to change /etc/init.d/S20network to setup the bridge differently and load rt61 vs rt61ap.

WAN=ra0
LAN=adm1
modprobe rt61

then edit /etc/wireless/rt61sta.dat to set your SSID and encryption settings.

Installing programs

run ipkg-cl update and try to install stuff. ipkg-cl list gives my few packages. look at /etc/ipkg.conf and uncomment the openwrt source for more. library versions might conflict and things might segfault though a lot of packages worked for me…

To build sources you'll need a mipsel toolchain with uClibc-0.9.31… It's almost the default buildroot config. Just select MIPS32 cpu. It's a pain to setup, feel free to email me any requests. I'm building with an ancient iBook G4 so my toolchain binaries are PowerPC and worthless to just about anyone. :(

when things go wrong

i tried to incorporate a failsafe in case you mess up your configuration and no longer can access the box, and don't have a serial cable. simply hold down the SES button (the big button with a key on top) while applying power, until the SES light turns green. the system will boot without mounting jffs.

prior to build 30

  1. Start with router unplugged.
  2. Set ethernet interface on PC to 10.3.0.2
  3. Plug into any LAN port of router
  4. Turn on the router. SES LED should turn orange, then blinking orange if it sensed 10.3.0.2
  5. Begin an ssh connection to root@10.3.0.1, password is 'password'

Your shell will be using the read-only root filesystem. You'd probably want to mount the jffs system next: mount -t jffs2 /dev/mtdblock2 /mnt and your broken files will be in /mnt/.overlay ;)

CAUTION You should not directly mess with the /jffs/.overlay files unless in failsafe mode, or you'll break stuff. If you'd like to start clean, touch /jffs/.rm-rf and the preinit script will format it for you during the next power-on.

Known Issues

These might take more time:

Revert to offical

I have a full image of what shipped on my WRTU54G-TM (v1.00.04). It's some old firmware. This will restore your tmobile cert, and recovery partition. Then you can use normal web interface to upgrade to latest from Linksys site:

  1. cd /tmp
  2. flashcp -v revert.bin /dev/mtd0

Download

Think first: you probably don't want this!! try OpenWRT builds.

wrtu54g-tm_tight_20100912.bin (12/sept/2010)

MagicJack proxy

Based on the binary of v1.00.21, I simply injected mjproxy and dropbear. The root password is 'mjproxy' but your ssh port shouldn't be reachable via the WAN interface.

Setup

I source /nv/rc.custom during the startup scripts so you place any of your startup in there. Cut and paste this into notepad, edit it, and paste it into the SSH terminal.

cat >/nv/rc.custom <<__EOF__
/usr/sbin/iptables -I INPUT -p udp --dport 5070 -j ACCEPT
/usr/sbin/mjproxy 0.0.0.0 5070 proxy01.tampa.talk4free.com 5070 PASSWORD
__EOF__

/usr/sbin/rawaccess -s

Reboot.

Download

wrtu54g-v1.00.21-mjproxy.bin