Articles for Developer by Paolo Medici [PMX.it]. See License on bottom of this page.

This web page describes my experiments with the DG834. If you have any trouble or discover something important about this device, write me an e-mail (see the main web page).

USE OF THIS INFORMATION IS ENTIRELY AT YOUR OWN RISK.
YOU ARE LIKELY TO VOID YOUR WARRANTY.

 

DG834 (DG834v2)

First of all, to enable the TELNET service on the DG834, open the following URL in a web browser:

http://192.168.0.1/setup.cgi?todo=debug

Then connect to your router using telnet (PuTTY in telnet mode also works). 192.168.0.1 is the IP address of the DG834.

BusyBox v0.61.pre (2006.11.22-05:34+0000) Built-in shell (ash)

(OK, I now have some trouble, and sometimes the telnet connection freezes/fails)

Some information you can get from the Linux kernel:

# cat /proc/cpuinfo
processor : 0
cpu model : MIPS 4KEc V4.8
BogoMIPS : 149.91
wait instruction : no
microsecond timers : yes
extra interrupt vector : yes
hardware watchpoint : yes
VCED exceptions : not available
VCEI exceptions : not available
# cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 14577664 11329536 3248128 0 1355776 4399104
Swap: 0 0 0
MemTotal: 14236 kB
MemFree: 3172 kB
MemShared: 0 kB
Buffers: 1324 kB
Cached: 4296 kB
SwapCached: 0 kB
Active: 2736 kB
Inactive: 4476 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 14236 kB
LowFree: 3172 kB
SwapTotal: 0 kB
SwapFree: 0 kB
# cat /proc/version
Linux version 2.4.17_mvl21-malta-mips_fp_le (root@localhost.localdomain) (gcc version 2.95.3 20010315 (release/MontaVista)) #2 五 11月 17 11:22:45 CST 2006
# cat /proc/ticfg/env
maca **:**:**:**:**:**
macb **:**:**:**:**:**
memsize 0x01000000
flashsize 0x00400000
modetty0 115200,n,8,1,hw
modetty1 115200,n,8,1,hw
bootserport tty0
cpufrequency 150000000
sysfrequency 125000000
bootloaderVersion 0.18.01
ProductID DG834
HWRevision Unknown
SerialNumber none
prompt DGB34
firstfreeaddress 0x9402e088
req_fullrate_freq 125000000
mtd0 0x900d0000,0x903e0000
mtd1 0x90020000,0x900d0000
mtd2 0x90000000,0x90020000
mtd3 0x903e0000,0x903f0000
oam_lb_timeout 100
autoload
mtd4 0x903f0000,0x90400000

Detailed Analysis

See http://malphx.free.fr/dotclear/index.php/2005/05/10/6-la-structure-de-l-image-du-firmware-dg834g

The MIPS 4KEc processor is a Texas Instruments AR7.

Bootloader should be ADAM2 (for both DG834 and DG834G v2).

File System (since Firmware 3.1.25) is SquashFS + LZMA (NETGEAR home made).

from http://doomed.profusehost.net/dg834_1.html :

Chipset: AR7
CPU: MIPS 4KEc
SDRAM: 16MB RAM (Model IC42S16800 possible the 7ns version due to the -7T on the chip?)
Flash: 4MB - AMD AM29LV320
Ethernet: Marvell 88E6060-RCJ (5 port switch)
ADSL WAN Interface: "based on TI C62x DSP, with integrated transceiver, codec, line driver, and line receiver"
WLAN (DG834G only): TI TNETW1130 GWF

Firmware should be 4.063.232 bytes long (4Mb FLASH)

Dump FLASH

The flash is divided into several chunks:

# cat /proc/mtd 

dev:    size   erasesize  name
mtd0: 00310000 00010000 "mtd0"
mtd1: 000b0000 00010000 "mtd1"
mtd2: 00020000 00010000 "mtd2"
mtd3: 00010000 00010000 "mtd3"
mtd4: 00010000 00010000 "mtd4"

MTD  Contents                           Size    Address
0    Filesystem                         3136kb  0x900d0000
1    Kernel                             704kb   0x90020000
2    Code ADAM2 (and 0x400 bootloader)  128kb   0x90000000
3    Variables Nvram                    64kb    0x903e0000
4    Variables ADAM2                    64kb    0x903f0000

On the DG834, run a second HTTP web server to expose the /tmp folder:

# /usr/sbin/mini_httpd -d /tmp -p 8000

You can dump any mtd? device to a file in /tmp and download it through the web server.

# cat /dev/mtdblock/2 > /tmp/adam2.bin 
# cat /dev/mtdblock/1 > /tmp/kernel.bin 
# cat /dev/mtdblock/0 > /tmp/fs.bin 
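
A host-side check for the dumps, as an added example that is not part of the original page: it cross-checks the partition sizes from /proc/mtd against the address ranges in /proc/ticfg/env (both copied from the output quoted above), confirms the partitions tile the 4 MB flash, and verifies that a downloaded dump has exactly the partition's size before hashing it. The function names and the choice of SHA-256 are assumptions of this example.

```python
import hashlib
import re

# Copied from the /proc/mtd and /proc/ticfg/env output quoted on this page.
PROC_MTD = '''dev:    size   erasesize  name
mtd0: 00310000 00010000 "mtd0"
mtd1: 000b0000 00010000 "mtd1"
mtd2: 00020000 00010000 "mtd2"
mtd3: 00010000 00010000 "mtd3"
mtd4: 00010000 00010000 "mtd4"
'''
TICFG_ENV = '''mtd0 0x900d0000,0x903e0000
mtd1 0x90020000,0x900d0000
mtd2 0x90000000,0x90020000
mtd3 0x903e0000,0x903f0000
mtd4 0x903f0000,0x90400000
flashsize 0x00400000
'''

def parse_layout(proc_mtd, env):
    """Return [(name, start, size)] sorted by address; raise on any mismatch."""
    sizes = {m[1]: int(m[2], 16)
             for m in re.finditer(r'^(mtd\d+): ([0-9a-f]{8}) ', proc_mtd, re.M)}
    parts = []
    for m in re.finditer(r'^(mtd\d+) (0x[0-9a-f]+),(0x[0-9a-f]+)$', env, re.M):
        name, start, end = m[1], int(m[2], 16), int(m[3], 16)
        if sizes.get(name) != end - start:
            raise ValueError(f'{name}: kernel and bootloader disagree on size')
        parts.append((name, start, end - start))
    parts.sort(key=lambda p: p[1])
    flash = int(re.search(r'^flashsize (0x[0-9a-f]+)$', env, re.M)[1], 16)
    # Partitions must tile the flash with no gap or overlap.
    cursor = parts[0][1]
    for name, start, size in parts:
        if start != cursor:
            raise ValueError(f'gap or overlap before {name}')
        cursor += size
    if cursor - parts[0][1] != flash:
        raise ValueError('partitions do not cover the whole flash')
    return parts

def check_dump(data, name, parts):
    """Verify a dump has the partition's exact size; return its SHA-256."""
    size = {n: s for n, _, s in parts}[name]
    if len(data) != size:
        raise ValueError(f'{name}: got {len(data)} bytes, expected {size}')
    return hashlib.sha256(data).hexdigest()
```

Call `check_dump(open('adam2.bin', 'rb').read(), 'mtd2', parse_layout(PROC_MTD, TICFG_ENV))` for each downloaded file and keep the hashes with the backups; a truncated transfer over the flaky link shows up as a size mismatch. Stop the extra mini_httpd and delete the dumps from /tmp afterwards, since they are otherwise served to anyone who can reach port 8000.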

How To Rebuild Firmware

Using Linux, download the firmware (link below) and follow the README file contained in the tar.bz2 package.

You need a little-endian MIPS targeted toolchain with uClibc.

Obtain the LinkSys WRT54G Developer Kit or an AR7 cross compiler. For example, download the V2.02.7 WRT54G toolchain (~150 Mb) for a 32-bit Linux distribution (from this package, copy only the folder WRT54G/tools/brcm into /opt/brcm). I think the GCC MIPSEL cross compiler should fit our needs. GCC 3.0 and uClibc 0.9.19 [Tested to work]

Montavista Linux toolchain http://mcmcc.bat.ru/dlinkt/cross_utils/ GCC 2.95.4 and uClibc 0.9.19 [to test]

http://seattlewireless.net/NetgearDG834G suggests getting the toolchain from ToolChain

Alternatively, you can compile your own toolchain: follow the instructions here: uClibc

Mount Image

For example:
mount -o loop -t cramfs DG834_V3.01.xx.img /tmp/image
You need the cramfs file system module.
Starting from firmware Ver. 3.1.25, squashfs with LZMA compression is used. See the SquashFS-LZMA module, but it may be different and the image may not mount.

How To Rebuild Firmware

Decompress the source:

tar xvjf DG834\(G\).V3.01.32_src.bz2

(for example).

Enter the directory and follow the README.
Apply the patches:

patch -p0 < patch-apps
patch -p0 < patch-knl

As root, decompress target.tar.gz.

Modify the applications and so on, then copy them into the target directory (as root).

Rebuild the firmware using

./build.sh "DG834_V3.01.32.img" target newimage.img

Try to upload the new image to the router.

The md5sum of the original NETGEAR image is d4acbd5d83eb07d3c1aa32b903566de3

The md5sum of the rebuilt image is 2dc68b95f799034aae46853fae44b912

(maybe different compression options).

Rebuild Kernel

You can rebuild the kernel; however, the kernel needs a special procedure to be installed in the image.

Modify

.hhl_cross_compile

with the path of the cross compiler (OK... you do not need to change it if it is already correct).

If autoconf.h is not found, copy from

touch include/linux/autoconf.h
make menuconfig
If you use WRT BRCM, go to /opt/brcm/hndtools-mipsel-linux/bin and make symbolic links to gcc, as, nm and so on.
Then type
 
make

continue..........

 

Rebuild Application

Set/export the mipsel PATH or modify the Makefile:

"$PATH":/opt/brcm/hndtools-mipsel-uclibc-0.9.19/bin if you are using WRT54G or

"$PATH":/opt/mcmcc-mipsel/mipsel-linux-uclibc/bin if you are using MontaVista 2.95.4

Open patch-apps and look for changes (usually cross compiler, path and options).

utelnetd (0.1.2 -> 0.1.9)

Go to apps/utelnetd-0.1.2 and type

make

Rebuild utelnetd.... COMPILE OK ( vs 17776 original)... TEST OK

Copy the executable into the /usr/sbin directory in the target folder.

Download a new version of utelnetd: http://www.pengutronix.de/software/utelnetd/

For example:

wget http://www.pengutronix.de/software/utelnetd/utelnetd-0.1.9.tar.gz

Patch the Makefile:

CROSS := mipsel-uclibc-
CFLAGS+= -Os

Build utelnetd... COMPILE OK
TEST...

mini_httpd

Rebuild 1.17beta1 OK. (67492 bytes vs 63048 original 31)

Go to http://www.acme.com/software/mini_httpd/ and download the latest version:

wget http://www.acme.com/software/mini_httpd/mini_httpd-1.19.tar.gz
Change many files (Makefile, port.h ... and many others... urgh!)

Patch the Makefile:
 # CRYPT_LIB = 
 CC = mipsel-uclibc-gcc 
 CFLAGS = -Wall -Os ${CDEFS}
  

and force compile htpasswd.* using gcc instead of ${CC}

continue..... maybe

busybox

rebuild

porting from 0.61 pre to version 1.7.2 (ahahaha!)

Reference

NetgearDG834G

Netgear DG834v2 Hacking Page

NetGear's DG834 WebSite

NetGear's DG834 Kernel Source

Wake on lan utility for DG834(G) routers by Alessandro Soggia

Walli Wiki

The Little DG834 Page

Customising the Netgear DG834G MIPS 4KEc

 

Last updated: 25 Sep 2007