NETGEAR DG834G

Image of Tux sitting on a large plastic sardine can.

ADSL Modem, 802.11b/g Wireless AP, 4 Port Switch, Router, and Linux in a Can.

Here is all the information I have put down so far. It should be just as applicable to the DG834 unit. First come the basics: information on the unit, its hardware and software makeup and the like. Lower down is information on the firmware makeup and details for getting inside the unit to play.

Please note that the information on this page hasn't been updated since early 2004 and some of it does not apply to the latest firmware.

This page is being served from a DG834G as a proof of concept. The reason for the high port number is privileged port filtering by my ISP.

Specifications

To get it out of the way and start with the basics, these are the specs provided by Netgear. It is pretty much an all-in-one product, so there is no point repeating the information here. A better overview can be found in the DG834G Reference manual.

Hardware Specs

CPU

Look ma, no fans! This little thing has more power than a Pentium.

# cat /proc/cpuinfo
processor               : 0
cpu model               : MIPS 4KEc V4.8
BogoMIPS                : 149.91
wait instruction        : no
microsecond timers      : yes
extra interrupt vector  : yes
hardware watchpoint     : yes
VCED exceptions         : not available
VCEI exceptions         : not available

Memory

There is a total of 14Mb but only 1.5Mb of that appears to be free after startup with all the standard services running. There isn't much room left to play.

# cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  14802944 13271040  1531904        0  1687552  4358144
Swap:        0        0        0
MemTotal:        14456 kB
MemFree:          1496 kB
MemShared:           0 kB
Buffers:          1648 kB
Cached:           4256 kB
SwapCached:          0 kB
Active:           2296 kB
Inactive:         5184 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        14456 kB
LowFree:          1496 kB
SwapTotal:           0 kB
SwapFree:            0 kB

Interfaces

One thing to note is that the MAC address on all the interfaces is identical. The Texas Instruments wlan interface is not always available: it disappears when disabled from the web interface.

# ifconfig
br0       Link encap:Ethernet  HWaddr 0x:0x:0x:0x:0x:0x
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:70970 errors:0 dropped:0 overruns:0 frame:0
          TX packets:81136 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6632892 (6.3 Mb)  TX bytes:50376330 (48.0 Mb)

eth0      Link encap:Ethernet  HWaddr 0x:0x:0x:0x:0x:0x
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:70978 errors:0 dropped:0 overruns:0 frame:0
          TX packets:146776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:7911066 (7.5 Mb)  TX bytes:54314377 (51.7 Mb)
          Base address:0x2800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8976 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8976 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1510089 (1.4 Mb)  TX bytes:1510089 (1.4 Mb)

ppp0      Link encap:Point-Point Protocol
          inet addr:210.23.154.165  P-t-P:203.9.190.190  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:35226 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28458 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:28212764 (26.9 Mb)  TX bytes:3649100 (3.4 Mb)

tiwlan0   Link encap:Ethernet  HWaddr 0x:0x:0x:0x:0x:0x
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1734 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:162996 (159.1 kb)

Software Specs

Netgear may have provided the source code to the kernel and any OS applications they have used, but not to any of their add-on applications used in managing the system. From what most of the closed-source applications appear to do, they should not be too difficult to rewrite from scratch if anyone wanted to create, for example, a more powerful interface to iptables.

Linux Kernel

It runs Linux? This is from a DG834G loaded with firmware v1.03.07, but all revisions appear to be based on 2.4.17.

# cat /proc/version
Linux version 2.4.17_mvl21-malta-mips_fp_le (root@Run-P4) (gcc version 2.95.3 20010315 (release/MontaVista)) #8 Thu Jan 29 17:42:41 CST 2004

Free Software

Netgear has chosen an interesting set of applications. Not being familiar with the limitations of most of them, I can't really comment. There are a couple of limitations implemented, like no ftpget/ftpput included in busybox and no other file transfer available, or using mini_httpd instead of busybox's httpd.

  1. bridge-utils-0.9.5 - bridging between the various interfaces
  2. busybox - unix shell and command line utilities (in firmware 1.02.00 also includes tftp!)
  3. cron - scheduler (no version information available)
  4. dproxy-nexgen - smart caching nameserver, used as DNS proxy
  5. ez-ipupdate-3.0.11b7 - dynamic DNS update client
  6. iptables-1.2.8 - state based firewall
  7. libupnp-1.2.1 - universal plug and play, port forwarding on request
  8. linux-atm-2.4.0 - ATM on Linux, release 2.4.0 (beta), basically an ADSL interface
  9. micro_inetd - inetd supporting only a single app, used to launch micro telnetd
  10. mini_httpd-1.17beta1 - http server for web interface
  11. nbtscan-1.5.1a - netbios scan, gathers information on computers connected to router
  12. ppp-2.4.1.pppoe4.orig - pppd, used for pppoa connections
  13. rp-pppoe-3.5 - ppp over ethernet client
  14. smtpclient-1.0.0 - smtp client, for email notification
  15. udhcp-0.9.7 - dhcp server
  16. zebra-0.93b - router, supports BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng.
  17. utelnetd-0.1.2 - micro telnetd

NETGEAR Software

All of Netgear's control applications are unfortunately closed source, so no simple modification is possible. A complete rewrite would be required to reimplement the functionality of the web interface. The limitation of the shell permits only very basic CGI.

HTML

The HTML interface and associated files take up around 2MB in total. Removing the files for other languages will free up about 1.5MB from the ROM image. The image files are quite small and the gain in space doesn't justify their removal.

File System Layout

I apologise for the long file list, but it's included for reference. This is the file list as extracted from the firmware (1.02.10), not from the actual device, which is why directories like proc appear empty here but are filled at runtime.

You will notice Netgear have been a little sloppy, with ~ files left in there. Also, one or two files in the www subdirectories are corrupted. At first I thought it might be a cramfs compatibility issue when mounting the image, but the files are corrupted on the device as well. As an example, look at http://192.168.0.1/upload.gif and notice that it won't load. It probably slipped by Netgear's QA because it doesn't actually appear to be used anywhere; wait.gif is used instead.

.:
total 20
drwxr-xr-x    1      436 Feb 15 23:53 bin
drwxr-xr-x    1        0 Jan  1  1970 dev
lrwxrwxrwx    1        8 Feb 15 23:53 etc -> /tmp/etc
drwxr-xr-x    1      680 Jan  1  1970 lib
drwxr-xr-x    1        0 Jan  1  1970 proc
drwxr-xr-x    1      196 Jan  1  1970 sbin
drwxr-xr-x    1        0 Jan  1  1970 tmp
drwxr-xr-x    1       80 Jan  1  1970 usr
lrwxrwxrwx    1        8 Feb 15 23:53 var -> /tmp/var
lrwxrwxrwx    1        8 Feb 15 23:53 www -> /tmp/www
drwxr-xr-x    1     3404 Jan  1  1970 www.deu
drwxr-xr-x    1     3372 Jan  1  1970 www.eng
drwxr-xr-x    1     3348 Jan  1  1970 www.fre
drwxr-xr-x    1     3428 Jan  1  1970 www.ita

./bin:
total 286
lrwxrwxrwx    1        7 Jan  1  1970 ash -> busybox
-rwxr-xr-x    1   280112 Feb 15 23:55 busybox
lrwxrwxrwx    1        7 Feb 15 23:54 cat -> busybox
lrwxrwxrwx    1        7 Feb 15 23:55 chmod -> busybox
lrwxrwxrwx    1        7 Feb 15 23:54 cp -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 dd -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 dmesg -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 echo -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 false -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 grep -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 kill -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 ln -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 ls -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 mkdir -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 more -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 mount -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 mv -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 ping -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 ps -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 rm -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 sh -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 sleep -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 touch -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 true -> busybox
lrwxrwxrwx    1        7 Jan  1  1970 umount -> busybox

./dev:
total 0

./lib:
total 742
-rwxr-xr-x    1    22400 Jan  1  1970 ld-uClibc-0.9.19.so
lrwxrwxrwx    1       19 Jan  1  1970 ld-uClibc.so.0 -> ld-uClibc-0.9.19.so
lrwxrwxrwx    1       15 Jan  1  1970 libatm.so -> libatm.so.1.0.0
lrwxrwxrwx    1       15 Jan  1  1970 libatm.so.1 -> libatm.so.1.0.0
-rwxr-xr-x    1    45180 Jan  1  1970 libatm.so.1.0.0
lrwxrwxrwx    1       19 Jan  1  1970 libc.so.0 -> libuClibc-0.9.19.so
-rw-r--r--    1    13040 Jan  1  1970 libcrypt-0.9.19.so
lrwxrwxrwx    1       18 Jan  1  1970 libcrypt.so.0 -> libcrypt-0.9.19.so
-rw-r--r--    1     8064 Jan  1  1970 libdl-0.9.19.so
lrwxrwxrwx    1       15 Jan  1  1970 libdl.so.0 -> libdl-0.9.19.so
-rwxr-xr-x    1    55056 Jan  1  1970 libixml.so
-rw-r--r--    1     1972 Jan  1  1970 libnsl-0.9.19.so
lrwxrwxrwx    1       16 Jan  1  1970 libnsl.so.0 -> libnsl-0.9.19.so
-rwxr-xr-x    1    10208 Jan  1  1970 libpppoatm.so
-rwxr-xr-x    1    34100 Jan  1  1970 libpppoe.so
-rw-r--r--    1    96476 Jan  1  1970 libpthread-0.9.19.so
lrwxrwxrwx    1       20 Jan  1  1970 libpthread.so.0 -> libpthread-0.9.19.so
-rw-r--r--    1     1976 Jan  1  1970 libresolv-0.9.19.so
lrwxrwxrwx    1       19 Jan  1  1970 libresolv.so.0 -> libresolv-0.9.19.so
-rwxr-xr-x    1    22864 Jan  1  1970 libthreadutil.so
-rw-r--r--    1   289436 Jan  1  1970 libuClibc-0.9.19.so
-rwxr-xr-x    1   144964 Jan  1  1970 libupnp.so
-rw-r--r--    1     5140 Jan  1  1970 libutil-0.9.19.so
lrwxrwxrwx    1       17 Jan  1  1970 libutil.so.0 -> libutil-0.9.19.so
drwxr-xr-x    1      136 Jan  1  1970 modules

./lib/modules:
total 294
drwxr-xr-x    1       20 Jan  1  1970 2.4.17_mvl21-malta-mips_fp_le
-rw-r--r--    1   195986 Jan  1  1970 ar0700xx.bin
-rw-r--r--    1    10328 Jan  1  1970 led.o
-rw-r--r--    1     6268 Jan  1  1970 push_button.o
-rw-r--r--    1    86096 Jan  1  1970 tiwlan.o

./lib/modules/2.4.17_mvl21-malta-mips_fp_le:
total 1
drwxr-xr-x    1       36 Jan  1  1970 kernel

./lib/modules/2.4.17_mvl21-malta-mips_fp_le/kernel:
total 1
drwxr-xr-x    1       16 Jan  1  1970 drivers
drwxrwxr-x    1       16 Jan  1  1970 net

./lib/modules/2.4.17_mvl21-malta-mips_fp_le/kernel/drivers:
total 1
drwxr-xr-x    1       20 Jan  1  1970 atm

./lib/modules/2.4.17_mvl21-malta-mips_fp_le/kernel/drivers/atm:
total 144
-rw-r--r--    1   147436 Jan  1  1970 tiatm.o

./lib/modules/2.4.17_mvl21-malta-mips_fp_le/kernel/net:
total 1
drwxrwxr-x    1       24 Jan  1  1970 ipv4

./lib/modules/2.4.17_mvl21-malta-mips_fp_le/kernel/net/ipv4:
total 1
drwxrwxr-x    1      176 Jan  1  1970 netfilter

./lib/modules/2.4.17_mvl21-malta-mips_fp_le/kernel/net/ipv4/netfilter:
total 58
-rw-r--r--    1    13016 Jan  1  1970 ip_conntrack_pptp.o
-rw-r--r--    1     9116 Jan  1  1970 ip_conntrack_proto_gre.o
-rw-r--r--    1     7076 Jan  1  1970 ip_nat_pptp.o
-rw-r--r--    1     6156 Jan  1  1970 ip_nat_proto_gre.o
-rw-r--r--    1    16352 Jan  1  1970 ipt_REJECT.o
-rw-r--r--    1     6052 Jan  1  1970 ipt_string.o

./proc:
total 0

./sbin:
total 32
lrwxrwxrwx    1       14 Jan  1  1970 ifconfig -> ../bin/busybox
lrwxrwxrwx    1       14 Jan  1  1970 init -> ../bin/busybox
lrwxrwxrwx    1       14 Jan  1  1970 insmod -> ../bin/busybox
lrwxrwxrwx    1        7 Jan  1  1970 klogd -> syslogd
lrwxrwxrwx    1       14 Jan  1  1970 lsmod -> ../bin/busybox
lrwxrwxrwx    1       14 Jan  1  1970 modprobe -> ../bin/busybox
lrwxrwxrwx    1       14 Jan  1  1970 reboot -> ../bin/busybox
lrwxrwxrwx    1       14 Jan  1  1970 rmmod -> ../bin/busybox
lrwxrwxrwx    1       14 Jan  1  1970 route -> ../bin/busybox
-rwxr-xr-x    1    27552 Jan  1  1970 syslogd

./tmp:
total 0

./usr:
total 4
drwxr-xr-x    1       68 Jan  1  1970 bin
drwxr-xr-x    1      640 Jan  1  1970 dev
drwxr-xr-x    1      428 Jan  1  1970 etc
drwxr-xr-x    1      772 Jan  1  1970 sbin
drwxr-xr-x    1      120 Jan  1  1970 upnp

./usr/bin:
total 2
lrwxrwxrwx    1       17 Jan  1  1970 [ -> ../../bin/busybox
lrwxrwxrwx    1       17 Jan  1  1970 free -> ../../bin/busybox
lrwxrwxrwx    1       17 Jan  1  1970 killall -> ../../bin/busybox
lrwxrwxrwx    1       17 Jan  1  1970 test -> ../../bin/busybox

./usr/dev:
total 32
crw-rw-rw-    1   2,   0 Feb 15 23:56 ptyp0
crw-rw-rw-    1   2,   1 Jan  1  1970 ptyp1
crw-rw-rw-    1   2,   2 Jan  1  1970 ptyp2
crw-rw-rw-    1   2,   3 Jan  1  1970 ptyp3
crw-rw-rw-    1   2,   4 Jan  1  1970 ptyp4
crw-rw-rw-    1   2,   5 Jan  1  1970 ptyp5
crw-rw-rw-    1   2,   6 Jan  1  1970 ptyp6
crw-rw-rw-    1   2,   7 Jan  1  1970 ptyp7
crw-rw-rw-    1   2,   8 Jan  1  1970 ptyp8
crw-rw-rw-    1   2,   9 Jan  1  1970 ptyp9
crw-rw-rw-    1   2,  10 Jan  1  1970 ptypa
crw-rw-rw-    1   2,  11 Jan  1  1970 ptypb
crw-rw-rw-    1   2,  12 Jan  1  1970 ptypc
crw-rw-rw-    1   2,  13 Jan  1  1970 ptypd
crw-rw-rw-    1   2,  14 Jan  1  1970 ptype
crw-rw-rw-    1   2,  15 Jan  1  1970 ptypf
crw-rw-rw-    1   3,   0 Jan  1  1970 ttyp0
crw-rw-rw-    1   3,   1 Jan  1  1970 ttyp1
crw-rw-rw-    1   3,   2 Jan  1  1970 ttyp2
crw-rw-rw-    1   3,   3 Jan  1  1970 ttyp3
crw-rw-rw-    1   3,   4 Jan  1  1970 ttyp4
crw-rw-rw-    1   3,   5 Jan  1  1970 ttyp5
crw-rw-rw-    1   3,   6 Jan  1  1970 ttyp6
crw-rw-rw-    1   3,   7 Jan  1  1970 ttyp7
crw-rw-rw-    1   3,   8 Jan  1  1970 ttyp8
crw-rw-rw-    1   3,   9 Jan  1  1970 ttyp9
crw-rw-rw-    1   3,  10 Jan  1  1970 ttypa
crw-rw-rw-    1   3,  11 Jan  1  1970 ttypb
crw-rw-rw-    1   3,  12 Jan  1  1970 ttypc
crw-rw-rw-    1   3,  13 Jan  1  1970 ttypd
crw-rw-rw-    1   3,  14 Jan  1  1970 ttype
crw-rw-rw-    1   3,  15 Jan  1  1970 ttypf

./usr/etc:
total 14
prw-r--r--    1        0 Jan  1  1970 cmd_agent
-rw-r--r--    1       83 Jan  1  1970 crontab
-rw-r--r--    1     2469 Jan  1  1970 default
-rw-r--r--    1       25 Jan  1  1970 group
-rw-r--r--    1      147 Jan  1  1970 hosts
lrwxrwxrwx    1       21 Jan  1  1970 nocache.cgi -> /usr/sbin/nocache.cgi
-rw-r--r--    1       57 Jan  1  1970 passwd
drwxr-xr-x    1       88 Jan  1  1970 ppp
-rwxr-xr-x    1     1987 Jan  1  1970 rcS
-rw-r--r--    1        0 Jan  1  1970 resolv.conf
lrwxrwxrwx    1       28 Jan  1  1970 restore_config.cgi -> /usr/sbin/restore_config.cgi
lrwxrwxrwx    1       19 Jan  1  1970 setup.cgi -> /usr/sbin/setup.cgi
-rw-r--r--    1      167 Jan  1  1970 syslog.conf
-rwxr-xr-x    1      815 Jan  1  1970 udhcpc.fix.script
-rwxr-xr-x    1      989 Jan  1  1970 udhcpc.script
-rwxr-xr-x    1      372 Jan  1  1970 udhcpc.wizard.script
lrwxrwxrwx    1       27 Jan  1  1970 upgrade_flash.cgi -> /usr/sbin/upgrade_flash.cgi
-rw-r--r--    1        9 Jan  1  1970 version

./usr/etc/ppp:
total 2
-rwxr-xr-x    1       92 Jan  1  1970 ip-down
-rwxr-xr-x    1      115 Jan  1  1970 ip-up
-rwxr-xr-x    1      168 Jan  1  1970 ip-up-demand
lrwxrwxrwx    1       14 Jan  1  1970 resolv.conf -> ../resolv.conf

./usr/sbin:
total 2935
drwxr-xr-x    1       56 Jan  1  1970 adsl_test
-rwxr-xr-x    1     5344 Jan  1  1970 atm_monitor
-rwxr-xr-x    1    13584 Jan  1  1970 atmarp
-rwxr-xr-x    1    55072 Jan  1  1970 atmarpd
-rwxr-xr-x    1    13624 Jan  1  1970 br2684ctl
-rwxr-xr-x    1    34760 Jan  1  1970 brctl
-rwxr-xr-x    1     5328 Jan  1  1970 cmd_agent_ap
-rwxr-xr-x    1     9472 Jan  1  1970 cpu
-rwxr-xr-x    1    26132 Jan  1  1970 crond
-rwxr-xr-x    1    25516 Jan  1  1970 dproxy
-rwxr-xr-x    1    56492 Jan  1  1970 ez-ipupdate
drwxr-xr-x    1      128 Jan  1  1970 fw-scripts
-rwxr-xr-x    1   138272 Jan  1  1970 iptables
-rwxr-xr-x    1     9472 Jan  1  1970 micro_inetd
-rwxr-xr-x    1    58696 Jan  1  1970 mini_httpd
-rwxr-xr-x    1    22976 Jan  1  1970 nbtscan
-rwxr-xr-x    1    19880 Jan  1  1970 netgear_ntp
-rwxr-xr-x    1    21900 Jan  1  1970 nocache.cgi
-rwxr-xr-x    1    13620 Jan  1  1970 nvram
-rwxr-xr-x    1     5328 Jan  1  1970 pb_ap
-rwxr-xr-x    1   245420 Jan  1  1970 pppd
-rwxr-xr-x    1    34868 Jan  1  1970 pppoe
-rwxr-xr-x    1   104576 Jan  1  1970 rc
-rwxr-xr-x    1     9472 Jan  1  1970 restore_config.cgi
-rwxr-xr-x    1   363008 Jan  1  1970 ripd
-rwxr-xr-x    1    17844 Jan  1  1970 scfgmgr
-rwxr-xr-x    1   173088 Jan  1  1970 setup.cgi
-rwxr-xr-x    1    13664 Jan  1  1970 smtpc
lrwxrwxrwx    1        6 Jan  1  1970 udhcpc -> udhcpd
-rwxr-xr-x    1    45676 Jan  1  1970 udhcpd
-rwxr-xr-x    1    13640 Jan  1  1970 upgrade_flash.cgi
-rwxr-xr-x    1    38936 Jan  1  1970 upnpd
-rwxr-xr-x    1  1112048 Jan  1  1970 user_drv
-rwxr-xr-x    1    13648 Jan  1  1970 utelnetd
-rwxr-xr-x    1    13744 Jan  1  1970 wizard
-rwxr-xr-x    1   260192 Jan  1  1970 zebra

./usr/sbin/adsl_test:
total 322
-rw-r--r--    1   164778 Jan  1  1970 ar0700mp_diag.bin
-rw-r--r--    1   164484 Jan  1  1970 tiadiag.o

./usr/sbin/fw-scripts:
total 14
-rwxr-xr-x    1      801 Jan  1  1970 algs
-rwxr-xr-x    1      987 Jan  1  1970 cfilter
-rwxr-xr-x    1      152 Jan  1  1970 dmz
-rwxr-xr-x    1     2216 Jan  1  1970 dos
-rwxr-xr-x    1     6754 Jan  1  1970 firewall
-rwxr-xr-x    1      696 Jan  1  1970 rcontrol
-rwxr-xr-x    1      178 Jan  1  1970 rping

./usr/upnp:
total 22
-rw-------    1     4430 Jan  1  1970 cmnicfg.xml
-rw-rw-rw-    1     3064 Jan  1  1970 gateway.mod
lrwxrwxrwx    1       16 Jan  1  1970 gateway.xml -> /etc/gateway.xml
-rw-rw-rw-    1    13113 Jan  1  1970 ipcfg.xml
-rw-rw-rw-    1      704 Jan  1  1970 osinfo.xml

./www.eng:
total 510
lrwxrwxrwx    1       13 Feb 15 23:59 .htpasswd -> /etc/htpasswd
-rw-------    1     2427 Jan  1  1970 adsl_test.htm
-rw-------    1     1713 Jan  1  1970 back_cfm.htm
-rw-------    1     3217 Jan  1  1970 backup.htm
-rw-------    1     2217 Jan  1  1970 basic.htm
-rw-------    1     2362 Jan  1  1970 basictop.htm
-rw-------    1      445 Jan  1  1970 blank.htm
-rw-r--r--    1       43 Jan  1  1970 darkblue.gif
-rw-------    1     4362 Jan  1  1970 ddns.htm
-rw-------    1     1216 Jan  1  1970 detwan.htm
-rw-------    1     1819 Jan  1  1970 devices.htm
-rw-------    1     5345 Jan  1  1970 diag.htm
-rw-------    1     1994 Jan  1  1970 diag_rt.htm
-rw-------    1     2197 Jan  1  1970 diagping.htm
-rw-------    1     2845 Jan  1  1970 dsl_cfg.htm
-rw-------    1     7357 Jan  1  1970 email.htm
-rw-------    1      865 Jan  1  1970 err401.html
-rw-------    1      825 Jan  1  1970 err888.html
-rw-------    1     6223 Jan  1  1970 err_msg
-rw-------    1    15261 Jan  1  1970 ether.htm
-rw-r--r--    1     1392 Jan  1  1970 fcc.htm
-rw-------    1     1122 Jan  1  1970 form.css
-rw-------    1     9365 Jan  1  1970 fw_rules.htm
-rw-------    1     2415 Jan  1  1970 fw_serv.htm
-rw-------    1     2001 Jan  1  1970 h_diag.htm
-rw-------    1      871 Jan  1  1970 h_dslcfg.htm
-rw-------    1     3069 Jan  1  1970 h_fwrl.htm
-rw-------    1     1691 Jan  1  1970 h_fwsv.htm
-rw-------    1     2493 Jan  1  1970 h_log.htm
-rw-------    1     1110 Jan  1  1970 h_redit.htm
-rw-------    1     2454 Jan  1  1970 h_rm.htm
-rw-------    1     2982 Jan  1  1970 h_rulein.htm
-rw-------    1     3273 Jan  1  1970 h_ruleinat.htm
-rw-------    1     3177 Jan  1  1970 h_ruleou.htm
-rw-------    1     2874 Jan  1  1970 h_secu.htm
-rw-------    1     1395 Jan  1  1970 h_svinfo.htm
-rw-------    1     2724 Jan  1  1970 h_upnp.htm
-rw-------    1     1822 Jan  1  1970 h_wadd.htm
-rw-r--r--    1     5991 Jan  1  1970 h_wire.htm
-rw-------    1     3529 Jan  1  1970 h_wmac.htm
-rw-------    1      761 Jan  1  1970 hatdev.htm
-rw-------    1     3459 Jan  1  1970 hbackup.htm
-rw-------    1     1915 Jan  1  1970 hddns.htm
-rw-------    1      964 Jan  1  1970 help.css
-rw-------    1     2813 Jan  1  1970 hemail.htm
-rw-------    1     6054 Jan  1  1970 hether.htm
-rw-------    1     3160 Jan  1  1970 hkeyword.htm
-rw-------    1     4965 Jan  1  1970 hlanip.htm
-rw-r--r--    1     6165 Jan  1  1970 hm_icon.gif
-rw-------    1     1537 Jan  1  1970 hpasswd.htm
-rw-------    1     1414 Jan  1  1970 hph_fail.htm
-rw-------    1     5316 Jan  1  1970 hpppoa.htm
-rw-------    1     4438 Jan  1  1970 hpppoe.htm
-rw-------    1     1656 Jan  1  1970 hreserv.htm
-rw-------    1     2678 Jan  1  1970 hschedul.htm
-rw-------    1     2258 Jan  1  1970 hsroutes.htm
-rw-------    1     2952 Jan  1  1970 hsstatus.htm
-rw-------    1     3536 Jan  1  1970 hsstatus_w.htm
-rw-------    1     2339 Jan  1  1970 hupgrd.htm
-rw-------    1     2100 Jan  1  1970 hw_cip.htm
-rw-------    1     1356 Jan  1  1970 hw_dyn.htm
-rw-------    1     1045 Jan  1  1970 hw_fail.htm
-rw-------    1      984 Jan  1  1970 hw_fix.htm
-rw-------    1      887 Jan  1  1970 hw_msg.htm
-rw-------    1     2056 Jan  1  1970 hw_pppoa.htm
-rw-------    1     1992 Jan  1  1970 hw_pppoe.htm
-rw-------    1     1511 Jan  1  1970 hwiz_cfm.htm
-rw-------    1     1611 Jan  1  1970 hwizard.htm
-rw-------    1      569 Jan  1  1970 index.htm
-rw-------    1      550 Jan  1  1970 index1.htm
-rw-------    1     2855 Jan  1  1970 interval.htm
-rw-------    1     1368 Jan  1  1970 jsmsg.htm
-rw-------    1     6618 Jan  1  1970 keyword.htm
-rw-------    1     7679 Jan  1  1970 lan.htm
-rw-------    1    12232 Jan  1  1970 linux.js
-rw-r--r--    1       95 Jan  1  1970 liteblue.gif
-rw-------    1     5560 Jan  1  1970 log.htm
-rw-------    1     1266 Jan  1  1970 logout.htm
-rw-------    1     5128 Jan  1  1970 m_access.htm
-rw-------    1     6416 Jan  1  1970 menu.htm
-rw-r--r--    1      823 Jan  1  1970 menublue.gif
-rw-------    1      784 Jan  1  1970 message.htm
lrwxrwxrwx    1       16 Jan  1  1970 netgear.cfg -> /tmp/netgear.cfg
lrwxrwxrwx    1       16 Jan  1  1970 nocache.cgi -> /etc/nocache.cgi
-rw-------    1     2922 Jan  1  1970 password.htm
-rw-------    1     1525 Jan  1  1970 ph_fail.htm
-rw-------    1    11418 Jan  1  1970 pppoa.htm
-rw-------    1     8435 Jan  1  1970 pppoe.htm
-rw-------    1      658 Jan  1  1970 ptimeout.htm
-rw-------    1     1012 Jan  1  1970 pwarning.htm
-rw-r--r--    1      864 Jan  1  1970 rbullet.gif
-rw-------    1     2538 Jan  1  1970 reboot_pg.htm
-rw-r--r--    1      170 Jan  1  1970 redbull.gif
-rw-------    1     6657 Jan  1  1970 remotemg.htm
-rw-------    1     3138 Jan  1  1970 resedit.htm
-rw-------    1     4811 Jan  1  1970 reserv.htm
lrwxrwxrwx    1       23 Jan  1  1970 restore_config.cgi -> /etc/restore_config.cgi
-rw-------    1     2526 Jan  1  1970 routes.htm
-rw-------    1     5165 Jan  1  1970 routinfo.htm
-rw-------    1     8096 Jan  1  1970 rule_in.htm
-rw-------    1    10416 Jan  1  1970 rule_out.htm
-rw-------    1     5060 Jan  1  1970 s_status.htm
-rw-------    1    14364 Jan  1  1970 schedule.htm
-rw-------    1     4860 Jan  1  1970 security.htm
-rw-------    1     3222 Jan  1  1970 servinfo.htm
-rw-r--r--    1     6710 Jan  1  1970 settingsDG834.gif
-rw-r--r--    1     6770 Jan  1  1970 settingsDG834B.gif
-rw-r--r--    1     7072 Jan  1  1970 settingsDG834G.gif
-rw-r--r--    1     7113 Jan  1  1970 settingsDG834GB.gif
lrwxrwxrwx    1       14 Jan  1  1970 setup.cgi -> /etc/setup.cgi
-rw-r--r--    1       43 Jan  1  1970 spacer.gif
-rw-------    1      457 Jan  1  1970 st_ddns.htm
-rw-------    1     2920 Jan  1  1970 st_dhcp.htm
-rw-------    1     2142 Jan  1  1970 st_fixip.htm
-rw-------    1     2713 Jan  1  1970 st_poe.htm
-rw-------    1     1212 Jan  1  1970 start.htm
-rw-------    1     1212 Jan  1  1970 start1.htm
-rw-------    1     4058 Jan  1  1970 stattbl.htm
-rw-------    1      730 Jan  1  1970 system.htm
-rw-------    1      569 Jan  1  1970 top.htm
-rw-------    1     2632 Jan  1  1970 upg_pg.htm
-rw-------    1     3140 Jan  1  1970 upgrade.htm
lrwxrwxrwx    1       22 Jan  1  1970 upgrade_flash.cgi -> /etc/upgrade_flash.cgi
-rw-r--r--    1    11250 Jan  1  1970 upload.gif
-rw-------    1     5559 Jan  1  1970 upnp.htm
-rw-------    1    11496 Jan  1  1970 utility.js
-rw-r--r--    1     8831 Jan  1  1970 wait.gif
-rw-------    1      439 Jan  1  1970 wanstat.htm
-rw-r--r--    1    15175 Jan  1  1970 wireless.htm
-rw-r--r--    1    15211 Jan  1  1970 wireless.htm~
-rw-------    1     1565 Jan  1  1970 wiz_cfm.htm
-rw-------    1     5585 Jan  1  1970 wiz_cip.htm
-rw-------    1     2663 Jan  1  1970 wiz_dyn.htm
-rw-------    1     1724 Jan  1  1970 wiz_fail.htm
-rw-------    1     2157 Jan  1  1970 wiz_msg.htm
-rw-------    1     3249 Jan  1  1970 wiz_sel.htm
-rw-------    1     3172 Jan  1  1970 wizpppoa.htm
-rw-------    1     3127 Jan  1  1970 wizpppoe.htm
-rw-------    1     1717 Jan  1  1970 wtest_d.htm
-rw-------    1     2972 Jan  1  1970 wtest_l.htm

./www.deu:
total 533
[MINOR VARIATIONS FROM WWW.ENG]

./www.fre:
total 520
[MINOR VARIATIONS FROM WWW.ENG]

./www.ita:
total 529
[MINOR VARIATIONS FROM WWW.ENG]

Runtime

Startup

This is a quick rundown of the rcS startup script.

  1. /proc is mounted and /tmp is mounted in ram
  2. directories have to be recreated since ram is volatile
  3. files are copied to ram and /dev
  4. modules are installed
  5. interfaces are brought up
  6. logging is started
  7. services are started (some hardcoded into rc)
  8. various devices are configured by sending parameters to /proc

The script is included below.


#!/bin/sh
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin/scripts

UTC=yes

mount -n -t proc proc /proc
mount -n -t ramfs ramfs /tmp

# build var directories 
/bin/mkdir -m 0777 /tmp/var
/bin/mkdir -m 0777 /var/lock
/bin/mkdir -m 0777 /var/log
/bin/mkdir -m 0777 /var/run
/bin/mkdir -m 0777 /var/tmp
/bin/mkdir -m 0777 /tmp/etc

/bin/cp -a /usr/etc/* /etc
/bin/cp -a /usr/dev/* /dev/

# insert modules
/sbin/insmod /lib/modules/2.4.17_mvl21-malta-mips_fp_le/kernel/drivers/atm/tiatm.o
/sbin/insmod /lib/modules/push_button.o
/sbin/insmod /lib/modules/led.o
/sbin/insmod ipt_REJECT 
/sbin/insmod ipt_string 

# start services

/usr/sbin/brctl addbr br0
/usr/sbin/brctl stp br0 yes
/sbin/ifconfig eth0 up
/usr/sbin/brctl addif br0 eth0

# stamp lan start time
/bin/cp /proc/uptime /tmp/lan_uptime

ifconfig lo 127.0.0.1
route add -net 127.0.0.0 netmask 255.255.0.0 lo

# debug staff 
#/usr/sbin/micro_inetd 23 /usr/sbin/utelnetd&

/sbin/klogd

/usr/sbin/rc start

/sbin/syslogd -f /etc/syslog.conf

/usr/sbin/dproxy -c /etc/resolv.conf&


/usr/sbin/crond &
/usr/sbin/scfgmgr
/usr/sbin/atm_monitor init
/usr/sbin/cmd_agent_ap
/usr/sbin/pb_ap&


echo "0 0" > /proc/sys/vm/pagetable_cache
# router
echo 1 > /proc/sys/net/ipv4/ip_forward
# pppox
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# add more conntrack 
echo 2048 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

# ignore_all not yet used: this should be satisfactory
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# drop spoofed addr: turn this off when rip is on ?
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# do not honor source route flags
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# this needs proper sampling on av_blog to determine optimal value
# for now just observe softnet_stats to see # time was throttled
# historical value was 300
echo 100 > /proc/sys/net/core/netdev_max_backlog

/proc

There are no utilities provided for control or monitoring, but a lot is thankfully accessible through /proc. Some very interesting things are accessible through proc; even the front LED status can be determined.
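
Because /proc is the only monitoring interface on the unit, the kernel settings that rcS writes at boot can be read back from it and compared. The script below is an added example, not part of the firmware or of the original page: the keys and values are the ones rcS echoes, while the `audit_sysctl` and `make_sample_tree` functions and the sample tree they use are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the firmware): compare kernel settings under
# /proc/sys with the values rcS writes at boot. Function names and the sample
# tree are assumptions of this example; keys and values are taken from rcS.

# Key (relative to /proc/sys) followed by the value rcS echoes into it.
# rcS itself questions rp_filter when RIP is on, so drift there may be intended.
EXPECTED='vm/pagetable_cache 0 0
net/ipv4/ip_forward 1
net/ipv4/ip_dynaddr 1
net/ipv4/netfilter/ip_conntrack_max 2048
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/conf/default/rp_filter 1
net/ipv4/conf/all/rp_filter 1
net/ipv4/conf/default/accept_source_route 0
net/ipv4/conf/all/accept_source_route 0
net/core/netdev_max_backlog 100'

# audit_sysctl [ROOT]
# Prints OK / DRIFT / MISSING per key. The exit status is the number of keys
# that are not OK, so 0 means the tree matches rcS.
audit_sysctl() {
    root=${1:-/proc/sys}
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        if [ ! -r "$root/$key" ]; then
            echo "MISSING $key (rcS sets $want)"
            bad=$((bad + 1))
            continue
        fi
        # Multi-value entries are tab-separated when read back; let read
        # split on whitespace and rejoin with a single space.
        read -r a b < "$root/$key" || :
        got="$a${b:+ $b}"
        if [ "$got" = "$want" ]; then
            echo "OK      $key = $got"
        else
            echo "DRIFT   $key = $got (rcS sets $want)"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# make_sample_tree DIR
# Builds a constructed stand-in for /proc/sys holding the rcS values, so the
# audit can be exercised away from the router.
make_sample_tree() {
    while read -r key want; do
        [ -n "$key" ] || continue
        mkdir -p "$1/${key%/*}"
        printf '%s\n' "$want" > "$1/$key"
    done <<EOF
$EXPECTED
EOF
    printf '0\t0\n' > "$1/vm/pagetable_cache"   # tab, as the kernel prints it
}

# Demo on the constructed tree with one simulated change.
# On the unit itself the call would be: audit_sysctl /proc/sys
demo=$(mktemp -d)
make_sample_tree "$demo"
echo 1 > "$demo/net/ipv4/conf/all/accept_source_route"
audit_sysctl "$demo" || echo "$? setting(s) differ from what rcS writes"
rm -rf "$demo"
```

`audit_sysctl` uses only shell builtins; the sample-tree helper and the demo need `mkdir`, `mktemp` and `rm`.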

PS Output

Here is typical PS output. Obviously under normal conditions utelnetd, sh, and micro_inetd are not running. PS is also truncating the output. Command line options are fully visible under /proc/PID/cmdline if required.

# ps
  PID  Uid     VmSize Stat Command
    1 root        876 S    init
    2 root            S    [keventd]
    3 root            R    [ksoftirqd_CPU0]
    4 root            S    [kswapd]
    5 root            S    [bdflush]
    6 root            S    [kupdated]
    7 root            S    [mtdblockd]
   21 root            D    [adsl]
   38 root        620 S    /sbin/klogd
   48 root       4296 S    /usr/sbin/user_drv
   49 root       4296 S    /usr/sbin/user_drv
   50 root       4296 S    /usr/sbin/user_drv
   51 root       4296 S    /usr/sbin/user_drv
   52 root       4296 S    /usr/sbin/user_drv
   55 root       4296 S    /usr/sbin/user_drv
   68 root        680 S    /usr/sbin/mini_httpd -d /www -r NETGEAR DG834 -c *.c
   76 root        616 S    /usr/sbin/netgear_ntp -z GMT-10 -h 210.23.158.201
   87 root        624 S    /usr/sbin/dproxy -c /etc/resolv.conf
   88 root        624 S    /usr/sbin/crond
   89 root        644 S    /sbin/syslogd -f /etc/syslog.conf
   90 root        628 S    /usr/sbin/dproxy -c /etc/resolv.conf
   93 root        612 S    /usr/sbin/scfgmgr
  101 root        604 S    /usr/sbin/cmd_agent_ap
  102 root        604 S    /usr/sbin/pb_ap
  117 root        876 S    init
  125 root       2344 S    /usr/sbin/pppd plugin pppoa 8.35 user username@dsl
  147 root       2132 S    /usr/sbin/upnpd ppp0 br0 30 4
  149 root       2132 S    /usr/sbin/upnpd ppp0 br0 30 4
  150 root       2132 S    /usr/sbin/upnpd ppp0 br0 30 4
  153 root       2132 S    /usr/sbin/upnpd ppp0 br0 30 4
  157 root       2132 S    /usr/sbin/upnpd ppp0 br0 30 4
  158 root       2132 S    /usr/sbin/upnpd ppp0 br0 30 4
  325 root        604 S    /usr/sbin/micro_inetd 23 /usr/sbin/utelnetd
  498 root        648 S    /usr/sbin/udhcpd /etc/udhcpd.conf
  544 root        616 S    /usr/sbin/utelnetd
  545 root        888 S    /bin/sh
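
The point above, that utelnetd, sh and micro_inetd are not running under normal conditions, gives a baseline that a captured listing can be checked against. The script below is an added example, not from the original page: it is meant for an admin host with awk (the file list above shows no awk applet on the unit), the `BASELINE`, `unexpected_procs` and `sample_ps` names are assumptions, and the sample lines are a constructed excerpt of the listing above.

```shell
#!/bin/sh
# Added example (not from the original page): flag processes in a BusyBox
# "ps" listing that are outside the normal set shown on this page.

# Commands seen in the listing above, minus the three the page says are not
# running under normal conditions (micro_inetd, utelnetd, sh).
BASELINE='init /sbin/klogd /usr/sbin/user_drv /usr/sbin/mini_httpd
/usr/sbin/netgear_ntp /usr/sbin/dproxy /usr/sbin/crond /sbin/syslogd
/usr/sbin/scfgmgr /usr/sbin/cmd_agent_ap /usr/sbin/pb_ap /usr/sbin/pppd
/usr/sbin/upnpd /usr/sbin/udhcpd'

# unexpected_procs: reads ps output on stdin, prints "PID command" for every
# userspace process whose command is not in BASELINE.
# Only the first word of the command is compared, and ps truncates its output;
# full command lines are under /proc/PID/cmdline.
unexpected_procs() {
    awk -v allow="$BASELINE" '
        BEGIN {
            n = split(allow, a, /[ \n]+/)
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 !~ /^[0-9]+$/ { next }             # header line
        {
            # VmSize is blank for kernel threads, which shifts the columns.
            c = ($3 ~ /^[0-9]+$/) ? 5 : 4
            cmd = $c
            if (cmd ~ /^\[.*\]$/) next        # kernel thread, e.g. [keventd]
            if (!(cmd in ok)) print $1, cmd
        }'
}

# Constructed sample: an excerpt of the listing on this page.
sample_ps() {
    cat <<'EOF'
  PID  Uid     VmSize Stat Command
    1 root        876 S    init
    2 root            S    [keventd]
   21 root            D    [adsl]
   68 root        680 S    /usr/sbin/mini_httpd -d /www -r NETGEAR DG834 -c *.c
  125 root       2344 S    /usr/sbin/pppd plugin pppoa 8.35 user username@dsl
  325 root        604 S    /usr/sbin/micro_inetd 23 /usr/sbin/utelnetd
  498 root        648 S    /usr/sbin/udhcpd /etc/udhcpd.conf
  544 root        612 S    /usr/sbin/utelnetd
  545 root        888 S    /bin/sh
EOF
}

# Demo: prints the three debug-session processes from the sample.
sample_ps | unexpected_procs
```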

Typical IP Tables State

This router includes iptables 1.2.8, and most of the control is carried out by scripts that take their parameters from shell variables supplied by CGI binaries.

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
INPUT_UDP  udp  --  anywhere             anywhere
INPUT_TCP  tcp  --  anywhere             anywhere
DOS        icmp --  anywhere             anywhere           icmp echo-request
ACCEPT     all  --  anywhere             anywhere           state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
HTTP       tcp  --  anywhere             anywhere           tcp dpt:80
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
FORWARD_UDP  udp  --  anywhere             anywhere
FORWARD_TCP  tcp  --  anywhere             anywhere
DOS        icmp --  anywhere             anywhere           icmp echo-request
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       icmp --  anywhere             anywhere           state INVALID

Chain ALGS (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain BLOCK (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level warning prefix `[BLOCK]'
REJECT     tcp  --  anywhere             anywhere           tcp dpt:80 reject-with http-block
DROP       all  --  anywhere             anywhere

Chain CONCHK (1 references)
target     prot opt source               destination

Chain DOS (6 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           limit: avg 1/sec burst 5 tcp flags:SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere           limit: avg 1/sec burst 5
DROP       icmp --  anywhere             anywhere           icmp echo-request limit: avg 1/sec burst 60
LOG        all  --  anywhere             anywhere           limit: avg 5/sec burst 60 LOG level warning prefix `[DOS] '
DROP       all  --  anywhere             anywhere

Chain FORWARD_TCP (1 references)
target     prot opt source               destination
ALGS       tcp  --  anywhere             anywhere           multiport sports 389,522,1503,1720,1731
ALGS       tcp  --  anywhere             anywhere           tcp spt:6701
ALGS       tcp  --  anywhere             anywhere           tcp spt:80
ALGS       tcp  --  anywhere             anywhere           multiport sports 1863,6891,1503,7001
SCAN       all  --  anywhere             anywhere           psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
DOS        tcp  --  anywhere             anywhere           limit: avg 20/sec burst 10 state INVALID,NEW tcp flags:SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere

Chain FORWARD_UDP (1 references)
target     prot opt source               destination
ALGS       udp  --  anywhere             anywhere           udp spt:5060
SCAN       all  --  anywhere             anywhere           psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
DOS        udp  --  anywhere             anywhere           limit: avg 20/sec burst 10 state INVALID,NEW
RETURN     udp  --  anywhere             anywhere

Chain HTTP (1 references)
target     prot opt source               destination
CONCHK     all  --  anywhere             anywhere           STRING match GET

Chain INPUT_TCP (1 references)
target     prot opt source               destination
SCAN       all  --  anywhere             anywhere           psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
DROP       tcp  --  anywhere             anywhere           multiport dports 23,80,32764
DOS        tcp  --  anywhere             anywhere           limit: avg 20/sec burst 10 state INVALID,NEW tcp flags:SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere

Chain INPUT_UDP (1 references)
target     prot opt source               destination
SCAN       all  --  anywhere             anywhere           psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
DOS        udp  --  anywhere             anywhere           limit: avg 20/sec burst 10 state INVALID,NEW
RETURN     udp  --  anywhere             anywhere

Chain SCAN (4 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level warning prefix `[PORT SCAN]'
DROP       all  --  anywhere             anywhere

Resources

Official Files from NETGEAR

Other File Sources

Documentation

Online Help

Firmware

Firmware Structure

The firmware appears to be broken up into 5 sections. Each section is clearly delimited by padding of 1's (all bits on).

  1. 0x0 - Header and bootloader
  2. 0x17000 - kernel decompressor or second stage bootloader?
  3. 0x20000 - Kernel
  4. 0xD0000 - Compressed ROMFS (cramfs)
  5. 0xDFFB2 - CRC? ends at offset 0x3DFFFF

Firmware Decomposition

I'm still analysing the firmware. The last few bytes of the file are very likely some kind of CRC checksum and end of file marker. The CRC section of the file contains the phrase sercomm twice, DG834 once, and two double byte values. The values may in fact be two consecutive single byte values and a double byte, just because they appear to sit at an odd offset. The file is very likely to be little endian throughout, and when taken as such one of the values is increasing across firmware revisions, so it may be a time, date, or revision value. The other 16-bit word has no discernible pattern so far, so it may be a CRC value, especially as it occupies the second last 16-bit word. The sercomm string may indicate that the tail is in fact two sections, each with sercomm as the start, the first being zero padded and the last being 0xff or 1 padded.

File Extraction

File extraction from the firmware is fairly straightforward using the offsets above converted to decimal. The example provided is for firmware 1.02.10, but the offsets are consistent for all revisions.

# dd if=DG834.a1.02.10.img of=cramfs.img bs=1 skip=851968 count=3211186
# mkdir /mnt/cramfs
# mount -o loop cramfs.img /mnt/cramfs
# cd /mnt/cramfs

CramFS Reconstruction

CramFS reconstruction is fairly straightforward, using either a precompiled mkcramfs or one built from source. Cramfs 1.0 and 1.1 are available as source, but the file they create seems a little different from the version extracted from the firmware. Cramfsck from these sources actually throws up a warning that the firmware uses an older version of the FS. I have also attempted to use the cramfs version found in the Netgear source code, but the final file differs even more drastically from the extracted version, with the file order scrambled. This may not adversely affect the actual performance of the router if used, but I can't tell until I try it. Finally, I have tried a precompiled binary from handhelds.org and the final image is exact, at least as far as the compressed section of the image goes. There were only minor differences in the header of the file, so this seems to be the safest bet. The generated file needs to be 0xFF padded before being concatenated to the rest of the firmware image.
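The carving and padding steps from File Extraction and CramFS Reconstruction, as an added Python example that is not part of the original page or of any Netgear tooling. It assumes the tail starts at 0x3DFFB2 (skip + count from the dd command above, where the section list prints 0xDFFB2), that the cramfs superblock is little endian, and it runs on a constructed stand-in image rather than real firmware; all function names are hypothetical.

```python
import struct

# Offsets from the section list. Assumption: the tail start is skip + count
# from the page's dd command (851968 + 3211186 = 0x3DFFB2).
SECTIONS = [("bootloader", 0x0), ("stage2", 0x17000), ("kernel", 0x20000),
            ("cramfs", 0xD0000), ("tail", 0x3DFFB2)]
IMAGE_SIZE = 0x3E0000              # last byte sits at 0x3DFFFF
CRAMFS_SLOT = 0x3DFFB2 - 0xD0000   # 3211186, the dd count
CRAMFS_MAGIC = struct.pack("<I", 0x28CD3D45)  # assumed little endian, as the page suggests

def carve(image):
    """Split the image at the known offsets and measure each trailing 0xFF run."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("unexpected image size %#x" % len(image))
    ends = [off for _, off in SECTIONS[1:]] + [IMAGE_SIZE]
    out = {}
    for (name, start), end in zip(SECTIONS, ends):
        raw = image[start:end]
        data = raw.rstrip(b"\xff")  # also trims payload bytes that happen to be 0xFF
        out[name] = {"offset": start, "data": data, "padding": len(raw) - len(data)}
    return out

def is_cramfs(data):
    """Check the superblock magic and the 'Compressed ROMFS' signature at byte 16."""
    return data[:4] == CRAMFS_MAGIC and data[16:32] == b"Compressed ROMFS"

def pad_cramfs(fs):
    """0xFF-pad a rebuilt cramfs to the exact slot length before concatenation."""
    if len(fs) > CRAMFS_SLOT:
        raise ValueError("cramfs is %d bytes too large" % (len(fs) - CRAMFS_SLOT))
    return fs + b"\xff" * (CRAMFS_SLOT - len(fs))

def make_sample():
    """Constructed stand-in image: marker bytes only, not real firmware."""
    img = bytearray(b"\xff" * IMAGE_SIZE)
    fs = CRAMFS_MAGIC + b"\x00" * 12 + b"Compressed ROMFS" + b"\x01" * 64
    for off, blob in ((0x0, b"BOOT"), (0x17000, b"STG2"), (0x20000, b"KERN"),
                      (0xD0000, fs), (0x3DFFB2, b"sercomm\x00sercomm")):
        img[off:off + len(blob)] = blob
    return bytes(img), fs

if __name__ == "__main__":
    image, _ = make_sample()
    sections = carve(image)
    for name, sec in sections.items():
        print("%-10s off=%#08x data=%7d pad=%7d"
              % (name, sec["offset"], len(sec["data"]), sec["padding"]))
    print("cramfs ok:", is_cramfs(sections["cramfs"]["data"]))
```

A rebuilt file system that no longer fits the slot makes pad_cramfs raise instead of silently overlapping the tail section.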

Firmware Reconstruction

Reconstruction of the firmware hasn't been attempted yet, but it may be as easy as concatenation of the 4 sections and generating the CRC section once the algorithm is discovered. Until someone actually attempts to upload modified firmware this can't be confirmed.

Tricks and Hacks

Here are a few discoveries made while trying to fix an issue I had with the router, but which ended up being an ISP problem instead. Some were discovered from looking at extracted firmware binaries, some while playing with the router.

Displaying Arbitrary Files

It is possible to display an arbitrary file on the router using nocache.cgi. These files do not have to be in the http document root folder and can be /proc or other device files. The caveat is that binaries appear to get truncated.

To access any file on the system simply use http://192.168.0.1/nocache.cgi?next_file=/etc/htaccess and you should be able to see your admin password. This is not as bad as it sounds since the htaccess file restrictions are applied to nocache.cgi before it will let you display any file so in this case you have to enter your password before you can see it. The file structure listed above can be used as a reference to location of files on the system.

There doesn't appear to be any way to execute arbitrary code from the web interface. All cgi binaries seem to take a parameter and then execute precompiled instructions based on that. I have not found any parameters so far that get passed directly down to the shell from cgi.

Getting Shell Access

Getting shell access is surprisingly simple once you know how. It was very frustrating looking at /etc/rcS and seeing utelnetd commented out. However, after some time looking through the CGI binaries I noticed the debug keyword near the logout word. You can also see the way logout is used by the web interface. So after using http://192.168.0.1/setup.cgi?todo=debug I tried telnet to 192.168.0.1 and, what do you know, you have root. No password, nothing. I haven't carried out a portscan to see if any other services such as tftpd are enabled, but the service does not appear to be running. Hopefully it should be possible to add a password by modifying /etc/passwd. There doesn't seem to be an /etc/shadow even though it appears to be enabled in the source config.

Transferring Files

There is no real way to upload files to the router except as part of the firmware file system. The easiest way to transfer a text file to the system is using "cat > somefile", then pasting the file in and hitting ctrl-d when done. This does not work with binary files: telnet likes to interpret and translate certain characters and echo back the file, requiring a terminal reset. One way, and not a very good way, to upload binaries such as images is via mini-httpd. This means first creating a simple web form and a cgi shell script composed of dd or cat to dump the file onto the router. Also, mini-httpd needs to be restarted with a different document root. Of course the file will now contain a text header and footer, so dd has to be used to remove them. Since the size of the file is known and it is possible to determine the size of the header up to a point, dd can then be used to strip out the file. It can be fiddly, but the offset only varies by one or two bytes from the predetermined header size between files.

Hosting Pages

It is possible to host pages from the DG834G without modifying the firmware. There are several problems associated with doing this. The first is that a reboot of the router will require a re-upload of the content, since the files are stored in the router's RAM. The second is that, because there is a timeout hardcoded into micro-httpd to limit access to only one person at a time, you can either have a usable configuration interface or you can serve pages to anyone without authentication.

So to serve pages, first the pages need to be uploaded and the correct permissions set. See above. Next the server needs to be shut down using either "rc httpd stop" or killing the appropriate process. Assuming the pages are located in /tmp/htdoc, the command to run would be "/usr/sbin/mini-httpd -d /tmp/htdoc -t '-1'". The -1 timeout is required, otherwise most people will receive an "Another administrator is already logged on" message. The -1 timeout also means that if, for example, virtual domains were turned on to serve both web content and the configuration interface locally, the password would have to be entered for every page in every frame every time it is accessed, making it infeasible to do both. Long term solutions to this problem would be to use busybox httpd to serve web content or fix the mini-httpd patch that is currently applied.

Compiling Custom Kernel and Applications

Slowly getting there!

Getting the Source Code

Insert netgear urls and toolchain urls

Cross Compiler Toolchain

Various ways to do this. This part is mostly working with some bad hacks in place. Need to document and refine it.

Compiling ucLibc libraries

This part is also done. Needs to be documented.

Compiling the Kernel

Not quite there yet. Fails near the end. Using default config provided with source.

Compiling Applications

Not quite there yet. Library and header issues.