I recently ripped apart my WCG200, built a serial cable for it, and had some fun. I am posting my findings here to see if anyone has any insight on getting both off and onto the device through the serial port, as it doesn't appear to have pinouts for JTAG, and because it's a ball grid array I can't get access to pins directly. Board photos on request because of image size. Runs VxWorks, unknown version, I would assume VxWorks 2.1 or 2.2. Board version is 1.2b and uses the Broadcom DOCSIS 2.0 system on chip. Mini-PCI wireless card, the usual Broadcom suspect, an Intel flash chip, and the rest of the chips are Broadcom or no-name DDR RAM. RAM is 16MB. On the software side it uses a QoStek bootloader, and runs the default VxWorks/Broadcom cable modem software combo that most cable modems run. I have a full shell I can exploit from the serial console, and can try suggestions and post logs on request. A log of startup can be found at http://www.geocities.com/zabb65/cablemodem.txt (Garbled part is when I accidentally touched the casing of the ethernet switch and disrupted the ground, causing a segfault.) HTTP interface is unexploitable as far as I can tell due to the fact that it doesn't directly execute commands through the VxWorks shell. As you might notice there is a telnet daemon that can be enabled, and it provides a shell, but I haven't gotten it working yet. Another interesting tidbit is the matrix reference during the startup of the cable modem application. Hope somebody can help me, and if not, I will figure something out on my own and get a project started. (Rambling post, I know, have never been good at expressing info in a fully coherent way.) Edit: It's Tornado 2.2 or a VxWorks 5.x distribution. Can be netbooted fairly easily, and internal pictures will be posted tomorrow. Shame that nobody is interested.
I'm 100% interested. I have a WCG200 V2 with the comcast firmware... would LOVE to do something with this thing to get some decent firmware on to it. Is there anything that I can do to help? Thanks Andrew
If you know of any way to get the firmware off of the device it would be appreciated, because I know how to get new firmware onto it, but I don't have a copy to rip apart and figure out if I can somehow use the web interface to do stuff with it, to allow normal users to add new firmware without making a serial cable.
Aim I picked up v1 of the WCG200 at Fry's last year but it's been sitting in my closet due to constant brief disconnects that knock me off AIM. I've read a lot of other people's posts with the exact same problem but have not seen any solutions. I would love to get new firmware for this thing, assuming firmware is the issue. It's a shame that Linksys thinks it's cool to push out an expensive product and never provide firmware updates for it.
Just to give my 2 cents, I think the reason why Linksys did not make any new firmware for the WCG200 is to allow cable Internet Service Providers more control over their clients, letting the ISP make their own firmware if they want to. It must be pretty attractive for some cable ISP network administrator to know exactly how their clients connect to their network.
Hey, great job. Can you share the serial pinout / connection points? I'd like to make a cable and see what I can do.
http://photos1.blogger.com/blogger/5843/3384/1600/intel-TE28F640-Flash.jpg In regards to this image, you are looking at the pins "backwards" to how I am used to describing them; it should be from right to left there, 3.3v<->ground<->receive<->transmit. You will have to play with the 3.3v and ground, because I know that was a pain to find, because they both register as 3.3v on a voltmeter, but one ACTUALLY is a ground. I have not touched this project in a fair bit of time, something that I quickly ran out of when school started up again. I will look into it for you all again, and see if I can't get something worked out for this. If you press p during boot, you have full options of loading firmware from a plethora of places, the most useful being a TFTP server. The most difficult part of this project will be getting the CM HAL device into an open source form, much like the trouble we are going through getting the wireless card into an open source form right now. You will have to create your own TTL to serial converter cable, but the device is fully capable of receiving data from the serial connection, unlike the Surfboard 5120 sitting next to it in my pile of project boxes.
i have the wcg200 v2 from cox cable company in kansas. i moved to iowa which uses mediacom. mediacom internet does not work with my router/modem even though it is listed on their site as compliant with their network. i am definitely interested in this project and if there is anything i can do to help let me know. i did contact linksys and i have an rma but i never sent in my modem/router...it's been a few months since they issued me the rma# but i prob could still send the unit in for replacement. anyhow i'm thinking about taking it apart thanks to your pics. PLEASE PLEASE PLEASE do this project. my firmware version is "Firmware Version: 2.0.3.4.2-50428". i looked in the user guide on the linksys website (for ver2.0) and it shows "2.0.3.4.2-1111" if that means anything at all. note: my modem/router has areas missing in the router's configuration such as obtain ip address automatically (dhcp) in the setup/internet connection/ area. simply put i do not even have a "setup/internet connection" area at all as i'm sure cox cable disabled that area. i think there is another area that i also can not change in my router that shows in the user guide. one more thing: my firmware might be ok (some features might be just disabled). if you see a master login/password could you post it so i can enable some features i so need....or would my master l/p be unique to cox cable co? if you tell me how to pull my firmware off i'll do it and email it to you
OMG if I could get ddwrt installed on my wcg200 I would get a boner. Mine is a retail version, not issued by an ISP - it works great even tho many have troubles with them. I would gladly pay the author of any such firmware for their efforts. I assume mine is ver. 1.0 - there isn't a ver # given. Need to know something about it? I'll tear it open and take pics or whatever you want! I know zip - but would love to see it happen or help or 'donate' or whatever!
i would pay $50.00 right freaking now if i could just get the "RETAIL" firmware on mine. someone tell me how to do it and if it is successful i would gladly pay the $$$$. better freaking hurry cause if i can't get it done then i will just go buy a different router.
My wcg200 v2 has Firmware Version: 2.0.3.5.10-0425. Where can I find another firmware, please? I run linux on all my machines and some problems occur for clients using linux hosts.
i've been researching this for about 3 weeks (trying to help my friend out with his wcg200v2, and, in turn, myself) and nobody seems to have a way to get the firmware off of linksys modems. but if anybody still wants to work on it, i have a few ideas that i would like to run by everyone. let me know if you guys are still interested.
i didn't think anybody was still reading this thread. wow! anyway, i've got a few ideas and i've been trying out a few different possibilities as far as how to access this thing. just so everybody knows, my telnet/hyperterminal/session commands and protocols are lousy, but if anybody that knows what they're doing can help me out on the command side, we should be able to get this to work. my friend and i are on time warner's turbo high speed. we went to get him a new wcg200v2 (retail), but because of where i am, i had to get tw's leased SA model. i didn't want to tear his box up until i figured this out, so i am using my old befcmu10 docsis 1.0 as a test bench. i figure if i get the firmware off of mine, it should be pretty similar to getting it off the wcg200v2 that he's got. what i've got so far is this:
- tried a cisco console cable (db9 to rj45) -> no good, couldn't get a session
- tried an iogear serial to usb converter in reverse with a female usb A to male usb B -> no good, converter only works one way and it is the other way with usb A as host end
- tried regular usb cable, loaded drivers for modem from linksys site and connected to my system -> no good, modem loaded and was recognized, but couldn't maintain a session for more than 30 seconds and the only port that i could connect with was 21 (why ftp worked, i don't know, but NONE of the other ports would take)
i'm a little stumped at this point, but have any of you guys noticed how the header on the wcg200v1 and v2 looks like the connector on a motherboard for the cd-rom audio cord? i thought, "why not, nothing to lose, right?" found an old audio cord and it plugged right in PERFECTLY!!!!! so no soldering necessary and pinouts are EXACTLY the same with the befcmu10 as they are with the wcg200! 3.3v-ground-Rx-Tx (having the audio cord attached made the readings VERY easy with a voltmeter!) now i just need to connect the other end to an old serial cable like zabb65 had and i can see what i can get off of it.
by the way, if anyone can get a hold of zabb65, that would be great, because i sent him a message and haven't heard back yet...unless someone else knows how to program and can rewrite the firmware like he was describing. also, i noticed in his text file from the wcg200 that the http admin login is administrator/administrator. i had my friend try that and he couldn't get in...tw must have changed it with their firmware push. if anyone has any ideas about ANY of this stuff, let me know. my friend and i would REALLY like to get this working because the router is a piece of bs and my wrt160n has been cranking like a champ since i flashed it with dd-wrt! (i have two boxes, my friend just has the one) c'mon people, i know we can get this working if we all get together on this! one more thing...if we can't get any of this serial or terminal or anything else stuff to work, i have another alternative. only the isp is supposed to be able to access and flash the modems, right? and they do it through the coax, right? i have a tv tuner card in my system. if anybody can figure out how to do it...and nothing else works...try to write a windows executable program (sorry, my linux isn't for sh*t) that can try to read the firmware, configurations, whatever (preferably just copy the ENTIRE contents of the flash) back through the coax, into the tv tuner card, and save it as a file on the system. mask it like tw is requesting a recall or dump of the flash or something so that the modem itself won't think anything of it and hopefully will process and send it without a login or encryption or anything (just the raw data or firmware file) let me know what you think, everyone! and thanks for the interest! p.s. i've completely scoured the net and i can't get a copy of ANY linksys firmware ANYWHERE, so this looks like the only option.
o.k. i went out and got a serial plug and stripped the ends and connected a cd-rom audio wire to the pins to connect it to my befcmu10. no breadboards or resistors or soldering or anything...just straight wires into the serial plug and into the wire to the modem. i'm using PuTTY to try to access the bootloader and my settings (according to a little research) are 115200,8,1,N. The problem is that all i'm getting on the screen when I open the session is random ASCII characters. So I know that I'm getting something off of the modem and the connection is good, but how do I get legitimate, readable text instead of just code translated into ASCII? (like what zabb65 got in his text file from post #1 of this thread)
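Added example, not part of the post above or of any reply in this thread: a simulation of 8N1 UART framing received with correct and with inverted polarity. It assumes one possible cause of the garbage, which the thread does not confirm: an RS-232 port treats a positive voltage as logic 0, while a 3.3 V TTL UART idles high at logic 1, so a direct wire with no TTL converter delivers every bit inverted. The sample banner text is constructed.

```python
# Added illustration: 8N1 UART frames seen with correct and inverted polarity.
# Assumption: the PC's RS-232 receiver reads the modem's TTL levels as the
# opposite logic state, so each bit on the wire arrives flipped.

def uart_encode(data: bytes, idle: int = 4) -> list:
    """Logic levels for 8N1: idle=1, start=0, 8 data bits LSB first, stop=1."""
    bits = [1] * idle
    for byte in data:
        bits.append(0)                                  # start bit
        bits.extend((byte >> n) & 1 for n in range(8))  # data, LSB first
        bits.append(1)                                  # stop bit
    return bits + [1] * idle

def invert(bits: list) -> list:
    """What a level-inverting connection (or a MAX3232-style fix) does."""
    return [b ^ 1 for b in bits]

def uart_decode(bits: list) -> bytes:
    """Minimal receiver: wait for a start bit, sample 8 bits, check the stop bit."""
    out = bytearray()
    i = 0
    while i < len(bits):
        if bits[i] == 1:            # line idle, keep waiting
            i += 1
            continue
        frame = bits[i + 1:i + 10]  # 8 data bits plus stop bit
        if len(frame) < 9:
            break
        if frame[8] == 1:           # valid stop bit: accept the byte
            out.append(sum(bit << n for n, bit in enumerate(frame[:8])))
            i += 10
        else:                       # framing error: slide one bit and resync
            i += 1
    return bytes(out)

SAMPLE = b"Press 'p' for boot options\r\n"   # constructed sample text

if __name__ == "__main__":
    wire = uart_encode(SAMPLE)
    print("correct polarity :", uart_decode(wire))
    print("inverted polarity:", uart_decode(invert(wire)))
    print("re-inverted      :", uart_decode(invert(invert(wire))))
```

The same speed and 8,1,N settings produce readable text once the levels are inverted back, which is what a TTL to RS-232 level converter does in hardware.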
1. Many of us need to fix the random reset of this modem. 2. This would allow us to install one of those mjmd5 proxies, which would allow internet phone calls without having the computer turned on via ata for some providers that require crappy auths and running software.