WMB54G: Exposed!

Discussion in 'Other Linksys Equipment' started by emuman100, Aug 31, 2006.

  1. emuman100

    emuman100 LI Guru Member

    Ok, welp, this device runs the 2.4 linksys kernel which apparently has support for the realtek NIC and flash driver as well as the audio device attached to its PCI bus. It contains 2mb of flash and 16mb of ram. The rootfs is loaded into a ramdisk. It runs the busybox distro with some binaries that are specific to the network audio driver, binaries like raspplay and raspmonitor. Its settings are stored in nvram in which scripts invoke the nvram binary to parse the variables from nvram to configure the network devices. These values included domain name, wlan config including which operating mode, channel, etc, dhcp or not, etc. It runs Dante's TFTP Server which is a tftpd that takes a file it receives and attempts to flash it if it's valid firmware. Here is what ps aux shows:
    # ps aux
    PID Uid VmSize Stat Command
    1 root 240 S init
    2 root SW [keventd]
    3 root SWN [ksoftirqd_CPU0]
    4 root SW [kswapd]
    5 root SW [bdflush]
    6 root SW [kupdated]
    7 root SW [mtdblockd]
    8 root 276 S -sh
    480 root 168 S raspmonitor -v v1.09.0.4 -m WMB54G -M Linksys -s 8
    483 root 328 S < raspplay -e 0 -s 8 -M Linksys
    489 root 132 S sys_monitor
    490 root 800 S httpd
    752 root 116 S restore_defaultsd
    847 root 280 S easyconf
    848 root 188 S tftpd
    851 root 188 S udhcpc -i br0 -p /etc/udhcpc/udhcpc-br0.pid -s /usr/s
    869 root 224 R ps aux

    No telnet, ftp, nfs, or samba daemon comes preloaded, so no way to get files to and from the WMB54G. Even if you put files on the filesystem, once you turn off the unit they will be gone because the rootfs is a ram disk, and actual settings are stored via the nvram.

    My goals and intentions for this device are simply to put music player daemon and required libs, telnet daemon, ssh daemon, nfs and samba clients, and if possible, mplayer on the device and store configs of samba, nfs, mpd, telnet, and ssh on the nvram as well as network settings if possible. The audio driver seems to be already in the kernel loaded on it, so mpd should work fine without the need for ALSA.

    Linksys was kind enough to comply with GPL and provide everything needed to build a firmware image in the downloads section for the WMB54G under GPL code. The programs used for the audio streaming from the PC like raspplay and raspmonitor and some other programs are already prebuilt and no source code or documentation is provided. Seems to be that the source is already in MIPS binary because the source files are .o and you just need to build them into an image. I suppose what will be required is to cross compile mpd, ssh, nfs, samba, telnet, and ftp to MIPS binary and include them in the built image. I'm not sure if I should get rid of the httpd and the linksys web config crap, but since I found the serial port, everything can be done via the serial port. The scripts could be rewritten to configure the network a better way, through the command line or something. The silly prebuilt programs can be removed and thrown to the wind, as they take up resources.

    Now the thing is that I can't code because I don't know how to and doing this might require help of the 3rd party firmware devs for the WRT firmwares. The network, flash, and audio drivers seem to be built into the kernel, so they have to be in there somewhere. I'm not sure what the next step is, but I think that this little device will be one sweet network audio player that's small, fanless, and consumes little power. Again, the serial pinout of J9 on its PCB is:

    1 2
    3 4
    5 6
    7 8
    9

    2 and 4 are Vcc
    6 and 8 are Gnd
    1 is TX
    7 is RX

    And the serial output of first boot is:

    UART1 output test ok
    Uart init
    mfid=000000c2 devid=00002249
    Found 1 x 2M flash memory

    ---RealTek(RTL8186)at 2005.11.08-15:14+0800 version 1.3c [16bit](180MHz)
    no sys signature at 00010000!
    Jump to image start=0x80300000...
    early printk enabled
    Determined physical RAM map:
    memory: 01000000 @ 00000000 (usable)
    Initial ramdisk at: 0x8017d000 (3584000 bytes)
    On node 0 totalpages: 4096
    zone(0): 4096 pages.
    zone(1): 0 pages.
    zone(2): 0 pages.
    Kernel command line: root=/dev/ram console=0 ramdisk_start=0 single
    Calibrating delay loop... 178.99 BogoMIPS
    Memory: 10956k/16384k available (1341k kernel code, 5428k reserved, 3616k data,
    52k init, 0k highmem)
    Dentry-cache hash table entries: 2048 (order: 2, 16384 bytes)
    Inode-cache hash table entries: 1024 (order: 1, 8192 bytes)
    Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
    Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
    Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
    check_wait... unavailable.
    POSIX conformance testing by UNIFIX
    Probe PCI Bus : There must be one device at the slot.
    PCI device exists: slot 0 function 0 VendorID 13f6 DeviceID 111 bd710000
    Find Total 1 PCI function
    pcibios_fixup_resources IO form 1d500000 to 4f0000
    Linux NET4.0 for Linux 2.4
    Based upon Swansea University Computer Society NET3.039
    Initializing RT netlink socket
    Starting kswapd
    Serial driver version 6.02 (2003-03-12) with no serial options enabled
    ttyS00 at 0x00c3 (irq = 3) is a rtl_uart1
    state->flags=00000000
    Realtek GPIO Driver for Flash Reload Default
    ezWAVE Mini-Driver v1.0.0.8
    cpu_clock = 180
    vendor=0x13f6, device=0x0111, iobase=0x004f0000
    chip version = 055
    initialize_chip ok.
    block: 64 slots per queue, batch=16
    RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
    RealTek E-Flash System Driver. (C) 2002 RealTek Corp.
    Found 1 x 2M Byte MXIC MX29LV160AB at 0xbe000000
    RTL8185 driver version 1.8 (2005-11-18)
    8186NIC Ethernet driver v0.0.2 (Jan 30, 2004)
    eth0: RTL8186-NIC at 0xbd200000, 00:01:02:03:04:05, IRQ 4
    eth1: RTL8186-NIC at 0xbd300000, 04:05:06:07:08:09, IRQ 5
    NET4: Linux TCP/IP 1.0 for NET4.0
    IP Protocols: ICMP, UDP, TCP
    IP: routing cache hash table of 512 buckets, 4Kbytes
    TCP: Hash tables configured (established 1024 bind 2048)
    NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
    NET4: Ethernet Bridge 008 for NET4.0
    RAMDISK: ext2 filesystem found at block 0
    RAMDISK: Loading 3500 blocks [1 disk] into ram disk... done.
    Freeing initrd memory: 3500k freed
    VFS: Mounted root (ext2 filesystem).
    Freeing unused kernel memory: 52k freed
    mount /proc file system ok!
    serial console detected. Disabling virtual terminals.
    init started: BusyBox v1.00-pre8 (2005.11.30-07:10+0000) multi-call binary


    BusyBox v1.00-pre8 (2005.11.30-07:10+0000) Built-in shell (msh)
    Enter 'help' for a list of built-in commands.

    rm: cannot remove `/tmp/params': No such file or directory
    rm: cannot remove `/tmp/static_flash_params': No such file or directory
    killall: restore_defaultsd: no process killed
    killall: raspmonitor: no process killed
    killall: raspplay: no process killed
    killall: wizard: no process killed
    Initialize wlan0 interface
    killall: syslogd: no process killed
    killall: klogd: no process killed
    SIOCGIFFLAGS: No such device
    bridge br0 doesn't exist; can't delete it
    Setup bridge...
    device eth0 entered promiscuous mode
    eth0:phy is 8201
    SIOCDELRT: No such process
    device wlan0 entered promiscuous mode
    SIOCDELRT: No such process
    br0: port 2(wlan0) entering listening state
    br0: port 1(eth0) entering listening state
    SIOCDELRT: No such process
    waiting for bridge initialization...
    Usage:: not found
    start raspmonitor
    raspmonitor 1.09.00.04
    raspplay start !Allocate play buffer 262144 bytes
    !
    ----------------> ezmn_open : 1
    Allocate play buffer 1048576 bytes
    send notify pkt
    send notify pkt
    br0: port 2(wlan0) entering learning state
    br0: port 1(eth0) entering learning state
    br0: port 2(wlan0) entering forwarding state
    br0: topology change detected, sending tcn bpdu
    br0: port 1(eth0) entering forwarding state
    br0: topology change detected
    send notify pkt
    send notify pkt
    489
    # Osborne in dhcpc.sh going to run udhcpc
    Osborne in br0.sh deconfig
    Osborne in br0.deconfig 1
    SIOCDELRT: No such process
    SIOCADDRT: Invalid argument
    rm: cannot remove `/tmp/params': No such file or directory
    rm: cannot remove `/tmp/static_flash_params': No such file or directory
    killall: easyconf: no process killed
    killall: tftpd: no process killed
    Dante's tiny TFTP Server is ready on port 69
    Osborne in br0.sh bound
    lan_ipaddr is 192.168.0.101, now setting the NVRAM vars for br0 as a DHCP client
    ..
    deleting routers
    SIOCDELRT: No such process

    Finished setting NVRAM vars for br0.
    adding dns 71.250.0.12
    adding dns 151.197.0.30
    rm: cannot remove `/tmp/params': No such file or directory
    rm: cannot remove `/tmp/static_flash_params': No such file or directory
    Dante's tiny TFTP Server is ready on port 69
    Osborne in dhcpc.sh running udhcpc GOOD
     
  2. emuman100

    emuman100 LI Guru Member

    With nvram, there is a program "nvram" which gives you full manageability of the nvram.
    # nvram
    usage: nvram [get name] [set name=value] [unset name] [show] [erase] [convert] [restore]

    "nvram show" prints this:

    customer_firmware_version=v2.11 (Jan. 17, 2006)
    MyFirmwareVersion=4.3
    sys_name=WMB54G
    lan_mode=dhcp
    lan_ipaddr=192.168.0.101
    lan_netmask=255.255.255.0
    lan_gateway=192.168.0.1
    wl0_ssid=myssid
    wl0_type=client
    wl0_network_type=infra
    wl0_channel=6
    wl0_wirelessmode=11g
    wl0_security_idx=enabled
    wl0_security_mode=wep
    wl0_key=0
    wl0_key_format=hex
    wl0_wep_length=64
    wl0_passphrase=
    wl0_encryption=
    wl0_wep_passphrase=
    wl0_key1=
    wl0_key2=
    wl0_key3=
    wl0_key4=
    login_username=myuser
    login_password=mypass
    restore_defaults=0
    wl0_trans_rate=auto
    wl0_auth_type=auto
    wl0_rts_threshold=2347
    wl0_frag_threshold=2346
    clone_mode=disabled
    clone_macaddr=00:00:00:00:00:00
    basic_realm=Linksys WMB54G
    what_is_flag=0
    what_is_data=
    site_survey_tmp=0
    lan_mac=XX:XX:XX:XX:XX:XX
    wlan_mac=XX:XX:XX:XX:XX:XX
    reg_domain=1
    wl0_ssid_tmp=myssid
    wl0_security_idx_tmp=enabled

    I edited out some values, and as you can see it's configured with WEP security (Damn Nintendo DS).
     
  3. emuman100

    emuman100 LI Guru Member

    Here is what "flash all" prints:

    HW_BOARD_ID=1
    HW_NIC0_ADDR=XXXXXXXXXXXX
    HW_NIC1_ADDR=XXXXXXXXXXXX
    HW_WLAN0_WLAN_ADDR=XXXXXXXXXXXX
    HW_WLAN0_REG_DOMAIN=1
    HW_WLAN0_RF_TYPE=7
    HW_WLAN0_TX_POWER_CCK=0404040404040404040404040404
    HW_WLAN0_TX_POWER_OFDM=0c0c0c0c0c0c0c0c0c0c0c0c0c0c00000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000
    HW_WLAN0_ANT_DIVERSITY=0
    HW_WLAN0_TX_ANT=0
    HW_WLAN0_INIT_GAIN=4
    HW_WLAN0_CCA_MODE=0
    HW_WLAN0_LED_TYPE=0
    HW_WLAN1_WLAN_ADDR=XXXXXXXXXXXX
    HW_WLAN1_REG_DOMAIN=1
    HW_WLAN1_RF_TYPE=7
    HW_WLAN1_TX_POWER_CCK=0404040404040404040404040404
    HW_WLAN1_TX_POWER_OFDM=0c0c0c0c0c0c0c0c0c0c0c0c0c0c00000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000
    HW_WLAN1_ANT_DIVERSITY=0
    HW_WLAN1_TX_ANT=0
    HW_WLAN1_INIT_GAIN=4
    HW_WLAN1_CCA_MODE=0
    HW_WLAN1_LED_TYPE=0
    DEF_DNS1=0.0.0.0
    DEF_DNS2=0.0.0.0
    DEF_DNS3=0.0.0.0
    DEF_DHCP_CLIENT_START=192.168.1.100
    DEF_DHCP_CLIENT_END=192.168.1.200
    DEF_ELAN_MAC_ADDR=000000000000
    DEF_DEVICE_NAME="Realtek Wireless AP"
    DEF_IP_ADDR=192.168.1.210
    DEF_SUBNET_MASK=255.255.255.0
    DEF_DEFAULT_GATEWAY=0.0.0.0
    DEF_DHCP=0
    DEF_STP_ENABLED=0
    DEF_SUPER_NAME="super"
    DEF_SUPER_PASSWORD="super"
    DEF_USER_NAME=""
    DEF_USER_PASSWORD=""
    DEF_SCRLOG_ENABLED=0
    DEF_AUTODISCOVERY_ENABLED=0
    DEF_OP_MODE=0
    DEF_WISP_WAN_ID=0
    DEF_REMOTELOG_ENABLED=0
    DEF_REMOTELOG_SERVER=0.0.0.0
    DEF_WLAN0_WLAN_MAC_ADDR=000000000000
    DEF_WLAN0_SSID="any"
    DEF_WLAN0_CHANNEL=11
    DEF_WLAN0_WEP=0
    DEF_WLAN0_WEP64_KEY1=0000000000
    DEF_WLAN0_WEP64_KEY2=0000000000
    DEF_WLAN0_WEP64_KEY3=0000000000
    DEF_WLAN0_WEP64_KEY4=0000000000
    DEF_WLAN0_WEP128_KEY1=00000000000000000000000000
    DEF_WLAN0_WEP128_KEY2=00000000000000000000000000
    DEF_WLAN0_WEP128_KEY3=00000000000000000000000000
    DEF_WLAN0_WEP128_KEY4=00000000000000000000000000
    DEF_WLAN0_WEP_DEFAULT_KEY=0
    DEF_WLAN0_WEP_KEY_TYPE=0
    DEF_WLAN0_FRAG_THRESHOLD=2346
    DEF_WLAN0_SUPPORTED_RATES=4095
    DEF_WLAN0_BEACON_INTERVAL=100
    DEF_WLAN0_PREAMBLE_TYPE=0
    DEF_WLAN0_BASIC_RATES=15
    DEF_WLAN0_RTS_THRESHOLD=2347
    DEF_WLAN0_AUTH_TYPE=2
    DEF_WLAN0_HIDDEN_SSID=0
    DEF_WLAN0_WLAN_DISABLED=0
    DEF_WLAN0_INACTIVITY_TIME=30000
    DEF_WLAN0_RATE_ADAPTIVE_ENABLED=1
    DEF_WLAN0_DTIM_PERIOD=3
    DEF_WLAN0_MODE=0
    DEF_WLAN0_NETWORK_TYPE=0
    DEF_WLAN0_IAPP_DISABLED=0
    DEF_WLAN0_PROTECTION_DISABLED=0
    DEF_WLAN0_DEFAULT_SSID=""
    DEF_WLAN0_WDS_ENABLED=0
    DEF_WLAN0_WDS_NUM=0
    DEF_WLAN0_WDS_ENCRYPT=0
    DEF_WLAN0_WDS_WEP_FORMAT=0
    DEF_WLAN0_WDS_WEP_KEY=""
    DEF_WLAN0_WDS_PSK_FORMAT=0
    DEF_WLAN0_WDS_PSK=""
    DEF_WLAN0_ENCRYPT=0
    DEF_WLAN0_ENABLE_SUPP_NONWPA=0
    DEF_WLAN0_SUPP_NONWPA=0
    DEF_WLAN0_WPA_AUTH=2
    DEF_WLAN0_WPA_CIPHER_SUITE=1
    DEF_WLAN0_WPA_PSK=""
    DEF_WLAN0_WPA_GROUP_REKEY_TIME=86400
    DEF_WLAN0_MAC_AUTH_ENABLED=0
    DEF_WLAN0_RS_IP=0.0.0.0
    DEF_WLAN0_RS_PORT=1812
    DEF_WLAN0_RS_PASSWORD=""
    DEF_WLAN0_RS_MAXRETRY=3
    DEF_WLAN0_RS_INTERVAL_TIME=5
    DEF_WLAN0_ACCOUNT_RS_ENABLED=0
    DEF_WLAN0_ACCOUNT_RS_IP=0.0.0.0
    DEF_WLAN0_ACCOUNT_RS_PORT=1813
    DEF_WLAN0_ACCOUNT_RS_PASSWORD=""
    DEF_WLAN0_ACCOUNT_RS_UPDATE_ENABLED=0
    DEF_WLAN0_ACCOUNT_RS_UPDATE_DELAY=60
    DEF_WLAN0_ACCOUNT_RS_MAXRETRY=3
    DEF_WLAN0_ACCOUNT_RS_INTERVAL_TIME=5
    DEF_WLAN0_ENABLE_1X=0
    DEF_WLAN0_PSK_FORMAT=0
    DEF_WLAN0_WPA2_PRE_AUTH=0
    DEF_WLAN0_WPA2_CIPHER_SUITE=0
    DEF_WLAN0_MACAC_NUM=0
    DEF_WLAN0_MACAC_ENABLED=0
    DEF_WLAN0_BLOCK_RELAY=0
    DEF_WLAN0_MACCLONE_ENABLED=0
    DEF_WLAN0_BAND=3
    DEF_WLAN0_FIX_RATE=0
    DEF_WLAN0_EASYCFG_ENABLED=97
    DEF_WLAN0_EASYCFG_MODE=110
    DEF_WLAN0_EASYCFG_SSID="y"
    DEF_WLAN0_EASYCFG_KEY=""
    DEF_WLAN0_EASYCFG_DIGEST=""
    DEF_WLAN0_EASYCFG_ALG_REQ=32
    DEF_WLAN0_EASYCFG_ALG_SUPP=36
    DEF_WLAN0_EASYCFG_ROLE=0
    DEF_WLAN0_EASYCFG_SCAN_SSID="REALTEK_EASY_CONFIG"
    DEF_WLAN0_EASYCFG_WLAN_MODE=0
    DEF_WLAN1_WLAN_MAC_ADDR=000000000000
    DEF_WLAN1_SSID="802.11g-SSID"
    DEF_WLAN1_CHANNEL=11
    DEF_WLAN1_WEP=0
    DEF_WLAN1_WEP64_KEY1=0000000000
    DEF_WLAN1_WEP64_KEY2=0000000000
    DEF_WLAN1_WEP64_KEY3=0000000000
    DEF_WLAN1_WEP64_KEY4=0000000000
    DEF_WLAN1_WEP128_KEY1=00000000000000000000000000
    DEF_WLAN1_WEP128_KEY2=00000000000000000000000000
    DEF_WLAN1_WEP128_KEY3=00000000000000000000000000
    DEF_WLAN1_WEP128_KEY4=00000000000000000000000000
    DEF_WLAN1_WEP_DEFAULT_KEY=0
    DEF_WLAN1_WEP_KEY_TYPE=0
    DEF_WLAN1_FRAG_THRESHOLD=2346
    DEF_WLAN1_SUPPORTED_RATES=4095
    DEF_WLAN1_BEACON_INTERVAL=100
    DEF_WLAN1_PREAMBLE_TYPE=0
    DEF_WLAN1_BASIC_RATES=15
    DEF_WLAN1_RTS_THRESHOLD=2347
    DEF_WLAN1_AUTH_TYPE=2
    DEF_WLAN1_HIDDEN_SSID=0
    DEF_WLAN1_WLAN_DISABLED=0
    DEF_WLAN1_INACTIVITY_TIME=30000
    DEF_WLAN1_RATE_ADAPTIVE_ENABLED=1
    DEF_WLAN1_DTIM_PERIOD=3
    DEF_WLAN1_MODE=0
    DEF_WLAN1_NETWORK_TYPE=0
    DEF_WLAN1_IAPP_DISABLED=0
    DEF_WLAN1_PROTECTION_DISABLED=0
    DEF_WLAN1_DEFAULT_SSID=""
    DEF_WLAN1_WDS_ENABLED=0
    DEF_WLAN1_WDS_NUM=0
    DEF_WLAN1_WDS_ENCRYPT=0
    DEF_WLAN1_WDS_WEP_FORMAT=0
    DEF_WLAN1_WDS_WEP_KEY=""
    DEF_WLAN1_WDS_PSK_FORMAT=0
    DEF_WLAN1_WDS_PSK=""
    DEF_WLAN1_ENCRYPT=0
    DEF_WLAN1_ENABLE_SUPP_NONWPA=0
    DEF_WLAN1_SUPP_NONWPA=0
    DEF_WLAN1_WPA_AUTH=2
    DEF_WLAN1_WPA_CIPHER_SUITE=1
    DEF_WLAN1_WPA_PSK=""
    DEF_WLAN1_WPA_GROUP_REKEY_TIME=86400
    DEF_WLAN1_MAC_AUTH_ENABLED=0
    DEF_WLAN1_RS_IP=0.0.0.0
    DEF_WLAN1_RS_PORT=1812
    DEF_WLAN1_RS_PASSWORD=""
    DEF_WLAN1_RS_MAXRETRY=3
    DEF_WLAN1_RS_INTERVAL_TIME=5
    DEF_WLAN1_ACCOUNT_RS_ENABLED=0
    DEF_WLAN1_ACCOUNT_RS_IP=0.0.0.0
    DEF_WLAN1_ACCOUNT_RS_PORT=1813
    DEF_WLAN1_ACCOUNT_RS_PASSWORD=""
    DEF_WLAN1_ACCOUNT_RS_UPDATE_ENABLED=0
    DEF_WLAN1_ACCOUNT_RS_UPDATE_DELAY=60
    DEF_WLAN1_ACCOUNT_RS_MAXRETRY=3
    DEF_WLAN1_ACCOUNT_RS_INTERVAL_TIME=5
    DEF_WLAN1_ENABLE_1X=0
    DEF_WLAN1_PSK_FORMAT=0
    DEF_WLAN1_WPA2_PRE_AUTH=0
    DEF_WLAN1_WPA2_CIPHER_SUITE=0
    DEF_WLAN1_MACAC_NUM=0
    DEF_WLAN1_MACAC_ENABLED=0
    DEF_WLAN1_BLOCK_RELAY=0
    DEF_WLAN1_MACCLONE_ENABLED=0
    DEF_WLAN1_BAND=3
    DEF_WLAN1_FIX_RATE=0
    DEF_WLAN1_EASYCFG_ENABLED=0
    DEF_WLAN1_EASYCFG_MODE=1
    DEF_WLAN1_EASYCFG_SSID=""
    DEF_WLAN1_EASYCFG_KEY=""
    DEF_WLAN1_EASYCFG_DIGEST=""
    DEF_WLAN1_EASYCFG_ALG_REQ=32
    DEF_WLAN1_EASYCFG_ALG_SUPP=36
    DEF_WLAN1_EASYCFG_ROLE=0
    DEF_WLAN1_EASYCFG_SCAN_SSID="REALTEK_EASY_CONFIG"
    DEF_WLAN1_EASYCFG_WLAN_MODE=0
    DNS1=0.0.0.0
    DNS2=0.0.0.0
    DNS3=0.0.0.0
    DHCP_CLIENT_START=192.168.1.100
    DHCP_CLIENT_END=192.168.1.200
    ELAN_MAC_ADDR=000000000000
    DEVICE_NAME="WMB54G"
    IP_ADDR=192.168.0.101
    SUBNET_MASK=255.255.255.0
    DEFAULT_GATEWAY=192.168.0.1
    DHCP=1
    STP_ENABLED=1
    SUPER_NAME="super"
    SUPER_PASSWORD="super"
    USER_NAME=""
    USER_PASSWORD="admin"
    SCRLOG_ENABLED=0
    AUTODISCOVERY_ENABLED=0
    OP_MODE=0
    WISP_WAN_ID=0
    REMOTELOG_ENABLED=0
    REMOTELOG_SERVER=0.0.0.0
    WLAN0_WLAN_MAC_ADDR=000000000000
    WLAN0_SSID="river-lemon"
    WLAN0_CHANNEL=6
    WLAN0_WEP=1
    WLAN0_WEP64_KEY1=0000000000
    WLAN0_WEP64_KEY2=0000000000
    WLAN0_WEP64_KEY3=0000000000
    WLAN0_WEP64_KEY4=0000000000
    WLAN0_WEP128_KEY1=00000000000000000000000000
    WLAN0_WEP128_KEY2=00000000000000000000000000
    WLAN0_WEP128_KEY3=00000000000000000000000000
    WLAN0_WEP128_KEY4=00000000000000000000000000
    WLAN0_WEP_DEFAULT_KEY=0
    WLAN0_WEP_KEY_TYPE=1
    WLAN0_FRAG_THRESHOLD=2346
    WLAN0_SUPPORTED_RATES=4095
    WLAN0_BEACON_INTERVAL=100
    WLAN0_PREAMBLE_TYPE=0
    WLAN0_BASIC_RATES=15
    WLAN0_RTS_THRESHOLD=2347
    WLAN0_AUTH_TYPE=2
    WLAN0_HIDDEN_SSID=0
    WLAN0_WLAN_DISABLED=0
    WLAN0_INACTIVITY_TIME=30000
    WLAN0_RATE_ADAPTIVE_ENABLED=1
    WLAN0_DTIM_PERIOD=3
    WLAN0_MODE=1
    WLAN0_NETWORK_TYPE=0
    WLAN0_IAPP_DISABLED=0
    WLAN0_PROTECTION_DISABLED=0
    WLAN0_DEFAULT_SSID=""
    WLAN0_WDS_ENABLED=0
    WLAN0_WDS_NUM=0
    WLAN0_WDS_ENCRYPT=0
    WLAN0_WDS_WEP_FORMAT=0
    WLAN0_WDS_WEP_KEY=""
    WLAN0_WDS_PSK_FORMAT=0
    WLAN0_WDS_PSK=""
    WLAN0_ENCRYPT=1
    WLAN0_ENABLE_SUPP_NONWPA=0
    WLAN0_SUPP_NONWPA=0
    WLAN0_WPA_AUTH=2
    WLAN0_WPA_CIPHER_SUITE=1
    WLAN0_WPA_PSK=""
    WLAN0_WPA_GROUP_REKEY_TIME=86400
    WLAN0_MAC_AUTH_ENABLED=0
    WLAN0_RS_IP=0.0.0.0
    WLAN0_RS_PORT=1812
    WLAN0_RS_PASSWORD=""
    WLAN0_RS_MAXRETRY=3
    WLAN0_RS_INTERVAL_TIME=5
    WLAN0_ACCOUNT_RS_ENABLED=0
    WLAN0_ACCOUNT_RS_IP=0.0.0.0
    WLAN0_ACCOUNT_RS_PORT=1813
    WLAN0_ACCOUNT_RS_PASSWORD=""
    WLAN0_ACCOUNT_RS_UPDATE_ENABLED=0
    WLAN0_ACCOUNT_RS_UPDATE_DELAY=60
    WLAN0_ACCOUNT_RS_MAXRETRY=3
    WLAN0_ACCOUNT_RS_INTERVAL_TIME=5
    WLAN0_ENABLE_1X=0
    WLAN0_PSK_FORMAT=0
    WLAN0_WPA2_PRE_AUTH=0
    WLAN0_WPA2_CIPHER_SUITE=0
    WLAN0_MACAC_NUM=0
    WLAN0_MACAC_ENABLED=0
    WLAN0_BLOCK_RELAY=0
    WLAN0_MACCLONE_ENABLED=0
    WLAN0_BAND=3
    WLAN0_FIX_RATE=0
    WLAN0_EASYCFG_ENABLED=0
    WLAN0_EASYCFG_MODE=110
    WLAN0_EASYCFG_SSID="y"
    WLAN0_EASYCFG_KEY=""
    WLAN0_EASYCFG_DIGEST=""
    WLAN0_EASYCFG_ALG_REQ=32
    WLAN0_EASYCFG_ALG_SUPP=36
    WLAN0_EASYCFG_ROLE=0
    WLAN0_EASYCFG_SCAN_SSID="REALTEK_EASY_CONFIG"
    WLAN0_EASYCFG_WLAN_MODE=1
    WLAN1_WLAN_MAC_ADDR=000000000000
    WLAN1_SSID="802.11g-SSID"
    WLAN1_CHANNEL=11
    WLAN1_WEP=0
    WLAN1_WEP64_KEY1=0000000000
    WLAN1_WEP64_KEY2=0000000000
    WLAN1_WEP64_KEY3=0000000000
    WLAN1_WEP64_KEY4=0000000000
    WLAN1_WEP128_KEY1=00000000000000000000000000
    WLAN1_WEP128_KEY2=00000000000000000000000000
    WLAN1_WEP128_KEY3=00000000000000000000000000
    WLAN1_WEP128_KEY4=00000000000000000000000000
    WLAN1_WEP_DEFAULT_KEY=0
    WLAN1_WEP_KEY_TYPE=0
    WLAN1_FRAG_THRESHOLD=2346
    WLAN1_SUPPORTED_RATES=4095
    WLAN1_BEACON_INTERVAL=100
    WLAN1_PREAMBLE_TYPE=0
    WLAN1_BASIC_RATES=15
    WLAN1_RTS_THRESHOLD=2347
    WLAN1_AUTH_TYPE=2
    WLAN1_HIDDEN_SSID=0
    WLAN1_WLAN_DISABLED=0
    WLAN1_INACTIVITY_TIME=30000
    WLAN1_RATE_ADAPTIVE_ENABLED=1
    WLAN1_DTIM_PERIOD=3
    WLAN1_MODE=0
    WLAN1_NETWORK_TYPE=0
    WLAN1_IAPP_DISABLED=0
    WLAN1_PROTECTION_DISABLED=0
    WLAN1_DEFAULT_SSID=""
    WLAN1_WDS_ENABLED=0
    WLAN1_WDS_NUM=0
    WLAN1_WDS_ENCRYPT=0
    WLAN1_WDS_WEP_FORMAT=0
    WLAN1_WDS_WEP_KEY=""
    WLAN1_WDS_PSK_FORMAT=0
    WLAN1_WDS_PSK=""
    WLAN1_ENCRYPT=0
    WLAN1_ENABLE_SUPP_NONWPA=0
    WLAN1_SUPP_NONWPA=0
    WLAN1_WPA_AUTH=2
    WLAN1_WPA_CIPHER_SUITE=1
    WLAN1_WPA_PSK=""
    WLAN1_WPA_GROUP_REKEY_TIME=86400
    WLAN1_MAC_AUTH_ENABLED=0
    WLAN1_RS_IP=0.0.0.0
    WLAN1_RS_PORT=1812
    WLAN1_RS_PASSWORD=""
    WLAN1_RS_MAXRETRY=3
    WLAN1_RS_INTERVAL_TIME=5
    WLAN1_ACCOUNT_RS_ENABLED=0
    WLAN1_ACCOUNT_RS_IP=0.0.0.0
    WLAN1_ACCOUNT_RS_PORT=1813
    WLAN1_ACCOUNT_RS_PASSWORD=""
    WLAN1_ACCOUNT_RS_UPDATE_ENABLED=0
    WLAN1_ACCOUNT_RS_UPDATE_DELAY=60
    WLAN1_ACCOUNT_RS_MAXRETRY=3
    WLAN1_ACCOUNT_RS_INTERVAL_TIME=5
    WLAN1_ENABLE_1X=0
    WLAN1_PSK_FORMAT=0
    WLAN1_WPA2_PRE_AUTH=0
    WLAN1_WPA2_CIPHER_SUITE=0
    WLAN1_MACAC_NUM=0
    WLAN1_MACAC_ENABLED=0
    WLAN1_BLOCK_RELAY=0
    WLAN1_MACCLONE_ENABLED=0
    WLAN1_BAND=3
    WLAN1_FIX_RATE=0
    WLAN1_EASYCFG_ENABLED=0
    WLAN1_EASYCFG_MODE=1
    WLAN1_EASYCFG_SSID=""
    WLAN1_EASYCFG_KEY=""
    WLAN1_EASYCFG_DIGEST=""
    WLAN1_EASYCFG_ALG_REQ=32
    WLAN1_EASYCFG_ALG_SUPP=36
    WLAN1_EASYCFG_ROLE=0
    WLAN1_EASYCFG_SCAN_SSID="REALTEK_EASY_CONFIG"
    WLAN1_EASYCFG_WLAN_MODE=0

    Isn't anyone here at all interested in this device?
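
A way to check dumps like the two above before posting or archiving them, as an added example that is not part of the original posts: it parses the `nvram show` / `flash all` key=value format, flags secrets stored in cleartext, secrets still equal to their `DEF_` factory value, and WEP, then renders a copy with secret values masked. The sample input is constructed from keys shown in the thread; the secret-key name pattern and the reading of a non-zero `WLANn_WEP` as "WEP on" are assumptions.

```python
import re

# Constructed sample in the two formats from the thread: `nvram show` keys,
# then `flash all` keys (DEF_* factory table followed by the active values).
SAMPLE = """\
# nvram show
wl0_security_mode=wep
wl0_wep_passphrase=
wl0_key=0
login_username=myuser
login_password=mypass
HW_WLAN0_TX_POWER_CCK=0404040404040404
040404040404
DEF_SUPER_NAME="super"
DEF_SUPER_PASSWORD="super"
DEF_WLAN0_WEP=0
SUPER_NAME="super"
SUPER_PASSWORD="super"
USER_PASSWORD="admin"
WLAN0_WEP=1
WLAN0_WEP64_KEY1=0000000000
WLAN0_WPA_PSK=""
"""

# Assumption: key names that hold secret material, judged from the names only.
SECRET_RE = re.compile(
    r"PASSWORD|PASSPHRASE|_PSK$|_KEY\d$|WDS_WEP_KEY$|EASYCFG_KEY$", re.I)
LINE_RE = re.compile(r"([A-Za-z_]\w*)=(.*)$")


def parse_dump(text):
    """Return {key: value}. A line without key= continues the previous value,
    because the serial terminal wraps long values."""
    settings, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or shell prompt
            continue
        m = LINE_RE.match(line)
        if m:
            last = m.group(1)
            settings[last] = m.group(2).strip('"')
        elif last is not None:
            settings[last] += line
    return settings


def is_set(value):
    """Empty and all-zero values are unused slots, not secrets."""
    return value.strip("0") != ""


def audit(settings):
    """Return (finding, key) tuples; values are never included."""
    findings = []
    for key, value in settings.items():
        if key.startswith("DEF_"):
            continue                     # factory table: only used for comparison
        if SECRET_RE.search(key) and is_set(value):
            findings.append(("cleartext-secret", key))
            if settings.get("DEF_" + key) == value:
                findings.append(("factory-default-secret", key))
            name_key = re.sub("PASSWORD", "NAME", key)  # SUPER_PASSWORD -> SUPER_NAME
            if name_key != key and settings.get(name_key) == value:
                findings.append(("password-equals-username", key))
        # Assumption: a non-zero WLANn_WEP means WEP is switched on.
        if (key.endswith("security_mode") and value.lower() == "wep") or \
           (re.fullmatch(r"WLAN\d_WEP", key) and value != "0"):
            findings.append(("wep-enabled", key))
    return findings


def redact(settings):
    """Render the dump again with every set secret value masked."""
    return "\n".join(
        f"{k}={'<redacted>' if SECRET_RE.search(k) and is_set(v) else v}"
        for k, v in settings.items())


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE)
    for finding, key in audit(parsed):
        print(f"{finding:26} {key}")
    print(redact(parsed))
```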
     
  4. willn

    willn Guest

    Hi, I'm trying to get a UART wired up for a WMB54G but I'm having a little trouble getting into the case (I'd rather not destroy it!). I've taken the two torx bolts out of the bottom of the unit but the top and bottom sections of the casing seem still firmly held together. Can anyone suggest how I might open it up?

    Thanks,
     
  5. gashog7

    gashog7 Guest

    WMB54G as an access point

    I stumbled upon this only because I was wanting to find out the full capabilities of this device. I have connected the bridge to a router via wired port and set it to a static ip outside dhcp range but still within the router's subnet. I then set the wireless portion to infrastructure and applied the settings to reboot the unit. I wanted to see if a wireless pc could detect the wireless signal but nothing. So then I set the wireless portion of the bridge to ad-hoc mode and my computer as well then gave the pc an SSID and left it set to dhcp. I went back to the bridge and checked for signals and it picked up the PC, which I connected to and the PC picked up an address from the router!
    This means the router is handing out dhcp addresses through the bridge in ad-hoc mode only (I tried in "infra" mode but no go). I am now hoping there is some way to get the internet signal coming from the router through the bridge. I have not yet tested to see if it still will stream the audio to it but since I don't have an actual AP or router I'm hoping there might be someone else who can take this a bit further.
     
  6. kuangeleven

    kuangeleven LI Guru Member

    @emuman100: thanks for posting all of the information, with this I was able to resurrect a dead wmb54g.

    @willn: I had to remove the "label" that wraps around the outside of the device, and then it's pretty clear where you must push to get the top panel to pop off. You might be able to find this without removing the label, it's a 1/2" by 1/4" rectangle just above the lights. I also had to remove the back panel label to get the top and bottom parts of the device apart.

    Sorry, no pictures to post, but that should be enough to give you the idea.

    To hook up the UART pins, I purchased an RS232 shifter from sparkfun. Pin 1 (tx) gets hooked up to rx on the shifter; pin 7 (rx) gets hooked up to tx on the shifter. Vcc/Ground connect to the same ports on the shifter. The shifter has a DB-9 port which gets hooked up to your serial port, of course.

    I fired up a RealTerm at 38400 8-n-1 and had no problems getting terminal output.

    If you hit the reset button when you see the following in your terminal:

    ---RealTek(RTL8186)at 2005.11.08-15:14+0800 version 1.3c [16bit](180MHz)
    no sys signature at 00010000!

    You get dropped to a <RealTek> prompt, that gives you a limited number of options:

    ---Escape booting by user
    <RealTek>help
    ----------------- COMMAND MODE HELP ------------------
    HELP (?) : Print this help message
    D <Address> <Len>
    EW <Address> <Value1> <Value2>...
    EH <Address> <Value1> <Value2>...
    EB <Address> <Value1> <Value2>...
    EC <Address> <Value1> <Length>...
    CMP: CMP <dst><src><length>
    IPCONFIG:<TargetAddress>
    J: Jump to <TargetAddress>
    FLW: FLW <dst><src><length>
    FLR: FLR <dst><src><length>
    LOADADDR: <Load Address>
    AUTOBURN: 0/1

    From this prompt, you can set the WMB's ip address using IPCONFIG and then tftp new firmware to the device.

    In my case I was able to tftp the newest stock firmware image from the Linksys website. I did:

    tftp -i 192.168.1.6 put WMB54G_v2.18_200801295.bin

    Where 192.168.1.6 was the ip I'd assigned at the RealTek prompt.

    If someone figured out how to rebuild the stock firmware with customizations this might be the way to flash the device without having to use linksys's firmware updater.

    Also this might be the way to fix bricked units too -- mine was bricked. I wasn't able to reset it or get linksys' setup tool to find it no matter what I tried. Once I hooked up the serial port I discovered that it was caught in an endless loop of reboots due to a corrupt nvram but it would get a SIGSEGV when trying to re-init the nvram.

    Unfortunately, I messed up pin 1 on the connector and was only able to get a good serial connection with a temporary solder point to one of the SMD resistors connected to the same trace, so I don't have a good, reusable serial connection to my unit. I >do< have a working unit, which I'm very happy about. Thanks for taking the time to post this info.
     
  7. mmarshall

    mmarshall Guest

    I'm interested in purchasing one of these to play with. Did anyone ever have success with flashing a custom firmware?

    I downloaded the firmware source and was able to build the image, even with a modification, but I would like to know if the device accepts non-linksys firmware without a problem.

    If someone is willing to try it out I've a modified build here: http://media.matthewmarshall.org/Linksys_WMB54G_v2.18_hacked.bin (Use tftp like kuangeleven shows.)

    If it works, loading index.asp in the browser should have the message "custom firmware" pop up.

    MWM
     
