Linksys WRT54G3G Firmware-Clone / Mac address

Discussion in 'X-WRT - OpenWRT Firmware' started by chloderic, Apr 3, 2008.

  1. chloderic

    chloderic Addicted to LI Member


    I flashed my bricked WRT54G3G with the complete firmware (incl. CFE, NVRAM... really ALL) using an image of my first router; in about 2.5 hours it was done (JTAG cable...).

    I did it this way because I had no success with other solutions;
    now I have access to this second router and I flashed X-WRT... so far, no problem... :smile:

    Because I tried to load different packages into this X-WRT router via the web interface, I need to have Internet access with it.

    I plugged this second router into my PC, which has access to the net via a mobile net, and now it happens that my wireless access to the first router (the one with access) breaks down at that moment, not once but every time!
    Now I can only communicate with the second router (X-WRT), which is plugged directly into the PC, which means I have no access to the Internet that way.

    I think I cloned the MAC address too while flashing, and so this problem... 2 identical MACs in one net...

    Here is my question: I found several tools to change the MAC address of a WRT54XXX, but no tool to do this with a WRT54G3G. I think this is necessary, because in the CFE.BIN I can find an entry MAC, but it seems to be encoded; the number I can see has nothing to do with the MAC of my first or second router...

    Has anybody a solution here?
  2. mstombs

    mstombs Network Guru Member

  3. chloderic

    chloderic Addicted to LI Member

    Thanks, I have seen this before, but the question for me is not to get a cfe.bin; I have my own from the first router and, as I said, it works well with the second router. But in the cfe.bin you linked you can find the entries .... et0macaddr=00:90:4C:60:00:2A .... il0macaddr=00:90:4c:5f:00:2a .

    In my cfe.bin I can also find such entries (sure... other numbers...), but these entries are NOT my MAC addresses, although this cfe.bin I used was grabbed by me from my own first router.

    Therefore I think the MAC addresses in these files are encrypted?


  4. mstombs

    mstombs Network Guru Member

    I doubt they are encrypted; I guess Lucar has changed the default, which may only be used when communicating directly with the router in bootloader tftp mode.

    I have just checked the source-code which I happen to have on my hard-disk. The Mac address seems to be stored in the nvram:-

    strcpy(mac, nvram_safe_get("et0macaddr"));
    MAC_ADD(mac);   // The wireless mac equal lan mac add 2
    ether_atoe(mac, ifr.ifr_hwaddr.sa_data);
    ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
    strncpy(ifr.ifr_name, wl_face, IFNAMSIZ);
    if (ioctl(s, SIOCSIFHWADDR, &ifr) == -1)
        perror("Write wireless mac fail : ");
    cprintf("Write wireless mac successfully\n");
    One value where the wireless is calculated by adding two.

    Can you get to a command line in this router? Or maybe backup the config and find it there?
  5. chloderic

    chloderic Addicted to LI Member

    Hi, me again,

    yes, the wireless MAC is calculated this way and then stored in nvram; after that you can modify these entries...
    But it seems to me that these changes in this RAM for the LAN MAC (the device MAC)
    are ignored after saving and rebooting, because I am "sitting" on this port while changing via LAN.
    So I guess that I have to change the base entry in the encrypted cfe.bin BEFORE the system is booting.
    In the other Linksys routers (not G3G) you can use tools to do this, but for this/my device I could not find such a tool... because this entry is encrypted and not plain text like in the cfe.bin of the other routers?


  6. mstombs

    mstombs Network Guru Member

    I see only reads of nvram variable "et0macaddr", can you not change it with

    nvram set et0macaddr 00:00:00:00:00:00
    nvram commit
    and reboot?
  7. chloderic

    chloderic Addicted to LI Member

    Thanks for your idea, I tried this; after the reboot I found the same result as after changing this value via the X-WRT web interface.
    The MAC address is only temporarily changed and after the reboot the device has the old settings in the nvram.
    As far as I know the nvram is written during the reboot, so it is the same here for this value too; the old "wrong" MAC (of my other device) was written into this value again...

    Other ideas?

  8. mstombs

    mstombs Network Guru Member

    if(nvram_match("mac_clone_enable","1") &&
       nvram_invmatch("def_hwaddr", "00:00:00:00:00:00") &&
       nvram_invmatch("def_hwaddr", "")){
        ether_atoe(nvram_safe_get("def_hwaddr"), ifr.ifr_hwaddr.sa_data);
        unsigned char mac[20];
        strcpy(mac, nvram_safe_get("et0macaddr"));
        MAC_ADD(mac);   // The wan mac equal lan mac add 1
        ether_atoe(mac, ifr.ifr_hwaddr.sa_data);
    There's this bit of code just above a use of et0macaddr so you could try

    nvram set mac_clone_enable 1
    nvram set def_hwaddr 00:00:00:00:00:00   <-- your desired MAC address
    nvram commit
    but it is possible there's a web screen way of doing this which will override?
  9. Bill_MI

    Bill_MI Network Guru Member

    Not sure if this helps or not...

    Looking at CFEs from a WRT54G v4 and an identically laid-out WRT54GS v3, they both agree on this. The 00:90:4C:60:00:2A seems to be a universal placeholder for nvram values et0macaddr and il0macaddr in both these units. It's appeared in actual nvram a few times on diagnostic posts, too, so it's pretty universal.

    The individual/unique MAC address of the unit is at offset 0x1E00, also in ASCII. A good hex editor can search for it.

    CFE size in both these is 256K.

    What I DON'T know is if some checksum or CRC must change somewhere else. Just a wild hunch this could be the case. With JTAG you can certainly attempt editing it and see what happens.

    EDIT: The base MAC at 0x1E00 is usually assigned to LAN and et0macaddr.
    WAN gets either same or +1
    Wireless and il0macaddr +2
    ...from standard initialization scripting.
  10. chloderic

    chloderic Addicted to LI Member

    Me again, I found a way...

    First I tried the different ways from mstombs (thx, nice for me to learn...),
    but these changes seem to be temporary, because after a reset or new boot they were changed back to the old values...

    Then I patched a copy of an original cfe.bin at the address 0x1E00 (yes, seems to be in the right direction...). I was a little bit confused while doing this, because the MAC here was not exactly the MAC on the housing of the original device...

    OK... I flashed the second device via JTAG and it was bricked... ****....
    Now I tried different known ways to revive the device; result:
    At about 12:30 PM I started a new flash of THE WHOLE FLASH (4096kb) via JTAG with a modified image I grabbed, and lay down for 3 hours...; after this the router was living again.
    I patched this flash at the address 0x1E00 with the MAC on the housing;


    The result: the device is living and has the MAC XX:XX:XX:XX:XX:31...!

    OK, I thought, here is the trick of the routine mstombs told us about... ONE was added to this base address!!! (THX for the idea!)

    Now I grabbed the bootloader from this wrong device and edited the MAC to:
    After this I erased the whole NVRAM as usual and rebooted, ET VOILA:
    The device is still living and the MAC address is really XX:XX:XX:XX:XX:30!!!!

    "Goal reached ..."

    Thank you both for the ideas, now I am on the way, but the solved problem "2 identical MACs in one net" was not all...

    If I connect this second device to the WLAN net... the WLAN is no longer reachable

    hm... it's going on, let's learn about this...


  11. Bill_MI

    Bill_MI Network Guru Member

    Chloderic, do you have the original CFE from the unit with the known MAC? I have seen interaction with the proper setting of the et0macaddr and il0macaddr on WRT54G(S) units. The proprietary stuff (like wireless drivers, etc.) likes things just so. For example, can you verify if that unit has that +1 offset?

    These variables initialize, I believe, directly from the CFE code using CFE data:
    et0macaddr (sets same as CFE 0x1e00)
    il0macaddr (always sets et0macaddr+2)

    These variables seem to be *firmware* entities related to MACs.
    I've seen wireless operation affected by their proper setting.
    lan_hwaddr (et0macaddr)
    wan_hwaddr (et0macaddr+1 and changeable for MAC cloning)
    wl0_hwaddr (il0macaddr)

    You may consider erasing NVRAM and see how the unit boots up. The CFE code should initialize NVRAM to what it wants.

    Of course, I realize that's a WRT54G3G that may act differently. But you have full recovery available.
  12. chloderic

    chloderic Addicted to LI Member

    Hello Bill_MI;

    I verified all, here the result:

    The original WRT54G3G:

    MAC at the housing: XX:XX:XX:XX:XX:5D
    Original MAC at 0x1E00 CFE.BIN: XX:XX:XX:XX:XX:5C
    Webinterface Linksys MAC-ROUTER: XX:XX:XX:XX:XX:5D
    Webinterface Linksys MAC-WLAN: XX:XX:XX:XX:XX:5E
    Webinterface Linksys MAC-LocalNet: XX:XX:XX:XX:XX:5C

    I cleared the whole flash of the second router, then I flashed the whole dump of the first router onto it, then I cleared CFE.BIN and NVRAM.BIN on this second router, then I modified the original CFE of the first router and flashed it to this second router. Here is the result after rebooting:

    MAC at the housing: YY:YY:YY:YY:YY:30
    Original MAC at 0x1E00 CFE.BIN: YY:YY:YY:YY:YY:2F
    Webinterface Linksys MAC-ROUTER: YY:YY:YY:YY:YY:30
    Webinterface Linksys MAC-WLAN: YY:YY:YY:YY:YY:31
    Webinterface Linksys MAC-LocalNet: YY:YY:YY:YY:YY:2F



    By the way... it seems that the MAC on the housing is NOT the base MAC, it is the WAN MAC....
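    As an added example (not code from any poster in this thread, nor from the Linksys or X-WRT firmware), the following Python script pulls the pieces of posts #4, #9, #11 and #12 together: it reads the ASCII base MAC at CFE offset 0x1E00, derives the LAN (et0macaddr), WAN (+1) and wireless (il0macaddr, +2) addresses the firmware assigns, converts the label on the housing back to the base MAC as post #12 observed (housing = WAN = base+1), patches a copy of the image in place without changing its length, and lists every address two units would end up sharing. The clash check goes a little beyond the thread: it also catches two units whose base MACs sit within two of each other, not only a byte-for-byte clone. The sample image and the 00:11:22:... addresses are constructed; the carry across octet boundaries in mac_add and the upper-case hex written by patch_cfe_mac are this example's assumptions, and no CFE checksum is recomputed (the thread only suspects one may exist).

```python
"""Constructed worked example: base MAC at CFE offset 0x1E00 and the
addresses derived from it, plus a duplicate-MAC check across units."""
import re
from typing import Dict, List, Tuple

CFE_MAC_OFFSET = 0x1E00   # offset of the unit's ASCII MAC in the CFE, per the thread
CFE_SIZE = 256 * 1024     # CFE size stated in the thread (256K)
MAC_LEN = 17              # length of "XX:XX:XX:XX:XX:XX"
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Roles and their offsets from the base MAC, as described in the thread:
# LAN/et0macaddr = base, WAN = base+1, wireless/il0macaddr = base+2.
ROLE_OFFSETS = {"lan_hwaddr": 0, "wan_hwaddr": 1, "wl0_hwaddr": 2}


def mac_to_int(mac: str) -> int:
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    value &= (1 << 48) - 1
    return ":".join(f"{(value >> (8 * (5 - i))) & 0xFF:02X}" for i in range(6))


def mac_add(mac: str, n: int) -> str:
    """Add n to a MAC as a 48-bit integer. Assumption: the thread only shows
    changes inside the last octet; carrying beyond it is this example's choice."""
    return int_to_mac(mac_to_int(mac) + n)


def derive_addresses(base: str) -> Dict[str, str]:
    """LAN, WAN and wireless addresses the firmware derives from the base MAC."""
    return {role: mac_add(base, off) for role, off in ROLE_OFFSETS.items()}


def housing_to_base(housing_mac: str) -> str:
    """Post #12 found the label on the housing is the WAN MAC, i.e. base+1."""
    return mac_add(housing_mac, -1)


def read_cfe_mac(image: bytes) -> str:
    """Return the ASCII MAC stored at 0x1E00, or raise if nothing valid is there."""
    field = image[CFE_MAC_OFFSET:CFE_MAC_OFFSET + MAC_LEN]
    try:
        text = field.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("no ASCII text at 0x1E00") from None
    if not MAC_RE.match(text):
        raise ValueError(f"no MAC at 0x1E00, found {text!r}")
    return text.upper()


def patch_cfe_mac(image: bytes, new_mac: str) -> bytes:
    """Return a copy of the image with the 0x1E00 field replaced in place.
    The field keeps its length, so nothing shifts; any checksum elsewhere in
    the CFE (the thread suspects one may exist) is NOT updated here."""
    read_cfe_mac(image)  # refuse to patch an image that has no MAC field there
    if not MAC_RE.match(new_mac):
        raise ValueError(f"not a MAC address: {new_mac!r}")
    buf = bytearray(image)
    buf[CFE_MAC_OFFSET:CFE_MAC_OFFSET + MAC_LEN] = new_mac.upper().encode("ascii")
    return bytes(buf)


def find_clashes(unit_bases: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Every derived address used by more than one unit, with its owners as
    "unit:role" strings. Catches cloned CFEs and bases that sit too close."""
    owners: Dict[str, List[str]] = {}
    for unit, base in unit_bases.items():
        for role, mac in derive_addresses(base).items():
            owners.setdefault(mac, []).append(f"{unit}:{role}")
    return sorted((mac, sorted(o)) for mac, o in owners.items() if len(o) > 1)


def make_sample_cfe(mac: str) -> bytes:
    """Constructed stand-in for a CFE dump: zero-filled, MAC written at 0x1E00."""
    buf = bytearray(CFE_SIZE)
    buf[CFE_MAC_OFFSET:CFE_MAC_OFFSET + MAC_LEN] = mac.encode("ascii")
    return bytes(buf)


if __name__ == "__main__":
    # Constructed values shaped like post #12's table (its XX/YY prefixes are placeholders).
    first = make_sample_cfe("00:11:22:33:44:5C")
    cloned = bytes(first)  # the second router after a full JTAG clone of the first
    units = {"first": read_cfe_mac(first), "second": read_cfe_mac(cloned)}
    print("clashes after clone:", find_clashes(units))
    fixed = patch_cfe_mac(cloned, housing_to_base("00:11:22:33:44:30"))
    print("second unit now:", derive_addresses(read_cfe_mac(fixed)))
    units["second"] = read_cfe_mac(fixed)
    print("clashes after fix:", find_clashes(units))
```

    Run it as-is to see the clone scenario reported and then cleared; to check real dumps, replace make_sample_cfe with the bytes of a cfe.bin read from disk. The clash list is the useful output for the problem in post #1: it shows not just that two units share a base MAC, but which derived addresses (LAN, WAN, wireless) collide on the wire.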
  13. Bill_MI

    Bill_MI Network Guru Member

    Interesting finding. Is everything now working?
  14. chloderic

    chloderic Addicted to LI Member

    Now I am online with this debricked device with the Linksys firmware; it seems that everything is running well with the correct MAC.

    I have inserted my Option data card in the slot of the device and am connected via WPA2 WLAN to this device.
    So I am online via UMTS in the mobile net with about 360kbps.

    Next I will try to flash X-WRT Whiterussian again to this WRT54G3G and try to get it to run..

    So long
