WCG200 Firmware Project Started.

  1. zabb65

    I recently ripped apart my WCG200, built a serial cable for it, and had some fun.

    I am posting my findings here to see if anyone has any insight on getting both off and onto the device through the serial port, as it doesn't appear to have pinouts for JTAG, and because it's a ball grid array I can't get access to the pins directly.

    Board photos on request because of image size.

    Runs VxWorks, unknown version; I would assume VxWorks 2.1 or 2.2.

    Board version is 1.2b and uses the Broadcom DOCSIS 2.0 system on chip.

    Mini-PCI wireless card, the usual Broadcom suspect, an Intel flash chip, and the rest of the chips are Broadcom or no-name DDRAM. RAM is 16MB.

    On the software side it uses a QoStek bootloader, and runs the default VxWorks/Broadcom cable modem software combo that most cable modems run. I have a full shell I can exploit from the serial console, and can try suggestions and post logs on request.

    A log of startup can be found at http://www.geocities.com/zabb65/cablemodem.txt
    (Garbled part is when I accidentally touched the casing of the ethernet switch and disrupted the ground, causing a segfault)

    HTTP interface is unexploitable as far as I can tell, due to the fact that it doesn't directly execute commands through the VxWorks shell.

    As you might notice there is a telnet daemon that can be enabled, and it provides a shell, but I haven't gotten it working yet.

    Another interesting tidbit is the matrix reference during the startup of the cable modem application.

    Hope somebody can help me, and if not, I will figure something out on my own and get a project started.

    (Rambling post, I know, have never been good at expressing info in a fully coherent way)

    Edit: It's Tornado 2.2 or a VxWorks 5.x distribution. Can be netbooted fairly easily, and internal pictures will be posted tomorrow. Shame that nobody is interested.
  2. skippy76

    I'm 100% interested. I have a WCG200 V2 with the comcast firmware... would LOVE to do something with this thing to get some decent firmware on to it.

    Is there anything that I can do to help?


  3. zabb65

    If you know of any way to get the firmware off of the device it would be appreciated, because I know how to get new firmware onto it, but I don't have a copy to rip apart and figure out if I can somehow use the web interface to do stuff with it, to allow normal users to add new firmware without making a serial cable.
  4. skippy76

    Does the device support anything like TFTP?
  5. Dachannien

    Any progress on figuring out this device?
  6. hans_gregor

    I made some photos, and I will post them tonight.
  7. hans_gregor

  8. driz


    I picked up v1 of the WCG200 at Fry's last year but it's been sitting in my closet due to constant brief disconnects that knock me off AIM. I've read a lot of other people's posts with the exact same problem but have not seen any solutions. I would love to get new firmware for this thing, assuming firmware is the issue. It's a shame that Linksys thinks it's cool to push out an expensive product and never provide firmware updates for it.
  9. rachpoil

    Just to give my 2 cents, I think the reason why Linksys did not make any new firmware for the WCG200 is to allow cable Internet Service Providers more control over their clients, letting the ISP make their own firmware if they want to. It must be pretty attractive for some cable ISP network administrator to know exactly how their clients connect to their network.
  10. pat_vrs

    Can you share the way you push firmware onto it? TFTP? Serial cable?
  11. SygnusX1

    I need this.
    I hate my WCG200 the way it is now.
  12. davebirr

    Hey, great job.

    Can you share the serial pinout / connection points? I'd like to make a cable and see what I can do.
  13. zabb65


    In regards to this image, you are looking at the pins "backwards" to how I am used to describing them; it should be from right to left there, 3.3v<->ground<->receive<->transmit.
    You will have to play with the 3.3v and ground, because I know that was a pain to find, because they both register as 3.3v on a voltmeter, but one ACTUALLY is a ground.

    I have not touched this project in a fair bit of time, something that I quickly ran out of when school started up again. I will look into it for you all again, and see if I can't get something worked out for this. If you press p during boot, you have full options of loading firmware from a plethora of places, the most useful being a TFTP server. The most difficult part of this project will be getting the CM HAL device into an open source form, much like the trouble we are going through getting the wireless card into an open source form right now.

    You will have to create your own ttl to serial converter cable, but the device is fully capable of receiving data from the serial connection, unlike the surfboard 5120 sitting next to it in my pile of project boxes.
  14. nunyerb

    I have the WCG200 v2 from Cox cable company in Kansas.
    I moved to Iowa, which uses Mediacom.
    Mediacom internet does not work with my router/modem even though it is listed on their site as compliant with their network.

    I am definitely interested in this project, and if there is anything I can do to help let me know.

    I did contact Linksys and I have an RMA but I never sent in my modem/router... it's been a few months since they issued me the RMA# but I probably could still send the unit in for replacement.

    Anyhow, I'm thinking about taking it apart thanks to your pics.
    PLEASE PLEASE PLEASE do this project.

    My firmware version is "Firmware Version:". I looked in the user guide on the Linksys website (for ver 2.0) and it shows "" if that means anything at all.

    Note: my modem/router has areas missing in the router's configuration, such as obtain IP address automatically (DHCP) in the setup/internet connection area.
    Simply put, I do not even have a "setup/internet connection" area at all, as I'm sure Cox cable disabled that area.
    I think there is another area that I also can not change in my router that shows in the user guide.

    One more thing: my firmware might be OK (some features might be just disabled). If you see a master login/password could you post it so I can enable some features I so need... or would my master l/p be unique to Cox cable co?
    If you tell me how to pull my firmware off I'll do it and email it to you.
  15. iluvmopeds

    OMG if I could get DD-WRT installed on my WCG200 I would get a boner. Mine is a retail version, not issued by an ISP - it works great even tho many have troubles with them. I would gladly pay the author of any such firmware for their efforts. I assume mine is ver. 1.0 - there isn't a ver # given. Need to know something about it? I'll tear it open and take pics or whatever you want! I know zip - but would love to see it happen or help or 'donate' or whatever!
  16. nunyerb

    I would pay $50.00 right freaking now if I could just get the "RETAIL" firmware on mine.

    Someone tell me how to do it and if it is successful I would gladly pay the $$$$.
    Better freaking hurry, because if I can't get it done then I will just go buy a different router.
  17. jokker

    My WCG200 v2 has Firmware Version: where can I find another firmware, please? I run Linux on all my machines and some problems occur for clients using Linux hosts.
  18. tzm1

    I've been researching this for about 3 weeks (trying to help my friend out with his WCG200 v2, and, in turn, myself) and nobody seems to have a way to get the firmware off of Linksys modems. But if anybody still wants to work on it, I have a few ideas that I would like to run by everyone. Let me know if you guys are still interested.
  19. jokker

    Interested !
  20. tzm1

    I didn't think anybody was still reading this thread. Wow! Anyway, I've got a few ideas and I've been trying out a few different possibilities as far as how to access this thing. Just so everybody knows, my telnet/HyperTerminal/session commands and protocols are lousy, but if anybody that knows what they're doing can help me out on the command side, we should be able to get this to work. My friend and I are on Time Warner's Turbo high speed. We went to get him a new WCG200 v2 (retail), but because of where I am, I had to get TW's leased SA model. I didn't want to tear his box up until I figured this out, so I am using my old BEFCMU10 DOCSIS 1.0 as a test bench. I figure if I get the firmware off of mine, it should be pretty similar to getting it off the WCG200 v2 that he's got. What I've got so far is this:

    - Tried a Cisco console cable (DB9 to RJ45) -> no good, couldn't get a session.

    - Tried an IOGear serial-to-USB converter in reverse with a female USB A to male USB B -> no good, the converter only works one way, and it is the other way, with USB A as the host end.

    - Tried a regular USB cable, loaded drivers for the modem from the Linksys site and connected to my system -> no good, the modem loaded and was recognized, but I couldn't maintain a session for more than 30 seconds and the only port that I could connect with was 21 (why FTP worked, I don't know, but NONE of the other ports would take).

    I'm a little stumped at this point, but have any of you guys noticed how the header on the WCG200 v1 and v2 looks like the connector on a motherboard for the CD-ROM audio cord? I thought, "why not, nothing to lose, right?" Found an old audio cord and it plugged right in PERFECTLY!!!!! :) So no soldering necessary, and the pinouts are EXACTLY the same with the BEFCMU10 as they are with the WCG200! 3.3v-ground-Rx-Tx (having the audio cord attached made the readings VERY easy with a voltmeter!). Now I just need to connect the other end to an old serial cable like zabb65 had and I can see what I can get off of it.

    By the way, if anyone can get a hold of zabb65, that would be great, because I sent him a message and haven't heard back yet... unless someone else knows how to program and can rewrite the firmware like he was describing. Also, I noticed in his text file from the WCG200 that the HTTP admin login is administrator/administrator. I had my friend try that and he couldn't get in... TW must have changed it with their firmware push.

    If anyone has any ideas about ANY of this stuff, let me know. My friend and I would REALLY like to get this working because the router is a piece of bs and my WRT160N has been cranking like a champ since I flashed it with DD-WRT! (I have two boxes, my friend just has the one.) C'mon people, I know we can get this working if we all get together on this! :)

    One more thing... if we can't get any of this serial or terminal or anything else stuff to work, I have another alternative. Only the ISP is supposed to be able to access and flash the modems, right? And they do it through the coax, right? I have a TV tuner card in my system. If anybody can figure out how to do it... and nothing else works... try to write a Windows executable program (sorry, my Linux isn't for sh*t) that can try to read the firmware, configurations, whatever (preferably just copy the ENTIRE contents of the flash) back through the coax, into the TV tuner card, and save it as a file on the system. Mask it like TW is requesting a recall or dump of the flash or something so that the modem itself won't think anything of it and hopefully will process and send it without a login or encryption or anything (just the raw data or firmware file). Let me know what you think, everyone! And thanks for the interest!

    P.S. I've completely scoured the net and I can't get a copy of ANY Linksys firmware ANYWHERE, so this looks like the only option.
  21. tzm1

    O.K. I went out and got a serial plug and stripped the ends and connected a CD-ROM audio wire to the pins to connect it to my BEFCMU10. No breadboards or resistors or soldering or anything... just straight wires into the serial plug and into the wire to the modem. I'm using PuTTY to try to access the bootloader and my settings (according to a little research) are 115200,8,1,N. The problem is that all I'm getting on the screen when I open the session is random ASCII characters. So I know that I'm getting something off of the modem and the connection is good, but how do I get legitimate, readable text instead of just code translated into ASCII? (like what zabb65 got in his text file from post #1 of this thread)
  22. degarb

    1. Many of us need to fix the random reset of this modem.
    2. This would allow us to install one of those mjmd5 proxies, which would allow internet phone calls without having the computer turned on via ATA, for some providers that require crappy auths and running software.
  23. Artephak


    Hi, 8 years after you started the project, and regarding the current political restrictions and austerity that I'm worried about and affected by, I'm looking to repurpose old communication devices that can help me (or us) in case of an internet blackout and lack of service.

    So I got this WCG200 and I wish to know if progress was made to get it to act as a client, for example.

    I searched the web a lot about it and you seem to be the only one who tried something serious with it.

    PLEASE let me know if you got something or know someone who did. My little USB dongle will die soon and hot spots here are likely to be far and hard to seek.

    Thank you

  24. nunyerb

    Here is a lot more info that is more clear as far as serial data.
    Currently my setup is:
    Ubuntu 16.04 desktop x64
    USB to serial adapter (PL2303HX)
    Pinout (looking at the serial header from the side):
    front of device is to the left (all the lights)
    rear of device is to the right (all the LAN ports)
    <3.3v>, <ground>, <Tx>, <Rx>
    moserial app
    Device /dev/ttyUSB0
    Baud Rate 115200
    Data Bits 8
    Stop Bits 1
    Parity none
    Handshake (both hardware and software leave unchecked)
    Local Echo (leave unchecked)

    These settings also work in Windows 10 x64 with PuTTY.

    Here is a sample of the ASCII output:


    Flash detected @0xbe000000
    Askey BootLoader Version: V2.1.6dr
    Build Date: Aug 4 2004
    Build Time: 21:47:10
    IMG1 Program Header:
    Major Rev:0002
    Minor Rev:0000
    Build Time:2005/4/26 02:12:22 Z
    File Len:1923866 bytes
    Load Addr:80010000
    IMG2 Program Header:
    Major Rev:0002
    Minor Rev:0000
    Build Time:2005/4/26 02:12:22 Z
    File Len:1923866 bytes
    Load Addr:80010000

    Enter '1','2', or 'p' within 2 seconds or take default..

    As you can see, that '1','2', or 'p' looooooks very interesting.

    Had to come back on and add a little more since I'm having so much fun!

    CM> help

    Instance: ( 0 )Console Thread (0x80fd6194)

    ! ? REM cd dir
    find_command help history instances ls
    man pwd sleep syntax system_time
    mbufShow memShow ping read_memory reset
    routeShow run_app shell stackShow taskDelete
    Scanning DS Channel at 165000000 Hz...
    taskInfo taskPrioritySet taskResume taskShow taskSuspend
    taskTrace usfsShow version write_memory writenonvol
    [80211_hal] [HeapManager] [cablemedea] [cm_hal] [docsis_ctl]
    [embedded_target] [enet_hal] [event_log] [flash] [forwarder] [ip_hal]
    [msgLog] [non-vol] [pingHelper] [snmp] [snoop] [usb_hal] [vendor]


    It just keeps getting better and better.

    Board IP Gateway []:
    Board MAC Address [xx:xx:xx:xx:xx:
    cd /
    Internal/External phy? (i/e)[e]
    Init EMAC,DMA,and MII PHY.. Set HalfDuplex
    Main Menu:
    ==========
    d) Download and save to flash
    g) Download and run from RAM
    c) Store icePROM bootloader to flash
    b) Boot from flash
    s) Store bootloader parameters to flash
    i) Re-init ethernet
    r) Read memory
    w) Write memory

    Last edited: Sep 28, 2016
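As an added example (not code from the thread or from the Askey/Linksys firmware), here is a small Python parser for the bootloader banner nunyerb captured above: it pulls the bootloader version and the IMG1/IMG2 program headers out of a console capture and checks that both image slots agree, which is a quick sanity check to keep with your own device's serial logs. It assumes the banner lines look exactly like the sample in the post; the sample text embedded below is constructed from that post.

```python
import re
# Constructed sample, trimmed from the banner nunyerb posted in the thread.
SAMPLE_BANNER = """\
Askey BootLoader Version: V2.1.6dr
IMG1 Program Header:
Major Rev:0002
Minor Rev:0000
Build Time:2005/4/26 02:12:22 Z
File Len:1923866 bytes
Load Addr:80010000
IMG2 Program Header:
Major Rev:0002
Minor Rev:0000
Build Time:2005/4/26 02:12:22 Z
File Len:1923866 bytes
Load Addr:80010000
"""
HEADER_RE = re.compile(r"^(IMG\d) Program Header:$")
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.+)$")

def parse_banner(text):
    """Return {"bootloader": str, "images": {"IMG1": {...}, "IMG2": {...}}}."""
    info = {"bootloader": None, "images": {}}
    current = None  # field dict of the IMGn block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = info["images"].setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Askey BootLoader Version":
            info["bootloader"] = val
        elif current is not None:
            if key == "File Len":
                current[key] = int(val.split()[0])  # "1923866 bytes" -> 1923866
            elif key == "Load Addr":
                current[key] = int(val, 16)  # bare hex, no 0x prefix
            else:
                current[key] = val
    return info

def images_match(info):
    """True when both image slots carry identical headers (a mismatch after a flash is worth a look)."""
    imgs = list(info["images"].values())
    return len(imgs) == 2 and imgs[0] == imgs[1]
```

Feed it the text moserial or PuTTY logged to a file; a capture that stops at "Enter '1','2', or 'p'" is enough, since the parser ignores every line that is not a header field.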
