Get access to a flashed Linksys WRT610n

A friend of mine gave me a Linksys WRT610n a long time ago to build my home network, but so much time has passed that we've forgotten the root credentials for my router. In this entry I'm going to write down the steps that I followed to be able to access the router again.

The first thing that you have to know is that this router has two hardware versions, V1 and V2. To identify them, check the serial number:
V1 units have serial numbers that start with CTG01. V2 units have serial numbers that start with CTG11.

The WRT610n comes with this hardware:

    Dual-radio (two BCM4322) allows operating 2.4 GHz B/G/N and 5 GHz A/N simultaneously
    4+1 port Gigabit switch (BCM53115)
    V1 300 MHz (BCM4705) / V2 533 MHz (BCM4718) or 480 MHz (BCM4716)
    USB 2.0 host port
    64 MByte RAM, 8 MByte Flash

Quick note from the OpenWrt web page: There are two basic types of flash memory: NOR flash and NAND flash.
If the flash chip (no matter what type) is connected directly with the SoC and has to be addressed directly by Linux, we call it “raw flash”. If there is an additional controller chip between flash chip and the SoC, we call it “FTL (Flash Translation Layer) flash”. Embedded systems almost exclusively use “raw flash”, while SSDs and also USB memory sticks, almost exclusively use FTL flash!

My friend had chosen to install dd-wrt, but after checking the known issues I decided to test OpenWrt.

OpenWrt is a highly extensible GNU/Linux distribution for embedded devices (typically wireless routers). Unlike many other distributions for these routers, OpenWrt is built from the ground up to be a full-featured, easily modifiable operating system for your router. In practice, this means that you can have all the features you need with none of the bloat, powered by a Linux kernel that’s more recent than most other distributions.

I followed these steps from this guide to unbrick the device, and they worked like a charm:

    Unplug all ethernet ports (Important!)
    Unplug power
    Plug power in
    Wait between 2 and 2.5 seconds
    Press the reset button and keep it pressed for 5 seconds, then release it (I used a pen for this)
    Reconnect ethernet (DHCP should give an IP address to the computer, e.g. 192.168.1.x)

When you access http://192.168.1.1 you need to upload a new firmware image; in our case we have chosen openwrt-wrt610n_v1-squashfs.bin.

Once the process has finished, we're ready to access our device:

$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------

BusyBox v1.22.1 (2015-03-29 11:50:06 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 CHAOS CALMER (Bleeding Edge, r45097)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------
root@OpenWrt:/#

The Common Firmware Environment (or CFE) is basically the BIOS of the WRT610N. It’s responsible for initial hardware configuration and subsequently for booting the actual firmware. Here is how to know our version:

root@OpenWrt:/# nvram show|egrep 'bootnv|pmon'
pmon_ver=CFE 4.175.64.16
bootnv_ver=7

The next thing to do is change the root password:
root@OpenWrt:/# passwd
Changing password for root
New password:
Bad password: similar to hostname
Retype password:
Password for root changed by root

Now it’s time to test SSH access to the router:
root@OpenWrt:/# exit
Connection closed by foreign host.

$ ssh root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is 70:17:42:6a:f7:1a:51:c6:b7:ff:84:7c:62:2c:28:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
root@192.168.1.1's password:

root@OpenWrt:/#
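
The ssh session above answers "yes" to a host key that was never verified. As an added example (not part of the original post), this script compares the MD5 fingerprint that ssh displays with one computed from the public key line printed on the router itself, for instance by `dropbearkey -y -f <host-key-file>` while still in the telnet session. The function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the router's SSH host key before typing "yes".

# md5_fp PUBKEY_LINE
# Prints the colon-separated MD5 fingerprint of an OpenSSH-format public key
# line ("ssh-rsa AAAA... comment"): MD5 over the base64-decoded key blob.
md5_fp() {
    printf '%s\n' "$1" | awk '{print $2}' | base64 -d 2>/dev/null \
        | md5sum | cut -c1-32 | sed 's/../&:/g; s/:$//'
}

# prompt_fp TEXT
# Extracts the first 16-byte colon-hex fingerprint from ssh's
# "RSA key fingerprint is ..." line, lower-cased for comparison.
prompt_fp() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' \
        | grep -Eo '([0-9a-f]{2}:){15}[0-9a-f]{2}' | head -n 1
}

# check_host_key PUBKEY_LINE SSH_PROMPT_TEXT
# Returns 0 only when the fingerprint ssh shows belongs to the given key.
check_host_key() {
    want=$(md5_fp "$1")
    seen=$(prompt_fp "$2")
    if [ -n "$seen" ] && [ "$want" = "$seen" ]; then
        echo "MATCH $seen"
    else
        echo "MISMATCH expected=$want seen=${seen:-none}"
        return 1
    fi
}

# Constructed sample: the blob "aGVsbG8=" is not a real key, it only
# exercises the code path. The second prompt is the one shown in the post.
demo() {
    key='ssh-rsa aGVsbG8= root@OpenWrt'
    check_host_key "$key" "RSA key fingerprint is $(md5_fp "$key")."
    check_host_key "$key" \
        'RSA key fingerprint is 70:17:42:6a:f7:1a:51:c6:b7:ff:84:7c:62:2c:28:24.'
}

if [ "${1:-}" = demo ]; then demo; fi
```

Current OpenSSH clients print SHA256 fingerprints by default; `ssh -o FingerprintHash=md5 root@192.168.1.1` shows the colon-separated MD5 form used here.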

If you want to dig deeper into the firmware and its concepts, here are some useful links:
OpenWrt Firmware for Linksys WRT610n V1
OpenWrt Configuration
Official Firmware to Linksys WRT610n
OpenWRT Images Layout
OpenWRT Image Filesystems
OpenWrt Github
CFE


“Be the change that you wish to see in the world.”
–Mahatma Gandhi
