Porting OpenWrt on the Netgear WN3500RP
I had an old Netgear WN3500RP WiFi repeater laying around unused and, considering its interesting "plug computer" form factor, I wanted to use the WN3500RP as more than a basic WLAN repeater.
Since I was already using OpenWrt on my router and was impressed by its capabilites, I decided to install OpenWrt on the device. However, OpenWrt has no support for this device. In addition to being a guide on hacking the WN3500RP, this article will also show the process of porting OpenWrt to a new device.
Left: The WN3500RP repeater. Right: The box.
Factory-reset the repeater
Insert a pen or screwdriver in the reset hole and hold for 5 seconds. The LED will then turn orange and the device will be factory reset. To configure the repeater, connect to the NETGEAR_EXT network, and go to http://192.168.1.250/.
After configuring the WN3500RP, you can then connect to your regular WLAN and access the somewhat terse web interface of the repeater with the username and login: admin/password.
Getting a shell
A nmap port scan shows that the telnet port is open:
val@pc ~> nmap 192.168.0.127
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-21 23:06 CET
Nmap scan report for 192.168.0.127
Host is up (0.017s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
20005/tcp open btx
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Yet connecting does not produces any result. Download the telnetEnable
utility and execute the following command:
telnetEnable.exe <IP adress> <MAC adress> Gearguy Geardog
This will enable access to a basic busybox-based shell through telnet, from which we can learn more about the device:
$ telnet 192.168.0.122
Connected to 192.168.0.122.
Escape character is '^]'.
BusyBox v1.7.2 (2012-08-30 14:21:10 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# cat /proc/cpuinfo
system type : Broadcom BCM5357 chip rev 2
processor : 0
cpu model : MIPS 74K V4.9
BogoMIPS : 264.60
wait instruction : no
microsecond timers : yes
tlb_entries : 64
extra interrupt vector : no
hardware watchpoint : yes
ASEs implemented : mips16 dsp
VCED exceptions : not available
VCEI exceptions : not available
unaligned_instructions : 81091
dcache hits : 2147483648
dcache misses : 4024172535
icache hits : 2147483648
icache misses : 4143304174
instructions : 2147483648
total used free shared buffers
Mem: 61588 20128 41460 0 236
Swap: 0 0 0
Total: 61588 20128 41460
The WN3500RP contains a Broadcom BCM5357 SoC and about 64 MB of RAM. Considering this device is half a decade old, this is not too shabby. In the /sbin/ directory, we can also find various utilies related to the device, to control GPIO or show the WLAN and admin password among others:
# ls /sbin
acos_init gpio read_bd
acos_service halt reboot
bd hotplug reset_no_reboot
burn5gpass hotplug2 resolve_domain
burn5gssid ifconfig restart_all_processes
burn_hw_rev init rmmod
burnboardid insmod route
burnethermac leddown routerinfo
burnpass ledup showconfig
burnpin lsmod sysctl
burnrf mount.ntfs-3g udevtrigger
burnsku ntpclient uptime
burnsn parser version
burnssid poweroff write
Release version : Netgear Wireless Router WN3500RP
Time : Aug 30 2012 14:22:06
CFE version : v1.0.9
usage: set GPIO: gpio <pin> <value> [<need_disconnect>]
get GPIO: gpio <pin>
Building OpenWrt for the BCM5356
Writing in progress...
Go back to the home page.