Valerian Daul's blog

Porting OpenWrt on the Netgear WN3500RP

I had an old Netgear WN3500RP WiFi repeater laying around unused and, considering its interesting "plug computer" form factor, I wanted to use the WN3500RP as more than a basic WLAN repeater.

Since I was already using OpenWrt on my router and was impressed by its capabilites, I decided to install OpenWrt on the device. However, OpenWrt has no support for this device. In addition to being a guide on hacking the WN3500RP, this article will also show the process of porting OpenWrt to a new device.

Left: The WN3500RP repeater. Right: The box.

Factory-reset the repeater

Insert a pen or screwdriver in the reset hole and hold for 5 seconds. The LED will then turn orange and the device will be factory reset. To configure the repeater, connect to the NETGEAR_EXT network, and go to

After configuring the WN3500RP, you can then connect to your regular WLAN and access the somewhat terse web interface of the repeater with the username and login: admin/password.

Getting a shell

A nmap port scan shows that the telnet port is open:
val@pc ~> nmap
Starting Nmap 7.80 ( ) at 2019-12-21 23:06 CET
Nmap scan report for
Host is up (0.017s latency).
Not shown: 997 closed ports
23/tcp    open  telnet
80/tcp    open  http
20005/tcp open  btx

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Yet connecting does not produces any result. Download the telnetEnable utility and execute the following command:
telnetEnable.exe <IP adress> <MAC adress> Gearguy Geardog
This will enable access to a basic busybox-based shell through telnet, from which we can learn more about the device:
$ telnet
Connected to
Escape character is '^]'.

BusyBox v1.7.2 (2012-08-30 14:21:10 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /proc/cpuinfo 
system type             : Broadcom BCM5357 chip rev 2
processor               : 0
cpu model               : MIPS 74K V4.9
BogoMIPS                : 264.60
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : no
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
VCED exceptions         : not available
VCEI exceptions         : not available

unaligned_instructions  : 81091
dcache hits             : 2147483648
dcache misses           : 4024172535
icache hits             : 2147483648
icache misses           : 4143304174
instructions            : 2147483648
# free
              total         used         free       shared      buffers
  Mem:        61588        20128        41460            0          236
 Swap:            0            0            0
Total:        61588        20128        41460

The WN3500RP contains a Broadcom BCM5357 SoC and about 64 MB of RAM. Considering this device is half a decade old, this is not too shabby. In the /sbin/ directory, we can also find various utilies related to the device, to control GPIO or show the WLAN and admin password among others:
# ls /sbin
acos_init              gpio                   read_bd
acos_service           halt                   reboot
bd                     hotplug                reset_no_reboot
burn5gpass             hotplug2               resolve_domain
burn5gssid             ifconfig               restart_all_processes
burn_hw_rev            init                   rmmod
burnboardid            insmod                 route
burnethermac           leddown                routerinfo
burnpass               ledup                  showconfig
burnpin                lsmod                  sysctl
burnrf                 mount.ntfs-3g          udevtrigger
burnsku                ntpclient              uptime
burnsn                 parser                 version
burnssid               poweroff               write
erase                  preinit
getchksum              rc
# /sbin/version
Release version : Netgear Wireless Router WN3500RP
           Time : Aug 30 2012 14:22:06
    CFE version : v1.0.9
# /sbin/gpio
usage: set GPIO: gpio <pin> <value> [<need_disconnect>]
       get GPIO: gpio <pin> 

Building OpenWrt for the BCM5356

Writing in progress...

Go back to the home page.