Valerian Daul's blog


Porting OpenWrt on the Netgear WN3500RP

I had an old Netgear WN3500RP WiFi repeater lying around unused and, considering its interesting "plug computer" form factor, I wanted to use the WN3500RP as more than a basic WLAN repeater.

Since I was already using OpenWrt on my router and was impressed by its capabilities, I decided to install OpenWrt on the device. However, OpenWrt has no support for this device. In addition to being a guide on hacking the WN3500RP, this article will also show the process of porting OpenWrt to a new device.


Left: The WN3500RP repeater. Right: The box.

Factory-reset the repeater

Insert a pen or screwdriver in the reset hole and hold for 5 seconds. The LED will then turn orange and the device will be factory reset. To configure the repeater, connect to the NETGEAR_EXT network, and go to http://192.168.1.250/.

After configuring the WN3500RP, you can connect to your regular WLAN and access the somewhat terse web interface of the repeater with the username and password: admin/password.


Getting a shell

An nmap port scan shows that the telnet port is open:

val@pc ~> nmap 192.168.0.127
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-21 23:06 CET
Nmap scan report for 192.168.0.127
Host is up (0.017s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
80/tcp    open  http
20005/tcp open  btx

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

Yet connecting does not produce any result. Download the telnetEnable utility and execute the following command:

telnetEnable.exe <IP address> <MAC address> Gearguy Geardog

This will enable access to a basic busybox-based shell through telnet, from which we can learn more about the device:

$ telnet 192.168.0.122
Trying 192.168.0.122...
Connected to 192.168.0.122.
Escape character is '^]'.



BusyBox v1.7.2 (2012-08-30 14:21:10 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /proc/cpuinfo 
system type             : Broadcom BCM5357 chip rev 2
processor               : 0
cpu model               : MIPS 74K V4.9
BogoMIPS                : 264.60
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : no
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
VCED exceptions         : not available
VCEI exceptions         : not available

unaligned_instructions  : 81091
dcache hits             : 2147483648
dcache misses           : 4024172535
icache hits             : 2147483648
icache misses           : 4143304174
instructions            : 2147483648
# free
              total         used         free       shared      buffers
  Mem:        61588        20128        41460            0          236
 Swap:            0            0            0
Total:        61588        20128        41460

The WN3500RP contains a Broadcom BCM5357 SoC and about 64 MB of RAM. Considering this device is half a decade old, this is not too shabby. In the /sbin/ directory, we can also find various utilities related to the device, for example to control GPIO or to show the WLAN and admin password:

# ls /sbin
acos_init              gpio                   read_bd
acos_service           halt                   reboot
bd                     hotplug                reset_no_reboot
burn5gpass             hotplug2               resolve_domain
burn5gssid             ifconfig               restart_all_processes
burn_hw_rev            init                   rmmod
burnboardid            insmod                 route
burnethermac           leddown                routerinfo
burnpass               ledup                  showconfig
burnpin                lsmod                  sysctl
burnrf                 mount.ntfs-3g          udevtrigger
burnsku                ntpclient              uptime
burnsn                 parser                 version
burnssid               poweroff               write
erase                  preinit
getchksum              rc
# /sbin/version
Release version : Netgear Wireless Router WN3500RP
                  U12H21400/V1.0.0.12/1.0.49
           Time : Aug 30 2012 14:22:06
    CFE version : v1.0.9
# /sbin/gpio
usage: set GPIO: gpio <pin> <value> [<need_disconnect>]
       get GPIO: gpio <pin> 
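
Seen from the defender's side, the scan at the start of this section is already a finding: the repeater exposes a telnet listener and an admin UI over plain HTTP. The following is an added example, not part of the original post, that parses nmap's normal output and lists those services; the function names (sample_scan, audit_scan, telnet_exposed) are hypothetical and the embedded sample is the scan shown above, copied in so the script runs offline.

```shell
#!/bin/sh
# Added example: flag cleartext management services in nmap "normal" output.

# Constructed sample input: the scan output from this article.
sample_scan() {
cat <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-21 23:06 CET
Nmap scan report for 192.168.0.127
Host is up (0.017s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
80/tcp    open  http
20005/tcp open  btx

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
EOF
}

# Reads nmap normal output on stdin; prints "host port/proto finding" per open port.
audit_scan() {
    awk '
    # Host header is either "for 1.2.3.4" or "for name (1.2.3.4)"; keep the address.
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
    # Port table rows look like "23/tcp open telnet"; ignore closed/filtered rows.
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        split($1, p, "/")
        if (p[1] == 23)      why = "telnet: cleartext shell"
        else if (p[1] == 80) why = "http: admin UI without TLS"
        else why = "review: service \"" $3 "\" is only a port-number lookup"
        printf "%s %s %s\n", host, $1, why
    }'
}

# Succeeds (exit 0) when an open telnet port is reported, so it can gate a baseline check.
telnet_exposed() {
    audit_scan | grep -q ' 23/tcp '
}

sample_scan | audit_scan
```

Without `-sV`, nmap derives the SERVICE column from the port number alone, which is why the 20005/tcp entry is reported for review rather than trusted as "btx".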

Building OpenWrt for the BCM5356

Writing in progress...
