
The Linksys WRP400 is a Wireless-G Broadband Router with 2 Phone Ports.

There are no known software-only exploits for this device. For ProvisionedDevices there are no known unlock methods yet.

At the moment, it is not yet supported by Optware.

By default, this box is locked down so tightly that you cannot even get into it by soldering on a SerialPort (see the VendorBootLog and VendorRecoveryBootLog). However, it turns out you can UnlockTheConsole and enable the TftpServer: some SecretCGICommands and the ShadowDataHack let you change the UBootVariables, which in turn enables login as the "admin" user (equivalent to root on this device) on the SerialPort. The KernelCmdline tells the kernel the console lock state, and the serial console driver is enabled or disabled accordingly. The device does have an interesting set of OpenPorts, though.
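The console lock on this device is decided by what the boot loader places on the kernel command line, so auditing your own unit's boot arguments comes down to parsing that line correctly. The following is an added example, not code from this page or from the Linksys firmware: a quoting-aware kernel command line parser and a helper that reports whether a serial console would be enabled. The page does not name the real WRP400 lock argument, so `CONSOLE_LOCK_PARAM` is a hypothetical placeholder, and the sample command lines are constructed for illustration.

```python
"""Parse a Linux kernel command line and report the serial-console state.

Added example for the WRP400 page; not Linksys code.  The lock parameter
name below is a hypothetical placeholder, since the page does not give the
real argument name.  Substitute the one found in your own KernelCmdline.
"""

from typing import Dict, List, Optional

# Hypothetical name of the console-lock argument (placeholder, not real).
CONSOLE_LOCK_PARAM = "console_lock"

# Values the kernel's own helpers (strtobool-style) treat as "off".
_OFF_VALUES = ("0", "n", "no", "off", "false")


def split_cmdline(cmdline: str) -> List[str]:
    """Split on whitespace, keeping double-quoted spans together.

    The kernel allows console="ttyS0,115200" or key="a b"; the quotes are
    removed and the enclosed whitespace is preserved, as the kernel does.
    """
    tokens: List[str] = []
    current: List[str] = []
    in_quote = False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_cmdline(cmdline: str) -> Dict[str, List[Optional[str]]]:
    """Map each argument name to every value given for it, in order.

    Bare flags (e.g. "quiet") map to None.  Repeated keys are all kept,
    because the kernel hands every occurrence to the parameter handler.
    """
    args: Dict[str, List[Optional[str]]] = {}
    for token in split_cmdline(cmdline):
        key, sep, value = token.partition("=")
        args.setdefault(key, []).append(value if sep else None)
    return args


def serial_console_enabled(cmdline: str, lock_param: str = CONSOLE_LOCK_PARAM) -> bool:
    """True if a serial console is requested and no lock flag disables it.

    Rules applied:
      * at least one console= argument must name a serial port (ttyS*);
      * if the lock parameter is absent the console stays enabled;
      * if present, the last occurrence wins (later arguments override
        earlier ones when a handler is called per occurrence), and only an
        explicit "off" style value re-enables the console.  A bare flag or
        any other value counts as locked.
    """
    args = parse_cmdline(cmdline)
    serial = [v for v in args.get("console", []) if v and v.startswith("ttyS")]
    if not serial:
        return False
    lock_values = args.get(lock_param)
    if not lock_values:
        return True
    last = lock_values[-1]
    return last is not None and last.lower() in _OFF_VALUES


if __name__ == "__main__":
    # Constructed sample lines (not captured from a real WRP400).
    samples = [
        "console=ttyS0,115200 root=/dev/mtdblock3 console_lock=1 quiet",
        "console=ttyS0,115200 root=/dev/mtdblock3 console_lock=1 console_lock=0",
        'console="ttyS0,115200" init=/sbin/init',
        "console=null console_lock=0",
    ]
    for line in samples:
        state = "enabled" if serial_console_enabled(line) else "locked/absent"
        print(f"{state:14s} <- {line}")
```

Reading `/proc/cmdline` from a shell on an unlocked unit and feeding it to `serial_console_enabled` gives a quick check that a firmware upgrade or boot-loader change has not silently re-locked the console.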

There is no known way to access the command line or install custom firmware or packages on this device without performing hardware modifications to add a SerialPort. The firmware upgrade images are protected with an encrypted hash of the contents, and the encryption algorithm is not known, so there is currently no way to create modified firmware upgrade images. Even after you have achieved root access, you need to revert to the 1.00.04.c firmware before you can flash a custom partial firmware image onto the device, because that is the version that accepts an unencrypted partial image.

An OpenWrt Forum thread at http://forum.openwrt.org/viewtopic.php?pid=67961 documents the initial investigations into the locking technology used in this device.

Here are some high resolution PhotosOfTheInternals, and the Linksys GPL SourceCode is available.

You can find an EncapsulatedFirmware image at http://firmware.linksys-cisco.cz/WRP400/WRP400_v1.00.04.c_ETSI.zip. This firmware has been verified to contain the same image contents as extracted from the BootFlash of a WRP400 purchased in Australia in May 2008, and has been found safe to use for a Web Firmware Upgrade (as can be seen in the UpgradeLog).

The firmware binary corresponding to the later version 1.00.6 source code has been located at ftp://ftp.linksys.com/downloads/NA/firmware/WRP400_v1%5B1%5D.00.06_fw.bin. This and the newer 2.00.05 firmware have been flashed, and doing so will not undo any actions you have taken to UnlockTheConsole or apply the ShadowDataHack. You are also able to downgrade or upgrade between 2.00.05, 1.00.06 and 1.00.04c at any time. However, after a 2.00.05 firmware upgrade it seems that the boot loader is replaced with a more limited version of U-Boot, and you cannot revert it by downgrading.

We have so far been able to UnpackTheFirmware and ModifyTheRootFS to enable an ssh server on the device.

Last edited by krim.
Based on work by krim and rwhitby.
Originally by rwhitby.
Page last modified on September 03, 2010, at 12:21 AM