Dissecting the WRT54G version 8

[Note: This was the original post to www.wrt54ghacks.com, with two more to follow! The blog hosted there has been merged with this site. All WRT54G hacking related posts can be found at http://secweekly2.wpengine.com/wrt54g/. All book material can still be accessed on the www.wrt54ghacks.com site. Please contact us if you have questions! psw /at/ securityweekly.com]
Linksys has officially released the WRT54G version 8 here in the US, and Paul was able to find one at our local big box computer retailer. Of course the first thing that we did was to tear it apart and see what is inside, in typical hacker fashion. We’ve successfully voided the warranty without even plugging the darned thing in!

Without further ado: Inside the WRT54G version 8!

Before we get to the juicy bits, this version will be very easy to identify on the store shelves. Linksys has totally redesigned the packaging:

box.jpg

The power supply has remained the same here in the US, with 12 volt output. Nothing to see here folks. The front panel also remains the same as the last few versions:

front.jpg

Before we even get this bad boy apart, we can see some very significant design changes. No more removable antennas! (we’ll get to this more in a bit)

fixed_antennas.jpg

When we open up the case, we can immediately see that the board design looks different from some of the earlier versions. I’m not sure of how it stacks up to the version 7, as we’ve been unable to locate one locally. The front of the board looks different:

whole_board.jpg

The reverse side of the board actually features some components, even if they are SMT resistors:

underside.jpg

With some closer inspection, we may be drawn to the traces for the wireless antennas. It looks like the traces still exist for the removable connectors. Possibly for future board revisions, or a holdover from the v7 design:

ufl_traces.jpg

Guess what! Those traces also contain what looks like a U.FL antenna connector! Certainly we can find a pigtail online to convert to something we can use. Add a little de-soldering braid and a soldering iron to that mix and we’ve got a removable antenna, at least on the primary connector. Looks like we’d also need to disable antenna diversity too. Here’s a good look at the U.FL connector:

ufl.jpg

Further examination of the board reveals some more of the standard features we’ve come to expect. The first is the JTAG header:

jtag.jpg

There is also another set of headers, which would appear to be a single serial port. This remains unconfirmed by us at this point, but all signs point to yes: capability in the chipset (the BRCM5354 spec sheet states that it has two UARTs available) and the proper pin count. Why only one port? Who knows, but I would bet that the other serial port could be found on the board, just not at a header. Here’s a good look at the possible serial port:

serial.jpg

The RAM installation seems to be fairly typical, with a Samsung chip:

ram.jpg

But wait! What’s that you say? You read the Samsung chip documentation, and it says the chip is 64M? Well, sure! We still need to confirm that some open source firmware (say…OpenWrt) can take advantage of the additional RAM, if the extra RAM lives up to the documentation. All available reports state that this unit only has 8M!

Another design change for the version 8 is a departure from the Intel-based flash chip. Linksys has opted to drop the Intel brand for a company named Spansion, which is apparently a subsidiary of AMD. The new Spansion S29AL016D90TF chip is listed as being 16M, however other available documentation only lists flash as 2M! It looks as though the chip is modifiable to protect some sectors, limiting the amount of usable memory sectors. Overall, this device may be quite nice for hacking, given the alleged 64M RAM and 8M of flash. Here’s a good look at the Spansion flash chip:

flash.jpg

Again the Broadcom SoC has changed, this time to the BCM5354KFBG, which operates at 240MHz! This chipset contains all of the goodies: Ethernet switch, main processor, and wireless processor. Here is a shot of the chip:

proc.jpg

Working in combination with the wireless processor, the wireless power amp chip can be located under the nice metal shielding. It is of the SiGe SE2528L RangeCharger variety, which is rated at 24dBm for 802.11b networks and 21dBm for 802.11g networks. Here is a look at this sneaky little animal:

wireless_power_amp.jpg

In even more modifications, we have some additional changes related to the power conversion and regulation chipset. The main power conversion chip has remained the same: the AnaChip AP1513, which can take an input voltage of between 3.6 and 18 volts DC. In combination with the SK33B Schottky Rectifier, it utilizes a separate resistor to regulate maximum power output. While I have been unable to confirm it, I’d suspect that the board requirement has likely been capped at between 3.3 and 3.6 volts, the optimal voltage range for many of the other components. Here’s a close-up of the chip combination:

power.jpg

While I thought that this new release would be very disappointing for my hacking pleasure, there are clearly a few questions that need answering in relation to RAM and Flash. The wireless antenna situation can apparently be rectified, and apparently reduced power requirements make alternate power sources very tempting.

We hope that you have enjoyed our willful voiding of our warranty for your viewing pleasure! Any questions, comments or updates are appreciated.
– Larry

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, and he enjoys coding in Python & telling everyone he uses Linux.
