 | Clues on hacking DG824M
So anyway - one bored evening alone with a free Unix variant, it takes all of half an hour to pull apart the dg824m's .bin file, strip the header, run the remainder through gzip and strings, and there it is, a nice little packed image file that tells me all sorts of things about this fantastic piece of kit.
Like - first, it seems to be a fairly stock concoction of parts from a company called Virata; it's powered by a StrongARM variant, running Virata's "ATMOS" embedded kernel.
Interestingly though - the only thing between you and fully fledged CLI (Telnet) or SNMP functionality on your DG824M appears to be the fact that the protocols have not been enabled at boot - they're evidently there, from the text strings in the kernel, just not enabled.
So - more downtime, and a quick whip around the case with a screwdriver later (warranty voiding sticker piercing is required), shows me a rather well laid out board with a 4-port Ethernet controller, the aforementioned StrongARM CPU, what looks like a stock PCMCIA slot with 802.11b adapter (itself having a micro TNC connector for the external aerial), and much more interestingly, an 8-pin DIP header.
At this point I ask myself what the odds are... and with a bit of surgery on a Cisco console cable start looking for TXD/RXD/GND with the old {9600,4800,2400} n81 line coding.
No joy - brick wall; more parsing of the strings in the firmware tells me that ATMOS uses a private region of the flash for the boot time settings, and deductive reasoning tells me that it's unlikely that having a go at the Netgear ".cfg" file will let me enable/disable ATMOS protocols.
So - me, here, having programmed the sardine can and not particularly wanting to share its web server with my neighbours (ie wanting to turn it off), and, wanting to collect MIB-II (which strings tells me ATMOS supports) for fault management, I get the mad idea that if I post here maybe someone has maybe cracked the nut...
Well - here goes - anyone know what that magic DIP is for? Anyone managed to get to the ATMOS console login prompt, either through a serial console or via telnet or other means? I'm mostly just wanting to enable the SNMP agent, but it'd be interesting to take a poke about with the other ATMOS features too for a lark.
Over to you lot... |
|
 Sr TechPremium join:2003-01-19 New Fairfield, CT
| I played around with my DG824, found out that the PCMCIA card inside is a model XI-325 Zcom: www.zcom.com.tw/product/product11.htm I was hoping to be able to use it, as it has 2 RF ports on the card, separately from the router since I do not use the router any more. I dl the drivers but they do not recognize the card (probably because it was built for Netgear). Otherwise that is as far as I have gone. |
|
 | Try using the Netgear MA401 drivers, I've got the wireless card in my DG824M working on Win2K ok. Model number of this card is XJ-325 |
|
 Sr TechPremium join:2003-01-19 New Fairfield, CT | reply to plover Interesting. I think I will try that and if it works I can order the antenna that fits on the end of the unit... |
|
 | So for those of us that have a DG824M and want to get 802.11g, what card can we replace it with, I wonder?
Any suggestions? |
|
 V3GAN @148.182.25.75, 148.1 | reply to plover Hey,
Do you have any more info on what you did to the DG824M??
How did you pull apart the .bin file? Any tool in particular to strip the header?
Did you happen to take any photos of the internals of the unit?? I have been super curious since getting it... but it has already had one warranty job on it... if I break the seal and it dies again I'm screwed. |
|
 | reply to plover Unfortunately, you can't upgrade the DG824M to 11g by swapping the card because 11b cards are 16 bit while 11g cards are 32 bit. Netgear will be releasing an 11g version soon (it is already on some UK e-commerce sites with availability in November). |
|
 | What is the gateway model name for the 802.11g? I'm interested in knowing. -- Thanks, Romany Saad |
|
 wzoo1 join:2001-06-28 MI, USA | reply to plover Hey how did you strip apart the strings and finally decompress the firmware image? I would *LOVE* to know thanks!  |
|
 | reply to plover Ok, sorry for the lag - been doing other things, y'know how it is.
So anyway - stripping the image file is dead simple; for v1.4.05 image, try the following...
dd if=dg824m_1405.IMG bs=16 skip=32 | gzip -dc | strings -a
... the trick is to figure out what part of the raw image file is the bootloader, and what part the actual kernel; once you can distinguish the two (and heck, "od -x" and four seconds worth of direct inspection coupled with a bit of background experience in such things will get you there pretty quickly) the only remaining issue is figuring out if the kernel is hashed, encrypted, or compressed - and fortunately the more common compression formats have fairly readily identifiable fingerprints (again if you know how to look at such things).
So anyway - has anyone had a chance to figure out how to get a serial console attached to that Virata ARM CPU yet? |
|
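The approach described in the post above (skip a fixed-size header, then recognise the compressed region by its magic number), as an added Python example that is not part of the thread: it scans an image for gzip/bzip2/xz signatures and decompresses the first gzip hit that actually validates. The sample image is constructed (a 512-byte header matching `bs=16 skip=32`, with a decoy signature inside it), not real DG824M firmware, and all function names are hypothetical.

```python
import gzip
import re
import zlib

# Magic numbers of common compression formats (the "fingerprints").
SIGNATURES = {"gzip": b"\x1f\x8b\x08", "bzip2": b"BZh", "xz": b"\xfd7zXZ\x00"}

def find_signatures(blob):
    """Return sorted (offset, format) pairs for every magic-number hit."""
    hits = []
    for name, magic in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def first_valid_gzip(blob):
    """Try each gzip hit; return (offset, data) for the first that inflates."""
    for offset, name in find_signatures(blob):
        if name != "gzip":
            continue
        inflater = zlib.decompressobj(31)  # wbits=31: require a gzip header
        try:
            data = inflater.decompress(blob[offset:])  # trailing bytes ignored
        except zlib.error:
            continue  # magic bytes occurred by chance; not a real stream
        if data:
            return offset, data
    return None

def printable_strings(data, min_len=4):
    """Rough equivalent of `strings -a`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

# Constructed sample, not real firmware: 512-byte header (16 * 32, as in the
# dd command) holding a decoy gzip magic, then a gzip stream, then padding.
PAYLOAD = b"\x00\x01constructed-kernel-banner\x00\x7f\x02snmp-agent-placeholder\x00"
HEADER = b"HDR!" + b"\x1f\x8b\x08\xff" + bytes(504)
IMAGE = HEADER + gzip.compress(PAYLOAD, mtime=0) + b"\xff" * 16

if __name__ == "__main__":
    offset, data = first_valid_gzip(IMAGE)
    print("gzip stream at offset", offset)
    print(printable_strings(data))
```

A three-byte magic number can occur by chance inside a header or inside compressed data, which is why each hit is confirmed by actually inflating it rather than trusted on sight.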
 | reply to plover The 11g version (available in November) will be called DG834G. |
|
 | reply to plover Hi
Netgear have created the DG824M so that you can't disable the NAT! Which means I can't use it in any sort of routed mode (I have a block of 8 IPs and want to run a firewall behind it).
Does anyone know any way of getting into the router to change the config? It must be possible to disable the NAT in some way.
Thanks  - Eric. |
|
 fung join:2003-06-14 Simi Valley, CA | reply to plover Magic prayers and voodoo magic.
Essentially, probably not. |
|