Microsoft MN700 hack project

[3chansen]

I have been looking for a custom firmware for this router...but haven't found anything on the net! Microsofts firmware for this thing SUCKS! But I think it could be an awesome router with the right firmware. (great signal and range). I knew it was a broadcom, so I took a few snaps of the innards to see if it was another router branded with the "microsoft" name.


sure enough, the Microsoft name is on the PCB...but all the chips look very standard...like they could run Linux!

Here is the radio (wireless card):


PLEASE let me know if you find ANY compatible firmware for this thing...even if it is a stock netgear/buffalo/etc. Stock Linksys wouldn't be bad. Most of all, I want to enable wireless bridge/AP Client mode. Please email me if you find out anything
email me
Thanks
Chuck

[Antiloop]

to me it looks very familair to the WL500g, if you are willing to risk you can try to flash a custom WL500g or WLHDD firmware into it

but you should not do this when you are not familair recovering the unit from dead

[Oleg]

Linksys firmware will not run, cause it uses different design for ethernet ports. Asus, Belkin, Buffalo firmwares are potentially able to run. Openwrt also.
Are you familar with hardware? Your device has JTAG port, so you could save current flash content (to analyze bootloader - one option is really make sense) and then flash whatever you want. This is risk free.

[3chansen]

I don't know what kind of pinout the jtag has...could you point me to a site that gives the pinout? I assume I just have to solder a DB-9 cable to the jtag header with the right pinout. If you could help me with that and saving the firmware, I could email it to you for analysis (since I don't know what I'm looking for in the firmware) Soldering is no biggie for me. (don't tell M$ since its Windows CE
Chuck

[3chansen]

http://openwince.sourceforge.net/jtag/iPAQ-3600/

Scrolling down through the article, the hack got this simple cable to work on his ipaq. Of course, my JTAG is 12pin, not 10pin. I assume the pinout is the same??? And can someone point the flash chip out on this thing? (maybe under the wireless card)....the software on the site says it supports intel or amd flash chips...maybe it would work.

It has 16MB RAM, and im guessing 4MB flash (M$ can't fit CE on less than that im guessing)

Chips seem to be the same, minus the layout.

So I wonder if there is any opperational difference between this and an Asus WL500g...

Also, the BCM4702 natively supports USB...so I can add a usb port to this router? Maybe someone can figure out the connections to do such a thing

[Oleg]

http://openwince.sourceforge.net/jtag/iPAQ-3600/

Scrolling down through the article, the hack got this simple cable to work on his ipaq. Of course, my JTAG is 12pin, not 10pin. I assume the pinout is the same??? And can someone point the flash chip out on this thing? (maybe under the wireless card)....the software on the site says it supports intel or amd flash chips...maybe it would work.

Check this:
http://www.openwrt.org/forum/viewtopic.php?t=647

It has 16MB RAM, and im guessing 4MB flash (M$ can't fit CE on less than that im guessing)

Chips seem to be the same, minus the layout.

So I wonder if there is any opperational difference between this and an Asus WL500g...

The difference are in GPIO mappings (this includes LEDs, reset buttons, etc...).

[3chansen]

I have the cable made, but have been looking for easy to use, compatible software. What JTAG programs are best for the BCM4702? For Windows?

[Oleg]

well, you need linux box and the package from the above link, which supports access based on the ejtag specs. to my knoweledge broadcom does not publically release any detailed specs for the bcm47xx.

[3chansen]

Thanks for the link to the pdf!

I am trying to run the wrt54g flash tool on windows under Cygwin, but I can't figure out how to compile it. I don't know much about Linux either, that is why I was trying to find a jtag flashing program for windows. Is there a link to a pre-compiled version? I assume I can't just compile it under any C compiler since it was written to be compiled under Linux.

Im a newb when it comes to using Unix and Linux.

[Oleg]

this program uses direct access to printer port, so you should use real linux for this to work. You could try distros like Knoppix, which are booting right from CD. As for compiling - just decompress the zip and type "make".

[3chansen]

Thanks for steering me clear of Cygwin for this project! The "make" command was absent from cygwin (or I wasn't using it right???). I compiled the source without a hitch in Knoppix, and ran it (gave me the options), but after running -backup:wholeflash (with options) it said something of the sort "access to port0 not allowed". So I thought AH root user! So I read im supposed to use su and that loggs me on as root. So I do, browse to the Desktop folder, type DIR and enter, and I see the wrt54g exe I compiled. So I simply type "wrt54g" and hit enter like I had before and it said "FIle not found".

Maybe I need to be logged into desktop as "root" instead of "knoppix"
How do I do that?

How do I gain access to read/write to hard drive/flash drive in Knoppix?

As soon as I get this figured out, I will try to flash. I noticed in the c code, his program does a check for a BCM47xx processor and displays an error if one isn't found. So hopefully this bit of code works on the MN700 BCM4702.

I know I gotta be doing something stupid...

Thanks,
Chuck

[Oleg]

hi! so any news so far? I've yet another guy, which is trying to get wl500g running, so far he was able to download entire flash, but bootloaded looks like corrupted.
I suspect problems with his cable.
So, I'm looking for your whole flash.

Your problems is probably due to loaded lp module - try doing
lsmod
and if it's there - rmmod lp, then run it again.

[3chansen]

Good point on device access/ 1p module. I will try to disable the module if running.

Is that what is causing "file not found" when I try to run the exe under root?
It runs ok otherwise. (but no access to parallel port...which could be fixed by what you are saying, so I wouldn't have to worry about running it as root)

I am confident my cable is good as I have checked/double checked it, and I have made cables before too. I made it overly short--with cat5 too boot--, which probably wasn't needed, but should ensure a good connection (and it looks nice

I should be able to dink around with it tomorrow. I will keep you posted and thanks for the good help.
Chuck

[Oleg]

well, looks like your problem is that it should be launched like this: ./wrt54g, not just wrt54g, i.e. you should prepend path to the name.
Please try to extract current flash (I have one, but bootloaded seems to be corrupted, other parts could be identified - non-volatile params, registry, runtime image). Also, upgrade to latest microsoft firmware, so it would be possible to identify firmware parts in the flash.

[3chansen]

I wonder why knoppix ran just "wrt54g" fine under the knoppix user, as I didn't have to typ ./ infront. Well, I knew it had to be something stupid. I will try that and let you know where I get tomorrow.

My MN700 is updated, (as I was hoping to see AP client mode in it) and I will see about saving a copy of the fw. I wonder if there is another possible source of the corruption besides his cable...different flash chip maybe? But if the program only depends on the BCM47xx, and if the BCM47xx has standard flash interface, I don't see a problem there, but this is purely a guess on my part.
Chuck