NWR04B: Back from the dead!

Welp, thanks to a suggestion from Mike and Varu, I managed to resuscitate the dead NWR04B router. It had gone silent and unresponsive -- no web server, no response to pings -- after applying the firmware on the Network Everywhere FTP site. (Some upgrade!)

Today, I picked up some header pins at the closest thing to a local electronics store. After a bit of work -- getting the solder out of header pins is tricky -- I got them attached, and sure enough the serial port worked fine. It was stuck at the bootloader menu, with this message:

Verifying product code...FAIL
* WARNING *
Need to reprogram the flash.

That reminded me of the bit on this page on the Linksys WAP-11. Apparently, firmware for other products using the same hardware would work much better than the Linksys firmware. To prevent this sort of thing, the bootloader was changed to check for a product code, to make sure it wasn't another company's firmware. Almost makes me wonder if that's what happened with the NE firmware. Pretty huge screwup, though...

So I tried uploading the Runtop firmware to the router via Xmodem...and it worked! I got the usual command line back, and everything seemed fine. I didn't try the web pages yet, but I don't expect any surprises there. I've checked the Runtop firmware with splitgzip, and it has the same kind of embedded Gzip archive the NE firmware does. It'll be interesting to compare the rest of it.

I've also tried fooling around with the rmem (read memory) command, and I think this might be promising. You can run "rmem 0 400", and it'll print out 0x400 bytes of memory, nicely formatted, starting at address 0. 0x400 seems to be the biggest chunk it'll print, but you can increment it and keep going. (Managed to crash it, too, by running "rmem 99900000 400"...the command line was completely unresponsive, and one of the LEDs on the front started flashing rapidly. Fortunately, the reset button set everything right.)

I'm thinking that this might be a way of reading out (what I hope will be) the bootloader code, and thus maybe getting the checksum code out of there somehow. I should be able to hack together an Expect script that'll cycle through the memory, capture the formatted output to a file, then turn that into a copy of the memory suitable for passing to a disassembler. And if that works, maybe we can look at overwriting flash with the wmem command...
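The capture-to-binary step of the plan above, sketched as an added example (not code from the original post): it generates the rmem commands in 0x400-byte steps and rebuilds a flat image from a saved serial log, reporting any address ranges the capture lost. The post does not show rmem's output, so the line layout (8-digit hex address, colon, up to 16 hex bytes, optional ASCII column), the hex address argument, and the sample log are all assumptions.

```python
import re

CHUNK = 0x400  # largest block the post reports rmem will print

# Assumed line layout (not shown in the post):
#   "00000000: 3c 1a 80 00 ... 00  <ascii column>"
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}):((?: [0-9A-Fa-f]{2}){1,16})(?:  .*)?$")

def rmem_commands(start, end):
    """Commands to send over the console, one per CHUNK (hex arguments assumed)."""
    return [f"rmem {a:x} {CHUNK:x}" for a in range(start, end, CHUNK)]

def parse_dump(capture, fill=0xFF):
    """Return (base address, image bytes, missing [start, end) ranges)."""
    mem = {}
    for raw in capture.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # echoed command, prompt, or line noise
        addr = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            mem[addr + i] = int(tok, 16)
    if not mem:
        return 0, b"", []
    lo, hi = min(mem), max(mem) + 1
    image = bytearray([fill]) * (hi - lo)
    gaps = []
    for a in range(lo, hi):
        if a in mem:
            image[a - lo] = mem[a]
        elif gaps and gaps[-1][1] == a:
            gaps[-1][1] = a + 1      # extend the current missing range
        else:
            gaps.append([a, a + 1])  # start a new missing range
    return lo, bytes(image), [tuple(g) for g in gaps]

# Constructed sample log: one full line, one truncated line, one dropped line.
SAMPLE = """\
> rmem 0 400
00000000: 3c 1a 80 00 27 5a 01 00 03 40 00 08 00 00 00 00  <...'Z...@......
00000010: de ad be ef
00000030: 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10  ................
"""

if __name__ == "__main__":
    base, image, gaps = parse_dump(SAMPLE)
    print(f"base={base:#x} size={len(image):#x}")
    for s, e in gaps:
        print(f"missing {s:#x}-{e:#x}: re-read before disassembling")
```

Any range listed as missing is padded with 0xFF in the image, so it should be re-read from the router before the file goes to a disassembler.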