The Netfaster WLAN 3 is an ADSL modem/router provided by the Greek ISP Hellas Online. Internally the device is identified as AR7505SW11 7-A-LIC and is built around the following hardware:

Type    Part                           Notes
CPU     Lantiq PSB 50601 HL v1.2       133/266 MHz
Flash   Macronix (MXIC) MX25L1606E M2  2 MB, SPI, 200mil 8-SOP
RAM     Winbond W9812G6JH-6            16 MB @ 166 MHz
Switch  Lantiq PSB 6970V v1.3
WiFi    Atheros AR9271-ALJA

The admin page of this modem will not give you the option to backup the firmware the device is running (you can only backup your configuration), and you won’t be able to find it anywhere on the internet either, which means that if you accidentally erase or in any way corrupt the firmware, you won’t have a clean, working version to restore. The purpose of this post is to show you how you can get this backup.

Serial Connection

To get the firmware backup we first need to connect to the modem’s serial port. To implement this connection you’ll need a USB-to-UART serial converter such as this one.

The modem board and the serial port are pictured below. (Note you will need to do a little soldering in order to use the serial port).

The Netfaster WLAN 3 PCB. The serial port pin positions are shown.

Assuming you have the USB-to-UART converter I mentioned above or similar, with the modem powered off, implement a straight connection between converter and serial port:

  • Converter GND to modem GND (pin 4)
  • Converter Rx to modem Rx (pin 3)
  • Converter Tx to modem Tx (pin 2)

Do not power on the modem yet. Launch your preferred terminal emulator (I’ll be using PuTTY in this post) and point it to the serial line (/dev/ttyUSB0 in my case). Set connection speed 115200, data bits 8, parity None, stop bits 1 (8N1) and open the connection.

PuTTY serial connection settings.

Note: For PuTTY to be able to open /dev/ttyUSB0 on Ubuntu you need to run it as root. To do so, open a command terminal and enter gksudo putty & .

With the PuTTY connection opened power on the modem. You will receive the following output:

ROM VER: 1.2.0
CFG 04

Wireless ADSL Gateway AMAZON_SE Loader 7505.03 build Sep 20 2010 11:36:23
                      Arcadyan Technology Corporation
RDID: c22015

Copying boot params.....DONE

Press Space Bar 3 times to enter command mode ...

Immediately press spacebar 3 times. This will halt the boot process and take you to the bootloader prompt. At the bootloader prompt press ! to enter administrator mode.

Press Space Bar 3 times to enter command mode ...123
Yes, Enter command mode ...

[AMAZON_SE Boot]:!

Enter Administrator Mode !

Once you enter administrator mode close PuTTY but do not disconnect the modem from the converter. To perform the backup we will use a different program called ‘brntool’. You can download brntool from

Performing the Backup

Before running brntool we need to make a few modifications to its code, so that it is compatible with this modem. Open with a text editor and comment-out lines 22-23, 29-31 and 59-60 by inserting a ‘#’ at the beginning of each line. Conversely, uncomment line 58 and, optionally, change the value of bs to 2048 or to any other number you prefer, as long as it is less than 10000 (bs denotes the number of bytes the program will read at a time). In the screenshots below I’ve set bs to 2048.

Comment-out lines 22-23, 29-31 and 59-60. Uncomment line 58 and, optionally, change bs to 2048.

With the changes detailed above completed, the modem at the administrative bootloader prompt and PuTTY closed, open a command terminal and run brntool by issuing the following command:

$sudo ./ --read=fw.bin --addr=0x0 --verbose --size=0x200000

If all has gone well you should see a series of dots appear as the firmware is being read. Each ‘.’ represents a successful read of ‘bs’ bytes. A ‘!’ means the read attempt failed, and the program will retry until the read succeeds. When reading is complete, the firmware will be saved as ‘fw.bin’. I recommend you perform a second backup and then compare the two backups to make sure no errors occurred (for example, in my case, the Rx pin had come loose after some point, and I only found out when I performed two successive backups and compared them; the loose Rx pin was distorting the output, so each new backup differed from the previous one).
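The two-backups-and-compare check recommended above, as an added example (not part of the original post or of brntool): it hashes both dumps and reports every 2048-byte block (the bs used in the post) where they disagree, so a flaky serial line shows up as a short list of offsets. The sample dumps are constructed in memory; on real files call compare_files("fw.bin", "fw2.bin").

```python
"""Compare two successive brntool firmware dumps block by block."""
import hashlib
from itertools import zip_longest
from typing import List, Tuple

BLOCK_SIZE = 2048  # bs from the post: one '.' in brntool's output per block


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a dump, for labelling the copy you decide to trust."""
    return hashlib.sha256(data).hexdigest()


def differing_blocks(a: bytes, b: bytes,
                     block_size: int = BLOCK_SIZE) -> List[Tuple[int, int]]:
    """Return (offset, number_of_differing_bytes) for each block where a and b
    disagree. A length mismatch counts as a difference, since a truncated read
    is no more trustworthy than a corrupted one."""
    result = []
    for offset in range(0, max(len(a), len(b)), block_size):
        chunk_a = a[offset:offset + block_size]
        chunk_b = b[offset:offset + block_size]
        if chunk_a != chunk_b:
            mismatched = sum(1 for x, y in zip_longest(chunk_a, chunk_b) if x != y)
            result.append((offset, mismatched))
    return result


def dumps_match(a: bytes, b: bytes) -> bool:
    """True only if both dumps have identical length and content."""
    return len(a) == len(b) and sha256_hex(a) == sha256_hex(b)


def compare_files(path_a: str, path_b: str) -> List[Tuple[int, int]]:
    """Compare two dump files on disk, e.g. the first and second fw.bin."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return differing_blocks(fa.read(), fb.read())


def _demo() -> None:
    # Constructed stand-in for the 2 MB (0x200000-byte) flash image.
    good = bytes((i * 7 + 3) & 0xFF for i in range(0x200000))
    # Second "dump" with ten corrupted bytes inside the block at 0x5800,
    # the kind of damage a loose Rx pin produces.
    bad = bytes(b ^ 0xFF if 0x5800 + 100 <= i < 0x5800 + 110 else b
                for i, b in enumerate(good))
    print("dump A sha256:", sha256_hex(good))
    print("dump B sha256:", sha256_hex(bad))
    for offset, count in differing_blocks(good, bad):
        print(f"block at 0x{offset:06x}: {count} byte(s) differ")


if __name__ == "__main__":
    _demo()
```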

For your reference I have uploaded my backup to .

If you followed the instructions above you should now have a backup of the Netfaster WLAN 3 firmware. In my next post I’ll show you how to restore the firmware to the modem.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

A Team Cymru report published on Monday finds more than 300,000 SOHO routers hacked, having their DNS settings modified to point to DNS servers controlled by the attackers. The affected devices come from various manufacturers, including, but not limited to, D-Link, Micronet, Tenda and TP-Link.

The vast majority of the compromised routers (more than 160,000) are found in Vietnam; other locations with large infections include India, Italy, Thailand, Colombia, Bosnia and Herzegovina, Turkey, Ukraine, Serbia and Ecuador.

The exploit techniques used include Cross-Site Request Forgery (CSRF) for TP-Link devices and an authentication bypass vulnerability in devices running ZyXEL firmware (ZynOS). The routers exploited have their DNS settings point to ip addresses and

You can find the Team Cymru report here. There’s also a post by Ars Technica here.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

A new post by Ars Technica published yesterday reports two critical vulnerabilities affecting a series of ASUS RT routers. According to the report almost 13,000 routers have been exploited in the 8 months since the vulnerabilities were publicly disclosed, and the users of those routers have had files leaked online. ASUS is said to have patched the routers late last week.

As if that wasn’t enough, the same article makes mention of an attack that infects Linksys routers with self-replicating malware. The worm doesn’t seem to be stealing any data though.

Dan Goodin, the post’s author, notes in his closing paragraph:

Taken together, the attacks are a sign that routers and other Internet-connected devices are being subject to the same in-the-wild attacks that have plagued PCs—and in some cases Macs—for years. Readers are advised to lock down their routers by installing any available firmware updates, changing any default passwords, and ensuring that remote administration, Cloud, and FTP options are set to off if they’re not needed.

You can find Ars’ post here.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

I recently bricked a Netgear DG834G v3 by modifying the bootloader’s environment variables*. I purposefully set mtd1 to a bogus starting address (0x90120000), to see if ADAM2, unable to locate the OS, would drop me to the prompt. I did this because, with this particular modem, you cannot interrupt the boot process and talk to the bootloader; it always starts the OS. The result, however, was not what I expected. Upon rebooting the modem I received the following through my serial connection:

ADAM2 Revision 0.22.02
(C) Copyright 1996-2003 Texas Instruments Inc. All Rights Reserved.
(C) Copyright 2003 Telogy Networks, Inc.
memsize == 0x01000000
Usage: setmfreq [-d] [-s sys_freq, in MHz] [cpu_freq, in MHz]
maca                  00:1b:2f:78:bb:d2
macb                  00:1b:2f:78:bb:d3
memsize               0x01000000
flashsize             0x00400000
modetty0              115200,n,8,1,hw
modetty1              115200,n,8,1,hw
bootserport           tty0
cpufrequency          211968000
sysfrequency          105984000
bootloaderVersion     0.22.02
ProductID             DG834
HWRevision            Unknown
SerialNumber          none
prompt                ADAM2
firstfreeaddress      0x9401bd20
req_fullrate_freq     125000000
mtd0                  0x900d0000,0x903e0000
mtd1                  0x90120000,0x900d0000
mtd2                  0x90000000,0x90020000
mtd3                  0x903e0000,0x903f0000
mtd4                  0x903f0000,0x90400000
oam_lb_timeout        100
modulation            MMODE
autoload              0
autoload_timeout      45

ADAM2 > addr=90120000
File for wrong Endian!
gocommand even2
Copying download from b0017000 to b4020000

Then the process froze, with the power and check mark (√) leds blinking continuously. The modem was bricked.

Time to debrick

To recover from this state you need to connect to the modem through its JTAG interface. You can see the JTAG header pictured below.

The Netgear DG834G v3 board. You can see the JTAG interface top right. Note you will need to solder the header on the board.

According to this modem’s wiki page on OpenWrt (where you can also find another picture of the JTAG header, probably better than mine too), the interface’s pinout is as follows:

Pin #  Function  Function  Pin #
9      TCK       GND       10
11     nSRST     KEY       12

This corresponds to MIPS EJTAG 2.5.

Assuming that your computer does not have a parallel port, to implement this connection you need a USB-to-JTAG adapter, such as the TUMPA. With modem and TUMPA powered off, make the following connections:

TUMPA   DG834G  Notes
Pin 5   Pin 3   TDI to TDI
Pin 7   Pin 7   TMS to TMS
Pin 9   Pin 9   TCK to TCK
Pin 13  Pin 5   TDO to TDO
Pin 4   Pin 4   GND to GND

Lastly download zJTAG from

What I want to do in my case is use zJTAG to grab the part of memory that holds the environment variables, save it on my computer, edit it with a hex editor to undo the change I made that bricked the router, and, finally, write it back to memory. (Of course there are other ways you can brick/debrick your router and not everyone will be in the same type of situation as me. For those other cases check this. Please note: I haven’t tried the other methods described there, so I can’t comment on them.)

Connect TUMPA (I suppose you have already installed its drivers) to your computer and power on the modem. Now, assuming you messed up the bootloader’s environment variables like I did, proceed as follows:

1. Run zJTAG to get the environment variables.

C:\zjtag 1.8>zjtag.exe -backup:custom /start:0x903f0000
              /length:0x10000 /window:0x90000000 /L1:3 /fc:030
              /nodma /LE

               zJTAG EJTAG Debrick Utility v1.8 RC3

Dev 0:
 Description=TIAO USB Multi-Protocol Adapter A
 Set I/O speed to 7500 KHz

USB TAP device has been initialized. Please confirm VREF signal
Press any key to continue... ONCE target board is powered on!

Detected IR chain length = 32

There are 1 device(s) in the JTAG chain
 IDCODE for device 1 is 0x0000100F (IR length:1)

Probing bus ... Done

Defined IR Length is 5 bits

CPU assumed running under LITTLE endian

CPU Chip ID: 00000000000000000001000000001111 (0x0000100F)
*** Found a TI manufactured TNETD7300GDU(AR7WRD) REV 01 CPU ***

    - EJTAG IMPCODE ....... : 01000001010000000100000000000000
    - EJTAG Version ....... : 2.6
    - EJTAG DMA Support ... : No
    - EJTAG Implementation flags: R4k DINTsup ASID_8 NoDMA MIPS32
    *** DMA Mode Forced Off ***

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ...  ... Done
Clearing Watchdog ... Done
Loading CPU Configuration Code ... Skipped
*** Manually Selected a MX29LV320AB 2Mx16 BotB   (4MB) from Macronix

    - Flash Chip Window Start .... : 90000000
    - Flash Chip Window Length ... : 00400000
    - Selected Area Start ........ : 903F0000
    - Selected Area Length ....... : 00010000

*** You Selected to Backup the CUSTOM.BIN ***

Backup Routine Started

Saving CUSTOM.BIN.SAVED_20140130_223245 to Disk...
Done  (CUSTOM.BIN.SAVED_20140130_223245 saved to Disk OK)

bytes written: 65536
Backup Routine Complete
elapsed time: 121 seconds


C:\zjtag 1.8>

2. Open the file zJTAG just generated (CUSTOM.BIN.SAVED_X_Y) with a hex-editor.

3. Locate the bogus entry. In my case the offending line is located at 0xd80.

The mtd variable I modified, thus bricking the router.

4. Undo the changes you made. In my case I find that the original mtd1 value is still present at 0x900, so I can safely remove my entire new entry, by filling those bytes with ff. Save the file as custom.bin.

5. Write back the edited and corrected environment variables.

C:\zjtag 1.8>zjtag.exe -flash:custom.bin /start:0x903f0000
              /length:0x10000 /window:0x90000000 /L1:3 /fc:030
              /nodma /LE

6. Reboot the modem.
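Steps 2 to 5 done programmatically, as an added example (not part of the original post or of zJTAG): it lists every place a variable is defined in the 64 KiB CUSTOM.BIN dump, blanks the chosen entry back to 0xff the way the hex editor does, and refuses to write a custom.bin that changed size or still redefines an mtd variable. It assumes the environment is stored as NUL-terminated ASCII name/value strings in otherwise erased flash; the sample dump is constructed and uses the post's offsets (bogus mtd1 at 0xd80, original at 0x900), with the original mtd1 value, which the post does not give, left as a placeholder.

```python
"""Inspect and patch an ADAM2 environment dump before flashing it back."""
from typing import List, Tuple

ENV_SIZE = 0x10000  # /length:0x10000 in the zjtag command
ERASED = 0xFF       # value of an unprogrammed NOR flash byte


def find_variable(dump: bytes, name: str) -> List[Tuple[int, str]]:
    """Return (offset, value) for every NUL-terminated definition of `name`.
    Two hits mean the variable was redefined: in the post the later entry at
    0xd80 was the one in effect, which is what bricked the modem."""
    needle = name.encode("ascii") + b"\0"
    hits = []
    pos = dump.find(needle)
    while pos != -1:
        start = pos + len(needle)
        end = dump.find(b"\0", start)
        end = len(dump) if end == -1 else end
        hits.append((pos, dump[start:end].decode("ascii", "replace")))
        pos = dump.find(needle, pos + 1)
    return hits


def erase_entry(dump: bytes, offset: int) -> bytes:
    """Blank one 'name\\0value\\0' entry at `offset` to 0xff. The image keeps
    its length so it still covers the whole region written back at 0x903f0000."""
    end = dump.index(b"\0", offset)        # NUL closing the name
    end = dump.index(b"\0", end + 1) + 1   # NUL closing the value, inclusive
    patched = bytearray(dump)
    patched[offset:end] = bytes([ERASED]) * (end - offset)
    return bytes(patched)


def check_before_flash(original: bytes, patched: bytes) -> None:
    """Sanity checks on the custom.bin about to be flashed."""
    if len(patched) != len(original) or len(patched) != ENV_SIZE:
        raise ValueError("patched image must stay exactly 0x10000 bytes")
    for var in ("mtd0", "mtd1", "mtd2", "mtd3", "mtd4"):
        if len(find_variable(patched, var)) > 1:
            raise ValueError(f"{var} is still defined more than once")


def build_sample_dump() -> bytes:
    """Constructed stand-in for CUSTOM.BIN: erased flash holding the original
    mtd1 at 0x900 and the bogus redefinition from the post at 0xd80."""
    dump = bytearray([ERASED]) * ENV_SIZE

    def put(offset: int, name: str, value: str) -> None:
        entry = name.encode() + b"\0" + value.encode() + b"\0"
        dump[offset:offset + len(entry)] = entry

    put(0x900, "mtd1", "0xXXXXXXXX,0x900d0000")  # placeholder: original start not in the post
    put(0xd80, "mtd1", "0x90120000,0x900d0000")  # the bogus value from the post
    return bytes(dump)


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, val in find_variable(dump, "mtd1"):
        print(f"mtd1 defined at 0x{off:04x}: {val}")
    fixed = erase_entry(dump, 0xd80)
    check_before_flash(dump, fixed)
    with open("custom.bin", "wb") as fh:
        fh.write(fixed)
```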

If all went well your modem should now be debricked. Congrats!

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

* There are a few ways to modify the bootloader’s environment variables, even when you can’t get to the bootloader prompt. The variables are stored in /proc/sys/dev/adam2/environment and in /proc/ticfg/env. You can read and write either of those at runtime, once the OS has loaded, through your serial connection, or through telnet (provided you’ve enabled telnet first).

Updated January 04, 2014 – added link to Naked Security.

An Ars Technica post reports a Linksys WAG200G vulnerability, discovered by Eloi Vanderbeken, which, if exploited, provides the attacker with admin access. To take advantage of the backdoor the attacker needs to be on the local network and talk to TCP port 32764.

The WAG200G is not the only modem affected by this vulnerability. According to Ars the backdoor has been found on other Linksys models and on Netgear DSL modems as well.

You can read more about it on Ars Technica.

Vulnerabilities like this one are the reason why you need to make sure your modem/router is always running the latest firmware or switch to an open source alternative.

Update: Naked Security posted a nice write-up for this issue. You can find it here.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

First order of business after installing OpenWrt is to telnet to your device and set a root password. To do so telnet to and, once you get the OpenWrt prompt, issue the passwd command. Now set a password and close the telnet connection.

$ telnet
Connected to
Escape character is '^]'.
 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH

BusyBox v1.15.3 (2011-11-24 00:44:13 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 Backfire (10.03.1, r29592) ------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua 
  * 1/3 shot Bailey's  on the bottom, then Bailey's, 
  * 1/3 shot Vodka     then Vodka.
root@OpenWrt:/# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root
root@OpenWrt:/# exit
Connection closed by foreign host.

With a root password set, telnet access is disabled and all subsequent connections use ssh. Further telnet connection attempts will fail, because the connection is refused. This is standard OpenWrt behavior.

$ telnet
Connected to
Escape character is '^]'.
Login failed.
Connection closed by foreign host.
$ ssh root@
The authenticity of host ' (' can't be established.
RSA key fingerprint is e3:74:ff:f7:54:45:12:ba:94:66:08:8f:40:05:a4:71.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts.
root@'s password: 

BusyBox v1.15.3 (2011-11-24 00:44:13 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 Backfire (10.03.1, r29592) ------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua 
  * 1/3 shot Bailey's  on the bottom, then Bailey's, 
  * 1/3 shot Vodka     then Vodka.

Now that we’ve established our connection to the router I suggest you change its default ip address so that it doesn’t conflict with any other routers you may be using. I’ll use To change the ip address issue the following commands (you can read more about UCI here):

root@OpenWrt:~# uci set network.lan.ipaddr=
root@OpenWrt:~# uci commit

Now reboot your router. The results of the above configuration are the following:

  • Router ip set to
  • DHCP addresses served in range 192.168.100.x

Bringing up the ADSL Interface

To bring up the ADSL interface we need to add the configuration below to /etc/config/network (I assume here that your ISP employs PPPoE bridged over ATM – occasionally called PPPoEoA. I also assume that the ATM PVC uses vpi 8, vci 35 and encapsulation LLC)*:

config 'interface' 'wan'
        option 'ifname' 'nas0'
        option 'proto' 'pppoe'
        option 'username' 'USERNAME'
        option 'password' 'PASSWORD'

config 'atm-bridge' 'atm'
        option 'unit' '0'
        option 'vpi' '8'
        option 'vci' '35'
        option 'encaps' 'llc'
        option 'payload' 'bridge'

To add the configuration above we can either edit the /etc/config/network file directly or issue the following commands at the OpenWrt prompt:

root@OpenWrt:~# uci set network.wan=interface          #add wan section
root@OpenWrt:~# uci set network.wan.ifname=nas0
root@OpenWrt:~# uci set network.wan.proto=pppoe
root@OpenWrt:~# uci set network.wan.username=USERNAME
root@OpenWrt:~# uci set network.wan.password=PASSWORD
root@OpenWrt:~# uci set network.atm=atm-bridge         #add atm section
root@OpenWrt:~# uci set network.atm.unit=0
root@OpenWrt:~# uci set network.atm.vpi=8
root@OpenWrt:~# uci set network.atm.vci=35
root@OpenWrt:~# uci set network.atm.encaps=llc
root@OpenWrt:~# uci set network.atm.payload=bridge
root@OpenWrt:~# uci commit

Don’t forget to replace USERNAME and PASSWORD with the ones provided by your ISP. Confirm by issuing uci show network or cat /etc/config/network.

Now run /etc/init.d/br2684ctl start to create the nas0 interface and bring up the wan interface:

root@OpenWrt:~# /etc/init.d/br2684ctl start
br2684ctl[1728]: Interface "nas0" created sucessfully
br2684ctl[1728]: Communicating over ATM 0.8.35, encapsulation: LLC
br2684ctl[1728]: Interface configured

You should now be connected to the internet. If you check the router’s log by issuing logread, you’ll see pppd establishing a PPP session with your ISP:

root@OpenWrt:~# logread
<output omitted>
pppd[1485]: PPP session is 17049
pppd[1485]: Using interface pppoe-wan
daemon.notice pppd[1485]: Connect: pppoe-wan  nas0
daemon.notice pppd[1485]: PAP authentication succeeded
daemon.notice pppd[1485]: peer from calling number 00:90:1A:A4:08:72
daemon.notice pppd[1485]: local  IP address xx.xx.xx.xx
daemon.notice pppd[1485]: remote IP address xx.xx.xx.xx
daemon.notice pppd[1485]: primary   DNS address xx.xx.xx.xx
daemon.notice pppd[1485]: secondary DNS address xx.xx.xx.xx
user.notice ifup: Enabling Router Solicitations on wan (pppoe-wan)
firewall: adding wan (pppoe-wan) to zone wan

If you run ifconfig you should have a nas0 and a pppoe-wan interface.

root@OpenWrt:~# ifconfig
<output omitted>
nas0      Link encap:Ethernet  HWaddr 00:E0:A0:A6:66:70  
          RX packets:342 errors:0 dropped:0 overruns:0 frame:0
          TX packets:478 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:31331 (30.5 KiB)  TX bytes:28629 (27.9 KiB)

pppoe-wan Link encap:Point-to-Point Protocol  
          inet addr:xx.xx.xx.xx  P-t-P:xx.xx.xx.xx  Mask:
          RX packets:9 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:885 (885.0 B)  TX bytes:498 (498.0 B)

And last but not least, you should be able to ping outside addresses:

root@OpenWrt:~# ping
PING ( 56 data bytes
64 bytes from seq=0 ttl=54 time=94.505 ms
64 bytes from seq=1 ttl=54 time=95.070 ms
64 bytes from seq=2 ttl=54 time=95.265 ms
--- ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 94.505/94.946/95.265 ms

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

* Multiprotocol encapsulation over AAL5 is defined in RFC 2684. For more information check

In my previous post we installed OpenWrt 10.03.1 on D-Link’s DSL-G624T. In this post I’ll show you, just in case you’re not happy with OpenWrt, how you can uninstall it and go back to the original D-Link firmware. The procedure is simple. You connect to the bootloader again, open an ftp connection, flash the original D-Link firmware and reset the mtd variables to their original values (you did make a note of the original mtd values, didn’t you?).

Before we begin we need to grab the original DSL-G624T firmware. You can find v3.10 of the original firmware on the router’s product support page (I’ve also uploaded it to OneDrive in case D-Link decides to remove it. SHA1: 73867582db7120ed1a3d5a59afb4ad395dda21f8). Download the zip archive and extract the firmware image ‘DLinkEU-A_DSL-G624T_singleimage_kernel_fs_-V3.10B01T02.EU–A.20070613’. Rename the image to something more manageable like ‘original.bin’.

Now that we have the firmware let’s connect to the modem. Connect your USB-to-UART converter to the modem’s serial port as before:

  • Converter GND to modem pin 4 or pin 2 (either one will do)
  • Converter Rx to modem pin 1
  • Converter Tx to modem pin 5

Launch your preferred terminal emulator (I’ll be using PuTTY) and open the serial connection. Power on the router (I use the terms ‘modem’ and ‘router’ interchangeably) and stop the bootloader from running the OS (just press any key). Set an ip address in the 192.168.1.x range for your NIC and connect to the router via UTP. Next, if you’re running Ubuntu, make sure that F-RTO is disabled (more info in my previous post), change to the directory where you extracted the original firmware and open an ftp connection to

With the ftp connection established, issue, as before, the following commands:

ftp> binary
200 Type set to I.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> quote MEDIA FLSH
200 Media set to FLSH.

Finally execute:

ftp> put original.bin "fw mtd1"

Just like when we flashed OpenWrt, the memory will be erased first, and then the transfer will begin. You can monitor the progress of the erase in PuTTY.

With the transfer of the original firmware completed, we need to reset mtd1 to its original value. At the bootloader prompt issue the following command:

Adam2_AR7RD > setenv mtd1 0x90010090,0x900a1000

Make sure that the mtd variables now have the values given below:

Adam2_AR7RD > printenv
mtd0  0x900a1000,0x903f0000
mtd1  0x90010090,0x900a1000
mtd2  0x90000000,0x90010000
mtd3  0x903f0000,0x90400000
mtd4  0x90010000,0x903f0000

At this point we are ready to run the original D-Link firmware. Disconnect the UTP cable. Switch to PuTTY and enter go:

Adam2_AR7RD > go

Good job, your modem is now running the original D-Link firmware.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.