I purchased a NETGEAR Centria N900 router at a fire sale nearly a year ago. I’m happy with its functionality but was always disappointed that I wasn’t able to flash a community created firmware such as DD-WRT or Tomato onto it.

Luckily, the official firmware is forked from OpenWrt and as per the GPL the sources need to be publically available. Armed with those sources, a hacker name shibby managed to create an alternative 1.0.0.52 firmware which includes the dropbear ssh server that we can use to gain root access to the router.

Edit 11/22/2016: This guide is now irrelevant. Follow the new LEDE guide.

After flashing the shibby firmware (mirrored here) I was able to SSH into the router with no difficulty. I saw that it ran a 1GHz single core PowerPC APM82181 CPU built by AppliedMicro:

root@WNDR4700:~ # cat /proc/cpuinfo

processor : 0

cpu : APM82181

clock : 1000.000010MHz

revision : 28.131 (pvr 12c4 1c83)

bogomips : 2000.00

timebase : 1000000010

platform : PowerPC 44x Platform

model : amcc,wdnr4700

Memory : 256 MB

It isn’t much but it is plenty fast to host a wide range of services. Now if only I can get some packages installed on the router! In order to do that I first need some location to install it. I plugged a USB drive into my router and the drive was happily automounted on /tmp/mnt/sda1:

root@WNDR4700:~ # mount

rootfs on / type rootfs (rw)

/dev/root on / type squashfs (ro,relatime)

none on /proc type proc (rw,relatime)

sysfs on /sys type sysfs (rw,relatime)

none on /tmp type tmpfs (rw,nosuid,nodev,relatime)

tmpfs on /dev type tmpfs (rw,relatime,size=128k)

none on /proc/bus/usb type usbfs (rw,relatime)

/dev/sda1 on /tmp/mnt/sda1 type ext4 (rw,noexec,relatime,barrier=1,data=ordered)

This is a good start! But we need to ensure that some basic directories are writable so let’s remount our USB drive to allow it to execute files, copy over any configuration and libraries that might need altering, and remount those copies over the read only filesystem as writable:

root@WNDR4700:~ # umount /mnt/sda1

root@WNDR4700:~ # mount -o rw,exec /dev/sda1 /mnt/sda1/

root@WNDR4700:~ # cd /tmp/mnt/sda1

root@WNDR4700:~ # mkdir opt etc root usr/lib -p

root@WNDR4700:~ # cp -ar /etc/* /mnt/sda1/etc

root@WNDR4700:~ # cp -ar /usr/lib/* /mnt/sda1/usr/lib

root@WNDR4700:~ # cp -ar /opt/* /mnt/sda1/opt

root@WNDR4700:~ # mount -o bind /mnt/sda1/opt/ /opt

root@WNDR4700:~ # mount -o bind /mnt/sda1/etc/ /etc

root@WNDR4700:~ # mount -o bind /mnt/sda1/root/ /root

root@WNDR4700:~ # mount -o bind /mnt/sda1/usr/lib /usr/lib

Cool, now I have a system that is fairly hackable! I could now spend several days trying to cross compile packages for my router but hopefully I could leverage an existing package manager such as optware to download precompiled binaries. Luckily OpenWrt already comes packaged with Busybox which includes the ipkg binary so the only thing that was missing was a repository. After some searching I found out that the Synology DS101G device, which has great ipkg support, coincidentally also has a PowerPC CPU. I was further encourged by finding another hacker named Pinchii who had succesfully hacked his PowerPC NAS by using the Synology repository.

After some reading of the DS101G bootstrap instructions and Pinchii’s directions I discovered that their scripts aren’t compatible. To save anyone the trouble just download the following packages, copy them to the router (scp or onto the flash drive):

Finally, I installed the packages with Busybox ipkg and then updated my paths so that the router was aware of optware:

root@WNDR4700:~ # /usr/bin/ipkg install *.ipk

Installing ipkg-opt (0.99.163-10) to root...

Installing libidn (1.25-1) to root...

Installing openssl (0.9.7m-6) to root...

Installing wget-ssl (1.12-2) to root...

Configuring ipkg-opt

Configuring libidn

Configuring openssl

Configuring wget-ssl

Done.

root@WNDR4700:~ # export LD_LIBRARY_PATH='/opt/lib:/opt/usr/lib:/lib:/usr/lib:/opt/usr/local/lib'

root@WNDR4700:~ # export PATH='/sbin:/opt/bin:/opt/usr/bin:/opt/sbin:/opt/usr/sbin:/bin:/usr/bin:/usr/sbin:/opt/usr/local/bin'

root@WNDR4700:~ # ipkg update

Downloading http://ipkg.nslu2-linux.org/feeds/optware/ds101g/cross/stable/Packages.gz

Inflating http://ipkg.nslu2-linux.org/feeds/optware/ds101g/cross/stable/Packages.gz

Updated list of available packages in /opt/lib/ipkg/lists/optware

Successfully terminated.

If you have been following my instructions you now have an unlocked WNDR4700 router! I’ve installed vim, screen, bash, coreutils from ipkg onto the router to make it more functional. If you do install bash yourself, make sure you install crosstool-native and compile a newer version of bash to fix the shellshock bug!

Did you run into trouble? No sweat, just reboot your router and your mucking about will disappear because its localized to the USB stick.

Granted, this is somewhat of an annoyance though because any changes will be undone each time there is a power outage. At that point you just need to remount the necessary folders in order to get your environment back. I might take a stab at making everything more permanent in the future by modifying the nvram.

Happy hacking!

Disclaimer: I am not responsible for any damage caused to your device.