DISCLAIMER: FLASHING YOUR NETGEAR ROUTER WITH CUSTOM FIRMWARE IS DANGEROUS. YOU MIGHT VERY WELL FRY THE DEVICE. THE BELOW PROCEDURE WORKED FOR ME. I CANNOT GUARANTEE YOU WILL BE AS SUCCESSFUL. I ACCEPT NO RESPONSIBILITY FOR ANY PROBLEMS THAT MAY ARISE FROM YOUR USE OF THIS INFORMATION.

To create custom firmware, first get the latest firmware from Netgear. Unpack the userland from the firmware:

    nsmagt@honningsvag netgear $ hexdump -C DG834.a1.03.01.img |grep "Compressed ROMFS"
    000d0010 43 6f 6d 70 72 65 73 73 65 64 20 52 4f 4d 46 53 |Compressed ROMFS|
    nsmagt@honningsvag netgear $ perl -e"print ((hex(d0010))/32-.5)";echo
    26624

First we find where the CRAMFS userland image begins. The "Compressed ROMFS" signature sits 16 bytes into the CRAMFS superblock, so the image itself starts half a 32-byte block before the offset that hexdump reports. We convert the offset from hex to decimal, divide by 32, subtract 0.5, and then do:

    nsmagt@honningsvag netgear $ dd if=DG834.a1.03.01.img of=cramfs.img bs=32 skip=26624c

You'll have the CRAMFS image in cramfs.img. You can mount this image by doing:

    nsmagt@honningsvag netgear $ mkdir cramfsroot
    nsmagt@honningsvag netgear $ sudo mount -o loop cramfs.img ./cramfsroot/

You've now got the DG834G userland in ./cramfsroot. Copy it to a new directory (you can't write to the loop-mounted image):

    nsmagt@honningsvag netgear $ cp -pr cramfsroot/ newroot

Replace, delete, modify and add any files you want in this directory. More on this later. Binaries need to be little-endian, compiled against uClibc.

Repack the filesystem by doing:

    mkfs.cramfs newroot/ newroot.img

Get the boot code (kernel etc.) from the original Netgear firmware, and put the two together:

    dd if=DG834.a1.03.01.img of=boot.img bs=32 count=26624c
    cat newroot.img >> boot.img

We will now generate a checksum of the file, which needs to be added into the firmware.
Compile checksum.c, and run it:

    nsmagt@honningsvag netgear $ ./checksum boot.img
    Computed checksum is bd7a
    Stored checksum is ffff
    WARNING: checksum does not match!

You'll now have to hex-edit the new image to make it valid for the binary which takes care of the flashing from the web interface. Open the image in hexedit. Fill from the end of the file until 0x3E0000 with 'FF'. Then change the last four lines in hexedit to look like this:

    003DFFB0 FF FF 73 45 72 43 6F 4D 6D 00 00 00 00 44 47 38 33 34 00 00 00 00 00 00 ..sErCoMm....DG834......
    003DFFC8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........................
    003DFFE0 00 00 00 00 00 00 00 00 00 00 00 83 00 00 00 00 00 73 45 72 43 6F 4D 6D .................sErCoMm
    003DFFF8 FF FF FF FF 7A BD FF FF ....z...

This is some sort of fingerprint; the firmware will not be accepted if this isn't in place.

Bytes 0x3DFFEB and 0x3DFFEC describe the version of the firmware, in this case (83 00) it's 1.03.00. 84 07 would've meant firmware version 1.04.07. I'm not sure yet what uses this though.

Bytes 0x3DFFFC and 0x3DFFFD are used to determine the integrity of the file. Swap the byte order of the checksum (big -> little endian), and put these in. The checksum in this case is bd7a, so put 7A BD in the bytes.

Save your firmware, upload it through the web interface, and you are running your customized firmware!

In my firmware the Netgear proprietary binaries are still available, so I'm not sure if I can publish it for download. It's not a lot different from the original firmware yet anyway. Firmware downloads might be available later.

The first TODO is to create a cross-compiling environment, and flash a new firmware with some binaries. I was thinking of wget first, so we can get stuff onto the device without reflashing.
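The offset calculation and the hexedit step described above can also be scripted instead of done by hand. The following is an added example, not part of the original write-up: the function names are hypothetical, the footer bytes are copied from the hexedit listing on this page, the checksum argument is whatever value ./checksum printed for boot.img, and the size check is an added assumption.

```python
import struct
import sys

CRAMFS_SIG = b"Compressed ROMFS"   # sits 16 bytes into the cramfs superblock
IMAGE_SIZE = 0x3E0000              # final image size given on the page
VERSION_OFF = 0x3DFFEB             # two version bytes (83 00 = 1.03.00)
CHECKSUM_OFF = 0x3DFFFC            # two checksum bytes, byte-swapped

# Last 0x50 bytes, copied from the hexedit listing on the page, with the
# version and checksum fields zeroed until finalize() fills them in.
FOOTER = (
    b"\xff\xff" + b"sErCoMm" + b"\x00" * 4 + b"DG834" + b"\x00" * 6  # 003DFFB0
    + b"\x00" * 24                                                    # 003DFFC8
    + b"\x00" * 11 + b"\x00\x00" + b"\x00" * 4 + b"sErCoMm"         # 003DFFE0
    + b"\xff" * 4 + b"\x00\x00" + b"\xff\xff"                         # 003DFFF8
)


def cramfs_offset(firmware: bytes) -> int:
    """Byte offset where the cramfs image starts inside the firmware."""
    pos = firmware.find(CRAMFS_SIG)
    if pos < 16:
        raise ValueError("cramfs signature not found")
    return pos - 16  # the page's "/32 - .5" is this 16-byte step in 32-byte blocks


def finalize(image: bytes, checksum: int, version: bytes = b"\x83\x00") -> bytes:
    """Pad the image to IMAGE_SIZE with FF and write the footer fields."""
    footer_off = IMAGE_SIZE - len(FOOTER)
    if len(image) > footer_off:  # assumed safety check, not from the page
        raise ValueError("image too large: footer would overwrite data")
    if len(version) != 2 or not 0 <= checksum <= 0xFFFF:
        raise ValueError("version must be 2 bytes, checksum 16 bits")
    out = bytearray(image.ljust(footer_off, b"\xff") + FOOTER)
    out[VERSION_OFF:VERSION_OFF + 2] = version
    out[CHECKSUM_OFF:CHECKSUM_OFF + 2] = struct.pack("<H", checksum)  # bd7a -> 7A BD
    return bytes(out)


if __name__ == "__main__":
    # usage: python3 finalize.py boot.img bd7a firmware.img
    src, csum, dst = sys.argv[1:4]
    with open(src, "rb") as f:
        data = finalize(f.read(), int(csum, 16))
    with open(dst, "wb") as f:
        f.write(data)
```

Compare the tail of the output with `hexdump -C` against the listing above before uploading it.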