Alternate firmware for the Linksys WRT54

August 4, 2013

I have a Linksys WRT54GS version 5 router, and believe that I would like to run DD-WRT on it. This leads to a myriad of issues, in large part because of issues with the version 5 units. The deal is that beginning with version 5, Linksys switched from linux based firmware to VxWorks based firmware. Apparently this has a significantly reduced memory footprint, allowing them to save money by in some cases cutting the size of both RAM and flash in half. Good for them maybe, but bad for people who want to run alternate firmware.

And the word is that the VxWorks based firmware is not as reliable as the linux based firmware that Linksys shipped in the good old days. I do not blame this on VxWorks (I use VxWorks myself for embedded projects in my professional work and like it very much). But the end result is what counts, and the word is that it was a step backwards in several ways. It is worth noting that Linksys now also offers a WRT54GL version that has 4M of flash and 16M of ram. I see these selling on Amazon for $50 or so. Compare this to the WR54G with 2M of flash and 8M of ram for $40. My WRT54GS v5 has 2M of flash and 16M of ram (they sell on Amazon for $95, which seems silly).

There is lots of information, and I am still sorting it out. Here are some links:

You should essentially ignore the information in the router database. If you look up (as I did) the wrt54gs v5 router, it will suggest that you use build 13064. If you go look at the stickies at the top of the Broadcomm forum (as you should), they will tell you that you are a bonehead if you use this build.

Why this inconsistency? Well, you can get some glimmer of an explanation by reading the just mentioned stickies. Here is my take on it: at some point the dd-wrt project transitioned from an open source community project to a closed project with a insider group of developers and a for profit fork of dd-wrt. It may be of some advantage to the for profit group to have users grabbing faulty "free" versions and getting frustrated. There may be some reluctance to call a spade a spade in the forums for fear of alienating the dd-wrt developers. The people who are truly fed up with all of this are running openWRT.

I have a general impression that build 15962 may be a good choice (in the generic micro version) for the wrt54gs. It is hard to get concrete recommendations. Beyond that, it is hard to find build images. It is a mess. For my wrt54gs I know I need a micro generic build; and build 15962 is recommended, See below, I ended up using 14929 and this worked out fine.

Read the sticky threads at the top of the Broadcomm forums. The "Peacock Thread" has a lot of valuable information, and most people asking sensible questions simply find themselves not having their questions answered and getting referred back to the Peacock Thread.

There is a lot to read and digest here. I am not rushing into installing dd-wrt on my router until I really feel I understand all the issues.

My router - The WRT54GS version 5.0

This router is one of the undesirable VxWorks based units with reduced RAM and flash (16M of ram and 2M of flash). This means that only the "micro" (not mini!) version of the DD-WRT firmware can be used, and the path to installing the firmware is tricky.

Here is one fellows story about how he tried to do this and made a brick of his router. I like his quote "I'm not rich enough to buy cheap things.".

The game for these is that you cannot just do the usual firmware upgrade, you need to first load something called "VxWorks Killer", then you can pull in the firmware you really want. The forum talks about needing CFE instead of the VxWorks BSP (board support package). What I picture is that the flash is partitioned in two sections. One section holds some unchanging stuff, the other section holds stuff that changes (namely the firmware you hope to upgrade). The DD-WRT firmware expects the unchanging section to hold the CFE firmware. So, if you just load new DD-WRT firmware into a VxWorks based router, the DD-WRT firmware finds itself trying to talk to the VxWorks BSP and you have a bricked router. So, you have to do a clever dance to replace the VxWorks BSP and to install the DD-WRT firmware without painting yourself in a corner.

What the heck is CFE anyway, I hear you asking! It is not the the council of five elders in Japan, like you were perhaps thinking, but the Common Firmware Environment, developed by Broadcom. You could sort of think of it as the moral equivalent of a "bios" in the world of routers.

How to put DD-WRT on a WRT54GS version 4 router

As near as I can tell, the game goes like this. This is an outline, with details following.

Before you even touch your router, you need to do this:

  1. Set up the machine you will upgrade from to use a static IP address.
  2. Obtain tftp client software for that machine.
  3. Obtain the vxworks prep and killer images.
  4. Modify the VxWorks killer image to hold your MAC address.
  5. Select the version of dd-wrt you want to run
Once all this is done and you are ready to dive in, the actual install process is supposed to take only 14 minutes or so:
  1. Pull the "prep" image into the router.
  2. Pull the "killer" image into the router.
  3. Push the dd-wrt image into the router.
  4. Enable the full 16M on the wrt54gs.
  5. Backup the CFE.

The static IP address

I will be doing the upgrade from a linux machine, which I already have set up with a static IP, so this involves nothing extra for me. The basic idea here is that if you were doing the machine from a machine which had obtained its IP via DHCP from the router you were upgrading, you very well might end up pulling the rug out from under your feet when the router dropped off the network at various times during the upgrade. Pretty obvious when you think about it. The different procedures recommend various specific IP numbers. It should be on the 192.168.1.x subnet and should not be 192.168.1.1, almost anything else would be fine.

Here are some tips for the linux user doing this. I put the linux machine I intend to do this from onto 192.168.1.8 via a static IP setup. However, my current internet router is on 10.0.0.1, and it would be nice to be able to view instructions on the internet while doing the firmware update, so ... 

su
ip addr add 10.0.0.8/24 brd + dev em1 label em1:router
route del default
route add default gateway 10.0.0.1
route -n
After doing this I once again have access to the internet, and my machine and the linksys are the only devices on the 192.168.1.x LAN.

And here are some tips on setting up Windows static IP numbers. On windows 7, this gets you to the screens you use: 

Control Panel
Network and Internet
Network and Sharing Center
Local Area Connection
Properties
IPv4

tftp client for linux

This is easy on my fedora 19 system: 
yum install tftp
To send a file to the wrt54, a command something like the following will do. The "-v" is optional, but will give more information. 
tftp 192.168.1.1 -c put yada.bin

Obtaining "VxWorks prep and killer" images

I originally found these by following the router database for the wrt54gs, and obtained: I ended up not using these, there is a better way: You go to the link in the forum post above and fetch Gv5Flash.zip. This contains This "prep" file is different (both in name and content) from the one given you get following the router database. I have no clue what this is all about.

Make a custom "VxWorks killer" image which contains your MAC address

You could use a generic "killer" image like the one the database will lead you to, but you really should generate one that has your very own MAC address in it.

Even though I am doing all of this from a linux machine, I took the easy way out here and downloaded Gv5Flash.zip onto a Windows 7 machine, unzipped the vximgtoolgui.zip file and ran the executable contained therein. At the top of the GUI you get to select whether you have a wrt54g or a wrt54gs, and there is an entry field where you type your MAC address. You give a name to the output file (I chose mymac.bin) and you click a button that says "generate" or some such. Then I put mymac.bin onto a USB flash drive and moved it to my linux machine. Then I washed my hands with strong soap and water. This file is the custom "killer" image.

Select the version of dd-wrt you want to run

This is pretty hard, maybe the hardest part. We already have learned that if we choose the 13064 image the router database leads us to, that we are a bonehead. We carefully read the posts at the head of the broadcomm forum and get the idea that the 14929 build by brainslayer is the recommended choice. Then we look inside Gv5Flash.zip and find dd-wrt.v24-12548_NEWD_micro.bin. I think I will still go with the 14929 brainslayer build. I did and it seems just swell.

Go for it

I did and it worked!

Enable 16M of ram

Once you have dd-wrt up and running, it is probably (certainly?) only using 8M of ram. You can tell it to use the 16M of ram you should have by following the instructions given in this post: Note that they say ' it will work for sure only if your RAM chip is "mira p2v28s40btp"'.

Telnet into the router and give the following commands. Be aware that if you do this on anything other than a wrt54gs v5 with the chip mentioned, you will probably be making a brick of your router. 

nvram set sdram_init=0x0A
nvram set sdram_ncdl=0
nvram commit
reboot
This worked just fine for me (and my unit has exactly the chip indicated).

Linux tools for screwing with the VxWorks Killer

I ended up not using these, and resorting to windows to generate the killer image with my mac address, as well as to run the tftp client, but here is the info for your perusal anyway.

The procedure above recommends installing the MAC address of your router into the vxworks killer image. The story here is that if you don't do this your router will have heaven knows what for a MAC address (perhaps all zeros), and your ISP is likely to refuse to allow you to connect if you come on acting like an anonymous zombie router. Most of the documented procedures instruct you to obtain and use a little GUI that is intended to run on Windows. This is frustrating for a linux guy like myself, but apparently this issue can be solved in several ways:

I wondered if perhaps I wasn't the first linux user who wanted to cross this bridge, and a search led me to: I did the following, and got a lot more than just the wrt_vx_imgtool: 
git clone git://github.com/mirror/firmware-mod-kit
cd firmware-mod-kit/src/wrt_vx_imgtool
make


This produces the wrt_vx_imgtool executable, but the git clone pulled down a lot of other stuff
that bears looking at (more twisty paths to roam down!).  There is a file documenting what this
is in the root of the cloned tree named firmware_mod_kit.htm.  This document points to
some forums at:



The author of all this seems to be (among others)  Jeremy Collake (db90h) and Craig Heffner. 
Jeremy is the original author of the VxWorks killer tool.


JTAG


If you really screw up and make a brick of your router, you can probably recover it
by getting a JTAG cable/dongle and loading firmware via a JTAG port.
We are hoping to avoid ending up in this position, but it is good to know that
we can recover our investment of $0 in this way if necessary.



The situation with a bricked router boils down to this.
It takes working firmware to load new firmware.
Without working firmware, the normal options are impossible, but
connecting a special cable opens up new ways of doing things.
JTAG cables are cheap, and along with loading firmware are a great way
to do remote debugging and lots of cool stuff.  But we hope we can update
our WRT54GS firmware without being forced into learning all about this right now.




Feedback? Questions?
Drop me a line!





Tom's Computer Info / tom@mmto.org