I own a Netgear WGT624 v4 router. This router runs a MIPS embedded version of Linux and I was curious whether it is possible to get shell access.
So far, I have failed, but in case anyone else is interested, I did find these things:
- There is a useful webpage with details about a similar router at http://www.castalie.org/projects/DM111P.html
- The latest firmware image is available from Netgear at ftp://downloads.netgear.com/files/WGT624v4-V2.0.13_2.0.14.chk.
Using Fedora Core 9, it is possible to mount the root filesystem from this image:
    # drop the first 58 bytes, which precede the root filesystem
    dd if=WGT624v4-V2.0.13_2.0.14.chk of=rootfs.image bs=1 skip=58
    mkdir -p /mnt/WGT624_rootfs
    mount rootfs.image /mnt/WGT624_rootfs -o loop
Here is a tarball containing these files from the root filesystem.
(It will be mounted using the squashfs LZMA filesystem.)
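The `skip=58` above is specific to this image. The following added example (not part of the original post) generalizes it by scanning an image for a squashfs superblock and carving from that offset. The magic list, the function names and the sample image are assumptions of the example; the version check relies on the squashfs superblock keeping its 16-bit major and minor version fields at offset 28.

```python
import struct

# Magic -> byte order of the superblock. Assumed list: stock squashfs plus
# the signatures written by LZMA-patched vendor builds.
MAGICS = {b"hsqs": "<", b"sqsh": ">", b"shsq": "<", b"qshs": ">"}

def find_squashfs(data):
    """Return [(offset, magic, major, minor)] for plausible superblocks."""
    hits = []
    for magic, order in MAGICS.items():
        pos = data.find(magic)
        while pos != -1:
            # s_major / s_minor are 16-bit fields at offset 28 of the superblock
            if pos + 32 <= len(data):
                major, minor = struct.unpack_from(order + "HH", data, pos + 28)
                if 1 <= major <= 4:  # reject chance matches of the 4-byte magic
                    hits.append((pos, magic.decode(), major, minor))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def carve(data):
    """Return (offset, bytes from the first superblock on), like dd skip=N."""
    hits = find_squashfs(data)
    if not hits:
        raise ValueError("no squashfs superblock found")
    offset = hits[0][0]
    return offset, data[offset:]

def _sample_image():
    # Constructed sample, not the Netgear file: a 58-byte header that happens
    # to contain a decoy magic, followed by a minimal fake superblock.
    header = b"FAKE" + b"hsqs" + bytes(50)
    sb = bytearray(64)
    sb[0:4] = b"shsq"
    struct.pack_into("<HH", sb, 28, 3, 0)  # version 3.0
    return header + bytes(sb) + b"payload"

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else _sample_image()
    off, rootfs = carve(blob)
    print("squashfs at offset", off, "->", len(rootfs), "bytes")
    for hit in find_squashfs(blob):
        print(hit)
```

Run it with a firmware file as its argument to print the offset to pass to `dd skip=`; with no argument it runs on the constructed sample.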
The router has a back door from the local LAN. A telnet server can be activated using the telnetenable utility.
Unfortunately, I do not know the username and password to log on to the router with telnet.
There is a file in the above image called “shadow”; this holds an entry for the router root password:
This is a FreeBSD MD5 password hash ($1$$zdlNHiCDxYDfeF4MZL.H3/), i.e. the MD5 checksum of the password is 7f1a6793eb3c3df9ac6a6460e5054c45.
I have not yet been able to determine the password from this hash.