Subscribe to
Posts
Comments

I own a Netgear WGT624 v4 router. This router runs a MIPS embedded version of Linux and I was curious whether it is possible to get shell access.

So far, I have failed, but in case anyone else is interested, I did find these things:

  • There is a useful webpage with details about a similar router at http://www.castalie.org/projects/DM111P.html
  • The latest firmware image is available from Netgear at ftp://downloads.netgear.com/files/WGT624v4-V2.0.13_2.0.14.chk.
  • Root filesystem

    Using Fedora Core 9, it is possible to mount the root filesystem from this image.
    dd if=WGT624v4-V2.0.13_2.0.14.chk of=rootfs.image bs=1 skip=58
    mount rootfs.image /mnt/WGT624_rootfs -o loop

    Here is a tarball containing these files from the root filesystem.

    (It will be mounted using the squashfs LZMA filesystem.)

  • Telnet access

    The router has a back door from the local LAN. A telnet server can be activated using the telnetenable utility.

    Unfortunately, I do not know the username and password to log on to the router with telnet.

  • Root password

    There is a file in the above image called “shadow”, this holds an entry for the router root password:

    root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::

    This is a FreeBSD MD5 password hash ($1$$zdlNHiCDxYDfeF4MZL.H3/) i.e. the MD5 checksum of the password is 7f1a6793eb3c3df9ac6a6460e5054c45.

    I have not yet been able to determine the password from this hash.

34 Responses to “Hacking the Netgear WGT624 v4 router”

  1. on 12 Sep 2008 at 3:27 pmAlberto

    Hi Chris!
    I have the same router and I’m thinking of hacking the unit.
    Have you tried the username/password provided at:
    http://wiki.openwrt.org/OpenWrtDocs/Hardware/Netgear/TelnetConsole

    Cheers

    Alberto

  2. on 28 Sep 2008 at 10:46 pmThom

    Alberto:
    I have the same router and want to load OpenWrt or DD-WRT, I tried the username/password provided and it did not work. I’m currently attempting to BF the MD5.

    Thom

  3. on 06 Oct 2008 at 8:35 pmsmileboot

    any progress on this or did you give up on it?

  4. on 06 Oct 2008 at 9:25 pmchris

    Hi smileboot

    If you contact me via the form on this site, I’ll let you know the latest.

    Chris.

  5. on 09 Oct 2008 at 4:43 amkerdrek

    I’m also interested in knowing the latest news about your research

  6. on 12 Oct 2008 at 4:04 amBenjamin

    I was able to activate telnet on this type of router. I’m very interested in getting the login/password for it. Although it would be better if you could open up port 22 instead. Telnet sends everything in cleartext. I’m wondering what sort of Opersource firmware will fit & work on it. Also I want to find out what the hardware specifications are for the WGT624 v4.

  7. on 03 Nov 2008 at 1:19 amDoug

    Hello there Chris. My name is Doug Young and I was wondering if you got any further with your quest to hack your netgear wgt624 v4. I have the same router and an trying to figure out what the username and password combination are for the telnetEnable to enable my router to be a repeater, I understand they changed from Gearguy and Geardog in v4. Any luck so far?

    Cheers,
    Doug

  8. on 05 Nov 2008 at 1:13 amDave

    I have been everywhere and can’t find the user/password either for telnet. Has any had success yet for V4?

  9. on 09 Nov 2008 at 9:37 amZeke

    Hi Chris,

    I’m trying to use telnetEnable on a WGT624 v4 (like many of your other readers). Were you ever able to figure out how to get into the router through telnet? I am having the same problem as Doug.

    Thanks!

    Zeke

  10. on 21 Nov 2008 at 2:20 amBob

    I am also looking for telnet user/password for the WGT624v4 router. Any info would be great!

    Cheers,

    Bob

  11. on 05 Dec 2008 at 1:50 pmStefan E.

    Hello Chris,

    to access the router via telnet, use
    User: Gearguy
    Password: Geardog
    as the credentials.

    Regards,

    Stefan

  12. on 12 Dec 2008 at 2:32 amOmar

    Well, the combination of:
    Username: Gearguy
    Password: Geardog
    Doesn’t seem to work with the latest firmware.

    Did anyone manage to get the right combination?

  13. on 20 Dec 2008 at 2:40 pmolee

    Hello Chris

    Have you some news about the WGT624v4 telnet password. I would be interested to run my WGT624v4 in Clien mode, and i heard that it will be possible to do with CLI. News would be great!!

    Thanks
    olee

  14. on 27 Dec 2008 at 2:41 amBoB

    Chris,

    Any luck finding the password?

  15. on 06 Feb 2009 at 2:19 amjohn

    any updates on the username and password? thanks

  16. on 07 Feb 2009 at 4:01 amsmileboot

    Hi i opened a post on the DDWRT forum if some one could take detailed pictures of the inside of their wgt624 v4 and post them id really appreciate it (my camera sucks :/ ). Or contribute in any way. TY

    http://www.dd-wrt.com/phpBB2/viewtopic.php?t=46569

  17. on 17 Feb 2009 at 7:53 pmandy

    hi all,

    i have a bricked netgear WGT624 V4. Tried to update firmware and computer froze. Now the router will not work. Ive seen guides to recover a V1/2 netgear router but assume that wont work for a V4.

    can anyone help?

    Thank You

  18. on 13 Mar 2009 at 7:41 amsmileboot

    this may be dumb but i just realised that my router has an extra label before mac and serial called. Security pin. now call me stupid but has anyone tried using. user: root pass: ? or user as Gearguy even

    Just a thought…..

    also head over to
    http://www.dd-wrt.com/phpBB2/viewtopic.php?t=46569 if you think you can help out

  19. on 13 Mar 2009 at 7:44 amsmileboot

    should have said

    user= root
    pass= security pin

  20. on 26 Mar 2009 at 7:45 amtyr

    For the hash root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::

    password is 5up
    I guess ;)

  21. on 10 May 2009 at 6:19 amJHPArizona

    Chris,

    Do you know how to convert the rootfs.image back to .chk file?
    Why would I want to do that you ask? Well….I have a WGT624v4 that apparently has bad NVRAM. I can get any settings to save. I updated to the lasted version of firmware in case the preloaded image had become corrupted. I am able to connect to the router via telnet and make all the changes I want (those that I have found anyway) and they work. The issue is of course they all go away on a reset. What I want to do is modify the config files in the rootfs.image and then convert it back to .chk image I can upload to the router.

    Thanks,
    Jim

  22. on 10 May 2009 at 9:56 amchris

    I believe that there is a tool to do this provided amongst the GPL
    toolchain provided on the Netgear website along with the router source code.

    I’m afraid that I’ve never actually done this, though.

    Good luck!

    Chris.

  23. on 07 Jul 2009 at 8:18 pmAman

    Hi Chris,

    Have you been able to use the WGT624 v4, as a repeater with D-link Router?
    I have a v3 working great, but since the v3′s are hard to find, had to purchase the v4, and now I have been waiting for months to install this router as a repeater, but have been unsuccessful.

    Please let me know if you have any updates

    Thanks

    Aman

  24. on 09 Jul 2009 at 2:19 amAman Singh

    Thanks for your quick reply Chris.

    After messaging you, I worked on the WGT624 v4 and was able to make it work as a repeater with D-Link WBR-2310.
    Its working great.

    I use the routers as repeaters, as the work best and cheapest with Free To Air Satellite Receivers that need to access the internet.

    Cheers,

    Aman Singh

  25. on 17 Aug 2009 at 5:20 amDave G

    Hi Chris,

    In reading the above posts (esp. 20 and up), it appears that the password problem is solved. Any insight?

    Thanks,
    Dave

  26. on 28 Aug 2009 at 6:13 amBenjamin

    Gearguy Geardog is for use with Telnetenable.exe

    User: root
    pass: 5up

    This knowledge base article contains a Redboot source zipped file if anyone cares to check it out.

    http://kb.netgear.com/app/answers/detail/a_id/2649

  27. on 02 Sep 2009 at 12:53 amReuben

    I’ve been able to get shell access to my WGT624v4 using Gearguy Geardog with Telnetenable.exe and then telneting with username root and password 5up.

    However, after that, I can’t figure out how to enable client mode. The directions from here don’t seem to work because there is no “wla” command: http://www.beatjunkie.de/Router_eng.htm

    Poster 24 above seems to have it working — how did you do it?

    If anyone could help me turn on client mode I’d really appreciate it!

  28. on 06 Feb 2010 at 7:07 pmMarc

    How did you manage to access Telnet on your v4 router? Did you have to use the Serial/JTAG interface? When I try telnetEnable it gives me a bind error… 10058 I believe…

  29. on 09 Aug 2010 at 12:46 amLil' Bobby

    I managed to gain telnet access to the WGT624 v4 by using the instructions here:
    http://www.beatjunkie.de/Router_eng.htm

    I’ll post them here so you don’t have to make the hyperspace, uhhh, hyperlink jump. :^)

    1.
    Go and download telnetable.exe, from http://www.megaupload.com/?d=6EHY2MCH

    2. Get the MAC address of the WGT624 (at cmd line – arp-a, or off the WGT624)

    3. From console, run telnetenable
    e.g.
    D:\_t5>telnetenable
    Version:2.1, 2003/10/17
    Usage:
    telnetenable
    ——————————
    username = Gearguy
    password = Geardog
    [note - username/password is case sensitive]
    ——————————
    If all went well, no message will appear
    ——————————

    4. then from console, telnet to the WGT624
    telnet

    5. You will be presented with a login prompt
    (none) login:
    ——————————–
    Use these credentials and you should be good to go.
    username = root
    password = 5up

    ——————————–
    ——————————–
    My thanks to all that made shell access to the WGT624 a breeze (above mentioned web page and this site here. You guys rock!)

  30. on 09 Aug 2010 at 12:56 amLil' Bobby

    OK, so, now that I am in the console, all I really want to do right now is to set the time and date on the WGT624. I’m not seeing any commands that will allow me to do that, bit I did find this command, “cli”, in
    wlan[0,0]-> ls usr/sbin

    So, being curious, I type in cli and am presented with -
    —————————————-
    Welcome to Foxconn
    login:
    —————————————-
    Anyone familiar with this, what it’s purpose is, know what the user name is?

    Thanks, Lil’ Bobby

  31. on 09 Aug 2010 at 3:08 amLil' Bobby

    Ahhh, more info. More than I had imagined. :^)
    I\’m really supposed to be doing homework, but having my Linksys WAP11 fail yesterday, and setting up an idle WGT264 as an AP is proving to be too irresistible.

    I stumbled on this page –
    http://oldwiki.openwrt.org/OpenWrtDocs%282f%29Hardware%282f%29Netgear%282f%29WGT624v4.html
    which, is of interest, an interestingly enough, leads right back here. heheh

    Last post for now, as I\’m sure many of you know all about this anyway.

    If anyone knows how to set the date and time directly from console, please let me know.

    Thanks, Ciao, Lil’ Bobby

  32. on 23 Dec 2010 at 10:15 pmjim

    Has anyone been able to setup WGT624v4 as a client/bridge/repeater with WPA2 enabled?
    WEP is really unsecure… nor is WPA completely safe

  33. on 22 Apr 2011 at 7:49 amChris

    On the bind error… 10058

    I was getting the same problem when using the TelnetEnable utility in XP.

    I had my XP Telnet service enabled, and stopping it also stopped the bind error for whatever reason, it works now.

    And on the Telnet l/p, the Netgear WGR614 routers telnet login is Gearguy/Geardog, but will only work from the LAN port. It could be the same for other NG routers, I don’t know.

  34. on 01 Jun 2012 at 6:27 pmCarl

    So I’ve run telnetenable.exe, and it returns with no error, but I’m still unable to telnet to my WGT624(v4).

    When I
    telnet 192.168.1.1
    under a Windows command console, telnet just hangs there… no login prompt, no error.

    I’ve also tried telneting using putty, same thing.

    Any ideas why this might be?

    Most of the other instructions I’m seeing on the web state that you need to telnet to port :9000, but I’m assuming that telnetenable is activating a telnet server on the standard port.

Leave a Reply

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Anti-spam image