I own a Netgear WGT624 v4 router. This router runs a MIPS embedded version of Linux and I was curious whether it is possible to get shell access.

So far, I have failed, but in case anyone else is interested, I did find these things:

  • There is a useful webpage with details about a similar router at http://www.castalie.org/projects/DM111P.html
  • The latest firmware image is available from Netgear at ftp://downloads.netgear.com/files/WGT624v4-V2.0.13_2.0.14.chk.
  • Root filesystem

    Using Fedora Core 9, it is possible to mount the root filesystem from this image. (It will be mounted using the squashfs LZMA filesystem.)
    # copy the image without its first 58 bytes, leaving the filesystem
    dd if=WGT624v4-V2.0.13_2.0.14.chk of=rootfs.image bs=1 skip=58
    # the mount point must exist before mounting
    mkdir -p /mnt/WGT624_rootfs
    mount rootfs.image /mnt/WGT624_rootfs -o loop

    Here is a tarball containing these files from the root filesystem.

  • Telnet access

    The router has a back door from the local LAN. A telnet server can be activated using the telnetenable utility.

    Unfortunately, I do not know the username and password to log on to the router with telnet.

  • Root password

    There is a file in the above image called "shadow", which holds an entry for the router root password:

    root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::

    This is a FreeBSD MD5 password hash ($1$$zdlNHiCDxYDfeF4MZL.H3/), i.e. the MD5 checksum of the password is 7f1a6793eb3c3df9ac6a6460e5054c45.

    I have not yet been able to determine the password from this hash.
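
The shadow entry above, taken apart field by field in an added Python example (not part of the original page; the function names are this example's own). The `$1$` prefix marks md5crypt, a salted and iterated construction, the empty text between the second and third `$` is an empty salt, and the 22-character field is the 16-byte result written in crypt's own base64 alphabet and byte order.

```python
from datetime import date, timedelta

# Constructed sample input: the shadow entry quoted on this page.
SAMPLE = "root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::"

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
# md5crypt packs digest bytes into five 24-bit groups in this index order
# (most significant byte first); byte 11 goes alone into the last 2 chars.
MD5CRYPT_ORDER = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]

def _value(chars):
    """crypt(3) base64: each character holds 6 bits, least significant first."""
    return sum(ITOA64.index(c) << (6 * i) for i, c in enumerate(chars))

def decode_md5crypt_digest(text):
    """Return the 16 digest bytes encoded in a 22-character md5crypt field."""
    if len(text) != 22 or any(c not in ITOA64 for c in text):
        raise ValueError("not a 22-character md5crypt digest")
    raw = bytearray(16)
    for n, indexes in enumerate(MD5CRYPT_ORDER):
        group = _value(text[4 * n:4 * n + 4])
        for shift, index in zip((16, 8, 0), indexes):
            raw[index] = (group >> shift) & 0xFF
    last = _value(text[20:])
    if last > 0xFF:
        raise ValueError("trailing characters encode more than one byte")
    raw[11] = last
    return bytes(raw)

def parse_shadow_line(line):
    """Split one shadow(5) entry and describe its password field."""
    fields = line.strip().split(":")
    if len(fields) != 9:
        raise ValueError("a shadow entry has 9 colon-separated fields")
    entry = {"user": fields[0], "scheme": None, "salt": None, "digest": None}
    parts = fields[1].split("$")
    if len(parts) >= 4 and parts[0] == "":      # $id$[params$]salt$digest
        entry["scheme"] = SCHEMES.get(parts[1], "unknown id " + parts[1])
        entry["salt"], entry["digest"] = parts[-2], parts[-1]
    if entry["scheme"] == "md5crypt":
        entry["digest_hex"] = decode_md5crypt_digest(entry["digest"]).hex()
    # Field 3 counts days since 1970-01-01; empty means no recorded change.
    entry["last_change"] = (date(1970, 1, 1) + timedelta(days=int(fields[2]))
                            if fields[2] else None)
    return entry

if __name__ == "__main__":
    print(parse_shadow_line(SAMPLE))
```

For the entry above this reports scheme md5crypt, an empty salt and a last-change date of 1999-12-08. The decoded digest consists of the same sixteen bytes as the hex string quoted above, arranged in the order md5crypt defines.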