Hacking the Netgear WGT624 v4 router
August 31st, 2008 by chris
I own a Netgear WGT624 v4 router. This router runs a MIPS embedded version of Linux and I was curious whether it is possible to get shell access.
So far, I have failed, but in case anyone else is interested, I did find these things:
- There is a useful webpage with details about a similar router at http://www.castalie.org/projects/DM111P.html
- The latest firmware image is available from Netgear at ftp://downloads.netgear.com/files/WGT624v4-V2.0.13_2.0.14.chk.
- Root filesystem
Using Fedora Core 9, it is possible to mount the root filesystem from this image.
dd if=WGT624v4-V2.0.13_2.0.14.chk of=rootfs.image bs=1 skip=58
mount rootfs.image /mnt/WGT624_rootfs -o loop
Here is a tarball containing these files from the root filesystem.
(It will be mounted using the squashfs LZMA filesystem.)
- Telnet access
The router has a back door from the local LAN. A telnet server can be activated using the telnetenable utility.
Unfortunately, I do not know the username and password to log on to the router with telnet.
- Root password
There is a file in the above image called “shadow”; it holds an entry for the router root password:
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
This is a FreeBSD MD5 password hash ($1$$zdlNHiCDxYDfeF4MZL.H3/), i.e. the MD5 checksum of the password is 7f1a6793eb3c3df9ac6a6460e5054c45.
I have not yet been able to determine the password from this hash.
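Added example, not part of the original post: a small parser for the shadow entry quoted above that splits the crypt(3) password field into scheme, salt and digest and lists what a firmware reviewer would flag. The function name, dictionary keys and finding strings are illustrative assumptions.

```python
from datetime import date, timedelta

# crypt(3) scheme ids that use the "$id$[rounds=N$]salt$digest" layout.
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
# Encoded digest length per scheme (crypt's own base64 alphabet "./0-9A-Za-z").
DIGEST_LEN = {"md5-crypt": 22, "sha256-crypt": 43, "sha512-crypt": 86}


def audit_shadow_line(line):
    """Parse one shadow(5) line and list review findings for its password field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw, lastchg = fields[0], fields[1], fields[2]
    entry = {"user": user, "scheme": None, "salt": None, "digest": None,
             "last_change": None, "findings": []}
    if lastchg.isdigit():
        # Field 3 counts days since 1970-01-01.
        entry["last_change"] = date(1970, 1, 1) + timedelta(days=int(lastchg))
    if pw == "":
        entry["findings"].append("no password required")
    elif pw[0] in "!*":
        entry["scheme"] = "locked"
    elif not pw.startswith("$"):
        entry["scheme"] = "des-crypt"
        entry["findings"].append("legacy DES crypt: 8-character limit, 12-bit salt")
    else:
        parts = pw.split("$")          # "$1$$abc" -> ["", "1", "", "abc"]
        scheme = SCHEMES.get(parts[1], "unknown")
        entry["scheme"] = scheme
        if scheme != "unknown" and len(parts) >= 4:
            entry["salt"], entry["digest"] = parts[-2], parts[-1]
            if len(entry["digest"]) != DIGEST_LEN[scheme]:
                entry["findings"].append("digest length does not match scheme")
            if entry["salt"] == "":
                entry["findings"].append("empty salt: hash is the same wherever this password is used")
        if scheme == "md5-crypt":
            # md5-crypt is a salted, 1000-round MD5 construction, not a single
            # MD5 of the password; it is considered too fast for new systems.
            entry["findings"].append("md5-crypt is obsolete; prefer sha512-crypt or stronger")
    return entry


# The entry quoted in the post, taken from the firmware's shadow file.
WGT624_ROOT = "root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::"

if __name__ == "__main__":
    for key, value in audit_shadow_line(WGT624_ROOT).items():
        print(f"{key}: {value}")
```

Because the entry ships inside the firmware image, every unit running that image carries the same root hash, which is why the empty salt and the scheme are both worth flagging in a firmware review.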
Hi Chris!
I have the same router and I’m thinking of hacking the unit.
Have you tried the username/password provided at:
http://wiki.openwrt.org/OpenWrtDocs/Hardware/Netgear/TelnetConsole
Cheers
Alberto
Alberto:
I have the same router and want to load OpenWrt or DD-WRT, I tried the username/password provided and it did not work. I’m currently attempting to BF the MD5.
Thom
any progress on this or did you give up on it?
Hi smileboot
If you contact me via the form on this site, I’ll let you know the latest.
Chris.
I’m also interested in knowing the latest news about your research
I was able to activate telnet on this type of router. I’m very interested in getting the login/password for it. Although it would be better if you could open up port 22 instead. Telnet sends everything in cleartext. I’m wondering what sort of open source firmware will fit & work on it. Also I want to find out what the hardware specifications are for the WGT624 v4.
Hello there Chris. My name is Doug Young and I was wondering if you got any further with your quest to hack your netgear wgt624 v4. I have the same router and am trying to figure out what the username and password combination are for the telnetEnable to enable my router to be a repeater, I understand they changed from Gearguy and Geardog in v4. Any luck so far?
Cheers,
Doug
I have been everywhere and can’t find the user/password either for telnet. Has anyone had success yet for V4?
Hi Chris,
I’m trying to use telnetEnable on a WGT624 v4 (like many of your other readers). Were you ever able to figure out how to get into the router through telnet? I am having the same problem as Doug.
Thanks!
Zeke
I am also looking for telnet user/password for the WGT624v4 router. Any info would be great!
Cheers,
Bob
Hello Chris,
to access the router via telnet, use
User: Gearguy
Password: Geardog
as the credentials.
Regards,
Stefan
Well, the combination of:
Username: Gearguy
Password: Geardog
Doesn’t seem to work with the latest firmware.
Did anyone manage to get the right combination?
Hello Chris
Have you some news about the WGT624v4 telnet password? I would be interested to run my WGT624v4 in client mode, and I heard that it will be possible to do with CLI. News would be great!!
Thanks
olee
Chris,
Any luck finding the password?
any updates on the username and password? thanks
Hi, I opened a post on the DDWRT forum. If someone could take detailed pictures of the inside of their WGT624 v4 and post them, I’d really appreciate it (my camera sucks :/ ). Or contribute in any way. TY
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=46569
Hi all,
I have a bricked Netgear WGT624 V4. Tried to update firmware and computer froze. Now the router will not work. I’ve seen guides to recover a V1/2 Netgear router but assume that won’t work for a V4.
Can anyone help?
Thank You
This may be dumb, but I just realised that my router has an extra label before MAC and serial called Security pin. Now call me stupid, but has anyone tried using user: root pass: ? or user as Gearguy even
Just a thought…..
also head over to
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=46569 if you think you can help out
should have said
user= root
pass= security pin
For the hash root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
password is 5up
I guess
Chris,
Do you know how to convert the rootfs.image back to .chk file?
Why would I want to do that, you ask? Well….I have a WGT624v4 that apparently has bad NVRAM. I can get any settings to save. I updated to the latest version of firmware in case the preloaded image had become corrupted. I am able to connect to the router via telnet and make all the changes I want (those that I have found anyway) and they work. The issue is of course they all go away on a reset. What I want to do is modify the config files in the rootfs.image and then convert it back to a .chk image I can upload to the router.
Thanks,
Jim
I believe that there is a tool to do this provided amongst the GPL
toolchain provided on the Netgear website along with the router source code.
I’m afraid that I’ve never actually done this, though.
Good luck!
Chris.
Hi Chris,
Have you been able to use the WGT624 v4, as a repeater with D-link Router?
I have a v3 working great, but since the v3’s are hard to find, had to purchase the v4, and now I have been waiting for months to install this router as a repeater, but have been unsuccessful.
Please let me know if you have any updates
Thanks
Aman
Thanks for your quick reply Chris.
After messaging you, I worked on the WGT624 v4 and was able to make it work as a repeater with D-Link WBR-2310.
It’s working great.
I use the routers as repeaters, as they work best and cheapest with Free To Air Satellite Receivers that need to access the internet.
Cheers,
Aman Singh
Hi Chris,
In reading the above posts (esp. 20 and up), it appears that the password problem is solved. Any insight?
Thanks,
Dave
Gearguy Geardog is for use with Telnetenable.exe
User: root
pass: 5up
This knowledge base article contains a Redboot source zipped file if anyone cares to check it out.
http://kb.netgear.com/app/answers/detail/a_id/2649
I’ve been able to get shell access to my WGT624v4 using Gearguy Geardog with Telnetenable.exe and then telneting with username root and password 5up.
However, after that, I can’t figure out how to enable client mode. The directions from here don’t seem to work because there is no “wla” command: http://www.beatjunkie.de/Router_eng.htm
Poster 24 above seems to have it working — how did you do it?
If anyone could help me turn on client mode I’d really appreciate it!
How did you manage to access Telnet on your v4 router? Did you have to use the Serial/JTAG interface? When I try telnetEnable it gives me a bind error… 10058 I believe…
I managed to gain telnet access to the WGT624 v4 by using the instructions here:
http://www.beatjunkie.de/Router_eng.htm
I’ll post them here so you don’t have to make the hyperspace, uhhh, hyperlink jump. :^)
1. Go and download telnetenable.exe, from http://www.megaupload.com/?d=6EHY2MCH
2. Get the MAC address of the WGT624 (at cmd line – arp -a, or off the WGT624)
3. From console, run telnetenable
e.g.
D:\_t5>telnetenable
Version:2.1, 2003/10/17
Usage:
telnetenable
——————————
username = Gearguy
password = Geardog
[note - username/password is case sensitive]
——————————
If all went well, no message will appear
——————————
4. then from console, telnet to the WGT624
telnet
5. You will be presented with a login prompt
(none) login:
——————————–
Use these credentials and you should be good to go.
username = root
password = 5up
——————————–
——————————–
My thanks to all that made shell access to the WGT624 a breeze (above mentioned web page and this site here). You guys rock!
OK, so, now that I am in the console, all I really want to do right now is to set the time and date on the WGT624. I’m not seeing any commands that will allow me to do that, but I did find this command, “cli”, in
wlan[0,0]-> ls usr/sbin
So, being curious, I type in cli and am presented with -
—————————————-
Welcome to Foxconn
login:
—————————————-
Anyone familiar with this, what its purpose is, know what the user name is?
Thanks, Lil’ Bobby
Ahhh, more info. More than I had imagined. :^)
I’m really supposed to be doing homework, but having my Linksys WAP11 fail yesterday, and setting up an idle WGT264 as an AP is proving to be too irresistible.
I stumbled on this page –
http://oldwiki.openwrt.org/OpenWrtDocs%282f%29Hardware%282f%29Netgear%282f%29WGT624v4.html
which is of interest, and interestingly enough, leads right back here. heheh
Last post for now, as I’m sure many of you know all about this anyway.
If anyone knows how to set the date and time directly from console, please let me know.
Thanks, Ciao, Lil’ Bobby
Has anyone been able to setup WGT624v4 as a client/bridge/repeater with WPA2 enabled?
WEP is really unsecure… nor is WPA completely safe
On the bind error… 10058
I was getting the same problem when using the TelnetEnable utility in XP.
I had my XP Telnet service enabled, and stopping it also stopped the bind error for whatever reason, it works now.
And on the Telnet l/p, the Netgear WGR614 routers telnet login is Gearguy/Geardog, but will only work from the LAN port. It could be the same for other NG routers, I don’t know.