Hacking Viasat branded version of Netgear WN602 v2 wireless bridge

Viasat WN602 v2
Viasat WN602 v2

The Viaplay package of my satellite receiver contained two Netgear WN602 v2 wireless network bridges to connect the satellite box to my network. These are a Viasat branded version with custom software for easy setup. To get the wireless bridge working I just had to connect the network cables, power them up and press the WPS setup button.

My house will soon get a fiber internet connection, to prepare for that I’m installing a wired network instead in the house and these boxes became superfluous. Instead I was thinking of using these as access points to extend my wireless network. This should be possible with the original Netgear firmware, but the Viasat firmware did not expose any interface for changing settings or update firmware.

Opening up the device i found a pin header with 4 pins, and i know these units often expose a TTL-serial port. Pin #1 is marked with a white dot and I could measure 3.3 V between pin 1 & 4, and made the assumption that pin 2 & 3 was the Rx & Tx pins. Using an FTDI-based serial adapter with 3,3V TTL levels I detected by trial and error that I could get a console bye connecting the adapter Rx to pin 2 (Tx) and the adapter Tx to pin 3 (Rx). The communication settings should be 115200 baud, 8 databits, no parity and one stop bit, otherwise you would just receive garbage.

Serial port on PCB
The serial port is accessible on the PCB. Pinout is:
1. 3.3 V
2. Tx
3. Rx
4. GND

The console access was not very helpful since i needed the root password to perform anything useful, this password was most likely kept secret by Viasat. Directly after power up the bootloader, U-Boot, instead called the router WRN612, which seemed very similar. Some googling verified that the WN602 essentially is a WNR612 with the WAN port removed. U-Boot also prompted for a key-press together with a down counter to abort the normal boot and enter a command prompt for the bootloader:

U-Boot
U-Boot

Luckily U-Boot is rather well documented, from here, loading a new firmware should be easy.

My first choice would have been to install dd-wrt instead which is an open source firmware for routers. Sadly dd-wrt had no support for neither WN602 nor WNR612, the D-Link DIR-601 A1 would perhaps work since it is based on the exact same chips, and these units are usually very similar to the chipset manufacturer reference design. The main processor in these are an Atheros AR7240 and the wireles network chip is an Atheros  AR9285. I decided to try OpenWRT instead, which is a similar project that had an excellent wiki entry for WNR612 on which most of this guide is based.

To flash the router with Open WRT I did like this:

  1. Connect a serial console to the hardware serial port described above. I used a FTDI based USB to Serial adapter from Sparkfun together with PuTTY as a terminal application. Be sure not to connect the 3,3 V pin, GND, Rx and Tx is enough. Connecting the power pin could damage the router, serial adapter and/or your USB-port
  2. Power up the router and be ready to press the “any key” when the bootloader asks for it.
  3. When the boot have been interrupted and you are in the boootloader console enter:

    to disable flash write protection, and then:

    to activate a TFTP server waiting for firmware upload
  4. Enter a static IP address from the 192.168.1.0/24 series on your computer and connect it to one of the network ports on the device.
  5. Use a TFTP client on your computer to upload the firmware to address 192.168.1.1, i used TFTP Utility to upload the file named openwrt-ar71xx-generic-wnr612v2-squashfs-factory.img from the openwrt firmware repository.

    TFTP Util
    TFTP Util

DONE!

Firmware flashed successfully
Firmware flashed successfully

Now I can use both wireless bridge devices as wireless access points instead of putting them on a shelf somewhere and forget about them.