Linux on the WRT54G



Jim Buzbee


BatBox wrt54g distribution Version 0.61

This is a mini Linux distribution for the Linksys wrt54g. In about 20 seconds, you can install a small set of Linux tools to your access point's ramdisk. The distribution is geared towards those who are curious about casually exploring the internal workings of this device. The installation is strictly to the ram disk of the box. No permanent changes are made. If you mess something up, power-cycle the box.

Upon completion of the installation, you'll be able to telnet into the box and have a system with basic tools such as syslog, httpd (with cgi-bin support), vi, snort, mount, insmod, rmmod, top, grep, ls, ifconfig, iptables, ssh, iptraf etc.

To install from MS Windows, see the README file. To install from Linux or OSX, do the following : Either modify the script "wrt54g.sh" for the ip address and password of your router, or pass them in as arguments to the script. By default the script uses Java to move files to the wrt54g. If you would prefer wget or curl, uncomment the appropriate lines in the script. I had a problem with an older version of wget translating escaped characters before passing the URL on to the server. Your mileage may vary. The WAN port of the box must be configured for the installation to succeed.

The distribution has been tested on Linksys firmware up to version 4.00.7. I believe it will work on most other versions of official Linksys firmware. My installation has been tested on Linux, OSX, and Windows (with the addition of the Cygwin toolset). I have had reports that my distribution also works on wrt54gs boxes.

Upon successful execution of the script, you will be able to telnet to your box and start exploring its capabilities. Note that there is no login prompt; you telnet directly in as root. Be careful. This is for development use and is not meant to be deployed on the open Internet. You may want to review the iptables commands executed in the install script. They work for my Version 1 wrt54g, but later versions may have different logical ethernet devices. With my Version 1 box, the telnet daemon is not available on the WAN side of the box. A small wrt54g ssh daemon is included (but not installed by default) for those that need security.

The alternate web server is installed on port 8000 of the box.

In current versions of the distribution, the tar file "distro.tar" is quite sparse. If you wish to change the files sent to the box, untar distro.tar and add or subtract files from the "options" subdirectory, then recreate the tar file. Normally you should not run the install script more than once for a power-cycle of the box. i.e. if you want to run the install again, reset the wrt54g first.

I have attempted to limit all changes to the ram disk, but there are no guarantees that you will not damage your unit by using these tools.

Not much news on the wrt54g in quite a while. As for me, I've been a bit busy trying my hand at writing an iPhone and iPod touch application. It's a bit of a different endeavor for me, but I had a good time doing it. The application was inspired by the AppleTV that I reviewed a while back. It doesn't make rude noises or calculate your tips for you, but you can check it out here.


For you weather fans, I now have my weather station online being served up through my wrt54g and my NSLU2.


Updates



12/31/2006 Updated version: 0.61

I uploaded a new version of my scripts that use the "/tmp/var/bin" directory as discussed below. This change is backward compatible so it shouldn't hurt anything on all boxes where the scripts run. I tested the change on my ancient version 1 box on firmware version 4.00.7 and it works fine. I also attempted to run with version 4.30.5 and failed, but I was able to downgrade back to version 4.00.7. If anyone knows of a way to make it work on this newer firmware, let me know. I've also had some correspondence with Rob Wentwork who has been doing some work to enhance my distro with some very cool packages. His pages can be found here.

7/30/2006 Workaround?

I've had a report that the reason my distro fails on the newer firmware is due to a change in the directory structure. Evidently the "/var/bin" needs to be changed to "/tmp/var/bin" to make the scripts operational. I haven't tested this myself and have not changed the scripts. If you have an issue where my distro fails to work, try changing all instances of "/var/bin" to "/tmp/var/bin". When I get the chance I'll make the change in my scripts because I think this will be backward compatible. Thanks to Lionel Widdifield for the info!
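One way to apply the "/var/bin" to "/tmp/var/bin" workaround described above so that it can safely be run more than once (an added example, not part of the distribution's own scripts; the function name retarget_var_bin and the ".orig" backup suffix are assumptions made here):

```shell
#!/bin/sh
# Added example: retarget install scripts from /var/bin to /tmp/var/bin.
# A plain s#/var/bin#/tmp/var/bin#g is not safe to run twice, because
# "/tmp/var/bin" itself contains "/var/bin" and would turn into
# "/tmp/tmp/var/bin" on the second run.

# retarget_var_bin FILE...
# Rewrites each FILE in place, keeps the untouched original as FILE.orig
# (created on the first change only), and prints how many files changed.
# Typical use: retarget_var_bin wrt54g.sh wrt54g_put.sh remote.sh
retarget_var_bin() {
    changed=0
    for f in "$@"; do
        [ -f "$f" ] || { echo "skip: $f (not a regular file)" >&2; continue; }
        tmp="$f.new.$$"
        # Pass 1 prefixes every /var/bin. Pass 2 collapses the double prefix
        # that pass 1 produces on paths that already were /tmp/var/bin.
        sed -e 's#/var/bin#/tmp/var/bin#g' \
            -e 's#/tmp/tmp/var/bin#/tmp/var/bin#g' "$f" > "$tmp" \
            || { rm -f "$tmp"; return 1; }
        if cmp -s "$f" "$tmp"; then
            rm -f "$tmp"                       # already converted, nothing to do
        else
            [ -e "$f.orig" ] || cp -p "$f" "$f.orig"
            # cat rather than mv, so the script keeps its mode (executable bit)
            cat "$tmp" > "$f" && rm -f "$tmp"
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}
```

The script names in the usage comment are the ones this page lists; which of them actually contain the path is not stated here, so files without it are simply left unchanged.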

4/2/2006 Hole Fixed?

I've had a couple of reports that the Linksys bug I use to install my distribution has been fixed in the latest firmware. So even the WRT54GL may not work. The alternatives are to use an alternate firmware or to downgrade to an older firmware which may or may not be possible. Let me know what works for you.

12/10/2005 New wrt54g model

If you are interested in hacking this device, make sure you buy the WRT54GL model. Linksys has moved away from Linux in their standard WRT54G version. In addition, I am not sure if my distro will work with the new WRT54GL. Let me know if it works for you.

I just finished my review of the TRENDnet TS U200. The TS-U200 is a device similar to the Linksys NSLU2 with Ethernet and two USB 2.0 ports. And like the NSLU2, I was able to "get root" on it by using a flaw on one of the configuration web pages. The hole was very similar to the Linksys bug I use to install my distro on the WRT54G.

11/19/2005 FYI

Not much new with my wrt54g work, but I came across an interesting Network Attached Storage device that has the same type of security hole that I use with my "Batbox Distribution". I've been able to exploit the hole in mostly the same way. You know the drill, get root, run new code, etc. Since it's also a MIPS-based box, it's somewhat compatible with the wrt54g. I was able to run wrt54g binaries on it. I'll post more info when I get it on my NSLU2 page.

7/16/2005 Release 0.6

Version 0.6 of the distribution has been uploaded. I've verified that this version will install on the latest (as of now) Linksys firmware, 4.00.7. There have been several cleanups made in scripts, wrt54g.sh, wrt54g_put.sh and remote.sh and some additional logic has been added for installing under Cygwin. I do my testing on a wrt54g but I understand it will also work on the wrt54gs. Thanks to Steven Stewart for assistance with this release.

7/14/2005 Release 0.6 coming soon !

Thanks to Steven Stewart, I have a new release underway that I have tested with firmware all the way up to 4.00.7! It seems that Linksys is not so hot at fixing the bug that allows me to install my little hack. I hope to have the release done in the next couple of days.

3/30/2005 News

I've still been too busy to do much with my wrt54g, but I've had some feedback that Linksys may have finally closed the "ping bug" that allowed me to install my distribution, so if you are thinking about upgrading, keep that in mind.

I've done a few more reviews of network devices for TomsNetworking and with several of the media type devices, I was able to use my NSLU2 as a server. See my NSLU2 page for details.

1/15/2005 What I've been up to

I've been quite busy lately and have not had a chance to do much playing with the wrt54g. Luckily, there are lots of others out there making this little box sing. I have heard that my distribution still works with the latest firmwares being released by Linksys. If you have a different experience, let me know. There are so many toys out there to play with these days. I've been spending a lot of time with the NSLU2 and I've been doing a lot of writing for TomsNetworking. Here's a list of my articles :


7/11/2004 New NSLU2 page

I created a new page for info on the NSLU2. I can now telnet into the running device and start exploring!

7/10/2004 New device

I've been hacking on a new Linksys device, the NSLU2. It's a tiny Linux-based network storage device that can be had for less than $100. I just got it yesterday and have not had a whole lot of time with it, but I've verified that it uses an ext3 formatted filesystem that I can mount under OSX. I've also found a couple of hidden options including the ability to enable telnet on it. So far, I have not cracked a password for any account with a shell. If anyone has a good password cracker, the accounts with shells on the box are :

root:WeeOvKUvbQ6nI:0:0:root:/root:/bin/sh
ourtelnetrescueuser:scNn.3AteBFc.:100:100::/home/user:/bin/sh


6/27/2004 Version 0.51 released

Added FAQ

5/30/2004 Version 0.5 released

Added two user-contributed packages: dropbear, a small ssh daemon and iptraf, an IP traffic monitoring utility. Neither package is installed by default. To install either, add their files to the "distro.tar" file and perhaps modify the wrt54g.sh script to set them up on each install. Added additional iptables commands to the startup script to account for pppoe. Small cleanups.


4/11/2004 Windows installation

Added installation instructions for those who wish to install the distribution from a Windows machine using the Cygwin tools. See the included README file for instructions.


3/23/2004 New Linksys firmware

Linksys has released a new firmware, Version 2.02.7. Testing shows my distribution still works with this new release. I've also gotten a couple of reports that people were not able to use my distribution at all. On further investigation, it appears as if both cases were due to the fact that the WAN port on their wrt54g had not been configured. Once the WAN port was set up, the distro installed and ran normally.


3/11/2004 Version 0.4 Released

First full support for the "fixed" Linksys firmware. This version has no new functionality but now fully supports current Linksys firmware.


3/6/2004 Version 0.4 Alpha Released

First attempt to support the "fixed" Linksys firmware. I'll call this version 0.4 alpha, but it currently has no relationship to previous releases. The release is strictly geared toward people who wish to experiment with their router, but don't want to make permanent changes. Linksys has "fixed" the bug in their firmware that allowed my distribution to run :-( Routers purchased today will likely have the fixed firmware installed on them. But fortunately it has been discovered that they still left a little hole. I've had some trouble getting my full distribution to work but I've created a little "command shell" so you can at least poke around a bit.

My "shell" is a bit of a bizarre thing. It sends commands to the box via the Linksys web server and then it parses the html output for display. Nothing is installed on the router, and no modifications are made to the router. It's just a remote tool to execute Linux commands on the box. Simple commands like "ps -ax", "ls -al", "echo", "cat", etc. will work. I have not been able to properly start up the receive tool, "epi_ttcp". Due to this, I cannot install new software on the box. If anyone has any success with starting up this tool, let me know. Once I can get past this problem, I can port the rest of my distro to the new firmware.

My command shell does not capture error messages so if your command generates an error, you will see no output. I also do not maintain state, so a "cd" command will not carry over from one command to the next.

Requirements : I'm running this tool on firmware version v2.02.2. It will likely work on other versions. The tool is written in bash and relies on sed, wget or curl (only curl tested). I've tested on OSX and Linux. To use the tool, just modify the router password and IP address in the file, remote.sh. Execute the script and enter your commands.

Anyone interested in going further with the router and making permanent changes should visit the sveasoft forums listed below.

1/1/2004 Happy New Year!

I've been experimenting with a custom wrt54g firmware developed by James Ewing at sveasoft.com. It has many features such as ssh, traffic shaping, power adjustment, client mode, etc. If you are interested in using a custom firmware on your wrt54g, visit his wrt54g forum.

12/6/2003 Version 0.3 released

Added dproxy-nextgen, a caching nameserver. I'm using it a bit differently than designed, but it allows you to use your wrt54g as your DNS server and also allows you to have private name resolution. By adding your own entries to /var/etc/hosts, you can refer to your machines on your home LAN by name. You can also add "blacklist" names to the file to prevent proper name resolution, i.e. "127.0.0.1 doubleclick.com". Note that like everything else in this distribution, this is experimental. If dproxy runs long enough, it may fill up the ram disk with its cache.

This is likely the last release supporting the 1.30.7 version of flash. The new releases from Linksys have important bug fixes and I need to move to them. This means that in order to use my future distributions you will need to install a modified Linksys flash that allows new code to be installed. This can be risky but it also opens up the possibility to make permanent changes to the box. I've been building my own flashes with some success (and some failure). Stay tuned.

11/2/2003 I have some good news and some bad news.

First the bad news : The new "fixed" firmware (version 1.42.2) is out and is the default Linksys upgrade for the box. This means that if you buy a box and then upgrade it to the recommended version, my distribution will not work.

Now the good news : The old firmware is still available from Linksys here. And even better news : Kudos to Linksys and Broadcom who have released everything (including directions!) to build your own flash. This includes the toolchain and source for everything except for a few binary drivers and utilities. This means that it is now possible to make permanent changes to your access point for additional functionality. The toolchain and source is available in version 1.42.2 from Linksys. This option is not for the timid, as it is easy to turn your box into an expensive doorstop. Personally, I have succeeded in building a flash, but have not yet installed it. My distribution does not yet attempt to do anything other than a RAM install.

Show your support for the decision of Linksys and Broadcom by buying one.

Download the distribution

Visit my wrt54g snort page

Martha Ruszkowski did a Belorussian translation of this page!

Adrian Pantilimonu did a Romanian translation of this page!

Thanks to Ross Jordan, C. J. Collier, Ben Grech, Dan Kegel and others who did the heavy lifting in figuring out how to get new code on the box

Jim Buzbee jbuzbee@nyx.net