The Linksys WAG160N is an ADSL gateway with wireless acccess point integrated.

The source code tarball is available from the Linksys GPL Code Center:

WAG160N 1.00.15 Annex A

WAG160N 1.00.15 Annex B

The PCB is a bit redesigned. Most noticeable points are the presence of an actual power button (top left in photos), and that J10 is labeled (anyway, I've not been able to get anything from there neither with 115200 8N1 nor with other speeds). There is also a plastic sheet covering the bottom of the PCB, maybe to help heat dissipation.

Not so noticeable is the fact that the LED corresponding to port1 is doubled, being similar to the power led. Also the wireless seems different, as chip is labelled as AR9223-AC1A.

Tftp upload of firmware seems not straightforward. According to information found on the linksys forums, requires the "password enabled" tftp utility from linksys.

See this page for details and pictures of the WAG160Nv2.

Remove the four screws on the base of the case. The case is then secured by one small and one large gray clip (from rear to front) on each side of the case. At the front of the case, there are two large black clips.

Prise the top of the router from the bottom using a small screwdriver - I found this easier by starting at the front. It's not a nice process!

Even if all of the gray clips are broken or removed, the case is perfectly adequately sealed using only the front black clips and the four screws. This also makes the case far easier to open. I found this easiest to do by working around the case from the back with a medium-sized screwdriver, being careful not to be upsetting the antennas and wires which are located around the edges of the case. Once the top has been removed, using pliers, the broken or remaining gray clips can be tidied up by twisting off what remains of them.

Serial console can be attached to J10 which is located at the bottom right of the board (when looking at the unit from the front). On my unit; the J10 label was obscured by a sticky pad.

There is no connector soldered to the board. If you want to add one, it needs to be of pitch 2.5mm.

Legend (in arrow direction):
1  GND
2  Tx
3  VCC (3,3V)
4  RX

NOTE: You cannot plug directly those pins to your pc serial port. You need a RS232-TTL level adapter. See serial_console

The settings for the serial console are "115200 bauds, 8 bits, no parity, 1 stop bit (115200 8N1)", with hardware and software flow control both disabled.

The default network configuration is:

Linux version 2.6.32.9 (virus@Virion) (gcc version 4.3.3 (GCC) ) #18 Mon Mar 15 16:16:55 CET 2010
Detected Broadcom 0x6358 CPU revision a1
CPU frequency is 300 MHz
32MB of RAM installed
registering 40 GPIOs
board_bcm963xx: CFE version: 1.0.37-5.4
bootconsole [early0] enabled
CPU revision is: 0002a010 (Broadcom BCM6358)
board_bcm963xx: board name: 96358GW
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
On node 0 totalpages: 8192
free_area_init_node: node 0, pgdat 8026b500, node_mem_map 81000000
  Normal zone: 64 pages used for memmap
  Normal zone: 0 pages reserved
  Normal zone: 8128 pages, LIFO batch:0
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 32kB, VIPT, 2-way, linesize 16 bytes.
Primary data cache 16kB, 2-way, VIPT, cache aliases, linesize 16 bytes
Memory: 29724k/32768k available (2050k kernel code, 3044k reserved, 363k data, 136k init, 0k highmem)
Hierarchical RCU implementation.
NR_IRQS:128
Calibrating delay loop... 299.00 BogoMIPS (lpj=598016)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
ath: Register ath_data_device at address 0x1ffe1000
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
pci 0000:00:01.0: reg 10 32bit mmio: [0x000000-0x00ffff]
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
audit: initializing netlink socket (disabled)
type=2000 audit(0.197:1): initialized
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
msgmni has been set to 58
io scheduler noop registered
io scheduler deadline registered (default)
gpiodev: gpio device registered with major 254
gpiodev: gpio platform device registered with access mask FFFFFFFF
bcm63xx_uart.0: ttyS0 at MMIO 0xfffe0100 (irq = 10) is a bcm63xx_uart
console [ttyS0] enabled, bootconsole disabled
bcm963xx_flash: 0x00400000 at 0x1fc00000
bcm963xx: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
bcm963xx_flash: Read Signature value of CFE1CFE1
bcm963xx_flash: CFE bootloader detected
bcm963xx_flash: CFE boot tag found with version 6, board type 96358GW, and tagid bc310.
bcm963xx_flash: Partition 0 is CFE offset 81ce1e48 and length 0
bcm963xx_flash: Partition 1 is kernel offset d2b and length 0
bcm963xx_flash: Partition 2 is rootfs offset d6c and length 0
bcm963xx_flash: Partition 3 is ath_data offset dad and length 0
bcm963xx_flash: Partition 4 is nvram offset df0 and length 0
bcm963xx_flash: Spare partition is 2a0000 offset and length 150000
Creating 5 MTD partitions on "bcm963xx":
0x000000000000-0x000000010000 : "CFE"
0x000000010100-0x0000000f0000 : "kernel"
mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
0x0000000f0000-0x0000003e0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
mtd: partition "rootfs_data" created automatically, ofs=2A0000, len=140000 
0x0000002a0000-0x0000003e0000 : "rootfs_data"
0x0000003e0000-0x0000003f0000 : "ath_data"
0x0000003f0000-0x000000400000 : "nvram"
bcm63xx_enet MII bus: probed
bcm63xx_wdt started, timer margin: 30 sec
TCP westwood registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 136k freed
Please be patient, while OpenWrt loads ...
mini_fo: using base directory: /
mini_fo: using storage directory: /jffs
eth1: link forced UP - 100/full - flow control off/off
Generic kernel compatibility enabled based on linux-next next-20100113
device eth1.1 entered promiscuous mode
device eth1 entered promiscuous mode
br-lan: port 1(eth1.1) entering forwarding state
cfg80211: Calling CRDA to update world regulatory domain
roboswitch: Probing device eth0: 
roboswitch: [/home/virus/kamikaze/build_dir/linux-brcm63xx/kmod-switch/switch-robo.c:130] SIOCGETCPHYRD failed!
roboswitch: [/home/virus/kamikaze/build_dir/linux-brcm63xx/kmod-switch/switch-robo.c:130] SIOCGETCPHYRD failed!
No Robo switch in managed mode found, phy_id = 0xffffffff
roboswitch: Probing device eth1: found a 5325! It's a 5350.
PCI: Enabling device 0000:00:01.0 (0000 -> 0002)
 # reading ath_data
ath: eepdata = 0x00000cb8, el = 0x0000065c,
ath: eepdata = 0x000081fe, el = 0x0000065c,
ath: sum = 0x0000ffff, length = 0x00000cb8, checksum = 0x000063d1
ath: EEPROM regdomain: 0x0
ath: EEPROM indicates default country code should be used
ath: doing EEPROM country->regdmn map search
ath: country maps to regdmn code: 0x3a
ath: Country alpha2 being used: US
ath: Regpair used: 0x3a
phy0: Selected rate control algorithm 'minstrel_ht'
Registered led device: ath9k-phy0::radio
Registered led device: ath9k-phy0::assoc
Registered led device: ath9k-phy0::tx
Registered led device: ath9k-phy0::rx
phy0: Atheros AR5416 MAC/BB Rev:2 AR2122 RF Rev:81 mem=0xc0360000, irq=39
cfg80211: Calling CRDA for country: US
PPP generic driver version 2.4.2
cfg80211: Regulatory domain changed to country: US
    (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
    (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
    (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (466 buckets, 1864 max)
ath_hal: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 2009-05-08 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, RF2133, RF2425, REGOPS_FUNC, XR)
ath_pci: trunk
wlan: trunk
wlan: mac acl policy registered
ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk)
ath_rate_minstrel: look around rate set to 10%
ath_rate_minstrel: EWMA rolloff level set to 75%
ath_rate_minstrel: max segment size in the mrr set to 6000 us
device wlan0 entered promiscuous mode
br-lan: port 2(wlan0) entering forwarding state
device wlan0 left promiscuous mode
br-lan: port 2(wlan0) entering disabled state
device wlan0 entered promiscuous mode
br-lan: port 2(wlan0) entering forwarding state

Before flashing OpenWrt make sure to backup "ath_data" (/dev/mtdblock4). It's calibration data for wireless device. You have to include this data into OpenWrt, and modify ath9k driver to read it durning device initialisation.

Normally the dd command would be used for copying such data; however the Linksys provided OS does not include this command. Using the cp command would result in just the inode information being copied, so instead use the cat command - placing the result within the /tmp directory which is a writable part of the filesystem,

cat /dev/mtdblock4 > /tmp/ath_data

You then need to get this image off the router. As there is no ftp client installed; use the in-built web server. As you can't write to the directory currently used by the http server, let's just hijack the daemon for a short while,

/usr/sbin/rc httpd stop /usr/sbin/mini_httpd -d /tmp

You should now be able to download mtdblock4 from another system, using something smilar to,

wget –user=admin –password=adminpass -O ath_data http://192.168.1.1/ath_data

Once you've downloaded mtdb4 kill the mini-httpd and restart the web server using its normal configuration,

killall mini_httpd /usr/sbin/rc httpd start