The WAG160N is currently not supported!.

The Linksys WAG160N is an ADSL gateway with wireless acccess point integrated.

The source code tarball is available from the Linksys GPL Code Center:
WAG160N 1.00.15 Annex A
WAG160N 1.00.15 Annex B

Version/Model	wifi	Supported
WAG160Nv1	AR5416	WIP
WAG160Nv2	AR9223	WIP

Architecture:	MIPS
Vendor:	Broadcom
Bootloader:	CFE
Board Id:	96358GW
System-On-Chip:	Broadcom BCM6358SKFBG
CPU/Speed	BMIPS4350 V1.0 / 300 Mhz BMIPS Dual Core
Flash-Chip:	MX29LV320AB
Flash size:	4MB
RAM-Chip:	EtronTech EM6AA160TS-5G / DDR-400
RAM size:	32MB
Wireless:	Atheros AR5416
Ethernet:	Broadcom BCM5325 w/ vlan support swconfig
USB:	No
Serial:	Yes
JTAG:	?

The PCB is a bit redesigned. Most noticeable points are the presence of an actual power button (top left in photos), and that J10 is labeled (anyway, I've not been able to get anything from there neither with 115200 8N1 nor with other speeds). There is also a plastic sheet covering the bottom of the PCB, maybe to help heat dissipation.

Not so noticeable is the fact that the LED corresponding to port1 is doubled, being similar to the power led. Also the wireless seems different, as chip is labelled as AR9223-AC1A.

Tftp upload of firmware seems not straightforward. According to information found on the linksys forums, requires the "password enabled" tftp utility from linksys.

See this page for details and pictures of the WAG160Nv2.

LED	Color	GPIO
Internet	green	0
Internet	red	1
Power	red	3
Power	green	4
DSL	green	28
WPS	green	36
Wireless	green	37

Button	GPIO
WPS	34

Remove the four screws on the base of the case. The case is then secured by one small and one large gray clip (from rear to front) on each side of the case. At the front of the case, there are two large black clips.

Prise the top of the router from the bottom using a small screwdriver - I found this easier by starting at the front. It's not a nice process!

Even if all of the gray clips are broken or removed, the case is perfectly adequately sealed using only the front black clips and the four screws. This also makes the case far easier to open. I found this easiest to do by working around the case from the back with a medium-sized screwdriver, being careful not to be upsetting the antennas and wires which are located around the edges of the case. Once the top has been removed, using pliers, the broken or remaining gray clips can be tidied up by twisting off what remains of them.

Top of PCB	Bottom of PCB (JTAG encircled)

Serial console can be attached to J10 which is located at the bottom right of the board (when looking at the unit from the front). On my unit; the J10 label was obscured by a sticky pad.

Serial Port (J10)

There is no connector soldered to the board. If you want to add one, it needs to be of pitch 2.5mm.

Legend (in arrow direction):
1  GND
2  Tx
3  VCC (3,3V)
4  RX

The settings for the serial console are "115200 bauds, 8 bits, no parity, 1 stop bit (115200 8N1)", with hardware and software flow control both disabled.

NOTE: You cannot plug directly those pins to your pc serial port. You need a RS232-TTL level adapter. See serial_console

JTAG Port (J1)

CFE version 1.0.37-5.4 for BCM96358 (32bit,SP,BE) Build Date: 四 1月 10 19:25:21 CST 2008 (root@9DavidZhang2) Copyright (C) 2000-2005 Broadcom Corporation. Boot Address 0xbfc00000 Initializing Arena. Initializing Devices. Parallel flash device: name MX29LV320AB, id 0x22a8, size 4096KB CPU type 0x2A010: 300MHz, Bus: 133MHz, Ref: 64MHz Total memory: 33554432 bytes (32MB) Total memory used by CFE: 0x80401000 - 0x80528800 (1210368) Initialized Data: 0x8041E550 - 0x8041FF60 (6672) BSS Area: 0x8041FF60 - 0x80426800 (26784) Local Heap: 0x80426800 - 0x80526800 (1048576) Stack Area: 0x80526800 - 0x80528800 (8192) Text (code) segment: 0x80401000 - 0x8041E544 (120132) Boot area (physical): 0x00529000 - 0x00569000 Relocation Factor: I:00000000 - D:00000000 Board IP address : 192.168.1.1 Host IP address : 192.168.1.100 Gateway IP address : Run from flash/host (f/h) : f Default host run file name : vmlinux Default host flash file name : bcm963xx_fs_kernel Boot delay (0-9 seconds) : 1 Board Id Name : 96358GW Psi size in KB : 24 Number of MAC Addresses (1-32) : 10 Base MAC Address : 00:1d:7e:b3:9b:52 Ethernet PHY Type : Internal Memory size in MB : 32 CMT Thread Number : 0 *** Press any key to stop auto run (1 seconds) ***

Linux version 2.6.32.9 (virus@Virion) (gcc version 4.3.3 (GCC) ) #18 Mon Mar 15 16:16:55 CET 2010 Detected Broadcom 0x6358 CPU revision a1 CPU frequency is 300 MHz 32MB of RAM installed registering 40 GPIOs board_bcm963xx: CFE version: 1.0.37-5.4 bootconsole [early0] enabled CPU revision is: 0002a010 (Broadcom BCM6358) board_bcm963xx: board name: 96358GW Determined physical RAM map: memory: 02000000 @ 00000000 (usable) Initrd not found or empty - disabling initrd Zone PFN ranges: Normal 0x00000000 -> 0x00002000 Movable zone start PFN for each node early_node_map[1] active PFN ranges 0: 0x00000000 -> 0x00002000 On node 0 totalpages: 8192 free_area_init_node: node 0, pgdat 8026b500, node_mem_map 81000000 Normal zone: 64 pages used for memmap Normal zone: 0 pages reserved Normal zone: 8128 pages, LIFO batch:0 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128 Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200 PID hash table entries: 128 (order: -3, 512 bytes) Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) Primary instruction cache 32kB, VIPT, 2-way, linesize 16 bytes. Primary data cache 16kB, 2-way, VIPT, cache aliases, linesize 16 bytes Memory: 29724k/32768k available (2050k kernel code, 3044k reserved, 363k data, 136k init, 0k highmem) Hierarchical RCU implementation. NR_IRQS:128 Calibrating delay loop... 299.00 BogoMIPS (lpj=598016) Mount-cache hash table entries: 512 NET: Registered protocol family 16 ath: Register ath_data_device at address 0x1ffe1000 registering PCI controller with io_map_base unset bio: create slab at 0 pci 0000:00:01.0: reg 10 32bit mmio: [0x000000-0x00ffff] Switching to clocksource MIPS NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 1024 (order: 1, 8192 bytes) TCP bind hash table entries: 1024 (order: 0, 4096 bytes) TCP: Hash tables configured (established 1024 bind 1024) TCP reno registered NET: Registered protocol family 1 audit: initializing netlink socket (disabled) type=2000 audit(0.197:1): initialized squashfs: version 4.0 (2009/01/31) Phillip Lougher Registering mini_fo version $Id$ JFFS2 version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc. msgmni has been set to 58 io scheduler noop registered io scheduler deadline registered (default) gpiodev: gpio device registered with major 254 gpiodev: gpio platform device registered with access mask FFFFFFFF bcm63xx_uart.0: ttyS0 at MMIO 0xfffe0100 (irq = 10) is a bcm63xx_uart console [ttyS0] enabled, bootconsole disabled bcm963xx_flash: 0x00400000 at 0x1fc00000 bcm963xx: Found 1 x16 devices at 0x0 in 16-bit bank Amd/Fujitsu Extended Query Table at 0x0040 number of CFI chips: 1 cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness. bcm963xx_flash: Read Signature value of CFE1CFE1 bcm963xx_flash: CFE bootloader detected bcm963xx_flash: CFE boot tag found with version 6, board type 96358GW, and tagid bc310. bcm963xx_flash: Partition 0 is CFE offset 81ce1e48 and length 0 bcm963xx_flash: Partition 1 is kernel offset d2b and length 0 bcm963xx_flash: Partition 2 is rootfs offset d6c and length 0 bcm963xx_flash: Partition 3 is ath_data offset dad and length 0 bcm963xx_flash: Partition 4 is nvram offset df0 and length 0 bcm963xx_flash: Spare partition is 2a0000 offset and length 150000 Creating 5 MTD partitions on "bcm963xx": 0x000000000000-0x000000010000 : "CFE" 0x000000010100-0x0000000f0000 : "kernel" mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only 0x0000000f0000-0x0000003e0000 : "rootfs" mtd: partition "rootfs" set to be root filesystem mtd: partition "rootfs_data" created automatically, ofs=2A0000, len=140000 0x0000002a0000-0x0000003e0000 : "rootfs_data" 0x0000003e0000-0x0000003f0000 : "ath_data" 0x0000003f0000-0x000000400000 : "nvram" bcm63xx_enet MII bus: probed bcm63xx_wdt started, timer margin: 30 sec TCP westwood registered NET: Registered protocol family 17 802.1Q VLAN Support v1.8 Ben Greear All bugs added by David S. Miller VFS: Mounted root (squashfs filesystem) readonly on device 31:2. Freeing unused kernel memory: 136k freed Please be patient, while OpenWrt loads ... mini_fo: using base directory: / mini_fo: using storage directory: /jffs eth1: link forced UP - 100/full - flow control off/off Generic kernel compatibility enabled based on linux-next next-20100113 device eth1.1 entered promiscuous mode device eth1 entered promiscuous mode br-lan: port 1(eth1.1) entering forwarding state cfg80211: Calling CRDA to update world regulatory domain roboswitch: Probing device eth0: roboswitch: [/home/virus/kamikaze/build_dir/linux-brcm63xx/kmod-switch/switch-robo.c:130] SIOCGETCPHYRD failed! roboswitch: [/home/virus/kamikaze/build_dir/linux-brcm63xx/kmod-switch/switch-robo.c:130] SIOCGETCPHYRD failed! No Robo switch in managed mode found, phy_id = 0xffffffff roboswitch: Probing device eth1: found a 5325! It's a 5350. PCI: Enabling device 0000:00:01.0 (0000 -> 0002) # reading ath_data ath: eepdata = 0x00000cb8, el = 0x0000065c, ath: eepdata = 0x000081fe, el = 0x0000065c, ath: sum = 0x0000ffff, length = 0x00000cb8, checksum = 0x000063d1 ath: EEPROM regdomain: 0x0 ath: EEPROM indicates default country code should be used ath: doing EEPROM country->regdmn map search ath: country maps to regdmn code: 0x3a ath: Country alpha2 being used: US ath: Regpair used: 0x3a phy0: Selected rate control algorithm 'minstrel_ht' Registered led device: ath9k-phy0::radio Registered led device: ath9k-phy0::assoc Registered led device: ath9k-phy0::tx Registered led device: ath9k-phy0::rx phy0: Atheros AR5416 MAC/BB Rev:2 AR2122 RF Rev:81 mem=0xc0360000, irq=39 cfg80211: Calling CRDA for country: US PPP generic driver version 2.4.2 cfg80211: Regulatory domain changed to country: US (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp) (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm) (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm) (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm) (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm) ip_tables: (C) 2000-2006 Netfilter Core Team NET: Registered protocol family 24 nf_conntrack version 0.5.0 (466 buckets, 1864 max) ath_hal: module license 'Proprietary' taints kernel. Disabling lock debugging due to kernel taint ath_hal: 2009-05-08 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, RF2133, RF2425, REGOPS_FUNC, XR) ath_pci: trunk wlan: trunk wlan: mac acl policy registered ath_rate_minstrel: Minstrel automatic rate control algorithm 1.2 (trunk) ath_rate_minstrel: look around rate set to 10% ath_rate_minstrel: EWMA rolloff level set to 75% ath_rate_minstrel: max segment size in the mrr set to 6000 us device wlan0 entered promiscuous mode br-lan: port 2(wlan0) entering forwarding state device wlan0 left promiscuous mode br-lan: port 2(wlan0) entering disabled state device wlan0 entered promiscuous mode br-lan: port 2(wlan0) entering forwarding state

Before flashing OpenWrt make sure to backup "ath_data" (/dev/mtdblock4). It's calibration data for wireless device. You have to include this data into OpenWrt, and modify ath9k driver to read it durning device initialisation.

Normally the dd command would be used for copying such data; however the Linksys provided OS does not include this command. Using the cp command would result in just the inode information being copied, so instead use the cat command - placing the result within the /tmp directory which is a writable part of the filesystem,

cat /dev/mtdblock4 > /tmp/ath_data

You then need to get this image off the router. As there is no ftp client installed; use the in-built web server. As you can't write to the directory currently used by the http server, let's just hijack the daemon for a short while,

/usr/sbin/rc httpd stop /usr/sbin/mini_httpd -d /tmp

You should now be able to download mtdblock4 from another system, using something smilar to,

wget –user=admin –password=adminpass -O ath_data http://192.168.1.1/ath_data

Once you've downloaded mtdb4 kill the mini-httpd and restart the web server using its normal configuration,

killall mini_httpd /usr/sbin/rc httpd start