Hacking the Linksys WMB54G

Today we’re going to take a look at an interesting little device, the Linksys WMB54G wireless music bridge.

WMB54G

This is a pretty specialized device, so it’s likely a fairly minimalistic system. Even the administrative interface is small and simple:

WMB54G Administrative Interface

The Linksys support page doesn’t have any firmware updates available, so let’s take a peek at the hardware.

Opening the case reveals a predictably limited system, with just 2MB of flash, 8MB of RAM and a small processor covered up by a heat sink:

WMB54G Internals

There are two connectors on the right-hand side of the board, labelled J5 and J9. J5 appears to be a JTAG connector, while J9 shows promise of being a serial port:

J5 and J9 Connectors


A Better Way to TFTP

Working with embedded devices, I end up using TFTP quite a bit. While most operating systems offer TFTP clients, they tend to be a bit archaic and lack simple features that we hacker types might find useful. So of course, I rolled my own.

Tfcp is a TFTP client utility written in Python using the excellent tftpy module. Usage is simple and mimics that of scp:

Uploading the local file ‘foo.txt’ to ‘/tmp/bar’ on the remote host:

$ tfcp ./foo.txt 192.168.1.1:/tmp/bar

Downloading ‘/tmp/bar’ to your current working directory:

$ tfcp 192.168.1.1:/tmp/bar .

There are two key features that I like about tfcp:

  1. It is non-interactive, which means it’s easily scriptable and all tfcp commands get stored in your command history
  2. It allows you to specify both the local and remote file names

Although these are simple, seemingly innocuous features, they are severely lacking in most TFTP client utilities, and as we’ll soon see, they can be key features when analyzing/exploiting embedded systems.

You can grab tfcp from the Google Code page; you’ll need to install tftpy first, either from source, or through apt-get (python-tftpy).
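The sketch below shows one way scp-style arguments can be mapped onto tftpy's client calls, with independent local and remote file names. It is an added illustration, not tfcp's own source; the function names and the script name are hypothetical, and only `tftpy.TftpClient`, `upload` and `download` come from the tftpy module.

```python
import os
import sys


def parse_endpoint(arg):
    """Return (host, path) for 'host:path', or (None, arg) for a local path."""
    host, sep, path = arg.partition(":")
    # Remote only if something precedes the colon and it is not a path itself.
    # (IPv6 literals are not handled in this sketch.)
    if sep and host and path and "/" not in host:
        return host, path
    return None, arg


def plan_transfer(src, dst):
    """Map an scp-style (src, dst) pair to (direction, host, remote, local)."""
    src_host, src_path = parse_endpoint(src)
    dst_host, dst_path = parse_endpoint(dst)
    if (src_host is None) == (dst_host is None):
        raise ValueError("exactly one argument must be host:path")
    if dst_host is not None:
        # Local -> remote: a TFTP write request naming the remote file.
        return ("upload", dst_host, dst_path, src_path)
    # Remote -> local: a TFTP read request; keep the remote basename
    # when the destination is a directory such as '.'.
    local = dst_path
    if os.path.isdir(local):
        local = os.path.join(local, os.path.basename(src_path))
    return ("download", src_host, src_path, local)


def transfer(src, dst, port=69):
    """Run the planned transfer with tftpy (third-party, imported lazily)."""
    import tftpy
    direction, host, remote, local = plan_transfer(src, dst)
    client = tftpy.TftpClient(host, port)
    if direction == "upload":
        client.upload(remote, local)
    else:
        client.download(remote, local)
    return direction


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: tfcp_sketch.py <src> <dst>")
    transfer(sys.argv[1], sys.argv[2])
```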