Hotrod Your Linksys WAP with Linux (Part 2)

By Carla Schroder

November 01, 2005

Those little, blue consumer-grade WAPs make nice experimental Linux boxes. This week we show you how to make it happen.

Last week we rambled over the OpenWRT landscape, issued dire warnings and concluded with the easy, but risky, installation method. Today we’ll learn the harder, but much safer, installation method. This one is fun, because it depends on an unpatched bug in the Linksys firmware.

Installing OpenWRT the Hard but Safe Way

You’ll need a TFTP client to upload the OpenWRT firmware (see Part 1 to learn what to download and where to get it), and your router should have a static IP. We’ll use atftp just like in the OpenWRT documentation, because every TFTP client has different commands; it would be cruel to introduce yet another potential trouble spot. Be sure to do all this with a Linux PC over a wired Ethernet connection; don’t even try it over wireless. (This also works from Windows using PuTTY; see the OpenWRT docs for howto.) For additional safety, do this with only the router and your Linux PC connected to each other, and keep the router off the network until you can configure it with SSH and an administrator login and password.

The key to making this work is setting the boot_wait=yes variable. This creates a 3-second delay when the router boots, giving you a window of opportunity to upload new firmware. Your little router has a BIOS and a bootloader that are independent of the firmware, just like the BIOS and bootloader on a PC. If anything goes wrong, you can re-flash the old firmware or try uploading OpenWRT again.

There is no official way to set boot_wait=yes; it depends entirely on a bug in the firmware. The bug is confirmed up through version 3.01.3 for the WRT54G, and version 3.37.2 for WRT54GS. However, users report that it exists in later versions as well. The safest thing to do, if you have a newer version, is to first download and install an older version of the Linksys firmware, then install OpenWRT. Your existing firmware version is displayed on the top of the Linksys Web administration pages.

Next, make sure your router has a valid IP address. The default is 192.168.1.1, so you access a new Linksys router via any Web browser with http://192.168.1.1. A username is not required, and the default password is “admin”. If you assign it a different IP, it will retain it as the default even after installing OpenWRT.

Next, navigate to Administration -> Diagnostics -> Ping to enable boot_wait=yes. Enter the following lines one at a time in the IP address field and hit the Ping button after each one:

;cp${IFS}*/*/nvram${IFS}/tmp/n
;*/n${IFS}set${IFS}boot_wait=on
;*/n${IFS}commit
;*/n${IFS}show>tmp/ping.log

Much text will scroll by, including “boot_wait=on.” When it is finished, unplug the router and enter these atftp commands on your connected Linux box:

tftp 192.168.1.1
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> put openwrt-wrt54g-squashfs.bin

Then immediately plug the router back in. These commands tell atftp to continually try to upload openwrt-wrt54g-squashfs.bin. It should quickly succeed.

Testing the New Firmware

Wait a few minutes to let the firstboot script run and the router reboot, then telnet into the new firmware:

$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

BusyBox v1.00 (2004.12.24-03:19+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M

root@OpenWrt:/#

The OpenWRT developers didn’t bother with requiring a telnet password, because telnet transmits in cleartext, so using a password is pretty much pointless. Don’t connect the router to the network yet; there is some work to do first. A lot of familiar Linux commands are available, such as ls, df, du, cd, find, and grep, so you can cruise up and down the file tree and see what you have, and see how much storage space is available.

Your first job is to give it your correct network settings. OpenWRT installs with roughly the same functionality as the original Linksys firmware, so you can configure basic network settings without installing additional packages. Keep in mind that you can set variables and run commands without writing them to NVRAM, so they will be lost after reboot. You can get locked out of your router if you input incorrect networking parameters, so test them first before committing them to NVRAM. Then if it gets messed up, reboot and try again. You can set and test a new LAN IP address:

# ifconfig vlan0 192.168.1.15

vlan0 is the LAN-facing network port. Changing the IP will kick you off the router, so you’ll have to telnet back in. Set the netmask, DNS, default gateway, whatever you need to do. Once everything works, write it to NVRAM with the nvram set command, followed by nvram commit. This example shows a number of different settings:

# nvram set lan_proto=static
# nvram set lan_ipaddr=192.168.1.15
# nvram set lan_netmask=255.255.255.0
# nvram set lan_gateway=192.168.1.0
# nvram set lan_dns=192.168.1.50
# nvram commit
# reboot

Check your settings with the nvram command:

# nvram show
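
A pre-flight check for the values you are about to commit, as an added example that is not from the original article or the OpenWRT project (the function names ip2int and check_lan are hypothetical, and it is meant to run on the Linux PC). The same strict address parsing also rejects the strings entered in the Ping field earlier, which the stock firmware accepts in a field meant for an IP address:

```shell
#!/bin/sh
# Added example: names are hypothetical, sample inputs are constructed.
# Run on the Linux PC (needs 64-bit shell arithmetic, e.g. bash or dash).

# ip2int ADDR: print ADDR as an integer, or fail unless it is exactly four
# decimal octets 0-255. ';', '$', '*', '/' and spaces can never pass.
ip2int() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1                      # split on dots; input is digits and dots only
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
)

# check_lan IP NETMASK GATEWAY: print "ok" or the reason the values are unsafe.
check_lan() {
    ip=$(ip2int "$1") && mask=$(ip2int "$2") && gw=$(ip2int "$3") ||
        { echo "not a dotted-quad address"; return 1; }
    inv=$(( 4294967295 - mask ))   # host bits of the netmask
    [ "$mask" -ne 0 ] && [ $(( inv & (inv + 1) )) -eq 0 ] ||
        { echo "netmask is not contiguous"; return 1; }
    net=$(( ip & mask ))
    [ "$ip" -ne "$net" ] && [ "$ip" -ne $(( net + inv )) ] ||
        { echo "lan_ipaddr is the network or broadcast address"; return 1; }
    [ $(( gw & mask )) -eq "$net" ] ||
        { echo "lan_gateway is outside the LAN subnet"; return 1; }
    echo ok
}

# The article's LAN values, then a constructed typo in the address.
check_lan 192.168.1.15 255.255.255.0 192.168.1.0
check_lan 192.168.1.256 255.255.255.0 192.168.1.0 || true
# One of the Ping-field strings: rejected because it is not an address.
ip2int ';*/n${IFS}commit' || echo "rejected: not an address"
```

The check only confirms that the values are well-formed and consistent with each other; it does not test that anything answers at the gateway or DNS address.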

Installing SSH

Administering your nice remodeled router via insecure telnet is a bad idea, so we’ll install the Dropbear SSH server. Dropbear is a tiny little thing designed for embedded devices, yet with all the important SSH features. OpenWRT has its own package manager/installer, ipkg, so installing dropbear is this easy:

# ipkg update
# ipkg list
# ipkg install dropbear

You’ll set a root password during the Dropbear installation. After installation, reboot the router, and test dropbear by logging in. If it works, remove telnet from startup, and stop the daemon:

# rm /etc/init.d/S50telnet
# killall telnetd

You don’t need to use Dropbear on client machines; you can log in just fine using OpenSSH.

Now your little blue box is ready to go to work. Stay tuned for future howtos on configuring it as a secure wireless access point and Internet gateway.

Troubleshooting

Visit the OpenWRT troubleshooting page.

Resources

  • Be sure to visit the OpenWRT home page for the latest news, releases, and important information.
  • OpenWRT’s NVRAM commands
  • See the OpenWRT Packages page for package lists and how to connect to package repositories.
  • If you lost your Linksys manual, visit Linksys.com.
  • Linksysinfo.org. Lots of great information, including autopsy reports.
  • Seattle Wireless, a great resource for wireless users
