Hackers Perspective - Poitiers Sans Fil

Jan 7, 2004
Hackers Perspective: The Linksys WRT54G

Jon Baer [email protected] 7/1/04

Discussion Outline

- WRT54G
- WRT54GS
- OpenWRT (Barebones)
- Sveasoft (WDS)
- Wi-Fi Box (SNMP)
- Ewrt (Captive Portal)
- MIPS Compiling
- Simple HelloWorld
- Snort Demo
- Kismet Drone Demo
- Pros/Cons
- Resources

How It All Started

In Fall 2003, the Seattle Wireless group discovered a bug in the admin diagnostics tool (Ping.asp) which allowed binary files to be uploaded to the router. After Ver. 1.42.2 the bug was fixed via a firmware release, and Linksys released the source and toolkit (in accordance with the GNU General Public License). *Mention offshoring here for Ben ;-)

Linksys WRT54G

- Linux 2.4.5 kernel
- 16 MB of RAM (4 MB of Flash)
- Firmware
- 125 MHz MIPS processor (Broadcom) – Ver 1.0, 1.1
- 200 MHz MIPS processor (Broadcom) – Ver 2.0
- 802.11 b/g
- Versions are pretty different: in 2.0 the CPU/MAC are on one chip and the radio is separate; in 1.1 everything is on the main board
- Currently ~$79

Linksys WRT54GS

- Linux 2.4.5 kernel
- 32 MB of RAM (8 MB of Flash)
- Firmware
- 200 MHz MIPS processor (Broadcom)
- 802.11 b/g with “Speedbooster”
- Currently ~$129

“Speedboosting” works by compressing a majority of the 802.11 overhead (by ~35%). It is proprietary and not part of the 802.11 standard.

Quick Warning

Before you load ANY 3rd-party firmware you should set “Boot Wait” to ON (how you do this varies with your setup). This is very important: if you corrupt the flash, boot_wait gives you a short window before the boot process continues in which you can upload a working firmware. Otherwise you will end up “shorting” special pins inside the router to get it back from the dead.

# nvram set boot_wait=on
# nvram commit

And never, never, never ...

Upgrade any firmware through a wireless connection, always through a wired NIC. You can seriously “brick” your AP this way :-)
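Added example (not from the slides, Linksys or any of the firmware projects): a small pre-flash checklist for the router's busybox shell that refuses to continue unless boot_wait is committed as on, the image's MD5 matches the sum published with it, and the image fits the flash size listed on the WRT54G/WRT54GS slides; the NVRAM_CMD override, the MD5 check and the size check are this example's own assumptions, and the nvram CLI is used as the slides show it.

```shell
#!/bin/sh
# Pre-flash checklist for a WRT54G/GS (added example, not from the slides).
# Assumes the router's busybox sh, the `nvram` CLI shown in the slides, and md5sum.
# NVRAM_CMD can be pointed at a stub so the checks can be exercised off the router.
NVRAM_CMD=${NVRAM_CMD:-nvram}

# True only when boot_wait is "on", i.e. the bootloader will pause for a TFTP upload.
boot_wait_enabled() {
    [ "$("$NVRAM_CMD" get boot_wait 2>/dev/null)" = "on" ]
}

# Turn boot_wait on and commit, then re-read it so an uncommitted change is not mistaken for success.
ensure_boot_wait() {
    boot_wait_enabled && return 0
    "$NVRAM_CMD" set boot_wait=on && "$NVRAM_CMD" commit
    boot_wait_enabled
}

# Reject an image larger than the flash of the given model (4 MB WRT54G, 8 MB WRT54GS per the slides).
image_fits_flash() {
    size=$1; model=$2
    case "$model" in
        WRT54G)  limit=$((4 * 1024 * 1024)) ;;
        WRT54GS) limit=$((8 * 1024 * 1024)) ;;
        *)       return 2 ;;
    esac
    [ "$size" -gt 0 ] && [ "$size" -le "$limit" ]
}

# Compare the image's MD5 with the published sum so a truncated or tampered download is never flashed.
image_checksum_ok() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Run every check and refuse on the first failure. Usage: preflight firmware.bin <published md5> WRT54G
preflight() {
    file=$1; expected_md5=$2; model=$3
    ensure_boot_wait || { echo "boot_wait is not on; refusing to flash" >&2; return 1; }
    image_checksum_ok "$file" "$expected_md5" || { echo "MD5 mismatch for $file" >&2; return 1; }
    image_fits_flash "$(wc -c < "$file")" "$model" || { echo "$file does not fit $model flash" >&2; return 1; }
    echo "preflight passed: flash $file over the WIRED interface only"
}
```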

OpenWRT

OpenWrt is a free and open Linux distribution for the Linksys WRT54G. Instead of trying to cram every possible feature into one firmware, OpenWrt provides only a minimal firmware with support for add-on packages. For users this means the ability to custom-tune features, removing unwanted packages to make room for others; for developers it means being able to focus on packages without having to test and release an entire firmware.

OpenWRT (cont.)

The OpenWrt firmware contains two filesystems: a small read-only squashfs partition and a larger writable jffs2 partition. The squashfs filesystem is the core of OpenWrt; it provides a minimal Linux environment suitable for booting the router and providing basic functionality. Specifically, the core provides:

- network initialization (ethernet and wireless)
- firewalling
- dhcp client / server
- caching dns server (with hooks to dhcp to look up dhcp client hostnames)
- telnet server and busybox environment

That's it. Everything else (ssh, http administration, etc.) can be done in the form of a package on the jffs2 filesystem; OpenWrt's goal is to provide a minimal base which can be expanded through the use of software packages. It is not based on the Linksys source code; it is built from the ground up.

Sveasoft

Sveasoft is based in Sweden and develops feature-rich firmware for the WRT54G/S that is openly available. They offer support through forums and upgrades for ~$20 per year. Very active development, with tools that include: SSH, OpenVPN, WDS (Mesh), Radio TX/RX Power Adjustment, OSPF, PPTP, QoS, Shorewall, NoCat, IPSec, 802.1x. You can increase the milliwatt output to a maximum of 83 mW from the default 28 mW.

Sveasoft (WDS)

Wireless Distribution System (Layer 2) allows repeating or bridging between 2 or more WRT54Gs (also called “mesh networking”).

Wifi-Box

Also based on the Linksys 2.0 firmware release; offers an SNMP daemon, subnetting, VPN (passthrough), local DNS caching, profiling, enhanced status pages, telnet/ssh. Very similar to Sveasoft but more geared towards the actual “networking”. Also has an active development community (French based I think). Offers a US version and an EU version.

Ewrt (Portless Networks)

At the time of writing, ewrt differentiates itself from the other WRT54G distributions by providing a captive portal based on NoCatSplash, fixing many bugs present in the Linksys and Sveasoft firmware, and following an open, transparent development model. Key features:

- NoCatSplash-based captive portal
- Traffic shaping with Wondershaper + iproute2
- SSH and telnet management
- Wireless TX power selection, client mode, Adhoc, WDS
- RSSI stats reporting for individual clients
- Remote syslogging

MIPS Compiling

Statically linked uclibc compiling tools come with the Linksys firmware download. You can also download GNU binutils and gcc and create your own cross-compiler. These tools compile your code into MIPS (little-endian) binaries that the Linksys WRT54G can run. Cross-compiler setup can be a little difficult to start, so I'd recommend using the Linksys toolset (gcc, ldd, strip, etc). http://www.linux-mips.org

HelloWorld on WRT54G

A simple demo program (Hello.c):

#include <stdio.h>

int main(void)
{
    printf("Hello NYCwireless!\n");
    return 0;
}

Cross-compile with the Linksys toolset and strip the binary to save flash space:

/opt/Linksys/bin/gcc -o Hello Hello.c
/opt/Linksys/bin/strip Hello

Snort Demo

Jim Buzbee was able to compile the Snort IDS for MIPS (static libs), and it is able to do minimal intrusion detection. However, due to the lack of RAM you can only load a few good rules.

scp snort [email protected]:/tmp
# /tmp/snort -dev           (sniffing)
# /tmp/snort -c snort.conf  (IDS)

Kismet Drone Demo

The WRT54G can be placed in “monitor mode” and act as a drone/slave to a Kismet server, which does the alert processing (a better alternative to Snort on the router).

scp kismet_drone [email protected]:/tmp
scp kismet_drone [email protected]:/tmp/etc

On the Kismet server, point the capture source at the drone:

# kismet_server -C wrt54g        (source)
source=kismet_drone,192.168.1.1:3501,wrt54g

Pros of WRT54G

- Linux kernel based.
- Active development community.
- Extremely cheap (for 802.11g).
- Extremely flexible solution.
- Great to learn more about embedded systems.
- In the long run, most likely to be a more secure solution as software implementations grow.
- Source code, compilers and tools are available free from the Linksys website for anyone to tinker with.

Cons

- Very limited RAM (NFS still buggy).
- Possibly voids your warranty, as Linksys offers NO support for 3rd-party firmware.
- Apps can be unstable.
- USE AT YOUR OWN RISK!
- NO DRIVER SOURCE CODE*: Broadcom has not yet released any source code for the radio drivers, nor its modifications to the gcc compiler.

* They are not required to.

Resources

http://www.linksys.com
http://www.linksys.com/support/gpl.asp
http://www.batbox.org/wrt54g.html
http://www.sveasoft.com
http://openwrt.ksilebo.net
http://www.sourceforge.net/projects/wifi-box
http://www.portless.net/ewrt/
http://www.nycwireless.net
http://www.seattlewireless.net/index.cgi/LinksysWrt54g
http://www.linuxunwired.com

Remember, FREE wireless rules! So have fun!

Questions?