<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Ultimate WRT54G Hacking</title>
      <link>http://wrt54ghacks.com/</link>
      <description>This site is dedicated to hacking the WRT54G, as well as many other embedded devices and other fun projects.  It supports the book &quot;Linksys WRT54G Ultimate Hacking&quot; by Paul Asadoorian and Larry Pesce.</description>
      <language>en</language>
      <copyright>Copyright 2008</copyright>
      <lastBuildDate>Mon, 31 Mar 2008 08:49:24 -0500</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <item>
         <title>Adding a removable Antenna to your WRTSL54GS</title>
         <description><![CDATA[Over the past few months I've been contemplating a few projects for some WRTSL54GS routers running OpenWrt; however, these projects really need a high-gain antenna on the WRTSL54GS.  As you may recall, this model has a fixed antenna, with no option for adding one.  I decided that I needed to fix that "design flaw".

Note: A higher-gain antenna raises the effective radiated power of the device, and it may push you past what your local or federal regulations permit.  Be careful!

First off, we need to open the WRTSL54GS up.  The screws are located under the rubber feet.  Once apart, we need to de-solder the current, fixed antenna from the board.  Follow the LMR cable from the antenna to the board, and de-solder both conductors of the LMR (center and shield) from the board.

Once removed, the board should reveal two pads on which we need to solder our new connector.

<center>
<img src="http://wrt54ghacks.com//bare board.jpg" alt="bare board.jpg" border="0" width="387" height="371" />
</center>

Once de-soldered, we can remove the antenna from the case by pinching the end of the antenna on the inside of the connector.  This will compress the size so that the outer locking ring will pass through the mount.

<div style="text-align:center;"><img src="http://wrt54ghacks.com//squeeze.jpg" alt="squeeze.jpg" border="0" width="421" height="294" /></div>

We need to make sure that we have an appropriate connector to attach a new antenna to.  I happened to have scavenged parts from an old Linksys BEFSX series model. This old router had an internal PCMCIA card with two pigtails, one end with the standard RP-TNC antenna connector.  

<div style="text-align:center;"><img src="http://wrt54ghacks.com//spare parts.jpg" alt="spare parts.jpg" border="0" width="527" height="292" /></div>

I removed the connector at the other end of the cable, as it is not important.  I gave it a good pull, but certainly a pair of wire cutters will get the job done.

Strip the LMR cable back so that the inner and outer conductors are staggered.  Match up the lengths that you need with the two pads to verify your length: the smaller inner conductor will be attached to the smaller pad on the board, while the outer conductor will be attached to the larger pad. Don't solder them together!  This will create a short, and render your antenna inoperable, possibly even frying your router!  Before you power the unit back on, check with a multimeter that there is no continuity between the two pads.

<div style="text-align:center;"><img src="http://wrt54ghacks.com//stripped.jpg" alt="stripped.jpg" border="0" width="569" height="379" /></div>

We also need to modify the case so that the external portion of the connector will fit through.  My connector at the base was 3/4 of an inch, so I drilled a 3/4 inch hole into the edge of the case, right near the original connector.  

<div style="text-align:center;"><img src="http://wrt54ghacks.com//new mount.jpg" alt="new mount.jpg" border="0" width="559" height="314" /></div>

Part of the selection of this location was so that it would still be at the top of the unit, and the board has a notch out of it at this location. The notch leaves a handy place to be able to fit the additional portion of the connector between the board and the edge of the case.

<div style="text-align:center;"><img src="http://wrt54ghacks.com//mounted.jpg" alt="mounted.jpg" border="0" width="488" height="413" /></div>

Once mounted, solder the LMR from our new connector to the board as described earlier.  I utilized some electrical tape to maintain the bend in the LMR and to hold it down to the board.  This allows me to have both hands free to solder!  

<div style="text-align:center;"><img src="http://wrt54ghacks.com//soldering.jpg" alt="soldering.jpg" border="0" width="392" height="501" /></div>

Once complete we can reassemble our router and show off our new connector.

<div style="text-align:center;"><img src="http://wrt54ghacks.com//complete no antenna.jpg" alt="complete no antenna.jpg" border="0" width="486" height="322" /></div>

One of the nice features of using the RP-TNC connector is that we can reuse antennas from most of our other Linksys devices!

<div style="text-align:center;"><img src="http://wrt54ghacks.com//finished.jpg" alt="finished.jpg" border="0" width="504" height="299" /></div>

Have fun adding new antennas!

- Larry "haxorthematrix" Pesce
larry /at/ pauldotcom.com]]></description>
         <link>http://wrt54ghacks.com/2008/03/adding_a_removable_antenna_to.html</link>
         <guid>http://wrt54ghacks.com/2008/03/adding_a_removable_antenna_to.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">How-Tos</category>
        
        
         <pubDate>Mon, 31 Mar 2008 08:49:24 -0500</pubDate>
      </item>
            <item>
         <title>How-To: Building a Guest Wireless Network For Under $300 - Part I</title>
         <description><![CDATA[So, here is the scenario: you need a wireless network for guests; it has to be easily accessible (i.e. it can't require a WPA supplicant) and it has to be secure.   This is a common problem, and one that is not so easily solved. For example, you may want a separate wireless network for training rooms, on-site visitors, consultants, or just general guests to your organization.  Guests such as these typically only require access to the Internet and nothing else. The nice part is, all this can be done for under $300 (on a small scale with two access points), and it's all open source! This is a great, cheap, fast, and easy way to handle guests that may be coming into your network. Of course, this is only the first step.  In future parts we will show you how to add the security measures, such as captive portals, bandwidth shaping, intrusion detection, and firewalling.  To get us started you will need:

<ul>
<li> 2 <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16833124190">Linksys WRT54GL Routers</a></li>
<li> 2 <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16833124185&amp;Tpk=WAPPOE12">Linksys POE Adapter - WAPPOE12 12V</a></li>
<li> <a href="http://downloads.openwrt.org/whiterussian/0.9/default/openwrt-wrt54g-squashfs.bin">OpenWrt "Whiterussian" 0.9</a></li>
</ul>

Below are the step-by-step guidelines for getting the initial setup going:

Step 1 - Unbox and flash the routers.  For the WRT54GL, you must use the web interface to put the initial OpenWrt image on them. (Question, why does Linksys not enable boot_wait by default?).  Also, do not use the PoE adapters when flashing!

Step 2 - Change the IP address of the routers (a different address for each AP), enable boot_wait, and set the hostname:
<blockquote>
<b>nvram set lan_ipaddr="10.10.10.5"
nvram set boot_wait="on"
nvram set wan_hostname="myap1"
nvram set wan_proto="none"
nvram commit
</b></blockquote>
Step 3 - Create a separate VLAN or physical network for the guest APs, preferably with its own Internet connection, so that guests can reach the Internet but not your internal hosts.  Put the APs on that subnet.

Step 4 - Harden and performance tune OpenWrt - Remove the packages that are not required (the PPP/PPPoE stack is only needed on a WAN-facing router, and webif/haserl are the web interface we are about to disable):

<blockquote>
<b>ipkg update<br>
ipkg remove ppp ppp-mod-pppoe webif haserl kmod-ppp kmod-pppoe<br>
ipkg upgrade<br>
</b></blockquote>

Before disabling services, run <b>passwd</b> to set a root password.  On White Russian this is also what turns off the passwordless telnet login and enables the dropbear SSH server, so do it first or you will lock yourself out once telnet is gone.  Then disable the services that are not required:

<blockquote>
<b>cd /etc/init.d<br>
mv S50httpd disabled_S50httpd<br>
mv S50telnet disabled_S50telnet<br>
</b></blockquote>

Step 5 - Enable DHCP on each of the access points by giving dnsmasq a startup script (dnsmasq puts itself into the background, so no trailing ampersand is needed, but the script must be executable):

<blockquote>
<b>cat > /etc/init.d/S60dnsmasq &lt;&lt;'EOF'<br>
#!/bin/ash<br>
/usr/sbin/dnsmasq<br>
EOF<br>
chmod +x /etc/init.d/S60dnsmasq<br>
</b></blockquote>

Now, remove the DHCP configuration from /etc/dnsmasq.conf and replace it with the block below.  Each AP runs its own DHCP server on the same subnet, so give each AP a range that does not overlap with the others (for example .100-.150 on the first AP and .151-.200 on the second); two authoritative servers sharing one range will hand the same address to different clients:

<blockquote>
<b># enable dhcp (start,end,netmask,leasetime)
dhcp-authoritative
dhcp-range=10.10.10.100,10.10.10.150,255.255.255.0,12h
dhcp-leasefile=/tmp/dhcp.leases

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers                                                   

# other useful options:
# Default Gateway
dhcp-option=3,10.10.10.1

# DNS Servers
dhcp-option=6,10.10.10.6,10.10.10.7
</b></blockquote>

Step 6 - Reboot the WRT54GL and make sure all is well.  Now connect the PoE adapters and place the APs where you want them.

Step 7 - Configure Wireless - Place the access points on their respective channels using the command <b>nvram set wl0_channel=1</b>.  Ideally you would have 3 APs, one each on channels 1, 6, and 11, the only non-overlapping channels in the 2.4 GHz band. Now set all of the SSIDs to the same value using the command <b>nvram set wl0_ssid="guestwireless"</b>. Finally, be certain to run <b>nvram commit</b> to save your changes, and <b>/sbin/wifi</b> so that the wireless system picks up the new values.

You should now be able to associate to the given SSID.  Which access point you associate with depends heavily on the wireless driver you are using and its roaming logic, and on other factors that require too much math.
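Steps 2 through 7 are the same handful of commands repeated per AP with different values, which is exactly where a typo (wrong channel, duplicate address, overlapping DHCP pool) creeps in.  The POSIX shell script below is an added example, not code from the original post or from OpenWrt: it generates the complete command batch for each AP and can push it over SSH.  Everything about the numbering is this example's own assumption: AP n is managed at 10.10.10.(20+n) (so it never collides with the .1 gateway or the .6/.7 DNS servers), is named myap<n>, takes its channel from the 1/6/11 rotation, and gets a DHCP pool that does not overlap with the other APs'.  It also assumes you have already run <b>passwd</b> on each AP so that dropbear answers SSH as root at the address you pass in; the APPLY flag, ssh invocation and function names are the example's, not the post's.

```shell
#!/bin/sh
# Added example: generates the per-AP command batch for steps 2-7 above.
# Assumptions that are NOT from the original post:
#   - APs are numbered 1..3; AP n is managed at 10.10.10.(20+n), is named
#     myap<n>, sits on channel 1/6/11 by rotation, and owns its own DHCP pool.
#   - Each AP answers SSH as root (run `passwd` on it first; on White Russian
#     that enables dropbear) at the address you pass to provision_ap.
# Nothing is pushed to a router unless APPLY=1 is set in the environment.

SUBNET=10.10.10
GATEWAY=$SUBNET.1
DNS_SERVERS=$SUBNET.6,$SUBNET.7
SSID=guestwireless
LEASE=12h

# Channel for AP n: 1, 6, 11, 1, 6, 11, ... (the non-overlapping 2.4 GHz channels)
ap_channel() {
    case $(( ($1 - 1) % 3 )) in
        0) echo 1 ;;
        1) echo 6 ;;
        *) echo 11 ;;
    esac
}

# Management address of AP n; .1 is the gateway and .6/.7 are DNS, so APs start at .21.
ap_ipaddr() { echo "$SUBNET.$(( $1 + 20 ))"; }

# DHCP pool of AP n: .100-.149, .150-.199, .200-.249. The post uses one range on
# every AP; two dhcp-authoritative servers sharing a range on one subnet can hand
# the same address to different clients, so the pools must not overlap.
ap_dhcp_start() { echo "$SUBNET.$(( 100 + ($1 - 1) * 50 ))"; }
ap_dhcp_end()   { echo "$SUBNET.$(( 149 + ($1 - 1) * 50 ))"; }

# The DHCP section of /etc/dnsmasq.conf for AP n.
dnsmasq_conf() {
    cat <<EOF
dhcp-authoritative
dhcp-range=$(ap_dhcp_start "$1"),$(ap_dhcp_end "$1"),255.255.255.0,$LEASE
dhcp-leasefile=/tmp/dhcp.leases
read-ethers
dhcp-option=3,$GATEWAY
dhcp-option=6,$DNS_SERVERS
EOF
}

# Complete batch for AP n, runnable on the router with `sh`.
ap_commands() {
    n=$1
    if [ "$n" -lt 1 ] || [ "$n" -gt 3 ]; then
        echo "ap_commands: AP index must be 1..3 (a fourth pool would leave $SUBNET.0/24)" >&2
        return 1
    fi
    cat <<EOF
# --- AP $n: steps 2, 4, 5 and 7 ---
nvram set lan_ipaddr="$(ap_ipaddr "$n")"
nvram set boot_wait="on"
nvram set wan_hostname="myap$n"
nvram set wan_proto="none"
nvram set wl0_channel="$(ap_channel "$n")"
nvram set wl0_ssid="$SSID"
nvram commit
ipkg remove ppp ppp-mod-pppoe webif haserl kmod-ppp kmod-pppoe
mv /etc/init.d/S50httpd /etc/init.d/disabled_S50httpd
mv /etc/init.d/S50telnet /etc/init.d/disabled_S50telnet
# keep everything in dnsmasq.conf except the old DHCP lines, then append ours
grep -v -e '^dhcp-' -e '^read-ethers' /etc/dnsmasq.conf > /tmp/dnsmasq.conf.new
cat >> /tmp/dnsmasq.conf.new <<'DNSMASQ'
$(dnsmasq_conf "$n")
DNSMASQ
mv /tmp/dnsmasq.conf.new /etc/dnsmasq.conf
/sbin/wifi
EOF
}

# Print the batch for AP n, or push it over SSH to the router at $2 when APPLY=1.
# Reboot the AP afterwards so the new lan_ipaddr and the disabled services take effect.
# Usage: provision_ap 1 192.168.1.1            (dry run, prints the batch)
#        APPLY=1 provision_ap 1 192.168.1.1    (pushes it to the AP)
provision_ap() {
    if [ "${APPLY:-0}" = 1 ]; then
        ap_commands "$1" | ssh "root@$2" sh
    else
        ap_commands "$1"
    fi
}
```

Run it once per AP while the AP is still reachable at its current address; review the dry-run output before setting APPLY=1, since the batch changes the management address and disables the web and telnet interfaces in one go.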

In Part II, we will show you how to implement a captive portal for guest authentication, and add additional layers of security such as intrusion detection and IP filtering.

PaulDotCom (Edits by Larry Pesce)
]]></description>
         <link>http://wrt54ghacks.com/2007/07/howto_building_a_guest_wireles.html</link>
         <guid>http://wrt54ghacks.com/2007/07/howto_building_a_guest_wireles.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">How-Tos</category>
        
        
         <pubDate>Thu, 05 Jul 2007 16:46:48 -0500</pubDate>
      </item>
            <item>
         <title>Our First Review!</title>
         <description><![CDATA[All:

A listener of the PaulDotCom Security Weekly show, <a href="http://www.mcgrewsecurity.com/">Robert Wesley McGrew</a>, posted the very first review of our book:

<a href="http://www.mcgrewsecurity.com/blog/?p=46">Review: Linksys WRT54G Ultimate Hacking</a>

He says many good things, such as:

<cite>"It&rsquo;s very well written and brings together a body of knowledge that you won&rsquo;t find in one place anywhere else. I would especially recommend it to security professionals who might be able to use OpenWRT as a platform for remote access, reconnaissance and exploitation."</cite>

Keep the reviews coming! (Only if they are good ;-)

PaulDotCom]]></description>
         <link>http://wrt54ghacks.com/2007/07/our_first_review.html</link>
         <guid>http://wrt54ghacks.com/2007/07/our_first_review.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Announcements</category>
        
        
         <pubDate>Mon, 02 Jul 2007 15:02:48 -0500</pubDate>
      </item>
            <item>
         <title>Dissecting the WRT54G version 8</title>
         <description><![CDATA[Linksys has officially released the WRT54G version 8 here in the US, and Paul was able to find one at our local big box computer retailer.  Of course the first thing that we did was to tear it apart and see what is inside, in typical hacker fashion.  We've successfully voided the warranty without even plugging the darned thing in!<p>

Without further ado: Inside the WRT54G version 8!<p>

Before we get to the juicy bits, this version will be very easy to identify on the store shelves.  Linksys has totally redesigned the packaging:<p>

<img src="http://wrt54ghacks.com/box.jpg" border="0" height="350" width="420" alt="box.jpg" align="center" />
<p>
The power supply has remained the same here in the US, with 12 volt output.  Nothing to see here folks.  The front panel also remains the same as the last few versions:
<p>
<img src="http://wrt54ghacks.com/front.jpg" border="0" height="150" width="420" alt="front.jpg" align="center" />
<p>
Before we even get this bad boy apart, we can see some very significant design changes. No more removable antennas! (we'll get to this more in a bit)<p>
<img src="http://wrt54ghacks.com/fixed_antennas.jpg" border="0" height="244" width="420" alt="fixed_antennas.jpg" align="center" />
<p>
When we open up the case, we can immediately see that the board design looks different from some of the earlier versions.  I'm not sure of how it stacks up to the version 7, as we've been unable to locate one locally. The front of the board looks different:<p>
<img src="http://wrt54ghacks.com/whole_board.jpg" border="0" height="371" width="420" alt="whole_board.jpg" align="center" />
<p>
The reverse side of the board actually features some components, even if they are SMT resistors:<p>
<img src="http://wrt54ghacks.com/underside.jpg" border="0" height="367" width="420" alt="underside.jpg" align="center" />
<p>
With some closer inspection, we may be drawn to the traces for the wireless antennas.  It looks like the traces still exist for the removable connectors.  Possibly for future board revisions, or a hold over from the v7 design:<p>
<img src="http://wrt54ghacks.com//ufl_traces.jpg" border="0" height="497" width="420" alt="ufl_traces.jpg" align="center" />
<p>
Guess what!  Those traces also carry what looks like a U.FL antenna connector!  Certainly we can find a pigtail online to convert it to something we can use.  Add a little de-soldering braid and a soldering iron to the mix and we've got a removable antenna, at least on the primary connector.  We would also need to disable antenna diversity.  Here's a good look at the U.FL connector:<p>
<img src="http://wrt54ghacks.com/ufl.jpg" border="0" height="401" width="398" alt="ufl.jpg" align="center" /> 
<p>
Further examination of the board reveals some more of the standard features we've come to expect.  The first is the JTAG header, which gives direct access to the CPU and the flash and is what you use to recover a bricked unit or dump its firmware:<p>
<img src="http://wrt54ghacks.com//jtag.jpg" border="0" height="556" width="374" alt="jtag.jpg" align="center" /><p>
There is also another set of headers, which would appear to be a single serial port.  This remains unconfirmed by us at this point, but all signs point to yes: the BCM5354 datasheet states that it has two UARTs available, and the header has the right pin count.  Why only one port?  Who knows, but I would bet that the other serial port can be found on the board, just not at a header.  Here's a good look at the possible serial port:<p>
<img src="http://wrt54ghacks.com/serial.jpg" border="0" height="267" width="420" alt="serial.jpg" align="center" />
<p>
The RAM installation seems to be fairly typical With a <a href="http://www.samsung.com/Products/Semiconductor/Sync_AsyncDRAM/SDRSDRAM/Component/64Mbit/K4S641632K/ds_k4s64xx32k_rev11.pdf">Samsung chip</a>:<p>
<img src="http://wrt54ghacks.com//ram.jpg" border="0" height="206" width="328" alt="ram.jpg" align="center" />
<p>
But wait!  What's that you say?  You read the Samsung chip documentation, and it says the chip is 64M?  Well, sure, but that figure is in megabits: the K4S641632K is organized as 4M x 16, which comes to 8 megabytes.  So the reports that this unit only has 8M of RAM are consistent with the part on the board, and there is no hidden extra RAM for an open source firmware such as OpenWrt to take advantage of.<p>

Another change for the version 8 is a move away from the Intel flash chip.  Linksys has opted for Spansion, the flash memory joint venture of AMD and Fujitsu.  The new <a href="http://wrt54ghacks.com//013-10118-S29AL016D.pdf">Spansion S29AL016D90TF chip</a> is listed as 16M, but again that is megabits; in bytes it is exactly the 2M of flash that other available documentation lists, so the two figures agree.  The chip also supports sector protection, so some sectors may be locked against writes on top of that limit.  With 8M of RAM and 2M of flash, the v8 is considerably more constrained for hacking than a 64M/8M reading of the datasheets would suggest.  Here's a good look at the Spansion flash chip:<p>
<img src="http://wrt54ghacks.com//flash.jpg" border="0" height="246" width="420" alt="flash.jpg" align="center" /> 
<p>
Again the Broadcom SoC has changed, this time to the <a href="http://www.broadcom.com/collateral/pb/5354-PB00-R.pdf">BCM5354KFBG</a>, which runs at 240 MHz.  This one chip contains all of the goodies: the Ethernet switch, the main processor, and the wireless processor.  Here is a shot of the chip:<p>
<img src="http://wrt54ghacks.com//proc.jpg" border="0" height="382" width="425" alt="proc.jpg" align="center" />   
<p>
Alongside the wireless processor, under the nice metal shielding, sits the wireless power amplifier, a <a href="http://www.sige.com/wireless/se_2520_wlan.html">SiGe SE2528L</a> RangeCharger, rated at 24 dBm for 802.11b and 21 dBm for 802.11g.  Here is a look at this sneaky little animal:<p>
<img src="http://wrt54ghacks.com//wireless_power_amp.jpg" border="0" height="367" width="416" alt="wireless_power_amp.jpg" align="center" />
<p>
There are also changes to the power conversion and regulation circuitry.  The main power conversion chip has remained the same, the <a href="http://www.sacg.com.tw/sacweb/marcom/epaper/images/AP1513_0.5__930916.pdf">AnaChip AP1513</a>, which accepts an input voltage of between 3.6 and 18 volts DC; combined with the <a href="http://wrt54ghacks.com//284-06146-0-SK310B.pdf">SK33B Schottky rectifier</a>, it uses a separate resistor to set the maximum power output.  While I have been unable to confirm it, I suspect that the board's supply has been capped at between 3.3 and 3.6 volts, the optimal range for many of the other components.  Here's a close-up of the chip combination:<p>
<img src="http://wrt54ghacks.com//power.jpg" border="0" height="331" width="506" alt="power.jpg" align="center" /> 
<p>
While I thought that this new release would be very disappointing for my hacking pleasure, the picture is clearer than it first looked: the RAM and flash come out to 8M and 2M once the datasheet figures are read in bytes rather than bits, the wireless antenna situation can apparently be rectified, and the apparently reduced power requirements make alternate power sources very tempting.<p>

We hope that you have enjoyed our willful voiding of our warranty for your viewing pleasure!  Any questions, comments or updates are appreciated.

- Larry
]]></description>
         <link>http://wrt54ghacks.com/2007/06/dissecting_the_wrt54g_version.html</link>
         <guid>http://wrt54ghacks.com/2007/06/dissecting_the_wrt54g_version.html</guid>
        
        
         <pubDate>Wed, 27 Jun 2007 08:35:42 -0500</pubDate>
      </item>
            <item>
         <title>Contest Winner and Book Availability</title>
         <description><![CDATA[All:

First, let me welcome all of you to the official web site and blog for our "Linksys WRT54G Ultimate Hacking" book!  We are very excited to have completed the book, and even more excited to continue to provide information on embedded device hacking via this web site and blog.

First order of business, our book is shipping!  W00t!  You can purchase it via the links on the front page via Amazon.

Next, we have a winner of our book contest!  The contest was to be the first person to send us a picture of themselves with the book.  Doing so would win you (Compliments of the PaulDotCom Security Weekly Crew):

<ul>
<li> An autographed copy of <a href="http://www.amazon.com/Wireshark-Ethereal-Protocol-Analyzer-Security/dp/1597490733/ref=pd_bbs_sr_1/102-1310806-1653759?ie=UTF8&amp;s=books&amp;qid=1182802348&amp;sr=1-1">Wireshark & Ethereal Network Protocol Analyzer Toolkit</a></li>
<li> An autographed copy of <a href="http://www.amazon.com/Network-Security-Hacks-Protecting-Privacy/dp/0596527632/ref=pd_bbs_sr_1/102-1310806-1653759?ie=UTF8&amp;s=books&amp;qid=1182802559&amp;sr=1-1">Network Security Hacks, 2nd Edition</a> by Andrew Lockhart</li>
<li> An official <a href="http://pauldotcom.com">PaulDotCom Security Weekly</a> Hack Naked beer drinking mug and t-shirt</li>
</ul>

And the winner is......Dave! Who submitted a wonderful picture of himself holding the book and two WRT54G routers (whoops, don't drop one :).

<center><a href="http://wrt54ghacks.com/dave-winner.JPG"><img src="http://wrt54ghacks.com//dave-winner-thumb.JPG" border="0" height="132" width="175" alt="dave-winner-thumb.JPG" align="center" /></a></center>

Congrats Dave!

Stay tuned, good things coming...

Paul "PaulDotCom" Asadoorian]]></description>
         <link>http://wrt54ghacks.com/2007/06/contest_winner_and_book_availa.html</link>
         <guid>http://wrt54ghacks.com/2007/06/contest_winner_and_book_availa.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Announcements</category>
        
        
         <pubDate>Mon, 25 Jun 2007 15:21:10 -0500</pubDate>
      </item>
            <item>
         <title>How-Tos On the Way</title>
         <description><![CDATA[<center><img alt="how-tos-Larry" src="http://wrt54ghacks.com/how-tos_larry01.jpg" width="400" height="308" /><br></center> We will be showing you how to do some interesting stuff from the book, and maybe some things not in the book right here...

Stay tuned!
]]></description>
         <link>http://wrt54ghacks.com/2007/06/howtos_on_the_way.html</link>
         <guid>http://wrt54ghacks.com/2007/06/howtos_on_the_way.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">How-Tos</category>
        
        
         <pubDate>Thu, 07 Jun 2007 18:45:15 -0500</pubDate>
      </item>
            <item>
         <title>No, our book isn&apos;t perfect...</title>
         <description>While we tried very hard to produce a technically accurate book, it is inevitable that there will be corrections. If you find something, please let us know ASAP and we will post it here! 

So far everything is good :)

Cheers,

PaulDotCom</description>
         <link>http://wrt54ghacks.com/2007/06/testing_the_errata_page.html</link>
         <guid>http://wrt54ghacks.com/2007/06/testing_the_errata_page.html</guid>
                  <category domain="http://www.sixapart.com/ns/types#category">Errata</category>
        
        
         <pubDate>Thu, 07 Jun 2007 18:34:23 -0500</pubDate>
      </item>
      
   </channel>
</rss>
