Flashing to OpenWrt Firmware
On Friday, November 1, 2013 Labels: Cracking WEP with BackTrack, Flashing to OpenWrt Firmware
This page gives an overview of flashing OpenWrt firmware onto a Linksys WRT54GS from a Windows PC.
Obtaining OpenWrt Firmware
The OpenWrt firmware is available as a compiled binary or as source. As recommended on the OpenWrt website, download the binary for the latest stable release, referred to as White Russian.
When these pages were last updated, White Russian 0.9 was current, so download openwrt-wrt54gs-squashfs.bin from the White Russian binary downloads directory. Verify the image's checksum against the one published with it before flashing: a truncated or corrupted image is the easiest way to brick the router.
Flashing to OpenWrt
Network Connectivity
The WRT54GS's default IP address is 192.168.1.1, so configure a PC with a static IP address in the same subnet, such as 192.168.1.2, and connect it to one of the WRT's LAN ports.
Before flashing with OpenWrt, the WAN (aka internet) port reportedly must be configured with a valid IP address.
Configure WAN IP
Using the PC, I point a web browser at the web interface for the WRT's Linksys firmware, available at http://192.168.1.1. Default logon details consist of a blank username, and a password of admin.
Using the web interface, navigate to Setup -> Basic Setup, and change the type to "Static IP", and configure it with a valid IP address, netmask and default gateway (I used an IP of 10.10.10.10, netmask 255.255.255.0 and gateway 10.10.10.1).
Enable boot_wait
The boot_wait variable needs to be set, to cause the WRT to delay the boot process for a few seconds, allowing a new firmware to be installed through the bootloader.
Note that WRT54GS firmware versions newer than 3.37.2 cannot have the boot_wait variable enabled through the "normal" method, the "ping hack" (a command injection in the web interface's ping diagnostic), because newer firmware filters that input.
If you have a firmware newer than 3.37.2, you will need to downgrade to version 3.37.2 first.
The 3.37.2 firmware for the WRT54GS is available on Linksys' ftp server.
The boot_wait variable is set via the "ping hack": the Administration -> Diagnostics page passes the contents of the ping target field to a shell, so a semicolon ends the ping command and whatever follows it runs with the privileges of the web server. The field rejects spaces, which is why the lines below use ${IFS} (the shell's field separator) in their place; the globs */*/nvram and */n expand to the nvram binary and to the copy of it made in /tmp/n. In the web interface, navigate to the Administration -> Diagnostics page and hit the Ping button.
Enter each of these lines into the "ip address or domain name" text box, and hit "ping" after each entry:
;cp${IFS}*/*/nvram${IFS}/tmp/n
;*/n${IFS}set${IFS}boot_wait=on
;*/n${IFS}commit
;*/n${IFS}show>tmp/ping.log
After the last command, a long list of configuration parameters is shown, and it should include
boot_wait=on
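To show why the ping hack works, here is an added example (not code from the original page or from the Linksys firmware): a constructed stand-in for a CGI that splices the form field into a command string and hands it to a shell, next to a hardened version that validates the input and runs the command without a shell. 'echo' replaces 'ping' so the block runs offline, and the regex and function names are assumptions for illustration.

```python
# Added example: vulnerable vs. hardened handling of the ping target field.
# Not the Linksys firmware's actual CGI; 'echo' stands in for 'ping' so that
# nothing is sent on the network.
import re
import shlex
import subprocess

PING = "echo ping -c 3"  # constructed stand-in for the real ping command line


def vulnerable_ping(target):
    """The vulnerable pattern: string concatenation plus shell=True.
    A ';' in target ends the ping command and the rest runs as a new command;
    ${IFS} expands to the shell's separator characters, so it acts as a space."""
    proc = subprocess.run(f"{PING} {target}", shell=True, capture_output=True, text=True)
    return proc.stdout


def is_valid_target(target):
    """Hostname or dotted IPv4 only: no shell metacharacters, and no leading '-'
    so the input cannot be parsed as a ping option either."""
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}", target) is not None


def hardened_ping(target):
    """Validate, then exec without a shell: the target is a single argv element
    that no shell ever parses."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    proc = subprocess.run(shlex.split(PING) + [target], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # The second output line, "injected", came from the payload, not from ping.
    print(vulnerable_ping(";echo${IFS}injected"))
    print(hardened_ping("192.168.1.1"))
```

The same ${IFS} trick is what lets the four lines above spell "cp /usr/sbin/nvram /tmp/n" and "nvram set boot_wait=on" through a field that refuses spaces.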
Uploading New Firmware
When these pages were originally written in February 2005, there was minimal information about flashing OpenWrt firmware to a WRT using a Windows PC, with almost all references mentioning Linux TFTP tools only. I have enough Linux boxes at home, but was using my Windows 2000 laptop to initially configure the WRT, and wanted to be able to flash the firmware from it.
Windows 2000 and Windows XP ship with a command-line TFTP client (tftp.exe), which is all that is needed: while boot_wait is in effect the WRT's bootloader runs a TFTP server and accepts a firmware image pushed to it. The Windows PC must be configured with a static IP address in the 192.168.1.0/24 subnet; a DHCP-assigned address will not do when flashing, because nothing is serving DHCP while the router sits in its bootloader.
Note that the WRT's IP address while in boot_wait mode is always 192.168.1.1.
Note that the Windows TFTP client doesn't retry (most Linux TFTP clients can be configured to keep retrying until the transfer goes through), so you need to start the transfer at exactly the right moment in the WRT's boot cycle.
Use the following command on a Windows PC:
tftp -i 192.168.1.1 PUT openwrt-wrt54gs-squashfs.bin
Run this command from a command prompt at the same moment you apply power to the WRT to start its boot cycle.
The easiest way to determine the timing is to open a command prompt and run the following:
ping -w 5 -t 192.168.1.1
and start the upload as soon as the ping starts responding after powering on the WRT.
If the flash is successful, the TFTP client should report something like:
Transfer successful: 1549312 bytes in 4 seconds, 387328 bytes/sec
and the WRT will be rebooted.
If TFTP responds with an invalid password error, you ran the command too late in the WRT's boot cycle and connected to the password-protected TFTP server in the Linksys firmware rather than the TFTP server in the bootloader: power the WRT off and try again.
If you repeatedly get invalid password errors, your PC's network card may be taking too long to re-establish its Ethernet link after the WRT power-cycles, so the bootloader's window has already passed by the time packets can flow. Connecting the PC and the WRT to each other through a hub or switch keeps the PC's link up while the router reboots.
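Since the Windows client makes a single attempt, a client that keeps retrying removes most of the timing guesswork. The following is an added example (not code from the original page, OpenWrt or Linksys): a minimal TFTP "put" client in RFC 1350 octet mode that resends every packet until it is acknowledged, and recognises the ERROR packet a password-protected server sends back. The in-process fake server, the loopback addresses and the sample payload are constructed so the block runs offline; against a real router the WRQ would go to 192.168.1.1 port 69.

```python
# Added example: a retrying TFTP put client plus a constructed fake server
# for offline demonstration. Not OpenWrt's or Linksys' tooling.
import socket
import struct
import threading

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK_SIZE = 512


class TftpError(Exception):
    """The peer answered with a TFTP ERROR packet (e.g. 'invalid password')."""
    def __init__(self, code, message):
        super().__init__(f"TFTP error {code}: {message}")
        self.code, self.message = code, message


def build_wrq(filename, mode="octet"):
    """WRQ = opcode 2 | filename | NUL | mode | NUL."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, chunk):
    """DATA = opcode 3 | 16-bit block number | up to 512 payload bytes."""
    return struct.pack("!HH", OP_DATA, block) + chunk


def parse_ack(pkt):
    """Return the acknowledged block number; raise on ERROR; None for anything else."""
    if len(pkt) < 4:
        return None
    opcode, num = struct.unpack("!HH", pkt[:4])
    if opcode == OP_ACK:
        return num
    if opcode == OP_ERROR:
        raise TftpError(num, pkt[4:].split(b"\0")[0].decode(errors="replace"))
    return None


def tftp_put(host, port, filename, data, timeout=1.0, retries=5):
    """Upload data as filename; each packet is resent up to `retries` times on timeout."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")  # a block shorter than 512 bytes marks the end of the transfer
    # Every packet we send, paired with the block number whose ACK completes it.
    packets = [(build_wrq(filename), 0)]
    packets += [(build_data(n, chunk), n) for n, chunk in enumerate(blocks, start=1)]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    peer = (host, port)  # WRQ goes to port 69; the server answers from a new port (its TID)
    try:
        for pkt, expected in packets:
            for _ in range(retries + 1):
                sock.sendto(pkt, peer)
                try:
                    reply, addr = sock.recvfrom(4 + BLOCK_SIZE)
                except socket.timeout:
                    continue  # lost packet, or bootloader not listening yet: resend
                if parse_ack(reply) == expected:
                    peer = addr  # lock on to the server's transfer port after the first ACK
                    break
            else:
                raise TimeoutError(f"no ACK for block {expected} after {retries + 1} attempts")
    finally:
        sock.close()
    return len(data)


def fake_tftp_server(sock, reject=False):
    """Constructed peer for the demo: ACKs the WRQ received on `sock`, then ACKs each
    DATA block from a fresh port and returns the reassembled bytes. With reject=True
    it answers the WRQ with an ERROR, like the firmware's password-protected server."""
    wrq, client = sock.recvfrom(4 + BLOCK_SIZE)
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.bind(("127.0.0.1", 0))
    xfer.settimeout(5.0)
    received, expected = b"", 1
    try:
        if reject or struct.unpack("!H", wrq[:2])[0] != OP_WRQ:
            xfer.sendto(struct.pack("!HH", OP_ERROR, 0) + b"invalid password\0", client)
            return b""
        xfer.sendto(struct.pack("!HH", OP_ACK, 0), client)
        while True:
            pkt, client = xfer.recvfrom(4 + BLOCK_SIZE)
            opcode, block = struct.unpack("!HH", pkt[:4])
            if opcode == OP_DATA and block == expected:  # drop retransmitted duplicates
                received += pkt[4:]
                expected += 1
            xfer.sendto(struct.pack("!HH", OP_ACK, block), client)
            if opcode == OP_DATA and len(pkt) - 4 < BLOCK_SIZE:
                return received
    finally:
        xfer.close()


def demo(payload=b"\x00" * 1000 + b"OPENWRT", reject=False):
    """Run the client against the fake server over loopback.
    Returns ("ok", bytes the server stored) or (error text, b"")."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # stands in for the bootloader at 192.168.1.1:69
    result = {}
    worker = threading.Thread(target=lambda: result.update(data=fake_tftp_server(srv, reject)))
    worker.start()
    try:
        tftp_put("127.0.0.1", srv.getsockname()[1], "openwrt-wrt54gs-squashfs.bin",
                 payload, timeout=0.5, retries=2)
        status = "ok"
    except TftpError as exc:
        status = exc.message
    finally:
        worker.join()
        srv.close()
    return status, result.get("data", b"")


if __name__ == "__main__":
    print(demo())
```

Against the router, a loop that calls tftp_put with a generous retry count can be started before power is applied: the WRQ is simply resent until the bootloader answers, and an "invalid password" TftpError means the firmware's own server got the request, so the router must be power-cycled and the loop restarted.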
The First Boot with OpenWrt
Boot Status
The DMZ LED on the front of the WRT is used by OpenWrt to indicate the boot status. The LED is on while OpenWrt is booting, and is turned off once the boot process is complete.
Firstboot Script
When your WRT boots for the first time after it's been reflashed with OpenWrt firmware, the firstboot script is automatically run, and will create the jffs2 partition.
Accessing the WRT
Telnet Access
Once the boot process is complete (and the DMZ LED is off), you should be able to telnet into the WRT on 192.168.1.1.
Security
Note that the telnet server in OpenWrt has no password protection at all. This is deliberate, to emphasise the insecurity of telnet. You should set the root password immediately by running
passwd
This also disables the telnet server, so from then on you'll need to use SSH instead of telnet to access the WRT.
Configuring the WRT
Installing Packages
OpenWrt uses the ipkg lightweight package manager to download and install OpenWrt packages.
Basic syntax for installing packages is:
ipkg install [http://website/path/]packagename[.ipkg]
OpenWrt packages are available from OpenWrt's White Russian package repository.
Changing Configuration with nvram
Most configurable settings are stored in Non-Volatile RAM (nvram), and their values can be viewed and modified via the use of the nvram command.
To view the current configuration, you can use:
nvram show | more
nvram get keyname
Values can be modified using
nvram set keyname=value
Note that changes are not permanent until they are committed to flash; until then a reboot discards them. To commit the nvram configuration and reboot, run
nvram commit
reboot