Run a Linux distribution or other custom code on many models of wireless routers.
The release of the Linksys WRT54G wireless router back in 2003 was kind of a watershed moment for wireless hackers and Linux hackers alike. It was quickly determined that the WRT54G was running a Linux kernel. Source code for the unit was demanded (and eventually released), hacks were found to pass arbitrary commands to the unit, and an entire community slowly emerged around modifications to the Linksys firmware. In addition, complete Linux kernel distributions have become available, allowing all sorts of functionality that Linksys (probably) never imagined.
There are now wireless routers on the market from Linksys, Netgear, Asus, Buffalo, Belkin, Motorola, and Siemens. All of these routers use chipsets from Broadcom. Some use Broadcom radios as well, while others use Prism or Atheros radios. A pretty complete list of these devices can be found at http://openwrt.org/TableOfHardware.
This hack covers the Linksys-based alternate firmware for these wireless routers, and shows how to install a complete Linux distribution, as well as some of the cool things that will let you do.
When Linksys finally released the modified Linux kernel and utilities they had included with the WRT54G, and made the code available as required by the General Public License (GPL), it became possible for software developers around the world to start modifying this code to suit their purposes. Code for all Linksys products that use Linux internally is available at http://www.linksys.com/support/gpl.asp.
We don't have the space to cover all of the alternate firmware available for Linksys and other Broadcom-based wireless routers. Two good places to go for information on other firmware, as well as to find updated releases, are http://linksysinfo.org and http://www.wrt54g.com.
5.6.1. Sveasoft Firmware
One of the first modified versions of the Linksys firmware came from a Swedish company, Sveasoft. They have continued to improve their product and now have two different offerings. Their stable tested code is released to the public with source code, free of charge, as required by the GPL. Newer code under development and access to their support forums are available for a $20 yearly subscription fee.
Early in the development process, access to the development code and the forums was freely available, and the conversion from a free to a paid service met with a lot of resistance from the community. One result of this is that there are now several forks of the Sveasoft firmware, by different developers, and over time these forks have developed different feature sets. You can find many of these forked firmware images on the web sites mentioned in the previous section.
At the time of this writing, the freely available Sveasoft firmware is known as Alchemy. We obtained our copy from http://linksysinfo.org. Converting your wireless router to the Alchemy firmware is fairly trivial and follows the same process for installing upgraded Linksys firmware.
Use a web browser to load the Linksys administrative web pages. The default IP address for a Linksys router is 192.168.1.1. Login with the username and password you set. (You did change the default password from admin, didn't you?) Choose Administration images/U2192.jpg border=0> Firmware Upgrade, as shown in Figure 5-1.
Click Browse and locate the unzipped firmware file Alchemy-V1.0.bin. Select Upgrade to begin the firmware upload and upgrade. Do not interrupt this process! Upon completion, the router will reboot and load the new firmware.
The Sveasoft firmware gives your WRT54G some advanced features. We can't cover them all here, but we'll try to hit some of the high points. One of the most useful features for anyone who is sharing their broadband connection is the Quality of Service (QoS) capabilities now available. Anyone who's tried to make a VoIP phone call over a congested ADSL line will know exactly why QoS is so great.
Figure 5-1. WRT54G firmware upgrade
As shown in Figure 5-2, you can set the maximum uplink and downlink speeds for your WAN or LAN/Wireless connections. Once enabled, you can set QoS service priorities for protocols such as SSH, VoIP, and many others. This means that you can set the service priority for VoIP to High to ensure no other traffic takes priority. You can also set priorities for specific netmasks, MAC addresses, or the four Ethernet ports on the WRT54G.
Among the other features the Sveasoft firmware gives you are the ability to do OSPF routing, enable communication between access points using the Wireless Distribution System [Hack #69], run a SSH client and server, and finally, enable a Client Mode that allows you to connect to other access points.
OpenWRT is the antithesis of all the Linksys-based firmware projects. It is a minimal Linux distribution with basic command-line tools and support for adding functionality via a package manager. While not practical for basic home use, OpenWRT is a powerful option for anyone who wants to have specific features enabled on their wireless router.
Figure 5-2. QoS settings
The project is under heavy development. As of this writing, the stable release has been removed from the web site, and the experimental code is available at http://openwrt.org/downloads/experimental/bin. The original OpenWRT code booted using a small partition in RAM, then created a secondary partition for loading the full firmware. The experimental release offers a second option of a single jffs2 (Journaling Flash File System) partition, which makes operations of the distribution much more simple.
In order to install the experimental release of OpenWRT you'll need to get the right version for your wireless router hardware. There are specific versions for WRT54G and WRT54GS hardware, as well as Motorola routers, and a generic version for other hardware models. Our units were both WRT54G models, so we downloaded the openwrt-wrt54g-jffs.bin file.
You can install the OpenWRT firmware using the Linksys web-based administration tools, as shown previously in Figure 5-1, or from any of the Linksys-based projects, all of which support firmware upgrades from their web pages. An alternative method involves enabling the boot_wait parameter in the NVRAM of your Linksys router and using a tftp client to send firmware to the Linksys during the boot process. Unless you have already installed an alternate firmware such as Sveasoft Alchemy, which allows you to set boot_wait from the web interface, this involves taking advantage of a bug in Ping.asp in the standard Linksys firmware. Details on this method can be found at http://openwrt.org/OpenWrtDocs/Installing.
The jffs2 versions of the OpenWRT firmware will take several minutes for the first bootup and will reboot before becoming usable. While booting, the DMZ LED will be lit and will turn off once the firmware has booted. The firmware configures the network interfaces, using DHCP for the WAN interface, and sets up a basic NAT/firewall. Once booted, you can telnet to the router using the last LAN IP address it was configured for.
As the documentation says:
Why no telnet password? Telnet is an insecure protocol with no encryption, we try to make a point of this insecurity by not enabling a password. If you're in an environment that requires password protection we suggest using the dropbear ssh server.
Setting up the dropbear SSH server is as simple as setting the root password:
# passwd foo
Once a password has been set, the telnet daemon is disabled, sshd is enabled, and you can now use any SSH client to access your router. You now have a complete, albeit small, Linux distribution running. What can you do with it?
The first thing you should do is see what packages come installed by default, using the ipkg package manager:
Anyone who's used apt-get in Debian or Ubuntu distributions will be familiar with the syntax of ipkg. You'll want to update the list of available packages, and then you can list them:
ipkg update ipkg list
5.6.3. Hacking the Hack
Your options are really unlimited at this point, especially if you've loaded OpenWRT. This is a complete Linux distribution, and short of running things like a window manager, just about anything is possible. There are packages available to run a web server, FreeRADIUS for authentication, IPSec VPN software, and at least two different captive portal packages: NoCatSplash [Hack #75] and WiFiDog (http://old.ilesansfil.org/wiki/WiFiDog). For even more fun with OpenWRT, you can set up true mesh networking [Hack #68] using the OLSR mesh networking protocol.
Bluetooth, Mobile Phones, and GPS
Network Discovery and Monitoring
Wireless Network Design
Appendix A. Wireless Standards
Appendix B. Wireless Hardware Guide