Normally I post stuff that is working, so I have instructions to repeat it. This seems to be a saga to TRY to get something working, and a large fail has caused a lot of effort just to return to where I started, which is starting to become a project in itself, so I'm posting my progress as I go. So these instructions are an attempt to revive my dead router, to get it back to a usable state.
Goal: Get a WRT set up for pentesting and defensive purposes (Snort, Nmap, TCPdump, Nessus, etc). I wanted a wifi IDS, and an IDS even for the wired side, which wouldn't require me to dedicate a PC (more power, noise, expensive, etc).
Hardware: WRT54GL V1.1
Problem: Bricked router
I recently bought two routers, a WRT54GS V7.2 (~$30), and a WRT54GL V1.1 (~$70)
I tried putting a captive portal on the GS, but with only 2MB of RAM, it was crippled (see previous post). So I made it into a guest network without a portal, and moved on to my GL.
The firmware for the GL which appealed to me the most (and which was suggested by the Linksys WRT54G Hacking book) was the Fairuzawrt firmware. This is mostly undocumented firmware, and I knew I was getting into murky waters installing it. I looked around their site to try to find documentation on which versions were supported, and they don't mention it at all. That worried me. But since I had success bringing my GS back from the dead (due to a corrupt NVRAM) previously, I thought I'd still try. I had corrupted the NVRAM on the GS a handful of times trying to find captive portal firmware, and had always managed to bring it back. Besides, I really wanted a WIDS and a pentesting suite on a WRT.
As a trial run, I enabled the boot loading option in case I ran into problems, and I installed eWRT. That was to check out the NoCatSplash portal, which I couldn't get working in the GS. It seemed like I COULD set up a portal with the GL using NoCatSplash, but I had already set up a guest network with the GS, and I wanted to use this hardware for something with more oomph. Besides, I didn't want to spend $70 on a router just for a guest portal.
I installed Openwrt-wrt54g3g-squash.bin, and that seemed to be a pretty nice platform. It seemed very stable and usable, as a router. I looked through their packages, and didn't see Snort anywhere, so that firmware seemed out. I could have gone down the dd-wrt route, and this may be a project in the future, but since Fairuzawrt seemed to have the applications I wanted, I thought I'd try that. I used the seemingly stable web interface of OpenWRT to upload the Fairuzawrt-02.bin firmware, and here is where my problems started. The firmware upload hung in the middle of the upload.
Rebooted the router. Power light blinks steadily (indicating bad firmware). Tried to tftp up the aforementioned OpenWRT firmware several times, no success. Tried to ping the router: fail. The arp table shows an "incomplete hardware address"--not good. The Ethernet port that I'm plugged into on the router is solid, and it blinks when I ping it, which is a good sign. It is also a good sign that ALL the Ethernet ports are not solid, which indicates a bricked router. But it still won't ping or upload firmware.
I tried holding down the reset button for 30 seconds, unplugging power, holding for 30 more seconds, plugging power back in, and holding the reset for 30 more seconds, to reset the NVRAM in case the configuration file was corrupt. No help.
I voided the warranty on the two-day-old router, and pulled out the motherboard. Shorted out pins 15-16, 16-ground, and 16-17. No help.
So now I have a steadily blinking power light, and can't communicate with it. The one steady Ethernet port, which blinks when I ping it, is promising, but the lack of an address in the arp table is disheartening. I thought I'd at least get the switch port to show something in the arp table (I installed a switch between my router and my laptop to make it more stable). It looks like a JTAG cable is my only choice.
I'm currently doing research to build a JTAG cable. This seems like a lot of work, but something geeky, so I tried it anyway. Plus, I hated to have a two-day old, $70 brick.
Using the WRT book, the HairyDairyMaid guide, and also this URL to build a JTAG cable, I came up with the below necessary parts. I was surprised when I looked at my geek inventory that I had no parallel printer cables anywhere! So I thought of going to Radio Shack with the below parts list.
Radio Shack:
PN 276-1547 25-pin male solder D-sub connector
PN 276-1549 25-pin D-Sub hood
PN 271-1131 100 Ohm resistors (pack of 5)
and then ordering the rest from Digikey.
Digikey:
PN WM 8124-ND 2 by 6 pin header ($1.28)
PN MSC-12K Socket Connector (can't find)
PN MSSR-12-ND Socket Connector Strain Relief (Can't find)
But that seemed like too much of a pain, and the Radio Shacks around here kind of blow, and in the end I'd probably spend more in gas driving to Radio Shacks, so I decided to just order the JTAG cable for $10.90 (including shipping) from eBay.
I got the JTAG cable, and was all set to solder the header pin to the board. Here is what the equipment looked like:
Here is a closeup of the board without any connector:
OK, from here I broke out the Soldering Iron, and soldered on the Pin Header. Here are a couple of pics:
OK, so my soldering needed a little work. Actually, this was the first attempt. I then installed the JTAG reading software on a Windows box with a parallel port (installed the driver). That looked like this:
After I plugged in the cable and probed the card, I couldn't read the CPU. So I broke out the Soldering Iron again and fixed a few connectors. After that, I plugged the board in and probed it with success!!! I tried to erase the NVRAM, but couldn't. See the screenshot:
The NVRAM Erase just sat there forever. Since I couldn't erase the NVRAM, I tried to erase the flash. Still no success, as below shows.
Like the NVRAM, erasing the flash hung forever also. Since I couldn't get to the NVRAM, or to the FLASH, the next logical place was the bootloader. In Linksys it's called a CFE. Luckily, I had the CFE for my current router, and I just replaced the one on the WRT with my file by using the command:
>tjtagv2.exe -flash:cfe /noemw /noreset
Success! The tjtag program happily stomped all over the bootloader, and I replaced it completely. This scrolled off the screen, so I have no screen capture but the end. Then, when I tried to erase the NVRAM, it worked! See below:
I tried to erase the Flash, but it still hung. It was really screwed if the JTAG couldn't replace it. So, I thought I'd just reboot the router and tftp up the original Linksys firmware image (FW_WRT54GL_4.30.12.3_US_EN_code.bin). Luckily, that tftp'd up with no issues! So, I rebooted the router, and it came up like a champ! SUCCESS at last!
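The tftp recovery step used above, as an added shell example that is not part of the original post: it refuses to push anything that does not carry a TRX header (either directly, or after the 32-byte Linksys code-pattern header that the stock FW_WRT54GL images have), then polls the router until the bootloader answers and pushes the image in binary mode. The recovery address 192.168.1.1, a tftp-hpa style interactive tftp client, Linux-style ping options and the image path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the router's default
# recovery address 192.168.1.1 and an interactive "tftp" client (tftp-hpa style).
ROUTER=${ROUTER:-192.168.1.1}

# Linksys WRT54G/GL images start with a 32-byte vendor "code pattern" header
# (e.g. "W54G") followed by a TRX header whose magic is "HDR0"; a bare TRX
# image starts with "HDR0" directly. Returns 0 if the file looks like either.
check_image() {
    f=$1
    [ -r "$f" ] || return 1
    [ "$(dd if="$f" bs=1 count=4 2>/dev/null)" = "HDR0" ] && return 0
    [ "$(dd if="$f" bs=1 skip=32 count=4 2>/dev/null)" = "HDR0" ]
}

# Writes a constructed, minimal Linksys-style image (headers only, no payload)
# to $1 so the check can be exercised offline without a real firmware file.
make_sample_image() {
    { printf 'W54G'; dd if=/dev/zero bs=1 count=28 2>/dev/null; printf 'HDR0'; } > "$1"
}

# Start this first, then power-cycle the router: the CFE bootloader answers
# ping and accepts a tftp upload only for a few seconds at power-up.
recover() {
    img=$1
    check_image "$img" || { echo "not a TRX/Linksys image: $img" >&2; return 1; }
    echo "waiting for $ROUTER (power-cycle the router now) ..."
    tries=0
    until ping -c 1 -W 1 "$ROUTER" >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt 120 ] || { echo "no reply from $ROUTER" >&2; return 1; }
    done
    # rexmt 1 retries every second so the upload starts inside the boot window
    printf 'binary\nrexmt 1\ntimeout 60\nput %s\n' "$img" | tftp "$ROUTER"
}
```

Usage: source the file and run `recover FW_WRT54GL_4.30.12.3_US_EN_code.bin` (or whichever image you have) from a host with a static address on 192.168.1.0/24, then power-cycle the router.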
The JTAG Cable worked GREAT! I recommend it for bricked routers!