
Sunday, June 6, 2010

Installing OpenWRT Kamikaze on a Netgear DG834 v2 ADSL Router


This is how I installed OpenWRT, a Linux distribution for embedded devices, on a Netgear DG834 v2 ADSL router. Apparently the DG834G is the same but comes with a wireless interface too.

CPU: Texas Instruments AR7 @ 150 MHz
RAM: 16 MB
Disk: 4 MB flash

This modem was given to me by a friend who had been given a whole bunch of old network gear. After some research on the web I decided to try installing OpenWRT, it looked fun and some pieces of documentation for this model existed already.

My procedure is here. I mostly used these sites as a guide:
Hacking
The Netgear DG834 actually already runs a Linux kernel! You can enable telnet access to the device (a number of netgear routers support this) by logging into the web admin interface and then visiting this hidden page: http://192.168.0.1/setup.cgi?todo=debug

There is also a command injection vulnerability on the DG834G in setup.cgi?todo=ping_test: the c4_IPAddr parameter is handed to a shell without any validation, so a URL-encoded ampersand (%26) terminates the ping command and whatever follows it runs as a separate command on the router. Here is an example that executes busybox:
http://192.168.0.1/setup.cgi?todo=ping_test&c4_IPAddr=%26/bin/busybox
Apparently there is also a default account hard coded in with the password "zebra".
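To make the mechanism behind that URL concrete, here is an added shell example of mine; it is not the router's actual setup.cgi code, and the function names are made up for illustration. It models a ping_test handler in its injectable form (the already URL-decoded c4_IPAddr value spliced into a command string) beside a hardened form that accepts only a dotted-quad address and passes it as a single argument. "echo" stands in for the real ping binary so it runs anywhere.

```shell
#!/bin/sh
# Added example, not the router's real setup.cgi: a model of a ping_test
# handler in two forms. "echo" stands in for the ping binary so that the
# demo runs anywhere without sending packets.

# Vulnerable form. The web server has already URL-decoded c4_IPAddr, so
# "%26/bin/busybox" arrives here as "&/bin/busybox"; splicing it into a
# command string hands the shell a second command to run.
ping_test_vuln() {
    addr="$1"
    sh -c "echo ping -c 3 $addr"
}

# Accept only a.b.c.d with four decimal octets in 0-255; anything else
# (shell metacharacters, hostnames, empty input) fails.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs="$IFS"
    IFS=.
    set -- $1
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Hardened form: validate first, then pass the value as one argv element so
# the shell never re-parses it; "&" can no longer become syntax.
ping_test_safe() {
    if ! is_ipv4 "$1"; then
        echo "ping_test: rejected address '$1'" >&2
        return 1
    fi
    echo ping -c 3 "$1"
}

# Usage: ./ping_test.sh '192.168.0.10 &echo INJECTED'
# The first call runs the injected command, the second refuses the input.
if [ "$#" -eq 1 ]; then
    ping_test_vuln "$1"
    ping_test_safe "$1"
fi
```

The validation is deliberately a whitelist (digits and dots, four octets, each at most 255) rather than a blacklist of shell characters; the latter is how handlers like this one end up exploitable in the first place.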

To reset the device to its factory state (if you don't know its current password), hold down the reset button on the back of the device for a few seconds as you power it on. The default IP is 192.168.0.1, and the default login is username "admin" with password "password".
$ telnet 192.168.0.1
Trying 192.168.0.1...

Connected to 192.168.0.1.
Escape character is '^]'.


BusyBox v0.61.pre (2006.02.20-10:34+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /proc/version
Linux version 2.4.17_mvl21-malta-mips_fp_le (root@localhost.localdomain) (gcc version 2.95.3 20010315 (release/MontaVista)) #19 Fri Dec 9 17:16:36 CST 2005

# cat /proc/cpuinfo
processor : 0
cpu model : MIPS 4KEc V4.8
BogoMIPS : 149.91
wait instruction : no
microsecond timers : yes
extra interrupt vector : yes
hardware watchpoint : yes
VCED exceptions : not available
VCEI exceptions : not available

Telnet does not require a user name or password, and stays enabled until the device is rebooted, so while you are working anyone on the LAN has a root shell on the router; reboot it when you are done. Here is an article with some more commands to play with: http://www.cyberciti.biz/tips/hacking-the-dlink-502t-router.html

Patching the router's bootloader
ADAM2 (see http://www.seattlewireless.net/ADAM2 for more information) is the name of the bootloader on the DG834. In order for it to boot firmware images with non-standard checksums (e.g. anything not supplied by Netgear) we need to modify it.

Backup the device:
Before we modify the router firmware we should back it up. /tmp (RAM-backed) is the only place we can write to on the modem, and with 16 MB of RAM that is why the partitions are copied off one at a time. To get the firmware off the modem we can start a second instance of mini_httpd on another port (note that it serves /tmp to anyone on the LAN while it runs):
$ telnet 192.168.0.1
# cd /tmp/
# mini_httpd -p 1080
# cat /dev/mtdblock/0 > /tmp/mtd0.bin

On my laptop I retrieve the firmware one file at a time:
$ wget http://192.168.0.1:1080/mtd0.bin

On the modem, delete the copy to free /tmp again:
# rm /tmp/mtd0.bin
Repeat this for all five partitions, /dev/mtdblock/0 through /dev/mtdblock/4 (giving mtd0.bin to mtd4.bin).

The patch:
First of all, run md5sum on the mtd2.bin file you downloaded off the device. It should be:
0530bfdf00ec155f4182afd70da028c1
If not then find another guide! If yes then open up mtd2.bin in a hex editor. Go to offset 0x3944, and you should see: 44 09 00 0C
(On this little-endian MIPS board that is the instruction word 0x0C000944, a jal call, presumably into the checksum check; four zero bytes is a nop, so the call is simply skipped.)

Replace this with: 00 00 00 00

Then save the file as mtd2-patched.bin (the name used below). If you did this properly it will have the md5sum
d8a2f4623bf6f64b7427812f0e849aa7
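Here is the same hex edit done with dd so it can be checked rather than eyeballed. This is an added script of mine, not from the original post; the function and variable names are made up. It refuses to touch an input whose md5sum is not the value quoted above, checks that the four bytes at 0x3944 really are 44 09 00 0C, writes four zero bytes into a copy, and then verifies the copy's size and md5sum. The md5 arguments are optional so it can be tried on any constructed file; the original backup is never modified.

```shell
#!/bin/sh
# Added example, not from the original post: apply the 4-byte ADAM2 patch at
# offset 0x3944 (44 09 00 0C -> 00 00 00 00) with the md5 checks the post
# describes, so a wrong input image or a botched write is caught before
# anything is dd'd back onto the router.

PATCH_OFFSET=$((0x3944))
ORIG_BYTES="4409000c"       # what must be at the offset before patching
PATCHED_BYTES="00000000"
MD5_BEFORE="0530bfdf00ec155f4182afd70da028c1"   # from the post
MD5_AFTER="d8a2f4623bf6f64b7427812f0e849aa7"    # from the post

md5_of() {
    # GNU coreutils prints "hash  file"; BSD/macOS md5 -q prints only the hash
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Hex of the 4 bytes at offset $2 in file $1, e.g. "4409000c".
bytes_at() {
    dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# patch_adam2 SRC DST [MD5_IN] [MD5_OUT]
#   Omit the md5 arguments to use the post's values; pass "" to skip a check
#   (only sensible for images other than the one the post describes).
#   Returns 1 on input md5 mismatch, 2 if the expected bytes are not at the
#   offset, 3 if the output does not verify. SRC is never modified.
patch_adam2() {
    src="$1"; dst="$2"; exp_in="${3-$MD5_BEFORE}"; exp_out="${4-$MD5_AFTER}"

    if [ -n "$exp_in" ] && [ "$(md5_of "$src")" != "$exp_in" ]; then
        echo "$src: md5 does not match the known-good mtd2.bin, stopping" >&2
        return 1
    fi
    if [ "$(bytes_at "$src" "$PATCH_OFFSET")" != "$ORIG_BYTES" ]; then
        echo "$src: bytes at 0x3944 are not 44 09 00 0C, stopping" >&2
        return 2
    fi

    cp "$src" "$dst"
    # Four NUL bytes written in place; conv=notrunc keeps the rest of the file.
    printf '\000\000\000\000' | dd of="$dst" bs=1 seek="$PATCH_OFFSET" conv=notrunc 2>/dev/null

    if [ "$(bytes_at "$dst" "$PATCH_OFFSET")" != "$PATCHED_BYTES" ] ||
       [ "$(wc -c < "$dst" | tr -d ' ')" -ne "$(wc -c < "$src" | tr -d ' ')" ]; then
        echo "$dst: patch did not apply cleanly" >&2
        return 3
    fi
    if [ -n "$exp_out" ] && [ "$(md5_of "$dst")" != "$exp_out" ]; then
        echo "$dst: md5 is not the expected patched value" >&2
        return 3
    fi
    echo "$dst: patched and verified"
}

# Usage: ./patch-adam2.sh mtd2.bin mtd2-patched.bin
if [ "$#" -eq 2 ]; then
    patch_adam2 "$1" "$2"
fi
```

Run it on the laptop against the backup copy; a non-zero exit means the image on your device is not the one this guide was written for, and the dd onto /dev/mtdblock/2 should not be attempted.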
Now the fun part, and warning: the next series of commands could brick your router so please follow this guide at your own risk.

So place your mtd2-patched.bin file on a local web server (sorry, need one of those too), so we can download it back onto the modem, which has wget installed. Before writing it to flash, check with ls -l that the copy on the modem is exactly the same size as the file on your web server; a truncated download written to mtd2 is a brick.

$ telnet 192.168.0.1
# cd /tmp/
# wget http://192.168.0.10/mtd2-patched.bin
# dd if=mtd2-patched.bin of=/dev/mtdblock/2
# exit
Now, power off the device. Turn it on again and it *should* reboot just fine. This procedure has worked fine for me.. .

Compiling OpenWRT

On my Ubuntu 9.10 Laptop I checked out the source code for the OpenWRT Kamikaze 8.09 branch with subversion:
$ svn co svn://svn.openwrt.org/openwrt/branches/8.09
$ cd 8.09
$ make menuconfig
$ make package/symlinks
$ make menuconfig
$ make V=99
(V=99 gives verbose build output.) I used revision 21732 (the latest at the time) for my build. My config only has support for PPPoA (most countries use PPPoE).

You will get openwrt-ar7-squashfs.bin in the bin/ subdirectory after compiling has completed. Split it into two files at byte 720896 (0xB0000): the first 720896 bytes become ow-mtd1.bin and the remainder becomes ow-mtd0.bin, matching the "fs mtd1" and "fs mtd0" targets used during flashing:

$ dd if=openwrt-ar7-squashfs.bin of=ow-mtd0.bin skip=720896 bs=1
$ dd if=openwrt-ar7-squashfs.bin of=ow-mtd1.bin count=720896 bs=1

Flashing the router:
You can flash the router with your OpenWRT image by using the ADAM2 FTP interface. Telnet to the router and issue this command, which tells ADAM2 which IP address to bring its FTP server up on:
# echo "my_ipaddress 192.168.0.1" > /proc/sys/dev/adam2/environment
From now on, each time you reboot the router, ftp will momentarily become available during boot.

The window in which you get "21/tcp filtered ftp", as I observed when running
watch -n .4 "nmap -v 192.168.0.1 -p 21 | grep ftp", is quite small. I only had success in gaining ftp access to the device after I did the following:
  • Plugged in a network switch between my Laptop and the Router.
  • Used Ethernet port 1, out of the 5, on the router.
  • Restricted the TCP write buffer size on my Ubuntu 9.10 laptop (as shown below), saving the original values first:
root@laptop:~$ cat /proc/sys/net/ipv4/tcp_wmem > tcp_wmem_orig
root@laptop:~$ echo 0 512 512 > /proc/sys/net/ipv4/tcp_wmem

After ftp is done, restore the saved settings:
root@laptop:~$ cat tcp_wmem_orig > /proc/sys/net/ipv4/tcp_wmem
After the above is done, power off the modem and unplug it. On the laptop I have the command "ftp 192.168.0.1" typed and ready, then plug the modem in (handy to have it beside the keyboard) and run the ftp command; starting it before the network light on the device came on worked best for me.

Once you do get a login its time to ftp your compiled firmware to the device, in the directory containing your compiled OpenWRT files:
$ ftp 192.168.0.1
Connected to 192.168.0.1.
220 ADAM2 FTP Server ready.
Name (192.168.0.1:craig): adam2
331 Password required for adam2.
Password:
230 User adam2 successfully logged in.
Remote system type is UNIX.
ftp> quote "MEDIA FLSH"
200 Media set to FLSH.
ftp> bin
200 Type set to I.
ftp> put ow-mtd0.bin "fs mtd0"
local: ow-mtd0.bin remote: fs mtd0
200 Port command successful.
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
1598607 bytes sent in 14.64 secs (106.7 kB/s)
ftp> put ow-mtd1.bin "fs mtd1"
local: ow-mtd1.bin remote: fs mtd1
200 Port command successful.
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
720896 bytes sent in 6.56 secs (109.5 kB/s)
ftp> quote REBOOT
221-Thank you for using the FTP service on ADAM2.
221 Goodbye.
ftp> quit

First boot of OpenWRT
After the ftp commands above the orange light on the device will blink for a couple of minutes. This is hopefully OpenWRT configuring its system (writing its jffs2 partition)! Once this is done we can connect to the device:
$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------
Check that the jffs2 partition has been written (it can take a minute or two after the ftp transfer), then set your password and reboot the device. Mine takes ~1 minute to boot up:
root@OpenWrt:/# dmesg | grep jffs2 -A2 -B2
root@OpenWrt:/# passwd

root@OpenWrt:/# reboot



Now I have a working OpenWRT installation on my router! I can flash it via the ftp method above if I have to (which I did do again).

Connecting to my ISP
ssh to the device and use vim to edit the network settings in /etc/config/network. Here are my settings for a PPPoA ADSL connection with my New Zealand ISP (the loopback option is 'netmask', not 'mask'):
root@OpenWrt:~# cat /etc/config/network
## Localhost
config 'interface' 'loopback'
	option 'ifname' 'lo'
	option 'proto' 'static'
	option 'ipaddr' '127.0.0.1'
	option 'netmask' '255.0.0.0'
## IP
config 'interface' 'lan'
	option 'type' 'bridge'
	option 'ifname' 'eth0'
	option 'proto' 'static'
	option 'netmask' '255.255.255.0'
	option 'nat' '1'
	option 'dns' ''
	option 'ipaddr' '192.168.0.1'
## enable all 5 network ports on router switch
config 'switch' 'eth0'
	option 'reset' '1'
## My ISP details
config 'interface' 'wan'
	option 'ifname' 'atm0'
	option 'proto' 'pppoa'
	option 'encaps' 'vc'
	option 'vpi' '0'
	option 'vci' '100'
	option 'username' 'xxxx@adsl.xxxx.xxx'
	option 'password' 'xxxxxxxx'
	option 'keepalive' '5,5'
Bring up the WAN after editing the network settings:
root@OpenWrt:~# ifup wan
Connection stats are in this file:
root@OpenWrt:~# cat /proc/avalanche/avsar_modem_stats | grep Rate -A1 -B1
[DSL Modem Stats]
US Connection Rate: 869 DS Connection Rate: 7658
DS Line Attenuation: 34 DS Margin: 13
--
Frame mode: 0 Max Frame mode: 0
Trained Path: 1 US Peak Cell Rate: 2049
Trained Mode: 16 Selected Mode: 1
--
Hybrid Selected: 1 Trellis: 1
Showtime Count: 1 DS Max Attainable Bit Rate: 8648 kbps
BitSwap: 1 US Max Attainable Bit Rate: 869000 bps
Annex: AnxA psd_mask_qualifier: 0x0000
I now have a usable router running my own custom firmware to connect to the Internet with. Clients on the LAN can get an internal IP with DHCP and use the router's DNS server.

To do:
  • Customize the firewall, better logging etc. Set up a VLAN on the router's switch and have one network port for a DMZ zone.
  • The ADSL connection does not automatically start on boot yet. Also I want something to regularly check the connection health.
  • Explore half bridge with PPPoA [wlug.org.nz] - I have another router that supports half-bridging.