jailbreaking soho routers dennis little @ cplug | 2010 aug 10

Post on 23-Dec-2015


JAILBREAKING SOHO ROUTERS

Dennis Little @ CPLUG | 2010 Aug 10

Thank you!

Jim Capp @ Anteil - Asus router loan for demos http://www.Anteil.com

Open source programming & integration

Asterisk digital voice solutions

Customer Relationship Management software

Thank you!

Tapestry Technologies, LLC – food sponsor http://TapestryTech.com

Expertise: DoD STIG (Security Technical Implementation Guide)

Security Training

Technology Management Partner – full-service technology acquisition, integration and management services

Terms

Firmware – “a term often used to denote the fixed, usually rather small, programs and/or data structures that internally control various electronic devices” – Wikipedia.org

TFTP – trivial file transfer protocol; used to load firmware to a lot of routers/devices with little RAM

JTAG – troubleshooting port useful for fixing “bricked” (i.e. corrupted) devices, converter required

Alternative Firmware – WHY?

Extend functionality beyond stock firmware

OpenVPN – server and client endpoint

Advanced QoS – service, MAC and port-based

VLAN

SSH server

Alternative Firmware – WHY?

Advanced wireless functionality – AP, client bridge, repeater, WDS

SIP proxy

More advanced port-forwarding and triggering (origination lock-out)

Network traffic graphing

Alternative Firmware – WHY?

Dynamic DNS – sane updates

Hotspot portal / captive portal

Transmit power control / boost (don’t burn out!)

Site survey & Rx/Tx antenna selection

Compatible Hardware

Demo of 3 different models in this talk

Wireless-G router: WRT54G (v1.1) – WRT54GL is a known good candidate, regardless of version

Wireless-G access point: EOC-1650 – requires activation of DD-WRT (~$30 US)

Wireless-N router: Asus RT-N16

WRT54G / WRT54GL

~$60 shipped, hard to find in brick and mortar

1 WAN, 4 LAN

Not all versions of WRT54G are compatible!

WRT54GL v1.0 / 1.1 compatible

BCM5352 – 200 MHz

RAM: 16MB

FLASH: 4MB

100 mW max (?)

Senao / Engenius EOC-1650

~$50 shipped, hard to find brick and mortar

Wireless AP with internal 7dBi panel and 5 dBi external SMA omni antenna (selectable), 300’ PoE injector included, 200 mW max radio

Requires purchase of DD-WRT Professional

Atheros AR2315 – 180 MHz

RAM: 32MB

Flash: 8MB

Asus RT-N16

~$95 shipped

Wireless N router

1 WAN, 4 LAN, 2 USB

BCM4718A – 500 MHz

RAM: 128 MB

Flash: 32 MB

Alternative Firmware

We will cover:

Tomato http://www.PolarCloud.com/tomato

OpenWRT http://www.OpenWRT.org

DD-WRT http://www.dd-wrt.com

Alternative Firmware

Also available…

FreeWRT http://www.FreeWRT.org “meant to be an appliance development kit (ADK) especially designed for embedded system developers and advanced users.”

Tomato – PolarCloud.com

Simple replacement for Linksys, Buffalo, BCMxxx

Extends Linksys WRT54GL GPL firmware

License ? – author’s permission?

Simpler of the 3 with some powerful features

Linksys WRT54G v1-4, GS v1-4, GL, Buffalo G54/G54s, Asus WL500G

OpenWRT – OpenWRT.org

GPL license

Latest version: Backfire (v10.03)

Very large HCL (hardware compatibility list)

Perhaps a bit more complicated, as many functions are command-line only

DD-WRT – DD-WRT.com

Nice HCL database search and compatibility

Lots of functionality, 99% GUI-driven

Controversial - “GPL”; does not follow GPL 100%, accusations of stolen code, encrypted GUI code

Commercial version available

HCL – Am I compatible?

Tomato http://www.polarcloud.com/tomatofaq

OpenWRT http://wiki.openwrt.org/toh/start

DD-WRT http://www.dd-wrt.com/site/support/router-database

Demo Time!

GUI of Tomato, OpenWRT and DD-WRT
