Transcript JAILBREAKING THE SOHO ROUTER

JAILBREAKING SOHO
ROUTERS
Dennis Little @ CPLUG | 2010 Aug 10
Thank you!

Jim Capp @ Anteil - Asus router loan for demos
http://www.Anteil.com
 Open
source programming
 Asterisk
& integration
digital voice solutions
 Customer
Relationship Management software
Thank you!

tapestry technologies, LLC – food sponsor
http://TapestryTech.com
 Expertise:
 DoD
STIG (Security Technical Implementation Guide)
 Security
Training
 Technology
Management Partner – full-service technology
acquisition, integration and management services
Terms



Firmware – “a term often used to denote the fixed,
usually rather small, programs and/or data
structures that internally control various electronic
devices” – Wikipedia.org
TFTP – trivial file transfer protocol; used to load
firmware to a lot of routers/devices with little RAM
JTAG – troubleshooting port useful for fixing
“bricked” (ie: corrupted) devices, converter required
Alternative firmware – WHY?

Extend functionality beyond stock firmware
 OpenVPN
– server and client endpoint
 Advanced
QoS – service, MAC and port-based
 VLAN
 SSH
server
Alternative Firmware – WHY?
 Advanced
wireless functionality – AP, client
bridge, repeater, WDS
 SIP
proxy
 More
advanced port-forwarding and triggering
(origination lock-out)
 Network
traffic graphing
Alternative Firmware – WHY?
 Dynamic
DNS – sane updates 
 Hotspot
portal / captive portal
 Transmit
power control / boost (don’t burn out!)
 Site
survey & Rx/Tx antenna selection
Compatible Hardware

Demo of 3 different models in this talk
 Wireless-G
router: WRT54G (v1.1) – WRT54GL is a
known good candidate, regardless of version
 Wireless-G
access point: EOC-1650 – requires
activation of DD-WRT (~$30 US)
 Wireless-N
router: Asus RT-N16
WRT54G / WRT54GL








~$60 shipped, hard to find in brick and mortar
1 WAN, 4 LAN
Not all versions of WRT54G are compatible!
WRT54GL v1.0 / 1.1 compatible
BCM5352 – 200 MHz
RAM: 16MB
FLASH: 4MB
100 mW max (?)
Senao / Engenius EOC-1650






~$50 shipped, hard to find brick and mortar
Wireless AP with internal 7dBi panel and 5 dBi
external SMA omni antenna (selectable), 300’ PoE
injector included, 200 mW max radio
Requires purchase of DD-WRT Professional
Atheros AR2315 – 180 Mhz
RAM: 32MB
Flash: 8MB
Asus RT-N16






~$95 shipped
Wireless N router
1 WAN, 4 LAN, 2 USB
BCM4718A – 500 MHz
RAM: 128 MB
Flash: 32 MB
Alternative Firmware

We will cover:
 Tomato
 http://www.PolarCloud.com/tomato
 OpenWRT
 http://www.OpenWRT.org
 DD-WRT
 http://www.dd-wrt.com
Alternative Firmware

Also available…
 FreeWRT
http://www.FreeWRT.org
“meant to be an appliance development kit (ADK)
especially designed for embedded system developers
and advanced users.”
Tomato – PolarCloud.com

Simple replacement for Linksys, Buffalo, BCMxxx

Extends Linksys WRT54GL GPL firmware

License ? – author’s permission?

Simpler of the 3 with some powerful features

Linksys WRT54G v1-4, GS v1.-4, GL, Buffalo
G54/G54s, Asus WL500G
OpenWRT – OpenWRT.org

GPL license

Latest version: Backfire (v10.03)

Very large HCL (hardware compatibility list)

Perhaps a bit more complicated, as many functions
as command-line only
DD-WRT – DD-WRT.com

Nice HCL database search and compatibility

Lots of functionality, 99% GUI-driven


Controversial - “GPL”; does not follow GPL 100%,
accusations of stolen code, encrypted GUI code
Commercial version available
HCL – Am I compatible?



Tomato
http://www.polarcloud.com/tomatofaq
OpenWRT
http://wiki.openwrt.org/toh/start
DD-WRT
http://www.dd-wrt.com/site/support/routerdatabase
Demo Time!

GUI of Tomato, OpenWRT and DD-WRT