DebConf9/OpenWRT

Documentation for the OpenWRT setup at DebConf9

This page describes the access point configuration for DebConf9. We're using the Kamikaze version of OpenWRT.

The access points will bridge two networks and provide unencrypted wireless on the ESSID debconf and WPA-encrypted wireless on debconf_wpa. On the b+g network we'll use channels 1, 6 and 11; maps with the locations will be linked later. snmpd is installed for monitoring.


Hardware list

  • 12x Foneras (1.0 and 2.0)
  • 15x Buffalo WHR-G54

Image Source

Buffalo Configurations

We're using the standard images from Kamikaze 8.09.1 here. On the Buffalo, the file needed is the broadcom 2.4 .trx file.

/etc/config/network

config 'switch' 'eth0'
      option 'vlan0' '1 2 3 4 5*'
      option 'vlan1' '0 5'

config 'interface' 'loopback'
      option 'ifname' 'lo'
      option 'proto' 'static'
      option 'ipaddr' '127.0.0.1'
      option 'netmask' '255.0.0.0'

config 'interface' 'lan'
      option 'type' 'bridge'
      option 'ifname' 'eth0.0'
      option 'proto' 'static'
      option 'netmask' '255.255.255.0'
      option 'ipaddr' '192.168.145.1??'     ### The IP Address for management is from 131 onwards
      option 'gateway' '192.168.145.1'
      option 'dns' '192.168.145.1'

config 'interface' 'wan'
      option 'ifname' 'eth0.1'
      option 'proto' 'static'
      option 'ipaddr' '192.168.144.1'       ### The IP Address for the WAN port is always this, for management from a laptop.
      option 'netmask' '255.255.255.128'

/etc/config/wireless

config 'wifi-device' 'wl0'
	option 'type' 'broadcom'
	option 'channel' '6'  # or 1 or 11
	option 'disabled' '0'

config 'wifi-iface'
	option 'device' 'wl0'
	option 'network' 'lan'
	option 'mode' 'ap'
	option 'encryption' 'none'
	option 'ssid' 'debconf'

config 'wifi-iface'
	option 'device' 'wl0'
	option 'ssid' 'debconf_wpa'
	option 'network' 'lan'
	option 'mode' 'ap'
	option 'encryption' 'psk+psk2'
	option 'key' 'debconf9'

FON 2200

This looks almost identical to a FON2100, except that its RedBoot configuration allows RedBoot to be used through the Ethernet port.

We're using the standard images from Kamikaze 8.09.1 here. The images needed are the atheros ones, with the kernel and the root .squashfs as separate files. A tftpd server is needed, which must be hosted on 192.168.1.254.

/etc/config/wireless

config 'wifi-device' 'wifi0'
	option 'type' 'atheros'
	option 'channel' 'auto'
	option 'disabled' '0'

config 'wifi-iface'
	option 'device' 'wifi0'
	option 'ssid' 'debconf_wpa'
	option 'network' 'lan'
	option 'mode' 'ap'
	option 'encryption' 'psk+psk2'
	option 'key' 'debconf9'

/etc/config/network

config interface loopback
	option ifname	lo
	option proto	static
	option ipaddr	127.0.0.1
	option netmask	255.0.0.0

config interface lan
	option ifname	eth0
	option type 	bridge
	option proto	static
	option ipaddr	192.168.145.165
	option netmask	255.255.255.0 
	option gateway	192.168.145.1
	option dns	192.168.145.1

FON 2202

This has two ethernet ports and a USB port. We use the black port as 'LAN' (in our case 'uplink') and the white port as 'WAN' (in our case it is configured as 192.168.144.1 for emergency configuration).

/etc/config/wireless

config 'wifi-device' 'wifi0'
	option 'type' 'atheros'
	option 'channel' 'auto'
	option 'disabled' '0'

config 'wifi-iface'
	option 'device' 'wifi0'
	option 'ssid' 'debconf_wpa'
	option 'network' 'lan'
	option 'mode' 'ap'
	option 'encryption' 'psk+psk2'
	option 'key' 'debconf9'

/etc/config/network

config 'interface' 'loopback'
	option 'ifname' 'lo'
	option 'proto' 'static'
	option 'ipaddr' '127.0.0.1'
	option 'netmask' '255.0.0.0'

config 'interface' 'lan'
	option 'type' 'bridge'
	option 'proto' 'static'
	option 'ipaddr' '192.168.145.161'
	option 'netmask' '255.255.0.0'
	option 'ifname' 'eth0.0'

config 'interface' 'wan'
	option 'ifname' 'eth0.1'
	option 'proto' 'static'
	option 'ipaddr' '192.168.144.1'
	option 'netmask' '255.255.255.128'
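
The /etc/config/wireless files above can be checked mechanically before they are pushed to each access point. The following is an added example, not part of the original page or of OpenWrt: a small parser that flags open SSIDs, WPA SSIDs bridged onto the same network as an open one, mixed WPA/WPA2 mode, short keys, and a wifi-iface whose device is not defined. MIN_PSK_LEN, the finding labels and the sample text are assumptions made for the example.

```python
import shlex
MIN_PSK_LEN = 12  # assumed policy threshold, not a value from the page
# Constructed sample: page's device and SSIDs, WPA iface on an undefined device.
SAMPLE = """\
config 'wifi-device' 'wl0'
	option 'channel' '6'  # or 1 or 11
config 'wifi-iface'
	option 'device' 'wl0'
	option 'network' 'lan'
	option 'encryption' 'none'
	option 'ssid' 'debconf'
config 'wifi-iface'
	option 'device' 'wifi0'
	option 'ssid' 'debconf_wpa'
	option 'network' 'lan'
	option 'encryption' 'psk+psk2'
	option 'key' 'debconf9'
"""

def parse_uci(text):
    """Parse UCI text into (type, name, options) tuples; quotes are optional."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # strips quotes and '#' comments
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif len(tok) >= 3 and tok[0] == "option" and sections:
            sections[-1][2][tok[1]] = tok[2]
    return sections

def audit_wireless(text):
    """Return (ssid, finding) pairs for every wifi-iface section."""
    secs = parse_uci(text)
    devices = {name for kind, name, _ in secs if kind == "wifi-device"}
    ifaces = [opts for kind, _, opts in secs if kind == "wifi-iface"]
    open_nets = {o.get("network") for o in ifaces
                 if o.get("encryption", "none") == "none"}
    findings = []
    for o in ifaces:
        ssid, enc = o.get("ssid", "?"), o.get("encryption", "none")
        checks = [
            (o.get("device") not in devices, "device-not-defined"),
            (enc == "none", "open"),
            (enc != "none" and o.get("network") in open_nets, "bridged-with-open"),
            (enc == "psk+psk2", "wpa1-allowed"),
            (enc != "none" and len(o.get("key", "")) < MIN_PSK_LEN, "short-psk"),
        ]
        findings += [(ssid, label) for hit, label in checks if hit]
    return findings
```

Call audit_wireless() on the contents of each device's wireless file before the scp step; an empty list means none of these checks fired.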


Flashing

Buffalo

Flashing instructions

#!/bin/sh

# Address the Buffalo bootloader answers on (first argument, or the default)
IP=${1:-"192.168.11.1"}

# Temporary host address (.254) in the same /24 as the bootloader
ME="$(echo "${IP}" | cut -f1-3 -d.).254"
sudo ip addr add "${ME}/24" dev eth0

echo "Unplug power, press button on top and replug power"
echo "Release the button when the upload starts after about 3 seconds"
atftp --trace --option "mode octet" -p -l openwrt-brcm-2.4-squashfs.trx "${IP}"

sudo ip addr del "${ME}/24" dev eth0

# The freshly flashed image is reached on 192.168.1.1
sudo ip addr add 192.168.1.254/24 dev eth0

echo "Waiting for flashing"
sleep 40
echo "Waiting for reboot"
sleep 40

# Set the root password in this session; the scp below logs in as root
echo "Telnet to assign passwd"
telnet 192.168.1.1

echo "Edit to assign IP address"
gvim -f buffalo/etc/config/network

echo "Edit to assign Hostname"
gvim -f buffalo/etc/config/system

echo "Push configuration to device"
scp buffalo/etc/config/* root@192.168.1.1:/etc/config

Fonera 2200

Once you have gained access to RedBoot either by telnet or the serial console you can install OpenWrt with the following method.

You have to download two files (right click and save as).

Copy openwrt-atheros-vmlinux.lzma and openwrt-atheros-root.squashfs to /tftpboot/ and flash them like this:

== Executing boot script in 1.460 seconds - enter ^C to abort
^C
RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-vmlinux.lzma
Using default protocol (TFTP)
Raw file loaded 0x80041000-0x800f0fff, assumed entry at 0x80041000
RedBoot> fis init

The value given to the -e and -r switches in the 'fis create' RedBoot command below is the kernel entry point. Do not change this value.

RedBoot> fis create -e 0x80041000 -r 0x80041000 vmlinux.bin.l7
An image named 'vmlinux.bin.l7' exists - continue (y/n)? y
... Erase from 0xa8730000-0xa87e0000: ...........
... Program from 0x80041000-0x800f1000 at 0xa8730000: ...........
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .

The next step flashes the root filesystem:

RedBoot> load -r -b %{FREEMEMLO} openwrt-atheros-root.squashfs
Using default protocol (TFTP)
|
Raw file loaded 0x80041000-0x80200fff, assumed entry at 0x80041000
RedBoot> fis create -l 0x006F0000 rootfs
An image named 'rootfs' exists - continue (y/n)? y
... Erase from 0xa8030000-0xa8730000: ................................................................................................................
... Program from 0x80041000-0x80741000 at 0xa8030000: ..............................................................................................................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> reset

Fonera 2100

As this model has RedBoot through the Ethernet port disabled, we have to downgrade the original firmware, use "the html trick" to enable SSH, flash another kernel, reboot, and then flash RedBoot's config to enable telnet while RedBoot is running.

To do the downgrade, press and hold the bottom button, then plug in the power and wait 1 min. Then unplug the power (while still pressing the button, and keep it pressed for 5 sec. more). Then press and hold the button, and plug in the power. Keep the button pressed until the internet LED is on and not flashing. Then wait 15 sec. and unplug the power. The next time you turn on the Fonera, it will be downgraded.

To enable RedBoot, we need to get a shell on the default firmware. There’s not an SSH server listening by default, but we’re going to turn one on through a command injection exploit on the web interface. It’s pretty trivial, and it works well on the 0.7.1-r1 version. If you have a newer version, you’ll want to check around to see how to revert it (it might be as simple as holding down the reset button to reset it back to 0.7.1-r1), or if there are new exploits.

You’ll create two html files that submit the right input to the web interface. Go ahead and connect to the Fon’s private network SSID “MyPlace”. First, we want to set up iptables to allow traffic on the SSH port (just save this HTML to your hard drive in a .html file, view it in your web browser, and click submit):


 <html>
 <head>
 </head>
 <body>
 <center>
 <form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
 <input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="68" >
 <input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
 </form>
 </body>
 </html>
 

Now, we want to actually start the dropbear SSH server:

 <html>
 <head>
 </head>
 <body>
 <center>
 <form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
 <input name="username" value="$(/etc/init.d/dropbear)" size="68" >
 <input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
 </form>

 </body>
 </html>
 

You should be able to SSH into your Fon on port 22 of its IP address (192.168.10.1). You’ll want to set up dropbear to run whenever you reboot the Fon, too:

weasel@hacktop:~$ ssh root@192.168.10.1
The authenticity of host '192.168.10.1 (192.168.10.1)' can't be established.
RSA key fingerprint is 69:52:42:17:fd:b0:97:1a:5f:33:8d:5a:f0:5b:8a:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.1' (RSA) to the list of known hosts.
root@192.168.10.1's password:

BusyBox v1.1.3 (2006.11.21-19:49+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

_______  _______  _______
|   ____||       ||   _   |
|   ____||   -   ||  | |  |
|   |    |_______||__| |__|
|___|
Fonera Firmware (Version 0.7.1 rev 1) -------------
 *
 * Based on OpenWrt - http://openwrt.org
 * Powered by FON - http://www.fon.com
---------------------------------------------------
root@OpenWrt:~#

To enable RedBoot over Ethernet, you’ll need a modified kernel and a new RedBoot config. For convenience, I set up a web server on the computer I configured my Fon on, downloaded those files, and placed them in the root directory. From here on out, I’ll assume you’ve done the same, know what IP address it’s listening on, and will substitute it in as needed.

Next, get the modified kernel and RedBoot config onto your Fon and apply them:

weasel@hacktop:~$ scp openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7 192.168.10.1:/tmp
weasel@hacktop:~$ scp out.hex 192.168.10.1:/tmp
root@OpenWrt:~# mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
Unlocking vmlinux.bin.l7 ...
Erasing vmlinux.bin.l7 ...
Writing from openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma to vmlinux.bin.l7 ...  [w]
root@OpenWrt:~# reboot

After it finishes rebooting, SSH in and continue…

root@OpenWrt:~# mtd -e "RedBoot config" write out.hex "RedBoot config"
Unlocking RedBoot config ...
Erasing RedBoot config ...
Writing from out.hex to RedBoot config ...  [w]

Now RedBoot's telnet is activated. We only need to configure RedBoot properly:

== Executing boot script in 9.460 seconds - enter ^C to abort
^C
RedBoot> fconfig -d
RedBoot> Run script at boot: true ?
Boot script:
.. fis load -l vmlinux.bin.l7
.. exec
Enter script, terminate with empty line
>> fis load -l vmlinux.bin.l7
>> exec
>>
Boot script timeout (1000ms resolution): 10 ? 2
Use BOOTP for network configuration: false ?
Gateway IP address:  ?
Local IP address: 192.168.1.254 ? 192.168.1.1
Local IP address mask: 255.255.255.0 ?
Default server IP address:  ? 192.168.1.254
Console baud rate: 9600 ?
GDB connection port: 9000 ?
Force console for special debug messages: false ?
Network debug at boot time: false ?
Update RedBoot non-volatile configuration - continue (y/n)? y
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot>


Reboot the Fonera and continue exactly as in the Fonera 2200 procedure.

Also see OpenWRT documentation

en & alxhh for all the fish! Document written by Holger Levsen and Faidon Liambotis with the help of nbd and ryd.
