Text conventions used in this document:
root@OpenWRT:~# - Router command line through terminal emulator
user@host:~$ - Linux computer command line
Italicized text - Command to type
Blue text - Command return info
Bold text - User entered text
Something to Take Note of

Hardware versions:
V0.1 – DB9 Parasite
V0.25 – Integrated GPS, Serial
Install OpenWRT
o I suggest Renderman's Guide
o Skip the part about kismet_drone since we'll be using kismet_server instead
Working internet connection
This document was originally written for the SquashFS version of OpenWrt. If you use the JFFS2 version you can still follow the instructions, but you're not dealing with a read-only file system that is sym-linked, so you JFFS2'ers have it easier.
Parts list (Part# / Description / Source):
- SchmartBoard 7100-0001-01 - Populated RS-232 Module (Fry's Electronics)
- 10-pin flat ribbon cable (multi-colour)
- Soldering pencil, or soldering iron with small/defined tip
- Lead-free solder; 0.032" diameter
- OPTIONAL: Desoldering braid (copper-based)
- Wire strippers, scissors, or strong fingernails
- Needle-nosed pliers, or something very similar (for crimping)
- OEM GPS Receiver (Ebay seller mjc312; ask for a Rev K if possible to ensure 3.0 VDC operation)
- GPS Antenna
- Breakout Board for SD-MMC Cards
The addition of the serial port is probably one of the easiest mods to do to the router. The serial port is already there; the only problem is that the voltage levels are wrong, so we need to fix that. The WRT serial port is 3 volt; some laptops are 5 volts, and some computers are 12v. If you're going to hook a computer up to the serial port then you'll want the RS232 converter circuit. It's a good idea to use it with the GPS too, although you could probably get away with just some current-limiting resistors.

Crimp some cable into the 10 pin IDC female cable-mount header (make sure the wire marked in red is oriented to pin 1, which is normally marked with an arrow). You can either solder directly to the board, solder in the 6 pin header and use it, or use a push friction header connector as I did. The connections/instructions provide for the use of 2 serial ports; however I only have 1 hooked up at this time. If you wish to use 2 serial ports then read up on it at Jake Borden's Site or buy the dual serial port adapter.
Wire it to the AD233BK PCB as follows:
Connect wires 1 and 2 (both VCC) to "+5V" on the PCB. Note that the voltage supplied by the WRT54G is 3.3V, but the MAX233 chip on the PCB can handle both 3.3V and 5V.
ttyS0 = /dev/tts/0 – 115200,N,8,1, No Handshaking - Console login default
ttyS1 = /dev/tts/1 – 9600,N,8,1, No Handshaking - Spare for serial device such as GPS
Why the 6 pin header?
Well, if you only do a single port mod and want to use GPS there are some caveats; see the GPSD section. Or make up two cables, one wired for tts/0 and the other for tts/1. If you ever need the serial console (say you brick the router and can't get PuTTY to work on the ethernet) just unplug the tts/1 cable and plug in the other cable. Use some Velcro to keep the spare cable from rattling around inside.
Dual Serial – requires modification to the AD233BK PCB; see the linked guide above
- Connect wire 3 (ttyS1 TXD) to "Rt" on the PCB
- Connect wire 4 (ttyS0 TXD) to "Tx" on the PCB
- Connect wire 5 (ttyS1 RXD) to "Ct" on the PCB
- Connect wire 6 (ttyS0 RXD) to "Rx" on the PCB
- Leave wires 7 and 8 unconnected
- Connect wires 9 and 10 (both GND) to "-" on the PCB
Single Serial – No Serial Console tts/1
- Connect wire 3 (ttyS1 TXD) to "Tx" on the PCB
- Leave wire 4 unconnected
- Connect wire 5 (ttyS1 RXD) to "Rx" on the PCB
- Leave wire 6 unconnected
- Leave wires 7 and 8 unconnected
- Connect wires 9 and 10 (both GND) to "-" on the PCB
Single Serial – Serial Console tts/0 v0.2
- Leave wire 3 unconnected
- Connect wire 4 (ttyS0 TXD) to "Tx" on the PCB
- Leave wire 5 unconnected
- Connect wire 6 (ttyS0 RXD) to "Rx" on the PCB
- Leave wires 7 and 8 unconnected
- Connect wires 9 and 10 (both GND) to "-" on the PCB
[Photos: serial board, v0.1 and V0.25]
[Photo: 6 pin header connector close up wired for dual serial v0.1]
[Photos: v0.1 and v0.25]
Older WRTs: follow the guides Here
Note: your board may be labeled differently; double check
SD pin | Signal | WRT54GS V3 / WRT54G V4 | Board location
1 | CS  | GPIO7      | DMZ LED
2 | DI  | GPIO2      | White LED
3 | Vcc | PWR (3.3v) | JP2 (1)
4 | CLK | GPIO3      | Amber LED
5 | GND | GND        | JP2 (9)
6 | DO  | GPIO4      | Cisco SW
7 | IRQ | Not Used   |
8 | P9  | Not Used   |
9 | WP  | Not Used   |

SD card mount with a small piece of acrylic hot glued. Circuit board is also hot glued to shell v0.1
For the sake of demonstration I’ll be using the Win32 version of PuTTY but you can use the Linux version
Using your favorite telnet client, log into your router
root@OpenWRT:~# passwd root
Enter a password for root and now you can use a more secure login method.
So, start up PuTTY


Click Yes
Enter the user: root
Enter the password for root and you’re in.

Vfat/Fat
root@OpenWrt:~# ipkg list | grep vfat
kmod-vfat - 2.4.30-brcm-2 - Kernel modules for VFAT filesystem support
root@OpenWrt:~# ipkg install kmod-vfat
mmc.o
Now depending on the version of your router you may or may not have located GPIO 5. Well, there are two versions of mmc.o. From your PuTTY session, if your router is hooked up to an active internet connection, you can type in the wget statements.
GPIO2 Version – Version 3 routers such as WRT54GS CGN5
wget http://support.warwick.net/~ryan/wrt54g-v4/mmc.o
Local Mirror: wget http://www.frontiernet.net/~beakmyn/openwrt/mmc/mmc - gpio2.tar
GPIO5 Version – Older than Version 3 routers
Local Mirror: wget http://www.frontiernet.net/~beakmyn/openwrt/mmc/mmc - gpio5.tar
Use Secure Copy on your Linux machine to copy the file from computer to router if the router doesn't have an active internet connection:
user@host:~$ scp /tmp/mmc.o root@192.168.0.252:/tmp
In your PuTTY session copy it to the correct directory. Depending on when you're reading this, 2.4.30 may not be the current directory; after typing /lib/modules/ use the <TAB> key to auto-complete.
root@OpenWRT:~# cp /tmp/mmc.o /lib/modules/2.4.30
root@OpenWrt:~# lsmod
Module                  Size  Used by    Tainted: P
vfat                   11692   0  (unused)
fat                    36840   0  [vfat]
wlcompat               14896   0  (unused)
wl                    423640   0  (unused)
et                     32064   0  (unused)
diag                    2560   0  (unused)
If Vfat and fat aren’t loaded already, load them
root@OpenWrt:~# insmod fat
root@OpenWrt:~# insmod vfat
root@OpenWrt:~# insmod mmc
Using /lib/modules/2.4.30/mmc.o
root@OpenWrt:~# dmesg
mmc Hardware init
mmc Card init
mmc Card init *1*
mmc Card init *2*
Size = 14400, hardsectsize = 512, sectors = 28800
Partition check:
mmca:
The amber light should light up on the router also.
If dmesg shows an error make sure you have the correct mmc.o and everything is wired correctly
root@OpenWrt:~# mkdir /tmp/mmc
root@OpenWrt:~# mount /dev/mmc/disc0/<whatever> /tmp/mmc
For my router (256 MB card) it was /dev/mmc/disc0/part1.
If you're not sure, just type /dev/mmc/ then press <TAB>; Linux will do the rest, unless there are multiple options, in which case you'll get a listing.
Make it mount at boot
To load your mmc module during boot automatically, create a new file in the /etc/modules.d/ directory. You'll also need to create the fstab entry. Don't worry if you can't find /etc/fstab; it doesn't exist by default. You'll then need to create a script to mount the card at boot.
Load the module
root@OpenWrt:~# vi /etc/modules.d/40-mmc
mmc
Create fstab entry
root@OpenWrt:~# vi /etc/fstab
/dev/mmc/disc0/part1 /tmp/mmc vfat defaults 0 0
Create the script
root@OpenWrt:~# vi /etc/init.d/S51mount
#!/bin/sh
mkdir /tmp/mmc    # For SquashFS only
mount /tmp/mmc
Make it executable
root@OpenWrt:~# chmod 777 /etc/init.d/S51mount
Depending on the image you installed initially, whether it be SquashFS or JFFS2, you have one of two choices.
The files marked squashfs include a small compressed filesystem within the firmware itself. The disadvantage is that SquashFS is a read-only filesystem, so a separate JFFS2 partition has to be used to store changes and make the filesystem appear writable; the advantage is that SquashFS gets better compression than JFFS2, and you'll always have the original files on the read-only filesystem, which can be used as a boot device for recovery.
The files marked JFFS2 make the entire filesystem JFFS2. The disadvantage is that this takes a few hundred kilobytes more space; the advantage is that changes to included files no longer leave behind an old copy on the read-only filesystem.
SquashFS users will use /tmp/mmc.
JFFS2 users can create a /mnt/mmc directory once and don't have to worry about the script creating it every reboot.
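As an added example (not a script from the original guide), here is a checked version of the S51mount boot script: it refuses to mount when the card's block device is missing (the wrong-mmc.o or wiring case that dmesg reports), logs what it did, and adds a stop action that syncs and unmounts before a controlled power-off. It assumes /dev/mmc/disc0/part1 as the device, /tmp/mmc as the mountpoint (JFFS2 users can set MMC_MNT=/mnt/mmc), and that rcS invokes the script with a "start" argument.

```shell
#!/bin/sh
# Added example, not part of the original guide: a checked version of the
# S51mount boot script. Assumptions: mmc.o is installed as described above,
# the card's first partition shows up as /dev/mmc/disc0/part1, and rcS runs
# this script with "start" (use "stop" before a controlled power-off).
MMC_DEV="${MMC_DEV:-/dev/mmc/disc0/part1}"
MMC_MNT="${MMC_MNT:-/tmp/mmc}"        # JFFS2 users: MMC_MNT=/mnt/mmc
MMC_LOG="${MMC_LOG:-/tmp/mmc-mount.log}"

log() { echo "$(date '+%Y-%m-%d %H:%M:%S') S51mount: $*" >>"$MMC_LOG"; }

# True when something is already mounted on the given directory.
is_mounted() { grep -q " $1 " /proc/mounts 2>/dev/null; }

# Mount the card; returns 0 when it is mounted (or already was), 1 on failure.
mount_card() {
    dev="$1"; mnt="$2"
    if is_mounted "$mnt"; then
        log "$mnt already mounted"; return 0
    fi
    # No block device means the module did not find a card: wrong mmc.o
    # (GPIO2 vs GPIO5) or a wiring fault, the same case dmesg reports.
    if [ ! -b "$dev" ]; then
        log "$dev missing: check mmc.o variant and SD wiring"; return 1
    fi
    mkdir -p "$mnt" || { log "cannot create $mnt"; return 1; }
    # -o sync flushes writes at once, so pulling the plug loses less log data.
    if mount -t vfat -o sync "$dev" "$mnt"; then
        log "mounted $dev on $mnt"; return 0
    fi
    log "mount of $dev on $mnt failed"; return 1
}

# Flush and unmount before power-off; returns 1 if the card is still busy.
umount_card() {
    mnt="$1"
    is_mounted "$mnt" || return 0
    sync
    if umount "$mnt"; then
        log "unmounted $mnt"; return 0
    fi
    log "umount $mnt failed: something (kismet_server?) is still writing"
    return 1
}

case "${1:-}" in
    start) mount_card "$MMC_DEV" "$MMC_MNT" ;;
    stop)  umount_card "$MMC_MNT" ;;
esac
```

Install it as /etc/init.d/S51mount; chmod 755 is enough, since the script does not need to be world-writable.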
There is a GPSD package in the OpenWRT repository and buildroot; it is a recent, if not the current, version of GPSD. If you're going to use Kismet I highly suggest you DON'T use it. After version 2.10 GPSD took a fork and introduced auto-baud hunting to their code, which doesn't work well with Kismet. I have compiled and packaged the 2.10 version of GPSD, which is considered the compatible version, for you.
Note: the 2.3x versions of GPSD have introduced a pre-compile baud locking function; however there are still some bugs, and this version has been reported to use 98% CPU on embedded systems.
GPSD 2.30 – doesn't play well with Kismet; you've been warned
root@OpenWrt:~# wget http://downloads.openwrt.org/people/nico/testing/mipsel/packages/gpsd_2.30-1_mipsel.ipk
root@OpenWrt:~# ipkg install gpsd_2.30-1_mipsel.ipk
GPSD 2.10 – Plays well with Kismet
root@OpenWrt:~# wget http://www.frontiernet.net/~beakmyn/openwrt/package/gpsd/gpsd_2.10_mipsel.ipk
root@OpenWrt:~# ipkg install gpsd_2.10_mipsel.ipk
Caveats:
With only 1 serial port we first have to disable console login on /dev/tts/0, because you can't do 2 things on the port at once. The issue with this: boot messages are still directed to the serial console, but only at boot-up, so GPSD should be OK; however, some GPS units have been reported to lock up when they see console boot-up text.
Inittab needs to be changed to disable console login. If you don't want the kernel output you'll have to roll your own kernel. Good luck.
You have 3 options:
1. Perform the dual port mod, thus keeping tts/0 for console login and using tts/1 for GPS.
2. Use tts/1 for the single port mod instead of tts/0 and never look back.
3. Use tts/0 for GPS and hope your GPS is good. (OK, so you could leave the Tx unwired, but what fun is that? The GPS sourced in the Parts list doesn't care and works fine on tts/0.)
Modify system files:
root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://tobe.mine.nu/software/openwrt/stty.tgz
root@OpenWrt:~# ipkg install setserial
GPS on tts/1
root@OpenWrt:~# setserial /dev/tts/1 irq 3
root@OpenWrt:~# stty -F /dev/tts/1 raw speed 4800 -clocal cs8 -parenb -cstopb
GPS on tts/0
root@OpenWrt:~# stty -F /dev/tts/0 raw speed 4800 -clocal cs8 -parenb -cstopb
Make sure your port is configured at boot
setserial creates a startup script in /etc/init.d/S15serial that sets both ports to 4800 baud:
root@OpenWrt:~# vi /etc/init.d/S15serial
#!/bin/sh
/usr/sbin/setserial /dev/tts/1 irq 3
stty -F /dev/tts/0 raw speed 4800
stty -F /dev/tts/1 raw speed 4800
Single Port Mod:
By default all files on the SquashFS image are actually symlinks to the real (read-only) files over on /rom; to edit a file you will need to delete the symlink and copy the file from /rom.
If you're using the JFFS2 filesystem then there isn't a symlink to remove or a file to cp, so just vi /etc/inittab.
root@OpenWrt:~# rm /etc/inittab
root@OpenWrt:~# cp /rom/etc/inittab /etc/inittab
root@OpenWrt:~# vi /etc/inittab
::sysinit:/etc/init.d/rcS
::shutdown:/sbin/halt
#tts/0::askfirst:/bin/ash --login
By design OpenWrt's home directory is /tmp, so Kismet is going to assume most things are in /tmp/etc. But /tmp is temporary and will be lost at boot (on a SquashFS).
root@OpenWrt:~# cd /tmp
root@OpenWrt:~# wget http://kismetwireless.net/code/kismet-2006-04-R1-wrt54.tar.gz
GPSD support is patched out in the Buildroot (Patch 120). I've compiled a version of Kismet without this patch; there's also just the server binary in the testing directory.
root@OpenWrt:~# ipkg install libpcap
root@OpenWrt:~# ipkg install http://www.frontiernet.net/~beakmyn/openwrt/package/kismet/kismet-server_2006-04-R1-1_mipsel.ipk
If you are using a v1.0 or v1.1 router, edit the /tmp/kismet-2005-08-R1-wrt54/conf/kismet.conf file source line to use 'eth2':
source=wrt54g,eth2,wrt54g
If you're using a v2.0 make sure it's 'eth1':
source=wrt54g,eth1,wrt54g
If you are using a v3.0 router, change it to:
source=wrt54g,eth1:prism0,wrt54g
Some users with Whiterussian RC3 & RC4 have reported that the above values don't work all the time. If you try the above and it doesn't work, double check your settings and try the following:
source=wrt54g,prism0,wrt54g
Other items that will need attention:
suiduser=root
channelhop=false
logtypes=csv,gps
logtemplate=/tmp/mmc/%n-%d-%i.%l or logtemplate=/mnt/mmc/%n-%d-%i.%l
You don't necessarily need the following files. Kismet will run without ap_manuf and client_manuf, and it will use less memory and processor (from not having to search them on AP detection), but you'll lose the ability to label a client or AP based on its MAC. Of course the OpenWRT package doesn't include these files, so if you want them you'll need to get them from a kismet tarball.
ap_manuf=/etc/ap_manuf
client_manuf=/etc/client_manuf
This one is tricky, as you'll most likely be powering down the WRT by pulling the plug rather than through a controlled shutdown (shrunken head). You'll want to be sure your data is saved before shutting down somehow, and you want to shut down while leaving little chance of file corruption. It's a buried shovel sort of predicament.
writeinterval=60
root@OpenWrt:~# cp /tmp/kismet-2005-08-R1-wrt54/kismet_server /usr/bin/kismet_server
root@OpenWrt:~# cp /tmp/kismet-2005-08-R1-wrt54/kismet.conf /etc/kismet.conf
If you run the kismet binary now, it will fail in 2 ways: it cannot find the kismet_server.conf file, and it cannot find the 'wl' command (Broadcom binary driver for the wireless chipset) to enter monitor mode. The 'wl' command is easy to install with ipkg. Just type:
root@OpenWrt:~# ipkg update
root@OpenWrt:~# ipkg install wl
Using vi on the router I just added a script called 'runserver.sh' in the root directory with the following:
root@OpenWrt:~# vi runserver.sh
wl ap 0
and made it executable. Now I just have to telnet in and run one command to start the drone.
Joshua Wright of SANS.org came up with an alternate channel hopping script that allows for a little finer control of which channels are monitored. Just place this in your /etc/init.d/S70JW_scan file and tweak to your heart's content:
root@OpenWrt:~# vi /etc/init.d/S70JW_scan
#!/bin/sh
You can just download this file from Here, or use wget with:
root@OpenWrt:~# wget http://www.renderlab.net/projects/wrt54g/S70JW_scan
Either way, just put the file in the /etc/init.d/ directory and make it executable with:
root@OpenWrt:~# chmod 777 /etc/init.d/S70JW_scan
If you want to get really fancy, turn your WRT54G into a kismet_server appliance by having kismet_server start up on boot as a service!
To do this, use vi to create the file /etc/init.d/S60kismet_server on the router with the following:
root@OpenWrt:~# vi /etc/init.d/S60kismet_server
#! /bin/sh
just put the file in the /etc/init.d/ directory and make it executable with:
root@OpenWrt:~# chmod 777 /etc/init.d/S60kismet_server
Reboot and verify it's running. You should be able to plug into the Ethernet and issue the top command through PuTTY:
root@OpenWrt:~# top
Mem: 9360K used, 21224K free, 0K shrd, 868K buff, 3256K cached
Load average: 0.15, 0.08, 0.02    (State: S=sleeping R=running, W=waiting)

  PID USER     STATUS   RSS  PPID %CPU %MEM COMMAND
  865 root     R        408   517  3.8  1.3 top
  867 root     S        300   501  1.9  0.9 sleep
  491 root     R        392     1  0.9  1.2 kismet_server    X
  508 root     S        636   469  0    2   dropbear
  517 root     S        464   508  0    1.5 ash
   51 root     S        420     1  0    1.3 rcS
  469 root     S        420     1  0    1.3 dropbear
  501 root     S        412    51  0    1.3 S70JW_scan       X
  464 nobody   S        408     1  0    1.3 dnsmasq
  429 root     S        396     1  0    1.2 udhcpc
    1 root     S        392     0  0    1.2 init
   55 root     S        392     1  0    1.2 init
  475 root     S        384     1  0    1.2 httpd
   49 root     S        376     1  0    1.2 syslogd
   52 root     S        368     1  0    1.2 logger
   50 root     S        340     1  0    1.1 klogd
  482 root     S        300     1  0    0.9 telnetd
    7 root     SW         0     1  0    0   mtdblockd
    4 root     SW         0     1  0    0   kswapd
So after building the headless version I decided that I really wanted a way to be able to interact with the WRT but not have it hooked up to my laptop through PuTTY and since I removed the DB9 serial adapter I needed a more elegant solution. That’s when I got out the Xacto knife and soldering iron.
For this mod I cut the traces on the original RJ45 WAN adapter and wired it directly to the TTL level serial port (/dev/tts/0) on the WRT. Now a word of CAUTION: you can only do this if your serial port is 3.3v; otherwise you'll need to use the RS232 converter. For the Handspring Visor this works out well, as its serial port is already at 3.3 volts (2.7v to be exact). I picked up a serial-only hotsync cable on ebay. After trying to figure out why the cable wouldn't work I decided to pry open the shell and found that it had some built-in level shifting components that used the computer's port for parasitic power. I removed all this and scavenged two 1500 ohm resistors to use as current limiters and wired them in.

For the software side on the Visor I’ve settled with PVTerm as it does the best job at displaying the text and has a tiny little onscreen keyboard. There are other programs out there (pTelnet, CS Online, PocketTerm) that you might have varying amounts of success with.
