Hacking your Linksys WRT54G

[sde]

If you have one, check this link out: http://www.batbox.org/wrt54g-linux.html

It adds telnet to your router so you can explore and modify stuff. If you do this and telnet in, try typing 'wl' to see a complete list of its capabilities. Here is the result of a wl:

Code:

shmem   Get/Set a shared memory location.

antdiv  Set antenna diversity for rx
        0 - force use of antenna 0
        1 - force use of antenna 1
        3 - automatic selection of antenna diversity

txant   Set the transmit antenna
        0 - force use of antenna 0
        1 - force use of antenna 1
        3 - use the RX antenna selection that was in force during
            the most recently received good PLCP header

plcphdr Set the plcp header.
        "long" or "auto" or "debug"

phytype Get phy type

scbdump print driver scb state to stdout

ratedump
        print driver rate selection tunables and
        per-scb state to stdout, valid scb values are
        0 through NSCB-1

rateparam
        set driver rate selection tunables
        arg 1: tunable id
        arg 2: tunable value

wepstatus
        Set or Get WEP status
        wepstatus [on|off]

addwep  Set an encryption key.  The key must be 5, 13 or 16 bytes long, or
        10, 26, 32, or 64 hex digits long.  The encryption algorithm is
        automatically selected based on the key size. keytype is accepted
        only when key length is 16 bytes/32 hex digits and specifies
        whether AES-OCB or AES-CCM encryption is used. Default is ccm.
        addwep <keyindex> <keydata> [ocb | ccm] [notx] [xx:xx:xx:xx:xx:xx]

rmwep   Remove the encryption key at the specified key index.

scan    Initiate an active scan across all channels.
        Optional SSID argument specifies a particular SSID to scan.
        With no SSID argument, a broadcast SSID scan is performed.

passive Puts scan engine into passive mode

regulatory
        Get/Set regulatory domain mode (802.11d). Driver must be down.

scanresults
        Return results from last scan.

assoc   Print information about current network association.
        (also known as "status")

status  Print information about current network association.
        (also known as "assoc")

disassoc
        Disassociate from the current BSS/IBSS.

chanlist
        Return valid channels for the current settings.

evm     Start an EVM test on the given channel, or stop EVM test.
        Arg 1 is channel number 1-14, or "off" or 0 to stop the test.
        Arg 2 is optional rate (1, 2, 5.5 or 11)

rateset Returns or sets the supported and basic rateset, (b) indicates basic
        With no args, returns the rateset. Args are
        rateset "default" | "all" | <arbitrary rateset>
                default - driver defaults
                all - all rates are basic rates
                arbitrary rateset - list of rates
        List of rates are in Mbps and each rate is optionally followed
        by "(b)" or "b" for a Basic rate. Example: 1(b) 2b 5.5 11
        At least one rate must be Basic for a legal rateset.

roam_trigger
        Set the roam trigger RSSI threshold.  (integer)

roam_delta
        Set the roam candidate qualification delta.  (integer)

roam_scan_period
        Set the roam candidate qualification delta.  (integer)

suprates
        Returns or sets the 11g override for the supported rateset
        With no args, returns the rateset. Args are a list of rates,
        or 0 or -1 to specify an empty rateset to clear the override.
        List of rates are in Mbps, example: 1 2 5.5 11

scan_channel_time
        Get/Set scan channel time

scan_unassoc_time
        Get/Set unassociated scan channel time

scan_home_time
        Get/Set scan home channel time

scan_passes
        Get/Set scan pass count

prb_resp_timeout
        Get/Set probe response timeout

channel_qa
        Get last channel quality measurment


channel_qa_start
        Start a channel quality measurment


country Select Country code for use with 802.11d.  Use either long name
or abbreviation from ISO 3166. Use 'wl country list' for the complete list.

locale  Select the country:
        Worldwide
        Thailand
        Israel
        Jordan
        China
        Japan
        USA/Canada/ANZ
        Europe
        USAlow
        JapanHigh
        All

join    Join a specified network SSID.
        Join syntax is: join <name|ssid> [key xxxxx] [imode bss|ibss] [amode open|shared]

mac     Set or get the list of source MAC address matches.
        wl mac xx:xx:xx:xx:xx:xx [xx:xx:xx:xx:xx:xx ...]
        To Clear the list: wl mac none

macmode Set the mode of the MAC list.
        0 - Disable MAC address matching.
        1 - Deny association to stations on the MAC list.
        2 - Allow association to stations on the MAC list.

wds     Set or get the list of WDS member MAC addresses.
        Set using a space separated list of MAC addresses.
         wl wds xx:xx:xx:xx:xx:xx [xx:xx:xx:xx:xx:xx ...]

lazywds Set or get "lazy" WDS mode (dynamically grant WDS membership to anyone).

noise   Get noise (moving average) right after tx in dBm

fqacurcy
        Manufacturing test: set frequency accuracy mode.
        freqacuracy syntax is: fqacurcy <channel>
        Arg is channel number 1-14, or 0 to stop the test.

crsuprs Manufacturing test: set carrier suppression mode.
        carriersuprs syntax is: crsuprs <channel>
        Arg is channel number 1-14, or 0 to stop the test.

int     Interrupt Test - remember to precede by 'wl down' and follow by 'wl up'

lbt     Loopback Test - remember to precede by 'wl down' and follow by 'wl up'

band    Returns or sets the current band
        auto - auto switch between available bands (default)
        a - force use of 802.11a band
        b - force use of 802.11b band

bands   Return the list of available 802.11 bands

phylist Return the list of available phytypes

shortslot
        Get 11g Short Slot Timing mode. (0=long, 1=short)

shortslot_override
        Get/Set 11g Short Slot Timing mode override. (-1=auto, 0=long, 1=short)

shortslot_restrict
        Get/Set AP Restriction on associations for 11g Short Slot Timing capable STAs.
        0 - Do not restrict association based on ShortSlot capability
        1 - Restrict association to STAs with ShortSlot capability

ignore_bcns
        AP only (G mode): Check for beacons without NONERP element 
        (0=Examine beacons, 1=Ignore beacons)

pktcnt  Get the summary of good and bad packets.

upgrade Upgrade the firmware on an embedded device

gmode   Set the 54g Mode (LegacyB|Auto||GOnly|BDeferred|Performance|LRS)

gmode_protection
        Get G protection mode. (0=disabled, 1=enabled)

gmode_protection_control
        Get/Set 11g protection mode control alg. 
        (0=always off, 1=monitor local association, 2=monitor overlapping BSS)

gmode_protection_cts
        Get/Set 11g protection type to CTS (0=disable, 1=enable)

gmode_protection_override
        Get/Set 11g protection mode override. (-1=auto, 0=disable, 1=enable)

legacy_erp
        Get/Set 11g legacy ERP inclusion (0=disable, 1=enable)

scb_timeout
        AP only: inactivity timeout value for authenticated stas

assoclist
        AP only: Get the list of associated MAC addresses.

rssi    Get the current RSSI val, for an AP you must specify the mac addr of the STA

isup    Get driver operational state (0=down, 1=up)

fasttimer
        Get/Set High frequency watchdog timeout (tx_power) [15 sec]

slowtimer
        Get/Set Low frequency watchdog timeout (nrssislope) [60 sec]

glacialtimer
        Get/Set Very Low frequency watchdog timeout (measurelo) [120 sec]

interference
        Get/Set interference mitigation mode. Choices are:
        0 = none
        1 = non wlan
        2 = wlan manual
        3 = wlan automatic


frameburst
        Disable/Enable frameburst mode

pwr_percent
        Get/Set power output percentage

wet     Get/Set wireless ethernet bridging mode

It runs in ram so if you screw up, you can just reset the router. Also, it gives you root access, so you may want to setup some security with iptables.

For me it is just exploring for fun. you can do things like modifying your radio settings. default is 28 milliwatts, but it can be adjusted from 1 to 84. ( higher settings may violate laws in some areas )

I'll attach a screen shot of a bit of the file system.

[Belisarius]

Cool, I forgot that it ran Linux. I'm going to have to see if I can statically assign IPs now.

[idx]

Sweeeeeeeeeeeeeeeeeeet. For once: something cool regarding a product I actually have.

-r

[sde]

there is a way to put files on your router with the wrt54g_put.sh script, but i'm not sure where exactly it puts them. any ideas?

[Belisarius]

How? Through TFTP or something?

[Belisarius]

I went and bought a subscription at Sveasoft (20 bucks per year, auto renewing, for those interested), and installed their firmware update. It's friggin amazing. They include static IP assignment, filtering based on *protocol* (I've blocked FastTrack to keep my brother from hogging bandwidth with Kazaa), QoS should I want to throttle based on port/protocol), it even has VLAN support. This upgrade turned a pretty good home-router into a serious networking router!

[ender]

Speaking of linksys products that are being modified. The NSLU2 is a network file server which serves windows shares. The funny part is it does this through linux and samba. While development for this platform is still in the beta stage, it is interesting nonetheless. At work we are trying to do some cool stuff with these things, turning them into $80 IXP450 development boards. For more information, check out: www.nslu2-linux.org

-Ted

[Coyote-X]

Hi

I know this is kind of an old post, but two questions, if anybody knows. Came across this on Google while trying to figure out if I could reset my router's timeout to something that wasn't so short.

I have a Linksys WRK54G, it's similar to the WRT54G in appearance but with only one antenna. Not sure if it uses the same firmware or not. Have upgraded to the newest Linksys firmware to fix a problem I had with the router freezing a couple times a day. Seems to be working so far.

Anyway, does anybody know if it will work on mine? and...
Can I use it to reset the timeout from say, 20 minutes to maybe an hour?

I play on MUD's and MUSHes and it keeps disconnecting me if I have to go get up and do something. No fun.

[sde]

i couldn't tell ya if it will work or not. let us know if you try it. also, above is the list of available functions, .. maybe the 'fasttimer' option is what you're looking for. i'm not sure.

[Belisarius]

The impression I'm getting on the Sveasoft boards is that it doesn't even run Linux.

[ender]

It may be just me, but I don't think the router is the issue here. 'Timeouts,' or at least the ones you are describing have nothing to do with the router. To the router, you are connected, and it will keep you connected for as long as it can. The remote server may have a timeout for idle activity, which would be the issue. That can't be fixed by a router setting. Unless I'm just totally off base here, which may be the case. Anyway, the way to fix this is to get a good MUD client that supports 'pinging' .. well.. something like that anyway, just to keep the connection going, sending a packet every once in a while. Even just sending the 'look' command every 5 minutes would do the trick.

Again, just tell me if I'm completely nuts. Yes, my spelling is horrible.

[Coyote-X]

Right now I'm using SimpleMU, and have been for years. I switched from a cheap generic router to the one I got for christmas, nothing else changed, and now it disconnects me every twenty minutes or so. I /think/ I have the problem fixed with a simple timer that pings the server every 10 minutes (did that last night), but some of the places I play on are anal and don't allow the use of timers. As well, a couple of the places seem to still be disconnecting anyways.

(And I'm just a masochist when it comes to this sort of thing, I guess. I thought this sounded neat. )

I've been talking to people and reading other tech sites and it seems that most routers have a 'timeout' feature where if a connection is idle for more than a certain amount of time, it cuts it off. I stay on just fine when I'm connected with no router and just a software firewall/cable modem.

Anyways, I got everything I needed and tried to install and got some java errors, so I'm thinking it's either not gonna work, or not gonna work without some modifications that I don't know how to do yet. :\

[sde]

sorry if this sounds lame, but are you 100% you don't have a bad cable or nic? do you have another computer you can try to play with using different cables too?

[Coyote-X]

Better not have a bad NIC. It's a laptop. That would not be cool. I guess I could leave my old PC on for a while and see if that did it too. Gonna try that now. I really think it's the router itself though. Does not have any problems when I use the old router or just connect directly to the modem. Oh, and sorry for botherin' you guys with this, I know it's not exactly code or linux related, particularly. Your site just came up on google while I was looking around, looked like a likely place. Thanks for the help.

[sde]

not a bother, this is what the site is all about

good luck, post results please.