Sunday, 13 April 2008

Some notes on DD-WRT

While I've got a spare minute, I'll jot down some notes on upgrading the 'La Fonera' Wireless Access Point to DD-WRT.

'Upgrading' one of these little wireless access points with DD-WRT was something I did a week or two ago, it was quite interesting. It's been working reliably with good signal and performance since. It happens to be hooked up to the Purple' network on a Smoothwall V3 firewall.'. Here are some notes and links for future reference:

The 'Fonera' comes with some built in management software. It's locked down and gets its configuration from the Fon network once it gets a connection. The unit hardware isn't too bad, wireless 802/11 b/g radio, single 10/100 Ethernet port, reverse SMA antenna connector and a power connector. The unit is small, small enough to fit in the palm of your hand!

The software loaded on to the Fonera is stored in Flash memory. The software is signed by a secret key that's never been released into the public domain.

However, various flaws in the implementation allow the Flash to be formatted and a new software image loaded instead (such as the rather good DD-WRT).

Depending what firmware the unit comes with, the exploits differ - as new versions of firmware are released they tend to close found vulnerabilities (and often inadvertantly introduce new ones instead!).

An excellent guide can be found here - I followed this and it worked flawlessly! The unit I had was revision 1 and this method worked perfectly with it.

The starting point is exploiting a vulnerability such that SSH access can be opened up, from there on in it's a matter of formatting the Flash memory and then loading the new software on the unit.

The source of the information is here

The DD-WRT site has a good guide too

The easiest exploit being the DNS exploit, where a special DNS server has been set up for public use. For this the firmware must be revision 2.

DD-WRT can be found here

Images for DD-WRT for the Fonera can be found here

No comments: