Tuesday, 16 June 2015

DD-WRT: Hack a wireless router

DD-WRT

Router firmware: take control of your home router with a custom firmware. Matt Beilby gives a rundown on how to power up the device at the heart of your home network with your very own software.

Nowadays a decent router can be relied on to do its own thing without bothering you, making it a great time for home networking. However, it can still be a challenge to get it to do your particular thing instead. If you’re ready for a change, the world of custom firmware opens up an embarrassment of configuration choices, as well as an enticing catalogue of new functionality.


With DD-WRT as our firmware of choice, we’re going to firmly encourage these sleek and unassuming embedded devices to reach their full huffing, wheezing potential. There will be sweat, there may be tears, but we’ll guide you through the process of selecting and installing a firmware, show you some of the nattiest ways to trick it out, and open the door for your own challenges to follow.

DD-WRT is one among many custom firmwares for wireless routers, but it beats at the heart of the custom firmware movement, with a broad range of hardware support, relative ease of use, consistent development and a treasure trove of features. Installing DD-WRT isn’t a minor tweak, though – it will completely rewrite the way your router operates, potentially opening up functionality such as SSH, file and media serving, guest networks, QoS, VLANs and VPNs in more flavours than you could find in a bag of Revels. However, there are risks commensurate with the scope of the change.

While installing a custom firmware is almost always a beautiful learning experience, sometimes what you learn is how it feels to break a perfectly good router. It probably won’t even seem like it’s your fault when it happens, but implicit in your willingness to continue is the understanding that it will be your fault, because you were the one who poked it.

Now that’s clear, we can continue and the most advisable way forward is to use an older, spare router. Look at it this way – you’re going to end this process without a manufacturer’s warranty, so you may as well start it without one. You’re also less likely to feel a sense of gnawing, visceral guilt if you sneeze and pull out the power adaptor during a firmware update, and proportionally more likely to unlock new features. By contrast, it can take a reasonably long time for custom firmware such as DD-WRT to adapt to new technology (and longer still to make it run reliably), so you may be on a hiding to nothing with this year’s super router, even if you’re cavalier enough to try it.

Router support


We’ll deliver the bad news up front. With no notable exceptions, combination router/modems won’t work – BT’s famous range of Home Hubs, for example, aren’t supported. But all is not lost if you’re on VDSL/BT fibre, because you should be able to arrange to use a standalone Openreach modem instead, and connect up a router of your choice. Other ISPs’ combination devices may even have a modem-only mode that enables you to plug in your own router – Virgin Media’s Super Hubs, for example, fall into this category.

If you do have a standalone router, you can’t necessarily just go ahead and plonk a new firmware on it. Some routers don’t have the right chipset, some don’t have enough flash storage, and some don’t have the RAM. Some, frankly, don’t have the moxie. All that said, a surprisingly wide range of routers are supported. So how do you know whether yours is one of them?

Your first port of call should be DD-WRT’s router database (www.dd-wrt.com/site/support/router-database). Simply put your model number into the search field, and then cross your fingers. The database will usually give you a straight yes or no answer, but don’t jump for joy when you see your model appear in this list until you have checked that the revision column also matches up with your router – some manufacturers change out the internals almost completely between revisions of the same router model.

Just for fun, try searching for the WRT54G in the router database, and count the iterations. The WRT54G is the granddaddy of DD-WRT, and it has a lot of history. But note that at least one revision isn’t supported at all, and that the specs can be wildly different between others. Many have reduced flash storage space, for instance, and will be limited in which features they can support.

Once you’ve established that your router is supported, there are two major lights in the darkness: DD-WRT’s wiki, and the community forums. The wiki is great for getting a baseline understanding of any issues which might affect your particular router. Start with the Supported Devices page (www.dd-wrt.com/wiki/index.php/Supported_Devices). Links from this page often indicate that your router has a specific installation guide, which might just mean that it’s a popular model, but it could mean that the flashing process comes with some caveat or special requirement, so be aware.

Firm forum friends


The forums are the best place to find out what’s working, right now, for other people using the same hardware (see www.dd-wrt.com/phpBB2). You should pay particular attention to threads where users trade blows over their favourite or most stable builds. Look out for the guru posters, who often have long signatures containing details of the many different routers they run, and which firmware versions they’re running on them. These guys have done their homework, so make sure you do yours, too, even if that sometimes means leaning across the metaphorical desk to copy their notes.

DD-WRT exists in an ongoing beta, and the newest release is not always going to be the best one for your own particular hardware. There’s no shame or loss in using a build which might be significantly behind the bleeding edge. If it’s the right fit for your kit, just go for it. With older releases, the main thing you need to concern yourself with is to make sure that you’re not exposing yourself and your hardware to any critical security flaws. As a starting point, build revisions between 19163 and 23882 are a poor vintage: any component making use of OpenSSL in those builds (OpenVPN, for instance) is affected by the Heartbleed bug (CVE-2014-0160), which lets a remote peer read chunks of the router’s memory, so that is not something to leave facing the internet. The good news is that none of the vanilla builds are affected by the Bash-specific Shellshock vulnerability (CVE-2014-6271); like many embedded device firmwares, DD-WRT relies on BusyBox to provide its shell rather than Bash.

Likewise, the use of uClibc rather than glibc means that the GHOST vulnerability (CVE-2015-0235) is no concern for today. However, running a custom firmware does tend to send the security ball zipping over the net into your side of the court: nobody is going to push a patch to your router for you, so you really do need to keep abreast of emerging vulnerabilities and be prepared to reflash when one lands.

Now, let’s go through a worked example. We have a Cisco Linksys E3000 router, which treads a decent balance between age and relevance. It’s around five years old and there’s none of that new-fangled wireless AC technology, but it was a powerhouse in its day, with support for simultaneous 2.4GHz and 5GHz wireless bands. The router database shows a firm yes, and there is some specific information on the wiki relating to it. Particular points of note are the implications of it having 60K of NVRAM, and the requirement to flash a trailed build (see below). We’ll need to take both of these things into account.

We’re lucky, as it happens; on the forums, a build from February 2015 (build 26138) is being touted as stable with the Linksys E series. There’s some debate about a bug in the Guest Wi-Fi implementation, but it sounds as though it’s going to be worth our time.

The main area for new DD-WRT releases is at ftp://ftp.dd-wrt.com/betas and we know from the wiki that E3000-compatible builds are to be found in the broadcom_K26 subfolder. We can pick a mini-trailed release for the E3000 from here with no problem, so we’ll get that now, but if we want to move to a larger general build afterwards, then we’ll need to remember our 60K NVRAM limit, and pick one of the 60K builds from the same folder. The mega 60K build is (just!) too large for our 8MB flash storage – it’s a good job we checked that out, because it came down to counting the bytes – so we’ll go with the so-called ‘big build’ instead.
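Since it really does come down to counting bytes, it is worth checking the downloaded image before handing it to the router’s updater rather than finding out the hard way. The script below is an added example written for this article, not code from the DD-WRT project: it looks for the TRX header that Broadcom-based DD-WRT images carry (the ‘HDR0’ magic followed by a little-endian 32-bit length), accepts it either at the start of the file or, for a Linksys trailed build, after a 32-byte vendor header, refuses an image whose declared length runs past the end of the file (the signature of a truncated download), and compares the size against a flash budget. The 32-byte header size and the default budget (8MB less 256K of bootloader and 64K of NVRAM) are assumptions made for the example rather than figures from the wiki, so adjust them for your own router; the filename in the usage line is a placeholder.

```shell
#!/bin/sh
# Pre-flight check of a DD-WRT firmware image before flashing.
# Added example for this article, not code from DD-WRT. Assumptions:
#  - the image is a Broadcom TRX: magic "HDR0", then a little-endian
#    32-bit total length at byte offset 4 (standard TRX layout);
#  - a Linksys trailed build carries a 32-byte vendor header in front of
#    the TRX header (assumed size; a bare TRX at offset 0 is also accepted);
#  - the default flash budget (8MB less 256K bootloader and 64K NVRAM) is
#    an assumed figure for illustration, not one taken from the wiki.

# le32 FILE OFFSET: print the little-endian 32-bit unsigned integer at OFFSET.
le32() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1" 2>/dev/null)
    [ $# -eq 4 ] || return 1
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# trx_offset FILE: print 0 (bare TRX) or 32 (trailed build) depending on
# where the "HDR0" magic sits; return 1 if it is at neither.
trx_offset() {
    for off in 0 32; do
        if [ "$(od -An -c -j "$off" -N 4 "$1" 2>/dev/null | tr -d ' ')" = "HDR0" ]; then
            echo "$off"
            return 0
        fi
    done
    return 1
}

# check_image IMAGE [BUDGET]: 0 if IMAGE has a TRX header, holds at least as
# many bytes as the header declares (otherwise the download is truncated)
# and fits within BUDGET bytes; 1 with a reason on stdout otherwise.
check_image() {
    image=$1
    budget=${2:-$((8 * 1024 * 1024 - 256 * 1024 - 64 * 1024))}
    size=$(wc -c < "$image" | tr -d ' ')
    off=$(trx_offset "$image") || { echo "$image: no TRX magic at offset 0 or 32"; return 1; }
    trxlen=$(le32 "$image" $((off + 4))) || { echo "$image: cannot read TRX length"; return 1; }
    if [ $((off + trxlen)) -gt "$size" ]; then
        echo "$image: header declares $trxlen bytes but only $((size - off)) follow it (truncated download?)"
        return 1
    fi
    if [ "$size" -gt "$budget" ]; then
        echo "$image: $size bytes will not fit a budget of $budget bytes"
        return 1
    fi
    echo "$image: TRX header at offset $off, $size bytes, $((budget - size)) bytes to spare"
}

# Usage (placeholder filename): check_image firmware.bin
```

The check does not verify the TRX CRC, so a clean result means the file is the right shape and size, not that every byte arrived intact; compare the file against the checksum published alongside the build for that.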

Trailed builds and TFTP


A trailed build could quite accurately be described as a custom custom firmware. It’s a firmware that’s been built specifically for one particular model of router (which is mentioned in the filename). Trailed builds contain headers that check out as legitimate with the manufacturer’s own firmware, which then conveniently and quite cleverly enables you to use the existing interface to overwrite itself. A trailed build might not be your end point, however, but more like a transitional step between using stock and custom firmware. Once you have installed a trailed build of DD-WRT, you’re generally able to move more freely between different firmware builds – you still need to pick the correct ones, though.

Now let’s take a look at tftp, which is quite literally a trivial file transfer protocol. This is necessary for the initial flash of a few routers – older Linksys, Buffalo and Belkin models being the prime examples. It’s comparatively rare to require this on Wireless N or newer routers. If you don’t need to use tftp, then it’s not recommended, regardless of whether or not it’s available.

However, it’s worth remembering that lots of different routers have a tftp connection available for a limited window during the boot process, because it could be one of the first ports of call if you need to try to recover from a bad flash. Although it’s never to be relied upon, it may help bring you back from the brink in a pinch.

Firmware update time


Now it’s time for us to check and double-check all our sources of information, because we’re ready to do the firmware update. The steps that follow are usually applicable, but you should read up on your model to see where any differences might occur.

First, you need to connect your computer to the router using a wired connection, and then configure it to have a static IP address on the same subnet as the router. Things are not guaranteed to go wrong if you don’t do this, but do you really want to leave the router in charge of business while you’re in the process of brainwashing it? The answer is a definite no. No, you don’t.

Do a 30-30-30 reset (see below), and then log in to your router’s web configuration page (with the now factory default username and password). Find wherever your manufacturer has hidden the firmware update section, and browse your computer to find the DD-WRT firmware file you prepared earlier, which is probably a trailed build specific to your router.

Go ahead and do the update using the built-in firmware updater. There may or may not be a progress bar, but ignore it either way. You’re going to wait at least five minutes. Use a clock and not your patience to gauge this. Then turn the router off and on again, giving it time to reboot and get its bearings – then, and only then, do another 30-30-30.

Open up a web browser and go to 192.168.1.1, which is the default IP address for a DD-WRT router, and check that you are indeed looking at a DD-WRT interface. That’s the first good sign, and the second is whether it’s asking you to change the password, which shows that the 30-30-30 reset after the update has also worked properly.

If all is well, decide whether you’re sticking with the build you’ve just installed or, if you were using a trailed build as an intermediary step, repeat the process again in full, until you have reached your final destination.

The 30-30-30 reset


Don’t underestimate how skew-whiff things can become when the vestigial variables of firmware A come out to play with custom firmware B. The 30-30-30 is a catch-all hard reset for clearing NVRAM and returning most routers to their firmware defaults, which you’ll do before and after flashing each new firmware version.

Your router’s Reset button is probably on the back of the unit, sometimes inset. Grab a paperclip if you need one, and get into a comfortable position; you are going to be holding your router’s reset button down for 90 seconds or more, which is a long, long time for someone with cramp.

Start holding down your router’s reset button, and count a full 30 seconds. Not letting go of the reset button, pull the AC plug out of the back of the router. Count 30 more seconds. Keep holding that reset button, and plug the router back in. Count 30 more seconds. Finally, let go of the reset button and throw up some jazz hands to brighten the mood and get your circulation flowing again. Your router should be back to default values for whichever firmware you currently have installed. (You can put your hands down now.)

A handful of older routers, but an ever-increasing number of new AC routers, need to be hard reset in other ways. If the 30-30-30 doesn’t return yours to default values, check what does work for your router, and use that method instead.

Configuration work


Now that you’re up and running, feel free to do some basic configuration. Get the router set up the way you like it; that’s what we came here for. DD-WRT’s interface is neat and functional, and you should be able to find the options you’re comfortable with, albeit buddying along with a raft of new features. Get your wireless security set up, and then give it a test drive. Now are you ready to try something that you couldn’t do before?

How about logging directly into your router via SSH? Yeah, we can do that. We can even do it without a password, using the public key method. To generate an appropriate public/private key pair, enter the following into a terminal on your local machine.

ssh-keygen -t rsa -f ~/.ssh/id_rsa_ddwrt

You’re prompted to set a passphrase, but hitting Enter twice enables you to continue without one – choose your balance of security and convenience, remembering that if this key is later going to open your router from the internet, a passphrase (with ssh-agent to save retyping it) is the sensible default. Two new files are created under your home directory, in the ~/.ssh/ hidden folder: id_rsa_ddwrt and id_rsa_ddwrt.pub, which contain your newly generated private and public keys, respectively. Make sure you keep prying eyes away from the private key, but we’ll use the public key to set up easy password-free access to your router.

Go to the Services tab in your new DD-WRT Web GUI, and then click the enable checkbox for SSHd. This expands some new options. It’s up to you whether or not you leave password authentication active for now, but once SSH is reachable from the outside world (see the remote access steps below) you’ll want it off, so that the key is the only way in. What you do need to do is copy the contents of your id_rsa_ddwrt.pub file into the Authorized Keys box. Make sure the entire sequence occurs on a single line – a key that has been wrapped onto two lines won’t match, and you’ll simply be asked for a password instead. Save and apply these changes. At this point, one simple terminal command on your local machine should let you in through the door:

ssh root@192.168.1.1

Substitute in the correct local IP of your router, if you’ve changed it. Note that the login is always root, whatever username you set for the Web GUI (and if you have left password authentication on, it is the GUI password that works). If you see the DD-WRT banner in the terminal, well done, you’re in. But you didn’t think we were going to stop there, did you? Getting the local access is only half the battle. How about an interesting and powerful way to manage your router from the outside world? Remote access to your router is always going to be a controversial subject but, let’s be honest, sometimes it’s useful enough to be worth the risk you are taking doing it.
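The single-line requirement is the one that bites in practice: a key wrapped by an editor or a terminal paste fails to match without any error, and the first you know of it is ssh falling back to a password prompt. The script below is an added example (not from the article or the DD-WRT project) that checks a public key file is something the Authorized Keys box will accept: exactly one line, a recognised key type, a blob that decodes as base64, and a type string inside the blob that agrees with the one in front of it. The sample key it builds is a structurally valid but deliberately useless stub, constructed here so the check can be run without a real key pair.

```shell
#!/bin/sh
# Check that a public key file is in the one-line authorized_keys form that
# the DD-WRT SSHd "Authorized Keys" box expects. Added example for this
# article, not DD-WRT code. It relies only on the standard OpenSSH public key
# format: "keytype base64blob [comment]", where the blob opens with a 4-byte
# big-endian length followed by a second copy of the key type string.

# b64dec STRING: write the decoded bytes to stdout. GNU coreutils spells the
# decode flag -d, BSD/macOS spells it -D; try both.
b64dec() {
    printf '%s' "$1" | base64 -d 2>/dev/null && return 0
    printf '%s' "$1" | base64 -D 2>/dev/null
}

# check_pubkey FILE: 0 if FILE holds exactly one well-formed public key line,
# 1 (with the reason on stdout) otherwise.
check_pubkey() {
    lines=$(grep -c '' "$1")
    [ "$lines" -eq 1 ] || { echo "expected exactly 1 line, found $lines (wrapped by an editor or paste?)"; return 1; }
    read -r ktype kb64 kcomment < "$1" || true
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "first field '$ktype' is not a key type (options such as from= do not belong here)"; return 1 ;;
    esac
    [ -n "$kb64" ] || { echo "no key blob after the type"; return 1; }
    blob=$(mktemp)
    if ! b64dec "$kb64" > "$blob"; then
        rm -f "$blob"; echo "key blob is not valid base64"; return 1
    fi
    # First four bytes of the blob: big-endian length of the embedded type string.
    set -- $(od -An -tu1 -N 4 "$blob")
    [ $# -eq 4 ] || { rm -f "$blob"; echo "key blob too short to hold a type string"; return 1; }
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    embedded=$(dd if="$blob" bs=1 skip=4 count="$n" 2>/dev/null)
    rm -f "$blob"
    [ "$embedded" = "$ktype" ] || { echo "blob is a '$embedded' key but the line says '$ktype'"; return 1; }
    echo "ok: one-line $ktype key${kcomment:+ ($kcomment)}"
}

# Constructed sample: a structurally valid, deliberately tiny ssh-rsa blob
# (type string, 3-byte exponent 65537, 1-byte modulus) so the check can be
# exercised without a real key pair. Never use anything like it as a key.
sample_blob() {
    printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001\000\000\000\001\005' | base64 | tr -d '\n'
}
SAMPLE_KEY="ssh-rsa $(sample_blob) you@laptop"

# Usage: check_pubkey ~/.ssh/id_rsa_ddwrt.pub
```

Run it against id_rsa_ddwrt.pub before pasting; if it passes and the router still asks for a password, the paste into the GUI is the next thing to suspect.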

DD-WRT will happily support remote access to the GUI via HTTP or HTTPS. There’s no way in this life that you’d want to give the world a shot at the core of your home network without a single security layer, but you might be thinking about allowing HTTPS connections.

Wait, though. Here’s a neat trick instead: why not disallow remote Web GUI access altogether, and just connect via SSH? You can then log in and administer the router remotely by command line or set up an SSH tunnel to give you, effectively, local access to the Web GUI. This will work from any location – and you only have to open one door to enable both types of access. Let’s look at how this can be done.

First, setting up remote access to SSH is done in a different part of the DD-WRT GUI from enabling the service. This time you’ll want to go to the Management tab under Administration. There’s a remote access section here. Don’t bother enabling remote Web GUI Management. Instead, enable SSH Management. You’re given the option to select a port for this. You don’t need to – and, in fact, shouldn’t – use the typical SSH port 22; we’ll use port 19198 in this example. We made this up, so feel free to make up your own, but be clear about what it buys you: an unusual port keeps the automated scanners that hammer port 22 out of your logs, and nothing more. The real protection is turning password authentication off in the SSHd settings so that only your key is accepted. Don’t worry about the port number beyond that – the connection made on this port will forward through to the SSH service on your router without any extra work on your part.

Now you can SSH to your router from the outside world, in the same way that you do from your local network – the only differences are that you need to specify the port, and use the outward-facing IP rather than the local one. When ssh tells you that the authenticity of this new host can’t be established and shows you a fingerprint, compare it with the one you accepted on the LAN before you type yes: it is the same router with the same host key, so a different fingerprint means something else is answering in its place.

ssh -p 19198 root@WANIP

You should replace WANIP with the global address of your local network. This can be a DNS name or an IP address. In the highly likely event that your ISP doesn’t provide you with a static IP address, you won’t necessarily need to keep track of every change of address yourself: DD-WRT can automatically update a number of different dynamic DNS services – take a look at DDNS under the Setup tab for the various options.

So we’ve come this far, but what about that Web GUI? Well, try starting your SSH session with this command:

ssh -p 19198 root@WANIP -L 8080:localhost:80

This starts an SSH session as before, but the last part of the command creates a tunnel from port 8080 on your local machine, to port 80 on the router. Now try opening a browser window to the following URL: http://localhost:8080/

Wow. Presto. There it is. You’ve got your Web GUI from a remote location, and it’s all encrypted through your SSH session. Now the world, quite literally, is at your disposal.
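Once you have connected from outside once, ssh stores the router’s host key under the WAN address and port, alongside the entry it already holds for 192.168.1.1. The two should be identical, and checking that they are is a cheap way to confirm that the host you accepted on autopilot from a coffee shop really was your router. The script below is an added example (not from the article or the DD-WRT project) that compares the two entries in a known_hosts file. It assumes the file is unhashed (HashKnownHosts no), because hashed entries cannot be looked up by name this way; the sample file it builds is constructed for the demonstration with placeholder blobs rather than real keys, and 203.0.113.5 is a documentation address standing in for WANIP.

```shell
#!/bin/sh
# Compare the router's SSH host key as recorded from the LAN with the one
# recorded for its WAN address and port. Added example for this article, not
# DD-WRT code. Assumes an unhashed known_hosts (HashKnownHosts no); entries
# beginning "|1|" are hashed and are skipped, as are comments and markers.

# host_key FILE HOSTSPEC: print "keytype blob" for the first known_hosts
# entry whose comma-separated host list contains HOSTSPEC exactly; 1 if none.
host_key() {
    awk -v want="$2" '
        /^[#|@]/ || NF < 3 { next }
        {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++)
                if (hosts[i] == want) { print $2, $3; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# same_host_key FILE LANSPEC WANSPEC: 0 if both entries exist and carry the
# same key, 1 otherwise. A non-standard port is recorded as "[host]:port".
same_host_key() {
    lan=$(host_key "$1" "$2") || { echo "no known_hosts entry for $2"; return 1; }
    wan=$(host_key "$1" "$3") || { echo "no known_hosts entry for $3"; return 1; }
    if [ "$lan" = "$wan" ]; then
        echo "host key for $3 matches the one recorded for $2"
        return 0
    fi
    echo "MISMATCH: $3 presents a different host key from $2; find out why before logging in"
    return 1
}

# Constructed sample known_hosts. The blobs are placeholders, not real keys:
# the LAN entry and the 19198 WAN entry agree, the 2222 entry does not.
SAMPLE_KNOWN_HOSTS=$(mktemp)
cat > "$SAMPLE_KNOWN_HOSTS" <<'EOF'
# constructed sample for the example above
192.168.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrouter
[203.0.113.5]:19198 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrouter
[203.0.113.5]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDimpostor
EOF

# Usage: same_host_key ~/.ssh/known_hosts 192.168.1.1 '[WANIP]:19198'
```

If you use a dynamic DNS name rather than the raw address, look it up as ‘[yourname.example]:19198’; that is the string ssh records.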

The gauntlet


Now you’ve got access via the Web GUI and SSH, what new things are worth trying? Actually, what new things are not worth trying? If that sounds like a challenge, read it as one.

How about building on the SSH tunnelling method we looked at, and using ssh’s -D option to turn your connection home into a SOCKS5 proxy, so that your traffic from an untrusted network is encrypted all the way back to your router before it heads out? If you’ve got a VPN account, how about connecting with your router as the client? (This can be great for hooking up other, less hackable embedded devices which might not support VPN natively.) Maybe you have a USB mobile broadband dongle? DD-WRT can play with those. Why not try creating an alternative internet feed through your router, for those days when your main ISP connection dies?

If you really want to start playing with fire, you might even find a way to host your own cloud-style file service from a USB hard drive, hanging off the back of your router. It’s not like you were planning on turning your router off, were you?

So there we have it. Some absolutely astounding possibilities that would previously have taken all kinds of wizardry to arrange, running on something you probably already had sitting in a cupboard. Remember that routing network traffic is this device’s bread and butter, so don’t be afraid to make it earn a living!