Today, I bought a Linksys WRT54G V3.1 Wireless Router from my usual local store. Although it uses a heavily customized Linux version internally, it is quite limited. For instance, it does not allow remote administration via SSH, only through a nice Web interface. So, after playing a little bit with it, I decided to install OpenWRT onto it. At the time of this writing, the only stable, binary release was WhiteRussian-RC2 from July 19th.
Installing OpenWRT is a little bit tricky. Before being able to flash the OpenWRT firmware, you are instructed to set an NVRAM variable named boot_wait to on, since this will introduce a three-second delay, just after the router is powered up, for the administrator to upload a new firmware image via TFTP. Also, enabling boot_wait makes troubleshooting and recovery a little bit easier.
The problem is that changing this NVRAM variable is not easy, since the router’s Web interface does not offer that ability. Instead, as instructed by the OpenWRT documentation Wiki, I exploited a bug in the Ping.asp page of the Web interface which allows injecting shell code into the router. In short, the shell code makes a copy of the file /usr/sbin/nvram into /tmp/n and then uses it to run the following commands:
    /tmp/n set boot_wait=on
    /tmp/n commit
The next step is launching a TFTP client on a workstation attached to one of the four LAN ports of the WRT54G and having it ready to upload the firmware binary image to the router at its factory-default address 192.168.1.1.
The OpenWRT download page offers firmware binary images for several hardware platforms in two formats: SquashFS and JFFS2.
SquashFS is the preferred one, since it’s the most mature and allows for an easier recovery in case the router’s filesystem gets corrupted.
The SquashFS firmware is composed of two parts: the combination of a SquashFS ROM filesystem and a JFFS2 writeable flash filesystem. The SquashFS ROM is mounted at /root while JFFS2 is used as / containing a lot of symbolic links to files located under /root (that is, in the ROM).
The JFFS2 firmware uses a JFFS2 filesystem entirely. Thus, the whole filesystem is writeable, which can lead to accidental corruption. Recovery is more difficult, since critical configuration or binary files could get destroyed or corrupted.
So, I chose the SquashFS firmware. I fired up my TFTP client and configured it to auto-retransmit the firmware file continuously, for 60 seconds, to the router’s IP (which, by default, is 192.168.1.1):
    tftp 192.168.1.1
    tftp> binary
    tftp> rexmt 1
    tftp> timeout 60
    tftp> trace
    Packet tracing on
    tftp> put openwrt-wrt54g-squashfs.bin
Once the router is powered up, it will wait for three seconds for the firmware to be uploaded, so there is a small time window for this to succeed. In fact, it took me two attempts to get the firmware downloaded properly to the WRT54G. The router rebooted itself, turned the DMZ LED on for a while, then turned it off, which means the router is ready. Once the firmware was uploaded, the router rebooted itself into OpenWRT, a pure Linux box.
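What the tftp session above does on the wire, as an added Python sketch that is not part of the original post: the write request is resent every rexmt seconds until the bootloader answers inside its boot_wait window, then the image goes out in 512-byte blocks. The function names are illustrative, and it assumes the bootloader speaks plain RFC 1350 TFTP in octet (binary) mode.

```python
import socket
import struct
import time

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK = 512  # RFC 1350 data block size; a shorter block ends the transfer

def wrq(filename):
    """Write request: opcode, file name, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_WRQ) + filename.encode("ascii") + b"\0octet\0"

def data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload

def parse_ack(packet):
    """Return the acknowledged block number, or None if this is no ACK."""
    if len(packet) < 4:
        return None
    op, block = struct.unpack("!HH", packet[:4])
    if op == OP_ERROR:
        raise IOError("TFTP error %d: %r" % (block, packet[4:]))
    return block if op == OP_ACK else None

def put(image, filename, host="192.168.1.1", port=69, rexmt=1.0, timeout=60.0):
    """Upload image; resend each packet every rexmt s, give up after timeout s.
    Returns the number of data blocks the receiver acknowledged."""
    # The extra range step yields an empty last block for multiples of 512.
    chunks = [image[i:i + BLOCK] for i in range(0, len(image) + 1, BLOCK)]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(rexmt)
    peer, packet, expect = (host, port), wrq(filename), 0
    deadline = time.monotonic() + timeout
    try:
        while time.monotonic() < deadline:
            sock.sendto(packet, peer)   # first pass: WRQ, repeated until answered
            try:
                reply, addr = sock.recvfrom(1024)
            except socket.timeout:
                continue                # nothing listening yet: retransmit
            if parse_ack(reply) != expect:
                continue                # stale or unrelated packet
            peer = addr                 # follow the server's transfer port
            if expect == len(chunks):
                return expect
            packet = data(expect + 1, chunks[expect])
            expect += 1
            deadline = time.monotonic() + timeout
        raise TimeoutError("no acknowledgement within %.0f s" % timeout)
    finally:
        sock.close()
```

Calling put() with the image bytes before powering the router on reproduces the retransmit behaviour of the session above: the request keeps going out once per second until something at 192.168.1.1 acknowledges it.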
OpenWRT gives so much freedom when compared to the original firmware. By default, it bridges wired LAN and wireless traffic together, while still having a WAN interface, but it can be easily reconfigured to act as a three-leg router acting as Wireless AP, or it can be reconfigured so the Wireless interface behaves as a client instead.
I’m still playing with it, but I have a lot of expectations about it.