Linux on the Linksys

by Rob Flickenger

A number of SeattleWireless geeks and I have been working on getting a shell on the Linksys WRT54G access point. It is in fact running Linux 2.4.5 with a number of interesting bits in the filesystem (namely full iptables support, zebra, bridging, and even a Rendezvous responder).


Of course, that's not nearly enough for me. I want NoCat running on this puppy (probably NoCatSplash or Cheshire first, NoCatAuth to follow) along with IP tunnels, maybe vtun, some monitoring code, and maybe even some mesh bits. Since their kernel apparently supports loadable modules, this is all entirely possible. Almost.


We're very close to getting a custom firmware on this puppy, but I'm currently stuck trying to compute a CRC value that the AP will accept (details are up on the SeattleWireless site).


I've just sent this comment to Linksys. It probably won't amount to much, but you never know.


Hello--

I am very excited about your decision to include Linux and other GPL
code in your recent 54G line. It appears from recent firmware updates
that you have very interesting and ambitious plans for this line of
equipment.

I was wondering if you have published the format of your firmware
update files. Parts of it are obviously a CramFS archive and Linux kernel,
as well as various header bits. I imagine a CRC of the file is involved for
error checking purposes, and required for the AP to accept new
firmware.

If the open source community were provided technical details about your
firmware file format, I believe you would see an unprecedented interest
in your 54G line. The ability to run custom Linux software on a
commercial access point would certainly make it one of the most
desirable access points on the market. The lack of documentation for
the firmware header (particularly the CRC and other error checking)
currently makes it difficult to fully customize the 54G line.

My particular interest is in extending your hardware to support
NoCatAuth (http://nocat.net/), the open source captive portal
implementation, as well as other community network oriented software.
This may be outside the scope of your original plans with the 54G line,
but please consider the potential benefit of providing the wireless
community networkers with this information.

Best regards,

--Rob Flickenger

So, while we wait for a reply from Linksys/Cisco, who in the audience is good with bit math?

Had any luck dissecting the Linksys WRT54G firmware?


10 Comments

anonymous2
2003-07-17 07:55:40
Terms and Conditions page
Hi,


I'm trying to set up a free public WiFi hotspot in Birmingham, England. Trouble is that I *need* to have a "terms and conditions" page viewed and accepted by all users before they actually surf the web.


The combination of the WRT54G and NoCatSplash seems like it would meet my requirement admirably. I'm therefore *very* interested to keep tabs on your progress. I'm not too familiar with firmware updates but I'm happy with compiling and running software using cygwin. Hopefully this will be enough to produce a customised "terms and conditions" page and upload it.


Thanks for all your hard work!


Best Regards,
Dave Boden
http://www.emobus.com

anonymous2
2003-07-18 10:01:01
But where are your Broadcom drivers?
When Linksys announced the release of the Linux components I went and downloaded them and poked through, looking to see if they had included any sort of driver for Broadcom's radio, but I didn't see anything.


So, even if you were to get your new firmware onto the WRT54G, wouldn't you still be lacking support for the Radio/MAC?

rflicken
2003-07-18 22:03:29
But where are your Broadcom drivers?
The Broadcom drivers are in the firmware itself, in the form of loadable kernel modules. I can't see a good reason (yet) to change the kernel, but adding some open source software to the (mostly) open source firmware is very straightforward. Mount the CramFS, copy it out, add what you want, and build another one.


But that is all to come, once this CRC issue is resolved.

anonymous2
2003-07-20 04:29:48
Terms and Conditions page
Not sure whether this is what is needed...

/**
 * Utility to calculate what should be put in bytes 8..11
 * within Linksys firmware. It takes the CRC32 of locations
 * 12..end and calculates what should be put in bytes 8..11.
 *
 * From http://seattlewireless.net/index.cgi/WAP54G
 *
 * 8..11 is crc32 checksum of the file from location 12...end and then inversed bits
 * ex crc32 of rest of file is 473D75C1 then location 8..11 will be "3E 8A C2 B8"
 *
 * @author dave@emobus.com
 */
public class ConvertCRC {

    public static void main(String[] args) {
        if (args.length != 1 || args[0].length() != 8) {
            System.out.println("Usage: java -cp . ConvertCRC 473D75C1");
            return;
        }

        // input is definitely an 8 character string
        String input = args[0];

        // Get 4 bytes from the 8 characters on the command line
        byte[] crc32 = new byte[4];
        try {
            crc32[0] = (byte) Integer.parseInt(input.substring(0, 2), 16);
            crc32[1] = (byte) Integer.parseInt(input.substring(2, 4), 16);
            crc32[2] = (byte) Integer.parseInt(input.substring(4, 6), 16);
            crc32[3] = (byte) Integer.parseInt(input.substring(6, 8), 16);
        } catch (NumberFormatException ex) {
            System.out.println(input + " does not contain only hex numeric characters");
            return;
        }

        // Compile the output by moving the bits around:
        // swap the byte order and invert the bits (~ = not)
        byte[] output = new byte[4];
        output[0] = (byte) ~crc32[3];
        output[1] = (byte) ~crc32[2];
        output[2] = (byte) ~crc32[1];
        output[3] = (byte) ~crc32[0];

        System.out.println("Result is: " +
            toHexString(output[0]) +
            toHexString(output[1]) +
            toHexString(output[2]) +
            toHexString(output[3]));
    }

    // A Java byte is signed, so mask it to 0..255 before formatting;
    // otherwise Integer.toHexString sign-extends e.g. 0xC2 to "ffffffc2".
    private static String toHexString(byte b) {
        return String.format("%02x", b & 0xff);
    }
}

anonymous2
2003-07-20 07:52:56
Terms and Conditions page
Hmmm... With my last post (java program) I was getting confused with the WAP54G, which has already been successfully hacked. Doesn't seem to work with the WRT54G unfortunately.


I'm interested in the fact that the reported file size is the actual file size - 1024 bytes. I've therefore been doing CRC checks on the firmware file after removing the first 1024 bytes:


$ dd if=WRT54G_1.30.1_US_code.bin of=crcme bs=32c skip=32c


I get a CRC32 of b2b654c8 and the size of the crcme file is 2740224, the same as what is reported in the header.

rflicken
2003-07-20 11:37:45
Calculating the CRC
Interesting idea. Unfortunately, the magic CRC at 0x28-0x2C is 78 53 6C D5. I wonder if they're slicing it some other way to be 1k smaller and CRC'ing that...


I noticed that about the reported file size as well (how it's 1024 smaller than the actual size.) Coincidentally, this always makes it end in 00 in big endian (29D000), and has for all three versions of the firmware I could find.


Thanks for the code! And for those playing at home who prefer perl to java, here's the crc program I'm using:



#!/usr/bin/perl
use strict;
use warnings;
use String::CRC32;

scalar(@ARGV) || die "Usage: crc32 [file]\n";

for my $file (@ARGV) {
    open(SOMEFILE, "<$file") || die "Couldn't open $file: $!\n";
    binmode(SOMEFILE);                 # firmware images are binary: no newline translation
    my $crc = crc32(*SOMEFILE);        # String::CRC32 reads the whole filehandle
    close(SOMEFILE);

    # CRC32 first, then the file name, then the one's complement in parentheses
    print sprintf('%08x', $crc) . " $file (" . sprintf('%08x', (0xffffffff - $crc)) . ")\n";
}


The first number reported is the CRC32, the second (in parentheses at the end) is the one's complement.

anonymous2
2003-07-23 05:04:44
Calculating the CRC
Good to see that the Seattle Wireless guys seem to have solved it:


$ dd if=WRT54G_1.30.1_US_code.bin of=crcme bs=1c skip=44c count=2740212c


Gives you a CRC of: 2a93ac87


When you flip the bits and 1s complement (using the bit of Java that I posted if you wish) you get the required 78536CD5.


Looks like you strip the 0xFF values from the end of the file (leaving the 0x00 padding where it is) and then take the CRC from byte 44 to the new end of the file.


Cheers,
Dave
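The procedure worked out in the thread (strip trailing 0xFF padding, CRC32 from byte 44 to the new end, then reverse the byte order and invert) can be put into a single verifier so that a modified image can be checked before it is ever offered to the AP. This is an added example, not code from the post or from SeattleWireless; the 64-byte header layout of the constructed sample image, and the sample payload itself, are assumptions made for the example. Note that reversing the bytes of the CRC and inverting them is the same as writing ~crc as a little-endian 32-bit word, which is how the Java converter's result is produced here. The example also shows the edge case in Dave's description: 0x00 padding is left in place, only trailing 0xFF is removed.

```python
import zlib

HEADER_CRC_OFFSET = 0x28  # bytes 0x28..0x2C hold the stored value (from the thread)
CRC_START = 44            # CRC covers byte 44 to the end of the trimmed image (from the thread)


def header_crc_bytes(crc: int) -> bytes:
    """Turn a CRC32 into the 4 header bytes: byte-reverse and invert.

    Same transform as ConvertCRC.java; equivalent to ~crc stored little-endian.
    """
    inverted = (~crc) & 0xFFFFFFFF
    return inverted.to_bytes(4, "little")


def trim_trailing_ff(image: bytes) -> bytes:
    """Strip 0xFF (erased-flash) padding from the end; 0x00 padding stays.

    Edge case: any 0xFF bytes that are really part of the payload are stripped
    too if nothing follows them, which is exactly what the thread's rule implies.
    """
    return image.rstrip(b"\xff")


def compute_firmware_crc(image: bytes) -> int:
    """CRC32 over the trimmed image from CRC_START to its end."""
    body = trim_trailing_ff(image)[CRC_START:]
    return zlib.crc32(body) & 0xFFFFFFFF


def stored_header_crc(image: bytes) -> bytes:
    return image[HEADER_CRC_OFFSET:HEADER_CRC_OFFSET + 4]


def verify_image(image: bytes) -> bool:
    """True if the header field matches the CRC recomputed over the payload."""
    return stored_header_crc(image) == header_crc_bytes(compute_firmware_crc(image))


def patch_header_crc(image: bytes) -> bytes:
    """Copy of the image with the header field recomputed after a modification.

    The field at 0x28..0x2C lies before CRC_START, so rewriting it does not
    change the value being checked.
    """
    buf = bytearray(image)
    buf[HEADER_CRC_OFFSET:HEADER_CRC_OFFSET + 4] = header_crc_bytes(compute_firmware_crc(image))
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware file (assumed layout, not a real image).

    64-byte zero header, a payload ending in 0xFF, 16 bytes of 0x00, then 992
    bytes of 0xFF padding.  Only the final 0xFF run is stripped by the check.
    """
    header = bytes(64)
    payload = bytes(range(256)) * 4         # constructed payload, last byte is 0xFF
    padding = b"\x00" * 16 + b"\xff" * 992  # 0x00 stays, trailing 0xFF is removed
    return patch_header_crc(header + payload + padding)


if __name__ == "__main__":
    # The two values quoted in the thread, reproduced by the transform.
    print(header_crc_bytes(0x473D75C1).hex())  # 3e8ac2b8 (WAP54G example)
    print(header_crc_bytes(0x2A93AC87).hex())  # 78536cd5 (WRT54G 1.30.1 header)
    sample = build_sample_image()
    print("sample verifies:", verify_image(sample))
```

Run against a real file, `verify_image(open(path, "rb").read())` is the check to do before flashing anything; a `False` means either the payload was changed without `patch_header_crc`, or the file is laid out differently from what the thread describes.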

anonymous2
2003-07-23 18:03:43
WRT55AG
Dunno if anyone noticed, but the Linksys WRT55AG (tri-mode router) is running Linux, too..


Imre Kaloz

anonymous2
2003-12-03 13:26:02
Close look up in paris
Hi, here in Paris Wifi Man (joke, roaming on O'Reilly) and his sidekicks are very interested in the development of a custom-made firmware with NoCatSplash and, why not, a mesh networking protocol on the blue/black box delivered by Linksys.


But I try to understand SeattleWireless' pages about what has been done and at which point it is now, and I must confess I have some trouble getting it (surely a language fence :)


So where is it now? We are on the starting blocks here in Paris to set it up.

anonymous2
2003-12-10 12:21:43
WEP/WPA Splash Screen
Would it be possible for me to, instead of locking out people without my key, let them connect... but if they are not using the key when they try to go to a website they just get a page that basically tells them they need to connect using our keys, contact the netadmin for them, etc etc... Sounds like what I want to do would be similar to NoCatSplash, but isn't that basically just a terms/login system? That might suffice, but wouldn't it be better to use WPA and just tell them to enter the key?


I don't know much about wifi technologies yet, I am trying to read up on it... but the fact that I can load stuff on my linksys router should make this much easier...