Router hacking: adventures in DD-WRT land
Mark Pickavance tries his hand at hacking wi-fi routers, but not in the way that most people would immediately assume
I mulled long and hard about putting the words ‘router hacking’ in the title of this feature, because it gives entirely the wrong impression. If you’re looking to use your neighbour’s wi-fi by hacking his router, then move along please - these are not the droids you’re looking for.
No, what I’m talking about is actually gutting the firmware in a branded router, replacing it with a custom ROM, and then having available a truck-load of features that the router doesn’t normally come with. Sounds like fun. Let’s begin with why I wanted to do this, apart from the obvious kudos of doing crazy things in this publication.
Last year I sent my eldest away to university, loaded down with all manner of wonderful tech, including a monster PC that I built specifically for his needs. It works wonderfully, with one small exception: he can’t get it connected to the internet in his student accommodation. The problem is the wi-fi protocol they’ve chosen to use, which is the annoying Enterprise administered version of WPA2.
With the PC I’d provided a Belkin N300 wi-fi adapter that should have done the job, but for whatever reason, it won’t install correctly on the PC. So I sent a Netgear wi-fi adapter that plugs into the LAN, but that doesn’t support WPA2-EAP (Enterprise protocols).
I even sent him a PCI-E adapter, to no avail, and tried to get him to use USB tethering on his Android phone. I think along the way the wireless networking part of Windows has become mashed, and it won’t work.
If he had a laptop, I could share the network to the desktop machine, but he doesn’t have one, and it seems a massive expense to get around the snag.
For a brief time he ran a long LAN cable to the local router, but that annoyed the university’s IT department, which accused him of ‘hacking’. Really? On that basis, what I have planned is probably cyber-warfare designed to destabilise the Western world as we know it.
What I concluded was that I needed some piece of equipment, like the Netgear Universal Wi-fi Internet Adapter, but which supports Enterprise protocols. These are words I associate with two others: ‘very expensive’. That sort of equipment isn’t made to simply connect an Xbox 360 to the internet; it’s made to solve corporate communication problems.
After a bout of head scratching and chin rubbing, I eventually formulated an audacious plan, so cunning that it would be illegal to hunt it down in open countryside; I’d make the device myself using an old router. I was going to say an ‘old cocoa tin’ there, but I’m not MacGyver.
For this experiment I needed a router, specifically one that I knew could be subverted to my needs, and I’d need a firmware with greater features than you might normally expect on a home device. The firmware I’m referring to is called DD-WRT, a third-party router solution made for hardware that’s based on the Broadcom or Atheros chip reference designs. If you’re interested, the firmware, instructions and a compatible hardware list can be found at dd-wrt.com, which is where my journey started.
What’s critical to know about DD-WRT is that almost every router maker has, at some point or another, made hardware based on the two chips it supports, so it’s entirely possible that you have one gathering dust that’s compatible with it. A favourite for DD-WRT enthusiasts is the Linksys WRT54G series, but it has also been compiled for lots of Asus, Belkin, Buffalo, D-Link, Netgear and TP-Link kit, among others.
It comes in three flavours, depending on how much flash memory the router has to store the code. There’s a ‘micro’ version that fits in just 2MB, a standard build that requires 4MB, and the ‘Mega’ build that requires 8MB or more.
Being averse to limitations, I searched for a router that would support the Mega install but that was also cheap and easily purchasable. That router turned out to be the Buffalo AirStation N300 V2, which I bought for the princely sum of £31, including delivery.
A few days after I ordered it, the Airstation arrived, although it looked like something very heavy had been dropped on the packaging while it transited our noble postal service. Amazingly, even with this excessively abusive treatment, it still worked.
In the greater scheme of Buffalo cable routers, the AirStation N300 is just one rung from the bottom of their AirStation ladder, having ‘n’ class wi-fi, but no external antennas. What it does give me is a platform for development, with a four-port 10/100 router
In looking at the feature grid that Buffalo put on the rear of the box, it’s also interesting to note that on the next rung up, the AirStation HighPower N150 and above, Buffalo itself uses a version of the DD-WRT firmware, but not on this model. That’s fine, because I can fix that. To do so, it is critical that I know the exact version of this box, which in my particular case is the WHR-G300N V2. Why is that important? Because the firmware is compiled on a per router version basis, and getting the wrong firmware on board could be terminal for it, and a massive waste of my time and money.
The DD-WRT.com website is full of useful information, but the really critical stuff is about flashing the firmware, and there’s even a page specifically for my router, at tinyurl.com/d3y4kqd.
Before starting the process, it’s critical that you connect a PC to the router and establish web access to it, bringing up the Buffalo firmware interface. You’ll also need to go the File Download section of the DD-WRT site and locate the correct files for the upgrade. That can be slightly tricky, because it doesn’t just offer you one or even a couple of choices. In fact, every version of DD-WRT ever compiled for this and every other supported router is on there.
When I first tried this, I got the wrong file, mistaking the buffalo_whr_hp_g300nh2 for the one I actually wanted, the buffalo_whr_g300nv2. This wasn’t a fatal error, as it turned out, because it just wouldn’t flash, thankfully. You might not be so lucky, so triple-check you have the right folder and files. The fact that even after warning you, and fully understanding myself how important it was to get this right, I still got it wrong is pretty abysmal, I accept. Of course, I do these stupid things so you don’t need to - at least that’s the argument I’m going to make.
In the designated folder are two files, one called buffalo-to-dd-wrt_webflash-MULTI.bin and another called whr-g300nv2-firmware-MULTI.bin. You need both. Buffalo, in its almost infinite wisdom, decided that it would allow only encrypted firmware on its routers, presumably to stop the likes of me doing what I’m about to do. However, the nice Mr BrainSlayer at DD-WRT made a special version of his firmware, the buffalo-to-dd-wrt_webflash-MULTI.bin version that will install through Buffalo’s own firmware upgrade option. Once that’s in place, you can install any version of DD-WRT directly.
Once I had the right file, all I did was go to the ‘Update’ part of the Buffalo firmware, selected the buffalo-to-dd-wrt_webflash-MULTI.bin file as the one to use, clicked the button marked ‘Update Firmware’, and crossed my fingers. A few minutes later, the router rebooted and asked me to provide a new admin password, before revealing the entirely new DD-WRT firmware.
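The near miss with the wrong folder is the part of this procedure that deserves a check before the ‘Update Firmware’ button is pressed. The script below is an added example, not anything from the article or from the DD-WRT project: it refuses to proceed unless the image’s file name carries the exact model string printed on the router’s label and the file’s SHA-256 matches a value you recorded yourself from a trusted source (the hash shown in the usage line is a constructed placeholder, not a real DD-WRT checksum). The `check_firmware` and `file_sha256` names are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check before flashing a router image (added example, not from DD-WRT).
# Two things must both hold: the file is built for THIS hardware revision (the
# model string from the router's own label appears in the file name), and the
# file is byte-for-byte the one you meant to download (SHA-256 matches).
set -u

# SHA-256 of a file; uses coreutils sha256sum where present, else BSD/macOS shasum.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_firmware MODEL FILE EXPECTED_SHA256
# Returns 0 only when the file exists, its name contains MODEL, and the hash matches.
# Non-zero return codes say which check failed: 1 missing, 2 wrong model, 3 wrong hash.
check_firmware() {
  model=$1; file=$2; expected=$3
  [ -f "$file" ] || { echo "no such file: $file"; return 1; }
  case "$(basename "$file")" in
    *"$model"*) ;;   # model string present in the file name
    *) echo "model mismatch: '$(basename "$file")' does not contain '$model'"; return 2 ;;
  esac
  actual=$(file_sha256 "$file")
  if [ "$actual" != "$expected" ]; then
    echo "hash mismatch for $file"
    echo "  expected $expected"
    echo "  got      $actual"
    return 3
  fi
  echo "ok: $file is built for $model and matches the recorded hash"
  return 0
}

# Usage (hash below is a constructed placeholder, replace it with the value you recorded):
#   sh preflight.sh g300nv2 buffalo-to-dd-wrt_webflash-MULTI.bin 0000000000000000000000000000000000000000000000000000000000000000
if [ $# -ge 3 ]; then
  check_firmware "$1" "$2" "$3"
fi
```

Run it against each of the two files from the designated folder with the model string from the label (here `g300nv2`); the `hp_g300nh2` image the author picked up by mistake fails the model check and never gets as far as the hash comparison.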
For those who don’t like what they see and want the cosy Buffalo firmware back, then the instructions to do this are on the DD-WRT website. Just to warn you, though, they involve using an Ubuntu 9.04 desktop live CD and an application called TFTP, so if you’re concerned by the idea of using Linux, you should either not go down this route or be prepared to live with DD-WRT once it’s on the router.
If you ‘brick’ the equipment, either because the installation was interrupted by the power being removed or you flashed the wrong firmware, then it might be possible to resurrect the router using the Ubuntu methodology, but don’t quote me on that.
Trials and tribulations
What’s slightly daunting for even someone technically minded is the options that DD-WRT provides. There is so much here, and many of these features aren’t commonly found on end-user equipment, and some are rare even on professional kit.
As part of solving my problem, I first thought about creating a client bridge, which means creating another network joined to the existing infrastructure by wi-fi. I would document my attempts to create a client bridge, but they ended in failure, sadly. It later transpired that at some point in the development of DD-WRT, some features got broken, which it appears have yet to be fixed. I was advised to find an earlier version of DD-WRT where these things still worked, which I did and re-flashed.
As an alternative to the client bridge, I thought it might be better to try the much less ambitious ‘client mode’, where the router becomes a LAN-connected wi-fi adapter, which would solve my problem just as well.
The process for doing this is relatively straightforward, so I’ll describe exactly what I did. Before I began, I entirely reset the router so that any settings from any previous attempts were erased. Then I logged into the router using the DD-WRT web interface from my test rig.
1. Opened the Wireless > Wireless Security page and put in the correct security mode and password for my existing BT wi-fi router.
2. Switched to Wireless > Basic Settings and selected ‘Client’ as the mode to use, and altered the SSID from dd-wrt to exactly the same name as my existing router. Saved those settings, NOT applied!
3. Went from there to Setup > Basic Setup and changed ‘Connection’, and made sure that DHCP was set to ‘Automatic’, which it should be.
4. On this same panel I also altered the IP from the default 192.168.1.1 to 192.168.2.1, because this router must be on a different sub-network to the existing BT router for this to all work. Again, ‘save’ not ‘apply’.
5. The last job is to disable the firewall, which you’ll find at Security > Firewall. It’s not really required to have multiple firewalls, and it could stop things working correctly. Once this is set, you can finally ‘Apply’ and after a short while the PC will connect to the internet through the ‘client mode’ router.
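Two of those steps are the ones that silently fail if you get them slightly wrong: the SSID in step 2 has to match the existing router’s name exactly (case and spaces included), and the address in step 4 has to land on a different subnet from the upstream router. The script below is an added example, not part of the article or of DD-WRT, that checks both before you press ‘Apply’. The function names (`ip_to_int`, `same_subnet`, `client_mode_preflight`) and the SSID and addresses in the usage line are assumptions and constructed sample values; it goes a little beyond the article by handling any prefix length, not just the /24 used there.

```shell
#!/bin/sh
# Sanity checks for DD-WRT client-mode settings before 'Apply' (added example).
set -u

# Dotted-quad IPv4 -> integer, for subnet arithmetic. Returns 1 on malformed input.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac   # must be all digits
    [ "$o" -le 255 ] || return 1                  # and an octet
  done
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# same_subnet IP1 IP2 PREFIXLEN
# 0 when both addresses fall in the same /PREFIXLEN network, 1 when they do not,
# 2 when either address is malformed.
same_subnet() {
  i1=$(ip_to_int "$1") || return 2
  i2=$(ip_to_int "$2") || return 2
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( i1 & mask )) -eq $(( i2 & mask )) ]
}

# client_mode_preflight UPSTREAM_SSID CLIENT_SSID UPSTREAM_LAN_IP PREFIXLEN CLIENT_LAN_IP
# Step 2: SSID must match byte for byte.  Step 4: client-mode router must sit on
# a different subnet from the upstream router.  Returns 0 only if both hold.
client_mode_preflight() {
  up_ssid=$1; cl_ssid=$2; up_ip=$3; prefix=$4; cl_ip=$5
  status=0
  if [ "$up_ssid" != "$cl_ssid" ]; then
    echo "SSID mismatch: router has '$cl_ssid' but the upstream network is '$up_ssid'"
    status=1
  fi
  rc=0
  same_subnet "$up_ip" "$cl_ip" "$prefix" || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "subnet clash: $cl_ip is inside $up_ip/$prefix; move the router to another subnet"
    status=1
  elif [ "$rc" -eq 2 ]; then
    echo "malformed address: check '$up_ip' and '$cl_ip'"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "ok: SSID matches and $cl_ip is outside $up_ip/$prefix"
  return "$status"
}

# Usage with constructed sample values (a BT router at 192.168.1.254/24, the
# DD-WRT box moved to 192.168.2.1 as in step 4):
#   sh preflight.sh "BTHub-1234" "BTHub-1234" 192.168.1.254 24 192.168.2.1
if [ $# -ge 5 ]; then
  client_mode_preflight "$1" "$2" "$3" "$4" "$5"
fi
```

Leaving the DD-WRT box at its default 192.168.1.1 is exactly the case the second check catches: with a /24 upstream, 192.168.1.1 and 192.168.1.254 share a network, so the script reports a clash and exits non-zero.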
What was great about this, from purely a confidence perspective, was that it worked, and very well too. If it doesn’t, then I’d reset the router and start from scratch, and more instructions can be found on DD-WRT.com if you want the confidence of its more detailed job list. If it does work, then the best course of action is to back up the settings to your PC, so that should you want to deploy the router for that purpose you have a file that can do it in a single stroke.
My assumption was that if I could get this to work at home, then I should be able to do the same elsewhere, which annoyingly wasn’t the case. However, this isn’t the only trick that DD-WRT can do; it has an amazing selection of other applications that cover a wide range of wi-fi situations.
What else can DD-WRT do?
Given that I used the ‘Mega’ 8MB install, the version on the WHR-G300N (V2) has all the features that have so far been baked into DD-WRT. That includes bandwidth monitoring, dynamic DNS, full IPv6 support, OpenVPN, QoS, Samba/CIFS client, SNMP, Telnetd, XLink Kai Console Gaming Network (for the Xbox 360), UPnP, WoL (Wake On LAN), WPA/WPA2 personal/enterprise and RADIUS authentication.
You can also use the router to be a client, client bridge, repeater, repeater bridge, as part of a WDS (Wireless Distribution System), or OLSR (Optimized Link State Routing Protocol) mesh network where you have multiple connections to the internet on different routers.
If the router you use has USB (mine didn’t), then you can use it as a NAS box or for printer sharing. In short, if you can think of a job that a router might feasibly do, then one that’s running the Mega version of DD-WRT will probably do that, with a little encouragement.
It’s also worth noting that development of DD-WRT is ongoing, so it’s possible that new features might be added, and some of the less reliable ones improved or fixed.
The thinking behind it is to allow older equipment to be repurposed, and for routers to have their true power exposed for those who wish to wield it.
I’ve since travelled the 360 mile round trip to where my son is located and tried to deploy the equipment. It turned out to be a stressful exercise that entirely ignored all the effort I’d made in preparing this device.
Being a reformed optimist, I did consider that this might not work in situ and I came armed with a series of backup plans, like using a small PC with working wi-fi that I’d turn into a bridge, and also a few other options. Disappointingly, in the end this solution didn’t work, because once I selected the correct wi-fi protocol, WPA2-Enterprise, other key features I needed disappeared from the menus. This is one of the idiosyncrasies of DD-WRT: features don’t simply grey out when they’re unavailable; they vanish from the interface altogether, making you wonder if you’re even in the right part of the configuration any longer. I tried a few variations on my original configuration but, for whatever reason, I wasn’t successful.
My backup plans didn’t work either, because along the way one of the installations that had previously been tried overwrote a critical system file with a 32-bit one, when the installation is 64-bit. Networking on the PC was therefore compromised, which impacted on both wi-fi and wired options.
With Windows networking entirely mucked up, I was forced to do a repair installation to get the system straight, which took more than three hours to complete. The alternative was to reinstall the image I’d made of the system when it was deployed, but that was a last resort based on all the changes that had occurred since that point.
Luckily, the repair installation did work, and I was able to then try out options that had previously failed to work. In the end I was able to use an old Android phone with USB tethering to actually establish a link, and convince Windows that the rest of the world still existed. I’m sure that some of the other options, like the Belkin N300 would now probably work too, but I’d run out of time to experiment.
I’ve since brought the router back home and intend to use it as a range extender, a feature that was actually in the Buffalo version of DD-WRT. I could return the router to its original firmware, but that is a more complicated exercise than ousting it was, so I probably won’t bother.
As for this project in a wider context, it was fascinating. What it revealed is that most router makers start with almost identical hardware, which they box in different plastic cases and then decide what features they’ll give their customers.
What this all proves is that many cheap routers (often the cheaper the better) can be reprogrammed to have features that even the top-of-the-range equipment doesn’t have, and even stuff that’s held back for ‘Enterprise’ customers.
However, as with most things like this, there’s a caveat. It’s very possible through bad luck or a mistake to utterly brick a working piece of hardware for which you’ve paid good money. With that in mind, these adventures aren’t for those who get easily scared or can’t afford the odd disaster.
What this exercise also tells us is to never assume any plan will work, and always have a second plan and maybe even more alternatives should things not play out as you assumed.