So I thought I would tell you about a fairly new router firmware. This is not going to be an uber geek post, just a quick overview and my thoughts.
I like to play with new firmwares on my router. I have played with most stock firmwares, DDWRT, Tomato, and a few others. However; one day while looking for Vlan support on my Linksys WRTSL54GS I came across PacketProtector. I was intrigued, and thought I'd give it a go.
The folks that run the forum were very supportive and helpful when I ran into some Vlan problem and helped me as much as they could. Unfortunately no matter what I did or tried I could not get Vlan to work. However that was about a year ago, and here we are today!
PacketProtector is built on top of OpenWRT and aims for and easy and intuitive network security OS for a few different types of routers. PacketProtector is still in its infancy and has only been around for a few years with only a hand full of developers.
Considering the lack of users and developers that the packetprotector community has, the project has not slowed down one bit. They continue to push the security bar and have continued bug fixes, development, enhancements, and releases with loyal dedication some larger projects wish they had.
Installation is easy as you can tell by their documentation.
On my WRTSL54GS it was as simple as uploading the Packetprotector .bin file to the administrative "Upgrade Firmware" interface on tomato.
Side Note:
Before I installed PP, I did a backup of my routers config so if need be I could revert back to my original settings.
I eventual went back to Tomato just to test a few things out. (Just to see how easy it would be to revert back to tomato)
To get to back Tomato all I did was go to "system-Upgrade" in PP and uploaded the tomato.trx file. Once that was complete I uploaded tomato for the WRTSL54GS .
Now once I did that, I noticed something funny. All my original configurations were still there...nothing was lost or changed. This in theory could cause problems. It may be a good idea to do a system rest or clear the NVRAM on the router before installing PP.
Packetprotector by default is set with security in mind and automatically has https enabled at install, and has wireless disabled.
Once you log onto the Packet Protector Webif you will be greeted with a message stating "Default password hash Found!" With a link to change the password. However you should install the USB drive before you do anything.
So per the documentation we add the files from the USB tarball to the root of the drive. (Drive needs to be formatted Fat16, or ext3). So in the root of the drive you should have a "packetetprotector" directory and a "packetetprotector_home" directory.) From there we "turn off" the router and install the USB Drive. Once that is complete turn the router back on and wait for it to boot.
As you can see Packet Protector aims for a user friendly webif but falls short here for any noob. However if its power and control you seek its all right there under the hood! Packet protector allows you to install new packages (need to be connected online for that) and uses Opendns by default.
As you can see from the description from the main site this is not an average firmware.
a stateful firewall (iptables)
WPA/WPA2 Enterprise wireless (802.1X and PEAP with FreeRADIUS)
intrusion prevention (Snort-inline)
remote access VPN (OpenVPN)
content filtering/parental controls (DansGuardian)
web antivirus (DG + ClamAV)
a local certificate authority (OpenSSL)
secure management interfaces (SSH and HTTPS)
advanced firewall scripts for blocking IM and P2P apps
IP spoofing prevention (Linux rp_filter)
basic protocol anomaly detection (ipt_unclean)
anti-phishing (OpenDNS)
automatic signature/rule updates
Each of these services is automatically bootstrapped and configured with sensible defaults. A secure web interface makes common configuration tasks as simple as a point and click.
Not too bad ha....? Packet Protector has lots to offer for any security geek out there. However I would say noob's may want to hold off on this one for a while.
As with all things good there are a few downers. As I mentioned before the web interface needs a lot of work and may confuse or be difficult for a noob. There are also some things I'd like to see added to the Webif such as an easy way of turning the router into a secure proxy, add-blocking with a black and white list, an option for DNSOmatic in the dynDNS tab, as well as multiple DHCP servers for Vlans.
As of writing this there is currently a discussion going on about the Webif being updated. Feel free to join in!
In closing Packetprotector has major potential to be a major player in the 3rd party router firmware world. They could be a big hitter among security geeks everywhere, but could user a bigger developer and user base to get there. I look forward to being part of that community and hope you will join me.
Showing posts with label DDWRT. Show all posts
Showing posts with label DDWRT. Show all posts
Monday, December 7, 2009
Thursday, September 4, 2008
DDWRT....Fail....Well Kinda.
Updated 22Sep08
Revised- MAC address with skynet, and if update fails.
Update 05Oct08
There is now a non-JTAG flash look here.
Well I install DDWRT on one of my routers and had most of the features I wanted/needed. Only problem is the router that supports Vlan doesn't support HTTPS, and the router that does support HTTPS doesn't support Vlan.
So what to do???
Goto ebay!
I did a little reading and it looks like the Linksys T Mobile Model WRT54G-TM is a lot like the Linksys WRT54GS.
I decide to take a little gamble and buy one for $26. (You can buy these off ebay anywhere from $25-$60. Most of the $60 WRT54G-TM already have DDWRT installed.)
Revised- MAC address with skynet, and if update fails.
Update 05Oct08
There is now a non-JTAG flash look here.
Well I install DDWRT on one of my routers and had most of the features I wanted/needed. Only problem is the router that supports Vlan doesn't support HTTPS, and the router that does support HTTPS doesn't support Vlan.
So what to do???
Goto ebay!
I did a little reading and it looks like the Linksys T Mobile Model WRT54G-TM is a lot like the Linksys WRT54GS.
I decide to take a little gamble and buy one for $26. (You can buy these off ebay anywhere from $25-$60. Most of the $60 WRT54G-TM already have DDWRT installed.)
I dont know if Vlan works on it but the specs look dame good!
32 MB of Ram
8 MB of flash
200 MHz CPU.
Sounds good to me!
32 MB of Ram
8 MB of flash
200 MHz CPU.
Sounds good to me!
Update:
After I did the research and asked a few question, I made a post in a forum. Once I did that I noticed prices on ebay for these have more than doubled....guess I shouldn't post in forums...
Cheapest I've seen as of now is $50 with shipping and no ddwrt.
So part of the gamble includes not having any idea how to flash this thing. It seems that there are a few tools needed to do so. A JTAG cabel, and some other software.
If I'm lucky the folks over at DDWRT have the web GUI working. If not, there's a few things I can try.
So Lets See If The Web GUI Works Shall We?
If the Web GUI doesn't work we'll have to do a little hardware modification. So lets begin and see what happens!
Seems good so far!
Nice!!!
Not so Nice.... It lied to me!
Once the web interface came back up there was a popup basically saying its going to revert back to its original state.
Ok So Lets Mod The Hardware!
Well the Web interface didn't work, so I bought a JTAG cable from here.
I also went to Radioshack and bought some heat sinks for the routers processor model CL-C0025
To disassemble the router, take a look at the video below.
Now that the headers are soldered on , lets connect the JTAG.
Setup The Software:
Make A CFE File With Your MAC Address.
Open Skynet "Bootloader Creator"
Select WRT54GL v1 from the drop down list.
Enter you MAC address in the "Devices Labeled MAC Address"
NOTE: If your ISP gives you an IP based off of you mac address, you will need to set the MAC address -1 when creating the CFE.BIN.
Example:
If your MAC address is (the MAC that is needed) 00:0F:B9:AA:D1:C2
Create the CFE.BIN with the MAC Address 00:0F:B9:AA:D1:C1
By doing this your Wan MAC Address will automatically be assigned 00:0F:B9:AA:D1:C2 when the WRT54G-TM is flashed.
Click "Create CFE.BIN"
Save the file in the same directory as the tjtagv2.exe
Unplug then replug the router you are JTAG flashing. You should see the power light flashing and most or all of the LAN ports lit.
In a command prompt execute the following:
tjtagv2 -flash:cfe /noemw /noreset
Note: Total flash time for the CFE.bin file took around 8 minutes.
After it's done flashing wait a minute or so. Power cycle the router. You should see the power light flashing and no LAN ports lit. Plug an Ethernet cable from your PC (with a static IP) to the router. You should see the port you just plugged into light up on the router.
TFTP:
So part of the gamble includes not having any idea how to flash this thing. It seems that there are a few tools needed to do so. A JTAG cabel, and some other software.
If I'm lucky the folks over at DDWRT have the web GUI working. If not, there's a few things I can try.
So Lets See If The Web GUI Works Shall We?
If the Web GUI doesn't work we'll have to do a little hardware modification. So lets begin and see what happens!
Seems good so far!
Nice!!!
Not so Nice.... It lied to me!
Once the web interface came back up there was a popup basically saying its going to revert back to its original state.
Ok So Lets Mod The Hardware!
Well the Web interface didn't work, so I bought a JTAG cable from here.
I also went to Radioshack and bought some heat sinks for the routers processor model CL-C0025
To disassemble the router, take a look at the video below.
Next I install the headers on the router JP-1 (JTAG 12 pin)
The JTAG is always going to be the twelve pin (On the WRT54G-TM it is labeled JP-1)
There is also a ten pin for serial (JP-2 on the WRT54G-TM)
The JTAG is always going to be the twelve pin (On the WRT54G-TM it is labeled JP-1)
There is also a ten pin for serial (JP-2 on the WRT54G-TM)
I also installed the heat sink on the processor, and memory. (little overkill on the memory)
Now that the headers are soldered on , lets connect the JTAG.
Download some software:
Setup The Software:
tjtag
Extract tjtag. Once tjtag is extracted copy the giveio.sys that is located in tjtagv2-1-4\windows directory, to the C:\windows\system32\drivers.
Note: The skynet tool can supposedly do this automatically but always fails, so you better off doing it manually.
Execute the loaddrv.exe to load the tjtag driver.
Skynet tool can also do this, if you want to use a GUI skip this part and goto the skynet section and read about the "Parallel port driver loader".
Skynet
Install skynet
Open the "Bootloader Creator"
Check for updates. Click "Online Update"
Click "Seek for Updates"
Click "Cancel"
To load the driver using skynet, open the "Parallel port driver loader"
append the path c:\windows\system32\drivers\ with giveio.sys
example:
c:\windows\system32\drivers\giveio.sys
Click "Start", the driver should now be loaded.
Hook up the router via the JTAG cable to the parallel port. Open a CMD and make sure you're in the same directory where the tjtagv2.exe is located.
Execute this command "tjtagv2 -probeonly /noemw" (without the quotes).
If you get a response showing the chip set and flash info, then you've successfully installed the JTAG header and the giveio.sys file.
Now that the JTAG is connected and the driver is loaded, do the following:
tjtagv2 -backup:wholeflash /noemw /noreset
This will back up the whole flash to a file. It will take a while!
tjtagv2 -erase:wholeflash /noemw /noreset
This command will wipe out the flash.
Note: If erasing doesn't work the first time just Ctrl + C out. Power cycle the router and try again.
Make A CFE File With Your MAC Address.
Open Skynet "Bootloader Creator"
Select WRT54GL v1 from the drop down list.
Enter you MAC address in the "Devices Labeled MAC Address"
NOTE: If your ISP gives you an IP based off of you mac address, you will need to set the MAC address -1 when creating the CFE.BIN.
Example:
If your MAC address is (the MAC that is needed) 00:0F:B9:AA:D1:C2
Create the CFE.BIN with the MAC Address 00:0F:B9:AA:D1:C1
By doing this your Wan MAC Address will automatically be assigned 00:0F:B9:AA:D1:C2 when the WRT54G-TM is flashed.
Click "Create CFE.BIN"
Save the file in the same directory as the tjtagv2.exe
Unplug then replug the router you are JTAG flashing. You should see the power light flashing and most or all of the LAN ports lit.
In a command prompt execute the following:
tjtagv2 -flash:cfe /noemw /noreset
Note: Total flash time for the CFE.bin file took around 8 minutes.
After it's done flashing wait a minute or so. Power cycle the router. You should see the power light flashing and no LAN ports lit. Plug an Ethernet cable from your PC (with a static IP) to the router. You should see the port you just plugged into light up on the router.
TFTP:
Execute the TFTP program and enter the routers IP address in the Server field. The default factory router IP is 192.168.1.1. The default factory router password is admin. Now browse for the WRT54GL Linksys firmware.
It should look something like this, yours may look different.
Transfer the firmware image to the router by clicking "Upgrade". It should upload to the router fairly quick, but let it sit a minute or so. The router will reboot its self once complete.
Open a web browser and Enter 192.168.1.1. Log on to the router with the default password. (No user name and admin for the password.) Go to the firmware upgrade page and now browse for your DD-WRT v24 firmware.
If the firmware fails to up load from the web interface, reset the router by pressing the reset button on the back of the router next to the "Internet" port. Once the router comes back up try to upload the firmware again from the web interface. If it Fails again, download the mini and try to flash it. Once it has flashed go back to the firmware upgrade page and update to the mega.
Do the update,let it sit a minute or so. The router will reboot its self once complete.
There ya go!! All done!
A lot of this info was taken from the DDWRT forums. A user called dacman61 did all the hard work. I just cleaned it up, and updated it a bit.
Stay tuned, as my next project will be to create a VLAN for different devices on my network!
Open a web browser and Enter 192.168.1.1. Log on to the router with the default password. (No user name and admin for the password.) Go to the firmware upgrade page and now browse for your DD-WRT v24 firmware.
If the firmware fails to up load from the web interface, reset the router by pressing the reset button on the back of the router next to the "Internet" port. Once the router comes back up try to upload the firmware again from the web interface. If it Fails again, download the mini and try to flash it. Once it has flashed go back to the firmware upgrade page and update to the mega.
Do the update,let it sit a minute or so. The router will reboot its self once complete.
There ya go!! All done!
A lot of this info was taken from the DDWRT forums. A user called dacman61 did all the hard work. I just cleaned it up, and updated it a bit.
Stay tuned, as my next project will be to create a VLAN for different devices on my network!
Subscribe to:
Posts (Atom)