Welcome to the CSIR Meraka Institute's "COIN" Blog

Tuesday, August 17, 2004

My experience getting shell prompt on Linksys WRT54G

This amazing little cheap wireless router can be customized with a new version of linux or extra user applications by making use of a PING backdoor. The PING backdoor allows you to send commands to the box through a PING diagnostic command running from its httpd service.

Step 1:

Get the box connected your computer by plugging the supplied ethernet cable into a free network port on your PC and one of the 4 network ports on the Linksys (Not the port which is called internet)

Step 2:

Make sure the port you are using on your PC has DHCP enabled. Your machine will be given an IP address in the range 192.168.1.x. The Linksys is always 192.168.1.1 by default. Try to ping the Linksys box

#ping 192.168.1.1

Step 3:

Open a web browser (make sure your proxy is turned off or set a proxy exception for 192.168.1.1). Open the Linksys web administration page opening the following URL

http://192.168.1.1

Browse around here and check some its cool features.

Step 4:

Now it's time to test out the PING backdoor:

Go to the Administration - Diagnostic screen and click on PING
In the box "IP Address or Domain Name:", type

'ls>tmp/ping.log"

Wow - who would have thought you can execute commands on the box using PING - this backdoor will be exploited later to access the box and upload programs to it.

Step 5:

Download and configure the batbox installation

Batbox site (seems to be problem with dns at the moment)
Local site (alternative location)

Unzip this with

# gunzip < wrt54g-0.51.tar.gz.tar | tar xvf -

Look at the README file
Edit the script wrt54g.sh and make the following changes

PASSWORD=admin

If you have java installed you can leave the script as is If you don't have java but you do have wget installed uncomment the lines

# PROGRAM="wget --quiet ....
# EXTRA="" ....

if you don't have wget or java installed make sure you install these If you are using cygwin: MAke sure ttcp is installed and copy the ttcp program from /usr/bin to the current wrt54g directory

Step 6:

Execute the script # ./wrt54g.sh After the script executes, you should be able to telnet to the box # telnet 192.168.1.1

The script also installs a new page on the web server, access it by going to the following URL

http://192.168.1.1:8000/

Step 7:

Get the cross compiler tools for MIPS from

Batbox site

and start compiling and testing your own applications ...
soon to follow - instructions and transferring your own application - will be based on the batbox script


Friday, August 13, 2004

Wednesday, August 11, 2004

Quick Edit links enabled on this blog

Enabled Quick Edit links. This gives you quick and direct access to edit your posts after they've been published. You see the "pencil" icon on your own posts only. This requires that cookies are enabled on your browser so that the server knows who is logged in.

Tuesday, August 10, 2004

DAKnet a wireless store and forward solution in India

Interesting way of getting access to rural areas without the use of fixed access points. Information is stored and forwarded when the mobile access point vehicle drives past.

Media Lab Asia -- Research

Monday, August 09, 2004

Mesh, IP allocation and IP Routing

One of the ourstganding issues amongst the mesh gurus is the issue of IP allocation. The general approach is to assign each person in the mesh a staic Ip in the 10.x.x.x or 192.168.x.x range. The ideal is to give everyone a generic box - they install it, turn it on, and it automatically gets assigned an IP, updates it's routing table based on the mesh routing algorithm being used, gets a gateway and a dns (basically like DHCP)

Here is a discussion about handing out IP's between networked PC's with multiple hops

[BAWUG] Mesh, IP allocation and IP Routing

Wireless community network - definition

Good definitition with complete list of wireless community network activities in North Ameria, Europe and Australia

Wireless community network - Wikipedia, the free encyclopedia

Nice site with WiFi antenna summaries - Cisco

Cisco antennas summary

Cisco Aironet Antenna Reference Guide-Cisco Aironet Antennas and Accessories - Cisco Systems

MIT mesh networking home pages

This describes their grid project

The Grid Ad�Hoc Networking Project

This describes their outdoor rooftop network

MIT Rooftop

Let's download their software and test it

MIT software

MIT mesh networking Publications

More good publications from MIT on mesh networking

The Grid Ad�Hoc Networking Project: Publications

Setting up a Linux machine to become an access point

1. Make sure you install dhcpd off the Mandrake disks
2. Put the Wireless card into access point mode with the following example script /etc/sysconfig/network-scripts/ifcfg-wifi0

DEVICE=wifi0
BOOTPROTO=static
IPADDR=192.168.0.1
ONBOOT=yes
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
DHCP_TIMEOUT=5
WIRELESS_MODE=Master
WIRELESS_ESSID=mesh
WIRELESS_CHANNEL=10

3. run ifup wifi0
4. copy /etc/dhcpd.conf.sample (this file only exisits the first time you install dhcpd) to dhcpd.conf ... Change the IP address allocations in this file to suite your needs
5. start dhcpd with /etc/rc.d/init.d/dhcpd
6. Check the /var/lib/dhcpd/dhcpd.leases to check which IP addresses are being assigned

Sunday, August 08, 2004

Setting up the SANOA card in linux

1. Download the hostap driver from ftp://edna.icomtek.csir.co.za/pub/drivers ... This driver ensures that the SANOA card can run in Access point mode as well as Ad-Hoc and Infrastructure
2. Unzip using gunzip < hostap-driver-0.2.4.tar.gz | tar xvf -
3. Change Makefile to include KERNEL_PATH ... KERNEL_PATH=/usr/src/linux
4. Run 'make'
5. run 'make install'
6. Restart card manager using /etc/rc.d/init.d/pcmcia restart

If you are using the PCI to PCMCIA bridge card with the RLSC475 chipset follow these steps

1. Edit the file /etc/sysconfig/pcmcia to include these lines
PCMCIA=yes
PCIC=RLSC475
2. Run /etc/rc.d/init.d/pcmcia restart

Linux network configurations tips

Linux network configuration

1. Setting IP address and modes of interface

The file /etc/sysconfig/network-scripts/ifcfg-eth0 contains all the settingsfor interface eth0 including
IP allocation type (static or dynamic)
IP Address
Subnet mask
Broadcast address
Wireless mode
wireless channel

type
# man ifcfg
to see all the options for this config file

Use
# ifup eth0
to bring eth0 network interface up using the script ifcfg-eth0

#ifdown eth0
to pull the eth0 interface down


2. The DNS nameserver

The file /etc/resolve.conf contains the nameserver (dns) to use for the network

3. The gateway and other network routes

To see the current network routes type
# route
This will show you all the routes which the network is currently using

To add a new route for interface eth0 type
# route add -net 10.0.0.0 netmask 255.255.255.0 dev eth0

This adds a route to the network 10.0.0.0 using device eth0

# route add default gw 10.0.0.8
Adds a default route which will be used if no other route matches.

There should be an existing route, in this case, to 10.0.0.8 through some interface.

Good wireless and networking to install off the Mandrake CD's - and some install tips

1. Kismet: An 802.11 network sniffer and network detecter

Common applications Kismet is useful for:

- Wardriving: Mobile detection of wireless networks, logging and mapping
of network location, WEP, etc.
- Site survey: Monitoring and graphing signal strength and location.
- Distributed IDS: Multiple Remote Drone sniffers distributed throughout
an installation monitored by a single server, possibly combined with a
layer3 IDS like Snort.
- Rogue AP Detection: Stationary or mobile sniffers to enforce site policy
against rogue access points.

Setup tips

Make sure you set up the following in /etc/kismet.conf or they may be in /usr/local/etc/kismet.conf

1. Setup the target suiduser: eg. suiduser=djohnson
2. Setup the capture sources using the 'source' directive: eg. source=hostap_prism2,wifi0,david (this works for the SANOA cards)

Change to root
run kismet_monitor to put the wifi card into monitor mode
run kismet

When you are finished using kismet
run kismet_unmonitor to put the wifi card back into it's previous mode

2. Ethereal: A network traffic analyser - this is used to view the network packet dumps produced by Kismet

3. Etherape: A graphical network viewer

MeshDynamics--High Performance Mesh Networks for HotZones and Metro

This company claims that only their proprietry mesh network (Structured Mesh) can create useable city wide mesh networks.

MeshDynamics--High Performance Mesh Networks for HotZones and Metro

Daily Wireless - Ugly truth about mesh networks

This is why it is so important to build a real experimental mesh network which will be tested under high usage situations

Read the first argument and the counter-arguments to get the whole picture in this article

Daily Wireless - Ugly truth about mesh networks

Wednesday, August 04, 2004

IP addresses for the office mesh

It appears that we need to use static IP addresses for the mobile mesh network. For Computers in Building 43 - here are the current IP address assignments

10.0.0.2 - Lawrence: Free-BSD machine 1
10.0.0.3 - Lawrence: Mandrake Linux machine 2
10.0.0.4 - Andrew: Mandrake Linux machine
10.0.0.5 - David: Edna Mandrake Linux machine (can be used as a gateway)
10.0.0.6 - David: Mandrake Linux laptop
10.0.0.7 - Andrew/Kim: Debian Linux Digital doorway machine
10.0.0.8 - Albert: Laptop Windows machine
10.0.0.9 - David/Kim: Norbit Mandrake Linux machine
10.0.0.10 - Kim: Desktop Windows machine
10.0.0.11 - Ajay: Desktop windows machine
10.0.0.12 - Yusuf: Desktop windows machine
10.0.0.13 - Andrew: Desktop windows machine


Anyone that wants to become part of the mesh must contact me for an IP address

Sunday, August 01, 2004

Radio theory and link planning for Wireless LAN (WLAN) - good summary

Radio theory and link planning for Wireless LAN (WLAN)

Everyone should know the free space loss equation in their head

Loss [ dB] = 32.44 + 20(Log(distance[km]) + Log(freq[MHz]))

Useful cable losses

RG58 = 1 dB/m
RG213 = -.6 dB/m
RG174 = 2 dB/m (often used in pigtails)
LMR-400 = 0.22 dB/m

Typical WiFi sensitivity for orinoco cards

11Mbps = -82dBm
5.5Mbps = -87dBm
2Mbps = -92dBm
1Mbps = -94dBm

Typical allowed signal to noise ratios for orinoco cards

11Mbps = 16dB
5.5Mbps = 11dB
2Mbps = 7dB
1Mbps = 4dB

Typical Noise level at 2.4GHz = -100dBm. Compute S/N level eg. at 11Mbps = -84dBm but sensitivity is -82dBm so sensitivity is the limiting factor.

Just worked out that with our 2 8dBi omnis, 2dB loss in the RF cable each side of the link and the 200mW SANOA cards it is possible to acheive a theoretical distance of 5km with a 3dB margin (margin probably a bit tight), 4km will give you a 5dB margin - probably more realistic.