/2011/11/28/openwrt-reset/

{"item":{"status":"visible","url":"\/2011\/11\/28\/openwrt-reset\/","trash":"","name":"openwrt-reset","parent":"","title":"Notes on a brutal OpenWrt Reset","date":"2011-11-28 11:08:30","filepath":"posts\/2000832_openwrt-reset.xml.json","type":"post","content":"<img class=\"alignleft size-full wp-image-835\" style=\"margin-right: 10px; margin-bottom: 5px;\" title=\"wrt54gl\" src=\"http:\/\/www.8bitrobot.com\/media\/uploads\/2011\/11\/wrt54gl.jpg\" alt=\"wrt54gl\" width=\"160\" height=\"160\" \/>You would think that firmware created for a router would have a \"reset to default\" function. But, oh no, the guys working on <a href=\"https:\/\/openwrt.org\/\" target=\"_blank\">OpenWrt<\/a> didn't think it was important.\n\nIt isn't a stretch of the imagination to think there is a high chance you will forget your router password, especially since you don't log into admin mode except once every blue moon.\n\nWhat? Your <a href=\"http:\/\/en.wikipedia.org\/wiki\/Linksys_WRT54G_series\" target=\"_blank\">Wrt54g<\/a> router is working and you can access LuCI just fine? You simply don't have the password to log in through the web interface or through ssh (or telnet)?\n\nI bet you wish and <strong>expect<\/strong> a simple solution for that don't you? Not today. OpenWrt requires you to wipe your router and re-install Backfire 10.03 (or whatever version you had or want on it). Not only that, the process has the risk of bricking your router. You'd be better off buying a new router instead of investing the time to fix it.\n\nIn my case, I spent about 5-6 hours of research, trial and error, and\u00a0obscene\u00a0amounts of profanity. Using the <a href=\"http:\/\/www.dol.gov\/whd\/minwage\/america.htm\" target=\"_blank\">Federal Minimum Wage<\/a>, that adds up to $36.25-43.5 (in California it's $40-48). So yeah, I should have worked at a fast food joint for a day and just bought a new router. 
It would have been much less frustrating and the economy would get a big fat boner.\n<h3>Here's the lead up:<\/h3>\n<p style=\"padding-left: 30px;\">I started with a <strong>Linksys WRT54GL<\/strong> that had<em> Backfire 10.03 <\/em>(what a wonderful choice of a release name, by the way...).<\/p>\n<p style=\"padding-left: 30px;\">I took the time a year ago to harden it so it was only administered from within the network with SSL (https) or with SSH. This means no telnet. I also mixed up all the ports (e.g. SSH on 2022 instead of 22).<\/p>\n<p style=\"padding-left: 30px;\">In addition, I'm fond of inner network addresses of the 10.10.10.* form. This bit me in the crusty butthole. Laziness can pay off more often than you think.<\/p>\n<p style=\"padding-left: 30px;\">I have a ton of passwords floating around in my head, and since I thought someone close had cracked my router, I originally gave it something super secure like \"AngusYouAreAFucker\" or \"AngusEatsBagsODicks.\" \u00a0Oh the irony. Angus, you are a SOB. \u00a0 It's all because of you that my security was compromised, forcing me to go overboard. But I digress...<\/p>\n\n<h3>What you want to work, but never does:<\/h3>\n<p style=\"padding-left: 30px;\">1. <em>The OpenWrt.org website and wiki<\/em>. What the hell? This site is constantly down... For shame!<\/p>\n<p style=\"padding-left: 30px;\">2. Fail safe. Power up your WRT54GL, wait for the DMZ light to brighten, then press the reset button in the back for a few seconds, and you still can't access via telnet or ssh (due to my hardening most probably...). At least the router starts using 192.168.1.1.<\/p>\n<p style=\"padding-left: 30px;\">3. The <a href=\"http:\/\/downloads.openwrt.org\/people\/florian\/recvudp\/recvudp-win32.zip\" target=\"_blank\">recvudp tool<\/a>. \u00a0Don't waste your time. Even if your computer is on a static IP address (192.168.1.5), recvudp won't work... 
on Windows 7 running in admin mode with Windows Firewall disabled... Again, don't waste your time.<\/p>\n<p style=\"padding-left: 30px;\">4. SSH. Not sure, but when in failsafe mode, ssh would not work with <em>putty<\/em>. I could telnet into 2022, but only to get the <em>dropbear <\/em>message.<\/p>\n\n<h3>What you can do:<\/h3>\n<p style=\"padding-left: 30px;\">1. Find out what ports you left open on the router. Use nmap on a Linux machine. If you don't have it, just <em>\"sudo apt-get install nmap\"<\/em> to install it.<\/p>\n\n<blockquote style=\"padding-left: 30px;\">\n<pre>nmap -v -sT 192.168.1.1<\/pre>\n<\/blockquote>\n<p style=\"padding-left: 30px;\">2. SSH\/Telnet into the proper port and try some passwords if you have a vague idea of what you are looking for. If you don't, try a Python script that uses a combination of your passwords or just brute force. You'll only need <em>python <\/em>and <em>paramiko<\/em>. If you don't have paramiko on your Linux machine (virtual machine), just <em>\"sudo apt-get install python-paramiko\"<\/em> to get it. Then use something like this (this is untested so see <a href=\"http:\/\/www.lag.net\/paramiko\/docs\/paramiko.SSHClient-class.html\" target=\"_blank\">the docs<\/a>):<\/p>\n\n<blockquote style=\"padding-left: 30px;\">\n<pre>import paramiko<\/pre>\n<pre># candidate passwords you may have set on your own router\npasswords = ['asdf','qwerty','jesuswasblack','openwrthell']<\/pre>\n<pre>for passw in passwords:\n    client = paramiko.SSHClient()\n    client.load_system_host_keys()\n    # the router's key is not in known_hosts yet; accept it only on your own LAN\n    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n    try:\n        # set port to the SSH port that nmap reported\n        client.connect(hostname='192.168.1.1', port=22, username='root', password=passw,\n                       allow_agent=False, look_for_keys=False)\n    except paramiko.AuthenticationException:\n        continue  # wrong password, try the next one\n    finally:\n        client.close()\n    print('the password is %s' % passw)\n    break<\/pre>\n<\/blockquote>\n<p style=\"padding-left: 30px;\">Note: I only put this source up here so that you can figure out how to brute force your OWN router... use this for good, not for evil.<\/p>\n<p style=\"padding-left: 30px;\">3. 
Since safe mode didn't work, just wipe everything and re-install.<\/p>\n\n<h3>Re-install steps:<\/h3>\n<p style=\"padding-left: 30px;\">1. <em>sudo apt-get install tftp<\/em><\/p>\n<p style=\"padding-left: 30px;\">2. Download your .bin firmware file. This is the one for my WRT54GL: \u00a0<a href=\"http:\/\/downloads.openwrt.org\/backfire\/10.03\/brcm47xx\/openwrt-wrt54g-squashfs.bin\" target=\"_blank\">http:\/\/downloads.openwrt.org\/backfire\/10.03\/brcm47xx\/openwrt-wrt54g-squashfs.bin<\/a><\/p>\n<p style=\"padding-left: 30px;\">3. Put your machine on a static IP like 192.168.1.5. If you have a virtual machine, <strong>make sure<\/strong> your networking is <strong>bridged<\/strong> and not NAT.<\/p>\n<p style=\"padding-left: 30px;\">4. Tell tftp (<a href=\"http:\/\/linux.die.net\/man\/1\/tftp\" target=\"_blank\">man page<\/a>) to constantly send the .bin file to the router at 192.168.1.1 (OpenWrt <a href=\"http:\/\/wiki.openwrt.org\/doc\/howto\/generic.flashing.tftp\" target=\"_blank\">wiki info<\/a>):<\/p>\n\n<blockquote>\n<pre style=\"padding-left: 30px;\">tftp\nconnect 192.168.1.1\nmode octet\ntrace\ntimeout 120\nrexmt 1\nput openwrt-wrt54g-squashfs.bin<\/pre>\n<\/blockquote>\n<p style=\"padding-left: 30px;\">5. Unplug the router's power and plug it back in. When the DMZ light brightens, hold the reset button for about 3-5 seconds. The DMZ light will probably flicker (pulse) after you do this.<\/p>\n<p style=\"padding-left: 30px;\">6. At this point, tftp wouldn't send it as expected. I tried it a couple of times, but what appears to have worked is to just do a regular reboot (not hitting the reset button) after that first attempt. However, it all probably depends on boot_wait, which I didn't set... so it was probably very short. My advice: try again and again and again.<\/p>\n<p style=\"padding-left: 30px;\">7. 
Eventually tftp will send the file to your router, if you didn't brick it by hitting reset before the DMZ light shows at boot.<\/p>\n<p style=\"padding-left: 30px;\">8. The router will install the image and reboot itself. My WRT54GL did in fact reboot. Some people say it doesn't happen all the time. So if it doesn't do so in 5-10 minutes, just power cycle it.<\/p>\n<p style=\"padding-left: 30px;\">9. Connect to LuCI without supplying a password and go through the <a href=\"http:\/\/wiki.openwrt.org\/toh\/linksys\/wrt54g\" target=\"_blank\">regular installation steps<\/a>.<\/p>\n<p style=\"padding-left: 30px;\">10. <strong>Important Final Step:<\/strong> Write your new password on a piece of paper and <strong>tape it <\/strong>to the <strong>bottom of your router<\/strong>.<\/p>\nWas it worth it? Not sure. \u00a0Did you get your router working? \u00a0Well, in the end you still get to play around with <em>nmap, paramiko, tftp,<\/em> and other tools.\n\n<em>Go to <a href=\"https:\/\/openwrt.org\/\" target=\"_blank\">OpenWrt.org<\/a> and cry a little.<\/em>"}}
Copyright © 2014 8bitrobot.com