ReaverPro – Part 1

Fascinated by how easy it is to attack a WPS-based device, I decided to buy a little hacking gadget to play with. It's called ReaverPro and can be ordered directly from the developer's website in the US.


I received the device with a US power supply, which is useless in Europe. I had no power adapter, so I tried to use the Power over Ethernet port to power the device. That was a quick and stupid decision: my Power over Ethernet adapter crashed the router's board immediately because of too much output voltage! 🙁

That was a bit too quick for me to call it game over, but I don't give up! 😀

The hardware they used is an ALFA AP-121U from Alfa Networks. I tried to find one on eBay with the goal of building my own. I bought one for 30 CHF, but I couldn't flash the ReaverPro firmware on it: the board in that router had only 8 MB flash and 32 MB RAM instead of 16 MB/64 MB. I searched for a seller offering the 16 MB version and found only one shop in the US that sold that particular board. They made a special shipping fee for me, so I paid only $13.

This article is split into two parts. Part 1 describes the process of flashing OpenWrt onto the board, and Part 2 documents how I flashed ReaverPro onto it. I'm sure I'll also find something for the router with the lower memory, but that will be stuff for another article! Let's go 😉


The guide on how to open the case can be found on the OpenWrt wiki page. The router's board is called Hornet-UB. Setup:

[Image: Hornet-UB board, front view]

[Image: Hornet-UB board, back view]

The next step is to flash the OpenWrt firmware onto the router's board. For this step I need a USB-to-UART TTL cable with the following pinout: Red (VDD +5V), Black (GND), Green (RXD), White (TXD).


The next picture shows how to connect the pins to the board. Don't connect the VDD pin, otherwise the board will crash again! 😉

[Image: Hornet-UB serial interface pin header]

After connecting the pins I can start the flashing process.


Open a terminal and set the baud rate to 115200. Then we should see something like this.

The commands we have to type are the menu choice 1 and everything that follows the ar7240> prompt:

Please choose the operation:
   1: Entr boot command line interface.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).

You choosed 1

 0

ar7240>

Flash the Kernel and Filesystem (for Hornet 16M/64M)

ar7240> setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.254
ar7240> tftp 0x80600000 kernel.bin
eth0 link down
FAIL
dup 1 speed 1000
Using eth1 device
TFTP from server 192.168.1.254; our IP address is 192.168.1.1
Filename 'kernel.bin'.
Load address: 0x80600000
Loading: #################################################################
         #################################################################
         #################################################################
         #######################

ar7240> erase 0x9fe50000 +0x190000
Erase Flash from 0x9fe50000 to 0x9ffdffff in Bank # 1
First 0xe5 last 0xfd sector size 0x10000                                     253
Erased 25 sectors

ar7240> cp.b 0x80600000 0x9fe50000 110000
Copy to Flash... write addr: 9fe50000
done
ar7240> tftp 0x80600000 rootfs.bin
dup 1 speed 100
Using eth0 device
TFTP from server 192.168.1.254; our IP address is 192.168.1.1
Filename 'rootfs.bin'.
Load address: 0x80600000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ######
done
Bytes transferred = 2359296 (240000 hex)
ar7240> erase 0x9f050000 +0xE00000
Erase Flash from 0x9f050000 to 0x9fe4ffff in Bank # 1
First 0x5 last 0xe4 sector size 0x10000                                      228
Erased 224 sectors
ar7240> cp.b 0x80600000 0x9f050000 240000
Copy to Flash... write addr: 9f050000
done
ar7240>
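One thing worth checking before typing the erase and cp.b lines: cp.b writes exactly the length you give it, so an image larger than its region would run past the region end into whatever sits after it. The script below is an added example (my own, not a script from the ReaverPro or OpenWrt projects); it hard-codes the flash layout used in the session above as assumptions (16 MB flash at 0x9f000000, 64 KB sectors, load address 0x80600000, the rootfs and kernel regions), validates that layout, parses U-Boot's "Bytes transferred" line and emits the exact erase/cp.b pair for an image of that size.

```python
import re

# Assumed constants taken from the flashing session above (added example, not the
# author's script): the 16 MB flash window, the sector size U-Boot reports, the
# RAM load address, and the two regions erased and written.
FLASH_BASE = 0x9F000000
FLASH_SIZE = 16 * 1024 * 1024
SECTOR = 0x10000
LOAD_ADDR = 0x80600000
REGIONS = {                      # name: (flash start, region length)
    "rootfs": (0x9F050000, 0xE00000),
    "kernel": (0x9FE50000, 0x190000),
}

def check_layout(regions=REGIONS):
    """Every region must be sector-aligned, inside the flash and non-overlapping."""
    spans = sorted(regions.values())
    for i, (start, length) in enumerate(spans):
        if start % SECTOR or length % SECTOR:
            return False
        if start < FLASH_BASE or start + length > FLASH_BASE + FLASH_SIZE:
            return False
        if i and spans[i - 1][0] + spans[i - 1][1] > start:
            return False
    return True

def parse_bytes_transferred(line):
    """Parse U-Boot's 'Bytes transferred = N (H hex)' line; the decimal and hex
    fields must agree, otherwise the line was mangled in the terminal log."""
    m = re.search(r"Bytes transferred = (\d+) \(([0-9a-fA-F]+) hex\)", line)
    if not m or int(m.group(1)) != int(m.group(2), 16):
        raise ValueError(f"unparseable transfer line: {line!r}")
    return int(m.group(1))

def image_fits(name, size):
    """True when an image of `size` bytes fits its region (an oversized cp.b
    would write straight past the region end into whatever follows)."""
    return 0 < size <= REGIONS[name][1]

def plan_flash(name, size):
    """Return the exact (erase, cp.b) commands for this image, erasing the whole
    region as the session above does. cp.b's length is plain hex, U-Boot style."""
    if not image_fits(name, size):
        raise ValueError(f"{name}: {size:#x} bytes exceeds region {REGIONS[name][1]:#x}")
    start, length = REGIONS[name]
    return (f"erase {start:#x} +{length:#x}",
            f"cp.b {LOAD_ADDR:#x} {start:#x} {size:x}")

if __name__ == "__main__":
    # Constructed log line copied from the rootfs transfer above.
    n = parse_bytes_transferred("Bytes transferred = 2359296 (240000 hex)")
    assert check_layout()
    for cmd in plan_flash("rootfs", n):
        print(cmd)
```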

U-Boot 1.1.4 (Apr 25 2013 - 14:01:10)

AP121 (ar9331) U-boot

If everything works fine, we should see the OpenWrt logo after the reboot 🙂


BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 BARRIER BREAKER (14.07, r42625)
 -----------------------------------------------------
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------
root@OpenWrt:/# df
Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                   12160       472     11688   4% /
/dev/root                 2304      2304         0 100% /rom
tmpfs                    30672        64     30608   0% /tmp
tmpfs                    30672        44     30628   0% /tmp/root
tmpfs                      512         0       512   0% /dev
/dev/mtdblock4           12160       472     11688   4% /overlay
overlayfs:/overlay       12160       472     11688   4% /
root@OpenWrt:/# 
