Actions

La Fonera

From HacDC Wiki

Revision as of 00:31, 2 March 2018 by Ubuntourist (talk | contribs) (WIP)

2018.01.25

As of 2018.01.25, Flint's comments on the wee white wireless wrouter:

ACCTON MR3201A.b
Model:  MR3201A-38NQ
MAC:    00:12:0F:A4:42:EE
IP:     5.104.66.238
FCC ID: HED-MR3201A
Input:  5 VDC, 2 A

Crappy photo

I have a high degree of confidence that Flint marked the ground wire with black marker.

nmap didn't help me because I don't know how to use it. However, arp, which I almost don't know how to use, did.

Using HacDC machine 7KDNKH1...

According to How to find live hosts on my network? use arp like so:

$ arp -a -n
? (192.168.26.93) at ...MAC... [ether] on wlan5
? (192.168.26.152) at ...MAC... [ether] on wlan5
? (192.168.1.1) at ...MAC... [ether] on eth5
? (192.168.26.175) at ...MAC... [ether] on wlan5
? (192.168.26.1) at ...MAC... [ether] on wlan5
? (192.168.26.141) at ...MAC... [ether] on wlan5

Note the line that ends in eth5...

So. Opening a web browser and browsing to that address reveals:

Webif^2 Administration Console
Redirecting to main page

Unfortunately, it wants a username and password I cannot guess. However, fortunately, it also says:

http://192.168.1.1 is requesting your username and password.
The site says "OpenWrt"

which suggests we don't need to install OpenWRT. ;-)

But we want to update it. A search of the OpenWRT wiki for ACCTON MR3201A.b redirects to La Fonera (FON2100 and FON2200) which claims the architecture we need is MIPS 4KEc.

Nothing about reinstalling OpenWRT on an already installed system... So far. However, there is an Installing OpenWRT with RedBoot article.

Julia's right: This is really painful. Now installing wireshark and tcpdump...

$ sudo tcpdump -Ani eth5 port 4919 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth5, link-type EN10MB (Ethernet), capture size 262144 bytes
21:12:16.189983 IP 192.168.1.1.59153 > 192.168.1.255.4919: UDP, length 1001
E.....@[email protected] reset now, to enter Failsafe!............
21:14:41.637517 IP 192.168.1.1.58542 > 192.168.1.255.4919: UDP, length 1001
E.....@[email protected]...|..Press reset now, to enter Failsafe!............
21:14:42.329525 IP 192.168.1.1.35221 > 192.168.1.255.4919: UDP, length 1001
E.....@[email protected] Failsafe!.............................
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel

$ telnet 192.168.1.1
Trying 192.168.1.1...
telnet: Unable to connect to remote host: Network is unreachable

$ sudo tcpdump -Ani eth5 port 4919 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth5, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

$ ssh 192.168.1.1
ssh: connect to host 192.168.1.1 port 22: Network is unreachable

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:21:70:b8:a4:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c2ec:d64e:c244:47a/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: wlan5: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether ee:77:8a:df:f6:d1 brd ff:ff:ff:ff:ff:ff

$ ssh 192.168.1.1
ssh: connect to host 192.168.1.1 port 22: Network is unreachable
$ telnet 192.168.1.1
Trying 192.168.1.1...
telnet: Unable to connect to remote host: Network is unreachable

$ nmap -p 1-65535 192.168.1.1

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-22 21:32 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.1
Host is up (0.087s latency).
All 65535 scanned ports on 192.168.1.1 are closed

Nmap done: 1 IP address (1 host up) scanned in 20.43 seconds

The good news is that tcpdump did allow me to time the pressing of the reset button correctly, and verify that it did indeed get into failsafe mode. The bad news is that repeated attempts to communicate over the network with the beastie were rejected. So... old-school serial communication. On a box whose only serial "port" consists of a 10-pin header inside the box.

And... We're opening the box. The feet need to be removed and then the screws under them. Then the thin top can be removed by popping the two plastic clips on either side of the long edges, and the top then slid forward (away from the power, antenna and ethernet, to release it from the back corners before fully removing.

The serial pin-outs are available, albeit not clearly, on the LaFonera Hardware USB of the DD-WRT wiki.

Julia, armed with a multimeter, determined GND and VCC pins are those closest to the edge of the board.

    * *                   1  2
RX  * *              RX   3  4
TX  * *              TX   5  6
    * *                   7  8
GND * * Vcc          GND  9 10 Vcc

More important details at LaFonera Hardware Serial-Cable-Port like, for example, better pictures, and the serial settings:

9600-8-N-1 and no flow control

How to mung a USB cable

With a custom USB cable built, in place, and baud rate established:

$ screen /dev/usb0 9600

This brought up the serial console, which brought up the OpenWRT ASCII-art splash screen.

 root@OpenWrt:/# passwd
 Changing password for root
 [admin]
 [admin]
 Password for root changed by root
 root@OpenWrt:/#

Now the system can be reached via the web interface... But the update failed. See screenshots.

This forum thread looks... promising? But it's getting late.



2018.02.26

Looking at the WiFi setup it says that we need to install the wpa-supplicant package.

Attempting to ssh into the wee white wireless with

ssh [email protected]

yields a message saying it only offers diffie-hellman-group1-sha1 as a key exchange... So. Need to reconfigure ssh to use it?

ssh -oKexAlgorithms=+diffie-hellman-group1 \
    -c aes128-cbc                          \
    [email protected]

Or, using ~/.ssh/config:

Host 192.168.1.1
  User root
  KexAlgorithms +diffie-hellman-group1-sah1
  Ciphers aes128-cbc
Host whitebox
  Hostname 192.168.1.1
  User root
  KexAlgorithms +diffie-hellman-group1-sah1
  Ciphers aes128-cbc

TEMPORARILY changing to 192.168.26.222 DAMN IT! I forgot to set the default gateway!

route add default gw 192.168.26.1 br-lan

That didn't work. (It set it but didn't make use of it.)

vi /etc/config/network

  option 'gateway' '192.168.26.1'
  :wq

The BITS-fonera OpenWRT GitHub repository proved helpful in understanding that there was a opkg command... However, as supplied, it tried to update from a non-existent repo...

Comment out the last src line:

$ vi /etc/opkg.conf 
src/gz snapshots http://downloads.openwrt.org/kamikaze/8.09/atheros/packages
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /jffs
#src X-Wrt http://downloads.x-wrt.org/xwrt/kamikaze/8.09/atheros/packages

$ opkg update
Downloading http://downloads.openwrt.org/kamikaze/8.09/atheros/packages/Packages.gz
Connecting to downloads.openwrt.org (148.251.78.235:80)
Packages.gz          100% |*******************************|   143k --:--:-- ETA
Inflating http://downloads.openwrt.org/kamikaze/8.09/atheros/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/snapshots

$ opkg install wpa-supplicant
Installing wpa-supplicant (0.6.3-1) to root...
Downloading http://downloads.openwrt.org/kamikaze/8.09/atheros/packages/./wpa-supplicant_0.6.3-1_mips.ipk
Connecting to downloads.openwrt.org (148.251.78.235:80)
wpa-supplicant_0.6.3 100% |*******************************|   197k 00:00:00 ETA
Configuring wpa-supplicant

Bwah-ha-ha!

2018.02.28

Installing NTP client... Maybe. The web interface says it's installing it. (System -> Settings complained about it not being installed.) It never finished. ssh'ing in and poking around a bit:

root@OpenWrt:~# opkg print_installation_architecture
arch all 1
arch noarch 1
arch mips 10

root@OpenWrt:~# opkg print_architecture             
arch all 1
arch noarch 1
arch mips 10

Well. This bloody took forever to find:

The configuration edited above indicates we're looking for Atheros. However, according to https://openwrt.org/docs/targets/atheros

"The atheros target has been renamed to ath25. changeset / git-commit"

And then there's:

Comments: Releases past Backfire are essentially worthless because of lack of RAM

on the La Fonera page.

Specifically, according to the web interface, the board is a Atheros AR2315 with 30008 KiB RAM.

I think the next step is to see if I can go from Kamikaze to Backfire in one swell foop by following instructions on the OpenWrt OS upgrade procedure (LuCI or sysupgrade) page.



2018.03.01

Following the instructions on the afore-mentioned page yields:

User-installed packages are the following:
haserl
qos-scripts
webif
wpa-supplicant