Having Fun with your Home Router
2016-04-12
By
David "DeMO" Martínez Oliveira

Do you know that your home router is actually a computer? Even more, do you know that it is likely a Linux box, or something that can be hacked to run Linux? If you didn't know, keep reading and you will have hours of fun with your home router. So, if it is a computer, why not run some of our favourite applications there?
In this post we will learn how to use your router as a computer, how to compile your own applications and install them, and much more.

Routers

A router is just a computer. A specialized one. In general, home routers, those that you can buy in a shop for 20 bucks, make use of a SoC (System on Chip), combining a processor and some Wifi/Networking adapter. Atheros and Broadcom are two popular manufacturers of router SoCs, but there are more.

Those SoCs usually incorporate a MIPS processor. I do not know why MIPS is usually chosen, but most of those routers use MIPS processors. There are some ARM-based routers, but MIPS is the king in the home router realm.

Routers have to be cheap, so their specs are kept to the minimum. That means that the amount of memory in the device is pretty tight. That does not leave much room to install other applications. Or, in other words... it is better if you make your applications as small as possible.

You can just read this article, or you can go for a more hands-on experience and try for yourself what I'm going to tell you. If you choose the latter, you may want to have a router to play with. Here is some advice on how to choose one that will make your life easier.

  • Choose a router supported by one of the major Open Source Firmwares: DD-WRT or OpenWRT. This way you will be sure that any tool required for having fun with your router is available (namely toolchains) and it is possible to compile and run any software there.
  • If possible, choose one with an external USB port so you can attach a USB stick and add additional storage to the device. This will be useful later, in a future post, but it is not a strong requirement.
  • Choose one with a MIPS processor. That will probably be the case. The reason for this is that the rest of the article will assume we are using this kind of processor. If you choose a router with a different processor, that is fine, but some of the instructions I will give will be different.

Access your Router

The first thing we need to do in order to run your own applications on the router is to get access to it. You should try to enable ssh if possible. Otherwise telnet should also work, although it sends your password over the network in clear text.

If your router does not allow that, then it is time to flash it with an Open Firmware in order to have full control of the device. Choose one, and follow the instructions on the official page. The process is usually very simple as long as your router is fully supported. Otherwise it may become a bit tricky and you will have to dive into the forums to find out what is possible.

For ssh access, it is recommended that you set up an authorized key. The firmware website will give you detailed instructions on how to do this. Basically you have to generate an SSH key on your computer and copy the public part over to the router. This is usually done through the router control panel (the administrator web interface).

Setting up an authorized key will let you access your router without typing a password every time.

Which Processor is my router using?

Before continuing, you need to find out which processor your router is running. Depending on the router system, you may have to do different things. In this article we will only cover how to find out which MIPS processor is being used on a Linux-based router. The reason... well, this is the only hardware I have. If somebody wants to donate a VxWorks router with an ARM processor, or some Cisco IOS devices with a 68K or Intel... that would be nice.

So, the first command to try is uname.

$ ssh root@router-ip

# uname -a
Linux DD-WRT 2.6.24.111 #5185 Wed Apr 13 04:46:57 CEST 2011 mips unknown

If that works, then you know that your router is running on a MIPS processor with an outdated kernel (version 2.6.24).

That's a start.

Second, check the proc pseudo-filesystem.

# cat /proc/cpuinfo
system type		: Broadcom BCM4716 chip rev 1
processor		: 0
cpu model		: MIPS 74K V4.0
BogoMIPS		: 239.20
wait instruction	: no
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: no
hardware watchpoint	: yes
ASEs implemented	: mips16 dsp
shadow register sets	: 1
VCED exceptions		: not available
VCEI exceptions		: not available

dcache hits		: 2147483648
dcache misses		: 1823722103
icache hits		: 2147483648
icache misses		: 1207369727
instructions		: 2147483648

Here we find a lot more interesting information. Now we know that the SoC is a Broadcom BCM4716, using a MIPS 74K processor. That's good information. But what we are still missing is the endianness of the processor.

MIPS or MIPSel

MIPS processors may be Big Endian or Little Endian. The Little Endian version is usually known as MIPSel. When you cross-compile your application you have to provide the right endianness to the compiler in order to produce a compatible binary. We will come back to this a bit later.

The easiest way to find out the endianness, and some more details about the processor's ISA, is to analyse one of the binaries installed in the router.

Linux-based routers run an embedded Linux version. These embedded Linux systems usually provide a very restricted shell that comes from the busybox package. So go to /bin and check if you can find busybox in there. Otherwise any other binary should also work.

Now, download the file to your Linux box. If you have set up ssh access, then you can just use scp.

$ scp root@router-ip:/bin/busybox .

Otherwise, there is a good chance that the netcat applet is included in the router's busybox.

router # cat /bin/busybox | nc -l -p 5000

linux $ nc router-ip 5000 > busybox

Otherwise take a look at /usr/bin to see what is there. You may have wget or ftpput/ftpget....

When you have your selected binary file transferred to your Linux box, you can run the file program against it:

MIPSel:
linuxbox $ file busybox
busybox: ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size

MIPS:
linuxbox $ file busybox
busybox: ELF 32-bit MSB executable, MIPS, MIPS-II version 1 (SYSV), statically linked, stripped

The boxes above show the output of file for two different busybox binaries from different routers. Both of them are 32-bit, but the first one is Little Endian (LSB) and the second one is Big Endian (MSB).

The outputs for your router may look different, but the LSB/MSB tag should be there.

Cross Compilation

Now that you have access to the router, and you know all the details about the processor it is using, it is time to compile our first application and deploy it. For doing that we need a toolchain compatible with our device.

There are different options to get a toolchain. Actually there are two options: download it or compile it. As this article is going to be long, we will choose downloading this time. For those who want to try to build their own, using Buildroot is probably one of the less painful options (I will cover this in a later post).

Let's download the Codesourcery MIPS toolchain from this page. I have chosen Codesourcery because it is one of the options that Buildroot usually provides as a toolchain for MIPS. On top of that, I have tested it and it works OK with MIPS and MIPSel routers. At least for this first stage.

So, download the latest version, uncompress it somewhere, and update your path to point to the binary folder. In case you do not know how to do that:

~ $ mkdir mips
~ $ cd mips
~/mips $ wget url-to-toolchain
~/mips $ tar xjvf toolchain-tarball
~/mips $ export PATH=${HOME}/mips/tarball-folder/bin:$PATH

Now we can start compiling our apps.

Hello World!

Indeed, we will first compile an awesome hello world application. So go and type the infamous program in your preferred text editor and save it as hello.c

Now let's compile for a Big Endian MIPS processor:

$ mips-linux-gnu-gcc -static -o hello hello.c

Or for a Little Endian MIPSel processor (whatever you are using):

$ mips-linux-gnu-gcc -static -EL -o hello hello.c

Copy the binary hello into the /tmp folder in the router

$ scp hello root@router-ip:/tmp

Log into the router and try to run the program:

$ ssh root@router-ip
router # cd /tmp
router # ./hello
Hello World

Note: You may have to give execution permissions to your binary: chmod +x hello

Did it work? Good for you!... No?... Then keep reading.

Troubleshooting

While trying all this stuff, in preparation for this article, I found quite a few issues that I will describe in this section in case somebody else has to face them as well.

At the beginning of my tests, I didn't test the endianness of my test router's processor, and I was using the wrong one. In that case, when I tried to run my binary on the router, I got the following message:

router # ./hello
./hello: line 1: EL@4: not found
./hello: line 2: syntax error: "(" unexpected

It is a funny and cryptic message. Basically it means that your endianness is wrong. I guess this error message is not unique so, my bet is that you may get some other strange message in your system when your endianness is wrong.

Once the endianness was fixed, I recompiled my program, and I got this other awesome error:

router # ./hello
FATAL: kernel too old
Bus error

Now the program is executing but something is wrong with it. After some searching, I found out that the router producing this error was quite old. It was running a 2.6 kernel. It looks like there have been some changes in libc since then, and the modern cross-compiler I was using cannot deal with the old interfaces.

I solved this by downloading a previous version of CodeSourcery... the one from 2011 (the date mentioned by uname). Otherwise, if you cannot find an old cross-compiler, it looks like you have to recompile libc using some special flag to specify the kernel version... I haven't tried that so I will just stop here.
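
Both failures described in this section, and the LSB/MSB check done earlier with file, can be verified on the Linux box before copying anything to the router. The following is an added example, not code from the original article: it reads the ELF header of the router's busybox and of your cross-compiled binary, and goes one step further than the text by also reading the GNU ABI tag note in which glibc-linked binaries record their minimum kernel version. The function names and the sample_elf builder (which produces constructed images, not real binaries) are assumptions made for illustration.

```python
import struct

EM_MIPS, PT_NOTE, NT_GNU_ABI_TAG = 8, 4, 1   # values from the ELF and GNU ABI specs

def elf_target(data):
    """Parse a 32-bit ELF image: endianness, machine, glibc minimum kernel."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not a 32-bit ELF file")
    end = {1: "<", 2: ">"}[data[5]]              # EI_DATA: 1 = LSB, 2 = MSB
    machine, = struct.unpack_from(end + "H", data, 18)
    phoff, = struct.unpack_from(end + "I", data, 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    min_kernel = None
    for i in range(phnum):                       # look for PT_NOTE segments
        p_type, p_off, _, _, p_size = struct.unpack_from(end + "5I", data, phoff + i * phentsize)
        pos, stop = p_off, p_off + p_size
        while p_type == PT_NOTE and pos + 12 <= stop:
            namesz, descsz, ntype = struct.unpack_from(end + "3I", data, pos)
            name = data[pos + 12:pos + 12 + namesz]
            desc = pos + 12 + (namesz + 3) // 4 * 4   # name is padded to 4 bytes
            if name == b"GNU\0" and ntype == NT_GNU_ABI_TAG and descsz >= 16:
                os_id, *version = struct.unpack_from(end + "4I", data, desc)
                if os_id == 0:                   # 0 = Linux
                    min_kernel = tuple(version)
            pos = desc + (descsz + 3) // 4 * 4
    return {"endian": "LSB" if end == "<" else "MSB",
            "machine": machine, "min_kernel": min_kernel}

def deploy_problems(binary, reference, router_kernel):
    """Explain why `binary` would not run on the router `reference` came from."""
    b, r = elf_target(binary), elf_target(reference)
    problems = []
    if b["machine"] != r["machine"]:
        problems.append("wrong architecture")
    if b["endian"] != r["endian"]:
        flag = "-EL" if r["endian"] == "LSB" else "-EB"
        problems.append("wrong endianness, rebuild with " + flag)
    if b["min_kernel"] and b["min_kernel"] > router_kernel:
        problems.append("needs kernel %d.%d.%d or newer" % b["min_kernel"])
    return problems

def sample_elf(ei_data, min_kernel=None):
    """Constructed image (not a real binary): ELF32 header, one PT_NOTE segment."""
    end = "<" if ei_data == 1 else ">"
    note = struct.pack(end + "3I4s4I", 4, 16, 1, b"GNU\0", 0, *min_kernel) if min_kernel else b""
    ehdr = b"\x7fELF" + bytes([1, ei_data, 1]) + bytes(9) + struct.pack(
        end + "2H5I6H", 2, EM_MIPS, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack(end + "8I", PT_NOTE, 84, 0, 0, len(note), len(note), 4, 4)
    return ehdr + phdr + note
```

With real files, pass open("hello", "rb").read() and open("busybox", "rb").read() to deploy_problems, together with the kernel version from uname as a tuple such as (2, 6, 24).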

That's it for now

There will be a second part of this. I was planning to include it here, but there are a couple of things I have to sort out to properly write it, so you will have to wait a bit before continuing your fun!

Stay tuned!
