Hacking Your Linux-Based Wireless Router

WRT54GL History
Linksys found a place in many a geek's heart when it released the original WRT54G router back in 2003. A network router, 10/100 Ethernet switch, and wireless access point all rolled into one, the WRT54G blazed a happy trail as one of the earliest home networking devices to have its firmware source code made publicly available under the GNU General Public License (GPL). Soon after, a number of third-party firmware options became available, letting networking and Linux enthusiasts utilize their routers in ever more powerful and creative ways.
Linksys WRT54GL Router

Earlier this year, Linksys redesigned its current WRT54G, the v5. It halved the flash memory and RAM to just 2MB of flash and 8MB of RAM and replaced the Linux firmware with VxWorks. According to Linksys, the change shrank the memory footprint of the OS and reduced the hardware requirements while keeping a similar feature set at a lower cost.

Carrying on the Linux heritage for enthusiasts is the WRT54GL, a device with essentially the same Linux kernel, 200MHz processor, 4MB Flash, and 16MB RAM as the old WRT54G v4. Since the majority of aftermarket firmware won't work on the WRT54G v5's crippled hardware, the WRT54GL is now your only Linksys option for third-party-compatible fun if you can't score an older model. It's the same story with the neutered WRT54GS v5, Linksys's SpeedBooster–equipped line that flaunts enhanced Wireless-G speeds.

Here we'll show you how to use this third-party firmware to tune your wireless network for gaming, VoIP, security, or greater signal range.


Aftermarket Firmware Options and Flashing the Firmware

Here's a list of some of the popular third-party firmware available for the WRT54GL:

Sveasoft (www.sveasoft.com): Comes in two versions: Alchemy and Talisman. Alchemy is the free public release, but later versions of the WRT54G (v4.0 or higher), WRT54GS (v3.0 or higher), or the WRT54GL (v1.0) are not supported. If you own one of these, you can purchase the latest-release Talisman. The subscription fee is $20/year and includes unlimited support and access to new releases.

DD-WRT (www.dd-wrt.com): Created in response to Sveasoft's $20 fee, early versions of DD-WRT were based on Sveasoft's Alchemy. The current version (v23), however, is an entirely new project that boasts an extensive feature set. It comes in four flavors: Mini, Standard, VoIP (includes SIPatH, a tool for VoIP serving from a Broadcom-based router), and VPN (includes OpenVPN).

HyperWRT (Thibor, www.thibor.co.uk): Thibor 14, the latest version of HyperWRT, only works with the WRT54GS (v1-v4) and WRT54GL. The GUI retains the same look and feel of the Linksys factory firmware. It doesn't have as many features as DD-WRT, but the configuration instructions on the website are fairly straightforward.

OpenWRT (openwrt.org): Built from the ground up without using Linksys sources, this is a purely command-line-based firmware for the serious Linux enthusiast who doesn't need or want a GUI. Their warning states: "Users are expected to have working knowledge of the GNU/Linux command line and basic networking concepts".

This Linksys page has a nice breakdown of features supported by HyperWRT, Sveasoft Alchemy, Talisman, and DD-WRT.

Flashing the Firmware
You can install DD-WRT and HyperWRT through the firmware-upgrade page of the Linksys web GUI. Flash over a wired connection, not over Wi-Fi, and before you start, compare the image's checksum with the one published by the firmware project: a truncated or tampered download is the most common way to end up with a router that won't boot. For command-line-only firmware such as OpenWRT, you can push the image with Trivial File Transfer Protocol (TFTP), which the Linksys bootloader accepts for a few seconds after power-on. That same TFTP window is also your route back to a working firmware if the web GUI becomes unreachable for some reason. Whichever way you flash, change the new firmware's administrative password before you do anything else; they all ship with a default login.
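As an added example (not from the article, and not a tool from any of the firmware projects), here is a small POSIX shell script that checks an image before it goes anywhere near the flash: it verifies the TRX magic "HDR0" and the total length declared in the header, compares the file's SHA-256 against the digest the firmware project publishes, and only then pushes the image over TFTP. Assumptions, all illustrative: the image is a bare TRX file as written by OpenWrt's trx tool, the format the WRT54G-series bootloader accepts over TFTP; the host is little-endian, since od prints in host byte order; the digest and router address are placeholders; and tftp is the classic interactive client that reads commands from stdin.

```shell
#!/bin/sh
# Added example, not code from the article or from any firmware project:
# sanity-check a third-party firmware image before flashing a WRT54GL.
#
# Assumptions (all illustrative): the image is a bare TRX file as written by
# OpenWrt's trx tool (magic "HDR0", then a 32-bit little-endian total length
# at offset 4); this host is little-endian, because od prints host byte
# order; the digest and router address are placeholders; "tftp" is the
# classic interactive client that reads commands from stdin.

# Print the total image length the TRX header claims (offset 4, 4 bytes).
trx_declared_len() {
    od -An -t u4 -j 4 -N 4 "$1" | tr -d ' '
}

# 0 if the file carries the TRX magic and its declared length matches the
# real file size; 1 (with a reason on stderr) otherwise. A truncated
# download fails the length test, a wrong file type fails the magic test.
trx_check() {
    img=$1
    magic=$(dd if="$img" bs=4 count=1 2>/dev/null)
    if [ "$magic" != "HDR0" ]; then
        echo "$img: not a TRX image (bad magic)" >&2
        return 1
    fi
    declared=$(trx_declared_len "$img")
    actual=$(wc -c < "$img" | tr -d ' ')
    if [ -z "$declared" ] || [ "$declared" -ne "$actual" ]; then
        echo "$img: header says $declared bytes, file is $actual" >&2
        return 1
    fi
    return 0
}

# 0 if the image's SHA-256 equals the digest published by the firmware
# project (copy it from the project's download page, not from the mirror
# that served the file).
digest_check() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Run both checks, then push the image over TFTP. Do this from a wired
# client only; TFTP has no authentication or integrity protection of its own.
flash_image() {
    img=$1; expected=$2; router=${3:-192.168.1.1}
    trx_check "$img" || return 1
    digest_check "$img" "$expected" || { echo "$img: digest mismatch" >&2; return 1; }
    printf 'binary\nput %s\nquit\n' "$img" | tftp "$router"
}

# Usage (placeholders): flash_image openwrt-wrt54g.trx <published-sha256> 192.168.1.1
```

The length test is deliberately separate from the digest test: a digest mismatch tells you the file is not what the project published, while a length mismatch with a good magic usually means the download stopped early, which is worth knowing before you blame the mirror.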

For the following examples, we tested DD-WRT v23 and HyperWRT Thibor 14. We barely scratch the surface of what the WRT54GL can do with the various firmware options.

Flashing Firmware

Traffic Shaping Using DD-WRT

Traffic shaping is a way of optimizing network performance with emphasis on latency and bandwidth. Without any shaping, your home broadband router handles packets on a first come, first served basis. That works just fine at McDonald's, but it comes up short when high- and low-priority traffic compete for limited resources.

You may have noticed your network responsiveness suffer during heavy traffic. DSL modems use large packet queues to maximize throughput and avoid packet loss, but once your upstream is saturated (mine is 384kbps at home) and that queue fills, every outgoing packet waits behind the bulk traffic ahead of it and latency climbs. That causes severe performance degradation for interactive applications where response time really matters: VoIP calls break up, VNC takes forever to respond, or you get killed easily in an online FPS. VoIP traffic is especially dependent on Quality of Service (QoS), a component of traffic shaping. Latency, packet loss, and jitter have a crippling effect on call quality and cause delayed speech, overlapping, echoing, and other undesirable effects.

Lowering the uplink Kbps in DD-WRT's QoS settings is the first step to making traffic shaping effective. By setting the limit a little below what the line can actually carry, you make the router, not the modem, the point where packets queue up; the router can then reorder that queue by priority, whereas the modem's queue is first come, first served. DD-WRT recommends setting the uplink to 80% to 95% of the measured maximum. The downlink is a different story, since downstream queuing happens on the ISP's side: you have little say over when packets arrive, but full control over how they go out, and that is where the congestion bottleneck can be relieved. DD-WRT suggests setting downlink Kbps between 80% and 100% of maximum.

Say you're sharing a DSL or cable connection over a WRT54GL with bandwidth-hogging BitTorrenters and need low pings for World of Warcraft and Battlefield 2. You can customize traffic prioritization by assigning different bandwidth classes to selected services, netmasks, MACs, or Ethernet ports. The four classes are broken down into premium, express, standard, and bulk. Premium, the highest priority class where you want minimum delay, should be assigned very selectively. It'll include top-priority traffic like ICMP, DNS, handshaking, maybe VoIP. Other interactive stuff that doesn't quite fit into premium, such as browsing and SSH, fits under express. Standard includes everything else. Down at the bottom there's the bulk classification for P2P, BitTorrent, FTP, and other applications for which latency isn't a vital consideration.


If you prefer the Telnet/SSH route, you can also classify packets yourself with iptables from the command line.
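The following is an added example, not the article's text and not DD-WRT's own QoS script, of the same four-class scheme built by hand from an HTB queue on the WAN interface plus iptables marks. Assumptions: the WAN interface is vlan1, DD-WRT's default on the WRT54GL; the uplink figure is what a speed test measured; the class splits and port lists are illustrative; and the GUI QoS is switched off, because the script flushes the mangle POSTROUTING chain. Unlike the GUI, it makes the budget arithmetic explicit: the 384kbps line mentioned earlier, shaped to 90%, gives a 345 kbit ceiling.

```shell
#!/bin/sh
# Added example, not the article's or DD-WRT's own QoS script: upstream
# shaping on a DD-WRT WRT54GL with an HTB qdisc and iptables fwmarks,
# mirroring the GUI's premium/express/standard/bulk classes.
#
# Assumptions (illustrative): WAN interface vlan1 (DD-WRT's default on the
# WRT54GL); the uplink figure in kbit/s comes from a speed test; the class
# splits and port lists are examples; the GUI QoS is disabled, because this
# flushes the mangle POSTROUTING chain.

# Shape to a fraction of the measured uplink (DD-WRT suggests 80-95%) so the
# queue forms in the router, where we order packets, not in the modem.
budget_kbit() {
    # $1 = measured uplink in kbit/s, $2 = percentage to use
    echo $(( $1 * $2 / 100 ))
}

# Emit the tc and iptables commands; review them, then: qos_rules 384 90 | sh
qos_rules() {
    uplink=$1; pct=${2:-90}; wan=${3:-vlan1}
    ceil=$(budget_kbit "$uplink" "$pct")
    # Guaranteed rate per class; every class may borrow up to the ceiling.
    premium=$(( ceil * 20 / 100 ))
    express=$(( ceil * 30 / 100 ))
    standard=$(( ceil * 30 / 100 ))
    bulk=$(( ceil - premium - express - standard ))
    cat <<EOF
tc qdisc del dev $wan root 2>/dev/null
tc qdisc add dev $wan root handle 1: htb default 30
tc class add dev $wan parent 1: classid 1:1 htb rate ${ceil}kbit ceil ${ceil}kbit
tc class add dev $wan parent 1:1 classid 1:10 htb rate ${premium}kbit ceil ${ceil}kbit prio 0
tc class add dev $wan parent 1:1 classid 1:20 htb rate ${express}kbit ceil ${ceil}kbit prio 1
tc class add dev $wan parent 1:1 classid 1:30 htb rate ${standard}kbit ceil ${ceil}kbit prio 2
tc class add dev $wan parent 1:1 classid 1:40 htb rate ${bulk}kbit ceil ${ceil}kbit prio 3
tc filter add dev $wan parent 1: protocol ip handle 1 fw flowid 1:10
tc filter add dev $wan parent 1: protocol ip handle 2 fw flowid 1:20
tc filter add dev $wan parent 1: protocol ip handle 4 fw flowid 1:40
iptables -t mangle -F POSTROUTING
# MARK does not stop rule traversal, so rules run from bulk up to premium and
# the highest-priority match wins (a SYN to port 6881 ends up premium, not bulk).
iptables -t mangle -A POSTROUTING -o $wan -p tcp --dport 6881:6999 -j MARK --set-mark 4
iptables -t mangle -A POSTROUTING -o $wan -p tcp --dport 21 -j MARK --set-mark 4
iptables -t mangle -A POSTROUTING -o $wan -p tcp -m multiport --dports 22,80,443 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -o $wan -p udp --dport 5060 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o $wan -p tcp --syn -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o $wan -p udp --dport 53 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o $wan -p icmp -j MARK --set-mark 1
EOF
}
```

Anything that no rule marks keeps mark 0, matches no fw filter, and lands in the htb default class 1:30, which is the "standard" bucket; that is the same catch-all behaviour the GUI gives you. Note that DD-WRT's own QoS writes into the same mangle chain, so run this only with the GUI QoS disabled.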

DD-WRT: Boosting Wireless Range

Under the Wireless>>Advanced Settings tab, DD-WRT has a customizable setting for transmit power. Labeled "Xmit Power", this entry is 28mW by default, but it can be set anywhere between 0 and 251mW. The "Help" menu indicates that up to 70mW is safe for improving range. Raising the power above that, they warn, may generate excess heat in the chipset, which could shorten the life of the router.

And setting it too high probably won't boost your wireless range by much. Additional power output can generate enough interference to diminish SNR, hurting range and throughput performance. Finally, a wireless link is two-way: a client at the edge of the router's boosted range, typically a power-saving laptop with a far weaker radio, will hear the router but cannot transmit an equivalent signal back, so the extra range exists in one direction only.

Transmit Power Tweaking
Wireless Repeating with WDS

Trying to extend your WiFi reach is by no means a lost cause. In fact, it's possible to get viable range extension with Wireless Distribution System (WDS), which DD-WRT supports. WDS lets access points bridge and repeat for one another. For example, you might want to share a single broadband connection through two routers, using the second router to expand your wireless range.

With WDS, two or more routers are linked wirelessly: each one is configured with the wireless MAC address of its peers. Both the router connected directly to the internet and the remote router can accept client connections. Regardless of which router they're on, clients share the same subnet and are visible to one another across the WDS link. They also share the same channel and encryption keys. Under this configuration, if you're planning on using WPA encryption, the same SSID should be used for both routers. For WEP, assign a different SSID to each router. Bear in mind that WEP is cryptographically broken and offers no real protection against anyone within radio range, so use WPA wherever your clients support it.

Because 802.11b/g radios are half-duplex and the routers share a single channel, every frame a repeater relays is sent over the air twice, so each wireless hop roughly halves the throughput available to the clients behind it.


Using directional or high-gain antennas with boosted signal power, WRT54G buffs have managed to extend stable WDS networks over distances of many miles. Such long links usually require line of sight, so you'll often find the routers perched high atop towers and buildings with some kind of protection from the elements.

DD-WRT: Other Features

Management: DD-WRT adds features like Samba FS Automount (to mount shared folders from Windows PCs), boot wait (holds the bootloader for 5 seconds at power-on so new firmware can be pushed over TFTP, typically used when the firmware is unreachable through the web interface; while it is on, anyone on the wired LAN can push an image in that window, so leave it off on a router you don't physically control), and support for IPv6 and the Journaling Flash File System 2 (JFFS2).


Chillispot: This tool is useful for configuring your own captive portal hotspot with RADIUS server authentication support.


Firewall: Additional filter settings for proxies, cookies, Java applets, and ActiveX.


Kai Daemon: Tunneling for LAN/system-link console gaming that works with the Xbox, PlayStation 2, PSP, and GameCube.

HyperWRT Thibor: Screens

HyperWRT Thibor 14: Looks and feels just like the factory Linksys firmware with a few tweaks.

HyperWRT Thibor 14 Firmware

Advanced Wireless Settings: Transmit power can be set to a maximum of 84mW. The transmission rate can also be set manually from 1 to 54Mbps.

Advanced Wireless Settings

Port Triggers: Dynamically forward ports based on specific applications and customizable port ranges.

Port Triggering

QoS: Additional QoS settings such as prioritizing ACK and ICMP. Low, medium, high, and highest classifications can be assigned to various P2P applications: BitTorrent, Kazaa, eDonkey, and Gnutella.


Factory Defaults: A "Clear NVRAM" option is added alongside "Restore factory defaults".

Restore Factory Defaults

Firewall: Extra firewall options like filters for proxy, Java applets, cookies, ActiveX, and P2P, and blocking of port scans.

What to Do If You Brick It

With any kind of tweaking or modding, you run the risk of bricking (rendering your router useless) with a bad flash or buggy software. If that unfortunate circumstance befalls you, there are a few methods of last resort you can try before assigning the black and blue plastic box permanent paperweight status.

Read more Wireless Networking articles on ExtremeTech.

Final Thoughts: Should You?

Not everyone needs a router that accepts customized firmware. Most home users would be perfectly happy with the lesser WRT54G. But the WRT54GL opens up a host of possibilities for more demanding users. So if your wireless network needs more power, if you're interested in VoIP, if you need better security for a Wi-Fi hotspot, or if you have other needs not served by the standard firmware in consumer routers, check out the WRT54GL and the wealth of emerging open-source firmware.