WRTU54G » History » Version 6
laforge, 02/19/2016 10:47 PM
| 1 | 1 | laforge | [[PageOutline]] |
|---|---|---|---|
| 2 | = Information on the WRTU54G UMA TA = |
||
| 3 | |||
| 4 | == Getting shell / console access == |
||
| 5 | |||
| 6 | The easiest part is to flash a modified firmware image that removes the root password from the /etc/passwd file in the squashfs. |
||
| 7 | |||
| 8 | You can then access the serial console and log in as root without password. |
||
| 9 | |||
| 10 | == Changing the SEGW / GANC address == |
||
| 11 | |||
| 12 | On the shell of the device, change to the /nv directory and edit the two lines in rc.conf for UMA_SGW and UMA_UNC to: |
||
| 13 | {{{ |
||
| 14 | UMA_SGW="my.segw.host.name" |
||
| 15 | UMA_UNC="my.unc.host.name" |
||
| 16 | }}} |
||
| 17 | |||
| 18 | 6 | laforge | Then, use the {{{rawaccess -a rc.conf}}} command to store the changes to flash and reboot the system. |
| 19 | 1 | laforge | |
| 20 | 6 | laforge | == Enabling more logging == |
| 21 | 1 | laforge | |
| 22 | 6 | laforge | In /nv/rc.conf: |
| 23 | {{{ |
||
| 24 | LOG_ENABLE="1" |
||
| 25 | UMALOG_ENABLE="on" |
||
| 26 | UMA_LOG_SIZE="1" |
||
| 27 | }}} |
||
| 28 | |||
| 29 | Then, use the {{{rawaccess -a rc.conf}}} command to store the changes to flash and reboot the system. |
||
| 30 | |||
| 31 | 2 | laforge | == Adding a new CA Certificate == |
| 32 | |||
| 33 | While modifying the firmware, add your new CA root certificate in DER format to /ramdisk_copy/etc/kineto/ and then add the filename |
||
| 34 | and path into a new line in /ramdisk_copy/etc/kineto/init_ike.cfg, like this: |
||
| 35 | {{{ |
||
| 36 | ike ca /etc/kineto/my_new_ca.der |
||
| 37 | 1 | laforge | }}} |
| 38 | 3 | laforge | |
| 39 | 5 | laforge | Furthermore, edit /etc/rc.d/init.d/umaset and /etc/rc.d/init.d/RJ11_recovery to each include a line like this: |
| 40 | {{{ |
||
| 41 | echo "ike ca /etc/kineto/my_new_ca.der" >> $IKE_CONF |
||
| 42 | }}} |
||
| 43 | 3 | laforge | |
| 44 | == Enabling telnet == |
||
| 45 | |||
| 46 | Using the toolchain included in the Linksys WRTU54G GPL release, you can cross-compile utelnetd for a compatible uclibc: |
||
| 47 | {{{ |
||
| 48 | ./utelnetd-0.1.11 $ make CC=mipsel-linux-gcc |
||
| 49 | mipsel-linux-gcc -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer -c -o utelnetd.o utelnetd.c |
||
| 50 | mipsel-linux-gcc -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer utelnetd.o -o utelnetd |
||
| 51 | strip --remove-section=.comment --remove-section=.note utelnetd |
||
| 52 | ./utelnetd-0.1.11 $ |
||
| 53 | 1 | laforge | }}} |
| 54 | 3 | laforge | |
| 55 | 6 | laforge | You can then include this utelnetd binary into the squashfs image to /usr/sbin/utelnted. |
| 56 | 3 | laforge | |
| 57 | Furthermore, you have to edit /etc/rc.d/rc.proprietary and change the line |
||
| 58 | {{{ |
||
| 59 | [ "`uname -ar | grep diag`" ] && /usr/sbin/utelnetd& |
||
| 60 | }}} |
||
| 61 | into |
||
| 62 | 1 | laforge | {{{ |
| 63 | usr/sbin/utelnetd& |
||
| 64 | }}} |
||
| 65 | 6 | laforge | to unconditionally start the telnet daemon at every boot. Alternatively, you can set |
| 66 | {{{ |
||
| 67 | hostname="diag" |
||
| 68 | }}} |
||
| 69 | in /nv/rc.conf. |
||
| 70 | 1 | laforge | |
| 71 | = Setting up a SEGW = |
||
| 72 | 6 | laforge | |
| 73 | The SEGW needs to |
||
| 74 | * allocate a virtual IP to the remote end from a local pool |
||
| 75 | * use EAP-SIM to authenticate the peer, using tuples (IMSI/RAND/SRES/Kc) |
||
| 76 | * authenticate itself using a certificate that has been signed by the CA certificate installed on the WRT54U |
||
| 77 | * provide at least one DNS server via IKEv2 attributes to the peer |
||
| 78 | 4 | laforge | |
| 79 | == make sure your private key is not PKCS8 == |
||
| 80 | |||
| 81 | The default CA.pl script of opensl generates private keys in PKCS#8 format, which is not supported |
||
| 82 | by charon of OpenSWAN. you have to convert the PKCS#8 into raw RSA files like this: |
||
| 83 | {{{ |
||
| 84 | openssl pkcs8 -nocrypt < my_privatekey.pem > my_privatekey_raw.pem |
||
| 85 | }}} |
