Version 7 - History - WRTU54G - OpenBSC - Open Source Mobile Communications

WRTU54G » History » Version 7

laforge, 02/19/2016 10:47 PM

-laforge
+[[PageOutline]]
 = Information on the WRTU54G UMA TA =
 == Getting shell / console access ==
 The easiest part is to flash a modified firmware image that removes the root password from the /etc/passwd file in the squashfs.
 You can then access the serial console and log in as root without password.
 == Changing the SEGW / GANC address ==
 On the shell of the device, change to the /nv directory and edit the two lines in rc.conf for UMA_SGW and UMA_UNC to:
 {{{
 UMA_SGW="my.segw.host.name"
 UMA_UNC="my.unc.host.name"
 }}}
-laforge
+Then, use the {{{rawaccess -a rc.conf}}} command to store the changes to flash and reboot the system.
 laforge
-laforge
+== Enabling more logging ==
 laforge
-laforge
+In /nv/rc.conf:
 {{{
 LOG_ENABLE="1"
 UMALOG_ENABLE="on"
 UMA_LOG_SIZE="1"
 }}}
 Then, use the {{{rawaccess -a rc.conf}}} command to store the changes to flash and reboot the system.
-laforge
+== Adding a new CA Certificate ==
 While modifying the firmware, add your new CA root certificate in DER format to /ramdisk_copy/etc/kineto/ and then add the filename
 and path into a new line in /ramdisk_copy/etc/kineto/init_ike.cfg, like this:
 {{{
 ike ca /etc/kineto/my_new_ca.der
-laforge
+}}}
 laforge
-laforge
+Furthermore, edit /etc/rc.d/init.d/umaset and /etc/rc.d/init.d/RJ11_recovery to each include a line like this:
 {{{
 echo "ike ca /etc/kineto/my_new_ca.der" >> $IKE_CONF
 }}}
 laforge
 == Enabling telnet ==
 Using the toolchain included in the Linksys WRTU54G GPL release, you can cross-compile utelnetd for a compatible uclibc:
 {{{
 ./utelnetd-0.1.11 $ make CC=mipsel-linux-gcc
 mipsel-linux-gcc -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer   -c -o utelnetd.o utelnetd.c
 mipsel-linux-gcc  -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer utelnetd.o  -o utelnetd
 strip  --remove-section=.comment --remove-section=.note utelnetd
 ./utelnetd-0.1.11 $
-laforge
+}}}
 laforge
-laforge
+You can then include this utelnetd binary into the squashfs image to /usr/sbin/utelnted.
 laforge
 Furthermore, you have to edit /etc/rc.d/rc.proprietary and change the line
 {{{
 [ "`uname -ar | grep diag`" ] && /usr/sbin/utelnetd&
 }}}
 into
-laforge
+{{{
 usr/sbin/utelnetd&
 }}}
-laforge
+to unconditionally start the telnet daemon at every boot.  Alternatively, you can set
 {{{
 hostname="diag"
 }}}
 in /nv/rc.conf.
 laforge
 = Setting up a SEGW =
 laforge
 The SEGW needs to
  * allocate a virtual IP to the remote end from a local pool
  * use EAP-SIM to authenticate the peer, using tuples (IMSI/RAND/SRES/Kc)
  * authenticate itself using a certificate that has been signed by the CA certificate installed on the WRT54U
  * provide at least one DNS server via IKEv2 attributes to the peer
 laforge
-laforge
+== compiling strongswan ==
 laforge
-laforge
+You can use strongswan-4.4.1 and use the following compile-time configure options:
 {{{
 --enable-eap-radius --enable-eap-aka --enable-sqlite --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-sql
 }}}
 == strongswan configuration files ==
 === /etc/strongswan.conf ===
 {{{
 charon {
         threads = 16
         plugins {
                 attr {
                         dns = 213.95.46.69
+                }
+        }
+}
 libhydra {
   plugins {
     attr-sql {
       database = sqlite:///etc/ipsec.d/ipsec.db
+    }
+  }
+}
 }}}
 === /etc/ipsec.conf ===
 {{{
 config setup
         charonstart=yes
         plutostart=no
         charondebug="ike 2, knl 2, net 2, cfg 2"
 conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         keyexchange=ikev2
 conn uma-segw
         left=real.public.ip.of.segw
         leftsubnet=10.0.0.0/8
         leftcert=segw_cert.pem
         leftauth=pubkey
         rightauth=eap-sim
         right=%any
         rightsourceip=%hostpool
         rightsendcert=never
         auto=add
 }}}
 === /etc/ipsec.d/triplets.dat ===
 Populate this with SIM authentication triplets like this (identity derived of IMSI, RAND, SRES, Kc):
 {{{
 1901700000000402@uma.mnc700.mcc901.3gppnetwork.org,00000000000000000000000000000000,11111111,2222222222222222
 }}}
 === /etc/ipsec.secrets ===
 {{{
 : RSA /etc/ipsec.d/private/segw_key_raw.pem
 }}}
 === /etc/ipsec.d/certs/segw_cert.pem ===
 This is the PEM file of your certificate for the SEGW, using the CN of the FQDN.
 === /etc/ipsec.d/cacerts/my_ca.pem ===
 This is the CA root certificate of the CA that has issued your segw_cert.pem
 === /etc/ipesc.d/private/segw_key_raw.pem ===
 This is the '''raw''' RSA private key for your segw_cert.pem, and is '''not PKCS8'''.
 ==== make sure your private key is not PKCS8 ====
 The default CA.pl script of opensl generates private keys in PKCS8 format, which is not supported
 by charon of OpenSWAN.  you have to convert the PKCS8 into raw RSA files like this:
-laforge
+{{{
 openssl pkcs8 -nocrypt < my_privatekey.pem > my_privatekey_raw.pem
 }}}

IMPORTANT NOTICE: This page contains information about a legacy version of the Osmocom software. This legacy version is no longer maintained. If you use it, don't be surprised if it doesn't work. It was your choice to ignore man-years worth of developments, improvements and fixes. Please migrate to the active/supported software (Osmocom CNI, consisting of OsmoBSC, OsmoMSC, OsmoHLR, OsmoSTP, OsmoMGW - a NITB style setup is described at Osmocom_Network_In_The_Box).

Project

General

Profile

Cellular Network Infrastructure » cni-legacy » OpenBSC

WRTU54G » History » Version 7