The Inquirer-Home

How to hack the Wireless Fantastic

Having fun with Linksys-G
Monday, 13 December 2004, 08:59
HERE IN the States, you can buy a stock Linksys Wireless-G router (WRT54G) for around $50 to $60 when the smoke clears with holiday rebates. You can maybe even get one for free if you manage to get it thrown in with a broadband service bundle. It's a nice reliable piece of hardware out of the box and even better if you remember to change the default factory settings so the neighbours can't snoop on your LAN traffic.

Underneath the hood of the WRT54G is a 200MHz MIPS processor running Linux and anywhere from 16 to 32MB of RAM and 4 or 8MB of Flash RAM. Linksys, bless their Cisco-owned hearts, has quietly published the source code for its Linux-based devices for anyone to download and modify to their heart's content. There was a bit of a stink about Linksys violating the Linux GPL, but it seems to have been cleared up. As a result, there's a nice little percolating international open source community constantly improving the WRT54G's firmware, with a lot of discussion going on at this web site.

The de facto "God" of WRT54G hacking is a group calling themselves Sveasoft. For a $20 yearly subscription, you can get unlimited "aftermarket upgrades" (better firmware) from SveaSoft to turn a vanilla WRT54G or GS, the so-called "Speed Enhanced" version capable of up to 125 Mbps, into a full-blown firewall, bandwidth manager, VPN server, VLAN manager, and all kinds of other things. Called Alchemy, the custom firmware adds about three dozen new functions to the stock Wireless-G router.

One of the more interesting features of Alchemy is the ability to crank up the power of the radio through the web interface. Linksys fixes the power output in the factory firmware at 28 mW and there's no way to tinker with it. Alchemy allows adjustment from 0 to 251 mW - an increase by nearly a factor of 10 in power. If you're hacking a WRT54G for an outdoor/distance application (or just trying to blow out the neighbors), this tweak could come in quite handy.

Other features in the Alchemy toolbox include routines for a hotspot portal and quality of service (QoS) bandwidth management so you can give priority to VoIP and IM traffic. Security enhancements are impressive and include an SSH client and server and WPA/TKIP with AES encryption. There's an extensive firewall to both track and block services on a protocol basis and support for IPTables. LAN managers love Alchemy for adding remote syslog, Ntop statistics, SNMP hooks, and statistical collection for system uptime and load averaging. There are also some tricks in the package to make the WRT act as a repeater.

Now, SveaSoft and Linksys aren't the only game(s) in town for Wi-Fi hacking. From the software end of things, there's also a Linux flavor called OpenWrt available for compilation. OpenWrt has a selection of package drop-ins to do many of the same things Alchemy does; if you like to play with source code, then OpenWrt is your cuppa. On the hardware side of things, since many consumer-grade Wi-Fi routers are based around Broadcom's chipsets and reference design, it may be possible to load up SveaSoft or OpenWrt on certain, but not all, G devices from Apple, Belkin, Dell, and Microsoft.

Finally, you can even go to class to learn how to hack a WRT54G. ShmooCon (here) in February will have a session dedicated to all the fun (and some not-so-fun) things you can do by reprogramming the WRT54G, including what to do when firmware fails. Can you trust information given by two guys calling themselves Sysmin and QuiGon? Only the Force knows. µ
