Built OpenWrt for the FON2200 from source on BackTrack 5 KDE (Ubuntu).
(reaver-wps and aircrack-ng were also compiled from source.)
OpenWrt downloads sources during the build, so an internet connection is required.
1) Download the OpenWrt source.
su - [regular user]
svn co svn://svn.openwrt.org/openwrt/trunk/
2) Run make menuconfig.
cd trunk
make menuconfig
Under Target System, select Atheros AR231x.
3) Do a full build (takes several hours).
make world
4) Create the reaver, sqlite3 and aircrack-ng directories under ~/trunk/package.
cd ~/trunk/package
mkdir reaver sqlite3 aircrack-ng
5) Place the OpenWrt Makefiles for reaver-wps, aircrack-ng and sqlite3:
~/trunk/package/reaver/Makefile
~/trunk/package/sqlite3/Makefile
~/trunk/package/aircrack-ng/Makefile
reaver-wps Makefile
https://dev.openwrt.org/browser/packages/libs/sqlite3/Makefile
https://dev.openwrt.org/browser/packages/net/aircrack-ng/Makefile
6) Run make menuconfig and select the reaver and aircrack-ng packages.
Required libraries and the like are selected automatically.
Networking -> Wireless
7) Run make.
make V=99
The rootfs and kernel files are produced in the ~/trunk/bin/atheros directory.
openwrt-atheros-root.squashfs
openwrt-atheros-vmlinux.lzma
8) With the FON2200 powered off, connect it directly to the PC with a LAN cable, start fon-flash-gui and set the rootfs and kernel files. (Run fon-flash-gui as root.) Press the "Flash Router Now!" button and power on the FON 4 to 5 seconds later.
fon-flash-linux.tar.gz
ifconfig eth0 192.168.1.2 up
./fon-flash-gui
9) Writing finishes in about 20 minutes and the FON restarts. A few minutes later, connect with telnet. (No password.)
telnet 192.168.1.1
10) Comment out the ... in /etc/config/wireless and reboot; wireless is then enabled.
11) Setting a password with the passwd command enables sshd and disables telnet access.
Stop unnecessary processes such as hostapd, hotplug and dnsmasq, then run reaver.
airmon-ng start wlan0
reaver -i mon0 -b 00:18:84:AB:EA:34 -vv
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 00:18:84:AB:EA:34
[+] Switching mon0 to channel 1
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 4
[+] Switching mon0 to channel 5
[+] Switching mon0 to channel 6
[+] Switching mon0 to channel 7
[+] Switching mon0 to channel 8
[+] Switching mon0 to channel 9
[+] Switching mon0 to channel 10
[+] Switching mon0 to channel 11
[+] Switching mon0 to channel 12
[+] Switching mon0 to channel 13
[+] Switching mon0 to channel 14
[+] Switching mon0 to channel 1
[+] Switching mon0 to channel 2
reaver was no good after all.
Channel switching works, but it seems it cannot receive beacons from the target AP.
airodump-ng works normally and captures beacons.
aireplay-ng's fake auth also succeeds, so the wireless device seems fine.
Connect the PC and the FON with a USB-serial adapter and display the boot sequence with minicom.
minicom -s
Connect with device /dev/ttyUSB0 at a baud rate of 9600.
Welcome to minicom 2.4
OPTIONS: I18n
Compiled on Jan 25 2010, 06:49:09.
Port /dev/ttyUSB0
Press CTRL-A Z for help on special keys
Ethernet eth0: MAC address 00:18:84:83:9b:7c
IP: 192.168.1.1/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.254
RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version V1.00 - built 10:37:27, Dec 12 2006
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Board: FON1
RAM: 0x80000000-0x81000000, [0x80040aa0-0x80fe1000] available
FLASH: 0xa8000000 - 0xa87f0000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 2.000 seconds - enter ^C to abort
RedBoot> fis load -l vmlinux.bin.l7
Image loaded from 0x80041000-0x802a8d80
RedBoot> exec
Now booting linux kernel:
Base address 0x80030000 Entry 0x80041000
Cmdline :
[ 0.000000] Linux version 2.6.37.6 (atc500@bt) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC2
[ 0.000000] ar2315-gpio: registered 22 GPIOs
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU revision is: 00019064 (MIPS 4KEc)
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 01000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone PFN ranges:
[ 0.000000] Normal 0x00000000 -> 0x00001000
[ 0.000000] Movable zone start PFN for each node
[ 0.000000] early_node_map[1] active PFN ranges
[ 0.000000] 0: 0x00000000 -> 0x00001000
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping off. Total pages: 4064
[ 0.000000] Kernel command line: console=ttyS0,9600 rootfstype=squashfs,jffs2
[ 0.000000] PID hash table entries: 64 (order: -4, 256 bytes)
[ 0.000000] Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.000000] Primary instruction cache 16kB, VIPT, 4-way, linesize 16 bytes.
[ 0.000000] Primary data cache 16kB, 4-way, VIPT, no aliases, linesize 16 bytes
[ 0.000000] Memory: 13372k/16384k available (1995k kernel code, 3012k reserved, 318k data, 148k ini)
[ 0.000000] NR_IRQS:128
[ 0.000000] console [ttyS0] enabled, bootconsole disabled
[ 0.000000] console [ttyS0] enabled, bootconsole disabled
[ 0.010000] Calibrating delay loop... 183.50 BogoMIPS (lpj=917504)
[ 0.260000] pid_max: default: 32768 minimum: 301
[ 0.270000] Mount-cache hash table entries: 512
[ 0.290000] NET: Registered protocol family 16
[ 0.980000] bio: create slab <bio-0> at 0
[ 1.000000] pci 0000:00:00.0: BAR 1: can't assign mem (size 0x4000000)
[ 1.010000] pci 0000:00:03.0: BAR 1: can't assign mem (size 0x4000000)
[ 1.020000] pci 0000:00:00.0: BAR 2: assigned [mem 0x80800000-0x80bfffff]
[ 1.030000] pci 0000:00:00.0: BAR 2: set to [mem 0x80800000-0x80bfffff] (PCI address [0x80800000-0x)
[ 1.040000] pci 0000:00:03.0: BAR 2: assigned [mem 0x80c00000-0x80ffffff]
[ 1.050000] pci 0000:00:03.0: BAR 2: set to [mem 0x80c00000-0x80ffffff] (PCI address [0x80c00000-0x)
[ 1.060000] pci 0000:00:00.0: BAR 0: assigned [mem 0x81000000-0x8101ffff]
[ 1.070000] pci 0000:00:00.0: BAR 0: set to [mem 0x81000000-0x8101ffff] (PCI address [0x81000000-0x)
[ 1.080000] pci 0000:00:03.0: BAR 0: assigned [mem 0x81020000-0x8103ffff]
[ 1.090000] pci 0000:00:03.0: BAR 0: set to [mem 0x81020000-0x8103ffff] (PCI address [0x81020000-0x)
[ 1.100000] Switching to clocksource MIPS
[ 1.130000] NET: Registered protocol family 2
[ 1.180000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 1.260000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[ 1.350000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[ 1.420000] TCP: Hash tables configured (established 512 bind 512)
[ 1.500000] TCP reno registered
[ 1.540000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 1.610000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 1.680000] NET: Registered protocol family 1
[ 1.740000] Radio config found at offset 0xf8(0x1f8)
[ 1.840000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 1.910000] JFFS2 version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Ha.
[ 2.020000] msgmni has been set to 26
[ 2.070000] io scheduler noop registered
[ 2.120000] io scheduler deadline registered (default)
[ 2.180000] gpiodev: gpio device registered with major 254
[ 2.250000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 2.350000] serial8250: ttyS0 at MMIO 0xb1100003 (irq = 37) is a 16550A
[ 2.450000] cmdlinepart partition parsing not available
[ 2.510000] Searching for RedBoot partition table in spiflash at offset 0x7d0000
[ 2.970000] Searching for RedBoot partition table in spiflash at offset 0x7e0000
[ 3.430000] 6 RedBoot partitions found on MTD device spiflash
[ 3.500000] Creating 6 MTD partitions on "spiflash":
[ 3.560000] 0x000000000000-0x000000030000 : "RedBoot"
[ 3.630000] 0x000000030000-0x000000700000 : "rootfs"
[ 3.700000] mtd: partition "rootfs" set to be root filesystem
[ 3.770000] mtd: partition "rootfs_data" created automatically, ofs=2A0000, len=460000
[ 3.870000] 0x0000002a0000-0x000000700000 : "rootfs_data"
[ 3.940000] 0x000000700000-0x0000007d0000 : "vmlinux.bin.l7"
[ 4.020000] 0x0000007e0000-0x0000007ef000 : "FIS directory"
[ 4.090000] 0x0000007ef000-0x0000007f0000 : "RedBoot config"
[ 4.170000] 0x0000007f0000-0x000000800000 : "boardconfig"
[ 4.320000] eth0: Atheros AR231x: 00:18:84:83:9b:7c, irq 4
[ 4.450000] ar231x_eth_mii: probed
[ 4.490000] eth0: attached PHY driver [Generic PHY] (mii_bus:phy_addr=0:01)
[ 4.580000] TCP westwood registered
[ 4.630000] NET: Registered protocol family 17
[ 4.680000] 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
[ 4.760000] All bugs added by David S. Miller <davem@redhat.com>
[ 4.890000] VFS: Mounted root (squashfs filesystem) readonly on device 31:1.
[ 4.980000] Freeing unused kernel memory: 148k freed
[ 6.080000] eth0: Configuring MAC for full duplex
- preinit -
Press the [f] key and hit [enter] to enter failsafe mode
- regular preinit -
[ 18.310000] JFFS2 notice: (271) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 o.
switching to jffs2
- init -
Please press Enter to activate this console. [ 21.750000] Compat-wireless backport release: compat-w8
[ 21.840000] Backport based on wireless-testing.git master-2012-02-27
[ 22.310000] cfg80211: Calling CRDA to update world regulatory domain
[ 27.690000] cfg80211: World regulatory domain updated:
[ 27.750000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 27.850000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 27.940000] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 28.030000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 28.130000] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 28.220000] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 28.330000] ath5k phy0: Atheros AR2315 chip found (MAC: 0x86, PHY: 0x48)
[ 28.420000] cfg80211: Calling CRDA for country: US
[ 28.990000] cfg80211: Regulatory domain changed to country: US
[ 29.060000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 29.160000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
[ 29.250000] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
[ 29.340000] cfg80211: (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 29.440000] cfg80211: (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 29.530000] cfg80211: (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 29.620000] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)
[ 29.890000] PPP generic driver version 2.4.2
[ 30.740000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 31.390000] NET: Registered protocol family 24
CTRL-A Z for help | 9600 8N1 | NOR | Minicom 2.4 | VT102 | Offline
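Before flashing a self-built rootfs and kernel in step 8, it is worth checking that the images fit the flash layout the bootloader reports; the following added example (not code from the original post) parses the MTD partition lines from the boot log above, reports nested partitions and unallocated gaps, and checks whether an image of a given size fits its partition. The flash size is taken from the RedBoot banner (128 blocks of 0x10000 bytes); the log excerpt is constructed from the lines on this page.

```python
import re

# Constructed excerpt: the MTD partition lines from the FON2200 boot log on this page.
BOOT_LOG = """\
[    3.560000] 0x000000000000-0x000000030000 : "RedBoot"
[    3.630000] 0x000000030000-0x000000700000 : "rootfs"
[    3.870000] 0x0000002a0000-0x000000700000 : "rootfs_data"
[    3.940000] 0x000000700000-0x0000007d0000 : "vmlinux.bin.l7"
[    4.020000] 0x0000007e0000-0x0000007ef000 : "FIS directory"
[    4.090000] 0x0000007ef000-0x0000007f0000 : "RedBoot config"
[    4.170000] 0x0000007f0000-0x000000800000 : "boardconfig"
"""
FLASH_SIZE = 128 * 0x10000  # RedBoot banner: 128 blocks of 0x00010000 bytes

MTD_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')

def parse_partitions(log):
    """Map partition name -> (start, end) byte offsets into the flash."""
    return {m.group(3): (int(m.group(1), 16), int(m.group(2), 16))
            for m in MTD_RE.finditer(log)}

def out_of_bounds(parts):
    """Names of partitions that are empty or extend past the end of flash."""
    return [n for n, (s, e) in parts.items() if s >= e or e > FLASH_SIZE]

def nested(parts):
    """Partitions lying inside another one, e.g. the rootfs_data jffs2
    overlay that OpenWrt carves out of the tail of rootfs."""
    return {n: o for n, (s, e) in parts.items()
            for o, (os_, oe) in parts.items()
            if n != o and os_ <= s and e <= oe and (os_, oe) != (s, e)}

def gaps(parts):
    """Unallocated byte ranges between top-level partitions and flash end."""
    inner = nested(parts)
    spans = sorted(v for n, v in parts.items() if n not in inner)
    found, cursor = [], 0
    for s, e in spans:
        if s > cursor:
            found.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < FLASH_SIZE:
        found.append((cursor, FLASH_SIZE))
    return found

def image_fits(parts, name, image_size):
    """True if an image of image_size bytes fits the named partition."""
    return image_size <= parts[name][1] - parts[name][0]
```

On the FON2200 log this reports one unallocated 64 KiB gap (0x7d0000-0x7e0000, where the kernel first searched for the RedBoot partition table) and flags rootfs_data as nested in rootfs; pass the kernel image size to image_fits(parts, "vmlinux.bin.l7", size) before flashing.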