Saturday, 18 January 2014

How to hack your wireless router firmware

Run feature-packed custom software instead of the default

Everyone likes being in control - we don't want to be told that we aren't allowed to do something with our own hardware. In this world of locked-down operating systems, proprietary software and rights-removed content, anything that gives us control over our hardware is a good thing.
One such area is the world of wireless router hacking. You might not have come across it before, but it's a well-established niche that provides fresh, Linux-powered firmware for a wide range of wireless routers, which wouldn't necessarily get updated otherwise.
It's something you should be interested in: it gives you total control over your wireless routers, and it's fun.

Suitably scared

Before you dip a toe into these murky waters, you should be aware of the potential dangers. Router hacking isn't without its risks - if you try to flash a router with the wrong firmware, you'll brick it and end up with something that's about as useful as a concrete kite. Because of this, we strongly recommend that you don't try it if you only have one router to hand.
However, if you have a suitable old one lying around, you'll be able to revitalise it with a raft of new features that might even push your current router into the background.
The idea here is simple: you circumvent the firmware upgrade process of an existing router to inject and run your own feature-packed software.

Over the years, certain manufacturers have made this job easier by making their router firmware and chipset software open source, thereby making it easier to implement third-party versions. This has led to the creation of a number of router-hacking projects. We'll be looking at the benefits of some of the most common ones, because they tend to cater for different segments of the market.


In the world of router hacking, the main branches of firmware code are OpenWRT and DD-WRT.
For our walkthrough, we're going to concentrate on DD-WRT, which tends to be more end-user orientated. Its main aim is to provide a working firmware that you can actually install.
OpenWRT takes a slightly more high-brow approach, wanting to provide framework and source code support for embedded devices that also happen to be gateways and wireless routers. Having said that, many devices have ready-compiled OpenWRT firmware, with comprehensive installation guides provided.
Going back to DD-WRT, the first and most important step is to identify your router's make and model. Make sure you've got the exact one - there may be several with similar model numbers and designs. Doing this will provide you with the correct firmware and tell you exactly how it should be installed.
It's important that you follow the installation instructions to the letter - if you're told to do a power cycle or reset, do it. These instructions are linked to clearing the NVRAM that stores tables and other settings. If these aren't cleared, they can play havoc with the new firmware, and cause you headaches trying to work out the source of the problem.
Failure state
Oddly, it can be quicker to come from the other direction and check if you have an incompatible router. There's a list of known incompatible devices here.
There are some rules of thumb that quickly eliminate certain models from your search. For the UK, it's important to note that routers with a built-in ADSL modem won't work for DD-WRT. Don't despair, though - owners of ADSL routers can try, which supports various models that use the Texas Instrument AR7WRD platform. There's a list of compatible devices here. It isn't exhaustive, but it's worth a look.
If your model isn't listed as incompatible, don't get your hopes up just yet. The list also includes technical limitations for devices: less than 4MB of flash or less than 16MB of RAM means you're out of luck unless it's a Broadcom device. Texas Instruments, Marvell, Ubicom, Realtek and Freescale chipsets are also incompatible.
To find out which chipset your router uses, look on the back of the unit for its FCC ID number, then search for this on This is a US database of electronic devices bound by law to submit to radio regulation.
The device's FCC entry will include photos of its internals, from which you can identify the manufacturer of the main IC and flash IC. If that doesn't work then you can always crack that hardware open and have a look inside for yourself.
By this point you should have either eliminated your router or confirmed that it's supported, but there's still a grey area of partially supported, or work-in-progress status devices. For routers in this bracket, forums are the best places to monitor progress.
Unto the breach

Let's assume we've had good news and our router is compatible. We've dug up an old Linksys WRT54GS v6 for this project, because its firmware installation process is relatively involved.
Installing the firmware can be a simple update process, or a multi-stage affair that requires the use of a 'kill' app to terminate the old software, with the new software transferred via a TFTP utility. If you've found your router on the list of compatible devices, or found a suitable forum post that outlines the installation process, then you're ready to go.
With DD-WRT, you'll find a host of builds and variants of the firmware. Many routers require a specific or later revision to be installed. This should be easy enough. The other element is based on the amount of flash memory and RAM a router has. Routers with less than 4MB of flash are restricted to the 'micro' builds rather than the OpenVPN, STD, 'big' or 'mega' builds.
This shouldn't make much difference, especially if you're just trying it out, but you might want to add more features at a later date. For instance, the mini build has specific variants that add hotspot, USB and NAS support. Having said that, even the base micro version provides most of the features you're likely to need, including repeater features, QoS, SPI firewall, UPnP, WPA1/2 support, bandwidth monitoring and more.

Changing firmware

Give your old router a new lease of life with a software upgrade
1. Router revisions

The first step is to identify your router. Go to and search for the make and model. It's not always straightforward - we had a Netgear WG602, which initially looked like it might be compatible. However, closer examination showed that it was an original v1 revision. The compatible v3 and v4 versions are white.

2. Identify your model

An alternative way to identify the model is to look at the huge list of routers hosted on this page. You need to find the manufacturer and scan down the list of FCC ID codes. You also need to double-check the hardware-specific list here, which will let you know if your particular router needs its own unique install.

3. Reset cycle

Before installing, do a 30-30-30 reset cycle. This is an important step, which involves powering the unit up and pressing the reset switch for 30 seconds. While pressing reset, disconnect the power and hold for 30 more seconds. Still holding the reset button, reconnect the power and hold for 30 more seconds. This is often accompanied by all the LEDs flashing.

4. Set the IP

Once the router has been reset, you're ready to connect your router to the PC you're using via a wired Ethernet cable. Ideally, you need to set your PC's IP to a static one, which helps to eliminate another area of potential issues. You should set it to either or, depending on its base range (usually the latter).

5. Flash time

For a number of routers, at this stage you can use the standard web-based interface to install the DD-WRT firmware provided by the database. Wait for it to install (up to five minutes), perform a hard reset and you're done. For our Linksys model, we also needed to use pre-install firmware, which sets the stage for the full firmware update.

6. The scary bit

The final DD-WRT firmware is installed using a TFTP tool - a Windows GUI version is provided. Enter the address, a blank password and choose the correct firmware. Power cycle the router, wait two seconds and click 'Upgrade'. Wait five minutes. If you can now access the router on, do a power cycle and a final 30-30-30 reset.
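As an added example (not code from the article or from the DD-WRT project), here is what the Windows TFTP tool in step 6 actually does on the wire: an RFC 1350 write request in binary ('octet') mode followed by 512-byte DATA blocks, each acknowledged by the router's bootloader. The router address, remote filename and retry timings are assumptions; the client keeps resending the write request until the bootloader answers, which generalises the 'power cycle, wait two seconds, click Upgrade' timing in the text.

```python
import socket, struct

# Added example (not the article's or DD-WRT's code): a minimal TFTP
# write client per RFC 1350, as used to push firmware to a bootloader.
BLOCK = 512
OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5

def build_wrq(filename):
    """WRQ: opcode 2, NUL-terminated filename, 'octet' (binary) mode."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0octet\0"

def build_data(block, payload):
    """DATA: opcode 3, 16-bit block number (wraps), up to 512 bytes."""
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + payload

def parse_ack(packet):
    """Return the acknowledged block number; raise on an ERROR packet."""
    opcode, block = struct.unpack("!HH", packet[:4])
    if opcode == OP_ERROR:
        raise RuntimeError(packet[4:].rstrip(b"\0").decode(errors="replace"))
    if opcode != OP_ACK:
        raise RuntimeError("unexpected opcode %d" % opcode)
    return block

def split_blocks(image):
    """Yield (block, payload); a final short block (maybe empty) ends it."""
    for n, off in enumerate(range(0, len(image) + 1, BLOCK), start=1):
        yield n, image[off:off + BLOCK]

def tftp_put(host, remote_name, image, port=69, timeout=2.0, retries=5):
    """Upload image to a (hypothetical) router; returns DATA blocks sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    peer = [(host, port)]

    def send_and_wait(packet, expect):
        for _ in range(retries):
            sock.sendto(packet, peer[0])
            try:
                resp, addr = sock.recvfrom(516)
            except socket.timeout:
                continue  # bootloader not listening yet: resend
            if parse_ack(resp) == expect:
                peer[0] = addr  # server moves to a transfer port after WRQ
                return
        raise TimeoutError("no ACK for block %d" % expect)

    with sock:
        send_and_wait(build_wrq(remote_name), 0)
        blocks = list(split_blocks(image))
        for block, payload in blocks:
            send_and_wait(build_data(block, payload), block)
    return len(blocks)
```

A call such as `tftp_put("ROUTER_IP_PLACEHOLDER", "code.bin", open("firmware.bin", "rb").read())` would perform the upload; the address and filename depend on the router's bootloader and must come from the device's install notes.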