steveshacks @ 2008-03-05 17:23:00
Roof-mounted hacked WRT router with serial console and wireless camera and DIY power over ethernet!

Project Goals:
-To mount a linux-based wireless device on the roof to scan the neighborhood open traffic, complete with ethernet and serial console connections
-To be able to provide an access point for when I'm outside
-To have a micro camera give me a look at the weather/my yard from anywhere in the world via the internet
-To do it all with just one cable between my desk and the router
Basics of achieving the goals
The router will be a (now quite common) Linksys WRT54G (Mine is a GS v2) running OpenWRT linux. It has already been modified with a dual serial port using a MAX233 converter chip. The router was $160 a few years back (yes I was ripped off, I bought it in a hick-town tech store), and the converter chip was free courtesy of Maxim.
The micro camera is a slightly modified eBay mini wireless screw camera. This set me back about $60. By modified, I mean I resoldered the connection between the sensor and the transmitter, and added my own antenna. I also added a USB-power port to the receiver, and attached a small viewfinder from an old camera. These are very optional mods.
One cable
The ability to put it all on one cable is made possible by the fact that ethernet cables consist of 8 wires (4 twisted pairs), but only 4 wires (2 pairs) are actually used. So inside this long long ethernet cable (I am using a 100-foot length, four twisted pair for $19 at The Source) we have four wires to do anything we want with.
The next step was to figure out which wires were which. In any standard cable, you have to leave the orange and green pairs alone. They are what carries the network. You have a blue and brown pair in there that are fair game. Disconnect those from the plug so they don't interfere with your PC or router in any way.
The next step is to figure out what wires will carry what signals! YAY! The fun begins. This is what I was able to accomplish with my hours and hours of hard thinking and testing:
The camera needs only a power supply. It takes 9 volts. Two wires: +9V and GND. That's it. The serial port of the router needs three: TX, RX, and GND. The router also needs a power supply, V+ and GND.
LUCKY for us, the router has a built-in voltage regulator. You can feed it anything from 6 to 13 volts, and it'll take it just fine. It can even run on batteries (FYI, five AA-NIMH batteries last a good five hours on a single charge). Because I believe the camera needs 9 volts precisely, I will use a single 9-volt power supply to power both devices. A 1 amp supply should be enough to power the router and camera without any issues. I'm using a 1.5 amp supply and it's never even gotten warm to the touch.
Next comes the serial line. It has to have two wires dedicated, but can share the ground with the power supply pair. So when we're done, we have two power supplies and a serial line sharing four wires:
1- TX
2- RX
3- GND
4- +9VDC
The wiring would look like this:

Pardon my lack of pictures, but I also lack a camera. Also by the time this writeup was an idea in my head the project had already been completed.
[Update] I was wrong about the screw camera. Because the power is regulated by the camera's transmitter, it can handle 12 volts just fine. With a quick wiring change, I can power the router and the camera directly from the desktop's PSU. The yellow wire carries 12 volts, the black is ground. Mine's been running four days with no problems at all.
Using it all
Now that we have an ethernet and serial connection to a router mounted on your roof (please be sure to wrap it in a plastic bag or something, if it gets wet it may not work very well), we can perform a variety of tasks. We could connect to an open neighbor in client mode (for using their internet connection or scanning their local network), or fire up kismet and scan the airwaves. Keep in mind that unless you have the permission of the owner of the connection you are connecting to / abusing, it could be illegal in your area.
Play safe kids.
TIPS
Obviously using a 3-pin null modem cable at lengths of 50 feet or higher unshielded is a stupid idea, you'll get nothing but garbage across the screen of your favorite terminal. That's why I use a Prolific-based USB-serial adapter. It's more sensitive or something, or easier on the timing. Anyway I don't get any garbage at all with the adapter, compared to 40% garbage with the onboard COM1 port. At 115.2kbps and no flow control, a good adapter is really necessary.
These micro cameras have no aperture adjustment, making them unusable in the dark, and washed out in direct sunlight. I will probably upgrade this soon. On a cloudy day, or in the evening, it works pretty well. The wireless mic is fun for listening to birds / passersby / etc. I (accidentally) removed the tiny infrared filter from inside, and so had to attach a much larger one on the front (from a large scrapped video camera), and it seems to work the same.
While I find it ridiculously difficult to perform a simple passive scan (say with kismet or airodump) using DD-WRT, its client-mode and samba automount are unbeatable. For passive scanning, one would need samba or CIFS to work flawlessly, and there are still some issues with OpenWRT regarding client mode and network filesystems. However, OpenWRT's scanning is unbeatable. I guess you just have to use what you are comfortable with. DD-WRT is easier to use and set up, but OpenWRT is way more flexible.
How you want to mount the router on the roof is up to you. I wrapped mine in a plastic bag, and duct-taped it to the back of one of my satellite dishes (making sure the router's antenna stuck up over the dish so it's not blocked) and ran the cable alongside the satellite wire. This summer I'll probably add a parabolic antenna to the router, which will be a whole other mod. It involves tweaking a MMDS Grid antenna and downconverter circuit for wifi use.
UPDATE - ABOUT MY ROUTER
My WRT54GS v2 has been on my mod desk ever since I got it in Fall 2005. My first set of mods were:
-1" 5V DC Brushless fan, connected to a single-transistor switch on GPIO 5
-Dual serial port mod (one console, one peripheral)
-A set of magnesium heatsinks for the CPU and radio chips
-MMC/SD-card mod
-Internal rechargeable battery (lasts 5 hours!)
To prepare it for the roof, I had to seal it airtight with hot glue and 5-minute-epoxy. I used a lighter instead of a glue-gun because it's faster, and I don't own a glue-gun. Just in case, I crammed one silica packet into the router, and sealed off the tiny fan. There's not much room for air in there anymore, with the heatsinks, battery, wires, etc. But it does work flawlessly.
SUMMARY - IT'S WORKING
Here's the summary of what I did:
-Set up a WRT router with the latest OpenWRT. I'm using a WRT54GS v2 (216MHz, 32MB Ram, 8MB Flash)
-Use HyperTerminal or the latest PuTTY to access the router console (use serial, not TCP/IP)
-Connect it to the internet: http://wiki.openwrt.org/ClientModeHowto
-Create a shared folder on the attached desktop:

-Install and configure CIFS: http://wiki.openwrt.org/RemoteFileSystemHowTo
-Install wl and kismet:
/# ipkg install wl
/# ipkg install kismet
-Configure wl:
/# wl ap 0
/# wl disassoc
/# wl passive 1
/# wl promisc 1
-Set the channel (let's say, 6)
/# wl channel 6
-Enter your network folder (I set mine up as /tmp/smb)
/# cd /tmp/smb
-Start Kismet
/# kismet
-Wait a few days until you have something like this:

You may even see some freaky stuff along the way, like here I can see someone (possibly) attacking one of my neighbors. In fact I can see him sitting outside in his car with a laptop...

If you are doing some sniffing, fire up wireshark at your leisure. Be sure to use a filter upon opening the file to filter out all the hundreds of thousands of broadcasts and probes. Here's a good filter:
wlan.fc.type != 1 and wlan.fc.type != 0 and wlan.fc.subtype != 4
If you wanna do some cracking, you're in for some fun. You need the win32 aircrack suite, and you need to wait about a week. It will take that long on an unused wireless connection to get enough packets. Alternatively, if you have a strong cluster of computers, check out jc-wepcrack here. In my own experience, I've nailed a 40-bit key in about five hours using just one P4 laptop. And that was with vmware.
HELPFUL LINKS!
Maxim Integrated Circuits: http://www.maxim-ic.com/
Wireless screw camera: http://search.ebay.com/search/search.dll?satitle=wireless+screw+camera
WRT54G Serial mod: http://www.rwhitby.net/projects/wrt54gs
OpenWRT Linux: http://openwrt.org/
DD-Wrt Linux: http://www.dd-wrt.com/
