Custom firmwares for Conceptronic c54brs4a
==========================================
Warning
=======

These firmwares are not intended for normal users, since some pose severe security risks.
If you don't fully understand what Telnet is or you have never heard of a "BackDoor",
please do not use them.

I accept no liability. Should you want to give them a try, please read the license
terms carefully.

These firmwares should fit any c54brs4a V1 or V2 router, but I can only vouch that they
work with my Conceptronic c54brs4a V2 (model bought in Spain in 2008). Please report
whether they work with your particular model.

Since Conceptronic has not released the source code of the latest version, I built them
from the V2.0 sources. Here is the official changelog as of July 2011 or, in other words,
the changes that are missing from my firmwares:

   Release notes
   2.02
   Fixed:
   -   IP Filter does not work after setting a rule.
   Changed:
   -   Modify drop’s log info from ‘Drop’ to ‘Drop’/’Reject’.
   Added:
   -   Timer for specifying the time the PPPoE connection needs to be kept alive when idle.
   -   Reject option in firewall, filter and block functions.
   2.01
   Fixed:
   -   Unable to connect with MSN.
   -   IP Filter does not work after rebooting the device.
   2.00
   Added:
   -   Support for both Version 1.0 and 2.0 of the C54BRS4A

On a side note:

I've tried every official version. For me, and I guess for most users, the difference between
dropping or rejecting packets is not relevant, and the same goes for the other changes. What I
mean is: the most important bugs have never been fixed, so don't worry about the missing latest
changes.

Bugs that I found:
-Some features related to NAT and firewalling have never worked fine for me, regardless of the
 version I used. Sometimes, unplugging some wires and/or rebooting did the trick but, so far,
 I still have no idea how to make this thing work as it should.
-You must never use empty names when assigning DHCP static IPs; otherwise, you'll get random
 results instead.
-Remote web config only worked fine for me when I was at a different external IP. Since I'm not
 familiar with this HTTP server, I still don't know the reason.
-If the router is set up to automatically update time & date from an NTP server and it fails,
 it will end up with lots of zombie "ntp_run.sh" processes.


Custom modifications applied to each firmware
=============================================

                            A         B         C(1)      D
GNU Netcat added            yes       yes       yes       no
Telnet login user           admin     odin      (2)       (2)
Telnet password             nimda     valhalla  (2)       (2)
Pass in telnetpass (3)      yes       yes       no        no
Pass in httpasswd (3)       no        no        yes       yes
Telnet timeout              300       0         0         0
Shrunk banner in HTML       yes       yes       yes       yes
Web config time-out         300       3600      3600      3600
Add "custom" to branding    no        yes       yes       yes
Remote live config          no        no        yes       no
Autoexecutable FTP server   no        no        no        yes
FTP server login user       N/A       N/A       N/A       (2)
FTP server login password   N/A       N/A       N/A       (2)
Added extra tool            none      none      dvsnf     http_post
Size in bytes x 1000        1863      1859      1863      1847

(1) Until July the 13th it was a slightly different C version; the current one fixes
    a bug in the "remote config" feature.
(2) Same value as the one used for the Web Interface. Actually, the user is always admin.
(3) The Telnet password may be stored in either file; see below.

Which should I choose?

In general terms, the safest is A, while C and D pose extra risks. The only changes in A are
the added Netcat, the original Telnet login (Alphanetworks/wrgg19_conceptronic_c54brs4a)
replaced by a handier one, and a few cosmetic/usability tweaks.

If you want to hack/sniff/audit, C is the one for you, as long as you know how to deal with
the security issues.

Last, version D replaces Netcat with a tiny FTP server. Perhaps it is fit for development
or custom live configurations.

Apart from those, I also made a "ValidMAC" C version. You would only need that for
recovering the device after having set up an invalid MAC. If that is not the case, forget about it.


Explanations
============

GNU netcat 0.7.1
	Added /bin/nc (144035 bytes)
	Tip 1: See "Remote live config" below for how to transfer files.
	Tip 2: As you may already know, Netcat is a powerful tool. Search the internet!

Replaced telnet login data
	Modified /etc/scripts/misc/telnetd.sh
		No Time-out: replaced 300 by 0
		Telnet login data may be read from:
			/etc/config/telnetpass as plain text (only the password)
			/var/etc/httpasswd as plain text (in the format user:password)
	Note 1: The Telnet daemon may become available only quite late after a reboot.
	Note 2: The default for the Web config is admin/admin

Shrunk "Conceptronic Logo" in all HTML pages from 180 to 20px
	Modified /www/locale/en/saving.html (<div> height)
	Modified /www/model/__template.php (<div> height)
	Cropped /www/pic/header.gif (from 35329 to 243 bytes = 35 KB saved!)
	Note: I hated the waste of 180 pixels on my screen.

Web config: extended time-out and re-branding
	Modified /etc/defnodes/S40brand.php:
		set("/sys/version", "Custom v1.0 / v2.0"); ("custom" was added)
		set("/sys/sessiontimeout", "3600"); (instead of "300")

Remote Live Config
	Added /etc/scripts/misc/remotecmd.sh, which is
	called as the last action from etc/scripts/system.sh.
	It listens on 31337 ("elite" port), saves the received file,
	closes the connection and tries to run /var/receivedcmd.
	As you see, you can use this feature to update your router
	config live, as soon as it is up but, on the other hand,
	this can be an open door for malicious actions, since any
	executable sent to that port gets run.
	Tip 1: since netcat and programs using it may leave your Telnet console frozen,
	 you could send them to the background by appending a trailing &
	Tip 2: how to transfer your program from your computer:
	 Using Netcat v1.10 (NOT the GNU version): cat mycmd.sh|nc -q 1 192.168.0.1 31337
	 Using GNU Netcat (not verified by me): nc 192.168.0.1 31337 < mycmd.sh (CTRL-C needed?)
	 Note that mycmd.sh is just an example; you can send, and get run, any executable.
	Tip 3: how to control the router apart from opening a Telnet session:
	 1st: Router: nc --listen -p 31337 -e 'sh' (or just use Remote Config; in this case, you
	 will not see the first output in your computer's terminal)
	 2nd: Computer: echo "<command>;nc --listen -p 31337 -e 'sh'"|nc -q 1 192.168.0.2 31337
	 End the control session by omitting the nc --listen -p 31337 -e 'sh'.
	 This is a handy Bash function for repeatedly sending commands:
	 #!/bin/bash
	 EXECMARK="\`"
	 function send {
	 # IF USED MORE THAN A FEW TIMES YOU'LL NEED TO KILL ALL 'sh -c sh' PROCESSES,
	 # which is what the leading kill does. The echo ... | nc must be one single line.
	 # $* (instead of $1) sends the whole command, so "send ls -l" really sends "ls -l".
		echo "kill ${EXECMARK}ps|grep 'sh -c sh'|grep -v 'bin'|cut -d' ' -f2${EXECMARK} 2>/dev/null;$*;nc --listen -p 31337 -e 'sh'"|nc -q 1 192.168.0.1 31337
	 }
	 send ifconfig # Just an example
	 send ls -l # Just another example
	 echo ""|nc -q 1 192.168.0.1 31337 # END THE REMOTE SESSION AND CLOSE
	 exit
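	The hook above runs /var/receivedcmd as soon as a file arrives. The script below is an added example, not part of the firmware or of this README, showing how that last step could be gated with a pre-shared key so that only payloads whose first line carries the right tag get executed; it assumes sha256sum is available on the box (the router's busybox may lack it) and a key exported as REMOTECMD_PSK, both of which are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the firmware: a gated "remote live config" hook.
# The original remotecmd.sh runs /var/receivedcmd as soon as it has arrived.
# Here the payload's first line must carry a tag equal to sha256(PSK + body),
# and anything else is deleted instead of executed.
# Assumptions: sha256sum exists on the box (the router's busybox may lack it)
# and the pre-shared key is exported as REMOTECMD_PSK before building.

PSK="${REMOTECMD_PSK:-change-me-before-flashing}"   # assumed pre-shared key

# tag_for FILE: print the hex tag the sender must put on line 1 of the payload
tag_for() {
    { printf '%s' "$PSK"; cat "$1"; } | sha256sum | cut -d' ' -f1
}

# make_signed BODY OUT: build the payload (tag line + body) the way the sending
# side would, before e.g. "nc -q 1 192.168.0.1 31337 < OUT"
make_signed() {
    { printf '%s\n' "$(tag_for "$1")"; cat "$1"; } > "$2"
}

# verify_and_run RECEIVED: split tag and body, recompute the tag over the body
# and run the body only on a match. Returns 0 when the body ran, 1 when the
# payload was rejected; a rejected payload is removed so nothing is left behind
# for a later "run whatever is in /var" step to pick up.
verify_and_run() {
    recv=$1
    body="${recv}.body"
    claimed=$(head -n 1 "$recv")
    tail -n +2 "$recv" > "$body"
    expected=$(tag_for "$body")
    if [ "$claimed" = "$expected" ]; then
        if sh "$body"; then rc=0; else rc=$?; fi
        rm -f "$body"
        return $rc
    fi
    rm -f "$body" "$recv"
    return 1
}

# In remotecmd.sh, the final "run /var/receivedcmd" step would become:
#   verify_and_run /var/receivedcmd
```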

FTP server
	Added /bin/stupid-ftpd (86647 bytes)
	Added /etc/stupid-ftpd.template, which will be used to make /var/etc/stupid-ftpd.conf
	Added /etc/scripts/misc/ftpd.sh which is called from etc/scripts/system.sh.
	Note: depending on your browser/FTP client, the daemon may misbehave; the least
	troublesome way is to include your credentials in the URL: ftp://user:pass@192.168.0.1
	
Extra tool (devsniff / http_post / none)
	It may be either http_post (I guess it could somehow be useful), devsniff or none.
	Warning: once started, you will not be able to stop devsniff from the keyboard:
	either send it to the background or open a 2nd session for "killall devsniff".
	Also, I guess that this tool stresses the router's CPU quite a lot.
	Tip 1: How to sniff text from all traffic (edit to match your config!):
	*Having loaded the C version of the firmware, telnet to your router and type:
	 devsniff vlan2|grep [:alnum:][:alnum:]|nc -u -c 192.168.0.104 31333
	 Note 1: Here, my monitor box is at 192.168.0.104, listening on port 31333.
	 Note 2: Don't press <Enter> until you have started the listening netcat on
	  your monitoring computer.
	*Open a terminal on your monitor computer and type nc -l -u -q 1 -p 31333
	 Note 1: I'm using Netcat 1.10 on my box, NOT the GNU one; syntax could vary.
	 On your monitor's terminal you'll see nothing but garbage: that's the raw dump of
	 traffic, even though basic filtering has already been done by "grep [:alnum:][:alnum:]".
	*Use your tool of choice to filter it further, for instance:
	 Your computer: nc -l -u -p 31333|strings -n 6|grep "what_you_are_interested_in"
	 "strings" will filter out most garbage while grep will pick the text you are waiting for.
	 For instance, this will give out most email addresses:
	 grep --ignore-case --extended-regexp "(.*[@].*[.]org|.*[@].*[.]com|.*[@].*[.]net)"
	 Note 1: Try to avoid any traffic other than the incoming sniffed one on your monitor
	  box in order to reduce the amount of duplicated/corrupted data; this implies closing
	  Telnet sessions.
	 Note 2: devsniff has been built with a 1k buffer; therefore it may only start sending
	  data some seconds after being started.
	 Other possibilities (not tested by me):
	  Your computer: nc -l -u -p 31333|dsniff
	  (dsniff and other tools are at http://www.monkey.org/~dugsong/)
	  Your computer: nc -l -u -p 31333|devspy
	  (script by me that is in /customized_features/devsniffer. Customize it!)
	  Your computer: nc -l -u -p 31333 > /dev/null
	  (perhaps some other monitor tool)
	

Experiments
===========

Although you are supposed to know the reasons for getting your firmware replaced,
let me tell you a few things you can do in an easier way, apart from the usual ones
available from the standard web interface:
-Use your router as a WiFi client (wlanconfig, iwpriv and iwconfig)
-Transfer files from/to your router FS (netcat or the "remote live config" feature)
-Use your router as a repeater (http://madwifi-project.org/wiki/UserDocs/WDSBridge)
-Use non-standard wireless frequencies (iwconfig)
-Change MACs on the fly (see my script "change_macs"), IPs (ifconfig), etc.
-Use your router as a mailbox (netcat)
-Redirect ports (netcat)
-Use the router for fooling wireless leechers (see my script "foolthem")
-Sniff traffic (choose firmware C and see above, netcat / devsniff)
-Turn the router into a switch (see layout.sh and layout_run.php in /etc/scripts)
-Make your own firmwares (see advanced.txt and/or download my workspace)
-Set up a "Captive portal" for your HotSpot
 (I'd suggest customizing wifidog, running as much as possible on your computer
 and using remote config / netcat for controlling the router; also, since you already
 have a built-in webserver, you wouldn't need its own)

And of course... try to fix some of the bugs of this crappy router.
Also, I'd like to hear about your hacks. Please, drop me a line!


License
=======

For those pieces of software made by me or wherever it could be applied,
think of my contribution as released under the MIT license terms:

Copyright (c) 2011 T.Ramirez

Permission is hereby granted, free of charge, to any
person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the
Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice
shall be included in all copies or substantial portions of
the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


Many thanks to
==============

http://www.aroundmyroom.com/2007/11/28/hacking-into-conceptronic-c54brs4a-router/
http://www.felixblanco.es/fonera/netcat_fonera.pdf (Spanish)
http://www.adslzone.net/postp1906215.html (Spanish)


Source code
===========

http://download.conceptronic.net/GNU-GPL/


Author and feedback:
====================

Teo Ramirez, Spain, Jul 2011
teoDELETEramirezME()gmail.com
http://galinux.myftp.org

Revised on July 24th, 2011