Netgear WGT634U-based Network Stumbler
The Jason McArthur Version
As early as the summer or early autumn of 2005, JasonMcArthur began working on a Netgear WGT634U-based stumbler device, based on OpenWgt and a 2.4.20 kernel.
[Need OpenWgt-based stumbler construction instructions here]
The Russell Senior Version
In early March of 2006, RussellSenior began sponging off of JasonMcArthur's work and assistance. Eventually, because he didn't have access to JasonMcArthur's build environment, and because he was seeing some problems that he didn't understand and needed to fiddle with, he began diverging from JasonMcArthur's image, and began playing with an OpenWrt-derived stumbler instead, principally because he understood how to build packages using its buildroot environment.
This is a description of how RussellSenior goes about building a stumbler device based on the NetgearWgt634u and OpenWrt. This is experimental software. Follow these instructions at your own risk.
Hardware
- Netgear WGT634U
- USB2 hub
- USB storage device
- USB GPS device (such as the GlobalSat BU-353)
- 3.3V serial console cable for WGT634U
- random, compact USB device (used as an enable-key)
Building OpenWrt Software
Currently, I am using the kamikaze svn tree. This description is based on the already obsolete r9512.
cd /src/openwrt
git clone git://nbd.name/openwrt.git
git clone git://nbd.name/packages.git
mkdir build
cd openwrt
git clone -l -s . ../build/r9512
cd ../build/r9512
ln -s /src_archive/openwrt/dl .   # an existing archive of downloaded packages
cd package
for i in $(find ../../../packages -type d | grep -v .svn | awk -F/ 'NF==6') ; do
    echo $i
    ln -s $i $(echo $i | awk -F/ '{ print $6 }')
done
Right now there are two tweaks I am doing to the stock trunk. One is that I am upgrading kismet to 2007-10-R1; the other is that I am using a tweaked svn gpsd. If you disable enough stuff and reduce array sizes enough, the current gpsd is usable. I am working on getting these accepted into openwrt. In the meantime, please contact me for my patches.
cd /src/openwrt/build/r9512
make menuconfig
script          # record the build output in a typescript file
make V=99
exit
In the menuconfig, I set the Target System to (Broadcom BCM947xx/953xx [2.6]), and for kicks I also "Select all packages by default" and enable a few things (which I am currently forgetting) that don't automatically get configured in. Often, you will find packages that won't build for some reason or another. In those cases, open a ticket, deconfigure the package in menuconfig and try again. Run make alone to see abbreviated messages, or make V=99 to get lots of information. The configuration I used for r9512 can be found here.
When the build is complete, the resulting files will be found thusly:
/src/openwrt/build/r9512/bin contains the flashable images
/src/openwrt/build/r9512/bin/packages contains the .ipk files
Now, you can copy the ipkg repository somewhere wget'able, e.g.:
rsync -v -a -H /src/openwrt/build/r9512/bin/packages/ donk.personaltelco.net:public_html/openwrt/r9512/
Checking out the WGT634U
If this is a new device, it is probably a good idea to check it out on the stock firmware first to make sure it functions.
- apply power
- use another computer to associate over the wireless
The Flash Environment
There is more than one way to flash the newly-built image onto the WGT634U.
CFE TFTP Flash-From-Console Method
This is the method I tend to use. For this, you will need a TFTP server and a serial console cable. On my debian/unstable box, I use the tftpd-hpa package.
- copy the image file to the TFTP server directory.
cp /src/openwrt/build/r9512/bin/openwrt-wgt634u-2.6-jffs2.bin /var/lib/tftpboot/wgt634u/openwrt-wgt634u-2.6-jffs2-r9512.bin
- open the WGT634U case by removing 4 screws from the bottom. These are either ordinary Phillips (often seen on the refurbs) or T-8 Torx screws.
- connect the serial console to the WGT634U
- connect a LAN network cable to the WAN port (nearest the USB port)
- while holding Ctrl-C on the serial console, apply power:
CFE version 1.0.34 for BCM95365R (32bit,SP,LE)
Build Date: Tue Feb 24 03:21:41 CST 2004 (root@jackylinux)
Copyright (C) 2000,2001,2002 Broadcom Corporation.
Add MAC client version(DNI).

Initializing Arena.
Initializing Devices.
et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller
CPU type 0x29007: 200MHz
Total memory: 0x2000000 bytes (32MB)

Total memory used by CFE:  0x81BB1280 - 0x82000000 (4517248)
Initialized Data:          0x81BB1280 - 0x81BB3E90 (11280)
BSS Area:                  0x81BB3E90 - 0x81BB45D0 (1856)
Local Heap:                0x81BB45D0 - 0x81FB45D0 (4194304)
Stack Area:                0x81FB45D0 - 0x81FB65D0 (8192)
Text (code) segment:       0x81FB65E0 - 0x81FFFFB0 (301520)
Boot area (physical):      0x01B70000 - 0x01BB0000
Relocation Factor:         I:E23B65E0 - D:01BB0280

configure vlans
*****************************************************************
*********************** VLAN Driver initial ********************
*****************************************************************
Process LAN port(2-5) vlan Architecture...
SUCCESS: trying to create VLAN 0 for switch
SUCCESS: trying to add LAN port
Process WAN port(2-5) vlan Architecture...
SUCCESS: trying to create VLAN 0 for switch
SUCCESS: trying to add WAN port
SUCCESS: enable ports success
configure vlans...done
Automatic startup canceled via Ctrl-C
CFE> ^C
CFE>
- Configure the network. This is easiest if there is a DHCP server on the network:
CFE> ifconfig eth0 -auto
Device eth0:  hwaddr 00-0F-B5-97-29-39, ipaddr 192.168.0.145, mask 255.255.255.0
        gateway 192.168.0.1, nameserver 192.168.0.1, domain personaltelco.net
*** command status = 0
- You can blank out the flash using specially prepared wipe images. Note that the size of a file you can TFTP into CFE is limited, so this must be done in two steps: the second part is written at a byte offset (here 3932160, i.e. 0x3C0000) that must equal the size of the first part, so that the two parts land back to back with neither a gap nor an overlap. This might in fact be unnecessary, but it works for me:
CFE> flash -noheader 192.168.0.5:wgt634u/wipe-1.img flash0.os
CFE> flash -noheader -offset=3932160 192.168.0.5:wgt634u/wipe-2.img flash0.os
- Now, flash the image you want to use and reboot:
CFE> flash -noheader 192.168.0.5:wgt634u/openwrt-wgt634u-2.6-jffs2-r9512.bin flash0.os
CFE> reboot
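The two-step wipe above works because the second `flash` command starts exactly where the first part ended. The script below is an added example (not from this page or from OpenWrt) that stages an image for the size-limited CFE TFTP flash: it cuts the file into consecutive parts and prints the CFE command for each, with the `-offset=` value computed from the bytes already written. The part size reproduces the 3932160-byte offset used on this page; the actual per-transfer limit of this CFE build is not stated here, so treat it as an assumption. The demo only splits a throwaway file of zeros and flashes nothing.

```shell
#!/bin/sh
# Added example, not one of the page's own files: stage an image for the
# size-limited CFE TFTP 'flash' command as consecutive parts and print the
# matching CFE commands.  PART_SIZE reproduces the 3932160-byte offset used
# on this page; the real per-transfer limit is an assumption.

PART_SIZE=3932160

# cfe_flash_plan IMAGE TFTP_HOST TFTP_DIR
# Writes IMAGE.part0, IMAGE.part1, ... (each at most PART_SIZE bytes, taken
# back to back from IMAGE) and prints one CFE command per part.  The offset
# for part N is N*PART_SIZE, i.e. the number of bytes the earlier parts
# already wrote; get that wrong and the parts overlap or leave a gap.
cfe_flash_plan() {
    image=$1 host=$2 dir=$3
    total=$(wc -c < "$image")
    n=0 offset=0
    while [ "$offset" -lt "$total" ]; do
        part="$image.part$n"
        dd if="$image" of="$part" bs="$PART_SIZE" skip="$n" count=1 2>/dev/null
        if [ "$n" -eq 0 ]; then
            printf 'flash -noheader %s:%s/%s flash0.os\n' "$host" "$dir" "${part##*/}"
        else
            printf 'flash -noheader -offset=%d %s:%s/%s flash0.os\n' \
                   "$offset" "$host" "$dir" "${part##*/}"
        fi
        n=$((n + 1))
        offset=$((n * PART_SIZE))
    done
}

# Stand-alone demo on a 5 MiB file of zeros standing in for a wipe image.
DEMO=$(mktemp)
dd if=/dev/zero of="$DEMO" bs=1048576 count=5 2>/dev/null
cfe_flash_plan "$DEMO" 192.168.0.5 wgt634u
rm -f "$DEMO" "$DEMO".part*
```

Copy the generated `.partN` files into the TFTP directory and paste the printed commands at the `CFE>` prompt in order; the first part goes to offset 0 (no `-offset=` needed), every later one to the cumulative size of the parts before it.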
Configuration
- To get a console prompt, wait until the bootup has finished, and press enter to wake up a shell.
- In order to take advantage of your kamikaze ipkg's, you first need to modify /etc/ipkg.conf. The wget in the starting image is the busybox version, which currently aborts if it finds an AAAA (IPv6) record for the host and there is no IPv6 routing available. Get around this by using an IPv4 address in the URL. Note that ipkg fetches over plain HTTP and does not verify package signatures, so only point it at a repository you built yourself or otherwise trust:
src snapshots http://206.163.122.98/~russell/openwrt/r9512
#src snapshots http://openwrt.org/downloads/snapshots/brcm-2.6/packages
dest root /
dest ram /tmp
- To update your WGT634U using this package archive:
ipkg update
- Now, start adding packages:
ipkg install ip kmod-usb-storage kmod-usb-serial-pl2303 gpsd-beta libstdcpp kismet-server kmod-fs-vfat kmod-nls-cp437 kmod-nls-iso8859-1 kmod-sound-core kmod-usb-audio madplay
- modify /etc/banner to reflect the svn snapshot.
- disable a few extraneous things:
mv /etc/init.d/httpd /etc/init.d/httpd_
- download the "extra" files (the tarball unpacks over /, so list its contents with tar tzvf before extracting it):
cd /tmp
wget http://206.163.122.98/~russell/r9512-extra-files.tar.gz
cd /
tar xzvf /tmp/r9512-extra-files.tar.gz
- Among the extra files are:
- /etc/init.d/setclock
#!/bin/sh
#
# /etc/init.d/S95setclock
#
# Find gps device and set clock via gpsd
#
# Russell Senior 2006 <russell@personaltelco.net>

PLAY=/usr/bin/play
SOUNDDIR=/usr/share/sounds
DEV=/dev/ttyUSB0

# wait for a usb-serial device to appear
while [ ! -c ${DEV} ]; do
    echo "waiting for usb-serial device"
    ${PLAY} ${SOUNDDIR}/insert-gps.mp3
    sleep 2
done

if ! pidof gpsd ; then
    gpsd -n ${DEV}
fi

sleep 5

${PLAY} ${SOUNDDIR}/fixing.mp3

# setclock.awk reads NMEA straight from the device and prints the time of
# the first valid GPRMC sentence as MMDDhhmmYYYY.ss, the form busybox
# "date -s" accepts
date -s $(awk -F, -f /usr/lib/setclock.awk ${DEV})

# kill any pre-existing gpsd (it daemonised, so it is not our child and
# "wait" would return at once; poll until the pid is gone instead)
if pidof gpsd ; then
    echo "killing gpsd"
    PID=$(pidof gpsd)
    kill ${PID}
    while kill -0 ${PID} 2>/dev/null ; do sleep 1 ; done
fi

${PLAY} ${SOUNDDIR}/cleaned-up.mp3
- /usr/lib/setclock.awk
# /usr/lib/setclock.awk: fed NMEA split on "," (awk -F,).  On the first
# $GPRMC sentence with a valid (A) fix, print the time as MMDDhhmmYYYY.ss
# for busybox "date -s" and exit; while the fix is void (V), nag every
# fifth sentence.  $2 = hhmmss(.sss) UTC, $10 = ddmmyy; the century is
# assumed to be 20xx.
$1 ~ /GPRMC/ && $3 ~ /A/ {
    printf "%s%s%s%s20%s.%s",
           substr($10,3,2), substr($10,1,2),
           substr($2,1,2),  substr($2,3,2),
           substr($10,5,2), substr($2,5,2)
    exit
}
$1 ~ /GPRMC/ && $3 !~ /A/ {
    nofix++
    if (nofix % 5 == 0) {
        system("/usr/bin/play /usr/share/sounds/fixing.mp3")
    }
}
- /etc/init.d/kismet
#!/bin/sh
# /etc/init.d/kismet: (re)start the wrapper that supervises kismet_server.
# A running wrapper is not our child, so poll for its exit instead of "wait".
if pidof kismet_wrapper ; then
    PID=$(pidof kismet_wrapper)
    kill ${PID}
    while kill -0 ${PID} 2>/dev/null ; do sleep 1 ; done
fi
/usr/sbin/kismet_wrapper &
- /usr/bin/play
#!/bin/sh
# /usr/bin/play: play the given file(s) through madplay, quietly (-Q),
# attenuated by 10 dB (-a -10) and without touching the tty
exec /usr/bin/madplay -Q -a -10 --no-tty-control "$@"
- /usr/sbin/kismet_wrapper
#!/bin/sh
#
# /usr/sbin/kismet_wrapper
#
# watches for presence of a VENDOR ID on the usb bus to determine
# whether ${CMD} should run

CMD=kismet_server
CMDSTR="/usr/bin/kismet_server -f /etc/kismet.conf"
MNT=/mnt/usbdrive
DEV=/dev/ttyUSB0
# the "enable key" is recognised by USB vendor ID alone; any device from
# that vendor (0a12 is a Bluetooth-dongle chipset vendor) switches capture on
VENDOR="0a12"
INTERVAL=5
PLAY=/usr/bin/play
SOUNDDIR=/usr/share/sounds

# gpsd daemonises, so it is never our child and "wait" would return at
# once; poll until the pid is gone instead
wait_for_exit() {
    while kill -0 $1 2>/dev/null ; do sleep 1 ; done
}

while true ; do
    echo "starting loop"
    if grep -q "Vendor=${VENDOR}" /proc/bus/usb/devices ; then
        # enable key is inserted
        echo "enable key inserted"
        if ! pidof ${CMD} ; then
            # ${CMD} isn't already running, so execute ${CMDSTR} to start
            if pidof gpsd ; then
                PID=$(pidof gpsd)
                echo "killing gpsd ${PID}"
                kill ${PID}
                wait_for_exit ${PID}
                ${PLAY} ${SOUNDDIR}/gpsd-stopped.mp3
            fi
            # wait for a usb-serial device to appear
            while [ ! -c ${DEV} ]; do
                echo "waiting for usb-serial device"
                ${PLAY} ${SOUNDDIR}/insert-gps.mp3
                sleep 2
            done
            # restarting gpsd in the normal waiting mode
            echo "restarting gpsd"
            gpsd ${DEV}
            ${PLAY} ${SOUNDDIR}/gpsd-started.mp3
            while [ ! -b /dev/sda1 ]; do
                echo "waiting for /dev/sda1"
                ${PLAY} ${SOUNDDIR}/insert-storage.mp3
                sleep 2
            done
            while ! grep -q '^/dev/sda1' /proc/mounts ; do
                echo "mounting storage"
                ${PLAY} ${SOUNDDIR}/mounting-storage.mp3
                mount /dev/sda1 ${MNT}
                sleep 1
            done
            ${PLAY} ${SOUNDDIR}/storage-mounted.mp3
            cd ${MNT}
            echo "starting ${CMD}"
            ${PLAY} ${SOUNDDIR}/starting-kismet.mp3
            ${CMDSTR} &
            sleep 3
            # check to see if kismet died (like after the 4th restart)
            if ! pidof ${CMD} ; then
                ${PLAY} ${SOUNDDIR}/kismet-stopped.mp3
                cd /tmp
                while grep -q '^/dev/sda1' /proc/mounts ; do
                    ${PLAY} ${SOUNDDIR}/unmounting-storage.mp3
                    umount ${MNT}
                    sleep 1
                done
                ${PLAY} ${SOUNDDIR}/storage-unmounted.mp3
                ${PLAY} ${SOUNDDIR}/rebooting.mp3
                reboot
            fi
        else
            # kismet is running, make sure gpsd is also
            if ! pidof gpsd ; then
                echo "WARNING: gpsd is not running!"
                ${PLAY} ${SOUNDDIR}/no-gpsd.mp3
                if [ -c ${DEV} ]; then
                    echo "restarting gpsd"
                    gpsd ${DEV}
                    ${PLAY} ${SOUNDDIR}/gpsd-started.mp3
                fi
            fi
        fi
    else
        # enable key is NOT inserted
        echo "enable key not inserted"
        if pidof ${CMD} ; then
            # is running, so kill it (kismet_server is our own background
            # child, so a real "wait" works here)
            echo "stopping ${CMD}"
            ${PLAY} ${SOUNDDIR}/stopping-kismet.mp3
            PID=$(pidof ${CMD})
            kill ${PID}
            wait ${PID}
            echo "finished waiting on ${PID}"
            ${PLAY} ${SOUNDDIR}/kismet-stopped.mp3
            cd /tmp
            while grep -q '^/dev/sda1' /proc/mounts ; do
                echo "unmounting storage"
                ${PLAY} ${SOUNDDIR}/unmounting-storage.mp3
                umount ${MNT}
                sleep 1
            done
            ${PLAY} ${SOUNDDIR}/storage-unmounted.mp3
            echo "stopping gpsd"
            ${PLAY} ${SOUNDDIR}/stopping-gpsd.mp3
            PID=$(pidof gpsd)
            kill ${PID}
            wait_for_exit ${PID}
            echo "finished waiting on ${PID}"
            ${PLAY} ${SOUNDDIR}/gpsd-stopped.mp3
        else
            ${PLAY} ${SOUNDDIR}/waiting.mp3
        fi
    fi
    echo "sleeping ${INTERVAL} seconds"
    sleep ${INTERVAL}
done
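setclock.awk above trusts any line containing GPRMC and reads it straight off the serial port; a byte corrupted on the link can therefore set a wrong clock. The script below is an added example, not one of the page's extra files: it performs the same GPRMC-to-`date -s` conversion in shell, but first checks the NMEA 0183 checksum (XOR of every byte between `$` and `*`) and rejects sentences with a void (V) fix. The three NMEA sentences are constructed test data.

```shell
#!/bin/sh
# Added example, not one of the page's extra files: the GPRMC -> "date -s"
# conversion that setclock.awk performs, with an NMEA checksum check in
# front of it so that a line garbled on the serial link is ignored instead
# of being used to set the clock.  The sentences below are constructed.

# XOR of every byte between the leading '$' and the '*', as two uppercase
# hex digits: the NMEA 0183 checksum.
nmea_checksum() {
    body=${1#\$}               # drop leading '$'
    body=${body%%\**}          # drop '*XX' and anything after it
    sum=0
    while [ -n "$body" ]; do
        c=${body%"${body#?}"}  # first character of $body
        sum=$(( sum ^ $(printf '%d' "'$c") ))
        body=${body#?}
    done
    printf '%02X' "$sum"
}

# Print the MMDDhhmmYYYY.ss argument busybox "date -s" expects for a $GPRMC
# sentence with a good checksum and an active (A) fix.  Returns 1 and prints
# nothing otherwise: wrong sentence type, bad checksum, or void (V) fix.
gprmc_to_date() {
    case $1 in
        \$GPRMC,*\*??) ;;
        *) return 1 ;;
    esac
    [ "$(nmea_checksum "$1")" = "${1##*\*}" ] || return 1
    # $2 = hhmmss(.sss) UTC, $3 = A|V, $10 = ddmmyy; the century is assumed
    # to be 20xx, exactly as setclock.awk assumes.
    printf '%s\n' "$1" | awk -F, '
        $3 == "A" {
            printf "%s%s%s%s20%s.%s\n",
                   substr($10,3,2), substr($10,1,2),
                   substr($2,1,2),  substr($2,3,2),
                   substr($10,5,2), substr($2,5,2)
            ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Constructed sentences: a good fix, the same position with a void fix, and
# the good one with one digit of the date altered (checksum no longer matches).
RMC_FIX='$GPRMC,183015,A,4530.123,N,12240.456,W,000.0,000.0,150306,019.0,E*63'
RMC_VOID='$GPRMC,183015,V,4530.123,N,12240.456,W,000.0,000.0,150306,019.0,E*74'
RMC_CORRUPT='$GPRMC,183015,A,4530.123,N,12240.456,W,000.0,000.0,150307,019.0,E*63'

for s in "$RMC_FIX" "$RMC_VOID" "$RMC_CORRUPT"; do
    if d=$(gprmc_to_date "$s"); then
        echo "would run: date -s $d"
    else
        echo "ignored: $s"
    fi
done
```

On the device the loop would read lines from /dev/ttyUSB0 (`while read -r s; do ... done < /dev/ttyUSB0`) and call `date -s` on the first sentence that passes, which is where the checksum check pays off.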
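kismet_wrapper above turns capture on whenever `Vendor=0a12` appears anywhere in /proc/bus/usb/devices, so any device from that vendor acts as the enable key. The function below is an added example (not one of the page's extra files) that matches one device record on vendor ID, product ID and, when given, serial number, which narrows the key to one physical stick. The listing it parses is made up in the layout of /proc/bus/usb/devices (a `T:` line starts each device, `P:` carries the IDs, `S:` lines carry the strings); the IDs in it are sample values.

```shell
#!/bin/sh
# Added example, not one of the page's extra files: a tighter version of the
# kismet_wrapper "enable key" test.  The wrapper greps /proc/bus/usb/devices
# for Vendor=0a12, which matches every device from that vendor; this matches
# one record on vendor, product and (optionally) serial number instead.
# SAMPLE_DEVICES is a made-up listing in the /proc/bus/usb/devices layout.

# usb_key_present VENDOR PRODID [SERIAL] < /proc/bus/usb/devices
# Returns 0 if one device record (a T: line and everything up to the next
# T: line) carries all of the requested identifiers, 1 otherwise.
usb_key_present() {
    awk -v want_v="Vendor=$1" -v want_p="ProdID=$2" -v want_s="$3" '
        function flush() {
            if (v && p && (want_s == "" || s == want_s)) found = 1
            v = 0; p = 0; s = ""
        }
        /^T:/ { flush() }                      # a new device record begins
        /^P:/ { for (i = 2; i <= NF; i++) {    # P:  Vendor=xxxx ProdID=xxxx Rev= n.nn
                    if ($i == want_v) v = 1
                    if ($i == want_p) p = 1
                } }
        /^S: *SerialNumber=/ { sub(/^S: *SerialNumber=/, ""); s = $0 }
        END { flush(); exit found ? 0 : 1 }'
}

# Constructed listing: a root hub, a vendor-0a12 dongle with no serial, a
# PL2303 GPS cable and a flash drive with a serial number.
SAMPLE_DEVICES='T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480 MxCh= 2
D:  Ver= 2.00 Cls=09(hub  ) Sub=00 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=0000 ProdID=0000 Rev= 2.06
S:  Product=EHCI Host Controller
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12  MxCh= 0
D:  Ver= 2.00 Cls=e0(unk. ) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=0a12 ProdID=0001 Rev= 5.25
T:  Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  3 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=067b ProdID=2303 Rev= 3.00
S:  Product=USB-Serial Controller
T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=03 Dev#=  4 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=0781 ProdID=5151 Rev= 0.10
S:  Manufacturer=SanDisk
S:  Product=Cruzer Micro
S:  SerialNumber=0000000000000001'

# Stand-alone demo: vendor+product only, then vendor+product+serial.
for key in "0a12 0001" "0781 5151 0000000000000001" "0781 5151 0000000000000002"; do
    set -- $key
    if printf '%s\n' "$SAMPLE_DEVICES" | usb_key_present "$@"; then
        echo "enable key $key: present"
    else
        echo "enable key $key: absent"
    fi
done
```

In the wrapper, `grep -q "Vendor=${VENDOR}" /proc/bus/usb/devices` would become `usb_key_present "$VENDOR" "$PRODID" "$SERIAL" < /proc/bus/usb/devices`; the serial number of your own key is on its `S:  SerialNumber=` line.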
- I used a combination of festival and toolame to create the sound files for madplay (toolame actually produces MPEG Layer II audio, but madplay plays it regardless of the .mp3 name):
echo "string" | text2wave - > string.wav
toolame string.wav string.mp3