Build a Hacking Gadget – ReaverPro P1

In this tutorial I want to show you how you can build the device that was formerly known as «ReaverPro», which you can use to crack Wifi networks that use WEP encryption or have WPS enabled.

I’ll split this tutorial into two parts. Part 1 covers all related information: where to get the parts and what we need to flash OpenWrt on the device.

In Part 2 I’ll show you how we can flash the Reaver firmware on the device and how we can extend our gadget so that we can also perform the «WPS Pixie Dust» attack. 😉

SETUP:

Reaver Pro is based on the ALFA AP-121U hardware (see picture above).

This device comes with two different mainboards:

CPU                     RAM     Flash   Network       USB   Serial   JTAG
Atheros AR9331@400MHz   32MiB   8MiB    2x 100Mbit    Yes   Yes      With hardware mod
Atheros AR9331@400MHz   64MiB   16MiB   2x 100Mbit    Yes   Yes      With hardware mod

To flash the Reaver firmware we need the 64MiB RAM / 16MiB flash version; on the smaller board the flash will fail.

If you decide to buy the ALFA AP-121U, check with the shop vendor that it’s the 64MiB version!

If you decide to buy the parts:

To flash the Firmware we need:

Let’s start:

To open the Alfa case you need to remove the rubber feet (close to the USB port) and the two screws underneath. Once the case is open, look for the serial header and connect its pins with the USB to TTL UART cable.

Cable wire colors: Red (VDD +5V), Black (GND), Green (RXD), White (TXD)

Connect only the GND, RXD and TXD pins.

Don’t connect the VDD pin while the board is powered on, otherwise you’ll crash the board!

Set your PC’s Ethernet address to 192.168.1.254 and start a TFTP server.

Point the TFTP server’s root at the directory where all the firmware files are located.

When the UART adapter is connected, start PuTTY, select the serial interface and set the baud rate to 115200.

You should now see this:

Power on the Hornet-UB board and you should see the device booting U-Boot. If you don’t see anything here, try swapping the RXD and TXD pins on the Hornet-UB board.

If you are asked for a password, it’s:

root / 80546334


Please choose the operation:
   1: Entr boot command line interface.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).

You choosed 1

 0

ar7240>


Flash the Kernel and Filesystem:

ar7240> setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.254
ar7240> tftp 0x80600000 kernel.bin
eth0 link down
FAIL
dup 1 speed 1000
Using eth1 device
TFTP from server 192.168.1.254; our IP address is 192.168.1.1
Filename 'kernel.bin'.
Load address: 0x80600000
Loading: #################################################################
         #################################################################
         #################################################################
         #######################

ar7240> erase 0x9fe50000 +0x190000
Erase Flash from 0x9fe50000 to 0x9ffdffff in Bank # 1
First 0xe5 last 0xfd sector size 0x10000                                     253
Erased 25 sectors

ar7240> cp.b 0x80600000 0x9fe50000 110000
Copy to Flash... write addr: 9fe50000
done

ar7240> tftp 0x80600000 rootfs.bin
dup 1 speed 100
Using eth0 device
TFTP from server 192.168.1.254; our IP address is 192.168.1.1
Filename 'rootfs.bin'.
Load address: 0x80600000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ######
done
Bytes transferred = 2359296 (240000 hex)
ar7240> erase 0x9f050000 +0xE00000
Erase Flash from 0x9f050000 to 0x9fe4ffff in Bank # 1
First 0x5 last 0xe4 sector size 0x10000                                      228
Erased 224 sectors
ar7240> cp.b 0x80600000 0x9f050000 240000
Copy to Flash... write addr: 9f050000
done
ar7240>
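U-Boot reads every length argument as hex, so a typo in the erase or cp.b count either truncates the image or erases past the partition into its neighbour, and a too-large image (the reason the 8MiB board fails) is only noticed once it is already half written. The following pre-flight check is an added example, not part of the original post or of the ALFA/OpenWrt tooling; it assumes only the flash bases, partition lengths and load address from the session above (0x9fe50000/+0x190000 for the kernel, 0x9f050000/+0xE00000 for the rootfs, 0x80600000 in RAM) and the 0x10000 sector size U-Boot reports. File names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for the
# U-Boot erase/cp.b arguments used on the AP-121U (16 MiB flash layout).
# U-Boot reads every length as hex, so a wrong count either truncates the
# image or erases past the partition into its neighbour. These helpers take
# the numbers from the tutorial's own session and compute/verify the rest.

SECTOR_SIZE=65536      # 0x10000, the sector size U-Boot's "erase" reports

# Flash layout copied from the session above (assumed; check your own board).
KERNEL_BASE=0x9fe50000;  KERNEL_LEN=0x190000
ROOTFS_BASE=0x9f050000;  ROOTFS_LEN=0xE00000
LOAD_ADDR=0x80600000     # RAM address used for tftp

# Size in bytes of a file (portable across BusyBox and GNU wc).
file_size() { wc -c < "$1" | tr -d ' '; }

# Number of 64 KiB sectors needed to hold $1 bytes, rounded up.
sectors_for() { echo $(( ($1 + SECTOR_SIZE - 1) / SECTOR_SIZE )); }

# Succeeds when an image of $1 bytes fits into a partition of $2 bytes
# (both arguments may be decimal or 0x-prefixed hex).
image_fits() { [ "$(( $1 ))" -le "$(( $2 ))" ]; }

# Pull the decimal byte count out of U-Boot's "Bytes transferred = N (HEX hex)"
# line, for readers who only have the serial log and not the file itself.
bytes_from_uboot_line() {
    printf '%s\n' "$1" | sed -n 's/^Bytes transferred = \([0-9][0-9]*\) .*/\1/p'
}

# Print the tftp/erase/cp.b sequence for one image, or fail if it does not fit.
# Args: image file, RAM load address, flash base, partition length.
uboot_plan() {
    img=$1; load=$(( $2 )); base=$(( $3 )); part_len=$(( $4 ))
    size=$(file_size "$img") || return 1
    if ! image_fits "$size" "$part_len"; then
        printf 'ERROR: %s is %d bytes but the partition holds only %d\n' \
            "$img" "$size" "$part_len" >&2
        return 1
    fi
    printf 'tftp 0x%x %s\n' "$load" "$img"
    printf 'erase 0x%x +0x%x\n' "$base" "$part_len"      # whole partition, as in the post
    printf 'cp.b 0x%x 0x%x %x\n' "$load" "$base" "$size"  # exact image size, hex, no prefix
}

# Usage: sh plan.sh rootfs.bin   (or kernel.bin)
# Prints the three commands to paste into the ar7240> prompt.
case "$1" in
    rootfs.bin) uboot_plan "$1" "$LOAD_ADDR" "$ROOTFS_BASE" "$ROOTFS_LEN" ;;
    kernel.bin) uboot_plan "$1" "$LOAD_ADDR" "$KERNEL_BASE" "$KERNEL_LEN" ;;
esac
```

For the 2359296-byte rootfs.bin from the session this prints exactly the `erase 0x9f050000 +0xe00000` and `cp.b 0x80600000 0x9f050000 240000` lines the post types by hand, and it refuses to produce a plan when the image is larger than its partition instead of letting U-Boot overwrite whatever lies behind it.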

U-Boot 1.1.4 (Apr 25 2013 - 14:01:10)

AP121 (ar9331) U-boot

If everything went well, you should see OpenWrt booting up:

BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 BARRIER BREAKER (14.07, r42625)
 -----------------------------------------------------
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------
root@OpenWrt:/# df
Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                   12160       472     11688   4% /
/dev/root                 2304      2304         0 100% /rom
tmpfs                    30672        64     30608   0% /tmp
tmpfs                    30672        44     30628   0% /tmp/root
tmpfs                      512         0       512   0% /dev
/dev/mtdblock4           12160       472     11688   4% /overlay
overlayfs:/overlay       12160       472     11688   4% /
root@OpenWrt:/# 

Have fun and feel free to continue with Part 2 🙂

1 Comment

  1. If you need the serial connection more often, then a better solution would be to drill a hole in the case, add a 3.5 stereo audio jack and connect it to the pin header.

    Then simply plug in an FTDI AJ cable for serial connection.

    See here: http://www.tuxad.de/blog/archives/2013/08/10/ftdi_aj_cable_for_routers/index.html
