{"id":17,"date":"2018-03-03T13:54:26","date_gmt":"2018-03-03T12:54:26","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=17"},"modified":"2018-09-09T12:19:56","modified_gmt":"2018-09-09T11:19:56","slug":"build-a-hacking-gadget-reaverpro-p1","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=17","title":{"rendered":"Build a Hacking Gadget &#8211; ReaverPro P1"},"content":{"rendered":"<p>In this tutorial I want to show you how you can build a device that was formerly known as &#171;ReaverPro&#187;, which you can use to crack Wi-Fi networks that use WEP encryption or have WPS enabled.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-19 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/AP121U_app_1.jpg\" alt=\"\" width=\"600\" height=\"214\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/AP121U_app_1.jpg 600w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/AP121U_app_1-300x107.jpg 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>I&#8217;ll split this tutorial into two parts. Part 1 shows all the related information: where to get the parts and what we need to flash OpenWrt on the device.<\/p>\n<p>In Part 2 I&#8217;ll show you how we can flash the Reaver firmware on the device and how we can extend our gadget so that we can also perform the &#171;WPS Pixie Dust&#187; attack. 
\ud83d\ude09<\/p>\n<p>Table of Contents:<\/p>\n<ul>\n<li>Build a Hacking Gadget &#8211; ReaverPro P1<\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/?p=17\" target=\"_blank\" rel=\"noopener\">Build a Hacking Gadget &#8211; ReaverPro P2<\/a><\/li>\n<\/ul>\n<p>SETUP:<\/p>\n<p>Reaver Pro is based on the ALFA AP-121U Hardware (See Picture above)<\/p>\n<p>This Device comes with different Mainboards:<\/p>\n<table class=\"inline\">\n<thead>\n<tr class=\"row0\">\n<th class=\"col0\">CPU<\/th>\n<th class=\"col1\">Ram<\/th>\n<th class=\"col2\">Flash<\/th>\n<th class=\"col3\">Network<\/th>\n<th class=\"col4\">USB<\/th>\n<th class=\"col5\">Serial<\/th>\n<th class=\"col6\">JTag<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr class=\"row1\">\n<td class=\"col0\">Atheros AR9331@400MHz<\/td>\n<td class=\"col1\">32MiB<\/td>\n<td class=\"col2\">8MiB<\/td>\n<td class=\"col3\">2x 100Mbit<\/td>\n<td class=\"col4\">Yes<\/td>\n<td class=\"col5\">Yes<\/td>\n<td class=\"col6\">With Hardwaremod<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table class=\"inline\">\n<thead>\n<tr class=\"row0\">\n<th class=\"col0\">CPU<\/th>\n<th class=\"col1\">Ram<\/th>\n<th class=\"col2\">Flash<\/th>\n<th class=\"col3\">Network<\/th>\n<th class=\"col4\">USB<\/th>\n<th class=\"col5\">Serial<\/th>\n<th class=\"col6\">JTag<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr class=\"row1\">\n<td class=\"col0\">Atheros AR9331@400MHz<\/td>\n<td class=\"col1\">64MiB<\/td>\n<td class=\"col2\">16MiB<\/td>\n<td class=\"col3\">2x 100Mbit<\/td>\n<td class=\"col4\">Yes<\/td>\n<td class=\"col5\">Yes<\/td>\n<td class=\"col6\">With Hardwaremod<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>To flash the Reaver Firmware we need the <strong>64MB\/16MB<\/strong> Version, otherwise it will fail.<\/p>\n<p><strong><span style=\"color: #000000;\">If you decide to buy the ALFA AP-121U check with the shop vendor that&#8217;s the 64MB Version!<\/span><\/strong><\/p>\n<ul>\n<li><span style=\"color: #000000;\"><a 
href=\"https:\/\/www.data-alliance.net\/alfa-ap-router-w-web-content-filtering-wifi-wireless-802-11n-hornet-ub\/\" target=\"_blank\" rel=\"noopener\">ALFA AP-121U (US Store)<\/a><\/span><\/li>\n<li><a href=\"http:\/\/varia-store.com\/Wireless-Systeme\/ALFA-Network\/ALFA-AP121U-802-11n-AP-Router-USB-Port::2641.html\" target=\"_blank\" rel=\"noopener\">ALFA AP-121U (EU Store)<\/a><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\">If you decide to buy the parts:<\/span><\/p>\n<ul>\n<li><span style=\"color: #000000;\"><a href=\"https:\/\/www.data-alliance.net\/alfa-hornet-ub-wifi-board-atheros-ar9331-400mhz-802-11n-version-w-16mb-flash-64mb-ram\/\" target=\"_blank\" rel=\"noopener\">ALFA Hornet-UB Wifi Board 64MB\/16MB (US Store)<\/a><\/span><\/li>\n<li><a href=\"http:\/\/varia-store.com\/Wireless-Systeme\/ALFA-Network\/ALFA-Network-Hornet-UB-Embedded-Board-Atheros-802-11n::1591.html\" target=\"_blank\" rel=\"noopener\">ALFA Hornet-UB Wifi Board 64MB\/16MB (EU Store)<\/a><\/li>\n<li><a href=\"https:\/\/www.data-alliance.net\/antenna-2-4ghz-5dbi-omni-directional-w-rp-sma-connector-black-or-white\/\" target=\"_blank\" rel=\"noopener\">Antenna for Hornet-UB Board (US Store)<\/a><\/li>\n<li><a href=\"http:\/\/varia-store.com\/Antennen\/Antennen-2-4-2-5GHz\/Omni-Innenbereich-2-4-2-5GHz\/Omni-Antenne-5dBi-RP-SMA-Dualband-2-4GHz-und-5GHz::704.html\" target=\"_blank\" rel=\"noopener\">Antenna for Hornet-UB Board (EU Store)<\/a><\/li>\n<li><span style=\"color: #000000;\"><a href=\"https:\/\/www.data-alliance.net\/case-for-alfa-hornet-ub-board-make-openwrt-router\/\" target=\"_blank\" rel=\"noopener\">Case for Hornet-UB Board (US Store)<\/a><\/span><\/li>\n<li><span style=\"color: #000000;\"><a href=\"https:\/\/www.data-alliance.net\/power-supply-12-volt-18-watts-1-amp-ac-dc-power-adapter-std-dc-2-1mm-barrel-europe-style-plug\/\" target=\"_blank\" rel=\"noopener\">Power Supply for Hornet-UB \/EU Version (US Store)<\/a><\/span><\/li>\n<\/ul>\n<p>To flash the Firmware we 
need:<\/p>\n<ul>\n<li>1x <a href=\"https:\/\/www.adafruit.com\/product\/954\" target=\"_blank\" rel=\"noopener\">USB to TTL UART Cable<\/a><\/li>\n<li>Notebook with a running <a href=\"http:\/\/tftpd32.jounin.net\/tftpd32_download.html\" target=\"_blank\" rel=\"noopener\">TFTP Server<\/a> and terminal software like <a href=\"https:\/\/www.chiark.greenend.org.uk\/~sgtatham\/putty\/latest.html\" target=\"_blank\" rel=\"noopener\">PuTTY<\/a><\/li>\n<li><a href=\"http:\/\/downloads.openwrt.org\/barrier_breaker\/14.07\/ar71xx\/generic\/openwrt-ar71xx-generic-hornet-ub-x2-kernel.bin\" target=\"_blank\" rel=\"noopener\">OpenWrt Kernel for Hornet-UB<\/a><\/li>\n<li><a href=\"http:\/\/downloads.openwrt.org\/barrier_breaker\/14.07\/ar71xx\/generic\/openwrt-ar71xx-generic-hornet-ub-x2-rootfs-squashfs.bin\" target=\"_blank\" rel=\"noopener\">OpenWrt Filesystem for Hornet-UB<\/a><\/li>\n<li><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/staging_firmware.zip\" target=\"_blank\" rel=\"noopener\">Reaver Pro Firmware<\/a> \/ [Backup Mirror]<\/li>\n<\/ul>\n<p>Let&#8217;s start:<\/p>\n<p>To open the Alfa case you need to remove the rubber feet (close to the USB port) and remove two screws. 
Once the case is open, look for the serial interface and connect its pins using the USB to TTL UART cable.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-32 size-large\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/reaver_case-1024x765.jpg\" alt=\"\" width=\"1024\" height=\"765\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/reaver_case-1024x765.jpg 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/reaver_case-300x224.jpg 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/reaver_case-768x574.jpg 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/reaver_case-326x245.jpg 326w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/reaver_case-80x60.jpg 80w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-34 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/s-l1600.jpg\" alt=\"\" width=\"808\" height=\"500\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/s-l1600.jpg 808w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/s-l1600-300x186.jpg 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/s-l1600-768x475.jpg 768w\" sizes=\"auto, (max-width: 808px) 100vw, 808px\" \/><\/p>\n<p>Red (VDD +5V), Black (GND), Green (RXD), White (TXD)<\/p>\n<p>Connect the GND, RXD and TXD pins.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-35 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/hornet-ub.8.-pins.jpg\" alt=\"\" width=\"400\" height=\"400\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/hornet-ub.8.-pins.jpg 400w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/hornet-ub.8.-pins-150x150.jpg 150w, 
https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/hornet-ub.8.-pins-300x300.jpg 300w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/p>\n<p><strong>Don&#8217;t connect the VDD pin when the board is powered on, otherwise you&#8217;ll crash the board!<\/strong><\/p>\n<p>Set the Ethernet address to 192.168.1.254 and start the TFTP server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-36 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/ethernet_config.jpg\" alt=\"\" width=\"494\" height=\"317\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/ethernet_config.jpg 494w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/ethernet_config-300x193.jpg 300w\" sizes=\"auto, (max-width: 494px) 100vw, 494px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-37 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/tftp.jpg\" alt=\"\" width=\"488\" height=\"413\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/tftp.jpg 488w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/tftp-300x254.jpg 300w\" sizes=\"auto, (max-width: 488px) 100vw, 488px\" \/><\/p>\n<p>Point the TFTP server at the directory where all the firmware files are located.<\/p>\n<p>When the UART adapter is connected, start PuTTY, select the serial interface and set the baud rate to 115200.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-41 size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/putty1.png\" alt=\"\" width=\"742\" height=\"717\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/putty1.png 742w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/putty1-300x290.png 300w\" sizes=\"auto, (max-width: 742px) 100vw, 742px\" \/><\/p>\n<p>You should now see this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-42 
size-full\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/putty2.png\" alt=\"\" width=\"739\" height=\"469\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/putty2.png 739w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/putty2-300x190.png 300w\" sizes=\"auto, (max-width: 739px) 100vw, 739px\" \/><\/p>\n<p>Power on the Hornet-UB board and you should see the device booting into U-Boot. If you don&#8217;t see anything here, try swapping the RXD and TXD pins on the Hornet-UB board.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-44\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/putty3.png\" alt=\"\" width=\"1002\" height=\"624\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/putty3.png 1002w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/putty3-300x187.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2018\/03\/putty3-768x478.png 768w\" sizes=\"auto, (max-width: 1002px) 100vw, 1002px\" \/><\/p>\n<p>If you are asked for a password, it is:<\/p>\n<p><em>root<\/em> \/ <strong>80546334<\/strong><\/p>\n<hr \/>\n<pre class=\"code\">Please choose the operation:\r\n   1: Entr boot command line interface.\r\n   2: Load system code then write to Flash via TFTP.\r\n   3: Boot system code via Flash (default).\r\n\r\nYou choosed 1\r\n\r\n 0\r\n\r\nar7240&gt;\r\n\r\n<\/pre>\n<hr \/>\n<p>Flash the kernel and filesystem (in the session below the two OpenWrt images are served by the TFTP server as kernel.bin and rootfs.bin):<\/p>\n<pre><code>ar7240&gt; <strong>setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.254<\/strong>\r\nar7240&gt; <strong>tftp 0x80600000 kernel.bin<\/strong>\r\neth0 link down\r\nFAIL\r\ndup 1 speed 1000\r\nUsing eth1 device\r\nTFTP from server 192.168.1.254; our IP address is 192.168.1.1\r\nFilename 'kernel.bin'.\r\nLoad address: 0x80600000\r\nLoading: #################################################################\r\n         
#################################################################\r\n         #################################################################\r\n         #######################\r\n\r\nar7240&gt; <strong>erase 0x9fe50000 +0x190000<\/strong>\r\nErase Flash from 0x9fe50000 to 0x9ffdffff in Bank # 1\r\nFirst 0xe5 last 0xfd sector size 0x10000                                     253\r\nErased 25 sectors\r\n\r\nar7240&gt; <strong>cp.b 0x80600000 0x9fe50000 110000<\/strong>\r\nCopy to Flash... write addr: 9fe50000\r\ndone<\/code><\/pre>\n<hr \/>\n<pre><code>ar7240&gt; <strong>tftp 0x80600000 rootfs.bin<\/strong>\r\ndup 1 speed 100\r\nUsing eth0 device\r\nTFTP from server 192.168.1.254; our IP address is 192.168.1.1\r\nFilename 'rootfs.bin'.\r\nLoad address: 0x80600000\r\nLoading: #################################################################\r\n         #################################################################\r\n         #################################################################\r\n         #################################################################\r\n         #################################################################\r\n         #################################################################\r\n         #################################################################\r\n         ######\r\ndone\r\nBytes transferred = 2359296 (240000 hex)\r\nar7240&gt; <strong>erase 0x9f050000 +0xE00000<\/strong>\r\nErase Flash from 0x9f050000 to 0x9fe4ffff in Bank # 1\r\nFirst 0x5 last 0xe4 sector size 0x10000                                      228\r\nErased 224 sectors\r\nar7240&gt; <strong>cp.b 0x80600000 0x9f050000 240000<\/strong>\r\nCopy to Flash... 
write addr: 9f050000\r\ndone\r\nar7240&gt;\r\n\r\nU-Boot 1.1.4 (Apr 25 2013 - 14:01:10)\r\n\r\nAP121 (ar9331) <strong>U-boot<\/strong><\/code><\/pre>\n<hr \/>\n<p>If everything worked well, you should see OpenWrt booting up:<\/p>\n<pre><code>BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n\r\n  _______                     ________        __\r\n |       |.-----.-----.-----.|  |  |  |.----.|  |_\r\n |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|\r\n |_______||   __|_____|__|__||________||__|  |____|\r\n          |__| W I R E L E S S   F R E E D O M\r\n -----------------------------------------------------\r\n BARRIER BREAKER (14.07, r42625)\r\n -----------------------------------------------------\r\n  * 1\/2 oz Galliano         Pour all ingredients into\r\n  * 4 oz cold Coffee        an irish coffee mug filled\r\n  * 1 1\/2 oz Dark Rum       with crushed ice. Stir.\r\n  * 2 tsp. Creme de Cacao\r\n -----------------------------------------------------\r\nroot@OpenWrt:\/# df\r\nFilesystem           1K-blocks      Used Available Use% Mounted on\r\nrootfs                   12160       472     11688   4% \/\r\n\/dev\/root                 2304      2304         0 100% \/rom\r\ntmpfs                    30672        64     30608   0% \/tmp\r\ntmpfs                    30672        44     30628   0% \/tmp\/root\r\ntmpfs                      512         0       512   0% \/dev\r\n\/dev\/mtdblock4           12160       472     11688   4% \/overlay\r\noverlayfs:\/overlay       12160       472     11688   4% \/\r\nroot@OpenWrt:\/# <\/code><\/pre>\n<hr \/>\n<p>Have fun and feel free to continue with Part 2 \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>In this tutorial I want to show you how you can build a device that was formerly known as &#171;ReaverPro&#187;, which you can use to <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=17\" 
title=\"Build a Hacking Gadget &#8211; ReaverPro P1\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":18,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,2,3],"tags":[6,5,7],"class_list":["post-17","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-hardware","category-wi-fi","tag-openwrt","tag-reaverpro","tag-wps-cracking"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/17","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=17"}],"version-history":[{"count":19,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/17\/revisions"}],"predecessor-version":[{"id":290,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/17\/revisions\/290"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/18"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=17"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=17"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=17"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}