The routers that Alice-DSL currently ships to customers for its broadband internet service are running embedded Linux. If you’re the owner of such a router, this means you should be able to install your own applications and make better use of the device than Alice intends you to.

The problem is that although you have console access, building and uploading your applications and generally changing anything is a bit tricky and requires some effort. This document provides the steps and additional things needed to get complete access to your router.

THIS DOCUMENT IS NOT FINISHED YET. The source is at index.txt and can be run through asciidoc to produce this HTML.

1. Introduction

The device I received with my Alice-DSL subscription was a Siemens-branded Broadcom ADSL router, SL2-141-I. A few links:

General info
Technical stuff

It is basically a brcmXXXX device, using a big-endian 32-bit MIPS system-on-a-chip.

The device comes configured as a simple bridge between the local network (Ethernet, Wifi, USB) and the DSL connection to the ISP. This means you normally make a PPPoE connection from each computer to your ISP. This is fine, especially if you are the only user, but bringing up the PPPoE connection each time you start your PC can be annoying.

The first step is, thus, making the router act as a router. That is, creating the PPPoE connection from the router and enabling DHCP for the computers connecting to it.

2. Admin access and Enabling PPPoE and DHCP

First, connect to the web interface.

The router is configured with an IP set to 192.168.1.1. If you are connecting over wireless, you will also need the WEP key. On my router, it was written on the back of the device. You will have to set up your ethernet/wireless with a static IP above 192.168.1.10. No DNS, no gateway settings are needed.

Then, open http://192.168.1.1/. You will be prompted for a user/pass. There are two users configured: regular user and admin.

Regular user

  • username: user
  • password: user

Admin

I stumbled over this forum which has the password for the admin account: http://www.hansenet-user-forum.de/viewtopic.php?t=6370 (scroll down a bit). Basically:

Now you can’t do much with the user account besides set access control for wireless MACs. So log in with the admin account. Enable DHCP, enable PPPoE, set access controls, and have some fun browsing through the features.

3. Firmware

My firmware is 3.28p, running Linux 2.6.8.1. New firmware is available according to a firmware forum post but so far the one shipped works just fine.

This information is here as a heads-up so that if you have a different version and some of the steps below fail, you have a possible reason why. A couple guesses:

4. Full shell access

You can log in using ssh or telnet to 192.168.1.1. Use the same user and password as for the web interface.

There is busybox installed, so you can do a few things. But nothing useful is included (ls, chmod and netcat are notably missing).

To be able to run third-party applications on your router, you need two things:

5. File uploads

Since the ssh server on the router (dropbear) does not have scp support, you can’t trivially upload anything. One trick I came up with was to simply echo your files’ contents and redirect the output to a file. Binary bytes are handled with escape codes. Since we can automate the generation of echo -en '\x..\x..' commands, uploading files becomes a possibility.

To improve upon this, we can also automate the process of running the echo commands, since telnet access is available. You could simply open a connection to the telnet server and send the commands from a script.

The idea of using a script to run the commands was found on Skaya’s website.

Here is the Python script for uploading a file to the router, with minor changes by me (avoiding a hang at login):

octify.py

Run it as octify.py file and wait (it’s pretty slow). The uploaded file will be /var/run/upload (you can move it with cd /var/run; cat upload > other_file).
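The command generation described in this section, as an added example (it is not the octify.py script linked above and not Skaya's code): it turns a file's bytes into echo -en commands and replays them locally to confirm the round trip is lossless. The 64-byte chunk size, the function names and the sample bytes are assumptions made for the example; sending the commands over the telnet session is left out.

```python
import re

UPLOAD_PATH = "/var/run/upload"   # destination file named on the page
CHUNK = 64                        # assumption: bytes encoded per echo command

# Constructed sample: ELF magic plus bytes that break naive quoting
# (NUL, single quote, newline, backslash, 0xff), then every byte value.
SAMPLE = b"\x7fELF\x00'\n\\\xff" + bytes(range(256))


def echo_commands(data, dest=UPLOAD_PATH, chunk=CHUNK):
    """Return the shell commands that rebuild `data` at `dest`."""
    if not data:
        return [f"echo -en '' > {dest}"]          # still create the empty file
    cmds = []
    for off in range(0, len(data), chunk):
        # Escape every byte, printable or not, so nothing in the payload
        # is ever interpreted by the shell or needs quoting.
        escaped = "".join(f"\\x{b:02x}" for b in data[off:off + chunk])
        redirect = ">" if off == 0 else ">>"      # truncate once, then append
        cmds.append(f"echo -en '{escaped}' {redirect} {dest}")
    return cmds


_CMD = re.compile(r"^echo -en '((?:\\x[0-9a-f]{2})*)' (>>?) (\S+)$")


def replay(cmds):
    """Interpret generated commands locally and return {path: contents}."""
    files = {}
    for cmd in cmds:
        m = _CMD.match(cmd)
        if m is None:
            raise ValueError(f"not a generated upload command: {cmd!r}")
        body = bytes.fromhex(m.group(1).replace("\\x", ""))
        path = m.group(3)
        files[path] = body if m.group(2) == ">" else files.get(path, b"") + body
    return files


if __name__ == "__main__":
    commands = echo_commands(SAMPLE)
    assert replay(commands)[UPLOAD_PATH] == SAMPLE   # lossless round trip
    print(f"{len(commands)} commands, longest {max(map(len, commands))} chars")
    print(commands[-1])
```

Each byte becomes four characters on the wire, which is one reason the upload is slow.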

6. Chmod +x

To be able to execute an uploaded file, you need a chmod tool (or equivalent). Since busybox doesn’t include it, we need our own. One idea that comes to mind is to use a kernel module (because we do have insmod available).

I was too lazy to try to write a module myself, but it seems that Skaya was more persistent. He has a binary and sources for a kchmod module that does exactly this (his idea for chmod'ing files turns out to be the same). Unfortunately, his module is for 2.4 kernels. I changed the sources a bit and recompiled for Linux 2.6.8.1. I also added a parameter to be able to say which file and mode you want when insmod'ing.

Below is the source and a binary for MIPS Big Endian Linux 2.6.8.1. Notes on how to build one for different kernels are also in the next section.

Source

TODO

Binary for Linux 2.6.8.1 MIPS bigendian gcc-3.4

kchmod.ko