Shell Access for Alice-DSL's Siemens SL2-141-I Router ===================================================== Bogdan Harjoc The routers that Alice-DSL currently ships to customers for its broadband internet service are running embedded Linux. If you're the owner of such a router, this means you should be able to install your own applications and make better use of the device than Alice intends you to. The problem is that although you have console access, building and uploading your applications and generally changing anything is a bit tricky and requires some effort. This document provides the steps and additional things needed to get complete access to your router. THIS DOCUMENT IS NOT FINISHED YET. The source is at link:index.txt[] and can be run through `asciidoc` to produce this HTML. Introduction ------------ The device I received with my Alice-DSL subscription was a Siemens-branded Broadcom ADSL router, SL2-141-I. A few links: General info:: - http://w5.siemens.ch/eip/public/QsG/QsG_SL2-141-I_ENG.pdf[quickstart] - http://w5.siemens.ch/eip/downloads/ADSL_SL2-141_SL2-141-I.pdf[datasheet] - http://www.ewetel.de/vkp/pdf/ADSL_SL2-141_User_Manual_DE.pdf[user manual (german)] Technical stuff:: - http://www.modemforum.de/[community, forum, firmware updates] - http://skaya.enix.org/wiki/BroadCom96345[useful tools and ideas] It is basically a brcmXXXX device, using a Big Endian MIPS 32bit system-on-a-chip. The device comes configured as a simple bridge between the local network (Ethernet, Wifi, USB) and the DSL connection to the ISP. This means normally you will make PPPoE connections from each computer to your ISP. This is ok especially if you are the only user, but connecting your PPPoE connection each time you start your PC can be annoying. The first step is, thus, making the router act as a router. That is, creating the PPPoE connection from the router and enabling DHCP for the computers connecting to it. Admin accesss and Enabling PPPoE and DHCP ----------------------------------------- First of all, connecting to the web interface. The router is configured with an IP set to 192.168.1.1. If you are connecting over wireless, you will also need the WEP key. On my router, it was written on the back of the device. You will have to set up your ethernet/wireless with a static IP above 192.168.1.10. No DNS, no gateway settings are needed. Then, open http://192.168.1.1/[]. You will be prompted for a user/pass. There are two users configured: regular user and admin. Regular user:: - username: user - password: user Admin:: I stumbled over this forum which has the password for the admin account: http://www.hansenet-user-forum.de/viewtopic.php?t=6370[] (scroll down a bit). Basically: - username: alice@13184 - password: hnto$mgmt@lice Now you can't do much with the user account besides set access control for wireless MACs. So log in with the admin account. Enable DHCP, enable PPPoE, set access controls, and have some fun browsing through the features. Firmware -------- My firmware is 3.28p, running Linux 2.6.8.1. New firmware is available according to a http://www.modemforum.de/forum/showthread.php?t=652[firmware forum post] but so far the one shipped works just fine. This information is here as a heads-up so that if you have a different version and some of the steps below fail, you have a possible reason why. A couple guesses: - if you have the same kernel, you can use the kernel module binaries provided here. - if you have a different kernel, you can probably recompile the modules (or ask me and I may recompile them for you and post them here). Basically it's more work since you need a toolchain for MIPS Full shell access ----------------- You can log in using `ssh` or `telnet` to `192.168.1.1`. Use the same user and password as for the web interface. There is `busybox` installed, so you can do a few things. But nothing useful is included (`ls`, `chmod` and `netcat` are notably missing). To be able to run third-party applications on your router, you need two things: - a way to upload files in there and - a way to make them executable (`chmod +x`) *********************************************************************** Additionally, to not have to wander through the filesystem in the +++'darkness'+++, you need a `ls`. Although the `busybox` in there does not have `ls` installed, you can use `echo *` as a replacement. *********************************************************************** File uploads ------------ Since the `ssh` server on the router (`dropbear`) does not have `scp` support, you can't trivially upload anything. One trick I came up with was to simply `echo` your files' contents and redirect the output to a file. Dealing with binary characters is done by using escape codes. Since we can automate the generation of `+++echo -en '\x..\x..'+++` commands, uploading files becomes a possibility. To improve upon this, we can also automate the process of running the `echo` commands, since telnet access is available. You could simply open a connection to the telnet server and send the commands from a script. The idea of using a script to run the commands was found on Skaya's website. Here is the python script for uploading a file to the router, with minor changes by me (avoiding a hang at login): http://TODO[] Run it as `octify.py file` and wait (it's pretty slow). The uploaded file will be `/var/run/upload` (you can move it with `cd /var/run; cat upload > other_file`). Chmod +x -------- To be able to execute an uploaded file, you need a `chmod` tool (or equivalent). Since `busybox` doesn't include it, we need our own. One idea that comes to mind is with a kernel module (because we do have `insmod` available). I was too lazy to try to write a module myself but seems that Skaya was more persistent. He has a binary and sources for a `kchmod` module that does exactly this (his idea for `chmod`'ing files turns out to be the same). Unfortunately, his module is for 2.4 kernels. I changed the sources a bit and recompiled for Linux 2.6.8.1. Also added a parameter to be able to say which file and mode you want when `insmod`'ing. Below is the source and a binary for MIPS Big Endian Linux 2.6.8.1. Notes on how to build one for different kernels are also in the next section. Source:: http://TODO[] Binary for Linux 2.6.8.1 MIPS bigendian gcc-3.4:: http://TODO[]