Monday, August 24, 2015

Installing TomatoUSB firmware on a Linksys WRT310N v1

Picked up a used WRT310N v1 for cheap, so thought I'd throw an alternative firmware on there.

Side note: If you want to know if your WRT310N is a v1 or v2, flip it over and look at the serial number on the label:
  • If the serial starts with "CSF0", then it's a v1
  • If the serial starts with "CSF1", then it's a v2

Fortunately, this model supports both DD-WRT and TomatoUSB. I find DD-WRT to be a bit overwhelming, and I've grown fond of the Tomato UI over the years, so TomatoUSB it is.

Weirdly enough, the TomatoUSB website doesn't really have any installation instructions except for one ASUS model, but here's what worked for me:

1. Download a supported build from the Download page. The site indicates only the Kernel 2.4 versions are compatible, so I picked the "NoUSB Std" build of the Kernel 2.4 version.

Update 10/28/15: Apparently Wireless-N (802.11n) support is broken in the build I was using, which meant that my download speeds were capped at 1 mbps. The workaround is to change the Wi-Fi mode to "B/G Mixed," but because I live an XTREME lifestyle, I instead switched to a Shibby build (catchily named "tomato-ND-1.28.5x-124-VPN.trx" and available here) that fixed the issue.

Of note, Shibby has an opt-in feature called TomatoAnon that reports basic stats on your router so people can see what kinds of hardware and builds are being used around the world. The feature uses an MD5 hash of your router's MAC addresses so that it can tell routers apart from each other. The code is open source and the hashing provides a high level of anonymity, so I didn't mind enabling it.

Update 7/12/16: The slow speeds ended up coming back even with the Shibby firmware, so I gave up on the box - perhaps the hardware was borked.

2. Extract the TRX file from the RAR file you downloaded. You'll need an archiving utility like 7-Zip to open the RAR file.

3. Change the extension of the TRX file to BIN. So if it was named "tomato-blah-blah.trx" before, it will say "tomato-blah-blah.bin" after. Windows will warn you about changing the extension, but it's fine.

4. Make sure your PC is connected to the router over a wired connection, then log into the Linksys web interface.

5. Go to the Administration tab, then select Firmware Upgrade. Select the BIN file you just renamed, and then upload it to your router.

6. Wait for it to restart, then try to connect to your router again in your web browser. The IP address of your router is now (it might not have been before) and the username and password are admin/admin.

7. You should now be in the Tomato interface! Now that you're in, you'll want to nuke the NVRAM to clear out any cruft in there. It's under Administration > Configuration > Restore Default Configuration > "Erase all data in NVRAM Memory (thorough)." The router will reset again.

8. Log back in and change your admin password now before you forget. Then muck around and set up the router just the way you like it.


Linda Cooper said...

Thanks for your tutorial. I've found a great configuration guide for my Tomato router. It helped me set it up very fast.

Devon Sawatzky said...

"the hashing provides a high level of anonymity, so I didn't mind enabling it."

Just a heads up, while MD5 is suitable for this task, hashing in general is not. The first 24 bits of the MAC address can be inferred by the model number of the router, and the remaining 24 bits take a fraction of a second to search. I have tested this using the output of 8 lines of not-optimized-at-all Rust code piped into John the Ripper running on my non-cracking-optimized (no nice GPU or anything) machine.

The issue is not the MD5 hash (which still has strong preimage resistance), it's the fact that 24 bits is a trivially searchable space. If the brand and model number weren't given, it would have a bit larger of a search space (although only a few bits; there aren't that many popular router vendors out there!), but still easily within reach.

TLDR: it is very easy to infer the MACs of a router given its model number and an MD5 of its MAC address.

Other TLDR: if you are designing an anonymization system, don't just hash the data and call it a day.

Devon Sawatzky said...

i retract my previous comment.

i looked at the source and realized it concatenates two MACs and an IP address. while the IP address would add minimal entropy (there's like 8 or so addresses commonly used for a router in a household setting), the two MACs together would provide 48 bits of entropy if you exclude the OUID portion which can be inferred from the other metadata. while the low 50s bits of entropy isn't great in terms of assuring anonymity, it's not nearly as trivial to break as my experiment suggested.
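
The entropy argument from the two comments above, as an added example that is not part of the original post or comments and is not TomatoAnon's code: it times an unkeyed MD5 identifier over a reduced 16-bit space, extrapolates that rate to the 24-bit and roughly 51-bit spaces the comments mention, and contrasts it with a keyed HMAC. The `02:00:00` prefix, the MAC string format and the per-device key are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

OUI = "02:00:00"  # constructed, locally administered prefix (not a real vendor)

def mac_from(oui: str, suffix: int) -> str:
    """Build a MAC string from a known 24-bit prefix and a device suffix."""
    return "%s:%02X:%02X:%02X" % (oui, suffix >> 16 & 0xFF, suffix >> 8 & 0xFF, suffix & 0xFF)

def plain_id(mac: str) -> str:
    """Unkeyed identifier: anyone can recompute it for any candidate MAC."""
    return hashlib.md5(mac.encode()).hexdigest()

def keyed_id(mac: str, key: bytes) -> str:
    """Keyed identifier: recomputing it needs a secret that stays on the device."""
    return hmac.new(key, mac.encode(), hashlib.sha256).hexdigest()

def recover_suffix(target: str, oui: str, bits: int, ident=plain_id):
    """Enumerate a 2**bits suffix space; return the matching suffix or None."""
    for suffix in range(1 << bits):
        if ident(mac_from(oui, suffix)) == target:
            return suffix
    return None

def seconds_to_exhaust(bits: float, hashes_per_second: float) -> float:
    """Worst-case time to enumerate a space of 2**bits candidates."""
    return 2.0 ** bits / hashes_per_second

if __name__ == "__main__":
    secret = 0x00BEEF  # constructed device suffix, inside the 16-bit demo space
    target = plain_id(mac_from(OUI, secret))
    start = time.perf_counter()
    found = recover_suffix(target, OUI, bits=16)
    rate = (found + 1) / (time.perf_counter() - start)
    print("recovered:", mac_from(OUI, found), "at %.0f hashes/s" % rate)
    # Extrapolate the measured rate to the spaces discussed in the comments.
    for label, bits in (("one MAC, prefix known", 24), ("two MACs + ~8 IPs", 51)):
        print("%-22s 2^%d -> %.3g s" % (label, bits, seconds_to_exhaust(bits, rate)))
    key = secrets.token_bytes(32)  # per-device secret (assumption of this sketch)
    guess = lambda mac: keyed_id(mac, b"\x00" * 32)  # a guesser without the key
    keyed_target = keyed_id(mac_from(OUI, secret), key)
    print("keyed id recovered:", recover_suffix(keyed_target, OUI, 16, guess))
```
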

Devon Sawatzky said...

also, thank you for this guide. it helped me get this set up really quick!