Remote code execution with Hitron CGNM-2250

Edit: This has been fixed in the latest firmware update, 4.5.10.25.

The routers that you receive from your ISP are almost always garbage: not many options to configure and pitiful wifi range. The router/modem that Shaw customers receive, the Hitron CGNM-2250, thankfully isn't completely terrible: 802.11ac plus gigabit ports. I was poking about and researching the model and came upon a remote code execution exploit for a similar model version. The CGNM-2250 is vulnerable as well; for reference, my software version is 4.5.8.20 with hardware version 1A. The input for the ping utility in the web interface isn't sanitized, so you can enter arbitrary input. I discovered that it has a few basic utilities, including Dropbear.
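As an added defender's example (my own code, not from the post and not Hitron's), here is the server-side check a diagnostic ping form needs so that the target string can never reach a shell. The post notes that the web UI only rejects pipes in client-side JavaScript; this example instead validates on the server against an allowlist (an IP literal or a syntactically valid hostname) and passes the target to ping as its own argv element with no shell in between. The function names are my own, and vulnerable_command_line only builds the string a system()-style call would have run, for comparison, without executing anything.

```python
"""Server-side validation of a 'ping this host' form input (added example).

Contrasts the unsafe pattern (interpolating user input into a shell command
line) with an allowlist check plus an argv-based invocation.
"""
import ipaddress
import re
import subprocess
from typing import List

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def vulnerable_command_line(target: str) -> str:
    """The pattern the post describes: user input pasted into a shell string.

    Shown for comparison only; nothing here executes it. Any shell
    metacharacter or extra whitespace in `target` changes what would run.
    """
    return "ping -c 4 " + target


def is_valid_ping_target(target: str) -> bool:
    """Allowlist: a literal IPv4/IPv6 address or a syntactically valid hostname.

    Everything else is rejected: shell metacharacters, whitespace, quotes,
    and a leading '-' (which ping would parse as an option).
    """
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)  # raises ValueError if not a literal IP
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ping_argv(target: str, count: int = 4) -> List[str]:
    """Return the argv list for ping; raises ValueError on bad input.

    With shell=False each list element is exactly one argument, so a
    validated target can never be reinterpreted as a second command.
    """
    if not is_valid_ping_target(target):
        raise ValueError("rejected ping target: %r" % (target,))
    if not 1 <= count <= 10:
        raise ValueError("count must be between 1 and 10")
    return ["ping", "-c", str(count), target]


def run_ping(target: str, count: int = 4, timeout: float = 15.0) -> str:
    """Run ping without a shell and return its combined output."""
    argv = build_ping_argv(target, count)
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    for candidate in ("192.168.0.1", "example.com", "192.168.0.1; echo", "-c"):
        print("%-22s valid=%s" % (candidate, is_valid_ping_target(candidate)))
```

The allowlist is deliberately stricter than "no pipe characters": a string such as "192.168.0.1 -c 100" contains no shell metacharacter at all, yet interpolated into a command line it becomes argument injection, and the hostname grammar rejects it simply because a label cannot contain a space.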


From there you can ssh into your router with

ssh mso@192.168.0.1 -p 29

The password is msopassword (go figure!)

You'll be greeted with a fun menu-driven interface.

Most of the menus are for debugging and initial programming purposes. There is a menu option to set the TFTP download image URL to flash the device, so it might be possible to flash your own firmware though I don't know how possible that is.

Going back to the web interface, I was able to see what tools and programs are available on the router.

It is your basic Linux system: busybox plus some manufacturer utilities. For a full list of the binaries available, see below.

#/sbin
wlanconfig wifitool wifirrm watchdog vconfig utelnetd udhcpd udhcpc udevstart udevsend udevd udev ti_udhcpc ti_todc ti_tftp ti_syslogd ti_dhcp6c start-stop-daemon route rmmod reboot radartool poweroff pktlogdump pktlogconf manufacture_ath_throughput_sta manufacture_ath_throughput_ap makeVAP lsmod klogd killVAP iwpriv iwlist iwconfig insmod init ifconfig ht_wifi_ioctl ht_atom_cmd hostapd_cli hostapd halt fsck.ext3 fdisk cfg blockdev atomcmdlist athstatsclr athstats athcfg_api arp apup apstats apdown apcfg activateVAP 80211stats

#/usr/bin
which uptime traceroute6 traceroute tr top tftp test renice pstree pmap mkfifo logger killall hexdump head free flock find expr dirname cut crontab basename awk add-shell [[ [

#/bin
xmlwf umount touch tar sync sleep sh sed rm pwd ps ping6 ping pcap-config netstat mv mount more mknod mkdir luac lua ls login ln kill iptunnel iprule iproute iplink ipaddr ip hostname grep getopt false echo dnsdomainname dmesg df dd date cp clnkstat clnkrst clnkqos clnkpm clnkmocamib clnkmem clnkmcast clnkhwtst clnkfwupd clnkcfg clinkd chown chmod cat busybox bash ash DCAP.46 DCAP.45 DCAP.44 DCAP.42 DCAP.41 DCAP.40 DCAP.38 DCAP.37 DCAP.35 DCAP.19 DCAP.18 DCAP.16 DCAP.137 DCAP.132 DCAP.126 DCAP.125 DCAP.123 DCAP.122 DCAP.116 DCAP.115 DCAP.112 DCAP.111 DCAP.110 DCAP.109 DCAP.107 DCAP.104 DCAP.103 DCAP.102 DCAP.101 DCAP.08 DCAP.03 DCAP.02 DCAP CandDdvr.ko

#/usr/sbin
watchdog_rt upstream_manager_1q upstream_manager upgradebox update testmode_handle.sh testmode sync_app_np_reboot swdl2 sw_dl snmpcmd snmp_agent_cm setstartup setkey setenv sched runall rpc_reverse_server_util rpc_reverse_server rpc_management_server rpc_ifconfig rfs.cfg rfs regs qos_dsx_sm productionmode printenv pp_fw_download portmap pmap_set pmap_dump pcd nvtst nvread mptint mlx logger ledcfg l2switch_iram.img l2switch_init l2switch_dram.img iostat iccctl icc_genEvent htxvendordb ht_iwcmd ht_buttond hal_tuner_mgr hal_event_mbox hal_cmd_mbox gptimer gim getenv getPortByMAC.sh flash_eraseall fdump ext_switch_init eventmgr_cm energy_manager_app dpp_dev_init.sh downstream_manager docsis_mac_manager docsis_mac_driver docsis_init_once docsis_dl_box docsis_config_to_text dmg_provisioning dl dispatcher dfltr_class_init.sh ddl dbridge_mdf_init.sh dbridge_l2vpn_ds_init.sh dbridge_init crond cmdl cm_status cli_net.sh cli_mem.sh cli chroot cefdk cc_init_once brctl bpi_tek bpi_sa_map bpi_auth MxL_HRCLS_FW_4.1.5.5.mbin MxL_HRCLS_FW.mbin FwUpstreamDocsis3_I.bin FwUpstreamDocsis3_D.bin FwUpstreamDocsis2_I.bin FwUpstreamDocsis2_D.bin

Through digging in the CLI menu I found that /etc/scripts/sys_startup.sh is run on startup, making it easier to inject any commands you want to run at startup. I haven't been able to get to a shell yet, since logging in with the 'mso' user takes you to the CLI menu. But cat /etc/passwd reveals:

root:$1$27272727:0:0::/:/bin/false
nobody:$1$27272727:65535:65535::/:/bin/false
mso:$1$1w7AswO3$IJCko5PwRk6ChJrIYgMQs/:100:100::/:/usr/sbin/cli
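As an added example (my own code, not the post's), here is a small auditor for /etc/passwd lines like the three above. It parses each entry, reports which accounts have a shell that will actually accept a login (a vendor CLI such as /usr/sbin/cli still authenticates the user, so it counts), and classifies the password field by its crypt(3) prefix: $1$ is md5crypt, which is cheap to brute-force, while a field with a salt but no digest part (the root and nobody lines) can never match any password. The sample input is the post's three lines embedded as a constant; the function names and the strength labels are my own.

```python
"""Audit /etc/passwd-style entries for login-capable accounts and weak hashes (added example)."""
from typing import Dict, List

# Constructed sample: the three entries quoted in the post.
SAMPLE_PASSWD = """root:$1$27272727:0:0::/:/bin/false
nobody:$1$27272727:65535:65535::/:/bin/false
mso:$1$1w7AswO3$IJCko5PwRk6ChJrIYgMQs/:100:100::/:/usr/sbin/cli
"""

# Shells that refuse interactive login. A vendor CLI such as /usr/sbin/cli
# is not in this set: it still authenticates the user and runs a program.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# crypt(3) modular prefixes. Strength labels are this example's own judgement.
HASH_FAMILIES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$2": "bcrypt",
    "$y$": "yescrypt",
}
WEAK_KINDS = {"md5crypt", "unknown", "empty"}


def classify_hash(field: str) -> str:
    """Label a passwd/shadow password field."""
    if field == "x":
        return "shadowed"  # the real hash lives in /etc/shadow
    if field == "":
        return "empty"     # no password at all
    if field.startswith("!") or field == "*":
        return "locked"
    for prefix, name in HASH_FAMILIES.items():
        if field.startswith(prefix):
            # "$1$salt$digest" splits into ["", "1", "salt", "digest"]; a
            # field with fewer pieces, or ending in "$", has no digest and
            # can never compare equal to crypt() of any password.
            if len(field.split("$")) < 4 or field.endswith("$"):
                return "malformed"
            return name
    return "unknown"  # e.g. legacy 13-character DES crypt


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Split passwd text into the seven standard fields per entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "hash": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text: str) -> Dict[str, Dict[str, object]]:
    """Per-account verdict: can it log in, and how strong is its credential?"""
    report = {}
    for e in parse_passwd(text):
        kind = classify_hash(e["hash"])
        login_capable = e["shell"] not in NOLOGIN_SHELLS and kind not in ("locked", "malformed")
        report[e["name"]] = {
            "uid": e["uid"],
            "shell": e["shell"],
            "hash_kind": kind,
            "login_capable": login_capable,
            "weak_credential": login_capable and kind in WEAK_KINDS,
        }
    return report


def findings(text: str) -> List[str]:
    """Human-readable findings, one line per concern."""
    out = []
    for name, r in audit_passwd(text).items():
        if r["login_capable"]:
            out.append("%s: login-capable via %s" % (name, r["shell"]))
        if r["weak_credential"]:
            out.append("%s: %s password hash should be upgraded" % (name, r["hash_kind"]))
        if r["uid"] == 0 and name != "root":
            out.append("%s: extra uid-0 account" % name)
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_PASSWD):
        print(line)
```

Run against the post's lines, the only account that comes back as login-capable is mso, and its md5crypt hash is the one worth reporting; root and nobody are effectively locked twice over, by the digest-less hash and by /bin/false.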

One should be able to symlink /bin/sh to /usr/sbin/cli so that upon login it would drop to a shell. Entering commands via the web interface is a bit tricky since it doesn't like pipes (|); it's just a matter of getting around the JS validation. Once I can get to a shell I'll write a follow-up to this post.

Issue patched in version 4.5.10.25.


PPTP server on pfSense

One of the servers at my disposal has a very low CPU usage percentage (if that makes sense). I was about to set up a PPTP VPN server on the box when I realized my router running pfSense could do it out of the box. In this short tutorial, I'll show you how to get a PPTP VPN working so that you can connect to it from anywhere.

Head under VPN -> PPTP

Next, click on the Enable PPTP server radio button. For the Server address put in your WAN (public) IP. For the Remote address range, put in a local IP of which the range will start at. Near the end of the page, check Require 128-bit encryption.

Click Save and then click on the Users tab. Add a user (in this example, test) and a password. You can enter an IP which the user will be assigned, but it's not necessary.

And that's it! You now have a working PPTP server.

Now, I tried to connect with my iPhone 3G over Wifi. Worked fine. Over 3G? Nope. Did some Googling; it seems like you have to pay an additional $10 for a VPN option (I'm on Rogers), since Rogers gives you a LAN IP (such as 10.x.x.x) and firewalls the GRE protocol (which is needed for a PPTP VPN to work).

It looks like the only way to get around this is to buy the $10 package, browse over to unlockit.co.nz on your iPhone, change your APN settings and voila.


Any comments are appreciated :)


Runoilijanarsissi


Photo by gari.baldi

With Xmas coming up, it makes me realize all the blogging I've done in the last year. I'm glad I got as much traffic as I did, surprised even. Anyway, here are some highlights of the last year or so.

Most viewed article: How I got Debian Lenny working on my Eee.
Debian is my favourite distro of all time, so after getting it working on my Eee (which some people had problems with) I thought I'd write a post on it. And well, I did. Runner-up is the Eee wallpapers that I made.

Most dugg post: How to: Turn a wireless router into an access point
This one surprised me. After turning two routers into an access point, I thought I might as well post about it. 36 diggs. I know that's not a lot, but a lot for me! It still continues to be a popular listing on Google.

Most popular project: WorkSimple
I can't believe people use this. Apparently, it's quite popular on Hot Scripts. It has stayed on the first page of the 'PHP blog' category for quite some time now, occasionally dropping to the second page. WorkSimple needs lots of work; version 1.3.2 needs releasing. The 1.3.x branch should have followed the 1.3.0 Solar beta (screenshot here), but didn't.

Despite all my other projects, this stayed on top; which is still odd for me.

This post sounds exactly like this year, which is odd.

I guess that's about it, nothing else exciting really happened. As usual, any comments/thoughts are appreciated :)


Adding another LAN NIC in pfSense


I recently swapped out my router (a PIII) running Smoothwall for pfSense. I'll say that I'm glad I switched. Anyway, what I found is that Smoothwall wouldn't let me add another LAN interface, which would make it a real router.

So, once you get pfSense installed, go to Interfaces -> (assign).

Assuming you already configured both your LAN and WAN interfaces, it should be clear which interface to choose for the extra port.

Then go to Interfaces -> <interface name>, in my case OPT1. Enable the interface, change the Type to Static (static worked for me), change Bridge with to LAN, and set Gateway to your gateway address (i.e., 192.168.0.1).

Apparently, I can't read and didn't read the small print at the bottom. I forgot to add the proper firewall rules to make it work. Go to Firewall->Rules, click on the new interface tab and configure appropriately. To make it exactly the same as your LAN, change the source to <interface name> Subnet.

This is a somewhat short tutorial. If you're using pfSense, you probably already know what you're doing. Now I can eliminate the switch I was using and go directly to the router.


How to: Turn a wireless router into an access point

When I purchased my Linksys BEFSX41 I had two spare wireless routers, a D-Link WBR-1310 and a WBR-2310. What to do? Turn them into wireless APs (access points) of course! Increase your wireless coverage, look cool!


First things first: set up DHCP on your main router. For me it's the BEFSX41. Set your DHCP range, for example 192.168.0.150-199, giving you some room for wireless devices.


Now log in to the router which is being converted to an AP (most likely at 192.168.x.1), the WBR-1310/2310 for me. Turn DHCP off and set the router IP to just below or above the DHCP range, so for example 192.168.0.149 or 192.168.0.200.

Once you have configured your AP, plug the ethernet cable into one of the LAN ports, not the WAN port. See below.


Check the LAN connection then check the AP wireless connection.


This method can work with more access points as well (in my case, two APs).

What now? Well, if you have two [802.11b/g] APs, set them to non-overlapping channels. Change them to channels 1, 6 or 11. For more info see here.
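As an added example (my own code, not from the post), here is a small check that encodes the rules of the steps above: every converted router has DHCP disabled, a static address inside the main router's subnet but outside its DHCP pool, no address reused, and pairwise non-overlapping 2.4 GHz channels (at least five channel numbers apart, which is why 1, 6 and 11 are the usual choice). The sample layout is constructed from the addresses in the post; the dictionary keys and function names are my own.

```python
"""Sanity checks for a 'wireless router used as an access point' layout (added example)."""
import ipaddress
from itertools import combinations
from typing import Any, Dict, List

# Constructed sample layout following the post: the main router owns
# 192.168.0.0/24 and hands out 192.168.0.150-199; the two converted routers
# get static addresses just outside that pool and non-overlapping channels.
MAIN_ROUTER = {
    "lan": "192.168.0.1/24",
    "dhcp_start": "192.168.0.150",
    "dhcp_end": "192.168.0.199",
}
ACCESS_POINTS = [
    {"name": "WBR-1310", "ip": "192.168.0.149", "channel": 1, "dhcp_enabled": False},
    {"name": "WBR-2310", "ip": "192.168.0.200", "channel": 6, "dhcp_enabled": False},
]


def channels_overlap(a: int, b: int) -> bool:
    """2.4 GHz channels are spaced 5 MHz apart but each is about 20 MHz wide,
    so two channels overlap unless they are at least 5 numbers apart."""
    return abs(a - b) < 5


def check_layout(router: Dict[str, str], aps: List[Dict[str, Any]]) -> List[str]:
    """Return a list of problems; an empty list means the layout is sound."""
    problems = []
    lan = ipaddress.ip_interface(router["lan"])
    subnet = lan.network
    pool_start = ipaddress.ip_address(router["dhcp_start"])
    pool_end = ipaddress.ip_address(router["dhcp_end"])
    if pool_start not in subnet or pool_end not in subnet or pool_start > pool_end:
        problems.append("main router: DHCP pool %s-%s is not a valid range inside %s"
                        % (pool_start, pool_end, subnet))
    used = {lan.ip: "main router"}

    for ap in aps:
        name = ap["name"]
        ip = ipaddress.ip_address(ap["ip"])
        if ap["dhcp_enabled"]:
            problems.append("%s: DHCP must be disabled (two DHCP servers on one LAN)" % name)
        if ip not in subnet:
            problems.append("%s: %s is outside %s" % (name, ip, subnet))
        elif pool_start <= ip <= pool_end:
            problems.append("%s: %s lies inside the DHCP pool" % (name, ip))
        if ip in used:
            problems.append("%s: %s is already used by %s" % (name, ip, used[ip]))
        used[ip] = name
        if not 1 <= int(ap["channel"]) <= 14:
            problems.append("%s: channel %s is not a 2.4 GHz channel" % (name, ap["channel"]))

    # Every pair of access points must sit on non-overlapping channels.
    for a, b in combinations(aps, 2):
        if channels_overlap(int(a["channel"]), int(b["channel"])):
            problems.append("%s and %s: channels %d and %d overlap"
                            % (a["name"], b["name"], a["channel"], b["channel"]))
    return problems


if __name__ == "__main__":
    for line in check_layout(MAIN_ROUTER, ACCESS_POINTS) or ["layout OK"]:
        print(line)
```

The most common mistake this catches is the one the post warns about implicitly: leaving DHCP on in the converted router, which puts two DHCP servers on the same LAN and makes clients get addresses from whichever answers first.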


Comments, ideas and so forth are appreciated :)

New router

A new router wasn't really necessary, but I thought I'd get one anyway. I ended up purchasing a Linksys BEFSX41. Pretty cool router; it includes a firewall and a VPN endpoint. What I thought (for some reason) was that the router would act as a VPN server. That's not the case. I'd need to run a server in my LAN for it to be accessible from the WAN.


Since you could do a round robin setup with a DNS server, could you not do the same but with a web server?


I have two spare wireless routers, which are now APs around the house.


Comments or aaaanything at all are appreciated.