Enabling telnet on a WNR2000 Router (OpenWRT install)


Background:

   During late 2018, due to reasons, I temporarily moved back home into my parents' basement to look for better game development employment elsewhere while working a few temp jobs. Previously I had been living with my great roommates in an apartment, and fortunately my room was close enough to run a 20 ft or so Ethernet cable from the ISP's router to my room for Internet. Earlier in 2018, back at home, my father "upgraded" the shady Comcast router with a shadier, newer one and gave me the old router, a Netgear WNR2000v4. At the apartment, I used this router as an overglorified network switch for the devices in my room, giving Internet access to my laptop, a legacy PC, and any older video game consoles or devices that required wired Internet. I also prefer a wired Ethernet connection over WiFi when I can, since it can be more secure and has less overhead (faster and more reliable) than dealing with wireless. Unfortunately, since this was a 2-router setup, the network was somewhat complex (the outer ISP router on a 192.168.x.x subnet, with my inner router on a 10.0.x.x subnet). This 2-router network prevented things such as connecting the PS2 versions of Star Wars Battlefront 1 & 2 to SWBFSpy (which requires getting an IP whitelisted by the server's admin).

   Unfortunately, when I moved back home into my room, I didn't have the privilege of wired Ethernet, since the ISP's router was on the other end of the house from my room and my "roommates" would not have liked a 50+ ft. length of Ethernet cable running across the house to it. This obviously wasn't a problem for devices that can use WiFi, but it definitely was one for devices that only have a wired connection (such as those older video game consoles). Most modern routers have a web-based GUI for configuring the router (by connecting to the default gateway in a web browser and logging in as the admin); the WNR2000v4 is no exception. Unfortunately, the default gateway's GUI (called "Genie" by Netgear) for this particular router model does not have a wireless bridging feature, just basic router functionality (via Ethernet or WiFi) for an Internet connection and network switch functionality between wired devices. A working wireless bridge would let me connect devices via wired Ethernet to my room's router and then forward the network traffic wirelessly (via WiFi) to the main router on the other side of the house. This would allow wired devices in my room to reach the Internet, and would additionally make the network appear as a single-router network from my router's perspective (with a single subnet, rather than the 2 subnets I had at the apartment). Rather than wasting precious money on a dedicated wireless bridge to solve my problem, I was resourceful and used my brain instead, looking into hacking my spare Netgear WNR2000v4 router to install OpenWRT.



Telnet enable attempt/Installing OpenWRT

   For those who are unaware, OpenWRT is a lightweight Linux distribution meant for embedded devices (especially routers). Installing OpenWRT as a replacement firmware on a router removes the restrictions of the stock firmware and allows full control of the hardware, as well as beefed-up security. Basically it can turn any supported consumer router into a fully configurable business-class one (with telnet/SSH access, VLAN setup, etc.), just like the Cisco ones my classmates and I learned about in my networking class at college. Most importantly, OpenWRT has a few packages that can be installed to enable wireless bridging on this router. This would solve my problem of connecting my wired devices to the ISP router on the other end of the house without a double-router setup with 2 subnets and a very long Ethernet cable.

   Unfortunately, the stock firmware on the WNR2000v4 has its telnet feature locked. To summarize the basic process of installing OpenWRT on this router: you telnet into the router (using software such as PuTTY) and flash the device with the new firmware. The firmware file is served to the router from a TFTP server on a computer, and the flashing is done from a Linux shell on the router by running a few commands. Most Netgear routers ship with telnet locked for security reasons, and in order to unlock it, a special "magic" packet must be sent to the router, over either UDP or TCP (depending on the particular router model and firmware version). Usually a dedicated program (telnetenable) is used to build and send the magic packet. More details about unlocking telnet on Netgear routers can be found on this OpenWRT article, and full details about installing OpenWRT on the WNR2000v4 router (including a UDP telnet enable Python script) can be found on this other OpenWRT article under the "How to Install OpenWRT on the Netgear WNR2000v4 through u-boot-env modification on Linux" section.

   Also unfortunately, neither the UDPtelnetenable.py script (run within a Linux virtual machine) nor any of the Windows telnet enable programs from the other article were able to unlock telnet on my router. Perhaps my particular router unit was a newer hardware revision that blocked telnet enabling altogether, or some other weird networking issue was preventing the packet from being sent/received and properly unlocking telnet. Fortunately, while doing a Google search about my problem, I came across a security vulnerability (CVE-2016-10174) for the similar WNR2000v5 router, which, when exploited, can allow an attacker to bruteforce the admin password, enable telnet, and then gain a Linux root console. This privilege escalation through the exploit is a pretty serious security vulnerability, and you really should replace this router with a more secure one if you wish to keep using its stock firmware (or do the smart thing and replace the firmware with the much more secure OpenWRT, like I'm doing). A person online also wrote up details about the vulnerability and a PoC hack here. Most importantly, a formal exploit was published and included with the Metasploit framework for white hat hackers. This vulnerability is confirmed to exist and to be exploitable on the v5 router, but for the v4 and v3 routers only static analysis suggested it might be present. Using this exploit to enable telnet and gain the Linux root console, I could install OpenWRT without relying upon the telnet enable programs that weren't working for me. Since I know the admin password to my own router, I could skip the password bruteforcing and just use the exploit to enable telnet/gain the root console, speeding up the exploit process.
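When a magic packet seems to do nothing, it helps to separate "the packet never reached the router" from "the router ignored it." The following Python helper is an added example (not code from the original post or from the OpenWRT wiki scripts it links): it sends an already-built magic packet and then polls TCP port 23 to see whether a telnet daemon actually started. It assumes the packet bytes were produced beforehand by a telnetenable tool and saved to a file (the script does not build the Blowfish/MD5 payload itself), that the router expects the packet on port 23 over UDP (newer firmware) or TCP (older firmware), and that success is observable as TCP port 23 accepting connections afterwards. Only the standard library is used, and the loopback self-test lets you sanity-check the script without a router.

```python
"""Send a prebuilt Netgear telnet-enable packet and check whether telnet came up.

Added example, not part of the original post. Assumptions:
  * the magic packet bytes were already produced by a telnetenable tool and
    saved to a file (this script does not build the Blowfish/MD5 payload);
  * the router listens for the packet on port 23, over UDP (newer firmware)
    or TCP (older firmware), so both transports are supported;
  * success is observable as TCP port 23 accepting a connection afterwards.
"""
import socket
import sys
import time

TELNET_PORT = 23


def send_magic_packet(host: str, payload: bytes, port: int = TELNET_PORT,
                      transport: str = "udp") -> int:
    """Deliver the payload to host:port over UDP or TCP. Returns bytes sent."""
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(payload, (host, port))
    if transport == "tcp":
        with socket.create_connection((host, port), timeout=3) as s:
            s.sendall(payload)
            return len(payload)
    raise ValueError("transport must be 'udp' or 'tcp'")


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def wait_for_telnet(host: str, port: int = TELNET_PORT, attempts: int = 5,
                    delay: float = 1.0) -> bool:
    """Poll the telnet port a few times; the daemon can take a moment to start."""
    for _ in range(attempts):
        if tcp_port_open(host, port):
            return True
        time.sleep(delay)
    return False


def enable_and_verify(host: str, payload: bytes, transport: str = "udp",
                      attempts: int = 5, delay: float = 1.0) -> dict:
    """Record the telnet state before sending, send, then poll afterwards.

    telnet_before=True means the port was already open and the packet proved
    nothing; telnet_after=False after a successful send means the router got
    (or at least was sent) the bytes and still did not start telnetd.
    """
    before = tcp_port_open(host, TELNET_PORT)
    sent = send_magic_packet(host, payload, TELNET_PORT, transport)
    after = wait_for_telnet(host, TELNET_PORT, attempts, delay)
    return {"telnet_before": before, "bytes_sent": sent, "telnet_after": after}


def loopback_selftest() -> dict:
    """Exercise the helpers against local sockets; no router required."""
    payload = b"constructed-not-a-real-magic-packet"  # constructed sample bytes
    # UDP: bind a receiver, send to it, confirm the bytes arrive unchanged.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        udp_port = rx.getsockname()[1]
        send_magic_packet("127.0.0.1", payload, udp_port, "udp")
        got, _ = rx.recvfrom(4096)
    # TCP: a listening socket reads as open, and as closed once released.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        tcp_port = srv.getsockname()[1]
        open_while_listening = tcp_port_open("127.0.0.1", tcp_port)
    open_after_close = tcp_port_open("127.0.0.1", tcp_port)
    return {"udp_roundtrip": got == payload,
            "open_while_listening": open_while_listening,
            "open_after_close": open_after_close}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: telnet_check.py <router-ip> <packet-file> [udp|tcp]")
    with open(sys.argv[2], "rb") as f:
        packet = f.read()
    mode = sys.argv[3] if len(sys.argv) > 3 else "udp"
    print(enable_and_verify(sys.argv[1], packet, mode))
```

Run it from a machine plugged into a LAN port of the router, after building the packet with the telnetenable tool for your firmware. If `bytes_sent` is right but `telnet_after` stays `False`, the transport, the MAC/username/password baked into the packet, or the firmware revision is the likely culprit rather than the network path; if the UDP send itself raises, the problem is upstream of the router (VM networking, host firewall, wrong interface).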

Enabling Telnet the hard way via the security exploit

    Since none of the UDP telnet enable programs were able to properly send the magic packet and enable telnet, I decided to enable telnet the hard way, by bruteforcing telnet enable and gaining a root Linux console through the exploit. I did this by installing and using PentestBox with Metasploit. Fortunately Metasploit has an exploit module for this vulnerability on the WNR2000 series of routers; instructions and details on the module's usage are here. I also had to upgrade my router to stock firmware 10.0.0.58, which is required for installing OpenWRT (see the main OpenWRT install article for this router for the stock firmware link). If I remember correctly, I logged into my router's gateway interface (Genie) with the admin password (in order to get the timestamp from the router for the exploit), immediately ran the Metasploit module while on the page that confirmed access was granted, and was able to get telnet temporarily enabled and a root Linux console on the router after the exploit ran successfully. Then I ran all of the normal OpenWRT installation steps for the WNR2000v4 router (set up the TFTP server, send the OpenWRT firmware, run the Linux console commands to flash the firmware, etc.).

  After all of this was done, I had OpenWRT installed on my spare WNR2000v4 router, and proceeded to set up wireless bridging to solve my original networking problem. So now this router has wireless bridging functionality and a much more secure firmware (OpenWRT), without nasty, inexcusable security vulnerabilities like CVE-2016-10174. This installation also shows that the vulnerability exists and that the exploit does indeed work not only on the WNR2000v5 router, but also on the v4. (Meaning you really should replace this router if you have one, or install the much more secure OpenWRT firmware on it.) Hopefully anybody who runs into the same issue I had, being unable to unlock telnet for an OpenWRT install on a WNR2000 v3-v5 router with the magic packet programs, will find this article useful and use the security vulnerability method to bruteforce telnet enable/root Linux console access as a last resort.

-Tamkis

Socket the Hedgeduck Progress: FZ & TCZ




  After nearly a 2-year hiatus (due to professional gamedev work), development on the Socket the Hedgeduck mod for Sonic 1 has resumed! Recently, Future Zone Acts 2 and 3 have been finished, as well as the entirety of the final zone, Time Castle Zone. A planned v0.4a demo will be released later this year and submitted to the 2019 Sonic Hacking Contest, after more polishing, bugfixes, and improvements are made to the game.


    Future Zone acts 2 and 3 were previously empty while I figured out a way to implement the reverse-gravity gimmick used in the original game for act 2. After a few failed attempts at porting S3K's reverse-gravity gimmick to Sonic 1 (which would have been a high-cost, low-benefit feature to implement, since only one level requires it), I used some out-of-the-box thinking to implement the feature. Instead of vertically flipping Sonic's gravity and physics, why not vertically flip the entire level around Sonic 😮?

    Behind the scenes, in code, instead of implementing S3K's reverse-gravity gimmick, hitting an activated gravflip bridge transports Sonic between the FZ2 and FZ4 levels, very similarly to the inter-level warp doors in Olein Cavern Zone 2 (OCZ2) or the boss doors in act 3 of each zone. (I call the warp doors that transport Sonic to a different location within the same level "inter-level warp doors".) FZ2 is the normal version of the level, while FZ4 is a copy of FZ2 that is vertically flipped (it has vertically flipped level chunks, and the y positions of objects are mirrored about the level's vertical midpoint). The only difference in the warping functionality for the gravflip bridges is Sonic's new warp position: his x position is kept the same, while his y position is mirrored about the level's vertical midpoint. This creates the illusion of gravity flipping. Similarly to the Bonus Fence Zone (BFZ) levels, where pressing the A button while in Debug Mode sends Sonic to the background layer for collision, pressing the A button while in Debug Mode in FZ sends Sonic between the FZ2 and FZ4 levels to trigger the "gravity flip".

   Act 3 for each zone is a unique remix I create using the existing chunks from the other 2 acts, since the original Socket game only has 2 levels per zone (excluding High Speed Zone (HSZ) levels). Because the Sonic 1 engine (and the Socket engine) use large 256x256 px chunks instead of the more flexible 128x128 px chunks of Sonic 2 and later, these levels are usually remixed sections of the 2 previous acts, with a few unique chunks I design sprinkled in between to connect sections for smooth level graphics and layout flow. Unfortunately, gravity flipping act 3 would have consumed more than the zone limit of $FF Big ROM Chunks, so the reverse-gravity feature was only designed for act 2. All act 3 levels (except TCZ3) have a boss warp door leading to a boss area.

 FZ3 is an extremely difficult remix of acts 1 and 2, with a ton of traps, surprises, and difficult obstacles, and might actually be the hardest level in the hack. The final section of the level consists of a Labyrinth Zone (LZ)-styled wind tunnel inside a few huge glass tube chunks. Sonic must float upwards and downwards to avoid painful torpedoes (the same ones used in Antiquity Zone (AZ)) and horizontally moving spiked blocks, collect rings, and cling onto Satebô BS-X Satellaview satellites (which behave the same as LZ wind tunnel poles). The level ends with hitting the boss warp door, which leads to the boss area and a to-be-implemented boss.

Screenshots: FZ1, FZ2, FZ3



  The entirety of Time Castle Zone, the final zone in the game, recently also has been finished. This zone was sitting at approximately 95% complete during the hiatus, and was just waiting on fully implementing 2 new custom objects (the hamster belts and clock platforms). This zone features some custom objects such as:

  • Beam bridges
    • Hit a button on the object, which unfurls a temporary solid bridge
  • Hamster belts
    • Operate like the Metropolis Zone (MTZ) nuts in Sonic 2, but horizontally
    • Moving onto the object locks Sonic's position onto the belt
    • Moving Sonic left moves the hamster belt and Sonic right; moving Sonic right moves the belt and Sonic left
    • The hamster belt stops moving when it hits a wall to the left or right
    • Makes squeaking noises as the object's art updates frames
  • Clown faces
    • Painful objects that rotate clockwise, counterclockwise, or upside down in either rotational direction
  • Clock platforms
    • Platforms that rotate clockwise on clock faces in the level
    • 2 variants
      • Platform with a shorter radius that moves slower (hour hand)
      • Platform with a longer radius that moves faster (minute hand)
  • Crusher blocks
    • Purple blocks that oscillate up and down, attempting to crush Sonic in various areas of the level
  • Collapsible platforms
    • Standard Sonic 1 collapsible platform, just with updated graphics for the zone
  • Runaway saws
    • Standard Sonic 1 saws and pizza cutters object from Scrap Brain Zone
    • Only the runaway version is used, with updated graphics
    • Same objects as used in FZ

 TCZ1 is a rather basic (but difficult) level, introducing the player to this zone's gimmicks. TCZ2 is a difficult labyrinth, and is the only level in the original Socket game to feature two bonus stage doors. TCZ3 is a remixed version of TCZ1 and TCZ2, with bottomless pits and a more difficult level layout. Currently TCZ has an odd memory leak bug somewhere: having too many clown faces and chained spikeballs on screen will cause the game to start corrupting object SSTs, stop loading new objects, crash, or begin running arbitrary code. This bug happens often in TCZ2, and it will be investigated and fixed before the upcoming demo release. In the game mod's extended playlist, each act in TCZ features a song for both the bad ending (not having all 7 chaos emeralds) and the good ending (having all 7 emeralds). Some of these songs are currently WIP, while others are completed.

    TCZ goes over Sonic's original Scrap Brain Zone (SBZ) level slot. The original Sonic 1 game has an SBZ3 level which is actually a Labyrinth Zone (LZ) act 4 level. The real SBZ3 level is Final Zone, which is actually just SBZ2 starting at a later level position and with the boss implemented. I found this setup to be BS, and undid it completely. (I call this the "Anti-SBZ3 BS feature".) TCZ3 is a real level in this mod. TCZ doesn't have a boss; the next and final zone (a 1-act Time Lord Zone (TLZ)) features the final boss, the evil Time Dominator! Time Lord Zone is technically SBZ4 in this mod. It uses some extra chunks from SBZ3 and a new palette for the level. This is a far more acceptable setup for the final zone than the SBZ3/LZ4 BS in the original game 😀.

  TLZ is currently just a level layout, with no final boss yet implemented. Like with TCZ, this level has both a good and bad ending song. I have plans down the road possibly to implement some cutscene screens in the game, replace the emeralds with Sonic CD Time Stones, and to explain a backstory as to why Sonic is in Socket's universe and as to why he is fighting the Time Dominator. In the bad ending, you just fight the Time Dominator; in the good ending, you fight both the Time Dominator and a brand new boss.


     Other changes behind the scenes include refactoring the mod's original warp system to fix screen tearing and BG deformation issues. Inter-level warp doors no longer clear object RAM. This means you can no longer use warp doors to continuously farm rings by having them respawn. Sonic is the only object destroyed, and he is then reloaded with a new warp position set (classical quantum teleportation lol).

  With both FZ and TCZ complete, all of the levels for the hack have been implemented 😀! All that is left to complete this hack is to fix bugs, polish the game, and to implement the remaining bosses.



   Stay tuned for more development on Socket the Hedgeduck this year!

-Tamkis

Thwimp v1.1 Update!





 Thwimp, the modding utility that lets you view, rip, and encode Nintendo THP video files from/for Mario Kart Wii, has been updated to v1.1 today!

   This new update fixes a few bugs from the initial release (the proper framerate not being applied to newly encoded THP video files, and improper ripping of the control BMP frames from battle_cup_select.thp), and refactors the THP Viewer/Ripping section! When cropping THP videos for ripping, users can now click radio buttons to select a subvideo cell to crop to. The section now includes start/end frame fields for selecting the time period to clip the video to. A numeric up/down control has been added to select which multiplicity time period to rip subvideo frames from. Furthermore, the user's manual (on the Github page) has been updated with images, better spelling/grammar, and other updates. Most importantly, an article for the application has been added to the Mario Kart Wiiki!




 You can view the changes with the THP Viewer/Ripper in this update video.


  I had been holding off on writing a MKWiiki article for the application until this v1.1 update was released. This application was quite challenging to write, due to the idiosyncrasies involved with the command line parameters for FFmpeg. I'm quite pleased with how this application turned out. Hopefully MKWii modders will find it quite useful for creating new THP videos for their menu-based THP files!

  You can download the application either from the Wiiki article, the Thwimp webpage, or get the source code from the Github page.

Enjoy!

-Tamkis

Copyright EagleSoft Ltd. Powered by Blogger.