From Rexploit
<================================>
|| Using wpa_supplicant and ||
|| Upgrading Prism Firmware ||
|| by ||
|| William M. Hidalgo ||
|| redkommie<@>gmail.com ||
|| 7/6/05 ||
|| UPDATED ||
<================================>
.: Contents :.
I. INTRODUCTION
- Disclaimer
- About
II. Upgrading Firmware
- Gathering Info
- Running the Upgrade
III. Running wpa_supplicant
- Configuring
- Running
.: I. INTRODUCTION :.
[-=] Disclaimer [=-]
Upgrading your wireless card could potentially render it useless. Follow the
steps contained in the paper with caution.
[-=] About [=-]
This paper focuses on configuring wpa_supplicant and upgrading the prism
firmware in your wireless card if it currenty does not support WPA. All the
required tools are found within the Auditor Security CD. For this particular paper
download the following version of the CD auditor-150405-04.
http://new.remote-exploit.org/index.php/Auditor_mirrors
.: II. Upgrading Firmware :.
(Both a SMC2532W-B and Senao NL-2511CD PLUS EXT2 were successfully upgraded
with the following instructions. The command outputs match those given by
both cards.)
[-=] Gathering info [=-]
The wpa_supplicant README states that a prism card requires at least station
firmware 1.7.0 or newer to work with WPA. While were are upgrading lets upgrade
the primary firmware also.
YOU MUST ALWAYS UPGRADE PRIMARY FIRMWARE TOGETHER WITH THE STATION FIRMWARE.
NEVER UPGRADE PRIMARY FIRMWARE ALONE.
First, begin by obtaining the current firmware version of the prism card.
root@computer:~# hostap_diag wlan0
Host AP driver diagnostics information for 'wlan0'
NICID: id=0x800c v1.0.0 (PRISM II (2.5) PCMCIA (SST parallel flash))
PRIID: id=0x0015 v1.1.0
STAID: id=0x001f v.1.4.9 (station firmware)
The firmware of this wireless card is 1.4.9. It is very important you check the
NICID id number since it will decide on which firmware version you use. If
the NICID of your wireless card differs from the output above refer to
http://linux.junsun.net/intersil-prism/firmware/ to get the appropriate firmware
version.
The following files are used:
Primary Firmware - pk010101.hex
Station Firmware - sf010804.hex
[-=] Running the Upgrade [=-]
The upgrade will be done with the prism2_srec command. A test run is in order
before running the permanent upgrade to verify the image will be taken by the
wireless card.
The syntaxes are as follows:
For test run:
prism2_srec -v wlan0 <primary firmware> <station firmware>
For permanent upgrade:
prism2_srec -v -f wlan0 <primary firmware> <station firmware>
--------
Test Run
--------
(OUTPUT MAY DIFFER FOR YOU)
root@computer:~# prism2_srec -v wlan0 pk010101.hex sf010804.hex
S3 CRC-16 generation record: start=0x007E1800 len=65414 prog=1
Start address 0x00000000
srec summary for sf010704.hex
Component: 0x001f 1.7.4 (station firmware)
Supported platforms:
0x800a 1.0.0, 0x800b 1.0.0, 0x800c 1.0.0, 0x800d 1.0.0, 0x8012 1.0.0
0x8013 1.0.0, 0x8014 1.0.0, 0x8016 1.0.0, 0x8017 1.0.0, 0x8018 1.0.0
0x801a 1.0.0, 0x801b 1.0.0, 0x801c 1.0.0, 0x8021 1.0.0, 0x8022 1.0.0
0x8023 1.0.0
Interface compatibility information:
role=Supplier variant=4 range=1-12 iface=Station Firmware-Driver (4)
role=Actor variant=1 range=1-1 iface=Modem-Firmware (1)
role=Actor variant=2 range=1-1 iface=Controller-Firmware (2)
role=Actor variant=1 range=4-4 iface=Primary Firmware-Driver (3)
Separate S3 data areas:
S3 area count: 3
addr=0x007E1800..0x007EE2DB (len=51932)
addr=0x007F0800..0x007F1785 (len=3974)
addr=0x007FE000..0x007FECC5 (len=3270)
Total data length: 59176
Start address 0x00000000
Wireless LAN card information:
Components:
NICID: 0x800c v1.0.0
PRIID: 0x0015 v1.1.0
STAID: 0x001f v1.7.4
Interface compatibility information:
PRI role=Supplier variant=1 range=1-1 iface=Modem-Firmware (1)
PRI role=Supplier variant=2 range=1-1 iface=Controller-Firmware (2)
PRI role=Supplier variant=1 range=4-4 iface=Primary Firmware-Driver (3)
STA role=Supplier variant=1 range=1-12 iface=Station Firmware-Driver (4)
PRI role=Actor variant=2 range=1-1 iface=Controller-Firmware (2)
STA role=Actor variant=2 range=1-1 iface=Controller-Firmware (2)
STA role=Actor variant=1 range=1-1 iface=Modem-Firmware (1)
Verifying update compatibility and combining data:
Plugging PDR 0xffffffff at 0x007ede00 (len=14)
Plugging PDR 0x0202 at 0x007f11ee (len=100)
Plugging PDR 0x0203 at 0x007f1252 (len=128)
Plugging PDR 0x0204 at 0x007f13d2 (len=80)
Plugging PDR 0x0405 at 0x007f1422 (len=4)
PDR 0x0405 not found from wlan card PDA. Using default data.
len=4: 00 00 00 30
Plugging PDR 0x0300 at 0x007f1426 (len=28)
Plugging PDR 0x0301 at 0x007f1442 (len=34)
Plugging PDR 0x0101 at 0x007f163a (len=6)
Plugging PDR 0x0103 at 0x007eddc2 (len=12)
Plugging PDR 0x0104 at 0x007edef8 (len=2)
Plugging PDR 0x0105 at 0x007f1646 (len=2)
Plugging PDR 0x0105 at 0x007edf2e (len=2)
Plugging PDR 0x0105 at 0x007f1742 (len=2)
Plugging PDR 0x0107 at 0x007eddd0 (len=2)
Plugging PDR 0x0006 at 0x007edd9c (len=10)
Plugging PDR 0x0406 at 0x007f16da (len=2)
PDR 0x0406 not found from wlan card PDA. Using default data.
len=2: 64 00
Plugging PDR 0x0302 at 0x007f146a (len=2)
PDR 0x0302 not found from wlan card PDA. Using default data.
len=2: 12 00
Plugging PDR 0x0303 at 0x007f146c (len=2)
PDR 0x0303 not found from wlan card PDA. Using default data.
len=2: ff 1f
Plugging PDR 0x0412 at 0x007edf50 (len=6)
PDR 0x0412 not found from wlan card PDA. Using default data.
len=6: ff ff 02 00 02 00
Generating CRC-16 (start=0x007e1800, len=65414) at 0x007e17fe
OK.
If you receive an output similar to above the firmware will work and you can
proceed with the permanent upgrade with the command below:
----------------
Permanent Uprade
----------------
(OUTPUT MAY DIFFER FOR YOU)
root@computer:~# prism2_srec -v -f wlan0 pk010101.hex sf010804.hex
S3 CRC-16 generation record: start=0x007E1800 len=65414 prog=1
Start address 0x00000000
srec summary for sf010704.hex
Component: 0x001f 1.7.4 (station firmware)
Supported platforms:
0x800a 1.0.0, 0x800b 1.0.0, 0x800c 1.0.0, 0x800d 1.0.0, 0x8012 1.0.0
0x8013 1.0.0, 0x8014 1.0.0, 0x8016 1.0.0, 0x8017 1.0.0, 0x8018 1.0.0
0x801a 1.0.0, 0x801b 1.0.0, 0x801c 1.0.0, 0x8021 1.0.0, 0x8022 1.0.0
0x8023 1.0.0
Interface compatibility information:
role=Supplier variant=4 range=1-12 iface=Station Firmware-Driver (4)
role=Actor variant=1 range=1-1 iface=Modem-Firmware (1)
role=Actor variant=2 range=1-1 iface=Controller-Firmware (2)
role=Actor variant=1 range=4-4 iface=Primary Firmware-Driver (3)
Separate S3 data areas:
S3 area count: 3
addr=0x007E1800..0x007EE2DB (len=51932)
addr=0x007F0800..0x007F1785 (len=3974)
addr=0x007FE000..0x007FECC5 (len=3270)
Total data length: 59176
Start address 0x00000000
Wireless LAN card information:
Components:
NICID: 0x800c v1.0.0
PRIID: 0x0015 v1.1.0
STAID: 0x001f v1.7.4
Interface compatibility information:
PRI role=Supplier variant=1 range=1-1 iface=Modem-Firmware (1)
PRI role=Supplier variant=2 range=1-1 iface=Controller-Firmware (2)
PRI role=Supplier variant=1 range=4-4 iface=Primary Firmware-Driver (3)
STA role=Supplier variant=1 range=1-12 iface=Station Firmware-Driver (4)
PRI role=Actor variant=2 range=1-1 iface=Controller-Firmware (2)
STA role=Actor variant=2 range=1-1 iface=Controller-Firmware (2)
STA role=Actor variant=1 range=1-1 iface=Modem-Firmware (1)
Verifying update compatibility and combining data:
Plugging PDR 0xffffffff at 0x007ede00 (len=14)
Plugging PDR 0x0202 at 0x007f11ee (len=100)
Plugging PDR 0x0203 at 0x007f1252 (len=128)
Plugging PDR 0x0204 at 0x007f13d2 (len=80)
Plugging PDR 0x0405 at 0x007f1422 (len=4)
PDR 0x0405 not found from wlan card PDA. Using default data.
len=4: 00 00 00 30
Plugging PDR 0x0300 at 0x007f1426 (len=28)
Plugging PDR 0x0301 at 0x007f1442 (len=34)
Plugging PDR 0x0101 at 0x007f163a (len=6)
Plugging PDR 0x0103 at 0x007eddc2 (len=12)
Plugging PDR 0x0104 at 0x007edef8 (len=2)
Plugging PDR 0x0105 at 0x007f1646 (len=2)
Plugging PDR 0x0105 at 0x007edf2e (len=2)
Plugging PDR 0x0105 at 0x007f1742 (len=2)
Plugging PDR 0x0107 at 0x007eddd0 (len=2)
Plugging PDR 0x0006 at 0x007edd9c (len=10)
Plugging PDR 0x0406 at 0x007f16da (len=2)
PDR 0x0406 not found from wlan card PDA. Using default data.
len=2: 64 00
Plugging PDR 0x0302 at 0x007f146a (len=2)
PDR 0x0302 not found from wlan card PDA. Using default data.
len=2: 12 00
Plugging PDR 0x0303 at 0x007f146c (len=2)
PDR 0x0303 not found from wlan card PDA. Using default data.
len=2: ff 1f
Plugging PDR 0x0412 at 0x007edf50 (len=6)
PDR 0x0412 not found from wlan card PDA. Using default data.
len=6: ff ff 02 00 02 00
Generating CRC-16 (start=0x007e1800, len=65414) at 0x007e17fe
OK.
Downloading to non-volatile memory (flash).
Note! This can take about 30 seconds. Do_not_remove card during download.
OK.
Components after download:
NICID: 0x800c v1.0.0
PRIID: 0x0015 v1.1.1
STAID: 0x001f v1.8.4
That is all. You are done upgrading your wireless card now just remove and
reinsert your wireless card.
.: III. Running wpa_supplicant :.
The following shows shows how to configure wpa_supplicant to utitlize WPA-PSK.
[-=] Configuring [=-]
The /etc/wpa_supplicant.conf contains a full set of examples you can use
to configure different types of setups. A quick configuration setup is
presented below to get WPA up and running quickly.
Create the file /etc/wpa_supplicant_1.conf and edit with the following
configuration:
network={
ssid="SSID_Here"
scan_ssid=1
key_mgmt=WPA-PSK
psk="wpa_passphrase"
}
[-=] Running wpa_supplicant [=-]
Once you have your configuration file created bring your wirlesss interface up
and run wpa_supplicant with the
following command.
root@computer:~# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant_1.conf -D hostap -B
The -B option will background the task.
Syntax: wpa_supplicant -i <interface> -c <config file> -D <driver> -B
Now just run your dhcp client to obtain an IP address and your set.