adminze

Jan 112015
 

Let me show you how to build you own Tor router for 15€.
my-box
TL;DR;
– Get your device, e.g. from Aliexpress
– Telnet to the device using “nexxadmin” as user and “y1n2inc.com0755” as password

- cd /tmp ; wget http://onionwrt.link/download/openwrt-ramips-mt7620n-wt3020-8M-squashfs-sysupgrade.bin
- mtdwrite write openwrt-ramips-mt7620n-wt3020-8M-squashfs-sysupgrade.bin mtd3
- reboot

Intro / Anonabox connection
Building your own wireless mini router that connects to the Tor network has been very popular since the NSA revelations. One guy (August Germar) even tried to rip people off by creating a kickstarter project called Anonabox where he claims to build a mini router for Tor, while the hardware was already present and the operating system (OpenWRT) freely available. On Kickstarter he was able to raise more than half a million US dollar before his account got suspended. He then moved on to Indiegogo and unfortunatelly was successful. He received 54.000 US Dollar funding. It is a shame and this guy should be suspended from Indiegogo, too!

The boxes on Aliexpress
wt1520aliexpress-nexx

The rip off by August Germar
anonabox-kickstarterindiegogo-anonaboxanonabox-commr-rip-off

History / Hardware
The hardware he is using is the Nexx WT3020 which came out roughly a year ago. It is the successor to the Nexx WT1520, which was hacked to run OpenWRT by “hackru” in March 2014.

The system itself it quite powerful and relies on the MediaTek MT7620n which runs at 580 Mhz with 64 MB RAM and 4-8 MB ROM.
open1open2

Installing OpenWRT (the backdoor)
Both devices the WT1520 and WT3020 have a serial UART interface on the board which can be accessed to get to the base linux system. But why bother, when you can telnet into the box using a hardcoded user? :) When hackru dumped the firmware he found a hardcoded user (nexxadmin) and his password (y1n2inc.com0755) which can be used to telnet directly to the box. Luckily this backdoor from the WT1520 is still present on the WT3020 and we don’t need to open the box and connect to the serial console. There is enough space to download OpenWRT and run it, so all you need to do is (this is for the 8MB version, please verify your’s, there is a 4MB WT3020, too):

– telnet into the device using nexxadmin/y1n2inc.com0755
– cd /tmp
– wget http://onionwrt.link/download/openwrt-ramips-mt7620n-wt3020-8M-squashfs-sysupgrade.bin (verfied working) or https://downloads.openwrt.org/barrier_breaker/14.07/ramips/mt7620n/openwrt-ramips-mt7620n-wt3020-8M-squashfs-sysupgrade.bin (should work)
– mtd_write -r write openwrt-ramips-mt7620n-wt3020-8M-squashfs-sysupgrade.bin mtd3 (unfortunatelly I did not screen record it, so please verify this. Its just from my memory)
– reboot

Installing Tor
The guys at onionwrt.link and onionwrt.us.to have a script to install and run Tor, but it seems the website is abandoned. I have mirrored the script here. So please log into the router, verify that OpenWRT is running and run "wget -qO - https://blog.wirhabenstil.de/wp-content/uploads/2015/01/onionwrt.txt | sh -" to install Tor and the needed iptables rules.

That’s it, Tor should take a few seconds to establish the circuits but you can verify your Tor connection by visiting the Tor project check site. Remeber that Tor is TCP only!