Installing Kismet on the Linksys WAP54g
There's lots of articles out there about installing kismet and various other handy utilities on the wrt54g's, but what about the wap's? They have nearly the identical hardware, minus an extra Ethernet interface and a 5 port switch. I decided to take a crack at it. If you are looking for a way to run kismet on windows, this is a great way to do it. Paraphrase these instructions a bit to get it working on the other Linksys boxes.
These instructions are assuming that you're running some sort of win32 system, and using my WiFi Mapping software as a kismet client. However, if you're doing anything else, just ignore the client side parts.
Step 1: Get the SveaSoft firmware on there
Before this device is useful, we need to put some useful firmware on it. SveaSoft has slapped together some firmware that works quite nicely, and they've already got it wrapped up in a trx file good for uploading right to the wap. If you have a version 1 or 1.1 WAP54g, be sure to upgrade to the Linksys 1.09 firmware BEFORE proceeding!!! Be warned that if the flashing doesn't go properly, your device may be dead. You will also be voiding your warranty. Read the info on the SveaSoft Forum before continuing. You will probably also want to read the info at Seattle Wireless.
The firmware I used can be found here:
Unzip the file to somewhere on your hard drive. Login to your wap54g, click on help, and then click on upgrade firmware. Click browse, find the file, and upload it. Be patient while this happens, it's a slow process. It will tell you when it's done, and then it will reboot. You may notice your red diagnostic light on (if you have an older wap54g that has one). This is normal.
Step 2: Preparing the WAP54g Settings
Log into the web based administration of your wap54g. On the main basic setup page at the bottom, you will see a telnet option. Enable it, and hit save settings. Note: Telnet is NOT password protected on these waps, so I'd suggest doing this behind a router or firewall or something.
You also need to put the wap54g in client mode. On the big setup tab, choose AP Mode. Select AP client, and enter a bogus MAC address. I used 66:55:44:33:22:11.
Step 3: Getting Kismet and Sticking It Somewhere
Lately it seems that the newest version of the official kismet MIPS binaries haven't been working properly. Some people have had some success, but to make things easier I've put together a zip file for you.
Extract the 2 files. kismet_server is the main kismet binary. kismet.conf is the configuration file. Snag a copy of win32pad (69kb) and open up the config file. The reason you should use win32pad is so when you save that config file, linefeeds are used rather than a Cr/Lf. Many hours were wasted by me trying to figure out why kismet hated my windows-ized config file, and there are no clear obvious error messages about it. Anyway, change any options you see fit. If when you run kismet on the wap, and you get messages talking about not being able to enable monitor mode, then change your interface to eth1 rather than eth2.
Step 4: WGET Kismet to the WAP54g
You'll need a httpd of some sort on your host machine, as there's no way to permanently flash the kismet binary onto the wap using the freya firmware. If you wanted to get ambitious and roll your own trx, you could do that. I hear the OpenWRT firmware has built in ways for writing to the flashrom as well.
Anyway, so after your httpd server is running and working and what not, telnet into the wap and do something like this:
wl ap 0
Substitute the IP address of the machine with your httpd on it in place of 0.0.0.0. Depending on which version of the wap you're using, and which firmware etc., those commands may change slightly. Type them in one by one and watch for errors and problems and what not. If after typing those commands in you see kismet running and working, then congrats, you're good to go!
Step 5: Configuring the Musatcha.com Advanced WiFi Mapping Engine
Go into the options, and check hit the kismet tab. Fill in the ip address of your wap. Click on the linksys tab. Fill in the ip addressof your wap. Look over the startup script. If you had to change any commands when testing up in step 4, then change them here. The mapping engine simply telnets into the wap and sends everything in that startup script. Hit OK to save your options, then click on kismet, connect to kismet, and the wifi mapper should fire right up and start logging kismet data in the internal database. You'll know it's working if you see kismet data in the kismet log window down at the bottom. Look on the status bar to see if both the linksys control connection and the kismet connection are connected. The linksys side should be cycling channels. If you have speech output enabled, you should be hearing networks as they are found as well.
This setup is probably the best basic wardriving setup I've seen so far. Mainly because of the hardware advantages. The radios in those linksys boxes have a receive sensitivity down to -109dBm (last I heard anyway, this may have changed through revisions). Plus, you get a really solid TNC connector on the back to hook up your heavy coax. If you've been wardriving long, you've undoubtedly been through many pigtails. I used to wear them out about once every 2 months, and that was with only a few disconnects and reconnects. It was also always guess work as to whether or not the pigtail connection was good. With this setup, you don't have the extreme signal loss as you would have with a longer pigtail. The Linksys boxes only have a few inches of what looks to be something equivalent to LMR100a on the inside. I've noticed that some people have talked about finding a RP-TNC to N pigtail made out of smaller coax. This is not necessary, Fab-Corp sells custom length chunks of coax with the RP-TNC connector you need and N connector on the other end with LMR 400 UltraFlex all the way through. This setup cabling wise is fantastic, and has helped out my finds by 10 fold over other setups I've used. Drop an amp in the mix, and you'd be hard pressed to figure out something better.
If you have any tips, suggestions, ideas, rants, etc., drop me an e-mail at firstname.lastname@example.org.
Musatcha is pronounced moo-SA-cha. I have no
idea where it originated.