Weaponizing the GL.iNet GL-AR150

Hi all, it has been a long time since I posted something here. I’ll try to post more regularly from now on.

Last week I was wondering if somebody had ported the latest Pineapple firmware (v.1.1.3) to the GL-AR150. As you may know, this small router has the same hardware as the WiFi Pineapple Nano (minus the second radio, of course, but there is a USB port into which you can plug a WiFi adapter).

After spending some time looking for it without luck, I tried to build it myself.

Patrick Sapinski posted a small guide to doing that on his own blog earlier this year, and it was a very helpful starting point for me.

These are the steps I followed to build a working WiFi Pineapple firmware for the GL-AR150:

Just remember, in make menuconfig, to select the GL-AR150 as the target and to include the driver for the USB WiFi adapter you’re going to use (you must use one; the Pineapple firmware is mostly useless without the second WiFi interface).

For your convenience, the firmware I built is available on my Github repo at https://github.com/SecurityAddicted/pineapple-ar150

I compiled it with support for all common USB WiFi adapters (I tested it with a TP-Link TL-WN722N).

Hope some of you will find this useful.

Enjoy!


76 thoughts on “Weaponizing the GL.iNet GL-AR150”

  1. does this work very well ??? I was thinking of trying this out as a little project in the near future to start learning about wifi and security

  2. Thanks for the Build, could you detail how you configured openwrt-cc to work with the gl-ar150? all my builds always bootloop :-S

    1. Glad you found it useful. You must select the GL-AR150 from the Target Profile submenu in make menuconfig.
      If you still have problems, I can share my .config file 😉

  3. Hi Alex, thanks for the build.
    I succeeded in upgrading my device (former 1.1.1 build from gopher2) with the sysupgrade -F -v .
    Nevertheless, the web interface keeps saying: The Wifi Pineapple is still booting
    On the other hand, my Pine management WiFi network is still operational, and I’m able to log in through SSH. From there I see my TL-WN722N is now recognized (reason for the upgrade).

    Any idea how I could solve the problem with the web interface?

    Thank you!

      1. Thank you for responding, I understand these steps, but I have a few questions. 1. I have a TP-Link WN722N, which has an AR9271, and its TX power is locked at 20 dBm; at this point I need an Alfa card for better signal. Because of this I am looking at the AR150. If I use the AR150, will I need to use an external card again, like an Alfa?

          1. But how? The WN722N just has a 4 dBi antenna, and the GLi also has a 4 dBi antenna. How are they working for long range? Can you explain how?

          2. If you need long-range performance, just use a better antenna. The stock one works flawlessly anyway.

          3. But I read that the GLi has a max output of 18 dBm, so if I use a better antenna, does it change anything?
            I also have a TP-Link like you. I contacted TP-Link support and asked them:
            “If I use a better antenna, does it change anything?”
            They said:
            “No, because its antenna output power is low.”
            ?

          4. Try that out by yourself, flash your AR150 with my firmware, plug your 722 into the USB port and have fun 🙂

          5. Okay 😀 I have two more questions. First, I hear that if we want Nano modules we need an SD card, but the AR150 doesn’t have SD; how do I fix that? And the other is: what’s the difference between an AWUS036NHA with Kali vs an AR150 with Pineapple?

          6. Never used modules, but I tried installing some and they seem to install fine. I guess you can try and see 😉
            The Pineapple firmware makes the AR150 a very portable WiFi tool to attack wireless clients, but you can’t use it to crack WiFi networks. That’s where Kali + your WiFi card of choice come to help 😉

          7. You mean crack “reaver”? My aim is just use for evil twin attack and long range do u have any advice to me usb card ?

          8. Pineapple is awesome for Evil Twin attacks. About range, I tested only the 722 with its antenna and it worked ok for my needs. You need to experiment on your own here, I’m sorry 🙂

  4. Finally received my little gl-ar150 in the post from aliexpress … within 30 minutes of opening the package I was installing modules. Thanx Alex for the bin file and Thanx Steven for the jffs2reset command. Awesome, now to learn how to drive this thing

      1. I started playing around and I thought having more space would be better. Has anyone added USB storage with any success? I looked at dmesg and the device is plugged in, but there is nothing much else in the syslog or even /dev, and there are no kernel modules loaded. I get an error when I try to load ehci-hcd manually. The USB is working right because all the WiFi cards are happy. It’s just storage not working properly.
        Any ideas or pointers would be much appreciated

        1. It isn’t straightforward to add new storage to the device, as the only USB port is used by the second WiFi card. It should at least involve some hardware hacking to add an SD card reader (click HERE for more details).
          Let me know if you’re going to do that 🙂

  5. i think for usb storage u need a usb hub which have self powered power. like these:
    http://www.ebay.com/itm/Black-7-Port-USB-3-0-Hub-On-Off-Switches-AC-Power-Adapter-Cable-for-PC-Laptop-/311589458040

    back when i have old rpi 1st gen, kernel already detect the usb,my ext-hdd even turn its led,but i cant sense any movement/rotation from my hdd due lack of power. those hub solve that.

    my only question for ar150 is same as mehmet, what if i connect 24dbi grid antenna to this little killer, can it survive?

    i dont own the antenna, just plan to buy it only if these board can sustain it.
    i am fine with ar150 only use 60-70% antenna capacity, but it still works
    but what if funny thing happens? 😀
    since those antenna twice the cost of ar150 (from where i lived)

  6. I have mounted the USB memory stick as the SD card and everything is working fine … I did look at the SPI bit banging, maybe later. This also seems a useful website on the subject: https://randomcoderdude.wordpress.com/2013/08/15/spi-over-gpio-in-openwrt/ . I’m using a USB hub with no problems. The next part is looking at the LAN/WAN. I’m not sure if it’s working or not … Once again Alex, thanx very much for this project. I also want to say I will buy a WiFi Pineapple Nano, as I really want to support the HAK5 guys; they have put a lot of time and effort into this product. That is something I have learnt looking around inside the device. I am having a good time learning about routers and look forward to learning about WiFi security

      1. Ikk3
        you need to make sure that these kernel modules are loaded: scsi_mod.ko, sd_mod.ko and usb-storage.ko. For the file system you need these: ext4.ko, exfat.ko, ext4.ko and ntfs.ko. You prolly don’t need all those, I just load them in case I might use them … I ended up compiling my own firmware as there was something a bit funky about loading and unloading kernel modules in Alex’s firmware
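
Added example (not part of the original comments or of either firmware repository): a shell check for the symptom described in this thread, a plugged-in stick with no /dev entry, that reports which of the modules named in the comment above are absent from a /proc/modules listing. The sample listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# Modules the comment names for the USB disk itself, and the filesystem drivers.
REQUIRED_MODULES="scsi_mod sd_mod usb-storage"
FS_MODULES="ext4 exfat ntfs"

# Constructed sample in /proc/modules format (name size refcount users state addr).
sample_modules() {
    cat <<'EOF'
usb_storage 34624 0 - Live 0x86c30000
scsi_mod 82256 1 usb_storage, Live 0x86c00000
ext4 310512 0 - Live 0x86b00000
ath9k_htc 45232 0 - Live 0x86a80000
EOF
}

# Return 0 if module $2 is listed in the /proc/modules-format file $1.
# /proc/modules shows '_' where the .ko file name has '-', so normalise first.
# Drivers built into the kernel image never appear here; treat a miss as a hint.
is_loaded() {
    name=$(printf '%s' "$2" | sed 's/-/_/g')
    awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# Print each required module that is not loaded, one per line.
missing_modules() {
    for want in $REQUIRED_MODULES; do
        is_loaded "$1" "$want" || printf '%s\n' "$want"
    done
}

# Return 0 when at least one filesystem driver from the list is loaded.
has_filesystem_driver() {
    for fs in $FS_MODULES; do
        if is_loaded "$1" "$fs"; then return 0; fi
    done
    return 1
}

# Run against the sample; on the router pass /proc/modules instead.
listing=$(mktemp)
sample_modules > "$listing"
echo "missing: $(missing_modules "$listing")"
has_filesystem_driver "$listing" && echo "filesystem driver present"
rm -f "$listing"
```

In the sample, sd_mod is the missing piece: usb_storage and scsi_mod are loaded, but without sd_mod no /dev/sdX node is created.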

        1. Hello Mary
          I compiled my own firmware too. I did all the steps in this tutorial but when I install a module, only one button appears (install to internal storage). Could u help me to set this up properly?

  7. So I loaded the .bin and rebooted the device – I see no web interface when I try to go to the IP, just a blank interface and then I don’t know the password to SSH into the device. I tried the default creds for SSH for OpenWRT and they dont work. Any advice on what to try?

    1. connect your ethernet cable in the wan port, and make sure that ur default gateway is 172.16.42.1

      1. Got it – that worked had it in wrong port, thank you – the webui is stuck at: The WiFi Pineapple is still booting. Trying to SSH – to issue the command “‘jffs2reset -y && reboot'” but cannot access do not know ssh credentials. Any thoughts? I have tried the default nano password, default root type passwords. I am feeling like I am overlooking something obvious.

          1. Ok…Figured it out. I was flashing the Pineapple firmware after doing the AR150 initial setup. You need to flash it after a factory reset (before selecting language and password), then flash the Pineapple firmware from the uboot page (google for directions). When the AR150 reboots itself, make sure to set your LAN adapter back to obtain an IP automatically. Direct your browser to: 172.16.42.1:1471, then follow the directions.

  8. Hi! I’m trying to compile my own firmware following these steps and every time I try, no matter which config I choose, there’s an error compiling the uboot. Does anyone have an idea of what’s going wrong?
    And thank you Alex for the firmware, it works like a charm 😀

  9. I ended up compiling my own firmware, adding all the kernel modules for USB storage; it works perfectly. I haven’t tried to connect the WiFi dongle and USB drive at the same time yet (I don’t have a USB hub), but it should work.
    I uploaded the firmware to github so you can test it ( and skip hours of compiling ) https://github.com/serxo/ar150-wifi_pineapple.
    Hope it helps someone.

    1. I added many wifi drivers, but I don’t have that specific model to test so you have to try out yourself.

  10. I flashed the AR150 with the firmware you’ve provided, but the recon function doesn’t work. ‘There was an error starting Recon. Please try again.’

    I’ve tried turning off management AP, turning on PineAP.. Nothing works.

    When looking under Networking it only shows wlan0 interface, on another Pineapple firmware version it shows wlan0 and wlan0-1.. Not sure if this has to do with it…

    What should I do to get it working?

    1. So, I re-read everything. Is it true that I need an external WiFi adapter? If yes, why? In version 1.0.6 (you can find it online for the AR150) it is not necessary, this version just works with the antenna of the AR150…

      1. To use the Pineapple firmware the right hardware is needed. Since the Pineapple has 2 wifi interfaces, you must have the same in your AR150 to get a fully working Pineapple-like device.

          1. I tried SFTP, and found some folders. Not sure if I can just drag and drop the drivers for WN822N.

  11. i just ordered the ar150 and i am trying to find a antenna i can buy locally any work on what drivers you added? i just want to know like a brand to look for that tp one i can only find online.

  12. Hi Alex,

    thank you for your excellent work! Flashed your prebuilt firmware and it works like a charm… ALMOST ;-). Everything is working fine, however the device does not do any kind of DeAuthentications, neither with the DeAuth Feature from ReCon (PineAP), nor with the DeAuth module. All stations stay connected rock solid to their associated APs. Also PineAP Logging does not pick up any Auth/Deauths. I am using a TP-Link 722N as second interface. Could you look into this and confirm? Many thanks in advance!

  13. I can second what Alexander said above. I installed serxo’s image from https://github.com/serxo/ar150-wifi_pineapple and the DeAuth Feature didn’t work for me either. I’m also using a TP-Link 722N v1. However, I should mention that I used an iPhone, Android and Windows phones as WiFi clients and there was a message on one of the phones (I don’t remember which one) that it’s not going to connect to the open access point because a secure access point with the same name exists.
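
The condition the phone in the comment above reported, written out as an added defensive example (not from the original post or the firmware): flag any network name that a scan shows both encrypted and open. The tab-separated input format, the addresses and the network names are constructed.

```shell
#!/bin/sh
# Constructed scan results, one AP per line: BSSID <tab> security <tab> SSID.
sample_scan() {
    printf '%s\t%s\t%s\n' \
        '02:00:00:aa:00:01' 'WPA2' 'CorpNet' \
        '02:00:00:aa:00:02' 'WPA2' 'CorpNet' \
        '02:00:00:bb:00:09' 'OPEN' 'CorpNet' \
        '02:00:00:cc:00:03' 'OPEN' 'Cafe Guest' \
        '02:00:00:dd:00:04' 'WPA2' '' \
        '02:00:00:ee:00:05' 'OPEN' ''
}

# Read scan lines on stdin and print "SSID<tab>open BSSIDs" for every network
# name that is advertised both encrypted and open. Hidden (empty) SSIDs are
# skipped because they cannot be matched by name.
mixed_security_ssids() {
    awk -F '\t' '
        $3 == ""     { next }
        $2 == "OPEN" { open[$3] = (open[$3] == "" ? $1 : (open[$3] "," $1)); next }
                     { secured[$3] = 1 }
        END {
            for (ssid in open)
                if (ssid in secured)
                    printf "%s\t%s\n", ssid, open[ssid]
        }' | sort
}

# Only CorpNet is reported: it has two WPA2 BSSIDs and one open BSSID.
sample_scan | mixed_security_ssids
```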

    1. DeAuth should work regardless of the device type (Phone, Workstation…) – however if you tried it with phones and have a router capable of 5GHz it might have happened that your phones connected via 5GHz instead of 2,4GHz. Our hardware can only DeAuth 2,4GHz clients. However I tried in a lab with 2,4GHz equipment only and it did not work either – all clients stay associated.

  14. Hey, Alex,
    The firmware works like a charm, thank you. The only doubt I have is that when I try to install new modules says that I have no more internal memory storage available, do you know any way to increase storage to install new modules, such as using an external storage or even change the hardware to increase the storage?

    Thanks.

    1. Smit, you can connect an USB drive using USB hub (2.0 worked for me, 3.0 did not), mount it (mount /dev/sda1 /sd) and then create a softlink, for example (ln -s /sd/modules/ReconPlus/ /pineapple/modules). The result will look like this:
      [email protected]:~# ls -l /pineapple/modules/Recon*
      lrwxrwxrwx 1 root root 22 Sep 24 22:35 /pineapple/modules/ReconPlus -> /sd/modules/ReconPlus/
      Hope this helps.

  15. @vitpi, thanks! Mounting the USB-Stick like this works like a charm. Too bad that the DeAuth Issue still exists. :-/ Nobody seems to have a solution. I wonder what might be the reason for this and how it is possible to verify it. Is there any log one can skim through to find an indication what goes wrong? Maybe the 2nd Interface is named wrong? Maybe the Driver for the 2nd Interface is not able to packet inject? One could also try to login via SSH and try to deauth manually the way the scripts do (when one would know what the scripts exactly do). I tried to deauth manually like described here: https://www.aircrack-ng.org/doku.php?id=deauthentication – However it seems to get stuck before even starting (but no error message was given). Maybe we can isolate the problem this way? Unfortunately my Linux skills are rather limited. Hopefully we can get this sorted out together! Cheers!

    1. It’s not going to work since TL-WN727N v4 is based on MediaTek MT7601U. From what I read, only 3 chipsets support packet injection and monitor mode: Atheros AR9271, Ralink RT3070, Ralink RT3572.
      TL-WN722N v1 (AR9271) works for sure; TL-WN727N v1 (RT3070) should work as well, if you could find those.

      1. I had to compile the OpenWRT firmware with the MT7601U driver enabled. Now I can use recon, but I have to continue exploring. Thanks.

  16. A solution to the “non working deauth capability” is not around the corner yet, right? I wonder if we have somebody here with enough skill to dig into this problem? I will perform some tests on the weekend regarding powering the AR-150 with another power supply to rule out a lack of power during packet injection. Could someone please look into the logs or scripts to help hunt the problem down? Thanks!

  17. Meanwhile I found out that DeAuth does in fact work when freshly booted… however “ReCon” and “PineAP” seem to mess with each other. Since the PineAP Daemon has to be turned on in order to use DeAuth in ReCon, things start to get dodgy. Things like “Capture SSIDs to Pool” and “Logging” stop working and can only be restored by resetting the network interfaces to default (Networking -> Advanced -> Dropdown Menu -> “Reset WiFi Config to Defaults”). However, this reset comes along with strange side effects like the Nano suddenly broadcasting all SSIDs in the Pool even though the according checkboxes are not ticked.
    There are also tons of complaints in the Hak5 Forums about similar issues with the nano. Maybe we could try with an older version such as 1.1.2 or 1.1.0? Anyone has a compiled binary for this?
