Picture this: you find yourself sitting in a hotel room that does not offer wireless internet… As you look out the window, you spot three hotels and a Starbucks across the street advertising “Free Wireless Internet” — if only you had known this when you booked! You fire up your wireless card, but the signal is just too weak to keep a consistent connection. What are you going to do?

The predator is a modified wireless router connected to a high-powered antenna and running custom firmware that actively seeks out open wireless connections. Once they are found, it tests them for internet connectivity, joins the one with the strongest signal, and repeats it as a secured wireless connection that YOU control. =)

*Note: It is illegal to use a wireless access point that you are not authorized to use.

Materials Needed:

* (1) Buffalo WHR-HP-G54 (or other DD-WRT compatible router with an upgradeable SMA Male Reverse antenna)
* (1) HyperLink 2.4GHz 14.5 Yagi Antenna with N-Female Connection.
*Note: If you plan on using this antenna ONLY for a “predator”, order it with a Reverse Polarity SMA Plug.
* (1) Reverse Polarity SMA Male to Male N-type adapter.
*Note: The use of adapters lowers the effective range of the antenna; however, I preferred to order my antenna with a standard connector for re-use in the future.
* (1) Sears’s Ultra-Cheap camera tripod
* Misc screws & Velcro mounting strips

Step 1 : Preparation

Create a “Working Directory” on your workstation where you can store all required files. Windows users, I would suggest c:\predator; OSX/Linux users, I would suggest ~/predator.

Windows users in a DOS prompt type:
cd\
mkdir predator

OSX/Linux users in a command terminal type:
cd ~
mkdir predator

Then download the “AutoAP” firmware into this directory. I-Hacked members can download this firmware directly from this link; others will need to download it from Sourceforge. Once downloaded, you should now have a file:

dd-wrt.V24_AAP-0130-generic.bin

Next, plug in your WHR-HP-G54 and connect your computer to it via a Cat5 network cable. It is important that you are directly connected and do not ever attempt to flash your router via a wireless connection.

If your WHR-HP-G54 is brand-new (or unmodified) its IP address will be 192.168.1.11. Verify that you can ping it (or hit the web interface at this address) before moving to step two.

If your router has been modified it might have a different IP address, and I would suggest restoring it to its factory default settings before moving forward. To reset press the red INIT button on the bottom of the router for 15 seconds. Do not let go of the INIT button until the red DIAG lights up or flashes. The restore process can take up to two minutes.

Step 2 : TFTP Flash upgrading the firmware

On the computer that is directly connected to the router, open two command windows.

In the first command window, ping the router continuously:
ping -t 192.168.11.1
(OSX/Linux hosts do not need the -t parameter)

and you should see it responding, e.g. like this (notice the ttl=64):

64 bytes from 192.168.11.1: icmp_seq=1 ttl=64 time=2.90 ms
64 bytes from 192.168.11.1: icmp_seq=2 ttl=64 time=0.264 ms
64 bytes from 192.168.11.1: icmp_seq=3 ttl=64 time=1.44 ms

Now in the second command window, change directories to where you saved the AutoAP firmware (cd\predator or cd ~/predator). Type out the following command, but DO NOT HIT ENTER:

tftp -i 192.168.11.1 put dd-wrt.V24_AAP-0130-generic.bin

Now we need to put the router into TFTP-update-ready mode by rebooting it. When power is first applied to the router, it enters a debug mode in which it accepts TFTP upgrades. Pull and re-insert the power, and watch for it to enter the debug mode. In the ping window, you will see the ping responses stop momentarily and then finally restart like this (notice the ttl=128):

From 192.168.11.1 icmp_seq=1 Destination Host Unreachable
From 192.168.11.1 icmp_seq=2 Destination Host Unreachable
64 bytes from 192.168.11.1: icmp_seq=3 ttl=128 time=2.90 ms
64 bytes from 192.168.1.11: icmp_seq=4 ttl=128 time=3.50 ms
64 bytes from 192.168.11.1: icmp_seq=5 ttl=128 time=0.90 ms

Once it comes back, check to ensure the TTL has changed to 128. If it is responding to your pings with a TTL of 128, the router is ready for the TFTP upgrade. Finally, press Enter on the command you typed out in the TFTP window. You may have to try it a couple of times to get the timing down correctly. If the router does not come back with ttl=128, you may have to reset the device using the reset button.
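As an added check that is not part of the original write-up, here is a small Python script that classifies ping output lines (in both the Linux/OSX and the Windows `Reply from … TTL=` formats) and reports when the replies have switched to the boot loader's TTL of 128, i.e. when the TFTP upload window is open, and when a later TTL 64 reply means the window was missed. The sample lines are constructed after the ones shown above; the 64/128 values are the ones this guide describes and are parameters, not constants, so they can be adjusted for other devices.

```python
import re

# Constructed sample, modelled on the ping sequence described above: replies from the
# running firmware (ttl=64), a gap while the router reboots, then replies from the
# boot loader's TFTP-ready debug mode (ttl=128).
SAMPLE_PING_OUTPUT = """\
64 bytes from 192.168.11.1: icmp_seq=1 ttl=64 time=2.90 ms
64 bytes from 192.168.11.1: icmp_seq=2 ttl=64 time=0.264 ms
From 192.168.11.1 icmp_seq=3 Destination Host Unreachable
From 192.168.11.1 icmp_seq=4 Destination Host Unreachable
64 bytes from 192.168.11.1: icmp_seq=5 ttl=128 time=2.90 ms
64 bytes from 192.168.11.1: icmp_seq=6 ttl=128 time=3.50 ms
"""

# Matches both the Linux/OSX form ("64 bytes from X: ... ttl=64 ...") and the
# Windows form ("Reply from X: bytes=32 time<1ms TTL=128").
REPLY_RE = re.compile(r"from (?P<ip>\d+(?:\.\d+){3}).*?ttl=(?P<ttl>\d+)", re.IGNORECASE)
GAP_RE = re.compile(r"Destination Host Unreachable|Request timed out", re.IGNORECASE)


def classify_line(line):
    """Return ("reply", ttl) for an echo reply, ("gap", None) for a miss, else ("other", None)."""
    if GAP_RE.search(line):
        return ("gap", None)
    m = REPLY_RE.search(line)
    if m:
        return ("reply", int(m.group("ttl")))
    return ("other", None)


def tftp_window_state(lines, normal_ttl=64, loader_ttl=128, min_loader_replies=2):
    """Walk ping output in order and report whether the TFTP upload window is open.

    loader_ready becomes True once min_loader_replies consecutive replies carry the
    boot-loader TTL (one stray reply is not trusted, since the timing is finicky);
    window_missed becomes True if a normal-TTL reply follows that, meaning the
    firmware finished booting before the upload was sent and a reset is needed.
    """
    state = {"saw_normal": False, "saw_gap": False, "loader_ready": False,
             "window_missed": False, "loader_replies": 0}
    for line in lines:
        kind, ttl = classify_line(line)
        if kind == "gap":
            state["saw_gap"] = True
            state["loader_replies"] = 0
        elif kind == "reply" and ttl == loader_ttl:
            state["loader_replies"] += 1
            if state["loader_replies"] >= min_loader_replies:
                state["loader_ready"] = True
        elif kind == "reply" and ttl == normal_ttl:
            state["saw_normal"] = True
            if state["loader_ready"]:
                state["window_missed"] = True  # loader handed off to the firmware again
            state["loader_replies"] = 0
    return state
```

Pipe the live ping output into `tftp_window_state` line by line (or feed it the captured text) and send the TFTP command as soon as `loader_ready` turns True.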

When the upload is successful, WAIT AT LEAST THREE MINUTES. (BE PATIENT! DON’T RESET THE ROUTER!) Seriously, go grab a beer or something — let it sit for a while; the device needs to install the new custom firmware.

After the three minutes have passed, unplug your router and plug it back in. The router will now be running a custom version of DD-WRT with AutoAP installed and responding at the IP address 192.168.1.1 (you may have to renew your IP address first to be in the 192.168.1.x subnet).

Step 3 : Configure the predator

Connect to the web interface by opening your browser and going to

http://192.168.1.1

and login with:

username: root
pw: admin

First we need to do a hardware factory reset after the successful flash. Go to Administration / Factory Defaults, check “Yes” to Restore Factory Defaults and click SAVE. This will reboot the router. (If it doesn’t, manually reboot it.)

Once the router returns, log in. We now need to enable “Universal Wireless Repeater Mode”. Go to tab “Setup”, sub-tab “Basic Setup”:

* Change Router Name to WPRED (or whatever you want to call it)
* Change Host Name to WPRED (or whatever you want to call it)
* Change “local IP address” to a unique subnet (different than device you wish to repeat), such as 192.168.69.1.
* Click SAVE. This should reboot the router. (if not, reboot it)

Point your browser to the new IP address you chose in the previous step (you may need to change/renew your IP address). Login and go to tab “Security”, sub-tab “Firewall”: uncheck all check boxes and THEN set the firewall to “disable”. Save settings.

Then go to the Wireless Tab and change the Wireless Mode to Repeater. Clear SSID field and hit save.

Next, add a Virtual Interface; this will be the wireless SSID that YOU will connect to (bridged to the open access points).

* Set SSID to: IHPred (your choice)
*Note: An SSID with “predator” in its name seems to make neighbors with kids understandably uncomfortable; I would not suggest doing that.
* Check SSID Broadcast (your choice)
* AP Isolation – Disabled
* Network Configuration (Bridged)

Then click SAVE.

Go to tab “Wireless”, subtab “Advanced Settings”. Set “Preamble” to “Short” and “Xmit Power” to higher than default (I use 200). Click “Save Settings”.

Finally, configure and enable the “Predatory” features of your device. Go to tab “Wireless”, subtab “AutoAP”.

* Check “Enable AutoAP”
* Log type to your preference (html output) *See note below
* Scan Frequency to 60
* Max APs to Track to 10
* DHCP Renew Timeout to 15
* Find Open APs to Enable
* Internet Checking to Enable
* URL to check to Google

* Enable WEP Checking to Enable (if you have WEP encrypted APs you want it to join)
o Add any WEP keys you have
* Add any BSSID or MAC addresses you do NOT want the AP to associate with
* Click SAVE.

Note: When set to ‘syslog’, AutoAP will send all log data to syslog. Depending on your log level settings, you will see more or less data. AutoAP has quite a bit of log data it sends; however, if your log level is set to high, the router should only send out important AutoAP notices, like new connections, disconnections, or errors. If set to low, it will show you debug data. When set to ‘html’, the log data is written to a file available via the web interface. This log is kept trimmed to autoap_logsize lines.

Reboot your router and wait about 1 minute. At this point the router should be fully configured and running in “Predator” mode. However, before you start assembling it, take a few minutes to verify everything.

In one of your command windows, type:

telnet 192.168.69.1
(or whatever you set the IP address to)

Login using root/admin and type:

ps | grep autoap

and make sure that you see something similar to the output below (look for /bin/autoap).

If you do not see this, reboot your router and check again. If you still do not see it (this step should not be needed): first make sure that you are typing the command right; copy and paste it. If you STILL do not see it, log back into the web interface, go to the “Administration” tab, “Commands” sub-tab. Paste the following into the command box:

/bin/autoap &

Make sure you hit the “Save Startup” button (and not the “Save” button). Reboot the router, wait 1 minute and repeat the telnet “verification” step. Once you can verify that autoap is running on startup, you can unplug the router and move to the final step.

Step 4 : Assembling the Predator

Connect the “L” mounting bracket that came with the Hyperlink antenna, making sure that the connector cable is opposite the protruding bend (see later pictures for clarification if needed).

Mount the antenna assembly to the cheap tripod using some nuts and bolts you have lying around in that screw jar you have — I know that if you are reading THIS SITE you know the one. I would assume that every “cheap” tripod has different mounts; just make sure that the antenna assembly mounts securely and semi-level. You may need to drill a hole in the antenna assembly “L” mount to ensure that you use two mount points. I was able to use two long screws, and on the rear screw I used a nut and a washer as a spacer.

Then mount the WHR-HP-G54 to the top of the antenna assembly mount. Remove the screw found underneath the informational sticker (see below), and then, using a slightly longer screw and some velcro strips, secure the router on top. Your predator should be looking pretty evil.

Finally, remove the stock Buffalo antenna and connect the hyperlink antenna to the router using the adapter if you chose to use one.

Congrats, you now have a wireless predator on your hands. Aim your antenna towards the area most likely to have open access points and let it sit for about 5 minutes.

When your predator powers up, it will start scanning for open access points, testing each one for internet connectivity, and will finally join the one with the strongest signal that can reach the internet. It then makes this connection available to you via the AP SSID that you set previously.

Join the AP SSID that you created earlier (IHPRED). If everything worked right (and there are open wireless access points available) you should have internet access. I suggest visiting whatever log you configured to see how it is working. If you chose the html log format, visit http://192.168.69.1/user/autoap.htm.

Finally, lock down your predator like you would any other access point: change the default admin password, enable SSHd and disable telnet. Enable WPA encryption if you want to protect your newly “acquired” internet access.

Note: Even if you enable encryption, your traffic can still be monitored (sniffed) on the link between the predator and the open access point. If you happen to know the WEP key of a particular AP, you can add it to the WEP keys section at tab “Wireless”, subtab “AutoAP”. The predator will then attempt to join WEP encrypted networks using that key.

Happy Hunting Guys and stay off my Wifi Modem lol

credit to: Evilb4st4rd
