Hacking at the BT Voyager 205 adsl router modem

This started as a wee collection of miscellaneous telnet cli commands, tweaks, hacks and other fun for the BT Voyager 205 router. a.k.a. "Globespan Viking" (Globespan is now owned by conexant), but my original BT Voyager 205 text file started getting a lot of google-type action, so I eventually got around to doing a web page proper, as promised.


What we now have is pretty much Viking Central, and owners of all the viking chipset based routers; BT Voyager 205, of course, CastleNet AR502, Dynalink RTA100, RTA500-D51, GlobespanVirata, Netgear DM602, Solwise SAR100 & SAR130, Riger db102, Callisto 821, BT Voyager 205, CastleNet AR502, Cell pipe 22A (21A) -BX-AR, Dynalink RTA100 (Viking I), Dynalink RTA500-D51 (Viking II), Siemens E-010-I, Speed Modem 50, Speed Modem 100, Tenda TED8620R and probably many others; as well as folks with no pretence of owning anything even remotely similar, drop by with their router woes and triumphs. It's been a lot of fun. Check out the full story in the many hundreds (make that thousands! -ed) of comments.


I'm told the voyager pages are a good read for other network n00bs, too, so if you're looking to find out what a "Static IP" is, or learn a few proxy tricks, setup a webserver, or maybe just soak up some network basics, you may just find what you need right here. I'll let you be the judge.

As well as how to configure the voyager router, most folks seem to be looking for security and stealth, NAT rules (with examples), port-forwarding, and porn, well, apart from the porn, it's all here!

There's been some re-organising, splitting up the data into separate pages (please see the menu at the top), usually in response to the groovy comments at the foot, clarifying and expanding things as we go along, mainly so people don't have to keep asking the same questions over and again.

Fire away! but do bear in mind, if it's a technical issue that's already been covered here, the response is unlikely to be what you'd hoped for! At least run through the troubleshooting checklist before asking FAQs. Otherwise, feel free to add a comment, or just rant and flame. There's no such thing as a stupid question, though barney's come pretty close (hehe, just kiddin' dude! ;o)

meet the black box...

Model       : Viking
Name        : voyager
Domain Name : corz.ath.cx
Description : DSL Modem
Location    : Aberdeen, Scotland
Contact     : cor.. https://corz.org
Vendor      : GlobespanVirata Inc.,100 Schulz Drive, Red Bank,NJ 07701,U.S.A
LogThreshold: 1
Object-id   : 1.3.6.1.4.1.50000
HwVersion   : 810020
SwVersion   : V1.1
DSL Version : Y1921a
System Time : Sat Nov 27 14:11:44 2004
Time Zone   : GMT
DST         : On
Services    : physical datalink internet end-to-end applications
UpTime(HH:MM:SS)     : 13:37:23
Backup Interval      : Disable

Power Required	: 16V ~ 1A [16VA] AC

It's worth investing a little time in getting to know the unit, setting it up properly. With only a couple of simple commands you can create a hardware-firewalled, safe, internet-enabled LAN environment for your home or organisation. The box comes free with BT's current 1MB/2MB broadband package, possibly other packages. With free adsl connexion thrown in, it's actually not a bad deal. At least until the limits set in, circa May 2005. *sigh*

The BT Voyager 205 is a good wee box. As well as a simple USB modem (you won't need to remove that sticker, ever!), it's a "real" router, so you can just connect it to an ethernet switch and tada! your whole LAN has internet. No drivers required! I repeat: NO DRIVERS REQUIRED!!! The unit can act simultaneously as a router AND a modem, all by itself.

Using ethernet, the voyager works independently of any computer, so it doesn't matter if you're running OS X, BSD, Linux, Solaris, Classic Mac OS, Amiga OS, even Windows®; this box can act as your "always on" internet gateway. It's got NAT, a good IP filter firewall with stateful inspection (don't believe the rubbish they tell you elsewhere!), dhcp server, access control, comprehensive attack protection, automatic DUC, the works! It begs to be tweaked and hacked, and we've already discovered some useful undocumented functionality doing just that, as well as render at least one unit completely unusable!

NO USB past this point!

Before we go any further..

If you insist on using USB to connect to the router, expect to a) have lots of trouble with your internet connexion, b) be ignored here when you ask perfectly reasonable questions, and c) spend a lot of time at the troubleshooting page, on your own! Simon says, "Get a NIC!", or words to that effect, which is a "Network Interface Card" and will cost around three bucks in any currency. We really did have a Simon that said that! Check the comments.

But Kev tells us that if you go into your Windows Device Manager (run "devmgmt.msc") and bring up the properties for your USB root hubs, and on the "Power Management" tab, UNcheck the box where it says "Allow the computer to turn off this device to save power", you may at least not have to suffer the thing cutting out every five minutes. This will keep you going until you get a switch!

Okay, NOW we can start..

Getting Started..

Ironically, the best way to begin hacking this thing, is to start with the web interface..

http://192.168.1.1 (the preset default address, you can change this)

If you have a static IP on your puter, ensure you are in the same "subnet", in other words; 192.168.1.something (if your whole LAN uses static IP's and they are *not* on that subnet, you can change the IP of the router to match your LAN, though you will have to temporarily flip your computer's IP to 192.168.1.3 to alter the router's IP to 192.168.0.1 (or whatever), oh the pain! but you can also create "virtual" ethernet connexions, serving multiple subnets)

note: the 205, as supplied by BT comes insecure out of the box. I think BT imagined the ethernet port would be used only by XBox and PS2 gamers, or perhaps they wanted to drop in sometime. Anyway, the unit connects itself to your favourite ISP right at startup (remember this if you are trying to setup the 205 for different ISP, like Tiscali, or AOL (puleeze!) or whatever, you'll need to enter your login details before you connect the 205 to the phone line!) so first thing to set is..

set this to "High", which is better than it was, but not a lot. Apply, and Save your changes. (the oddly-placed red save button appears on all the advanced pages) now you can breathe a little while you get this thing properly secure and working the way you want it to. after enabling the basic security, setup any other stuff you understand, save again, then go to..

and click the 'Save Config' button, which will save the current configuration to your hard drive.

this exported file is no more than a list of cli commands for the voyager router. with this list of commands, you can recreate your router's current state at any time in the future. make a copy of that file, and start adding to it. Later you can upload it to the router via FTP, and use it as your default command set.

Let's Hack!

With our current configuration safely backed-up, we can start to really hack this thing.

There are two schools of thought as to how best to approach this task. Some folk prefer GUI tools, and others prefer a command line. Each has advantages and disadvantages. The main disadvantage of the cute web interface gui is that only some of the pages are available, however we have overcome this and though I personally prefer to use the command line to configure my router, I have created a couple of tools allowing GUI fans to access the "hidden" pages of the web interface, where you can now get to most every setting you will ever need to tweak. It's certainly easier to view the results in the web interface, anyway.

Those page selector tools are right below this article, above the comments. Conveniently, you can also open them in a separate window, and if you save the resultant page to your hard drive, you can use these tools at home, even when you're offline. If you have a webserver with php running, source is also provided.

But it's from the command line that ALL the settings are available. The ability to drag & drop commands into a telnet session, not to mention its scriptability, makes the shell ideal for a job like this. There's something wholesome about plain text commands, a particular clarity. So let's open a telnet session..

telnet

Telnet is just a protocol, like FTP is. It allows you to run a command line on a remote machine (in this case, the router). All modern operating systems have a Telnet program built-in, usually called simply "telnet". Only via telnet can we access the router's raw command line, where commands can be typed directly into the router's brain.

When I first dropped into the command line (from my mac) I was frustrated by the inability to delete characters, or move around with the arrow keys. One wee mistake, and BANG! you have to start again. I tried using Putty, and other tools on the peecee, but still the same effect, eventually I just accepted that it was "a router thing".

However, if you open a plain old telnet session from a plain old DOS box, at least on XP, you have a magic telnet session that allows all these things! BobR tells me it's because of the "Terminal Emulation" mode used, of course! XP defaults to the old DEC vt100 emulation, which works perfectly! Cheers Bob!

Scattered throughout this area of the site are clickable links (there's one coming right up) which will, in theory, open a telnet session on your machine. And if you are running windows, you'll likely get the same magic telnet session as me!

by default the router lives at 192.168.1.1 so go into your shell and do..

telnet 192.168.1.1   <-- click here to telnet into your router!


( note that inside my LAN "router" resolves to 192.168.1.1 )

The account login is the same as the web interface ( preset defaults are user: admin  password: admin ) very secure! you can ftp in, too, but although there's lots to see, there's not a lot to do, at least, so far. we'll see. with the right firmware it might even do ssh.

On a mac, you can select any command line from this page (or your own script), drag it into your terminal (connected via telnet to the router, of course) and your hacks go live!

telnet tip: before you drag-and-drop, when you select the command, select the whole line, including the following line-break; then <enter> will be pressed for you as well. in bbedit, TextPad, EditPlus, etc., this can be achieved by simply clicking to the left of the line. (this also works in certain Linux desktop configurations) note: if you drag-and-drop from this page, make sure the example IP matches yours!

another tip: Ctrl-D will close most telnet/ssh sessions.

IMPORTANT: when you login to a telnet session, you will not see your password being entered, no asterixes, nothing, but for sure, it's going in just fine! Hit <enter> as normal, and you'll login without any problem. It's not broken, it's a security feature!

I've used greyed-out text here, to differentiate between the telnet commands and my comments, to (hopefully) make things clearer, at least, clearer than they were to me when I started messing with this thing this morning, getting most of my clues from Chinese web sites! they've had the Viking chipset a while, apparently. okay ...

In a telnet session with the router, you can type any command and then a space and then a ? to get help for that command, like this..

get ?

which would produce a list of possible "get" commands, next you could do..

get ppp ?

for a list of "get ppp" commands, etc.. this tip will save you hours!

?

on it's own is the same as

help

which gets you a list of top-level commands.

use the UP key to recall the last input command. use this a lot!

after giving help, the cli puts that same command back on your current command line minus the "?", so you can build up long commands one command at a time, getting help all the way. neat. okay, first..

Stealth and Security..

You will probably want to begin by stealthing your router. A stealthed router sends a definite signal to any potential attacker, and also refuses to needlessly leak information about your computing environment. You can stealth a voyager 205 with just two simple commands.. create ipf rule entry ruleid 5 dir out act accept storestate enable seclevel high medium low
create ipf rule entry ruleid 500000 ifname public dir in act deny seclevel high medium low Much better! a simple start.

Now you got stealth, nothing's getting in! so if you want to run any servers, ftp server, web server, whatever, or effectively use any p2p application, you'll need to create individual rules to allow this inbound traffic, inserting them numerically between the two magic stealth rules above. an example BitTorrent rule..

create ipf rule entry ruleid 6881 ifname public dir in act accept destport range 6881 6899 transprot eq tcp seclevel high medium low


After dropping in another rule for the±wire it looks something like this..


this screen is here ..

You might want to enable standard attack protections..

modify fwl global blistprotect enable attackprotect enable dosprotect enable

these should be on by default, do check your model/settings (and exported .cfg file).

who da bad boys? ..

get fwl blacklist

to delete a firewall rule..

delete ipf rule entry ruleid 6881


check out the stealth page for a great deal more information about stealthing your router, including important notes on firewall testing.

NAT   (not an insect)

If there are a few or more users in your home/business/organisation, you'll likely want give them all internet access. broadband was made for sharing. this is where NAT comes in. NAT, or "Network Address Translation" is simply a way for multiple "private" computers to share a single "public" IP address.

The NAT "gateway" (our beloved BT voyager 205) translates all the outbound requests from our individual "private" computers (called 192.168.1.whatever, safely inside our Local Area Network, or "LAN") and alters the packets so they appear to originate from a single "public" IP address (which is all the folk on the outside can see). When the requested packets return, the NAT reverses the translation, and routes the data back to the originating "private" machine. clever stuff.

Because the Voyager can apply "stateful inspection", inbound packets are examined on arrival, and only those packets we requested are forwarded on inside the LAN. Essentially nothing gets through the NAT unless we asked for it first, or, like the BitTorrent rule above, we specifically open up a port.

So first we.. NAT everything!

create nat rule entry ruleid 100000 napt

I recently discovered that the voyager has a hidden NAT rule which does exactly this. Mine is rule ID no. 4294967295 ! I still add my own though, where I can see it.

port forwarding.. maximum 20 rules!

After opening ports to allow inward traffic, you need to route that traffic to a particular "private" computer inside your network. To do achieve this, we use port forwarding. It does exactly what is says on the can, forwarding the data packets on to the private machine.

In order for this to work as expected, your private machines (machines at this side of the firewall) need to have "Static IP's". Most computers will, by default, get their IP address dynamically, that is, it will be assigned by the gateway computer, which is our router (aye, there's a wee computer inside there!). You'll need to ensure that dynamic IP addressing (dhcp) is disabled on your computer, and you have instead manually  assigned a static IP to the computer, probably something like 192.168.1.3. For more information on how to do that, see here.

It could be argued that "my computer always gets assigned 192.168.1.3", but that's asking for trouble when, six months down the line, you add a laptop to the network and suddenly all your firewall rules stop working, and it takes you six hours of troubleshooting to figure out why! If you need DHCP, mindfully create a special pool of addresses, for "guests", or whatever. In a discipline with so many variables (networking) it makes a great deal of sense to convert as many as possible to constants. So with your target machine at a fixed, reliable, constant address; let's do it..

This example NAT rule will forward all inbound bittorrent traffic to a machine at IP address 192.168.1.3..

create nat rule entry ruleid 6881 rdr prot num 6 lcladdrfrom 192.168.1.3 lcladdrto 192.168.1.3 destportfrom num 6881 destportto num 6889

Something very similar would work for any p2p application and protocol; eMule, edonkey, kazaa, LimeWire, WinMX, Gnutella, Direct Connect, etc, etc. same for servers; FTP server, Web Server, whatever.


check out the recipes page for lots more details and a whole bag of ready-made NAT rules!


As well as simple redirection, you can create different kinds, or "flavours" of NAT rule, and put ranges of ports into one rule, too. handy, because you can only have twenty rules maximum. you can also create IP ranges (aka round-robin), more useful for sharing load on multiple servers. check out the PDF's at the foot for an almost complete list of all the NAT, and many many other rules.

A simple NAT configuration might look like this..

click the magnifying glass to look at stuff close up..



you'd think the "global address to" would need to be 255.255.255.255, but the voyager doesn't seem to care. I guess when neither are specified it just presumes you mean everything.

you can do..

create nat rule entry ?

for a list of all the NAT options. You can delete a nat port forwarding rule like this..

delete nat rule entry ruleid 6881

If you are looking for a particular solution, it's probably on the recipes page!

If not, consider making a donation, and request that it be added!

essential tweaks..

ppp link...

Enable ppp keepalive..

modify ppp global keepalive enable

ppp sessions time-out after thirty minutes inactivity. let's change that..

modify ppp global pppsesstimer nevertimeout

(for v1.8 firmware, replace "nevertimeout" with "99999")

time to live..

modify ip cfg ttl 64

network connexion limits...

The maximum number of IP sessions the modem can manipulate simultaneously is 512. the default is 192, let's fix that..

modify nbsize maxipsess 512

note: if you have upgraded to the v1.8 firmware (which I have not) you can only set that to 511, not 512.

for gamers..

Opening and closing lots of connexions quickly (like some p2p apps and most networked games do) can fill up that connexion table pretty fast, because you open new connexions before you have closed the old ones. exactly how long the old connexions stay open is up to you..

modify nat global tcpidletimeout 3600 tcpclosewait 45 tcptimeout 30 udptimeout 90

those are the default setting, but you can probably get off with using much lower values, especially if you search for game servers a lot, something like these..

modify nat global tcpidletimeout 1800 tcpclosewait 30 tcptimeout 10 udptimeout 15

or even less. Every setup is slightly different; experimentation is the key to success. There are other parameters that may be set, too, for more details, open a telnet session with your router and do..

modify nat global ?

replace a time server entry..

modify sntp cfg disable
delete sntp servaddr dname Time.apple.com
create sntp servaddr dname pool.ntp.org
modify sntp cfg enable
get sntp stats

etc..

Get stats on stuff..

get system
get nat stats
get ip stats
get sntp stats
get pfraw stats
get ethernet stats
get fwl stats
get dsl stats curr

get user
get ipf session


create a new user..

create user name boss passwd mypassword root

alg rules...

"Application Layer Gateways" are clever things, allowing you to run IRC and ICQ clients, FTP servers and the like without endless firewall hassles, thanks to the 205's "stateful inspection" mechanisms. Most of the common ones are already in place, but if you need something special, you can add it yourself.

This example would allow you to connect successfully to an IRC server running on a non-standard port, in this case port 7000..

create alg port portno 7000 prot num 6 algtype mirc


more than just for fun...

modify system contact "cor, https://corz.org"
modify system location "Aberdeen, Scotland"
modify system dname "corz.ath.cx"
modify system name "Starship Voyager 205"

you can do them all at once, too..

modify system contact "cor, https://corz.org/" location "Aberdeen, Scotland" dname "corz.ath.cx" name "Starship Voyager 205"

Would be fun to have a finger server on the unit, presenting this info to whoever asks. For more of these sorts of fun and games, don't forget to check out the tips & tricks page! (Hacks for Dynamic DNS, alternative DNS servers, ping, traceroute, custom logging and much more!)

cool it!

This box runs hot. There's enough anecdotal evidence going around to suggest that when things start to wonk out, heat can be a factor. In short, keep it somewhere cool, like under a window, or sit some nice flat-bottomed, metal object on top of it to act as a heat-sink, or both..



If you REALLY want to cool it, check out this.

lastly..

Don't forget to check out the router directory in my public archive for many interesting files ( including PDF's containing ALL the possible commands), firmware utilities, patches, shell scripts, and much more..

https://corz.org/public/docs/comms/router/

you can download the main two directly, here..

have fun!

;o) corz.org


ps.. the original protective sticker is still stuck over the USB socket of the Voyager 205,
and it's going to stay that way, too!

Useful Links..

Secret Page Selectors..

Telnet may be a superior tool for configuring your router, but your web browser is certainly a much cooler way to view the results. Don't forget to bookmark your favourites!

Secret Admin Page Selector!

Skip the tedious interfacing, and open all the "advanced" pages directly, including quite a few you can't get via the regular BT pages!

(opens in a cool windoid, or possibly a new tab)
(1)  Device Info (2)  IP Address Configuration (3)  Administration Password (4)  Reset (5)  IP Address Table (6)  System View (7)  IP Route Table (8)  DHCP Configuration (9)  NAT Configuration (10)  Routing Information Protocol Config (11)  Alarm (see your congestion messages!) (12)  DHCP Server Configuration (13)  DHCP Relay Configuration (14)  NAT Rule Configuration (15)  Network Address Translations (NAT) (16)  Point to Point Protocol (PPP) Config (17)  ATM VC Configuration (18)  DSL Status - it's go! go! go! (19)  IP Filter Configuration (20)  Intrusion Protection Configuration (21)  RFC1483/Ethernet over ATM(EoA) Config (22)  Bridge Configuration (23)  IP over ATM (IPoA) Configuration (24)  DNS Configuration (25)  Quick Configuration - neat! (26)  Local Image Upgrade (27)  Blocked Protocols - handy (28)  Diagnostics (29)  System server Port Settings (30)  Remote Image Upgrade (31)  System Mode (32)  Ethernet speed and duplex settings (33)  (User Not Authorized) (34)  System Log (35)  Backup/Restore Config (36)  Remote Image Upgrade (client side) (37)  Remote Image Upgrade Progress Status (38)  Management Control (39)  Autodetect (40)  Bridge Filter Configuration (41)  WLAN Interface (not supported) (42)  WLAN Key (supported) (43)  RADIUS (not supported) (44)  SNMP Configuration (45)  802.1X (not supported) (46)  Secure Shell (not supported) (47)  Dynamic Domain Name Service Config! (48)  Access Control (49)  WLAN Filter List (50)  DSL View (51)  System Time & Date

special pages..
viking firmware upgrade backup/restore config

get the source!   open this tool in its own window

Secret PopOut Page Selector!

More of the same fun, but this time, for the PopOut pages.

(opens in a cool windoid, or possibly a new tab)
(3)   System - Modify (4)   IP Global Statistics (5)   IP Route - Add (6)   DHCP Server Pool - Add (11)   DHCP Server Address Table (12)   NAT Rule - Add (15)   NAT Rule Global Statistics (16)   RIP Global Statistics (17)   Alarm Monitor (19)   PPP Interface - Add (22)   ATM VC - Add (23)   DSL Statistics (24)   DSL Parameter (26)   IP Filter Rule - Add (30)   IP Filter Session (31)   Firewall Blacklisted Hosts (32)   EOA Interface - Add (39)   User Config - Add (41)   Diagnostics - Ping! (42)   Diagnostics - Traceroute! (43)   Firewall - Log - The bad boys! VERY handy! (44)   Management Control - Add IP Address (45)   Bridge Filter Rule - Add (49)   Bridge Filter - Stats (51)   WLAN Configuration - Add (57)   Authentication Server Config - Add (58)   Authentication Server Config - Modify (59)   Authentication Server Statistics (60)   Accounting Server Config - Add (61)   Accounting Server Config - Modify (62)   Accounting Server Statistics (63)   RADIUS Global Statistics (65)   SNMP View Hosts (66)   SNMP Global Statistics (67)   802.1X Intf - Add (68)   802.1X Intf - Modify (69)   802.1X Intf - Detail (70)   802.1X Supplicant - Add (71)   802.1X Supplicant - Modify (72)   802.1X Supplicant - Detail (73)   802.1X Supplicant Auth - Stats (74)   802.1X Supplicant Session - Stats (75)   SSH Key File - Upload (77)   Dynamic DNS Service - Add - neat! (78)   Dynamic DNS View Services (81)   IPF Filter Rules - Modify - Delete - Add
get the source!   open this tool in its own window

modify nbsize maxipsess 511
modify nat global udptimeout 10
create ipf rule entry ruleid 1200 ifname public dir in act accept destport eq num 1200 transprot eq udp seclevel high medium low
create ipf rule entry ruleid 27000 ifname public dir in act accept destport range 27000 27015 transprot eq udp seclevel high medium low
create ipf rule entry ruleid 27020 ifname public dir in act accept transprot eq tcp destport range 27020 27050 seclevel high medium low

create nat rule entry ruleid 1200 rdr lcladdrfrom 192.168.1.3 lcladdrto 192.168.1.3 destportfrom num 1200 destportto num 1200
create nat rule entry ruleid 27000 rdr lcladdrfrom 192.168.1.3 lcladdrto 192.168.1.3 destportfrom num 27000 destportto num 27050
commit
reboot