Making a knockoff WiFi Pineapple from a GL-iNet AR150

Posted February 23, 2019

Last updated March 6, 2019 | 9a69d23


While I have known about the GL-iNet AR150’s ability to mimic a WiFi Pineapple Nano, I hadn’t had an extra lying around to play with, until I saw that they were on sale on Amazon (15%, but still a sale) and decided I’d like a weekend project.

It arrived, and even before I booted it into its native (and really awesome) stock GL-iNet firmware, I performed the steps to get it to boot into Uboot mode and uploaded the firmware that was compiled by al3xg on Security Addicted. This was great and all, but I noticed on the page that they had deprecated the project, and I wanted to see how far I could go to get this as close to the current version of the WiFi Pineapple firmware as possible before getting caught by the reported hardware checks al3xg mentioned in the Security Addicted post.

There are a surprising number of great resources out there on this process, so I’d like to say thank you to Patrick Sapinski, KhasMek on GitHub, tomac on Medium, and Carson Seese for everything they’ve researched, found out, and published for anyone to look up and read.

While all of the guides I had found were referencing building the new firmware with the old Domino Team OpenWrt-CC repo (Domino Team was the precursor to GL-iNet I believe, but don’t quote me on it), I happened across the newer imagebuilder-cc-ar71xx repo and decided to take a crack at using the newer version. To start with, I tried out the version 2.0.2 WiFi Pineapple firmware, as that was confirmed working by al3xg on Security Addicted.

Building the firmware

Grab your files

Your first steps are to get these files on your local machine.

Follow along with the Asciicasts below (you can pause to copy and paste text straight out of the terminals if you’d like).

Extract with binwalk

Next, you’ll want to use binwalk with the -e flag to extract the contents of the WiFi Pineapple firmware.

Copy your files

After this, you’ll want to copy the contents of the squashfs-root folder into a folder called files inside of your imagebuilder-cc-ar71xx git directory that you cloned earlier (you’ll need to create this folder).

Build the firmware

After that, you’ll just want to build the firmware with imagebuilder-cc-ar71xx. I have chosen to run the command make image PROFILE=GL-AR150 PACKAGES="kmod-rtl8xxxu kmod-rtlwifi-usb" FILES=files/, as I’m building for the GL-iNet AR150 and I want to include the modules for Realtek USB adapters for the Netgear AC 6100 adapter I had on hand.

You can visit the fantastically well-documented OpenWrt wiki page to find more kernel modules you might want to install in the PACKAGES="" section of the command above.

I recorded this terminal session with Asciinema, and it has a feature to reduce “dead air” to one second, so this seems to go by in a flash. In reality, this build took about 15-20 minutes.
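
The extract, copy and build steps above as one script. This is an added example, not taken from the original post or its asciicasts. The firmware path and the image builder directory are passed as arguments because the page does not name the files, and binwalk's -C option (custom extraction directory) is assumed to be available in the installed version.

```shell
#!/bin/sh
# Added example: extract, stage and build in one go.
# Usage: sh build.sh <pineapple-firmware.bin> <path/to/imagebuilder-cc-ar71xx>
# Both arguments are placeholders; the post does not give the file names.

# Print the first squashfs-root directory found under an extraction directory.
find_rootfs() {
    find "$1" -type d -name squashfs-root -print | head -n 1
}

# Copy the extracted root filesystem into <imagebuilder>/files.
# cp -a keeps symlinks (busybox applets) and file modes intact.
stage_rootfs() {
    rootfs=$1
    ib=$2
    # Sanity check (assumption): an extracted OpenWrt root has an etc/ directory.
    if [ -z "$rootfs" ] || [ ! -d "$rootfs/etc" ]; then
        echo "error: '$rootfs' does not look like an extracted root filesystem" >&2
        return 1
    fi
    # Refuse to merge into a files/ directory left over from an earlier build.
    if [ -e "$ib/files" ]; then
        echo "error: $ib/files already exists; remove it to avoid mixing builds" >&2
        return 1
    fi
    mkdir -p "$ib/files" && cp -a "$rootfs/." "$ib/files/"
}

# Run the image builder with the profile and packages used in the post.
build_image() {
    ( cd "$1" && make image PROFILE=GL-AR150 \
        PACKAGES="kmod-rtl8xxxu kmod-rtlwifi-usb" FILES=files/ )
}

# Only run the full procedure when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    out=$(mktemp -d) || exit 1
    binwalk -e -C "$out" "$1" || exit 1
    stage_rootfs "$(find_rootfs "$out")" "$2" || exit 1
    build_image "$2"
fi
```
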

Loading the firmware

Booting into Uboot

You’ll now want to follow the instructions from GL-iNet to boot into the Uboot interface. In summary, you’ll want to:

  1. Unplug any power cable that’s powering the device
  2. Hold down the Reset button on the side
  3. Plug the Micro USB power in while holding the button
    • you will hold until the red LED flashes five times
  4. Release the Reset button

Your router should now be booted to the Uboot interface.

Uploading the firmware

You will want to set your local computer’s IP address to 192.168.1.2 (subnet of 255.255.255.0) in order to communicate with the router when it’s booted into Uboot.

If you browse to http://192.168.1.1, it should load a page similar to this:

[Image: Uboot interface]

Click the Browse… button, and you will be able to navigate your file system and select the firmware you have just generated. Click Update firmware to start the process.

The page will load for a second or two, and then you will get to this screen:

[Image: Uboot spinning wheel]

You can now close your browser window and change your ethernet interface back to DHCP if you’d like.

Accessing PineAP

Connecting to your new Pineapple

Connecting over wireless

On your device, search for a new open wireless network named Pineapple_wxyz where wxyz will be the last four of your router’s MAC address. Once connected, open a browser and head to http://172.16.42.1:1471 to get to the web GUI of the pineapple.

Connecting over ethernet

It seems that in the building process, the WAN and LAN ports get swapped (or perhaps the LAN port is disabled completely – I haven’t confirmed it either way yet). If you’d like to connect via ethernet, plug into the WAN port, and head to http://172.16.42.1:1471 to get to the web GUI of the pineapple.

Initial setup of PineAP

On the initial welcome screen, go ahead and click the Get Started button to start the setup.

[Image: Get started]

When you get to the Secure Setup screen, you will be prompted to either press the button once to disable wifi, or hold the reset button to continue with wifi.

If you chose to connect to the pineapple via wifi earlier, you will want to hold the same Reset button on the side of the router that you held to get into Uboot earlier for at least two seconds. The screen will automatically advance past this step after holding the button. Otherwise, you can just press the reset button one quick time. It doesn’t hurt to leave the wireless enabled, so that is what I will recommend.

[Image: Wifi choice]

Next, you will want to enter the admin password for the pineapple, an unsuspecting SSID, and a password for the management SSID.

[Image: Management password and wifi]

Agree to any other information, and Complete Setup.

After changing the management SSID, you will get an error in your browser, and you will need to reconnect to the new SSID name you just created.

[Image: HTTP error]

Reconnect to the new SSID, browse back to http://172.16.42.1:1471, enter your new admin password, and now you can start using your pineapple!

Closing

Usage of the pineapple is beyond the scope of this post, but there is a lot of information out there for how to do all sorts of things with your new toy.

KhasMek, the author of one of the other articles I referenced at the beginning, has a repo on GitHub that is made to be an all-in-one script to support doing all of the firmware building steps above in a single shell script. I had some issues with it, but I think it’s an awesome idea and a lot of great work. Maybe some day I will fork and update it with all of the steps that I have above.

Troubleshooting

I haven’t had many errors that I’ve needed to work through, but one link I did find is to the tweet below, with a tip for kicking the pineapple into gear if it’s stuck at “wifi pineapple still booting”.

Other than that, all I can suggest is that Google is your friend.

Happy WiFi Pineappleing!
