Router Misadventures: Dumping Superonline's ISP Fiber Router on a budget
Superonline, aka SOL, aka Turkcell Superonline, aka AS34984 is one of the largest ISPs in Turkey.
Let me tell you: I suffered a lot. Anything from random internet cuts to constant network-wide slowdowns whenever we watched anything on Netflix. I was constantly spammed with calls trying to sell me Turkcell TV+ (even when I told them that I don't watch TV countless times), and roughly 5 months before my contract expired, trying to sell me expensive and lengthy contract renewals*.
And even when it worked, it wasn't as fast as promised, at least over WiFi (5GHz):
Meet the routers
When I first got my Home Internet, I was given a Huawei HG253, a rather bad router: No 5GHz WiFi, horrible DHCP (can't even set static assignments), etc.
This is a rather hated router according to bad internet forums apparently (yes, I called donanimhaber bad, bite me).
Back then I set up a pihole instance at home just to deal with the DHCP issues (and ofc, also to block some ads).
All in all, this is how it looked (before I did cable management; haha, I never did):
Thankfully though, the HG253 had a security vulnerability that ended up in my favor: It sent the PPPoE password to the client on the UI, and just marked the field as a password. You can literally just check the page source and get the PPPoE password. Back then I realized this and noted down the credentials (more on this later).
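The HG253 flaw comes down to a password input whose value attribute already holds the stored secret, so masking it in the browser hides nothing from the page source. An audit check for that pattern over saved admin-page HTML, as an added example that is not from the original post; the field names and sample markup are constructed.

```python
from html.parser import HTMLParser

# Constructed admin-page fragments; field names and values are made up.
VULNERABLE = '''<form><input type="text" name="ppp_user" value="subscriber@example">
<input type="password" name="ppp_pass" value="s3cret-example"></form>'''
HARDENED = '''<form><input type="text" name="ppp_user" value="subscriber@example">
<input type="password" name="ppp_pass" value="********"></form>'''


class PasswordFieldAudit(HTMLParser):
    """Collect password inputs whose value attribute carries a stored secret."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "").lower() != "password":
            return
        value = attr.get("value", "")
        # An empty value or a fixed mask such as "********" discloses nothing.
        if not value or len(set(value)) == 1:
            return
        # Record the field name and secret length only, never the secret.
        self.findings.append((attr.get("name", "?"), len(value)))


def prefilled_password_fields(html):
    """Return (field name, value length) for each password input sent pre-filled."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print("vulnerable:", prefilled_password_fields(VULNERABLE))
    print("hardened:  ", prefilled_password_fields(HARDENED))
```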
The HG253 had at least one public firmware (link of my HG253 files archive, including a user guide and firmware), and had SSH enabled.
I extracted this firmware and pretty much just explored it Back Then™, but found nothing too interesting. I think I found some hashed credentials but never bothered with hashcat-ing them. SSH was also out of question, it was ancient and even when I forced ciphers it liked to error out, I couldn't get very far with it.
I don't remember exactly what happened to this router, but IIRC it just died one day, and upon calling the support line, they replaced it with a...
The HG255S, my current ISP Router, is a fairly decent router compared to HG253 and overall to other ISP routers I've used so far: It has 5 GHz WiFi (but it sucks, you saw the speedtests earlier), decent DHCP (after the HG253 it felt nice to have), 3G modem support, built-in SIP and DECT, USB port with Samba and FTP support, etc.
However, as you may expect, most of these features are either locked down or behind a paywall. I'd honestly love to be able to modify the SIP settings so that I can have a DECT network at home that connects to my SIP network, but SOL only allows buying phone service from them. The SIP settings menu is removed from UI. More on all this later, this is what finally brought me to the point of replacing the router.
I still kept my Pihole install with this setup in order to not lose my DHCP and DNS data if my ISP ever swapped my routers again, and at that point, I was already doing a bunch of other odd stuff on that Pi anyways (like running openhab2).
“So just replace the router”
Well... Superonline doesn't allow you to replace their router if you're a fiber customer. The PPPoE credentials are not given to you even if you ask for them unless you're an enterprise customer (Relevant page for enterprise customers).
They hate the idea of you replacing the router. Whenever I call the support line with a technical problem they ask if my router is the one they gave or not.
There's literally no technical reason for this I can see, it's all red tape: The fiber cable doesn't even plug into the router, they give you a free GPON:
The fiber cable goes into that and terminates as a female RJ45 port, which then gets plugged into the WAN port on their router. After that, it's just PPPoE.
I've previously looked into getting an inexpensive router that can run DD-WRT or OpenWRT to plug into the ISP router (and to limit the use of the ISP router to just serving the DD-WRT/OpenWRT router instead), but the things I found were either incredibly high end or simply unavailable. I ordered a router that can run OpenWRT couple months ago, and the order got canceled saying that they don't actually have any left. I gave up.
The straw that broke the camel's back
Couple weeks back, I was looking into messing with the HG255S again, mostly to figure out how I can get my own SIP stuff running on it so that I wouldn't have to worry about the horrible SIP implementation on my Cisco phone, and so that I could free an Ethernet port.
While doing my usual scouring to find any new information, I stumbled upon this specific post on a bad Turkish forum mentioning them running OpenWRT on the Xiaomi Mini router, and asking if moving to that would get them better performance. I quickly checked N11 (Turkish amazon, basically) and saw that there's some other Xiaomi Mi Routers, specifically the Mi Router 4 and 4A (Gigabit Edition). I checked their OpenWRT compatibility, and after seeing that they're supported, I ordered a 4A for merely 230TRY.
I considered getting something better that costs more, but due to COVID-19, I am trying to lower my expenses.
I also went ahead and dropped ~120TRY for a bunch of different programmers to have around, lol.
More on the Mi Router 4A
It's a Xiaomi Mi Router (to be called MiR) 3Gv2, in which 3Gv2 is just 3G, but worse. If you can get one of those, go ahead. Sadly though, they're not available in Turkey. It has 3 gigabit Ethernet ports, one for WAN. It has 2.4GHz and 5GHz WiFi.
It has support for OpenWRT snapshots, though it has been broken for over a week now as part of the move to Kernel 5.4. I talk more about this later.
It runs their own OpenWRT fork called MiWiFi:
MiWiFi is fairly decent and honestly, is pretty usable by default. However, as you might expect, it's not very extensible. I wanted to use Wireguard with this router, and MiWiFi simply didn't offer that (though it did have built-in PPTP and L2TP). There are also some privacy concerns I have with Xiaomi due to the amount of telemetry my Xiaomi Mi phone sends.
It has two ways of getting proper OpenWRT on it:
The physical way
You can go the physical way by opening up the device, dumping the SPI, changing the uboot parameters, then flashing it back.
This is safer as you have a point to recover to if you somehow manage to softbrick, but in the end, there are people who posted their own images on the Internet (which will change your MAC address btw, you'll need to edit your MAC back if you flash those images).
Note that I was unable to successfully dump the SPI, as I couldn't get the programmer to see it. I also couldn't find enough information on several parts of this process before I could even attempt it, so here are some tips:
- For the most part, follow this guide
- There are two Phillips screws on these spots, after you unscrew them you need to pry open the back, I recommend using a card to do this.
- Different versions of spiflash have different names for the GD25Q128C chip, for me, it was GD25Q127C/GD25Q128C. Check yours with flashrom -L | grep -B1 -A1 GD25Q128C. If it's on a newline (like this), then you have to include the string from the last line too.
The other approach is the lazy one: use the software exploit, OpenWRTInvasion. This is what I ended up doing in the end.
FWIW, to get stok (session token), open the panel (http://192.168.31.1) and log in. It will be on the URL:
OpenWRT on MiR 4A time
Shortly after it arrived, I ended up installing a build from the OpenWRT forum, as the latest builds reportedly soft-bricked the device. I spent the day setting it up and learning how to use Luci (the Web UI) and OpenWRT.
Sadly though, I realized shortly after that I wouldn't be able to run Wireguard on it for some time as:
- MiR 4A doesn't have stable releases, just snapshots.
- The build I installed was an unofficial build (I later tried another build and it was one too).
- Snapshots do not have packages for older versions (except kmods, but obviously only for official builds— I tried force installing one with a matching kernel version, but it obviously didn't work as it couldn't match the symbols).
- The OpenWRT image builder uses the latest packages from the repo.
- Official snapshots do not get archived, which means that I couldn't switch to an official version.
So a couple days later, I decided to make my own build. Being scared of bricking my router (even if I could recover from it, I didn't want the hassle), I ended up spending hours trying to find which commit was the last safe one and then realized that the version I'm running included a git hash in the version code. Oops. I ended up going with that one.
So I set up an OpenWRT build environment and built it for the first time, and while praying to tech gods to not lead to a brick, I flashed it.
And it worked... though it was missing Luci and a bunch of other packages as I compiled them as modules, not as mandatory. Apparently, module means that you just get the ipks, while mandatory means that you get the ipks AND it gets built into the image.
I SSH'd in and installed the Luci modules I compiled (it was painful, it's like 10 packages), then did another build with everything set as mandatory.
And sure enough, it worked! I quickly posted my build and talked about my success in the OpenWRT forum.
All basic functionality worked as expected AND it had the wireguard kmod, so I could call it a success, right? Well, no.
I just couldn't get wireguard to work, it did show as connected on the router, but when I checked on the peers, it didn't show up. I never used OpenWRT before so I had no idea if I was doing something wrong or not, so I simply noted that down on the forum post and moved on.
The next day though, someone who's an OpenWRT dev posted about a patch they proposed to fix the issue on master. I quickly applied the patch, improved the set of packages I include, compiled, flashed, confirmed that it worked and posted a build to the forum.
I had to reset the settings to get it to work due to these DTS changes, and after a reconfiguration, I was happy to see that wireguard actually worked... mostly.
While it did work for IPv4, IPv6 just kept not working. This happened when I tried 6in4 too, which is rather annoying as I've been wanting IPv6 at home for some time. I think IPv6 is just broken somehow. I'll dig into it more later.
Edit, a couple days later: IPv6 on router was okay, however there were two issues:
- The server I was Wireguarding to ended up having constant issues due to upstream, leading to IPv6 downtime for some time (without me realizing it, oops).
- I had no idea how to properly distribute an IPv6 block to LAN with Wireguard, and I still don't. Yell at me with instructions here.
Anyhow, I got it working. See the conclusion for more details.
This is mostly where the state of affairs is right now. A modified version of the proposed patch was merged into master, and I also posted a build including that, but there's not much noteworthy there, nothing in the build was changed.
Extracting SOL's PPPoE creds
And as promised, what you came for: PPPoE magic.
Well, first of all, I tried using the PPPoE credentials I extracted from the HG253, but they didn't work. It'd probably work if I still had the HG253, but it probably changed when my router was being changed to an HG255S. That's all there is to the “I'll get to this later”. Yep.
There are guides out there that talk about how you can extract the credentials, but these are all aimed at people who don't use Linux: they are helpful to people who aren't familiar with Linux, but waste the time of those who are. Some are better tho, but IMO could be improved.
Here's my take at it:
- Log into your router, find the PPPoE username. It should look like this: [email protected]. Note it down.
- Install rp-pppoe. On Debian-based distros:
# apt install pppoe
On Arch-based distros:
# pacman -S rp-pppoe
- Edit /etc/ppp/pppoe-server-options. Change the contents to:
# PPP options for the PPPoE server
# LIC: GPL
require-pap
login
lcp-echo-interval 10
lcp-echo-failure 2
show-password
debug
logfile /var/log/pppoe-server-log
- Edit /etc/ppp/pap-secrets. Change the contents to (replace REPLACETHISWITHYOURUSERNAME with your username):
# Secrets for authentication using PAP
# client server secret IP addresses
"REPLACETHISWITHYOURUSERNAME" * ""
- Create the log file for rp-pppoe:
# touch /var/log/pppoe-server-log; chmod 0774 /var/log/pppoe-server-log
- Find your ethernet interface with ip a. Mine looks like enp3s0, it's what I'll use in the future commands, replace that with your own.
- Shut down your router, plug in a cable to the WAN port, plug the other end to your computer.
- Run # pppoe-server -F -I enp3s0 -O /etc/ppp/pppoe-server-options on a terminal, replace enp3s0 with your own interface.
- Run # tail -f /var/log/pppoe-server-log on another terminal
- Turn on your router, wait for a little until you see lines like this:
rcvd [PAP AuthReq id=0x7 user="[email protected]" password="no"]
sent [PAP AuthNak id=0x7 "Session started successfully"]
PAP peer authentication failed for [email protected]
sent [LCP TermReq id=0x2 "Authentication failed"]

script /usr/bin/pppoe -n -I enp3s0 -e 7:no:no:no:no:no:no -S '', pid 4767
Script /usr/bin/pppoe -n -I enp3s0 -e 7:no:no:no:no:no:no -S '' finished (pid 4767), status = 0x1
Take the password from the first block, and the MAC address from the second one (ignore the 7: or whatever number from the start).
Now you have everything you need to replace your SOL router.
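The log lines above contain the password because PAP sends it in clear and show-password tells pppd to log it rather than hide it. A small parser for that log, as an added example that is not part of the original post; the sample values are constructed, and the backslash escaping of quotes and backslashes inside quoted fields is an assumption about pppd's log format.

```python
import re

# Constructed pppd debug log in the format shown above; every value is made up.
SAMPLE_LOG = r'''rcvd [PAP AuthReq id=0x7 user="subscriber@example" password="p\"w\\d"]
sent [PAP AuthNak id=0x7 "Session started successfully"]
script /usr/bin/pppoe -n -I enp3s0 -e 7:2:0:5e:10:0:a1 -S '', pid 4767
'''

# Assumption: pppd backslash-escapes " and \ inside quoted fields, so a quoted
# field must not be cut at the first quote character.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
AUTHREQ = re.compile(
    r'rcvd \[PAP AuthReq id=0x[0-9a-f]+ user=' + QUOTED
    + r' password=(?:' + QUOTED + r'|(<hidden>))\]')
# "-e <number>:<peer MAC>" on the pppoe command line that pppoe-server logs.
PEER = re.compile(
    r'/pppoe .*-e (\d+):((?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})(?=\s)')


def unescape(field):
    """Undo the assumed backslash escaping of quotes and backslashes."""
    return re.sub(r'\\(["\\])', r'\1', field)


def parse_pppoe_log(text):
    """Return the PAP user/password and peer MAC found in a pppd debug log."""
    found = {"user": None, "password": None, "hidden": False, "mac": None}
    for line in text.splitlines():
        auth = AUTHREQ.search(line)
        if auth:
            found["user"] = unescape(auth.group(1))
            # Without show-password pppd logs password=<hidden> instead.
            found["hidden"] = auth.group(3) is not None
            found["password"] = None if found["hidden"] else unescape(auth.group(2))
        peer = PEER.search(line)
        if peer:
            # Zero-pad each octet; the leading number is dropped as the page says.
            found["mac"] = ":".join(f"{int(o, 16):02x}" for o in peer.group(2).split(":"))
    return found


if __name__ == "__main__":
    print(parse_pppoe_log(SAMPLE_LOG))
```

A password containing a quote or backslash has to be unescaped before it goes into the new router, which is the case the sample exercises.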
Finally: Replacing the ISP router with a MiR 4A
This is the simple part.
Plug the cable from GPON to your router.
Log onto Luci, edit WAN (and disable WAN6), change type to PPPoE, put in the username and password we got earlier into the PAP/CHAP username and password fields like this:
Then save and apply.
ssh into your router, edit /etc/config/network and find config interface 'wan'. Add a line to it (with proper indents) with something like option macaddr 'no:no:no:no:no:no', replacing no:no:no:no:no:no with the MAC address we found earlier.
Then finally run service network restart, and you'll be free from the curse that is Superonline's ISP routers.
My wifi speeds are MUCH better now :)
And I can connect to our internal network without needing to VPN on the device itself :D
Soon I'll even be able to have IPv6 at home :P
Also: Capitalism is a failure, and free market ideologies are a joke. You don't get companies competing for cheaper prices, better service and less restrictions, you get companies all limiting their customers and all of them fucking them over in different ways. I am forced to use SOL because VodafoneNet and TT both have a contract minimum of 2 years, TT is unreliable AF, and TurkNet Fiber is unavailable in 99% of Turkey, including where I live, and everyone else are just resellers.
*: I constantly turned down their offers as they were all worse than what I was already getting, or were slower than 100Mbps. I was also lied to, saying that fees would go up after the new year due to BTK, which was simply wrong, they still sell the same plan for the same price I started out my contract with. I ended up calling them 2 weeks before my contract expiry date, telling them exactly what I want (100Mbps, with contracts no longer than a year), they came up with a 15 month 100Mbps plan for 135TRY for the first 6 months, then 160TRY for the next 9. I kinda hesitated for the 15 months thing, but I said meh and agreed to it.