Kindle 3 WPA Supplicant

[RansomXvi]

Thanks for the helpful replies. I'll find some time this weekend to work on a script and get my home network foolery up and running. Sorry I'm talking so slow, I'm learning dvorak.

Ransom

[RansomXvi]

Well after a party hardy weekend I woke up to a broken kindle screen. Since then, I've got a replacement and have been working on getting it broken and submissive.

I've been researching installing an arm-linux build on the kindle for a little less restriction. Any tips would be appreciated as most threads I've seen seem outdated at best.

Anyway thanks for the tips and hope to bring some light to new topics soon.

Ransom

[Kozzi]

Is it possible to add more SSID to one script file ? Over here where I live it goes like this:
1. school
2. city
3. eduroam

So basically 3 networks that make use of same .cer and identification method. So is it possible to use the wpa_config.sh I made for ex. 1. option and just add more SSID to it? or is it possible to setup different wpa_config.sh files and include them separately on each network ?

Sorry if this is not clear enough, don't quite know how to describe it.

[Paddy-1]

Quote:

Originally Posted by otichy

After some more ICQ sessions with Caster, this seems to be a stable solution:

1. connect to your own network with the same ssid as the enterprise network you want to connect to (e.g. "eduroam")
2. do all the stuff described at: http://frakira.fi.muni.cz/~antos/201...e-and-eduroam/
3. replace the wpa_config.sh from the previous step with this code
...
Don't forget to change the LOGIN, PASSWORD and SSID (twice in the script).

I'm on Kindle FW v3.3 and tried this - but after all when I'm scanning for Networks - the kindle doesn't find any WiFi at all -and no timeout or error.

I edited the wpa_supplicant (chmod'ed: +x) as follows:

Quote:

do_start () {
start-stop-daemon -o -S -b -m -p $WPA_PIDFILE -x $WPA_SUP_BIN --
$WPA_SUP_CONF
msg "wpa supplicant started" I
/usr/local/wpa-enterprise-hack/wpa_config.sh &
}

And heres my wpa_config.sh (chmod'ed: +x):

Quote:

#!/bin/sh

sleep 6

id="`wpa_cli list_networks | grep eduroam | cut -f1 | sed -n '1p'`"

exec="`wpa_cli << EOF
set_network $id ssid \"eduroam\"
set_network $id scan_ssid 1
set_network $id key_mgmt WPA-EAP
set_network $id pairwise TKIP
set_network $id group TKIP
set_network $id eap PEAP
set_network $id identity \"MYUSERNAME@eduroam.XYZ.de\"
set_network $id password \"MYPASS\"
set_network $id phase1 \"peaplabel=0\"
set_network $id phase2 \"auth=MSCHAPV2\"
set_network $id ca_cert \"/usr/local/wpa-enterprise-hack/deutsche-telekom-root-ca-2.pem\"
enable_network $id
quit
EOF
`"
echo $exec

Can somebody help me?
Thanx,
Paddy

[tiger12506]

For some reason I had to disable wifid, dhcp, set the routes and everything. Here's currently what I have...

I turn on wireless and run this script from kiterm (could use launchpad).

In the script below, replace username, password, SSID, and IPADDRESS.1 with the appropriate values. IPADDRESS.1 is my lingo for the first three parts of your ip address and then dot 1, because that is most likely to be your gateway address.

Code:

#!/bin/sh

/etc/init.d/wifid stop

id="`wpa_cli add_network | sed -n '2p'`"

exec="`wpa_cli << EOF
set_network $id ssid \"SSID\"
set_network $id scan_ssid 1
set_network $id key_mgmt WPA-EAP
set_network $id pairwise TKIP
set_network $id group TKIP
set_network $id eap PEAP
set_network $id identity \"username\"
set_network $id password \"password\"
set_network $id phase1 \"peaplabel=0\"
set_network $id phase2 \"auth=MSCHAPV2\"
enable_network $id
quit
EOF
`"
echo $exec

sleep 5

udhcpc -i wlan0
route add default gw IPADDRESS.1
mntroot rw
cp /tmp/resolv.conf /etc/resolv.conf
mntroot ro

EDIT: I'd like to mention that this does NOT allow me to use the browser!! Anyone know how to do that?? Browser doesn't get the message that we're already connected and tries to connect to a wifi network. Can't bypass this.

[Caster]

Quote:

Originally Posted by tiger12506

For some reason I had to disable wifid, dhcp, set the routes and everything. Here's currently what I have...

EDIT: I'd like to mention that this does NOT allow me to use the browser!! Anyone know how to do that?? Browser doesn't get the message that we're already connected and tries to connect to a wifi network. Can't bypass this.

We've already been through this with otichy (well, mostly him Kindle really relies on wifid to set the things like routes and advertise to the browser etc. The solution so that you do't have to disable it is to make the network "known" to wifid by creating a simple WPA-PSK network with the same name as the desired enterprise network (e.g. using your home router) and connecting to it using the usual GUI. Then you can apply the hack without disabling any daemons.

[Mac_ON]

Quote:

Originally Posted by Paddy-1

I'm on Kindle FW v3.3 and tried this - but after all when I'm scanning for Networks - the kindle doesn't find any WiFi at all -and no timeout or error.

Can somebody help me?
Thanx,
Paddy

Hey Paddy,
I had the same problem as you did. The following script worked for me. I just used TTLS/PAP instead of PEAP/MSCHAPV2 and added an anonymous identity (not strictly speaking necessary, but good for privacy).

Code:

#!/bin/sh

sleep 6

id="`wpa_cli list_networks | grep eduroam | cut -f1 | sed -n '1p'`"

exec="`wpa_cli << EOF
set_network $id ssid \"eduroam\"
set_network $id scan_ssid 1
set_network $id key_mgmt WPA-EAP
set_network $id pairwise TKIP
set_network $id group TKIP
set_network $id eap TTLS
set_network $id identity \"LOGIN\"
set_network $id password \"PASSWORD\"
set_network $id anonymous_identity \"ANONYMOUS_IDENTITY\"
set_network $id phase1 \"peaplabel=0\"
set_network $id phase2 \"auth=PAP\"
set_network $id ca_cert \"CERTIFICATE\"
enable_network $id
quit
EOF
`"
echo $exec

[thatworkshop]

Quote:

Originally Posted by crader

It works!!!

I got WPA-Enterprise working on my Kindle. It wasn't as easy as I thought and it still needs improvement, but at least it works. I explain what I found out.

There is a wpa_supplicant.conf on the Kindle but it seems that it is not useful for us because the configuration for wifi networks is not stored there. If you delete something there your wifi will stop working (thanks @NiLuJe for the config) and if you add something it has no effect.

Then there is the file wifid.conf. Thats the file where the Kindle writes it's known wifi networks. The problem is: it's encrypted. And even if we can decrypt the file, it might not be useful. I doubt that you can write all the information that is needed for an WPA-Enterprise network in there.

The last option is wpa_cli. It's a command line interface for wpa_supplicant. You can add and delete wifi networks in there, but it will not change the wifid.conf or wpa_supplicant.conf. The changes are reverted if you turn your wifi off or restart the Kindle. But if you add a new network in there, the Kindle will use it.

So that is what I do. I wrote a script which adds my wifi network to wpa_cli and I start it when I enter ~usbNetwork in my kindle. The best way to execute the script would be in the start script for the wifi connection, but I don't want to mess with the system files.

Code:

#!/bin/sh

id="`wpa_cli add_network | sed -n '2p'`"

exec="`wpa_cli << EOF
set_network $id ssid \"YOURSSID\"
set_network $id key_mgmt WPA-EAP
set_network $id group TKIP
set_network $id eap PEAP
set_network $id identity \"YOURLOGIN\"
set_network $id anonymous_identity \"YOURANONYMOUSID\"
set_network $id password \"YOURPASSWORD\"
set_network $id phase2 \"auth=none\"
enable_network $id
quit
EOF
`"
echo $exec

Change the script and save it in usbnet/bin/

Add the following line to usbnetwork

Code:

${USBNET_BINDIR}/script

Just add it before "# Load IP config"


That's all, now you should have a working WPA-Enterprise wifi connection.

I don't have this USBNET_BINDIR which is supposed to be at /mnt/usbnet, correct? But I do have usbnetwork feature. Where should I put this script? I mean "${USBNET_BINDIR}/script"

[hawhill]

You should put it in usbnet/bin, as the post clearly tells you :-) Then there's a line you should add to another script (I think it's also in usbnet/bin). If you want to know what ${USBNET_BINDIR} does in that script after you added it, consult documentation on shell variables.

BTW: I think using launchpad is much more preferable than the more error-prone way to change scripts that do very different things...

[thatworkshop]

Quote:

Originally Posted by hawhill

You should put it in usbnet/bin, as the post clearly tells you :-) Then there's a line you should add to another script (I think it's also in usbnet/bin). If you want to know what ${USBNET_BINDIR} does in that script after you added it, consult documentation on shell variables.

BTW: I think using launchpad is much more preferable than the more error-prone way to change scripts that do very different things...

Well hawhill, as I said, I don't have the folder usbnet in /mnt/us/ but obviously have access to usbnetworking as we speak. (Touch 5.0.3)

Also, can you elaborate on the point you mentioned about launchpad please?

[ixtab]

Hi,

here's a script that I use for connecting to my WPA-EAP network. (Kindle-Touch 5.0.1) Some variables have been changed to protect the guilty. It works for me (sometimes only on the second attempt, after disabling/re-enabling WiFi), but maybe you want to give a modified version of it a try.

Code:

#!/bin/sh

CERTIFICATE=/mnt/us/wpa/ca.pem

getmonth() 
{
    case ${1} in
        Jan) echo 01 ;;
        Feb) echo 02 ;;
        Mar) echo 03 ;;
        Apr) echo 04 ;;
        May) echo 05 ;;
        Jun) echo 06 ;;
        Jul) echo 07 ;;
        Aug) echo 08 ;;
        Sep) echo 09 ;;
        Oct) echo 10 ;;
        Nov) echo 11 ;;
        Dec) echo 12 ;;
          *) echo 00 ;;
    esac
}

CERTIFDATE=$(openssl x509 -in ${CERTIFICATE} -noout -startdate|sed 's/notBefore\=//')
#remove this in production!
#CERTIFDATE='Jan 01 01:02:03 2017'

set -- ${CERTIFDATE}
MONTH=$(getmonth ${1})
CERTIFDATE="${4}-${MONTH}-${2} ${3}"
CERTIFTIME=$(date +%s -u -d "${CERTIFDATE}")

KINDLEDATE=$(date -u +"%F %T")
KINDLETIME=$(date +%s -u -d "${KINDLEDATE}")

#echo "cert3: " $CERTIFDATE $CERTIFTIME
#echo "kindle: " $KINDLEDATE $KINDLETIME

if [ ${CERTIFTIME} -gt ${KINDLETIME} ]
then
	echo "Kindle date is earlier than date of certificate!"
	echo "trying to set to 3 days past $CERTIFDATE"
	date -u "`date -u -D '%s' -d $((1323988093+60*60*24*3)) +'%F %T'`"
	sleep 3
fi


id="`wpa_cli add_network | sed -n '2p'`"

exec="`wpa_cli << EOF
set_network $id ssid \"MY_SSID\"
set_network $id scan_ssid 1
set_network $id key_mgmt WPA-EAP
set_network $id pairwise TKIP
set_network $id group TKIP
set_network $id eap PEAP
set_network $id identity \"MY_USERNAME\"
set_network $id password \"MY_PASSWORD\"
set_network $id phase1 \"peaplabel=0\"
set_network $id phase2 \"auth=MSCHAPV2\"
set_network $id ca_cert \"/mnt/us/wpa/ca.pem\"
enable_network $id
quit
EOF
`"
echo $exec

[thatworkshop]

Quote:

Originally Posted by ixtab

Hi,

here's a script that I use for connecting to my WPA-EAP network. (Kindle-Touch 5.0.1)
[/CODE]

Thank you ixtab!

Still no luck, I don't have any pem file (ca.pem)! Where should I get it? from admin of my campus?

So in hope someone will help I explain what I did:
My network is WPA2 Enterprise. I ran the following commands in my KT using ssh... here is output of "wpa_cli get_capability eap":
Selected interface 'wlan0'
MD5 TLS MSCHAPV2 PEAP TTLS GTC OTP WSC

And otput of "wpa_cli get_capability key_mgmt"
Selected interface 'wlan0'
NONE IEEE8021X

Then I put my SSID, username and password. Now, what changes should I make?
set_network $id key_mgmt WPA-EAP
or
set_network $id key_mgmt IEEE8021X

When I run your script this is what I get:

Quote:

Error opening Certificate /mnt/us/ca.pem
6502:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('/mnt/us/ca.pem','r')
6502:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load certificate
date: invalid date '-00- '
sh: 1327554884: unknown operand
wpa_cli v0.6.10 Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi> and contributors This program is free software. You can distribute it and/or modify it under the terms of the GNU General Public License version 2. Alternatively, this software may be distributed under the terms of the BSD license. See README and COPYING for more details. Selected interface 'wlan0' Interactive mode > OK > OK > OK > OK > OK > OK > OK > OK > OK > OK > OK > OK >

Obviously don't have pem file so...

[ixtab]

Yes, you need to get the certificate file of the CA which signed the certificate that the access point is using. The entire point of WPA-EAP is to make use of a PKI infrastructure, so you're definitely not getting anywhere without that ca.pem.(*)

If it's a campus network, there usually is some information around on how to access it. That almost certainly includes the required certs, and possibly other hints concerning exactly which WPA settings you should use.

(*) Yes, I know that MacOS and Ubuntu will let you access it while only giving a warning about not trusting the AP. The Kindle is more picky and *requires* the cert. This is also the reason why I have these date checks in the script -- my device sometimes just resets back the time to somewhere in 2008, and consequently the cert is deemed not valid yet and the connection refused.

[hawhill]

Quote:

Originally Posted by cscat

Well hawhill, as I said, I don't have the folder usbnet in /mnt/us/ but obviously have access to usbnetworking as we speak. (Touch 5.0.3)

Also, can you elaborate on the point you mentioned about launchpad please?

As a postscriptum: Sorry, I thought you were talking about a Kindle up to version 3. Those had/have a different approach to USB networking and I think launchpad would also be specific for Kindles up to v3 (i.e. those with keyboards).

[thatworkshop]

Quote:

Originally Posted by ixtab

If it's a campus network, there usually is some information around on how to access it. That almost certainly includes the required certs, and possibly other hints concerning exactly which WPA settings you should use.

Thanks ixtab and hawhill!

I got the certificate from my univ which is like:
-----BEGIN CERTIFICATE-----
...1 LINE OF A VERY LONG STRING OF CODE...
-----END CERTIFICATE-----

Now I got this error:

Quote:

unable to load certificate
11303:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:759:
date: invalid date '-00- '
sh: 1327597317: unknown operand

I'm trying to search and find solution myself, but I'm helpless!