Dec 18, 2015

Hardened Builds of Chaos Calmer (15.05) Stable Branch for Yacom Arv4518pw R01A & Yacom Arv7518pw

The other day I suspected one of my routers got messed up in a suspicious way. I couldn't find any proof of an attack, but there was no explanation as to why the jffs2 partition got corrupted in that way either. I have used OpenWrt for years now and not a single incident happened. But this time I've got the feeling that, perhaps because I ran something of interest to the guys who tap the network here, someone tried to fiddle with it. Again, no proof, just suspicions.

Well, alright, time to mount up some defenses.

I wanted to share these hardened builds of Chaos Calmer (15.05) Stable Branch for Yacom Arv4518pw R01A & Yacom Arv7518pw. These builds were built with just the essential parts, mainly LuCI & DNSCrypt. I had to remove IPv6 support and swap support for Arv4518pw R01A because its flash size is 4MB.

These builds were generated with a focus on security and are therefore, in most cases, incompatible with most apps in the OpenWrt software repository.


I tried a couple of times building them with grsecurity but no luck. The effort to backport patches from the latest release of grsecurity (currently kernel 4.3.3) to OpenWrt 15.05 kernel 3.18.x is just too much. I'll wait till OpenWrt Trunk and grsecurity coincide then I'll give it another try.



After flashing, consider hardening TCP/IP via sysctl options, be strict in your firewall config, follow the OpenWrt security recommendations, and set up DNSCrypt.
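One way to check the TCP/IP sysctl settings after flashing, as an added example that is not part of the original post. The baseline values are a commonly used hardening set chosen for this example, and the helper names read_value and audit_sysctl are hypothetical:

```sh
#!/bin/sh
# Added example (not from the original post): compare live kernel TCP/IP
# settings with a hardening baseline. The baseline values are an assumption
# chosen for this example; adjust them to your setup.
BASELINE='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1'

# read_value KEY [ROOT]: print the current value of a sysctl key by reading
# ROOT/<key with dots turned into slashes>. Fails if the file is unreadable.
read_value() {
    path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && tr -d ' \t\n' < "$path"
}

# audit_sysctl [ROOT]: print one line per deviation from BASELINE.
# Returns 0 when everything matches, 1 otherwise.
audit_sysctl() {
    root="${1:-/proc/sys}"
    bad=0
    for entry in $BASELINE; do
        key="${entry%%=*}"
        want="${entry#*=}"
        have="$(read_value "$key" "$root")" || have="missing"
        if [ "$have" != "$want" ]; then
            echo "DEVIATION $key: have=$have want=$want"
            bad=1
        fi
    done
    return "$bad"
}

# Run against the live system only when asked to: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_sysctl
fi
```

Values that should survive a reboot go into /etc/sysctl.conf on the router; the script only reports what the running kernel currently uses.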


I'll probably update this post later for newer Chaos Calmer builds.



OpenWrt 15.05.1 (Chaos Calmer) r49231 (April-26-2016)



OpenWrt 15.05.1 (Chaos Calmer) r49053 (March-20-2016)



OpenWrt 15.05 (Chaos Calmer) r48220 (Jan-12-2016)



OpenWrt 15.05 (Chaos Calmer) r48186 (Jan-10-2016)



OpenWrt 15.05 (Chaos Calmer) r47895 (Dec-18-2015)



Nov 21, 2015

OpenWrt 15.05 for Orange LiveBox 2.1 Arcadyan ARV7519RW22

I managed to generate an OpenWrt 15.05 image for Orange LiveBox 2.1 (Arcadyan ARV7519RW22) because the official one gives a kernel panic due to flash partitioning bugs.

This router supports both VDSL & ADSL and is quite powerful. Full specs here:

Details:
  • Synced with Chaos Calmer 15.05 Final (LuCI git-15.248.30277-3836b45)
  • Includes LuCI & default packages, as in the standard OpenWrt release.
  • Includes VDSL.bin firmware
  • Added patches to fix: VFS kernel panic / VLANs switch, LED names/colors, secondary USB.
  • Enabled FPU Emulation


Here you can download it (works for both hardware versions, R01 VR9 1.1 and R02 VR9 1.2):

Note: This image comes with VDSL support enabled by default. If you want to use this router with an ADSL line then:

  1. Edit this file:    /etc/config/network
  2. and look for this line   option xfer_mode 'ptm'     and  change it to     option xfer_mode 'atm'



Nov 19, 2015

OpenWrt 15.05 for Yacom Arcadyan ARV4518PW

I managed to generate an OpenWrt 15.05 image for ARV4518PW because the official one gives a kernel panic due to lack of space. The idea here is to get it running while stripping things that can be installed later with Extroot.

I had to do these steps to fit OpenWrt in less than 4 MB of that router's total flash memory:

  • Synced with Chaos Calmer 15.05 Final (LuCI git-15.248.30277-3836b45)
  • Disabled IPv6 support (can be restored by installing IPv6 packages mainly luci-proto-ipv6 + odhcp6c)
  • Removed swconfig package (because VLANs support is somehow still buggy. Wiki refs: 1, 2)
  • Removed debugging (useless anyway if you're not a developer)
  • Optimized compiling for size
  • Enabled FPU Emulation
  • Included LuCI
  • Added : USB2 support + Ext4 Filesystem for Extroot + block-mount

The result is an image that fits well in ARV4518PW with 108 KB of free flash space.

Here you can download it (Pay attention to your router hardware version in its back: either R01A or R01):

or

Note: if you get a "VFS not syncing" kernel panic, check your router's MTD partition sizes; you probably need to reflash a 64kb u-boot with the proper environment parameters.


What follows is just some details as a reference:

List of included packages    
$ opkg list-installed
atm-esi - 2.5.2-5
base-files - 157-r46767
block-mount - 2015-05-24-09027fc86babc3986027a0e677aca1b6999a9e14
br2684ctl - 2.5.2-5
busybox - 1.23.2-1
dnsmasq - 2.73-1
dropbear - 2015.67-1
firewall - 2015-07-27
fstools - 2015-05-24-09027fc86babc3986027a0e677aca1b6999a9e14
hostapd-common - 2015-03-25-1
iptables - 1.4.21-1
iw - 3.17-1
iwinfo - 2015-06-01-ade8b1b299cbd5748db1acf80dd3e9f567938371
jshn - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
jsonfilter - 2014-06-19-cdc760c58077f44fc40adbbe41e1556a67c1b9a9
kernel - 3.18.20-1-794b781336c70a9d477a86c93fdb83d7
kmod-ath - 3.18.20+2015-03-09-3
kmod-ath5k - 3.18.20+2015-03-09-3
kmod-atm - 3.18.20-1
kmod-cfg80211 - 3.18.20+2015-03-09-3
kmod-crypto-aes - 3.18.20-1
kmod-crypto-arc4 - 3.18.20-1
kmod-crypto-core - 3.18.20-1
kmod-crypto-hash - 3.18.20-1
kmod-fs-ext4 - 3.18.20-1
kmod-gpio-button-hotplug - 3.18.20-1
kmod-ipt-conntrack - 3.18.20-1
kmod-ipt-core - 3.18.20-1
kmod-ipt-nat - 3.18.20-1
kmod-leds-gpio - 3.18.20-1
kmod-ledtrig-usbdev - 3.18.20-1
kmod-lib-crc-ccitt - 3.18.20-1
kmod-lib-crc16 - 3.18.20-1
kmod-ltq-adsl-danube - 3.18.20+3.24.4.4-1
kmod-ltq-adsl-danube-fw-a - 0.1-1
kmod-ltq-adsl-danube-mei - 3.18.20-1
kmod-ltq-atm-danube - 3.18.20-1
kmod-ltq-hcd-danube - 3.18.20-1
kmod-mac80211 - 3.18.20+2015-03-09-3
kmod-nf-conntrack - 3.18.20-1
kmod-nf-ipt - 3.18.20-1
kmod-nf-nat - 3.18.20-1
kmod-nf-nathelper - 3.18.20-1
kmod-nls-base - 3.18.20-1
kmod-ppp - 3.18.20-1
kmod-pppoa - 3.18.20-1
kmod-pppoe - 3.18.20-1
kmod-pppox - 3.18.20-1
kmod-scsi-core - 3.18.20-1
kmod-slhc - 3.18.20-1
kmod-usb-core - 3.18.20-1
kmod-usb-storage - 3.18.20-1
kmod-usb2 - 3.18.20-1
libblobmsg-json - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
libc - 0.9.33.2-1
libgcc - 4.8-linaro-1
libip4tc - 1.4.21-1
libip6tc - 1.4.21-1
libiwinfo - 2015-06-01-ade8b1b299cbd5748db1acf80dd3e9f567938371
libiwinfo-lua - 2015-06-01-ade8b1b299cbd5748db1acf80dd3e9f567938371
libjson-c - 0.12-1
libjson-script - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
liblua - 5.1.5-1
libnl-tiny - 0.1-4
libpthread - 0.9.33.2-1
libubox - 2015-06-14-d1c66ef1131d14f0ed197b368d03f71b964e45f8
libubus - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
libubus-lua - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
libuci - 2015-04-09.1-1
libuci-lua - 2015-04-09.1-1
libxtables - 1.4.21-1
linux-atm - 2.5.2-5
ltq-adsl-app - 3.24.4.4-2
lua - 5.1.5-1
luci - git-15.248.30277-3836b45-1
luci-app-firewall - git-15.248.30277-3836b45-1
luci-base - git-15.248.30277-3836b45-1
luci-i18n-base-en - git-15.248.30277-3836b45-1
luci-i18n-firewall-en - git-15.248.30277-3836b45-1
luci-lib-ip - git-15.248.30277-3836b45-1
luci-lib-nixio - git-15.248.30277-3836b45-1
luci-mod-admin-full - git-15.248.30277-3836b45-1
luci-proto-ppp - git-15.248.30277-3836b45-1
luci-theme-bootstrap - git-15.248.30277-3836b45-1
mtd - 21
netifd - 2015-06-08-8795f9ef89626cd658f615c78c6a17e990c0dcaa
odhcpd - 2015-05-21-2ebf6c8216287983779c8ec6597d30893b914a7c
opkg - 9c97d5ecd795709c8584e972bfdf3aee3a5b846d-7
ppp - 2.4.7-6
ppp-mod-pppoa - 2.4.7-6
ppp-mod-pppoe - 2.4.7-6
procd - 2015-08-16-0da5bf2ff222d1a499172a6e09507388676b5a08
procd-nand - 2015-08-16-0da5bf2ff222d1a499172a6e09507388676b5a08
rpcd - 2015-05-17-3d655417ab44d93aad56a6d4a668daf24b127b84
ubi-utils - 1.5.1-2
ubox - 2015-07-14-907d046c8929fb74e5a3502a9498198695e62ad8
ubus - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
ubusd - 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
uci - 2015-04-09.1-1
uhttpd - 2015-08-17-f91788b809d9726126e9cf4384fedbbb0c5b8a73
uhttpd-mod-ubus - 2015-08-17-f91788b809d9726126e9cf4384fedbbb0c5b8a73
usign - 2015-05-08-cf8dcdb8a4e874c77f3e9a8e9b643e8c17b19131
wpad-mini - 2015-03-25-1

    

$ df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                  320.0K    212.0K    108.0K  66% /
/dev/root                 3.0M      3.0M         0 100% /rom
tmpfs                    29.9M    308.0K     29.6M   1% /tmp
/dev/mtdblock5          320.0K    212.0K    108.0K  66% /overlay
overlayfs:/overlay      320.0K    212.0K    108.0K  66% /
tmpfs                   512.0K         0    512.0K   0% /dev
    
    
$ cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 00010000 00002000 "uboot"
mtd1: 00010000 00010000 "uboot_env"
mtd2: 003d0000 00010000 "firmware"
mtd3: 001165fb 00010000 "kernel"
mtd4: 002b9a05 00010000 "rootfs"
mtd5: 00050000 00010000 "rootfs_data"
mtd6: 00010000 00010000 "boardconfig"







Mar 1, 2015

Flashing Yacom Arcadyan ARV4518PW with OpenWRT 14.07 / 12.09

The Arcadyan ARV4518PW router, also known as SMC-7908-ISP, is one of the few routers with a Lantiq SoC capable of connecting to the Internet with its integrated xDSL modem.





There are guides and HowTos explaining how to flash this router with OpenWRT. A UART USB-to-TTL cable is a must for flashing.

Here is a recap of all the steps.
1. Back up your router's original firmware and WiFi calibration data.
2. Flash the bootloader u-boot.
3. From u-boot, issue commands to download and install OpenWRT into the flash.


Details:

1. Backup your router's firmware & WiFi calibration data

You will need serial communication software like Putty, CuteCom or Screen installed on Linux.

Then you need to get BrnDumper from here. (Works reliably on a 32-bit Linux.)

Connect your UART cable.



Open Terminal and issue:

screen /dev/ttyUSB0 115200


Power up your router

When text starts showing up on the Terminal, hit spacebar 3 times,

then hit  !  and quit  screen.



Now open another Terminal tab/window and run brndumper as follows:

sudo ./brndumper --port=/dev/ttyUSB0


Then do a full dump and a WiFi calibration data dump:
from  $b0000000  to  $b0400000 -> full dump
from  $b03F0000  to  $b0400000 -> WiFi calibration data dump

It's going to take approx. 30 minutes.
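A check worth running on the two dumps before the bootloader is overwritten in the next step, as an added example that is not part of the original guide. It assumes the dumps were saved as raw binary files; check_dumps and is_blank are hypothetical helper names:

```sh
#!/bin/sh
# Added example (not from the original guide): sanity-check the two dumps
# before the bootloader is overwritten. Assumes raw binary dump files;
# the file names passed in are up to you.
FULL_SIZE=$((0xb0400000 - 0xb0000000))    # 4 MiB: whole flash
CALIB_SIZE=$((0xb0400000 - 0xb03F0000))   # 64 KiB: WiFi calibration data

# is_blank FILE: true if FILE holds only 0xFF or only 0x00 bytes, which is
# what an erased or unreadable flash region looks like.
is_blank() {
    [ "$(LC_ALL=C tr -d '\377' < "$1" | wc -c)" -eq 0 ] ||
    [ "$(LC_ALL=C tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# check_dumps FULL CALIB: return 0 only if both files have the expected
# size, CALIB equals the last 64 KiB of FULL, and CALIB is not blank.
check_dumps() {
    full="$1"; calib="$2"
    if [ "$(wc -c < "$full")" -ne "$FULL_SIZE" ]; then
        echo "full dump: expected $FULL_SIZE bytes"; return 1
    fi
    if [ "$(wc -c < "$calib")" -ne "$CALIB_SIZE" ]; then
        echo "calibration dump: expected $CALIB_SIZE bytes"; return 1
    fi
    if ! tail -c "$CALIB_SIZE" "$full" | cmp -s - "$calib"; then
        echo "calibration dump differs from the end of the full dump"; return 1
    fi
    if is_blank "$calib"; then
        echo "calibration dump is blank, the read probably failed"; return 1
    fi
    # Keep these hashes with the backup so later copies can be verified.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$full" "$calib"
    fi
}
```

Call it as check_dumps full.bin calib.bin with whatever names the dumps were saved under, and store the printed hashes next to the backup.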




2. flash the bootloader u-boot

When it finishes, power off the router. Start CuteCom or other serial communication software capable of sending files using XModem and change its Input Mode to "No Line End".

Power on the router. When the text starts showing up hit spacebar 3 times then hit respectively:

!
U
0 
Y

Then send u-boot file via XModem





When it's done restart the router



3. Installing OpenWRT from u-boot

Install a TFTP Server. Download either of these OpenWRT images, rename it to ARV4518PW-squashfs.image and put it into tftp folder.


Note: these images are custom compiled and patched to fix Wifi on 12.09 and let them fit well on the 4MB of flash while having extra drivers (USB2, Ext4, USB Storage) and still have enough free space to do other things.


Connect a network cable to the router and set a static IP, e.g.:

ifconfig eth0 192.168.144.100 netmask 255.255.255.0 up


The IP address 192.168.144.100 came from the output values of  printenv  which you can issue from CuteCom.


From CuteCom issue:

setenv kernel_addr 0xb0020000

saveenv

run update_openwrt




When it finishes, issue:

reset


Enjoy.

Feb 28, 2015

Flashing Movistar Zyxel P870HNU-51B with OpenWRT 14.07

With enough coffee I managed to compile OpenWRT 14.07 for Zyxel P870HNU-51B distributed by Movistar.



It was the first time I ported a new router to OpenWRT. I learned a lot. Here are some references:
This router is the successor of ZyXEL P-870HW-51a and has almost the same hardware specs as ZyXEL P-870HN-5xb but with 16MB of flash memory instead of 8MB. It's a VDSL-only router.




Downloads:
  • Original Movistar Firmware (.bin file) or, if needed, the original installable assistant (.exe), which includes that .bin file in its installation folder
  • OpenWRT 14.07 (r42625) with LuCI, 3G Modems Support, RelayD, IPv6, NTFS-3G, vFat, Ext4, USB v2, USB 1.1 OHCI, usb-storage-extras, block-mount, fdisk, Kernel with FPU + Drivers for USB Wifi Cards (ath9k-htc, brcmfmac, carl9170, libertas-usb, zd1201, zd1211rw, p54-usb, rt2500-usb, rt2800-usb, rt73-usb, rtl8187, rtl8192ce/cu/de/se)
  • A lighter OpenWRT 14.07 (r42625) with LuCI, 3G Modems Support, RelayD, IPv6, NTFS-3G, vFat, Ext4, USB v2, USB 1.1 OHCI, usb-storage-extras, block-mount, fdisk, Kernel with FPU. [WITHOUT] the extra USB Wifi cards support
  • A patch for Barrier Breaker if you need to compile it yourself.
  • OEM Bootlog if needed
  • OEM extra info if needed
  • OpenWRT Bootlog if needed

Flashing either from:
  • Router's web interface: Maintenance > Tools > Firmware
  • CFE (powering up the router while pressing the reset button a few seconds then access CFE web interface http://192.168.1.1  your OS needs a static network config)
  • Serial UART (USB-to-TTL) from CFE Bootloader. issue ATUR. Then send the firmware via XModem
  • tftp from telnet. login with 1234/1234. then issue sh to get a busybox shell, then: tftp -g -t i -f zz112BKW0b11.bin 192.168.1.2    or   tftp -g -t i -f openwrt-P870HNU-51b-squashfs-cfe.bin 192.168.1.2  (but you need to have a tftp server set up first)

The router is stable and running well. However:
  • This router's WIFI works only with b43 or with the proprietary driver, not with brcmsmac.
  • LEDs are working except for USB. I couldn't find its GPIO. Also, LAN LEDs turn on only if the cables were already attached when the router was booting up.


Enjoy it. 



Feb 18, 2015

Flashing DLink DSL-524T and DSL-G624T with OpenWRT 14.07

DLink DSL-524T was my first experience with a router that was able to connect to the Internet using OpenWRT. Its integrated DSL modem is fully supported under OpenWRT. Later I bought DLink DSL-G624T, which has the same hardware specs as DSL-524 but with an integrated wireless mini-PCI card which, while supported, offers no WPA/WPA2 encryption, only WEP, which is insecure.

Both work great under OpenWRT 10.03.1 but not under 12.09 which feels slower. While 14.07 feels snappier, it consumes all the 4MB of flash memory.

Well, today I've got some time to build a lightweight OpenWRT 14.07 for both DSL-524T and DSL-G624T.

The installation steps are documented for both.

As reference, these are the steps I did for DLink G624T.
# under root or using sudo

echo 0 > /proc/sys/net/ipv4/tcp_frto

# just a second or two after the router is powered up

ftp -n 192.168.1.199

user adam2

# adam2 as a password also

quote "SETENV mtd1,0x90010000,0x903f0000"

binary

hash

quote MEDIA FLSH

put "openwrt-ar7-generic-squashfs.bin" "openwrt-ar7-generic-squashfs.bin mtd1"

quote REBOOT

bye

 
Notes: While both DSL-524T and DSL-G624T ran OK under 14.07, you should go easy with LuCI as 16MB of RAM is really the minimum requirement. After setting things up, consider disabling LuCI for better performance. A /etc/init.d/luci disable would suffice.




A USB-to-UART (USB-to-TTL) cable is not necessary but would be helpful in case you want to know what happens while flashing it or setting it up.


Red is GND, Green is RX and White is TX

Usually you need to set up CuteCom or Putty to 38400 baud, 8 bit, no parity, 1 stop bit. Serial (/dev/ttyUSB0)



Jan 30, 2015

Flashing Movistar Zyxel P870HW-51Av2 with OpenWRT 14.07

Movistar Zyxel P870HW-51Av2 is a VDSL only router which isn't good for where I live but has a good CPU (BCM4350 V3.1 / 400MHz) and an acceptable amount of RAM (32MB) but with a limited flash space (4MB). However, it can get flashed with OpenWRT 14.07.


This router has CFE bootloader which makes flashing OpenWRT very easy using just a web browser. However, I wasn't able to trigger it by pressing Reset button for a few seconds during power on.

The trick to trigger CFE is to flash the Zyxel unbranded firmware first using the web admin console at http://192.168.1.1

After it finishes, flash this corrupted firmware like above to brick it and get the CFE prompt afterwards.

When it gets bricked you have to set a static IP for your PC (e.g. 192.168.1.2 / 255.255.255.0) and then access http://192.168.1.1

Get openwrt-P870HW-51a_v2-squashfs-cfe.bin from here and flash it. That's all.



Just as a reference, I flashed the wrong firmware by accident and it became stuck in a boot loop. I had to try to unbrick it using a USB-to-TTL.


Red is GND ; Green is RX ; White is TX


This was the first time I interacted with the Zyxel ZLD command prompt. Unbricking was easy. Just:

ATSH

ATHE

ATUR

Then I sent this file via XModem (using CuteCom under GNU-Linux or TeraTerm under Windows).