Original Tomato 1.28 by PolarCloud and Heartbleed

Discussion in 'Tomato Firmware' started by schnappi, Apr 16, 2014.

  1. schnappi

    schnappi Networkin' Nut Member

    Posted this in the large "heartbleed" thread but it is pretty intense and I didn't receive a response (I will admit it is pretty trivial for most people here).

    I use the original Tomato 1.28 firmware by PolarCloud. Since they no longer update the firmware, am I correct to assume that the heartbleed exploit will forever be present?

    Going further does anyone else use the original Tomato firmware by PolarCloud?
  2. Mate Rigo

    Mate Rigo Networkin' Nut Member

    The heartbleed bug appeared 2 years ago in the openssl releases. I think original 1.28 is way older than this, thus surely not suffering from this very bug.
    There are some sites that will check if a website is exposed to the heartbleed bug. Just config your router to be administrable from a remote connection and check it yourself. Set it to https connection of course.
  3. schnappi

    schnappi Networkin' Nut Member

    Most heartbleed website tests don't seem to work when a certificate is "invalid" (self-signed).

    Can you suggest a specific site?
  4. Mate Rigo

    Mate Rigo Networkin' Nut Member

    Last edited: Apr 18, 2014
  5. schnappi

    schnappi Networkin' Nut Member

    Hmmm....that is the site that I was using and I got (which is the same thing I got before posting here):

    "Uh-oh, something went wrong: remote error: illegal parameter"

    It's not a big deal though. Can access router through SSH and localhost instead of HTTPS (which I should be doing anyways).

    Unfortunately though just can't answer my original question if the original firmware is affected.
  6. Porter

    Porter LI Guru Member

  7. schnappi

    schnappi Networkin' Nut Member

    Will give that a try. Tomato SSH is a very limited shell. Will let everyone know if it works.
  8. MrSVT

    MrSVT LI Guru Member

    I use it, it's still my main router. I've just set up a new development environment so I did a search through all the source for the heartbeat code and I didn't find it. I think the sources are so old that they don't contain the heartbeat code in openssl.

    The tomato openssl sources seem to be from 2007 and I think the heartbleed bug was introduced around 2011-2012; this tells me that Tomato original firmware is not affected since the heartbeat functionality wasn't existing at that time.

    I hope it helps.
  9. schnappi

    schnappi Networkin' Nut Member

    That does help. It may not be a definitive answer but I think your reasoning is correct. Thank you.

    Glad to find someone running the same "old" firmware (as everyone seems to like to remind me) as myself. Have you experienced any of the issues that I have with PolarCloud's Tomato (see link below)?

  10. MrSVT

    MrSVT LI Guru Member

    I don't have any connection problem with my router. Did you activate the MAC address filter for WiFi and forget to add your Samsung device to the whitelist? I also have an Ubuntu desktop client without any problem. For Ubuntu, you have to make sure the DHCP client is activated. Usually, the router address is and not and it won't be accessible unless a valid IP address is properly set. When setting a static IP address, choose IP addresses that are not in the range of the DHCP server (I chose addresses between and and make sure that your gateway is set to; maybe set also your DNS server to

    Let me know if you get it working.
  11. schnappi

    schnappi Networkin' Nut Member

    Thanks for the suggestions...but wish it were so simple.

    It is the strangest most perplexing set of issues. Am going to clear the NVRAM and see if this resolves anything. Then will try a newer tomato version and even the old default linksys firmware.
  12. schnappi

    schnappi Networkin' Nut Member

    For anyone having similar issues who reads this:

    I upgraded to "tomato-WRT54G_WRT54GL-1.28.7635Toastman-IPT-ND-VPN.bin" and everything works perfectly. All issues have been resolved. Thank you to Toastman for great firmware! Tomato is the best!
  13. ntest7

    ntest7 Network Guru Member

    For the record, the original 1.28 (and earlier) polarcloud tomato is *NOT VULNERABLE* to the heartbleed bug, predating the bug introduction by many years.

    You can easily check for yourself which version of OpenSSL your tomato includes. Open an ssh or telnet session and type the command:
    strings /usr/lib/libcrypto.so | grep OpenSSL
    You can also run this from the Tools->System page if your router has one.

    The command will output several lines containing the version number of OpenSSL used. Only versions 1.0.1 through 1.0.1f are vulnerable.

    Earlier versions, such as 1.0.0 or 0.9.6, and version 1.0.1g and newer are not vulnerable to heartbleed.

    An old WRT54G with polarcloud tomato, still in service as an access point, shows it includes "OpenSSL 0.9.6d 9 May 2002", predating the heartbleed bug by 10 years or so.
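
An added example (not part of ntest7's post or the Tomato project): a POSIX sh helper that applies the version range stated above to the output of the `strings` command. The function names, the handling of pre-release builds, and the sample banner lines are assumptions made for illustration.

```shell
#!/bin/sh
# Classify OpenSSL version banners using the range given in the thread:
# 1.0.1 through 1.0.1f are vulnerable to heartbleed; earlier and later are not.

# heartbleed_status VERSION -> prints "vulnerable", "not vulnerable" or "unknown"
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f])      echo "vulnerable" ;;
        # Assumption of this example: pre-release 1.0.1 builds are outside the
        # range stated in the thread, so flag them for manual review.
        1.0.1-*)               echo "unknown" ;;
        [0-9]*.[0-9]*.[0-9]*)  echo "not vulnerable" ;;
        *)                     echo "unknown" ;;
    esac
}

# scan_banners: read `strings` output on stdin and print
# "<version> <status>" once for each distinct OpenSSL version found.
scan_banners() {
    sed -n 's/.*OpenSSL \([0-9][0-9a-z.-]*\) .*/\1/p' | sort -u |
    while read -r ver; do
        echo "$ver $(heartbleed_status "$ver")"
    done
}

# Constructed sample resembling what the command prints on an old router;
# only the "OpenSSL 0.9.6d 9 May 2002" banner is taken from the thread.
sample_output() {
    cat <<'EOF'
OPENSSL_CONF
MD5 part of OpenSSL 0.9.6d 9 May 2002
OpenSSL 0.9.6d 9 May 2002
EOF
}

# On the router itself the input would come from:
#   strings /usr/lib/libcrypto.so | scan_banners
sample_output | scan_banners
```

A banner inside the affected range only shows which release the library was built from: a vendor build with a backported fix, or one compiled without heartbeat support, prints the same version string.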