Regarding flashing of firmware over wireless

Discussion in 'Tomato Firmware' started by Kiwi8, Apr 25, 2008.

  1. Kiwi8

    Kiwi8 LI Guru Member

    Yeah, I know that flashing over a wired connection is generally more stable.

    I just want to find out from those who know the router technical details and/or those who know the firmware coding, whether the router makes sure it receives the whole firmware image before starting to flash, or it flashes the image bit by bit as it receives? If it's the former, then it could be safe to just flash over wireless as there will be checks, but if it's the latter, then obviously it is not safe. Which is the case for Tomato firmware? :confused:
  2. F157

    F157 LI Guru Member

    I don't know the answer to your question, I'm eager to hear about that.

    I just want to mention, that I flashed tomato on my WRT54GL more than once over wireless and never had a problem...
  3. danix71

    danix71 LI Guru Member

    I think this is the case, otherwise it was suppose to use a some kind of buffer (router's RAM??)...
  4. mstombs

    mstombs Network Guru Member

    I am pretty sure it ensures it has the the whole file on ram disk before committing to flash, and there is some form of checksum on the whole file to minimize risk of bad flash. The router has to stop a number of services to free up memory to do this, but if something goes wrong you must have wired connection to recover so it is usually an unnecessary risk. If the power fails during the actual flash write the router is bricked, but the CFE should still be accessible by tftp. If you don't have sight of the router how can you be sure someone won't turn it off...?

    A simple config error normally recoverable via the reset button is of course impossible over wireless.

    There are posts in this forum describing how a user upgraded a whole range of distributed routers (some up tall poles?) via a script and wireless with great success. YMMV.
  5. Kiwi8

    Kiwi8 LI Guru Member

    Well, there should be enough RAM for the buffer, since most typical WRT54Gs have 4 MB flash and 16MB RAM.

    But we still do not know whether the router makes sure it receives the whole firmware image before starting to flash, or it flashes the image bit by bit as it receives.
  6. luke-san

    luke-san LI Guru Member

    Always have flashed it wireless since 1.07 never had any issues.
  7. Sunspark

    Sunspark LI Guru Member

    Yeah same here, I got lazy. This is the process I follow: Reboot router, wirelessly flash in firmware (router self reboots), reboot it again.

    The reason for the 2 extra reboots is to free up ram.
  8. bigclaw

    bigclaw Network Guru Member

    I'm security-paranoid and turn off wireless administration, so I can't flash over wireless. :)
  9. nvtweak

    nvtweak LI Guru Member


    The image is flashed from RAM. If RAM cannot hold the entire image, there is possibility of bricking the router, because the checksum is not checked until after the flash. Same goes for wired or wireless when using the web interface to flash.

    However, wired connection is safer because you're less likely to get a corrupt firmware image into the router.

    Flashing with TFTP is a little different. TFTP will load the entire binary into RAM, the bootloader checks the checksum before flashing and refuses to flash if it is corrupt. This is the safest method.

    If you absolutely have to use wireless, flashing from command line (i.e. SSH) is the safest way. You can

    1) upload/download the firmware image to the router's RAM with scp/wget
    2) verify the checksum with the md5sum command to make sure the upload was successful
    3) flash it with the mtd-write command
  10. Kiwi8

    Kiwi8 LI Guru Member

    I see. If that's the case, then perhaps we can look into programming the firmware to calculate the firmware image's checksum before the actual flash.
  11. nvtweak

    nvtweak LI Guru Member

    I agree, it's a good idea.

    It doesn't make sense to me why the router would flash an invalid/incomplete image. Or even an image that is too big to fit in router's flash.

    But all of that is what I've been lead to believe could happen.

    What would be a neat feature is if you could paste the calculated MD5 checksum into the web form, then press upgrade.

    string actual_MD5 = md5sum(tomato.trx);
    If (pasted_MD5 = actual_MD5 & firmware_size <= (flash_size - 256kB_CFE))
    Show error. Not safe to flash!

    Of course you could do this already, without having any programming skills. Just follow the steps in my previous post.
  12. mstombs

    mstombs Network Guru Member

    Well, I've looked in the code and I can see where it streams the received image into a fifo buffer - but I can't see where any checks are done on the whole file. I can see the header is checked, and bootloader CFE/ language update selected. Maybe something is done in the web/gui/cgi level!
  13. danix71

    danix71 LI Guru Member

    On second thought, I think you're right. Upload into RAM->checksum->flash write. Yeah seems right.
  14. Delta221

    Delta221 Addicted to LI Member

    A few questions:

    1) What is the command syntax to flash with mtd-write? ("mtd-write -i file -d part"; what is -d part? How should it be passed?)
    2) Will it reboot automatically after the flash is complete?
    3) What would I have to type in the command prompt to execute the operations performed with "Erase all data in NVRAM (thorough)"?

  15. fyellin

    fyellin LI Guru Member

    I can answer the first two of your questions.

    1) mtd-write -i <filename> -d linux
    2) No. You have to type the reboot command yourself.
  16. fyellin

    fyellin LI Guru Member

    Looking at the sources (httpd/config.c, function wo_defaults):

    To do a partial erase, the system sets the nvram variable restore_defaults to 1, commits the change, and reboots the system. Commented out is the command "nvram defaults --yes".

    To do a full erase, the code calls "mtd-erase -d nvram" and then reboots the system.

    Note: This is purely from looking at the source code. I have never actually done this, so I have no idea if it will actual work or not, or whether this could potentially brick your system.
  17. Delta221

    Delta221 Addicted to LI Member

    Only one way to find out :)

  18. Delta221

    Delta221 Addicted to LI Member

    I tried clearing nvram, and it seems to have worked fine. After reboot, everything was cleared.... Would I be able to restore a previous configuration by downloading the .cfg file and then typing in:

    mtd-write -i file -d nvram

    What does the code say about this? :) I think these steps are useful to know in the event the http server crashes/is inaccessible.
  19. rhester72

    rhester72 Network Guru Member

    *NO*. mtd operates directly on raw partitions, your cfg dump is a text file. There is a way to make a backup of the nvram "partition" using mtd, but not with native Tomato.

  20. Delta221

    Delta221 Addicted to LI Member

    I see. What then is used to restore old configuration files?
  21. fyellin

    fyellin LI Guru Member

    nvram restore <filename>
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice