1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WRV200 Firmware Source Code

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by CalledToConstruct, Jan 25, 2008.

  1. CalledToConstruct

    CalledToConstruct LI Guru Member

    The following is probably more detailed than most people are interested in... however, I'm hoping that the firmware developer(s) are continuing to improve and therefore will find it helpful.

    I'm wondering, is it necessary to allocate 10k on the stack here:

    Code:
    void
    send_authenticate( char* realm, FILE *conn_fp)
    {
        char header[10000];
    
        (void) snprintf(header, sizeof(header), "WWW-Authenticate: Basic realm=\"%s\"", realm );
        DBGMSG("header=<%s>", header);
        send_error( 401, "Unauthorized", header, "Authorization required.", conn_fp);
    }
    
    Maybe 'realm' often ends up with 9k or so, but I'm guessing not. Instead, it might be better to determine the strlen(realm) and tack on a few extra bytes for the rest of the text, then allocate the buffer to what is needed.

    It appears that realm may only be 64 bytes:

    Code:
    /* Basic authorization userid and passwd limit */
    #define AUTH_MAX_NAME 64
    ...
    static char auth_realm[AUTH_MAX_NAME];
    ...
    send_authenticate(auth_realm, conn_fp);
    
    but I haven't looked for every possible combination.

    // Joe

    -- so much source code, so little time...
     
  2. Toxic

    Toxic Administrator Staff Member

    Thanks for that, I'll pass it on.
     
  3. CalledToConstruct

    CalledToConstruct LI Guru Member

    Of course, now that I've had a few hours sleep, and I'm looking at my post again, I realize... I forgot the following pieces of info: (doh)

    send_authenticate is located in user/httpd/httpd.c
    and I'm looking through the last published source (firmware version 1.0.32.2)

    If it is ok with you Simon, I'll post further questions or suggestions in this thread... obviously, I don't have the latest source, nor an endless supply of WRV200s... so I doubt I'll be building updated versions and trying them out... but at least I will try to contribute by posting suggestions here.

    // Joe
     
  4. CalledToConstruct

    CalledToConstruct LI Guru Member

    VPN connection time is incorrect:

    When I connect via QuickVPN, then view the Status :: VPN Clients, it correctly shows the time that I connected (for instance: Fri Jan 25 22:42:21 2008), but the duration is off by 5 hours (I'm in Ohio, GMT - 5) and upon disconnect, the End Time is incorrect as well (for instance: Sat Jan 26 04:05:55 2008 ... should have been Fri Jan 25 23:05:55 2008)

    Can anyone else confirm this behavior with Firmware 1.0.36? Is it corrected in 1.0.37?

    // Joe
     
  5. Toxic

    Toxic Administrator Staff Member

    yes, please post any findings here.
     
  6. CalledToConstruct

    CalledToConstruct LI Guru Member

    As of firmware 1.0.32.2, the WRV200 is using: openswan-2.4.5dr3 for the IPSEC implementation... in poking around, I see that: openswan-2.4.9 is available at: http://www.openswan.org/code

    I am not sure that the issues fixed would be issues facing any of us... nor are we able to determine which version of openswan is being used in newer firmware versions (except perhaps by viewing the log (via logviewer) during the startup sequence)... maybe 1.0.37 already has the updates applied?

    //

    I found the following line(s) in the gemtek_config file to be quite interesting:

    CONFIG_RTL865X_LOADER_SUPPORT_TFTP=y

    Kind of indicates tftp support... anyone brave enough to try firmware upgrades via tftp? :D

    CONFIG_SERIAL=y
    CONFIG_SERIAL_CONSOLE=y

    Does this indicate that a serial port is available on the board somewhere? Perhaps only available on the dev. boards? IDK, just interesting.

    #
    # Code maturity level options
    #
    CONFIG_EXPERIMENTAL=y

    Now, THAT is funny. (maybe not)

    // Joe
     
  7. CalledToConstruct

    CalledToConstruct LI Guru Member

    Ok, now some nitty gritty...

    Code:
    static void
    handle_request(int conn_fd, FILE *conn_fp)
    {
        char line[10000], *cur;
    
        ...
    		
        /* Parse the first line of the request. */
        #ifdef USE_SSL
        if ( https_fgets( line, sizeof(line), conn_fp ) == (char*) 0 )
        ...
    
    Code:
    char *https_fgets(char *s , int size , FILE *stream)
    {
        ...
        char *p = s ;
        char c ;
        int r, len =0 ;
    
        while(1) {
            r = SSL_read(ssl, &c, 1);
            if( r <= 0 )
                break;
    
            *p++ = c ;
            len++;
            if( c == '\n' || len == size )
                break;
        }
    	
        *p='\0';
        ...
    
    Let's say line was declared as 1 byte in length instead of 10,000:

    char line[1], *cur;

    and the first packet of our request was 2 bytes and a carriage return... the above call to https_fgets would receive a pointer to a 1 byte buffer in memory, size = 1 and our connection pointer.

    The first pass through the while loop would read a single character from the input buffer (via the connection pointer) and would set the first (and only) byte of line to that character. Next, the p++ would cause *p to point to the byte just past the end of the line buffer... len is incremented to 1, which == size so the while loop is exited.

    Last, *p (pointed just past the end of line) is set to 0; thus corrupting memory.

    While this does not represent a major threat, it is a potential problem as any request whose first line meets or exceeds the 10k buffer size, will cause the 0 to be written past the end of the buffer.

    If the variables are allocated on the stack in the order they are declared, the corruption would likely effect the cur pointer, which is used shortly thereafter:

    Code:
    while ( https_fgets( cur, line + sizeof(line) - cur, conn_fp ) != (char*) 0 )
    
    or, if the stack grows downward (I can't remember at the moment), it could damage an unknown value pushed on the stack just prior to calling handle_request.

    I'm still looking to see if this code is executed before or after it determines whether the request is from the WAN port (requests from the WAN port are blocked, unless the request arrives on the Remote Administration port and Remote Admin is enabled).

    //////////

    One way to resolve the issue in the code above is to change:
    Code:
    if( c == '\n' || len == size )
        break;
    
    to:
    Code:
    if( c == '\n' || len == (size-1) )
        break;
    
    //////////

    GASP! This code is reachable via a login attempt to the VPN port (60443 or 443)... therefore any request sent to the WRV200 with VPN enabled on 60443 or 443 containing 10k or more before the first carriage return, would cause a buffer overrun; possibly crashing httpd, or worse.

    Now, I can't really blame the https_fgets author for not catching this... the basic fgets call suffers the same fate. :(

    However, I did discover this little gem in another implementation of fgets (found in two other places for this firmware, modified to show how it would look in https_fgets):

    Code:
        ...
        if (c == '\r') c='\n';
        *(p++)=c;
        len++;
        if( c == '\n' || len == (size-1) )
            break;
        ...
    
    In the first line, the character read from the buffer is converted from a '\r' to a '\n' so it can be detected in the last line of that block, thus catching carriage return or line feed characters equally.

    // Joe
     
  8. DerToob

    DerToob LI Guru Member

    1.0.37 is using 2.4.5dr3


    By the way:

    i would offer my WRV200 device to test your 'corrected' firmware if you get round compiling it, even if there is a risk to brick it...
    just sick of trying more and more beta's..
     
  9. CalledToConstruct

    CalledToConstruct LI Guru Member

    It appears that the base-64 decode routine suffers from the same issue as above (buffer overrun potential):

    Code:
        l = b64_decode( &(authorization[6]), authinfo, sizeof(authinfo) );
        authinfo[l] = '\0';
    
    as the function b64_decode will stop when it has filled authinfo to capacity (if the input meets or exceeds sizeof(authinfo)) and the line following will write the '\0' character beyond the end of the buffer.

    Lucky for us, the variable that would likely be corrupted, in this case, is quickly set (overwritten):

    Code:
        authpass = strchr( authinfo, ':' );
    
    I'd still feel better knowing that the buffer is not overrun in the first place.

    // Joe
     
  10. CalledToConstruct

    CalledToConstruct LI Guru Member

    I'm not sure if this next issue has an *easy* resolution. :(

    I see:

    Code:
    /* We create an auth_ip table to record the ipaddress which 
     * logs in the webui with wrong username and passwd.
     * Block ip at 3rd time authention fail. 
     */
    static int auth_fail_time[10];
    static char auth_ip[10][32];
    ...
    ...
    /* If array is full, we clean reset all array anyway, and then put this ip into the first array location */
    
    Which tells me that the router will block up to ten IP addresses if they attempt to login (remote admin or lan-side admin) with an invalid password. This is pretty good, but not fool proof... I now know, I can use eleven or more machines (or less if they are multi-homed) to circumvent the IP address blocking mechanism.

    One possible solution would be to use a linked list, so the list of IP addresses to block would grow as needed, but this introduces some overhead and would open the door to an attack involving a large number of IP addresses, which would chew up memory, until memory is full.

    Either way, it is a vulnerability.

    Perhaps the best solution is to simply go into a 'hyper blocking mode' after the 10 available slots are in use and block all login attemps regardless of IP address?

    // Joe

    p.s. I wouldn't be spending so much time here if httpd was only being used as the admin GUI (a.k.a. Web GUI)... but since this is also used by quickVPN to initiate the VPN login / connection (in addition to admin and remote admin GUI), it opens a door that I don't want to be vulnerable.
     
  11. Sfor

    Sfor Network Guru Member

    I tried the TFTP on the WRV200, but I failed. The TFTP utility always tells there is no connection with the router.
     
  12. HughR

    HughR LI Guru Member

    The first thing to do is attempt to build, from the source, a binary that matches the distributed one. That would be a safe-ish starting point.

    Step two would be to add sshd (dropbear?).

    Then the fun begins.

    So far I have been too lazy and unenthusiastic to try this. If someone else is interested, I might try to help.

    PS: Openswan has advanced a lot since the version used in the WRV200. I am not part of Openswan but have a good relationship with them. I wrote most of the IKE daemon (Pluto) of FreeS/WAN, the starting point of Openswan. I'm playing with Openswan under OpenWRT on wireless routers, but not very hard.
     
  13. CalledToConstruct

    CalledToConstruct LI Guru Member

    While I'm somewhat familiar with cross-compiling... I've used GCC before... and I would love to build firmware updates... I just can't bring myself to try it out as I need this router functioning (even if it's not working 100%) :|

    Oddly enough, after days of trying, I'm able to VPN in again (with quickvpnplus however). We'll see if this holds true over the next few days.

    Anyway, I'll continue to poke around and hopefully our research will be useful to those at linksys with the resources necessary to build and test the official firmware.

    Hopefully the next firmware release will have an updated openswan? :)

    // Joe
     
  14. HughR

    HughR LI Guru Member

    In message #8 in this thread you were offered another WRV200 with which to play. Consider accepting.
    You are so optimistic.

    The Openswan folks tried to interest Linksys in a new version when the WRV200 was much earlier in the product cycle (about a year and a half ago). As I understand it, they actually visited the California offices. Nothing came of this.

    Why would Linksys be interested now, so late in the cycle?

    If they are not interested in a version upgrade, why would they be interested in a few lines of changes?

    They have not even released a new version of the firmware (betas don't count) in quite some time.

    If the community can build replacement firmware, and there is sufficient interest to spread the effort, I think that there could be a good chance of improvement.

    I hope to get around to deploying a VPN on this class of hardware. Currently I use small form factor PCs. I think that I'm going to go with OpenWRT + Openswan on ASUS WL-500gP. I bought the WRV200 because I thought that it would do what I wanted out-of-the-box. One feature that I needed (public-key authentication) was mentioned in the manual but not enabled in the GUI. Easy to fix because it is in Openswan. I mistakenly assumed something else: reliability.

    Anyway, if somebody does the hard work of getting to a functional rebuild from the source, I'd be willing to help make that useful.
     
  15. CalledToConstruct

    CalledToConstruct LI Guru Member

    You make some very good points here. Perhaps I will make an effort to compile the source ... What are the chances of getting a release of the 1.0.37 beta, so we wouldn't be taking a step backward?

    :|

    // Joe
     
  16. Toxic

    Toxic Administrator Staff Member

    afaik beta firmware source code is coming (how long is anyones guess)
     
  17. Sfor

    Sfor Network Guru Member

    After reading many threads about WRV200 devices, I do believe Linksys does not maintain the WRV200 code. Pehaps we should talk to Gemtek directly. As, apparently they are the firmware creators and maintainers.

    I've been considering building a VPN gateway by myself with a PC computer. The problem was, I found no indication what hardware I would have to use in order to match the WRV200 VPN capabilities.

    My current work around is another IPSec pass through capable router as the Gateway, while WRV200 works just as VPN gateway behind it. The total cost of both devices is still lower than other IPSec VPN capable router with the same VPN related capabilities. The Internet access seems to be working much better, now.
    Also, the WRV200 does not have WOL capability. So, the Internet gateway with WOL adds even more than a WRV200 can do.
     
  18. pablito

    pablito Network Guru Member

    Just about any old clunker will do if you keep it to a non GUI OS. There is all manner of distributions out there that would do everything you need depending on how much you are willing to work at it. Easier == more power needed as a general rule. There are firewall specific distros out there but if you're handy with linux you can roll your own so you can also run an AP on it and replicate anything that the WRV can do. As a bonus you can have more VPN capabilities because you won't be tied down to the linksys GUI that prevents doing a proper star/hub config. If you want to spend a little bit then a micro board computer is the right way to go to conserve power and space. You essentially then have the same thing but at a higher price, but I'm tired of half baked off the shelf units like the 200. The 200's price is great, the VPN works ok as long as the WAN stays up, but the rest of the unit is for the birds.
     
  19. Toxic

    Toxic Administrator Staff Member

    Smoothwall or m0n0wall need very low end hardware for a reilable firewall/vpn gateway.

    there are some hardware facts on the Monowall within this link here: http://doc.m0n0.ch/quickstartpc/
     
  20. Sfor

    Sfor Network Guru Member

    A 266 Mhz computer is able to go up to 3.5 Mb/s. If the CPU power to VPN speed ratio is a linear function, then to match the WRV200 30Mb/s VPN speed it should be necesary to use a 2.3GHz CPU. So, it does not seem to be an old clunker, for me.
     
  21. pablito

    pablito Network Guru Member

    The 200 isn't anywhere near 2G so no, you wouldn't need a lot of horsepower to run 30/mbs.
     
  22. ccbadd

    ccbadd Network Guru Member

    I believe the 200 does have hardware accelleration to offload encryption/decryptions which your PC does not.
     
  23. Toxic

    Toxic Administrator Staff Member

    Also the speed of the VPN is only as fast as your upload/download speeds. so who has a 30Mb/s upload? I dont.
     
  24. pablito

    pablito Network Guru Member

    And it still doesn't take 1+Ghz of CPU to encrypt and decrypt. I'd love to have 30mbs of upstream.... The only time I could see that needed is for an internal router. Anyone with that bandwidth outside would not be running a 200 or any linksys device I can think of.

    FYI, after the first IPSEC tunnel is up it takes little additional overhead to run more tunnels.
     
  25. Sfor

    Sfor Network Guru Member

    I'm connected through a city wide ethernet WAN. So, I do have a 100Mb/s connection between two locations. 30Mb/s is fine, but I coud use more, as well.

    I've been reading about PC security addon cards. So, the 3DES encryption does take enough CPU power for a special security CPU to be a an useful improvemnt. Like a math coprocessors or a graphics cards CPUs, the security accelerators are built to handle a paticular task and they are extremely efficient with it. Matching the same results with plain CPUs takes a lot of calculation power. That's why a BEFVP41 can handle up to 32Mb/s VPN encryption with it's security accelerator CPU.

    A good example is the cpu family used in the RV042. The VPN throughput does not change much with the CPU speed. A 266Mhz CPU encodes data with almost the same speed as a 500Mhz one. The security encryption/decryption is done by a special acceleration unit, while other tasks are managed by all purposes CPU part. So, the RV042 and RV082 do have almost the same VPN throughput, while RV082 has almost twice as fast CPU clock speed.

    Also the security encoding speed does not change much with amount of tunnels used, but it is significantly dependant on the frame size.
     
  26. pablito

    pablito Network Guru Member

    In this case you could add a crypto card and keep the CPU needs low. No sense in being limited to 30MBs if you have more available...
     
  27. Sfor

    Sfor Network Guru Member

    It's quite possible such a card would be more expensive than a WRV200.

    I found the 30Mb/s to be a very satisfying.

    My WRV200 is very unstable when comes to the plain Intenet gateway duties. It is possible the device is faulty. But, I have no way to prove it. I would love it to break down completely, so I could replace it on the warranty. Unfortunatelly only 6 months of warranty time left, now.

    I do believe the improvement of the SysLog would be a significant change. As the range of reported events is not a wide one. For an instance, it is not possible to tell the reason of a self reboot, of the router. Only the hardware reset button is reported.
     
  28. ccbadd

    ccbadd Network Guru Member

    Has anyone actually compiled the source for the wrv200? I tried a long time ago,
    I don't even remember the version. The compile fail do to some of the source being missing. I will get a copy of the latest and try again just to see.
     
  29. CalledToConstruct

    CalledToConstruct LI Guru Member

    Well, I have some minor good news.... I've setup a machine, installed all the packages, installed all the source (from the firmware 1.0.32.2) and performed the make. It did produce a firmware.img file as the Q&A indicates it should.

    I'll compare mine against the released version tomorrow (as I'm too tired tonight).

    However, I saw quite a few warning messages; AND, 1.0.32.2 was quite unstable for me when I had it installed a few weeks ago. I sure hope we can get the source for 1.0.37 (or at least 1.0.36 as that is running well for me now).

    // Joe
     
  30. Sfor

    Sfor Network Guru Member

    I would go for 1.0.34 or 1.0.37. Because, 1.0.35 and 1.0.36 were just an attempt to do something with the FTP by resetting the Internet connection every hour. As the result the VPN traffic is interrupted every hour.
     
  31. CalledToConstruct

    CalledToConstruct LI Guru Member

    I'd love to have access to 1.0.34 or 1.0.37 firmware... but that's up to the developers to release an updated source. I'm trying to stay hopeful.

    Ok, now, the results of my endeavor to compile:

    firmware 1.0.32.2:
    -----------------
    Original image file from Linksys/Gemtek: 3,797 KB
    Version compiled from source: 3,773 KB

    firmware 1.0.29:
    ---------------
    Original image file from Linksys/Gemtek: 3,811 KB
    Version compiled from source: 3,771 KB

    When I get the chance, I'm going to recompile and capture the output... then try to clean up any compile warnings (if possible)... but right from the get-go... I'm not able to produce an exact copy of the image from the sources.

    I suppose it is possible that I have a newer version of gcc 3.3.x as compared to the Linksys/Gemtek developer(s)... but there sure is a discrepency between the file sizes.

    Has anyone else been able to compile from the sources? Do you get a similar result?

    // Joe
     
  32. CalledToConstruct

    CalledToConstruct LI Guru Member

    Current status:

    I´m seeing the following warnings when running the compile... from what I can tell, the issues are not ´life threatening´ and the File not found messages are either a configuration issue on my machine or intentional. If they are intentional, the firmware is likely to work, else a brick maker.

    Anyway, here is the output (short version):

    Code:
    + ./extra/scripts/fix_includes.sh -k /home/WRV200_060103/linux-2.4.x -t mips
    + TOPDIR=. CC=/opt/toolchain_mips/bin/mips-linux-gcc /bin/sh extra/scripts/gen_bits_syscall_h.sh
    + cmp include/bits/sysnum.h include/bits/sysnum.h.new
    + rm -f include/bits/sysnum.h.new
    + install -d ../lib
    + rm -f ../lib/libm.a
    + install -m 644 libm.a ../lib
    + install -d ../lib
    + rm -f ../lib/libm.a
    + install -m 644 libm.a ../lib
    + /opt/toolchain_mips/bin/mips-linux-ld -shared --warn-common --warn-once -z combreloc -soname=libm.so.0 -o libm-0.9.26.so --whole-archive libm.a --no-whole-archive ../libc/misc/internals/interp.o -L../lib -lc /opt/toolchain_mips_nofpu/bin-ccache/../lib/gcc-lib/mips-linux-uclibc/3.3.5/libgcc.a
    + install -d ../lib
    + rm -f ../lib/libm-0.9.26.so ../lib/libm.so.0
    + install -m 644 libm-0.9.26.so ../lib
    + ln -sf libm-0.9.26.so ../lib/libm.so
    + ln -sf libm-0.9.26.so ../lib/libm.so.0
    wc: /home/WRV200_060103/images/kernel.bin.gz: No such file or directory
    expr: syntax error
    
    In file included from src/modules/GetHostByName.c:1:
    src/modules/GetHostByName.h:71: warning: useless keyword or type name in empty declaration src/modules/GetHostByName.c: In function `open_nameservers':
    src/modules/GetHostByName.c:147: warning: `return' with a value, in function returning void
    src/modules/GetHostByName.c:157: warning: `return' with a value, in function returning void
    src/modules/GetHostByName.c:167: warning: `return' with a value, in function returning void
    
    In file included from tproxy.c:71:
    NvramMalloc.h:14:1: warning: "PeterChen" redefined
    tproxy.c:58:1: warning: this is the location of the previous definition
    NvramMalloc.h:38:7: warning: no newline at end of file
    
    In file included from tproxy.c:215:
    GetHostByName.h:87:1: warning: "PeterChen" redefined
    
    In file included from tproxy.c:116:
    HostCtrl.h:19:1: warning: this is the location of the previous definition
    
    In file included from tproxy.c:215:
    GetHostByName.h:95:3: warning: no newline at end of file
    
    In file included from tproxy.c:116:
    HostCtrl.h: In function `ResetARPMap':
    HostCtrl.h:183: warning: `return' with a value, in function returning void
    HostCtrl.h: In function `GenerateArpTable':
    HostCtrl.h:365: warning: `return' with a value, in function returning void
    
    In file included from tproxy.c:215:
    GetHostByName.h: At top level:
    GetHostByName.h:71: warning: useless keyword or type name in empty declaration
    
    tproxy.c: In function `rtl8651_queryRedirectOutboundNaptFlow':
    tproxy.c:390: warning: assignment makes integer from pointer without a cast
    tproxy.c:391: warning: assignment makes integer from pointer without a cast
    
    tproxy.c: In function `TransferToBeHttp1_0':
    tproxy.c:420: warning: `return' with a value, in function returning void
    tproxy.c:476: warning: `return' with a value, in function returning void
    tproxy.c:520: warning: `return' with a value, in function returning void
    tproxy.c:525: warning: `return' with a value, in function returning void
    tproxy.c:534: warning: `return' with a value, in function returning void
    
    tproxy.c: In function `ReadFilterTypeList':
    tproxy.c:673: warning: `return' with a value, in function returning void
    tproxy.c:693: warning: `return' with a value, in function returning void
    
    tproxy.c: In function `rtl8651_BlockedSpecifiedURL':
    tproxy.c:994: warning: comparison between pointer and integer
    tproxy.c:1002: warning: comparison between pointer and integer
    
    tproxy.c: In function `ParsingURLStr':
    tproxy.c:1151: warning: `return' with a value, in function returning void
    tproxy.c:1315: warning: `return' with a value, in function returning void
    
    tproxy.c: In function `ParsingTextStr':
    tproxy.c:1678: warning: `return' with a value, in function returning void
    
    tproxy.c: In function `ParsingWeekDayStr':
    tproxy.c:1694: warning: `return' with a value, in function returning void
    tproxy.c:1697: warning: `return' with a value, in function returning void
    tproxy.c:1704: warning: `return' with a value, in function returning void
    tproxy.c:1726: warning: `return' with a value, in function returning void
    
    tproxy.c: In function `TransferTimeStr':
    tproxy.c:1735: warning: `return' with a value, in function returning void
    
    tproxy.c: In function `FillAllItemIntoTimeMap':
    tproxy.c:1785: warning: `return' with a value, in function returning void
    
    tproxy.c: In function `RcvIPCMsg':
    tproxy.c:2018: warning: return from incompatible pointer type
    
    tproxy.c: In function `GetURLStartPoint':
    tproxy.c:2098: warning: passing arg 2 of `strncmp' from incompatible pointer type
    
    tproxy.c: In function `AddingBlockedURL':
    tproxy.c:2231: warning: `return' with a value, in function returning void
    tproxy.c:2234: warning: `return' with a value, in function returning void
    tproxy.c:2242: warning: `return' with a value, in function returning void
    tproxy.c:2257: warning: `return' with a value, in function returning void
    
    tproxy.c: In function `SearchSpecificString':
    tproxy.c:2313: warning: assignment from incompatible pointer type
    tproxy.c:2344: warning: passing arg 1 of `strstr' from incompatible pointer type
    
    tproxy.c: In function `BlockProxy':
    tproxy.c:2419: warning: passing arg 2 of `strncmp' from incompatible pointer type
    
    In file included from tproxy.c:2500:
    AllowedURL.h: In function `ResetAllowedURLPolicyList':
    AllowedURL.h:192: warning: `return' with a value, in function returning void
    AllowedURL.h: In function `DumpAllowedURLPolicyList':
    AllowedURL.h:241: warning: `return' with a value, in function returning void
    AllowedURL.h: In function `FillAllowedURLPolicyList':
    AllowedURL.h:341: warning: `return' with a value, in function returning void
    
    tproxy.c: In function `main':
    tproxy.c:2532: warning: assignment makes pointer from integer without a cast
    
    tproxy.c: In function `WebFilter':
    tproxy.c:3467: warning: assignment from incompatible pointer type
    
    tproxy.c: In function `process_client_request':
    tproxy.c:3594: warning: passing arg 1 of `sprintf' from incompatible pointer type
    tproxy.c:3595: warning: passing arg 1 of `system' from incompatible pointer type
    tproxy.c:3599: warning: passing arg 1 of `sprintf' from incompatible pointer type
    tproxy.c:3600: warning: passing arg 1 of `system' from incompatible pointer type
    tproxy.c:3604: warning: passing arg 1 of `sprintf' from incompatible pointer type
    tproxy.c:3605: warning: passing arg 1 of `system' from incompatible pointer type
    tproxy.c:4036: warning: passing arg 1 of `rtl8651_BlockedSpecifiedURL' from incompatible pointer type
    
    In file included from acl.c:11:
    GetHostByName.h:95:3: warning: no newline at end of file
    
    In file included from acl.c:11:
    GetHostByName.h:71: warning: useless keyword or type name in empty declaration
    
    In file included from GetHostByName.c:1:
    GetHostByName.h:95:3: warning: no newline at end of file
    
    In file included from GetHostByName.c:1:
    GetHostByName.h:71: warning: useless keyword or type name in empty declaration
    GetHostByName.c: In function `open_nameservers':
    GetHostByName.c:145: warning: `return' with a value, in function returning void
    Schedular.c: In function `ReadFlashScheduleList':
    Schedular.c:29: warning: assignment makes pointer from integer without a cast
    
    + install -m 755 lib/ld-uClibc-0.9.26.so /home/WRV200_060103/romfs/lib
    + romfs-inst.sh -s /lib/ld-uClibc-0.9.26.so /lib/ld-linux.so.2
    
    LZMA 4.21 Copyright (c) 1999-2005 Igor Pavlov  2005-06-08
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/lib/ld-linux.so.2: No such file or directory
    make[1]: [romfs] Error 1 (ignored)
    wc: /home/WRV200_060103/images/kernel.bin.gz: No such file or directory
    expr: syntax error
    cp: cannot stat `../../Generic/romfs/etc/services': No such file or directory
    5751 blocks
    2 blocks
    
    LZMA 4.21 Copyright (c) 1999-2005 Igor Pavlov  2005-06-08
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/sbin/ipsec: File format not recognized
    make[2]: [ipkg_strip] Error 1 (ignored)
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/libexec/ipsec/auto: File format not recognized
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/libexec/ipsec/calcgoo: File format not recognized
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/libexec/ipsec/manual: File format not recognized
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/libexec/ipsec/secrets: File format not recognized
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/libexec/ipsec/setup: No such file or directory
    make[2]: [ipkg_strip] Error 1 (ignored)
    
    LZMA 4.21 Copyright (c) 1999-2005 Igor Pavlov  2005-06-08
    wc: /home/WRV200_060103/images/kernel.bin.gz: No such file or directory
    expr: syntax error
    wc: /home/WRV200_060103/images/kernel.bin.gz: No such file or directory
    expr: syntax error
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/boa: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/cfg: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/ip-down: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/ip-up: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/reboot: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/services_check: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/snmpd: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/snmpd.lz: File format not recognized
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/wizard: No such file or directory
    make[1]: [rootfs_image] Error 1 (ignored)
    
    ** This is from the 1.0.29 source.

    // Joe
     
  33. HughR

    HughR LI Guru Member

    Right.
    Do try to duplicate the distributed binary. That may well mean using an old gcc.

    If you cannot duplicate the binary (or carefully account for each divergence) you cannot be confident that you have a working build.

    I would not try to improve anything until I created a baseline source and process that exactly matched the binary.

    Another interesting attack (complementary):

    It may be worth unpacking the binary. I don't know how to do that but I suspect that it isn't too hard. Then, for example, you might be able to tell what gcc was used (I think that it should appear as a string within the kernel since it shows up in /proc/version when the kernel is running).

    If you can unpack the binary, add a little change (telnet or sshd), and repack, even that is quite interesting.
     
  34. HughR

    HughR LI Guru Member

    The open source code is in ftp://ftp.linksys.com/opensourcecode/wrv200/

    You will note that ftp://ftp.linksys.com/opensourcecode/wrv200/1.0.29 is larger than the other tarballs. It has some extra files:

    -rw-r--r-- dino/dino 150815581 2007-02-12 15:19:27 rsdk.bz2
    -rw-r--r-- dino/dino 16166786 2007-02-12 15:16:38 toolchain_mips_nofpu-3.3.5.tar.bz2
    -rw-r--r-- dino/dino 135535281 2007-02-12 15:16:25 WRV200_1_0_29_GPL_20070207.tar.gz
    -rw-r--r-- dino/dino 1686 2007-02-12 15:16:50 WRV200_GPL_Installation&QA.txt

    This is probably useful stuff. Like the right toolchain to use.

    Judging from #32, CalledToConstruct may already know this.
     
  35. CalledToConstruct

    CalledToConstruct LI Guru Member

    Interesting Hugh...

    The packages linked to from the WRV200 support page both include the toolchain (1.0.29 and 1.0.32.2) So I wonder how these packages differ from those offered on the support page?

    I'll unpack and compare the two versions.

    I agree, having a baseline compile that matches the released firmware is the only way to start. I'm not about to try out a firmware on a router that has little if any "recover from brick" option.

    // Joe
     
  36. krol

    krol Addicted to LI Member

    Hi,

    I've compiled a image from 1.0.32.2 sources (without any make clean just make) next I've loaded this image on my wrv200 and the device still works :).

    Before it I did a little change in the StatusRouterStatic.asp (ModelName from wrv200 to wrv201) and now I can see this on the router Status Page.

    I'm also able to compile image with telnetd but I don't know what next, for example what about /dev/pts - I'm going to check some settings on my wag354g with neptune software where telnet is enabled.

    Regards
     
  37. HughR

    HughR LI Guru Member

    Congratulations! This is the first report that I've read of someone other than the manufacturer building and flashing the firmware. Having it work is a bonus :)

    Can you tell us a bit more?
    What was your host system?
    Is all you typed "make" or did you have to build or install the toolchain first?
    Did you compare the files in your build with those in the binary image distributed by Linksys?
     
  38. krol

    krol Addicted to LI Member

    hi,

    What I did:
    - I downloaded sources on my slackware 12.0.0
    - I extracted the sources (WRV200_v1.0.32.2.tgz) in my /home/
    - I extracted toolchain (oolchain_mips_nofpu-3.3.5.tar) in /opt,
    - I created link /opt/toolchain_mips -> /opt/toolchain_mips_nofpu/
    - I modified PATH in /etc/profile adding "/opt/toolchain_mips/bin/"
    - probably thats all, next I ran make in /home/WRV200_060103 directory


    After it I got a image (during compilation I had similar errors as reported on this forum, also image size is not exactly the same as original) - of course I repeated compilation a few times before I loaded the firmware :). Before I loaded my firmware I installed the original linksys image extracted from 1.0.32.2 sources on my wrv200 (I think it is not necessary).

    In the next step I recompiled and loaded the firmware once again but before it I modified the mentioned status page (/home/WRV200_060103/user/httpd/www/StatusRouterStatic.asp).

    Finally I ran "make config" in /home/WRV200_060103/user/busybox
    and I enabled telnetd so now I probably have a image with telened ls -al romfs/bin:
    Code:
    -rw-r--r--  1 root root   92866 2008-04-03 14:32 snmpd.lz
    lrwxrwxrwx  1 root root       7 2008-04-03 14:32 syslogd -> busybox*
    lrwxrwxrwx  1 root root       7 2008-04-03 14:32 tar -> busybox*
    lrwxrwxrwx  1 root root       7 2008-04-03 14:32 telnetd -> busybox*
    lrwxrwxrwx  1 root root       7 2008-04-03 14:32 test -> busybox*
    

    ls -al images/firmware.img
    Code:
    -rw-r--r-- 1 root root 3866688 2008-04-03 14:34 images/firmware.img
    
    but I didn't tried to load this image on my wrv200 yet :).
     
  39. krol

    krol Addicted to LI Member

    Hi,
    Yesterday I've installed image with telnetd enabled I also enabled /dev/pts i kernel (unfortunately I don't know how to check if kernel was build with this option) - anyway my wrv still works so I'm going to modify the startup script.
    Does anybody can tell me what is needed to run busybox telned?

    I'm going to add the following lines in the startup script (etc/rc):
    Code:
    cd /dev
    mkdir pts
    cd pts
    mknod  0       c   136   0
    cd /
    mount -t devpts devpts /dev/pts
    /bin/telnetd  -l /bin/sh &
    
     
  40. krol

    krol Addicted to LI Member

    Hi,

    I've telnet to my wrv200:
    Code:
    # uname -a
    Linux (none) 2.4.26-uc0 #447 Tue Apr 8 19:34:30 CEST 2008 mips unknown
    
    # mount
    /dev/root on / type squashfs (ro)
    none on /dev type devfs (rw)
    /proc on /proc type proc (rw)
    ramfs on /var type ramfs (rw)
    devpts on /dev/pts type devpts (rw)
    
    # cat /proc/cpuinfo
    system type             : Philips Nino
    processor               : 0
    cpu model               : R3000 V0.0
    BogoMIPS                : 199.06
    wait instruction        : no
    microsecond timers      : no
    tlb_entries             : 16
    extra interrupt vector  : no
    hardware watchpoint     : no
    VCED exceptions         : not available
    VCEI exceptions         : not available
    

    I can also access the devices without /dev/pts mounted, simply running /bin/telnetd -l /bin/sh & in /etc/rc.
     
  41. CalledToConstruct

    CalledToConstruct LI Guru Member

    Wow! That's awesome!

    Now, linksys (or whomever) can we get a copy of the latest firmware source? I think the latest beta is quite stable (not perfect, but quite stable) and would be great to be able to work from that point.

    Even better, has a hardware guru looked at this thing to see if an SD slot or other memory card device could be connected to load / reload the firmware from? Anything that would help us recover from a bad firmware attempt?

    I'd love to see some Open Source development for the WRV200; I bet there are some nifty things we could do.

    // Joe
     
  42. krol

    krol Addicted to LI Member

    hi,

    Because I wanted to increment TTL so in next step I applied TTL patch from patch-o-matic-20030107.
    I was able to recompile the image but probably it's all for nothing, it looks that routing is done in hardware.

    I checked and in wrv200 ip_forward is set to 0, the device forwards traffic even if I set FORWARD policy to drop, also statistics for FORWARD chain are empty. So using iptables I can change TTL or anything only for incoming and outgoing traffic.

    Does anybody know if it is possible to switch from hardware to software routing?

    Regards
     
  43. teky97

    teky97 LI Guru Member

    Hey everyone, I apologize if this is not the best place for this, but this thread seems to be the only one diving into the firmware on the WRV200.

    I confirmed what some people have believed (but I didn't see anyone confirm) to be serial on the WRV200. A dump of the system coming online is below. I did verify that you can enter the 'a' mode to change the config, but I haven't yet poked into what is possible. Just a note, the reset switch on the board must be at a higher level than the ROME Loader since it doesn't work while in the loader.

    Code:
    (c)Copyright Realtek, Inc. 2003
    Project ROME LOADER
    Version 00.00.15(uClinux) (Jan  4 2006 19:08:47)
    [865xB] CPU Clock Rate: 200MHz, Memory Clock Rate: 140MHz
    Detected flash size: total 4MB.
    SDRAM size: 32MB
    
    --== Loader Menu ==--
    'r' to update run image
    'a' to change config
    'l' to update loader
    'g' to load run image without updating Flash
    't' to test flash memory
    'e' to erase flash memory
    
    
    Loading runtime image ...
    
    Decompress image from address: 0xbe020000
    
    Start image at address: 0x80080000
    SDRAM size: 32MB
    
    CPU revision is: 0000ff00
    
    Init MMU (16 entries)
    
    Primary instruction cache 0kB, linesize 0 bytes.
    
    Primary data cache 0kB, linesize 0 bytes.
    
    Linux version 2.4.26-uc0 (root@smb1.gemtek.com.tw) (gcc version 3.3.5) #459 Fri May 9 18:04:39 CST 2008
    
    Determined physical RAM map:
    
     memory: 02000000 @ 00000000 (usable)
    
    NOFS reserved @ 0x803bcf00
    
    On node 0 totalpages: 8192
    
    zone(0): 8192 pages.
    
    zone(1): 0 pages.
    
    zone(2): 0 pages.
    
    Kernel command line: root=/dev/mtdblock2 noinitrd
    
    IRR(0)=c0000000
    
    Calibrating delay loop... 199.06 BogoMIPS
    
    Memory: 28580k/32768k available (2779k kernel code, 4188k reserved, 116k data, 96k init, 0k highmem)
    
    Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
    
    Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
    
    Mount cache hash table entries: 512 (order: 0, 4096 bytes)
    
    Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
    
    Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
    
    Checking for 'wait' instruction...  unavailable.
    
    POSIX conformance testing by UNIFIX
    
    NEW PCI Driver...isLinuxCompliantEndianMode=False(Big Endian)
    
    [PCI] Reset Bridge ..... Finish!
    
    Find Total 8 PCI functions
    
    Found 00:08 [1814/0401] 000280 00
    
    Linux NET4.0 for Linux 2.4
    
    Based upon Swansea University Computer Society NET3.039
    
    Initializing RT netlink socket
    
    Starting kswapd
    
    devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
    
    devfs: boot_options: 0x1
    
    Squashfs 2.1-r2 (released 2004/12/15) (C) 2002-2004 Phillip Lougher
    
    pty: 256 Unix98 ptys configured
    
    Serial driver version 5.05c (2001-07-08) with MANY_PORTS SERIAL_PCI enabled
    
    Probing RTL8651 home gateway controller...
    
    Initialize RTL865x ASIC and driver
    
    chip name: 8651B, chip revid: 1
    
       Initialize mbuf...
    
       creating default 2 interfaces...eth0 IRR(6)=c0040000
    
    ===> Request IRQ 6 for eth0, ret=0
    
    eth1 ...OK
    
       creating port0~port9 for 802.1d/1s/1w...0 1 2 3 4 5 6 7 8 ..OK!
    
    Hardware watchdog enabled
    
    PPP generic driver version 2.4.2
    
    flash device: 400000 at be000000
    
     Amd/Fujitsu Extended Query Table v1.1 at 0x0040
    
    number of CFI chips: 1
    
    cfi_cmdset_0002: Disabling fast programming due to code brokenness.
    
    Creating 5 MTD partitions on "Physically mapped flash":
    
    0x00000000-0x00020000 : "boot"
    
    0x00020000-0x003e0000 : "linux"
    
    0x00135400-0x003e0000 : "romfs"
    
    mtd: partition "romfs" doesn't start on an erase block boundary -- force read-only
    
    0x003e0000-0x003f0000 : "bdinfo"
    
    0x003f0000-0x00400000 : "cfg"
    
    NET4: Linux TCP/IP 1.0 for NET4.0
    
    IP Protocols: ICMP, UDP, TCP, IGMP
    
    IP: routing cache hash table of 512 buckets, 4Kbytes
    
    TCP: Hash tables configured (established 2048 bind 4096)
    
    GRE over IPv4 tunneling driver
    
    klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.4.5dr3
    
    klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
    
    klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
    
    ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
    
    ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0
    
    ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
    
    ip_conntrack version 2.1 (256 buckets, 2048 max) - 336 bytes per conntrack
    
    ip_tables: (C) 2000-2002 Netfilter core team
    
    NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
    
    NET4: Ethernet Bridge 008 for NET4.0
    
    Bridge firewalling registered
    
    emulate opcode 0x25 at 800f73b8 
    
    VFS: Mounted root (squashfs filesystem) readonly.
    
    Mounted devfs on /dev
    
    Freeing unused kernel memory: 96k freed
    
    IRR(4)=c0c40000
    
    ===> Request IRQ 4 for serial, ret=0
    
    Using /etc/hwctl.o
    System initializing...
    # BDINFO cloning finish.
    
    Tue Sep 13 10:17:rtl8651_user_pid set to 18
    
    53 EST 2005
    lzma decode has failed!
    Bring up ext  port 6..
    
    Rx shift=10002
    
    cfg wan to dhcp client ...
    wanlan_init 4607 MTU = 1500
    
    
    Set IGMP Default Upstream interface (eth0) ... SUCCESS!!
    
    info, client (v0.9.9-pre) started
    ra0       no privaPPPoE Passthru disabled.
    
    te Drop Unknown PPPoE PADT disabled.
    
    ioIPv6 Passthru disabled.
    
    ctIPX Passthru disabled.
    
    lsNETBIOS Passthru disabled.
    
    .
    
    dhcpc client deconfig
    RTL865x Port 1 state=BLOCKING
    
    RTL865x Port 1 state=DISABLED
    
    device eth1 entered promiscuous mode
    
    lzma decode has failed!
    
    
    BusyBox v1.00-pre2 (2008.02.27-15:42+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    # RTL865x Port 1 state=BLOCKING
    
    br0: port 1(eth1) entering learning state
    
    RTL865x Port 1 state=LEARNING
    
    RTL865x VLAN STP enabled
    
    info, server (v0.9.9-pre) started
    error, max_leases value (254) not sane, setting to 49 instead
    error, Unable to open /var/udhcpd.leases for reading
     ret:remoteMgmt_tableDriverAccess() : rtl8651_addProtoStackActions 1002
    target 239.0.0.0
    SIOCDELRT: No such process
    Using /etc/rt61ap.o
    pcibios_enable_resources: already enabled when device probed.
    
    pci_request_regions: PCI regions already reserved
    
    pcibios_set_master: already done when device probed.
    
    IRR(5)=c0c40000
    
    ===> Request IRQ 5 for ra0, ret=0
    
    => Register External Device (ra0) vid (9) extPortNum (6) -- Dev (0x81fea200)
    
    register external ra0 device on extPort 6, id  1
    
    ra0 -- (rtl865x_extDev_registerUcastTxDev [660]) Register Unicast Tx Device [81fea200].
    
    (rtl865x_extDev_regCallBack [845]) Register CallBack function -- Ucast Tx (c005bf6c) Free (c005c200).
    
    connect[radius]: Network is unreachable
    Using /lib/software_watchdog.o
    Easyconf : Start easyconf() 20060313-20:00 
    Easyconf : Create multicast socket succesded! 
    Easyconf : MYIP: 192.168.3.254
    Easyconf : start easyconf and mac writer
    
    Easyconf : MYIP is 192.168.3.254
    br0: port 1(eth1) entering forwarding state
    
    RTL865x Port 1 state=FWD
    
    br0: topology change detected, propagating
    
    checking httpd ... done
    checking VpnLog ... done
    checking sendmail ...checking rt61apd ... done
    checking rt61iappd ... done
    
    
    After the unit comes up, you do get console access to the OS (without needing to modify the firmware - in this case 1.0.39).

    The serial port uses 3.3 volt levels at 38400 81N. If you are looking at the card with the ethernet connectors up the pinout is below for the port just below the RTL8651B:

    Code:
    TX      3.3v
    n/a     3.3v
    n/a     GND
    RX      GND
    n/a     
    
    Is anyone making any progress in developing their own custom firmware since April?

    -John
     
  44. Sfor

    Sfor Network Guru Member

    This is a major break through, I believe. Now, it should be possible to load a test firmware image just to the device memory. It should be also a way to "unbrick" the device.

    The development of the alternative firmware was slow, because noone knew how to recover the unit from a faulty firmware update. Now it should be much safer to experiment with the new firmware compilations.

    I can confirm, the reset button has a relatively low priority. In some cases the WRV200 does not respond to the reset button. It looks like it is just a software level reset and the hardware level reset is available only through removing the power.

    Looks like the WRT54GX v2 is using the same Realtek ROME loader and 8651B CPU.
    It is possible ROME will accept GZIP'ed images of the firmware.
    http://wiki.openwrt.org/OpenWrtDocs/Hardware/Linksys/WRT54GX
    http://wiki.openwrt.org/RTL8651BPort
     
  45. Sfor

    Sfor Network Guru Member

    According to the OpenWRT documentation the WRT54GX v2 with Realtek RTL8651B CPU are supported, already.

    Since it is the same chip as WRV200 has, it could be possible to load the OpenWRT to a WRV200.
     
  46. Sfor

    Sfor Network Guru Member

    One of my WRV200 units is over two years old. I can open it without loosing the warranty, now. I'm curious what is inside of it, but I do not want to trash it. Does anyone know how to open it safely?
     
  47. teky97

    teky97 LI Guru Member

    All you have to do is carefully pry off the four rubber feet on the bottom to expose the screws. After the screws out out the top just lifts off. If you are careful you can easily stick the feet back on when you are done.

    I looked in detail at the hardware about a month ago. Based on resistance checks, voltage levels, and a bit of reverse engineering, I'm pretty sure I found the second serial port and determined which JTAG pins do what. Unfortunately I haven't found tool support or found a spec sheet for the 8651B so I haven't tried it out yet. If anyone can point me at either of the above I'd be interested. With access to the boot-loader, it may not be essential to play with JTAG yet (until someone bricks a unit).
     
  48. krol

    krol Addicted to LI Member

    Hi,

    Do you think that it is possible not to use hardware acceleration for routing/NAT on this device?
    I found that:
    ===
    The Linux Netfilter/Iptables is replaced by the binary only ROME drivers which provides an interface to the hardware accelerator for NAT/Firewall/routing.
    ====

    Regards
     
  49. krol

    krol Addicted to LI Member

    hi,

    I finally found solution for my TTL problem. It is possible to disable TTL-1 in routing. I did it modifying rtl8651_tblDrvFwd.c (in linux-2.4.x/drivers/net/re865x/rtl865x). Maybe it is not perfect solution but now I can use my router (after half a year) with my ISP who set TTL=1 :).
     
  50. krol

    krol Addicted to LI Member

    hi,

    I noticed something interesting in 1.0.32.2GPL there is also included source code of RTL8651B driver. In 1.0.39 there are only objects files.

    regards
     
  51. bjorni87

    bjorni87 Networkin' Nut Member

  52. Toxic

    Toxic Administrator Staff Member

    i suppose so, but why reply to a 2 year old post?
     

Share This Page