The following is probably more detailed than most people are interested in... however, I'm hoping that the firmware developer(s) are continuing to improve and therefore will find it helpful. I'm wondering, is it necessary to allocate 10k on the stack here:

Code:
    void send_authenticate( char* realm, FILE *conn_fp)
    {
        char header[10000];

        (void) snprintf(header, sizeof(header), "WWW-Authenticate: Basic realm=\"%s\"", realm );
        DBGMSG("header=<%s>", header);
        send_error( 401, "Unauthorized", header, "Authorization required.", conn_fp);
    }

Maybe 'realm' often ends up with 9k or so, but I'm guessing not. Instead, it might be better to determine the strlen(realm) and tack on a few extra bytes for the rest of the text, then allocate the buffer to what is needed. It appears that realm may only be 64 bytes:

Code:
    /* Basic authorization userid and passwd limit */
    #define AUTH_MAX_NAME 64
    ...
    static char auth_realm[AUTH_MAX_NAME];
    ...
    send_authenticate(auth_realm, conn_fp);

but I haven't looked for every possible combination.

// Joe -- so much source code, so little time...
Of course, now that I've had a few hours sleep, and I'm looking at my post again, I realize... I forgot the following pieces of info: (doh) send_authenticate is located in user/httpd/httpd.c and I'm looking through the last published source (firmware version 1.0.32.2) If it is ok with you Simon, I'll post further questions or suggestions in this thread... obviously, I don't have the latest source, nor an endless supply of WRV200s... so I doubt I'll be building updated versions and trying them out... but at least I will try to contribute by posting suggestions here. // Joe
VPN connection time is incorrect: When I connect via QuickVPN, then view the Status :: VPN Clients, it correctly shows the time that I connected (for instance: Fri Jan 25 22:42:21 2008), but the duration is off by 5 hours (I'm in Ohio, GMT - 5) and upon disconnect, the End Time is incorrect as well (for instance: Sat Jan 26 04:05:55 2008 ... should have been Fri Jan 25 23:05:55 2008) Can anyone else confirm this behavior with Firmware 1.0.36? Is it corrected in 1.0.37? // Joe
As of firmware 1.0.32.2, the WRV200 is using: openswan-2.4.5dr3 for the IPSEC implementation... in poking around, I see that: openswan-2.4.9 is available at: http://www.openswan.org/code I am not sure that the issues fixed would be issues facing any of us... nor are we able to determine which version of openswan is being used in newer firmware versions (except perhaps by viewing the log (via logviewer) during the startup sequence)... maybe 1.0.37 already has the updates applied?

// I found the following line(s) in the gemtek_config file to be quite interesting:

    CONFIG_RTL865X_LOADER_SUPPORT_TFTP=y

Kind of indicates tftp support... anyone brave enough to try firmware upgrades via tftp?

    CONFIG_SERIAL=y
    CONFIG_SERIAL_CONSOLE=y

Does this indicate that a serial port is available on the board somewhere? Perhaps only available on the dev. boards? IDK, just interesting.

    #
    # Code maturity level options
    #
    CONFIG_EXPERIMENTAL=y

Now, THAT is funny. (maybe not)

// Joe
Ok, now some nitty gritty...

Code:
    static void handle_request(int conn_fd, FILE *conn_fp)
    {
        char line[10000], *cur;
        ...
        /* Parse the first line of the request. */
    #ifdef USE_SSL
        if ( https_fgets( line, sizeof(line), conn_fp ) == (char*) 0 )
        ...

Code:
    char *https_fgets(char *s , int size , FILE *stream)
    {
        ...
        char *p = s ;
        char c ;
        int r, len =0 ;

        while(1) {
            r = SSL_read(ssl, &c, 1);
            if( r <= 0 ) break;
            *p++ = c ;
            len++;
            if( c == '\n' || len == size ) break;
        }
        *p='\0';
        ...

Let's say line was declared as 1 byte in length instead of 10,000:

    char line[1], *cur;

and the first packet of our request was 2 bytes and a carriage return... the above call to https_fgets would receive a pointer to a 1 byte buffer in memory, size = 1 and our connection pointer. The first pass through the while loop would read a single character from the input buffer (via the connection pointer) and would set the first (and only) byte of line to that character. Next, the p++ would cause *p to point to the byte just past the end of the line buffer... len is incremented to 1, which == size so the while loop is exited. Last, *p (pointed just past the end of line) is set to 0; thus corrupting memory.

While this does not represent a major threat, it is a potential problem as any request whose first line meets or exceeds the 10k buffer size will cause the 0 to be written past the end of the buffer. If the variables are allocated on the stack in the order they are declared, the corruption would likely affect the cur pointer, which is used shortly thereafter:

Code:
    while ( https_fgets( cur, line + sizeof(line) - cur, conn_fp ) != (char*) 0 )

or, if the stack grows downward (I can't remember at the moment), it could damage an unknown value pushed on the stack just prior to calling handle_request.
I'm still looking to see if this code is executed before or after it determines whether the request is from the WAN port (requests from the WAN port are blocked, unless the request arrives on the Remote Administration port and Remote Admin is enabled).

//////////

One way to resolve the issue in the code above is to change:

Code:
    if( c == '\n' || len == size ) break;

to:

Code:
    if( c == '\n' || len == (size-1) ) break;

//////////

GASP! This code is reachable via a login attempt to the VPN port (60443 or 443)... therefore any request sent to the WRV200 with VPN enabled on 60443 or 443 containing 10k or more before the first carriage return, would cause a buffer overrun; possibly crashing httpd, or worse.

Now, I can't really blame the https_fgets author for not catching this... the basic fgets call suffers the same fate. However, I did discover this little gem in another implementation of fgets (found in two other places for this firmware, modified to show how it would look in https_fgets):

Code:
    ...
    if (c == '\r') c='\n';
    *(p++)=c;
    len++;
    if( c == '\n' || len == (size-1) ) break;
    ...

In the first line, the character read from the buffer is converted from a '\r' to a '\n' so it can be detected in the last line of that block, thus catching carriage return or line feed characters equally.

// Joe
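Added example (editor's illustration, not code from the WRV200 firmware or from Joe's posts above): the two posts above describe the off-by-one in https_fgets and the (size-1) fix. The block below reproduces the same loop shape, but fed from an in-memory byte string instead of SSL_read, next to a corrected reader that reserves the last byte for the NUL and folds '\r' into '\n'. The caller places a canary byte right after the buffer it hands in, so the stray NUL write can be observed without undefined behaviour. The fake_stream type, the CAP constant and the return-NULL-on-empty-read behaviour are assumptions of this example (the quoted snippet elides its return statement).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the SSL connection: a byte string and a cursor. */
struct fake_stream {
    const char *data;
    size_t len;
    size_t pos;
};

/* Reads one byte, like SSL_read(ssl, &c, 1); returns 0 at end of input. */
static int stream_read_byte(struct fake_stream *st, char *c)
{
    if (st->pos >= st->len)
        return 0;
    *c = st->data[st->pos++];
    return 1;
}

/* Same termination test as the quoted https_fgets: stops when len == size,
 * so a full buffer gets its NUL written one byte past the end. */
char *fgets_original(char *s, int size, struct fake_stream *st)
{
    char *p = s;
    char c;
    int len = 0;
    while (1) {
        if (stream_read_byte(st, &c) <= 0)
            break;
        *p++ = c;
        len++;
        if (c == '\n' || len == size)
            break;
    }
    *p = '\0';
    return len > 0 ? s : NULL;   /* assumed: NULL when nothing was read */
}

/* Corrected reader: at most size-1 payload bytes (the post's len == size-1
 * check, written as a loop bound) and '\r' treated like '\n'. */
char *fgets_fixed(char *s, int size, struct fake_stream *st)
{
    char *p = s;
    char c;
    int len = 0;
    if (size <= 0)
        return NULL;
    while (len < size - 1) {
        if (stream_read_byte(st, &c) <= 0)
            break;
        if (c == '\r')
            c = '\n';
        *p++ = c;
        len++;
        if (c == '\n')
            break;
    }
    *p = '\0';                   /* always inside the buffer */
    return len > 0 ? s : NULL;
}

#define CAP 8   /* constructed: a tiny stand-in for the 10000-byte line buffer */

/* Runs a reader against CAP bytes followed by a canary byte and reports
 * whether the canary survived (1) or was clobbered by the NUL (0). */
int canary_survives(char *(*reader)(char *, int, struct fake_stream *),
                    const char *input)
{
    char storage[CAP + 1];
    struct fake_stream st = { input, strlen(input), 0 };
    memset(storage, 'X', sizeof storage);   /* storage[CAP] is the canary */
    reader(storage, CAP, &st);
    return storage[CAP] == 'X';
}

/* Reads one line with the fixed reader and compares it to the expected text. */
int fixed_reads_line(const char *input, const char *expected)
{
    char storage[CAP + 1];
    struct fake_stream st = { input, strlen(input), 0 };
    fgets_fixed(storage, CAP, &st);
    return strcmp(storage, expected) == 0;
}

int main(void)
{
    const char *longline = "0123456789\n";   /* constructed: longer than CAP */
    printf("original, long line: canary %s\n",
           canary_survives(fgets_original, longline) ? "intact" : "overwritten");
    printf("fixed,    long line: canary %s\n",
           canary_survives(fgets_fixed, longline) ? "intact" : "overwritten");
    return 0;
}
```

The same canary trick works on the real function under a test harness: hand it a buffer that is one byte smaller than the storage behind it and check the spare byte after a request line longer than the buffer.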
1.0.37 is using 2.4.5dr3 By the way: I would offer my WRV200 device to test your 'corrected' firmware if you get round to compiling it, even if there is a risk to brick it... just sick of trying more and more betas..
It appears that the base-64 decode routine suffers from the same issue as above (buffer overrun potential):

Code:
    l = b64_decode( &(authorization[6]), authinfo, sizeof(authinfo) );
    authinfo[l] = '\0';

as the function b64_decode will stop when it has filled authinfo to capacity (if the input meets or exceeds sizeof(authinfo)) and the line following will write the '\0' character beyond the end of the buffer. Lucky for us, the variable that would likely be corrupted, in this case, is quickly set (overwritten):

Code:
    authpass = strchr( authinfo, ':' );

I'd still feel better knowing that the buffer is not overrun in the first place.

// Joe
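Added example (editor's illustration, not the firmware's b64_decode and not from Joe's post): a base64 decoder that takes the output capacity, stops when the output is full, and a wrapper that reserves one byte for the terminating NUL so that the authinfo[l] = '\0' pattern above can never land outside the buffer. The function names, the capacity argument and the sample credential string are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Maps one base64 character to its 6-bit value; -1 for '=' or junk. */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;   /* padding or anything else ends the decode */
}

/* Decodes src into dst, writing at most dstcap bytes.  Returns the number
 * of bytes written, which equals dstcap when the input is longer than the
 * buffer: exactly the case where a following dst[l] = '\0' overruns. */
size_t b64_decode_bounded(const char *src, unsigned char *dst, size_t dstcap)
{
    size_t out = 0;
    unsigned int acc = 0;   /* only the low bits are ever used */
    int bits = 0;
    for (; *src; src++) {
        int v = b64_value(*src);
        if (v < 0)
            break;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out == dstcap)
                return out;          /* output full: stop, never overrun */
            dst[out++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return out;
}

/* Safe pattern for the credential decode: leave one byte for the NUL so the
 * terminator always lands inside the buffer, even for oversized input. */
size_t decode_authinfo(const char *b64, char *authinfo, size_t cap)
{
    size_t l;
    if (cap == 0)
        return 0;
    l = b64_decode_bounded(b64, (unsigned char *)authinfo, cap - 1);
    authinfo[l] = '\0';           /* l <= cap - 1, always in bounds */
    return l;
}

/* Decodes into a buffer of 'cap' bytes guarded by a canary byte; returns 1
 * when the canary is intact and the decoded string equals 'expected'. */
int decode_matches(const char *b64, size_t cap, const char *expected)
{
    char storage[64];
    if (cap >= sizeof storage)
        return 0;
    memset(storage, 'X', sizeof storage);   /* storage[cap] is the canary */
    decode_authinfo(b64, storage, cap);
    return storage[cap] == 'X' && strcmp(storage, expected) == 0;
}

/* Shows how many bytes the bounded decoder produces for a given capacity. */
size_t decoded_len_with_cap(const char *b64, size_t cap)
{
    unsigned char buf[64];
    if (cap > sizeof buf)
        cap = sizeof buf;
    return b64_decode_bounded(b64, buf, cap);
}

int main(void)
{
    /* constructed input: base64 of "user:pass" */
    const char *cred = "dXNlcjpwYXNz";
    printf("full buffer   : %s\n", decode_matches(cred, 32, "user:pass") ? "ok" : "bad");
    printf("6-byte buffer : %s (truncated to \"user:\", canary intact)\n",
           decode_matches(cred, 6, "user:") ? "ok" : "bad");
    printf("bytes with cap 4: %zu\n", decoded_len_with_cap(cred, 4));
    return 0;
}
```

Truncating a too-long credential is the safe failure here: the comparison afterwards simply fails, whereas the original pattern spends the NUL on whatever follows authinfo on the stack.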
I'm not sure if this next issue has an *easy* resolution. I see:

Code:
    /* We create an auth_ip table to record the ipaddress which
     * logs in the webui with wrong username and passwd.
     * Block ip at 3rd time authention fail.
     */
    static int auth_fail_time[10];
    static char auth_ip[10][32];
    ...
    ...
    /* If array is full, we clean reset all array anyway, and then put this ip into the first array location */

Which tells me that the router will block up to ten IP addresses if they attempt to login (remote admin or lan-side admin) with an invalid password. This is pretty good, but not fool proof... I now know, I can use eleven or more machines (or less if they are multi-homed) to circumvent the IP address blocking mechanism.

One possible solution would be to use a linked list, so the list of IP addresses to block would grow as needed, but this introduces some overhead and would open the door to an attack involving a large number of IP addresses, which would chew up memory, until memory is full. Either way, it is a vulnerability. Perhaps the best solution is to simply go into a 'hyper blocking mode' after the 10 available slots are in use and block all login attempts regardless of IP address?

// Joe

p.s. I wouldn't be spending so much time here if httpd was only being used as the admin GUI (a.k.a. Web GUI)... but since this is also used by quickVPN to initiate the VPN login / connection (in addition to admin and remote admin GUI), it opens a door that I don't want to be vulnerable.
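Added example (editor's illustration, not the firmware's auth_ip code and not from Joe's post): a fixed-size lockout table shaped like the 10-slot auth_ip/auth_fail_time arrays, with the "block everything once the table is full" mode suggested above in place of the reset-and-reuse behaviour the firmware comment describes. The struct, the function names and the sample addresses are assumptions for illustration; the slot count and the third-failure threshold follow the quoted comment.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_SLOTS     10   /* as in the quoted arrays */
#define AUTH_FAIL_MAX  3    /* block on the 3rd failure, per the firmware comment */
#define IP_LEN         32

struct auth_table {
    char ip[AUTH_SLOTS][IP_LEN];
    int  fail[AUTH_SLOTS];
    int  used;
    int  lockdown;   /* 1 once the table overflowed: refuse every login */
};

void auth_table_init(struct auth_table *t) { memset(t, 0, sizeof *t); }

static int find_slot(const struct auth_table *t, const char *ip)
{
    int i;
    for (i = 0; i < t->used; i++)
        if (strcmp(t->ip[i], ip) == 0)
            return i;
    return -1;
}

/* Call before checking the password: 1 means refuse the attempt outright. */
int auth_is_blocked(const struct auth_table *t, const char *ip)
{
    int i;
    if (t->lockdown)
        return 1;
    i = find_slot(t, ip);
    return i >= 0 && t->fail[i] >= AUTH_FAIL_MAX;
}

/* Call after a wrong password.  When an 11th address shows up, enter
 * lockdown instead of wiping the table (wiping would let the first ten
 * addresses start over with a clean slate). */
void auth_record_failure(struct auth_table *t, const char *ip)
{
    int i = find_slot(t, ip);
    if (i < 0) {
        if (t->used == AUTH_SLOTS) {
            t->lockdown = 1;
            return;
        }
        i = t->used++;
        strncpy(t->ip[i], ip, IP_LEN - 1);
        t->ip[i][IP_LEN - 1] = '\0';
        t->fail[i] = 0;
    }
    t->fail[i]++;
}

/* Call after a correct password: clears that address's failure count. */
void auth_record_success(struct auth_table *t, const char *ip)
{
    int i = find_slot(t, ip);
    if (i >= 0)
        t->fail[i] = 0;
}

/* Demo: n failures from one constructed address; is it blocked afterwards? */
int blocked_after_failures(int n)
{
    struct auth_table t;
    int k;
    auth_table_init(&t);
    for (k = 0; k < n; k++)
        auth_record_failure(&t, "192.0.2.1");
    return auth_is_blocked(&t, "192.0.2.1");
}

/* Demo: one failure each from n distinct constructed addresses; is an
 * unrelated address then blocked (i.e. did lockdown kick in)? */
int lockdown_after_n_addresses(int n)
{
    struct auth_table t;
    char ip[IP_LEN];
    int k;
    auth_table_init(&t);
    for (k = 1; k <= n; k++) {
        snprintf(ip, sizeof ip, "10.0.0.%d", k);
        auth_record_failure(&t, ip);
    }
    return auth_is_blocked(&t, "203.0.113.9");
}

int main(void)
{
    printf("blocked after 3 failures: %d\n", blocked_after_failures(3));
    printf("lockdown after 10 addresses: %d, after 11: %d\n",
           lockdown_after_n_addresses(10), lockdown_after_n_addresses(11));
    return 0;
}
```

The caveat Joe hints at still applies: a lockdown that never expires lets a stranger keep legitimate users out, so a real implementation pairs this with a time-out or an explicit reset (auth_table_init here) from the LAN side.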
I tried the TFTP on the WRV200, but I failed. The TFTP utility always tells there is no connection with the router.
The first thing to do is attempt to build, from the source, a binary that matches the distributed one. That would be a safe-ish starting point. Step two would be to add sshd (dropbear?). Then the fun begins. So far I have been too lazy and unenthusiastic to try this. If someone else is interested, I might try to help. PS: Openswan has advanced a lot since the version used in the WRV200. I am not part of Openswan but have a good relationship with them. I wrote most of the IKE daemon (Pluto) of FreeS/WAN, the starting point of Openswan. I'm playing with Openswan under OpenWRT on wireless routers, but not very hard.
While I'm somewhat familiar with cross-compiling... I've used GCC before... and I would love to build firmware updates... I just can't bring myself to try it out as I need this router functioning (even if it's not working 100%) :| Oddly enough, after days of trying, I'm able to VPN in again (with quickvpnplus however). We'll see if this holds true over the next few days. Anyway, I'll continue to poke around and hopefully our research will be useful to those at linksys with the resources necessary to build and test the official firmware. Hopefully the next firmware release will have an updated openswan? // Joe
In message #8 in this thread you were offered another WRV200 with which to play. Consider accepting. You are so optimistic. The Openswan folks tried to interest Linksys in a new version when the WRV200 was much earlier in the product cycle (about a year and a half ago). As I understand it, they actually visited the California offices. Nothing came of this. Why would Linksys be interested now, so late in the cycle? If they are not interested in a version upgrade, why would they be interested in a few lines of changes? They have not even released a new version of the firmware (betas don't count) in quite some time. If the community can build replacement firmware, and there is sufficient interest to spread the effort, I think that there could be a good chance of improvement. I hope to get around to deploying a VPN on this class of hardware. Currently I use small form factor PCs. I think that I'm going to go with OpenWRT + Openswan on ASUS WL-500gP. I bought the WRV200 because I thought that it would do what I wanted out-of-the-box. One feature that I needed (public-key authentication) was mentioned in the manual but not enabled in the GUI. Easy to fix because it is in Openswan. I mistakenly assumed something else: reliability. Anyway, if somebody does the hard work of getting to a functional rebuild from the source, I'd be willing to help make that useful.
You make some very good points here. Perhaps I will make an effort to compile the source ... What are the chances of getting a release of the 1.0.37 beta, so we wouldn't be taking a step backward? :| // Joe
After reading many threads about WRV200 devices, I do believe Linksys does not maintain the WRV200 code. Perhaps we should talk to Gemtek directly. As, apparently they are the firmware creators and maintainers. I've been considering building a VPN gateway by myself with a PC computer. The problem was, I found no indication what hardware I would have to use in order to match the WRV200 VPN capabilities. My current work around is another IPSec pass through capable router as the Gateway, while WRV200 works just as VPN gateway behind it. The total cost of both devices is still lower than other IPSec VPN capable router with the same VPN related capabilities. The Internet access seems to be working much better, now. Also, the WRV200 does not have WOL capability. So, the Internet gateway with WOL adds even more than a WRV200 can do.
Just about any old clunker will do if you keep it to a non GUI OS. There is all manner of distributions out there that would do everything you need depending on how much you are willing to work at it. Easier == more power needed as a general rule. There are firewall specific distros out there but if you're handy with linux you can roll your own so you can also run an AP on it and replicate anything that the WRV can do. As a bonus you can have more VPN capabilities because you won't be tied down to the linksys GUI that prevents doing a proper star/hub config. If you want to spend a little bit then a micro board computer is the right way to go to conserve power and space. You essentially then have the same thing but at a higher price, but I'm tired of half baked off the shelf units like the 200. The 200's price is great, the VPN works ok as long as the WAN stays up, but the rest of the unit is for the birds.
Smoothwall or m0n0wall need very low end hardware for a reliable firewall/vpn gateway. There are some hardware facts on the m0n0wall within this link here: http://doc.m0n0.ch/quickstartpc/
A 266 MHz computer is able to go up to 3.5 Mb/s. If the CPU power to VPN speed ratio is a linear function, then to match the WRV200 30Mb/s VPN speed it should be necessary to use a 2.3GHz CPU. So, it does not seem to be an old clunker, for me.
I believe the 200 does have hardware acceleration to offload encryption/decryption which your PC does not.
Also the speed of the VPN is only as fast as your upload/download speeds. So who has a 30Mb/s upload? I don't.
And it still doesn't take 1+Ghz of CPU to encrypt and decrypt. I'd love to have 30mbs of upstream.... The only time I could see that needed is for an internal router. Anyone with that bandwidth outside would not be running a 200 or any linksys device I can think of. FYI, after the first IPSEC tunnel is up it takes little additional overhead to run more tunnels.
I'm connected through a city wide ethernet WAN. So, I do have a 100Mb/s connection between two locations. 30Mb/s is fine, but I could use more, as well. I've been reading about PC security addon cards. So, the 3DES encryption does take enough CPU power for a special security CPU to be a useful improvement. Like math coprocessors or graphics card CPUs, the security accelerators are built to handle a particular task and they are extremely efficient with it. Matching the same results with plain CPUs takes a lot of calculation power. That's why a BEFVP41 can handle up to 32Mb/s VPN encryption with its security accelerator CPU. A good example is the CPU family used in the RV042. The VPN throughput does not change much with the CPU speed. A 266MHz CPU encodes data with almost the same speed as a 500MHz one. The security encryption/decryption is done by a special acceleration unit, while other tasks are managed by the all-purpose CPU part. So, the RV042 and RV082 do have almost the same VPN throughput, while RV082 has almost twice as fast CPU clock speed. Also the security encoding speed does not change much with the amount of tunnels used, but it is significantly dependent on the frame size.
In this case you could add a crypto card and keep the CPU needs low. No sense in being limited to 30MBs if you have more available...
It's quite possible such a card would be more expensive than a WRV200. I found the 30Mb/s to be very satisfying. My WRV200 is very unstable when it comes to the plain Internet gateway duties. It is possible the device is faulty. But, I have no way to prove it. I would love it to break down completely, so I could replace it on the warranty. Unfortunately only 6 months of warranty time left, now. I do believe the improvement of the SysLog would be a significant change. As the range of reported events is not a wide one. For instance, it is not possible to tell the reason of a self reboot of the router. Only the hardware reset button is reported.
Has anyone actually compiled the source for the wrv200? I tried a long time ago, I don't even remember the version. The compile failed due to some of the source being missing. I will get a copy of the latest and try again just to see.
Well, I have some minor good news.... I've setup a machine, installed all the packages, installed all the source (from the firmware 1.0.32.2) and performed the make. It did produce a firmware.img file as the Q&A indicates it should. I'll compare mine against the released version tomorrow (as I'm too tired tonight). However, I saw quite a few warning messages; AND, 1.0.32.2 was quite unstable for me when I had it installed a few weeks ago. I sure hope we can get the source for 1.0.37 (or at least 1.0.36 as that is running well for me now). // Joe
I would go for 1.0.34 or 1.0.37. Because, 1.0.35 and 1.0.36 were just an attempt to do something with the FTP by resetting the Internet connection every hour. As the result the VPN traffic is interrupted every hour.
I'd love to have access to 1.0.34 or 1.0.37 firmware... but that's up to the developers to release an updated source. I'm trying to stay hopeful.

Ok, now, the results of my endeavor to compile:

firmware 1.0.32.2:
-----------------
Original image file from Linksys/Gemtek: 3,797 KB
Version compiled from source: 3,773 KB

firmware 1.0.29:
---------------
Original image file from Linksys/Gemtek: 3,811 KB
Version compiled from source: 3,771 KB

When I get the chance, I'm going to recompile and capture the output... then try to clean up any compile warnings (if possible)... but right from the get-go... I'm not able to produce an exact copy of the image from the sources. I suppose it is possible that I have a newer version of gcc 3.3.x as compared to the Linksys/Gemtek developer(s)... but there sure is a discrepancy between the file sizes. Has anyone else been able to compile from the sources? Do you get a similar result?

// Joe
Current status: I'm seeing the following warnings when running the compile... from what I can tell, the issues are not 'life threatening' and the File not found messages are either a configuration issue on my machine or intentional. If they are intentional, the firmware is likely to work, else a brick maker. Anyway, here is the output (short version):

Code:
    + ./extra/scripts/fix_includes.sh -k /home/WRV200_060103/linux-2.4.x -t mips
    + TOPDIR=. CC=/opt/toolchain_mips/bin/mips-linux-gcc /bin/sh extra/scripts/gen_bits_syscall_h.sh
    + cmp include/bits/sysnum.h include/bits/sysnum.h.new
    + rm -f include/bits/sysnum.h.new
    + install -d ../lib
    + rm -f ../lib/libm.a
    + install -m 644 libm.a ../lib
    + install -d ../lib
    + rm -f ../lib/libm.a
    + install -m 644 libm.a ../lib
    + /opt/toolchain_mips/bin/mips-linux-ld -shared --warn-common --warn-once -z combreloc -soname=libm.so.0 -o libm-0.9.26.so --whole-archive libm.a --no-whole-archive ../libc/misc/internals/interp.o -L../lib -lc /opt/toolchain_mips_nofpu/bin-ccache/../lib/gcc-lib/mips-linux-uclibc/3.3.5/libgcc.a
    + install -d ../lib
    + rm -f ../lib/libm-0.9.26.so ../lib/libm.so.0
    + install -m 644 libm-0.9.26.so ../lib
    + ln -sf libm-0.9.26.so ../lib/libm.so
    + ln -sf libm-0.9.26.so ../lib/libm.so.0
    wc: /home/WRV200_060103/images/kernel.bin.gz: No such file or directory
    expr: syntax error
    In file included from src/modules/GetHostByName.c:1:
    src/modules/GetHostByName.h:71: warning: useless keyword or type name in empty declaration
    src/modules/GetHostByName.c: In function `open_nameservers':
    src/modules/GetHostByName.c:147: warning: `return' with a value, in function returning void
    src/modules/GetHostByName.c:157: warning: `return' with a value, in function returning void
    src/modules/GetHostByName.c:167: warning: `return' with a value, in function returning void
    In file included from tproxy.c:71:
    NvramMalloc.h:14:1: warning: "PeterChen" redefined
    tproxy.c:58:1: warning: this is the location of the previous definition
    NvramMalloc.h:38:7: warning: no newline at end of file
    In file included from tproxy.c:215:
    GetHostByName.h:87:1: warning: "PeterChen" redefined
    In file included from tproxy.c:116:
    HostCtrl.h:19:1: warning: this is the location of the previous definition
    In file included from tproxy.c:215:
    GetHostByName.h:95:3: warning: no newline at end of file
    In file included from tproxy.c:116:
    HostCtrl.h: In function `ResetARPMap':
    HostCtrl.h:183: warning: `return' with a value, in function returning void
    HostCtrl.h: In function `GenerateArpTable':
    HostCtrl.h:365: warning: `return' with a value, in function returning void
    In file included from tproxy.c:215:
    GetHostByName.h: At top level:
    GetHostByName.h:71: warning: useless keyword or type name in empty declaration
    tproxy.c: In function `rtl8651_queryRedirectOutboundNaptFlow':
    tproxy.c:390: warning: assignment makes integer from pointer without a cast
    tproxy.c:391: warning: assignment makes integer from pointer without a cast
    tproxy.c: In function `TransferToBeHttp1_0':
    tproxy.c:420: warning: `return' with a value, in function returning void
    tproxy.c:476: warning: `return' with a value, in function returning void
    tproxy.c:520: warning: `return' with a value, in function returning void
    tproxy.c:525: warning: `return' with a value, in function returning void
    tproxy.c:534: warning: `return' with a value, in function returning void
    tproxy.c: In function `ReadFilterTypeList':
    tproxy.c:673: warning: `return' with a value, in function returning void
    tproxy.c:693: warning: `return' with a value, in function returning void
    tproxy.c: In function `rtl8651_BlockedSpecifiedURL':
    tproxy.c:994: warning: comparison between pointer and integer
    tproxy.c:1002: warning: comparison between pointer and integer
    tproxy.c: In function `ParsingURLStr':
    tproxy.c:1151: warning: `return' with a value, in function returning void
    tproxy.c:1315: warning: `return' with a value, in function returning void
    tproxy.c: In function `ParsingTextStr':
    tproxy.c:1678: warning: `return' with a value, in function returning void
    tproxy.c: In function `ParsingWeekDayStr':
    tproxy.c:1694: warning: `return' with a value, in function returning void
    tproxy.c:1697: warning: `return' with a value, in function returning void
    tproxy.c:1704: warning: `return' with a value, in function returning void
    tproxy.c:1726: warning: `return' with a value, in function returning void
    tproxy.c: In function `TransferTimeStr':
    tproxy.c:1735: warning: `return' with a value, in function returning void
    tproxy.c: In function `FillAllItemIntoTimeMap':
    tproxy.c:1785: warning: `return' with a value, in function returning void
    tproxy.c: In function `RcvIPCMsg':
    tproxy.c:2018: warning: return from incompatible pointer type
    tproxy.c: In function `GetURLStartPoint':
    tproxy.c:2098: warning: passing arg 2 of `strncmp' from incompatible pointer type
    tproxy.c: In function `AddingBlockedURL':
    tproxy.c:2231: warning: `return' with a value, in function returning void
    tproxy.c:2234: warning: `return' with a value, in function returning void
    tproxy.c:2242: warning: `return' with a value, in function returning void
    tproxy.c:2257: warning: `return' with a value, in function returning void
    tproxy.c: In function `SearchSpecificString':
    tproxy.c:2313: warning: assignment from incompatible pointer type
    tproxy.c:2344: warning: passing arg 1 of `strstr' from incompatible pointer type
    tproxy.c: In function `BlockProxy':
    tproxy.c:2419: warning: passing arg 2 of `strncmp' from incompatible pointer type
    In file included from tproxy.c:2500:
    AllowedURL.h: In function `ResetAllowedURLPolicyList':
    AllowedURL.h:192: warning: `return' with a value, in function returning void
    AllowedURL.h: In function `DumpAllowedURLPolicyList':
    AllowedURL.h:241: warning: `return' with a value, in function returning void
    AllowedURL.h: In function `FillAllowedURLPolicyList':
    AllowedURL.h:341: warning: `return' with a value, in function returning void
    tproxy.c: In function `main':
    tproxy.c:2532: warning: assignment makes pointer from integer without a cast
    tproxy.c: In function `WebFilter':
    tproxy.c:3467: warning: assignment from incompatible pointer type
    tproxy.c: In function `process_client_request':
    tproxy.c:3594: warning: passing arg 1 of `sprintf' from incompatible pointer type
    tproxy.c:3595: warning: passing arg 1 of `system' from incompatible pointer type
    tproxy.c:3599: warning: passing arg 1 of `sprintf' from incompatible pointer type
    tproxy.c:3600: warning: passing arg 1 of `system' from incompatible pointer type
    tproxy.c:3604: warning: passing arg 1 of `sprintf' from incompatible pointer type
    tproxy.c:3605: warning: passing arg 1 of `system' from incompatible pointer type
    tproxy.c:4036: warning: passing arg 1 of `rtl8651_BlockedSpecifiedURL' from incompatible pointer type
    In file included from acl.c:11:
    GetHostByName.h:95:3: warning: no newline at end of file
    In file included from acl.c:11:
    GetHostByName.h:71: warning: useless keyword or type name in empty declaration
    In file included from GetHostByName.c:1:
    GetHostByName.h:95:3: warning: no newline at end of file
    In file included from GetHostByName.c:1:
    GetHostByName.h:71: warning: useless keyword or type name in empty declaration
    GetHostByName.c: In function `open_nameservers':
    GetHostByName.c:145: warning: `return' with a value, in function returning void
    Schedular.c: In function `ReadFlashScheduleList':
    Schedular.c:29: warning: assignment makes pointer from integer without a cast
    + install -m 755 lib/ld-uClibc-0.9.26.so /home/WRV200_060103/romfs/lib
    + romfs-inst.sh -s /lib/ld-uClibc-0.9.26.so /lib/ld-linux.so.2
    LZMA 4.21 Copyright (c) 1999-2005 Igor Pavlov 2005-06-08
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/lib/ld-linux.so.2: No such file or directory
    make[1]: [romfs] Error 1 (ignored)
    wc: /home/WRV200_060103/images/kernel.bin.gz: No such file or directory
    expr: syntax error
    cp: cannot stat `../../Generic/romfs/etc/services': No such file or directory
    5751 blocks
    2 blocks
    LZMA 4.21 Copyright (c) 1999-2005 Igor Pavlov 2005-06-08
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/sbin/ipsec: File format not recognized
    make[2]: [ipkg_strip] Error 1 (ignored)
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/libexec/ipsec/auto: File format not recognized
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/libexec/ipsec/calcgoo: File format not recognized
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/libexec/ipsec/manual: File format not recognized
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/libexec/ipsec/secrets: File format not recognized
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/usr/local/libexec/ipsec/setup: No such file or directory
    make[2]: [ipkg_strip] Error 1 (ignored)
    LZMA 4.21 Copyright (c) 1999-2005 Igor Pavlov 2005-06-08
    wc: /home/WRV200_060103/images/kernel.bin.gz: No such file or directory
    expr: syntax error
    wc: /home/WRV200_060103/images/kernel.bin.gz: No such file or directory
    expr: syntax error
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/boa: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/cfg: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/ip-down: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/ip-up: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/reboot: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/services_check: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/snmpd: No such file or directory
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/snmpd.lz: File format not recognized
    /opt/toolchain_mips/bin/mips-linux-strip: /home/WRV200_060103/romfs/bin/wizard: No such file or directory
    make[1]: [rootfs_image] Error 1 (ignored)

** This is from the 1.0.29 source.

// Joe
Right. Do try to duplicate the distributed binary. That may well mean using an old gcc. If you cannot duplicate the binary (or carefully account for each divergence) you cannot be confident that you have a working build. I would not try to improve anything until I created a baseline source and process that exactly matched the binary. Another interesting attack (complementary): It may be worth unpacking the binary. I don't know how to do that but I suspect that it isn't too hard. Then, for example, you might be able to tell what gcc was used (I think that it should appear as a string within the kernel since it shows up in /proc/version when the kernel is running). If you can unpack the binary, add a little change (telnet or sshd), and repack, even that is quite interesting.
The open source code is in ftp://ftp.linksys.com/opensourcecode/wrv200/

You will note that ftp://ftp.linksys.com/opensourcecode/wrv200/1.0.29 is larger than the other tarballs. It has some extra files:

    -rw-r--r-- dino/dino 150815581 2007-02-12 15:19:27 rsdk.bz2
    -rw-r--r-- dino/dino  16166786 2007-02-12 15:16:38 toolchain_mips_nofpu-3.3.5.tar.bz2
    -rw-r--r-- dino/dino 135535281 2007-02-12 15:16:25 WRV200_1_0_29_GPL_20070207.tar.gz
    -rw-r--r-- dino/dino      1686 2007-02-12 15:16:50 WRV200_GPL_Installation&QA.txt

This is probably useful stuff. Like the right toolchain to use. Judging from #32, CalledToConstruct may already know this.
Interesting Hugh... The packages linked to from the WRV200 support page both include the toolchain (1.0.29 and 1.0.32.2) So I wonder how these packages differ from those offered on the support page? I'll unpack and compare the two versions. I agree, having a baseline compile that matches the released firmware is the only way to start. I'm not about to try out a firmware on a router that has little if any "recover from brick" option. // Joe
Hi, I've compiled an image from 1.0.32.2 sources (without any make clean, just make), next I've loaded this image on my wrv200 and the device still works. Before it I did a little change in the StatusRouterStatic.asp (ModelName from wrv200 to wrv201) and now I can see this on the router Status Page. I'm also able to compile an image with telnetd but I don't know what next, for example what about /dev/pts - I'm going to check some settings on my wag354g with neptune software where telnet is enabled. Regards
Congratulations! This is the first report that I've read of someone other than the manufacturer building and flashing the firmware. Having it work is a bonus Can you tell us a bit more? What was your host system? Is all you typed "make" or did you have to build or install the toolchain first? Did you compare the files in your build with those in the binary image distributed by Linksys?
hi, What I did:
- I downloaded sources on my slackware 12.0.0
- I extracted the sources (WRV200_v1.0.32.2.tgz) in my /home/
- I extracted toolchain (toolchain_mips_nofpu-3.3.5.tar) in /opt,
- I created link /opt/toolchain_mips -> /opt/toolchain_mips_nofpu/
- I modified PATH in /etc/profile adding "/opt/toolchain_mips/bin/"
- probably that's all, next I ran make in /home/WRV200_060103 directory

After it I got an image (during compilation I had similar errors as reported on this forum, also image size is not exactly the same as original) - of course I repeated compilation a few times before I loaded the firmware. Before I loaded my firmware I installed the original linksys image extracted from 1.0.32.2 sources on my wrv200 (I think it is not necessary). In the next step I recompiled and loaded the firmware once again but before it I modified the mentioned status page (/home/WRV200_060103/user/httpd/www/StatusRouterStatic.asp). Finally I ran "make config" in /home/WRV200_060103/user/busybox and I enabled telnetd so now I probably have an image with telnetd

ls -al romfs/bin:
Code:
    -rw-r--r-- 1 root root 92866 2008-04-03 14:32 snmpd.lz
    lrwxrwxrwx 1 root root     7 2008-04-03 14:32 syslogd -> busybox*
    lrwxrwxrwx 1 root root     7 2008-04-03 14:32 tar -> busybox*
    lrwxrwxrwx 1 root root     7 2008-04-03 14:32 telnetd -> busybox*
    lrwxrwxrwx 1 root root     7 2008-04-03 14:32 test -> busybox*

ls -al images/firmware.img
Code:
    -rw-r--r-- 1 root root 3866688 2008-04-03 14:34 images/firmware.img

but I didn't try to load this image on my wrv200 yet.
Hi, Yesterday I installed an image with telnetd enabled. I also enabled /dev/pts in the kernel (unfortunately I don't know how to check if the kernel was built with this option) - anyway my wrv still works so I'm going to modify the startup script. Can anybody tell me what is needed to run busybox telnetd? I'm going to add the following lines in the startup script (etc/rc):
Code:
cd /dev
mkdir pts
cd pts
mknod 0 c 136 0
cd /
mount -t devpts devpts /dev/pts
/bin/telnetd -l /bin/sh &
Hi, I've telnetted into my wrv200:
Code:
# uname -a
Linux (none) 2.4.26-uc0 #447 Tue Apr 8 19:34:30 CEST 2008 mips unknown
# mount
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
/proc on /proc type proc (rw)
ramfs on /var type ramfs (rw)
devpts on /dev/pts type devpts (rw)
# cat /proc/cpuinfo
system type : Philips Nino
processor : 0
cpu model : R3000 V0.0
BogoMIPS : 199.06
wait instruction : no
microsecond timers : no
tlb_entries : 16
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available
I can also access the device without /dev/pts mounted, simply running /bin/telnetd -l /bin/sh & in /etc/rc.
Wow! That's awesome! Now, linksys (or whomever) can we get a copy of the latest firmware source? I think the latest beta is quite stable (not perfect, but quite stable) and would be great to be able to work from that point. Even better, has a hardware guru looked at this thing to see if an SD slot or other memory card device could be connected to load / reload the firmware from? Anything that would help us recover from a bad firmware attempt? I'd love to see some Open Source development for the WRV200; I bet there are some nifty things we could do. // Joe
hi, Because I wanted to increment the TTL, in the next step I applied the TTL patch from patch-o-matic-20030107. I was able to recompile the image but probably it's all for nothing, it looks like routing is done in hardware. I checked and in the wrv200 ip_forward is set to 0, the device forwards traffic even if I set the FORWARD policy to drop, also the statistics for the FORWARD chain are empty. So using iptables I can change the TTL or anything only for incoming and outgoing traffic. Does anybody know if it is possible to switch from hardware to software routing? Regards
Hey everyone, I apologize if this is not the best place for this, but this thread seems to be the only one diving into the firmware on the WRV200. I confirmed what some people have believed (but I didn't see anyone confirm) to be serial on the WRV200. A dump of the system coming online is below. I did verify that you can enter the 'a' mode to change the config, but I haven't yet poked into what is possible. Just a note, the reset switch on the board must be at a higher level than the ROME Loader since it doesn't work while in the loader.
Code:
(c)Copyright Realtek, Inc. 2003
Project ROME LOADER Version 00.00.15(uClinux) (Jan 4 2006 19:08:47) [865xB]
CPU Clock Rate: 200MHz, Memory Clock Rate: 140MHz
Detected flash size: total 4MB.
SDRAM size: 32MB
--== Loader Menu ==--
'r' to update run image
'a' to change config
'l' to update loader
'g' to load run image without updating Flash
't' to test flash memory
'e' to erase flash memory
Loading runtime image ...
Decompress image from address: 0xbe020000
Start image at address: 0x80080000
SDRAM size: 32MB
CPU revision is: 0000ff00
Init MMU (16 entries)
Primary instruction cache 0kB, linesize 0 bytes.
Primary data cache 0kB, linesize 0 bytes.
Linux version 2.4.26-uc0 (root@smb1.gemtek.com.tw) (gcc version 3.3.5) #459 Fri May 9 18:04:39 CST 2008
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
NOFS reserved @ 0x803bcf00
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 noinitrd
IRR(0)=c0000000
Calibrating delay loop... 199.06 BogoMIPS
Memory: 28580k/32768k available (2779k kernel code, 4188k reserved, 116k data, 96k init, 0k highmem)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
NEW PCI Driver...isLinuxCompliantEndianMode=False(Big Endian)
[PCI] Reset Bridge ..... Finish!
Find Total 8 PCI functions
Found 00:08 [1814/0401] 000280 00
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
Squashfs 2.1-r2 (released 2004/12/15) (C) 2002-2004 Phillip Lougher
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SERIAL_PCI enabled
Probing RTL8651 home gateway controller...
Initialize RTL865x ASIC and driver
chip name: 8651B, chip revid: 1
Initialize mbuf...
creating default 2 interfaces...eth0
IRR(6)=c0040000
===> Request IRQ 6 for eth0, ret=0
eth1 ...OK
creating port0~port9 for 802.1d/1s/1w...0 1 2 3 4 5 6 7 8 ..OK!
Hardware watchdog enabled
PPP generic driver version 2.4.2
flash device: 400000 at be000000
Amd/Fujitsu Extended Query Table v1.1 at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
Creating 5 MTD partitions on "Physically mapped flash":
0x00000000-0x00020000 : "boot"
0x00020000-0x003e0000 : "linux"
0x00135400-0x003e0000 : "romfs"
mtd: partition "romfs" doesn't start on an erase block boundary -- force read-only
0x003e0000-0x003f0000 : "bdinfo"
0x003f0000-0x00400000 : "cfg"
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
GRE over IPv4 tunneling driver
klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.4.5dr3
klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0
ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
ip_conntrack version 2.1 (256 buckets, 2048 max) - 336 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
Bridge firewalling registered
emulate opcode 0x25 at 800f73b8
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 96k freed
IRR(4)=c0c40000
===> Request IRQ 4 for serial, ret=0
Using /etc/hwctl.o
System initializing...
# BDINFO cloning finish.
Tue Sep 13 10:17:rtl8651_user_pid set to 18
53 EST 2005
lzma decode has failed!
Bring up ext port 6..
Rx shift=10002
cfg wan to dhcp client ...
wanlan_init 4607 MTU = 1500
Set IGMP Default Upstream interface (eth0) ... SUCCESS!!
info, client (v0.9.9-pre) started
ra0 no privaPPPoE Passthru disabled.
te Drop Unknown PPPoE PADT disabled.
ioIPv6 Passthru disabled.
ctIPX Passthru disabled.
lsNETBIOS Passthru disabled.
.
dhcpc client deconfig
RTL865x Port 1 state=BLOCKING
RTL865x Port 1 state=DISABLED
device eth1 entered promiscuous mode
lzma decode has failed!
BusyBox v1.00-pre2 (2008.02.27-15:42+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
# RTL865x Port 1 state=BLOCKING
br0: port 1(eth1) entering learning state
RTL865x Port 1 state=LEARNING
RTL865x VLAN STP enabled
info, server (v0.9.9-pre) started
error, max_leases value (254) not sane, setting to 49 instead
error, Unable to open /var/udhcpd.leases for reading
ret:remoteMgmt_tableDriverAccess() : rtl8651_addProtoStackActions 1002
target 239.0.0.0 SIOCDELRT: No such process
Using /etc/rt61ap.o
pcibios_enable_resources: already enabled when device probed.
pci_request_regions: PCI regions already reserved
pcibios_set_master: already done when device probed.
IRR(5)=c0c40000
===> Request IRQ 5 for ra0, ret=0
=> Register External Device (ra0) vid (9) extPortNum (6) -- Dev (0x81fea200)
register external ra0 device on extPort 6, id 1
ra0 -- (rtl865x_extDev_registerUcastTxDev [660]) Register Unicast Tx Device [81fea200].
(rtl865x_extDev_regCallBack [845]) Register CallBack function -- Ucast Tx (c005bf6c) Free (c005c200).
connect[radius]: Network is unreachable
Using /lib/software_watchdog.o
Easyconf : Start easyconf() 20060313-20:00
Easyconf : Create multicast socket succesded!
Easyconf : MYIP: 192.168.3.254
Easyconf : start easyconf and mac writer
Easyconf : MYIP is 192.168.3.254
br0: port 1(eth1) entering forwarding state
RTL865x Port 1 state=FWD
br0: topology change detected, propagating
checking httpd ... done
checking VpnLog ... done
checking sendmail ...checking rt61apd ... done
checking rt61iappd ... done
After the unit comes up, you do get console access to the OS (without needing to modify the firmware - in this case 1.0.39). The serial port uses 3.3 volt levels at 38400 81N. If you are looking at the card with the ethernet connectors up the pinout is below for the port just below the RTL8651B:
Code:
TX 3.3v n/a 3.3v n/a GND RX GND n/a
Is anyone making any progress in developing their own custom firmware since April? -John
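An added example, not code from any post in this thread: it parses the five MTD partition lines from the boot log above, explains why the kernel forces "romfs" read-only (its start is not erase-block aligned), and checks whether a built firmware.img (the 3866688-byte size reported earlier in the thread) fits the "linux" partition before anyone flashes it. The 64 KiB erase-block size is an assumption, chosen to match the 0x10000-byte "bdinfo" and "cfg" partitions; the log itself does not state it.

```python
import re

# MTD partition lines copied from the serial boot log posted above.
MTD_LOG = """\
Creating 5 MTD partitions on "Physically mapped flash":
0x00000000-0x00020000 : "boot"
0x00020000-0x003e0000 : "linux"
0x00135400-0x003e0000 : "romfs"
mtd: partition "romfs" doesn't start on an erase block boundary -- force read-only
0x003e0000-0x003f0000 : "bdinfo"
0x003f0000-0x00400000 : "cfg"
"""

# Assumption: 64 KiB erase blocks (matches the 0x10000-byte bdinfo/cfg partitions).
ERASE_BLOCK = 0x10000
FLASH_SIZE = 4 * 1024 * 1024  # "Detected flash size: total 4MB."

PART_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"', re.I)

def parse_mtd(log):
    """Return [(name, start, end)] for each partition line, in log order."""
    parts = []
    for line in log.splitlines():
        m = PART_RE.match(line)
        if m:
            parts.append((m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    return parts

def check_layout(parts, erase_block=ERASE_BLOCK, flash_size=FLASH_SIZE):
    """Report misaligned, out-of-range and overlapping partitions.

    The romfs/linux overlap is expected on this device: the squashfs root
    (root=/dev/mtdblock2, the third partition) sits inside the linux image.
    """
    issues = []
    for name, start, end in parts:
        if start % erase_block or end % erase_block:
            issues.append(f'{name}: not erase-block aligned, kernel forces it read-only')
        if end > flash_size:
            issues.append(f'{name}: extends past end of flash')
    for i, (n1, s1, e1) in enumerate(parts):
        for n2, s2, e2 in parts[i + 1:]:
            if s1 < e2 and s2 < e1:
                issues.append(f'{n1} overlaps {n2}')
    return issues

def image_fits(parts, image_size, target='linux'):
    """True when an image of image_size bytes fits in the target partition."""
    for name, start, end in parts:
        if name == target:
            return image_size <= end - start
    raise KeyError(target)
```

Running check_layout on the parsed log yields the romfs alignment warning and the linux/romfs overlap, and image_fits reports that the 3866688-byte firmware.img fits the 0x3c0000-byte "linux" partition.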
This is a major breakthrough, I believe. Now, it should be possible to load a test firmware image just to the device memory. It should also be a way to "unbrick" the device. The development of the alternative firmware was slow, because no one knew how to recover the unit from a faulty firmware update. Now it should be much safer to experiment with the new firmware compilations. I can confirm, the reset button has a relatively low priority. In some cases the WRV200 does not respond to the reset button. It looks like it is just a software level reset and the hardware level reset is available only through removing the power. Looks like the WRT54GX v2 is using the same Realtek ROME loader and 8651B CPU. It is possible ROME will accept GZIP'ed images of the firmware. http://wiki.openwrt.org/OpenWrtDocs/Hardware/Linksys/WRT54GX http://wiki.openwrt.org/RTL8651BPort
According to the OpenWRT documentation the WRT54GX v2 with the Realtek RTL8651B CPU is already supported. Since it is the same chip as the WRV200 has, it could be possible to load OpenWRT onto a WRV200.
One of my WRV200 units is over two years old. I can open it without losing the warranty, now. I'm curious what is inside of it, but I do not want to trash it. Does anyone know how to open it safely?
All you have to do is carefully pry off the four rubber feet on the bottom to expose the screws. After the screws are out the top just lifts off. If you are careful you can easily stick the feet back on when you are done. I looked in detail at the hardware about a month ago. Based on resistance checks, voltage levels, and a bit of reverse engineering, I'm pretty sure I found the second serial port and determined which JTAG pins do what. Unfortunately I haven't found tool support or found a spec sheet for the 8651B so I haven't tried it out yet. If anyone can point me at either of the above I'd be interested. With access to the boot-loader, it may not be essential to play with JTAG yet (until someone bricks a unit).
Hi, Do you think that it is possible not to use hardware acceleration for routing/NAT on this device? I found that: === The Linux Netfilter/Iptables is replaced by the binary only ROME drivers which provides an interface to the hardware accelerator for NAT/Firewall/routing. ==== Regards
hi, I finally found a solution for my TTL problem. It is possible to disable TTL-1 in routing. I did it by modifying rtl8651_tblDrvFwd.c (in linux-2.4.x/drivers/net/re865x/rtl865x). Maybe it is not a perfect solution but now I can use my router (after half a year) with my ISP who sets TTL=1.
hi, I noticed something interesting: in 1.0.32.2 GPL the source code of the RTL8651B driver is also included. In 1.0.39 there are only object files. regards
i found the wrv200 GPL on this site ftp://ftp-eng.cisco.com/pub/opensource/linksys/wrv200/1.0.39/ is this usable anywhere ??