AdvancedTomato - Flat/Material designed web GUI (Shibby base)

Discussion in 'Tomato Firmware' started by Jacky444, Jul 23, 2014.

  1. stillsober

    stillsober Reformed Router Member

  2. Frequenzy

    Frequenzy Addicted to LI Member

    looks like shibby just released 137 hopefully advance tomato is also soon :)
  3. koitsu

    koitsu Network Guru Member

    I've maintained this advice/attitude for several years. It has yet to fail me, on any platform.
  4. mrjayviper

    mrjayviper Connected Client Member

    Thanks for this firmware. Running on my 868L.
  5. Jacky444

    Jacky444 LI Guru Member

    Hi folks! I've just released AdvancedTomato version 3.2-137! I've hit some bumps while trying to compile the firmware but I managed to fix them. I've also switched from Ubuntu 15.04 to 16.04 Xenial. Have a good day!

    Change log:
    Update 3.2-137 (GUI):
    - Added Adblock GUI from Tomato By Shibby 137
    - Fix static routing table for MultiWAN feature @Shibby
    - Upgraded JQuery to 3.0
    Update 137 (Shibby):
    All versions:
    – use dedicated MAC address for WAN1 interface
    – usb_modeswitch ver. 2.4.0 with data package 2016-06-12
    – openvpn: update to 2.3.11
    – dnsmasq/adblock: add option Debug Mode
    – dnsmasq: remove parameter "cache-size" from config file
    – Adblock feature
    – busybox: enable ntpd
    – fix "The field "wl_radio" is invalid" – thx @Yunchen Sun
    – better 4G modem connection detect
    – VPN: allow to disable "nobind" option for VPN Client configuration
    – use mkfs and fsck tools from e2fsprogs instead busybox applets (support ext4)
    – modified linkagg script
    AndreDVJ, mrjayviper and The Master like this.
  6. DracoMilesX

    DracoMilesX Networkin' Nut Member

    Nice advice but it didn't really answer his question. About how to restore all settings easy.

    @Jacky444 I see you released both a K26 and the old AT-RT-AC builds that were removed a long time ago. Any specific differences?
  7. koitsu

    koitsu Network Guru Member

    There is no way to 100% reliably "restore all settings easy" when going between firmware versions (my post explains why), only if needing to backup/restore settings on the exact same firmware version. I'll spell out the procedure easily:

    1. Maintain whatever your settings/changes are in a .txt file, written or laid out in such a way that they mimic what the GUI areas are. When you change something in the GUI, make sure you reflect that change in the .txt file! -- see the one in my post for how I do mine,
    2. Upgrade the firmware, ensuring that you check the "After flashing, erase all data in NVRAM memory" box,
    3. Once the firmware completes + router reboots, begin applying all the settings by hand via the GUI as per the .txt file.

    Anything you read about using nvram export or nvram show with a whole series of wonky greps are all subject to fail and/or anomalies. Yes, they work for a lot of people, but all it takes is one developer or vendor introducing a new NVRAM value -- or worse, changing the syntax of an existing one's values (this has already happened!) -- to throw a gigantic wrench into the mix. This is why doing it by hand is really the only way at present that ensures things will work reliably. Sadly this problem has existed for a very long time (since the introduction of Tomato); firmwares like OpenWRT solve this by using actual text configuration files (stored on flash as part of the actual filesystem) instead of sticking tons of stuff into NVRAM.

    The only part of this that can fail is Bandwidth Logs and IP Traffic Logs. Those can be backed up via their appropriate GUI sections, and those (ideally) should work when restored from the GUI as well. However: when moving between routers, including if you replace an existing router with the same model!, this will likely break because the MAC address differs between routers (not sure if this applies to IP Traffic, but it does apply to Bandwidth Logs). I don't know of a way to work around that, sorry to say.
    Monk E. Boy likes this.
  8. Aimdev

    Aimdev New Member Member

    I have managed to compile (but not tested yet) AIO for AC3200. I am running the shibby binary on the AC3200 currently.
    What is required to merge your Advanced version, which I understand is mainly the Gui, with the shibby release?


  9. AndreDVJ

    AndreDVJ LI Guru Member

    The link below is a commit of the initial bulk of changes required to convert the standard GUI into AdvancedTomato GUI:

    1) Mainly it replaces the whole /www directory (The actual GUI files)
    2) Adds support for new icons and fonts used by AdvancedTomato.
    3) Adds support for AdvancedTomato's specific files in the Makefile.

    This commit isn't the latest one, and you should not apply that one. It won't work.

    You may download AT (just the GUI) sources. However, you will need to work a little bit on specific changes in order to support your router.

    What I could spot was to add AC3200 support in Advanced/VLAN page:

    I don't have that router so I don't know all changes required to support SDK7 routers.

    I am trying to keep this post rather short, but once you get somehow familiar with Tomato build system, it's easier to apply changes.

    I'd recommend using GIT. Few commands so you can save/revert changes easier (from my own cheat-sheet):

    Not sure if I missed something. If anyone has anything to add, feel free to do so.
    eris23 likes this.
  10. Aimdev

    Aimdev New Member Member


    I have had time to look at this, and I wonder about the reverse approach, i.e. don't use shibby's release directly but modify the advanced tomato shibby clone to support the ac3200?

    What would be required to achieve this?
    I am prepared to give it a go.

  11. AndreDVJ

    AndreDVJ LI Guru Member

    I prefer the approach I gave. You'd need to create a branch and add all changes relative to SDK7. It's way more work than just replacing /www and modifying few other files.
  12. JTD121

    JTD121 Addicted to LI Member

    Finally took the time to do a 'proper' upgrade; Write down all relevant settings I'd like to keep, erase NVRAM after upgrading, reset all those settings! Now onto some extra tuning! :D

    By the way, is there a particular difference or preference between the two AIO builds for the RT-N66U, specifically? I chose the RT-N66U_AT-RT-AC6x-3.2-137-AIO-64K.trx (shorter name) build, and while the interface is a bit different in places, I attribute that more to lagging behind doing the 'proper' upgrade and not keeping up on changes.

    Would the K26USB-1.28.AT-RT-N5x-MIPSR2-3.2-137-AIO-64K.trx build have been a better choice for some reason?

    I believe I was using the longer-named build of 3.1-132 previously, so I am not sure which choice to make? I don't see anything in the FAQ describing differences in the builds....
  13. koitsu

    koitsu Network Guru Member

    The difference between the two is the driver (Broadcom, I believe) SDK used (5.x vs. 6.x). This includes different (and very deep) changes, including a wireless driver change. Which works better for you is up to you, and is anecdotal.
    Monk E. Boy likes this.
  14. Nite

    Nite LI Guru Member

    So for the second time I logged into my primary router to find it was running some old version of Shibby firmware instead of Advanced Tomato. I did not flash this router. This only appears to occur on my internet-connected router, I have another internal router that does not have this happen.

    Is this router somehow being flashed remotely? I have remote admin connections disabled and the whole thing is pretty locked down. I just recently reconfigured everything from scratch after this happened the first time, creating new certs, new random passwords, etc.

    I just don't understand how this is possible or how to track down what is occurring. I see nothing in the logs indicating anything when this happens.

    Version string I see when this occurs: Asus RT-AC66U: Tomato 1.28.0000 MIPSR2-114 K26AC USB AIO-64K
    Advanced Tomato string: Asus RT-AC66U: Tomato 1.28.0000 MIPSR2-3.2-137 K26AC USB AIO-64K

    Any thoughts?
  15. Frequenzy

    Frequenzy Addicted to LI Member

    are you sure you are looking at the same router? flashing a firmware requires a reboot so uptime would be different
  16. Nite

    Nite LI Guru Member

    Yes, absolutely certain I am looking at the same router. There was evidence of a reboot in the logs when the change occurred.
  17. pawnu33

    pawnu33 Network Newbie Member

    Dear all,

    I have been trying to compile advancedtomato from github page for advancedtomato using Ubuntu 14, 16 and finally Ubuntu 12.04 and I have run across this problem.

    /opt/brcm/hndtools-mipsel-linux/bin/mipsel-uclibc-gcc: 1: /opt/brcm/hndtools-mipsel-linux/bin/mipsel-uclibc-gcc: Syntax error: Unterminated quoted string
    make[5]: *** [head.o] Error 2
    make[5]: Leaving directory `/home/osboxes/advancedtomato/release/src/lzma-loader'
    make[4]: *** [lzma-loader] Error 2
    make[4]: Leaving directory `/home/osboxes/advancedtomato/release/src/router'
    make[3]: *** [all] Error 2
    make[3]: Leaving directory `/home/osboxes/advancedtomato/release/src-rt'
    make[2]: *** [bin] Error 2
    make[2]: Leaving directory `/home/osboxes/advancedtomato/release/src-rt'
    make[1]: *** [m] Error 2
    make[1]: Leaving directory `/home/osboxes/advancedtomato/release/src-rt'
    make: *** [r2m] Error 2
    I followed the thread in this website "threads/tomato-build-environment.72034/" and instead of tomato, I cloned the advancedtomato. I was wondering if there is any up to date guide on how to compile advancedtomato and which OS is recommended.

    After following the instructions on the github page and using 'make' on /release/src directory, I am getting this error as well.

    grep: tomato_profile.mak: No such file or directory
    grep: tomato_profile.mak: No such file or directory
    Version: 1.28.0000 ND (Wed, 03 Aug 2016 02:25:21 +0100)

    I'd appreciate any help, thank you.

    Edit: I was able to compile the following image from the guide, however I'm getting uclibc-gcc error for tomato shibby build..
    Number of gids 0
    make[4]: Leaving directory `/home/osboxes/tomato/release/src/router'
    make[4]: Entering directory `/home/osboxes/tomato/release/src/btools'
    gcc -O3 -Wall -o fpkg fpkg.c
    fpkg.c: In function ‘load_image’:
    fpkg.c:161:8: warning: variable ‘p’ set but not used [-Wunused-but-set-variable]
    make[4]: Leaving directory `/home/osboxes/tomato/release/src/btools'
    # Create generic TRX image
    Creating TRX: image/tomato-K26USB-1.28.000000MIPSR2000000-Lite.trx
    TRX Image:
    Total Size .... : 4673536 (4564.0 KB) (4.5 MB)
       Images ...... : 4670380 (0x004743ac)
       Padding ..... : 3128
    Avail. for jffs :
       4MB, 128K CFE : 0 EBs + 0
       4MB, 256K CFE : 0 EBs + 0
       8MB, 256K CFE : 51 EBs + 45056
                Note : Netgear routers have 6 EBs less available!
    CRC-32 ........ : C5756DAE
    128K Blocks ... : 36 (0x00000024)
      64K Blocks ... : 72 (0x00000048)
       0: 0x0000001C  lzma-loader/loader.gz
       1: 0x00000AD8  /home/osboxes/tomato/release/src-rt/linux/linux-2.6/arch/mips/brcm-boards/bcm94
       2: 0x000D4C00  router/mipsel-uclibc/target.image
    1.28.0000 MIPSR2000000 K26 USB Lite  ready
    make[3]: Leaving directory `/home/osboxes/tomato/release/src-rt'
    make[2]: Leaving directory `/home/osboxes/tomato/release/src-rt'
    make[1]: Leaving directory `/home/osboxes/tomato/release/src-rt'
    Last edited: Aug 3, 2016
  18. Frequenzy

    Frequenzy Addicted to LI Member


    using 137, is there a way that the device list would show the hostname rather than ips?
  19. Elfew

    Elfew Network Guru Member

    I think it should not be an issue - in stock fw there is a column for hostnames
  20. Monk E. Boy

    Monk E. Boy Network Guru Member

    To my knowledge the hostnames are provided from dnsmasq and are provided by the host as part of their dhcp lease. If you reboot the router in the middle of the host's dhcp lease the hosts will often show up w/o names and just use IPs because it hasn't dhcp'd a new lease from the router, it just uses its old one until renewal time comes. This normally appears with routers that are attached to switches, devices attached to the switch won't see the uplink go dark so they won't do a dhcp release/renew, while devices directly attached to the switch will.

    One alternative is to create fixed DHCP leases for devices, which involves giving them names, at which point dnsmasq uses those names in place of whatever name the host provides (or not, in many cases). Android devices are generally android-longstringofalphanumericdata which isn't always useful when you're trying to find a particular device.
  21. koitsu

    koitsu Network Guru Member

    "Sort of".

    Under Device List, the hostname column tends to be the hostname the DHCP client provided when getting an IP address. Assigning a static IP (Basic -> Static DHCP) with a hostname doesn't necessarily fix this problem. I'll detail this with evidence:

    * My Android phone has a static DHCP entry (where the hostname is set to "mobile.home.lan"), but under Devices the hostname is "android-{16 hexadecimal chars}.home.lan" (i.e. the android-XXXXXXXXXXXXXXXX portion comes from the client; the domain portion comes from my dnsmasq setup (irrelevant)).

    * My iPad 2 mini Wifi has no static DHCP entry, and the hostname is "Jeremys-iPad" (because that's how I named the device when I set it up after buying it).

    * My Windows 7 workstation has a static DHCP entry (where the hostname is set to koitsu.home.lan), but under Device List the hostname is "KOITSU" (which is the name of the workstation, i.e. what Windows' DHCP client sends).

    The statically-assigned hostnames and IPs end up in the /etc/dnsmasq/hosts/hosts file on the system (this is parsed/honoured by dnsmasq using the addn-hosts option; the /etc/dnsmasq/hosts directory is recursively parsed for files and those files read/used). I still have no idea what purpose /etc/dnsmasq/dhcp/dhcp-hosts serves (it correlates with dhcp-hostsfile=/etc/dnsmasq/dhcp); the file is always 0 bytes for me. The dnsmasq documentation goes over what these all do.

    The DHCP-client-provided names, MACs, and IPs (as well as lease expiry) end up in /var/lib/misc/dnsmasq.leases (which is /tmp, i.e. RAM), and those are the hostnames which are parsed/used by the Device List feature of TomatoUSB.

    Here's the proof of all that:

    root@gw:/tmp/home/root# grep dhcp-host /etc/dnsmasq.conf
    root@gw:/tmp/home/root# cat /etc/dnsmasq/hosts/hosts gw
    XXX wan-ip
    XXX gw-wan canon-lan.home.lan koitsu.home.lan linux.home.lan mobile.home.lan
    root@gw:/tmp/home/root# cat /var/lib/misc/dnsmasq.leases
    11677 f0:4f:7c:93:XX:XX * 01:f0:4f:7c:93:XX:XX
    0 68:05:ca:3f:XX:XX KOITSU 01:68:05:ca:3f:XX:XX
    0 f8:e0:79:57:XX:XX android-e43a50abXXXXXXXX 01:f8:e0:79:57:XX:XX
    85628 b0:34:95:e9:XX:XX Jeremys-iPad 01:b0:34:95:e9:XX:XX
    However, the situation is even more wonky with TomatoUSB due to unique/custom code that Jon Zarate wrote solely for the Device List feature and some uncommonly-used features (such as being able to click on the lease expiry to force expire a lease). This is a custom patch to dnsmasq. I talked about that utter mess in a different thread recently (post in question is a response to the previous post, re: dnsmasq patch). Shibby apparently re-did this patch or implemented it differently in Shibby 138 but I haven't seen what that is yet.

    I get the impression that, overall, somewhere along the lines all of this used to work cleanly/correctly, but because of several files used all over the place, and not all the appropriate code being updated to use all of said files, there is a "disconnect" between dnsmasq vs. Device List. As such, I just use Device List to determine what machines have gotten an IP address via DHCP from dnsmasq, and for wireless clients see their signal level. Everything else is superfluous to me.
    Last edited: Aug 4, 2016
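
The mismatch described in the post above can be listed mechanically by joining the lease file against the static hosts file. This is an added example, not part of the original post or of Tomato's code: the function names, the sample IPs and MACs are constructed, and the leases use the standard dnsmasq layout `expiry MAC IP hostname client-id`.

```shell
#!/bin/sh
# Added example: compare the name each DHCP client sent (dnsmasq.leases)
# with the name assigned to the same IP in a hosts-format file.

# lease_name_report LEASES HOSTS
# Prints one line per lease: ip mac client_name static_name verdict
lease_name_report() {
    awk '
        FILENAME == ARGV[1] {                 # hosts file: "IP name [alias ...]"
            sub(/#.*/, "")                    # drop comments
            if (NF >= 2) static[$1] = $2
            next
        }
        NF >= 4 {                             # leases: expiry MAC IP name client-id
            mac = $2; ip = $3; client = $4
            fixed = (ip in static) ? static[ip] : "-"
            short = tolower(fixed);  sub(/\..*/, "", short)   # strip domain part
            csh   = tolower(client); sub(/\..*/, "", csh)
            if (fixed == "-")        verdict = "no-static-entry"
            else if (client == "*")  verdict = "client-sent-no-name"
            else if (csh == short)   verdict = "match"
            else                     verdict = "mismatch"
            printf "%s %s %s %s %s\n", ip, mac, client, fixed, verdict
        }
    ' "$2" "$1"
}

# write_sample DIR: constructed sample data modelled on the cases in the post
# (Windows box, Android phone, a client that sent no name, an unlisted tablet).
write_sample() {
    cat > "$1/hosts" <<'EOF'
# constructed static entries
192.168.1.10 koitsu.home.lan
192.168.1.11 mobile.home.lan
192.168.1.12 canon-lan.home.lan
EOF
    cat > "$1/leases" <<'EOF'
0 02:00:00:00:00:10 192.168.1.10 KOITSU 01:02:00:00:00:00:10
0 02:00:00:00:00:11 192.168.1.11 android-0123456789abcdef 01:02:00:00:00:00:11
11677 02:00:00:00:00:12 192.168.1.12 * 01:02:00:00:00:00:12
85628 02:00:00:00:00:13 192.168.1.113 Jeremys-iPad 01:02:00:00:00:00:13
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
lease_name_report "$demo_dir/leases" "$demo_dir/hosts"
rm -rf "$demo_dir"
```

On a router the two arguments would be /var/lib/misc/dnsmasq.leases and /etc/dnsmasq/hosts/hosts, the paths named in the post.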
  22. NanoG6

    NanoG6 Network Newbie Member

    Hi, I'm using AT 137 on RT-N16, router is acting as OpenVPN client, and routes all connected devices through VPN tunnel. Can I make router web admin accessible from VPN network? Currently I am only able to access web admin through LAN or WAN

  23. Jacky444

    Jacky444 LI Guru Member

    AdvancedTomato version 3.3-138 has just been released. The update had given me lots of headaches, even a broken router at first compilation (it's been fixed now). So yeah! I wish I had some Asus router instead of R7000, the serial cable unbricking is pain in the A** :p. Anyway!

    Change Log:
    Update 3.3 (GUI):
    - Changed font to "Segoe UI" with "Roboto" as fall-back (Segoe UI is Windows only font)
    - Changed some internal variables in relation from AdvancedTomato GUI to Tomato HTTPD handler
    - Added Ability to change navigation tree trigger from CLICK to HOVER or vice versa
    - Added FIX for navigation menu when its missing JSON object
    - Added an event that initially triggers load of data on Tools Wireless Survey page
    - Modified GUI changes to reflect all changes done by Shibby's 138
    - Many minor changes to the gui styles, I really forgot all ^^ some colors, fonts etc...
    - Upgraded JQuery to 3.1.0
    Update 138 (Shibby):
    All versions:
    – busybox: update to 1.25.0
    – busybox: wget – add TLS SNI support via openssl s_client – Jeremy Chadwick
    – Miniupnpd: update to 2.0
    – NTFS-3G driver update to 2016.2.22
    – OpenSSL: updated to 1.0.2h
    – OpenSSL: add s_client to mipsel`s images
    – dropbear: updated to 2016.74 – AndreDVJ
    – dropbear: fixes and improvements -AndreDVJ
    – dropbear: fix some PATH
    – libcurl: updated to 7.49.1 – AndreDVJ
    – libsodium: updated to 1.0.10 – AndreDVJ
    – igmpproxy: latest patches as of April 27th. 2016 – AndreDVJ
    – libncurses: updated to 6.0 – AndreDVJ
    – libnfsidmap: updated to 0.25 – AndreDVJ
    – spawn-fcgi: updated to 1.6.4 – AndreDVJ & Shibby
    – dnsmasq: updated to 2.76 – AndreDVJ & Shibby
    – nano: updated to 2.6.1 – AndreDVJ
    – libusb10: updated to 1.0.9 – AndreDVJ
    – libevent: updated to 2.0.22 – AndreDVJ
    – dnscrypt: updated to 1.6.1 – AndreDVJ
    – gmp: updated to 6.1.0 – AndreDVJ
    – nettle: updated to 3.2 – AndreDVJ
    – MWAN: write failover state to /tmp/wan.failover file
    – MWAN: be sure we use correct dns servers for failover when primary wan failed
    – DDNS: allow select WANs for DDNS services
    – 4G: better Signal Strength detection
    – Switch entware (obsolete) to entware-ng
    – Revert „Asus RT-N16: fix vlan order” – tvlz
    – VLAN GUI: updates – tvlz
    – IPv6:Fix „ipv6_prefix_length” range checking – tvlz
    – rc/qoc.c: some fixes – tvlz
    – Fix for ipv6 6rd – Magister
    – IPv6: Fix TCP MSS Clamping, move to mangle table – tvlz
    – Fix QOS – make QOS work with IPv6 – tvlz
    – Allow Incoming IPv6 IPSec by default – tvlz
    – Fix renewal of IA NA – tvlz
    – EHCI: fix direction handling for interrupt data toggles – Alan Stern
    ARM only
    – Add support for Netgear R6400
    – Add exFAT support – oneleft & Shibby
    – Kernel: updates for tcp_cubic – AndreDVJ
    – Updated e2fsprogs to 1.43 – AndreDVJ
    – Use kernel ext4 driver for all ext2/3/4 filesystems – nikk gitanes & AndreDVJ
    – R1D: support updates – nikk gitanes & AndreDVJ
    – Updated wireless settings for R6250/R6300v2/R7000 – AndreDVJ
    – Driver: update Linux Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller – AndreDVJ
    – Added Linksys EA6900 gpio addresses, and updated Huawei WS880 gpio address for USB2 LED – AndreDVJ
  24. DracoMilesX

    DracoMilesX Networkin' Nut Member

    Thanks for the new release.

    Yeah great routers those Asus routers with the firm recovery. Have 2 bricked routers I need to recover with serial which just don't wanna work.
  25. koitsu

    koitsu Network Guru Member

    I'd be happy donating to you a (new) Asus RT-N12 or Asus RT-N16 for testing, if it'd help your project.
  26. JJohnson1988

    JJohnson1988 Reformed Router Member

    Thanks for the effort and release!

    I do have a few minor cosmetic (CSS) issues with this release. On the bottom of the overview page, the content in the bottom-most box in the left column seems to be overflowing incorrectly into the right column. I don't think this was the case in v137.

    Additionally on the overview page, there exists both an Enable and Disable button at once when displaying information about my virtual wireless network (not the primary ones). Pretty certain only one or the other should be displayed since it's a toggle.


    Functionally, though, everything seems to be working great. That's what's important.
    Last edited: Aug 15, 2016
  27. misuercarriere

    misuercarriere Reformed Router Member

    I'm looking for older versions of the advanced tomato firmware. In particular, the AIO version 132 for my RT-N66U.

    A quick google search did not yield anything.
    Does any one know of a repository where older firmware can be found?

    Edit: the website ( seems to only have firmware back till version 134.
    Found this website not sure if it's the real deal. Flashing tonight though.
    Last edited: Aug 15, 2016
  28. MyAnonLSI

    MyAnonLSI New Member Member


    I tried to update my tenda W1801 from 137 to 138 without resetting the configuration, the 2.4GHz interface disappears. So I did reset the configuration and got the 2.4GHz interface back, and now it's working good. So don't forget to reset the configuration to upgrade to 138.

    Many thanks for great efforts to make a great firmware!
  29. Jacky444

    Jacky444 LI Guru Member

    That's very generous of you. I didn't mean it like that, more like I need a new primary router which is R7000 at the moment (Dual Core 1GHz ARM on 1gbps WAN) something like Asus RT-AC87U which has very simple debricking system so I can avoid hours of downtime and just leave the R7000 open when testing and so on =). I appreciate the offer though! Because debricking R7000 requires opening it up each time and wow all together I had so much trouble last time, spent like 3 hours.

    The web site only displays last 5 versions (performance concerns for the downloads counting). The links are:

    In future you can simply copy the download link of the "latest" version at the time and modify the string (e.g.: .../get/v3.1-132/.. .) to the desired version. Most of the time naming of the images stay the same so that should work.

    I copied this from our email conversation, if anyone else ever seeks the same question.

    The boxes issue is actually an HTML5 spec problem with "columns". The browsers should support the no break method but it doesn't work. Previous version used inline-block instead of block for the boxes which caused HUGE gap between boxes and refresh button (in some cases, mine for example) and I hated it so much I rather changed it for the current issue, it's annoying but hell, rather that than that 4 boxes bottom gap. Regarding the buttons I agree, must be a bug. I didn't see it on my R7000 or RT-N66U so I can't say. Could you also screenshot the console log (F12 -> Console) and paste it on ISSUES tracker? Would appreciate it.
    misuercarriere and JJohnson1988 like this.
  30. JJohnson1988

    JJohnson1988 Reformed Router Member

    Thanks for the reply. And excuse me if this has been brought up before.

    The "page-break-inside" property seems to work on children elements assigned to the "box" class but not on the container element. However, the "box-shadow" property of the child class still overflows incorrectly into the second column, and the "margin" property creates unnecessary spacing at the top of the column. Seems the page-breaking doesn't take into account properties that venture outside the content portion of the CSS box model. Is there a way to fix this with some JS hack, perhaps?

    Screenshot here (the box-shadow is very thin -- about 1px in height -- but it's definitely overflowing):

    I will post my console log on the issues tracker after I wake up. I'm pooped at the moment.
  31. JJohnson1988

    JJohnson1988 Reformed Router Member

    Sorry to make another post, but I may have fixed the column break issue AND the huge spacing at the bottom.

    The trick is to set "page-break-inside" on the elements with the "box" class, as mentioned in my post above. Then wrap each of these "box" elements with DIVs consisting of the following style: "display: inline-block; width: 100%;". It's only when the "box" elements don't have wrappers that "display: inline-block;" creates the huge space at the bottom of the page.

    You may even be able to put "page-break-inside" on the wrappers instead of the "box" elements, as that makes more sense, but both ways seem to correct the problem.

    Actually, you may not even have to include the page-break attributes at all, as inline-blocked, 100% width wrapper elements fix everything.

    Screenshot of fixed interface:
    Last edited: Aug 16, 2016
    AndreDVJ likes this.
  32. Frequenzy

    Frequenzy Addicted to LI Member

  33. Jacky444

    Jacky444 LI Guru Member

    In some cases inline block helps, to me it doesn't. That's why I switched to this solution. The UI is not the only example I have the issue with columns at. I also have it at some other projects I work on and its exactly the same issue. The inline-block creates more issues than it solves so I'm really not going to go back to it ^^. If you check the commits logs you will see that I've previously used the exact same solution as you described above.

    P.S.: Looking at the screenshot you simply changed element style of SINGLE box. That definitely won't fix the problem with element breaking to second column, that only fixes specific element which you can't know unless every single person has same boxes, same boxes height and same boxes in "Open State" and not "Closed". So that's simply "hack" your specific problem. Sadly, I wish there was easier solution... There are some javascript solutions but if I add them, I can cancel support for some routers (flash will become too small for the images) and people will kill me with emails again ^^
    JJohnson1988 likes this.
  34. JJohnson1988

    JJohnson1988 Reformed Router Member

    Yeah, CSS rules are really strange and unpredictable sometimes. Especially back in the day when the box model was implemented differently in Internet Explorer. Likely one of the reasons why I've lost most of my hair, actually.

  35. Jacky444

    Jacky444 LI Guru Member

    I don't think that stopped :D Microsoft is still using their own rules how the web should work. I have no idea why we have HTML specs lol... Anyway you were right regarding breaking properties, I checked again and found out about the box shadow split. Sorry I misunderstood your post. My solution was slightly different previously and I applied break solution to wrong element. I'll try again some time when I have time. The only problem I had was with "inline-block" which caused huge gaps and incorrect alignment.
    Techie007 and JJohnson1988 like this.
  36. JJohnson1988

    JJohnson1988 Reformed Router Member

    The screenshot was just an example so you could see the visual result. Outside of the screenshot, I wrapped all the "box" elements with the same style (and even set other boxes to "display: none;" to see how the layout would react with boxes missing, different heights, contents, etc.), and the fix still worked. Even the animations looked correct with the changes.

    Unless there's something I'm missing? Different browser, perhaps?

    I sure hate to be persistent about this issue, especially when you've said there is no easy solution. I'm confident in my solution to the point where if the problems still aren't fixed after wrapping the "box" elements with the custom style, you can yell at me all you want. :D
    Last edited: Aug 16, 2016
  37. Elfew

    Elfew Network Guru Member

    What about adding some icon for the renew and release buttons on the status page? Maybe some kind of arrow?
  38. koitsu

    koitsu Network Guru Member

    I wanted to follow up on an issue in this thread from @Nite (also mentioning @Frequenzy here because he chimed in). Nite hit me up privately to look into the problem. It took some days before the issue happened again, but it did. What I did was compare dmesg's.

    I can absolutely confirm that his router is in fact randomly "rolling back" to some very old Shibby firmware (from 2013). Here's a diff between the two dmesgs (with USB and certain device enumerations removed). Note very closely the ASCII dates shown (kernel build and other things):

    -Linux version (root@asus) (gcc version 4.2.4) #2 Thu Jul 7 14:26:58 CEST 2016
    +Linux version (root@asus) (gcc version 4.2.4) #3 Tue Oct 22 07:28:24 CEST 2013
    -Memory: 254760k/131068k available (2705k kernel code, 7084k reserved, 410k data, 208k init, 131072k highmem)
    +Memory: 254760k/131068k available (2697k kernel code, 7076k reserved, 410k data, 208k init, 131072k highmem)
    -0x00133bb0-0x02000000 : "rootfs"
    +0x00132eb8-0x02000000 : "rootfs"
    -net/ipv4/netfilter/tomato_ct.c [Jul  7 2016 14:26:57]
    +net/ipv4/netfilter/tomato_ct.c [Oct 21 2013 22:20:16]
    In short, his claim is accurate and true. The "how can this happen?" question is not easily answered, but I have a strong gut feeling that it's explained by some output seen for the nflash flash (which hosts rootfs/linux MTD) (both the 2013 OS and the 2016 OS see this):

    Found a Samsung NAND flash with 2048B pages or 128KB blocks; total size 128MB
    lookup_nflash_rootfs_offset: offset = 0x0
    nflash: squash filesystem with lzma found at block 9
    Creating 2 MTD partitions on "nflash":
    0x00000000-0x02000000 : "linux"
    0x00133bb0-0x02000000 : "rootfs"
    NAND device: Manufacturer ID: 0xec, Chip ID: 0xf1 (Samsung NAND 128MiB 3,3V 8-bit)
    Bad block table found at page 65472, version 0x01
    Bad block table found at page 65408, version 0x01
    nand_read_bbt: Bad block at 0x00940000
    nand_read_bbt: Bad block at 0x01340000
    nand_read_bbt: Bad block at 0x01fe0000
    nand_read_bbt: Bad block at 0x03d60000
    nand_read_bbt: Bad block at 0x06280000
    nand_read_bbt: Bad block at 0x06e60000
    I want to be very clear with something by showing these lines: having some bad NAND blocks doesn't necessarily mean you're going to experience this problem, and isn't necessarily a sign to freak out and run around replacing hardware. In Nite's case, the situation is manifesting itself in a very uncomfortable way, however.

    My gut feeling here is that his router has a kind of "backup flash" that is getting triggered on occasion. Example scenario: router is running current Shibby. Something hardware-oriented happens, causing the router to reboot. Upon reboot, the pre-boot environment (CFE or pmon or whatever -- or possibly something even prior to that (thinking ASIC firmwares here)) determines for some reason to run off of some kind of "backup flash" which has a very old Shibby version (circa 2013). Device then boots into that.

    The RT-AC66U and RT-N66U both appear to have an additional 2MByte "serial flash" (in dmesg I believe it shows up as "sflash"). "How" Asus chose to designate all of this at the hardware level is a bit precarious. The DD-WRT forum has details on all of this (this thread is massive and as usual is impossible to follow due to the number of posts):

    There is another possibility, which is someone on his LAN is actively running a TFTP session to push the 2013 firmware to 24x7x365, and when the router reboots (possibly due to a kernel panic or unrelated problem), the TFTP session manages to work/catch it in the 5-second boot_wait window and bam. However, I REALLY doubt this is happening. It just seems too paranoid/aliens-are-in-my-home-probing-my-router-conspiracy-theorist for it to be likely. Occam's razor says my previous explanation is a lot more likely.

    I've advised that his router be RMAd or replaced as a result.
  39. Mirko Baila

    Mirko Baila Networkin' Nut Member

    On USB & NAS - USB Support: this page is bugged! It doesn't work at all.
    My router is a Netgear R7000.
  40. RogueScholar

    RogueScholar Reformed Router Member

    It's true, seems that the Save button on the USB Support page fails to trigger the setting of the variables under any circumstance.
  41. Jacky444

    Jacky444 LI Guru Member

    Re-download latest images and re-flash routers, no need to clear nvram. The page was bugged but was fixed about a day after first compilation. I can't increase version for such small fix so I had to simply overwrite the images.
    RogueScholar and Mirko Baila like this.
  42. RogueScholar

    RogueScholar Reformed Router Member

    Much obliged, Jacky. You rock!

    BTW, any thoughts of creating an Android app to sell in the Play Store, porting your AT interface directly to a touchscreen? I'm sure I wouldn't be the only one willing to pay for such a convenience.
    newprouser and JJohnson1988 like this.
  43. Fayz Munayam

    Fayz Munayam New Member Member

    I've had issues with send to YouTube to my TV from my iOS devices; it doesn't seem to see the devices.

    WiFi range is very weak; some of my devices will connect to the 2.4GHz instead. I didn't have this issue with DD-WRT fw. Also the WiFi smart switching is not smart at all: it's slow and leaves me disconnected for a few seconds before switching bands. I like to keep the SSIDs the same.

    And also my DLNA servers do not show up on my devices once I assigned it to a static IP in range with DHCP.

    Any help please? I like the UI of this fw but DD-WRT is just much more reliable atm.

    I have the R7000.
  44. Jacky444

    Jacky444 LI Guru Member

    Sadly that requires knowing Java / Android and I have never worked with that. I'm a web developer knowing HTML, JavaScript, CSS, PHP, some NodeJS and lately learning C and C++. I focus on these technologies and so these are all I can do =(. I would love seeing Tomato router GUI as a mobile app too! Could be awesome!
  45. Elfew

    Elfew Network Guru Member

    I think it is not something most have... I set up the router one time and then I don't need to change anything.
  46. RMerlin

    RMerlin Network Guru Member

    The R7000 MTD table is a bit "odd".

    I see enough space there for a second firmware image. Might be interesting making a dump of all of these partitions before and after flashing the latest Tomato build, to see if there's any sign of the older build being in one of these extra partitions (the UBI one, for example). Or perhaps at the very least keeping a SHA256 hash of each partition to see if they change after that "rollback" (the nvram partition would obviously be constantly changing, which is normal).

    EDIT: I see that table dump was taken from OpenWRT, so that mtd partition table might be native to OpenWRT rather than what Netgear uses.
  47. koitsu

    koitsu Network Guru Member

    @RMerlin How exactly would a user dump the mtd partitions before flashing Tomato? Does the stock firmware offer some kind of CLI that offers the ability to get at dmesg or /proc/mtd?

    And respectfully of course, but I'm not even sure that's applicable. Here are the two dmesgs in full. You can diff the two and see for yourself. To me, this really looks like something lower level is "switching" between two completely separate flash regions, long before the kernel is even booted. That's what makes me think it's a hardware "feature/problem" or something the CFE is doing transparently. Filenames are a little misleading (my fault), but:

    old.txt = Present-day Shibby firmware; this is what he runs up until the point the router "freaks out" and reboots
    new.txt = Ancient Shibby firmware; this is what ends up running after the router "freaks out"

    Attached Files:

    • old.txt (10.4 KB)
    • new.txt (10.7 KB)
  48. RMerlin

    RMerlin Network Guru Member

    Dump them after flashing Tomato, not before.

    Those logs aren't conclusive, as their output is generated by the kernel, including some not-so-pretty code from Broadcom. I believe the JFFS2 code in there is actually mine, as initially Asus's didn't have any JFFS2 support on the RT-AC66U. (they've since started treating the whole brcmnand partition as a single JFFS partition).

    The init is the same on both logs however - both booted from mtd3, so that would indicate that the same boot partition was used both times.

    However don't rely on logged data, examine the live system instead. But at a first glance (based on these logs), this seems like a pretty standard mtd map to me.

    And you need to see if the content of that mtd3 changes between both scenarios where the firmware apparently changes "on its own".

    Otherwise, the only way for something such as what you describe to happen is if Netgear somehow used shadow mapping (i.e. flip a register, and you end up accessing a different area of the NAND overlaid on top of the original address space). Something that a complete dump of the NAND should allow to examine.
  49. koitsu

    koitsu Network Guru Member

    There are no other logs to gain access to through common end-user means. Asking someone to void warranty to install a serial port or JTAG connection can't be done, sorry to say. We must remain practical.

    The kernel is passed the argument root=/dev/mtdblock3 in both cases, and this refers to the root filesystem. Of course that's going to be the same: that hasn't changed between Shibby in 2013 and Shibby in 2016. :) We already know the root filesystem changes because of this (look at the starting offset of rootfs):

    Creating 2 MTD partitions on "nflash":
    0x00000000-0x02000000 : "linux"
    0x00133bb0-0x02000000 : "rootfs"
    Creating 2 MTD partitions on "nflash":
    0x00000000-0x02000000 : "linux"
    0x00132eb8-0x02000000 : "rootfs"
    That's exactly what my line of thinking is, and my gut feeling is that the CFE (or something pre-kernel) is what's responsible. I can't see how the entire kernel (version/build date) and root filesystem would change otherwise.

    I don't know how to dump the entire NAND flash region linearly through Linux. Each individual partition (per /dev/mtdblockN), yes, but not from the NAND equivalent of LBA 0 to the last LBA. The biggest complication with this is that there could be user-identifiable information made available (I don't know what's in the "brcmnand" partition). If dumping all the mtdblockX devices that pertain to the 128MB NAND is somehow helpful, I can step @Nite through it. But we know factually that the rootfs etc. is going to be different.

    I haven't been able to find good, clear PCB photos of both sides of the PCB, for chip identification.
  50. RMerlin

    RMerlin Network Guru Member

    I'm not talking about logs or serial, I'm talking about querying the kernel.

    Now that I'm home to retrieve the exact command:

    admin@Stargate88:/tmp/home/root# cat /proc/mtd
    dev:    size   erasesize  name
    mtd0: 00080000 00020000 "boot"
    mtd1: 00180000 00020000 "nvram"
    mtd2: 03e00000 00020000 "linux"
    mtd3: 03c49db0 00020000 "rootfs"
    mtd4: 04000000 00020000 "brcmnand"
    That will tell you the actual table as seen by the kernel.

    The bootloader is what issues that command (which boots the kernel), not the firmware. That has nothing to do with Tomato.

    If the bootloader had any kind of support for failover firmware, it would point it at a different partition (mtd4, for example). So this confirms that it's not the bootloader switching to an alternate image.

    Occam's razor applies here. But if you still believe there's some kind of failover partition, the only way to know for sure is by looking at the CFE source code. Asus shares theirs, no idea if Netgear also does.
  51. Nite

    Nite LI Guru Member

    Hey, I'm home now to run the command. I'm among giants here, so I really appreciate both of you taking the time to help with this, it's definitely something bizarre that I've never run into before.

    At the moment I am running AT 3.3-138 K26AC USB AIO-64K. As soon as the issue reoccurs I will post the output of the command again. It seems to occur every 3 weeks or so.

    uname -a && cat /proc/mtd && md5sum /dev/mtd[0-9]
    Linux lyra #2 Tue Aug 16 21:29:17 CEST 2016 mips GNU/Linux
    dev: size erasesize name
    mtd0: 00040000 00010000 "pmon"
    mtd1: 00010000 00010000 "nvram"
    mtd2: 02000000 00020000 "linux"
    mtd3: 01ecc460 00020000 "rootfs"
    mtd4: 02000000 00020000 "trx"
    mtd5: 02000000 00020000 "jffs2"
    mtd6: 03f00000 00020000 "brcmnand"
    3e332e98ae04ca08c429ab2f7737b96c /dev/mtd0
    08255d66cf2e7c14ffa833433ec716b5 /dev/mtd1
    377033cacd50acbd6061c698c213b6bd /dev/mtd2
    d0391693016a06fc6201728eada9e6da /dev/mtd3
  52. koitsu

    koitsu Network Guru Member

    The output above comes from the following commands which I asked Nite to run:

    uname -a && cat /proc/mtd && md5sum /dev/mtd[0-9]

    What's really bothering me is the fact that /dev/mtd{4,5,6} are missing checksums from the output, so I've asked for ls -l /dev/mtd* output as well.
  53. Nite

    Nite LI Guru Member

    My apologies. I copied before it had time to finish calculating the sums for mtd4 through 6. Amended result below:

    Linux lyra #2 Tue Aug 16 21:29:17 CEST 2016 mips GNU/Linux
    dev:    size   erasesize  name
    mtd0: 00040000 00010000 "pmon"
    mtd1: 00010000 00010000 "nvram"
    mtd2: 02000000 00020000 "linux"
    mtd3: 01ecc460 00020000 "rootfs"
    mtd4: 02000000 00020000 "trx"
    mtd5: 02000000 00020000 "jffs2"
    mtd6: 03f00000 00020000 "brcmnand"
    3e332e98ae04ca08c429ab2f7737b96c  /dev/mtd0
    08255d66cf2e7c14ffa833433ec716b5  /dev/mtd1
    377033cacd50acbd6061c698c213b6bd  /dev/mtd2
    d0391693016a06fc6201728eada9e6da  /dev/mtd3
    d1b6af3776d30b9b9cd3abddb36c8caf  /dev/mtd4
    085260b1c48e97faa77ef2418377d74d  /dev/mtd5
    03f09a7d6e28b07eee40147f3344ae34  /dev/mtd6
    In case you still need this result as well:

    crw-rw-rw-    1 root     root       90,   0 Dec 31  1969 /dev/mtd0
    crw-rw-rw-    1 root     root       90,   1 Dec 31  1969 /dev/mtd0ro
    crw-rw-rw-    1 root     root       90,   2 Dec 31  1969 /dev/mtd1
    crw-rw-rw-    1 root     root       90,   3 Dec 31  1969 /dev/mtd1ro
    crw-rw-rw-    1 root     root       90,   4 Dec 31  1969 /dev/mtd2
    crw-rw-rw-    1 root     root       90,   5 Dec 31  1969 /dev/mtd2ro
    crw-rw-rw-    1 root     root       90,   6 Dec 31  1969 /dev/mtd3
    crw-rw-rw-    1 root     root       90,   7 Dec 31  1969 /dev/mtd3ro
    crw-rw-rw-    1 root     root       90,   8 Dec 31  1969 /dev/mtd4
    crw-rw-rw-    1 root     root       90,   9 Dec 31  1969 /dev/mtd4ro
    crw-rw-rw-    1 root     root       90,  10 Dec 31  1969 /dev/mtd5
    crw-rw-rw-    1 root     root       90,  11 Dec 31  1969 /dev/mtd5ro
    crw-rw-rw-    1 root     root       90,  12 Dec 31  1969 /dev/mtd6
    crw-rw-rw-    1 root     root       90,  13 Dec 31  1969 /dev/mtd6ro
    brw-rw-rw-    1 root     root       31,   0 Dec 31  1969 /dev/mtdblock0
    brw-rw-rw-    1 root     root       31,   1 Dec 31  1969 /dev/mtdblock1
    brw-rw-rw-    1 root     root       31,   2 Dec 31  1969 /dev/mtdblock2
    brw-rw-rw-    1 root     root       31,   3 Dec 31  1969 /dev/mtdblock3
    brw-rw-rw-    1 root     root       31,   4 Dec 31  1969 /dev/mtdblock4
    brw-rw-rw-    1 root     root       31,   5 Dec 31  1969 /dev/mtdblock5
    brw-rw-rw-    1 root     root       31,   6 Dec 31  1969 /dev/mtdblock6
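The before/after partition comparison discussed in the posts above, as an added example that is not part of any post: `mtd_snapshot` records `/proc/mtd` plus one hash per partition, and `mtd_compare` reports which partitions differ between two snapshots, flagging a snapshot whose hash list was cut short. The function names, the default of treating only `nvram` as expected to change, and the sample data are assumptions made here.

```shell
#!/bin/sh
# Run on the router: save the partition table and one hash per partition.
# md5sum is what the thread used; substitute sha256sum where the build has it.
mtd_snapshot() {    # usage: mtd_snapshot OUTFILE
    { cat /proc/mtd; md5sum /dev/mtd[0-9]; } > "$1"
}

# Compare two snapshots. Prints "<dev> <name> <status>" per partition, where
# status is same, changed-expected (listed as volatile), CHANGED or incomplete
# (a hash is missing, e.g. the output was copied before md5sum finished).
mtd_compare() {     # usage: mtd_compare BEFORE AFTER ["volatile names"]
    awk -v vol_names="${3:-nvram}" '
    BEGIN { n = split(vol_names, v, " "); for (i = 1; i <= n; i++) vol[v[i]] = 1 }
    # /proc/mtd row, e.g.:  mtd3: 01ecc460 00020000 "rootfs"
    /^ *mtd[0-9]+:/ {
        dev = $1; sub(/:$/, "", dev)
        if (FILENAME == ARGV[1]) {
            name = $4; gsub(/"/, "", name)
            names[dev] = name; order[++cnt] = dev
        }
        next
    }
    # md5sum row, e.g.:  <hex digest>  /dev/mtd3
    $1 ~ /^[0-9a-f]+$/ && $2 ~ /^\/dev\/mtd[0-9]+$/ {
        dev = $2; sub(/^\/dev\//, "", dev)
        if (FILENAME == ARGV[1]) h1[dev] = $1; else h2[dev] = $1
    }
    END {
        for (i = 1; i <= cnt; i++) {
            d = order[i]
            if (!(d in h1) || !(d in h2)) st = "incomplete"
            else if (h1[d] == h2[d])      st = "same"
            else if (names[d] in vol)     st = "changed-expected"
            else                          st = "CHANGED"
            print d, names[d], st
        }
    }' "$1" "$2"
}

# Constructed sample: digests are shortened placeholders, and the "before"
# capture is missing the mtd4 hash because it was copied too early.
mtd_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before.txt" <<'EOF'
dev:    size   erasesize  name
mtd0: 00040000 00010000 "pmon"
mtd1: 00010000 00010000 "nvram"
mtd2: 02000000 00020000 "linux"
mtd3: 01ecc460 00020000 "rootfs"
mtd4: 02000000 00020000 "trx"
aaaa0000  /dev/mtd0
aaaa0001  /dev/mtd1
aaaa0002  /dev/mtd2
aaaa0003  /dev/mtd3
EOF
    sed -e 's/aaaa0001/bbbb0001/' -e 's/aaaa0002/bbbb0002/' \
        -e 's/aaaa0003/bbbb0003/' "$dir/before.txt" > "$dir/after.txt"
    echo 'bbbb0004  /dev/mtd4' >> "$dir/after.txt"
    mtd_compare "$dir/before.txt" "$dir/after.txt"
    rm -rf "$dir"
}

mtd_demo
```

Keep the snapshot files off the router (or on USB storage), since a firmware change may wipe anything stored on the device itself.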
  54. Shadowfax1007

    Shadowfax1007 New Member Member

    I'm not sure if this is the right place for this, so forgive me if it's not but I'm looking for some help.

    I'm running the latest firmware on an ASUS RT-AC68U. I'm having an issue with incomplete and/or not at all page loading. Issue is present on both LAN and WIFI.

    I have Fibre To The Home with Telstra in Australia. I've tested for packet loss numerous times and that doesn't seem to be the issue. I use Getflix DNS servers usually but I've tried multiple other DNS just in case - same result. I'm not losing connection or power to the router.

    I have no idea what could possibly be wrong. Any suggestions?
  55. newprouser

    newprouser Reformed Router Member

    Hey everyone,

    I am facing a problem with bandwidth monitoring. So I recently upgraded from 132 to 138 build.

    I tried to restore only the bandwidth stats but it wasn't restored.
    2-3 days later I'm observing that the IP traffic is recorded correctly, but for the bandwidth monitoring, the data is only displayed for Real time and last 24 hours. The options "daily", "weekly", "monthly" all display no data.

    Clicking on the "Data" button on the non-working pages leads to http://<router-ip>/#bwm-daily.asp which is again a blank page.

    Router : R7000
    Data saved to RAM, and router was not restarted during the monitoring period.

    Any idea how to restore the functionality ?
  56. cyber062

    cyber062 Networkin' Nut Member

    Hi everyone,

    I found a bug in the build AdvancedTomato version 3.3-138 for R7000.
    In the menu USB & NAS -> USB Support -> File Systems Support, I can't find the Ext4 case and I can't save my check in the case ext2/ext3.

    Best regards
  57. AndreDVJ

    AndreDVJ LI Guru Member

    AFAIK Jacky recompiled the builds. Please download again.
    cyber062 likes this.
  58. cyber062

    cyber062 Networkin' Nut Member

    Thank you, it's fixed.
  59. EpsilonX

    EpsilonX Network Guru Member

    Any guide to implement AT GUI into Toastman's build..? ;)
    Thanx !
  60. DracoMilesX

    DracoMilesX Networkin' Nut Member

    After reflashing 3.3-138 because I still had the first version with the layout issues. And my VLAN page wasn't showing.

    Now after flashing it I cannot add new VLANs or modify "empty" VLANs that only have a VLAN ID and VID (It also deleted my 2 VLANs where my LAN ports were on.)

    I noticed a strange behaviour as well in Adblock now. I have to add a lot of sites to the whitelist that I didn't need before and grepping in the adblock host file it doesn't show those sites. But even when I have added them to the whitelist, after several seconds to a few minutes I can't access them anymore and need to "save" the Adblock settings again. It looks like it automatically stops/crashes.

    EDIT: Now I had some time to do some more testing and can say that the VLAN settings are broken in this release. I reverted back to 3.2-137 and they are working again.

    After an NVRAM reset I tried to add VLANs again but after a commit to NVRAM the ports/wan/br0 reset to default.
    Last edited: Oct 1, 2016
    Nazgulled likes this.
  61. Rayug1

    Rayug1 Network Newbie Member

    I may have found an interesting bug, and is probably a bug with Shibby? It's not serious but causes some headaches (and maybe someone here is more experienced with this):

    I have the latest Advanced Tomato (Version: 3.3-138) installed on a RT-N16 with the AIO version. If I set up everything up minus the VPN client, everything works great and I have it scheduled to reboot every morning at 5 am. No issues ever.

    However when I set up the VPN client, when it reboots in the morning I lose all settings and it reverts back to like a fresh install. (I am guessing the NVRAM gets wiped out?) I needed to set up the VPN last night for something and knowing the history of this I made a backup of my settings (with the VPN settings) just in case. Well just like before everything got erased, and on top of that the backup would not take as well. I had to use an older backup without any VPN settings.

    I don't use the VPN functions that often, and it's not really that big of a deal to me since I can manually set up the VPN and erase it when I am done. (which may or may not erase everything)
  62. imafish

    imafish Serious Server Member

    Is 132 the most problem-free version?
  63. Jose C

    Jose C Serious Server Member

    Based on feedback, yes it is

  64. Bozo29

    Bozo29 Networkin' Nut Member

    Any chance to see AdvancedTomato for RT-AC3200?
  65. Jacky444

    Jacky444 LI Guru Member

    I don't support routers I can't test. So for AC3200 it's an ARM7 Instruction Set Architecture (ISA) which I don't have. I have only (MIPSEL2 = RT-N / RT-AC) and ARM based routers so I can't actually test and release the firmware. With that in mind there is no specific date or plans to release firmware for any of the mentioned firmware images. My work is Open Source so anyone can adapt it to work on the mentioned router.

    Answered multiple times already...
  66. NanoG6

    NanoG6 Network Newbie Member

    Why would you reboot the router everyday??
  67. lednik

    lednik Reformed Router Member

    Could someone provide a link for Advanced Tomato 132 for Tenda N6? The oldest downloadable version on the Advanced Tomato site is 134 which is MultiWAN, and I want to download a non-MultiWAN version of Advanced Tomato since I do not need that functionality...
  68. zokstar

    zokstar Network Newbie Member

    Great looking WebUI/GUI! Thank you, keep it up!
  69. Jacky444

    Jacky444 LI Guru Member

    Thanks :)

    I added one cool feature to the downloads page, now you can type router name without actually selecting "filter input" first. After clicking "Escape" button on keyboard it will reset field too. Just for quicker filtering and selection sharing the feature =)

    I know some people wonder why there is no RSS or Mail news. In most cases the update notification is shown on the router anyway, which is enough. For those for whom it is not, checking out the website once a month shouldn't be a problem. I just feel that all these notifications and mails these days are just annoying. Not to mention it's not that easy for me to add them.

    I will make the site show older versions of firmware as well, up to 10 versions behind (at the moment it's 5).
    misuercarriere and Toastman like this.
  70. lednik

    lednik Reformed Router Member

    Ok. Thanks. :) I flashed 138 a couple of days ago out of curiosity. It's OK, but I think I'll flash back to 132 now that it's available for download on your site Jacky. I like the GUI. Nice work.
    Jacky444 likes this.
  71. JTD121

    JTD121 Addicted to LI Member

    So, recently moved. Had to up the transmit power a bit because of how I suspect this place is constructed.....which is another story entirely.

    Anyway, been having some issues staying connected. Random drop-outs here and there on a single laptop, sometimes on my two phones, but very very quick.

    Is there a way to check which version (5.x vs 6.x) I am running so I can switch over, if needed? The 'About' info page and the little descriptor at the bottom of the menu just tell me '3.2-137' at the moment. I assume there is a command to run for this information?

    Also, tangentially related, is there an 'optimal' position for the antennae on an Asus RT-N66U? All 3 just straight up, spread out (like most photos of the device)? Now I kinda want to look into higher gain antennae, maybe just cables to antenna, and tape to wall....?
  72. srouquette

    srouquette Network Guru Member

    Latest version is 3.3-138. When you log into your router, there's a message telling you there's an update, more info on the website.
  73. JTD121

    JTD121 Addicted to LI Member

    @srouquette Yes, I am aware, and I saw the message. What I wanted to know was, how do I tell which build version I am currently using.

    My current build choices are:
    • K26USB-1.28.AT-RT-N5x-MIPSR2-3.3-138-AIO-64K.trx
    • K26USB-1.28.AT-RT-N5x-MIPSR2-3.3-138-VPN-64K.trx
    • RT-N66U_AT-RT-AC6x-3.3-138-AIO-64K.trx
    I know the difference between the N5x and AC6x is the SDK used. Not too sure on the VPN build, given it's about a quarter the size of the other two. But I am having some WiFi connectivity issues on a few devices, and I want to switch from whatever version I've got, to the other, to see if that helps narrow down the issue(s) in some way.
  74. srouquette

    srouquette Network Guru Member

    I see, and I agree it isn't exactly clear.
    The version you are currently using is on the bottom left of the admin page, but I guess that's what you meant with the about page.
    I took a look at the official download page, and there are 2 firmwares: RT-N66u 64k/

    AIO is All in One, which bundles everything. VPN is a lighter version. AIO contains other stuff like torrent client, media server, etc...
    I don't know what is RT-N66U_AT-RT-AC6x-3.3-138-AIO-64K.trx, but this one seems to be a popular download.
  75. JTD121

    JTD121 Addicted to LI Member

    So, switched to tomato-RT-N66U_AT-RT-AC6x-3.3-138-AIO-64K, and left a number of settings I usually tweak, alone, after thorough NVRAM clear.

    We shall see how it pans out :D
  76. RogueScholar

    RogueScholar Reformed Router Member

    I believe I ran into this problem as well yesterday when trying to help my uncle create a new VLAN on his Netgear WNR3500Lv2 running AT3.3-138. When selecting VLAN in the Left navigation frame, the VLAN page would load in the main frame with the VLAN table itself completely absent, only the expandable Wireless and Notes sections were there. Just wanted to make note of that here for Jacky when it comes time to test for AT 3.4 or Shibby 139 while it was fresh on my mind. The issue persisted through an NVRAM reset and firmware reflash with valid MD5, and was observed on all five major Windows browsers (IE11, Edge, Firefox, Chrome, Opera) on a monitor resolution of 1280x720.

    P.S. I'd like to extend my sincere apologies to both Shibby and Jacky (both of whom I have tremendous respect and appreciation for), for the immature and vociferous cursing they received from me while I was at my uncle's house investigating this issue. It had been a long day and when I originally offered to troubleshoot I had anticipated a 5-minute "gold star nephew" performance involving little more than pointing out where the link was in the navigation frame or pointing out a browser config setting that was interfering with the table, followed by another five minutes of accolades and cookies. I went down the rabbit hole when the solution wasn't so readily apparent and, over the course of a half hour, said some things I shouldn't have said while my stomach growled in hunger and commiseration. You both dedicate countless hours to a free project which improves our lives in many ways and I was out of line. It won't happen again, either the volunteering to troubleshoot network problems for family or the cursing of the firmware contributors most visibly involved. ;)
    Toastman, Jacky444 and koitsu like this.
  77. papaberean

    papaberean Network Newbie Member

    I have an E6500v2 running the latest stock FW (at the moment). I love AT for its features (Thanks to Shibby) and its design (Thanks to Jacky). I have done a lot of reading because I like to read about the problems and answers before I have to run into them. I am not seeing a lot of support for this router, meaning not a lot of people are really using it and therefore not talking about the various issues and then talking about solving them.
    With that being said, the main thing I am not seeing is how easy it is to revert back to stock once I've installed AT.
    1) Will there be an issue or some sort of footprint remaining/lingering that will affect stock?
    2) Can I flush nvram without fear of brick? (I have read in several places that clearing nvram can either brick this router or at least cause it to not be able to revert to stock.)
    3) Concerning AT fw, can I install this in a way that it will not kick back to stock firmware after changing a setting it doesn't like?

    Also, on a side note, went to check AdvancedTomato website today for latest fw and found site is down (FYI!)

    THANKS for the help.
  78. Nazgulled

    Nazgulled Serious Server Member

    I'd love that too... Actually I've been contemplating the idea of developing one myself since I'm an Android developer. I'm eager to test a few new design patterns and new technologies on a personal project and this could be just the thing. Unfortunately, my day-to-day job takes most of time away and I barely have any free time to invest on such an endeavor right now. I wish I could find the time though... :(
    RogueScholar likes this.
  79. Nazgulled

    Nazgulled Serious Server Member

    I had some VLAN issues which forced me to revert to the same version (3.2-137).

    My problem was that no matter what I configured in the VLAN page, a few settings were "reverted" or "changed" to some "defaults". I don't know how to better describe it. Let's just say that after configuring my VLAN settings and rebooting, the configuration was different and my network didn't work as expected.

    Hopefully this will be fixed on the next version :)
  80. Nite

    Nite LI Guru Member

    Hey, I was messing around with UPNP settings, and noticed Advanced Tomato is missing the mini-upnp custom configuration text box that is present on Shibby.

    I need to restrict most of my devices from UPNP but some don't behave nicely without it. Is there any chance this can be added?
  81. Jacky444

    Jacky444 LI Guru Member

    Will be added if that's so. Need to check. Thanks =)
  82. Nite

    Nite LI Guru Member

    Thank you Jacky for your wonderful work!

    I am looking through some screenshots and on some I see the mini-upnp custom config box and on others I don't, so maybe Shibby removed it?

    This is one I found that had the option:

  83. Nazgulled

    Nazgulled Serious Server Member

  84. Jacky444

    Jacky444 LI Guru Member

    Nazgulled likes this.
  85. Guso.

    Guso. Networkin' Nut Member

    @Jacky444 is it possible to build from your git sources a build using Toastman instead? Would you point me to some advice on doing so if it is? (BTW thank you very much for your work, it is awesome :))
  86. Jacky444

    Jacky444 LI Guru Member

    GUI is written for Shibby's Tomato and I doubt it would work with Toastman's.
    Guso. likes this.
  87. Jacky444

    Jacky444 LI Guru Member

    I'm currently working on removing HTTP Authorization from Tomato and making it use a different kind of AUTH which would be server/cookie based. Basically after successful login a randomly generated string would be stored in RAM, that same string would be sent to the client as a COOKIE (also means only 1 user could log in at the same time); while that cookie/server string matches, the login is valid. So far I got to the stage where I show the "Login Page" and I designed the login page. Now I have a problem with authorization and storing the cookie/string. I'm a real newbie in the C language and I'd appreciate any help from anyone ^^.
  88. koitsu

    koitsu Network Guru Member

    This is an extremely bad idea. I cannot stress this enough from a security perspective: do not implement this.
  89. Jacky444

    Jacky444 LI Guru Member

    U are kidding right? Against base64 encrypted HTTP Auth which runs on damn browser???
  90. koitsu

    koitsu Network Guru Member

    This response doesn't make any sense with regards to the goal of your previous post. Let me explain:

    Your previous post's goal seems to be providing a way where use of HTTP authentication for every request isn't necessary, i.e. use a cookie and that acts as a "pre-validated OK" to access a page on the browser. In other words (and this is how I interpret it -- I could be wrong): you want a way to (inadvertently) "bypass" authentication once it's been authenticated once. The only reason I can think of that a person would want this is so that they could write a program or scripts or something that bang away at after authenticating once. If that's what the goal is, then you can already do that today (I've explained how in the past).

    Your follow-up reply to me takes a whole different angle/stance -- citing concern of use of base64 (re: plaintext) in the client-provided Authorization: HTTP header (in response to the server's HTTP 401/WWW-Authenticate).

    The only concern there is about base64 is that it's "easily decoded". The only way someone can get this information is if they have direct access to either a) the client or b) the router. If the person wanting the base64 string has access to either of those, then any other authentication methods (re: your proposal) solves nothing: an attacker can do whatever they want.

    Thus, the only concern I can see you having with base64 is that "it's barely better than raw plain text". Cookies don't solve that problem either -- that's purely a transport problem that can only be solved with SSL (and hint: one of the most important aspects of implementing secure cookie-based authentication is SSL as a requirement (see the Secure header -- RFC 6265 covers this)). We all know that implementing HTTPS on Tomato is painful because of firmware size limitations + OpenSSL being fat (plus the issue of certificate management, proper expiry, and so on).

    If that is the case (you'll need to confirm/deny!), then my attitude is that your efforts are better spent understanding RFC 2069 and HTTP digest authentication. I would suggest reading the disadvantages section, however. Digest authentication solves the concern regarding the base64 encoded Authorization HTTP header.

    In summary, until I see a clear outline explaining what your goal is and what the concerns are that the goal truly solves, I see this as "changing something solely for the sake of change". Cookies present a huge multitude of problems that are ridiculously annoying to solve (the complication you've run into is one of, oh, maybe 50!). It's a matter of opinion, but the security concerns with cookies are significantly many compared to significantly fewer with basic HTTP authentication.
  91. Jacky444

    Jacky444 LI Guru Member

    You just wasted precious time in your life. I have over 14 years of experience in web development and I also worked for network banking systems so I completely understand all security aspects of WWW.

    HTTP Auth without SSL is the same as posting a normal form to Tomato with username and password. The "authorization" is still done in "PLAIN TEXT" using BASE64 encoding.

    Auth works almost the same as COOKIE. It creates a session inside browser (which can also be spoofed the same way as cookie as it has no additional security or session between SERVER <-> CLIENT)?

    My idea will only move the session string from BROWSER to SERVER (tomato RAM). Nothing else will actually change. Security will stay the same and so will everything else. One good thing about it is that when someone else logs in the other person's cookie/browser will be forcefully logged out. So one session per router interface, which is additional security. Might be annoying but it's there and someone may notice their kid just logged in.

    No one uses HTTP Auth in 2016 for good reason. I only said I don't know C language well enough to construct the logic I have in mind. I never said I needed approval or opinion on its safety. Who said this change was to create more secure login?

    AsusWRT Implementation =

    P.S.: You are the kind of people that hold the world's progress back. I just lost all my interest in this project because all that people want from me is bullshit. Again matter of perspective, but I guess anyone can figure I have set mine.
    Last edited: Nov 28, 2016
    kille72 likes this.
  92. jerrm

    jerrm Network Guru Member

    Good thing? The thought of that behavior makes me cringe. I'd be swearing at it constantly.
    koitsu and Toastman like this.
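The scheme debated in the posts above (a random token held in router RAM, sent to the browser as a cookie, one session at a time), written out as an added C example; it is not Jacky444's code and not the AsusWRT implementation. The cookie name `at_session`, the 600-second idle limit and all function names are assumptions made here, and the password check itself is out of scope.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_BYTES 16                  /* 128 bits from the kernel CSPRNG */
#define TOKEN_HEX   (TOKEN_BYTES * 2)
#define IDLE_LIMIT  600                 /* assumed idle timeout in seconds */
#define COOKIE_NAME "at_session"        /* hypothetical cookie name */

/* The one server-side session, kept in RAM only. */
struct session {
    char     token[TOKEN_HEX + 1];      /* "" means nobody is logged in */
    uint64_t last_seen;                 /* uptime seconds of last valid request */
};

/* Fill tok with TOKEN_HEX hex digits read from /dev/urandom. 0 = ok, -1 = fail. */
static int new_token(char tok[TOKEN_HEX + 1])
{
    unsigned char raw[TOKEN_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n, i;

    if (f == NULL)
        return -1;
    n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw)
        return -1;                      /* fail closed; never fall back to rand() */
    for (i = 0; i < sizeof raw; i++)
        snprintf(tok + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Compare len bytes without exiting early, so timing does not leak how much matched. */
static int ct_equal(const char *a, const char *b, size_t len)
{
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < len; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

static void session_logout(struct session *s)
{
    memset(s->token, 0, sizeof s->token);
    s->last_seen = 0;
}

/* Call only after the password check passed. A new login replaces the old token,
 * which gives the one-session-at-a-time behaviour discussed in the thread. */
static int session_login(struct session *s, uint64_t now)
{
    char tok[TOKEN_HEX + 1];

    if (new_token(tok) != 0)
        return -1;
    memcpy(s->token, tok, sizeof tok);
    s->last_seen = now;
    return 0;
}

/* Validate the cookie value of a request. `now` must come from a monotonic
 * source (assumption: system uptime), so wall-clock steps cannot extend a
 * session. Unsigned wrap-around on now < last_seen reads as expired. */
static int session_check(struct session *s, const char *cookie, uint64_t now)
{
    if (s->token[0] == '\0' || cookie == NULL || strlen(cookie) != TOKEN_HEX)
        return 0;
    if (now - s->last_seen > IDLE_LIMIT) {
        session_logout(s);
        return 0;
    }
    if (!ct_equal(s->token, cookie, TOKEN_HEX))
        return 0;
    s->last_seen = now;
    return 1;
}

/* Build the Set-Cookie header. Secure is added only when the GUI is served over
 * HTTPS; over plain HTTP the token crosses the LAN in clear text, just as the
 * Basic-auth header does. Returns the length written, or -1 if buf is too small. */
static int session_cookie_header(const struct session *s, int https,
                                 char *buf, size_t len)
{
    int n = snprintf(buf, len, "Set-Cookie: %s=%s; Path=/; HttpOnly; SameSite=Strict%s",
                     COOKIE_NAME, s->token, https ? "; Secure" : "");
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    struct session s = { "", 0 };
    char hdr[128], first[TOKEN_HEX + 1];

    if (session_login(&s, 1000) != 0)   /* constructed uptime values */
        return 1;
    memcpy(first, s.token, sizeof first);
    session_cookie_header(&s, 1, hdr, sizeof hdr);
    printf("%s\n", hdr);
    printf("first cookie at t=1100: %d\n", session_check(&s, first, 1100));
    session_login(&s, 1200);            /* second login replaces the token */
    printf("first cookie after second login: %d\n", session_check(&s, first, 1201));
    return 0;
}
```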
  93. koitsu

    koitsu Network Guru Member

    I took the time to also look at what Asus wrote (thanks for the link) -- you now have:

    1) Referer header parsing and checking, to try and ensure CSRF doesn't get violated,
    2) IP address tracking/comparisons during login (here's more), and some other stuff I can't even wrap my brain around immediately (gut feeling is an HTTP-based restriction, defining what IPs on the LAN can access the web GUI at all),
    2a) ...which doesn't take into consideration cases where, say, someone changes their LAN IP (static DHCP allocations come to mind) -- now you get to "hack your way in" to relieve yourself of this problem,
    3) Timestamp comparisons, which introduces the wonderful complications such as dealing with:
    3a) Time skew -- forward isn't usually a problem, but backwards usually is. A device must use ntpd or chrony and not ntpdate/ntpc/rdate from a cronjob to accomplish proper time adjustment, otherwise software gets very confused,
    3b) Environments/WAN setups where the router can't get its clock synced up immediately (i.e. httpd must block/wait until NTP is finished -- what if it doesn't finish (network issues, etc.)),
    3c) People who previously weren't using NTP to sync their router's clock, but then decide to (might be a problem, but might not),
    3d) Cases where the user changes timezones, or where the previous timezone was set incorrectly (particularly a problem if time ends up going backwards),
    3e) ...and here's some stuff too which I don't want to review,
    3f) ...and here's (3a) and (3d) documented (don't miss last paragraph),
    4) An enforcement of "maximum number of logins", which introduces the complication of:
    4a) Expiries (when does this imposed limit stop getting reached?),
    4b) Timeout scenarios (particularly a problem when a local network issue happens),
    4c) Having to track successful vs. failed logins,
    4d) Requiring someone to click a logout button vs. just clicking [X] (here too), otherwise they have to wait for the expiry (what IS the expiry anyway? I've been trying to figure it out by reviewing the code, but I just don't see it),
    4e) Oh, but there are some exceptions to all of this,
    5) A sort of weird token that's generated from 4 random numbers (I also don't understand why they used signed values vs. unsigned) -- which even has its own override method (this looks incredibly suspicious to me, but apparently it's for AiCloud, whatever that is),
    6) All while adding several NVRAM variables to try and keep track of all of the above. Let's make a list:


    All in exchange for something simple like this (yes that's really all there is to it).

    If the above is what you call progress, then I guess my youthful reaction would be: such "progress", much wow. Thanks for reminding folks that "newer" is not always better. :)
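Added example, not part of any post in this thread and not Tomato or AsusWRT code: a C sketch of the single server-side session Jacky444 describes in post 91 (a new login replaces the old one), with expiry measured on the monotonic clock so the clock changes koitsu lists in 3a to 3d cannot move it. The function names, the 128-bit token and the 600-second idle timeout are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* for clock_gettime */
#endif
#include <stdio.h>
#include <string.h>
#include <time.h>
#define TOKEN_LEN 32      /* hex chars (128 random bits); assumed size */
#define IDLE_TIMEOUT 600  /* seconds of inactivity before expiry; assumed */

/* The one session slot kept in router RAM (hypothetical layout). */
static struct { char token[TOKEN_LEN + 1]; time_t last_seen; int active; } slot;

/* Seconds on the monotonic clock: NTP steps and timezone changes never move it. */
time_t mono_now(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec;
}

/* Successful login: a fresh token overwrites the slot, ending any earlier session. */
int session_login(char *token_out, time_t now)
{
    unsigned char raw[TOKEN_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");   /* kernel CSPRNG */
    size_t n = f ? fread(raw, 1, sizeof raw, f) : 0;
    if (f) fclose(f);
    if (n != sizeof raw) return -1;          /* no randomness, no login */
    for (size_t i = 0; i < sizeof raw; i++)
        sprintf(slot.token + 2 * i, "%02x", raw[i]);
    slot.last_seen = now;
    slot.active = 1;
    memcpy(token_out, slot.token, TOKEN_LEN + 1);
    return 0;
}

/* Per-request check: 1 if `presented` is the live session token, else 0. */
int session_check(const char *presented, time_t now)
{
    unsigned char diff = 0;
    if (!slot.active || !presented || strlen(presented) != TOKEN_LEN) return 0;
    if (now - slot.last_seen > IDLE_TIMEOUT) { slot.active = 0; return 0; }
    for (size_t i = 0; i < TOKEN_LEN; i++)   /* compare without early exit */
        diff |= (unsigned char)(presented[i] ^ slot.token[i]);
    if (diff) return 0;
    slot.last_seen = now;                    /* sliding idle window */
    return 1;
}

int main(void) { char t[TOKEN_LEN + 1]; return session_login(t, mono_now()) || !session_check(t, mono_now()); }
```

The token still crosses the LAN in the clear unless the GUI is served over HTTPS, which is the transport point argued in the posts that follow.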
  94. RMerlin

    RMerlin Network Guru Member

    A lot of the parts of Asuswrt that you quote were actually implemented BEFORE the new session-based authentication. They weren't added because of it, they were already there.

    For instance:

    login_ip* are there because Asuswrt never allowed more than one single simultaneous login. Unrelated to the new session-based auth.

    httpd_clientlist is there to allow a whitelist of IPs allowed to use the webui - again, that was there long before the new login scheme, and is totally unrelated. Users can limit what IPs can access the webui, from the Administration -> System page.

    httpd_handle_fromapp is there to handle Asus's Android/IOS application - and again, unrelated to the session-based auth.

    Everyone is moving away from Basic Auth because it's simply not secure, and easily exploitable. Yes, it's more complex. But simplicity is no longer enough in this world filled with CSS/XSS exploits. For instance, clicking on an "X" does NOT log you out of a basic authenticated session. That's why banks and others recommend closing down the whole browser to ensure you are really logged off.
  95. koitsu

    koitsu Network Guru Member

    Thanks for clarifying which code bits/pieces and NVRAM vars were for what. I want to get to the bulk of the discussion point:

    Everyone is moving away from HTTP basic authentication because of the pop-up browser dialog box that they have no control over visually (i.e. the focus is on aesthetics). There is a common misconception that the methodology/model is "insecure", but it isn't.

    The common rebuttal point about HTTP basic authentication is the one that was presented here by Jacky: that it's insecure because the client sends the credentials in the Authorization HTTP header in a base64-encoded string, and "anyone who can get the string can decode it". If the focus is entirely about the encoding used, then HTTP digest authentication solves that concern. HTTP digest authentication, however, doesn't solve MITM attacks (keep reading please).

    The follow-up rebuttal then becomes a) concerns over MITM attacks, or b) concerns over traffic sniffing. The only way to solve either or both of these is to use SSL. But here's the ruse: once you implement SSL, the previous concern over the base64 encoding becomes moot.

    The follow-up rebuttal to that then becomes that using session-based authentication solves these problems. Except it doesn't. With session-based authentication, you're still subject to concerns over traffic sniffing, and suddenly you have to start worrying about stuff like tracking the user's IP address, enforcing things like only allowing a single user to sign in, dealing with session expiry, blah blah blah -- I covered most of this above.

    The follow-up rebuttal to that then becomes concerns over CSRF attacks. Yes, HTTP basic authentication is subject to these problems: but so is session-based authentication. The only way to rectify CSRF concerns is through Referer checking, which is subject to ridiculous complications coding-wise (I've given examples already).

    This follow-up rebuttal back-and-forth continues on for quite some time on some other subjects (XSS, the aspect of logging out (you covered this already), and a few others). Given the verbosity of my posts, I really don't want to sit here going over every single one, especially when I'm presented with arguments like "I have over 14 years of experience in web development and I also worked for network banking systems so I completely understand all security aspects of WWW".

    The short of it is that the hate and concern over HTTP basic authentication has stemmed (for quite some time) from people who don't actually understand the security aspect as a whole: they see base64-encoded strings and don't think about the rest of the picture (see above). If you solve the transport problem (i.e. use SSL), almost all of those concerns become moot. This intelligent fellow breaks it down quite well.

    This is why I asked Jacky444 to explain what his goal was. To step back and explain what actual problem was which he was solving, or if not a problem, what the intended goal of the feature/change was. If the person cannot explain what it is they're trying to solve, then the logical deduction is that the driving force is change-for-the-sake-of-change, which (IMO) is never a good thing.

    We also must be realistic and practical. The Tomato web GUI is intended to be accessed by devices on the LAN by default (if the user enables remote accessibility, then that's their own fault -- we should not be in the business of preventing foot-shooting: the time is better spent educating people why not to do that, and instead use, say, an SSH port forward/tunnel). For local networks where packet sniffing is a concern (and hoo boy, if you've got this going on, i.e. layer 1 is insecure, then no aspect of the OSI layer can solve your dilemma), Tomato does have SSL, but it's neglected. (It does look like AsusWRT/Merlin implemented this better and is more user-friendly in the sense of certificate management ease-of-use and so on.) But for most consumer networks, packet sniffing isn't a concern... so we're back to square one: trying to solve a problem that doesn't exist? I really don't know what else to say at this point, which is why I asked for the intended goal.

    Any time I see someone touching security-related things in a firmware that is commonly used by consumers, I get on edge. With things like Mirai and IoT, it is fairly obvious that even commercial vendors do not understand what they're doing. I want to make sure Tomato does not fall into that category.
  96. azdps

    azdps LI Guru Member

    Just some thoughts Jacky444. First off I remember Toastman saying a while back he had no use for your GUI so I'm not sure why he gave jerrm a like in his post above. It will have no impact on him and shouldn't be a concern. koitsu may have some validity to his comments but again koitsu is in the same boat as Toastman. He doesn't use Shibby's firmware but instead uses Toastman's. This change would have no impact on koitsu whatsoever since again he isn't using your GUI. So I'm not sure why he's wanting to put so much effort into explaining why he's right. Freedom of speech? Not really sure.

    Nothing wrong with removing HTTP support if you want to remove it and implement a different means of authentication. This is a GUI you designed and is honestly quite impressive. Whatever you come up with I'm sure will be nothing less than outstanding once it's all done and over with. I happen to welcome a single login session restriction within my network environment. Maybe you can implement it as a setting that could enable or disable it.

    No offense to Toastman or koitsu since I have respect for both of them. They have contributed enormously to make tomato a successful firmware project. So I hope they don't shed any tears over my comments. And koitsu better continue to help me when I'm stumped with something ;).

    Keep up with great work Jacky444!
  97. koitsu

    koitsu Network Guru Member

    @azdps While I don't use AdvancedTomato (but did use Shibby for a period where Toastman was on a bit of a hiatus, though Toastman does occasionally try AT just to get an idea of the experience), my concerns are these:

    1. The lack of a defined goal of the change; what actual problem (details needed!) is being fixed by this change? Or is this change-for-the-sake-of-change (very prevalent in computing today)?
    2. The general spread of misinformation (FUD) about HTTP basic authorisation and general security practices,
    3. The fact that most of the Tomato forks share commits/code/changes amongst one another. If this was to get imported into Shibby, it would be just another one-off that would have to be remembered and avoided in future non-Shibby firmwares. This sounds easy at first ("it's just one commit, so skip it?"), but the problem becomes complicated when spread across multiple commits (use of git rebase -i and squashing commits (rolling them into one) where appropriate) and even more complicated if different/unrelated changes touch/change the file (e.g. you can't just cp Shibby's file into the Toastman tree) (and we've seen cases of this recently!). The developers literally have to start remembering all the one-offs as the forks become more and more separated.

    If the goal of the change is to improve/address security in general, then (IMO) efforts are better spent improving SSL/HTTPS support as a whole, with the final end accomplishment being to move the entire interface over to pure HTTPS (i.e. Tomato listens on 443 and no longer 80).

    And nope, I don't shed any tears or feel butthurt about your comments (or anyone else's for that matter). The reason I'm passionate about this is because the goal/driving force is undefined. I've seen this happen to too many good open-source projects as of late (past ~5 years); Tomato is already a bit of a mess code-wise (lots of chefs in the kitchen over the years, but a lot of the "bleh" comes from Jon Zarate hammering this stuff out without the original goal having been an open-source project, i.e. lots of uncommented code, especially in the JS world).

    That said, it's important all readers understand that my words should hold no more weight than anyone else's. It's just an opinion backed with experience -- just like that of Jacky444 and RMerlin and Shibby and you and anyone else. I respect all of those opinions, no matter if I disagree or agree.
  98. Toastman

    Toastman Super Moderator Staff Member Member

    @azdps - I think you read too much into "like" clicks. :eek:

    In a previous post Jacky had stated:
    As I am also fed up with windows and ads and stupid messages popping up on web pages while I am trying to do something, I totally agree with him. So I clicked "Like".

    Above, with reference to:
    I clicked "Like" on that because I feel as a router admin that one of the most useful functions in remote diagnostic of routers, whether it happened by accident or not, is that I can open more than one session to Tomato routers. Also, the ability for another user, authorized or not, to kick off admin staff by logging in while he is doing maintenance isn't such a terribly good idea.

    example: The "LINE" chat app has a notification and generates a new user message every time someone logs into another device (including your own PC). Most people find that annoying and there is no way to turn it off.

    We seem to get a lot of problems on websites these days with these stupid "Like" buttons. In some countries clicking "Like" on something without thinking can get you 15 years in Jail. Perhaps we should not ever click "Like" but should rather take the time to type out our thoughts into a long explanatory post. But then, would we bother?
  99. Jacky444

    Jacky444 LI Guru Member

    I attached a screenshot that I made before I posted for help (I've already modified the handler the way it shows the page, just didn't handle the session/actual login yet).

    Last edited: Nov 28, 2016
    Tony Ramirez and The Master like this.
  100. Alexandrus

    Alexandrus New Member Member

    Ah, come on, AT is awesome, don't be put off by what some people say or want.
    It's your project so you can do whatever you want with it. Whoever does not like that can use something else.

    PS. That authentication page looks very good. And that's from a guy who dislikes the color blue (hypersensitive eyes and blue makes the pupil shrink).
    Tony Ramirez likes this.