pixelserv compiled to run on router WRT54G

Discussion in 'Tomato Firmware' started by Jedis, Sep 5, 2009.

  1. Toxic

    Toxic Administrator Staff Member

    Sorry for the belated reply. The fact is, Bots suck a lot of bandwidth from this site. Anonymous downloads would increase the bandwidth and increase the site's outgoings. All users that want something from the site must register and prove to me and staff that they are not a bot.
  2. mstombs

    mstombs Network Guru Member

    Here is a development version V31, which includes the nullserv jpg, png and swf responses. Perhaps more significant is a change for the default response to be text/html - note haven't implemented nullserv's range of null text responses.

    seems to function for me, but only new responses are from my test at the moment!

    Jun  1 23:47:23 easyN16 daemon.info pixelserv[19515]: ./pixelserv V31 compiled: Jun  1 2013 23:40:13 from pixelserv31.c
    Jun  1 23:47:23 easyN16 daemon.notice pixelserv[19517]: Listening on
    Jun  2 00:05:28 easyN16 daemon.info pixelserv[19517]: 71 req, 0 err, 0 bad, 10 gif, 58 txt, 1 jpg, 1 png, 1 swf

    Attached Files:

  3. HunterZ

    HunterZ Network Guru Member

    Cool, thanks. Giving it a spin now.
  4. HunterZ

    HunterZ Network Guru Member

    Update: Seems to be working fine, thanks.

    Got another email from the author of nullserv with a couple of comments:
  5. mstombs

    mstombs Network Guru Member

    The whole pixelserv.c source and a tomato router binary is posted in the attachment above, together with a script file used to compile using a previously installed tomato toolchain. The whole development is in this thread, or over on dd-wrt forums where others have compiled for Atheros, and the simplistic inetd (no filename parsing) and external file/gif read was added, (inetd mode now removed!) There is no licence, it's just an assemblage of library calls from examples elsewhere, and should compile/run on any Linux box, router or RaspberryPi etc! Intended to be as small/efficient as possible, the response is a single string pushed out in one send command. I never intend to do much with it, so if someone wants to host elsewhere fine!

    Will look at stunnel, it does have a daemon mode, and https ads are becoming more common. Something that answers with 'no thanks' may improve web surfing on pages with blocked ads if alternative is to wait for browser to timeout.
  6. HunterZ

    HunterZ Network Guru Member

    Nullserv's author was asking because he would like to put a link in his nullserv documentation and/or site to pixelserv for those who may be interested in it, but he feels there isn't much point when random people can't easily download pixelserv from here due to the moderation restrictions on new users.

    I don't know if I can find the time, but it would probably be useful to download all of the posted versions of pixelserv's source and upload them successively to a version-controlled hosting site (Github, sourceforge, or Google Code) so that people can see the version history.

    I got entware's stunnel working in daemon mode with pixelserv to some degree, and intend to post details sometime this week. There are two quirks that I haven't come up with a good solution for, but it's still an improvement because worst case is that the browser gets an instant answer it doesn't like versus no answer at all.

    I'm also not confident that I could package a standalone stunnel installation, as entware's has some dependencies (openssl and at least 2 other packages whose names I don't remember). Fortunately, it's pretty painless to get entware working via a cifs mount (or jffs partition, or USB or whatever - just loop mount to /opt and you're done!).
  7. HunterZ

    HunterZ Network Guru Member

  8. mstombs

    mstombs Network Guru Member

    Interesting, thanks, I set entware off to recompile everything last night - so will have all sources and binaries on my PC!
    You get the "invalid/corrupted" browser message if you just run pixelserv to answer on port 443 (BTDTGTTS)!

    Thinking about non-entware 'cut down options' there's discussion about compiling just stunnel here

    But clearly Rodney managed it and standalone binaries are available on his site - but static compile is large!
  9. pharma

    pharma Network Guru Member

    Thanks Mstombs ... upgrading to pixelserv 3.1 once I get home.

  10. HunterZ

    HunterZ Network Guru Member

    That will probably be large. Even the minimal binary-only install with no optional packages is a couple hundred MB I think (unless something else on my router cifs mount is taking up a lot of space).

    A downside of building it all from source is that you won't know if they update something. Entware is meant to be a package manager that lets you install and update packages from their package repository. I guess maybe you could periodically update your mass checkout?

    Yeah, I think nullserv's author mentioned the same thing. Haarp suggested trying this in his adblocker thread, and I think it may be the best option short of using stunnel because it still provides the browser with an instant response (it will just be something the browser doesn't know how to handle). Using iptables to reject with a TCP reset is probably the next-best option, but doesn't seem to be as fast as giving a real response for some reason.

    Of course, stunnel isn't perfect either (as I mention in the adblocker thread). Not having a CA-issued SSL certificate means that browsers won't display pixelserv data automatically through stunnel connections, and even when I get past that it seems that stunnel still serves up corrupted data some of the time.
  11. lancethepants

    lancethepants Network Guru Member

    You can get free ssl certs that work with all browsers and devices at startssl.
    I use it for my home server share and it works great.
  12. mstombs

    mstombs Network Guru Member

    The Entware maintainers do a great job "make clean all" ran to completion - but I haven't looked at anything.
    I did code an option to make pixelserv.c listen on configurable port but I thought this only useful for testing so don't usually build it in - I don't think the browser message was pleasant.
    I'm sure there must be a simple polite "not today thanks" response to the initial request to set up the https tunnel - but we didn't find one in the thread about blocking https sites.
  13. HunterZ

    HunterZ Network Guru Member

    Thanks. I've signed up, but I can't see how to get a certificate. It wants me to verify ownership of a top-level domain first, but I just want to use it for my private LAN.
  14. lancethepants

    lancethepants Network Guru Member

    Ah, I think I remember reading somewhere they can only do top-level domains, so maybe not an option after all.
  15. Toink

    Toink Network Guru Member

    I know that v30 doesn't work with the E3000 and E4200 which I have tested before. Having tested the latest v31, it still gives me an error 'pixelsrv error' - thingy in my logs using ALL-U-NEED adblocker script. on Toastman's latest 0502.7 NOCAT

    Am I correct that only v27.c works in my routers?

  16. mstombs

    mstombs Network Guru Member

    Yes, sorry I removed support for the interface option, expecting the script would be updated. Config changes via gui could redefine the interface and leave pixelserv non operational. In the lean mean adblock script iptables is used to be more selective as to which interface has access to the pixelserv IP, and I think that's the best place for that filtering. I could add it back but you need to kill and restart the prog in the firewall script to be sure it re-attaches to the interface (negligible size increase compared to extra null responses!)

    My stats after a couple of days usage

    Jun  8 12:22:57 unknown daemon.info pixelserv[19517]: 3151 req, 629 err, 3 bad, 115 gif, 2151 txt, 1 jpg, 250 png, 2 swf

    Questions for anyone:-

    If a web-page asks for a jpg or png does the browser really mind if a gif with correct header is returned? I have seen a browser script error which made it clear it had attempted to execute the binary gif, so guess anything possible?

    Is it worth adding the different versions of null text generated by nullserv? In similar query with above if you access a website with php extension, you don't expect a plain text source file to be sent, the php code more likely to send text/html ?
  17. mstombs

    mstombs Network Guru Member

    Here's another test version with an attempt to reject an https ssl/tls request. I've tried a few options, all result in browsers making repeat attempts with lower levels of encryption - but hopefully conversation is quick and web pages don't wait for timeouts?

    Also compiled with options to select interface and port, to answer https requests either have to divert port 443 to port 80 using iptables DNAT, or run second copy of pixelserv on port 443 using

    root@easy-RTN16:/tmp/var# ./pixelserv -p 443
    pixelserv[16324]: ./pixelserv V32 compiled: Jun  9 2013 19:16:14 from pixelserv32.c
    Jun  9 19:20:02 unknown daemon.info pixelserv[16326]: 1 req, 0 err, 0 gif, 0 bad, 0 txt, 0 jpg, 0 png, 0 swf, 1 ssl
    Jun  9 19:20:02 unknown daemon.info pixelserv[16310]: 3 req, 0 err, 0 gif, 0 bad, 0 txt, 0 jpg, 0 png, 0 swf, 3 ssl

    Attached Files:

    redhat27, vipercubic and pharma like this.
  18. Toink

    Toink Network Guru Member

    Thank you, mstombs! This version seems to be working quite well on my E3000's and E4200 using Toastman's latest 0502.8 Build and running ALL-U-NEED adblock script.

    pixelserv 32.c loads just fine. No more errors when loading :)

    daemon.info pixelserv[1045]: /tmp/pixelserv V32 compiled: Jun  9 2013 19:16:14 from pixelserv32.c
    user.notice root: ADBLOCK: 35197 entries
    user.notice root: ADBLOCK: sorting hosts...
    user.notice root: ADBLOCK: hosts sorted.
    user.notice root: ADBLOCK: 27971 entries
  19. Frequenzy

    Frequenzy Addicted to LI Member

    will try the new pixelserv, currently using the lean and mean adblock script
  20. HunterZ

    HunterZ Network Guru Member

    Just got the new version working in place of my previous stunnel solution. I decided to run two copies of pixelserv because I am not enough of a wizard to guess what the iptables command would be to direct SSL connections to pixelserv on port 80.

    Seems to work about as well as stunnel so far, with firefox saying it gets a valid certificate but that access is denied (ssl_error_access_denied_alert).
  21. mstombs

    mstombs Network Guru Member

    A candidate iptables command for the redirect is

    iptables -t nat -A PREROUTING -i br0 -p tcp -d --dport 443 -j DNAT --to
    I could get various messages from Chromium and Iceweasel, by modifying the response and disabling the excellent AdblockPlus! - but have to admit have not yet used wireshark or equivalent to see what other browsers such as Internet Explorer or Mobile try to do.

    If interested in the details the code above optionally includes a hex_dump of the received message which matches this

    and I have selected the Access denied response from


    stats after few days, very few null gifs now!

    Jun 26 07:53:54 rtn66u daemon.info pixelserv[1160]: 12313 req, 1598 err, 102 gif, 20 bad, 9446 txt, 1 jpg, 31 png, 46 swf, 1069 ssl
    Kye-U likes this.
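The reply described in posts 17 to 21 above (answering an incoming TLS handshake with a fatal alert instead of serving HTTP) can be sketched as follows. This is an added example, not pixelserv's own code: the function names and sample bytes are constructed for illustration, the record constants are taken from RFC 5246, and echoing the client's record version in the alert is an assumption of this sketch.

```c
/* Added example (not from pixelserv): classify the first bytes a sinkhole
 * receives and, for a TLS ClientHello, build a fatal access_denied alert. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 5246: record types (6.2.1), handshake type (7.4), alerts (7.2). */
enum { REC_ALERT = 0x15, REC_HANDSHAKE = 0x16, HS_CLIENT_HELLO = 0x01 };
enum { ALERT_FATAL = 2, ALERT_ACCESS_DENIED = 49 };
enum { TLS_ALERT_LEN = 7, TLS_MAX_RECORD = 16384 };

typedef enum { REQ_TOO_SHORT, REQ_TLS_HELLO, REQ_HTTP, REQ_OTHER } req_kind;

/* Constructed sample inputs. The hello is only the start of a record: the
 * first read on a socket may not contain the whole ClientHello. */
static const uint8_t SAMPLE_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0x2f,   /* handshake record, version 3.1, length 47 */
    0x01, 0x00, 0x00, 0x2b,         /* ClientHello, body length 43 */
    0x03, 0x03                      /* client_version 3.3 */
};
static const uint8_t SAMPLE_HTTP[] =
    "GET /banner.png HTTP/1.1\r\nHost: ads.example\r\n\r\n";
/* Looks like a handshake but claims a record longer than TLS allows. */
static const uint8_t SAMPLE_JUNK[] = { 0x16, 0x03, 0x01, 0xff, 0xff, 0x01 };

static int has_prefix(const uint8_t *buf, size_t len, const char *p)
{
    size_t n = strlen(p);
    return len >= n && memcmp(buf, p, n) == 0;
}

/* Decide what kind of client is talking, using only the leading bytes. */
req_kind classify_first_bytes(const uint8_t *buf, size_t len)
{
    if (len < 6)
        return REQ_TOO_SHORT;
    if (buf[0] == REC_HANDSHAKE && buf[1] == 0x03) {
        size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
        /* A handshake message needs at least its 4-byte header. */
        if (buf[5] == HS_CLIENT_HELLO && rec_len >= 4 && rec_len <= TLS_MAX_RECORD)
            return REQ_TLS_HELLO;
        return REQ_OTHER;
    }
    if (has_prefix(buf, len, "GET ") || has_prefix(buf, len, "POST ") ||
        has_prefix(buf, len, "HEAD "))
        return REQ_HTTP;
    return REQ_OTHER;
}

/* Write the alert record into out[7]; returns bytes written, 0 if the input
 * is not a ClientHello. Layout: type, version(2), length(2), level, desc. */
size_t build_access_denied_alert(const uint8_t *hello, size_t hello_len,
                                 uint8_t out[TLS_ALERT_LEN])
{
    if (classify_first_bytes(hello, hello_len) != REQ_TLS_HELLO)
        return 0;
    out[0] = REC_ALERT;
    out[1] = hello[1];              /* echo the client's record version */
    out[2] = hello[2];
    out[3] = 0x00;                  /* alert body is always 2 bytes */
    out[4] = 0x02;
    out[5] = ALERT_FATAL;
    out[6] = ALERT_ACCESS_DENIED;   /* Firefox: ssl_error_access_denied_alert */
    return TLS_ALERT_LEN;
}

int main(void)
{
    uint8_t alert[TLS_ALERT_LEN];
    size_t n = build_access_denied_alert(SAMPLE_HELLO, sizeof SAMPLE_HELLO, alert);

    printf("hello -> kind %d, alert:", classify_first_bytes(SAMPLE_HELLO, sizeof SAMPLE_HELLO));
    for (size_t i = 0; i < n; i++)
        printf(" %02x", alert[i]);
    printf("\nhttp  -> kind %d\n", classify_first_bytes(SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1));
    printf("junk  -> kind %d\n", classify_first_bytes(SAMPLE_JUNK, sizeof SAMPLE_JUNK));
    return 0;
}
```

Because the alert is sent before any certificate or key exchange, the listener needs no certificate or OpenSSL dependency, which is the size advantage over the stunnel approach discussed earlier in the thread.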
  22. Frequenzy

    Frequenzy Addicted to LI Member

    i'm currently using pixelserv32, what command do you use to display the stats?
  23. lewisje

    lewisje Reformed Router Member

    The PNG used in pixelserv V32, which is based on the one in nullserv, is unoptimized; by running it through pngout, optipng, advpng, and deflopt, I could reduce it to about 93 bytes from the current 114, but there is an even better 67-byte transparent 1x1-pixel PNG used in Adblock Plus: 

    I hope that future builds of pixelserv for routers use this PNG; I have already told the maintainer of nullserv about this.
  24. HunterZ

    HunterZ Network Guru Member

    I replied on Github, but I'll ask here too since I'm currently more interested in its possible use here:

    Does AdBlock Plus claim any kind of a license over their PNG data?
  25. mstombs

    mstombs Network Guru Member

    killall -usr1 pixelserv
    Then use web gui to look at system log, or from the command line look at last few messages with

    tail /var/log/messages
    Jun 29 15:25:56 rtn66u daemon.info pixelserv[1160]: 16741 req, 2415 err, 137 gif, 26 bad, 12812 txt, 2 jpg, 37 png, 57 swf, 1255 ssl
    The excellent Adblockplus is open source licensed under GPL or Mozilla/Google Chrome versions so I don't think there would be an issue, but I don't see where it currently is in the adblockplus sourcecode - an early reference to the 67 byte png is however available here: - ,


    but clearly discussed in news groups for some time before. I'll check it out by converting to my cryptic mixed ascii/hex string format.

    There's also some smaller gifs mentioned here :-

  26. lewisje

    lewisje Reformed Router Member

    It turned out that Adblock Plus just briefly used that PNG to redirect certain requests, but now it just cancels the request entirely; anyway, there might be a little problem with including GPL code in an LGPL project, except that this particular PNG is fairly well-known and it's just through ABP that I learned about it.

    I also saw that there have been people updating pixelserv for Atheros-based routers, and I'll bump that thread to let them know about the continuing efforts here: https://secure.dd-wrt.com/phpBB2/viewtopic.php?p=513683
  27. HunterZ

    HunterZ Network Guru Member

    I should mention that my Android phone gives me a "sign on to wifi network" when I connect to my wifi with Pixelserv running at on ports 80 and 443 (and an adblock script that configures dnsmasq and iptables to redirect a blocklist of servers to it). Apparently the phone believes that this is a splash page server for public wifi access. I'm not sure if this is due to an adblock redirect, or just the fact that a certain URL appears to resolve.

    I'm thinking of trying to run pixelserv on a different subnet (e.g. or something) to see if that helps.
  28. jerrm

    jerrm Network Guru Member

    I get the same thing on my Kindle Fire. What is yours?

    I haven't bothered to debug yet, rarely use the kindle for browsing. Assumed it was testing the connection using one of the redirected amazon domains. If you're not on a kindle, might be some other domain.

    I'll enable query logging in dnsmasq when I get home this evening and see what it is looking for.
  29. HunterZ

    HunterZ Network Guru Member

    It's an HTC EVO 4G cell phone running an unofficial Android Jelly Bean ROM, so I think it's safe to say that Android is the common factor here.
  30. jerrm

    jerrm Network Guru Member

    My kindle was continuously querying http://spectrum.s3.amazonaws.com/kindle-wifi/wifistub.html. Spectrum.s3.amazonaws.com, was in my blacklist. Added to my whitelist and now I don't get the prompt.

    Obviously your HTC isn't looking for a kindle URL, but is probably doing something similar.
  31. HunterZ

    HunterZ Network Guru Member

    How do I enable logging in dnsmasq?

    I'm not at home, but looking at my phone's browser history: it looks like it's trying to load "http://{somedomain}/generate_204", and that {somedomain} is probably being redirected to pixelserv.
  32. jerrm

    jerrm Network Guru Member

    Add "log-queries" in the web-gui dnsmasq custom config options.

    Probably easier to just grep the blocklist for somedomain.
  33. HunterZ

    HunterZ Network Guru Member

  34. jerrm

    jerrm Network Guru Member

    OK, if it is trying to resolve the address first and use it in the url then enable log-queries, tail -f /var/log/messages | grep ip.of.ph.one , reboot the phone and watch.
  35. HunterZ

    HunterZ Network Guru Member

    Looks like my phone was probably trying to load http://clients3.google.com/generate_204

    Adding clients3.google.com to the whitelist fixes the issue.

    Also, the message appeared on my phone every time I toggled the wifi connection. Not having to reboot made it easier to test :)
  36. h0tw1r3

    h0tw1r3 Reformed Router Member

    Pushed the latest source to github. Notable change is the ability to decode url's in the query string automatically and redirect.

    Plan to add proper IPv6 and multi-port support.

  37. mstombs

    mstombs Network Guru Member

    Great, you managed to decode the cryptic code too...

    Can you help me understand under what circumstances the "302 Found" redirect is useful, and how to test?

    I haven't looked at this for a while - was testing some smaller strings in unpublished version I recall.
  38. HunterZ

    HunterZ Network Guru Member

    Is there a good reference on how to set up a toolchain for compiling this? I have a Linux box that can be used for cross-compiling if that's easiest.
  39. mstombs

    mstombs Network Guru Member

    I use the toolchain from tomatousb - setup to compile firmware.


    You need a Linux environment but could be a virtual machine, should also compile and run on the Linux box itself natively.

    I have seen shibby has updated his toolchain recently - might not be backward compatible.
  40. lancethepants

    lancethepants Network Guru Member

    Looks like there's a script called build.sh. You just need to have the tomatousb toolchain placed in /opt. Run ./build.sh, and it will create 'pixelserv' and 'pixelserv.tiny', both of which should run in tomatousb.
    If you threw a '-static' in ldflags, it'll create a completely static binary that should work on other non-tomato firmwares.

    Adding '-static' should also take care of any incompatibilities that could arise.
  41. HunterZ

    HunterZ Network Guru Member

    Thanks, seems to be working on Toastman on my RT-N16 when I build using his Toastman-RT-N branch (didn't try with HEAD).

    Note that build.sh tries to unconditionally add the Tomato toolchain to the PATH for you *every* time you run it. I'm not sure why that's in there: It will cause your PATH to get horribly cluttered if you run it more than once, and a proper Tomato toolchain installation should already have those directories in your PATH.

    Personally I have several cross-compiler toolchains installed (GP32x Wiz, Wii, Tomato, etc.), so I created a script that lets me launch a new shell with a given toolchain's environment and puts its name in my prompt. This lets me 'exit' back out to a clean environment when I'm done.
  42. lancethepants

    lancethepants Network Guru Member

    Your $PATH is only modified for the duration of the script. I don't even think it's modified globally for that time, just for the script itself.
  43. HunterZ

    HunterZ Network Guru Member

    Sorry. For some reason I thought 'export' would also permanently change the variable in the current environment and not just in the scope of the script and its child processes.
  44. koitsu

    koitsu Network Guru Member

    export makes the variable visible to all children spawned from within that shell instance (a new one is created when you run build.sh), i.e. the variable "trickles" downward. It cannot work its way "back upwards" to the shell that launched build.sh (ever -- *IX doesn't work like this; a child process cannot modify the environment of its parent).

    Reference: http://stackoverflow.com/questions/1158091/bash-defining-a-variable-with-or-without-export


    myvar="whatever value"
    ./someprogram
    echo "myvar is: $myvar"
    In this situation the ./someprogram application would not have $myvar defined within its environment. However the echo statement would result in myvar is: whatever value. Next example:

    myvar="whatever value" ./someprogram
    echo "myvar is: $myvar"
    In this situation the ./someprogram application would have $myvar defined within its environment, but any future commands within the script would not, so the echo would show myvar is: and nothing more. In other words: you're defining $myvar just for the benefit of ./someprogram when forked and nothing else (anywhere). Final example:

    export myvar="whatever value"
    ./someprogram
    echo "myvar is: $myvar"
    In this situation the ./someprogram application would have $myvar defined within its environment, and any future commands within the script would too, so the echo would result in myvar is: whatever value.

    You can verify all of my statements by replacing ./someprogram with env (or /usr/bin/env on some systems, ex. FreeBSD).

    I urge anyone writing shell scripts of any kind to really get some books, read some actual decent online resources, and spend the time learning *IX, especially if you plan on making these scripts public. It is remarkable how many broken/badly-written shell scripts there are in the wild.
    Last edited: Sep 7, 2013
  45. HunterZ

    HunterZ Network Guru Member

    Thanks, I actually found that myself too via google, which is what led to my previous post :)
  46. lancethepants

    lancethepants Network Guru Member

    Ha, I came across that same one too.
  47. mstombs

    mstombs Network Guru Member

    if you paste the script contents into terminal window or 'source' the script using ". ./build.sh" you could get the path assignment in your current session, but it would only be temporary, wouldn't store permanently in your profile, so you start with a fresh environment in a new shell.
  48. Link2User

    Link2User Networkin' Nut Member

    Hi, all i've been following this thread but can't download pixelserv32? You do not have permission to view this page or perform this action.?
  49. Toxic

    Toxic Administrator Staff Member

    That's due to you being a new member. All new users are moderated, this helps to stop spam. You should now be able to download :) Welcome to the forums
  50. Link2User

    Link2User Networkin' Nut Member

    ok cool Thanks :)
  51. HunterZ

    HunterZ Network Guru Member

    I've been using something like this in the adblock script for a while, and it mostly worked, but for some reason that iptables entry keeps mysteriously going away after a while (while others don't).

    Instead of updating the adblock script to keep checking to see if the entry exists, I just went back to running two instances of pixelserv (one on port 80 and the other on 443). With ~13% RAM usage with adblock, pixelserv x2 (596kB VSZ each), and a bunch of other stuff running, it's really no sweat for my RT-N16 to do this.

    Edit: I think multi-port support for pixelserv is a planned feature too.
  52. jerrm

    jerrm Network Guru Member

    Tomato can restart the firewall, too often in some circumstances, but not sure why you would lose the nat entries and not the input entries.

    My version of the adblock script creates a link to itself in /etc/config as adblock.fire. If it is executed via the .fire link then it executes only the iptable commands and exits. If the firewall restarts for any reason, the commands are run, effectively the same as putting the commands in the GUI firewall script.
  53. lewisje

    lewisje Reformed Router Member

    I've compiled a variant of the current version, 0.33-2, in which the default 114-byte null_png
    is replaced with the 67-byte null_png
    I had to change netdb.h from the version in repo.or.cz's tools directory to the one that actually had AI_ADDRCONFIG defined, but I got it built, and I hope it works; I didn't get around to downloading the Atheros toolchain, though, so there's no Atheros build.

    A useful extension might be to specially handle the cases where XML, CSS, and Javascript are requested, but the only differences from the current 0-byte "httpnulltext" are in the "Content-type" header.

    EDIT: I'm obviously a n00b at this, because the main "pixelserv" binary is 94,812 bytes, while the one I've been using, v32, is only 12,188 bytes!

    Attached Files:

    Last edited: Oct 10, 2013
  54. mstombs

    mstombs Network Guru Member

    I've probably got the same 67-byte png from https://github.com/mathiasbynens/small, and added an explanation of all the bytes in my development code. I haven't merged with the github version https://github.com/h0tw1r3/pixelserv which has extra DECODE_URL option, this is just a patch on previous V32 above.

    Also found a 42-byte gif, a 125 byte jpg and made a 99 byte swf (from the gif using gif2swf from swftools), so binary size back down below 12kB. Haven't changed toolchain for a while - are you using Shibby's new one, and using the build script, that file size suggests a static build?

    Wouldn't be surprised not all new images work with all browsers, but I'm sure can be fixed and/or made smaller if error can be reproduced

    To avoid need to run 2 instances or add an iptables rule to use the ssl response, this version now also listens on the https port 443 (first IP:port only is changeable from command line). See http://www.gnu.org/software/libc/manual/html_node/Server-Example.html for how it is supposed to be done, but it didn't work first time... (see code for workaround needed).

    Oct 14 01:04:18 rtn66u daemon.info pixelserv[13993]: /mnt/usb4gb/pixelserv V34 compiled: Oct 14 2013 00:55:22 from pixelserv34.c
    Oct 14 01:04:18 rtn66u daemon.notice pixelserv[13995]: Listening on
    Oct 14 01:04:18 rtn66u daemon.notice pixelserv[13995]: Also Listening on
    Oct 14 01:30:12 rtn66u daemon.info pixelserv[13995]: 23 req, 0 err, 1 gif, 0 bad, 14 txt, 2 jpg, 0 png, 2 swf, 4 ssl
    Dec 21 20:30:02 rtn66u daemon.info pixelserv[13995]: 187551 req, 26653 err, 3547 gif, 146 bad, 137670 txt, 61 jpg, 100 png, 107 swf, 19267 ssl
    Feb 13 20:30:01 rtn66u daemon.info pixelserv[13995]: 285905 req, 45315 err, 5750 gif, 347 bad, 196598 txt, 90 jpg, 122 png, 142 swf, 37541 ssl
    Note only needed upgrade if you want to try new features, shouldn't change functionality and no bug fixes.

    [edit] download temporarily mirrored here


    Attached Files:

    Last edited: Feb 13, 2014
    redhat27, Goggy, Kye-U and 1 other person like this.
  55. Kye-U

    Kye-U Addicted to LI Member

    v3.4 is working very well over here!

    Oct 14 16:14:01 unknown daemon.info pixelserv[22553]: 852 req, 34 err, 19 gif, 24 bad, 307 txt, 3 jpg, 4 png, 2 swf, 459 ssl
  56. lewisje

    lewisje Reformed Router Member

    I thought I had to make a static build if I wanted it to work on DD-WRT; anyway I have not used Shibby's new toolchain but rather the one from the Tomato project.

    I hope someone with the Atheros toolchain can build v34 and release it.
  57. noparking247

    noparking247 Networkin' Nut Member

    Last edited by a moderator: Oct 16, 2013
  58. mstombs

    mstombs Network Guru Member

    There's quite an overlap in standard C-libraries in terms of basic library calls, so often dynamic binaries are interchangeable between tomato and Broadcom mipsel dd-wrt (and even Ti AR7 adsl routers) - but I used to use a dd-wrt (Tornado) toolchain and some slightly different options for dd-wrt. Do you have an Atheros router to test, if so what one? If there's a compilable GPL release I'm sure I can use same toolchain. I do have an old Fonera somewhere which has dd-wrt - but haven't compiled for it recently - original code was OpenWRT based I'm sure..

    Details of how to use an old OpenWRT toolchain for Big Endian Atheros here:-
    Last edited: Oct 18, 2013
  59. vipercubic

    vipercubic Reformed Router Member

    Just wanted to say thank you for all your hard work, pixelsrv (v31) up and running well along with Clean and Mean Adblocking :) in my RT-N16. Too bad i can't download the attachment for the latest versions, i guess because i'm a new member in this forum? :( An external link to v34 would be much appreciated!

    Edit. Got it, thnx!
    Last edited: Oct 20, 2013
  60. D.Raven

    D.Raven Serious Server Member

    I've been running pixelserv v31 and the adblocking script for 2 months - flawlessly, no complaints. But yesterday my phone (android) logs into the wifi network, it demands authentication and starts the browser (wifi+ internet working), as if it is redirected to a landing page/ captive portal. The wifi connection gets suspended after 2 minutes and i have to log into the network again, very annoying.
    I updated the router quick and dirty, no nvram delete, old config - no change
    Well, i reset the phone - no change.
    I flashed the router (shibby tomato 112->114), NVRAM deleted, setup from scratch - no change.
    updated pixelserv to v34 - no change
    but when the script and therefore pixelserv/dnsmasq isn't running everything works well, no authentication necessary and no connection drops, wifi working well.
    All other devices, laptop, ipad, android/win8 phone, haven't experienced this issue, only this single android phone running 4.3.
    Mayhaps someone here has an idea how i can get adblocking back and a "working" wifi ;)
    thx in advance
  61. Goggy

    Goggy Network Guru Member


    Add "clients3.google.com" to your whitelist ...
    Should solve your problem ...
    D.Raven likes this.
  62. D.Raven

    D.Raven Serious Server Member

    Funny thing, nothing had to be done except for some patience, it suited itself, i came home and this problem was no more. In order to circumvent further problems i added "clients..." to the whitelist though, so thank you.
  63. lewisje

    lewisje Reformed Router Member

    For some reason, pixelserv32 seems to work on my Linksys E900 with DD-WRT 22786 std_usb_nas (compiled a couple days ago), but pixelserv34 ends immediately; I'll try compiling pixelserv myself again to see whether my own build works...

    EDIT No, it doesn't, I get "Permission Denied"
    Last edited: Nov 11, 2013
  64. mstombs

    mstombs Network Guru Member

    The problem with dd-wrt will be the attempt to bind to https port 443. Tomato httpd was modified a while ago to only bind to the specific ip:port combo, before this the default was to bind to all router ip addresses on the selected port. Can you change dd-wrt web interface to use a non-standard https port No? If V32 works it also means dd-wrt accepts the "DROP_ROOT" compile option to change to user "nobody" by default, I used to compile without that for them.
  65. yelkarama

    yelkarama Reformed Router Member

    You can try this one:


    It's a lot faster than ALL-U-NEED one.
  66. lockheed

    lockheed Reformed Router Member

    I want to put pixelserv 34 on my WRT54G v2 running Tomato RAF Firmware v1.28.8525 _RAF ND VPN.

    However, I don't know how to compile it for this router. All howtos I found were about compiling the entire firmware.
  67. rs232

    rs232 Network Guru Member

  68. lockheed

    lockheed Reformed Router Member

    Last edited: Dec 1, 2013
  69. jerrm

    jerrm Network Guru Member

    I think his point was the pre-compiled binary was attached.

    Easiest "howto" for compiling is to start with a functional tomato build environment. Use koitsu's post here. Shibby's git repository has a 64 bit toolchain - you'll need a 64bit Linux. The others are still 32bit I think. I use Ubuntu, others use Mint.

    You won't need everything required for tomato, but it's probably faster to just cut and paste from koitsu's howto than trial and error.

    After the toolchain is in place, run the supplied build.sh.
  70. lockheed

    lockheed Reformed Router Member

    Thanks. I am running Arch linux 64bit as my main system, so that's not a problem. I compiled the file
    I uploaded it to the router to /var/, changed the permissions to 666 and made it executable. But when I run it, I get this for the attached file:
    Bus error
    and this for the pixelserv.host I compiled myself:
    /var/pixelserv: line 1: syntax error: unexpected ")" 
  71. lockheed

    lockheed Reformed Router Member

  72. rs232

    rs232 Network Guru Member

    Yes sorry, as jerrm correctly pointed out I was directing you towards a pre-compiled version. Good to hear you've found a solution!
  73. mstombs

    mstombs Network Guru Member

    Just to post a plug h0tw1r3 has posted an update on github - building on from the version here


    Main enhancement is that ports 80 and 443 are just default, but multiple ports (up to 10, defined by MAX_PORTS) can be defined from the command line with multiple use of -p [port].

    and of course adds back in the "DECODE_URL" feature etc.

    I'll compile and test a version with the same Tomato toolchain I have used before - and make it available as before when passed my own QA.

    Note the example template build.sh just configures the single line compile/link command, the ".host" version should run natively on the computer you have just used to compile it - but on Ubuntu likely to need sudo to start, and likely not be able to use default port 80/443, as they will already be used for printer status etc. The program shouldn't need any special compiler but does contain a lot of system calls so it is important for the compiler to use the correct header files for the target: libc on a real computer, uclibc on router. I have tested on Ubuntu/Debian/Mint/Cygwin often using localhost:8081.

    When copying to a router with ftp etc, make sure you use 'binary' mode, text or ascii mode will corrupt the executable and give strange script like errors.
    Goggy likes this.
  74. GaretJax

    GaretJax Reformed Router Member

    I am trying to get pixelserv running on IP address I have tried using these two commands:

    /jffs/pixelserv -n br0
    In both cases, it is complaining that it can't use the requested address:

    Dec 27 16:29:26 unknown daemon.info pixelserv[1187]: /jffs/pixelserv V32 compiled: Jun  9 2013 19:16:14 from pixelserv32.c
    Dec 27 16:29:26 unknown daemon.err pixelserv[1189]: Abort: Cannot assign requested address
    Dec 27 16:30:21 unknown daemon.info pixelserv[1216]: /jffs/pixelserv V32 compiled: Jun  9 2013 19:16:14 from pixelserv32.c
    Dec 27 16:30:21 unknown daemon.err pixelserv[1218]: Abort: Cannot assign requested address
    I have set Tomato/Router to use and I want to keep them that way. I am pretty sure it is because I don't have an extra interface configured to use, but I am not sure how to do that in Tomato. Any help would be appreciated.

    Here is the output of "ip addr":
    1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet brd scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether c0:c1:c0:44:cb:b5 brd ff:ff:ff:ff:ff:ff
    3: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether c0:c1:c0:44:cb:b7 brd ff:ff:ff:ff:ff:ff
    4: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether c0:c1:c0:44:cb:b8 brd ff:ff:ff:ff:ff:ff
    5: vlan1@eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,10000> mtu 1500 qdisc noqueue
        link/ether c0:c1:c0:44:cb:b5 brd ff:ff:ff:ff:ff:ff
    6: vlan2@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
        link/ether c0:c1:c0:44:cb:b6 brd ff:ff:ff:ff:ff:ff
    7: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
        link/ether c0:c1:c0:44:cb:b5 brd ff:ff:ff:ff:ff:ff
        inet brd scope global br0
    8: imq0: <NOARP> mtu 1500 qdisc noop qlen 30
    9: imq1: <NOARP> mtu 1500 qdisc noop qlen 30
    10: imq2: <NOARP> mtu 1500 qdisc noop qlen 30
    Thanks a lot for your help.
    Last edited: Dec 27, 2013
  75. GaretJax

    GaretJax Reformed Router Member

    OK guys - this is the command I have come up with:

    ip addr add dev br0:0 broadcast
    It changes the ip addr output to be the same as above except #7 becomes:

    7: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
        link/ether c0:c1:c0:44:cb:b5 brd ff:ff:ff:ff:ff:ff
        inet brd scope global br0
        inet brd scope global secondary br0
    It allows pixelserv to start properly using both

    /jffs/pixelserv -n br0
    So clearly this solves my problem, but the question is:

    1) Is this the right way and
    2) How do I get this to initialize on startup?
    Last edited: Dec 27, 2013
  76. darkknight93

    darkknight93 Networkin' Nut Member

    good morning!

    I compiled pixelserv for ARM device like Asus RT-AC68U - v34:
    pixelserv version: 0.34-2 compiled: Dec 29 2013 05:53:10 from pixelserv.c

    for cross-compiling fans:
    Google for:
    - thats the toolchain.

    Step 1) define env variables:
    INSTALL_DIR=/path/for/temp/conf <-- the files you compile later will be stored here
    export INSTALL_DIR
    export PATH=$INSTALL_DIR:/path/to/hndtools-arm-linux-uclibc/bin:$PATH
    PKG_CONFIG=pkg-config <-- must be installed! E.g. via sudo apt-get install pkg-config
    Step 2) clone necessary git/source files (download e.g. *.tar.gz) and run configure
    wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.4.8.tar.gz
    gunzip -c rrdtool-1.4.8.tar.gz | tar xf -
    cd rrdtool-1.4.8
    ./configure --prefix=$INSTALL_DIR --host=arm-brcm-linux-uclibcgnueabi
    make install <-- this will drop the binaries/libraries to INSTALL_DIR specified above

    Attached Files:

    Last edited: Dec 29, 2013
    WaLLy3K likes this.
  77. mstombs

    mstombs Network Guru Member

    I guess most firmwares use the same Broadcom ARM toolchain at the moment, but I'd recommend using the same version as used for the firmware, Asus/Netgear etc so library links are correct. rrdtool just an example? not needed by pixelserv.
  78. darkknight93

    darkknight93 Networkin' Nut Member

    For rrdtool I can provide binaries and libraries or - on Asus RT-AC68U install Download Manager on Asusmerlin firmware,
    afterwards the "ipkg" package manager is available and - I could not believe at first - a full arm branch! rrdtool, syslogng, lighttpd, iftop, coreutils are available and running!

    Here is a list of available packages compatible with Asus RT-AC68U (accessible after installing "Download Manager")

    Attached Files:

    • ipkg.txt
      File size:
      104.3 KB
  79. DksirP

    DksirP Reformed Router Member

    Is the new v34-2 compatible with dd-wrt/linksys E1200v2? I compiled and ran it on my router but it does not give a null pixel on blocked ads. I was using v28 before, which works fine, except on some https-initiated ad sites that make the main site you visited too slow to load or, worse, won't load it at all. So I decided to update to v34-2 because of the https feature, but it seems not to work.

    root@DDwrt:/tmp# /tmp/pixelserv
    pixelserv[2814]: /tmp/pixelserv version: 0.34-2 compiled: Jan  1 2014 15:58:30 from pixelserv.c
    Last edited: Jan 1, 2014
  80. mstombs

    mstombs Network Guru Member

    I don't think the https port feature is compatible with dd-wrt - is there a subsequent log message about unable to hook port 443? Can you change the dd-wrt web gui https port away from 443 now?
  81. DksirP

    DksirP Reformed Router Member

    I just read back in this thread a bit and tried v32 and it suddenly works; the site I'm visiting that wouldn't load suddenly loads now.

    About https not being supported in ddwrt: I just tested it and I got Error code: ssl_error_access_denied_alert (used iptables to point port 443 to 80). The reason why I was looking for that feature is that when I checked the source code of the site I am visiting I saw this line of code.
    https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    This made me think that the site which is in my blocklist is getting initialized by https, making the site load so slowly or hang while loading. But since v32 solves it for now, I'm satisfied with it.

    I'm just curious about the question in my previous post: is v34-2 compatible with ddwrt/linksysE1200v2? Because it doesn't even give a null pixel on a blocked site even if it's just http. Has anyone here tested it in ddwrt?
  82. mstombs

    mstombs Network Guru Member

    v34 by default listens on both port 80 and 443, so no need for the iptables divert, but it seems v32 and the divert works fine for you. There are some other changes which shouldn't be detrimental, and its possible the multiport thing with its TEMP_FAILURE_RETRY macro isn't quite right yet. It is likely that pixelserv v34+ fails to start up on dd-wrt since the built-in config gui has exclusive use of router port 443. You will need to run syslog and check /tmp/log/messages (or similar) on dd-wrt to see the failure message, which happens after the code goes into daemon mode. Tomato uses the syslog by default with friendly gui interface. v34-2 can be started only to listen on port 80 by specifying command line parameter "-p 80" .
  83. DksirP

    DksirP Reformed Router Member

    Thanks for pointing out that I should check the syslog. Upon checking I noticed that I get the error unknown user
    daemon.info pixelserv[1373]: ./pixelserv version: 0.34-2 compiled: Jan 1 2014 15:58:30 from pixelserv.c
    daemon.err pixelserv[1374]: Unknown user "nobody"
    after stopping the pixelserv i issued this command:
    pixelserv -u root
    daemon.info pixelserv[2885]: ./pixelserv version: 0.34-2 compiled: Jan 1 2014 15:58:30 from pixelserv.c
    daemon.notice pixelserv[2886]: Listening on
    daemon.notice pixelserv[2886]: Also listening on
    Now it works as it should. :) Thanks for the assistance
    Last edited: Jan 2, 2014
  84. mstombs

    mstombs Network Guru Member

    Great, you can compile without the option to DROP_ROOT if dd-wrt doesn't have the low privilege user "nobody" - exists as default on Tomato for dnsmasq use, and same couple of lines of code used in pixelserv, probably shouldn't be a fatal error though.
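    The privilege drop that the DROP_ROOT option and the "Unknown user" log line refer to, as an added example that is not pixelserv's own code: it resolves the account, drops groups, gid and uid in that order, and reports a missing account separately so the caller can decide what to do. The function names, result codes and messages are assumptions made for this sketch.

```c
/* Added example, not pixelserv source: drop root after the sockets are bound. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* exposes setgroups() under strict -std= */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result {
    DROP_OK = 0,        /* now running as the requested account */
    DROP_NOT_ROOT = 1,  /* started unprivileged, nothing to drop */
    DROP_NO_USER = -1,  /* account missing, the "Unknown user" case */
    DROP_FAILED = -2    /* a set*id call failed or did not stick */
};

/* Resolve the account first so a missing user is reported distinctly. */
static int lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Call after bind()/listen(): ports 80 and 443 need root, serving does not. */
enum drop_result drop_privileges(const char *name)
{
    uid_t uid;
    gid_t gid;

    if (lookup_user(name, &uid, &gid) != 0)
        return DROP_NO_USER;
    if (geteuid() != 0)
        return DROP_NOT_ROOT;
    /* Order matters: supplementary groups, then gid, then uid. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return DROP_FAILED;
    /* Confirm root cannot be regained (skipped when the target is root). */
    if (uid != 0 && (setuid(0) == 0 || geteuid() == 0))
        return DROP_FAILED;
    return DROP_OK;
}

int main(void)
{
    enum drop_result r = drop_privileges("nobody");
    if (r == DROP_NO_USER)
        fprintf(stderr, "no \"nobody\" account: create it or pick another user\n");
    else if (r == DROP_FAILED)
        fprintf(stderr, "privilege drop failed, refusing to serve as root\n");
    printf("drop result %d, euid now %d\n", (int)r, (int)geteuid());
    return r < 0;
}
```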
  85. Kye-U

    Kye-U Addicted to LI Member

    Kind of off-topic, but still relevant:

    Working well for me! (above stats over the past 7 days - v34)
  86. lewisje

    lewisje Reformed Router Member

    I just found a 27-byte null SWF, shorter than what is currently in either pixelserv or nullserv:
  87. voka

    voka Networkin' Nut Member

    My good old wrt54g have been running pixelserv killing ads all thanks to mstombs.

    Unfortunately I can't find one for my newer atheros-based openwrt/gargoyle routers. So I rolled up my sleeve, uploaded v34 to my github and finally figured out how to build it with openwrt toolchain.

    Anyone looking for atheros tested binary and source can find it at https://github.com/opav/pixelserv-openwrt
  88. mstombs

    mstombs Network Guru Member

    I take that as a challenge - by examining I think you can knock off a couple of bytes so how about a 25-byte one?
    I have also noticed that current Firefox gives error message on current 125 byte jpg - it's this one


    so looks like my long run with v34 coming to an end:-

    Mar 23 17:35:23 rtn66u daemon.info pixelserv[13995]: 351442 req, 56181 err, 6939 gif, 1151 bad, 237599 txt, 228 jpg, 159 png, 241 swf, 48944 ssl
    but to be honest the percentage of jpg, png, swf doesn't justify bothering!

    I still haven't looked at the DECODE_URL code in https://github.com/h0tw1r3/pixelserv version - I understand it allows tracking sites to be blocked, and the real web request to be used - anyone know how to test?

    [edit] Attached WIP, merging in selected bits from h0tw1r3 and pixelserv-openwrt, with bigger but more compatible jpg, and tiny swf. Now supports configuration of multiple (4 allowed by variable MAX_PORTS) ports, only defaults to "-p 80 -p 443" if none on command line. Various other fiddles as I learn to play with char pointers - but it works for me in use for a few days...

    Mar 24 22:46:25 rtn66u daemon.info pixelserv[23592]: /mnt/usb4gb/pixelserv V35 compiled: Mar 24 2014 22:44:17 from pixelserv35.c
    Mar 28 20:30:01 rtn66u daemon.info pixelserv[23594]: 5319 req, 727 err, 47 gif, 30 bad, 3827 txt, 5 jpg, 1 png, 2 swf, 680 ssl

    Attached Files:

    Last edited: Mar 29, 2014
  89. superdos

    superdos Networkin' Nut Member

    Hi, I've compiled pixelserv35 for Asus RT-AC68U
    Included all my config files as well if someone wants them, just place under /jffs/scripts and chmod +x wan-start and adblock

    Attached Files:

    darkknight93 likes this.
  90. hammer

    hammer Connected Client Member

  91. Qvark

    Qvark Network Newbie Member

    I'm kind of a complete newbie about these things so this question is probably going to be annoyingly easy to you but here it goes: I want to use the latest pixelserv for the Clean, Lean and Mean adblocking script. I enabled jffs and put the v34 binary there, then ran ./pixelserv chmod -x pixelserv. Problem is it doesn't seem to show up with ps. Can someone please help me with this?
  92. mstombs

    mstombs Network Guru Member


    You want to make the pixelserv executable using

    chmod +x /jffs/pixelserv
    and try to run it using

    Unless you have moved the Tomato web gui off port 80 (default) this will probably fail unable to listen on the default address. The various adblock scripts will do this for you but to create a secondary IP for pixelserv to listen on you need

    ifconfig br0:0 $PXL_IP up
    /jffs/pixelserv $PXL_IP
    PXL_IP should be an unused IP in same range as router

    test from a PC browser using
    Last edited: Apr 16, 2014
    darkknight93 likes this.
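    The two bind failures discussed in this thread, as an added example that is not pixelserv's own code: a listener that binds one ip:port (or all addresses) and maps the errno to the likely router-side cause, including the "Cannot assign requested address" abort logged before the br0:0 alias existed. The function names and hint texts are assumptions, and 192.0.2.1 is a constructed documentation address standing in for an IP that has not been configured.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, not pixelserv source. Returns a listening fd, or -errno.
 * ip == NULL binds every address on the box, as older router httpd did. */
int listen_on(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    int fd, err, one = 1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (ip == NULL)
        sa.sin_addr.s_addr = htonl(INADDR_ANY);
    else if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -EINVAL;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -errno;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Port the kernel assigned when 0 was requested, or -1. */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    return getsockname(fd, (struct sockaddr *)&sa, &len) == 0 ? ntohs(sa.sin_port) : -1;
}

/* Map the errno values seen in this thread to the likely router cause. */
const char *bind_hint(int err)
{
    switch (err) {
    case EADDRNOTAVAIL: return "IP not configured on any interface; add the alias first";
    case EADDRINUSE:    return "ip:port already held, e.g. a web GUI bound to all addresses";
    case EACCES:        return "ports below 1024 need root; bind before dropping privileges";
    default:            return strerror(err);
    }
}

int main(void)
{
    int gui = listen_on(NULL, 0);               /* stand-in for a GUI on every address */
    if (gui < 0) return 1;
    int again = listen_on(NULL, (unsigned short)bound_port(gui));
    int alias = listen_on("192.0.2.1", 0);      /* constructed: TEST-NET-1, unassigned */
    if (again < 0) printf("same port: %s\n", bind_hint(-again));
    if (alias < 0) printf("192.0.2.1: %s\n", bind_hint(-alias));
    return 0;
}
```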
  93. Qvark

    Qvark Network Newbie Member

    Thank you so much for this. I now get:

    2747 nobody     628 S    /jffs/adblock//pixelserv
    I guess that should be right? I also get a "This webpage is unavailable" on instead of just "Connecting...". The "ifconfig $PXL_IP up" however returned:

    ifconfig: up: error fetching interface information: Device not found
    I changed the webgui to port 81.

    Thanks again for helping a newbie out!

    Edit: YEEEY! Got the adblocking to work. Thank you so much for the help!
    Last edited: Apr 15, 2014
  94. JoeDirte

    JoeDirte Networkin' Nut Member

    .255 is the broadcast address for, so you may want to change that to .254 (or something else).
  95. Qvark

    Qvark Network Newbie Member

    Ah, I see. I think the adblock-script did that for me :) . Now I'll just have to find out how to change from OPTIMIZED to HOST. I'm a bit surprised that no Tomatomods has the adblock scripts as an option by default. Thanks for all the help!
  96. mstombs

    mstombs Network Guru Member

    We added something to EasyTomato (but only RT-N16) ...

    PS Sorry I got the manual ifconfig command wrong above, now corrected - it's a good idea to use a script solution...
    Last edited: Apr 16, 2014
  97. mstombs

    mstombs Network Guru Member

    I would just like to report that while router https web gui currently running an old shibby firmware is vulnerable to the heartbleed bug (but I restrict wan access to my fixed work IP, so hope is OK!):-

    ...try to connect with version 0x303 w/o SNI
    ...ssl received type=22 ver=0x301 ht=0x2 size=70
    ...ssl received type=22 ver=0x301 ht=0xb size=450
    ...ssl received type=22 ver=0x301 ht=0xe size=0
    ...send heartbeat#1
    ...ssl received type=24 ver=301 size=16384
    BAD! got 16384 bytes back instead of 3 (vulnerable)
    The C pixelserv in this thread since V32 which also responds to connection attempts is not:-

    ...try to connect with version 0x303 w/o SNI
    ...ssl received type=21 ver=300 size=2
    ...try to connect with version 0x302 w/o SNI
    ...ssl received type=21 ver=300 size=2
    ...try to connect with version 0x301 w/o SNI
    ...ssl received type=21 ver=300 size=2
    ...try to connect with version 0x300 w/o SNI
    ...ssl received type=21 ver=300 size=2
    Failed to make a successful TLS handshake with peer.
    Either peer does not talk SSL or sits behind some stupid SSL middlebox. at ./check-ssl-heartbleed.pl line 261
    Which also means I did look through the errant openssl routines and missed a chance to spot the bug a year ago - sorry!
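    The type=, ver= and size= fields in the checker output above are the 5-byte TLS record header. The following added example (not code from pixelserv or from check-ssl-heartbleed.pl) walks a buffer record by record, trusting the declared length only after checking it against the bytes actually received, and decodes an alert. The sample bytes are constructed to match the "type=21 ver=300 size=2" lines; their level and description values (fatal, access_denied) are an assumption based on the ssl_error_access_denied_alert reported earlier in the thread.

```c
/* Added example, not from pixelserv or check-ssl-heartbleed.pl. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TLS_ALERT = 21, TLS_HANDSHAKE = 22, TLS_HEARTBEAT = 24 };
#define TLS_MAX_RECORD (16384 + 2048)   /* largest record body TLS allows */

struct tls_record {
    uint8_t type;          /* the "type=" field in the output above */
    uint16_t version;      /* "ver=", e.g. 0x0300 or 0x0301 */
    uint16_t length;       /* "size=", body bytes that follow the header */
    const uint8_t *body;
};

/* Returns bytes consumed, 0 if more data is needed, -1 if malformed.
 * The declared length is only trusted after checking it against avail. */
int tls_next_record(const uint8_t *buf, size_t avail, struct tls_record *out)
{
    size_t len;

    if (avail < 5)
        return 0;
    len = ((size_t)buf[3] << 8) | buf[4];
    if (buf[1] != 3 || len > TLS_MAX_RECORD)
        return -1;
    if (avail - 5 < len)
        return 0;
    out->type = buf[0];
    out->version = (uint16_t)((buf[1] << 8) | buf[2]);
    out->length = (uint16_t)len;
    out->body = buf + 5;
    return (int)(5 + len);
}

/* Decode an alert body: returns 0 and fills level/description, else -1. */
int tls_alert(const struct tls_record *r, uint8_t *level, uint8_t *desc)
{
    if (r->type != TLS_ALERT || r->length != 2)
        return -1;
    *level = r->body[0];   /* 1 = warning, 2 = fatal */
    *desc = r->body[1];    /* 49 = access_denied */
    return 0;
}

/* Constructed sample: a 7-byte reply shaped like "type=21 ver=300 size=2". */
static const uint8_t sample_reply[] = { 0x15, 0x03, 0x00, 0x00, 0x02, 0x02, 0x31 };

int main(void)
{
    struct tls_record r;
    uint8_t level, desc;
    if (tls_next_record(sample_reply, sizeof sample_reply, &r) > 0 &&
        tls_alert(&r, &level, &desc) == 0)
        printf("alert level=%u desc=%u ver=%x\n", level, desc, r.version);
    return 0;
}
```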
  98. HunterZ

    HunterZ Network Guru Member

    mstombs: is the v35 WIP in post #288 your latest official build?

    superdos: how does your v35 build differ from the one by mstombs?

  99. mstombs

    mstombs Network Guru Member

    Not sure about official, since I had intended to give up and use h0tw1r3 version https://github.com/h0tw1r3/pixelserv but old habits die hard and it is my latest in use here for a few weeks-

    Apr 19 20:30:01 rtn66u daemon.info pixelserv[1030]: 36749 req, 6135 err, 548 gif, 144 bad, 23889 txt, 15 jpg, 7 png, 347 swf, 5663 ssl
    Not sure exactly what build options superdos using, but it is using v35 and the adblock script uses "-p 8080 -443" with a divert from port 80, and its for an ac68 - so probably not for Tomato!
  100. darkknight93

    darkknight93 Networkin' Nut Member

    The AC68U is running Asusmerlin (blocking port 80 on all available sockets) so here port 8080 is used.

    The compilation uses exactly the source code available for v35. no difference here