Remote upgrade ideas

Discussion in 'Tomato Firmware' started by NIbbler, Apr 24, 2014.

  1. NIbbler

    NIbbler Network Newbie Member

    I have installed a few routers for friends / family that I wish to upgrade remotely and I'm just looking for a little feedback on my plan or other ideas. I'm aware it's not recommended to remote upgrade, just to get that out of the way.

    The Goal

    To upgrade a router to a Toastman or Shibby build from a standard build of TomatoUSB (1.28), remove as many old settings as possible, but not lose the ability to connect remotely via ssh.

    The Plan

    1. Run a shell script to unset as many keys as possible (maybe based on an nvram export), then restore defaults with "nvram defaults --yes", allow remote access via nvram set, commit, reboot.

    2. After reboot, shutdown unnecessary processes, scp transfer the new firmware into memory and md5 verify it is intact. Flash new firmware via mtd commands, reboot.

    3. Repeat the steps in step 1: set defaults of the new firmware with nvram defaults, allow remote access via nvram set, commit, reboot.

    That's just my general idea; any thoughts that would stop this plan from working?

    It would be nice if there were a fairly easy way to tweak default values in Tomato, but I've read that you have to use a firmware kit or basically compile it yourself to pull that off.
    Last edited: Apr 24, 2014
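    An added example for step 2 of the plan above (not code from the thread or from the Tomato project): a small wrapper to run on the router over SSH that refuses to touch flash unless the scp'd image matches the md5 computed on the workstation first. The flash command line is an assumed placeholder (Tomato builds ship mtd-write, but check the flags on your build), and the dry-run mode exists so the logic can be tested off the router.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the router after scp'ing the image
# to /tmp; the md5 is computed on the workstation and passed in as an argument.

# verify_image FILE EXPECTED_MD5
# Returns 0 only if FILE is non-empty and its md5 matches EXPECTED_MD5.
verify_image() {
    file="$1"; expected="$2"
    [ -s "$file" ] || return 1
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# flash_image FILE EXPECTED_MD5 [DRY_RUN]
# Calls the flash tool only after verify_image succeeds. With DRY_RUN=1 it
# prints the command it would run instead of writing to flash, which is also
# how to sanity-check the script on a workstation before using it for real.
flash_image() {
    file="$1"; expected="$2"; dry="${3:-0}"
    if ! verify_image "$file" "$expected"; then
        echo "md5 mismatch or empty file, refusing to flash: $file" >&2
        return 1
    fi
    # Assumed flash command (placeholder): Tomato's mtd-write writing the
    # image into the "linux" partition. Verify the flags on your build first.
    cmd="mtd-write -i $file -d linux"
    if [ "$dry" = "1" ]; then
        echo "would run: $cmd"
        return 0
    fi
    $cmd
}

# Usage on the router (dry run first, then the real thing):
#   flash_image /tmp/new-firmware.trx <md5-from-workstation> 1
#   flash_image /tmp/new-firmware.trx <md5-from-workstation> && reboot
```

If verify_image fails, nothing has been written and the old firmware still boots, so the worst case is another scp rather than a TFTP recovery.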
  2. koitsu

    koitsu Network Guru Member

    I'm not dismissing your idea or what you want to do, but in the real networking world, these types of updates -- firmwares, router OSes, etc. -- are all supposed to be done via what's referred to as out-of-band (OOB). In-band attempts can often go wrong/awry for unexpected (and often untraceable) reasons. So consider my statement as words of wisdom.

    Alternately, think of it this way: if your in-band upgrades go awry for some reason, you're going to have to physically go over to your friends/family's abodes and provide in-person technical support anyway -- all while simultaneously explaining to them why things didn't work (and you won't have a good explanation, making them question whether or not you know what you're doing -- even if you do, the average person will be left with a sour taste in their mouth regardless). And if the router firmware didn't upgrade correctly (i.e. semi-bricked) you're going to have to be there physically with a LAN connection + static IP config to do the TFTP method, which as you probably know works but is tedious/tricky given the timing. All that pain could have been avoided if you had just physically gone over there in the first place. You get what I'm saying I'm sure.

    This is one of the many reasons I choose not to do this kind of thing for friends/family/colleagues -- I instead teach them how to do it + write a step-by-step document and make it their problem/choice. I can then just say "Hey, heads up, there's a security hole someone found in the firmware on your router, you need to upgrade. Here's where to get the firmware [or just attach it yourself], please follow the instructions".

    Anyway -- the only methodology I can think of that would work would be to do what you say (set NVRAM defaults then flash the firmware via mtd), then proceed to set NVRAM variable script_init to some content that auto-enables certain features for you to get back into the router (the big one being enabling SSH) (this might just be starting dropbear and a single iptables rule to permit TCP port 22 access, or maybe you can set some NVRAM variables and use service, dunno -- you'll need to experiment, there's a ton of NVRAM sshd_* variables). Once you're back in, make sure you set all the relevant GUI bits so that you can get in properly going forward. All other settings that they use (port forwards, etc.) should be re-entered manually via the GUI (I keep text files around documenting any changes I make), or use the method Toastman lists in his Common Tomato Topics post (see "Easy backup and restore of any Tomato router").

    You may also want to read the section called "Flashing routers over the web".

    Sorry I can't help past this point, but I hope I've given you some food for thought. I just tend to believe strongly in the whole "give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime" idiom.
  3. Grimson

    Grimson Networkin' Nut Member

    Don't forget that you need to make sure the WAN settings are re-set, especially if they use PPPoE. SSH access won't help if the router isn't connected to the Internet.
  4. NIbbler

    NIbbler Network Newbie Member

    Thanks for the ideas; I will be testing this locally first before deciding to go forward with this.
    I'm sure I can find most of the info I need about enabling remote access in the source code (which is where I've been looking to learn more). If this feature was added to custom firmwares it would be far less risky, but I don't think they want to deal with the headaches it would create.

    They have cable modems, and as long as the WAN port's MAC doesn't magically change it should not lose WAN access.
    Last edited: Apr 24, 2014
  5. gfunkdave

    gfunkdave LI Guru Member

    All very valid points.

    That said, I have re-flashed routers running Toastman over remote SSH with no issues.
  6. Monk E. Boy

    Monk E. Boy Network Guru Member

    Personally what I do for remote upgrades is have a spare router. I upgrade it locally, make sure the configuration matches the remote router, then go on-site and simply swap the two. Downtime is minimal, and I need to visit them periodically anyway. I just upgraded a spare router to handle 64K NVRAM and fix the Heartbleed vulnerability (upgrading the CFE remotely would require testicular fortitude), and will drive over and do the swap on Monday. In my case it's a business and not family, and obviously the more distant the remote site is the more of an imposition this is, but I like the parallels between my technique and "never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway."