Denns,
I faced a similar situation. I did not investigate it in depth. I just remember that I've seen one of the scripts from the R750 FW, or maybe it was while browsing the FW code, and there was something like "kill telnetenable daemon if dropbear or ssh is in the process list". Maybe I am mistaken. Currently I can log in to my R7500 by telnet in spite of the started dropbear daemon.
Well, nice to read that you and wholly could resolve this problem. Your answer to wholly is absolutely correct.
Regards,
Voxel.
Hi Voxel!
Consider replacing hotplug2.mount with your script to mount disks by label name instead of the default sda1, sda2...
As you know, I installed Entware & dropbear.
My question is, in which scripts do I have to replace sda1 with the disk's label name before I reboot the router?
Thanks in advance.
Zdenko
Zdenko, hi again!
I do not quite understand your question. The script from the Netgear FW, i.e. /sbin/hotplug2.mount, is executed by the system automatically when the user connects a USB disk to the router or after the router boots up. This script is called by the system with arguments, the first of which is the name of the device where the external HDD is attached (sda1 or sda2 or sdb1 etc.).
I.e. suppose that you attach your USB HDD to the router. You do not know what name will be assigned to your external HDD: maybe it will be /dev/sda1, but maybe /dev/sdb1. But you know that the system immediately calls the /sbin/hotplug2.mount script with the appropriate first argument, for example:
/sbin/hotplug2.mount sdb1 arg2 arg3 arg4 ...
And my changes in hotplug2.mount are these:
- if the attached disk has a LABEL then it is mounted to /tmp/mnt/LABELNAME and I set DISKNAME=LABEL in this script
- if the attached disk has no LABEL then it is attached to /tmp/mnt as is, i.e. with name == first arg, e.g. as /tmp/mnt/sdb1, and I set DISKNAME=sdb1 in this script
- after the mount I call /tmp/mnt/DISKNAME/autorun/scripts/post-mount.sh with argument == DISKNAME (which equals either LABEL or sdb1)
so my script /autorun/scripts/post-mount.sh gets an argument which shows how the disk is mounted.
Example of post-mount.sh:
====================================
#!/bin/sh
# $1 is DISKNAME as passed by hotplug2.mount: the LABEL, or the device name (e.g. sdb1) if there is no label
# Mount Entware to /opt: /tmp/opt -> /tmp/mnt/$1/entware.arm (and /opt is a symlink to /tmp/opt)
/bin/ln -sf "/tmp/mnt/$1/entware.arm" /tmp/opt
====================================
I.e. if my HDD has a label then the command from the script will run as:
/bin/ln -sf /tmp/mnt/LABEL/entware.arm /tmp/opt
if my HDD has no label, then
/bin/ln -sf /tmp/mnt/sdb1/entware.arm /tmp/opt
Regards,
Voxel.
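Added example (not Voxel's modified hotplug2.mount, which the thread does not reproduce): a hook that makes the same LABEL-or-device decision described above and then hands the name to the disk's post-mount.sh. Two things are this example's assumptions rather than the post's: a blkid that accepts -o value -s LABEL (util-linux; busybox's blkid does not), and the check that a LABEL is only used as a directory name when it is a single plain path component, since the LABEL is written by whoever formatted the disk and would otherwise decide where under /tmp/mnt the mount lands.

```shell
#!/bin/sh
# Added example of a hotplug2.mount-style hook. Not Voxel's script.
# Reproduces: mount under the LABEL if there is one, else under the device
# name, then call <mount>/autorun/scripts/post-mount.sh with that name.
# Adds (assumption, not in the thread): the LABEL must be a plain name.
# MOUNT_ROOT can be overridden for dry runs; the default is the thread's path.

MOUNT_ROOT=${MOUNT_ROOT:-/tmp/mnt}

# mount_name DEV LABEL
# Prints the directory name to mount under: LABEL if it is non-empty and
# made only of [A-Za-z0-9._-] (so no "/", no "..", no spaces), else DEV.
mount_name() {
    case "$2" in
        ''|.|..|*[!A-Za-z0-9._-]*) printf '%s\n' "$1" ;;
        *) printf '%s\n' "$2" ;;
    esac
}

# label_of DEV: the filesystem LABEL of /dev/DEV, or empty if it has none.
# Assumes util-linux blkid (busybox blkid has no -o/-s).
label_of() {
    blkid -o value -s LABEL "/dev/$1" 2>/dev/null
}

# hook_path NAME: where the thread's post-mount.sh lives on the mounted disk.
hook_path() {
    printf '%s/%s/autorun/scripts/post-mount.sh\n' "$MOUNT_ROOT" "$1"
}

# mount_and_run DEV: mount /dev/DEV under MOUNT_ROOT/NAME and run the hook.
mount_and_run() {
    dev=$1
    name=$(mount_name "$dev" "$(label_of "$dev")")
    mnt="$MOUNT_ROOT/$name"
    mkdir -p "$mnt" || return 1
    mount "/dev/$dev" "$mnt" || return 1
    hook=$(hook_path "$name")
    # Run through sh instead of executing the file: a disk mounted noexec
    # cannot exec the script, but sh can still read it.
    if [ -f "$hook" ]; then
        sh "$hook" "$name"
    fi
}

# hotplug2 passes the device name as $1; do nothing when called without one.
if [ -n "${1:-}" ]; then
    mount_and_run "$1"
fi
```

The hook is run with sh rather than executed directly, so it keeps working when the disk is mounted noexec. Note what this design means for the router: a script stored on a removable disk runs as root every time that disk is plugged in, so anyone who can plug a USB disk into the router can run code on it. That is the same property Zdenko later relies on deliberately (unplug the disk, reboot, and you are back to the stock telnet access).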
An additional remark to you and to the rest (who plan to use an external HDD for Entware or so). I wrote about the use of the HFS+ filesystem. Additional note: for safety HFS+ must be case sensitive. HFS+ has several options. Important for us (Linux users) is case sensitivity. Otherwise the files /tmp/AaA and /tmp/aaa will be the same file (which is not OK for Linux and could cause collisions).
Voxel.
Hi Voxel!
What bothers me and raised questions regarding mount sources is your point 8 from the first post:
8) Create symbol links for /opt (I suggest two consequential links):
ln -sf /tmp/mnt/sda1/entware.arm /tmp/opt
So you answered that the secret is in post-mount.sh.
Thank you.
A small change for the dropbear start: I put the startup in the aforementioned post-mount.sh. In case of an ssh access problem (lost, overwritten, etc. key), remove the external disk and reboot; you have normal telnet access and the possibility to correct the ssh errors.
I'm planning now to install transmission (the first reason to implement optware).
After that I'll play with the CPU speed and try to use the full 1.4GHz with "auto" in the powerctl script. Will report the results.
Have nice evening,
Zdenko
Hi Zdenko,
I do not have any secrets in what I am doing with my R7500. I just reported my intermediate success in the investigation of the R7500's possibilities and what could be done with this really nice hardware (in spite of the dreadful software, which we all try to correct). I really did not have in my mind a full scheme of the changes I have made to my router now, when I published the first post in this topic. And it was not my very first post in this forum. My very first post was to ask the guys who have this R7500 to check whether Entware executables are workable on this router. I did not own an R7500 at that time, but was very interested in buying it. But only if it could execute Entware and/or chroot-ed Debian. I was not sure at all. In brief, at the end of it all, I got my router (spent my money at my own risk) and shared the results of my "on-the-fly" test. Confirmed that this IPQ8064 is fully compatible with e.g. Broadcom's ARM CPUs. I was NOT sure of the success of my test.
Consequential links are used in ASUSWRT. My plus is that I have enough experience with ASUS routers and know their firmware a bit. I just re-use their scheme with Netgear's R7500.
Practically all my posts in this topic are reports of my work in progress. So the use of "auto" mode in the powerctl script, as I know now, is a good choice for you when your router is in a closed box (wardrobe). I wrote this to you in our e-mail communication. You can check it yourself of course.
If you use dropbear only when the external HDD is connected then most probably you should use dropbear from Entware. Your authorized_keys file must be placed in the /opt/etc/dropbear directory in such a case.
Entware has own scheme to start daemons from them:
/opt/etc/init.d/rc.unslung start
After this all scripts in /opt/etc/init.d will be started. Including dropbear from Entware (S51dropbear). Including transmission you plan to install. Including motion if you plan to use webcam.
Shutdown for daemons is the command:
/opt/etc/init.d/rc.unslung stop
after that all Entware daemons will be properly shut down.
Good luck with Entware and R7500.
Voxel.
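Added example of a post-mount.sh (not the one from the thread; Voxel's own three-line version is above): it does what step 8 and the rc.unslung remark describe, linking /tmp/opt to the entware.arm directory on the disk, making sure /opt -> /tmp/opt exists, and starting the Entware daemons, but idempotently, so that plugging the same disk in twice or rebooting does not fail on an already existing link. $1 is the DISKNAME handed over by hotplug2.mount. The refusal to link when the disk carries no Entware tree is this example's addition; the paths and the rc.unslung call are the thread's.

```shell
#!/bin/sh
# Added example post-mount.sh, not the thread's own. Called as
# post-mount.sh DISKNAME, where DISKNAME is the LABEL or the device (sdb1).
# Paths default to the ones used in the thread; all can be overridden.

MOUNT_ROOT=${MOUNT_ROOT:-/tmp/mnt}
OPT_TMP=${OPT_TMP:-/tmp/opt}        # on the ramdisk: redone after every boot
OPT_LINK=${OPT_LINK:-/opt}          # on the root fs: survives reboots once made
ENTWARE_DIR=${ENTWARE_DIR:-entware.arm}

# ensure_link TARGET LINK
# Make LINK a symlink to TARGET. Replaces a stale symlink, refuses to clobber
# a real file or directory, and is a no-op when the link is already right.
# Returns 0 on success, 1 if LINK exists and is not a symlink.
ensure_link() {
    target=$1; link=$2
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$target" ] && return 0
        rm -f "$link"
    elif [ -e "$link" ]; then
        echo "ensure_link: $link exists and is not a symlink" >&2
        return 1
    fi
    ln -s "$target" "$link"
}

# entware_root NAME: where Entware lives on the disk mounted under NAME.
entware_root() {
    printf '%s/%s/%s\n' "$MOUNT_ROOT" "$1" "$ENTWARE_DIR"
}

# post_mount NAME: link /opt to the Entware tree and start its daemons.
post_mount() {
    root=$(entware_root "$1")
    # Only a disk that really carries an Entware tree gets linked; a random
    # USB disk plugged into the router must not become /opt (example's check).
    if [ ! -d "$root/bin" ] || [ ! -d "$root/etc/init.d" ]; then
        echo "post_mount: no Entware tree under $root" >&2
        return 1
    fi
    ensure_link "$root" "$OPT_TMP" || return 1      # /tmp/opt -> .../entware.arm
    ensure_link "$OPT_TMP" "$OPT_LINK" || return 1  # /opt -> /tmp/opt
    # rc.unslung runs every S* script in /opt/etc/init.d (dropbear included).
    if [ -x "$OPT_LINK/etc/init.d/rc.unslung" ]; then
        "$OPT_LINK/etc/init.d/rc.unslung" start
    fi
}

if [ -n "${1:-}" ]; then
    post_mount "$1"
fi
```

Because dropbear's S51dropbear is among the scripts rc.unslung starts, this is also where Zdenko's fail-safe comes from: with the disk removed nothing here runs, the stock telnet access is untouched, and a broken key in /opt/etc/dropbear can be fixed from there.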
Dear Voxel!
I am very sorry, it looks like you misunderstood me. I apologize.
By no means did I want to offend you.
I respect you, your excellent knowledge and your willingness to share it with the world.
I just wish to resolve some doubts I have and do not want to brick the router.
Thank you for the explanation above. My doubts have vanished now.
You also answered my unasked question regarding the Entware startup.
Have nice day.
Zdenko
Hi Zdenko!
I do not feel any offence in your questions. Absolutely! There were no such thoughts in my mind, really. Sorry if you could imagine so from my answer. Vice versa, I am glad that there are guys who share my approach to cracking this nut (R7500) and who may need my help. And you are the most active guy :-)
I am not a "Linux/router guru" and I cannot spend much time on this hobby. So I post intermediate results which could help, maybe with my mistakes, but not hardcoded final step-by-step instructions with the motto "follow me or die" :-)
So I expect the same from others. It is very interesting how you will set up your transmission. BTW, I'd suggest also nginx if you want to control transmission from the WAN. With SSL encryption. As a second step after the installation of transmission. There are a lot of instructions on the Internet re: how to use nginx to control transmission from the external world by HTTPS.
Again, no offence at all. It's true.
Have a nice day too,
Voxel.
Hi Voxel!
Glad you are not offended; the first part of your previous post made me feel that way. Okay, don't bother.
Transmission surprised me much. It worked "out of the box", I just set the things I had on the transmission installed on my PC (rpc password, and access policy).
The only thing was another hole punched in the firewall.
The transmission web UI was immediately accessible locally, and management works from the local LAN.
So I played with ssh access today at work. The easy way was to set up a tunnel to the router's transmission web UI. Now I can access it through the ssh tunnel from all over the world. As a result, I do not need openSSL. An ssh tunnel works for just about anything you want.
Next will be CPU speed tuning, as I already wrote.
Have a nice weekend. Here in Slovenia it is very hot for June: >32 deg. C!
Zdenko
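Added example (not Zdenko's configuration) of the ssh tunnel he describes, together with the setting that makes the tunnel the only way to reach transmission's RPC: binding it to 127.0.0.1, so that no firewall hole has to be punched at all. The settings.json keys rpc-bind-address and rpc-whitelist-enabled are transmission-daemon's own; the host name router.lan, the Entware path /opt/etc/transmission/settings.json and the two settings fragments at the end are constructed for this example.

```shell
#!/bin/sh
# Added example: transmission RPC reachable only through an ssh tunnel.
# Not from the thread. Host name and settings path are assumptions.

ROUTER=${ROUTER:-router.lan}
RPC_PORT=${RPC_PORT:-9091}
SETTINGS=${SETTINGS:-/opt/etc/transmission/settings.json}

# json_str TEXT KEY: value of the string field KEY in a flat settings.json.
# Enough for transmission's settings file; it is not a general JSON parser.
json_str() {
    printf '%s\n' "$1" \
      | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
      | head -n 1
}

# rpc_loopback_only TEXT: true if the RPC listens on 127.0.0.1 only, i.e.
# nothing on the LAN or WAN can reach it except through the tunnel.
rpc_loopback_only() {
    [ "$(json_str "$1" rpc-bind-address)" = 127.0.0.1 ]
}

# check_router_settings: run on the router before relying on the tunnel.
check_router_settings() {
    rpc_loopback_only "$(cat "$SETTINGS")"
}

# tunnel: forward local RPC_PORT to the router's loopback RPC. -N opens no
# remote shell; afterwards browse http://127.0.0.1:9091/ on the client.
tunnel() {
    ssh -N -L "$RPC_PORT:127.0.0.1:$RPC_PORT" "root@$ROUTER"
}

# Constructed settings.json fragments (not files from the thread).
SAMPLE_OPEN='{
    "rpc-bind-address": "0.0.0.0",
    "rpc-port": 9091,
    "rpc-whitelist-enabled": true
}'
SAMPLE_LOOPBACK='{
    "rpc-bind-address": "127.0.0.1",
    "rpc-port": 9091,
    "rpc-whitelist-enabled": false
}'
```

With rpc-bind-address on loopback, LAN clients also go through the tunnel (ssh -N -L 9091:127.0.0.1:9091 root@router.lan, then http://127.0.0.1:9091/). If untunnelled LAN access is wanted, keep the bind on the LAN address with the whitelist enabled and leave the WAN side closed, which is what Zdenko describes. Voxel's nginx-with-TLS alternative exposes the web UI to the WAN and therefore needs authentication in front of it; the tunnel reuses the ssh key that is already protected.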
Hi Zdenko!
Congratulations, well done!
Now it's time to think over the motion setup :-) Or at least mjpeg streamer.
Hot weather - good test for a router in the wardrobe. Here +25 only.
Regards,
Voxel.
Hi
Finally opened my router with this guide, got chroot-ed Debian on it and all seems to work fine.
Is it possible to set up a VLAN with this? I need to set VLAN id 102 to get rid of my ISP's router.
Thanks for all the help so far :)
Hi Voxel,
Thank you for the howto. I would like to add NFS, but the needed packages are not listed in the repository, so they are probably not available. Have you any experience in adding NFS?
Best regards,
Hi Camstar!
I do not have any experience with NFS on this router (R7500). I used NFS previously on an ASUS router. But that was two years ago or so. No need for it now.
But why do you think that there is no NFS in Entware?
List of NFS server/client tools in Entware.
Best regards,
You are absolutely right! I probably didn't have the PATH right, so the Netgear opkg was executed...
I'll try to install the nfs-kernel-server. There is a howto on the DD-WRT pages.
Thanks!
I'm running into the same problem after using a new USB drive. How did you solve this problem?
This drive was ext4 formatted on another system. Did a chmod 777 on mc, but no change.
Best regards,
The previous message was a reply to an earlier post of ZDENKO regarding "permission denied" on executing mc. The reply button doesn't work as expected ;-) Neither does my Netgear, so no surprises here ;-)
"permission denied" is a result of mounting your external USB drive with the "noexec" option by the script /sbin/hotplug2.mount.
You should either correct this script (removing "noexec" for your FS) or remount your USB drive manually for a test. Also: see one of my posts above, I'd suggest the case sensitive HFSPLUS filesystem. EXT2/3/4 will always get the 777 file attribute.
Regards
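Added example (not from the thread) for the "permission denied" explained above: read the disk's mount options from /proc/mounts, see whether noexec is among them, and remount with exec. chmod 777 cannot help here because noexec is a property of the mount, not of the file. mount_opts takes the /proc/mounts text as an argument so that the parsing can be checked against the constructed sample at the end; on the router pass "$(cat /proc/mounts)", as remount_exec does.

```shell
#!/bin/sh
# Added example: detect and clear noexec on the USB disk mount. Not from the
# thread. SAMPLE_MOUNTS is constructed in /proc/mounts format, not captured
# from a real router.

# mount_opts MOUNTPOINT MOUNTS_TEXT: print the option field (4th column of
# /proc/mounts) for MOUNTPOINT, or nothing if it is not mounted.
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4 }'
}

# has_opt OPTS NAME: true if the comma-separated OPTS contains NAME exactly
# (so "noexec" does not match "noexec_x" or "nodev").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# noexec_mounted MOUNTPOINT MOUNTS_TEXT: true if the mount carries noexec.
noexec_mounted() {
    has_opt "$(mount_opts "$1" "$2")" noexec
}

# remount_exec MOUNTPOINT: clear noexec in place, without unmounting, so the
# Entware binaries and the post-mount hook on the disk can be executed.
remount_exec() {
    if noexec_mounted "$1" "$(cat /proc/mounts)"; then
        mount -o remount,exec "$1"
    fi
}

# Constructed sample: an ext4 disk mounted the way the stock hook does it
# (noexec) next to one mounted without it.
SAMPLE_MOUNTS='/dev/sdb1 /tmp/mnt/Entware ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /tmp/mnt/sda1 hfsplus rw,relatime 0 0'
```

A manual remount only lasts until the disk is unplugged or the router reboots; for a permanent fix the mount options in /sbin/hotplug2.mount have to be changed, as the post says.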
Thanks for your answer! (Didn't see it before now, no email notification I guess)
The link you provided mentions the file: /etc/config/network
A lot of other guides for different routers also mention this file, but it does not exist on my R7500.
Is this only my router?
I am able to receive an IP from my ISP on a VLAN interface when I do it like this:
This will give me my public IP, so that is progress, but I can't reach the Internet from my router's ssh terminal (trying to ping 8.8.8.8 doesn't work).
Pinging 8.8.8.8 when my wan port is connected through my "bridgemode" isp router results in good stable ping.
So this leaves me to think there is something wrong with routing, but the output of the "route" command gives me this:
Hi Voxel,
While following your instructions, I've got an issue:
8) Create symbol links for /opt (I suggest two consequential links):
ln -sf /tmp/mnt/sda1/entware.arm /tmp/opt => created the symlink with no issues as /tmp/opt was mounted as rw
ln -sf /tmp/opt /opt - getting an error:
ln -sf /tmp/opt /opt
ln: /opt/opt: Read-only file system
This is what my /tmp/opt looks like:
tmp/opt# ls -la
drwxr-xr-x 2 root root 0 Sep 19 11:47 .
drwxr-xr-x 15 root root 0 Sep 19 11:47 ..
lrwxrwxrwx 1 root root 25 Sep 19 11:47 entware.arm -> /tmp/mnt/sdb1/entware.arm
And this is what my USB mount /mnt/sdb1 looks like:
ls -la /mnt/sdb1
drwxr-xr-x 3 root root 4096 Sep 19 11:44 .
drwxr-xr-x 5 root root 0 Sep 19 10:16 ..
drwxr-xr-x 11 root root 4096 Sep 19 11:48 entware.arm
So the questions are:
1. Should I have the entware.arm folder at the root level of sdb1 as it is now, or do I need to extract the folder content to the root of /sdb1?
2. How can I fix the issue with the ln -sf /tmp/opt /opt error? /opt actually is read-only and created each time the router comes up, so could it be some typo?
3. Last question: I'm not super familiar with Entware, however I need it for only one reason: to have a PERL distro to be able to write PERL scripts. Will it be possible with ENTWARE?
Thanks a lot for your help
Hi Voxel,
just wanted to thank you for your effort. I bought this router and for my use case there is no competition (Routing + NAS + VPN). Now with the ability which you have shown us, to add additional packages, it is one step closer to utilizing the power it has.
Since the source for this router is open sourced, how difficult would it be to create a custom firmware with the most basic extensions (SSH, overclock, VPN client)? I would not mind doing it on my own, if there is a manual on how to build the firmware.
Bw,
Peter
Voxel,
Forgot to ask: what about if we keep powerctl set to 'dynamic' but change the following values in the 'on-demand' mode in order to utilize the full power of the router:
Peter
Hi gennadiv!
I do not quite understand what you did with your router's filesystems. IMO you should reboot, remove the symlinks you created and do it all anew, step-by-step.
What you should have:
root@nighthawk:~# ls -l /opt
lrwxrwxrwx 1 root root 8 Jul 13 21:37 /opt -> /tmp/opt
The root of the router ("/") is not a read-only file system. Please check that you can create a file in the root of the router. At least in the latest official firmware. The symlink to /tmp/opt (i.e. "/opt") is created once. The symlink to /tmp/mnt/sdb1/entware.arm (i.e. "/tmp/opt") should be created after each router reboot, because /tmp is a ramdisk.
PERL in Entware: I did not use it. I mainly work with chroot-ed Debian. But Perl from Entware should work w/o problems. There are a lot of perl related packages there. I briefly googled, people use perl from Entware.
Regards,
Voxel
Hi Peter,
I tried to compile the FW. Just with the aim of having additional *.ko modules for webcam support. Failed to get workable *.ko. Too dirty code. I do not advise making experiments with your own custom FW if you do not have a "de-brick" toolkit for the R7500 for after you get a brick instead of a workable router.
We have to wait for OpenWRT support. Using Entware and/or Debian meanwhile.
Regarding the CPU: I finally use the default scheme (as is in the FW). 1400 on demand.
Regards,
Voxel.
Voxel,
by '1400 on demand' do you mean setting powerctl as I have mentioned, or using the stock values? The stock values of the latest firmware are set to 1GHz as the max frequency by default, or am I mistaken?
Bw,
Peter
Great work, Voxel. Thank you for sharing all that you have done. I am trying to see if there's any way to mount an encrypted partition, but it appears that without device-mapper support in the kernel (dm-crypt) we are out of luck. Do you know of any way to mount an encrypted partition? Can this be done with a chroot'ed Debian image? I don't mind if the encrypted files can only be seen by Debian. Thank you.
One other thing. I've installed a Debian Wheezy chroot and can't even get it to 'apt-get install wget' after I enter the Debian chroot. I followed the instructions here: https://www.hqt.ro/how-to-install-debian-wheezy-arm/
When I try installing wget, I receive the following error:
Peter,
(Sorry for silence, I was absent (vacations).)
As far as I remember the stock values work like this: if the CPU load is more than 50% it goes to turbo mode (1400MHz). Otherwise: 800MHz. So it is OK in most cases (during a hot summer for example, to avoid overheating).
Regards,
Voxel
onlinespending,
Thanks for your thanks :-)
Regarding encrypted partitions, I did not try.
Debian: those instructions are a bit outdated already. Maybe "apt-get update" and "apt-get upgrade" will help you. I use Jessie, it is OK on the R7500. I can pass you my own minimal installation. Contact me in PM if you are interested. wget is working.
BTW, you need the HFS+ filesystem (with case sensitive support) to deal with Debian on this router. I failed to use ext2/3/4 (777 permissions for all files/dirs).
Regards,
Voxel.