Minh’s Scrap Yard

Exploring VTVcab’s router (Dasan H660DW)

2019-01-22T00:00:00+00:00

This post is a little bit different than usual, having me exploring my ISP router which is the Dasan Networks H660DW, stay with me to see what I’ve found in the process.

Disclaimer: I am not responsible for any damage you cause to your device or ISP by following this guide. Do this at your own risk!

The default IP for this router is 192.168.55.1 or 192.168.56.1, yes it has 2 separated LAN IP address. In this tutorial I’ve changed my Net ID to 192.168.0.0 so the router’s IP will be 192.168.0.1 because it’s faster to type.

The password for this router varies by firmware, it could be admin:vertex25 or admin:SERIAL_NUMBER with SERIAL_NUMBER is the GPON S/N on the label of the router.

1. Specs:

1244Mb/s 1310nm DFB Upstream Burst Mode Transmitter
2488Mb/s 1490nm APD/TIA Downstream
1550nm CATV Receiver
Triplexer: Hisense LTY9775M
SC Fiber connector
5x1Gbps Ethernet Switch (4 usable)
1 CATV RF output
WIFI: Ralink RT5392L (2.4GHz Wireless access point with 2 Antenna)
SOC: Ralink MT751020 SOC (4 MIPS core)
RAM: 128MB
NAND: 128MB

2. Access SSH/Telnet:

Web interface have a lot of limitation because it’s designed for end user, what you will want to do is to talk with it natively, on some earlier firmware having SSH and Telnet enabled by default but the latest one doesn’t do that, you have to do it manually.

2.1. Enabling SSH/Telnet

Go to Maintenance -> Utilities -> ACL and set it as the picture below.

ACL: Activated Access Control Listing: This table determines which IP range are allowed to access the router’s features in the SCL.

IP Address: Put your LAN Network ID here
Net Mask: This is the range of the Network ID which are allowed to access SCL, 24 means from 192.168.0.0 to 192.168.0.255 SCL: This table is for enable/disable special function access.
WAN: For security reason, you should disable all the options here so people on the internet couldn’t access your router’s panel.
LAN: You could enable everything here if you want.

2.2. Accessing SSH:

Now you should be able to access SSH/Telnet using PuTTY on Windows or ssh tools on your favorite Linux distribution.

SSH credential: admin:YOUR_PANEL_PASSWORD

Now there’s something to notice: The router’s SSH server are using a deprecated algorithm for SSH which is not allowed to access by openssh by default, you have to put -oKexAlgorithms=+diffie-hellman-group1-sha1 to the ssh command for login:

[user@Arch-Linux ~]$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.0.1
admin@192.168.0.1's password: 
# export
export HOME='/'
export LOGNAME='admin'
export PATH='/userfs/bin:/usr/sbin:/bin:/usr/bin:/sbin'
export PWD='/'
export SHELL='/bin/sh'
export TERM='xterm-256color'
export USER='admin'
# pwd
/
# ls
bin      data     etc      linuxrc  sbin     userfs   var
boaroot  dev      lib      proc     tmp      usr
# uname -a
Linux tc 2.6.36 #1 SMP Thu Jun 22 08:40:46 UTC 2017 mips unknown
#

There we go, we got SSH access, this router is running a MIPS processor with a small Linux on it, the file system is squashfs so you can’t directly modify the file system, it’s not gonna keeping change when you reboot it, the config file is saved on a different partition.

2.3. Accessing Telnet:

This is an exciting one, for some reason, Telnet don’t allow you to login using the control panel’s credentials but it using a different password, I was able to find some documents talking about the password for this.

Telnet credential: admin:vertex25ektks123

[user@Arch-Linux ~]$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
tc login: admin
Password: 
# export
export HOME='/'
export LOGNAME='admin'
export PATH='/userfs/bin:/usr/sbin:/bin:/usr/bin:/sbin'
export PWD='/'
export SHELL='/bin/sh'
export TERM='vt102'
export USER='admin'
# 

It’s still the exact same thing as SSH, not that it enable some extra privilege or something and more importantly: You can’t change this password, this is a serious security flaw which allow attacker to logging using a hardcoded credential, I recommeded to disable the telnet function because an attacker could do anything with this telnet access to your router.

3. SSH exploring

Random stuffs I’ve grabbed via SSH goes here:

Mount point, MTD info:

# mount
/dev/mtdblock3 on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
ramfs on /tmp type ramfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
/dev/mtdblock8 on /data type jffs2 (rw,relatime)
# ls /dev/mtd*
/dev/mtd         /dev/mtd4        /dev/mtdblock0   /dev/mtdblock5
/dev/mtd0        /dev/mtd5        /dev/mtdblock1   /dev/mtdblock6
/dev/mtd1        /dev/mtd6        /dev/mtdblock10  /dev/mtdblock7
/dev/mtd10       /dev/mtd7        /dev/mtdblock2   /dev/mtdblock8
/dev/mtd2        /dev/mtd8        /dev/mtdblock3   /dev/mtdblock9
/dev/mtd3        /dev/mtd9        /dev/mtdblock4

/proc/cpuinfo:

system type		: Ralink MT751020 SOC
processor		: 0
cpu model		: MIPS 34Kc V5.5
BogoMIPS		: 498.07
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0ff8, 0x0ff8]
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

processor		: 1
cpu model		: (null) V5.5
BogoMIPS		: 374.37
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0ff8, 0x0ff8]
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

processor		: 2
cpu model		: (null) V5.5
BogoMIPS		: 374.37
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0ff8, 0x0ff8]
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

processor		: 3
cpu model		: (null) V5.5
BogoMIPS		: 374.37
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0ff8, 0x0ff8]
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

/proc/crypto:

name         : stdrng
driver       : krng
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
type         : rng
seedsize     : 0

name         : arc4
driver       : arc4-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 1
min keysize  : 1
max keysize  : 256

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : md5
driver       : md5-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 16

/proc/mtd: (To calculate actual size of MTD, convert the size column from Hex to Decimal, the result will be the size in Kilobytes)

dev:    size   erasesize  name
mtd0: 00040000 00020000 "bootloader"
mtd1: 00040000 00020000 "romfile"
mtd2: 0013645b 00020000 "kernel"
mtd3: 00770000 00020000 "rootfs"
mtd4: 030e0000 00020000 "tclinux"
mtd5: 001358d7 00020000 "kernel_slave"
mtd6: 00760000 00020000 "rootfs_slave"
mtd7: 02ae0000 00020000 "tclinux_slave"
mtd8: 00200000 00020000 "user_rootfs"
mtd9: 00500000 00020000 "user_config"
mtd10: 000a0000 00020000 "reservearea"

#ps aux:

  PID  Uid     VmSize Stat Command
admin       328 S   init       
admin           SW  [kthreadd]
admin           SW  [ksoftirqd/0]
admin           SW  [kworker/0:0]
admin           SW  [kworker/u:0]
admin           SW  [migration/0]
admin           SW  [migration/1]
admin           SW  [ksoftirqd/1]
admin           SW  [migration/2]
admin           SW  [ksoftirqd/2]
admin           SW  [migration/3]
admin           SW  [kworker/3:0]
admin           SW  [ksoftirqd/3]
admin           SW< [khelper]
admin           SW  [sync_supers]
admin           SW  [bdi-default]
admin           SW< [kblockd]
admin           SW  [kswapd0]
admin           SW  [fsnotify_mark]
admin           SW< [aio]
admin           SW< [crypto]
admin           SW  [mtdblock0]
admin           SW  [mtdblock1]
admin           SW  [mtdblock2]
admin           SW  [mtdblock3]
admin           SW  [mtdblock4]
admin           SW  [mtdblock5]
admin           SW  [mtdblock6]
admin           SW  [mtdblock7]
admin           SW  [mtdblock8]
admin           SW  [mtdblock9]
admin           SW  [mtdblock10]
admin           SW  [kworker/3:1]
admin           SW  [kworker/1:1]
admin           SW  [kworker/2:1]
admin           SW  [kworker/0:1]
admin           SWN [jffs2_gcd_mtd8]
admin      2308 S   /userfs/bin/cfg_manager 
admin           SW  [kworker/u:1]
admin           SW  [pon_phy_task]
admin           SW  [kworker/1:2]
admin        60 S   tcwdog -t 1 /dev/watchdog 
admin        56 S   /usr/bin/utelnetd -l /bin/login -d 
admin      2308 S   /userfs/bin/cfg_manager 
admin      2308 S   /userfs/bin/cfg_manager 
admin      2308 S   /userfs/bin/cfg_manager 
admin      2308 S   /userfs/bin/cfg_manager 
admin      2308 S   /userfs/bin/cfg_manager 
admin       596 S   /userfs/bin/epon_oam 
admin      1276 S   /userfs/bin/omci 
admin       308 S   /userfs/bin/dropbear 
admin       324 S   /usr/sbin/udhcpd 
admin        44 S   /usr/bin/manager_watchdog 
admin       308 S   /sbin/syslogd -l 5 -m 0 -O /data/log/messages -o /data/log/sec_messages -S -s 512 
admin       296 S   /sbin/klogd 
admin       736 S   /userfs/bin/boa -c /boaroot -d 
admin       452 S   /bin/sh /usr/script/telnet_checker.sh 
admin       452 S   /bin/sh /usr/script/cpu_usage_check.sh 
admin      2308 S   /userfs/bin/cfg_manager 
admin      2308 S   /userfs/bin/cfg_manager 
admin       596 S   /userfs/bin/epon_oam 
admin       596 S   /userfs/bin/epon_oam 
admin       596 S   /userfs/bin/epon_oam 
admin       596 S   /userfs/bin/epon_oam 
admin       596 S   /userfs/bin/epon_oam 
admin       300 S   /userfs/bin/nos_upgrade 
admin       300 S   /userfs/bin/nos_upgrade 
admin       300 S   /userfs/bin/nos_upgrade 
admin           SW  [kworker/2:2]
admin        92 S   init       
admin      1276 S   /userfs/bin/omci 
admin      1276 S   /userfs/bin/omci 
admin      1276 S   /userfs/bin/omci 
admin      1276 S   /userfs/bin/omci 
admin      1276 S   /userfs/bin/omci 
admin      1276 S   /userfs/bin/omci 
admin      1276 S   /userfs/bin/omci 
admin      1276 S   /userfs/bin/omci 
admin      1276 S   /userfs/bin/omci 
admin       552 S   pppd unit 0 user vtv_XXXXXXX password XXXXXX nodetach holdoff 4 maxfail 0 usepeerdns lcp-echo-interval 60 lcp-echo-failure 3 plugin libpppoe.so nas0 defaultroute noipdefault persist mtu 
admin       100 S   /sbin/udhcpc -i nas6 -s /usr/script/udhcpc_nodef.sh -p /var/run/udhcpc-nas6.pid -m XX:XX:XX:XX:XX:XX 
admin      1620 S   /userfs/bin/snmpd -Ln -c /etc/snmp/snmpd.conf -p /var/log/snmpd.pid 
admin       304 S   /userfs/bin/dnsmasq 
admin       552 S   /userfs/bin/dropbear 
admin       500 S   -sh 
admin        92 S   sleep 5 
admin        92 S   sleep 10 
admin       340 R   ps aux 

#ls /boaroot/cgi-bin (notice these files, there will be more fun after this)

OutVariant.asp                   adv_nat_alg_switch.asp           cfm_mip.asp                      home_wireless_5g.asp             reboot.asp                       tools_update.asp
WLAN_Scheduling.asp              adv_nat_dmz.asp                  cfm_status.asp                   home_wireless_cht.asp            ssid_index2.asp                  upnp_portforward_list.asp
access_URLfilter.asp             adv_nat_ipaddrmap.asp            cfm_status_log.cgi               home_wizard.asp                  status.asp                       video_status.asp
access_acl.asp                   adv_nat_porttriggering.asp       current_users.asp                index.asp                        status_deviceinfo.asp            virsvr_table.cgi
access_acl2.asp                  adv_nat_porttriggering_list.asp  gem_rate.cgi                     index_new.asp                    status_deviceinfo_bhati.asp      wifiqa_advanced.asp
access_appfilter.asp             adv_nat_top.asp                  gem_rate_info.asp                index_org.asp                    status_dhcp.asp                  wifiqa_advanced_cht.asp
access_auth.asp                  adv_nat_virsvr.asp               getCANames.cgi                   ipaddr_table.cgi                 status_log.cgi                   wifiqa_apstatistics.asp
access_auth_registerID.asp       adv_ontmode.asp                  getCertNames.cgi                 loginFail.asp                    status_log_bhati.cgi             wifiqa_basic.asp
access_cwmp.asp                  adv_portbinding.asp              help_access.asp                  logout.cgi                       status_new.asp                   wifiqa_wmm.asp
access_ddns.asp                  adv_pvidsetting.asp              help_advanced.asp                more_client_list.asp             status_statistics.asp            wizardBridge.asp
access_ipfilter.asp              adv_qos.asp                      help_index.asp                   more_client_list_2.asp           tools_admin.asp                  wizardConType.asp
access_l2filter.asp              adv_qoslist.asp                  help_interface.asp               more_client_list_3.asp           tools_admin_cht.asp              wizardDHCP.asp
access_l3filter.asp              adv_routepolicy.asp              help_maintenance.asp             navigation-access.asp            tools_autoprovision.asp          wizardPPP.asp
access_l4appctrl.asp             adv_routepolicy_summary.asp      help_quickstart.asp              navigation-advanced.asp          tools_config_backup.asp          wizardStatic.asp
access_parental.asp              adv_routepolicy_url_summary.asp  help_status.asp                  navigation-basic.asp             tools_config_restore.asp         wizardTZ.asp
access_snmp.asp                  adv_routing.asp                  home_advancedwireless.asp        navigation-help.asp              tools_factory_restore.asp        wizardclose.asp
access_sshd.asp                  adv_routing_table.asp            home_lan.asp                     navigation-left-cht.asp          tools_firmware.asp               wizardcomp.asp
access_upnp.asp                  adv_static_route.asp             home_pvclist.asp                 navigation-left.asp              tools_management.asp             wizardpwd.asp
admin.asp                        adv_vlan_group.asp               home_servlist.asp                navigation-maintenance.asp       tools_remove_tftp.cgi            wizardset.asp
adv_6rdtunnel.asp                adv_vlan_pvid.asp                home_setup.asp                   navigation-status.asp            tools_save.asp                   wizardstart.asp
adv_adsl.asp                     adv_vlan_top.asp                 home_wan.asp                     navigation-status_ssid2.asp      tools_system.asp
adv_firewall.asp                 adv_vpn_connection.asp           home_wan2.asp                    navigation.asp                   tools_test.asp
adv_fonnet.asp                   adv_vpn_setting.asp              home_wan2_setup.asp              portbinding_table.asp            tools_tftp.asp
adv_gpon.asp                     cfm_action.asp                   home_wan2_setup_cht.asp          porttriggering_list.cgi          tools_tftp.cgi
adv_ipv6_static_route.asp         cfm_mep.asp                      home_wireless.asp                pppoe_pwd.cgi                    tools_time.asp

Unencrypted config file is located at /tmp/var/romfile.cfg

3. Web interface vulnerables:

This router have a security issue which allows anyone to access its .cgi page without any password.

As you can see above, we have some .cgi pages

cfm_status_log.cgi       getCANames.cgi           ipaddr_table.cgi         porttriggering_list.cgi  status_log.cgi           tools_remove_tftp.cgi    virsvr_table.cgi
gem_rate.cgi             getCertNames.cgi         logout.cgi               pppoe_pwd.cgi            status_log_bhati.cgi     tools_tftp.cgi

Most of them is not that interesting but take a look at these files:

pppoe_pwd.cgi: This file will show the password of the PPPoE account running inside the router, it only show PPPoE Password but not Username though…
status_log.cgi: This file will reading from /data/log/messages which is the device’s syslogd, there’s nothing much interesting in it, it could also can access via Maintenance -> Logs -> System Log in the web interface.
status_log_bhati.cgi: This is the most interesting one, it’s the kernel kmsg which having the router’s MAC Address in there, the GPON S/N is a MAC Address and also very similar to the one you could get in here, assuming the router is exposed on the internet, anyone could access this file and try to login using this MAC address (assuming the user didn’t changed the default password and this router’s default password is the GPON S/N)

Update: Actually not needed to knowing the Router’s MAC address, just use the hardcoded Telnet password and you’ll get in easily.

Also the Web Interface password is not hashed, it is encoded using base64 and saved in the romfile.cfg, you could even get the data from the export command to print out environment variables in Telnet (SSH don’t have these)

# export
export DS_CONFIG_CONSOLE_PASSWD='dmVydGV4MjVla3RrczEyMw=='
export DS_CONFIG_CONSOLE_USERNAME='admin'
...
export DS_CONFIG_WEB_ACC_NAME_0='admin'
export DS_CONFIG_WEB_ACC_NAME_1='user'
export DS_CONFIG_WEB_ACC_NAME_2='guest'
export DS_CONFIG_WEB_ACC_NUM='3'
export DS_CONFIG_WEB_ACC_PASSWD_0='dmVydGV4MjU='
export DS_CONFIG_WEB_ACC_PASSWD_1='MTIzNA=='
export DS_CONFIG_WEB_ACC_PASSWD_2='MTIzNA=='

4. Firmware hacking

The device having a populated UART header and an unpopulated JTAG header on the board, this is what get spilled out at the UART when boot

DRAMC V2.0 (0)



DRAMC V2.0.0.1 (0)



MT751020 at Wed Dec 16 00:42:14 KST 2015 version 1.6.0 free bootbase

Memory size 128MB

NAND Page size:2048B,Total size 128MB 

bmt pool size: 81 

Press 's' key in 3 secs to enter boot command mode.
............................................................


Invalid Power GPIO, just return and don't turn on Power LED 


==> boot flag = 0
Decompress to 80002000 free_mem_ptr=80600000 free_mem_ptr_end=80780000
from main
Uncompressing [LZMA] ...  done.
busybox init and set aff

init started:  BusyBox v1.00 (2017.06.22-08:43+0000) multi-call binary
chmod: /userfs/profile.cfg: Read-only file system
Unlocking bootloader ...
Writing from /tmp/boot.bin to bootloader ... 
 [ w ]
TCSUPPORT_IPV6
net.netfilter.nf_conntrack_max = 8196
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 10
chmod: /etc/xml/xml: Read-only file system
mtd[readflash]:device=reservearea tclen=512 tcoffset=524288
Unlocking reservearea ...
Reading from reservearea to /tmp/RT30xxEEPROM.bin ... 
mtd[readflash]:device=reservearea tclen=64 tcoffset=525312
Unlocking reservearea ...
Reading from reservearea to /tmp/wlan_cal_info ... 
Error--MCL activate value is NULL.
modprobe: could not parse modules.dep

The kernel doesn't support the ebtables 'filter' table.
modprobe: could not parse modules.dep

The kernel doesn't support the ebtables 'filter' table.
modprobe: could not parse modules.dep

The kernel doesn't support the ebtables 'filter' table.
Cannot find device "br0"
insmod raeth driver
cat: /proc/tc3162/hwnat_wan_account: No such file or directory
route: SIOC[ADD|DEL]RT: No such device
==>wlan_read:ioctl open fail
TCSUPPORT_WLAN
iptables: No chain/target/match by that name.
TCSUPPORT_WLAN_MULTIDRIVER
SIOCGIFFLAGS: No such device
done
TCSUPPORT_WLAN: ifconfig
SIOCSIFADDR: No such device
SIOCGIFFLAGS: No such device
interface rai0 does not exist!
telnetd: starting
  port: 23; login program: /bin/login
SSH
four ports
SIOCGIFFLAGS: No such device
interface eth0.1 does not exist!
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.2 does not exist!
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.3 does not exist!
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.4 does not exist!
sh: vconfig: not found
device eth0 is already a member of a bridge; can't enslave it to bridge br0.
Added VLAN with VID == 1 to IF -:eth0:-
WARNING:  VLAN 1 does not work with many switches,
consider another number if you have problems.
Added VLAN with VID == 2 to IF -:eth0:-
Added VLAN with VID == 3 to IF -:eth0:-
Added VLAN with VID == 4 to IF -:eth0:-
mtd[readflash]:device=reservearea tclen=1 tcoffset=541696
Unlocking reservearea ...
Reading from reservearea to /tmp/bootflag ... 
mtd[readflash]:device=tclinux tclen=32 tcoffset=16
Unlocking tclinux ...
Reading from tclinux to /tmp/main_trx.bin ... 
mtd[readflash]:device=tclinux tclen=4 tcoffset=0
Unlocking tclinux ...
Reading from tclinux to /tmp/main_magic.bin ... 
mtd[readflash]:device=tclinux_slave tclen=32 tcoffset=16
Unlocking tclinux_slave ...
Reading from tclinux_slave to /tmp/slave_trx.bin ... 
mtd[readflash]:device=tclinux_slave tclen=4 tcoffset=0
Unlocking tclinux_slave ...
Reading from tclinux_slave to /tmp/slave_magic.bin ... 
mtd[readflash]:device=reservearea tclen=1 tcoffset=541696
Unlocking reservearea ...
Reading from reservearea to /tmp/boot_flag_read ... 
00:00:17 imgr.c [71]: Initial system driver.
00:00:17 imgr.c [77]: Initial pthread parameters.
00:00:17 imgr.c [83]: Initial dispatcher.
00:00:17 dspch_init.c [23]: Create IPC trap message queue
00:00:17 dspch_init.c [36]: Create IPC trap message queue
00:00:17 imgr.c [89]: Initial database manager.
00:00:17 dbmgr_init.c [32]: Create database memory.
00:00:17 dbmgr_init.c [38]: Create the share database memory successful.
00:00:17 dbmgr_init.c [41]: The total share database size is 0.
00:00:17 imgr.c [95]: Initial config manager.
00:00:17 imgr.c [101]: Initial fault manager.
00:00:17 imgr.c [107]: Initial performance manager.
insmod: cannot insert `/lib/modules/2.6.36/kernel/net/ipv4/netfilter/iptable_filter.ko': File exists (-1): File exists
chmod: /userfs/profile.cfg: Read-only file system
/etc/isp0.conf
/usr/script/wan_start_boot.sh: 925: Syntax error: end of file unexpected
/etc/isp1.conf
/etc/isp2.conf
Cannot find device "imq0"
bad action parsing
parse_action: bad value (5:mirred)!
Illegal fw "action"
/etc/isp3.conf
/etc/isp4.conf
/etc/isp5.conf
/etc/isp6.conf
/etc/isp7.conf
conntrack v1.2.2 (conntrack-tools): connection tracking table has been emptied.
method = HW_NAT_TAB_CLEAN
done
iptables: No chain/target/match by that name.
RTNETLINK answers: No such file or directory
RTNETLINK answers: No such file or directory
RTNETLINK answers: No such file or directory
RTNETLINK answers: No such file or directory
RTNETLINK answers: No such file or directory
RTNETLINK answers: No such file or directory
RTNETLINK answers: No such file or directory
RTNETLINK answers: No such file or directory
conntrack v1.2.2 (conntrack-tools): connection tracking table has been emptied.
method = HW_NAT_TAB_CLEAN
done
SIOCDIFADDR: Cannot assign requested address
SIOCDIFADDR: Cannot assign requested address
killall: dropbear: no process killed
udhcpd (v0.9.9-pre) started
Jan  1 00:00:23 udhcpd[1606]: udhcpd (v0.9.9-pre) started

Unable to open /etc/udhcpd.leases for reading
Jan  1 00:00:23 udhcpd[1606]: Unable to open /etc/udhcpd.leases for reading

sh: /userfs/bin/dproxy: not found
killall: wscd: no process killed
chmod: /userfs/profile.cfg: Read-only file system
chmod: /userfs/profile.cfg: Read-only file system
chmod: /userfs/profile.cfg: Read-only file system
chmod: /userfs/profile.cfg: Read-only file system
chmod: /userfs/profile.cfg: Read-only file system
chmod: /userfs/profile.cfg: Read-only file system
chmod: /userfs/profile.cfg: Read-only file system
chmod: /userfs/profile.cfg: Read-only file system
chmod: /userfs/profile.cfg: Read-only file system
chmod: /userfs/profile.cfg: Read-only file system
chmod: /userfs/profile.cfg: Read-only file system
chmod: /userfs/profile.cfg: Read-only file system
iptables: Chain already exists.
sh: cannot create /proc/tc3162/qos_switch: Directory nonexistent
/etc/lanAlias0.conf
killall: klogd: no process killed
killall: syslogd: no process killed
ftp switch turn on

sip switch turn on

h323 switch turn on

rtsp switch turn on

l2tp switch turn on,sw_state=

iptables: Bad rule (does a matching rule exist in that chain?).
ipsec switch turn on,sw_state=

iptables: Bad rule (does a matching rule exist in that chain?).
pptp switch turn on

done
killall: boa: no process killed
killall: telnet_checker.sh: no process killed
killall: tftpd: no process killed
killall: inetd: no process killed
send: Broken pipe
mkdir: Cannot create directory `/tmp/cwmp': File exists
mtd[writeflash]:device=reservearea tclen=1 tcoffset=541696 tcfilelen =2
Unlocking reservearea ...
Writing from /tmp/boot_flag_write to reservearea ... 
enter real action -----tclen:0x1,tcoffset:0x84400
writeflash: write 0 'st sector,start from 0x80000,0x1 bytes
 [e] [w] writeflash: total write 0x1 bytes

cp: /etc/udhcp_lease: No such file or directory
cp: /etc/udhcp_external_lease: No such file or directory
sendEponOamCmdMsg open message queue fail!
Unlocking romfile ...
Writing from /tmp/var/romfile.cfg to romfile ... 
 [ ] [e] [w] [w] [w] [w] [w]
rai0      no private ioctls.

rai0      no private ioctls.

rai0      no private ioctls.



switch qos type: sp.


switch qos base : 2. (port-based:0, tag-based:1, dscp-based:2, acl-based:3, arl-based:4, stag-based:5)
write reg: 44, value: 227222
dir: 0, port: 6, rate: 1000000
write reg: 1640
write val: 7a12808f
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
^MT7530 switch kernel API (002D, 0, 00000000) return -1 !
^MT7530 switch kernel API (002D, 1, 00000000) return -1 !
iptables: Chain already exists.
^MT7530 switch kernel API (002D, 2, 00000000) return -1 !
^MT7530 switch kernel API (002D, 3, 00000000) return -1 !
device ra1 is not a slave of br0
device ra2 is not a slave of br0
device ra3 is not a slave of br0
unregister_netdevice: waiting for ra0 to become free. Usage count = 1
device ra0 is already a member of a bridge; can't enslave it to bridge br0.
device ra1 is not a slave of br0
device ra2 is not a slave of br0
device ra3 is not a slave of br0
killall: wscd: no process killed
Interface doesn't accept private ioctl...
set (8BE2): Invalid argument
killall: rtdot1xd: no process killed
Ralink DOT1X daemon, version = '2.5.0.0' 

Please press Enter to activate this console. 

This console is the same as the Telnet console, nothing special about it.

The unencrypted ROM configuration file is located at /tmp/var/romfile.cfg, it is a clear text XML file which contains all the configuration data (Panel password, PPPoE account, WiFi…) and it get written to /dev/mtd1 when you save configuration and get loaded on boot.

To write the romfile.cfg to the romfile partition, use this command:

/userfs/bin/mtd write /tmp/var/romfile.cfg romfile

Setup a Tor Exit/Middle/Bridge relay

2018-12-02T00:00:00+00:00

Tor is an anonymity tool used by those who want to stay private and uncensored when browsing the Internet, it’s working like a proxy but your traffic will be passing through multiple servers before reaching its final destination, the entire network is made of routers operated by volunteer so if you have the bandwidth and a spare server you could help make the Tor network more secure and faster.

Tor has 3 kinds of relays:

Entry/Guard Relays - Entry points into the Tor network
Middle Relays - Send traffic from an entry relay to an exit relay
Exit Relays - Send the traffic out of the Tor network to the original destination on clearnet

When connected to a Tor network, your traffic will go like this if you accessing a website on a clearnet:

Your computer -> Entry Relays -> Middle Relay(s) -> Exit Relay -> Destination server

And like this if you’re accessing a .onion website:

Your computer -> Entry Relays -> Middle Relay(s) -> Destination server

Your traffic is fully encrypted while traveling through the Tor network, that means whoever operating the Entry and Middle relays can’t possibly know what kind of data you’re transmitting, the Entry Relay only know your IP address but don’t know what you’re sending through the Tor network, meanwhile the Exit Relay could only read your traffic (if it’s not end-to-end encrypted to Destination server like HTTPS) but it doesn’t know who has transmitted it.

If you accessing the .onion website, only your machine and the Destination server can read your traffic, it’s not needed to pass through the Exit Relay because the server of the .onion website is not located on regular internet. Because of this, no one knows where’s the exact location of a specific .onion server is at.

In this tutorial, I’ll show you how to set up all kind of Tor Relay node.

Requirement:

Internet access
Basic knowledge of Linux

Note:

Ask your ISP or your server hosting to see if they allow Tor Relay/Exit node first, most of ISP allow hosts Tor Relay on their network but not all allowing Tor Exit, because the Exit node will help Tor users access “real” internet that means they might get you into trouble if they’re doing anything illegal while connected to your Exit node.

Generally, it is safe to run a guard or middle relay on any VPS or shared server (such as DigitalOcean or EC2), since all the server operators will see is harmless encrypted traffic.

However, there are special responsibilities to consider when running an exit node. Since exit relays send traffic directly to the end destination, any illicit activity done through Tor appears to come from the exit relay. This leads to the rare possibility of raids, abuse notices, or more.

1. Install Tor

I’m using Debian 9, you could use the tor package from Debian default repo, however… but I want the latest one so I’ll proceed on adding repo from TorProject.

Always run apt update first to make sure you’ll install the latest packages.

root@tor-exit:~# apt update
Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease
Hit:3 http://deb.debian.org/debian stretch-updates InRelease
Hit:4 http://deb.debian.org/debian stretch-backports InRelease
Hit:6 http://deb.debian.org/debian stretch Release
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

This will need to install apt-transport-https because TorProject’s repo using HTTPS instead of HTTP, this is not supported by default.

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 171 kB of archives.
After this operation, 243 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian stretch/main amd64 apt-transport-https amd64 1.4.8 [171 kB]
Fetched 171 kB in 0s (8,987 kB/s)       
Selecting previously unselected package apt-transport-https.
(Reading database ... 30001 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_1.4.8_amd64.deb ...
Unpacking apt-transport-https (1.4.8) ...
Setting up apt-transport-https (1.4.8) ...

You’ll need to import their PGP key, this will help APT know the package is downloaded from TorProject is legit and not altered/corrupted.

root@tor-exit:~# gpg --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
uid  deb.torproject.org archive signing key
sig!3        EE8CBC9E886DDD89 2012-08-29  [self-signature]
sig!3        EE8CBC9E886DDD89 2014-08-31  [self-signature]
sig!3        EE8CBC9E886DDD89 2009-09-04  [self-signature]
sig!3        EE8CBC9E886DDD89 2018-08-06  [self-signature]
sub  74A941BA219EC810
sig!         EE8CBC9E886DDD89 2012-08-29  [self-signature]
sig!         EE8CBC9E886DDD89 2014-08-31  [self-signature]
sig!         EE8CBC9E886DDD89 2009-09-04  [self-signature]
sig!         EE8CBC9E886DDD89 2018-08-06  [self-signature]
key EE8CBC9E886DDD89:
2 duplicate signatures removed
80 signatures not checked due to missing keys
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key EE8CBC9E886DDD89: public key "deb.torproject.org archive signing key" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

root@tor-exit:~# gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
key EE8CBC9E886DDD89:
80 signatures not checked due to missing keys
OK

Now adding TorProject’s repo to apt sources.list.d directory

root@tor-exit:~# echo "deb https://deb.torproject.org/torproject.org stretch main" > /etc/apt/sources.list.d/tor.list

Now we re-run apt update again so apt will query available package from the updated sources.list

root@tor-exit:~# apt update
Hit:1 http://security.debian.org stretch/updates InRelease
Ign:2 http://deb.debian.org/debian stretch InRelease                                                              
Hit:3 http://deb.debian.org/debian stretch-updates InRelease                                                      
Hit:4 http://deb.debian.org/debian stretch-backports InRelease                                                    
Hit:5 http://ppa.launchpad.net/scaleway/stable/ubuntu bionic InRelease                                            
Hit:6 http://deb.debian.org/debian stretch Release                                                                
Get:7 https://deb.torproject.org/torproject.org stretch InRelease [4,965 B]
Get:9 https://deb.torproject.org/torproject.org stretch/main amd64 Packages [3,465 B]
Fetched 8,430 B in 1s (7,620 B/s)
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.

Install Tor and TorProject’s keyring

root@tor-exit:~# apt install tor deb.torproject.org-keyring
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libzstd1 tor-geoipdb torsocks
Suggested packages:
  mixmaster torbrowser-launcher tor-arm apparmor-utils obfs4proxy
The following NEW packages will be installed:
  libzstd1 tor tor-geoipdb torsocks deb.torproject.org-keyring
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,282 kB of archives.
After this operation, 12.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian stretch/main amd64 libzstd1 amd64 1.1.2-1 [193 kB]
Get:2 http://deb.debian.org/debian stretch/main amd64 torsocks amd64 2.2.0-1+deb9u1 [72.7 kB]
Get:3 https://deb.torproject.org/torproject.org stretch/main amd64 tor amd64 0.3.4.9-1~d90.stretch+1 [1,718 kB]
Get:4 https://deb.torproject.org/torproject.org stretch/main amd64 tor-geoipdb all 0.3.4.9-1~d90.stretch+1 [1,289 kB]
Get:1 https://deb.torproject.org/torproject.org stretch/main amd64 deb.torproject.org-keyring all 2018.08.06 [4,922 B]
Fetched 3,273 kB in 0s (6,112 kB/s)
Selecting previously unselected package libzstd1.
(Reading database ... 30007 files and directories currently installed.)
Preparing to unpack .../libzstd1_1.1.2-1_amd64.deb ...
Unpacking libzstd1 (1.1.2-1) ...
Selecting previously unselected package tor.
Preparing to unpack .../tor_0.3.4.9-1~d90.stretch+1_amd64.deb ...
Unpacking tor (0.3.4.9-1~d90.stretch+1) ...
Selecting previously unselected package torsocks.
Preparing to unpack .../torsocks_2.2.0-1+deb9u1_amd64.deb ...
Unpacking torsocks (2.2.0-1+deb9u1) ...
Selecting previously unselected package tor-geoipdb.
Preparing to unpack .../tor-geoipdb_0.3.4.9-1~d90.stretch+1_all.deb ...
Unpacking tor-geoipdb (0.3.4.9-1~d90.stretch+1) ...           
Selecting previously unselected package deb.torproject.org-keyring.
Preparing to unpack .../deb.torproject.org-keyring_2018.08.06_all.deb ...
Unpacking deb.torproject.org-keyring (2018.08.06) ...
Setting up libzstd1 (1.1.2-1) ...
Processing triggers for libc-bin (2.24-11+deb9u3) ...
Processing triggers for systemd (232-25+deb9u6) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up deb.torproject.org-keyring (2018.08.06) ...
Setting up torsocks (2.2.0-1+deb9u1) ...
Setting up tor (0.3.4.9-1~d90.stretch+1) ...
Something or somebody made /var/lib/tor disappear.
Creating one for you again.
Something or somebody made /var/log/tor disappear.
Creating one for you again.
Created symlink /etc/systemd/system/multi-user.target.wants/tor.service → /lib/systemd/system/tor.service.
Setting up tor-geoipdb (0.3.4.9-1~d90.stretch+1) ...
Processing triggers for systemd (232-25+deb9u6) ...

2. Prepare Tor config

You’ve just installed Tor successfully (hopefully), now you must tell it what you’re going to do with it

If you have an IPv6 and want your Tor Relay to listening on IPv6 and are able to access IPv6, check Step 2.1 (optional)

If you want to set up a Tor Bridge, get the config from Step 2.2

If you want to set up a Tor Relay, get the config from Step 2.3

If you want to set up a Tor Exit, get the config from Step 2.4 and then continue on Step 3

2.1. Getting your IPv6 address

By default Tor does not listen on IPv6 and will not automatically detect your IPv6 interface, you’ll need to get your current IPv6 and enable Tor to use it.

You could get your current IPv6 address by:

root@tor-exit:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether de:1a:24:26:50:04 brd ff:ff:ff:ff:ff:ff
    inet 10.16.41.7/31 brd 10.16.41.7 scope global ens2
       valid_lft forever preferred_lft forever
    inet6 2001:bc8:4400:2c00::5:c07/127 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::dc1a:24ff:fe26:5004/64 scope link 
       valid_lft forever preferred_lft forever

Look for the line that said inet6 and global, in this case, my IPv6 is 2001:bc8:4400:2c00::5:c07, write it down because you’ll need it later.

2.2. Tor Bridge config

ORPort auto
ORPort [INSERT_IPV6_ADDRESS]:auto
SocksPort 0
BridgeRelay 1
Log notice file /var/log/tor/notices.log
DirPort 9030
ExitPolicy reject6 *:*, reject *:*

If you’re behind a NAT firewall, you could change the port number auto and 9030 to suits your needs. DirPort doesn’t need to listen on IPv6, it will return an error if you try to do that.

If you don’t have an IPv6, remove the second “ORPort” and the “, reject6 :”

Skip to Step 3 from now

2.3. Tor Relay config

SocksPort 0
RunAsDaemon 1
ORPort 9001
ORPort [INSERT_IPV6_ADDRESS]:9001
Nickname YourAwesomeRelayName123
ContactInfo YOUR_EMAIL_HERE [AT] DOMAIN [DOT] EXT
Log notice file /var/log/tor/notices.log
DirPort 9030
ExitPolicy  reject *:*, reject6 *:*

You should change the Nickname and ContactInfo as you’d like.

Nickname only allow 1 to 19 characters, only letters, and numbers, no spaces or other special characters. ContactInfo here you should put your email with slightly obfuscated so scrapper will not add your email to their spam list, this emails will be used to contact you and will be published on Tor Atlas.

If you’re behind a NAT firewall, you could change the port number 9001 and 9030 to suits your needs. DirPort doesn’t need to listen on IPv6, it will return an error if you try to do that.

If you don’t have an IPv6, remove the second “ORPort” and the “, reject6 :”

Skip to Step 3 from now

2.4. Tor Exit config

SocksPort 0
RunAsDaemon 1
ORPort 9001
ORPort [INSERT_IPV6_ADDRESS]:9001
Nickname YourAwesomeRelayName123
ContactInfo YOUR_EMAIL_HERE [AT] DOMAIN [DOT] EXT
DirPort 80
DirPortFrontPage /etc/tor/tor-exit-notice.html
ExitPolicy accept *:*, accept6 *:*
IPv6Exit 1
ExitRelay 1

You should change the Nickname and ContactInfo as you’d like.

If you’re behind a NAT firewall, you could change the port number 9001 and 80 to suits your needs. DirPort doesn’t need to listen on IPv6, it will return an error if you try to do that.

With Exit Relay, you also can put a little HTML page in the path of DirPortFrontPage so whenever someone visited your Exit Relay’s IPv4 Address they will be greeted with your HTML message, the common Tor Exit FrontPage HTML is HERE.

If you don’t have an IPv6, remove the second “ORPort” and the “, accept6 :

Continue to Step 3

3. Write config file and enable Tor

Now you’ve got your config file content, put it into /etc/tor/torrc, you could even delete the default file if you want, the configs in step 2. are already enough to get Tor run.

I also have added my FrontPage based on the one from TorProject’s, notice that in the FrontPage has some FIXME value that you’re supposed to change them.

Save it all and now we’re going to get it up and running.

Enable the Tor service startup with (skip this step if you don’t want Tor to run on startup)

root@tor-exit:~# systemctl enable tor
Synchronizing state of tor.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable tor

And start Tor service

root@tor-exit:~# systemctl start tor

Tor should be running now, check to see if the service still running with

root@tor-exit:~# systemctl status tor
● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
   Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor preset: enabled)
   Active: active (exited) since Sun 2018-12-02 08:36:59 UTC; 11min ago
  Process: 1810 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 1810 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/tor.service

Dec 02 08:36:59 tor-exit.minhng99.cloud systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
Dec 02 08:36:59 tor-exit.minhng99.cloud systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).

If you see it’s active that means there’s no error and it’s running in the background.

Make sure you’ve forwarded port to your Tor relay properly, it won’t work without port forwarding.

After around 12 hours, you could go to Tor Relay Search, type in your relay’s Nickname and see how it’s doing, it should look something like this:

Your Tor relay will not be doing much work until 2 weeks later so just be patient.

Resources:

How Tor works Tor config generator TorProject’s Debian/Ubuntu instruction

Debrick TP-Link Archer C7

2018-11-25T00:00:00+00:00

TP-Link Archer line has a very cool recovery trick that makes it quite safe to do firmware flashing (not so much for bootloader flashing), here I’ll guide you how to recover your Archer from bad flashing or when you just want to go back to stock firmware from OpenWRT.

Requirements:

Ethernet cable
TP-Link Archer C7 router (I’m not sure if this will also work for other models)
A computer with an Ethernet port
The router is in “soft-bricked” state (the main u-boot bootloader hasn’t got ruined yet)

1. How it’s work

This TP-Link router uses 2 separate u-boot, factory-uboot for initializing hardware, download recovery firmware from TFTP (when needed) and the secondary bootloader (u-boot) is for starting the Linux Kernel.

Here’s the MTD partitions on my device:

5 cmdlinepart partitions found on MTD device spi0.0
Creating 5 MTD partitions on "spi0.0":
0x000000000000-0x000000020000 : "factory-uboot"
0x000000020000-0x000000040000 : "u-boot"
0x000000040000-0x000000f00000 : "firmware"
2 uimage-fw partitions found on MTD device firmware
0x000000040000-0x0000001e0000 : "kernel"
0x0000001e0000-0x000000f00000 : "rootfs"
mtd: device 4 (rootfs) set to be root filesystem
1 squashfs-split partitions found on MTD device rootfs
0x000000420000-0x000000f00000 : "rootfs_data"
0x000000f00000-0x000000ff0000 : "config"
0x000000ff0000-0x000001000000 : "art"

Its boot sequence is factory-uboot -> u-boot -> firmware (kernel)

When you update your firmware, only the u-boot and the firmware get updated, if one of those 2 gets corrupted then it will not boot normally thus you can’t access the web panel for firmware upgrade like normal.

Fortunately, TP-Link has configured their factory-uboot so it can detect if you want to enter the firmware flashing mode directly and bypassing the rest, this makes recovery very easy without having to disassemble the device and use UART or JTAG to recover, we can trigger it with just the RESET button on the back side of the router.

2. Preparing firmware and TFTP

You’ll need to download the stock firmware from the official TP-Link website, make sure to get the latest one unless you know what you’re doing.

You could even flash the custom firmware like OpenWRT directly and bypass the whole stock-firmware things, just download the one with “factory” in its name.

Here I’m getting the Archer C7(US)_V4_180425, make sure you’ve chosen the right firmware for your device, careful with the hardware version if your device has it.

The downloaded file is in ZIP format, you’ll need to extract it and get the .bin file, that’s what we need.

Create a new folder somewhere and put the .bin firmware file in it, rename it to ArcherC7v4_tp_recovery.bin, if your router is another model like C9 or different hardware version then just change the name accordingly, here I put mine into “/home/minh/firmware/.

Now you have to set your Ethernet IP address to static and specify this IP:

Address: 192.168.0.66 Netmask: 255.255.255.0

You can skip the rest if you want, it’s not that important.

Some OS need to restart the network interface to apply the new IP, just disable and then enable it again or don’t plug anything into the Ethernet port yet.

Now you need a TFTP server, here I’m using atftpd for it, you’ll need to find a suitable TFTP server for your OS.

Remember: It has to be TFTP, regular FTP will NOT work.

If you’re using atftp like me, you could use this command to run it.

sudo atftpd --daemon --user=root --group=root --no-fork --logfile - /home/minh/firmware

I know that you should not run untrusted apps as root but you only need to keep this thing run until the recovery has finished so it’s not much of a problem.

3. Recovery mode and flashing firmware

Now power off your router with the switch on its back, unplug every Ethernet cables, plug only 1 Ethernet cable into port #1 and then into your computer (where the TFTP server lies)

Find a pin or a toothpick or something that’s small enough to fit into a hole which has the RESET button, find the RESET button on its back and try to push it with your object, if you feel it’s clicking then it’s the right hole.

Push and hold the RESET button, power on the router using the back switch and wait until the WPS LED turn on (the LED which have 2 arrows in a circle), now it should be only the POWER LED and the WPS LED turning on, the rest will not light up.

On your TFTP server, you will see something like this which means the router is currently downloading the firmware from your PC and it will flash it automatically, just wait about 5 minutes and the router will reboot itself automatically.

Now when the router has rebooted (other LEDs lights up), you could shut down the TFTP server and switch your Ethernet config to DHCP again.

Open your browser, navigate to http://192.168.0.1/ and you should be greeted with the password update page, that means your router has flashed firmware successfully and now it will work as normal.

How to install Arch Linux with LUKS encrypted rootfs and boot with EFISTUB

2018-11-18T00:00:00+00:00

In this tutorial, I’ll show you how to install Arch Linux but with an encrypted rootfs (/) and with a bootloader-less setup (direct UEFI boot)

Requirements:

Networking access
Machine MUST support UEFI (non-secured mode)
You have some knowledge about how things work (partitioning, UEFI, bootloader, …), you’re an Arch Linux user after all.

Note:

UEFI boot will save you some precious boot time… meanwhile it will be a pain to fix if something goes wrong and render your machine unbootable (bad kernel/initramfs).
If you’re using more than 1 OS, I’d recommend you to just stick with good-ol’ GRUB bootloader.
You must disable the secure boot mode of the UEFI because the kernel file is unsigned, you could sign it after the setup is done and then enable secure boot again.

1. Booting into Live Arch Linux

Nothing special, just create a bootable media from Arch Linux ISO and then boot it, if you see a different menu than this with a fancy Arch Linux logo (GRUB menu) then your machine isn’t booted by using UEFI or something goes wrong while you create the boot media, try again until you see such similar menu as above.

Select Arch Linux archiso x86_64 UEFI CD

Here you have the Arch Linux Live running on your PC, this is how the disk is configured on my PC, there’s only 1 20GB physical disk which is sda and it’s totally empty (no partition).

Starting off by partitioning the disk with

cfdisk /dev/sda

Chose GPT here, I don’t know if UEFI will boot with DOS or other kinds of partition table or not but just chose GPT

Create partition as above. Here I have 512MB partition #1 which we will use it for /boot to store the kernel and initramfs, the total of it will be just around 50MB so you could create as low as somewhere 80MB but I want to leave some extra space for backup/alternative kernel and such. The second partition will be for LUKS encrypted rootfs so it will take up the rest.

You need to create a separated /boot partition for UEFI to boot the kernel because UEFI don’t understand what LUKS is thus it can’t be merged into rootfs

Do not create another partition for SWAP because it will be unencrypted, create SWAP as a file later on the encrypted rootfs if you want to use SWAP

Write to the disk and exit cfdisk.

Now we need to turn /dev/sda2 into a LUKS container by

cryptsetup luksFormat /dev/sda2

Open (decrypt) the LUKS container with

cryptsetup open /dev/sda2 new_rootfs

This is how LUKS works: It reads the encrypted data (raw disk format) on your block disk, decrypts it and put it to a virtual block device at /dev/mapper/ so you need to interacts with the virtual block device and not the real block device itself (which containing LUKS). Here I have the decrypted virtual block device at /dev/mapper/new_rootfs

Now we need to format it, it’s necessary for the /boot partition to be FAT32 for UEFI to read it so we need to format /dev/sda1 with

mkfs.vfat -F32 /dev/sda1

And the decrypted sda2 block device (located at /dev/mapper/new_rootfs) which will contain the rootfs, you can use whatever the filesystem you like, as long as you add the necessary module to the kernel initramfs.

mkfs.ext4 /dev/mapper/new_rootfs

Here notices: You need to mount the rootfs first because we will need to mount the /boot over /mnt/boot and it doesn’t make sense if you do it in reverse, the /boot will get ignored and nothing will write to it if you do it in reverse

Start by mounting rootfs:

mount /dev/mapper/new_rootfs /mnt

Create the /boot directory on the rootfs:

mkdir /mnt/boot

Mount sda1 into the /mnt/boot so the pacstrap could install kernel into it:

mount /dev/sda1 /mnt/boot

That’s it for the partition setup, now we will continue the next step on the actual Arch Linux installation.

2. Arch Linux Setup

This step is fairly simple, just do install as you would do it with normal Arch Linux installation with /mnt as rootfs

Starting with installing the base, you could add more package after base-devel if you’d like but here’s the basic.

pacstrap /mnt base base-devel linux

500KB/s??? Pacstrap is dumb and sometimes it cannot figure out what’s the best mirror to download from so here’s how you could manually select the nearest mirror:

Edit the file /etc/pacman.d/mirrorlist and delete every other mirror except the closest one to you, I’m in Vietnam so here I kept the Vietnamese mirror and delete the rest.

Save it, run pacstrap again, see how fast it is now?

Wait for the pacstrap to complete and then generate fstab file with:

genfstab -U /mnt >> /mnt/etc/fstab

Now check if the fstab has properly generated, it must have the rootfs (/) and the /boot in there, these 2 should have been added automatically by genfstab but if it doesn’t, either you’ve done something wrong with the mounting step or genfstab is broken, try to add it manually.

I’d recommend using UUID when interacting with fstab to prevent unexpected behavior

Here you have to chroot into the installed rootfs, what is chroot? It allows you to “join” into the installed rootfs environment as you were booted into it, meanwhile, the kernel still is from the host (Arch Linux Live), all the changes you made in here will be saved into your final installation disk (/dev/mapper/new_rootfs).

Chroot into the installed directory with

arch-chroot /mnt

Now when you’re inside the chroot, declaring the language and generate the locale with

echo LANG=en_US.UTF-8 > /etc/locale.conf
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen

I only do 1 step of adding locale because I’ve forgotten the rest when taking screenshots for this tutorial. You could set up the Desktop environment and install things here if you like, I’ll skip it because that’s not what this tutorial is for.

Now the important step: While in chroot, edit the file /etc/mkinitcpio.conf and add encrypt to HOOKS as the picture above.

You will need to add keymap before the encrypt if you want to use keymap other than the US standard keymap.

Save the mkinitcpio.conf and to the next step

Now you will need to regenerate the initramfs for the kernel to be able to decrypt the encrypted rootfs with the added encrypt module.

First, check your installed kernel version with

ls /usr/lib/modules

You can see the only installed kernel is 4.19.2-arch1-1-ARCH (ignore the extramodules-ARCH)

NOTE: Do not use uname -r to check for kernel version here, this command will return the current kernel which is used to boot and it’s from Arch Linux Live, it may or may not be the same version as the kernel which you’ve installed to the rootfs

Get the name of the install kernel in /boot (vmlinuz-* for the kernel, initramfs-*.img for the initramfs) for use in the next step, if you use other kernels like Zen then the name will be different

Generate new initramfs with

mkinitcpio -g /boot/initramfs-linux.img -k 4.19.2-arch1-1-ARCH

Modify the command as needed

Now exit from chroot to the Arch Linux Live, I’m paranoid here so I’ve done another sync to make sure everything was flushed down the disk and then reboot, continue to boot with the Arch Linux bootable media.

3. Configure EFI to boot the kernel

In the Arch Linux boot menu, chose UEFI Shell x86_64 v2 this time to get into the EFI Shell

Here’s how the EFI Shell looks like, you could press ESC to skip startup.nsh if you’ve configured it to boot something else.

Here types map to see which partition the EFI has recognized, it’s kinda similar to Linux, here I have FS0 and FS1

Use ls fsX: (with X is the FS# from the mapping table above)

What you’re trying to find here is the partition which contains the kernel files (/boot)

Here we found that the fs0 is the one that we need, it has vmlinuz and initramfs

We need to add a new boot entry at 0 points to vmlinuz-linux so it will get booted first with the command:

bcfg boot add 0 fs0:\vmlinuz-linux "Arch Linux"

Now create a new text file for storing the cmdline for the kernel with

edit fs0:\cmdline.txt

Here you put the necessary kernel cmdline to boot your rootfs, in this example we have

 cryptdevice=/dev/sda2:new_rootfs root=/dev/mapper/new_rootfs rw initrd=\initramfs-linux.img 

NOTICE: Add extra spaces at the beginning of the line in the file. There is a byte order mark at the beginning of the line that will squash any character next to it which will cause an error when booting.

If you use SSD for rootfs, you could add a flag to allow discarding on LUKS encrypted drive with :allow-discards added after the cryptdevice, it will becomes cryptdevice=/dev/sda2:new_rootfs:allow-discards

If you want to use intel-ucode, you need to add an extra initrd before the actual linux initramfs, it will be something like this:

 cryptdevice=/dev/sda2:new_rootfs root=/dev/mapper/new_rootfs rw initrd=\intel-ucode.img initrd=\initramfs-linux.img 

Press F2 to save and then F3 to exit.

Now insert the cmdline to the boot entry #0 with

bcfg boot -opt 0 fs0:\cmdline.txt

reboot your machine with reset, now you don’t need the Arch Linux bootable media anymore, you could pull it out and let your machine boot normally.

Here you can see it’s booting and the kernel asked you to typing password for unlocking the rootfs

That’s it, that’s how you configure your machine to boot the kernel with UEFI meanwhile use LUKS for the rootfs. Comment below if you have any questions or stuck on somewhere along the line.

Resources:

EFISTUB

dm-crypt/Encrypting an entire system

How to Install Arch Linux

How to install/reinstall Linux on a VPS manually

2018-11-13T00:00:00+00:00

In this tutorial, I’ll show you how to reinstall or install another version or a completely different Linux OS for your VPS manually.

This tutorial will come in handy if you want to install/upgrade to an unsupported Linux version from your hosting provider or wanted a customized partition scheme on your server.

Requirements:

Networking access
VNC/KVM/IPMI access of the target machine which will handle the installation, UART/Serial console access might work with extra configuration
The targeted installation machine must either be VPS using full virtualization (KVM/QEMU/VMware/VBOX) or is a dedicated server running on barebone hardware, OpenVZ or any kind of kernel virtualization or containers are not supported.
root access of the Linux server

Note:

This tutorial might not always be working if the virtualization/hardware of the targeted machine is using some weird driver/non-standard hardware configuration.
Some VPS providers set Static IP for their clients, make sure you’ve written down the current IP configuration on the current pre-installed OS for later on, just in case!

1. Getting the machine to boot the netboot version of the OS you wanted to install

Here you can see my pre-installed OS is Ubuntu 16.04 LTS, now I’ll try to get the beta version of Ubuntu which is 19.04 install on the same machine.

First, you need to change the GRUB configuration so it will allow you to see the boot menu by editing the /etc/default/grub and comment out (or delete) the line GRUB_TIMEOUT_STYLE=hidden.

Then execute the command update-grub2 for generating the new boot config file.

Then you check for the location of the first partition of your boot drive, here my VPS vda1 are mounted as /, I’m going to download the netboot version of Ubuntu which is just the 2 fileslinux (kernel) and initrd.gz (ramdisk) to /

Those two files are located HERE

Now you open the VNC/KVM/IPMI of the VPS and then reboot it, it will look something like this

This depends on your GRUB version, it might take you to the GRUB menu and start counting or it will be counting without showing the GRUB menu like what mine did, you could even holding [SHIFT] when the machine is booting for accessing the GRUB menu.

You have to quickly press [ESC] for it to stop the automated boot and then press [c] for accessing the GRUB command-line

Now you get to the command-line part, type it as above, you could remove the priority=low for setup without Advanced mode, for me I like the Advanced mode so I put the priority=low in there, the Advanced mode will allow you to do much more customization for your installation like custom kernel selection, doesn’t force you to create standard user account…

2. Install the OS using netboot installer

Now when you get to this part then it’s pretty easy down the line, just do what it asks you to do, starting off by Choose language then it will take you to the next necessary step when you’ve finished it, don’t select the random step here if you don’t know what you are doing.

As I’ve said before, you could even do manual partitioning on the current disk of the server without any limitation, the setup is currently on RAM so it doesn’t care if the disk contents get nuked or anything !! Your old data will get nuked if you decide to format/erase the partitions !!

If you decided to go with the Advanced mode as I do, you will get to this part which allows you to chose the appropriate kernel for your machine, usually select linux-generic is fine but since this is a VPS and there won’t be any new device get connected to it, I choose the linux-virtual for lightweight.

Also, this part if you’re using a VPS then I’d recommend to chose targeted because it will make your boot process faster since the initrd will be smaller.

You could even install a desktop environment or some recommended software suits your needs… But you can always install those later and I don’t want desktop environment on my server.

After some waiting, the setup will say it’s finished, just do what it wanted you to do.

And setup finished, my VPS is running Ubuntu 19.04, now you have to install ssh server to remote it later on.

Here’s some common OS’s netboot:

Ubuntu: 19.04 18.10 18.04

Debian: 9.0 8.0

CentOS: 7.0

Fedora: 29

How to install Windows on Linux server natively

2018-11-12T00:00:00+00:00

In this tutorial, I’ll show you how to install Windows Server on a VPS natively (without the need for virtualization software like VBOX, VMware…)

Requirements:

At least 2 machines (1 for sharing the setup data via Samba/Network Share, the other for installation)
Networking access between 2 machines
VNC/KVM/IPMI access of the target machine which will handle the installation, UART/Serial console access only will not work
The targeted installation machine must either be VPS using full virtualization (KVM/QEMU/VMware/VBOX) or is a dedicated server running on barebone hardware, OpenVZ or any kind of kernel virtualization or container is not supported.
root access of the Linux server

Note:

This tutorial might not always be working if the virtualization/hardware of the targeted machine is using some weird driver/non-standard hardware configuration.
I’ll also show you how to integrate VirtIO driver into Windows installation image for it to recognize network driver because Windows doesn’t have the driver for VirtIO built-in.
Some VPS providers set Static IP for their clients, make sure you’ve written down the current IP configuration on the Linux server that you’re going to install Windows on it, just in case!

1. Integrating VirtIO driver into Windows ISO

Why we have to do this? Because on some common virtualization software which some VPS providers use, they use a specialized driver for their virtual devices and these devices doesn’t have driver pre-installed in Windows, the results could be somewhere from non-working network card to unbootable because of lacking disk driver

You could download the latest VirtIO driver for the most variant of Windows HERE, chose the latest version, download the ISO file and extract it to get the driver files.

If you know that the devices on the targeted machine use don’t need a specialized driver or you’re trying to install on a dedicated/bare-metal server, you could skip this step.

You could do this with DISM and tons of command line… but to simplify the procedure I would recommend you to use NTLite. Here I’m using NTLite v1.7.1.6572 which is the latest version when this post is created.

You’ll need a Windows setup ISO, here I’m using Windows Server 2019 evaluation downloaded from Microsoft’s website, after downloaded it you’ll need to extract the content from it, you could use 7-Zip or some other ISO extract tools but here I’m just using Windows to mount it and then copy it out.

Why do I have to copy it out? Because NTLite (or Windows’s DISM) does not want to work with a read-only .wim file so you’ll have to copy it out somewhere writable.

Now we will have to load it to NTLite for adding drivers into it.

Starting off by click Add and then Image directory

Here choose the directory of the extracted content from the ISO file, I’ve copied the contents to C:\winiso-extract.

Do not select the mounted, read-only drive

NTLite will show how many variants of the OS is available inside the ISO files, there could be multiple selections here like for Pro/Core Installation/Datacenter… Select the one that you’re going to install, if you install the driver into the wrong version which you will not use for the actual setup then you’ll NOT get the driver that you’ve integrated or you could integrate the driver for every variant of it… but it will need some time to do so, here my ISO only have Essential so I’ll just go with it

Right-click into the variant you want to integrate driver under Operating systems | install.wim and select Load

After some time of waiting, the long menu on the left side will appear, now select Drivers, Add, Directory containing drivers

Now you have to select the appropriate driver for your OS version and architecture, select the wrong one could bring disaster so make sure it’s the right one.

The driver folder which you select should’ve looked something like this inside:

For Windows to work on VirtIO virtualized properly, you have to have at least these 4 driver in it (Baloon, NetKVM, VioSCSI, VIOStor), NetKVM is the important bit because you will be able to download those drivers later but without internet access on your targetted machine after install has finished then you have no way to download anything.

I’ll just be going to add as below…

Now select the Apply on the left side, chose the option as you want in the middle, you could skip the Create ISO if you’re gonna to create a shared directory right after this… But it’s nice to have the ISO image for backing up somewhere so you don’t have to do this again.

After you’ve done fiddling around, press the green Process button on the top left corner for NTLite to do its job.

This could take a pretty long time to finish so just wait patiently and hopefully it will succeed in the end.

2. Create a shared folder of the Windows Installation ISO

Now I’m assuming that you’ve succeeded in integrating the drivers into the Installation ISO? Good, now you’ll need to create a Shared folder on another Windows machine, you could use Samba to create a shared folder on Linux if you don’t have another Windows machine laying around but since I already have a Windows machine here so I’ll just use it.

If you did not use Create ISO with NTLite, it will save the driver integrated setup into the Image directory which you’ve selected earlier, you could directly use it without any issue (the Image directory is C:\winiso-extract in my case) but here since I’ve created a new ISO so I’m gonna to mount it and serve the mounted drive as a Shared folder

You’ll need to Disable Windows Firewall for reaching the Shared folder from outside the internet (which is what the targeted installation machine will do).

3. Obtaining WinPE ISO

WinPE ISO is a very “mini” version of Windows which can run on RAM, you’ll need to install a big Windows Assessment and Deployment Kit (ADK) which is around 1.5GB just to create a 300MB ISO file which is ridiculous, I’ll attach the WinPE ISO file with the VirtIO driver integrated here for easier for you to use it.

But here’s the related docs if you curious on how to get the ISO file: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/download-winpe–windows-pe

You also could use NTLite to add VirtIO driver to WinPE.

Download my WinPE ISO integrated with VirtIO driver: winpe-with-virtio.iso

4. Configure GRUB to boot WinPE on Linux server

The Linux OS I’m using is Ubuntu 18.04, other OS might involve different steps to generate new grub config file.

First of, login to your Linux server using SSH using root.

Create a new dir called win in / by executing command:

mkdir /win

Download wimboot into the directory by using the command:

wget https://www.minhng99.cloud/assets/files/wimboot -O /win/wimboot

Download and copy the winpe-with-virtio.iso into /win/winpe-with-virtio.iso also

Now be careful with the partitions here, on my server there’s only 1 disk and 1 partition (your server might be different), and my / is located on disk 0 partition 1, if your grub bootloader is located on another partition then it will need a little bit of modification for it to work… I’ll tell you how to deal with different partition scheme later.

Now edit the file /etc/default/grub to comment out (or delete) the line GRUB_TIMEOUT_STYLE=hidden as above.

Some other grub version might use GRUB_HIDDEN_TIMEOUT_QUIET=true, comment out (or delete) that line also.

nano /etc/default/grub

Use Ctrl+O to save and Ctrl+X to exit.

Now use edit the file /etc/grub.d/40_custom and add the following code at the end of that file

menuentry "wimboot winpe" {
        set iso_path="/win/winpe-with-virtio.iso"
        loopback loop $iso_path
        linux16 /win/wimboot
        initrd16 \
                newc:bootmgr:(loop)/bootmgr \
                newc:bcd:(loop)/Boot/BCD \
                newc:boot.sdi:(loop)/Boot/boot.sdi \
                newc:boot.wim:(loop)/sources/boot.wim
}

Remember I said something with the partitioning? If your / is not located on the same disk and partition as grub, you will have to do a little modification to the set iso_path="/win/winpe-with-virtio.iso" for pointing grub to the proper disk/partition by change it to set iso_path="(hd0,1)/win/winpe-with-virtio.iso" here hd0,1 means the ISO file is located on the disk 0 and partition 1, change those number as your partition scheme, also - there’s no partition 0, the first partition is 1.

You need to modify the linux16 /win/wimboot to point it to the correct partition also.

If your partition scheme is the same as mine then you can just copy and paste it in place.

Now run update-grub2 to generate new grub config file.

5. Installs Windows by using WinPE

Now you have to access the VNC/KVM/IPMI of the Linux VPS you wanted to install Windows on it, this is a special feature and it’s available on most of hosting services which allow you to control the VPS/server even the network is down/system crash/kernel panic…, it works by capture the screen output from the machine and send it to you meanwhile capture your input and send it to the machine just like you are in front of it and access it physically.

If you don’t have access to such feature then you will not be able to do setup.. at least with the method of this tutorial which involves manual setup

Open the VNC from the VPS’s control panel, type reboot in the SSH and you would see something like this

Use your [arrow keys] and select the wimboot winpe and [Enter]

Now the WinPE is booted and you would see something like this, it’s fine, don’t panic. Now check the internet accessibility by pinging a known working IP address like 1.1.1.1 or 8.8.8.8

If you see it reply then good, internet access is working and you may proceed to the next step, if the network is not working (request timed out or something else showing) then there might be error in somewhere, it could be your VPS provider doesn’t allow DHCP and you have to set the IP by using the command line, or it could be the network device not being recognized. You will have to diagnose this yourself, sorry.

Now do you remember the Shared directory we’ve created on step 2? You need it now.

Mount the Shared directory which is the contents of the Windows Setup to drive w:

net use w: \\YOUR_SHARED_SERVER_IP\winiso * /USER:WORKGROUP\YOUR_SHARED_DIRECTORY_USERNAME

Type the password for YOUR_SHARED_DIRECTORY_USERNAME then [Enter], if it say successfully as above then it’s good to go, otherwise you have to check the step 2 again.

Now navigate to the Windows Setup drive which is w: by typing

w:

and then run the setup with

setup.exe

and proceed the installation process as you would do on a normal Windows Setup

As for this step, select Delete for deleting the Linux OS’s partition !! YOU WILL LOSE ALL OF YOUR LINUX OS’S DATA !! and select Next or you could create the partition as you’d like.

Now it’s time to wait and hope that everything will be OK, the speed of this highly depends on your Linux server’s Download speed and the Shared server’s Upload speed (whichever is the slowest)

Unfortunately… Windows Server 2019 somehow bugged and results in BSoD when the installation successful so I’ve redone it with Windows Server 2016, it’s basically the same.

Woohoo, we got to this welcome screen now, just set things up yourself.

As we can see, the network device is recognized and working properly.

Also, there are no missing drivers.

Now you just have to enable RDP or install TeamViewer or just… use VNC as is for remoting your server. With this tutorial, you can install Windows Server yourself on hosting providers which are not supported it or charging you ridiculous amount of “license fees”, but I don’t think that they’ll happy to see you’re running Windows Server without their permission :)

Resources:

wimboot

Windows Server 2016 Standard/Datacenter ISO with VirtIO

Windows PE ISO with VirtIO