This adds a "factory" image for the aircube-isp devices. Note that the
firmware can't be uploaded without prior special preparation. For the
most recent instructions on how to do that, visit the OpenWRT wiki page
of the Ubiquiti airCube ISP for details:
https://openwrt.org/toh/ubiquiti/ubiquiti_aircube_isp
Current procedure:
With the original firmware 2.5.0 it is possible to upload and execute a
script via the configuration. To do that download and unpack the
original configuration, adapt uhttpd config to execute another lua
handler (placed in the config directory) and pack and upload it again.
The lua handler can call a script that mounts an overlayfs and modifies
the "fwupdate.real" binary so that an unsigned image is accepted. The
overlayfs is necessary because a security system (called tomoyo) doesn't
allow binaries in other locations than /sbin/fwupdate.real (and maybe
some more) to access the flash when executed via network.
A big thanks to Torvald Menningen (Snap) from the OpenWRT forum for
finding out how to patch the binary so that it accepts an unsigned
image.
The current step-by-step procedure is:
- Use a version 2.5.0 of the original firmware. This is important
because a binary file will be modified.
- Download a configuration.
- Unpack it (it's just a tar gz file without an ending).
- Add the following to uhttpd:
``````
config 'uhttpd' 'other'
list listen_http 0.0.0.0:8080
list listen_http [::]:8080
option 'home' '/tmp/persistent/config/patch/www'
option lua_prefix '/lua'
option lua_handler '/tmp/persistent/config/patch/handler.lua'
``````
- Create a `patch` subfolder.
- Create a `patch/www` subfolder.
- Create a `patch/handler.lua` with the following content:
``````
function handle_request(env)
uhttpd.send("Status: 200 OK\r\n")
uhttpd.send("Content-Type: text/plain\r\n\r\n")
local command = "/bin/sh /tmp/persistent/config/patch/patch.sh 2>&1"
local proc = assert(io.popen(command))
for line in proc:lines() do
uhttpd.send(line.."\r\n")
end
proc:close()
end
``````
- Create a `patch/patch.sh` with the following content:
``````
#!/bin/sh -x
set -e
set -u
set -x
UBNTBOX_PATCHED="/tmp/fwupdate.real"
MD5FILE="/tmp/patchmd5"
cat <<EOF > ${MD5FILE}
c33235322da5baca5a7b237c09bc8df1 /sbin/fwupdate.real
EOF
# check md5 of files that will be patched
if ! md5sum -c ${MD5FILE}
then
echo "******** Error when checking files. Refuse to do anything. ********"
exit 0
fi
# prepare some overlay functionality
LOWERDIR="/tmp/lower_root"
mkdir -p ${LOWERDIR}
mount -t squashfs -oro /dev/mtdblock3 ${LOWERDIR}
overlay_some_path()
{
PATH_TO_OVERLAY=$1
ALIAS=$2
UPPERDIR="/tmp/over_${ALIAS}"
WORKDIR="/tmp/over_${ALIAS}_work"
mkdir -p ${UPPERDIR}
mkdir -p ${WORKDIR}
mount -t overlay -o lowerdir=${LOWERDIR}${PATH_TO_OVERLAY},upperdir=${UPPERDIR},workdir=${WORKDIR} overlay ${PATH_TO_OVERLAY}
}
# patch the ubntbox binary.
overlay_some_path "/sbin" "sbin"
echo -en '\x10' | dd of=/sbin/fwupdate.real conv=notrunc bs=1 count=1 seek=24598
echo "******** Done ********"
``````
- Repack the configuration.
- Upload it via the normal web interface.
- Wait about a minute. The webserver should restart.
- Now there is a second web server at port 8080 which can call the lua
script. Visit the page with a web browser. Link is for example
http://192.168.1.1:8080/lua
- You should see the output of the script with a "*** Done ***" at the
end. Note that the patches are not permanent. If you restart the
router you have to re-visit the link (but not re-upload the config).
- Now you can upload an unsigned binary via the normal web interface.
Signed-off-by: Christian Mauderer <oss@c-mauderer.de>
Convert leading spaces to tabs and generally harmonize leading
whitespace indent in the file.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
No bash features are actually used here.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[slightly adjust commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This has nothing that needs bash.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[add prefix to commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This has nothing that needs bash.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[add prefix to commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
There is nothing that needs bash anymore.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[add prefix to commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This replaces deprecated backticks by more versatile $(...) syntax.
Found with shellcheck.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[adjust commit title and message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This replaces deprecated backticks by more versatile $(...) syntax.
Found with shellcheck.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[alter commit title, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Enables proper checking. Matches printf behavior in C.
Found with shellcheck.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[add prefix to commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
let is a bashism.
Found with shellcheck.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[add prefix to commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This reverts commit 10cbc896c0a26aecff37261450c21f29fb5b99db.
The updated iptables package does not build due to the following error
encountered on the buildbots:
cp: cannot stat '.../iptables-1.8.4/ipkg-install/usr/lib/libiptc.so.*': No such file or directory
The changelog mentions "build: remove -Wl,--no-as-needed and libiptc.so" so
it appears as if further packaging changes are needed beyond a simple
version bump.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Setting user and group for a jailed process caused the jail not to
come up. Fix this by passing user and group to ujail and change
user only once the jail has been setup.
This allows jailing services which refuse to run as root user.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This adds an LED trigger for the WAN LED on top of the TP-Link
TL-WR902AC v3. Currently, only the LED on the port itself shows the link
state, while the LED on top of the device stays dark.
The WAN port of the device is a hybrid LAN/WAN one, hence why the LED at
the port was labled LAN.
Signed-off-by: David Bauer <mail@david-bauer.net>
This adds a (currently missing) throughput LED trigger for the rt2x00
driver. Previously, LED triggers had to be assigned to the netdev, which
was limited to a single VAP.
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Christoph Krapp <achterin@googlemail.com>
b30e0df kmodloader: print an error when no kernel module dir can be found
17689b6 logread: add option to filter for facilities
c9ffeac kmodloader: added -v arg to modeprobe
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This patch uses the SOC variable to calculate DTS names automatically
based on the SOC and the device definition node name.
This reduces redundancy and (by having to choose DTS name
appropriately) will unify the naming of a device in different places
(image/Makefile, DTS name, compatible, image name). This is supposed
to make life easier for developers and reviewers.
Since the kernel uses a "soc-device.dts" scheme for this target, we
use this for the derivation of DEVICE_DTS, too, leaving the DTS names
unchanged for this target.
Note that for some devices the kernel itself uses inconsistent names
(DTS naming scheme vs. compatible), leaving us with a manual overwrite
of DEVICE_DTS for those cases.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch uses the SOC variable to calculate DTS names automatically
based on the SOC and the device definition node name.
This reduces redundancy and (by having to choose DTS name
appropriately) will unify the naming of a device in different places
(image/Makefile, DTS name, compatible, image name). This is supposed
to make life easier for developers and reviewers.
Since the kernel uses a "soc-device.dts" scheme for this target, we
use this for the derivation of DEVICE_DTS, too, and rename the files
not having followed it so far.
Note that for some devices the kernel itself is inconsistent, leaving
us with a manual overwrite for ap.dk01.1-c1 and ap.dk04.1-c1.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Several devices in mt76x8 subtarget use the following line to set
up wmac in their DTS(I) files:
ralink,mtd-eeprom = <&factory 0x4>
This is strange for several reasons:
- They should use mediatek,mtd-eeprom on this SOC
- The caldata is supposed to start at 0x0
- The parent DTSI mt7628an.dtsi specifies mediatek,mtd-eeprom anyway,
starting from 0x0
- The offset coincides with the default location of the MAC address
in caldata
Based on the comment in b28e94d4bfa1 ("ramips: MiWiFi Nano fixes"),
it looks like the author for this device wanted to actually use
mtd-mac-address instead of ralink,mtd-eeprom. A check on the same
device revealed that actually the MAC address start at offset 4 there,
so the correct caldata offset is 0x0.
Based on these findings, and the fact that the expected location on
this SOC is 0x0, we remove the "ralink,mtd-eeprom = <&factory 0x4>"
statement from all devices in ramips (being only mt7628an anyway).
Thanks to Sungbo Eo for finding and researching this.
Reported-by: Sungbo Eo <mans0n@gorani.run>
Fixes: b28e94d4bfa1 ("ramips: MiWiFi Nano fixes")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
As announced on the mailing list, WireGuard will be in Linux 5.6. As a
result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is
moving to its own wireguard-tools repo. Meanwhile, the out-of-tree
kernel module for kernels 3.10 - 5.5 moved to its own wireguard-linux-
compat repo. Yesterday, releases were cut out of these repos, so this
commit bumps packages to match. Since wg(8) and the compat kernel module
are versioned and released separately, we create a wireguard-tools
Makefile to contain the source for the new tools repo. Later, when
OpenWRT moves permanently to Linux 5.6, we'll drop the original module
package, leaving only the tools. So this commit shuffles the build
definition around a bit but is basically the same idea as before.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2a0a19168dce mt7603: remove vif sta from poll list on interface remove
dc14ac64e7f3 mt7615: remove vif sta from poll list on interface remove
d868638fdd96 mt76: remove obsolete .add_buf() from struct mt76_queue_ops
50b1e9bd25cd mt76: refactor cc_lock locking scheme
1987b741dac2 mt76: mt76x0: remove 350ms delay in mt76x0_phy_calibrate
c93a2d1c1304 mt76: mt76x02u: update ewma pkt len in mt76x02u_tx_prepare_skb
58e1e969f03e mt76: mt7615: remove unneeded semicolon
c14d6563c492 mt76: mt76x2e: disable pcie_aspm by default
f2be00b1011a mt76: dma: fix buffer unmap with non-linear skbs
20f05897873a mt76: mt76u: rely on usb_interface instead of usb_dev
3cbaf81a185e mt76: mt76u: rely on a dedicated stats workqueue
ea19cd7ac6c6 mt76: Remove set but not used variable 'idx'
a85c06cec844 mt76: use mt76_dev in mt76_is_{mmio,usb}
e0731a82a14f mt76: move SUPPORTS_REORDERING_BUFFER hw property in mt76_register_device
cfdb75124e7c mt76: mt7615: add ibss support
e2f90adcc3b1 mt76: move interface_modes definition in mt76_core module
5dfb0ec9c6d1 mt76: mt7615: disable radar pattern detector during scanning
7121e163c068 mt76: fix possible out-of-bound access in mt7615_fill_txs/mt7603_fill_txs
db78ee08d95e mt76: move mt76_get_antenna in mt76_core module
faf5e6fedd7e mt76: mt7615: read {tx,rx} mask from eeprom
44825e88a42d mt76: use rcu_read_lock_bh in mt76_dma_rx_poll
af83ee8de928 mt76: move initialization of some struct members to mt76_alloc_device
6493e234b40d mt76: introduce struct mt76_phy
ea46624355ec mt76: add support for an extra wiphy in the rx path
c5f1e83e30d4 mt76: add support for an extra wiphy in the main tx path
1d8011871458 mt76: add support for an extra wiphy in the tx status path
e5e755a7a6b0 mt76: add support for an extra wiphy in mt76_sta_state()
ee36c8e2170f mt76: move channel state to struct mt76_phy
d246beb23350 mt76: keep a set of software tx queues per phy
a3e88bcf17e8 mt76: move state from struct mt76_dev to mt76_phy
9cda51d195db mt76: move chainmask back to driver specific structs
df74d6993383 mt76: move txpower_conf back to driver specific structs
9e95fa6208a2 mt76: move txpower and antenna mask to struct mt76_phy
502d09a6e806 mt76: add multiple wiphy support to mt76_get_min_avg_rssi
842cae558b82 mt76: add priv pointer to struct mt76_phy
8ca04846857b mt76: add function for allocating an external wiphy
04cd17a64520 mt76: add ext_phy field to struct mt76_wcid
1c8d69e7d666 mt76: move ampdu_ref from mt76_dev to driver struct
e6659d12d01e mt76: mt7615: add dual-phy support for mac80211 ops
e5ea72ac7158 mt76: mt7615: add multiple wiphy support for smart carrier sense
bdcd45dd04e0 mt76: mt7615: add missing register init for dual-wiphy support
0954c37d015f mt76: mt7615: remove useless MT_HW_RDD0/1 enum
705a0fcdc3a5 mt76: mt7615: add multiple wiphy support to the dfs support code
849fefacc48a mt76: mt7615: rework chainmask handling
caa47af1d6f2 mt76: mt7615: add multiple wiphy support to the rx path
c5585a735864 mt76: mt7615: initialize dbdc settings on interface add
6265fd1954d7 mt76: mt7615: move radio/mac initialization to .start/stop callbacks
5725d1f919ff mt76: mt7615: select the correct tx queue for frames sent to the second phy
993683d62fb7 mt76: mt7615: add support for registering a second wiphy via debugfs
1456a53ddeb3 mt76: mt7615: update beacon contents on BSS_CHANGED_BEACON
ea41ad8bdb36 mt76: mt7615: defer mcu initialization via workqueue
59de6c9447a7 mt7615: replace sta_state callback with sta_add/sta_remove
88db676f8517 mt76: fix rx dma ring descriptor state on reset
fff2c07193bb Revert "mt76: use rcu_read_lock_bh in mt76_dma_rx_poll"
b3bf83d6da1c mt76: disable bh in mt76_dma_rx_poll
efcbee1d8bfc mt76: mt76x0u: do not reset radio on resume
5dc6f6fcc027 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174
84554a1fbb9a kernel: fix typos and some coding style in comments
a116b0a6afe9 mt76: fix possible undetected invalid MAC address
becdec318fce mt76: Off by one in mt76_calc_rx_airtime()
683eb244fa55 mt76: mt7603: reset STA_CCA counter setting the channel
812692db171c mt76: eeprom: add support for big endian eeprom partition
8b362382b10c mt76: mt7615: Fix build with older compilers
fc24815a2cb4 mt76: mt7615: report firmware version using ethtool
5cec93d57e6d mt76: mt76x02: fix coverage_class type
9354f0f41d1c mt76: mt7603: set 0 as min coverage_class value
a589d095eeb6 mt76: mt7615: add set_coverage class support
257c19f5b56f mt76: clear skb pointers from rx aggregation reorder buffer during cleanup
05c87a33831f mt76: do not overwrite max_tx_fragments if it has been set
05fa07c667f3 mt76: use AC specific reorder timeout
3ef5f3444a94 mt76: mt7615: measure channel noise and report it via survey
726fd501651a mt76: mt7615: increase MCU command timeout
99d8cd03edfa mt76: mt7603: fix input validation issues for powersave-filtered frames
32129af2604d net/wireless: Delete unnecessary checks before the macro call “dev_kfree_skb”
85a8abf80385 mt76: mt76x02: omit beacon slot clearing
8b5d3615e1c8 mt76: mt76x02: split beaconing
dc364547d91a mt76: mt76x02: add check for invalid vif idx
462a16e185e4 mt76: mt76x02: remove a copy call for usb speedup
fa24aba4c280 mt76: speed up usb bulk copy
6a84ad21306e mt76: mt76x02: add channel switch support for usb interfaces
09fcbc214b10 mt76: usb: use max packet length for m76u_copy
584c0784e019 mt76: mt76x02u: do not set NULL beacons
ca17e5657e8a mt76: mt76x02: minor mt76x02_mac_set_beacon optimization
d5fdd2e7ced8 mt76: mt7615: fix MT7615_CFEND_RATE_DEFAULT value
ae25a4bf99a9 mt76: mt7615: introduce LED support
cd759b00cc06 mt76: mt76x02: simplify led reg definitions
cf00467c5de4 mt76: mt7603: simplify led reg definitions
1c8e76f4de3e mt76: fix compilation warning in mt76_eeprom_override()
960f5cc2390b mt76: mt76u: fix endpoint definition order
15e1c29ed8e3 mt76: mt7615: add missing settings for simultaneous dual-band support
e09b9f61eeb3 mt76: mt7615: rework set_channel function
4cb1195a1530 mt76: mt7615: add set_antenna callback
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Physically allocated memory for modules needs to be registered with kmemleak,
so it can track it as object.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Contains following changes:
a1523d76b016 fix blob parsing vulnerability by using blob_parse_untrusted
c60583743ccf ubus_monitor: workaround possibly false positive uses of memory after it is freed
dac6c7c575ac ubusd_monitor: fix possible null pointer dereference
060dfbb26da3 ubus_common: remove duplicate ARRAY_SIZE and add missing include
c5f2053dfcfd workaround possibly false positive uses of memory after it is freed
72be8e93f07d lua: ubus_lua_do_subscribe: fix copy&paste error
a995b1e68129 lua: workaround false positive dereference of null pointer
08f17c87a000 add fuzzer and cram based unit tests
c413be9b376c refactor ubusd.c into reusable ubusd_library
afd47189e864 examples: remove dead increments
b2e544238672 add initial GitLab CI support
058f4e9526ed libubus: fix incompatible pointer types assigment
d2e026a33df8 iron out all extra compiler warnings
5d7ca8309d0a ubusd/libubus-io: fix variable sized struct position warning
d61282db5640 ubusd: fix comparison of integers of different signs
90fb16234c22 cmake: enable extra compiler checks
and bumps ABI_VERSION to 20191219.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
14a279411cff fix certificate blob parsing vulnerability by using blob_parse_untrusted
19a7225ac018 fix leaking memory in cert_dump_blob
9dba44ddd4f5 fix possibly garbage value returned in cert_process_revoker
4462ff9dedfa add cram based unit tests
5fe64b5606aa cmake: split usign bits into static library
5d7626a2b6d8 cmake: reindent the file
e284ed941972 cmake: enable hardening compiler flags and fix the reported issues
7e5390666347 add initial GitLab CI support
fa0bf4ef45b1 cmake: add proper include and library dependencies
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Contains following changes:
eb7eb6393d47 blobmsg: fix array out of bounds GCC 10 warning
86f6a5b8d1f1 blobmsg: reuse blobmsg_namelen in blobmsg_data
586ce031eaa0 tests: fuzz: fuzz _len variants of checking methods
b0e21553ae8c blobmsg: add _len variants for all attribute checking methods
cd3059796a57 Replace use of blobmsg_check_attr by blobmsg_check_attr_len
143303149c8b Ensure blob_attr length check does not perform out of bounds reads
f2b2ee441adb blobmsg: fix heap buffer overflow in blobmsg_parse
4dfd24ed88c4 blobmsg: make blobmsg_len and blobmsg_data_len return unsigned value
2df6d35e3299 tests: add test cases for blobmsg parsing
8a34788b46c4 test: fuzz: add blobmsg_check_attr crashes
478597b9f9ae blob: fix OOB access in blob_check_type
325418a7a3c0 tests: use blob_parse_untrusted variant
0b24e24b93e1 blob: introduce blob_parse_untrusted
6d27336e4a8b blob: refactor attr parsing into separate function
833d25797b16 test: fuzz: add blob_parse crashes
09ee90f8d6ed tests: add test cases for blob parsing
436d6363a10b tests: add libFuzzer based tests
bf680707acfd tests: add unit tests covered with Clang sanitizers
f804578847de cmake: add more hardening compiler flags
46f8268b4b5b blobmsg/ulog: fix format string compiler warnings
eb216a952407 cmake: use extra compiler warnings only on gcc6+
and bumps ABI_VERSION to 20191226.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
We have only 11 sensors on ipq806x. Fix the reg property
to load the right amount of data instead of the entire
space.
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [nbg6817/ipq8065]
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Tsense driver for ipq806x have various problem.
- Emit wrong error. On probing of this driver, nvmem driver can be
not ready and this cause a EDEFER error. Actually this is not an
error as the kernel will retry to probe the driver after the
nvmem driver is loaded.
- Use uninitialized value on trigger of critical temp
- Doesn't free allocated memory
Because of this, rework the driver and improve it by removing extra
load of data.
Change the logic of loading data. Use the backup calib data only
when the calib data is not present. As the calibration is only
needed to set the temp offset, we don't really need to read
both calib data and set the offset based only on the backup one.
Also change how the notifier function work. At times when we
output the trigger message, we already have read the temp so
remove the extra read and the wrong uninitialized data that
probably caused a kernel panic for null pointer exception.
(Think we never experience this bug because the router
never reached that temp ever... So just lucky)
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [nbg6817/ipq8065]
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>