Remotely Upgrade FreshTomato

This Wiki article originates from a thread on the Tomato Firmware discussion forum initiated on Dec 28, 2022 by xixix@linksysinfo

It describes Requirements, Use Cases, Preconditions, Approach, Facilitators, Dealbreakers, and Proof of Concept

Requirements

Original requirements are to:

  1. remotely upgrade a Freshtomato router
  2. in a secluded location
  3. with no convenient physical access

Use Cases

  1. Digitally challenged friends/relatives
  2. Remote monitoring sites:
    1. Cottages in the wilderness (with a set of local IOT-enabled devices)
    2. Observation decks, stations, facilities
    3. Weather stations
    4. Pollution monitoring sites
  3. Remote properties, estates
    1. Airbnb vacation homes & condos
  4. … expand as you see fit

POC Preconditions

  1. Netgear R*000 router already has a 202[12].x AIO FreshTomato (FT) build installed
  2. Router is connected to the internet via WAN0 :
    1. Type PPPoE
    2. Wireless Client Mode Disabled
    3. Username <username>
    4. Password <password>
  3. Internal LAN 192.168.1.0
  4. VPN server is enabled, configured, working
  5. Dropbear/SSH access is possible
  6. The internal network already has a wired LAN client that can be reached via TeamViewer - once internet connectivity is back after the minimal upgrade and reconfiguration - to complete the remaining major reconfiguration

Tentative Approach

  1. Scripted download of the new FT firmware (via curl or wget)
  2. Manual flash of the new firmware from the shell (how? mtd write? dd?)
  3. Reset/erase all data in NVRAM from the shell (how? nvram erase?)
  4. Set the minimal nvram parameters for internet connectivity
    1. Type PPPoE (wan_proto), Username (wan_ppp_username), Password (wan_ppp_passwd),
  5. Reboot
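
Step 1 above hands whatever curl or wget fetched straight to the flash tool. As an added example (not part of this page nor of the FreshTomato project), the following POSIX sh function performs the checks a practitioner would want between download and mtd-write2: the file exists and is not empty, it starts with the TRX magic "HDR0", the TRX header length field (bytes 4-7, little endian) does not exceed the real file size (a truncated transfer fails here), and its SHA-256 matches a digest you obtained out of band. The file path and digest in the usage comment are placeholders. This applies to .trx upgrade images only, not to the Netgear .chk files used for the initial flash.

```sh
#!/bin/sh
# verify_firmware FILE EXPECTED_SHA256
# Sanity-checks a downloaded FreshTomato .trx image before it is handed to mtd-write2.
# Checks, in order: file present and non-empty (1), TRX magic "HDR0" (2), TRX header length
# field not larger than the file, which catches a truncated transfer (3), and SHA-256 equal
# to a digest obtained out of band (4). The number in parentheses is the return code when
# that check fails; 0 means every check passed. Runs on the router's busybox sh and on a PC.
verify_firmware() {
    f="$1"
    want="$2"

    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }

    magic=$(dd if="$f" bs=1 count=4 2>/dev/null)
    [ "$magic" = "HDR0" ] || { echo "not a TRX image (magic '$magic')" >&2; return 2; }

    # Length field read as four unsigned bytes and assembled by hand, so the check is right
    # on big-endian MIPS routers as well as on little-endian ARM routers and x86 hosts.
    set -- $(dd if="$f" bs=1 skip=4 count=4 2>/dev/null | od -An -tu1)
    [ $# -eq 4 ] || { echo "short TRX header" >&2; return 3; }
    hdr_len=$(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$hdr_len" -le "$size" ] || { echo "truncated: header says $hdr_len bytes, file has $size" >&2; return 3; }

    got=$(sha256sum "$f" | cut -d' ' -f1)
    [ "$got" = "$want" ] || { echo "sha256 mismatch: got $got, expected $want" >&2; return 4; }
    return 0
}

# Example call (path and digest are placeholders, the digest comes from the release notes
# or from a sha256sum you took before uploading the file to the router):
#   verify_firmware /tmp/freshtomato.trx 0123456789abcdef... && ./firmup.sh -e /tmp/freshtomato.trx
```

The length check is deliberately "not larger than" rather than "equal to": padded images are legitimate, a file shorter than its own header claims is not.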

The nvram script_init or script_wan parameters could also be used for post-reboot initialization/reconfiguration activities.

A bit of fail-safe logic and logging could also be scripted for the critical blind reboot phases, so that the router can be flashed back to a working FT version/config and rebooted in case the upgrade fails for some reason.
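
One shape that fail-safe logic can take, as an added example that is neither from this page nor from the FreshTomato project: a bounded connectivity watchdog to be called from the USB autorun after the post-upgrade reconfiguration. It pings a probe host for a limited time; if the WAN never answers it restores an nvram backup previously taken with nvram save, counts the attempt in a file on the USB volume so a persistent failure cannot reboot the box forever, and gives up after MAX_ATTEMPTS. Two caveats: this restores settings, not firmware (a remote router cannot flash itself back to the old image if the new one does not boot), and re-applying an old-version nvram backup onto new firmware is exactly the dirty state warned about further down, so it is a last-resort reachability fallback. The probe host, paths and limits in the usage comment are assumptions.

```sh
#!/bin/sh
# Bounded post-upgrade connectivity watchdog (added example; values in the usage line are assumptions).
# Intended to be called from the USB *.autorun script once the epilogue has applied the minimal WAN settings.

log() {
    echo "FT-Upgrade: $1" >&2
    logger -t FT-Upgrade "$1" 2>/dev/null || :
}

# wan_watchdog PROBE_HOST TIMEOUT_SECS COUNTER_FILE MAX_ATTEMPTS BACKUP_CFG
#   0  probe host answered within TIMEOUT_SECS (counter file removed)
#   1  no answer; backup restored and reboot issued (attempt recorded in COUNTER_FILE)
#   2  no answer and MAX_ATTEMPTS reached; nothing changed, so the box stops rebooting itself
wan_watchdog() {
    host="$1"; timeout="$2"; counter="$3"; max="$4"; backup="$5"
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        # busybox ping: one packet, wait at most 2 s for the reply
        if ping -c 1 -W 2 "$host" >/dev/null 2>&1; then
            log "WAN reachable after ${waited}s"
            rm -f "$counter"
            return 0
        fi
        sleep 5
        waited=$((waited + 5))
    done

    n=0
    [ -s "$counter" ] && n=$(cat "$counter")
    n=$((n + 1))
    echo "$n" > "$counter"        # lives on the USB volume, so it survives the reboot below
    if [ "$n" -ge "$max" ]; then
        log "WAN still down after $n attempts, giving up to avoid a reboot loop"
        return 2
    fi

    log "WAN down, restoring $backup (attempt $n of $max) and rebooting"
    nvram restore "$backup" && nvram commit
    reboot                        # asynchronous; the caller gets 1 back while the box goes down
    return 1
}

# Usage from the autorun, $1 being the mount point FreshTomato passes in:
#   wan_watchdog 1.1.1.1 300 "$1/wan_watchdog.count" 3 "$1/pre_upgrade_nvram.cfg"
```

Keep the counter file on the same volume as the backup: if it lived in /tmp or in nvram it would not survive the reboot it is meant to limit.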

Overall Concerns, Issues, and Known Challenges

TLDR: don't do remote upgrades unless you have a tested recovery strategy (like another router, emergency on-site presence, fallback options); if you do…

  1. How critical is internet access at the remote location?
  2. How fast can the remote location be reached to fix possible problems?
  3. Although best practice recommends installing firmware upgrades as they become available, for remote installations only upgrades addressing high-impact CVEs should be considered - is this the case?
  4. As a general recommendation, have a backup plan in case the upgrade fails:
    1. Have a spare device on site fully configured and ready OR
    2. Reach the remote location in X hours/days OR
    3. Have a person on-site that can recover from a failure (something like factory defaults button + restore backup config / switch to PC internet only)
  5. The problem with these routers is that the new firmware image is written on top of the running firmware. That means there is always a risk that the (now invalid) filesystem causes issues and crashes during the reboot operation, requiring a manual power cycle.
    1. This is easily fixed if any person (even non-technical) is on site and can perform a simple power cycle. So it is something to keep in mind, but perhaps not as disruptive as losing all the settings.
  6. Asus tries to avoid issues by creating a temporary rootfs where they copy the critical bits required during the reboot. It's unknown if Tomato does the same, and even if it did, it wouldn't fully be reliable in case there is a missing component.
    1. Newer Broadcom routers solve this by having two separate firmware partitions, and the new firmware gets written to the other partition, so the running filesystem remains untouched. Old Netgear switches, for example, also did the same.
    2. If you need something that is remotely managed, you need to get a router that is designed for that.
  7. It takes a lot of effort to script fail-safe procedures for all possible failure scenarios.
    1. Plenty of potentially unrecoverable issues remain, at least without physical/manual intervention. Even if the use cases are not that critical, the inconvenience of such a recovery is definitely pretty annoying!
  8. A full hard erase/reset of nvram is strongly advised after an FT upgrade:
    1. FT will recreate and initialize the required default parameters at first run
    2. A dirty upgrade (no full hard erase/reset of nvram) - even if it might work just fine for a basic configuration - is strongly discouraged as a source of potential issues and conflicts with new parameters/functionalities
  9. Some sort of storage persistence is necessary; in fact, a full hard erase/reset of the nvram partition (parameter storage) via mtd-erase/mtd-erase2 is not committed until the next reboot/power cycle
    1. mtd-erase vs nvram erase, what is the difference if any?
      1. Erasing the nvram mtd partition does erase it, but on reboot (or any other action that commits nvram) the copy held in RAM is written back to flash, so this will not wipe everything unless power is removed right after the erase. nvram erase, on the other hand, clears the nvram in RAM and then writes it to flash, but does not zero out the flash from first to last block. See also Hard reset or 30/30/30 - DD-WRT Wiki
      2. The nvram erase command keeps the nvram structure (header, checksum, length) in the nvram area but erases the variables. The mtd erase command erases a flash partition (one or more flash sectors, depending on which partition it is), leaving the partition data set to FF's (flash erased state)
  10. Options for storage persistence appear to be:
    1. JFFS; however, if NVRAM is cleared, jffs is not mounted by default. Not to mention that while upgrading, jffs needs to be unmounted first, because occasionally it gets re-partitioned/reformatted (search the www.linksysinfo.org forum for more details) to a different size if the firmware image grows.
    2. USB storage
  11. FT, Tomato, DD-WRT trigger execution of specific shell scripts with <file>.autorun extension after external volumes/partitions are mounted
    1. Automount functionality/parameter automatically mount all partitions to sub-directories in /mnt. nvram usb_automount defaults to 1 (enabled - at least in recently compiled .trx FWs)
    2. Some logic needs to be implemented in order to distinguish if <file>.autorun has been executed right after an upgrade or during normal operations reboots/restarts
  12. A shell upgrade is safer than a web/GUI upgrade. With the former you essentially download a .zip and can check for magic number errors when extracting the archive. Most devices will have enough RAM to hold the .zip. Uploading a raw .trx via the web interface increases the risk, especially over a flaky connection such as wireless client mode.
  13. Clearing the NVRAM and restoring the variables via a script remotely might lead to a serious lockout or boot loops, even if such an approach can save time (e.g. having a list of nvram set commands). Too many things can go wrong.
  14. Persisting the basic internet connectivity, VPN, and LAN network parameters could allow an internal device (a PC, or a small service/maintenance appliance such as an RPi) to announce its reachability and be accessed remotely to finalize the whole FT post-upgrade configuration (a VPN might not be necessary when using remote access tools such as TeamViewer or other centralized options)
  15. Upgrade options via TFTP file transfer are not viable procedures due to the requirement to trigger the transfer during a short (few seconds) “service” window at power up time (and possibly requiring specific buttons press combinations)
  16. Other options for enabling FT firmware to allow some sort of controlled reconfiguration during upgrade might include leaving specific entry points, hooks, or callback scripts; however, this requires thorough examination, new developments, and testing - possibly unfeasible due to limited dev resources focused on other priorities.
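
Item 11.2 asks how an autorun script can tell the first boot after an upgrade from a routine reboot. As an added example (not this page's or FreshTomato's code), the functions below key off the os_version nvram value instead of a flag that the nvram erase itself wipes, so they also work for a dirty upgrade: the last version seen is recorded in a marker file on the USB volume, and the marker is refreshed only after the epilogue has succeeded, so a reboot in the middle of the epilogue retries it on the next boot. A missing marker (first deployment) counts as post-upgrade on purpose. The marker path in the usage comment is an assumption.

```sh
#!/bin/sh
# Marker-file detection of the first boot after a firmware upgrade (added example; paths are assumptions).
# The marker holds the os_version that was current when the post-upgrade epilogue last completed.

# upgraded_since_last_boot MARKER
# Returns 0 when the running os_version differs from the recorded one (or no marker exists yet),
# 1 when they match (routine reboot), 2 when os_version cannot be read at all.
upgraded_since_last_boot() {
    marker="$1"
    cur=$(nvram get os_version)
    [ -n "$cur" ] || return 2
    prev=""
    [ -s "$marker" ] && prev=$(cat "$marker")
    [ "$prev" != "$cur" ]
}

# record_boot_version MARKER
# Call only after the epilogue has finished, so an interrupted epilogue is retried on the next boot.
record_boot_version() {
    nvram get os_version > "$1"
}

# Usage from a *.autorun script, $1 being the mount point FreshTomato passes in:
#   if upgraded_since_last_boot "$1/.last_os_version"; then
#       "$1/optware/nvram_upgrade_restore.sh" \
#           && record_boot_version "$1/.last_os_version" \
#           && nvram commit && reboot
#   fi
```

Because the marker is compared against os_version rather than a "done" flag, flashing the same version twice is treated as a routine reboot; delete the marker by hand if you want the epilogue to run again in that case.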

GENERAL DISCLAIMER

!!!WARNING!!! THE USUAL DISCLAIMER IS DUE HERE!!! ;-) DO NOT TRY THIS AT HOME !!!WARNING!!!

The following procedure may permanently turn your router into a Frisbee

Remote Upgrade types

There are multiple types of remote upgrade you can perform, but mainly they can be summarized, in order of risk, as follows:

  • dirty upgrade = overwrite the firmware + keep the current nvram settings
  • clean upgrade = overwrite the firmware + erase the nvram settings, essentially restoring the default ones
  • advanced upgrade = overwrite the firmware + save selected nvram configuration + erase nvram + restore saved settings via USB automount feature

dirty upgrade is probably the least risky and performs pretty much the same action as upgrading using the GUI.

clean upgrade will restore the default settings/IP/credentials and is unlikely to be the option you want when doing this remotely. Still, it can help to speed things up if you are sitting next to the device itself.

advanced upgrade is for very peculiar cases, sensitive remote installations, large installations or anything else that would require such a level of complexity in favor of automation.

Dirty Upgrade

Clean Upgrade

Advanced Upgrade

Remote Upgrade Proof of Concept

Based on the above considerations and a set of other useful links, I was able to remotely upgrade the architecture described in the preconditions above.

The whole procedure was first thoroughly tested on a dedicated lab setup mocking the live remote preconditions.

All the scripts below need to be adjusted, and all associated risks/collateral effects fully understood, before attempting any similar exercise.

There is no guarantee that any of the actions described in this Wiki are going to work on your own infrastructure, architecture, and hardware/software setup.

If you decide to move forward with any of these experiments, you are doing it at your own risk and responsibility.

Subject to your own preferences or best practices:

  1. evaluate the use of external files for certificates
  2. evaluate the use of an external file for the list of parameters to preserve
  3. replace the backtick `….` notation for command substitution with the $(….) syntax FT's shell supports
  4. consider handling the end-of-line convention of the files you reference inside the scripts (there are plenty of sed examples showing how to force LF line endings)
  5. consider defining the USB path as a variable at the top of the script
  6. be aware some devices might have multiple USB drives plugged in or multiple partitions set up; a "scan" of their content could help to pick the right one.

Parameters Preservation and Restore

I have consolidated the following, for my main router, over the past years (the full set of customized parameters totals about 233).

The main Preserve script, given a list of parameters to save, generates the Restore script with the actual parameter values.

!!!WARNING!!! Unexpected side effects may happen if any parameter value contains the single quote (') character. Evaluate replacing it with a double quote (") if/where possible

As a general recommendation, after every upgrade, consider reviewing the FT CHANGELOG and bitbucket commits for further configuration adjustments as needed, depending on:

  1. Fixed bugs
  2. Extended options
  3. New functionalities
  4. Explicit recommendations from devs

New/revised parameters are adjusted in /opt/nvram_upgrade_preserve.sh

Script: nvram_upgrade_preserve.sh

#!/bin/sh
# Used to adjust static or semi-static Freshtomato configurations that need to be preserved during upgrades
set -x
set -v
# -----------------------------------------------------------------------------------------
# Append one "nvram set NAME='VALUE'" line to the restore script. The value is single-quoted so
# multi-line values (certificates, custom scripts) survive; any single quote inside the value is
# rewritten as '\'' so it cannot break out of the quoting when the restore script is run.
Preserve () {
    VALUE=$(nvram get "${1}" | sed "s/'/'\\\\''/g")
    echo "nvram set ${1}='${VALUE}'" >> /opt/nvram_upgrade_restore.sh
}
 
# -----------------------------------------------------------------------------------
cat <<EOF > /opt/nvram_upgrade_restore.sh
#!/bin/sh
# Used to adjust static or semi-static Freshtomato configurations that need to be preserved during upgrades
set -x
set -v
# -----------------------------------------------------------------------------------
EOF
chmod 755 /opt/nvram_upgrade_restore.sh
 
# Change Wan MAC Address every time we upgrade Firmware => We'll get a new public/WAN IP as a consequence
WAN_MAC=$(nvram get wan_mac)
if [ "_$WAN_MAC" = "_40:00:00:00:00:00" ];then
    echo "nvram set    wan_mac='40:00:00:00:00:01'" >> /opt/nvram_upgrade_restore.sh
    echo "nvram set wan_hwaddr='40:00:00:00:00:01'" >> /opt/nvram_upgrade_restore.sh
else
    echo "nvram set    wan_mac='40:00:00:00:00:00'" >> /opt/nvram_upgrade_restore.sh
    echo "nvram set wan_hwaddr='40:00:00:00:00:00'" >> /opt/nvram_upgrade_restore.sh
fi
 
Preserve bt_auth
Preserve bt_blocklist
Preserve bt_custom
Preserve bt_dht
Preserve bt_dir
Preserve bt_enable
Preserve bt_lpd
Preserve bt_log
Preserve bt_log_path
Preserve bt_pex
Preserve bt_settings
Preserve bt_settings_custom
Preserve bt_sleep
Preserve bt_ul
Preserve bt_ul_enable
Preserve ctf_disable
Preserve crt_ver
Preserve cstats_enable
Preserve cstats_path
Preserve cstats_stime
Preserve ddnsx0
Preserve ddnsx_refresh
Preserve dhcp1_lease
Preserve dhcp_moveip
Preserve dhcp_num
Preserve dhcp_start
Preserve dhcpc_minpkt
Preserve dhcpd_endip
Preserve dhcpd_gwmode
Preserve dhcpd_lmax
Preserve dhcpd_slt
Preserve dhcpd_startip
Preserve dhcpd_static
Preserve dhcpd_static_only
Preserve dns_intcpt
Preserve dnsmasq_custom
Preserve dnssec_method
Preserve http_enable
Preserve http_passwd
Preserve http_id
Preserve https_crt_file
Preserve https_crt_gen
Preserve https_crt_save
Preserve https_crt_timeset
Preserve https_enable
Preserve https_lanport
Preserve lan1_ifname
Preserve lan1_proto
Preserve lan2_ifname
Preserve lan3_ifname
Preserve lan_hostname
Preserve lan_ipaddr
Preserve log_dropdups
Preserve log_events
Preserve log_file_custom
Preserve log_file_keep
Preserve log_file_path
Preserve log_file_size
Preserve log_limit
Preserve log_mark
Preserve ms_dbdir
Preserve ms_dirs
Preserve ms_sas
Preserve ne_shlimit
Preserve nginx_docroot
Preserve nginx_enable
Preserve nginx_fqdn
Preserve nginx_php
Preserve nginx_port
Preserve nginx_servercustom
Preserve nginx_upload
Preserve ntp_server
Preserve ntpd_enable
Preserve ntpd_server_redir
Preserve router_name
Preserve rrule0
Preserve rrule1
Preserve rrule2
Preserve rruleN
Preserve rrules_activated
Preserve rstats_enable
Preserve rstats_path
Preserve rstats_stime
Preserve sch_c1
Preserve sch_c1_cmd
Preserve sch_c1_last
Preserve sch_c2
Preserve sch_c2_cmd
Preserve sch_c2_last
Preserve sch_c3
Preserve sch_c3_cmd
Preserve sch_c3_last
Preserve sch_c4
Preserve sch_c4_cmd
Preserve sch_c4_last
Preserve sch_c5
Preserve sch_c5_cmd
Preserve sch_c5_last
Preserve sch_rboot
Preserve sch_rcon
Preserve script_fire
Preserve script_wanup
Preserve smbd_autoshare
Preserve smbd_cpage
Preserve smbd_cset
Preserve smbd_custom
Preserve smbd_enable
Preserve smbd_ifnames
Preserve smbd_master
Preserve smbd_nlsmod
Preserve smbd_passwd
Preserve smbd_protocol
Preserve smbd_shares
Preserve smbd_user
Preserve smbd_wgroup
Preserve smbd_wins
Preserve snmp_enable
Preserve sshd_authkeys
Preserve sshd_dsskey
Preserve sshd_ecdsakey
Preserve sshd_ed25519
Preserve sshd_hostkey
Preserve stealth_mode
Preserve stubby_resolvers
Preserve telnetd_eas
Preserve tm_sel
Preserve tm_tz
Preserve tomatoanon_answer
Preserve tomatoanon_enable
Preserve upnp_custom
Preserve upnp_enable
Preserve upnp_lan1
Preserve upnp_lan2
Preserve upnp_lan3
Preserve upnp_lan
Preserve usb_fs_exfat
Preserve usb_fs_hfs
Preserve usb_fs_zfs
Preserve vpn_client1_addr
Preserve vpn_client1_ca
Preserve vpn_client1_cn
Preserve vpn_client1_crt
Preserve vpn_client1_custom
Preserve vpn_client1_key
Preserve vpn_client1_ncp_ciphers
Preserve vpn_client1_password
Preserve vpn_client1_port
Preserve vpn_client1_proto
Preserve vpn_client1_tlsremote
Preserve vpn_client1_userauth
Preserve vpn_client1_username
Preserve vpn_client1_useronly
Preserve vpn_client2_addr
Preserve vpn_client2_ca
Preserve vpn_client2_cn
Preserve vpn_client2_crt
Preserve vpn_client2_custom
Preserve vpn_client2_key
Preserve vpn_client2_ncp_ciphers
Preserve vpn_client2_password
Preserve vpn_client2_port
Preserve vpn_client2_proto
Preserve vpn_client2_tlsremote
Preserve vpn_client2_userauth
Preserve vpn_client2_username
Preserve vpn_client2_useronly
Preserve vpn_client_eas
Preserve vpn_server1_ca
Preserve vpn_server1_crt
Preserve vpn_server1_custom
Preserve vpn_server1_dh
Preserve vpn_server1_key
Preserve vpn_server1_ncp_ciphers
Preserve vpn_server1_port
Preserve vpn_server1_proto
Preserve vpn_server1_sn
Preserve vpn_server1_users_val
Preserve vpn_server2_users_val
Preserve vpn_server_eas
Preserve wan1_gateway_get
Preserve wan1_get_dns
Preserve wan2_gateway_get
Preserve wan2_get_dns
Preserve wan3_gateway_get
Preserve wan3_get_dns
Preserve wan4_gateway_get
Preserve wan4_get_dns
Preserve wan_dns
Preserve wan_dns_auto
Preserve wan_hostname
Preserve wan_wins
Preserve web_adv_scripts
Preserve web_css
Preserve web_mx
Preserve wl_country_code
Preserve wl_country_rev
Preserve wl0_akm
Preserve wl0_channel
Preserve wl0_chanspec
Preserve 0:ccode
Preserve 0:regrev
Preserve wl0_country_code
Preserve wl0_country_rev
Preserve wl0_nbw
Preserve wl0_nctrlsb
Preserve wl0_security_mode
Preserve wl0_ssid
Preserve wl0_wpa_psk
Preserve wl1_akm
Preserve wl1_channel
Preserve wl1_chanspec
Preserve 1:ccode
Preserve 1:regrev
Preserve wl1_country_code
Preserve wl1_country_rev
Preserve wl1_nbw
Preserve wl1_nctrlsb
Preserve wl1_security_mode
Preserve wl1_ssid
Preserve wl1_wpa_psk
Preserve wl2_akm
Preserve wl2_channel
Preserve wl2_chanspec
Preserve 2:ccode
Preserve 2:regrev
Preserve wl2_country_code
Preserve wl2_country_rev
Preserve wl2_nbw
Preserve wl2_nctrlsb
Preserve wl2_security_mode
Preserve wl2_ssid
Preserve wl2_wpa_psk
 
echo "nvram commit" >> /opt/nvram_upgrade_restore.sh

Firmware Upgrade Custom Script

Script: firmup.sh

#!/bin/sh
# The whole body is wrapped in { ... } so the shell reads and parses the complete script before
# running any of it: once services are stopped below, the USB volume holding this file may be gone.
{
#set -x
#set -v
# Variables Definition
ERASE_NVRAM="$1"
FIRMWARE="$2"
 
# Functions Definition
# e_logr - echo message and logs to syslog with proper priority/tag
e_logr () {
        echo "${1}"
        logger -p NOTICE -t FT-Upgrade "${1}"
}
 
# Main
 
# Check proper command syntax and parms #
if [ $# -ne 2 ] || [ "_${ERASE_NVRAM}" != "_-n" -a "_${ERASE_NVRAM}" != "_-e" ]; then
    e_logr "Usage: `basename ${0}` -e|-n firmware_file.trx"
    exit 1
fi
 
# Prepare/Check firmware flashing pre-requisites
if [ ! -s "${FIRMWARE}" ]; then
    e_logr "${FIRMWARE} does NOT exist or is empty (0 length). Exiting..."
    exit 2
fi
 
# Copy firmware file to /tmp directory
# Avoids issues of missing /mnt/<volume> after we issue 'kill -s SIGUSR1 1' below
e_logr "Copying ${FIRMWARE} to /tmp directory..."
TMPFIRMWARE="/tmp/$(basename "${FIRMWARE}")"
if ! cp "${FIRMWARE}" "${TMPFIRMWARE}"; then
    e_logr "Copy to ${TMPFIRMWARE} failed (not enough free RAM in /tmp?). Exiting..."
    exit 2
fi
 
if [ "_${ERASE_NVRAM}" = "_-e" ];then WWO="w/"; else WWO="w/o";fi
e_logr "Performs a canonical upgrade ${WWO} nvram clearing"
# Check if firmware  file is present and not 0
if [ ! -s "${TMPFIRMWARE}" ]; then
    e_logr "${TMPFIRMWARE} does NOT exist or is empty (0 length)"
    e_logr "Check source Firmware file presence and consistency:"
    e_logr "      ${FIRMWARE}"
    exit 2
fi
 
e_logr "About to start Flashing firmware:"
# Compare this digest with the one published for the release before pressing ENTER:
# nothing in this script checks the image against a known-good value.
e_logr "    MD5=$(md5sum "${TMPFIRMWARE}")"
e_logr "Press ENTER to continue (or Ctrl-C to exit)"
read x
 
# Prepare/Check firmware flashing pre-requisites
e_logr "Waiting for services to stop."
nvram set action_service=upgrade-start
sleep 1
kill -s SIGUSR1 1
c=1;while [ "$(nvram get action_service)" ];do echo -n $c\ ;c=`expr $c + 1`;sleep 1;done;echo
e_logr "Services stopped."
 
# Flash/Write firmware file
e_logr "Writing firmware ${TMPFIRMWARE}"
nohup mtd-write2 "${TMPFIRMWARE}" linux > /tmp/nohup.out 2>/dev/null &
c=1;while [ "$(pidof mtd-write2)" ];do echo -n $c\ ;c=`expr $c + 1`;sleep 1;done;echo
sleep 1
# Check if "/tmp/nohup.out" output file is present and not 0
if [ ! -s "/tmp/nohup.out" ]; then
    e_logr "/tmp/nohup.out does NOT exist or is empty (0 length)"
    e_logr "mtd-write2 ${TMPFIRMWARE} NOT successfully completed!"
    e_logr "Try again now or perform a manual 'reboot' and repeat the upgrade procedure..."
    exit 3
fi
cat /tmp/nohup.out | sort -u; rm /tmp/nohup.out
e_logr "Flash finished."
 
# Is nvram erase requested?
if [ "_${ERASE_NVRAM}" = "_-e" ]; then
        e_logr "Clearing nvram"
        mtd-erase2 nvram
        sleep 1
fi
 
e_logr "Rebooting..."
sleep 1
reboot &
c=1;while true;do echo -n $c\ ;c=`expr $c + 1`;sleep 1;done
exit
}

Post-Upgrade Automatic Persistent Epilogue Script Execution

Script: 00-00-identify.autorun

#!/bin/sh
set -x
set -v
# This is 00-00-identify.autorun
# To be stored in the root dir of an external USB drive to guarantee persistence
# FT Automount functionality automatically mounts all partitions to sub-directories in /mnt.
# nvram usb_automount defaults to 1 (enabled - at least in recently compiled .trx FWs)
# 00-00-identify.autorun file is executed if existing from each mounted partition
logger "AUTORUN id: [$0] [$1] $(date '+%D %T') uptime: $(cut -f1 -d\  /proc/uptime)"
OS_VERSION_UNDERSCORED=$(nvram get os_version | tr " " "_")
MODEL=$(nvram get t_model_name | tr " " "_")
ROUTER_NAME=$(nvram get router_name | tr " " "_")
SPEC="${ROUTER_NAME}_${MODEL}_${OS_VERSION_UNDERSCORED}"
BOOTLOG="${1}/boot.log"
 
c=0;while true;do NVRAMBCK="${1}/${SPEC}_nvram_${c}.cfg";if [ ! -s "${NVRAMBCK}" ];then break; else c=`expr $c + 1`;fi;done
nvram save "${NVRAMBCK}";nvram show > "${NVRAMBCK}.txt"
 
echo "---------------------------------------------------------------" >> "${BOOTLOG}"
echo "--- ${SPEC}" >> "${BOOTLOG}"
echo "---------------------------------------------------------------" >> "${BOOTLOG}"
echo "AUTORUN id: [$0] [$1] $(date '+%D %T') uptime: $(cut -f1 -d\  /proc/uptime)" >> "${BOOTLOG}"
 
if [ "_`nvram get upgrade_epilogue_config`" != "_done" ] ; then
        echo "upgrade_epilogue_config != done ; setting nvram parameters and rebooting..." >> "${BOOTLOG}"
 
        nvram set wan_proto=pppoe
        nvram set wan_ppp_username=username
        nvram set wan_ppp_passwd=password
        nvram set wan_sta=
        nvram set ddnsx0='afraid<<<<<<bmt....<token>....MTc='
        nvram set ddnsx_refresh='1'
 
        nvram set vpn_server1_ca='-----BEGIN CERTIFICATE-----
MIIDGTCCAgGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApvcGVu
....
ZGDWu/rGtWIFcTsoxr797jaIKspY1NtCrIgsd0E=
-----END CERTIFICATE-----'
        nvram set vpn_server1_crt='-----BEGIN CERTIFICATE-----
MIIDADCCAeigAwIBAgIIaY3sRfUVtHwwDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE
....
8U8TAg==
-----END CERTIFICATE-----'
        nvram set vpn_server1_custom='verb 5
script-security 2
#crl-verify /home/root/crl.pem
tls-version-min 1.2
auth SHA512'
        nvram set vpn_server1_dh='-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA3IH5AwWcIMSaHXFkSh5BUrRiiruQYgToSnGVCW328rYn8kOyLRxS
....
Nb2Va+s+Hju96X4HlDEhiJHDzoS13ozwUwIBAg==
-----END DH PARAMETERS-----'
        nvram set vpn_server1_key='-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2kmZJzzFJrHel
....
3T3FRuaIoGEfYGhIATCDeo0=
-----END PRIVATE KEY-----'
        nvram set vpn_server1_ncp_ciphers='CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC'
        nvram set vpn_server1_port='443'
        nvram set vpn_server1_proto='tcp-server'
        nvram set vpn_server1_sn='10.10.20.0'
        nvram set vpn_server1_users_val=''
        nvram set vpn_server2_users_val=''
        nvram set vpn_server_eas='1,'
 
        # This script takes care of reconfiguring other necessary parameters in nvram
        ${1}/optware/nvram_upgrade_restore.sh
 
        nvram set upgrade_epilogue_config=done
        nvram commit
        reboot
        c=1;while true;do echo -n $c\ ;c=`expr $c + 1`;sleep 1;done
fi
 
echo "upgrade_epilogue_config == done ; ready to Rock'n'Roll..." >> "${BOOTLOG}"
 
# Mount optware
logger "AUTORUN id: [$0] [$1] Checking /proc/mounts for an already mounted /opt Optware"
# match the mount point exactly, not every path that merely contains "/opt"
if /bin/grep -q ' /opt ' /proc/mounts
then
  logger "AUTORUN id: [$0] [$1] umount /opt Optware since it is already mounted"
  if ! /bin/umount /opt
  then
    logger "AUTORUN id: [$0] [$1] umount failed, script not continuing"
    exit 1
  fi
fi

# Use the same volume the restore script was run from above; this autorun is executed once per
# mounted partition, so skip partitions that carry no optware directory
if [ ! -d "${1}/optware" ]; then
  logger "AUTORUN id: [$0] [$1] no optware directory on ${1}, nothing to mount"
  exit 0
fi
logger "AUTORUN id: [$0] [$1] Bind-mounting ${1}/optware to /opt"
/bin/mount -o bind "${1}/optware" /opt

# This is just an example of what can be done with mount --bind
# it allows to replace files in normally read-only /root filesystem with custom ones
# mount --bind /mnt/usb/advanced-vlan.asp /www/advanced-vlan.asp

logger "AUTORUN id: [$0] [$1] If we are here... then we have a mounted /opt"
logger "AUTORUN id: [$0] [$1] Let's GO!!!"

Alternatives

  1. Compile your own firmware with your settings hard-coded in it
    1. A lot of effort is required to build the compilation environment.
    2. Consolidated experience with the process is necessary.
    3. Several attempts were made in the past following the directions in the freshtomato-arm README.md, but I was able to generate a byte-for-byte match between my own .trx build and the .trx images prepared for general distribution in the download repo.

References and Online Resources

Credits

Last modified: 2023/01/24 21:31 by xixix