
Remotely Upgrade FreshTomato

This Wiki article originates from a thread on the Tomato Forums titled “Remotely upgrade FreshTomato”, started on Dec 28, 2022 by user xixix@linksysinfo.

It describes requirements, use cases, preconditions, approach, facilitators, deal-breakers, and proof of concept.

Requirements

The original requirements were to:

  1. Remotely upgrade a Freshtomato router's firmware
  2. Perform the upgrade in an isolated location
  3. Perform the upgrade when no convenient physical access is available

Use Cases

  • Computer-challenged friends/relatives
  • Remote monitoring sites, such as:
    • Cottages in the wilderness (with a set of local IOT-enabled devices)
    • Observation decks, stations, facilities
    • Weather stations
    • Pollution monitoring sites
    • Remote properties or estates
  • Airbnb vacation homes or condos

Preconditions for Proof Of Concept

  1. A Netgear Rx000-series router preinstalled with FreshTomato 202[12].x AIO
  2. The router is connected to the Internet via WAN0:
    1. Connection Type set to: PPPoE
    2. Wireless Client Mode set to: Disabled
    3. Username <saved in FreshTomato>
    4. Password <saved in FreshTomato>
  3. The router's LAN subnet is configured to “192.168.1.0”
  4. A VPN server is enabled, configured and working
  5. Dropbear/SSH access is possible
  6. The internal network has an Ethernet LAN client that is accessible via Teamviewer once Internet connectivity
    is available after the minimal upgrade and reconfiguration. It will be used to complete the remaining major reconfiguration.

Tentative Approach

  1. Script the download of the new FreshTomato firmware version (using curl or wget)
  2. Manually flash the new firmware from the command shell (How? Should we use mtd write? dd?)
  3. Reset/erase all data in NVRAM from within the shell (How? Using nvram erase?)
  4. Set minimal nvram parameters for Internet connectivity
    1. Connection Type PPPoE (wan_proto)
    2. Username (wan_ppp_username)
    3. Password (wan_ppp_passwd)
  5. Reboot


The script_init or script_wan NVRAM parameters could also be used for post-reboot initialization/reconfiguration activities.

Some fail-safe logic and logging might be included and scripted, for the critical “blind reboot” phases. This would be done in a way that the router could be flashed back to a working FreshTomato version/configuration and rebooted if the upgrade failed.

Concerns, Issues, and Known Challenges

Summary: Don't perform remote upgrades unless you have a tested recovery strategy (such as a backup router, emergency on-site presence, fallback options).

If you do, you must know the answers to the following questions:


  1. How critical is the Internet access at the remote location?

  2. How quickly can the remote location be reached to fix possible problems?

  3. Best practice is to apply firmware upgrades as they become available. However, for remote configurations,
    only upgrades addressing high-impact CVEs should be considered. Does this rule apply in your scenario?

  4. Make a backup plan in case the upgrade fails:
    1. Have a spare device on site, fully configured and ready or;
    2. Reach the remote location in x hours/days or;
    3. Have someone on-site who can recover from a failure
      1. (Such as pressing the factory Reset button and restoring a backup config, or switching to PC-only Internet access)

  5. A problem with these routers is that the new firmware is written on top of the running firmware. There is some risk that
    the (now invalid) filesystem causes issues or a crash during the reboot, which would require a manual power cycle.
    1. This is easily resolved if someone on site can perform the power cycle.

  6. Asus tries to avoid this by creating a temporary rootfs into which they copy the critical bits needed during reboot.
    It's unknown if FreshTomato does this. Even if it did, it wouldn't be fully reliable if a component were missing.
    1. Newer Broadcom routers solve this using two separate firmware partitions. The new firmware is written to
      the other partition, so the running filesystem remains intact.
    2. If you need something that is remotely managed, you need a router designed for that.

  7. Trying to script fail-safe procedures for all possible scenarios requires a lot of work.
    1. Other, potentially unrecoverable issues remain when there's no physical access. Even in use cases that aren't critical,
      it's annoying to perform that kind of recovery.

  8. It is strongly advised to perform a full NVRAM erase/reset after a FreshTomato upgrade.
    1. On its first run, FreshTomato will recreate and initialize the required default parameters.
    2. A “dirty” upgrade (without a full NVRAM erase/reset) might work. However, it is strongly discouraged, since
      parameters/functions left over from the old version can conflict with the new ones and cause many potential issues.

  9. Some form of permanent storage is necessary. A full erase/reset of NVRAM-stored parameters via mtd-erase is not
    committed until the next reboot/power cycle.
    1. What is the difference between the mtd-erase and nvram erase commands?
      1. Issuing the nvram erase command still erases the nvram mtd. However, on reboot (or another action) NVRAM is saved
        to mtd from RAM. Thus, it will not wipe everything unless power is removed right after the command completes.
        In other words, nvram erase clears the NVRAM copy in RAM and then writes to flash, but doesn't zero out all of the flash.
        See also: Hard reset or 30/30/30 - DD-WRT Wiki
      2. The nvram erase command maintains the NVRAM structure (header/checksum/length) but erases the variables.
        The mtd command erases the sectors of a flash partition, leaving the partition's bytes set to “FF” (the flash erased state).

  10. Thus, options for storage persistence seem to be:
    1. JFFS. However, if NVRAM is cleared, by default, JFFS is unmounted. Moreover, JFFS needs to be unmounted
      before an upgrade, because occasionally, it gets repartitioned/reformatted
      (See www.linksysinfo.org forum for more details) to a different size if the firmware image grows.
    2. USB storage

  11. All forks of Tomato and DD-WRT trigger execution of shell scripts with a <file>.autorun name after external volumes
    or partitions are mounted.
    1. Automount automatically mounts all partitions to subdirectories in “/mnt”. The nvram usb_automount parameter
      defaults to “1” (enabled), at least in recently compiled “.trx” firmware builds.
    2. Some logic is needed to distinguish whether <file>.autorun was run right after an upgrade or during a normal reboot/restart.

  12. Performing an upgrade via the shell is safer than via the web interface. From the shell, you download a .zip and check
    for magic number errors when extracting the archive. Most devices have enough RAM to host the .zip. Uploading a “.trx” file
    via the web interface increases risk, especially on a less stable connection, such as WiFi client.

  13. Clearing NVRAM and restoring the variables via a script remotely might lead to a serious lockout or bootloop.
    Even if such an approach (having a list of nvram set commands) saved time, too many things could go wrong.

  14. Persistent basic Internet connectivity, VPN, and LAN parameters could allow an internal device (a PC, or a small
    service/maintenance appliance such as an RPi) to announce its reachability. It could then be
    accessed remotely to finalize the whole post-upgrade configuration. A VPN might not be needed if a remote access tool
    such as Teamviewer were available.

  15. Upgrade options via TFTP would not be viable due to the need to trigger the transfer during a short (few seconds)
    service window at power up time. They might also require specific button press combinations which wouldn't be practical.

  16. Other options to allow FreshTomato to do controlled reconfiguration during upgrade might include leaving specific entry points,
    hooks, or callback scripts. However, this would require thorough examination, development and testing. Such work might be unfeasible
    due to limited developer resources.

GENERAL DISCLAIMER

WARNING: EXTREME CAUTION IS ADVISED WHEN PERFORMING THESE TASKS!

Your router could be rendered completely unusable.

Remote Upgrade types

There are several types of remote upgrades. They can be summarized in order of risk, as follows:

  • Dirty upgrade - overwrites the firmware and retains current nvram settings
  • Clear upgrade - overwrites the firmware and erases the NVRAM settings (restoring the default ones)
  • Advanced upgrade - overwrites the firmware, saves selected NVRAM configuration, erases NVRAM and restores saved settings via USB automount

A dirty upgrade is probably the least risky method. It functions similarly to an upgrade through the web interface.

A clear upgrade will restore the default settings/IP/credentials. This is generally not your best option when doing a remote upgrade.
However, it can be helpful to speed things up if you are sitting next to the device itself.

Advanced upgrades are only used in unusual cases, such as sensitive remote installations, large installations, or anything
that would justify that level of complexity by being automated.

Dirty Upgrade

Clean Upgrade

Advanced Upgrade

Remote Upgrade Proof of Concept

Based on the above considerations and a set of other useful links, I was able to remotely upgrade the architecture described in the preconditions above.

The whole procedure was attempted by thoroughly testing on a dedicated lab setup mocking the live remote preconditions.

All the scripts below need to be adjusted and all associated risks/collaterals fully understood before attempting any similar exercise.

There is no guarantee that any of the actions described in this Wiki are going to work on your own infrastructure, architecture, and Hardware/Software setup.

If you decide to move forward with any of these experiments, you are doing it at your own risk and responsibility.

Subject to own preferences or best practices:

  1. evaluate the use of external files for certificates
  2. evaluate the use of an external file for the list of parameters to preserve
  3. replace the backtick `….` notation for command substitution with FT's default syntax $(….)
  4. consider handling the EOL of the files you reference internally (there are plenty of sed examples of how to achieve this and force LR)
  5. consider defining the USB path as a variable at the top of the script
  6. be aware that some devices might have multiple USB drives plugged in or multiple partitions set up. Perhaps a “scan” of their content could help.

Parameters Preservation and Restore

I have consolidated the following, for my main router, over the past years (the full set of customized parameters totals about 233).

The main Preserve script takes a list of parameters to save and generates the Restore script, with each parameter's current value baked into a corresponding nvram set line.

!!!WARNING!!! The generated restore lines are single-quoted, so any single quote (') inside a parameter value must be escaped or it will break the restore script. Evaluate replacing it with a double quote (“) if/where possible.

As a general recommendation, after every upgrade consider reviewing the FT CHANGELOG and Bitbucket commits for further configuration adjustments that may be needed because of:

  1. Fixed bugs
  2. Extended options
  3. New functionalities
  4. Explicit recommendations from devs

New/revised parameters are adjusted in /opt/nvram_upgrade_preserve.sh

Script: nvram_upgrade_preserve.sh

#!/bin/sh
# Used to adjust static or semi-static Freshtomato configurations that need to be preserved during upgrades
set -x
set -v
# -----------------------------------------------------------------------------------------
Preserve () {
    # A single quote inside a value would terminate the quoted string in the generated
    # restore line, so every one is rewritten as '\'' (close quote, escaped quote, reopen).
    _val=$(nvram get "${1}" | sed "s/'/'\\\\''/g")
    # printf rather than echo: echo implementations differ on backslash handling
    printf "nvram set %s='%s'\n" "${1}" "${_val}" >> /opt/nvram_upgrade_restore.sh
}
 
# -----------------------------------------------------------------------------------
cat <<EOF > /opt/nvram_upgrade_restore.sh
#!/bin/sh
# Used to adjust static or semi-static Freshtomato configurations that need to be preserved during upgrades
set -x
set -v
# -----------------------------------------------------------------------------------
EOF
chmod 755 /opt/nvram_upgrade_restore.sh
 
# Change Wan MAC Address every time we upgrade Firmware => We'll get a new public/WAN IP as a consequence
WAN_MAC=$(nvram get wan_mac)
if [ "_$WAN_MAC" = "_40:00:00:00:00:00" ];then
    echo "nvram set    wan_mac='40:00:00:00:00:01'" >> /opt/nvram_upgrade_restore.sh
    echo "nvram set wan_hwaddr='40:00:00:00:00:01'" >> /opt/nvram_upgrade_restore.sh
else
    echo "nvram set    wan_mac='40:00:00:00:00:00'" >> /opt/nvram_upgrade_restore.sh
    echo "nvram set wan_hwaddr='40:00:00:00:00:00'" >> /opt/nvram_upgrade_restore.sh
fi
 
Preserve bt_auth
Preserve bt_blocklist
Preserve bt_custom
Preserve bt_dht
Preserve bt_dir
Preserve bt_enable
Preserve bt_lpd
Preserve bt_log
Preserve bt_log_path
Preserve bt_pex
Preserve bt_settings
Preserve bt_settings_custom
Preserve bt_sleep
Preserve bt_ul
Preserve bt_ul_enable
Preserve ctf_disable
Preserve crt_ver
Preserve cstats_enable
Preserve cstats_path
Preserve cstats_stime
Preserve ddnsx0
Preserve ddnsx_refresh
Preserve dhcp1_lease
Preserve dhcp_moveip
Preserve dhcp_num
Preserve dhcp_start
Preserve dhcpc_minpkt
Preserve dhcpd_endip
Preserve dhcpd_gwmode
Preserve dhcpd_lmax
Preserve dhcpd_slt
Preserve dhcpd_startip
Preserve dhcpd_static
Preserve dhcpd_static_only
Preserve dns_intcpt
Preserve dnsmasq_custom
Preserve dnssec_method
Preserve http_enable
Preserve http_passwd
Preserve http_id
Preserve https_crt_file
Preserve https_crt_gen
Preserve https_crt_save
Preserve https_crt_timeset
Preserve https_enable
Preserve https_lanport
Preserve lan1_ifname
Preserve lan1_proto
Preserve lan2_ifname
Preserve lan3_ifname
Preserve lan_hostname
Preserve lan_ipaddr
Preserve log_dropdups
Preserve log_events
Preserve log_file_custom
Preserve log_file_keep
Preserve log_file_path
Preserve log_file_size
Preserve log_limit
Preserve log_mark
Preserve ms_dbdir
Preserve ms_dirs
Preserve ms_sas
Preserve ne_shlimit
Preserve nginx_docroot
Preserve nginx_enable
Preserve nginx_fqdn
Preserve nginx_php
Preserve nginx_port
Preserve nginx_servercustom
Preserve nginx_upload
Preserve ntp_server
Preserve ntpd_enable
Preserve ntpd_server_redir
Preserve router_name
Preserve rrule0
Preserve rrule1
Preserve rrule2
Preserve rruleN
Preserve rrules_activated
Preserve rstats_enable
Preserve rstats_path
Preserve rstats_stime
Preserve sch_c1
Preserve sch_c1_cmd
Preserve sch_c1_last
Preserve sch_c2
Preserve sch_c2_cmd
Preserve sch_c2_last
Preserve sch_c3
Preserve sch_c3_cmd
Preserve sch_c3_last
Preserve sch_c4
Preserve sch_c4_cmd
Preserve sch_c4_last
Preserve sch_c5
Preserve sch_c5_cmd
Preserve sch_c5_last
Preserve sch_rboot
Preserve sch_rcon
Preserve script_fire
Preserve script_wanup
Preserve smbd_autoshare
Preserve smbd_cpage
Preserve smbd_cset
Preserve smbd_custom
Preserve smbd_enable
Preserve smbd_ifnames
Preserve smbd_master
Preserve smbd_nlsmod
Preserve smbd_passwd
Preserve smbd_protocol
Preserve smbd_shares
Preserve smbd_user
Preserve smbd_wgroup
Preserve smbd_wins
Preserve snmp_enable
Preserve sshd_authkeys
Preserve sshd_dsskey
Preserve sshd_ecdsakey
Preserve sshd_ed25519
Preserve sshd_hostkey
Preserve stealth_mode
Preserve stubby_resolvers
Preserve telnetd_eas
Preserve tm_sel
Preserve tm_tz
Preserve tomatoanon_answer
Preserve tomatoanon_enable
Preserve upnp_custom
Preserve upnp_enable
Preserve upnp_lan1
Preserve upnp_lan2
Preserve upnp_lan3
Preserve upnp_lan
Preserve usb_fs_exfat
Preserve usb_fs_hfs
Preserve usb_fs_zfs
Preserve vpn_client1_addr
Preserve vpn_client1_ca
Preserve vpn_client1_cn
Preserve vpn_client1_crt
Preserve vpn_client1_custom
Preserve vpn_client1_key
Preserve vpn_client1_ncp_ciphers
Preserve vpn_client1_password
Preserve vpn_client1_port
Preserve vpn_client1_proto
Preserve vpn_client1_tlsremote
Preserve vpn_client1_userauth
Preserve vpn_client1_username
Preserve vpn_client1_useronly
Preserve vpn_client2_addr
Preserve vpn_client2_ca
Preserve vpn_client2_cn
Preserve vpn_client2_crt
Preserve vpn_client2_custom
Preserve vpn_client2_key
Preserve vpn_client2_ncp_ciphers
Preserve vpn_client2_password
Preserve vpn_client2_port
Preserve vpn_client2_proto
Preserve vpn_client2_tlsremote
Preserve vpn_client2_userauth
Preserve vpn_client2_username
Preserve vpn_client2_useronly
Preserve vpn_client_eas
Preserve vpn_server1_ca
Preserve vpn_server1_crt
Preserve vpn_server1_custom
Preserve vpn_server1_dh
Preserve vpn_server1_key
Preserve vpn_server1_ncp_ciphers
Preserve vpn_server1_port
Preserve vpn_server1_proto
Preserve vpn_server1_sn
Preserve vpn_server1_users_val
Preserve vpn_server2_users_val
Preserve vpn_server_eas
Preserve wan1_gateway_get
Preserve wan1_get_dns
Preserve wan2_gateway_get
Preserve wan2_get_dns
Preserve wan3_gateway_get
Preserve wan3_get_dns
Preserve wan4_gateway_get
Preserve wan4_get_dns
Preserve wan_dns
Preserve wan_dns_auto
Preserve wan_hostname
Preserve wan_wins
Preserve web_adv_scripts
Preserve web_css
Preserve web_mx
Preserve wl_country_code
Preserve wl_country_rev
Preserve wl0_akm
Preserve wl0_channel
Preserve wl0_chanspec
Preserve 0:ccode
Preserve 0:regrev
Preserve wl0_country_code
Preserve wl0_country_rev
Preserve wl0_nbw
Preserve wl0_nctrlsb
Preserve wl0_security_mode
Preserve wl0_ssid
Preserve wl0_wpa_psk
Preserve wl1_akm
Preserve wl1_channel
Preserve wl1_chanspec
Preserve 1:ccode
Preserve 1:regrev
Preserve wl1_country_code
Preserve wl1_country_rev
Preserve wl1_nbw
Preserve wl1_nctrlsb
Preserve wl1_security_mode
Preserve wl1_ssid
Preserve wl1_wpa_psk
Preserve wl2_akm
Preserve wl2_channel
Preserve wl2_chanspec
Preserve 2:ccode
Preserve 2:regrev
Preserve wl2_country_code
Preserve wl2_country_rev
Preserve wl2_nbw
Preserve wl2_nctrlsb
Preserve wl2_security_mode
Preserve wl2_ssid
Preserve wl2_wpa_psk
 
echo "nvram commit" >> /opt/nvram_upgrade_restore.sh

Firmware Upgrade Custom Script

Script: firmup.sh

#!/bin/sh
{
#set -x
#set -v
#=========================================================================
# Ref: https://wiki.freshtomato.org/doku.php/remote_upgrade_poc
#
# Dirty Upgrade: overwrite the firmware + keep the current nvram settings
#     firmup.sh -n firmware_image.trx
# Clean Upgrade: overwrite the firmware + erase the nvram settings essentially restoring the default ones (Recommended)
#     firmup.sh -e firmware_image.trx
#=========================================================================
 
# Variables Definition
ERASE_NVRAM="$1"
FIRMWARE="$2"
 
# Functions Definition
# e_logr - echo message and logs to syslog with proper priority/tag
e_logr () {
        echo "${1}"
        logger -p NOTICE -t FT-Upgrade "${1}"
}
 
# Main
 
# Check proper command syntax and parms #
if [ $# -ne 2 ] || [ "_${ERASE_NVRAM}" != "_-n" -a "_${ERASE_NVRAM}" != "_-e" ]; then
    e_logr "Usage: $(basename ${0}) -e|-n firmware_file.trx"
    exit 1
fi
 
# Prepare/Check firmware flashing pre-requisites
if [ ! -s "${FIRMWARE}" ]; then
    e_logr "${FIRMWARE} does NOT exist or is empty (0 length). Exiting..."
    exit 2
fi
 
# Copy firmware file to /tmp directory
# Avoids issues of missing /mnt/<volume> after we issue 'kill -s SIGUSR1 1' below
e_logr "Copying ${FIRMWARE} to /tmp directory..."
TMPFIRMWARE="/tmp/$(basename ${FIRMWARE})"
cp "${FIRMWARE}" "${TMPFIRMWARE}"
 
if [ "_${ERASE_NVRAM}" = "_-e" ];then WWO="w/"; else WWO="w/o";fi
e_logr "Performs a canonical upgrade ${WWO} nvram clearing"
# Check if firmware  file is present and not 0
if [ ! -s "${TMPFIRMWARE}" ]; then
    e_logr "${TMPFIRMWARE} does NOT exist or is empty (0 length)"
    e_logr "Check source Firmware file presence and consistency:"
    e_logr "      ${FIRMWARE}"
    exit 2
fi
 
e_logr "About to start Flashing firmware:"
e_logr "    MD5=$(md5sum ${TMPFIRMWARE})"
e_logr "Press ENTER to continue (or Ctrl-C to exit)"
read x
 
# Prepare/Check firmware flashing pre-requisites
e_logr "Waiting for services to stop."
nvram set action_service=upgrade-start
sleep 1
kill -s SIGUSR1 1
c=1;while [ "$(nvram get action_service)" ];do echo -n $c\ ;c=$((c+1));sleep 1;done;echo
e_logr "Services stopped."
 
# Flash/Write firmware file
e_logr "Writing firmware ${TMPFIRMWARE}"
nohup mtd-write2 "${TMPFIRMWARE}" linux > /tmp/nohup.out 2>/dev/null &
c=1;while [ "$(pidof mtd-write2)" ];do echo -n $c\ ;c=$((c+1));sleep 1;done;echo
sleep 1
 
# Check if "/tmp/nohup.out" output file is present and not 0
if [ ! -s "/tmp/nohup.out" ]; then
    e_logr "/tmp/nohup.out does NOT exist or is empty (0 length)"
    e_logr "mtd-write2 ${TMPFIRMWARE} NOT successfully completed!"
    e_logr "Try again now or perform a manual 'reboot' and repeat the upgrade procedure..."
    exit 3
fi
cat /tmp/nohup.out | sort -u; rm /tmp/nohup.out
e_logr "Flash finished."
 
# Is nvram erase requested?
if [ "_${ERASE_NVRAM}" = "_-e" ]; then
        e_logr "Clearing nvram"
        mtd-erase2 nvram
        sleep 1
fi
 
# All set... time to reboot
e_logr "Rebooting..."
sleep 1
reboot &
c=1;while true;do echo -n $c\ ;c=$((c+1));sleep 1;done
exit
}
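Item 12 above recommends checking the downloaded archive before flashing, yet firmup.sh only tests that the file is non-empty (`-s`). The following is an added example, not part of the page's scripts, of pre-flight checks a practitioner could run before handing the image to mtd-write2: it assumes the image is a Broadcom TRX container (ASCII magic "HDR0" at offset 0, little-endian 32-bit image length at offset 4) and builds constructed sample files rather than using a real FreshTomato build; the digest to compare against would come from the release page.

```sh
#!/bin/sh
# Added example (not from the original page): pre-flight checks on a downloaded
# firmware image before it is handed to mtd-write2. Assumed layout: a Broadcom TRX
# container with the ASCII magic "HDR0" at offset 0 and the little-endian 32-bit
# image length at offset 4. The expected digest would come from the release page;
# the files built below are constructed samples, not FreshTomato builds.

TRX_HEADER_LEN=28   # magic, length, crc32, flags/version, three partition offsets

# le32_at FILE OFFSET: print the unsigned 32-bit little-endian value at OFFSET.
le32_at() {
    # od emits the four bytes as decimal; assembling them by hand keeps the
    # result independent of the host's byte order.
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# trx_check FILE: return 0 if the header is plausible, otherwise a reason code.
trx_check() {
    f=$1
    if [ ! -s "$f" ]; then echo "missing or empty: $f"; return 1; fi
    real_len=$(wc -c < "$f")
    if [ "$real_len" -lt "$TRX_HEADER_LEN" ]; then
        echo "too short for a TRX header: $real_len bytes"; return 2
    fi
    magic=$(dd if="$f" bs=4 count=1 2>/dev/null)
    if [ "$magic" != "HDR0" ]; then echo "bad TRX magic: '$magic'"; return 3; fi
    hdr_len=$(le32_at "$f" 4)
    # A file shorter than the length recorded in its own header is a truncated
    # download; writing it to flash would leave the router unbootable.
    if [ "$real_len" -lt "$hdr_len" ]; then
        echo "truncated image: header says $hdr_len bytes, file has $real_len"
        return 4
    fi
    echo "TRX header ok: $hdr_len bytes"
    return 0
}

# digest_check FILE EXPECTED_SHA256: compare the download with the published hash.
digest_check() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# build_sample_trx FILE TOTAL_BYTES CLAIMED_LEN: constructed image whose header
# claims CLAIMED_LEN bytes while the file really is TOTAL_BYTES long.
build_sample_trx() {
    b0=$(( $3 & 255 )); b1=$(( ($3 >> 8) & 255 ))
    printf 'HDR0' > "$1"
    printf "\\$(printf '%03o' "$b0")\\$(printf '%03o' "$b1")\000\000" >> "$1"
    dd if=/dev/zero bs=1 count=$(( $2 - 8 )) >> "$1" 2>/dev/null
}

# Demo on constructed files; nothing here touches flash.
demo=$(mktemp -d)
build_sample_trx "$demo/good.trx" 64 64
build_sample_trx "$demo/short.trx" 40 64
trx_check "$demo/good.trx"
trx_check "$demo/short.trx" || echo "refusing to flash short.trx"
rm -rf "$demo"
```

The length check only catches truncation; it does not replace verifying the published digest, which is what detects a tampered or corrupted archive.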

After Upgrade Automatic Persistent Epilogue Script Execution

Script 00-00-identify.autorun

#!/bin/sh
set -x
set -v
# This is 00-00-identify.autorun
# To be stored in the root dir of an external USB drive to guarantee persistence
# FT Automount functionality automatically mounts all partitions to sub-directories in /mnt.
# nvram usb_automount defaults to 1 (enabled - at least in recently compiled .trx FWs)
# 00-00-identify.autorun file is executed if existing from each mounted partition
logger "AUTORUN id: [$0] [$1] $(date '+%D %T') uptime: $(cut -f1 -d\  /proc/uptime)"
OS_VERSION_UNDERSCORED=$(nvram get os_version | tr " " "_")
MODEL=$(nvram get t_model_name | tr " " "_")
ROUTER_NAME=$(nvram get router_name | tr " " "_")
SPEC="${ROUTER_NAME}_${MODEL}_${OS_VERSION_UNDERSCORED}"
BOOTLOG="${1}/boot.log"
 
# Pick the first unused backup file name on the mounted volume
c=0
while true; do
    NVRAMBCK="${1}/${SPEC}_nvram_${c}.cfg"
    if [ ! -s "${NVRAMBCK}" ]; then
        break
    else
        c=$((c + 1))
    fi
done
nvram save "${NVRAMBCK}";nvram show > "${NVRAMBCK}.txt"
 
echo "---------------------------------------------------------------" >> "${BOOTLOG}"
echo "--- ${SPEC}" >> "${BOOTLOG}"
echo "---------------------------------------------------------------" >> "${BOOTLOG}"
echo "AUTORUN id: [$0] [$1] $(date '+%D %T') uptime: $(cut -f1 -d\  /proc/uptime)" >> "${BOOTLOG}"
 
if [ "_$(nvram get upgrade_epilogue_config)" != "_done" ] ; then
        echo "upgrade_epilogue_config != done ; setting nvram parameters and rebooting..." >> "${BOOTLOG}"
 
        nvram set wan_proto=pppoe
        nvram set wan_ppp_username=username
        nvram set wan_ppp_passwd=password
        nvram set wan_sta=
        nvram set ddnsx0='afraid<<<<<<bmt....<token>....MTc='
        nvram set ddnsx_refresh='1'
 
        nvram set vpn_server1_ca='-----BEGIN CERTIFICATE-----
MIIDGTCCAgGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApvcGVu
....
ZGDWu/rGtWIFcTsoxr797jaIKspY1NtCrIgsd0E=
-----END CERTIFICATE-----'
        nvram set vpn_server1_crt='-----BEGIN CERTIFICATE-----
MIIDADCCAeigAwIBAgIIaY3sRfUVtHwwDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE
....
8U8TAg==
-----END CERTIFICATE-----'
        nvram set vpn_server1_custom='verb 5
script-security 2
#crl-verify /home/root/crl.pem
tls-version-min 1.2
auth SHA512'
        nvram set vpn_server1_dh='-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA3IH5AwWcIMSaHXFkSh5BUrRiiruQYgToSnGVCW328rYn8kOyLRxS
....
Nb2Va+s+Hju96X4HlDEhiJHDzoS13ozwUwIBAg==
-----END DH PARAMETERS-----'
        nvram set vpn_server1_key='-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2kmZJzzFJrHel
....
3T3FRuaIoGEfYGhIATCDeo0=
-----END PRIVATE KEY-----'
        nvram set vpn_server1_ncp_ciphers='CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC'
        nvram set vpn_server1_port='443'
        nvram set vpn_server1_proto='tcp-server'
        nvram set vpn_server1_sn='10.10.20.0'
        nvram set vpn_server1_users_val=''
        nvram set vpn_server2_users_val=''
        nvram set vpn_server_eas='1,'
 
        # This script takes care of reconfiguring other necessary parameters in nvram
        ${1}/optware/nvram_upgrade_restore.sh
 
        nvram set upgrade_epilogue_config=done
        nvram commit
        reboot
        c=1;while true;do echo -n $c\ ;c=$((c+1));sleep 1;done
fi
 
echo "upgrade_epilogue_config == done ; ready to Rock'n'Roll..." >> "${BOOTLOG}"
 
# Mount optware
logger "AUTORUN id: [$0] [$1] Checking mounted /proc/mounts for presence of /opt Optware"
if /bin/grep -q /opt /proc/mounts
then
  logger "AUTORUN id: [$0] [$1] umount /opt Optware if already mounted"
  /bin/umount /opt
  if [ $? -ne 0 ]
  then
    logger "AUTORUN id: [$0] [$1] umount failed, script not continuing"
    exit 1
  fi
fi
 
logger "AUTORUN id: [$0] [$1] Bind-mounting /tmp/mnt/myusbdrive/optware to /opt"
# "bind" is the mount option for a bind mount (mount has no "bindable" option)
/bin/mount -o bind /tmp/mnt/myusbdrive/optware /opt
 
# This is just an example of what can be done with mount --bind
# it allows to replace files in normally read-only /root filesystem with custom ones
# mount --bind /mnt/usb/advanced-vlan.asp /www/advanced-vlan.asp
 
logger "AUTORUN id: [$0] [$1] If we are here... then we have a mounted /opt"
logger "AUTORUN id: [$0] [$1] Let's GO!!!"
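Item 11.2 asks for logic that tells a first boot after an upgrade from a normal reboot, and item 13 warns that a scripted restore can end in a lockout or bootloop. The autorun above keys on the nvram flag upgrade_epilogue_config, which a clean upgrade wipes. The following added example (not part of the page's scripts) keeps that state on the USB volume the autorun was started for ($1, as on the page) and caps the number of reconfigure-and-reboot rounds; the marker file names last_os_version and epilogue_attempts, the cap of 3, and the use of "nvram get os_version" as the firmware identity are assumptions chosen here.

```sh
#!/bin/sh
# Added example (not from the original page's scripts): a guard for the autorun
# epilogue. State lives on the USB volume the autorun was started for ($1), so a
# clean upgrade that wipes nvram does not lose it. Assumptions: marker file names
# last_os_version and epilogue_attempts, a cap of 3 attempts, and that the running
# firmware is identified by the string "nvram get os_version" returns.

MAX_EPILOGUE_ATTEMPTS=3

# upgrade_phase STATEDIR CURRENT_VERSION
# Prints "normal"  when CURRENT_VERSION is the firmware recorded at the last completed
#                  epilogue (the attempt counter is reset),
#        "upgrade" when it differs and the epilogue may run (the counter is bumped
#                  first, so a crash before mark_epilogue_done still counts),
#        "give-up" (exit 1) after MAX_EPILOGUE_ATTEMPTS rounds without a recorded
#                  success, so a broken restore script cannot keep the router in a
#                  reconfigure-and-reboot loop.
upgrade_phase() {
    dir=$1; cur=$2
    prev=$(cat "$dir/last_os_version" 2>/dev/null || true)
    attempts=$(cat "$dir/epilogue_attempts" 2>/dev/null || echo 0)
    attempts=${attempts:-0}
    if [ "$prev" = "$cur" ]; then
        echo 0 > "$dir/epilogue_attempts"
        echo normal
        return 0
    fi
    if [ "$attempts" -ge "$MAX_EPILOGUE_ATTEMPTS" ]; then
        echo give-up
        return 1
    fi
    echo $((attempts + 1)) > "$dir/epilogue_attempts"
    echo upgrade
    return 0
}

# mark_epilogue_done STATEDIR CURRENT_VERSION: record success. Call it right before
# the epilogue's "nvram commit; reboot" so the next boot is classified "normal".
mark_epilogue_done() {
    echo "$2" > "$1/last_os_version"
    echo 0 > "$1/epilogue_attempts"
}

# How it would sit in 00-00-identify.autorun (comments only; needs a router):
#   case $(upgrade_phase "$1" "$(nvram get os_version)" || true) in
#     upgrade) if ${1}/optware/nvram_upgrade_restore.sh; then
#                  mark_epilogue_done "$1" "$(nvram get os_version)"
#              fi
#              nvram commit; reboot ;;
#     give-up) logger -t FT-Upgrade "epilogue failed $MAX_EPILOGUE_ATTEMPTS times; leaving nvram alone" ;;
#   esac

# Demo with a constructed state directory and version string (no router needed).
demo=$(mktemp -d)
i=1
while [ $i -le 4 ]; do
    echo "boot $i after flashing: $(upgrade_phase "$demo" 2023.x-constructed || true)"
    i=$((i + 1))
done
mark_epilogue_done "$demo" 2023.x-constructed
echo "boot after a completed epilogue: $(upgrade_phase "$demo" 2023.x-constructed)"
rm -rf "$demo"
```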

Alternatives

  1. Compile your own firmware with your settings hard-coded in it
    1. A lot of effort is required in building the compilation environment.
    2. Consolidated experience with such process is necessary
    3. Several attempts in the past, following the directions in the freshtomato-arm README.md, were NEVER able to produce a byte-for-byte match between my own .trx build and the .trx images prepared for general distribution in the download repo

References and Online Resources

Credits

remote_upgrade_poc.txt · Last modified: 2023/06/10 00:21 by hogwild