- drop unused 'UBOOT' variable from 'Device/apalis' recipe
- fix 'KERNEL_SUFFIX' for 'Device/cubox-i' (should be '-zImage')
- drop redundant 'DEVICE_{VENDOR,MODEL}' from 'Device/ventana-large'
- other, minor fixes
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This reverts commit f716c30241.
Migrating everyone to the new syntax could break downgrades. We may
reintroduce it way later if needed.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Missing br- prefix could result in name conflict between DSA port
interface and bridge interface. Some devices with just one LAN port use
"lan" interface name for DSA port. Trying to create bridge with the same
"lan" name was failing.
Reported-by: David Bauer <mail@david-bauer.net>
Fixes: 43fc720657 ("base-files: generate "device" UCI type section for bridge")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
/etc/syslog.conf is used by sysklogd, and /etc/crontabs is used
by crond, both features of busybox. Given this, ownership for
these files should be bound to busybox, especially if one day
there's a way to do an in-place opkg update of busybox.
There's also the busybox provided syslogd which uses this file
if CONFIG_BUSYBOX_FEATURE_SYSLOGD_CFG is set.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
The nslookup_lede/openwrt applet was introduced in de5b8e5. It was
introduced because:
Add a new LEDE nslookup applet which is compatible with musl libc
and providing more features like ability to specify query type.
In contrast to busybox' builtin nslookup applet, this variant does
not rely on libc resolver internals but uses explicit send logic
and the libresolv primitives to parse received DNS responses.
In busybox this applet is added in 0dd3be8. In particular, this commit
introduces the variable NSLOOKUP_BIG. We set the default to true and
so nothing changes.
Signed-off-by: Nick Hainke <vincent@systemli.org>
On login busybox shows a timestamp per default contianing the build
date. Since the build date isn't reproducible per default this behaviour
was disabled by default via 34df4d40 "busybox: disable timestamp in
version".
This commit modifies busybox so that the printed timestamp reproducible
using SOURCE_DATE_EPOCH and therefore shouldn't be disabled anymore.
Before:
BusyBox v1.33.1 () built-in shell (ash)
After:
BusyBox v1.33.1 (2021-05-13 09:34:34 UTC) built-in shell (ash)
Signed-off-by: Paul Spooren <mail@aparcar.org>
netifd has been recently patched to use more accurate "ports" option
instead of "ifname". This is a simple translation between two UCI
options.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This switches from the old way of defining bridges in an "interface" UCI
section type (that should be used for layer 3 only). From now a defualt
board switch will have its own "device" UCI section type. It's a new &
preferred way of defining L2 devices.
Before:
config interface 'lan'
option type 'bridge'
option ifname 'lan1 lan2 lan3 lan4'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
After:
config device
option name 'lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option ifname 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
use AUTORELEASE since BusyBox is often updaten and PKG_RELEASE is not
consistently bumped. Also use SPDX license headers to be machine
readable and bump the copyright year to 2021.
Signed-off-by: Paul Spooren <mail@aparcar.org>
02dd2f2df7cb fix unannotated fall-through warnings
3052f2f67686 extdev: remove unused function
2a97fd006c3b device: add support for configuring devices with external auth handler
87e469be0c08 wireless: fix memory corruption bug when using vlans/station entries in the config
7277764bf817 bridge: rename "ifname" attribute to "ports"
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This can be used to handle network configuration of dynamically created vlan
interfaces in a more flexible way
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Bridge aggregates multiple ports so use a more accurate name ("ports")
and format (array) for storing them in board.json.
Example:
"network": {
"lan": {
"ports": [
"lan1",
"lan2",
"lan3",
"lan4"
],
"protocol": "static"
},
"wan": {
"ifname": "wan",
"protocol": "dhcp"
}
}
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the master feeds.
If one of the other keys would be compromised this would not affect
users of master snapshot builds.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This reduces redundant instructions.
The solution is inspired by a different implemention of
Roman Kuzmitskii.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
ZiKing CPE46B is a POE outdoor 2.4ghz device with an integrated directional
antenna. It is low cost and mostly available via Aliexpress, references can
be found at:
- https://forum.openwrt.org/t/anddear-ziking-cpe46b-ar9331-ap121/60383
- https://git.lsd.cat/g/openwrt-cpe46b
Specifications:
- Atheros AR9330
- 32MB of RAM
- 8MB of flash (SPI NOR)
- 1 * 2.4ghz integrated antenna
- 2 * 10/100/1000 ethernet ports (1 POE)
- 3 * Green LEDs controlled by the SoC
- 3 * Green LEDs controlled via GPIO
- 1 * Reset Button controlled via GPIO
- 1 * 4 pin serial header on the PCB
- Outdoor packaging
Flashing instruction:
You can use sysupgrade image directly in vendor firmware which is based
on OpenWrt/LEDE. In case of issues with the vendor GUI, the vendor
Telnet console is vulnerable to command injection and can be used to gain
a shell directly on the OEM OpenWrt distribution.
Signed-off-by: Giulio Lorenzo <salveenee@mortemale.org>
[fix whitespaces, drop redundant uart status and serial0, drop
num-chipselects, drop 0x1002 MAC address for wmac]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
COMFAST CF-E375AC is a ceiling mount AP with PoE support,
based on Qualcomm/Atheros QCA9563 + QCA9886 + QCA8337.
Short specification:
2x 10/100/1000 Mbps Ethernet, with PoE support
128MB of RAM (DDR2)
16 MB of FLASH
3T3R 2.4 GHz, 802.11b/g/n
2T2R 5 GHz, 802.11ac/n/a, wave 2
built-in 5x 3 dBi antennas
output power (max): 500 mW (27 dBm)
1x RGB LED, 1x button
built-in watchdog chipset
Flash instruction:
1) Original firmware is based on OpenWrt.
Use sysupgrade image directly in vendor GUI.
2) TFTP
2.1) Set a tftp server on your machine with a fixed IP address of
192.168.1.10. A place the sysupgrade as firmware_auto.bin.
2.2) boot the device with an ethernet connection on fixed ip route
2.3) wait a few seconds and try to login via ssh
3) TFTP trough Bootloader
3.1) open the device case and get a uart connection working
3.2) stop the autoboot process and test connection with serverip
3.3) name the sysupgrade image firmware.bin and run firmware_upg
MAC addresses:
Though the OEM firmware has four adresses in the usual locations,
it appears that the assigned addresses are just incremented in a
different way:
interface address location
LAN: *:DC 0x0
WAN *:DD 0x1002
WLAN 2.4g *:E6 n/a (0x0 + 10)
WLAN 5g *:DE 0x6
unused *:DF 0x5006
The MAC address pointed at the label is the one assign to the LAN
interface.
Signed-off-by: Joao Henrique Albuquerque <joaohccalbu@gmail.com>
[add label-mac-device, remove redundant uart status, fix whitespace
issues, fix commit message wrapping, remove x bit on DTS file]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Ubiquiti EdgeRouter 6P is 6 port router with similar
specifications as the EdgeRouter 4, support for which was added
in commit dd651e54cc
There are five 10/100/1000 Mbps RJ/Copper ports and
one 1000 Mbps SFP port.
SoC: Octeon Cavium 7130 (Cavium 3) at 1000MHz
Memory: 1GiB DDR3
Flash: 2x2M chips with uboots (chainloaded) + 512K eeprom
LEDs: 1x for power status (white/blue, controllable)
and 6x for ethernet and SFP ports (no control over them)
Buttons: 1x Reset
Serial: 1x RJ45 port on front panel. 115200 baud, 8N1
USB: 1x USB3.0 on front panel
MII: 1x QSGMII from SoC
PHY: 1x Vitesse VSC8504 of which 4 ports are used (phys 4-7)
1x Vitesse VSC8514 of which 2 ports are used (phys 8-9)
Network port mapping
- eth0 on device maps to lan0 and phy5
- eth1 on device maps to lan1 and phy6
- eth2 on device maps to lan2 and phy7
- eth3 on device maps to lan3 and phy8
- eth4 on device maps to lan4 and phy9
- eth5 (SFP) on device maps to lan5 and phy4
What is not working:
- There is no port status available before it goes up
- SFP have no additional status and presented as no different from eth
- Power-over-ethernet (passive) support has not been tested
How to flash the firmware:
- copy openwrt-octeon-ubnt_edgerouter-6p-initramfs-kernel.bin and
openwrt-octeon-ubnt_edgerouter-6p-squashfs-sysupgrade.tar to
USB flash drive that is formatted to vfat/fat32
- connect USB flash drive to EdgeRouter 6P front USB port
- connect serial cable using front RJ45 port (115200 baud, 8N1)
- connect power to cable to EdgeRouter 6P
- connect terminal to the console to see uboot boot process
- interrupt boot by pressing button(s) on your keyboard to log
in to the uboot
- detect usb connected flash drives by typing to the console:
usb start
- after drive is detected load initramfs+kernel to the memory by typing:
fatload usb 0:1 0x20000000 openwrt-octeon-ubnt_edgerouter-6p-initramfs-kernel.bin
- after initramfs+kernel is loaded to the memory load it by typing:
bootoctlinux 0 numcores=4 endbootargs mem=0
- boot process should finish and you will be greeted with console
after pressing enter
- create directory to mount usb flash drive to by typing:
mkdir /tmp/sda
- mount flash drive to that directory by typing:
mount /dev/sda1 /tmp/sda
- flash firmware to router internal storage by typing:
sysupgrade /tmp/sda/openwrt-octeon-ubnt_edgerouter-6p-squashfs-sysupgrade.tar
- device will reboot and after it gets up you will have
edgerouter 6p running openwrt
Signed-off-by: Dan Brown <danbrown@gmail.com>
[reorder/squash patches, move ethernet@0 to DTS, share image setup]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
EdgeRouter 4 and upcoming EdgeRouter 6P and 12 have similar setup,
so create a shared DTSI to prevent duplicate code.
Signed-off-by: Dan Brown <danbrown@gmail.com>
[reorder/squash commits, add description, move ethernet@0 to DTS]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Remove vn call in favour of v call. This commit serves as preparation
for removing the v function call.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[alter slightly to prevent double space after colon]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Vendor firmware expects model name without manufacturer name inside
'supported_devices' part of metadata. This allows direct upgrade to
OpenWrt from vendor's GUI.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This fixes a small regression where the lzma-loader variable values
are being shared between boards that require different configurations.
If not set to "" globally, a device without these settings will just take
the last values another device has set before in the queue.
Fixes: 1b8bd17c2d ("ath79: lzma-loader: allow setting custom kernel magic")
Signed-off-by: Michael Pratt <mcpratt@pm.me>
[add detailed explanation to the commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
When building GRUB with binutils 2.35.2 or later, an error occurs due to
a section .note.gnu.property that is placed at an offset such that
objcopy needs to pad the img file with zeros. This in turn causes the
following error: "error: Decompressor is too big.".
The fix accepted by upstream patches a python script that isn't executed
at all when building GRUB with OpenWrt buildroot. There's another patch
that patches the files generated by that python script directly, but by
including it we would deviate further from upstream. Instead of doing
that, simply bump to the latest release candidate.
As one of the fixes for the CVEs causes grub to crash on some x86
hardware using legacy BIOS when compiled with -O2, filter -O2 and
-O3 out of TARGET_CFLAGS.
Fixes the following CVEs:
- CVE-2020-14372
- CVE-2020-25632
- CVE-2020-25647
- CVE-2020-27749
- CVE-2020-27779
- CVE-2021-3418
- CVE-2021-20225
- CVE-2021-20233
Runtime-tested on x86/64.
Fixes: FS#3790
Suggested-by: Dirk Neukirchen <plntyk.lede@plntyk.name>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
c44b40b overlay: fix syncronizing typo
b5397a1 fstools: block: fix segfault on mount with no target
bd7cc8d block: use dynamically allocated target string
6d8450e blockd: use allocated strings instead of fixed buffers
d47909e libblkid-tiny: fix buffer overflow
67d2297 block: match device path instead of assuming /dev/%s
2aeba88 block: allow autofs and umount commands also on MTD/UBI
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
28b162366d09 mt76: fix calling mt76_get_of_eeprom with an offset for pre-cal data
9d736545bb5a mt76: mt7915: disable pre-calibration support for now
Signed-off-by: Felix Fietkau <nbd@nbd.name>
6a6011d uclient-http: set eof mark when content-length is 0
19571e4 tests: fix help usage test for uclient built with sanitizer
c5fc04b tests: fix help usage test
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
PREFER_IPV4_ADDRESS is broken on IPv6-only hosts, as it causes busybox
utilities (ping, traceroute, ntpd) to forcibly use the A record instead of
the AAAA record when resolving a DNS name. This obviously fails when
there is no IPv4 connectivity. Since IPv6-only hosts or routers will only
become more common over time, disable PREFER_IPV4_ADDRESS to support this
use-case.
As a side-effect, disabling PREFER_IPV4_ADDRESS changes the default
resolution behaviour of busybox utilities on dual-stack hosts. Busybox
utilities now simply use the order given by getaddrinfo(), so they will
now prefer IPv6 addresses when resolving a name with both A and AAAA
records if there is IPv6 connectivity. This is in line with RFC 6724.
PREFER_IPV4_ADDRESS was likely intended to work around naive
implementations of getaddrinfo() that could return AAAA records first,
even on an IPv4-only host. But both musl (since 1.1.3) and glibc
correctly implement RFC 6724 for getaddrinfo() and check connectivity to
determine the correct order in which to return records. On IPv4-only
hosts, getaddrinfo() will return A records first, so there is no need for
the PREFER_IPV4_ADDRESS hack.
See also: https://bugs.busybox.net/show_bug.cgi?id=12381
Fixes: FS#84
Fixes: FS#2608
References: https://github.com/openwrt/openwrt/pull/4167
Signed-off-by: Alexander Traud <pabstraud@compuserve.com>
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if
make TOPDIR="$(pwd)" -C "$pkgdir" compile
was called manually. In most of the cases, I just saw warnings like this:
make: Entering directory '/home/.../package/gluon-status-page'
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
[...]
While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.
After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Fixes following error while executing the init script on the buildhost:
Enabling boot
./etc/init.d/bootcount: line 5: /lib/upgrade/asrock.sh: No such file or directory
Enabling bootcount
While at it fix following shellcheck issue:
base-files/etc/init.d/bootcount line 11:
if [ $? -eq 0 ]; then
^-- SC2181: Check exit code directly with e.g. 'if mycmd;', not indirectly with $?.
Cc: Ansuel Smith <ansuelsmth@gmail.com>
Cc: Pawel Dembicki <paweldembicki@gmail.com>
Cc: Christian Lamparter <chunkeey@gmail.com>
Fixes: 98b86296e6 ("ipq806x: add support for ASRock G10")
References: https://gitlab.com/ynezz/openwrt/-/jobs/1243290743#L1444
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Includes fix for CVE-2020-24588
c7dd54a22e30 mt76: connac: skip wtbl reset on sta disconnect
3511fd430356 mt76: validate rx A-MSDU subframes
aedc3145de6e mt76: fix possible NULL pointer dereference in mt76_tx
5c2baab92cd0 mt76: mt7615: fix NULL pointer dereference in tx_prepare_skb()
af21659ee834 mt76: mt76x0: use dev_debug instead of dev_err for hw_rf_ctrl
e423c16f16f7 mt76: mt7615: free irq if mt7615_mmio_probe fails
f2d0da8da9b7 mt76: mt7663: enable hw rx header translation
d2713a5d9de9 mt76: mt7921: fix mt7921_wfsys_reset sequence
ce5f32d84f33 mt76: mt7921: Don't alter Rx path classifier
8ab8c7747197 mt76: connac: fw_own rely on all packet memory all being free
a747b0bb4956 mt76: mt7921: enable deep sleep at runtime
2e6e999509b1 mt76: mt7921: add deep sleep control to runtime-pm knob
30bcb2338ce2 mt76: connac: fix WoW with disconnetion and bitmap pattern
56518f4a126e mt76: mt7921: consider the invalid value for to_rssi
e969ab10a034 mt76: mt7921: add back connection monitor support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
From the patch series description:
Several security issues in the 802.11 implementations were found by
Mathy Vanhoef (New York University Abu Dhabi), who has published all
the details at
https://papers.mathyvanhoef.com/usenix2021.pdf
Specifically, the following CVEs were assigned:
* CVE-2020-24586 - Fragmentation cache not cleared on reconnection
* CVE-2020-24587 - Reassembling fragments encrypted under different
keys
* CVE-2020-24588 - Accepting non-SPP A-MSDU frames, which leads to
payload being parsed as an L2 frame under an
A-MSDU bit toggling attack
* CVE-2020-26139 - Forwarding EAPOL from unauthenticated sender
* CVE-2020-26140 - Accepting plaintext data frames in protected
networks
* CVE-2020-26141 - Not verifying TKIP MIC of fragmented frames
* CVE-2020-26142 - Processing fragmented frames as full frames
* CVE-2020-26143 - Accepting fragmented plaintext frames in
protected networks
* CVE-2020-26144 - Always accepting unencrypted A-MSDU frames that
start with RFC1042 header with EAPOL ethertype
* CVE-2020-26145 - Accepting plaintext broadcast fragments as full
frames
* CVE-2020-26146 - Reassembling encrypted fragments with non-consecutive
packet numbers
* CVE-2020-26147 - Reassembling mixed encrypted/plaintext fragments
In general, the scope of these attacks is that they may allow an
attacker to
* inject L2 frames that they can more or less control (depending on the
vulnerability and attack method) into an otherwise protected network;
* exfiltrate (some) network data under certain conditions, this is
specific to the fragmentation issues.
A subset of these issues is known to apply to the Linux IEEE 802.11
implementation (mac80211). Where it is affected, the attached patches
fix the issues, even if not all of them reference the exact CVE IDs.
In addition, driver and/or firmware updates may be necessary, as well
as potentially more fixes to mac80211, depending on how drivers are
using it.
Specifically, for Intel devices, firmware needs to be updated to the
most recently released versions (which was done without any reference
to the security issues) to address some of the vulnerabilities.
To have a single set of patches, I'm also including patches for the
ath10k and ath11k drivers here.
We currently don't have information about how other drivers are, if
at all, affected.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When building for MikroTik devices the kernel2minor tool will sometimes
fail with:
Can't get lstat from kernel file!: No such file or directory.
This is because kernel2minor expects paths no longer than 250 chars.
To work around this the include/image-commands.mk has been modified
to copy the kernel to a temporary file (/tmp/tmp.XXXXXXXXXX) before
calling kernel2minor.
Signed-off-by: François Chavant <francois@chavant.info>
Add support for querying and parsing SRV DNS records to nslookup_lede.c
This patch is based on http://lists.busybox.net/pipermail/busybox/2019-June/087359.html
Signed-off-by: Perry Melange <isprotejesvalkata@gmail.com>
[reword subject, bump PKG_RELEASE]
Signed-off-by: Paul Spooren <mail@aparcar.org>
When the list of packages to be installed in a built image exceeds a certain
number, then 'opkg install' executed for target '$(curdir)/install' in
package/Makefile fails with: /usr/bin/env: Argument list too long.
On Linux, the length of a command-line parameter is limited by
MAX_ARG_STRLEN to max 128 kB.
* https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/binfmts.h#L15
* https://www.in-ulm.de/~mascheck/various/argmax/
To solve the problem, store the package list being passed to 'opkg install'
in a temporary file and use the shell command substitution to pass the
content of the file to 'opkg install'. This guarantees that the length of
the command-line parameters passed to the bash shell is short.
The following bash script demonstrates the problem:
----------------------------------------------------------------------------
count=${1:-1000}
FILES=""
a_file="/home/egorenar/Repositories/openwrt-rel/bin/targets/alpine/generic/packages/base-files_1414-r16464+19-e887049fbb_arm_cortex-a15_neon-vfpv4.ipk"
for i in $(seq 1 $count); do
FILES="$FILES $a_file"
done
env bash -c "echo $FILES >/dev/null"
echo "$FILES" | wc -c
----------------------------------------------------------------------------
Test run:
----------------------------------------------------------------------------
$ ./test.sh 916
130989
$ ./test.sh 917
./test.sh: line 14: /bin/env: Argument list too long
131132
----------------------------------------------------------------------------
Signed-off-by: Alexander Egorenkov <egorenar-dev@posteo.net>
[reword commit subject]
Signed-off-by: Paul Spooren <mail@aparcar.org>
The allows userspace LEDs to be created and controlled. This can be useful
for testing triggers and can also be used to implement virtual LEDs.
Signed-off-by: Keith T. Garner <kgarner@kgarner.com>
[squash fixup commit and improve option wording]
Signed-off-by: Paul Spooren <mail@aparcar.org>