Author Topic: Buffalo WZR-HP-G450H Post 20025 Firmware Solution  (Read 92050 times)

Jacobi

  • Calf
  • *
  • Posts: 6
Re: Buffalo WZR-HP-G450H Post 20025 Firmware Solution
« Reply #150 on: August 01, 2018, 05:27:19 am »
Can someone share the hex file of both chips (25Q128BVFG)? My WZR-HP-G450H is completely dead! Board Rev: 0. U-boot is gone!!!

My WZR-HP-G450H is still running, what do you need? I'm running on build 30357 and for some reason the SQUASHFS errors that broke the Web-Service were gone once I granted a weekend break to my router.
So I'm able to access the flash-ROM of my router:

root@DD-WRT:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00050000 00010000 "RedBoot"
mtd1: 01f80000 00010000 "linux"
mtd2: 017b5000 00010000 "rootfs"
mtd3: 006b0000 00010000 "ddwrt"
mtd4: 00010000 00010000 "nvram"
mtd5: 00010000 00010000 "FIS directory"
mtd6: 00010000 00010000 "board_config"
mtd7: 02000000 00010000 "fullflash"
mtd8: 00010000 00010000 "uboot-env"

I don't know my board revision though, but I think it's level 0. The other problem is the legal one: Can I just "share" the data or is there some copyright on it and someone can sue me for sharing?

One problem I still have with build 30357 is that libssl seems to be broken. Applications like radius, openvpn and openssl just hang in some kind of an endless loop and don't proceed.

Jacobi

Re: Buffalo WZR-HP-G450H Post 20025 Firmware Solution
« Reply #151 on: August 01, 2018, 08:13:58 am »
I've been able to get strace for build 30357 to find out more about where openssl gets stuck. For build 30357, you must take care to use newer ipkg packages of the tools, since that build is based on the musl version of libc; the older µClibc-based packages won't work any more (see also https://news.ycombinator.com/item?id=9941076).

That's what I get with openssl without any parameters:

root@DD-WRT:~# /tmp/ipkg/usr/bin/strace openssl
execve("/usr/sbin/openssl", ["openssl"], [/* 14 vars */]) = 0
set_thread_area(0x779f8f38)             = 0
set_tid_address(0x779f1e78)             = 30728
open("/lib/libssl.so.1.0.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/libssl.so.1.0.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=313004, ...}) = 0
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\0\311\0\0\0\0004"..., 936) = 936
mmap2(NULL, 380928, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x778f2000
mmap2(0x7794a000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x48000) = 0x7794a000
close(3)                                = 0
open("/lib/libcrypto.so.1.0.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/libcrypto.so.1.0.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=1462544, ...}) = 0
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\3\231@\0\0\0004"..., 936) = 936
mmap2(NULL, 1536000, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x7777a000
mmap2(0x778dd000, 81920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x153000) = 0x778dd000
mmap2(0x778f0000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x778f0000
close(3)                                = 0
open("/lib/libgcc_s.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=76572, ...}) = 0
read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\0(p\0\0\0004"..., 936) = 936
mmap2(NULL, 143360, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x77756000
mmap2(0x77778000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x12000) = 0x77778000
close(3)

And then it's stuck, no further progress and the process stays in state 'R' with 100% CPU. That means that, for example, you won't be able to utilize the Freeradius Service, as the bootstrap script of that service will have to call openssl several times to generate the certificate and the Diffie-Hellman parameters and such.

Jacobi

Re: Buffalo WZR-HP-G450H Post 20025 Firmware Solution
« Reply #152 on: August 01, 2018, 09:27:28 am »
Yes, it really seems that the libssl.so from build 30357 is broken. I was able to work around this and the freeradius service now seems to run again on my WZR-HP-G450H also with build 30357. At first, I downloaded the openssl-util and libopenssl ipkgs from the openwrt project:

http://archive.openwrt.org/snapshots/trunk/ar71xx/generic/packages/base/

I installed the packages in /tmp like this (of course you must get them to your Router before installation):

ipkg -d /tmp/ipkg install /tmp/<package>.ipkg

And after this I was able to bootstrap the Freeradius-Certificate manually (this is what's supposed to happen when you press the "Gen Cert" button on the Freeradius Service web dialog):

root@DD-WRT:/jffs/etc/freeradius/certs# LD_LIBRARY_PATH=/tmp/ipkg/lib:/tmp/ipkg/usr/lib PATH=/tmp/ipkg/bin:/tmp/ipkg/usr/bin:${PATH} ./bootstrap

I think the openssl-util ipkg is not even needed, also not overloading the PATH variable ... but this way libssl.so from the ipkg is used and that .so doesn't seem to hang but the bootstrap completes cleanly and you have a fresh certificate with everything.

And next, the Radius-Daemon with the alternative libssl must be started:

LD_LIBRARY_PATH=/tmp/ipkg/lib:/tmp/ipkg/usr/lib radiusd -d /jffs/etc/freeradius

Unfortunately, this must happen manually in an SSH login session. So it'll be painful to configure the service, as you'll have to use the web interface and start the service manually after every config change.
But at least it seems to work and I run a firmware that is not vulnerable to the dnsmasq-issue any more.

The next thing to investigate is the OpenVPN-Service; that daemon is linked to libssl.so as well.
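Added example (not part of the original posts): a small check that reads strace output and reports which copy of a shared library the dynamic loader actually opened, to confirm that an LD_LIBRARY_PATH override like the one above took effect. The "stock" sample repeats lines from the trace in reply #151; the "override" sample and the function names are constructed for illustration.

```shell
#!/bin/sh
# Print the path of every shared object that strace shows as opened
# successfully (return value is a file descriptor, not -1). Accepts the
# optional "[pid N] " or "N " prefixes that strace -f adds.
resolved_libs() {
    awk -F'"' '/^(\[pid +[0-9]+\] |[0-9]+ +)?open(at)?\(/ &&
               $2 ~ /\.so/ && $NF ~ /= [0-9]+$/ { print $2 }'
}

# usage: loaded_from NAME PREFIX < trace
# 0 = NAME was loaded from under PREFIX
# 1 = NAME was loaded from somewhere else (that path is printed)
# 2 = NAME was never loaded in this trace
loaded_from() {
    path=$(resolved_libs | awk -v n="/$1" 'index($0, n) && !seen { print; seen = 1 }')
    [ -n "$path" ] || return 2
    case "$path" in
        "$2"/*) return 0 ;;
        *)      echo "$path"; return 1 ;;
    esac
}

# Lines taken from the trace in reply #151 (firmware libraries).
stock_trace() {
cat <<'EOF'
open("/lib/libssl.so.1.0.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/libssl.so.1.0.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
open("/lib/libcrypto.so.1.0.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/libcrypto.so.1.0.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
open("/lib/libgcc_s.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
EOF
}

# Constructed sample: what a trace could look like with the override set.
override_trace() {
cat <<'EOF'
open("/tmp/ipkg/lib/libssl.so.1.0.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp/ipkg/usr/lib/libssl.so.1.0.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
[pid  412] open("/tmp/ipkg/usr/lib/libcrypto.so.1.0.0", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
EOF
}

stock_trace    | loaded_from libssl.so /tmp/ipkg >/dev/null || echo "stock: libssl not from /tmp/ipkg"
override_trace | loaded_from libssl.so /tmp/ipkg && echo "override: libssl from /tmp/ipkg"
```

To check a real daemon, save its trace with strace's -f and -o options and feed that file to loaded_from on stdin. Run the check again after each reboot or firmware change, since a daemon started without the override will load the firmware's own library.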

Jacobi

Re: Buffalo WZR-HP-G450H Post 20025 Firmware Solution
« Reply #153 on: August 02, 2018, 09:27:30 am »
Ok, also the openvpnserver works when using libssl.so from the libopenssl ipkg package from openwrt-snapshots.

My next question -> is there an outlook for a build 30357 with a functional libssl.so?