Differences

This shows you the differences between two versions of the page.

docs:guide-developer:adding_new_device [2017/10/20 10:56] – [/target/linux/<arch_name>/modules.mk] murix
docs:guide-developer:adding_new_device [2024/10/22 09:39] – Add note about using curl as an option. evs
Line 2: Line 2:
  
 A good all-round advice would be to start by looking at recent commits about adding a new device, to see what files where changed and how. Many files try to be as self-explanatory as possible, most of the times just opening them will be enough to understand their function. A good all-round advice would be to start by looking at recent commits about adding a new device, to see what files where changed and how. Many files try to be as self-explanatory as possible, most of the times just opening them will be enough to understand their function.
 +
 +===== Learn by example =====
 +
 +==== Search by grep locally ====
 +
 +A good method is learn by example, so you can do: 
 +
 +  grep -lri mt300a target/
 +
 +The result is minimal list of files required to add a new board:
 +
 +<code>
 +target/linux/ramips/base-files/etc/board.d/01_leds
 +target/linux/ramips/base-files/etc/board.d/02_network
 +target/linux/ramips/base-files/lib/upgrade/platform.sh
 +target/linux/ramips/base-files/lib/ramips.sh
 +target/linux/ramips/dts/GL-MT300A.dts
 +target/linux/ramips/image/mt7620.mk
 +</code>
 +
 +==== Search by Git commit ====
 +
 +[[https://git.openwrt.org/?p=openwrt%2Fopenwrt.git&a=search&h=HEAD&st=commit&s=add+support+for|Browse the source filtered by "add support for"]] and checkout the ''diff'' for newly added device
 +
 +===== Important files =====
  
 This is a general map of where most important files are located: This is a general map of where most important files are located:
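Review bot: The grep example under "Search by grep locally" never says that mt300a is only one board picked as a reference, so a reader cannot tell what to substitute for their own device; say so in the sentence before the command, and fix the wording while there ("A good method is to learn by example", "The result is a minimal list of files"). Under "Search by Git commit", "checkout the diff" should read "check out the diff", and the sentence is missing its closing period.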
Line 17: Line 42:
   * **…diag.sh** defines what is the led to use for error codes for each board   * **…diag.sh** defines what is the led to use for error codes for each board
  
 +//Note that some of these functions are now done in the DTS for the board.//
 ==== /target/linux/<arch_name>/base-files/lib/… ==== ==== /target/linux/<arch_name>/base-files/lib/… ====
  
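Review bot: The added line "Note that some of these functions are now done in the DTS for the board." does not say which of the base-files entries listed above it is meant, so the reader cannot act on it; name the files concerned (the list it follows ends with diag.sh). The note also runs straight into the following heading, so add a blank line after it.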
Line 35: Line 61:
 Device tree source files, or dts for short. Device tree source files, or dts for short.
  
 +//Certain architectures have the DTS directory deeper down. ARM devices, for example, typically have it located at ''files-X.yy/arch/arm/boot/dts/''//
 +
 +//If the DTS or DTSI file is already present in upstream Linux, they will usually not be present in the OpenWrt source. Configuring for the target and running ''make target/linux/{clean,prepare}'' will download and patch Linux, allowing the resulting file to be found in the ''build_dir''//
 ==== /target/linux/<arch_name>/image/ ==== ==== /target/linux/<arch_name>/image/ ====
  
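Review bot: Both added DTS notes rely on placeholders that are never explained: ''files-X.yy'' in the first and a bare ''build_dir'' in the second. Say what X.yy stands for, and give the reader a path pattern or a search command to locate the file under build_dir after ''make target/linux/{clean,prepare}''. In the second note, "If the DTS or DTSI file is already present ... they will usually not be present" mixes singular and plural, and the note needs a blank line before the heading that follows it.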
Line 46: Line 75:
  
 Arch-specific kernel module config file for menuconfig Arch-specific kernel module config file for menuconfig
- 
  
 ==== Making new device appear in make menuconfig ==== ==== Making new device appear in make menuconfig ====
Line 52: Line 80:
 After edit the files above, you need to touch the makefiles After edit the files above, you need to touch the makefiles
  
-touch target/linux/*/Makefile+  touch target/linux/*/Makefile 
 ===== Patches ===== ===== Patches =====
 The patches-* subdirectories contain the kernel patches applied for every target.\\  The patches-* subdirectories contain the kernel patches applied for every target.\\ 
Line 71: Line 100:
 All patches must be written in a way that they are potentially upstreamable, meaning: All patches must be written in a way that they are potentially upstreamable, meaning:
  
-- they must contain a proper subject\\ +  - they must contain a **proper subject** 
-- they must contain a proper commit message explaining what they change\\ +  - they must contain a **proper commit message** explaining what they change 
-- they must contain a valid Signed-off-by line\\+  - they must contain a **valid Signed-off-by line**
 </WRAP> </WRAP>
  
 ===== Testing images ===== ===== Testing images =====
-Test firmware images without writing them to flash by using ramdisk images.\\+Test firmware images without writing them to flash by using ramdisk images.
  
-In **make menuconfig** select **Target Images** and then you can select the **ramdisk** option.\\+In **make menuconfig** select **Target Images** and then you can select the **ramdisk** option.
  
 This will create an image with kernel + initramfs, that will have **initramfs** in the name. The resulting image can be loaded in the device through the bootloader's tftp function and should boot to a prompt without relying on flash/filesystem support. This will create an image with kernel + initramfs, that will have **initramfs** in the name. The resulting image can be loaded in the device through the bootloader's tftp function and should boot to a prompt without relying on flash/filesystem support.
Line 85: Line 114:
 ===== Tips and tricks ===== ===== Tips and tricks =====
 ==== Getting a shell on the target device ==== ==== Getting a shell on the target device ====
-In order to collect relevant data for a port of LEDE to the device of interest one wants shell access. Most devices though do not offer a way to get a shell with telnet or ssh.+In order to collect relevant data for a port of OpenWrt to the device of interest one wants shell access. Most devices though do not offer a way to get a shell with telnet or ssh. 
 +=== Abuse Unsanitized User Input === 
 +Some router offers ping test or NTP server configuration and may not properly sanitize user input. Try to enter shell script and see if you are lucky. You may need some ''javascript'' knowledges to disable client-side input validation. 
 +== Starting telnetd == 
 +<code bash> 
 +$( /bin/busybox telnetd -l/bin/sh -p23 & ) 
 +</code> 
 +== Obtain the password hash using HTTP or use ''sed'' to delete/change the default password if telnet login is required == 
 +<code bash> 
 +$( cp /etc/shadow /www ) 
 +$( cp /etc/passwd /www ) 
 +</code> 
 +Then try to download them to your computer and crack the hash
  
-With [[https://wiki.openwrt.org/toh/netgear/telnet.console|netgear-telnetenable]] many Netgear devices can be opened up for telnet access. Also see [[https://github.com/insanid/NetgearTelnetEnable|GitHub: insanid/NetgearTelnetEnable]].+=== Downgrade to older firmware === 
 +Some router may try to download a firmware file (e.g. [[toh:tp-link:archer_c2_ac750|TP-Link Archer C2 AC750]]) from specific private IP at the beginning of booting, which allow user to downgrade to older firmware 
 + 
 +=== Downgrade by Serial access === 
 +Serial access may allow you to enter console mode of u-boot for flashing/loading other firmwareUsually soldering is required. 
 +See [[docs:guide-user:installation:generic.flashing.serial|Generic flashing over the Serial port]] 
 + 
 +=== HTTP Server Vulnerability === 
 +Some routers may be running outdated/insecure HTTP server and may be vulnerable to buffer overflow or other attack 
 + 
 +=== Netgear === 
 +With [[toh:netgear:telnet.console|netgear-telnetenable]] many Netgear devices can be opened up for telnet access. Also see [[https://github.com/insanid/NetgearTelnetEnable|GitHub: insanid/NetgearTelnetEnable]].
 When such means cannot be used, one could try to flash an image build from the sources published by the vendor with telnetd enabled. When such means cannot be used, one could try to flash an image build from the sources published by the vendor with telnetd enabled.
  
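Review bot: The "Starting telnetd" and password-hash snippets leave the device exposed and the text never says to undo them: ''telnetd -l/bin/sh -p23'' keeps a shell with no login listening on port 23, and ''cp /etc/shadow /www'' leaves the password hashes in the directory the heading says is reachable over HTTP. Add a sentence telling the reader to do this only on an isolated network, and to stop telnetd and delete the copies from /www once the data has been collected. The heading "Obtain the password hash using HTTP or use sed to delete/change the default password" also promises a sed step that no snippet shows; either add it or shorten the heading. "crack the hash", "downgrade to older firmware" and "or other attack" are all missing their closing period, and "firmwareUsually" has lost the period and space between its two sentences.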
Line 96: Line 148:
  
 Typically one can use the following commands: Typically one can use the following commands:
-  dmesg                          # log buffer might be to small, see note 1. 
-  cat /proc/cmdline 
-  cat /proc/cpuinfo 
-  cat /proc/meminfo 
-  cat /proc/devices 
-  ls /sys/devices/platform 
-  cat /proc/mtd 
-  cat /sys/class/mtd/mtd*/offset # Linux 4.1 and newer, see note 2. 
-  ifconfig -a 
-  ls /sys/class/net 
-  brctl show 
-   
-Note 1: Often the log buffer is to small and the earliest messages may be missing from the information retrieved with ''dmesg''. If one build a stock image from the sources the vendor has published, a larger buffer size can be set within the kernel config. 
  
-Note 2: http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-class-mtd+<code bash> 
 +dmesg                          # log buffer might be to small, see note 1. 
 +cat /proc/cmdline 
 +cat /proc/cpuinfo 
 +cat /proc/meminfo 
 +cat /proc/devices 
 +ls /sys/devices/platform 
 +cat /proc/mtd 
 +cat /sys/class/mtd/mtd*/offset # Linux 4.1 and newer, see note 2. 
 +ifconfig -a 
 +ls /sys/class/net 
 +brctl show 
 +cat /sys/kernel/debug/gpio     # GPIO information 
 +</code> 
 + 
 +**Note 1:** Often the log buffer is to small and the earliest messages may be missing from the information retrieved with ''dmesg''. If one build a stock image from the sources the vendor has published, a larger buffer size can be set within the kernel config. 
 + 
 +**Note 2:** [[http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-class-mtd]]
  
 Another useful tool for getting information for setting LEDs might be [[https://github.com/jclehner/gpiodump-mt7620|gpiodump]], a MT7620 GPIOMODE register dumper (RAMIPS). Another useful tool for getting information for setting LEDs might be [[https://github.com/jclehner/gpiodump-mt7620|gpiodump]], a MT7620 GPIOMODE register dumper (RAMIPS).
  
 ==== Getting collected data from a device ==== ==== Getting collected data from a device ====
-Sometimes no normal means such as scp or ftp are available for retrieving files from device. Still one could use httpd and busybox its mount command to do soHow? +Because of the limited space, common file transfer utilities such as rsync/curl/ssh/scp/ftp/http/tftp may not be availablestripped down version/applet may be available from busybox. 
-Assume the files with relevant data on the device with IP address ''192.168.0.123'' are stored under ''/tmp'' and pages of the web interface are served from ''/www''+ 
-On the device do+Assume the router ip is ''192.168.0.123'', and the file to be transfer located at ''/tmp/important-data.txt''.  
-  cp important-data.txt /tmp +  
-  mount -o bind /tmp /www +=== HTTP by ''httpd'' and ''busybox mount'' === 
-After that the data on the host connected to the device do: +If the web interface are served from ''/www''
-  wget http://192.168.0.123/important-data.txt + 
-  +== Sender == 
 +<code bash> 
 +mount -o bind /tmp /www 
 +</code> 
 + 
 +== Receiver == 
 +<code bash> 
 +wget http://192.168.0.123/important-data.txt 
 +</code> 
 + 
 +=== FTP by ''busybox ftpput'' === 
 +== Receiver == 
 +Setup an FTP server. Add an anonymous account with write permission 
 + 
 +<code bash> 
 +python -m pyftpdlib -w -p 21 
 +</code> 
 +== Sender == 
 +<code bash> 
 +busybox ftpput 192.168.0.123 important-data.txt /tmp/important-data.txt  
 +</code> 
 + 
 +=== netcat by ''busybox nc'' === 
 +== Receiver == 
 +<code bash> 
 +busybox nc -l -p 12345 > important-data.txt  
 +</code> 
 +== Sender == 
 +<code bash> 
 +cat /tmp/important-data.txt | busybox nc 192.168.0.123:12345  
 +</code> 
 + 
 +=== TFTP by ''busybox tftp'' === 
 +== Receiver == 
 +Setup a tftp server  
 + 
 +== Sender ==  
 +<code bash> 
 +busybox tftp -p -l /tmp/important-data.txt -r important-data.txt 192.168.0.123 
 +</code> 
 + 
 +=== Use Curl to upload === 
 +Depending on what is compiled into your curl binary if available you may also be able to auth, use ftp/tftp etc. 
 +"It supports these protocols: DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, 
 +       HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET,  TFTP,  WS 
 +       and WSS. The command is designed to work without user interaction. 
 +
 +Extract from curl man page: 
 +<code> 
 +       -T, --upload-file <file> 
 +              This transfers the specified local file to the remote URL. If there is no file part in the specified URL, curl will  append 
 +              the  local  file  name.  NOTE that you must use a trailing / on the last directory to really prove to Curl that there is no 
 +              file name or curl will think that your last directory name is the remote file name to use. That will most likely cause  the 
 +              upload operation to fail. If this is used on an HTTP(S) server, the PUT command will be used. 
 + 
 +              Use  the  file name "-" (a single dash) to use stdin instead of a given file.  Alternately, the file name "." (a single pe‐ 
 +              riod) may be specified instead of "-" to use stdin in non-blocking mode to allow reading server output while stdin is being 
 +              uploaded. 
 + 
 +              You can specify one -T, --upload-file for each URL on the command line. Each -T, --upload-file + URL pair specifies what to 
 +              upload and to where. curl also supports "globbing" of the -T, --upload-file argument, meaning that you can upload  multiple 
 +              files to a single URL by using the same URL globbing style supported in the URL. 
 + 
 +              When  uploading  to  an SMTP server: the uploaded data is assumed to be RFC 5322 formatted. It has to feature the necessary 
 +              set of headers and mail body formatted correctly by the user as curl will not transcode nor encode it further in any way. 
 + 
 +              -T, --upload-file can be used several times in a command line 
 + 
 +              Examples: 
 +               curl -T file https://example.com 
 +               curl -T "img[1-1000].png" ftp://ftp.example.com/ 
 +               curl --upload-file "{file1,file2}" https://example.com 
 + 
 +              See also -G, --get and -I, --head. 
 + 
 +</code> 
 +=== Copy from terminal === 
 +If all of the above tools/applets are unavailable, you may copy from telnet terminal but it may not work for binary file. 
 + 
 +base64 would be a common choice to work around this limitation, but many routers lack such a command. You can first escape binary data to screen-safe hexadecimal by piping to busybox hexdump on the router: 
 +<code bash> 
 +hexdump -v -e '/1 "%02x"' 
 +</code> 
 +You can then reverse it on the computer with the following command: 
 +<code bash> 
 +xxd -r -p 
 +</code> 
 + 
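Review bot: In the FTP, netcat and TFTP sections the sender commands point at 192.168.0.123, which the introduction to this section defines as the router itself; since the sender is the router and the receiver is the computer, these commands need the computer's address, so introduce a second example address for it. The netcat sender also writes its target as ''192.168.0.123:12345'' while the receiver passes the port separately with ''-p''; busybox nc takes host and port as two arguments. In the HTTP section, note that ''mount -o bind /tmp /www'' hides the web interface until ''umount /www'' is run. The "Use Curl to upload" section quotes the man page at length without showing one command for this transfer; replace the extract with a single ''curl -T'' line for /tmp/important-data.txt.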
  • Last modified: 2024/10/23 03:53
  • by evs