[PATCH] FritzBox-4040-UBOOT: Allow for easier devices recovery

Mathias Kresin dev at kresin.me
Tue Nov 23 11:03:40 PST 2021


11/23/21 12:20 PM, David Bauer:
> Hello Enrico,
> 
> On 11/22/21 11:55, Enrico Mioso wrote:
>> When flashing a broken kernel, or an image where failsafe mode is no 
>> more accessible, recovering these devices can become needlessly painful.
>> Allow for easier recovery by unconditionally trying to get an 
>> initramfs image over TFTP once before booting, thereby giving the user 
>> a chance to sysupgrade to a working image.
> 
> As I've already explained, I don't like increasing the time necessary 
> for the device to boot.
> Also, introducing such a method on a 4040 does not make sense, as its NOR 
> flash can be rewritten
> from EVA.
> 
> That being said, unconditionally requesting a bootable image over the 
> network is a security
> risk in itself.

I second that! Introducing a potential point of attack while having an 
easy way of recovery via the EVA bootloader, is a no go.

Best regards
Mathias

> NAND based ipq40xx boards from AVM also only allow 
> connections to their
> bootloader on cold-boots for exactly this reason.
> 
> For example, if an attacker is able to create a kernel-panic, your patch 
> would enable him
> to modify the router in case he is on the same network. A Pushbutton 
> TFTP procedure mitigates
> this problem, as it depends on the attacker having physical access to 
> the device.
> 
> Recovery is - for all boards - possible using the AVM recovery tool or 
> manually patching the
> U-Boot and sideloading via EVA. So a network request for a boot image 
> raises more problems than
> it tries to solve.
> 
> Best
> David
> 
>>
>> Signed-off-by: Enrico Mioso <mrkiko.rs at gmail.com>
>> CC: Christian Lamparter <chunkeey at gmail.com>
>> CC: David Bauer <mail at david-bauer.net>
>> ---
>>
>> Reasons for this patch:
>> 1 - There are situations where it can be nice to recover a device 
>> without the AVM Recovery tool. In some cases the tool won't even be an 
>> option (as far as I know, it exists only for Windows, or am I wrong?).
>> 2 - Since the effort of creating a second-stage bootloader for these 
>> devices has been carried out (thanks a lot for this!), I think it 
>> makes sense to allow for things to be more friendly to developers and 
>> users.
>>
>> Side effects:
>> When nandboot fails, there will be TWO tftp requests with no delay 
>> between them, then the sleep will kick in.
>>
>> Possible "improvements":
>> Implementing a push-button method may be preferred. Still, I have no 
>> easy way to attach an UART to the device right now.
>> Moreover, being able to do this "more" remotely would be a valuable 
>> feature to me.
>>
>> Enrico
>>
>>   include/configs/fritz1200.h | 2 +-
>>   include/configs/fritz3000.h | 2 +-
>>   include/configs/fritz4040.h | 2 +-
>>   include/configs/fritz7530.h | 2 +-
>>   4 files changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/include/configs/fritz1200.h b/include/configs/fritz1200.h
>> index 90d5186..16152a3 100644
>> --- a/include/configs/fritz1200.h
>> +++ b/include/configs/fritz1200.h
>> @@ -23,7 +23,7 @@
>>       "mtdparts=" MTDPARTS_DEFAULT "\0"            \
>>       "nandboot=ubi part ubi && ubi read 0x85000000 kernel && 
>> bootm\0"    \
>>       "tftpboot=tftpboot && bootm; sleep 5; run tftpboot\0"    \
>> -    "fritzboot=run nandboot || run tftpboot;\0"        \
>> +    "fritzboot=tftpboot && bootm; run nandboot || run 
>> tftpboot;\0"        \
>>   #undef V_PROMPT
>>   #define V_PROMPT        "(" CONFIG_MODEL ") # "
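
Review bot: the new `fritzboot` value puts `tftpboot && bootm` ahead of `run nandboot`, so every boot, including a reboot after a crash, asks the network for an image and boots whatever comes back before the flash image is even tried. Any host on the same segment that answers the TFTP request then supplies the kernel, and every normal boot is lengthened by the TFTP attempt. Keep the original order (`run nandboot || run tftpboot`) and make an early network attempt conditional on a button held at power-on, so that it requires physical access.
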
>> diff --git a/include/configs/fritz3000.h b/include/configs/fritz3000.h
>> index e383ffb..3440550 100644
>> --- a/include/configs/fritz3000.h
>> +++ b/include/configs/fritz3000.h
>> @@ -23,7 +23,7 @@
>>       "mtdparts=" MTDPARTS_DEFAULT "\0"            \
>>       "nandboot=ubi part ubi && ubi read 0x85000000 kernel && 
>> bootm\0"    \
>>       "tftpboot=tftpboot && bootm; sleep 5; run tftpboot\0"    \
>> -    "fritzboot=run nandboot || run tftpboot;\0"        \
>> +    "fritzboot=tftpboot && bootm; run nandboot || run 
>> tftpboot;\0"        \
>>   #undef V_PROMPT
>>   #define V_PROMPT        "(" CONFIG_MODEL ") # "
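
Review bot: the replaced `fritzboot` line here is identical to the one in fritz1200.h, and the same edit is repeated in fritz4040.h and fritz7530.h. Four hand-maintained copies of a boot policy will drift apart; define the sequence once in a shared header and reference it from each board config, so that a later change (a button check, a different retry order) lands in one place.
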
>> diff --git a/include/configs/fritz4040.h b/include/configs/fritz4040.h
>> index 060afb0..582edfd 100644
>> --- a/include/configs/fritz4040.h
>> +++ b/include/configs/fritz4040.h
>> @@ -23,7 +23,7 @@
>>       "mtdparts=" MTDPARTS_DEFAULT "\0"            \
>>       "nandboot=nboot firmware && bootm\0"            \
>>       "tftpboot=tftpsrv && bootm; sleep 5; run tftpboot\0"    \
>> -    "fritzboot=run nandboot || run tftpboot;\0"        \
>> +    "fritzboot=tftpboot && bootm; run nandboot || run 
>> tftpboot;\0"        \
>>   #undef V_PROMPT
>>   #define V_PROMPT        "(" CONFIG_MODEL ") # "
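
Review bot: on this board the existing fallback is `tftpboot=tftpsrv && bootm; ...`, but the prefix added to `fritzboot` calls `tftpboot && bootm`, the same text used in the other three configs. The early attempt therefore uses a different command than this board's own recovery path. Either use the command the fallback uses, or state in the commit message why the 4040 should behave differently before and after `run nandboot`.
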
>> diff --git a/include/configs/fritz7530.h b/include/configs/fritz7530.h
>> index b07ecfc..caecd5d 100644
>> --- a/include/configs/fritz7530.h
>> +++ b/include/configs/fritz7530.h
>> @@ -23,7 +23,7 @@
>>       "mtdparts=" MTDPARTS_DEFAULT "\0"            \
>>       "nandboot=ubi part ubi && ubi read 0x85000000 kernel && 
>> bootm\0"    \
>>       "tftpboot=tftpboot && bootm; sleep 5; run tftpboot\0"    \
>> -    "fritzboot=run nandboot || run tftpboot;\0"        \
>> +    "fritzboot=tftpboot && bootm; run nandboot || run 
>> tftpboot;\0"        \
>>   #undef V_PROMPT
>>   #define V_PROMPT        "(" CONFIG_MODEL ") # "
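
Review bot: when `run nandboot` fails, the new sequence falls through to `run tftpboot`, whose first step is again `tftpboot && bootm`, so the request that just failed is repeated immediately and `sleep 5` only takes effect after the second failure. If the early attempt stays, the retry after a failed `nandboot` should begin with the delay rather than with another request, and a comment next to `fritzboot` should document the resulting order.
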
>>
> 