Custom firmware build for Orbi RBK50 v. 2.5.0.42SF-HW

[Voxel]

Initial custom firmware build for Orbi RBK50 2.5.0.42SF-HW.

It is based on the stock firmware v. 2.5.0.40

What was changed, only major changes (vs stock 2.5.0.40):

1. Kernel: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 security fixes are added.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479​

2. Kernel: Congestion Control Algorithms: Westwood+, YeAH, HSTCP, Vegas are added (CCA Westwood+ is set as default).
3. Kernel: RNDIS kernel object compilation is added.
4. Kernel: NG/DNI changes to set 777 permission rights for all file (ext2/ext3/ext4 filesystems) are removed to provide normal Linux native security.
5. Toolchain: GCC 5.2.0 compiler is updated to GCC 5.5.0 (plus all patches from OpenWRT).
6. Toolchain: Binutils Linaro 2.24.0-2014.09 is updated to GNU version 2.32.
7. Toolchain: GDB Linaro 7.6-2013.05 is updated to GDB 8.3.1.
8. Compilation: Default compiler options are changed from
-Os -pipe -march=armv7-a -mtune=cortex-a7 -mfloat-abi=soft
to
-O2 -pipe -mcpu=cortex-a7 -mtune=cortex-a7 -mfpu=neon-vfpv4 -funsafe-math-optimizations -mfloat-abi=softfp
(Common performance: higher level of optimization, using neon SIMD instructions, Cortex-A7 extended instructions and true hardware floating-point instructions [instead of pure software floating-point emulation and pure ARMv7-A instructions])
9. OpenSSL 1.0.2 is significantly changed. This needs in detailed explanations.

(a) Upgraded to latest version 1.0.2t.
(b) ASM/Neon SIMD accelerations are added. Benchmarks (OpenSSL utility):
Stock 2.5.0.40 (openssl speed aes-256-cbc -elapsed)

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc       7052.33k     7076.09k     7229.18k     7222.48k     6976.13k

My version:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc      12696.43k    13449.48k    13707.96k    13952.61k    13862.75k

So my version is almost twice faster.
(c) Hardware acceleration is enabled (use of /dev/crypto hardware). It seems that NG and/or DNI had the intentions to add such acceleration (probably design by QCA) but they failed; so de facto hardware acceleration of OpenSSL does not work in the stock fw. Benchmarks (OpenSSL utility):
Stock 2.5.0.40 (openssl speed -evp aes-256-cbc -elapsed)

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc       6515.24k     6907.97k     6751.23k     7051.95k     7097.00k

My version:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc        228.46k      857.39k     3464.87k    13802.84k    49010.01k

I.e. for example for 8KB blocks my version is in 7 times faster, thus hardware acceleration is working.
[NOTE: Specific of crypto device (it is PCI device) is that when using small blocks (less than 1KB) it will be slower vs ordinary version. But as far as I can guess OpenSSL 1.0.2 is used for connection of router with satellites and is using not less that 1KB blocks. At least my tests with iperf3 do not show any degradation of router <- - -> satellite speed when using hardware acceleration of OpenSSL 1.0.2, rather vice versa]​

10. OpenSSL 1.1.1 is added (latest version 1.1.1d) . Currently it is used by OpenVPN, wget and stubby/getdns (TLS 1.3). Hardware acceleration of OpenSSL 1.1.1 is not enabled (but only ASM/Neon SIMD) because of its primary goal its using by OpenVPN and OpenVPN works faster w/o hardware acceleration of OpenSSL 1.1.1.
11. OpenVPN server is upgraded to v. 2.4.8. Plus optimization of servers/clients configs and using external liblz4 (boost).
12. samba package is upgraded to version 3.6.25 with all available patches. Plus: samba is enabled by default so if you have MBR USB disk/dongle attached to router/satellite its first partition will be used for samba sharing automatically after reboot and you can map it to e.g. your Windows PC. Sharename is “USB”. For example \\192.168.1.1\USB. It could be mapped for an user: guest (no password, read-only access), admin (your HTTP password, ordinary user’s write access according to permissions of folders on USB), root (your HTTP password, full root access to all files/disks).
13. zlib package is upgraded to version 1.2.11.
14. redis package is upgraded to version 2.6.17.
15. dbus package is upgraded to version 1.12.12.
16. lzo package is upgraded to version 2.10.
17. dnsmasq package is upgraded to version 2.80 with specific NG/DNI changes.
18. expat package is upgraded to version 2.2.9.
19. tar package is upgraded to version 1.32.
20. unzip package is upgraded to version 6.0.
21. wget package is upgraded to version 1.20.3.
22. util-linux package is upgraded to version 2.34.
23. lua package is changed (adding some patches).
24. gettext package is upgraded to version 0.19.8.1.
25. ncurses package is upgraded to version 6.1.
26. e2fsprogs package is upgraded to version 1.44.5.
27. libjson-c package is upgraded to version 0.13.1.
28. curl/libcurl package is upgraded to version 7.66.0.
29. britge-utils package is upgraded to version 1.6.
30. libmnl package is upgrade to version 1.0.4.
31. jansson package is upgraded to version 2.12.
32. liblz4 package version 1.9.2 is added (used by OpenVPN).
33. avahi package version 0.7 is added (used by samba).
34. libdaemon package version 0.14 is added (used by avahi).
35. gdbm package version 1.18.1 is added (used by avahi).
36. DNSCrypt-Proxy-2 package version 2.0.33 is added.

to enable it run from telnet console the commands

nvram set dnscrypt2=1
nvram commit
reboot

37. stubby (DNS-Over-TLS) package version 0.2.6 is added.

to enable it run from telnet console the commands

nvram set stubby=1
nvram commit
reboot

If both DNSCrypt-Proxy-2 and stubby are enabled, only stubby will be used.
38. unbound package version 1.9.5 is added (used by stubby).
39. getdns package version 1.5.2 is added (used by stubby).
40. yaml package version 0.2.2 is added (used by stubby).
41. haveged package version 1.9.8 is added.
42. ca-certificates package version 20190110 is added.
43. usb-modeswitch package version 2017-12-19 is added with database 20170806.
44. libusb package version 1.0.22 is added.
45. libusb-compat package version 0.1.5 is added.
46. mp707 package is added.
47. dropbear package version 2019.78 is added.
48. iperf3 package is added (testing connection speed).
49. hotplug2 package is enabled and changed (allowing use of Entware from USB disk and /overlay partition on USB allowing changes of files/dirs.).
50. alsalib, px5g, polarssl/mbedtls, libevent2, sqlite3, mxml, libjpeg/jpeg-tools, cyassl, uclibcxx, libnice, glib2, libffi and some others are disabled (because of they are not used now, to save a space).
51. Several bugs are fixed. Yet several packages are changed/optimized/corrected.
52. Etc. etc.

NOTE: Your WebGUI could display after time passed that “New version of firmware is available”. Beware: it is not my message, but from NETGEAR server (new stock version) and if you start upgrading newer version it will flash the new stock version.

The link is:

https://www.voxel-firmware.com/Downloads/Voxel/html/browse.html

(thanks to vladlenas for his help with hosting).

Thanks to W1lliam for his help in testing.

Voxel.

 

[e38BimmerFN]

I think some people are going to like this.
I'll be giving this a try as well. Thank you Sir.

 

[100won]

Wow, finally Sir released the first firmware for Orbi50.
I read post from Chinese's forum by google translate, the author enabled the third band of 5.8G 1733Mbps.

Link: https://koolshare.cn/thread-146122-1-1.html

 

[100won]

Hi,

Their firmware in here: https://firmware.koolshare.cn/Koolshare_NETGEAR_Official_Mod/Orbi50/

The author builded custom firmware for RBS50 to RBR50.
After this post I will upload your firmware Sir. It's happy when I am soonest people use Voxel's firmware.

Thank you Sir~

 

[e38BimmerFN]

One item regarding stock FW and not sure if it might be seen in Voxels.

• Starting with v38 stock FW, there is a custom device naming issue that was introduced in this version of FW. Device Type and Device Name won't to keep after the user makes the change and applys the change. Some have said that v40 fixes this and some said it doesn't. Personal experience with v40 doesn't work for me. Thought not majorly important to me. Seems to be with others. Also was not officially mentioned in release notes about any fixes for this issue in v40 or now the officially supported v34 version of stock FW. These versions only fix a certificate issue that was expired.
• Also the attached devices web page keeps refreshing on it's own and there is no way to disable this or set a refresh time frame.

So not sure if this is something Voxel is aware of or could have already fixed in his FW build or not.

• Also something to request, any chance of putting in a reboot button on the RBS UI web page so that users can reboot the RBS remotely instead of having to psychically go to the RBS and power it off and back on? Button would be same operation as RBRs reboot button. This would be a convenience factor.

 

[100won]

Hi,

Firmware V2.3.5.30: In Basic - Attached Devices tab display: icon, device name. And display "Add Orbi Satellite feature"
Custom firmware has nothing but I don't care because I change Orbi to AP Mode.
Sir, can you enable region selection in Advanced Wireless Settings?
And can you customize VLAN with Ports, Wireless Network in AP Mode such Unifi?

 

[Voxel]

FYI: I've got this unit only two weeks ago. Well, only tomorrow will be exactly two weeks. So I cannot know all its issues (stock fw). Step-by-step. I rather worked with sources of firmware. Correcting bugs I found and including correction to my version. For example, I see the scripts in the stock version which is not executable (file attributes). Therefore it will not work. I fix it and it is working in my version. Or lost binary called from another script but missed by NG/DNI. Or this not workable hardware acceleration of OpenSSL. So maybe some issue visible for owners of Orbi are already fixed. Goal of the first release is to be better than stock 2.5.0.40. But not worse.

Main accent is stability and acceleration of its work. Plus fixing all bugs I see right now. E.g. kernel CVE: it is dangerous to use stock 2.5.0.40 connecting it directly to Internet.

P.S.

But I did not get yet any feedback. Only from W1lliam who said that in his feeling the speed was increased and it is fine.

Voxel.

 

[pege63]

Wow, finally Sir released the first firmware for Orbi50.
I read post from Chinese's forum by google translate, the author enabled the third band of 5.8G 1733Mbps.

Link: https://koolshare.cn/thread-146122-1-1.html

I don't see any benefits in making this band visible as it is specifically made for backhaul between the satellites and the router.

 

[Voxel]

I don't see any benefits in making this band visible as it is specifically made for backhaul between the satellites and the router.

Agree. And other thing: as far as I understand this is "MOD" i.e. hacking binary version of official firmware. I deal with source codes. Normal compilation. Modification of binary is not interesting and illegal I think. And I prefer to avoid any illegal stuffs.

P.S.
And BTW, sorry, but I do not understand Chinese...

Voxel.

 

[e38BimmerFN]

For what it's worth, I would not trust any modded FW from China. Nobody knows what they put in that FW that could be collecting user data.

My 2 cents.

 

[e38BimmerFN]

Thanks for letting us know about your new operations with the Orbi. We are looking forward to experienced good FW, step by step.

I wanted to bring to your attention only of what some of the issues were in recent stock fw. Just so you know if you hadn't. I frequent the NG Orbi forums to stay well informed of whats going on with Orbi and it's users.

Feel free to add me to your FW beta tester group should you wish to have some additional help in testing your builds out prior to release.

I'll get your v42 loaded this weekend as i'm currently using v40 stock. Is this Kernal CVE only with v40 stock or is it present in prior versions of FW?

Thank you again for all that you do.

FYI: I've got this unit only two weeks ago. Well, only tomorrow will be exactly two weeks. So I cannot know all its issues (stock fw). Step-by-step. I rather worked with sources of firmware. Correcting bugs I found and including correction to my version. For example, I see the scripts in the stock version which is not executable (file attributes). Therefore it will not work. I fix it and it is working in my version. Or lost binary called from another script but missed by NG/DNI. Or this not workable hardware acceleration of OpenSSL. So maybe some issue visible for owners of Orbi are already fixed. Goal of the first release is to be better than stock 2.5.0.40. But not worse.

Main accent is stability and acceleration of its work. Plus fixing all bugs I see right now. E.g. kernel CVE: it is dangerous to use stock 2.5.0.40 connecting it directly to Internet.

P.S.

But I did not get yet any feedback. Only from W1lliam who said that in his feeling the speed was increased and it is fine.

Voxel.

 

[Voxel]

Is this Kernal CVE only with v40 stock or is it present in prior versions of FW?

In all versions of the stock fw for Orbi.

Feel free to add me to your FW beta tester group should you wish to have some additional help in testing your builds out prior to release.

Thank you.

Voxel.

 

[Thomas Murphy]

Thank you for doing this Voxel. I updated this morning - everything appears to have worked well.

 

[CrimpOn]

What a fascinating project. Thanks. Rather than flash my Orbi "back and forth", perhaps it is more prudent to purchase a used RBR50 to experiment with when the family is not home and then swap the stock Orbi back in when they are glued to their devices. Is the configuration file identical between stock firmware and your firmware?

When Netgear releases new firmware that fixes their "device mess", I hope you update your firmware as well.

I have noticed that although Netgear has a web site for "suggestions", they seldom seem to incorporate any of them into the product. https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home

Do you intend to make any functional improvements, such as:

• Allow the user to "sort by columns" on tables, such as the Attached Devices web page.
  Other Netgear routers allow the user to sort by Name, IP address, Mac address, etc.
  When I am looking to see if a device is on-line, it is a real chore to scan through all 50+ of them looking for a known IP address.
• When a remote login is rejected, show the bad password that was entered in the log file.
  I have one Orbi that I suspect VPN access will be unstable and have enabled Remote Management.
  Naturally, this attracts attacks. I have a long, complicated admin password, so I am not TOO worried,
  but it would be useful to see how they are attacking. i.e. is it a sequential search? a dictionary attack? common passwords?

 

[e38BimmerFN]

Ok, got my RBK50 system loaded today. Just migrated to Voxels v42 and didn't factory reset anything.
Love the picture icons of course. More modern looking. Easy on the eyes.


First speed test with out a factory reset on the RBR is a bit low: 900/50Mbps ISP

This was with the ISP CM 1100 modem rebooted as well. Possible other factors to slower speed results is that it's a holiday, other people on the line and such. Still not too bad.
I'll try a reset on the RBR at some point.

Gonna do some gaming with two consoles connected and see how things go this week and weekend.

 

[Voxel]

Is the configuration file identical between stock firmware and your firmware?

I do not quite understand what configuration file do you mean... If linux kernel config: no, there are changes. If package build config in GPL: no, there are changes. If /etc/sysctl.conf : also changed.

Do you intend to make any functional improvements, such as:

• Allow the user to "sort by columns" on tables, such as the Attached Devices web page.
  Other Netgear routers allow the user to sort by Name, IP address, Mac address, etc.
  When I am looking to see if a device is on-line, it is a real chore to scan through all 50+ of them looking for a known IP address.
• When a remote login is rejected, show the bad password that was entered in the log file.
  I have one Orbi that I suspect VPN access will be unstable and have enabled Remote Management.
  Naturally, this attracts attacks. I have a long, complicated admin password, so I am not TOO worried,
  but it would be useful to see how they are attacking. i.e. is it a sequential search? a dictionary attack? common passwords?

I am not ready yet to answer all the questions. I own this gadget two weeks only. Of course I intend to add fixes from the next NG stock to my build. Regarding other: I cannot fix everything. There are binaries (pre-built) modules in the stock GPL sources, I do not have all source codes. So I fix what I can. Similar to my builds for R7800/R9000.

P.S.

I have one Orbi that I suspect VPN access will be unstable and have enabled Remote Management.

BTW OpenVPN should be stable. I'd not recommend Remote Management for any router. Including Orbi.

Voxel.

 

[Voxel]

Possible other factors to slower speed results is that it's a holiday, other people on the line and such. Still not too bad.

OK, thanks, waiting for your testing re: speed.

Voxel.

 

[CrimpOn]

I do not quite understand what configuration file do you mean... If linux kernel config: no, there are changes. If package build config in GPL: no, there are changes. If /etc/sysctl.conf : also changed.

Sorry to be imprecise. Orbi has a feature to "Save the configuration file." (under the Advanced Tab->Administration->Backup Settings. My "plan" to switch between my "stock" Orbi and the "experimental" Orbi is to save the configuration file to my PC. Swap the hardware. Upload the configuration file to the other Orbi. That way, all my device IP assignments, DHCP ranges, device names, etc. would be the same.

 

[Voxel]

Sorry to be imprecise. Orbi has a feature to "Save the configuration file." (under the Advanced Tab->Administration->Backup Settings. My "plan" to switch between my "stock" Orbi and the "experimental" Orbi is to save the configuration file to my PC. Swap the hardware. Upload the configuration file to the other Orbi. That way, all my device IP assignments, DHCP ranges, device names, etc. would be the same.​

Yes, the same scheme. It works. Save you config on your Orbi and restore the settings on "experimental".

Voxel.

 

[e38BimmerFN]

So I was able to reset the RBR50 last night. I'm still not seeing much over 700Mbps after the reset with v42HW loaded. I checked with my RBK852 system that's connected to the other WAN port on the CM1100 and it saw 870Mbps. Though weather conditions last night were snowy and after the ISP came and checked the modem and line about a week ago, that seems to be now the norm, though I had seen over 900Mbps before the tech came out. He installed a 6db attenuator behind the CM1100. Said some of the signal was too high I guess. I may call the ISP and have them test the line once more and see if we can get back to over 900Mbps...

I might revert back to stock v40 and test again if I get some time this week.

OK, thanks, waiting for your testing re: speed.

Voxel.