Downgraded firmware after power lost

HonzaCZ

Occasional Visitor
Hi,

After a power loss my RT-AC66U running RT-AC66U_380.64_0 booted into some old firmware version (3.0.0.4.270.26). All compatible settings (IP configuration, wireless configuration etc.) are the same. Rebooting didn't help.

Does somebody know what happened? Is there any system restore feature that boots from a backup ROM? Or some virus/worm attack?

Thanks for the replies.
 
That's simply not possible, as any firmware upgrade will completely overwrite any previous firmware.
 
I think so, but.... :eek:
 
So, when upgraded to the original firmware (RT-AC66U_380.64_0) it works like before. It makes no sense...
 
So, when upgraded to the original firmware (RT-AC66U_380.64_0) it works like before. It makes no sense...
Maybe upgrade did not work: The firmware is very, very old and you need to do an intermediate update to get to the latest Merlin firmware version.
 
Maybe upgrade did not work: The firmware is very, very old and you need to do an intermediate update to get to the latest Merlin firmware version.
No, I mean it works like before the incident. So, the summary is:
  1. working router, configured, long-term without problems, FW ver. RT-AC66U_380.64_0
  2. power failure; after boot, routing works, wifi works, PPTP VPN works, OpenVPN client doesn't work, GUI seems old, FW ver. 3.0.0.4.270.26
  3. upgrade to RT-AC66U_380.64_0, all settings from point 1 are preserved, everything works like in point 1, including the OpenVPN client

So? It's making me crazy. Where did FW ver. 3.0.0.4.270.26 come from? All settings are preserved from before; I explored every single settings page and all is like before.
 
Was your router possibly hacked? What services did you have open or running on it?
 
Was your router possibly hacked? What services did you have open or running on it?
I was afraid of that too. But I have no clue how to check it. No open services on WAN. No open wifi. I have changed all passwords. What more do you think I can do or check?
 
I was afraid of that too. But I have no clue how to check it. No open services on WAN. No open wifi. I have changed all passwords. What more do you think I can do or check?

Was it hacked internally? Teenager in the house?
 
I was afraid of that too. But I have no clue how to check it. No open services on WAN. No open wifi. I have changed all passwords. What more do you think I can do or check?
Or maybe this is just a glitch in the software.
3.0.0.4 is stored as a value in nvram, if memory serves me correctly. You'd have to check for it. If 270.26 is in there too, there might be a simpler explanation.
You could check by saving the nvram and search for it in the file.
nvram show | sort > /tmp/mnt/<your usb device>/nvram.txt
 
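An added example (not from the thread or from Asuswrt-Merlin) of the check thelonelycoder describes: parse a saved `nvram show` dump, assemble the version string from its firmware keys, and list every key that still carries a second version fragment such as 270.26. The key names firmver/buildno/extendno and the sample dump are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the router's own tooling. On the router the dump is made with:
#   nvram show | sort > /tmp/mnt/<your usb device>/nvram.txt
# Here a constructed sample stands in for that file.
SAMPLE=/tmp/nvram_sample.txt
cat > "$SAMPLE" <<'EOF'
buildno=380
extendno=64_0
firmver=3.0.0.4
lan_ipaddr=192.168.1.1
sshd_enable=1
sshd_port=22
wan_proto=dhcp
EOF

# Assemble the firmware version from the three nvram keys (assumed key names:
# firmver, buildno, extendno) into the form shown in the router GUI.
nvram_version() {  # $1 = dump file
  awk -F= '
    $1 == "firmver"  { f = $2 }
    $1 == "buildno"  { b = $2 }
    $1 == "extendno" { e = $2 }
    END { printf "%s.%s.%s\n", f, b, e }' "$1"
}

# Print the value stored under a single nvram key, e.g. sshd_port.
nvram_get() {  # $1 = dump file, $2 = key
  awk -F= -v k="$2" '$1 == k { print $2 }' "$1"
}

# List the names of all keys whose value contains a version fragment.
# An empty result means the old version (e.g. 270.26) is not lingering in nvram.
version_keys() {  # $1 = dump file, $2 = fragment such as 270.26
  grep -F -- "$2" "$1" | cut -d= -f1
}

# Summary for the reader: running version and any keys mentioning the old one.
echo "nvram says firmware $(nvram_version "$SAMPLE")"
echo "keys mentioning 270.26: $(version_keys "$SAMPLE" 270.26)"
```

If a key does turn up holding the old version string, that key, not a second firmware image, is the simpler explanation for what the GUI shows.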
I don't think so. What about some recover mode or backup ROM?

As RMerlin said, not possible.

Either someone did it intentionally (and from the sounds of it, from within the building), or they're otherwise playing tricks on you (anyone else you or your kids know with an RT-AC66U?).

Did you do a complete power off (10 minutes or longer) and check again?

Edit: see thelonelycoder's response too. :)
 
A version glitch is not possible - there was the old user interface and misconfigured OpenVPN; it seemed there was really that old version of the FW.
 
I didn't try powering off for that long. I upgraded the FW back to the original Merlin FW and it is OK. Now I'm trying to secure it more.
 
Hi,

So a similar situation occurred again. I had installed the last version, 380.67_0, on my RT-AC66U. Suddenly the SSH port to the router was filtered, even from LAN. So I tried changing settings on Administration - System but without the required effect.

So I tried a reboot - pushed the reboot button in the web GUI.

After the reboot there was again 3.0.0.4.270.26 (merlin build)! I promise that I clicked reboot from the GUI, which said version 380.67_0 was running, and it rebooted to 3.0.0.4.270.26 (merlin build). I don't get it at all. The reboot took longer than usual.

Is this some failure recovery function or is it really hacked? How can I find out if everything in the system is all right? Or how can I do a really hard and definite reset?

Thanks.

H.
 
Suddenly the SSH port to the router was filtered, even from LAN.
Can you explain what you mean by this please.
Is this some failure recovery function or is it really hacked? How can I find out if everything in the system is all right?
Make sure there is no malicious code in /jffs.
Or how can I do a really hard and definite reset?
1) Press the power button to turn off the router and unplug any USB devices. Remove all LAN cables apart from the one connected to your PC.
2) Unplug the power adapter.
3) Press the power button to turn on the router and drain any residual power.
4) Press the power button to turn off the router.

5) Plug in the power adapter.
6) Press and hold the WPS button (not the reset button) then turn on the router. Wait about 10 seconds, then release the WPS button.

https://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/
 
Can you explain what you mean by this please.
Can't connect to port 22. When I nmap it, nmap says filtered. I tried disabling SSH, or changing the accessibility (LAN only/all) options via the web GUI, and nothing changed.

Make sure there is no malicious code in /jffs.
I'm looking at the jffs backup and nothing is suspicious here. Only the https cert, openvpn keys, logs. Now, after a factory reset (thanks for the FAQ link), and after setting up new certs & keys, there is almost the same content.

It was the second time the firmware downgrade happened. In the first case it was after a power loss and now it is after a "legal" reboot via the web GUI.

One more strange thing: before the factory reset I saw about 1 MB/s inbound traffic on WAN, but no outbound traffic on LAN or WLAN. Is there any chance that was only some bug or inaccurate measuring? Something about NAT acceleration or so?

Now, after the factory reset, I have a constant approx. 65 KB/s inbound on WAN. Same as before - no outbound on LAN or WLAN in the graphs. Is there any option to check what process or even what communication endpoints this traffic belongs to? In FreeBSD there is a tool like pftop. Or tcpdump would be great. Can it be installed on this Asus?
 