What's new

Merlin - automatic firmware update possible?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
By security, I mean the risk of malicious hijacking. In addition to Asus having an actual team of sysadmins to monitor their servers, their firmware images are also signed with an RSA key.
I am not saying that they are not covering their own butts on their end. That doesn't necessarily make me anymore comfortable about automatic unattended update processes at the firmware level either.
 
I've just seen so many posts on these forums recommending it on threads with upgrade problems

Mostly on routers with 256/512MB RAM or with Samba share enabled. The upgrade process needs free RAM.

That feature can be turned off in stock Asus firmware.

Not really.

 
Same place as Asus firmware!
Where ?
I seem abit lost looking for the webui email options.

Screenshot_20230613_064729_Samsung Internet.jpg


Screenshot_20230613_064440_Samsung Internet.jpg


Obviously we know there is a webui ICON notification, but where is the email notification option?
 
Okay, so it is possible using a user script, but where is the webui options?
If you create /jffs/scripts/update-notification it is triggered by the firmware if an update is available. There is no WebUI option for that particular file. If the file is found, it is run in the event of.
That‘s how I do it in Diversion.
 
Will this work using an Outlook e-mail account as the sender and a Gmail account as the recipient? Also, can the recipient's name be left as unspecified (i.e., "") with just the receipient's e-mail address added between the quotes?
This is how I have set it up so far:
Screenshot - 13_06_2023 , 18_42_47.jpg

Screenshot - 13_06_2023 , 18_42_07.jpg
 
Last edited:
Scripted email sending is getting increasingly complex as providers are all deprecating password-based authentication, switching to OAUTH.
 
 
This script is obviously not working. Proof in your signature:

1695952694990.png



:)
 
This script is obviously not working. Proof in your signature:

View attachment 53359


:)

It does work perfectly for me? :D

You can submit an issue if you have one :)
 
This script is obviously not working. Proof in your signature:

View attachment 53359


:)

Oh i see what your saying, no unlike you, I don't update my signature with every router update because it handles it alone ;)
I'll update it now to make you happy :D
 
Automatic SNB Forums signature update as a script feature? :)

Hahaha... I mean. Nothing is impossible? at least that's what I hear.
 
No, and I have no plan to ever offer such a feature, sorry. I don't have the resources to ensure the reliability and security of such a service that could potentially get hijacked, and compromise tens of thousands of routers. A large company such as Asus does.
Just curious, what would be required from such a service? Isn't downloading a firmware file from Sourceforge/Github/Onedrive in effect outsourcing the security/integrity of the firmware file to them?
 
Just curious, what would be required from such a service?
For me to run a company with someone dedicated full time to managing a server infrastructure and ensuring their security. And to have the income required to run my own storage server to host the files, and have enough bandwidth to handle Terabytes amounts of monthly transfers.

Isn't downloading a firmware file from Sourceforge/Github/Onedrive in effect outsourcing the security/integrity of the firmware file to them?
These three organizations have server administrators devoted to ensuring their security. And also if someone somehow were to upload a compromised file (meaning they would bypass both my private SSH key and Sourceforge's security team monitoring their servers), then the issue would be discovered after the first few dozen of users were to notice it and/or download it. With an automated update, it means thousands of users could be compromised before the issue is discovered and addressed. Within 24 hours, every single router could be compromised, which means tens of thousands of users, and would be a disaster that would immediately spell the end of this project, and probably have a direct impact on my personal life as well.
 
For me to run a company with someone dedicated full time to managing a server infrastructure and ensuring their security. And to have the income required to run my own storage server to host the files, and have enough bandwidth to handle Terabytes amounts of monthly transfers.
These three organizations have server administrators devoted to ensuring their security. And also if someone somehow were to upload a compromised file (meaning they would bypass both my private SSH key and Sourceforge's security team monitoring their servers), then the issue would be discovered after the first few dozen of users were to notice it and/or download it.
Why would the way files are hosted for this auto-update service need to be different from how/where the files are hosted today – couldn't you simply continue to use those hosting services instead of setting up your own?

(Or maybe it could be based on a peer-to-peer service like Bitorrent? I don't know.)

With an automated update, it means thousands of users could be compromised before the issue is discovered and addressed. Within 24 hours, every single router could be compromised, which means tens of thousands of users, and would be a disaster that would immediately spell the end of this project, and probably have a direct impact on my personal life as well.
How would that be different from the risk that the firmware file stored on those servers today gets compromised? From your explanation, it sounds like the answers comes down to the risk that a compromised file is spread very fast.

With respect to that, allow me to make a suggestion (don't claim to be an expert telling you, just asking):

To space the automatic updates out over eg. a week or two – equivalent to the way they are dispersed manually today.

In that way, people who want to update immediately can do so manually, while people who are not keeping close tabs on their routers firmware version – and thus are exposed to security risks today – gets an automatic update a little later.
 
Last edited:
Status
Not open for further replies.

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top