Merlin - automatic firmware update possible?

Status
Not open for further replies.
By security, I mean the risk of malicious hijacking. In addition to Asus having an actual team of sysadmins to monitor their servers, their firmware images are also signed with an RSA key.
I am not saying that they are not covering their own butts on their end. That doesn't necessarily make me any more comfortable about automatic unattended update processes at the firmware level either.
 
I've just seen so many posts on these forums recommending it on threads with upgrade problems

Mostly on routers with 256/512MB RAM or with Samba share enabled. The upgrade process needs free RAM.

That feature can be turned off in stock Asus firmware.

Not really.

 
Same place as Asus firmware!
Where ?
I seem a bit lost looking for the webui email options.

Obviously we know there is a webui ICON notification, but where is the email notification option?
 
Okay, so it is possible using a user script, but where are the webui options?
If you create /jffs/scripts/update-notification it is triggered by the firmware if an update is available. There is no WebUI option for that particular file. If the file is found, it is run in the event of.
That's how I do it in Diversion.
 
Will this work using an Outlook e-mail account as the sender and a Gmail account as the recipient? Also, can the recipient's name be left as unspecified (i.e., "") with just the recipient's e-mail address added between the quotes?
This is how I have set it up so far:
 
Scripted email sending is getting increasingly complex as providers are all deprecating password-based authentication, switching to OAUTH.
 
 
This script is obviously not working. Proof in your signature:

:)
 
This script is obviously not working. Proof in your signature:

:)

It does work perfectly for me? :D

You can submit an issue if you have one :)
 
This script is obviously not working. Proof in your signature:

:)

Oh I see what you're saying, no, unlike you, I don't update my signature with every router update because it handles it alone ;)
I'll update it now to make you happy :D
 
Automatic SNB Forums signature update as a script feature? :)

Hahaha... I mean. Nothing is impossible? at least that's what I hear.
 
No, and I have no plan to ever offer such a feature, sorry. I don't have the resources to ensure the reliability and security of such a service that could potentially get hijacked, and compromise tens of thousands of routers. A large company such as Asus does.
Just curious, what would be required from such a service? Isn't downloading a firmware file from Sourceforge/Github/Onedrive in effect outsourcing the security/integrity of the firmware file to them?
 
Just curious, what would be required from such a service?
For me to run a company with someone dedicated full time to managing a server infrastructure and ensuring their security. And to have the income required to run my own storage server to host the files, and have enough bandwidth to handle Terabytes amounts of monthly transfers.

Isn't downloading a firmware file from Sourceforge/Github/Onedrive in effect outsourcing the security/integrity of the firmware file to them?
These three organizations have server administrators devoted to ensuring their security. And also if someone somehow were to upload a compromised file (meaning they would bypass both my private SSH key and Sourceforge's security team monitoring their servers), then the issue would be discovered after the first few dozen of users were to notice it and/or download it. With an automated update, it means thousands of users could be compromised before the issue is discovered and addressed. Within 24 hours, every single router could be compromised, which means tens of thousands of users, and would be a disaster that would immediately spell the end of this project, and probably have a direct impact on my personal life as well.
 
For me to run a company with someone dedicated full time to managing a server infrastructure and ensuring their security. And to have the income required to run my own storage server to host the files, and have enough bandwidth to handle Terabytes amounts of monthly transfers.
These three organizations have server administrators devoted to ensuring their security. And also if someone somehow were to upload a compromised file (meaning they would bypass both my private SSH key and Sourceforge's security team monitoring their servers), then the issue would be discovered after the first few dozen of users were to notice it and/or download it.
Why would the way files are hosted for this auto-update service need to be different from how/where the files are hosted today – couldn't you simply continue to use those hosting services instead of setting up your own?

(Or maybe it could be based on a peer-to-peer service like BitTorrent? I don't know.)

With an automated update, it means thousands of users could be compromised before the issue is discovered and addressed. Within 24 hours, every single router could be compromised, which means tens of thousands of users, and would be a disaster that would immediately spell the end of this project, and probably have a direct impact on my personal life as well.
How would that be different from the risk that the firmware file stored on those servers today gets compromised? From your explanation, it sounds like the answer comes down to the risk that a compromised file is spread very fast.

With respect to that, allow me to make a suggestion (don't claim to be an expert telling you, just asking):

To space the automatic updates out over e.g. a week or two – equivalent to the way they are dispersed manually today.

In that way, people who want to update immediately can do so manually, while people who are not keeping close tabs on their router's firmware version – and thus are exposed to security risks today – get an automatic update a little later.
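
The spacing-out idea suggested in the last post, sketched as an added example (not part of the thread and not Asuswrt-Merlin code): each device hashes its own identifier into a fixed day slot within the window and updates only once that slot is reached, so a bad release can still be put on hold before most devices have fetched it. The function names, the 14-day window, the device ID and the hold flag are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: staggered update gate. All names and values are hypothetical.

# Map a device identifier to a fixed day slot in [0, window_days).
# Hashing keeps the slot stable per device and spreads devices evenly.
rollout_day() {
    dev_id=$1
    window_days=$2
    # 7 hex digits = 28 bits, safe even for 32-bit shell arithmetic
    h=$(printf '%s' "$dev_id" | sha256sum | cut -c1-7)
    echo $(( 0x$h % window_days ))
}

# Succeed (exit 0) only when this device's slot has been reached
# and the release has not been put on hold.
# Args: release_epoch now_epoch dev_id window_days hold_flag
update_due() {
    release_epoch=$1
    now_epoch=$2
    hold_flag=$5
    # A hold set during the window stops every device still waiting.
    [ "$hold_flag" = "1" ] && return 1
    slot=$(rollout_day "$3" "$4")
    [ "$now_epoch" -ge $(( release_epoch + slot * 86400 )) ]
}

# Constructed sample: release published at epoch 1700000000, 14-day window.
DEV="AA:BB:CC:DD:EE:FF"   # constructed device ID (for instance the LAN MAC)
echo "slot for $DEV: day $(rollout_day "$DEV" 14)"
if update_due 1700000000 1700000000 "$DEV" 14 0; then
    echo "due now"
else
    echo "waiting for slot"
fi
```

Staggering only limits how many devices fetch a bad image before it is noticed; it does not replace verifying the image itself before flashing.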
 