[Official Release] AiMesh Firmware v3.0.0.4.384.10007 for All Supported Products

[Quad80]

I must admit that my security views don't always align with Asus's own. For instance, their IFTTT/Alexa feature requires you to expose your router's webui to the WAN, something I have always felt strongly against, due to Asuwrt's past track record in security issues tied to the httpd daemon. But marketing too often overrules engineering decisions I fear.

Well, I never would trust that IFTTT/Alexa feature regardless, because I don't trust Alexa and the like. How hard is it for me to really turn on my own lights or, in this case, to manually reboot my router? Frankly, I don't trust these systems to get this crap right, let alone taking into account any security holes. As for the last point, yeah, unfortunately that is all too often the case. However, if that is indeed the case here (i.e., they're forgoing security on WPS to get AiMesh out the door), then I'll just switch it off and go with a manually configured AP. Hell, I'm halfway there since I don't have AP roaming on (never turned it on, then tried it and had some issues so turned it off). I can live without the centralized features, especially if they're not going to work right and be a security risk.

Funny how all this blew up. I really don't know what I'm talking about and fully expected to be told "that's not what you think it is" and to move on. Yet, here we are. It's a possible bug with some potential security implications for a major OEM and some of their high end consumer equipment. And, it might actually get fixed since Asus has a regular presence here. Fancy that.

 

[dabears]

https://routersecurity.org/wps.php

 

[arthurlien]

Basically, I don't think the WPS procedure is proceeding with in all the time. If this is true, you can try to trigger WPS in your client device and it will be pairing successfully.

BTW, I still will check with team.

我從使用 Tapatalk 的 ASUS_Z012DA 發送

 

[RandomName23]

Well, @arthurlien has not stated that it is necessary, so unless they were hiding this fact, then I assume it's not actually necessary for the mesh to work. If it *is* necessary, they really shouldn't hide that fact because a) apparently even a dummy like myself can quickly tell it's on, b) it is a security threat that people should be fully aware of, and c) it goes completely counter to the manual user settings (i.e., it doesn't give the behavior a user would expect, thus looks like a bug).

Really, I can't think of any reason we can't have it closed up or, if it is required, confirmation of such a requirement from official sources. I guess we'll have to wait and see what @arthurlien has to say when he gets back from partying.

WPS seems to be required to setup your nodes as you don't have to go into any UIs and specify your Wifi password to have the nodes connect wirelessly. I'm guessing that WPS would also then be used anytime you changed your wireless password to allow to the nodes to connect with the new settings. I can't imagine any scenario where it should be required outside of those two scenarios.

 

[Quad80]

Basically, I don't think the WPS procedure is proceeding with in all the time. If this is true, you can try to trigger WPS in your client device and it will be pairing successfully.

BTW, I still will check with team.

我從使用 Tapatalk 的 ASUS_Z012DA 發送

Pretty sure @dabears has already said he confirmed it still works.

 

[arthurlien]

Pretty sure @dabears has already said he confirmed it still works.

Don't worry about it, I still will discuss with team.

If you would like to do some test, you can try to activate WPS in your client. Than see the results.

我從使用 Tapatalk 的 ASUS_Z012DA 發送

 

[ROBERT CARLSON MD]

Firmware version 3.0.0.4.384.10007

New feature
AiMesh: an innovative new router feature that connects multiple ASUS routers to create a whole-home WiFi network.
Refer to https://www.asus.com/aimesh/ for more detail.

Security fixed
- Fixed XSS vulnerability. Thanks for Joaquim's contribution.
- Fixed LAN RCE vulnerability. An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
- Fixed remote code execution vulnerability. Thanks to David Maciejak of Fortinet's FortiGuard Labs

Bug fixed
- Fixed network map abnormal responded time issues
- Fixed client list issues.
- Fixed AiCloud smart sync issue.

Boost Samba write performance up to 30%. To get full USB 3.0 speed, please disable "reducing USB 3.0 interference".

Firmware Download Links:-

RT-AC86U

RT-AC88U

RT-AC68U

RT-AC66U_B1

Enjoy!

Moderator Note 8 Jan 18: Please discuss AiMesh/TM-AC1900 here.

Moderator Note: Old discussion for AiMesh beta is here. That thread is closed. Please continue the AiMesh discussion here for version 3.0.0.4.384.10007

 

[ROBERT CARLSON MD]

Currently, running firmware 3.0.0.4.384_20308 with 2 RT-AC68U meshed together. The older AC68U with hardware version A2 was very hard to update and kept looping back to the same countdown screen and then rebooting over and over again. I'm worried about ever trying to update it again.

The mesh seems to be working fairly well, but I have a question about future firmware updates: When an update comes out, will all the devices in the mesh be updated automatically?

-- R Carlson MD

 

[RandomName23]

Currently, running firmware 3.0.0.4.384_20308 with 2 RT-AC68U meshed together. The older AC68U with hardware version A2 was very hard to update and kept looping back to the same countdown screen and then rebooting over and over again. I'm worried about ever trying to update it again.

The mesh seems to be working fairly well, but I have a question about future firmware updates: When an update comes out, will all the devices in the mesh be updated automatically?

-- R Carlson MD

You have to perform the update but all the mesh nodes can be updated from a single location in the main router UI.

 

[Richard Li]

Completely broken is an overstatement. It works perfectly in standalone mode, but not with AiMesh.
- I was not able to upload my node, until I disabled MAC filtering
- Once in Aimesh mode, indeed no WIFI access to anyone, even if whitelisted.

Interesting part:
- when I failed to install the Aimesh node, it only uploaded till 52% or so. Then it rapidly ran up to 100%, giving a failure.
- I then added the Aimesh node to the MAC filtering whitelisting.... I suddenly could go to 99%, still failing
- Only when disabling the MAC filtering I succeeded.
Who knows: perhaps you have to add all AiMesh node WIFI adapters to the whitelisting first??

I tried, you can never paired properly if you enable MAC address filtering. And MAC address filtering has a bug now which is now not working in my configuration RT-AC88U as AP and RT-AC68U as node. The 68U just will not accept any wifi connection when MAC filtering is enabled.

ASUS team can now reproduce this problem, need to wait for them to fix this issue.

 

[ROBERT CARLSON MD]

Firmware version 3.0.0.4.384.10007

New feature
AiMesh: an innovative new router feature that connects multiple ASUS routers to create a whole-home WiFi network.
Refer to https://www.asus.com/aimesh/ for more detail.

Security fixed
- Fixed XSS vulnerability. Thanks for Joaquim's contribution.
- Fixed LAN RCE vulnerability. An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
- Fixed remote code execution vulnerability. Thanks to David Maciejak of Fortinet's FortiGuard Labs

Bug fixed
- Fixed network map abnormal responded time issues
- Fixed client list issues.
- Fixed AiCloud smart sync issue.

Boost Samba write performance up to 30%. To get full USB 3.0 speed, please disable "reducing USB 3.0 interference".

Firmware Download Links:-

RT-AC86U

RT-AC88U

RT-AC68U

RT-AC66U_B1

Enjoy!

Moderator Note 8 Jan 18: Please discuss AiMesh/TM-AC1900 here.

Moderator Note: Old discussion for AiMesh beta is here. That thread is closed. Please continue the AiMesh discussion here for version 3.0.0.4.384.10007

Firmware version 3.0.0.4.384.10007

New feature
AiMesh: an innovative new router feature that connects multiple ASUS routers to create a whole-home WiFi network.
Refer to https://www.asus.com/aimesh/ for more detail.

Security fixed
- Fixed XSS vulnerability. Thanks for Joaquim's contribution.
- Fixed LAN RCE vulnerability. An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
- Fixed remote code execution vulnerability. Thanks to David Maciejak of Fortinet's FortiGuard Labs

Bug fixed
- Fixed network map abnormal responded time issues
- Fixed client list issues.
- Fixed AiCloud smart sync issue.

Boost Samba write performance up to 30%. To get full USB 3.0 speed, please disable "reducing USB 3.0 interference".

Firmware Download Links:-

RT-AC86U

RT-AC88U

RT-AC68U

RT-AC66U_B1

Enjoy!

Moderator Note 8 Jan 18: Please discuss AiMesh/TM-AC1900 here.

Moderator Note: Old discussion for AiMesh beta is here. That thread is closed. Please continue the AiMesh discussion here for version 3.0.0.4.384.10007

 

[ROBERT CARLSON MD]

Is it necessary or desirable to use the same SSID for both bands? I noticed on the marketing pages that they show only one "SSID-ASUS-AIMESH" signal in their example... ???

-- R Carlson MD

 

[RandomName23]

Is it necessary or desirable to use the same SSID for both bands? I noticed on the marketing pages that they show only one "SSID-ASUS-AIMESH" signal in their example... ???

-- R Carlson MD

Personal preference

 

[pradeepv]

I went through the steps in flashing 2 ASUS TM-AC1900 routers to RT-AC68U with firmware Version 3.0.0.4.384.20308 to set up an AiMesh network. Both have been successfully flashed. I was able to set one as the router but not able to search the other router to set it up as a node. Can someone help me with this issue? Thanks.

 

[ROBERT CARLSON MD]

I just did the same thing today. It's a bit confusing.

The trick is to first update the new node device to the latest firmware, and then reset it back to the factory default settings. Don't worry about configuring the node in any way and boot it up. Place it near the AIMesh router with no ethernet cables connected. Go into the router AIMesh settings and search for another device, and it should pop up. After it configures the node, you can place where you want. After it's set up, and you want to use an ethernet backhaul, make sure you plug the lan ethernet cable into the node's WAN port, NOT one of the lan ports. Weird, but it works.

-- R Carlson MD

 

[OzarkEdge]

Is it necessary or desirable to use the same SSID for both bands? I noticed on the marketing pages that they show only one "SSID-ASUS-AIMESH" signal in their example... ???

-- R Carlson MD

It's desirable. It's not necessary. And under the circumstances, it's not advisable at this time in AiMesh development, imo, particularly if you are using nodes that do not support SmartConnect aka band selection/steering and have dumb/stubborn wireless clients.

With simple IoT devices that you may have less control over, I think you are better off configuring/forcing them to use one SSID/WLAN; otherwise, they might connect to another SSID/WLAN that you intend for other clients.

Finally, if you experiment with using same SSIDs and then switch to using different SSIDs, you will likely find that wireless clients connect a bit more quickly... you have done the band steering for them... and it appears that some wireless clients are better at connecting to the better of two different SSIDs than they are at connecting to the better of two identical SSIDs. And you'll spend less time inspecting/assessing wireless client connections.

OE

 

[monaro-ds]

I went through the steps in flashing 2 ASUS TM-AC1900 routers to RT-AC68U with firmware Version 3.0.0.4.384.20308 to set up an AiMesh network. Both have been successfully flashed. I was able to set one as the router but not able to search the other router to set it up as a node. Can someone help me with this issue? Thanks.

make sure to convert original_cfe.bin to 1.0.2.0 US AiMesh not just 1.0.2.0 US
if you did not go back to step 10 and re-do the conversion.

 

[Volfi]

The KRACK fixed and WPS off are totally different thing.

我從使用 Tapatalk 的 ASUS_Z012DA 發送

When can we expect KRACK fix on AC86U? This model is getting updates pretty late, comparing to other models.

 

[arthurlien]

When can we expect KRACK fix on AC86U? This model is getting updates pretty late, comparing to other models.

Have you check ASUS web side ? it already fixed in 382.18219 and newer version.

Version 3.0.0.4.382.182192017/10/2455.48 MBytes

ASUS RT-AC86U Firmware version 3.0.0.4.382.18219
Security fixed
- Fixed KRACK vulnerability
- Fixed CVE-2017-14491: DNS - 2 byte heap based overflow
- Fixed CVE-2017-14492: DHCP - heap based overflow
- Fixed CVE-2017-14493: DHCP - stack based overflow

 

[Volfi]

Have you check ASUS web side ? it already fixed in 382.18219 and newer version.

Version 3.0.0.4.382.182192017/10/2455.48 MBytes

ASUS RT-AC86U Firmware version 3.0.0.4.382.18219
Security fixed
- Fixed KRACK vulnerability
- Fixed CVE-2017-14491: DNS - 2 byte heap based overflow
- Fixed CVE-2017-14492: DHCP - heap based overflow
- Fixed CVE-2017-14493: DHCP - stack based overflow

Ok, so AC88U got KRACK fix (very) late, not till 384.20379. Got it.