
USB disk encryption on Asuswrt-Merlin


DrPozo

Occasional Visitor
I have had some success with USB disk encryption on Asuswrt-Merlin. The only problem is that the WebUI shows the disk as "unmounted" and the user scripts "post-mount" and "unmount" are never called. I think the reason is that cryptsetup puts the encrypted disk partitions in /dev/mapper, not /dev. Also, there is no /etc/crypttab in Asuswrt. I managed to get everything working just fine, however. My unmount logic runs from /jffs/scripts/services-stop at router reboot or shutdown.

I modified the Asuswrt-Merlin firmware so that cryptsetup runs from /entware/sbin with its dependent libraries in /entware/lib. If you intend to try this, you must patch the ELF headers yourself for the Entware-ng cryptsetup program and its dependent libraries before compiling them into the firmware. Otherwise, cryptsetup won't be able to find the Entware-ng libraries in the firmware. This technique might also be possible with Optware-ng to run a few packages side-by-side with Entware-ng from the firmware or /jffs. The firmware is squashfs compressed, and there's still plenty of room left for more programs. C'mon in, boys, the water is fine!
 
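The post above says the ELF headers of the Entware-ng cryptsetup and its libraries have to be patched so they resolve from /entware/lib inside the firmware. Two fields decide that: the PT_INTERP path to the dynamic loader, and a DT_RPATH/DT_RUNPATH entry naming the library directory (patchelf's --set-interpreter and --set-rpath rewrite exactly these). The example below is an added check, not code from the original post: it reads those fields back so a build can be verified before it is flashed. The loader path, the library names and the ELF image are assumptions constructed for the sample (ELF32 little-endian ARM, as on the RT-AC68U); feed elf_dynamic_info the bytes of the real file to check the actual binaries. The loader named must also be the one the libraries were built against; a soft-float ld-linux.so.3 and a hard-float ld-linux-armhf.so.3 are not interchangeable.

```python
"""Check that a relocated ELF binary (cryptsetup moved into the firmware under
/entware/sbin) names the intended loader and library directory. Added example
for this thread, not code from the original post: the loader path and library
names are assumptions, and the image is constructed inline (ELF32 LE ARM with
one PT_LOAD whose vaddr equals its file offset, plus PT_INTERP and PT_DYNAMIC)."""
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 1, 5, 15, 29

def _cstr(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode()

def elf_dynamic_info(data):
    """Return interp, NEEDED list, RPATH and RUNPATH of an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, e = data[4] == 2, ("<" if data[5] == 1 else ">")
    (e_phoff,) = struct.unpack_from(e + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54 if is64 else 42)
    # Phdr fields we need, as (format, indexes of type/offset/vaddr/filesz).
    ph_fmt, ph_idx = (e + "IIQQQQ", (0, 2, 3, 5)) if is64 else (e + "IIIII", (0, 1, 2, 4))
    loads, dynamic, interp = [], None, None
    for i in range(e_phnum):
        f = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_off, p_vaddr, p_filesz = (f[j] for j in ph_idx)
        if p_type == PT_INTERP:
            interp = _cstr(data, p_off)
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
        elif p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))

    def vaddr_to_off(va):  # DT_STRTAB holds a virtual address; map it through PT_LOAD
        for v, o, sz in loads:
            if v <= va < v + sz:
                return va - v + o
        raise ValueError("address 0x%x is not in any PT_LOAD segment" % va)

    info = {"interp": interp, "needed": [], "rpath": None, "runpath": None}
    if dynamic is None:
        return info  # statically linked: nothing for the loader to resolve
    fmt, step = (e + "qQ", 16) if is64 else (e + "iI", 8)
    entries = []
    for off in range(dynamic[0], dynamic[0] + dynamic[1], step):
        tag, val = struct.unpack_from(fmt, data, off)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab = vaddr_to_off(next(v for t, v in entries if t == DT_STRTAB))
    for tag, val in entries:
        if tag == DT_NEEDED:
            info["needed"].append(_cstr(data, strtab + val))
        elif tag == DT_RPATH:
            info["rpath"] = _cstr(data, strtab + val)
        elif tag == DT_RUNPATH:
            info["runpath"] = _cstr(data, strtab + val)
    return info

def check_relocated(data, interp, libdir):
    """List what would still send the loader outside libdir; empty means OK."""
    info = elf_dynamic_info(data)
    problems = []
    if info["interp"] != interp:
        problems.append("interpreter is %r, expected %r" % (info["interp"], interp))
    search = info["runpath"] or info["rpath"]  # RUNPATH wins when both are present
    if not search or libdir not in search.split(":"):
        problems.append("no RPATH/RUNPATH entry for %s" % libdir)
    return problems

def build_sample_elf(interp, needed, runpath):
    """Constructed ELF32 LE ARM image carrying only the headers inspected above."""
    strtab, offs = b"\x00", {}
    for s in needed + [runpath]:
        offs[s] = len(strtab)
        strtab += s.encode() + b"\x00"
    interp_b = interp.encode() + b"\x00"
    ehdr_sz, phdr_sz, phnum = 52, 32, 3
    interp_off = ehdr_sz + phdr_sz * phnum
    strtab_off = (interp_off + len(interp_b) + 3) & ~3
    dyn_off = (strtab_off + len(strtab) + 3) & ~3
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in [(DT_STRTAB, strtab_off)]
                   + [(DT_NEEDED, offs[n]) for n in needed] + [(DT_RUNPATH, offs[runpath]), (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack(  # ET_EXEC, EM_ARM
        "<HHIIIIIHHHHHH", 2, 40, 1, 0, ehdr_sz, 0, 0, ehdr_sz, phdr_sz, phnum, 0, 0, 0)
    def phdr(t, off, size, flags):  # vaddr == paddr == file offset, align 4
        return struct.pack("<IIIIIIII", t, off, off, off, size, size, flags, 4)
    img = bytearray(total)
    img[:ehdr_sz] = ehdr
    img[ehdr_sz:interp_off] = (phdr(PT_LOAD, 0, total, 5) + phdr(PT_INTERP, interp_off, len(interp_b), 4)
                               + phdr(PT_DYNAMIC, dyn_off, len(dyn), 6))
    img[interp_off:interp_off + len(interp_b)] = interp_b
    img[strtab_off:strtab_off + len(strtab)] = strtab
    img[dyn_off:] = dyn
    return bytes(img)

ENTWARE_INTERP, ENTWARE_LIBDIR = "/entware/lib/ld-linux.so.3", "/entware/lib"  # assumed names
SAMPLE_LIBS = ["libcryptsetup.so.4", "libdevmapper.so.1.02"]  # constructed, not from the post
RELOCATED = build_sample_elf(ENTWARE_INTERP, SAMPLE_LIBS, ENTWARE_LIBDIR)
UNPATCHED = build_sample_elf("/opt/lib/ld-linux.so.3", SAMPLE_LIBS, "/opt/lib")
```

check_relocated(RELOCATED, ...) returns an empty list, while UNPATCHED reports both the stock /opt loader and the missing /entware/lib search path. Run the same two functions over every library in /entware/lib as well, since a library with its own NEEDED entries resolves them through the same loader rules as the executable.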
The firmware is squashfs compressed, and there's still plenty of room left for more programs. Come on in boys, the water is fine.

If people compile their own firmware, it's very easy to insert a few extra goodies into the "rom" without knowing anything about squashfs.

Knowing squashfs gives people a bit of an edge, allowing them to extract the latest wireless and CTF drivers from official firmware without waiting for the GPL release.

At the moment, my RT-AC56U's firmware is a combination of
  • 380.58 alpha 4 user-space from Merlin
  • a custom kernel
  • plus wireless & CTF drivers from official 380_2695
 
it's very easy to insert a few extra goodies
I can open the Asuswrt and Merlin firmwares in 7-Zip, but cannot make changes. Maybe there's another way? A firmware re-packer for ARM and MIPS routers?
 
I can open the Asuswrt and Merlin firmwares in 7-Zip, but cannot make changes. Maybe there's another way? A firmware re-packer for ARM and MIPS routers?

People may have attempted creating a re-packer. Some sites mentioned that, but I never tried. The best re-packer is actually shipped with the Asus GPL code already.
 
https://bitsum.com/firmware_mod_kit.htm

It's what I use to unpack binary firmwares if I need to investigate changes in a beta firmware, or recover some missing closed-source executables.

I use standard Linux utilities to extract files from the TRX image, which has two partitions. The second partition is the root filesystem in squashfs format.

I use dd to extract the squashfs partition and then use unsquashfs to explode it into a regular file hierarchy.
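The dd + unsquashfs procedure above works from the partition offsets in the TRX header. As an added example, not code from the original post, here is a parser for that header that verifies the CRC before carving (so a truncated or corrupted download is caught before unsquashfs complains about a bad superblock) and locates the squashfs partition by its magic. It assumes the 28-byte TRX header layout and the CRC computation as implemented in the trx tool shipped with the Asus/OpenWrt GPL sources; the firmware image in the block is constructed, not a real Asus build.

```python
"""Parse and verify a Broadcom TRX firmware header and carve its squashfs
partition. Added example for this thread, not code from the original post. The
header layout (magic "HDR0", length, CRC-32, flag/version, three partition
offsets) and the CRC rule (CRC-32 over everything after the crc field, stored
without the final inversion that zlib applies) follow the trx tool from the
Asus/OpenWrt GPL sources; the image below is constructed inline, not a real build."""
import struct
import zlib

TRX_MAGIC, TRX_HDR_LEN = b"HDR0", 28
SQUASHFS_MAGIC = b"hsqs"  # little-endian squashfs superblock magic


def trx_crc32(body):
    """TRX CRC-32 (init 0xFFFFFFFF, no final XOR); zlib applies the XOR, so undo it."""
    return zlib.crc32(body) ^ 0xFFFFFFFF


def parse_trx(image):
    """Validate the header and return its partitions as (start, end) file offsets."""
    magic, length, crc, flag_ver, o0, o1, o2 = struct.unpack_from("<4sIIIIII", image, 0)
    if magic != TRX_MAGIC:
        raise ValueError("bad TRX magic %r" % magic)
    if length > len(image):
        raise ValueError("TRX length %d exceeds image size %d (truncated?)" % (length, len(image)))
    computed = trx_crc32(image[12:length])
    if crc != computed:
        raise ValueError("TRX CRC mismatch: header 0x%08x, computed 0x%08x" % (crc, computed))
    offsets = [o for o in (o0, o1, o2) if o]  # unused slots are zero
    parts = [(off, offsets[i + 1] if i + 1 < len(offsets) else length) for i, off in enumerate(offsets)]
    return {"length": length, "version": flag_ver >> 16, "flags": flag_ver & 0xFFFF, "partitions": parts}


def find_squashfs(image):
    """Return (offset, size) of the first partition that starts with a squashfs superblock."""
    for start, end in parse_trx(image)["partitions"]:
        if image[start:start + 4] == SQUASHFS_MAGIC:
            return start, end - start
    raise ValueError("no squashfs partition in this TRX")


def carve_squashfs(image):
    """The bytes you would otherwise extract with dd bs=1 skip=OFFSET count=SIZE."""
    start, size = find_squashfs(image)
    return image[start:start + size]


def build_sample_trx(kernel, rootfs):
    """Constructed two-partition TRX: kernel at offset 28, rootfs 4-byte aligned after it."""
    body = kernel + b"\x00" * (-len(kernel) % 4)
    rootfs_off = TRX_HDR_LEN + len(body)
    body += rootfs
    tail = struct.pack("<IIII", 1 << 16, TRX_HDR_LEN, rootfs_off, 0) + body  # version 1, no flags
    length = 12 + len(tail)
    return TRX_MAGIC + struct.pack("<II", length, trx_crc32(tail)) + tail


# Constructed placeholders: a uImage-style magic for the kernel, a squashfs magic for rootfs.
SAMPLE_KERNEL = b"\x27\x05\x19\x56" + b"K" * 60
SAMPLE_ROOTFS = SQUASHFS_MAGIC + b"R" * 100
SAMPLE_TRX = build_sample_trx(SAMPLE_KERNEL, SAMPLE_ROOTFS)

if __name__ == "__main__":
    print(parse_trx(SAMPLE_TRX))
    print("squashfs at offset %d, %d bytes" % find_squashfs(SAMPLE_TRX))
```

find_squashfs gives the numbers to plug into dd bs=1 skip=OFFSET count=SIZE; alternatively write carve_squashfs(image) to a file and run unsquashfs -d rootfs on it. Flipping any byte inside the TRX length makes parse_trx raise on the CRC, which is the first thing to check when a beta image will not unpack.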
 
Hopefully his warning is just an overstatement.

WARNING: You are going to brick your device by using this kit (maybe not, but better to say you will). Brick means to effectively turn into a non-functional 'brick'. Recovery is sometimes possible without hardware modifications. Sometimes it requires hardware mods (e.g. serial or JTAG headers soldered onto the PCB). Sometimes it just isn't feasible, or would cost more in total recovery cost than the unit is worth.

Do NOT use this kit if you are not prepared to have your router bricked!

EULA: By downloading or using this kit, you agree to accept liability for consequences of use or misuse of the Firmware Mod Kit. These include the bricking of your device. The authors of this kit have duly warned you. This kit is only for embedded systems software engineers.
 
Hopefully his warning is just an overstatement.

Probably just covering their behinds, as flashing a modified image can cause critical issues, especially if someone doesn't understand what he's doing, or if the target device has some kind of protection.

I've never used it to modify, only to extract content.

Recompiling from source is always the best option.
 
Here's what I did for the disk encryption.

On router startup, my scripts create an encrypted 1 GB swap partition and mount a 4000 GB encrypted data partition. On router shutdown, the encrypted partitions are properly unmounted and closed.

My kernel was recompiled to enable dm-crypt and all necessary ciphers and hashes. The router is an RT-AC68U overclocked to 1200 MHz. I wouldn't try it with anything less.

/jffs/configs/fstab
Code:
/dev/mapper/swap-1b3da15a-d580-45e1-91d9-16aaacfc5f9f      none             swap    defaults             0      0
/dev/mapper/data-8c7d552d-17bb-494e-8d91-ba6ee2dcf150      /mnt/data        ext4    rw,nodev,noatime     0      2
/dev/mapper/data-e8264547-9e1d-44b8-9ee8-5ef52ae54ba9      /mnt/data2       ext4    rw,nodev,noatime     0      2
/dev/mapper/data-3009fae4-c8af-4347-8ee1-2fc59cbe62b9      /mnt/usbflash    ext4    rw,nodev,noatime     0      2


/jffs/scripts/pre-mount
Code:
#!/bin/sh
# Called by the firmware with the block device (e.g. /dev/sda1) as $1, before
# its own mount logic runs. LUKS devices are recognised by UUID and opened
# into /dev/mapper; /jffs/configs/fstab then supplies mount point and options.
/usr/bin/logger -t $(/usr/bin/basename $0) "custom script started [$$]"
finish()
{
  /usr/bin/logger -t $(/usr/bin/basename $0) "custom script ended [$$]"
}
trap finish EXIT

DEVICE_PATH="$1"

mount_swap()
{
  local luks_uuid="$1"
  local mappername="swap-${luks_uuid}"

  # Tear down any stale mapping left over from a previous run.
  if [ -b "/dev/mapper/$mappername" ]; then
    /sbin/swapoff "/dev/mapper/$mappername"
    /entware/sbin/cryptsetup luksClose "$mappername"
  fi

  # Swap is re-formatted on every boot with a throw-away random passphrase
  # (printable ASCII, no spaces); --uuid keeps the UUID stable so the case
  # statement below keeps matching it.
  passphrase="$(/usr/bin/tr -cd '!-~' < /dev/urandom | /usr/bin/head -c 50)"
  /bin/echo -n "$passphrase" | /entware/sbin/cryptsetup --cipher=aes-cbc-essiv:sha256 --key-size=256 --batch-mode --uuid="$luks_uuid" luksFormat "$DEVICE_PATH"
  /bin/echo -n "$passphrase" | /entware/sbin/cryptsetup --batch-mode luksOpen "$DEVICE_PATH" "$mappername"
  passphrase="" # forget about it
  if [ ! -b "/dev/mapper/$mappername" ]; then
    /usr/bin/logger -t $(/usr/bin/basename $0) "custom script could not open $mappername [$$]"
    return 1
  fi
  /sbin/mkswap "/dev/mapper/$mappername"
  /sbin/swapon "/dev/mapper/$mappername"
}

mount_data()
{
  local luks_uuid="$1"
  local mountname="$2"
  local passphrase="$3"   # key file path, or the passphrase itself (see passtype)
  local passtype="$4"
  local mappername="data-${luks_uuid}"

  if [ ! -d "/mnt/$mountname" ]; then
   /bin/mkdir -p "/mnt/$mountname"
   /bin/chown "$(/usr/sbin/nvram get http_username):root" "/mnt/$mountname"
   /bin/chmod a+rwx "/mnt/$mountname"
  fi

  # Tear down any stale mapping left over from a previous run.
  if [ -b "/dev/mapper/$mappername" ]; then
    /bin/umount "/dev/mapper/$mappername"
    /entware/sbin/cryptsetup luksClose "$mappername"
  fi

  if [ "$passtype" = "file" ]; then
    /entware/sbin/cryptsetup --batch-mode luksOpen "$DEVICE_PATH" "$mappername" < "$passphrase"
  elif [ "$passtype" = "text" ]; then
    /bin/echo -n "$passphrase" | /entware/sbin/cryptsetup --batch-mode luksOpen "$DEVICE_PATH" "$mappername"
  else
    /usr/bin/logger -t $(/usr/bin/basename $0) "custom script passphrase type '$passtype' was not recognized [$$]"
  fi
  passphrase="" # forget about it

  # If luksOpen failed (wrong passphrase, missing key file) there is no mapping;
  # stop here instead of mounting nothing and calling post-mount on an empty dir.
  if [ ! -b "/dev/mapper/$mappername" ]; then
    /usr/bin/logger -t $(/usr/bin/basename $0) "custom script could not open $mappername [$$]"
    return 1
  fi
  # Mount options come from /jffs/configs/fstab. The firmware never calls
  # post-mount for /dev/mapper devices, so call it here (/mnt -> /tmp/mnt).
  /bin/mount "/dev/mapper/$mappername"
  /jffs/scripts/post-mount "/tmp/mnt/$mountname"
}

# dm-crypt plus the ciphers and hashes used by the volumes (built as modules
# in the custom kernel).
/sbin/lsmod | /bin/grep -q dm_mod || /sbin/modprobe dm-mod
/sbin/lsmod | /bin/grep -q dm_crypt || /sbin/modprobe dm-crypt
/sbin/lsmod | /bin/grep -q gf128mul || /sbin/modprobe gf128mul
/sbin/lsmod | /bin/grep -q xts || /sbin/modprobe xts
/sbin/lsmod | /bin/grep -q sha256_generic || /sbin/modprobe sha256_generic

# Only LUKS devices with a known UUID are handled here; anything else is left
# to the firmware's own mount logic.
if /entware/sbin/cryptsetup isLuks "$DEVICE_PATH"; then

  LUKS_UUID="$(/entware/sbin/cryptsetup luksUUID "$DEVICE_PATH")"

  case "$LUKS_UUID" in

    "1b3da15a-d580-45e1-91d9-16aaacfc5f9f" )
      mount_swap "$LUKS_UUID"
      ;;

    "8c7d552d-17bb-494e-8d91-ba6ee2dcf150" )
      mount_data "$LUKS_UUID" "data" "/jffs/passphrase.key" "file"
      ;;

    "e8264547-9e1d-44b8-9ee8-5ef52ae54ba9" )
      mount_data "$LUKS_UUID" "data2" "lol" "text"
      ;;

    "3009fae4-c8af-4347-8ee1-2fc59cbe62b9" )
      mount_data "$LUKS_UUID" "usbflash" "lol" "text"
      ;;

    *)
      /usr/bin/logger -t $(/usr/bin/basename $0) "custom script LUKS_UUID=$LUKS_UUID was not recognized [$$]"
      ;;

  esac

else

  /usr/bin/logger -t $(/usr/bin/basename $0) "custom script device $DEVICE_PATH was not recognized [$$]"

fi


/jffs/scripts/post-mount
Code:
#!/bin/sh
# Called by the firmware with the mount point as $1 (and by pre-mount above
# for the LUKS volumes, which the firmware itself never reports).
/usr/bin/logger -t $(/usr/bin/basename $0) "custom script started [$$]"
finish()  {
  /usr/bin/logger -t $(/usr/bin/basename $0) "custom script ended [$$]"
}
trap finish EXIT

MOUNT_POINT="$1"

if [ "$MOUNT_POINT" = "/tmp/mnt/data" ]; then

  # /tmp/opt is a symlink, so test with -L: "-f" is false for a symlink to a
  # directory, and "ln -sf" would then create the new link inside that
  # directory instead of replacing it.
  [ ! -L /tmp/opt ] && /bin/ln -nsf "$MOUNT_POINT/entware.arm" /tmp/opt

  export HOME=/opt/home

  # start Entware on /opt
  /opt/etc/init.d/rc.unslung start
fi


/jffs/scripts/services-stop
Code:
#!/bin/sh
# Runs at reboot/shutdown. The firmware never calls "unmount" for /dev/mapper
# devices, so the LUKS volumes are closed here, after everything that holds
# files open on them has been stopped.
/usr/bin/logger -t $(/usr/bin/basename $0) "custom script started [$$]"
finish()  {
  /usr/bin/logger -t $(/usr/bin/basename $0) "custom script ended [$$]"
}
trap finish EXIT


umount_swap()
{
  local luks_uuid="$1"
  local mappername="swap-${luks_uuid}"

  if [ -b "/dev/mapper/$mappername" ]; then
    /sbin/swapoff "/dev/mapper/$mappername"
    /entware/sbin/cryptsetup luksClose "$mappername"
  fi
}

umount_data()
{
  local luks_uuid="$1"
  local mappername="data-${luks_uuid}"

  if [ -b "/dev/mapper/$mappername" ]; then
    # A busy filesystem cannot be unmounted and luksClose then fails as well;
    # log it so a stuck volume shows up in syslog.
    /bin/umount "/dev/mapper/$mappername" || /usr/bin/logger -t $(/usr/bin/basename $0) "custom script could not unmount $mappername [$$]"
    /entware/sbin/cryptsetup luksClose "$mappername"
  fi
}

# stop Entware on /opt (it lives on the encrypted data volume)
/opt/etc/init.d/rc.unslung stop

# stop Samba to release locked files
/sbin/service stop_samba

# unmount the encrypted partitions and the swap partition
umount_swap "1b3da15a-d580-45e1-91d9-16aaacfc5f9f"
umount_data "8c7d552d-17bb-494e-8d91-ba6ee2dcf150"
umount_data "e8264547-9e1d-44b8-9ee8-5ef52ae54ba9"
umount_data "3009fae4-c8af-4347-8ee1-2fc59cbe62b9"

# overclocking (CPU,memory clock in MHz; persisted in nvram for the next boot)
/usr/sbin/nvram set clkfreq=1200,800
/usr/sbin/nvram commit
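
The pre-mount script above dispatches on the output of cryptsetup luksUUID. As an added example, not code from the original post, here is the same identification done by reading the LUKS1 header directly, plus a count of active keyslots, which is the check worth running on such a disk: it tells you how many distinct passphrases can unlock it. It assumes LUKS1 (cryptsetup 1.x, as in the Entware-ng builds of that period); a LUKS2 header (cryptsetup 2.0 and later) shares the magic but carries version 2 and a different layout, so the parser reports it as not-LUKS1 rather than guessing. The header bytes are constructed, and the UUID table mirrors the script's case statement. One caveat a reader should take from the script itself: with the key file on /jffs and the other passphrases inside the script, the volumes are protected only while the disk is separated from the router; whoever holds the router, or a backup of /jffs, holds the keys.

```python
"""Identify a LUKS1 volume from its on-disk header without cryptsetup, and map
its UUID to the mapper name and mount point the pre-mount script would use.
Added example for this thread, not code from the original post. Offsets follow
the LUKS1 on-disk format (592-byte header, big-endian fields); the header bytes
are constructed inline, and the UUID table mirrors the script's case statement."""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"  # fields up to and including the UUID
PHDR_LEN = 208
KEYSLOT_FMT = ">II32sII"                 # active, iterations, salt, material offset, stripes
KEYSLOT_LEN, KEYSLOTS = 48, 8
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD

# Same UUID -> role dispatch the posted pre-mount script hard-codes in its case statement.
VOLUMES = {
    "1b3da15a-d580-45e1-91d9-16aaacfc5f9f": ("swap", None),
    "8c7d552d-17bb-494e-8d91-ba6ee2dcf150": ("data", "data"),
    "e8264547-9e1d-44b8-9ee8-5ef52ae54ba9": ("data", "data2"),
    "3009fae4-c8af-4347-8ee1-2fc59cbe62b9": ("data", "usbflash"),
}


def _field(raw):
    return raw.split(b"\x00", 1)[0].decode("ascii")


def parse_luks1_header(hdr):
    """Return the fields a mount script cares about, or None if this is not a
    LUKS1 header (the equivalent of `cryptsetup isLuks` failing)."""
    if len(hdr) < PHDR_LEN + KEYSLOTS * KEYSLOT_LEN or hdr[:6] != LUKS_MAGIC:
        return None
    (_magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = struct.unpack_from(PHDR_FMT, hdr, 0)
    if version != 1:
        return None  # LUKS2 uses the same magic with version 2 and another layout
    active = 0
    for i in range(KEYSLOTS):
        state = struct.unpack_from(KEYSLOT_FMT, hdr, PHDR_LEN + i * KEYSLOT_LEN)[0]
        if state == KEY_ENABLED:
            active += 1
    return {
        "uuid": _field(uuid),
        "cipher": "%s-%s" % (_field(cipher), _field(mode)),  # e.g. aes-cbc-essiv:sha256
        "hash": _field(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_off,
        "active_keyslots": active,
    }


def plan_for_device(hdr):
    """What the pre-mount logic should do with this device:
    ('swap', mapper), ('data', mapper, mountpoint) or ('ignore', reason)."""
    info = parse_luks1_header(hdr)
    if info is None:
        return ("ignore", "not a LUKS1 header")
    role = VOLUMES.get(info["uuid"])
    if role is None:
        return ("ignore", "unknown LUKS UUID %s" % info["uuid"])
    kind, mountname = role
    if kind == "swap":
        return ("swap", "swap-" + info["uuid"])
    return ("data", "data-" + info["uuid"], "/mnt/" + mountname)


def build_sample_header(uuid, cipher="aes", mode="cbc-essiv:sha256", hash_spec="sha256",
                        key_bytes=32, active_slots=1):
    """Constructed LUKS1 header (no real key material) for the examples below."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, cipher.encode(), mode.encode(),
                       hash_spec.encode(), 4096, key_bytes, b"\x00" * 20, b"\x00" * 32,
                       1000, uuid.encode())
    slots = b""
    for i in range(KEYSLOTS):
        state = KEY_ENABLED if i < active_slots else KEY_DISABLED
        slots += struct.pack(KEYSLOT_FMT, state, 1000, b"\x00" * 32, 8 + i * 256, 4000)
    return phdr + slots


if __name__ == "__main__":
    sample = build_sample_header("8c7d552d-17bb-494e-8d91-ba6ee2dcf150")
    print(parse_luks1_header(sample))
    print(plan_for_device(sample))
```

On a real device read the first 592 bytes of the partition (dd if=/dev/sda1 bs=592 count=1) and pass them to parse_luks1_header; an active_keyslots value above the number of passphrases you deliberately enrolled is the thing to investigate.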
 