This adds a "factory" image for the aircube-isp devices. Note that the
firmware can't be uploaded without prior special preparation. For the
most recent instructions on how to do that, visit the OpenWRT wiki page
of the Ubiquiti airCube ISP for details:
https://openwrt.org/toh/ubiquiti/ubiquiti_aircube_isp
Current procedure:
With the original firmware 2.5.0 it is possible to upload and execute a
script via the configuration. To do that download and unpack the
original configuration, adapt uhttpd config to execute another lua
handler (placed in the config directory) and pack and upload it again.
The lua handler can call a script that mounts an overlayfs and modifies
the "fwupdate.real" binary so that an unsigned image is accepted. The
overlayfs is necessary because a security system (called tomoyo) doesn't
allow binaries in other locations than /sbin/fwupdate.real (and maybe
some more) to access the flash when executed via network.
A big thanks to Torvald Menningen (Snap) from the OpenWRT forum for
finding out how to patch the binary so that it accepts an unsigned
image.
The current step-by-step procedure is:
- Use a version 2.5.0 of the original firmware. This is important
because a binary file will be modified.
- Download a configuration.
- Unpack it (it's just a tar gz file without an ending).
- Add the following to uhttpd:
``````
config 'uhttpd' 'other'
list listen_http 0.0.0.0:8080
list listen_http [::]:8080
option 'home' '/tmp/persistent/config/patch/www'
option lua_prefix '/lua'
option lua_handler '/tmp/persistent/config/patch/handler.lua'
``````
- Create a `patch` subfolder.
- Create a `patch/www` subfolder.
- Create a `patch/handler.lua` with the following content:
``````
function handle_request(env)
uhttpd.send("Status: 200 OK\r\n")
uhttpd.send("Content-Type: text/plain\r\n\r\n")
local command = "/bin/sh /tmp/persistent/config/patch/patch.sh 2>&1"
local proc = assert(io.popen(command))
for line in proc:lines() do
uhttpd.send(line.."\r\n")
end
proc:close()
end
``````
- Create a `patch/patch.sh` with the following content:
``````
#!/bin/sh -x
set -e
set -u
set -x
UBNTBOX_PATCHED="/tmp/fwupdate.real"
MD5FILE="/tmp/patchmd5"
cat <<EOF > ${MD5FILE}
c33235322da5baca5a7b237c09bc8df1 /sbin/fwupdate.real
EOF
# check md5 of files that will be patched
if ! md5sum -c ${MD5FILE}
then
echo "******** Error when checking files. Refuse to do anything. ********"
exit 0
fi
# prepare some overlay functionality
LOWERDIR="/tmp/lower_root"
mkdir -p ${LOWERDIR}
mount -t squashfs -oro /dev/mtdblock3 ${LOWERDIR}
overlay_some_path()
{
PATH_TO_OVERLAY=$1
ALIAS=$2
UPPERDIR="/tmp/over_${ALIAS}"
WORKDIR="/tmp/over_${ALIAS}_work"
mkdir -p ${UPPERDIR}
mkdir -p ${WORKDIR}
mount -t overlay -o lowerdir=${LOWERDIR}${PATH_TO_OVERLAY},upperdir=${UPPERDIR},workdir=${WORKDIR} overlay ${PATH_TO_OVERLAY}
}
# patch the ubntbox binary.
overlay_some_path "/sbin" "sbin"
echo -en '\x10' | dd of=/sbin/fwupdate.real conv=notrunc bs=1 count=1 seek=24598
echo "******** Done ********"
``````
- Repack the configuration.
- Upload it via the normal web interface.
- Wait about a minute. The webserver should restart.
- Now there is a second web server at port 8080 which can call the lua
script. Visit the page with a web browser. Link is for example
http://192.168.1.1:8080/lua
- You should see the output of the script with a "*** Done ***" at the
end. Note that the patches are not permanent. If you restart the
router you have to re-visit the link (but not re-upload the config).
- Now you can upload an unsigned binary via the normal web interface.
Signed-off-by: Christian Mauderer <oss@c-mauderer.de>
5e5e92b7c3