Add menuconfig option 'kmod-usb-gadget-fs' for the USB FunctionFS gadget
module
OpenWRT is perfect for USB gadgets that are network-enabled, since it
provides everything needed to easily manage the device. Having support
for the FunctionFS gadget enables the use of any custom USB device
that does not have a specific module, like Media Transfer Protocol.
Signed-off-by: Dominic Germain <dominic@germain.cc>
Link: https://github.com/openwrt/openwrt/pull/21207
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The build system allows using Linux release candidate kernels (-rcX).
For this a target/linux/generic/kernel-6.XY as follows is needed:
LINUX_VERSION-6.XY = -rc1
LINUX_KERNEL_HASH-6.XY-rc1 = 18ba6ebd72f46b881e0d73e390b2888b7b43...
Sadly the builds fail with a packaging error.
fakeroot /home/openwrt/openwrt/openwrt/staging_dir/host/bin/apk
mkpkg --info "name:kernel" --info "version:6.15-rc1~c4bf...1f6-r1"
ERROR: info field 'version' has invalid value: package version is invalid
The apk metadata specification reads:
"... Currently the APK version specification is as follows:
number{.number}...{letter}{_suffix{number}}...{~hash}{-r#} ...
Optionally one or more _suffix{number} components can follow.
The list of valid suffixes (and their sorting order) is: alpha,
beta, pre, rc, <no suffix>, cvs, svn, git, hg, p."
Given that the kernel uses the "-rcX" naming scheme and apk requires
"_rcX" instead, simply translate the dash to an underscore for
these builds.
Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
Link: https://github.com/openwrt/openwrt/pull/21214
Signed-off-by: Robert Marko <robimarko@gmail.com>
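The version grammar quoted in the commit message above, as an added example (not code from the commit, the OpenWrt build system or apk-tools): a checker built only from the quoted grammar line, plus the dash-to-underscore translation the message describes. The function names, the hex-only reading of `{~hash}` and the sample hash are assumptions made for illustration.

```python
import re

# Suffixes listed in the specification text quoted in the commit message.
SUFFIXES = ("alpha", "beta", "pre", "rc", "cvs", "svn", "git", "hg", "p")
_SUFFIX = "|".join(SUFFIXES)

# number{.number}...{letter}{_suffix{number}}...{~hash}{-r#}
APK_VERSION = re.compile(
    r"\d+(?:\.\d+)*"              # number{.number}...
    r"[a-z]?"                     # {letter}
    rf"(?:_(?:{_SUFFIX})\d*)*"    # {_suffix{number}}...
    r"(?:~[0-9a-f]+)?"            # {~hash}, assumed to be lowercase hex
    r"(?:-r\d+)?"                 # {-r#}
)


def is_valid_apk_version(version):
    """True if the whole string matches the quoted grammar."""
    return APK_VERSION.fullmatch(version) is not None


def kernel_to_apk_version(version):
    """Rewrite the kernel's '-rcX' marker as apk's '_rcX' suffix.

    Only '-rc<digits>' is touched, so the trailing '-r#' release stays as is.
    """
    return re.sub(r"-(rc\d+)", r"_\1", version, count=1)


if __name__ == "__main__":
    # Constructed sample: the hash is made up, the shape follows the error above.
    raw = "6.15-rc1~0123abcd4567-r1"
    fixed = kernel_to_apk_version(raw)
    for v in (raw, fixed, "6.12.58~0123abcd4567-r1"):
        print(f"{v:32} valid={is_valid_apk_version(v)}")
```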
Broadcom BCM43602 needs certain NVRAM variables to be set to function. Add
a quirk for it and add ASUS RT-AC3200 which has got Broadcom BCM43602 to
the quirk. Thanks to Tom Brautaset for finding the needed variables.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
Add ASUS RT-AC3200 and ASUS RT-AC5300 to the set wireless LED behaviour
quirk. ASUS RT-AC3200's wireless chip is different than ASUS RT-AC5300's,
the environment variables for it are 0:ledbh10 and 1:ledbh10.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
server. Other programs on a system may authenticate unix sockets via
SO_PEERCRED, which would be root user for Dropbear forwarded connections,
allowing root privilege escalation.
Reported by Turistu, and thanks for advice on the fix.
This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.
It is fixed by dropping privileges of the dropbear process after
authentication. Unix stream sockets are now disallowed when a
forced command is used, either with authorized_key restrictions or
"dropbear -c command".
In previous affected releases running with "dropbear -j" (will also disable
TCP forwarding) or building with localoptions.h/distrooptions.h
"#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.
- Security: Include scp fix for CVE-2019-6111. This allowed
a malicious server to overwrite arbitrary local files.
The missing fix was reported by Ashish Kunwar.
- Server dropping privileges post-auth is enabled by default. This requires
setresgid() support, so some platforms such as netbsd or macos will have to
disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
not available if DROPBEAR_SVR_DROP_PRIVS is disabled.
Remote server TCP socket forwarding will now use OS privileged port
restrictions rather than having a fixed "allow >=1024 for non-root" rule.
A future release may implement privilege dropping for netbsd/macos.
- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
to a crash at startup with bad_bufptr().
Reported by Dani Schmitt and Sebastian Priebe.
- Don't limit channel window to 500MB. That could cause stuck connections
if peers advise a large window and don't send an increment within 500MB.
Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
Reported by Rob Hague.
- Ignore -g -s when passwords aren't enabled. Patch from Norbert Lange.
Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.
- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.
- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
150-350ms or possibly negative (zero). Reported by pickaxprograms.
- Fix building without public key options. Thanks to Konstantin Demin
- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin
- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger
- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
Dropped:
* 050-dropbear-multihop-fix.patch as it's included in the release 5cc0127000db5f
* 051-fix-pubkey-options.patch as it's included in the release 1d4c4a542cd5df
* 052-fix-missing-depends-for-sntrup761x25519-sha512.patch as it's included
in the release 1a2c1e649a1824
* 053-Don-t-limit-channel-window-to-500MB.patch as it's included in the release a8610f7b98ad
Manually rebased:
* 110-change_user.patch
Fixes: CVE-2025-14282, CVE-2019-6111
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Reviewed-by: Konstantin Demin <rockdrilla@gmail.com>
Tested-by: Konstantin Demin <rockdrilla@gmail.com> [mediatek/filogic (GL.iNet GL-MT6000)]
Link: https://github.com/openwrt/openwrt/pull/21186
Signed-off-by: Petr Štetiar <ynezz@true.cz>
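Why SO_PEERCRED and a forwarding daemon interact as the CVE-2025-14282 entry above describes, as an added example (not Dropbear code and not part of the commit): a local service reads the peer credentials of a forwarded connection and gets the uid of the process that called connect(), not of the user the forwarder acts for. `forward_for`, `observe_forwarded_peer`, `service_allows` and the user name are hypothetical; Linux is assumed.

```python
import os
import socket
import struct
import tempfile
import threading


def peer_credentials(conn):
    """Return (pid, uid, gid) the kernel recorded for the peer of a Unix socket."""
    size = struct.calcsize("3i")
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
    return struct.unpack("3i", raw)


def forward_for(requesting_user, path):
    """Hypothetical stand-in for an SSH server's stream forwarder. It acts for
    requesting_user, but connect() is issued by this (the server's) process."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(requesting_user.encode())


def observe_forwarded_peer(requesting_user):
    """Forward one connection to a local service and report what it can learn."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "svc.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            srv.listen(1)
            fwd = threading.Thread(target=forward_for, args=(requesting_user, path))
            fwd.start()
            conn, _ = srv.accept()
            with conn:
                _pid, uid, _gid = peer_credentials(conn)
                claimed = conn.recv(64).decode()
            fwd.join()
    return {"peer_uid": uid, "forwarder_uid": os.getuid(), "claimed_user": claimed}


def service_allows(peer_uid, trusted_uids=(0,)):
    """Policy a local daemon might apply: trust whatever uid SO_PEERCRED reports."""
    return peer_uid in trusted_uids


if __name__ == "__main__":
    seen = observe_forwarded_peer("alice")  # constructed user name
    print(seen)
    # The service sees the forwarder's uid, never "alice". If the forwarder
    # still runs as root, service_allows() is true for every SSH user.
    print("allowed if forwarder is root:", service_allows(0))
    print("allowed after privilege drop:", service_allows(1000))
```

Dropping privileges after authentication, as the changelog describes, makes the uid reported by SO_PEERCRED that of the logged-in user, so a uid-based policy in the local service becomes meaningful again.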
The u-boot target name has to match the u-boot configuration. Switch
this back to the old names.
Fixes: d871e95e7f ("sunxi: image: sync target profiles names with DT compatible")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes a failed bring up of the radio on bootup
if the model defines a rename of phy in its /etc/board.json.
This specifically impacts Redmi AX6S and any router that does so
in its /etc/board.json. The fix fortunately is simple, just update
phy name in phys after rename.
The entry that specifically causes this issue is the following:
{
	<omitted>
	"wlan": {
		"wl0": {
			"path": "platform/18000000.wmac",
			"info": {
				"antenna_rx": 15,
				"antenna_tx": 15,
				"bands": {
					"2G": {
						"ht": true,
						"max_width": 40,
						"modes": [
							"NOHT",
							"HT20",
							"HT40"
						],
						"default_channel": 1
					}
				},
				"radios": [
				]
			}
		},
	...
}
The issue is that after rename, referenced phy in config is going to be
wl0 but in phys array it is still phy0; and so it fails to find phy
and does not bring up radio.
Fixes: https://github.com/openwrt/openwrt/issues/20250
Fixes: https://github.com/openwrt/openwrt/issues/20339
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21175
Signed-off-by: Robert Marko <robimarko@gmail.com>
Following up with errors reported in the ASU repo, these bananapi cases
do not match the DT compatible "bpi", sync with dts sources.
Also some profiles were overwriting SUPPORTED_DEVICES.
Sysupgrade would be failing in SUPPORTED_DEVICES check since
the DT compatible(/tmp/sysinfo/board_name) is not in SUPPORTED_DEVICES.
This should also fix errors when using ASU sysupgrade clients.
- Sync profile makefile target names with DT compatibles.
- Fix overwrites of SUPPORTED_DEVICES instead of appending.
- Adapt the uboot-sunxi profiles accordingly.
*bpi-p2-zero dts is still not upstream.
V2:
- Include fixes for arm926ejs(ARM926EJ-S) subtarget (LicheePi Nano and
PopStick v1.1) (profile rename for correct default SUPPORTED_DEVICES)
Fixes: https://forum.openwrt.org/t/luci-attended-sysupgrade-support-thread/230552/246
Fixes: https://github.com/openwrt/asu/issues/486
Fixes: https://github.com/openwrt/asu/issues/524
Fixes: 9aa66b8ce7 "sunxi: add support for Banana Pi M2 Berry"
Fixes: d5f615bf2a "sunxi: add support for Sinovoip Banana Pi M2 Plus"
Fixes: 3819c1638a "sunxi: Add support for Banana Pi M2 Ultra"
Fixes: 6bf8193b25 "sunxi: add support for Bananapi P2 Zero"
Fixes: 80edfaf675 "sunxi: add support for Banana Pi M3"
Fixes: 3c24a1d423 "sunxi: add support for NanoPi NEO Plus2 board"
Fixes: a689307c97 "sunxi: build image/uboot for the NanoPi NEO2"
Fixes: fde68cb809 "sunxi: add support for FriendlyARM NanoPi R1S H5"
Fixes: 3ec468ff4f "sunxi: add F1C100 (arm926ej-s) support"
Signed-off-by: Mario Andrés Pérez <mapb_@outlook.com>
Link: https://github.com/openwrt/openwrt/pull/21095
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is a trivial change to allow users to use 'list' on iface.
Old wifi-scripts already implements this, so this just ensures
that shell-based and ucode wifi-scripts are on-par with each other.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20977
Signed-off-by: Robert Marko <robimarko@gmail.com>
When iface is omitted, wifi-vlan will apply to all interfaces.
However, netifd.set_vlan call is not successful as it assumes
that every wifi-vlan section corresponds to one VIF.
For this reason in the wifi-vlan case (cur_type == "vlan")
we create a composite key in the form `${vif.name}/${vlan.name}`
allowing the same vlan section to correspond to multiple VAPs.
`/` was decided as a delimiter as it is an invalid character
for a network interface name and UCI identifier; so it is
impossible for it to cause conflicts.
It was verified that the `ubus call network.wireless status`
works as expected with this change. Moreover, wifi-station
is not susceptible to this problem.
This also means that it is now possible for wifi-vlan
to support `list` iface similar to old shell-based wifi-scripts.
This will be done in a follow-up commit.
Fixes: 98435a37a7 ("wifi-scripts: iface should be optional in wifi-vlan definition")
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20977
Signed-off-by: Robert Marko <robimarko@gmail.com>
c6202981872e ipq5018: use correct board for GL-iNet B3000 IPQ5018 radio
ec72376cadf1 qca4019: Add Meraki Underdog
059b7114c77b ipq6018: add tp-link eap620hd v2
Signed-off-by: Robert Marko <robimarko@gmail.com>
cf51aeb93220 odhcpd: fix captive_portal_uri reset
e8b7fdea8d5e dhcpv4: fix DNS server option
b84553e496a3 router: Modify relayed RA PIO P flag according to interface policy
da3e2a9829cc router: Modify relayed RA PIO A flags according to interface policy
bad7138b70f0 README.md: update dhcp ubus events
ca00527e5f...cf51aeb932
Also remove duplicated /usr/share/libubox/jshn.sh include.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
This allows an optional tag to be put in the .config file which is
included in the filename of the resulting images, so it's easier to
build images with different functionality for the same target hardware.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Link: https://github.com/openwrt/openwrt/pull/20984
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The previous logic was copied from 12_network-generate-ula, but fails to
account for upgrades where the "auto" value isn't set (it is set by
base-files/files/bin/config_generate). Fix this to always set the
default duid if it isn't set.
Also, rename the file to better reflect what it does.
Closes: #21029
Fixes: a660a076db ("base-files: generate a global DHCP DUID")
Link: https://github.com/openwrt/openwrt/pull/21118
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [fixes,closes tag]
Add the DDR4_4BG_MODE option, which supports 4GB DDR4 RAM
for the MT7987 and 8GB DDR4 RAM for the MT7988. If this mode
is not enabled, bl2 can only recognize half the size of RAM.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
Link: https://github.com/openwrt/openwrt/pull/21000
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit adds support for the Watchguard Firebox models
T10-W, T15 and T15-W.
CPU: Freescale P1010
RAM: 512MB (T10) / 1024MB (T15)
Flash: 1MB SPI-NOR, 512MB NAND (T10) / 1024MB NAND (T15)
WiFi: 802.11abgn 2T2R AR9582 based Mini-PCIe card (-W models only)
Ethernet: 3x GBE (via AR8033 PHY)
LEDs: 7x hard-wired (6x LAN, 1x Power)
      4x GPIO single-colored (Attn/Status/Mode/Failover)
      1x GPIO dual-colored (2.4/5G WiFi, -W models only)
Serial: RJ45, Cisco pinout, 115200/8N1
Other: Battery backed RTC
       Atmel TPM 1.2 chip (unsupported)
Based on 35f6d79, which introduced Watchguard Firebox T10 support.
The T10 and T15 are identical hardware, with the exception of the T15
having twice the flash and RAM size.
The T10-W and T15-W models have their Mini-PCIe slot populated with an ath9
(AR9582) based WiFi card. The slot is either unpopulated or empty for
non-WiFi models. All required drivers are present by default on the mpc85xx
target, so T10/T10-W resp. T15/T15-W can use the same OpenWrt image.
This commit also introduces the zImage loader from 7d768a9 to boot the
kernel. This is required, since the U-Boot version used in these devices
appears to have a hard limit of 16MB for the kernel size it can handle. The
current kernel size is around 17MB, though, due to kernel page alignment
required for memory protection.
Installation (replaces previous instructions for T10):
1. If the U-Boot password is known, proceed with step 2.
   If the U-Boot password is unknown, dump the NOR flash using a SPI
   programmer and patch the unknown password to a known one. You can use
   blocktrron's Python script:
   https://github.com/blocktrron/t10-uboot-patcher/
   This script will patch the password to '1234' (without quotes).
   Alternatively, you can search for the hashed password in the NOR dump
   yourself and overwrite it with a known one. The SHA1 hash is:
   E597301A1D89FF3F6D318DBF4DBA0A5ABC5ECBEA
   Write the patched NOR dump back to the device.
2. Connect the device via serial cable, power it on and interrupt
   the boot process by pressing Ctrl+C. Enter the U-Boot password to access
   the CLI.
3. (Optional) Populate the uboot-env partition by entering:
     saveenv
   This will allow you to use uboot-envtools from within OpenWrt later,
   e.g. to increase the loadable kernel size.
   The default loadable kernel size is 5MB, the compressed kernel size at
   the time of this commit is 3.1MB.
4. Serve the initramfs OpenWrt image from a TFTP server at 10.0.1.13/24,
   connected to eth0 (WAN) of the device. File name must be 'uImage'. Boot
   with:
     tftpboot; bootm;
   Make sure to use the correct image for your device (T10 resp. T15)!
5. After booting, connect to OpenWrt on eth1 (LAN) via SSH. Verify
   that the UBI partition is mtd7, format it and install the sysupgrade
   image.
     $ cat /proc/mtd
     $ ubiformat /dev/mtd7 -y
     $ sysupgrade -n <path to sysupgrade.bin>
6. The device should now boot OpenWrt from NAND flash. Enjoy.
Back to stock:
Use the vendor recovery procedure.
Stock recovery might also be necessary in case you have accidentally used
the fw_setenv command from within OpenWrt without using saveenv in U-Boot
first.
In order to use the vendor firmware recovery procedure, the NAND partitions
mtd3 to mtd6 must remain intact. Make sure not to overwrite them, or keep
dumps of them for later recovery.
Signed-off-by: Shine <4c.fce2@proton.me>
Link: https://github.com/openwrt/openwrt/pull/16776
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Update to latest release.
Add patch `003-Revert-libcap-Add-build-ldflags-to-_makenames-rule.patch`
to fix errors in the form of:
```
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(__stack_chk_fail.o): relocation R_X86_64_32 against symbol `__stack_chk_guard' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(strerror.o): relocation R_X86_64_32 against `.rodata.errmsgstr' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(realloc.o): relocation R_X86_64_32S against hidden symbol `__malloc_size_classes' can not be used when making a PIE object
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(__stdout_write.o): relocation R_X86_64_32S against hidden symbol `__stdio_write' can not be used when making a PIE object
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(ofl.o): relocation R_X86_64_32 against `.bss.ofl_lock' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(stderr.o): warning: relocation against `__stderr_FILE' in read-only section `.rodata.stderr'
/usr/bin/ld.bfd: /usr/lib/gcc/x86_64-linux-gnu/10/../../../x86_64-linux-gnu/Scrt1.o: in function `_start':
(.text+0x12): undefined reference to `__libc_csu_fini'
/usr/bin/ld.bfd: (.text+0x19): undefined reference to `__libc_csu_init'
collect2: error: ld returned 1 exit status
```
Changes: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/diff/?id=v1.2.77&id2=v1.2.69&dt=2
The apk size did not increase much:
Old size for armsr/armv8:
16245 libcap-2.69-r1.apk
new size for armsr/armv8:
16315 libcap-2.77-r1.apk
Signed-off-by: Nick Hainke <vincent@systemli.org>
Link: https://github.com/openwrt/openwrt/pull/20881
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Backport patch fixing support for GCC15 caused by __counted_by.
This macro was moved to a different header in recent kernel version and
caused wrong detection on the #ifndef condition.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
ca00527e5fc3 statefiles: don't write empty hosts files
24b70c5c2ff0 Revert "statefiles: fix escape sequence for broken hostname output"
5203ad13954c statefiles: fix stale pio handling for !ubus
a64760b30f67 odhcpd: rename piofolder to piodir
6779344a8c8a statefiles: use tmpfile functions for pio files
9f8abcc662d0 statefiles: rename prefix information functions
cb65b83e524e config: move pio json handling to statefiles.c
5b01849cc42c statefiles: add a dirfd helper function
eadde3d7dd74 statefiles: add tmp helper functions
c29aa7091498 statefiles: fix escape sequence for broken hostname output
00f2d7a4dbe5 dhcpv4: don't send zero IPv6-only preferred option
c86d29bb83d6 Revert "dhcpv6-ia: add some noise to the T1 and T2 periods"
b062769ab85f Revert "do not delegate ULA prefixes"
fd4714bb2dfe do not delegate ULA prefixes
81ea5bfef775 dhcpv6-ia: add some noise to the T1 and T2 periods
79252ed0c0...ca00527e5f
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
This fixes the following build error:
```
../src/apk.c: In function 'parse_options':
../src/apk.c:584:4: error: a label can only be part of a statement and a declaration is not a statement
584 | char *arg = opt_parse_arg(&st);
| ^~~~
```
Upstream MR: https://gitlab.alpinelinux.org/alpine/apk-tools/-/merge_requests/376
Fixes: b91ebdabbb ("apk: bump to 3.0.1")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>