SSH Can't open Koolshare script - on offical firmware

[DX81]

Hi,

I realise this has been referenced on another post (https://www.snbforums.com/threads/rt-n66u-koolshare.56351/) but I'm having this issue suddenly pop up after using the offical AsusWRT-Merlin firmware without ever having used "Koolshare"

When I login via SSH as per normal the router suddenly comes up with:

-sh: source: line 4: can't open '/koolshare/scripts/base.sh'
admin@RT-AC88U-E268:/tmp/home/root#

Whats concerning after reading the last post is that I didn't even know of any other unofficial/illegal alternate firmware called Koolshare - as far as I know the router only ever previously had the offical Asus stock firmware when I previously bought it.

The issue only appeared after the Diversion stopped working - from what appeared as a USB drive failure.

I proceded to take USB flash drive offline and performing a "Health Scanner" check via the routers admin page which listed a few errors that I assumed may have been caused by a sudden power loss.

I only noticed this when Diversion and Skynet appeared to not be working - but after a reinstallation (the reinstaller found the previous configuration files and reinstalled over the top) the following "-sh: source: line 4: can't open '/koolshare/scripts/base.sh'" started to appear.

I can categorically confirm that I'm on the offical Merlin firmware (384.14_2 on AC88U) so I'm left perplexed - if not a bit concerned.

Assuming its trying to start a non-existent script is there anyway to edit any boot up SSH files to be able to remove the problematic "line 4"

Many thanks in advance for any advice!

 

[Maverickcdn]

Curious, where did you download the 'official' firmware you flashed?

 

[ColinTaylor]

Did you buy this router second hand?

 

[DX81]

Curious, where did you download the 'official' firmware you flashed?

The first time I installed AsusWRT-Merlin it was from https://www.asuswrt-merlin.net/download

I've had the router for more than a year and its been updating as normal - and even checking now the WebUI update page references "https://www.asuswrt-merlin.net/download" in order to do a manual update

Specifically this on the "Firmware Upgrade" tab under Administration

Note:

1. The latest firmware version includes updates from the previous version.
2. Configuration parameters will keep their settings during the firmware update process.
3. In case the upgrade process fails, RT-AC88U enters the emergency mode automatically. The LED signals at the front of RT-AC88U will indicate such a situation.Please visit ASUS Download Center to download ASUS Device Discovery utility.
4. Get the latest firmware version from the download site at https://www.asuswrt-merlin.net/download/

Firmware Version
Signature version
2.158 Updated : 2019/12/27 02:00

Scheduled check for new firmware availability Yes No
Check Update
AiMesh router
RT-AC88U

 

[ColinTaylor]

Remove any USB devices and reboot the router. If the message is still there then reformat the /jffs partition.

 

[DX81]

Did you buy this router second hand?

Thats my concern - it came retail but via an online store - I don't recall anything being out of the ordinary (it was more than a year ago) but the very first thing I did was replace the firmware with Merlin as I was coming from an older router where I had been using the same firmware.

So I have double questioned myself over whether it might have had been used/returned stock - I have to admit that as unlikely as it is I'm really left wondering. What I do know is that I've definitely been using the offical firmware ever since - so I'm perplexed how over the last year nothing out of the ordinary never revealed anything until now more than a year later - especially as I've long been using Diversion and Skynet with and never noticed anything.

 

[RMerlin]

That koolshare thing does not exist either in the stock firmware or my firmware. Someone once ran a non-supported third party firmware, or incorrectly configured something about it in the JFFS custom scripts. You should do a complete factory default reset, including resetting the JFFS content.

Check what is in the /jffs/scripts/ folder. It should be empty with a new router.

 

[DX81]

Remove any USB devices and reboot the router. If the message is still there then reformat the /jffs partition.

Thanks! I've definitely tried the first option of rebooting/removing the drive. Will reformatting the JFFS partition wipe the configuration settings for Diversion and Skynet?

That koolshare thing does not exist either in the stock firmware or my firmware. Your router is running some other unknown firmware.

Many thanks RMerlin for the input - is there anyway for me to categorically confirm that I'm on your offical firmware? ..via SSH or any sure way?

..according to the WebUI it is on 384.14_2 and the signature check works.

If it had been used/flashed before I bought it: should wiping and installing your firmware override everything? - With the dubious nature of Koolshare I'm concerned there might be residual files/scripts if it was a previously used router as I'm suspecting?

 

[dave14305]

Isn't it only possible for something like that to appear in /jffs/configs/profile.add or /opt/etc/profile (i.e. Entware)?

RT-N66U + koolshare

 

[Maverickcdn]

Even more curious its 'retail' and firmware you loaded came from the source.

Have you ever had the following?

On your Administration-->System page... is SSH enabled? for just LAN or WAN/LAN? Also is Webaccess from WAN enabled?

Or when you say 'retail' buy, are we talking reputable brick and mortar or aliexpress??

RMerlin could say for sure, but your 'firmware/signature' version you posted looks wonky to me

 

[ColinTaylor]

Isn't it only possible for something like that to appear in /jffs/configs/profile.add or /opt/etc/profile (i.e. Entware)?

Koolshare copies its files from /rom/etc/ into the /jffs partition. So yes, there will be files in /jffs. It also modifies files like wan-start, nat-start, post-mount, etc.

 

[DX81]

Even more curious its 'retail' and firmware you loaded came from the source.

Have you ever had the following?

On your Administration-->System page... is SSH enabled? for just LAN or WAN/LAN? Also is Webaccess from WAN enabled?

Or when you say 'retail' buy, are we talking reputable brick and mortar or aliexpress??

RMerlin could say for sure, but your 'firmware/signature' version you posted looks wonky to me

Sorry the firmware version got cut off when I copied and pasted before - below is the correct info (minus redundant info I've deleted for conciseness)
Firmware Version
Signature version
2.158 Updated : 2019/12/27 02:00
RT-AC88U
Current Version : 384.14_2

SSH is definitely ONLY enabled for LAN - likewise with "WebAccess from WAN" being disabled
-- however that's definitely not indicative of what it was originally as over the last year I've gone through most settings and customised things as I've needed - and of course if that had been enabled it would have set off warning bells.

It wasn't a AliExpress or Ebay purchase - it was from an Australian online retailer. I have to go through and try to find but I received a regular receipt and nothing was suspect or unusual besides the slightly discounted cost. The only thing I can possibly imagine is returned stock from someone who had used it before - as unlikely as it sounds even to me.

 

[Maverickcdn]

Just trying to rule out a net attack against you.

The guru's can take it from here, but if it were me, I wouldnt hesitate to do a full factory reset (maybe even reflash the firmware) and start reconfiguring and see if it comes back.

 

[dave14305]

Koolshare copies its files from /rom/etc/ into the /jffs partition. So yes, there will be files in /jffs. It also modifies files like wan-start, nat-start, post-mount, etc.

That’s un-kool. Glad I missed that era.

 

[Davidncali001]

I bought my AC86 from New Egg and it was obvious that someone had flashed the firmware before I had my hands on it. When I booted the AC86 up for the first time and went into the GUI I saw that it was running an older build of RMerlin's firmware. I did a complete M&M Nuke reset and updated to the latest Merlin firmware. No problems that I know of so far, going on 8 months.

 

[thelonelycoder]

Koolshare copies its files from /rom/etc/ into the /jffs partition. So yes, there will be files in /jffs. It also modifies files like wan-start, nat-start, post-mount, etc.

And the addons (or marketplace) page is dynamically loaded from a source that is even more questionable then the rest of the firmware.

 

[DX81]

Whats the best way to truely wipe everything?

Is there anyway to save AsusWRT-Merlin settings? And preferably those of Diversion and Skynet?

 

[thelonelycoder]

Whats the best way to truely wipe everything?

Is there anyway to save AsusWRT-Merlin settings? And preferably those of Diversion and Skynet?

I would not take any chances and wipe it all, including the USB device.
Diversion has a function for a local backup in d. Run it and save the file on an external device after. The function shows where the file is saved to on /jffs.
Then use amtm to format the device.
Then do a reset of the router in Administration, then also format the /jffs partition.
Then it's time to install the latest firmware. Place the Diversion backup file back in/jffs and use amtm to install Diversion. Select the option to restore from backup.

 

[RMerlin]

Whats the best way to truely wipe everything?

Is there anyway to save AsusWRT-Merlin settings? And preferably those of Diversion and Skynet?

Erase everything in jffs. My bet is Koolsahre was flashed at some point, and it created various scripts in the /jffs/ partition, which are still there because the factory default reset wasn't fully done (it's an extra checkbox on the webui to also wipe out that partition).

 

[L&LD]

I would not use anything that was backed up from this router. Pretend you just bought it today.

• Flash the firmware you want to use (even if it's the same you have on it now).
• Reset to factory defaults making sure to check the box to 'Initialize all settings...'.
• Do a temporary/quick set up just to get into the GUI and check the 'Format JFFS on next boot' option, make sure to go to the bottom of the webpage and hit 'Save'. Reboot the router and let it sit idle for 5 minutes after boot up.
• Perform a Hard Reboot by pulling the power plug from the router itself. Wait at least two minutes with no power connected to the router.
• Hold down the WPS button continuously while you plug in the power plug into the router. Keep holding the WPS button down until the router reboots (or shuts off). (This is a different way to reset to factory defaults).
  • If you did the above step properly, the Setup Wizard should appear when the router boots up.
• Do another tempory/quick set up and flash the same identical firmware you want to run.
• After the reboot, reset to factory defaults one last time (as above) including to 'Initialize all settings'.
• When the router has booted up in Setup Wizard mode, perform a full M&M Config.

At this point, I would begin to trust the router a little.

But I would be using new SSID's (that you've never connected to before, anywhere), a new user name, and of course new passwords everywhere on the router.

Please see more details of the M&M Config and possibly the Nuclear Reset Guide in my signature below.