Custom firmware build for Orbi RBK50 v. 2.5.0.42SF-HW

Discussion in 'NETGEAR AC Wireless' started by Voxel, Nov 26, 2019.

  1. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,439
    Initial custom firmware build for Orbi RBK50 2.5.0.42SF-HW.

    It is based on the stock firmware v. 2.5.0.40

    What was changed, only major changes (vs stock 2.5.0.40):

    1. Kernel: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 security fixes are added.
    2. Kernel: Congestion Control Algorithms: Westwood+, YeAH, HSTCP, Vegas are added (CCA Westwood+ is set as default).
    3. Kernel: RNDIS kernel object compilation is added.
    4. Kernel: NG/DNI changes to set 777 permission rights for all files (ext2/ext3/ext4 filesystems) are removed to provide normal Linux native security.
    5. Toolchain: GCC 5.2.0 compiler is updated to GCC 5.5.0 (plus all patches from OpenWRT).
    6. Toolchain: Binutils Linaro 2.24.0-2014.09 is updated to GNU version 2.32.
    7. Toolchain: GDB Linaro 7.6-2013.05 is updated to GDB 8.3.1.
    8. Compilation: Default compiler options are changed from
    -Os -pipe -march=armv7-a -mtune=cortex-a7 -mfloat-abi=soft
    to
    -O2 -pipe -mcpu=cortex-a7 -mtune=cortex-a7 -mfpu=neon-vfpv4 -funsafe-math-optimizations -mfloat-abi=softfp
    (Common performance: higher level of optimization, using neon SIMD instructions, Cortex-A7 extended instructions and true hardware floating-point instructions [instead of pure software floating-point emulation and pure ARMv7-A instructions])
    9. OpenSSL 1.0.2 is significantly changed. This needs a detailed explanation.
    (a) Upgraded to latest version 1.0.2t.
    (b) ASM/Neon SIMD accelerations are added. Benchmarks (OpenSSL utility):
    Stock 2.5.0.40 (openssl speed aes-256-cbc -elapsed)
    Code:
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256 cbc       7052.33k     7076.09k     7229.18k     7222.48k     6976.13k
    
    My version:
    Code:
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256 cbc      12696.43k    13449.48k    13707.96k    13952.61k    13862.75k
    
    So my version is almost twice as fast.
    (c) Hardware acceleration is enabled (use of /dev/crypto hardware). It seems that NG and/or DNI intended to add such acceleration (probably designed by QCA) but they failed; so de facto hardware acceleration of OpenSSL does not work in the stock fw. Benchmarks (OpenSSL utility):
    Stock 2.5.0.40 (openssl speed -evp aes-256-cbc -elapsed)
    Code:
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc       6515.24k     6907.97k     6751.23k     7051.95k     7097.00k
    
    My version:
    Code:
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-cbc        228.46k      857.39k     3464.87k    13802.84k    49010.01k
    
    I.e. for example for 8KB blocks my version is 7 times faster, thus hardware acceleration is working.
    [NOTE: A specific of the crypto device (it is a PCI device) is that when using small blocks (less than 1KB) it will be slower vs the ordinary version. But as far as I can guess OpenSSL 1.0.2 is used for the connection of the router with satellites and is using not less than 1KB blocks. At least my tests with iperf3 do not show any degradation of router <---> satellite speed when using hardware acceleration of OpenSSL 1.0.2, rather vice versa]
    10. OpenSSL 1.1.1 is added (latest version 1.1.1d). Currently it is used by OpenVPN, wget and stubby/getdns (TLS 1.3). Hardware acceleration of OpenSSL 1.1.1 is not enabled (only ASM/Neon SIMD) because its primary use is by OpenVPN, and OpenVPN works faster w/o hardware acceleration of OpenSSL 1.1.1.
    11. OpenVPN server is upgraded to v. 2.4.8. Plus optimization of servers/clients configs and using external liblz4 (boost).
    12. samba package is upgraded to version 3.6.25 with all available patches. Plus: samba is enabled by default so if you have an MBR USB disk/dongle attached to router/satellite its first partition will be used for samba sharing automatically after reboot and you can map it to e.g. your Windows PC. Sharename is “USB”. For example \\192.168.1.1\USB. It could be mapped for a user: guest (no password, read-only access), admin (your HTTP password, ordinary user’s write access according to permissions of folders on USB), root (your HTTP password, full root access to all files/disks).
    13. zlib package is upgraded to version 1.2.11.
    14. redis package is upgraded to version 2.6.17.
    15. dbus package is upgraded to version 1.12.12.
    16. lzo package is upgraded to version 2.10.
    17. dnsmasq package is upgraded to version 2.80 with specific NG/DNI changes.
    18. expat package is upgraded to version 2.2.9.
    19. tar package is upgraded to version 1.32.
    20. unzip package is upgraded to version 6.0.
    21. wget package is upgraded to version 1.20.3.
    22. util-linux package is upgraded to version 2.34.
    23. lua package is changed (adding some patches).
    24. gettext package is upgraded to version 0.19.8.1.
    25. ncurses package is upgraded to version 6.1.
    26. e2fsprogs package is upgraded to version 1.44.5.
    27. libjson-c package is upgraded to version 0.13.1.
    28. curl/libcurl package is upgraded to version 7.66.0.
    29. bridge-utils package is upgraded to version 1.6.
    30. libmnl package is upgraded to version 1.0.4.
    31. jansson package is upgraded to version 2.12.
    32. liblz4 package version 1.9.2 is added (used by OpenVPN).
    33. avahi package version 0.7 is added (used by samba).
    34. libdaemon package version 0.14 is added (used by avahi).
    35. gdbm package version 1.18.1 is added (used by avahi).
    36. DNSCrypt-Proxy-2 package version 2.0.33 is added.
    To enable it, run the following commands from the telnet console:
    Code:
    nvram set dnscrypt2=1
    nvram commit
    reboot
    
    37. stubby (DNS-Over-TLS) package version 0.2.6 is added.
    To enable it, run the following commands from the telnet console:
    Code:
    nvram set stubby=1
    nvram commit
    reboot
    
    If both DNSCrypt-Proxy-2 and stubby are enabled, only stubby will be used.
    38. unbound package version 1.9.5 is added (used by stubby).
    39. getdns package version 1.5.2 is added (used by stubby).
    40. yaml package version 0.2.2 is added (used by stubby).
    41. haveged package version 1.9.8 is added.
    42. ca-certificates package version 20190110 is added.
    43. usb-modeswitch package version 2017-12-19 is added with database 20170806.
    44. libusb package version 1.0.22 is added.
    45. libusb-compat package version 0.1.5 is added.
    46. mp707 package is added.
    47. dropbear package version 2019.78 is added.
    48. iperf3 package is added (testing connection speed).
    49. hotplug2 package is enabled and changed (allowing use of Entware from USB disk and /overlay partition on USB allowing changes of files/dirs.).
    50. alsalib, px5g, polarssl/mbedtls, libevent2, sqlite3, mxml, libjpeg/jpeg-tools, cyassl, uclibcxx, libnice, glib2, libffi and some others are disabled (because they are not used now, to save space).
    51. Several bugs are fixed. Yet several packages are changed/optimized/corrected.
    52. Etc. etc.

    NOTE: After some time your WebGUI could display “New version of firmware is available”. Beware: it is not my message, but from the NETGEAR server (new stock version), and if you start upgrading to the newer version it will flash the new stock version.

    The link is:

    https://www.voxel-firmware.com/Downloads/Voxel/html/browse.html

    (thanks to vladlenas for his help with hosting).

    Thanks to W1lliam for his help in testing.

    Voxel.
     
    Last edited: Nov 26, 2019
    Rebaser, W1lliam, L&LD and 8 others like this.
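The break-even point behind the small-block note in the post above, worked out from the posted `openssl speed` tables. This is an added example, not part of the original post or of Voxel's firmware; the function names are illustrative.

```python
import re

# Benchmark rows copied from the post above. `openssl speed` reports throughput
# in 1000s of bytes per second processed (the trailing "k").
HEADER = "type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes\n"
STOCK_SW = HEADER + "aes-256 cbc       7052.33k     7076.09k     7229.18k     7222.48k     6976.13k\n"
BUILD_SW = HEADER + "aes-256 cbc      12696.43k    13449.48k    13707.96k    13952.61k    13862.75k\n"
STOCK_EVP = HEADER + "aes-256-cbc       6515.24k     6907.97k     6751.23k     7051.95k     7097.00k\n"
BUILD_EVP = HEADER + "aes-256-cbc        228.46k      857.39k     3464.87k    13802.84k    49010.01k\n"


def parse_speed(text):
    """Return {block_size_bytes: throughput_k} from one `openssl speed` table."""
    sizes, rates = [], []
    for line in text.splitlines():
        if line.startswith("type"):
            sizes = [int(s) for s in re.findall(r"(\d+) bytes", line)]
        elif sizes and not rates:
            # Only numbers followed by "k" are throughput values, so the
            # "256" inside the cipher name is not picked up.
            rates = [float(r) for r in re.findall(r"(\d+(?:\.\d+)?)k\b", line)]
    if not sizes or len(sizes) != len(rates):
        raise ValueError("not an openssl speed table")
    return dict(zip(sizes, rates))


def compare(baseline, candidate):
    """Per block size: candidate/baseline ratio (>1 means candidate is faster)."""
    return {s: candidate[s] / baseline[s] for s in sorted(baseline) if s in candidate}


def break_even(ratios):
    """Smallest benchmarked block size from which the candidate stays faster."""
    winner = None
    for size in sorted(ratios, reverse=True):
        if ratios[size] <= 1.0:
            break
        winner = size
    return winner


if __name__ == "__main__":
    pairs = {
        "ASM/NEON (no -evp)": (STOCK_SW, BUILD_SW),
        "/dev/crypto (-evp)": (STOCK_EVP, BUILD_EVP),
    }
    for label, (stock, build) in pairs.items():
        ratios = compare(parse_speed(stock), parse_speed(build))
        print(label)
        for size, ratio in ratios.items():
            print(f"  {size:>5} bytes: {ratio:5.2f}x")
        print(f"  faster from block size: {break_even(ratios)}")
```

On these numbers the /dev/crypto path is slower than stock at 16, 64 and 256 bytes and only wins from 1024-byte blocks upward, while the ASM/NEON build is faster at every size.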
  2. e38BimmerFN

    e38BimmerFN Very Senior Member

    Joined:
    May 25, 2012
    Messages:
    896
    Location:
    USA
    I think some people are going to like this. o_O
    I'll be giving this a try as well. Thank you Sir. ;)
     
    Gar, kamoj and Voxel like this.
  3. 100won

    100won New Around Here

    Joined:
    Nov 26, 2019
    Messages:
    6
    Wow, finally Sir released the first firmware for Orbi50.
    I read a post from a Chinese forum via Google Translate; the author enabled the third band of 5.8G 1733Mbps.

    Link: https://koolshare.cn/thread-146122-1-1.html
     
    kamoj and Voxel like this.
  4. 100won

    100won New Around Here

    Joined:
    Nov 26, 2019
    Messages:
    6
  5. e38BimmerFN

    e38BimmerFN Very Senior Member

    Joined:
    May 25, 2012
    Messages:
    896
    Location:
    USA
    One item regarding stock FW, and not sure if it might be seen in Voxel's.
    • Starting with v38 stock FW, there is a custom device naming issue that was introduced in this version of FW. Device Type and Device Name won't keep after the user makes the change and applies the change. Some have said that v40 fixes this and some said it doesn't. Personal experience with v40 doesn't work for me. Though not majorly important to me. Seems to be with others. Also was not officially mentioned in release notes about any fixes for this issue in v40 or now the officially supported v34 version of stock FW. These versions only fix a certificate issue that was expired.
    • Also the attached devices web page keeps refreshing on its own and there is no way to disable this or set a refresh time frame.
    So not sure if this is something Voxel is aware of or could have already fixed in his FW build or not.

    • Also something to request, any chance of putting in a reboot button on the RBS UI web page so that users can reboot the RBS remotely instead of having to physically go to the RBS and power it off and back on? Button would be same operation as the RBR's reboot button. This would be a convenience factor.
     
  6. 100won

    100won New Around Here

    Joined:
    Nov 26, 2019
    Messages:
    6
    Hi,

    Firmware V2.3.5.30: In Basic - Attached Devices tab display: icon, device name. And display "Add Orbi Satellite feature"
    Custom firmware has nothing but I don't care because I change Orbi to AP Mode.
    Sir, can you enable region selection in Advanced Wireless Settings?
    And can you customize VLAN with Ports, Wireless Network in AP Mode such as Unifi?
     
  7. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,439
    FYI: I got this unit only two weeks ago. Well, only tomorrow will be exactly two weeks. So I cannot know all its issues (stock fw). Step-by-step. I rather worked with sources of firmware. Correcting bugs I found and including corrections in my version. For example, I see scripts in the stock version which are not executable (file attributes). Therefore they will not work. I fix it and it is working in my version. Or a lost binary called from another script but missed by NG/DNI. Or this non-working hardware acceleration of OpenSSL. So maybe some issues visible to owners of Orbi are already fixed. Goal of the first release is to be better than stock 2.5.0.40. But not worse.

    Main accent is stability and acceleration of its work. Plus fixing all bugs I see right now. E.g. kernel CVE: it is dangerous to use stock 2.5.0.40 connecting it directly to Internet.

    P.S.

    But I did not get yet any feedback. Only from W1lliam who said that in his feeling the speed was increased and it is fine.

    Voxel.
     
    Gar, kamoj and vladlenas like this.
  8. pege63

    pege63 Very Senior Member

    Joined:
    Jan 17, 2015
    Messages:
    1,002
    Location:
    Sweden, AngelIsland
    I don't see any benefits in making this band visible as it is specifically made for backhaul between the satellites and the router.
     
    Gar, 100won, kamoj and 1 other person like this.
  9. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,439
    Agree. And another thing: as far as I understand this is "MOD" i.e. hacking binary version of official firmware. I deal with source codes. Normal compilation. Modification of binary is not interesting and illegal I think. And I prefer to avoid any illegal stuff.

    P.S.
    And BTW, sorry, but I do not understand Chinese...

    Voxel.
     
    Last edited: Nov 27, 2019
    Gar, vladlenas, 100won and 1 other person like this.
  10. e38BimmerFN

    e38BimmerFN Very Senior Member

    Joined:
    May 25, 2012
    Messages:
    896
    Location:
    USA
    For what it's worth, I would not trust any modded FW from China. Nobody knows what they put in that FW that could be collecting user data.

    My 2 cents.
     
  11. e38BimmerFN

    e38BimmerFN Very Senior Member

    Joined:
    May 25, 2012
    Messages:
    896
    Location:
    USA
    Thanks for letting us know about your new operations with the Orbi. We are looking forward to experienced good FW, step by step.

    I wanted to bring to your attention only what some of the issues were in recent stock fw. Just so you know if you hadn't. I frequent the NG Orbi forums to stay well informed of what's going on with Orbi and its users.

    Feel free to add me to your FW beta tester group should you wish to have some additional help in testing your builds out prior to release.

    I'll get your v42 loaded this weekend as I'm currently using v40 stock. Is this Kernel CVE only with v40 stock or is it present in prior versions of FW?

    Thank you again for all that you do.

     
    Voxel and vladlenas like this.
  12. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,439
    In all versions of the stock fw for Orbi.

    Thank you.

    Voxel.
     
  13. Thomas Murphy

    Thomas Murphy New Around Here

    Joined:
    Nov 28, 2019
    Messages:
    1
    Thank you for doing this Voxel. I updated this morning - everything appears to have worked well.
     
    Voxel and kamoj like this.
  14. CrimpOn

    CrimpOn New Around Here

    Joined:
    Nov 28, 2019
    Messages:
    2
    What a fascinating project. Thanks. Rather than flash my Orbi "back and forth", perhaps it is more prudent to purchase a used RBR50 to experiment with when the family is not home and then swap the stock Orbi back in when they are glued to their devices. Is the configuration file identical between stock firmware and your firmware?

    When Netgear releases new firmware that fixes their "device mess", I hope you update your firmware as well.

    I have noticed that although Netgear has a web site for "suggestions", they seldom seem to incorporate any of them into the product. https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home

    Do you intend to make any functional improvements, such as:
    • Allow the user to "sort by columns" on tables, such as the Attached Devices web page.
      Other Netgear routers allow the user to sort by Name, IP address, Mac address, etc.
      When I am looking to see if a device is on-line, it is a real chore to scan through all 50+ of them looking for a known IP address.
    • When a remote login is rejected, show the bad password that was entered in the log file.
      I have one Orbi that I suspect VPN access will be unstable and have enabled Remote Management.
      Naturally, this attracts attacks. I have a long, complicated admin password, so I am not TOO worried,
      but it would be useful to see how they are attacking. i.e. is it a sequential search? a dictionary attack? common passwords?
     
    Voxel and kamoj like this.
  15. e38BimmerFN

    e38BimmerFN Very Senior Member

    Joined:
    May 25, 2012
    Messages:
    896
    Location:
    USA
    Ok, got my RBK50 system loaded today. Just migrated to Voxel's v42 and didn't factory reset anything.
    Love the picture icons of course. More modern looking. Easy on the eyes.

    First speed test without a factory reset on the RBR is a bit low: 900/50Mbps ISP
    This was with the ISP CM 1100 modem rebooted as well. Possible other factors in the slower speed results are that it's a holiday, other people on the line and such. Still not too bad.
    I'll try a reset on the RBR at some point.

    Gonna do some gaming with two consoles connected and see how things go this week and weekend.
     
    Voxel and kamoj like this.
  16. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,439
    I do not quite understand what configuration file you mean... If linux kernel config: no, there are changes. If package build config in GPL: no, there are changes. If /etc/sysctl.conf : also changed.

    I am not ready yet to answer all the questions. I have owned this gadget for two weeks only. Of course I intend to add fixes from the next NG stock to my build. Regarding other: I cannot fix everything. There are binary (pre-built) modules in the stock GPL sources, I do not have all source codes. So I fix what I can. Similar to my builds for R7800/R9000.

    P.S.
    BTW OpenVPN should be stable. I'd not recommend Remote Management for any router. Including Orbi.

    Voxel.
     
    vladlenas and kamoj like this.
  17. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,439
    OK, thanks, waiting for your testing re: speed.

    Voxel.
     
    kamoj likes this.
  18. CrimpOn

    CrimpOn New Around Here

    Joined:
    Nov 28, 2019
    Messages:
    2
     
  19. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,439
    Sorry to be imprecise. Orbi has a feature to "Save the configuration file" (under the Advanced Tab->Administration->Backup Settings). My "plan" to switch between my "stock" Orbi and the "experimental" Orbi is to save the configuration file to my PC. Swap the hardware. Upload the configuration file to the other Orbi. That way, all my device IP assignments, DHCP ranges, device names, etc. would be the same.


    Yes, the same scheme. It works. Save your config on your Orbi and restore the settings on "experimental".

    Voxel.
     
  20. e38BimmerFN

    e38BimmerFN Very Senior Member

    Joined:
    May 25, 2012
    Messages:
    896
    Location:
    USA
    So I was able to reset the RBR50 last night. I'm still not seeing much over 700Mbps after the reset with v42HW loaded. I checked with my RBK852 system that's connected to the other WAN port on the CM1100 and it saw 870Mbps. Though weather conditions last night were snowy and after the ISP came and checked the modem and line about a week ago, that seems to be now the norm, though I had seen over 900Mbps before the tech came out. :mad: He installed a 6db attenuator behind the CM1100. Said some of the signal was too high I guess. I may call the ISP and have them test the line once more and see if we can get back to over 900Mbps...

    I might revert back to stock v40 and test again if I get some time this week.


     
    Voxel likes this.