What's new

[SCRIPT] asuswrt-sha256-signature - easily check a firmware files SHA256 security signature

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

lightaffaire

Occasional Visitor
The attached unix/linux bash script allows one to easily check a firmware file or firmware file contained within a zip archive for security integrity by comparing it's SHA256 signature against the projects "reference" SHA256 signatures located at https://asuswrt-merlin.net/download

It can check a local firmware file, a local zip archive file or via an URL (firmware/zip).

Script available @ https://lightaffaire.com/code/asusrwt-merlin/asuswrt-sha256-signature


$ asuswrt-sha256-signature

Check asuswrt-merlin firmware/zip/url file against offical SHA256 signature.

Usage: asuswrt-sha256-signature [options]
-f file firmware image/zip/url file

-l list official sha256 signatures @ https://asuswrt-merlin.net/download

-v verbose
-h help


1. check url (zip or firmware file)

$ asuswrt-sha256-signature -f https://lightaffaire.com/mirror/asuswrt-merlin/GT-AX11000/Beta/GT-AX11000_386.5_beta1.zip

fetch: https://lightaffaire.com/mirror/asuswrt-merlin/GT-AX11000/Beta/GT-AX11000_386.5_beta1.zip

check: /tmp/GT-AX11000_386.5_beta1.zip [ZIP archive]
sha256 7a4ded381aaa951314fdf3ec3b52f886ba7d871dc91d9413738929068adcec9b [ZIP archive]

check: GT-AX11000_386.5_beta1_cferom_ubi.w [ZIP archive]
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814

check: sha256sum.sha256 [ZIP archive]
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814

check: GT-AX11000_386.5_beta1_cferom_ubi.w @ https://asuswrt-merlin.net/download
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814


2. check local zip file

$ asuswrt-sha256-signature -f /software/asus/asus-merlin/gt-ax11000/GT-AX11000_386.5_beta1.zip

check: /software/asus/asus-merlin/gt-ax11000/GT-AX11000_386.5_beta1.zip [ZIP archive]
sha256 7a4ded381aaa951314fdf3ec3b52f886ba7d871dc91d9413738929068adcec9b [ZIP archive]

check: GT-AX11000_386.5_beta1_cferom_ubi.w [ZIP archive]
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814

check: sha256sum.sha256 [ZIP archive]
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814

check: GT-AX11000_386.5_beta1_cferom_ubi.w @ https://asuswrt-merlin.net/download
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814


3. check local firmware file

$ asuswrt-sha256-signature -f /software/asus/asus-merlin/gt-ax11000/GT-AX11000_386.5_beta1/GT-AX11000_386.5_beta1_cferom_ubi.w

check: GT-AX11000_386.5_beta1_cferom_ubi.w [Firmware]
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814

check: GT-AX11000_386.5_beta1_cferom_ubi.w @ https://asuswrt-merlin.net/download
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814


I am always open to constructive feedback and ideas.

Iain
 

Attachments

  • asuswrt-sha256-signature.sh.txt
    4.7 KB · Views: 111
Last edited:
The attached script allows one to easily check a firmware file or firmware file contained within a zip archive for security integrity by comparing it's SHA256 signature against the projects "reference" SHA256 signatures located at https://asuswrt-merlin.net/download

It can check a local firmware file, a local zip archive file or via an URL (firmware/zip).

Script available @ https://lightaffaire.com/code/asusrwt-merlin/asuswrt-sha256-signature


$ asuswrt-sha256-signature

Check asuswrt-merlin firmware/zip/url file against offical SHA256 signature.

Usage: asuswrt-sha256-signature [options]
-f file firmware image/zip/url file

-l list official sha256 signatures @ https://asuswrt-merlin.net/download

-v verbose
-h help


1. check url (zip or firmware file)

$ asuswrt-sha256-signature -f https://lightaffaire.com/mirror/asuswrt-merlin/GT-AX11000/Beta/GT-AX11000_386.5_beta1.zip

fetch: https://lightaffaire.com/mirror/asuswrt-merlin/GT-AX11000/Beta/GT-AX11000_386.5_beta1.zip

check: /tmp/GT-AX11000_386.5_beta1.zip [ZIP archive]
sha256 7a4ded381aaa951314fdf3ec3b52f886ba7d871dc91d9413738929068adcec9b [ZIP archive]

check: GT-AX11000_386.5_beta1_cferom_ubi.w [ZIP archive]
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814

check: sha256sum.sha256 [ZIP archive]
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814

check: GT-AX11000_386.5_beta1_cferom_ubi.w @ https://asuswrt-merlin.net/download
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814


2. check local zip file

$ asuswrt-sha256-signature -f /software/asus/asus-merlin/gt-ax11000/GT-AX11000_386.5_beta1.zip

check: /software/asus/asus-merlin/gt-ax11000/GT-AX11000_386.5_beta1.zip [ZIP archive]
sha256 7a4ded381aaa951314fdf3ec3b52f886ba7d871dc91d9413738929068adcec9b [ZIP archive]

check: GT-AX11000_386.5_beta1_cferom_ubi.w [ZIP archive]
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814

check: sha256sum.sha256 [ZIP archive]
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814

check: GT-AX11000_386.5_beta1_cferom_ubi.w @ https://asuswrt-merlin.net/download
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814


3. check local firmware file

$ asuswrt-sha256-signature -f /software/asus/asus-merlin/gt-ax11000/GT-AX11000_386.5_beta1/GT-AX11000_386.5_beta1_cferom_ubi.w

check: GT-AX11000_386.5_beta1_cferom_ubi.w [Firmware]
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814

check: GT-AX11000_386.5_beta1_cferom_ubi.w @ https://asuswrt-merlin.net/download
sha256 8e390fb884565201324221969db479e646199eb15f6cf34e0a0da38c11536814


I am alway open to constructive feedback and ideas.

Iain

First you setup a mirror repository for firmware, and now you offer a tool to verify the integrity of firmware downloaded from that repository? Regardless of your intention, this is suspicious and arguably unnecessary and something I would avoid.

OE
 
@OzarkEdge the code is attached above... so you can easily check it yourself (bash script in an easy to understand documented coding style that uses the commands sha256sum, unzip (optional) and curl (optional)).

It can be used against any download site and obviously any local firmware or zip archive files.

Now how about you do something useful and code review it and then report back to the forum?
 
Last edited:
@OzarkEdge the code is attached above... so you can easily check it yourself (bash script in an easy to understand documented coding style that uses the commands sha256sum, unzip (optional) and curl (optional)).

It can be used against any download site and obviously any local firmware or zip archive files.

Now how about you do something useful and code review it and then report back to the forum?

I've already reviewed your work. See post #2 above.

OE
 
@OzarkEdge that is not a code review... that is just you sprouting.

I invested the time and effort to create a useful script that checks a firmware file against the projects "reference" list of sha256 signatures on the projects download page.

Zero contribution from you... just another weekend armchair merchant.
 
This spices things up. The fun we have!
 
We do not need a code review and we do not need your mirror. Please take it down!
 
@bbunge nice... so your opinion is that a script that has the potential to help some users easily do a tedius security task is not required?
 
@OzarkEdge there is no "higher" level... either you review it line by line or its not a code review (SW dev 101).
 
Users should know this requires a *nix host with Bash in order to run. Many users who need help verifying hashes are probably not going to be running such an OS. I’m not trashing your effort, but looking to clarify your target users.
 
First you setup a mirror repository for firmware, and now you offer a tool to verify the integrity of firmware downloaded from that repository? Regardless of your intention, this is suspicious and arguably unnecessary and something I would avoid.

OE
This script doesn't do anything wrong. Let the users decide if they find it useful or not. If nobody does, the author will most likely see it in the download counts.
 
by comparing it's SHA256 signature against the projects "reference" SHA256 signatures located at https://asuswrt-merlin.net/download

Thank you for reminding me of this!

I have been (manually) checking the firmware against the checksum in the included sha256sum.sha256 file, but that only verifies that the download was not corrupted during the download. It does not verify that it is not tampered with before the download.

This might be the year I finally (fully) migrate from Windows to macOS. If I do, I will probably use this one-liner (for my AC86U) going forward:

Code:
curl -s https://asuswrt-merlin.net/download | grep AC86U | cut -d\& -f1 | shasum -a 256 -c --ignore-missing
 
A slow shake of the head... the script does that and more for you... but hey if more people all of a sudden start checking the firmware image against the project sha256 signatures then it is a good thing.
 
Thanks for what you've done, in fact it's possible to implement something similar in batch scripting for Windows, I don't have time to do it, but here are some key commands:

Unzip the firmware:
Code:
powershell -command Expand-Archive -LiteralPath "%fwzip%" -DestinationPath "%unzipdir%\\" -Force

Get the SHA256 of the firmware:
Code:
certutil -hashfile %fwfile% SHA256 | findstr /v ":"

Download Merlin's page to get the SHA256 on the server:
Code:
curl -s "https://asuswrt-merlin.net/download" -o "%temp%\downloadsignatures"
Yes, windows 10/11 supports curl ;)

Comparing two SHA256s:
Code:
findstr /c:"%fwsha256%" "%temp%\downloadsignatures"


However, I have to admit that it is much more elegant to do this in unix/linux.
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top