Divested-WRT: No-nonsense hardened builds for Linksys WRT series

Hello!
Here are my simple, no-nonsense, UNOFFICIAL builds of OpenWrt for the Marvell-based Linksys WRT devices.
I've maintained these between 2015-2016 and again since mid-2020.
Configs and patches are obviously included.

Builds are here and via onion service here
Changelog is here
Git repo is here or here
GPG key used to sign the sha256sums is here
A simple build guide is here
The build guide in video form is here
There is an XMPP chat room at divested-wrt@conference.konvers.me

mamba and venom builds have their kernel partition resized to 4MB and 6MB respectively.
There is more infomation in this thread.

A simple content blocking script is included that adds our blocklist config to dnsmasq from here.
This is a much more efficient approach than downloading & processing the lists on device and has the benefit of supporting wildcards for greater efficiency and increased blocking.
This blocker can be permanently disabled via /etc/init.d/divblock disable if you don't want it or want another blocker package.
You can exclude a domain by adding it to /etc/config/divblock-exclusions as so:

/www\.example\.com/

Then restart: /etc/init.d/divblock restart
Please report any wrongly blocked domains in this thread or here:

All reasonable questions are welcome in this thread, however:
Please read the README at the builds page, and the special instructions for resized builds!
Please also read/search through this thread to see if your questions have already been answered!
You can also search other parts of this forum and the wiki for answers to your questions.

Have fun!

13 Likes

great builds - you got through the dsa - wifi-lan disconnect issues with a patch.
thank you

1 Like

still some issues with reconnect to wifi after roaming - it takes many minutes to re-establish wifi connection.
see Pre-compiled updated mwlwifi drivers for stable releases

@linbox, OT here, but there too... if you have the time to try a different tack.
See PR4307 for some possible DSA setup info using netifd. I'm not suggesting you use the actual GUI change from the PR(but can if you want), but to get some syntax for the config files involved. You will also need to read recent commit comments in the netifd log. This did not work for me the last time I tried (mamba), but apparently worked from comments in PR thread. There have been a considerable number of commits since I last tried, some appearing to be related to getting WLAN integrated into the DSA change, as well as syntax changes. This is where things will land when complete (i.e. WIP), so it is the road forward. There also looks to be some related WIP in jow staging tree.

@ghoffman
To confirm you are having roaming issues on my builds?

Besides wpa2-eap, the only thing extra in my config is

        option rsn_preauth '1'
        option wpa_disable_eapol_key_retries '1'

I've tested supplicants switching in the middle of an iperf with only a second or two at most of slow speeds.
I used to have 802.11r working, but I haven't been able to make it work.
I will admit there is still a slight noticeable delay with this patched DSA vs swconfig.
Also 802.11w has some issues on mwlwifi, disable that if enabled.

@anomeome
I backported all DSA commits from 5.9 to 5.4 during my testing, it wasn't fixed.
I did see something related in 5.10 or maybe 5.11 that might've fixed this, but I never saved the link.

GPG signatures are now available in all sha256sums files.
Fingerprint: 6395 FC99 11ED CD61 5871 2DF7 BADF CABD DBF5 B694
Key (2020 #1):

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF/La4cBEADGUgoiPUJcEs0DRpWgmmpnMtgRxOiqT4b2R1d9cwtWpMOqQ3eN
OJqSBdzmN+aNwt61XWi4MUAseN5O3L3C+UXIk8HptOmalNySSHcGXk6Kn250Tmy5
O+ZGHlPng1zqOMBBZs1kNYw9aXuxQFCRk1rfFcePreyF+rHuBx0K2EGJPQ7udEf0
znq8gRZ29wFz3TzqGmKVv5cWkdGSUUkQc9ecZX89yBMfuqRXUG/ucojD0gLaQyTy
cjfS/0RE+Bje8Mpe8wswR+hg2qZDO+n9uMY/7dmdctKGU/kdxEBPqe0dak1sJ16M
0bawI+Rq/5RqPYwgEcfTg4VQotvpENUN/uAqi1b0IRLcPE46kXGpY9HIukFkzRKD
N1WMz8D6sVNimV99KucKvXzD/1VvyawChPWJsGCow4OoYrvHTU5f8J7PHStLQ61O
pVjWRbRonpjGBvz3hP0vkwCgy21AkYnRWaSKztwSkIJ36NCqsU24WIH1XgWzxsrf
kniQdXP6+sMCAxV+u6ig671BdtqYqaIGxb15j/wPXuju92myrTGa4rk0uUTur+VV
v0ethh3S8c9yisuRjkV+K/xpoJjGv7MsZf6hkcyIT826cv4Jr8LbtSMVD/pQB93i
olhizs8U0ph+RMnNPC4ZiroPgjDhYDZcIPuWw8WETHrUQDaEj6XgYm8P2QARAQAB
tEhEaXZlc3RlZCBSZWxlYXNlIFNpZ25pbmcgKDIwMjAgIzEpIDxzdXBwb3J0K3Jl
bGVhc2VzaWduaW5nQGRpdmVzdGVkLmRldj6JAk4EEwEIADgWIQRjlfyZEe3NYVhx
Lfe638q92/W2lAUCX8trhwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC6
38q92/W2lH49D/9F4f1pGf5ZWZjs7LiW4BQgAOx0NiKsvFTXBAhhUSJwTseB3vnK
ZGx3qoUCI0pk+4Z/YHhY91QTopJHcg/QW8tj/shjtRbzmfBB6dwFQkZtOHofXHMV
DowoY2MXZRd9dRIBhwLRvktZA9yKO1iH0M0vSqxuh8ALkvUlDgfzy0QBsAHjsUTB
FoxGemxT+70zDNx+xL0PusRA25AOn7EXzrjk6E1653KL1sRojqGZ/XzWWw+6dZyM
4Aap3CGrS7+YrXhJTMokOC/OfariDaN02YtlRizztWYEhkJ5SB0kIIlzgrGmY659
b0ENjjHAVK16LfRoDprb1PpC3du2QAVFtBRDqD2zwXBmELjyOpAnSYDuJVPgv4T8
Oty5be+U84lKVIgG5N60VrJzkwi5J+FSx2hTJl0C5BZyKChDXXvlnJI2Y4Qrwjyz
7mx5gjFLZra/yKrVKnfxp5AJ7DxHxNOYn0dcceWBBVC1L5sniim9z4Q5fNRErJT8
ayf77gecLuCVt+LhCH1rFejeIZrl0QEw+udrTYrPt3BWUK2OOIzF8PqLHfyUF+7W
ZuLgMxj0nGLMqOlPSszrQ6RxmL//GmXkmE3CeDNXV+7SpmMYe07pHzycg8+d/tNq
EajUfLQJqUYj3m51MnKW2r+QUKjkIYsn4iFfk+2aeY5HX1RalWJ7d4NHJQ==
=qpX+
-----END PGP PUBLIC KEY BLOCK-----

Hi I have flashed this firmware and it boots on my WRT32X nicely.

How did you overcome the Kernel size issue? As this is the main reason it's not in snapshots for official right now.

Also was wondering if I had permission to use and modify you config too, also what's the work directory about??

it boots on my WRT32X nicely.

Awesome!

overcome the Kernel size issue?

I disabled many debug options and bluetooth/usb support.

permission to use and modify you config to

You are free to use the configs however you like in the spirit of open source.
If you need a defined license consider it GPL-2.0.

also what's the work directory

Work is just where I store changes as they are raw, not in .patch form.

Thank you for your quick reply.

Will make a pve VM later and get back to recompiling firmware.

Might add USB and BT back in unless you think that would cause the kernel size issue.

If you mean kernel 5.10 | 5.11, there is a mvebu 5.10 patch-set available now, but my understanding of the issue is that it is not considered a bug, but a design limitation. So to my point above, it is something that is going to have to be addressed by other means.

On the mamba and venom kernel partition size being exceeded, this is currently really a bot 5.4 build issue, unless you really load up the builtin kmods. But I have hit the issue with my build on 5.10; see post

@anomeome
My mamba kernel is at 2496250 bytes without CONFIG_KERNEL_CC_OPTIMIZE_FOR_PERFORMANCE.
I see no reason 5.4 to 5.10 would increase past the 3MB limit with my config.
And 5.4 has support until nearly 2026 if anything.

Well, i have managed to get my PVE LXC setup done and debian installed @SkewedZeppelin are you able to PM me, i have questions about how you build yours so i can follow it the best i can.

I need to add stuff to the image or at least host my own files so i can use things such as sqm etc due to kernel issues between your build and openwrt's build.

I think 60GB SSD and 4GB Ram should be enough on my little PVE Box.

@solidus1983

My build VM is Fedora 33 with 16GB storage (btrfs compressed) and 6GB RAM.

Step by step:

# Install the dependencies listed at https://openwrt.org/docs/guide-developer/build-system/install-buildsystem
git clone https://git.openwrt.org/openwrt/openwrt.git
cd openwrt
git config pull.rebase true #makes updating easier
./scripts/feeds update -a
./scripts/feeds install -a
#copy in my config
#git am/apply my patches
make nconfig #make your changes
make download -j4
make -j16
1 Like

Thanks for that and your reply will let you know how it goes.

Edit: Right on make download section now, so i should be able to get it compiled pretty quickly. I have enabled USB and Bluetooth but as kmods so hopefully i can stand clear from the kernel issue.

Edit: Compiled without Issues haven't tested USB or Bluetooth yet aka checked Bluetooth in log and or plug in a USB Storage Device, however it booted and works well thus far, so thank you! Just got to make a slight adjustment to the config as i forgot 1 addon i needed for DDNS.

Edit 2: Checked logs and USB 2/3 shows to be working as well as the bluetooth.

This my first time i have seen that command, so how to you update after the initial pull?
as i tried just git pull and it wouldn't update at all.

@solidus1983

That config command just ensures any commits you make are rebased instead of merged.
Makes maintaining your local fork easier.

Steps to update everytime:

git pull
./scripts/feeds update -a
./scripts/feeds install -a
make nconfig #save and exit
make download -j4
make -j16

I flashed this build and booted it on my WRT32X. I could not get internet access across the LAN ports and flashed back to stock.

Is there a preconfigured build that acts like a router after flash without configuration required?

Currently flashed back to stock firmware

@SkewedZeppelin would like to thank you for your help, now have builds working lovely.

Currently running:

OpenWrt SNAPSHOT r15241+5-3ab695368a
Kernel Version	5.4.83

With CPU Frequency scaling enabled and working very well.

Update:

Firmware Version	OpenWrt SNAPSHOT r15371+5-7e4585e593 / LuCI Master git-20.348.36293-4843841
Kernel Version	5.4.85

On WRT32X with CPU Frequency working very well using the following settings

echo ondemand > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
echo ondemand > /sys/devices/system/cpu/cpu1/cpufreq/scaling_governor
echo 933000 > /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
echo 933000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq
echo 30 > /sys/devices/system/cpu/cpufreq/ondemand/up_threshold
echo 10 > /sys/devices/system/cpu/cpufreq/ondemand/sampling_down_factor
1 Like

There is now an XMPP chatroom for anyone interested.
Not a guarantee of support, but I'll do my best to answer questions there.
divested-wrt@conference.konvers.me

2 Likes