Divested-WRT: No-nonsense hardened builds for Linksys WRT series

ver++, rinse and repeat :wink:

How, man? Which build are you running on your wrt32x?

https://divested.dev/unofficial-openwrt-builds/mvebu-linksys/20231124-01/

  • update to 6f5c301eab71e07b1fe4b57ce6a2662dca4c66de
    https://github.com/openwrt/openwrt/compare/4d9108e0...6f5c301e
  • [upstream] update to kernel 6.1.63 (security and bug fixes)
  • [cherrypick] #14044: mwlwifi: update to version 10.4.10-20231120
    huge mwlwifi update thanks to @jbsky :fire::fire::fire:
    fixes amsdu and wpa3 (on 1900/1200) + many other improvements
  • drops amsdu patch

Been running for a few hours and happy with it :slight_smile:

wpa3 works without having sae_pwe in wireless config

Brings some improvements for 3200 too?

Check jbsky's changelog, you can see a few fixes for "all chips". But yeah, most of the fixes are for the 1200/1900 series since that's where the problems were with amsdu, etc.

edit: he only fixed WPA3 for 1200/1900 as per the changelog, it's not fixed for 3200acm/32x as per his commit info: "Only 8964 left with broken WPA3."

hi,

problem here, idea?
thanks

openwrt$ git am *.patch
Applying: Revert "uhttpd: don't redirect to HTTPS by default"
Applying: kernel: generic 6.1: config hardening
Applying: base-files: sysctl.d: basic hardening
Applying: dnsmasq: only listen on br-lan interface
Applying: arm/aarch64: Set -O2 as default for Cortex-A processor cores
Applying: ARM Cortex-A9: build the userspace with Thumb-2 instructions
Applying: build: hardening: misc added flags
Applying: mwlwifi: update to version 10.4.10-20231120
.git/rebase-apply/patch:74: trailing whitespace.
 
.git/rebase-apply/patch:75: space before tab in indent.
 	if (sizeof(struct pcie_tx_ctrl_ndp) >
.git/rebase-apply/patch:76: space before tab in indent.
 	    sizeof(tx_info->driver_data)) {
.git/rebase-apply/patch:79: space before tab in indent.
 			  sizeof(struct pcie_tx_ctrl_ndp),
.git/rebase-apply/patch:80: space before tab in indent.
 			  sizeof(tx_info->driver_data));
error: patch failed: package/kernel/mwlwifi/Makefile:8
error: package/kernel/mwlwifi/Makefile: patch does not apply
error: patch failed: package/kernel/mwlwifi/patches/001-Fix-compilation-warning-with-64-bit-system.patch:117
error: package/kernel/mwlwifi/patches/001-Fix-compilation-warning-with-64-bit-system.patch: patch does not apply
error: patch failed: package/kernel/mwlwifi/patches/004-mwlwifi-fix-PCIe-DT-node-null-pointer-dereference.patch:19
error: package/kernel/mwlwifi/patches/004-mwlwifi-fix-PCIe-DT-node-null-pointer-dereference.patch: patch does not apply
error: patch failed: package/kernel/mwlwifi/patches/005-mac80211_update.patch:1
error: package/kernel/mwlwifi/patches/005-mac80211_update.patch: patch does not apply
error: patch failed: package/kernel/mwlwifi/patches/006-remove-uaccess-and-get_fs-calls-from-PCIe-for-Kenel-.patch:19
error: package/kernel/mwlwifi/patches/006-remove-uaccess-and-get_fs-calls-from-PCIe-for-Kenel-.patch: patch does not apply
error: patch failed: package/kernel/mwlwifi/patches/007-replace-usage-of-the-deprecated-pci-dma-compat.h-API.patch:24
error: package/kernel/mwlwifi/patches/007-replace-usage-of-the-deprecated-pci-dma-compat.h-API.patch: patch does not apply
Patch failed at 0008 mwlwifi: update to version 10.4.10-20231120

@Peacefuleight
that last commit you don't need as it was merged upstream: https://github.com/openwrt/openwrt/commit/2ed358180ef0f87532cdedefec09d5d605625beb
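
Added example, not part of the original posts: a pre-flight check that classifies each patch in a series as applying, already present in the tree (as with the mwlwifi commit merged upstream), or conflicting, before `git am` is run. The function names and the demo repository are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight a patch series before `git am`.

# Classify one patch against the working tree of repo $1. The patch path must be
# absolute, because `git -C` changes directory first.
#   applies          applies cleanly as-is
#   already-applied  the same change is already in the tree (the reverse applies cleanly)
#   conflict         neither direction applies; the patch needs rebasing by hand
classify_patch() {
    if git -C "$1" apply --check "$2" 2>/dev/null; then
        echo applies
    elif git -C "$1" apply --check --reverse "$2" 2>/dev/null; then
        echo already-applied
    else
        echo conflict
    fi
}

# Print one "state  file" line per patch; return non-zero if any patch conflicts.
preflight_series() {
    ps_repo=$1; shift; ps_rc=0
    for ps_patch in "$@"; do
        ps_state=$(classify_patch "$ps_repo" "$ps_patch")
        printf '%-16s%s\n' "$ps_state" "${ps_patch##*/}"
        if [ "$ps_state" = conflict ]; then ps_rc=1; fi
    done
    return "$ps_rc"
}

# Constructed demo: a throwaway repo with a three-patch local series, after which
# "upstream" merges the first change itself and edits the line the third one touches.
demo_preflight() {
    dp_tmp=$(mktemp -d); dp_repo=$dp_tmp/tree
    git init -q "$dp_repo"
    g() { git -C "$dp_repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    printf 'PKG_VERSION:=1\n' > "$dp_repo/Makefile"; printf 'opt=a\n' > "$dp_repo/config"
    g add -A; g commit -q -m base; g tag base
    printf 'PKG_VERSION:=2\n' > "$dp_repo/Makefile"; g commit -q -am 'bump version'
    printf 'kernel.kptr_restrict=1\n' > "$dp_repo/sysctl.conf"
    g add -A; g commit -q -m 'sysctl hardening'
    printf 'opt=b\n' > "$dp_repo/config"; g commit -q -am 'change option'
    g format-patch -q -o "$dp_tmp/series" base
    g reset -q --hard base
    printf 'PKG_VERSION:=2\n' > "$dp_repo/Makefile"; printf 'opt=c\n' > "$dp_repo/config"
    g commit -q -am 'upstream moves on'
    preflight_series "$dp_repo" "$dp_tmp"/series/*.patch || true
    rm -rf "$dp_tmp"
}

demo_preflight
```

Patches reported as `already-applied` can be dropped from the series; only `conflict` entries need a manual rebase.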

Finally it is OK for the patch, but there are errors at the end:

 postinst prerm;  )
install -d -m0755 /media/james/D/WRT_build/openwrt/bin/packages/arm_cortex-a9_vfpv3-d16/base
/media/james/D/WRT_build/openwrt/staging_dir/host/bin/fakeroot /media/james/D/WRT_build/openwrt/staging_dir/host/bin/bash /media/james/D/WRT_build/openwrt/scripts/ipkg-build -m "" /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/ath10k-ct-firmware-2020-11-08/ipkg-arm_cortex-a9_vfpv3-d16/ath10k-firmware-qca988x-ct /media/james/D/WRT_build/openwrt/bin/packages/arm_cortex-a9_vfpv3-d16/base
Packaged contents of /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/ath10k-ct-firmware-2020-11-08/ipkg-arm_cortex-a9_vfpv3-d16/ath10k-firmware-qca988x-ct into /media/james/D/WRT_build/openwrt/bin/packages/arm_cortex-a9_vfpv3-d16/base/ath10k-firmware-qca988x-ct_2020-11-08-1_arm_cortex-a9_vfpv3-d16.ipk
rm -rf /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/ath10k-ct-firmware-2020-11-08/.pkgdir/ath10k-firmware-qca988x-ct.installed /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/ath10k-ct-firmware-2020-11-08/.pkgdir/ath10k-firmware-qca988x-ct
mkdir -p /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/ath10k-ct-firmware-2020-11-08/.pkgdir/ath10k-firmware-qca988x-ct
install -d -m0755 /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/ath10k-ct-firmware-2020-11-08/.pkgdir/ath10k-firmware-qca988x-ct/lib/firmware/ath10k/QCA988X/hw2.0
install -m0644 /media/james/D/WRT_build/openwrt/dl/ath10k-ct-firmware-2020-11-08/QCA988X-firmware-2-ct-full-community-22.bin.lede.022 /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/ath10k-ct-firmware-2020-11-08/.pkgdir/ath10k-firmware-qca988x-ct/lib/firmware/ath10k/QCA988X/hw2.0/firmware-2.bin
touch /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/ath10k-ct-firmware-2020-11-08/.pkgdir/ath10k-firmware-qca988x-ct.installed
mkdir -p /media/james/D/WRT_build/openwrt/staging_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/stamp
SHELL= flock /media/james/D/WRT_build/openwrt/tmp/.root-copy.flock -c 'cp -fpR /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/ath10k-ct-firmware-2020-11-08/.pkgdir/ath10k-firmware-qca988x-ct/. /media/james/D/WRT_build/openwrt/staging_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/'
touch /media/james/D/WRT_build/openwrt/staging_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/stamp/.ath10k-firmware-qca988x-ct_installed
echo "ath10k-firmware-qca988x-ct" >> /media/james/D/WRT_build/openwrt/staging_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/pkginfo/ath10k-ct-firmware.default.install
make[3]: Leaving directory '/media/james/D/WRT_build/openwrt/package/firmware/ath10k-ct-firmware'
time: package/firmware/ath10k-ct-firmware/compile#0.41#0.12#0.48
make[3]: Entering directory '/media/james/D/WRT_build/openwrt/package/kernel/mwlwifi'
touch /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/linux-mvebu_cortexa9/mwlwifi-2023-11-20-2a5a4ae3/.prepared_463c4261b3dcdbbc6f5f920bbe4987f1_6664517399ebbbc92a37c5bb081b5c53_check
. /media/james/D/WRT_build/openwrt/include/shell.sh; xzcat /media/james/D/WRT_build/openwrt/dl/mwlwifi-2023-11-20-2a5a4ae3.tar.xz | tar -C /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/linux-mvebu_cortexa9/mwlwifi-2023-11-20-2a5a4ae3/.. -xf -
[ ! -d ./src/ ] || cp -fpR ./src/. /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/linux-mvebu_cortexa9/mwlwifi-2023-11-20-2a5a4ae3

Applying /media/james/D/WRT_build/openwrt/package/kernel/mwlwifi/patches/001-Fix-compilation-warning-with-64-bit-system.patch using plaintext: 
patching file debugfs.c
patching file hif/fwcmd.c
patching file hif/pcie/8964/tx_ndp.c
patching file hif/pcie/pcie.c

Applying /media/james/D/WRT_build/openwrt/package/kernel/mwlwifi/patches/001-Fix-compilation-warning-with-64-bit-system.patch.rej using plaintext: 
patching file debugfs.c
Hunk #1 FAILED at 130.
Hunk #2 FAILED at 143.
Hunk #3 FAILED at 158.
3 out of 3 hunks FAILED -- saving rejects to file debugfs.c.rej
Patch failed!  Please fix /media/james/D/WRT_build/openwrt/package/kernel/mwlwifi/patches/001-Fix-compilation-warning-with-64-bit-system.patch.rej!
make[3]: *** [Makefile:107: /media/james/D/WRT_build/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/linux-mvebu_cortexa9/mwlwifi-2023-11-20-2a5a4ae3/.prepared_463c4261b3dcdbbc6f5f920bbe4987f1_6664517399ebbbc92a37c5bb081b5c53] Error 1
make[3]: Leaving directory '/media/james/D/WRT_build/openwrt/package/kernel/mwlwifi'
time: package/kernel/mwlwifi/compile#0.19#0.05#0.22
    ERROR: package/kernel/mwlwifi failed to build.
make[2]: *** [package/Makefile:128: package/kernel/mwlwifi/compile] Error 1
make[2]: Leaving directory '/media/james/D/WRT_build/openwrt'
make[1]: *** [package/Makefile:122: /media/james/D/WRT_build/openwrt/staging_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/stamp/.package_compile] Error 2
make[1]: Leaving directory '/media/james/D/WRT_build/openwrt'
make: *** [/media/james/D/WRT_build/openwrt/include/toplevel.mk:232: world] Error 2

@Peacefuleight
try resetting:

  • git add -A && git am --abort
  • git add -A && git reset --hard
  • git pull
  • etc.
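
Added example, not part of the original posts: the build log above shows the leftover `.patch.rej` in the package's `patches/` directory being picked up as a patch, so this checks which cleanup actually removes such a file. The repository, the `rej_after_cleanup` helper and the `.gitignore` rule in the "ignored" case are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): what the reset commands do to a leftover .rej.

REJ=package/kernel/mwlwifi/patches/001-Fix-compilation-warning-with-64-bit-system.patch.rej

# Build a throwaway repo with one tracked patch file ($1 = "ignored" also commits a
# constructed .gitignore rule for *.rej), drop a leftover reject file next to the
# patch, run the cleanup named in $2, and print "present" or "gone" for the reject.
rej_after_cleanup() {
    rc_tmp=$(mktemp -d)
    git init -q "$rc_tmp"
    g() { git -C "$rc_tmp" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    mkdir -p "$rc_tmp/${REJ%/*}"
    echo 'tracked patch' > "$rc_tmp/${REJ%.rej}"
    if [ "$1" = ignored ]; then echo '*.rej' > "$rc_tmp/.gitignore"; fi
    g add -A; g commit -q -m base
    echo 'rejected hunk' > "$rc_tmp/$REJ"
    case $2 in
        reset)     g reset -q --hard ;;            # untracked files are left alone
        add-reset) g add -A; g reset -q --hard ;;  # staging first lets reset delete them
        clean)     g clean -q -f -X ;;             # removes only ignored files
    esac
    if [ -e "$rc_tmp/$REJ" ]; then echo present; else echo gone; fi
    rm -rf "$rc_tmp"
}

# Run the four combinations and print a small table.
demo_cleanup() {
    for dc_case in "untracked reset" "untracked add-reset" "ignored add-reset" "ignored clean"; do
        # $dc_case is deliberately unquoted so it splits into the two arguments
        printf '%-22s%s\n' "$dc_case" "$(rej_after_cleanup $dc_case)"
    done
}

demo_cleanup
```

A reject file that matches an ignore rule is skipped by `git add -A`, so it survives `git add -A && git reset --hard`; `git clean -n -X` lists such files without deleting anything.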

Guess I could bring the 1900 out of storage and try it. Is it worth it? Or stick with the 3200 and wireless AP?

The only difference is WPA3 is fixed for the 1900. Other than connecting to WiFi in a slightly more secure way than WPA2, the 3200 is faster or on par in every other way.

Most networks still can't use WPA3 exclusively so it's moot anyway, since many devices still rely on WPA2 so you end up leaving both protocols enabled (on my U6+ I have both on).

My AP is a WAX620 and I have WPA3/WPA2 enabled. The only device that uses WPA3 is my phone.

OK I'll stick with the 3200.

Thanks much!

Is disabling AMSDU still recommended for WRT32x/3200, or has this been fixed at some point along the way? :slight_smile: Thanks

Disabling AMSDU has never been recommended for 32x/3200acm. It was only a latency issue on 1200/1900.

It's discussed here: https://openwrt.org/toh/linksys/wrt_ac_series#latency_with_88w8864

From my test, echo 0 > ..... is no longer needed on 8864.

Just wanted to say "Thank you so much!" for helping keep this old hardware alive and useful. :grinning:

I just installed your latest 20231204-00 build on my previously-retired AC1900v2 so that I can get a better 2.4GHz wireless signal than my Belkin RT3200, which will now switch from being my main router into being a 5GHz access point instead.

@SkewedZeppelin,
Thanks for this and agree. Just got up and running this AM and it's been a real nice improvement. I was stuck pretty far back in time due to some config conflicts that I could never resolve in builds after around April. Either something got fixed since or I cleaned something else up in my config and I'm running just fine on the latest release.

Would you consider adding wget-ssl to your included packages? They dumbed down the standard wget package a while back to shrink its size, but they tossed ssl/ssh functionality in the process.

I know I can (and do) just opkg install it, but I pull my auto config scripts to the router from a local LAN server with wget/ssh. I have to manually install wget-ssl first before I can do any of that. And since it's manual... I forget it often.

@joekane101
the "wget" included is uclient-fetch with openssl support

I just tested it enforcing correctly:

wget "https://sha256.badssl.com/"
Downloading 'https://sha256.badssl.com/'
Connecting to 104.154.89.105:443
Writing to 'index.html'
index.html           100% |*******************************|   498   0:00:00 ETA


wget "https://expired.badssl.com/"
Downloading 'https://expired.badssl.com/'
Connecting to 104.154.89.105:443
Connection error: Invalid SSL certificate

I'm not opposed to adding it, but is there something else missing that makes full wget needed?

hmm. Do you have a success case though for an ssl connection (not a fail case like )?

My scripts ran fine until the refactor of the wget package on openwrt. Saw many references to the fact that you needed to add wget-ssl post refactor to get back the ssl support.

like here:
https://github.com/openwrt/packages/issues/11534

or here:

https://forum.openwrt.org/t/ssl-support-in-openwrt-opkg-wget/99351

I suppose it may have been something else removed that broke me but once I do opkg install wget-ssl, everything works again.

I did not try on this fresh install though with the latest release to see if things work without wget-ssl (in the event something has again changed in the wget package).