In case anyone thinks the commercial vendors don't think OpenWRT is a threat

This is a kudos post to the OpenWRT community. I ran across the following and it is proof positive that the commercial router vendors not only love raiding OpenWRT for OS versions for their hardware - they also hate and fear OpenWRT for cutting into their sales. So if you are a user, or a dev. or someone, and you are wondering if you are making a difference - you absolutely are. And here is the proof of it:

As many know, the commercial hardware vendors use artificial End Of Life and End Of Support dates to encourage customers to throw away perfectly working kit and spend money on brand new kit that does the same thing the old kit did. This isn't confined to high tech, automakers have done this for years - arguing that your 20 year old Ford that still drives you to and from work and has no dents on it, is "an old beat up worthless car". They discontinue parts in an effort to encourage customers to buy new cars - fortunately we have wrecking yards to counter that. High Tech does the same thing but it's particularly egregious since a lot of high tech kit does not degrade mechanically over time, at least not at a very high rate. Maybe a 40 year old radio needs its capacitors replaced, and so on, as does a 40 year old computer - but otherwise, it still functions.

But many customers don't fall for this nonsense and continue using old kit. So, one of the slimier tricks that's going on is waiting for the Russian Cracker consortium or Chinese Military Cracking group to find some security hole in their products - then trumpeting to the world how "our device is gonna be gunned so you GOTTA REPLACE IT because we aren't patching it anymore" While that might be an issue for a router exposed to the Internet - it's NOT for a NAS that is on a private network that crackers can't get into. But still, the scummier companies try using that sales line of Fear Doubt Uncertainty to FUD the customer into buying new kit to replace their old, working, kit.

One of those companies that engages in this slime is D-Link. Here is a typical example:

D-Link says it won’t fix a serious security flaw affecting 60,000 older NAS devices | TechRadar

In this article from a few months ago D-Link takes great delight in telling the reporter "them there NASes we made are NOW OPEN FOR CRACKERS SO YOU GOTTA REPLACE THEM"

But, that ISN'T the whole story - because the FIRST NAS on that list - the DNS-320 - has a port of OpenWRT to it. So, the fact D-Link is encouraging people by getting their trained monkeys at Techradar to write viral marketing "news stories" like this, to throw away "insecure devices" that could be secured by flashing OpenWRT to them is being ignored.

Does D-Link know that it's a lie that the DNS-320 is insecure? (since it can be made secure by flashing OpenWRT on it?) With 1000% certainty - they do.

Consider the following:

support.dlink.com - /resource/products/

Browse into the DNS-320 and DNS-320L directories there. The EOL notice is there - but so is the firmware. Same for the DNS-340L - EOL notice is there but so is the firmware

(Although there is no OpenWRT port for the DNS-340L, that NAS uses the Marvell Armada S370 and there's a generic OpenWRT image for that, here)

[OpenWrt Wiki] Techdata: Marvell Armada A370 DB

NOW - browse into the DNS-325 directory. That device has no OpenWRT support - and - the directory doesn't exist AT ALL, not even an EOL notice.

Why is this significant?

It's because D-Link knows that as long as they keep support and firmware available for the devices that OpenWRT supports, it helps to keep customers "in their fold" so to speak - the reality is that the existence of an OpenWRT build for their hardware keeps them from throwing their customers to the dogs since their customers can just flash OpenWRT and wash their hands of them.

But, for the DNS-325, which there is NO OpenWRT support for - D-Link is perfectly happy to withdraw ALL support and throw their customers to the dogs - upgrade or kiss off.

This is why OpenWRT is so important. It acts as a check on basically unlimited power of manufacturers to force golden handcuffs on customers and force customers to continually buy gear from them. It's critical work you are all doing - since it prevents the tech vendors from degenerating into a series of dictatorships with unlimited power over their customers.

10 Likes

In a broader perspective it is the Open Source which makes the difference.

I finally could convince my spouse to use LibreOffice and stop paying for Office 365 after the last price increase (and yes I donated to Libre Office)

My old Broadcom Routers (not supported by OpenWRT and that is for a reason I totally get) are still humming along fine thanks to another third party firmware using Kernel 4.4 which is still supported as SLTS release all thanks to Open Source

But yeah kudos to OpenWRT and all its developers and very knowledgeable and patient members which give support at the forum

4 Likes

Now, one thing to keep in mind is that we have an incentive problem due to the way software is accounted. Typically routers are sold as is for a one-time fixed price and that needs to cover the expenses for both the hardware/development/marketing/shipping/initial software as well as ongoing software updates. Especially the last happens after the only point in this game where money was paid...so as long as we do not have structures for ongoing payments to cover software maintenance we need to realistically expect things to atrophy. And since the manufacturers only get money for selling physical devices they are clearly not incentivised for people to keep using older gear with different firmwares (and even if they were, I am sure legal would not want a company to openly advise switching EOL/EOS devices over to other firmwares).
I note that many ISPs actually rent out routers for a continuous money stream that actually could finance ongoing maintenance (and some seem to be doing that), but that is a mixed blessing, as many of these are artificially restricted in configurability to keep support costs low.

Tl;dr: part of this is a consequence of what end users are willing and are not willing to pay for, and "rent" for continuous software support does not seem to be what the customer wants to pay for.

2 Likes

Sometimes money is not the only incentive, also good name matters.

Actually, no, we don't. Nothing prevents a company like D-Link from offering - for sale - after an EOL date - firmware updates using any sort of pricing scheme they might wish.

For example D-Link sells 50,000 DNS-320's. They EOL them at year 5. At that point new releases of firmware have to be purchased - even if such a new release is needed for a security update. Let's say 10% of the 50,000 users are interested in keeping their DNS-320 going with the "official" firmware. That's 5,000 people. Out of that, 100% of them will pay for it if the firmware is $5 a copy. That's $25,000 - more than enough to pay a junior developer to create new firmware with the older toolchain.

But beyond this - nothing prevents that same company from after EOL date saying "OK, we aren't going to do firmware for this device anymore. So, here is our code. Our COMPLETE code for the device, including the toolchain we used to build it and everything else." Then publishing that and be done with it.

So, instead of that support directory for the DNS-325 being empty - there's a zipfile in it of their last complete toolchain and source code for everything.

Now I also have heard the argument that D-Link can't do that since the chipset vendor (Broadcom or whoever) requires them to use closed source binary blobs. But the reality is - if D-Link, Netgear, Belkin/Linksys, and all of the other network device vendors out there told their chipset vendors "we won't buy your stuff anymore as long as you are forcing us to sign an NDA" then in a twinkling those vendors would open their binary blobs. Because otherwise, they wouldn't sell any chipsets anymore. The reality is that the vendors like Belkin, Netgear and so on - they are using their suppliers demands for closed source to run interference against their own customers and justify this argument that their customers must throw away perfectly working kit at an arbitrary date.

And, beyond this also - nothing prevents a company from adding newer desirable features. D-Link could have for example added some NAS feature that their customers wanted - (I don't have an example since I'm not a hardware NAS customer) and released new firmware that had it and charged for that.

Lastly there's the "razor/blade" value-add marketing schemes. The fundamental problem with a product like a NAS is this - while it provides a great place to store files, you still have to back those files up. The NAS vendor can provide a cloud storage that they charge an ongoing fee to then they rsync the file on the NAS to their cloud. So, the NAS itself, and the firmware on it merely exists to enable D-Link to make money on the cloud storage. Yes, there will be customers who buy the NAS, say "wham bam thank you mam" and just use it as a NAS and don't pay D-Link for the cloud storage but those can be ignored since there will be enough customers who will that you can make your ongoing revenue stream.

Unfortunately, we have the piss-poor example of Cisco Meraki where they do this with their products however instead of merely being content to make money on value-add, they make the product stop working if you stop paying for the subscription. This is horribly exploitive to their customers which is one reason I get intense satisfaction every time I flash OpenWRT to a Meraki access point.

The reality is that what companies like D-link and Netgear and Cisco think is that there's only money in hardware, and that their path to wealth is to force customers to throw away working hardware at a very frequent rate. In the customer abuse scale, at least all you CAN say about D-link and their NASes is that they are -less- customer abusive than Cisco/Meraki - at least the D-Link products don't stop working if the customer elects to not pay a subscription. But it's still slimy to plant news stories stirring up FUD to push customers to replace working kit that don't even mention the phrase "3rd party firmware is available for the DNS-320 that has the holes patched"

1 Like

Yeah, offering something that nobody buys does not generate a revenue stream. You need to actually find people willing to pay for such a service. And that will be a hard sell in an environment where one-time upfront payment is the norm.

The same company that earns money selling new routers is hardly economically inclined to do so.

Not that I would not like that, but this is again an incentive issue, you expect the router manufacturers to pressure the SDK/chip makers for the sole benefit of end customers and to the detriment of the router makers themselves (as they will sell fewer new routers).

The same argument applies to android devices which are gateways into the google ecosystem resulting in users spending money with google, and yet, even Nexus/Pixel devices get the no-more-updates boot quite quickly, even though arguable google already has that earn-money-from-cloud-offerings thing down like a champ.

Because that is how that markets operates right now...

Again, I really can not see an official press release by one of the router makers pointing to a 3rd party firmware (that the router maker likely never checked) arguing that it fixes specific vulnerabilities. What if that referenced 3rd party firmware does not really fix a CVE and I get exploited, can I now sue the router maker? Not saying that is possible, but that this is what IMHO the legal department of the router maker will argue...

Now, I am happy if I am wrong, but really I see no realistic solution to the issues you correctly pointed out.

1 Like

Wrong. That is how they THINK the market operates but the market operates that way precisely because the router vendors behave by treating their products as a drive-by shooting. It's a catch-22 and no router vendor has had the balls so far to try doing it differently.

There's no example of a networking vendor that treated the customer right, released a supportable long term product and did all the other stuff I said because they all are like you and believe they would not make money if they did. But their belief is based on nothing - since none of them have actually tried doing it. But if my way was a loser then why did the OpenWRT One sell out? That's an example of a device that the makers are NOT treating like a one time upfront cost drive by shooting - at least they claim they aren't going to - although I'll be interested to see if OpenWRT is still releasing firmware builds for it 10 years from now or if they all start pretending it never existed.

I didn't say for them to use the name OpenWRT or link to it. And they can make the lawyers happy by saying:

"3rd party firmware is available for the DNS-320 that claims to have the holes patched"

They can also put in their own firmware that they sell a disclaimer that they don't guarantee merchantability of fitness or whatever else. They do that now, already, with their new stuff. The shrinkwrap licenses don't claim the stuff is secure so you can't sue 'em.

1 Like

No need to propagate your dissatisfaction with one vendor to everybody.

2 Likes

Puzzled, you seem to claim my statement to be wrong and correct at the same time, as in a superposition?

Without customers willing to pay continuous maintenance fees this is not going to fly, and that is IMHO a hard sell, as this is not in the immediate interest of customers, comparing brand A with a one-time fixed price, and brand B with one-time fixed price, plus a continuous maintenance fee.

That is arguably incorrect. I bought a turris omnia, 2016 and it is both:
a) supported by upstream OpenWrt (partly due to upstreaming efforts by team turris)
b) still supported with software updates (albeit slowly, but there is always option a)). But that did not take the world by storm and also does not have a continuous maintenance fee.

Dedicated "fan boys" and word of mouth (disclaimer, I got one myself), but that is not a mass market device I would recommend to the rest of my family (the other two nerds exempted).

I keep my fingers crossed (having bought one myself) but that is only partially a commercial product in that no single company needs to survive on OpenWrt One revenue.

Have you run that by legal?

Yeah, I guess I will bow out of this thread, having nothing more productive to add, I see your argument and am sympathetic to it, but can not convince myself that this is realistic.

3 Likes
  • What percentage of people buys a router themselves, instead of using whatever device is provided by the ISP?
  • Of those who buy a router, how many of them care about firmware updates?
  • Of those who care, how many of them decide to buy a new device, and how many of them decide to install OpenWrt, when the manufacturer stops releasing upgrades?
  • How many manufacturers have decided to implement measures against OpenWrt, like digitally signing the upgrades?

Some manufacturers see OpenWrt as a source of free software, the others just ignore it.

3 Likes

Planned obsolescence by hardware vendors is a century old concept.
https://en.wikipedia.org/wiki/Phoebus_cartel
https://en.wikipedia.org/wiki/Planned_obsolescence

@tmittelstaedt, do you think you could perhaps be slightly less confrontational about the way vendors operate? Nobody here is getting paid by them, so to assert things like "Wrong" and "Actually no, we don't" seems a bit barbed.

"I disagree with you on X, Y and Z but agree on A and B" would be a much nicer way to put things.

But to address your original point: I would suggest that the big vendors - D-Link, TP-Link, Cisco, Netgear, Belkin etc don't care one jot about OpenWRT, DD-WRT, FriendlyWRT, Tomato and so on. The number of devices they sell is so large that OpenWRT wouldn't even register on their sales figures.
The vast majority of consumer users worldwide either buy a device & set it up (or have someone set it up for them), or get a preconfigured device from their ISP. Either way, that will only get replaced as and when it either breaks, they change provider, or move house.

We might all think that OpenWRT is the best thing since sliced bread, but that's because we're nerds and we like dedicating the time to tinkering with stuff. For most people, that's not something they care about or are interested in.

So the market continues, the vendors keep throwing new models out, and we as a community keep on hacking on them to do more interesting stuff. If OpenWRT went away tomorrow, or if OpenWRT sold a hundred thousand or a million devices, they wouldn't care as they're selling hundreds of millions to billions of devices over their commercial lives.

8 Likes

If they didn't care they wouldn't have proprietary binary blobs.

If they didn't care they wouldn't block off the ssh and telnet ports to the LAN

If they didn't care they wouldn't put recovery processes in that open a TFTP server for less than a second so you have to catch it perfectly.

If they didn't care they wouldn't lock devices down to the point you have to solder on a serial port.

If they didn't care they wouldn't fill the serial port holes to make it difficult to solder on a serial header.

They DO care. But, they view OpenWRT as a blessing and a curse. It's a blessing because it saves them a ton of money since the operating system for the device is already written. It's a curse since it makes the device easy to keep going long past its lifespan and that cuts into their sales.

This is a side issue. The fact is that an ISP has the following overriding interest in CPE gear: cost.

So they strive to keep ISP routers simple. No multi AP meshes unless they can get the customer to pay a subscription fee. While they may work OK in an apartment or restricted space - there's a whole lot of people in large houses in the suburbs that cannot do it with just 1 wifi AP. Especially when all their neighbors have multi-AP setups and the noise floor on the radio bands is sky high. I think you would be surprised at how many of them eschew the ISP-supplied router.

They also try to avoid handing out free gear. A common setup is to charge a monthly fee which creates a powerful incentive for people to return the ISP-supplied router and supply their own router.

They also try to run the gear until it's long long past technical obsolescence. As long as the subscriber is happy with their service and isn't complaining, they won't in general initiate a CPE replacement since it would cost a tech time service call. They have no financial interest in pushing gear, they get their money pushing packets, and packets work just fine on old gear as they do new gear.

The OpenWRT project has cracked ISP-supplied routers before, you know. But there's not a lot of call for it because ISP's don't EOL gear so by the time most ISP devices move from the original purchaser to the secondary market, they are so obsolete there's no interest in cracking into them.

And lastly in the money saving mode they often use cable or dsl or fiber uplink, not ethernet uplink, thus only people on that ISP would be interested in reflashing which is a small market. ISP's may seem big in a region, but they are small compared to the entire world.

It's NOT the ISPs handing out free routers that are the problem. It's the router vendors force-obsoleting gear long before it's necessary. Keep in mind an ISP that buys 20,000 routers from a vendor is going to take a VERY dim view of that vendor trying to force-obsolete the gear 4 years later.

The router vendors and the router market OpenWRT operates in is the market of routers that are bought by people who are choosing to NOT use the ISP supplied one. Thus, the people who do - they aren't part of the discussion. Not their circus, not our monkeys.

EVERYONE cares about their stuff being secure, what you are meaning is how many of them DO their own firmware updates. Most don't but they choose devices that auto-update.

This is a moot question, it's actually wrong. The right question is - how many of them who do care, and of the ones that don't flash OpenWRT, how many donate their old device or sell it or otherwise do something with it that causes it to appear on the secondary market (the used car market) vs throwing it in the garbage?

HP (and every other printer maker) has a "free toner cartridge recycling program" which the express purpose is to prevent cartridges from being bought by cartridge refurb companies. When they get a cartridge, they grind it up.

The refurb houses have the same deal, for example Office Depot pays $2 a cartridge for up to 10 cartridges. So if you bring in 10 cartridges, buy a $10 flash drive, you will get a $20 credit.

Clearly the used cartridges have values but the values are different. The refurb cartridge companies participating in the Office Depot deal want the rebuildable cores to rebuild, HP wants 'em to destroy them to prevent them from being rebuilt.

The router vendors do exactly the same thing. Back in 2020 Netgear had a trade in program but nowadays they work through Best Buy and Amazon and other large retailers. For example Best Buy gives you 15% off when you bring in a wifi router for "recycling" They get money from the router vendors when they ship the vendors a palletload of their routers and the vendors get to shred them so they don't appear on the secondary market. Amazon does the same.

So the question is - is the highly paid suburban dweller going to give his 3 wifi 5 APs to Goodwill for resale, is he going to sell them himself on Ebay, or is he going to trade them in at Best Buy for 3 new wifi 6 routers or simply throw them in the trash? The first 2 options puts them on the secondary market where they compete against sales of new devices, the last 2 options takes them off the secondary market, permanently.

The Acer Predator Connect W6 is one for example. It JUST got support in 24.10. Luckily it seems someone discovered if you zap the first 2 partitions on the flash and overwrite them with zeros, that its uboot has a panic mode that after signature verification fails, will do an emergency attempt to boot the image.

You can look up instructions for that model. I suspect you think that nobody does signature verification because your experience is flashing older devices that are in the $20 range off the secondary market. I realized a long time ago the biases inherent in drawing conclusions off what's going on solely in the obsolete gear sector. You need to look at all markets, the secondary and the primary one.

Remember I said that the maintenance fee was only ONE option a company has to treat purchasers of their products right.

But as for maintenance fees, there are many customers out there who will gladly pay a maintenance fee. People in this forum are not used to this because we are all educated to the point we can get OpenWRT running on at least SOME devices so we are not the target market for devices with maintenance fees. But people who don't know anything about what they are buying - THEY are the market for these fees.

Meraki built a business on selling devices that simply stop working if you quit paying the maintenance fee. It's extremely NOT in the interest of customers to do this for a bunch of Meraki wifi APs (at Meraki's rates) - but nevertheless the company thrived doing this. The customers buying these devices basically don't understand how they operate so they went with the Meraki solution because the entire point of Meraki's marketing was you don't need to know squat about what you are doing - you pay us to do it for you.

But like I said - this is about treating the customer right. And force-obsoleting working kit then FUDding/scaring the customer into replacing it, isn't doing that. They don't HAVE to do a maintenance fee to treat their customers who have older gear right. That was just one option.

Yes, I fail to see a realistic alternative to that, that avoids the "we really need to sell new devices to stay in business" issue. Also, please tone it down, no need to shout.

Well, I see your claim, but I do not see that hunger in those users I interact with. At most people are willing to rent a modem-router from their ISP expecting an all-in-one solution where they do not have to care for anything. These are however lost to OpenWrt...

What is their market share among end users and how much revenue does this bring in?

It is, in my opinion, the only realistically sustainable one. The alternatives seem to require altruism from the vendor side. Don't get me wrong, I would love to see that happening, but I am old enough to not hold my breath waiting for that. Anyway it seems we have different opinions on this, maybe we can agree on that fact and call it a day?

1 Like

The rest of the stuff you can answer yourself, google Meraki to see how much money they made doing this, it's millions, and BTW I'm also an old fart too, probably older than you if you want to play the age game, I might even be older enough to call you a whippersnapper, LOL.

And what happens when there are no more advances to be had?

Going from wifi 5 to wifi 6 gives VERY minimal benefits in most cases. The marketing campaign to get Ma and Pa Kettle to believe it was significant was a massive viral campaign with many, many planted stories and influencer articles. And most of the 6 kit is designed to look like the Fugly Doom spider you needed to use the BFG on multiple times to kill, clearly it is aimed at gamers who is a market that isn't technically sophisticated but think they are and anyway don't care they love toys and the more blinkin lights the better.

Going from 802.11b to g for example required no marketing at all. They just published the specs and people were stampeding over each other to dump their old gear.

The total wifi router market today is far larger - so it has the money to have paid for that marketing campaign.

There are still plenty of naysayers pointing out that hey if you are in the city with a high radio floor and interference you ain't gonna be able to carve out 2 80MHz bands and bond 'em but those voices of reason are of course, boring and being ignored.

But eventually when wifi 6 penetration is full people will figure out that they got snookered that their 6 gear isn't helping them surf the web any faster.

I think we are at the end of the line for radio technical upgrades. The killer draw has always been more radio bandwidth/throughput but the RF spectrum is so crowded that that is the limiting factor. In fact, other limiting factors are the many-to-one shared spectrum space - 500 wifi clients in one room connected to 1 AP all see each other's packets and all must back off sending when 1 is talking - this is entirely unlike how a switch with a fat backplane works. wifi 6 was a strain, wifi 7 will be ignored.

So when even Ma and Pa Kettle sees that the new gear isn't any better than the old gear, how do the vendors keep the train going? sliming customers with security FUD?

The proposition that they really need to keep selling new devices to stay in business is not a long term sustainable business practice. Intel also tried that and while it worked for a few decades, Moore's Law died eventually.

You claim to be old enough - the only people who can get away with that claim have spent multiple decades in tech -and if that's true for you, then you have seen this play out before.

Selling new devices didn't keep Palm Pilot alive, nor Blackberry. It won't keep the wifi router vendors alive, either. And if you are old enough to call yourself experienced - you know it's true. Once a product line has moved into commodity territory - CPUs are there, wifi gear is getting there, GPUs will get there - then you have to find a new product if you want to survive by moving boxes.

I think you missed my point:

  • I do not have the numbers, but my impression is that the number of people who buy a router, care about the firmware revisions, and finally decide to install OpenWrt when it becomes out of support, is a little tiny percentage of the people who use whatever device is distributed by the ISP.
  • It's just anecdotal evidence, but I have only met one person in real life who bought a router, and they do not know anything at all about firmwares, and I would never advise them to install OpenWrt.
  • So, you've found one device that uses digital signatures for the updates; how many devices are there in the ToH? It does not look like manufacturers are rushing to block third-party firmwares, does it?

Anyway, you think that OpenWrt is a threat to commercial vendors (I disagree, but that is not the point); now what? What do you propose to do about this situation?

1 Like

The only limitation, for me, has been wearing out the flash memory. Once the device gets flaky and crashes with random errors, it is done. Perhaps that's a build quality problem intended to shorten the life?

I don't think OpenWRT is a threat to the commercial router vendors, those vendors do. And they have already taken steps to rectify the situation, the primary one being to make it difficult to convert over their products to OpenWRT and easy to continue updating their products with their own firmware.

I'm making an observation, not calling for either OpenWRT to make changes or the commercial router vendors to make changes. I don't see there's much OpenWRT can do, and I don't have control over the commercial vendors.

Making an observation that the commercial vendors are afraid of OpenWRT and therefore taking very slimy steps to "protect" their products, is NOT a call for anyone to do anything. It's merely an observation.

You are free to disagree and advocate for security FUD slime like what the commercial router vendors are doing.