Hello,
From time to time OpenWRT is mentioned as causing or being affected by potential issues with compliance to the RED directive (Example in German: Heise.de).
This can be regarded as a potential issue for replacing the initial Firmware with OpenWRT, because manufacturers might decide to comply with article 3(3)i by making it hard to replace their firmware (locked-down hardware). TP-Link did so in the past when they tried to be more FCC compliant Example: Routers affected by FCC restrictions
The relevant article says:
Radio equipment within certain categories or classes shall be so constructed that it complies with the following essential requirements:
...
(i) radio equipment supports certain features in order to ensure that software can only be loaded into the radio equipÂment where the compliance of the combination of the radio equipment and software has been demonstrated.
...
Mostly, we might cause non-compliance because OpenWRT might allow users to exceed TX-power or devices might not correctly apply DFS (~radar detection). The difference to the original-manufacturers-compliance is not large and this might reduce our efforts if we just need to show OpenWRT does not invalidate the original-manufacturers-decalartion-of-conformity.
Whats the long term strategy for us?
Simply ignore and rely on unlocking hardware?
Offer regional builds that comply with the relevant regulation?
Reach out and cooperate with manufacturers?
I am pretty sure, ignoring this topic will put us in a bad, defensive position and might lead to Regulators constraining us, so that's probably not a long term solution.
We as individuals are IMHO allowed to replace firmware as long as we do not cause interference. But this is not so easy anymore if OpenWRT is to be used in a commercial setup. More important: original-manufacturers might decide they need to lock us out, thus giving us a hard time reusing and improving their hardware.
Isnât this the normal EU states governments way if dealing with Brussel? At least until Great Britain took it a step further and bailed outđ
But to be honest we already broke both CE by opening the case and adding a serial port and EEC rules by changing the EMC values already. So why not go for a hat trickđ
FCC is a US thing so that no one cares about.
But I donât really see the manufacturers cooperating with Open source firmware developers since they donât do it to begin with âif you install anything else on this device the warranty expiresâ thingâŚ
Thank you for replying, but I do not agree that this a viable long-term-solution and I just added it as "keep-it-as-it-is" option.
Long term, manufacturers will have to lock devices down even more than just that, if we gain too much popularity and people are using OpenWRT at a larger scale. End users are not supposed to be able to change the radio-equipment-setup as demonstrated to be compliant according to the RED.
Long term, projects that allow end-users to make modifications that are considered "against the law" might be regarded illegal. If we are not prepared this could hit us. In case we are not prepared at all, it might hit us even harder.
The European directives are aimed mainly towards market actors (manufacturers, importers) that put devices onto the market and not end-users. We, as end-users & developers & security-researchers, need to worry if we really cause RF-interference. Just opening an enclosure does not automatically cause non-compliance, it just voids some manufacturer warranties, but compliance is normally still OK. Also, we as single users might be responsible for a couple of devices, while a manufacturer sells thousands of devices. Adding too high gain antennas or tinkering with the EEPROM values for RF-power, that's something potentially invalidating the DoC (Declration of Conformity).
I am hoping to spark off better ideas than the ones currently coming to my mind. Cheers!
I would say they sell billions of devices per year in EU.
How many people of the whole population of EU do you believe exist that has the geek level of know how and will power to actually make this modification to a router?
100 or maybe 1000?
We will not reach any magic level of popularity since the standard living person simply doesnât give a shit about the firmware in the router. They donât even change the original password.
And if the EU market gets locked devices from the manufacturers, what do you think happens then?
Ebay and Amazon to the rescue and then the few that really want a router with OpenWRT buy devices from abroad with out hardware lock since they most often only need 12V DC adapter or any other DC adapter to run.
But this law about radio transmitters has been local laws for ever since radios was invented so it isnât something new anyway.
@jow Do you have ideas how this could be expanded & build upon?
For instance: Do you know why Buffalo and GL.inet are using OpenWRT without making it difficult to replace it with vanilla OpenWRT? Did OpenWRT developers help them and in the end they saved development effort? Is that something OpenWRT could offer other manufacturers as well so both parties (manufacturer and OpenWRT) have an advantage from that?
I have lived very long in this EU thing and lived before EU thing. My experience for all these directories that is spraying out from Brussel is to cool down until anything is actually implemented EU wide so we see what the real end result became.
And to see how the world respond.
I think OpenWRT has a lot to offer for manufacturers. Of course article 3(3)i is annoying and not in our favour. IT is good to see the FSFE, Netzpolitik.org, etc working on showing why this must be changed and I wish them all the best.
In the past manufacturers were facing issues like:
outdated kernel and thus vulnerabilities
long release cycles until their firmware is updated, leaving users and interconnected devices vulnerable for extended period of time.
sometimes no updates at all
However, if the draft delegated article finds its way to being compulsory legislation, especially then OpenWRT would be very useful for manufacturers and save them a lot of development effort in order to comply:
It would require manufacturer to protect users from cyber security risks (Points (d), (e) and (f) of Article 3(3) of Directive 2014/53/EU aim at ensuring that the concerned radio equipment protect the user from elements of cyber security risks.)
With OpenWRT necessary requirements to comply are already present. If not using Linux in internet-connected-devices, few other embedded operating systems offer the same level of security AND broad support in terms of developers/hardware support. It would be not cost effective for manufacturers to implement their own system and basically redo a lot of the work OpenWRT already did.
Using OpenWRT as foundation to build their own software on would put manufacturers in a better position, because:
They do not have to start from a board-support-package or scratch
Quite recent kernel and packages, thus having fixes against the CVEs
a robust update mechanism
And if they show compliance to the radio and non-radio functions with the OpenWRT-based-derivate this would in return justify why OpenWRT does not invalidate automatically their declaration of conformity if changes do not affect the radio functions. When accepting patches this would be a good check to classify if this might potentially affect radio-functions and thus compliance. If not, no costly retesting is necessary at all.
Wikipedia lists several manufacturers already using OpenWRT in (some) of their products. Does anyone have an insight or contacts why these companies are using it and how they like it? This might be something where we can shape a win-win for manufacturers and this project while still meeting the (future) legal requirements.
Edit #1: This idea (using OpenWRT as a cost-effective choice for manufacturers and showing compliance to RED that way, thus allowing us to freely modify parts of the software not affecting compliance to the RED) aligns quite well with the aims of the "Cybersecurity-strategy" of Germany: https://www.bmi.bund.de/SharedDocs/downloads/DE/veroeffentlichungen/2021/06/entwurf-cybersicherheitsstrategie-2021.pdf;jsessionid=D9F56CCC29300376F3A06BD8FC7782A5.2_cid295?__blob=publicationFile&v=1
That document says in chapter 8.2.9 that Open-Source can be used to achieve "Security by design" and as we know only Open-Source gives transparency. This transparency can only be achieved by publishing the sourcecode. In contrast closed-software reduces public traceability, auditability and thus acceptance of implementations in products for the majority of security-interested-citizens - which makes the Cybersecurity concept fall short of its aim to be widely acceptable if it would deem solely closed-source-software acceptable. For security the preference on products that are open, auditable, approachable is logical. The commercial aspect (free, non-paid software) is something that can be seen differently and is not a necessary needed to achieve transparency.
Also considering the way we are taking with WiFi ac and now ax... The simple fact that we have proprietary firmware that are really external system that communicate with the router, in theory the rule should already be followed... But it's too generic... Nowadays it's hard to violate regulation as the firmware internally will simply reject it.
Some routers (Linksys WRT3200ACM, for example) have locked the radio firmware to a specific region and settings, so any third party router firmware is also locked.
OEM firmware is overwhelmingly Linux-based these days, and a great deal of it is OpenWRT based. (Including my EOL Zyxel access point.)
There's a case to be made that standard FOSS license agreements should preclude locking out third-party firmware. In other words, if you base your OEM firmware on FOSS, you must permit installation of FOSS firmware, or be in violation.
@Ansuel: Partially true, because suddenly there is something like this Firmware-hack, where the WiFi-card-Firmware-blob suddenly can do all sorts of things.
I mean, vendors are already busy locking (or so far trying) to lock their devices (AVM is experimenting with EFI, Xiaomi AX devices have RX pin disabled, etc.). Long term it will be more and more difficult to gain access...
We could perhaps agree on fundamental rules, that we do not invalidate the radio-compliance in binary builds. People gaining the expertise to compile their own firmware can always circumvent software limitations and this should also remain in their responsibility. Such clever people can be expected to be smart enough to know if what they are doing is legal or not.
@Cheddoleum: I agree, and OpenWRT could also do their part and NOT make it very easy to violate radio-limits just by entering incorrect settings. If the binary builds would be compliant, that could be used to show that we are at least not invalidating radio-compliance for the average user that does not compile his own firmware.
I have a hard time seeing this because that will include non disclosure deals and OpenWRT is a very loose thing to make information security business deals with. It isnât really a company to begin with, and what warranties have we?
That is the whole idea of capitalism, everyone must buy new better stuff all the time and keep the money flowing.
No one whant anything that works, at least not the ones making money.
I would suggest to start cooperating mostly with chinese vendors to have "official" openwrt devices which mostly already are out there, just search openwrt on sites like AliExpress.
Even without this law installing openwrt on commercial routers sold in the eu and us is becoming more and more difficult. I know part of the spirit of openwrt was reusing devices which no longer had manufacturer support but newer routers more and more often already require desoldering flash chips and some SOCs even have secure boot now...
Even stuff like ubiquiti or tplink that was openwrt friendly at start, now is a complete mess to work with
Altho not directly related to the RED compliance, why not raise awareness and demand for small appliances like routers and APs to be included in the new End user right to repair what we own, and software lock-ups? - there is some positive movement in that direction for large kitchen appliances that will prolong the service life, demands the manufacturers to provide schematics, repair guides, parts, etc?
OpenWRT firmware has already proven its ability to prolong and extend the life of any hardware that is available!
Personally, I prefer to use obsolete enterprise hardware as for different reasons it's not competitive enough for the enterprise market like Meraki MX60 router and Meraki MR12-33 APs that's now converted to OpenWrt it springs a new life in my home network
When it comes to the radio tx compliance as some already stated here, there are already some measures in place from the manufacturers that lock hardware ability to deviate from its standard manufacturers tx specs. When it comes to radio complinece and OpenWrt vanilla install - out of box radio setings can default to low TX, and user agreement can be added to when you change TX settings. We certainly can't send and test all vast pool of devices out there for radio TX/interference compliance but the manufacturer can see a benefit to provide a way forward for the end-user to install third-party firmware ( OpenWrt ) and also can do the lab testing with OpenWrt installed if they do not want or not able to provide +10 years of support if routers become part of the new EU repair lows? There is some movement and changes in UK and US regarding the same.
