Tiny 4MB openwrt v23.05.4 ath79/ath9k dumb AP, +WPA3, +luci-ssl, -dnsmasq, -firewall

This is especially useful if you have a wifi camera in a dead zone and an obsolete 4MB device still laying around somewhere.

After days of use on WR841N V11 everything works for a dumb AP:

  1. no opkg package
  2. no mtd package: flashing on router possibly doesnt work, reflash it with tftp
  3. no dnsmasq/odhcpd: static IP only
  4. no firewall
  5. most of busybox stuff removed along with everything possible (everything still works)
  6. +vi editor, crond, ntpd, logd, ash
  7. +dropbear ssh
  8. +swconfig for vlans
  9. +WPA3 with roaming
  10. +luci with https

config.buildinfo:

CONFIG_TARGET_ath79=y
CONFIG_TARGET_ath79_tiny=y
CONFIG_TARGET_ath79_tiny_DEVICE_tplink_tl-wr841-v11=y
CONFIG_BUSYBOX_CUSTOM=y
# CONFIG_ATH9K_HWRNG is not set
# CONFIG_ATH9K_UBNTHSR is not set
CONFIG_BUSYBOX_CONFIG_ASH_OPTIMIZE_FOR_SIZE=y
# CONFIG_BUSYBOX_CONFIG_BB_SYSCTL is not set
# CONFIG_BUSYBOX_CONFIG_BRCTL is not set
# CONFIG_BUSYBOX_CONFIG_CHGRP is not set
# CONFIG_BUSYBOX_CONFIG_CMP is not set
# CONFIG_BUSYBOX_CONFIG_CRONTAB is not set
# CONFIG_BUSYBOX_CONFIG_DATE is not set
# CONFIG_BUSYBOX_CONFIG_DF is not set
# CONFIG_BUSYBOX_CONFIG_DMESG is not set
# CONFIG_BUSYBOX_CONFIG_DU is not set
# CONFIG_BUSYBOX_CONFIG_ECHO is not set
# CONFIG_BUSYBOX_CONFIG_FEATURE_IPV6 is not set
# CONFIG_BUSYBOX_CONFIG_FEATURE_NTPD_SERVER is not set
# CONFIG_BUSYBOX_CONFIG_FEATURE_SEAMLESS_GZ is not set
# CONFIG_BUSYBOX_CONFIG_FEATURE_TEST_64 is not set
# CONFIG_BUSYBOX_CONFIG_FIND is not set
# CONFIG_BUSYBOX_CONFIG_FREE is not set
# CONFIG_BUSYBOX_CONFIG_GUNZIP is not set
# CONFIG_BUSYBOX_CONFIG_GZIP is not set
# CONFIG_BUSYBOX_CONFIG_HALT is not set
# CONFIG_BUSYBOX_CONFIG_HWCLOCK is not set
# CONFIG_BUSYBOX_CONFIG_ID is not set
# CONFIG_BUSYBOX_CONFIG_IFCONFIG is not set
# CONFIG_BUSYBOX_CONFIG_IP is not set
# CONFIG_BUSYBOX_CONFIG_KILL is not set
# CONFIG_BUSYBOX_CONFIG_KILLALL is not set
# CONFIG_BUSYBOX_CONFIG_LESS is not set
# CONFIG_BUSYBOX_CONFIG_LOCK is not set
# CONFIG_BUSYBOX_CONFIG_MD5SUM is not set
CONFIG_BUSYBOX_CONFIG_MD5_SMALL=3
# CONFIG_BUSYBOX_CONFIG_MKFIFO is not set
# CONFIG_BUSYBOX_CONFIG_MKNOD is not set
# CONFIG_BUSYBOX_CONFIG_MKSWAP is not set
# CONFIG_BUSYBOX_CONFIG_MOUNT is not set
# CONFIG_BUSYBOX_CONFIG_NC is not set
# CONFIG_BUSYBOX_CONFIG_NETMSG is not set
# CONFIG_BUSYBOX_CONFIG_NETSTAT is not set
# CONFIG_BUSYBOX_CONFIG_NSLOOKUP is not set
# CONFIG_BUSYBOX_CONFIG_PGREP is not set
# CONFIG_BUSYBOX_CONFIG_PIDOF is not set
# CONFIG_BUSYBOX_CONFIG_PING is not set
# CONFIG_BUSYBOX_CONFIG_PIVOT_ROOT is not set
# CONFIG_BUSYBOX_CONFIG_POWEROFF is not set
# CONFIG_BUSYBOX_CONFIG_PRINTF is not set
# CONFIG_BUSYBOX_CONFIG_PS is not set
# CONFIG_BUSYBOX_CONFIG_PWD is not set
# CONFIG_BUSYBOX_CONFIG_RESET is not set
# CONFIG_BUSYBOX_CONFIG_RESIZE is not set
# CONFIG_BUSYBOX_CONFIG_ROUTE is not set
# CONFIG_BUSYBOX_CONFIG_SHA256SUM is not set
# CONFIG_BUSYBOX_CONFIG_START_STOP_DAEMON is not set
# CONFIG_BUSYBOX_CONFIG_SWAPOFF is not set
# CONFIG_BUSYBOX_CONFIG_SWAPON is not set
# CONFIG_BUSYBOX_CONFIG_SWITCH_ROOT is not set
# CONFIG_BUSYBOX_CONFIG_TAR is not set
# CONFIG_BUSYBOX_CONFIG_TASKSET is not set
# CONFIG_BUSYBOX_CONFIG_TEST is not set
# CONFIG_BUSYBOX_CONFIG_TEST1 is not set
# CONFIG_BUSYBOX_CONFIG_TEST2 is not set
# CONFIG_BUSYBOX_CONFIG_TIME is not set
# CONFIG_BUSYBOX_CONFIG_TOP is not set
# CONFIG_BUSYBOX_CONFIG_TRACEROUTE is not set
# CONFIG_BUSYBOX_CONFIG_UDHCPC is not set
# CONFIG_BUSYBOX_CONFIG_UMOUNT is not set
# CONFIG_BUSYBOX_CONFIG_UNAME is not set
# CONFIG_BUSYBOX_CONFIG_UPTIME is not set
# CONFIG_BUSYBOX_CONFIG_VERBOSE_RESOLUTION_ERRORS is not set
# CONFIG_BUSYBOX_CONFIG_WHICH is not set
# CONFIG_BUSYBOX_CONFIG_YES is not set
# CONFIG_BUSYBOX_CONFIG_ZCAT is not set
CONFIG_CLEAN_IPKG=y
# CONFIG_DOWNLOAD_CHECK_CERTIFICATE is not set
# CONFIG_KERNEL_DEBUG_FS is not set
# CONFIG_KERNEL_IPV6_MROUTE is not set
# CONFIG_KERNEL_IP_MROUTE is not set
# CONFIG_KERNEL_MAGIC_SYSRQ is not set
# CONFIG_KERNEL_PRINTK is not set
# CONFIG_KERNEL_PRINTK_TIME is not set
# CONFIG_KERNEL_SECCOMP is not set
CONFIG_KERNEL_SQUASHFS_FRAGMENT_CACHE_SIZE=1
# CONFIG_KERNEL_WERROR is not set
# CONFIG_PACKAGE_ATH_DFS is not set
# CONFIG_PACKAGE_MAC80211_DEBUGFS is not set
# CONFIG_PACKAGE_MAC80211_MESH is not set
# CONFIG_PACKAGE_ca-bundle is not set
CONFIG_PACKAGE_cgi-io=y
# CONFIG_PACKAGE_dnsmasq is not set
# CONFIG_PACKAGE_firewall4 is not set
# CONFIG_PACKAGE_getrandom is not set
# CONFIG_PACKAGE_jansson is not set
# CONFIG_PACKAGE_kmod-crypto-crc32c is not set
# CONFIG_PACKAGE_kmod-gpio-button-hotplug is not set
# CONFIG_PACKAGE_kmod-lib-crc-ccitt is not set
# CONFIG_PACKAGE_kmod-lib-crc32c is not set
# CONFIG_PACKAGE_kmod-nf-conntrack is not set
# CONFIG_PACKAGE_kmod-nf-conntrack6 is not set
# CONFIG_PACKAGE_kmod-nf-flow is not set
# CONFIG_PACKAGE_kmod-nf-log is not set
# CONFIG_PACKAGE_kmod-nf-log6 is not set
# CONFIG_PACKAGE_kmod-nf-nat is not set
# CONFIG_PACKAGE_kmod-nf-reject is not set
# CONFIG_PACKAGE_kmod-nf-reject6 is not set
# CONFIG_PACKAGE_kmod-nfnetlink is not set
# CONFIG_PACKAGE_kmod-nft-core is not set
# CONFIG_PACKAGE_kmod-nft-fib is not set
# CONFIG_PACKAGE_kmod-nft-nat is not set
# CONFIG_PACKAGE_kmod-nft-offload is not set
# CONFIG_PACKAGE_kmod-ppp is not set
# CONFIG_PACKAGE_knot-resolver_dnstap is not set
CONFIG_PACKAGE_liblua=y
CONFIG_PACKAGE_liblucihttp=y
CONFIG_PACKAGE_liblucihttp-lua=y
CONFIG_PACKAGE_liblucihttp-ucode=y
# CONFIG_PACKAGE_libmnl is not set
# CONFIG_PACKAGE_libnftnl is not set
# CONFIG_PACKAGE_libpthread is not set
# CONFIG_PACKAGE_libuclient is not set
CONFIG_PACKAGE_lua=y
CONFIG_PACKAGE_luci-base=y
CONFIG_PACKAGE_luci-lib-base=y
CONFIG_PACKAGE_luci-lib-ip=y
CONFIG_PACKAGE_luci-lib-jsonc=y
CONFIG_PACKAGE_luci-lib-nixio=y
CONFIG_PACKAGE_luci-mod-admin-full=y
CONFIG_PACKAGE_luci-mod-network=y
CONFIG_PACKAGE_luci-mod-status=y
CONFIG_PACKAGE_luci-mod-system=y
CONFIG_PACKAGE_luci-theme-bootstrap=y
# CONFIG_PACKAGE_mtd is not set
# CONFIG_PACKAGE_nftables-json is not set
# CONFIG_PACKAGE_odhcp6c is not set
# CONFIG_PACKAGE_odhcpd-ipv6only is not set
# CONFIG_PACKAGE_openwrt-keyring is not set
# CONFIG_PACKAGE_opkg is not set
# CONFIG_PACKAGE_ppp is not set
CONFIG_PACKAGE_px5g-mbedtls=y
CONFIG_PACKAGE_rpcd=y
CONFIG_PACKAGE_rpcd-mod-file=y
CONFIG_PACKAGE_rpcd-mod-iwinfo=y
CONFIG_PACKAGE_rpcd-mod-luci=y
CONFIG_PACKAGE_rpcd-mod-ucode=y
# CONFIG_PACKAGE_uboot-envtools is not set
# CONFIG_PACKAGE_uclient-fetch is not set
CONFIG_PACKAGE_ucode-mod-html=y
CONFIG_PACKAGE_ucode-mod-math=y
CONFIG_PACKAGE_uhttpd=y
# CONFIG_PACKAGE_urandom-seed is not set
# CONFIG_PACKAGE_urngd is not set
# CONFIG_PACKAGE_usign is not set
# CONFIG_PKG_CHECK_FORMAT_SECURITY is not set
# CONFIG_SECCOMP is not set
# CONFIG_SIGNATURE_CHECK is not set
# CONFIG_SIGNED_PACKAGES is not set
CONFIG_STRIP_KERNEL_EXPORTS=y
# CONFIG_TARGET_ROOTFS_INITRAMFS is not set
CONFIG_TARGET_SQUASHFS_BLOCK_SIZE=1024
CONFIG_USE_MKLIBS=y

I only played with make menuconfig (.config) since I dont know how to strip kernel.

Suggestions for more stripping (to possibly readd seccomp) and anything else are welcome.

7 Likes

Hey, can you try to squeeze default image to save 8MB flash devices for another couple of years of official support?

Sorry, I dont understand the question. 8MB is bigger then 4MB so there should not be a problem. Take this 4MB and readd stuff back.

Snapshot got so much beef that now 8MB devices seem non-viable....

The devs who have contributed to the 'tiny' builds might be able to do this for 8MB by creating similar community builds and recipies.

That said, official support will almost certainly not be kept for any 8MB devices because of the fact that things must necessarily be removed from the build which makes it non-standard and difficult to support. Further, the build that the OP created (which is actually impressive! kudos @devianceluka) is not viable for any kind of official support since it really only is good for bridged AP scenarios as so much (including the firewall) been stripped out to fit in the available space.

All of that being said, while official support for 8MB targets will be dropped, the community builds is a perfect place for continuing efforts to the extent that there are volunteers available to help.

1 Like

If OP quantizes compaction settings one might be able to claw back a megabyte by say losing ash errors and md5sum speed and similar non-essential stuff.

I understand you now. I went and removed packages one by one untill it did not boot anymore. Wrote those "crucial" down and readded untill I got the minimum by size possible, but still only "regular" packages. Then I went and added only luci one by one until it was usable. Again, only minimum needed. Maybe I removed also untill it was still usable. Then it was the same with ssl and things got seriously too much at this point for 4MB. Here I started removing busybox applets untill it was unusable and again, readding untill it was usable. Long road. At the end I wanted logd to see if there are any errors. Added logd, and again too big, so removing/readding one by one all over again. The result is this: no errors and totally usable as a dumb AP.

Luci is maybe beef that one already does not need. Without luci, I think its atleast 500KB smaller than this. But its nice to have to atleast quickly check status way down the line when we forget the commands.

I suggest you do the same. Another, maybe easier, method would be to compare this .config with 8MB .config and remove stuff from 8MB that arent in this 4MB and thats it.

2 Likes

I was more after config options like that say this reduces busybox binary by 10kB or by 100kB and so on.

Maybe this build will help with optimizations and especially dependencies, since theres alot of beef included... Its nice to have alot of "tools". But this build proves they are not needed or crucial. I would like someone to also test a build like this to see if there are any errors because then it would be possible to make something like "ultra tiny" targets that have bare minimum for "advanced users".

Just food for thought :stuck_out_tongue:

Sure. I am genuinely impressed that you got this to fit.

But, omitting things like the firewall limits the device to purely local/trusted environments, and the severely limited space means that it's unlikely that any additional packages (and their dependencies) are likely to fit... I think that you have managed to piece together the last-gasp of these devices in the context of a modern OpenWrt version operating as an AP.

That said, I won't say that further optimizations are impossible, but I do think they're going to be of diminishing returns.

3 Likes

You could simply use https://firmware-selector.openwrt.org and select packages instead of setting up a build environment.

That is not an option for removing busybox features/ applets, which has been done here (and is very high risk) - those decisions can only be done at build time. Some other of those space conserving options are likewise build-time settings only.

2 Likes

Not in the case of the device in question. The WR841v11 does not exist in the firmware selector (19.07 and newer). The last supported build for this was 18.06, after which it was disabled from building because of the 4/32 limitations. Presumably the device was simply disabled/excluded (rather than removed), but a build environment is required to do anything with this device with 19.07 and newer.

4 Likes

Oh wow that's ancient.

See also my previous similar package set target attempt here 22.03.3 tiny official(!) imagebuilder configuration for 4/32MB devices (ath79, TL-WA860RE v1 etc.), using ramdisk extroot

Yes custom build fit at the time, but I was aiming to also keep the ability to install stock packages.

Regardless, it didn't work out and wasn't worth any additional investment.

1 Like

Hey, I was trying to build the same for the tp link 840n v6.2 but i'm unable to find it in the target profile?