I would like to verify that a device is actually running the exact firmware that it is supposed to be running. Is there any easy method for me to do that?
The reason for this is that I will be having branded routers manufactured in China with an OpenWRT firmware that I am supplying. I want to make sure not modifications have been made to the firmware in the process.
I have identical devices here flashed by myself with the same firmware that I could compare to. I can of course check the checksums of single files but I would like to be able to check the integrity of the entire firmware if possible.
Thank you, this appears to work for my u-boot and kernel mtds, but the rootfs, rootfs_data, art and firmware mtds return a different checksum every time I run the command.
I guess if the bootloader and kernel checksums match the ones of the kernel and bootloader I supplied, I can safely assume that the device is really running my firmware, right?
Booting an initramfs kerlen requires a serial console, right? Cause that would mean having to break open the device and soldering in my case...
I tried mounting the rootfs and rootfs_data partitions read-only. That worked, so I now get consistent checksums every time I run the md5sum command. Unfortunately, the md5 sums are not consistent between two devices running the same firmware or the same device flashed again with the same firmware. I guess that makes sense since the partitions will have already been altered by the time I can mount them read-only...
The best way to deal with the possibilty someone tampered with rootfs_data is to erase it. This will return to a "factory" state where the only filesystem is the squashfs rootfs i.e. the "ROM". Hashes of rootfs (which is both the squashfs and the rootfs_data area reserved for the jffs) should then be consistent.
The next reboot will rebuild the jffs overlay into default configuration. You can set up default files in the ROM.
But you could have set up a multi boot in the boot loader (u-boot ? ), which would attempt to boot other media (USB, TFTP, etc) before it booted from flash.
Or nc up and running for a couple of seconds during the boot loader countdown
But, your existing check sum file won't catch files added to the flashed rom.
They could add files, and you won't notice, since you're verifying files know to
you, through the template image.
You should compare in the other direction, from the flashed rom to the template
image. Then the added files (if any) should pop up as missing when compared
to your template.
That's what I did, sorry for not making that clearer in my post. What I am wondering is do I need to check other stuff like /overlay as well if all checksums in /rom as well as the checksums vor dd if=/dev/mtd0 bs=512 | md5sum (u-boot) and dd if=/dev/mtd1 bs=512 | md5sum (kernel) match?