Skip to content

Instantly share code, notes, and snippets.

@djeraseit

djeraseit/openwrt-integrity.sh

Last active October 10, 2021 07:39
Show Gist options
  • Save djeraseit/f780760225a04602370acaa04028ad29 to your computer and use it in GitHub Desktop.
Save djeraseit/f780760225a04602370acaa04028ad29 to your computer and use it in GitHub Desktop.
Download ZIP
OpenWRT Integrity Checker
Raw
openwrt-integrity.sh
#/bin/sh
# Check integrity of all files
SCRIPTNAME=$(basename $0) # name of this script
PCKGLIST=/etc/config/opkg.installed # location to save package list
KERNEL_VER=$(uname -r)
# Define base firmware model
MODEL=glinet_gl-mt300n-v2
SOC=mipsel_24kc
#https://downloads.openwrt.org/releases/21.02.0/packages/$(SOC)/telephony/Packages.sig
# Take a snapshot first
# Make a list of executable files using find and run through sha256sum
# Check for required software (i.e. sha256sum, wget, curl, etc)
type sha256sum
#type curl
type gpg
type wget # built in no need to install curl (takes up too much space)
# Define kernel and sysupgrade binaries
KERNEL=$(MODEL)-initramfs-kernel.bin
SYSUPGRADE=$(MODEL)-squashfs-sysupgrade.bin
# Check for internet connection
ping -q -c 1 google.com
if [ "$?" -eq 0 ]; then
echo 1 > /sys/class/leds/green\:power/brightness #turn on LED
echo 1 > /sys/class/leds/red:wlan/brightness
else
echo 0 > /sys/class/leds/green\:power/brightness #turn off LED
echo 0 > /sys/class/leds/red:wlan/brightness
fi
# Update package lists
opkg update
CORE=/var/opkg-lists/openwrt_core
BASE=/var/opkg-lists/openwrt_base
LUCI=/var/opkg-lists/openwrt_luci
PACKAGES=/var/opkg-lists/openwrt_packages
ROUTING=/var/opkg-lists/openwrt_routing
TELEPHONY=/var/opkg-lists/openwrt_telephony
# Load values into environment variables
while read line; do
export "$line"
done < /etc/os-release
#echo $VERSION_ID
# Get version info
cat /proc/version
# Get list of installed packages
opkg list-installed > "$PCKGLIST"
# Find all files
for i in `find /sbin -type f`; do [ -x $i ] && echo "$i is executable"; done
for i in `find /bin -type f`; do [ -x $i ] && echo "$i is executable"; done
for i in `find /usr/bin -type f`; do [ -x $i ] && echo "$i is executable"; done
for i in `find /usr/sbin -type f`; do [ -x $i ] && echo "$i is executable"; done
# build our download url
#https://downloads.openwrt.org/snapshots/targets/ramips/mt76x8/
BASE_URL=https://downloads.openwrt.org/snapshots/targets/$(OPENWRT_BOARD)
# Files sha256sums, sha256sums.sig, sha256sums.asc
curl $(BASE_URL)/sha256sums -s -f -O /tmp
curl $(BASE_URL)/sha256sums.asc -s -f -O /tmp
curl $(BASE_URL)/sha256sums.sig -s -f -O /tmp
curl $(BASE_URL)/$(SYSUPGRADE) -s -f -O /tmp
# check the integrity of the image file via sha256sums
sha256sum -c /tmp/sha256sums 2> /dev/null | grep OK
# the desired result is that the downloaded firmware filename is listed with "OK" afterwards
gpg --verify /tmp/sha256sums.sig /tmp/sha256sums
####################################################
# Initiate sysupgrade with your desired options
# by default ( no -n ) settings are kept
####################################################
sysupgrade -v /tmp/$(SYSUPGRADE)
@djeraseit
Copy link
Author

djeraseit commented Oct 10, 2021
edited
Loading

USB tethering / TTL modification

opkg install iptables-mod-physdev
opkg install iptables-mod-ipopt

Modify /etc/sysctl.d/11-br-netfilter.conf
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

Firewall rule /etc/firewall.user
Bridged
iptables -t mangle -I POSTROUTING -m physdev --physdev-out usb0 -j TTL --ttl-set 65
or
Standard Routed
iptables -t mangle -I POSTROUTING -o usb0 -j TTL --ttl-set 65

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment