Thanks Gnomad.
I went into this without ever having used OpenWrt and long after Itus went under. I've got no experience with using the Shield in any way like Itus expected.
As for your tinkering abilities, you got it loaded, so they aren't bad :p
I'm still learning how the Shield architecture works. For example, from what I can tell, there is no way to update the kernel. It seems the board is set to boot from uBoot to the ELF-bin, which has the kernel. Once that is loaded, it boots like a Linux Live CD install. About halfway through the boot, when the MMC device finally comes up, the root pivots to whatever the proper partition is (as set by the front-panel switch). So, by the time the console goes active, / is mounted to /dev/mmcblk1p2 (for router). Ok, that works well.. I don't know if that is what is needed or proper, but it is what Itus did.
Ok, so in order to update the kernel, you replace the ItusrouterImage and reboot. Not ideal, because it takes the box offline, but we aren't talking daily updates or anything. The issue comes when you have kernel-dependent libraries, which are stored on the mmc.. At that point, you've got kernel panics and dumps and a bootloop..
Ok, so.. This is why there is a /.norwits file and why everything gets wiped and recopied to the MMC.. But.. it wipes out USER data in its present form.
But, since we can't use the official opkg repos for OpenWrt, I'd have to either include them in the image anyway, or maintain a repo of all the compiled opkgs a user might want and their dependencies - For each published build with a library or kernel change. Even something like snort might throw a fit at having a kernel change and not being updated with a recompiled binary under the new version.. I don't know yet..
Of course, this all could be the complete WRONG way to do it, but it's how Itus did it, so it was a starting point.
There could be a "turnkey" image, but built on what?
More issues I'm running into at the practicality sides of the Shield. Again, I have to put out there I've NEVER used the Shield as a security device.. I didn't even open the box from the Kickstarter until Jan 2019 because I lost the box :D
More considerations I've had along the way.
I'm not sure how effective a consumer-level security device would be. You can run snort3 all day long, but it won't touch encrypted traffic AFAIK. So, https breaks snort (or ssh, scp, etc). Not without other changes like an enforced TLS proxy to act as the encryption endpoints. What package should I look into? Will the shield have enough go-juice to handle it? At the very least, it's a badass little router that runs OpenWrt, but what else can it do?
Cavium is impossible to get much out of. I've got their toolchain and kernel repos, but the toolchain refuses to build out and I can't get it to tell me why..
MARVELL_PKGVERSION="Marvell Development Version" RELEASE= VERBOSE= STATIC=false /home/grommish/Downloads/toolchain-src-249.0/toolchain/scripts/build-marvell-linux
Building zlib for aarch64-marvell-linux-gnu .......done.
Building expat for aarch64-marvell-linux-gnu ........done.
Building libiconv for aarch64-marvell-linux-gnu ..............done.
Building bison for aarch64-marvell-linux-gnu ............done.
make: *** [Makefile.marvell:36: marvell-linux] Error 1
grommish@norwits:~/Downloads/toolchain-src-249.0/toolchain$
And their kernel is 4.14. OpenWrt is stable 4.19.123 and testing 5.4. I'm not sure how much effort and energy it would take to find the changes and forward port the Octeon/Mips specific stuff, or try and port from the repo into the Octeon kernel src.. Again, I'm in over my head in the best practices..
In theory, we could replace the octboot.bin and uBoot loader and do whatever we want, but it would take someone with more knowledge or tenacity to help me with. I can put in the time and building, but only if I have something TO build.
Once this is all done, it has to be applied to the Bridge mode and eventually the Gateway slot I suppose. Bridge mode poses a lot of different issues.. For example, snort might work, but what about port-mirroring? Where it acts as a transparent bridge and allows for packet sniffing while doing it? All would have to be built and tested. Again, I can DO that, but I don't know in which direction to go.
Ah well.. This is why I'm here, to get ideas from people who know. You may not have time to tinker, Gnomad, but you have user-requirements. You've purchased a replacement for the Shield, so you have an idea of what you need/want/desire it to do. Feed me that info?
Same goes to whoever else is reading this. Whether you got the Shield because it was a tech novelty, a talking point, or as an enthusiast, you had your reasons for the purchase. What were the reasons? Something simply turn-key? I believe some people bought it with that in mind, but I don't know most did. We've paid for the hardware, so we might as well get some use out of it.
Does anyone have ideas for other ways to reprovision the device? It's an ARMv7, 1GB Ram, and call it just under 4Gb storage on board and a USB3(?) SD Card interface, so..
Send me those thoughts and ideas.
Running Itus Shield v2 Firmware