Tuesday, February 18, 2014

Running a Tor relay on a TP-Link TL-WR741ND

... is not possible (for now).
It tuns out even the spacious 32 MB RAM on the 741 is not enough for Tor.
Even with a custom minimized firmware, logging in via serial so I can kill dropbear and save a meg of RAM, this is not enough.
I was able to get to ~70% of the setup, with about half of the caches loaded when the system went out of memory.
I tried to put the caches into a compressed loopback image with

# rm -rf /var/lib/tor/*
# mkdir /tmp/jffsroot
# mkfs.jffs2 --pad=0x500000 -o /tmp/rootfs.jffs2 -e 0x4000 -n -d/tmp/jffsroot
# losetup -f
/dev/loop0
# losetup /dev/loop0 /tmp/rootfs.jffs2
# modprobe block2mtd
# echo "/dev/loop0,131072" > /sys/module/block2mtd/parameters/block2mtd
# mount -t jffs2 -o rw /dev/mtdblock6 /var/lib/tor
# chown tor /var/lib/tor


but it only helped a little bit, mostly because their contents does not compress well. The tor binary kept growing in RAM and eventually reached about 20 MB. Then I was out of memory again.
So it looks like it might only be possible to run Tor with the caches located on an external storage, provided Tor's RAM usage won't grow over ~25 MB.

Saturday, February 15, 2014

TP-Link TL-WR741ND unbricking

So I was playing with the router, mounted one of the system partitions and after reboot it wouldn't come up.
Fortunately the box comes with serial, although not in very convenient way.
The OpenWRT wiki has photos with locations of the pins.
After some soldering and hot-glueing I had the serial port ready:


To connect it to the PC, I've finally found some use of the Arduino, or rather the FTDI chip that comes with it, as described by ZooBaB:

I've installed a tftp server and copied the firmware to its directory:
root@debian:~# apt-get install tftpd-hpa
Reading package lists... Done
Building dependency tree      
Reading state information... Done
Suggested packages:
  syslinux-common
The following NEW packages will be installed:
  tftpd-hpa
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 47.6 kB of archives.
After this operation, 91.1 kB of additional disk space will be used.
Get:1 http://ftp.cz.debian.org/debian/ wheezy/main tftpd-hpa amd64 5.2-4 [47.6 kB]
Fetched 47.6 kB in 0s (196 kB/s)  
Preconfiguring packages ...
Selecting previously unselected package tftpd-hpa.
(Reading database ... 108212 files and directories currently installed.)
Unpacking tftpd-hpa (from .../tftpd-hpa_5.2-4_amd64.deb) ...
Processing triggers for man-db ...
Setting up tftpd-hpa (5.2-4) ...
[ ok ] Starting HPA's tftpd: in.tftpd.
root@debian:~# cp /home/hajma/openwrt/openwrt/bin/ar71xx/openwrt-ar71xx-generic-tl-wr741nd-v2-squashfs-sysupgrade.bin /srv/tftp/

root@debian:~#

Then I set the PC's IP to 192.168.1.3 and connected it to the first Ethernet port of the router.

Then I connected to the serial link:
$ screen /dev/ttyUSB1 115200,cs8,-parenb,-cstopb

And this is what I saw:
U-Boot 1.1.4 (Sep  3 2010 - 12:28:13)

AP91 (ar7240) U-boot
DRAM:
sri
#### TAP VALUE 1 = a, 2 = b
32 MB
id read 0x100000ff
flash size 4194304, sector count = 64
Flash:  4 MB
Using default environment


In:    serial
Out:   serial
Err:   serial
Net:   ag7240_enet_initialize...
No valid address in Flash. Using fixed address
: cfg1 0xf cfg2 0x7014
eth0: 00:03:7f:09:0b:ad
eth0 up
No valid address in Flash. Using fixed address
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad

eth0 up
No valid address in Flash. Using fixed address
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
ATHRS26: resetting s26
ATHRS26: s26 reset done
eth1 up
eth0, eth1
Autobooting in 1 seconds
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... Error: Bad gzipped data
GUNZIP ERROR - must RESET board to recover

Resetting...


... stuck in  a boot loop due to corrupted firmware.

Following the steps at the OpenWRT wiki to tftp the image:
Type 'tpl' to break to boot loop. Then

ar7240> setenv ipaddr 192.168.1.100
ar7240> setenv serverip 192.168.1.3
ar7240> tftpboot 0x80000000 openwrt-ar71xx-generic-tl-wr741nd-v2-squashfs-sysupgrade.bin
eth1 link down
eth0 link down
Using eth1 device
TFTP from server 192.168.1.3; our IP address is 192.168.1.100
Filename 'openwrt-ar71xx-generic-tl-wr741nd-v2-squashfs-sysupgrade.bin'.
Load address: 0x80000000
Loading: T T T T T T T T T T
Retry count exceeded; starting again
eth0 link down
eth1 link down
Using eth0 device

...
TFTP from server 192.168.1.3; our IP address is 192.168.1.100
Filename 'openwrt-ar71xx-generic-tl-wr741nd-v2-squashfs-sysupgrade.bin'.
Load address: 0x80000000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ##
done
Bytes transferred = 3670020 (380004 hex)

ar7240> erase 0x9f020000 +0x380004

First 0x2 last 0x3a sector size 0x10000                                       58
Erased 57 sectors
ar7240> cp.b 0x80000000 0x9f020000 0x380004
Copy to Flash... write addr: 9f020000
done

ar7240> bootm 0x9f020000
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... OK

Starting kernel ...



OpenWrt kernel loader for AR7XXX/AR9XXX
Copyright (C) 2011 Gabor Juhos
Looking for OpenWrt image... found at 0xbf022000
Decompressing kernel... done!
Starting kernel at 80060000...

[    0.000000] Linux version 3.10.28 (hajma@debian) (gcc version 4.6.4 (OpenWrt/Linaro GCC 4.6-2013.05 r39457) ) #4 Fri Feb 14 00:04:39 CET 2014
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Atheros AR7240 rev 2
[    0.000000] Clocks: CPU:350.000MHz, DDR:350.000MHz, AHB:175.000MHz, Ref:5.000
MHz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 02000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x01ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x01ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
[    0.000000] Kernel command line:  board=TL-WR741ND console=ttyS0,115200 rootfstype=squashfs,jffs2 noinitrd
[    0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[    0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 29168k/32768k available (2062k kernel code, 3600k reserved, 354k data, 268k init, 0k highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51

[    0.000000] Calibrating delay loop... 232.24 BogoMIPS (lpj=1161216)
[    0.080000] pid_max: default: 32768 minimum: 301
[    0.080000] Mount-cache hash table entries: 512
[    0.090000] NET: Registered protocol family 16
[    0.100000] MIPS: machine is TP-LINK TL-WR741ND
[    0.500000] registering PCI controller with io_map_base unset
[    0.510000] bio: create slab at 0
[    0.520000] PCI host bridge to bus 0000:00
[    0.520000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x13ffffff]
[    0.530000] pci_bus 0000:00: root bus resource [io  0x0000]
[    0.530000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.540000] pci 0000:00:00.0: fixup device configuration
[    0.540000] pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x1000ffff 64bit]
[    0.550000] pci 0000:00:00.0: using irq 40 for pin 1
[    0.550000] Switching to clocksource MIPS
[    0.560000] NET: Registered protocol family 2
[    0.560000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[    0.570000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[    0.580000] TCP: Hash tables configured (established 512 bind 512)
[    0.580000] TCP: reno registered
[    0.590000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.590000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.600000] NET: Registered protocol family 1
[    0.620000] squashfs: version 4.0 (2009/01/31) Phillip Lougher

[    0.630000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.640000] msgmni has been set to 56
[    0.650000] io scheduler noop registered
[    0.650000] io scheduler deadline registered (default)
[    0.660000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.680000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[    0.690000] console [ttyS0] enabled, bootconsole disabled
[    0.690000] console [ttyS0] enabled, bootconsole disabled
[    0.700000] ath79-spi ath79-spi: master is unqueued, this is deprecated
[    0.710000] m25p80 spi0.0: found s25sl032p, expected m25p80
[    0.720000] m25p80 spi0.0: s25sl032p (4096 Kbytes)
[    0.720000] 5 tp-link partitions found on MTD device spi0.0
[    0.730000] Creating 5 MTD partitions on "spi0.0":
[    0.730000] 0x000000000000-0x000000020000 : "u-boot"
[    0.740000] 0x000000020000-0x0000000f8200 : "kernel"
[    0.750000] mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.760000] 0x0000000f8200-0x0000003f0000 : "rootfs"
[    0.770000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.780000] mtd: device 2 (rootfs) set to be root filesystem
[    0.790000] 1 squashfs-split partitions found on MTD device rootfs
[    0.790000] 0x0000003a0000-0x0000003f0000 : "rootfs_data"
[    0.800000] 0x0000003f0000-0x000000400000 : "art"
[    0.810000] 0x000000020000-0x0000003f0000 : "firmware"

[    0.920000] libphy: ag71xx_mdio: probed
[    1.480000] ag71xx-mdio.0: Found an AR7240/AR9330 built-in switch
[    2.510000] eth0: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[    3.080000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.0:04 [uid=004dd041, driver=Generic PHY]
[    3.090000] eth1: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[    3.090000] TCP: cubic registered
[    3.100000] NET: Registered protocol family 17
[    3.100000] 8021q: 802.1Q VLAN Support v1.8
[    3.120000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[    3.130000] Freeing unused kernel memory: 268K (802bd000 - 80300000)
procd: Console is alive
procd: - watchdog -
procd: - preinit -
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    8.090000] eth0: link up (1000Mbps/Full duplex)
kmod: ran 1 iterations
mount_root: jffs2 is not ready - EOF marker found
[   10.470000] eth0: link down
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.


Yay!