Restore of settings over HTTPS seems to corrupt nvram

jnwbn
DD-WRT Novice


Joined: 17 Sep 2018
Posts: 4

Posted: Thu Oct 04, 2018 17:31    Post subject: Restore of settings over HTTPS seems to corrupt nvram
I am admittedly pretty new to DD-WRT, but I have systematically tested the settings backup and restore, and found that nvram settings are messed up when restoring them with HTTPS admin enabled (and no HTTP). The same settings .bin file restores properly if using just HTTP -- which is the obvious workaround, once you know the cause of the problem. But it is annoying and potentially risky to have to drop security every time I want to restore settings. Backup of settings over HTTPS does NOT cause any problem, only restoring them over HTTPS.

Is this a known limitation with HTTPS in DD-WRT? If so, is this on one build or branch, or on all DD-WRT builds? Or is it somehow hardware-specific, or common to all routers and firmware?

This limitation with HTTPS does not appear to be documented or prevented by the DD-WRT GUI. And I searched a bunch, but could not find any mention of this as a known issue on websites related to DD-WRT. Can someone more knowledgeable please document this better?

My testing environment:
Router: Asus RT-AC68U (original, not T-Mobile).
Build: Kong v3.0-r36070M kongac (05/31/18).
Connection: Windows 10 laptop with Ethernet patch cable to router LAN port 1. Using MS Edge browser (after Chrome operated crazy slow when in HTTPS mode).
Context: Going through steps to configure simple Router mode; all settings files were saved/restored with the same build version.

FYI, I worked up the following custom script (adapted from some posts elsewhere) for use in the DD-WRT Admin-Commands-Diagnostics command shell. The script helped me to dump out nvram settings in a browser- and Windows-compatible line-terminated text format. Maybe this will be useful to others in future:

#Run in DD-WRT Diagnostics shell, then view in browser at [router IP]\user\nvdump.asp
cd /tmp/www/;
rm nvdump.asp;
nvram show | sort > nvdump.asp;
sed -i "s/\$/'\<br\>\\r'/" nvdump.asp;

Dumping and comparing the nvram showed that the restore over HTTPS reset the IP settings to 192.168.1.1, along with some other basic settings, and many other settings were left duplicated (redundant) in nvram.

P.S. If anyone happens to know the maximum filename length allowed when restoring settings, that could also be useful to know. Apparently that can also cause a surprise problem with restore, although I don't think it is directly related to the problem above.
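
An added example, not part of the original post: the dump comparison described above, done with awk over two `nvram show` text dumps. It lists keys duplicated within one dump and keys changed, missing or added between a dump taken after the HTTP restore and one taken after the HTTPS restore; the function names, file names and sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare two text dumps made with
# `nvram show > file`. Assumes one key=value pair per line; values that
# span several lines are not handled.

# Keys that occur more than once in a single dump, with their count.
nvram_dupes() {
    awk -F= 'index($0, "=") { n[$1]++ }
        END { for (k in n) if (n[k] > 1) print k, n[k] }' "$1" | sort
}

# Keys changed, missing or added in the suspect dump ($2) relative to the
# known-good dump ($1). For duplicated keys the last occurrence is compared.
nvram_changed() {
    awk '
        {
            p = index($0, "="); if (!p) next
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            if (FILENAME == ARGV[1]) good[k] = v; else bad[k] = v
        }
        END {
            for (k in good) {
                if (!(k in bad)) print "MISSING " k
                else if (good[k] != bad[k])
                    print "CHANGED " k ": " good[k] " -> " bad[k]
            }
            for (k in bad) if (!(k in good)) print "ADDED " k
        }' "$1" "$2" | sort
}

# Constructed sample dumps (not taken from the attached diff).
make_samples() {
    printf '%s\n' 'lan_ipaddr=192.168.10.1' 'router_name=lab-router' \
        'static_leasenum=2' 'wl0_ssid=lab-net' > "$1/http_restore.txt"
    printf '%s\n' 'lan_ipaddr=192.168.1.1' 'router_name=DD-WRT' \
        'wl0_ssid=lab-net' 'wl0_ssid=lab-net' > "$1/https_restore.txt"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "Duplicated keys:";  nvram_dupes "$demo_dir/https_restore.txt"
echo "Differences:"
nvram_changed "$demo_dir/http_restore.txt" "$demo_dir/https_restore.txt"
rm -rf "$demo_dir"
```
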
slice1900
DD-WRT User


Joined: 18 Feb 2013
Posts: 99

Posted: Thu Oct 04, 2018 18:00    Post subject:
Why are you worried about the difference between HTTP and HTTPS over a direct LAN connection to the router? If you were using an unsecured wifi connection, or doing a restore from the WAN I could understand why you need HTTPS. Someone would have had to have already compromised your router or your PC to be able to view the unencrypted traffic over that link - and if that's happened the encryption is pointless.

If you are still concerned about it you can enable both HTTP and HTTPS over the LAN, use HTTP only for NVRAM restores (which presumably are rare) and use HTTPS the rest of the time.

Can you do a reset to factory defaults then a restore via HTTP, then the same with a restore via HTTPS and provide a diff of the two so we can see exactly what is different?
jnwbn
DD-WRT Novice


Joined: 17 Sep 2018
Posts: 4

Posted: Thu Oct 04, 2018 19:01    Post subject:
Because I do plan to use this router over a LAN or WLAN (maybe WAN) that is not as secure as my initial test environment, and HTTPS is good security hygiene in general.

I would like to hear from those who have knowledge of why it isn't working, or if they have instead succeeded with reliable restores over HTTPS.

As requested, I am attaching a diff file [somewhat redacted] showing what is different in the sorted nvram parameters after a good HTTP restore vs. after a bad HTTPS restore, of the same exact backup file.

Attachment: NvramDumpc8vsc6.ilcompare.redacted.txt (136.75 KB)

hackler756
DD-WRT User


Joined: 17 Sep 2014
Posts: 68
Location: Austria

Posted: Thu Oct 04, 2018 19:36    Post subject:
slice1900 wrote:
Why are you worried about the difference between HTTP and HTTPS over a direct LAN connection to the router?


your toilet door does not lock from the inside - just because you're at home ???

a nice person, patiently sits outside your place and captures your WLAN traffic, maybe getting a little help from an older unpatched IPAD and TADA: WLAN Key

now a few more little tricks and your switch becomes a hub, and with your next HTTP router login you'll have the new dd-wrt auto update feature enabled Smile

_________________
ZTE MC801A - 5G bridge mode
R7000 - router, AP 2.4Ghz / 5Ghz
hackler756
DD-WRT User


Joined: 17 Sep 2014
Posts: 68
Location: Austria

Posted: Thu Oct 04, 2018 20:01    Post subject:
I reported an issue with updating dd-wrt via HTTPS on the x86_64 builds: #6303

But I haven't encountered any corruption on my broadcom based R7000 (so far).

With a custom script, you could dump a checksum of the uploaded nvram file and compare it with the local one.

Code:
root@R7000:~#md5sum /tmp/uploaded_file | logger


Did you check the console output during the restore?
Under Services / System Log - enable syslog and klog
Code:
root@R7000:~# tail -f /var/log/messages

or directly with TTL Cable?
jnwbn
DD-WRT Novice


Joined: 17 Sep 2018
Posts: 4

Posted: Fri Oct 05, 2018 3:33    Post subject:
I don't know how to get that checksum or check the log output after a restore, because the router reboots as soon as I do the restore. Maybe I am missing something.
hackler756
DD-WRT User


Joined: 17 Sep 2014
Posts: 68
Location: Austria

Posted: Fri Oct 05, 2018 6:30    Post subject:
my restore on x86_64 with r37139 using HTTPS fails. after reboot -->> factory settings.

Same file - HTTP - nvram restore works.

Ticket: #6452
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Fri Oct 05, 2018 14:47    Post subject:
Somewhere around 36154 or 36168, a whole lot of screwy sh*t happened with flashing via webUI, firmware or nvram restores. Major screwy sh*t. I used to not have ANY issues using the reset to defaults after flash, now it's broken all to sh*t. And it matters NOT what browser I use. I pointed out the differences in serial outputs ... either in a build thread or on a ticket and it's pretty much been ignored, or so it seems. I personally do NOT do any flashing or administrative tasks over wi-fi, so they'd have to snoop wired ethernet as I have webUI, ssh, telnet, etc. access from wi-fi blocked via ebtables.
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 135
Location: SF Bay Area

Posted: Fri Oct 05, 2018 21:52    Post subject:
1. Try a non-edge, non-chrome browser. There are [rare] browser-centric issues.
2. dd-wrt "restore" "over https" returned 14K hits going back to 2010, search engine searches are 10x more effective than forum searches.
3. Avoid acrobatics in both the Diagnostic shell and /tmp/www, rather, use the correct tools provided:
Code:
nvram backup /tmp/$(nvram get os_version).nvrambak.bin

Also 'nvram restore <filename>'. ssh/scp/putty are your friends.
4. See previous, then, for the easy to read version:
Code:
nvram show > /tmp/$(nvram get os_version).nvrambak.txt
.
If you are comfortable with compiling code: https://github.com/tknarr/ddwrt-nvram-tools

Most important in ddwrt-land: if you're riding a dead horse, get off.
jnwbn
DD-WRT Novice


Joined: 17 Sep 2018
Posts: 4

Posted: Sat Oct 06, 2018 18:28    Post subject:
1. Also tried a Firefox browser upon lazardo's suggestion. Saw corruption again on settings restore over HTTPS (and again no problem with backup, and no problem with restore over HTTP). Again it reset the IP and other basic setup parameters, scrambled the VLAN configuration, etc. (But whether it duplicates many other nvram parameters seems sporadic, and not browser-specific.)

2. Been there, searched that (hundreds, not all 14K), and found nothing about a problem restoring DD-WRT settings over HTTPS. Let us know if you have any explicit URLs that are actually pertinent to this issue, not just common word hits.

3&4. Thanks for the alternate commands, which might be useful for future/workarounds.

All of this still leaves the problematic HTTPS restore bug unaddressed. It should be fixed or at least documented/prevented if not fixable. Perhaps the existence of this thread will help others.

Meanwhile, I am still looking for more info / corroboration / explanation of the HTTPS restore issue. Hopefully something will come of the support tickets that hackler756 has submitted (referenced above). The fact that I am relatively new to DD-WRT does not diminish the seriousness of a fatal problem with basic functionality (and HTTPS is pretty basic security these days). If I had the tools setup for it, I would look into debugging the code myself, but others are far better equipped.

Maybe others with a very recent test build, in addition to hackler756, can at least try a restore over HTTPS, and report here if it does or doesn't corrupt/reset their nvram settings like IP address.
Tobit
DD-WRT Novice


Joined: 19 Jul 2016
Posts: 3

Posted: Thu Feb 04, 2021 7:05    Post subject:
I just wanted to say thank you to jnwbn. After restoring a backup on my R7800 (running 30880M, old, I know) I found everything horked (no WiFi, admin password reset to default, static IPs gone). Without knowing what the problem was, this would have been a very tough issue to figure out. Fortunately, Googling "dd-wrt restore config fails" (without quotes) yielded this topic as the top result. Went and restored over HTTP instead of HTTPS and now everything is working perfectly.

Thank you SO MUCH for posting this, it was incredibly helpful.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Thu Feb 04, 2021 7:32    Post subject:
Tobit unless you use that router for a WAP or just an AP with no NAT and DNSmasq behind another router 30880M is fine, in any other cases/uses 30880M is full of vulnerabilities...and lacking of security....

https restore config has been working always, just back in the days there was a glitch...in fact do not restore config files from different builds...

current R7800 builds have a lots of new features updates and stability....

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Tobit
DD-WRT Novice


Joined: 19 Jul 2016
Posts: 3

Posted: Thu Feb 04, 2021 17:42    Post subject:
Alozaros wrote:
current R7800 builds have a lots of new features updates and stability....

Thanks for the heads up.
Alozaros wrote:
in fact do not restore config files from different builds...

Of course, this is one of the main reasons why I and some people shy away from upgrading. After spending hours getting the configuration right where I want it, it's intimidating to think about doing it all again from scratch. But I guess once every 5 years should be doable XD
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

Posted: Thu Feb 04, 2021 18:14    Post subject:
Write down your current settings, or copy paste, or screenshot. Rolling Eyes
Mihai_3
DD-WRT Novice


Joined: 27 Feb 2009
Posts: 5

Posted: Sun Apr 11, 2021 8:32    Post subject: restore BIN file settings on fail over HTTPS
Yes, restoring my backup (.BIN) over HTTPS from LAN failed for me also when I tried it.

I consider this a bug, since there is no warning or anything to let the user know that restoring over HTTPS will not work.
Now, reading this thread I discover that it's already known.

I have: DD-WRT v3.0-r44715 std (11/03/20)
inside of: TP-Link WR1043ND V2. Rolling Eyes