@HackingGate
Last active March 14, 2024 08:56
upgrade ipk on OpenWrt
VERSION=19.07.7
# Download imagebuilder for R7800.
aria2c -c -x4 -s4 https://downloads.openwrt.org/releases/${VERSION}/targets/ipq806x/generic/openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64.tar.xz
# Extract & remove used file & cd to the directory
tar -xvf openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64.tar.xz
rm openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64.tar.xz
cd openwrt-imagebuilder-${VERSION}-ipq806x-generic.Linux-x86_64/
# Use https when making image
sed -i 's/http:/https:/g' repositories.conf
# Make all kernel modules built-in
sed -i -e "s/=m/=y/g" build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/linux-ipq806x_generic/linux-*/.config
# Run the final build configuration
make image PROFILE=netgear_r7800 \
PACKAGES="ca-bundle ca-certificates libustream-openssl -ppp -ppp-mod-pppoe \
uhttpd uhttpd-mod-ubus libiwinfo-lua luci-base luci-app-firewall luci-mod-admin-full luci-theme-bootstrap \
-wpad-mini -wpad-basic wpad-openssl usbutils block-mount e2fsprogs samba4-server luci-app-samba4 \
aria2 luci-app-aria2 ariang stubby curl wget tcpdump kmod-fs-ext4 kmod-usb-storage kmod-usb-storage-uas"
# list result
ls $PWD/bin/targets/ipq806x/generic
# To use opkg via https
opkg update
opkg install ca-bundle ca-certificates libustream-openssl curl wget
sed -i 's/http:/https:/g' /etc/opkg/distfeeds.conf
# DoH with Dnsmasq and https-dns-proxy
# https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy
opkg install https-dns-proxy luci-app-https-dns-proxy
# pkg-upgrade.sh
wget https://gist.github.com/HackingGate/b75ac856397075756ea878380c5b848c/raw/db404b6028b9136b47192ce90f3520e97a3faa3e/pkg-upgrade.sh
chmod +x pkg-upgrade.sh
./pkg-upgrade.sh
# sys-upgrade.sh
wget https://gist.github.com/HackingGate/b75ac856397075756ea878380c5b848c/raw/725c991f7286400e4f0d6ae5f993f8dd17caca90/sys-upgrade.sh
chmod +x sys-upgrade.sh
./sys-upgrade.sh
# Capturing packets
opkg install tcpdump
# Deploy WPA3 Wi-Fi
opkg remove wpad-mini wpad-basic
opkg install wpad-openssl
/etc/init.d/network restart
# Using storage devices
opkg update
opkg install kmod-usb-storage
opkg install kmod-usb-storage-uas
opkg install usbutils
lsusb -t
opkg install block-mount
block info | grep "/dev/sd"
lsusb -t
opkg install e2fsprogs
opkg install kmod-fs-ext4
block detect | uci import fstab
uci set fstab.@mount[-1].enabled='1'
uci set fstab.@global[0].check_fs='1'
uci commit fstab
uci show fstab
service fstab boot
# SMB Samba4
opkg install samba4-server
opkg install luci-app-samba4
# Aria2 and ariang
opkg install aria2
opkg install luci-app-aria2
opkg install ariang
#!/bin/sh
set -e
# Force HTTPS
sed -i 's/http:/https:/g' /etc/opkg/distfeeds.conf
# Update packages
opkg update
for ipk in $(opkg list-upgradable | awk '$1!~/^base-files|^kmod|^Multiple/{print $1}'); do
    opkg upgrade "$ipk"
done
# Download bt trackers
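TRACKERS=`curl -fsS https://raw.githubusercontent.com/ngosang/trackerslist/master/trackers_best.txt \
| tr '\n' ' ' \
| sed 's/ *$//'`
# Stop if the download failed, so the existing bt_tracker entry is not replaced by an empty one
[ -n "$TRACKERS" ] || exit 1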
echo "Updating /etc/config/aria2 bt_tracker"
# Delete config
sed -i "/list bt_tracker/d" /etc/config/aria2
# Append config
echo -e "\tlist bt_tracker '$TRACKERS'" | tee -a /etc/config/aria2
# Download netboot.xyz
wget https://boot.netboot.xyz/ipxe/netboot.xyz.efi -O /root/tftp/netboot.xyz.efi
#!/bin/sh
set -e
# GitHub no longer serves the unauthenticated git:// protocol, so list the tags over https
OPENWRT_TAG=`git ls-remote https://github.com/openwrt/openwrt.git | grep -E -o 'v[0-9]+\.[0-9]+\.[0-9]+' | tail -1`
OPENWRT_VERSION=`echo ${OPENWRT_TAG} | grep -E -o '[0-9]+\.[0-9]+\.[0-9]+'`
rm -f *.manifest manifest.diff
# Use sed remove vlmcsd
opkg list-installed | sed '/vlmcsd/d' | tee list-installed.manifest
wget https://downloads.hackinggate.com/openwrt-${OPENWRT_VERSION}-ipq806x-generic-netgear-r7800/openwrt-${OPENWRT_VERSION}-ipq806x-generic-device-netgear-r7800.manifest
diff openwrt-${OPENWRT_VERSION}-ipq806x-generic-device-netgear-r7800.manifest list-installed.manifest | tee manifest.diff
FILE1_LINES=`cat manifest.diff | grep '<' | wc -l`
FILE2_LINES=`cat manifest.diff | grep '>' | wc -l`
# n1 -ge n2 True if the integer n1 is algebraically greater than or equal to the integer n2.
# n1 -gt n2 True if the integer n1 is algebraically greater than the integer n2.
if [ ${FILE1_LINES} -ge 0 ] && [ ${FILE1_LINES} -eq ${FILE2_LINES} ]
then
    echo "Upgrading to ${OPENWRT_TAG}"
    # Remove any earlier download under the same name that wget writes below
    rm -f openwrt-${OPENWRT_VERSION}-ipq806x-generic-netgear_r7800-squashfs-sysupgrade.bin
    wget https://downloads.hackinggate.com/openwrt-${OPENWRT_VERSION}-ipq806x-generic-netgear-r7800/openwrt-${OPENWRT_VERSION}-ipq806x-generic-netgear_r7800-squashfs-sysupgrade.bin
    # -o attempt to preserve all changed files in /, except those
    # from packages but including changed confs.
    sysupgrade -o openwrt-${OPENWRT_VERSION}-ipq806x-generic-netgear_r7800-squashfs-sysupgrade.bin
fi
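
Added example, not part of the gist: sys-upgrade.sh above flashes when manifest.diff has as many "<" lines as ">" lines, which is also the case when one package has been swapped for a different one. The functions below compare package names instead of counting diff lines. Function names and sample manifests are constructed for illustration, assuming the "name - version" line format that opkg list-installed prints.

```shell
#!/bin/sh
# Added example, not part of the gist. Input lines look like "name - version".

# Print the sorted package names found in a manifest-style file.
pkg_names() {
    awk '$2 == "-" { print $1 }' "$1" | sort -u
}

# Print lines of file $2 that do not occur in file $1 (works when $1 is empty).
only_in_second() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# same_package_set IMAGE_MANIFEST INSTALLED_LIST
# Returns 0 only when both files name exactly the same packages (versions may
# differ). Otherwise prints "-name" for packages that are installed but absent
# from the image, "+name" for packages only in the image, and returns 1.
same_package_set() {
    work=$(mktemp -d) || return 2
    pkg_names "$1" >"$work/image"
    pkg_names "$2" >"$work/installed"
    delta=$(only_in_second "$work/image" "$work/installed" | sed 's/^/-/'
            only_in_second "$work/installed" "$work/image" | sed 's/^/+/')
    rm -rf "$work"
    [ -z "$delta" ] && return 0
    printf '%s\n' "$delta"
    return 1
}

# Constructed sample data: three packages on each side, one swapped for another,
# so diff would show three "<" and three ">" lines.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'base-files - 2.0' 'curl - 2.0' 'tcpdump - 2.0' >"$d/image"
    printf '%s\n' 'base-files - 1.0' 'curl - 1.0' 'nmap - 1.0' >"$d/installed"
    same_package_set "$d/image" "$d/installed" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "package sets differ: not flashing"
```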
@HackingGate
Author

HackingGate commented Aug 4, 2021

Block Country IPs

Tutorial for how to boycott CN IPv4 on OpenWrt.
Script from here https://github.com/kravietz/blacklist-scripts
CIDR IP list from my project https://country-ip-blocks.hackinggate.com

OpenWrt Setup

Install

opkg install ipset curl
wget https://raw.githubusercontent.com/kravietz/blacklist-scripts/master/blacklist.sh
mv blacklist.sh /etc/firewall.user

Create /etc/ip-blacklist.conf

URLS="https://country-ip-blocks.hackinggate.com/CN_IPv4.txt"

Edit /etc/firewall.user

I don't have pppoe-wan and the blocklist doesn't work.
I replaced IN_OPT="-i $wan_iface" with IN_OPT="" and it works now. (kravietz/blacklist-scripts#6)

Activate

# Manual run
sh /etc/firewall.user
# Daily update
echo "01 01 * * * sh /etc/firewall.user" >>/etc/crontabs/root

Check & Test

ipset list -name

Two new sets are added

manual-blacklist
country-ip-blocks.hac

View blocked CN IPv4 entries

ipset list country-ip-blocks.hac

Here's how to use manual-blacklist.

ipset add manual-blacklist 8.8.8.8
ipset list manual-blacklist
ping 8.8.8.8
ipset del manual-blacklist 8.8.8.8
ping 8.8.8.8

Block Multi Lists

Example of /etc/ip-blacklist.conf

# Emerging Threats lists offensive IPs such as botnet command servers
URLS="https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"

# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
URLS="$URLS https://www.blocklist.de/downloads/export-ips_all.txt"

URLS="$URLS https://country-ip-blocks.hackinggate.com/CN_IPv4.txt"
URLS="$URLS https://country-ip-blocks.hackinggate.com/HK_IPv4.txt"
URLS="$URLS https://country-ip-blocks.hackinggate.com/MO_IPv4.txt"

All sets will be named country-ip-blocks.hac and override each other.

To fix it, edit /etc/firewall.user and insert the script between the two lines (L116).

# download the blocklist                                                                                            
set_name=$(echo "$url" | awk -F/ '{print substr($3,0,21);}') # set name is derived from source URL hostname         
curl -L -v -s ${COMPRESS_OPT} -k "$url" >"${unsorted_blocklist}" 2>"${headers}"     

Will be

# download the blocklist                                                                                            
set_name=$(echo "$url" | awk -F/ '{print substr($3,0,21);}') # set name is derived from source URL hostname         
# autodetect country-ip-blocks.hackinggate.com                                                                      
if echo "${url}" | grep -q 'country-ip-blocks.hackinggate.com'; then                                                
    set_name=$(echo "$url" | awk -F/ '{print substr($4,0,21);}')                                                    
fi                                                                                                                  
curl -L -v -s ${COMPRESS_OPT} -k "$url" >"${unsorted_blocklist}" 2>"${headers}"     

sh /etc/firewall.user and ipset list -name will be

manual-blacklist
rules.emergingthreats
www.blocklist.de
CN_IPv4.txt
HK_IPv4.txt
MO_IPv4.txt

Check if there are entries

ipset list CN_IPv4.txt | wc -l
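
Added example, not from the gist or from kravietz/blacklist-scripts: the fix in the comment above special-cases one hostname. The function below generalizes it by using the last path component whenever several URLs share a host, and reports names that still collide. The function name assign_set_names is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the gist or of blacklist.sh.

# assign_set_names "URL URL ..."
# Prints one "set_name url" line per URL. The hostname is used when only one
# URL comes from that host, otherwise the last path component is used.
# Names are cut to 21 characters, the length used by the substr() call quoted
# above. Returns 1 (and reports on stderr) if two URLs still map to one name.
assign_set_names() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | awk -F/ -v max=21 '
        $0 == "" { next }
        { n++; url[n] = $0; host[n] = $3; leaf[n] = $NF; per_host[$3]++ }
        END {
            for (i = 1; i <= n; i++) {
                name = (per_host[host[i]] > 1 && leaf[i] != "") ? leaf[i] : host[i]
                name = substr(name, 1, max)   # start at 1: 21 characters in every awk
                if (name in used) {
                    print "collision on " name ": " used[name] " and " url[i] > "/dev/stderr"
                    dup = 1
                }
                used[name] = url[i]
                print name, url[i]
            }
            exit (dup + 0)
        }'
}

# The multi-list configuration from the comment above.
URLS="https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
URLS="$URLS https://www.blocklist.de/downloads/export-ips_all.txt"
URLS="$URLS https://country-ip-blocks.hackinggate.com/CN_IPv4.txt"
URLS="$URLS https://country-ip-blocks.hackinggate.com/HK_IPv4.txt"
URLS="$URLS https://country-ip-blocks.hackinggate.com/MO_IPv4.txt"

assign_set_names "$URLS"
```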

@HackingGate
Author

HackingGate commented Oct 3, 2021

netboot.xyz

https://netboot.xyz

cd /root
mkdir tftp
cd tftp
wget https://boot.netboot.xyz/ipxe/netboot.xyz.efi

Edit /etc/config/dhcp

config dnsmasq
        ...
        option enable_tftp '1'
        option dhcp_boot 'netboot.xyz.efi'
        option tftp_root '/root/tftp'
config dhcp 'lan'
	...
	list dhcp_option '66,0.0.0.0'

/etc/init.d/dnsmasq restart

@HackingGate
Author

Upgrade OpenWrt

auc

@HackingGate
Author

HackingGate commented Sep 9, 2022

Advertise DNS server

/etc/config/dhcp

config dhcp 'lan'
	...
	list dhcp_option '6,192.168.4.45'
