OpenWRT Integrity Checker
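#!/bin/sh
# Check integrity of all files
#
# Configuration for the integrity check / firmware refresh of one device.
# The shebang needs the '!' to be honoured by the kernel; '#/bin/sh' is only
# a comment, so the interpreter would depend on how the script is launched.
SCRIPTNAME=$(basename "$0") # name of this script (quoted: path may contain spaces)
PCKGLIST=/etc/config/opkg.installed # location to save package list
KERNEL_VER=$(uname -r) # running kernel release
# Define base firmware model
MODEL=glinet_gl-mt300n-v2
SOC=mipsel_24kc
# Package index signature URL pattern, for reference:
# https://downloads.openwrt.org/releases/21.02.0/packages/${SOC}/telephony/Packages.sig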
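# Take a snapshot first
# Make a list of executable files using find and run through sha256sum
# Check for required software and stop early when a tool is missing, so the
# download and verification steps never run with a verification tool absent.
# curl is listed because the download step of this script invokes it.
for tool in sha256sum gpg curl; do
  if ! type "$tool"; then
    echo "required tool not found: $tool" >&2
    exit 1
  fi
done
type wget # built in no need to install curl (takes up too much space)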
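# Define kernel and sysupgrade binaries
# ${MODEL} is parameter expansion. $(MODEL) is command substitution: it would
# try to run a program called MODEL and leave the file name without its prefix.
KERNEL="${MODEL}-initramfs-kernel.bin"
SYSUPGRADE="${MODEL}-squashfs-sysupgrade.bin"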
# Check for internet connection: one quiet ping, with the result shown on the
# LEDs (both switched on when the ping succeeds, both switched off otherwise).
# The script carries on either way; the LEDs are the only use of the result.
if ping -q -c 1 google.com; then
  echo 1 > '/sys/class/leds/green:power/brightness' # turn on LED
  echo 1 > '/sys/class/leds/red:wlan/brightness'
else
  echo 0 > '/sys/class/leds/green:power/brightness' # turn off LED
  echo 0 > '/sys/class/leds/red:wlan/brightness'
fi
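# Update package lists
opkg update
# Package list files under /var/opkg-lists, one per feed
CORE=/var/opkg-lists/openwrt_core
BASE=/var/opkg-lists/openwrt_base
LUCI=/var/opkg-lists/openwrt_luci
PACKAGES=/var/opkg-lists/openwrt_packages
ROUTING=/var/opkg-lists/openwrt_routing
TELEPHONY=/var/opkg-lists/openwrt_telephony
# Load the /etc/os-release values into environment variables.
# The file is parsed as KEY=VALUE text instead of being sourced, so nothing in
# it is executed. The quotes around a value are stripped: exporting the raw
# line would keep them as part of the value (VERSION_ID would be "x" with the
# quote characters included), which corrupts any URL built from these values.
while IFS='=' read -r key value || [ -n "$key" ]; do
  case "$key" in
    '' | \#* | [0-9]* | *[!A-Za-z0-9_]*) continue ;; # blank, comment, or not a variable name
  esac
  case "$value" in
    \"*\")
      value=${value#\"}
      value=${value%\"}
      ;;
    \'*\')
      value=${value#\'}
      value=${value%\'}
      ;;
  esac
  export "$key=$value"
done < /etc/os-release
#echo $VERSION_ID
# Get version info
cat /proc/version
# Get list of installed packages (names and versions only, no file hashes)
opkg list-installed > "$PCKGLIST"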
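# Find all files
# Report every regular file under the system binary directories that the
# current user may execute. One loop replaces four copies of the same line,
# and reading find's output line by line keeps names containing spaces or
# glob characters intact (the unquoted `find` expansion split and globbed them).
# NOTE(review): this only lists the files; it does not hash or compare them.
for dir in /sbin /bin /usr/bin /usr/sbin; do
  find "$dir" -type f | while IFS= read -r file; do
    if [ -x "$file" ]; then
      echo "$file is executable"
    fi
  done
done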
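# build our download url
#https://downloads.openwrt.org/snapshots/targets/ramips/mt76x8/
# ${VAR} is parameter expansion; $(VAR) would try to run a command named VAR.
# OPENWRT_BOARD comes from /etc/os-release; tolerate a value that still
# carries the quotes used in that file.
BOARD=${OPENWRT_BOARD#\"}
BOARD=${BOARD%\"}
BASE_URL="https://downloads.openwrt.org/snapshots/targets/${BOARD}"

# Private work directory under /tmp, so the downloads do not use predictable
# file names.
WORKDIR=$(mktemp -d /tmp/fwcheck.XXXXXX) || {
  echo "ERROR: cannot create work directory" >&2
  exit 1
}

# Report why the upgrade is refused, discard the downloads and stop.
abort_upgrade() {
  echo "ERROR: $1 - not flashing" >&2
  rm -rf "${WORKDIR:?}"
  exit 1
}

# Files sha256sums, sha256sums.sig, sha256sums.asc
# curl -O takes no argument and saves into the current directory, so each
# download gets an explicit -o target instead.
# NOTE(review): confirm that ${SYSUPGRADE} matches an image name listed in
# sha256sums for this target; if it does not, the checks below refuse to flash.
for f in sha256sums sha256sums.asc sha256sums.sig "${SYSUPGRADE}"; do
  curl -s -f -o "${WORKDIR}/${f}" "${BASE_URL}/${f}" \
    || abort_upgrade "download of ${f} failed"
done

# Authenticate the checksum list first; a checksum only means something once
# the list it comes from is known to be genuine.
# sha256sums.asc is the detached GPG signature. sha256sums.sig is the usign
# signature, which gpg cannot read.
# gpg --verify succeeds for a good signature made by ANY key in the local
# keyring, so that keyring should hold only the OpenWrt signing key whose
# fingerprint was checked out of band.
gpg --verify "${WORKDIR}/sha256sums.asc" "${WORKDIR}/sha256sums" \
  || abort_upgrade "signature check of sha256sums failed"

# check the integrity of the image file via sha256sums
# The list names every image of the target, so only the entry for the
# downloaded file is checked, from inside the directory that holds it.
grep -F -- "${SYSUPGRADE}" "${WORKDIR}/sha256sums" > "${WORKDIR}/sha256sums.image" \
  || abort_upgrade "no checksum entry for ${SYSUPGRADE}"
# the desired result is that the downloaded firmware filename is listed with "OK" afterwards
(cd "${WORKDIR}" && sha256sum -c sha256sums.image) \
  || abort_upgrade "checksum mismatch for ${SYSUPGRADE}"

####################################################
# Initiate sysupgrade with your desired options
# by default ( no -n ) settings are kept
# Reached only when the signature and the checksum both verified.
####################################################
sysupgrade -v "${WORKDIR}/${SYSUPGRADE}"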
@djeraseit

adb - android.5.0.2_r1-3
autossh - 1.4g-2
base-files - 1432-r16279-5cc0535800
busybox - 1.33.1-6
ca-bundle - 20210119-1
ca-certificates - 20210119-1
cgi-io - 2020-10-27-ab4c3471-19
curl - 7.78.0-1
dnsmasq - 2.85-8
dropbear - 2020.81-2
ebtables - 2018-06-27-48cff25d-1
ebtables-utils - 2018-06-27-48cff25d-1
firewall - 2021-03-23-61db17ed-1
fstools - 2021-01-04-c53b1882-1
fwtool - 2019-11-12-8f7fe925-1
getrandom - 2020-10-25-9ef88681-2
hostapd-common - 2020-06-08-5a8b3662-35
ip6tables - 1.8.7-1
iptables - 1.8.7-1
iptables-mod-tproxy - 1.8.7-1
iw - 5.9-8fab0c9e-1
iwinfo - 2021-04-30-c45f0b58-2.1
jq - 1.6-1
jshn - 2021-05-16-b14c4688-2
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 5.4.143-1-81b5fa8a3bdde9109c65df5b7a2d086e
kmod-arptables - 5.4.143-1
kmod-cfg80211 - 5.4.143+5.10.42-1-1
kmod-crypto-ecdh - 5.4.143-1
kmod-crypto-hash - 5.4.143-1
kmod-crypto-kpp - 5.4.143-1
kmod-crypto-lib-blake2s - 5.4.143-1
kmod-crypto-lib-chacha20 - 5.4.143-1
kmod-crypto-lib-chacha20poly1305 - 5.4.143-1
kmod-crypto-lib-curve25519 - 5.4.143-1
kmod-crypto-lib-poly1305 - 5.4.143-1
kmod-ebtables - 5.4.143-1
kmod-gpio-button-hotplug - 5.4.143-3
kmod-ip6tables - 5.4.143-1
kmod-ipt-conntrack - 5.4.143-1
kmod-ipt-core - 5.4.143-1
kmod-ipt-geoip - 5.4.143+3.13-4
kmod-ipt-ipset - 5.4.143-1
kmod-ipt-nat - 5.4.143-1
kmod-ipt-offload - 5.4.143-1
kmod-ipt-tproxy - 5.4.143-1
kmod-leds-gpio - 5.4.143-1
kmod-lib-crc-ccitt - 5.4.143-1
kmod-mac80211 - 5.4.143+5.10.42-1-1
kmod-mt76-core - 5.4.143+2021-06-06-22b69033-4
kmod-mt7603 - 5.4.143+2021-06-06-22b69033-4
kmod-nf-conntrack - 5.4.143-1
kmod-nf-conntrack6 - 5.4.143-1
kmod-nf-flow - 5.4.143-1
kmod-nf-ipt - 5.4.143-1
kmod-nf-ipt6 - 5.4.143-1
kmod-nf-nat - 5.4.143-1
kmod-nf-reject - 5.4.143-1
kmod-nf-reject6 - 5.4.143-1
kmod-nfnetlink - 5.4.143-1
kmod-nls-base - 5.4.143-1
kmod-ppp - 5.4.143-1
kmod-pppoe - 5.4.143-1
kmod-pppox - 5.4.143-1
kmod-slhc - 5.4.143-1
kmod-tun - 5.4.143-1
kmod-udptunnel4 - 5.4.143-1
kmod-udptunnel6 - 5.4.143-1
kmod-usb-core - 5.4.143-1
kmod-usb-ehci - 5.4.143-1
kmod-usb-ohci - 5.4.143-1
kmod-usb2 - 5.4.143-1
kmod-wireguard - 5.4.143-1
libblobmsg-json20210516 - 2021-05-16-b14c4688-2
libc - 1.1.24-3
libcap - 2.43-1
libcurl4 - 7.78.0-1
libevent2-7 - 2.1.12-1
libgcc1 - 8.4.0-3
libip4tc2 - 1.8.7-1
libip6tc2 - 1.8.7-1
libiwinfo-data - 2021-04-30-c45f0b58-2.1
libiwinfo-lua - 2021-04-30-c45f0b58-2.1
libiwinfo20210430 - 2021-04-30-c45f0b58-2.1
libjson-c5 - 0.15-2
libjson-script20210516 - 2021-05-16-b14c4688-2
liblua5.1.5 - 5.1.5-9
liblucihttp-lua - 2021-06-11-3dc89af4-1
liblucihttp0 - 2021-06-11-3dc89af4-1
libncurses6 - 6.2-1
libnghttp2-14 - 1.43.0-1
libnl-tiny1 - 2020-08-05-c291088f-2
libopenssl1.1 - 1.1.1l-1
libpcap1 - 1.9.1-3
libpthread - 1.1.24-3
libreadline8 - 8.1-1
librt - 1.1.24-3
libsodium - 1.0.18-3
libubox20210516 - 2021-05-16-b14c4688-2
libubus-lua - 2021-06-30-4fc532c8-2
libubus20210630 - 2021-06-30-4fc532c8-2
libuci20130104 - 2020-10-06-52bbc99f-5
libuclient20201210 - 2021-05-14-6a6011df-1
libustream-wolfssl20201210 - 2020-12-10-68d09243-1
libwolfssl4.7.0.66253b90 - 4.7.0-stable-2
libxtables12 - 1.8.7-1
logd - 2020-10-25-9ef88681-2
lua - 5.1.5-9
luci-app-firewall - git-21.244.20922-3b3c2e5
luci-app-opkg - git-21.079.58598-6639e31
luci-base - git-21.231.26241-422c175
luci-lib-base - git-20.232.39649-1f6dc29
luci-lib-ip - git-20.250.76529-62505bd
luci-lib-jsonc - git-19.317.29469-8da8f38
luci-lib-nixio - git-20.234.06894-c4a4e43
luci-mod-admin-full - git-19.253.48496-3f93650
luci-mod-network - git-21.243.25235-d9a228e
luci-mod-status - git-21.188.55036-eafe171
luci-mod-system - git-21.230.63964-c3580ee
luci-proto-ipv6 - git-21.148.49484-14511e5
luci-proto-ppp - git-21.163.64918-6c6559a
luci-theme-bootstrap - git-21.164.71418-bd36169
mtd - 26
netifd - 2021-07-26-440eb064-1
odhcp6c - 2021-01-09-53f07e90-16
odhcpd-ipv6only - 2021-07-18-bc9d317f-3
openwrt-keyring - 2021-02-20-49283916-2
opkg - 2021-06-13-1bf042dd-1
ppp - 2.4.8.git-2020-10-03-3
ppp-mod-pppoe - 2.4.8.git-2020-10-03-3
procd - 2021-02-23-37eed131-1
px5g-wolfssl - 3
rpcd - 2021-03-11-ccb75178-1
rpcd-mod-file - 2021-03-11-ccb75178-1
rpcd-mod-iwinfo - 2021-03-11-ccb75178-1
rpcd-mod-luci - 20210614
rpcd-mod-rrdns - 20170710
softethervpn5-client - 5.02.5180-1
softethervpn5-libs - 5.02.5180-1
swconfig - 12
tcpdump - 4.9.3-3
terminfo - 6.2-1
tor - 0.4.5.8-1
torsocks - 2.3.0-1
ubox - 2020-10-25-9ef88681-2
ubus - 2021-06-30-4fc532c8-2
ubusd - 2021-06-30-4fc532c8-2
uci - 2020-10-06-52bbc99f-5
uclient-fetch - 2021-05-14-6a6011df-1
urandom-seed - 3
urngd - 2020-01-21-c7f7b6b6-1
usign - 2020-05-23-f1f65026-1
wireguard-tools - 1.0.20210223-2
wireless-regdb - 2021.04.21-1
wpad-basic-wolfssl - 2020-06-08-5a8b3662-35
zlib - 1.2.11-3


djeraseit commented Oct 10, 2021

USB tethering / TTL modification

opkg install iptables-mod-physdev
opkg install iptables-mod-ipopt

Modify /etc/sysctl.d/11-br-netfilter.conf
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

Firewall rule for /etc/firewall.user (use one of the two variants)
Bridged:
iptables -t mangle -I POSTROUTING -m physdev --physdev-out usb0 -j TTL --ttl-set 65
or
Standard routed:
iptables -t mangle -I POSTROUTING -o usb0 -j TTL --ttl-set 65
