TP-Link Begins Lockdown of Firmware In Response To FCC
An anonymous reader writes: In response to an FCC rule that requires manufacturers to lock down computing devices (routers, PCs, phones) to prevent modification if they have a "modular wireless radio," TP-Link has begun locking down its routers to prevent firmware not signed by TP-Link from being installed. This essentially prevents open source OSs (OpenWRT, for example) from being used on routers. TP-Link may not be a prestige brand, exactly, but the company makes a lot of routers suitable for installing third-party firmware, precisely the sort of thing being locked down makes difficult if not impossible.
So this is the end of open source firmware on basically any device with a radio
The FCC didn't claim this would happen, and it still happened. Congrats, FCC!
I don't have first hand experience with it, but if you are an aspiring OpenWRT hacker then you might want to look into WRTNode. Using third party proprietary hardware is always fraught with peril anyway.
I am not interested in articles about life extension advancements.
Except the FCC has repeatedly stated time and time again they have no intent of hurting third party open source firmware and they're solely focused on the radio component not causing interference. They even recently modified these rules to appease people worried about this:
http://arstechnica.com/information-technology/2015/11/fcc-we-arent-banning-dd-wrt-on-wi-fi-routers/
So I have a sneaking suspicion this support employee has no damn idea what they're actually talking about.
If the memory isn't built into the wireless chip itself, what is to prevent JTAG or desoldering of the flash chips to install new firmware?
Figured I may as well ask since once one does this, the rest will follow.
You screwed up, you trusted us!
Glad I already returned my TP-Link and bought an Asus. I had the C9 Archer and it was terribly unstable. I guess TP-Link will be falling into obscurity again.
If it can't run OpenWRT without soldering, it's not useful for me. Same goes for any other router that doesn't run a variant of OpenWRT, RouterOS or IOS-*.
Guess I'll be shadowing the OpenWRT forum for my next purchase.
TP-Link is about to see their sales decline. Their cheap shit was eagerly consumed by DIY types putting openWRT on it and frankly you could do some interesting things with it. But, this makes them into just another cheap-shit proprietary Chinese junk network equipment vendor.
I'll pass, thanks.
P.S. Isn't it great how well the FCC listened to all those comments that they solicited? Don't you feel like your voice matters? That you're part of the system? That your government works for you and takes your concerns into consideration?
I tried OpenWRT on a cheap TP-LINK router and it barely managed 1/3 of the throughput of the stock firmware.
Only the State obtains its revenue by coercion. - Murray Rothbard
I've seen claims, or expressions of suspicion that Chinese-made networking gear may have Chinese government backdoors.
I have no idea of the credibility of such. But it seems now the FCC wants to prevent people from taking steps to reduce that possibility by using open firmware.
So what if HP locks their systems to Windows only, as it's easier to do that and they only need to have a Windows-only BIOS / firmware update tool?
The last few routers I've bought for family and friends have been TP-Link, and of course I immediately flash them all with OpenWRT. The last two routers I bought had firmware from October that was locked down, just like TFA makes note of. I wasn't pleased with the google effort and time required to get to where I wanted to go.
As I recall, first I had to find a sort of neutral flashing dd-wrt firmware from early last year, that was possible to be flashed by TP-Link's firmware. Then, since TP-Link's October's firmware was useless, I had to flash the router with a much older version of their firmware, making the unit an April TP-Link router. Once I got that far, I was able to flash to OpenWRT as planned.
I'm happy with the units price and performance under OpenWRT, however I will look to other vendors from now on. Of course I must also blame the FCC, which sort of hurts because lately the FCC has been making a lot of good calls for its actual constituents, (while ignoring its paid-for lobbyists).
Regrettably, they seem to have mistaken channel-based hardware with cryptographically-signed (linux, bsd) databases of allowed channels for something completely different, completely programmable "software defined radios".
The latter are an unsolved problem for the FCC: the former are the chip designers and the Linux networking team working hard to make it easy for the FCC... and being treated badly.
davecb@spamcop.net
Nothing in the regulations prevents use of open source, put the blame where it lies.
With TPlink not having a reason to specifically accommodate open source.
At least the FCC does have a reason to regulate the relevant spectrum.
What about the rest of the world? Have they locked down routers sold in europe for example?
What this will lead to is an open source hardware/software platform, immune to OEM regulation. Imagine a modular router system like arduino or Raspberry PI running routers. I imagine there will be a kickstarter project for an open source WRT or DD-WRT router because of this. Other platforms like Mikrotik will be IMMUNE, as the modular nature of their firmware is germane to their product.
The FCC's rule change makes the manufacturers responsible for compliance, not the owner/operator. How, then, will the vendors deal with the updates required by the glibc bug, http://linux.slashdot.org/stor...
The vendors of anything that can't be reflashed by their users are now responsible to the FCC for any compliance-critical errors in their devices. A DNS hack can allow anyone to change to an illegal channel or use an illegal power level.
Similarly, the vendors are at risk of being named in class-action suits for anyone whose router gets hacked through their negligence. Especially in the US, where suing people seems to be the national hobby (;-))
Do you suppose some tiny Taiwanese firm can afford to do a recall like an auto manufacturer, and fix all their locked-down devices? Or be hauled into a US court without going broke? I suspect not...
Locking down your products for the US market because "it's easy" may turn out to be a company-killing error.
--dave
davecb@spamcop.net
tplink still makes quite a number of decent standalone wireless access points with injector capability. I've never used their AIO devices, but instead I've built a network at the office with a central gentoo router connected to a switch, and the APs locked to vlans with an IDS sniffing the network. FWIW if you need alternatives, pc engines Geode based alix routers are great (AND include AES offload at the cpu level for true random number generator acceleration.)
Good people go to bed earlier.
I recall I purchased one of TP-Link's Mini Pocket Routers. There was a US version that I could not install openwrt on, but there was a Chinese version that could. So hopefully we can still purchase ones outside of the country that can be modified.
That the figurative back-door man would be worse than the actual back-door man?
All I have to do now is find replacement manufacturers - China has a ton.
I've been worrying about the ability for wireless routers to withstand any significant attack, particularly given the responsiveness of the manufacturers of the things (like, none at all) to exploits. So I made a decision to put my wireless router behind a firewall that keeps bad people in the cloud from playing.
Yes, the firewall would cost money ($70 for the computer, $0 for the firewall software -- I'm using CentOS and IPTABLES) and it's another box, but that box protects my inside network, so that I abide by the rule "Never expose Microsoft gear to the bare Internet." As a bonus, I run the router in bridge mode, so that my firewall gets to answer DHCP requests instead of the router. Makes packages like Dropbox work properly even for wireless devices.
I use LANsync quite a bit, because the repository at work has some DVD ISO images, and an update or addition causes quite a bit of network traffic without LANsync. With LANsync, the traffic is between my fileserver and the wireless device, and the uplink carries only the administrative traffic.
What I'm looking for is a wireless card I can put into a CentOS 7 box, so that I don't have to have the lashup I have now. It also means my resulting wireless router/server would be considerably more future-proof than my no-longer-supported Cisco branded router is. (Rebranded Linksys, I think.)
I'm sure TP-Link won't mind the resulting 5-10% drop in sales...
I'm guessing that TP-Link is choosing to lock out all open source software on their devices and blaming it on the FCC.
There is no reason TP-Link or any other vendor can't use signed radio firmware enforcing region specific regulatory limits. Almost all countries have these rules (most follow the US FCC or the EU ETSI, but some have their own). The purpose is to prevent unauthorized use of the unlicensed spectrum. The limits include: allowed RF channels, effective indicated radiated power (EIRP), and Dynamic Frequency Selection (DFS) which protects incumbent services (Military and weather radar) that share the more recently authorized 5 GHz channels (Extended UNI-II)
This is something that PCs have done for years. The radio is untouchable by the user, yet the PCs can run all sorts of open source operating systems. WiFi adaptors have their own embedded firmware that is controlled by the chipset maker (Broadcom, Intel,...)
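The split described in the comment above, and in the earlier comment about cryptographically signed databases of allowed channels, sketched as an added example that is not part of the original thread or any vendor's code: the radio accepts its regulatory table only if the signature verifies, and enforces it regardless of which host OS is asking. The names `Radio`, `sign_table` and `VENDOR_KEY`, the table values, and the use of HMAC in place of a public-key signature are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the chipset maker's signing key. A real radio would
# hold only a public verification key; HMAC keeps this example stdlib-only.
VENDOR_KEY = b"constructed-demo-key"

def sign_table(table: dict, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: serialise the regulatory table canonically and sign it."""
    blob = json.dumps(table, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).digest()

class Radio:
    """Radio firmware: accepts limits only from a correctly signed table."""
    def __init__(self, table: dict, signature: bytes):
        if not hmac.compare_digest(sign_table(table), signature):
            raise ValueError("regulatory table signature invalid")
        self.rules = table["rules"]

    def tune(self, freq_mhz: int, tx_dbm: float, antenna_dbi: float = 0.0) -> float:
        """Return the conducted power actually used, or raise if the channel is barred."""
        for rule in self.rules:
            if rule["lo"] <= freq_mhz <= rule["hi"]:
                # EIRP = conducted power + declared antenna gain; clamp to the signed limit.
                return min(tx_dbm, rule["max_eirp_dbm"] - antenna_dbi)
        raise PermissionError(f"{freq_mhz} MHz not permitted in this region")

# Constructed sample table; the numbers are illustrative, not real FCC limits.
TABLE = {"region": "XX", "rules": [
    {"lo": 2412, "hi": 2462, "max_eirp_dbm": 30},
    {"lo": 5180, "hi": 5240, "max_eirp_dbm": 23},
]}
SIG = sign_table(TABLE)

def host_os_requests():
    """Any host OS (stock or third-party) can ask; the radio decides."""
    radio = Radio(TABLE, SIG)
    results = {"in_band": radio.tune(2437, 20.0), "clamped": radio.tune(5200, 27.0, antenna_dbi=6.0)}
    try:
        radio.tune(2400, 10.0)           # below the lowest permitted channel
    except PermissionError:
        results["out_of_band"] = "refused"
    tampered = json.loads(json.dumps(TABLE))
    tampered["rules"][0]["lo"] = 2300    # host tries to widen the band
    try:
        Radio(tampered, SIG)
    except ValueError:
        results["tampered_table"] = "rejected"
    return results
```

The antenna gain here is a value declared to the radio, so the clamp is only as accurate as that declaration.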
I would never buy a TPLink device (well, to be fair, *any* consumer router) that I couldn't replace the firmware on. It's been very well established that router firmwares are crap.
My router choices are based on the DDWRT HCL. (I'd try OpenWRT, but having to set up a complete toolchain and compile the thing is a bit of a turnoff for me.)
With only a PCB-trace antenna and one ethernet port, that is nearly useless.
Please help metamoderate.
Actually, you're the titanic fail. We've got enough evidence of harassment/spamming/bypassing bans to have you effectively court-ordered off the internet for many years, APK.
And we are going to get it done very soon, with monetary damages included.
So remember, Alexander P. Kowalski, we can find you, we can serve you court papers, and we can cut you off from your source of life and livelihood because you continue to abuse it.
Tech support is not paid to define or even know corporate policy. Asking customer service reps about this is like asking the cashier in the drive through at McDonald's what the next version McD's app will be like.
This means nothing at all.
http://lkml.org/lkml/2005/8/20/95
TP-Link is about to see their sales decline. Their cheap shit was eagerly consumed by DIY types putting openWRT on it and frankly you could do some interesting things with it.
The TP-Link router is a mass market consumer product that retails for $20 and up when purchased from outlets like Amazon.com.
The DIY market is microscopic and always has been.
Really, we don't need a firmware/BIOS/etc lock in software (even if it's partly ROM software). Just give us back a jumper or something similar that's defaulted to "no updates" in a place where most people won't mess with it. For those that really want to tweak their own hardware, just flip the jumper. For others, updates are not allowed.
Or, if you really want to make things convenient for everyone: jumper open=signed updates only; jumper closed=allow unsigned updates.
FCC has no say in the matter; we do not recognize their claims to authority and will not only ignore them, but will actively circumvent and aid others in the same.
We also will no longer use TP-Link, they lost our business.
Anytime a regulator writes a rule, they have to remember that any reaction to that ruling will be met in the cheapest possible way. It's very rare for any company to "do the right thing" when adhering to any regulation. If it's cheaper for them to lock down their device and they assume X loss to those who want to modify it will be less costly than changing their designs to be more modular, they will do it.
I can only suspect that the FCC's ruling is only in part to keep the wattage ratings in check but to also keep possible terrorists from making software changes to allow them to build a communications system that is not as monitor-able.
All that needs to happen is that new radio chipsets need to have a write-once register that can be used to lock the chip to a specific radio band. They could manufacture one chip for global use, and a simple write to that register by the router manufacturer would lock it down to a region. No need to deal with locked firmware at all.
--- Generation X: The first generation to have SIG lines inferior to their parents... ---
And I bought it especially because it was on the supported hardware list for OpenWRT. TP-Link is not the only manufacturer on that list. I think others who make routers that are open will get business from people who want open source firmware for their devices. But I don't know how big of a market this is.
The idea that manufacturers should be compelled to secure their products against intentional misuse by the purchaser is just ridiculous. Consumer products are not sealed black boxes, they are collections of repurposable components.
Isn't the rule a certain level of ERP (effective radiated power), not raw wattage out of the radio?
How does the stock firmware know to reduce the output power to compensate for the 24dbi gain antenna you attached?
OTOH, keeping the consumers in their legally allocated spectrum sounds like a noble cause, but now it's more difficult to get "below" channel 1 and down into the relatively empty Part-90 allocation I'm authorized to use just below 2.4Ghz
Going from the 'buy' to 'don't buy' list. Ouch.
I hope Asus keeps up with their OpenWRT support.
Did they lock down the serial port interface to uboot? What about the jtag port? Can you upload using the jtag port?
Just wondering or that is the going rate. My 4 year old WNDR4500 is good enough to handle streaming netflix wireless br, youtube on two wireless devices, and chromecast audio streaming spotify on 4 wireless devices without any noticeable drops. And if something drops on chromecasts audio (1 sec every 5 minutes), which is the most obvious drop, I blame the driver!
Another Slashdotter said it best.
What's there to be "conflicted" about? In all of these cases, the "security" is "security AGAINST THE OWNER OF THE DEVICE," a.k.a. tyranny. It is unambiguously bad!
A class action against the FCC for violating the fourth amendment would be a start. Their actions are so wrong and misaligned. Are they bought by Crocks In Suits?
In order to form an immaculate member of a flock of sheep one must, above all, be a sheep.
So, I haven't looked at the latest FCC rant, but is the push towards specifically not allowing alternate firmware (are they afraid some one will be able to remotely install new firmware on random routers?)?
Or is the push to secure routers in general, and this company completely screwed it up by locking out one method of securing routers by replacing their crap firmware?
Who messed it up? FCC? or TP?
AB HOC POSSUM VIDERE DOMUM TUUM
Personally I have a fleet of WNDR4300's to play with myself. I have to build my own OpenWRT software for them, but the configuration to do so is out there. I'm just looking at that AC1900 and drooling given its extra elbow room, USB 3 and eSATA port. The WNDR4300 is about $40 used on E-Bay, where the AC1900 is seen at $130 all day long and sometimes less than that.
Unfortunately your WNDR4500 doesn't seem to be supported and with the Broadcom legal issues doesn't seem likely it ever will.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
(anon so as to not undo mods) You mentioned $100 for the 1900AC earlier, and $130 or less here.... dunno about that -- $180 at Amazon and other retailers... I've seen $139 on Ebay (provenance unknown) and also for refurbs.... I think a more realistic price to cite is the $180. And based on that, looks like the 1900ACS model is the same price now, so I'd go with that.