FCC Locks Down Router Firmware

For years, we have been graced with consumer electronics that run some form of Linux, have a serial port on the circuit board somewhere, and are able to be upgraded through official and unofficial means. That digital picture frame you got for Christmas in 2007 and forgot to regift in 2008? That’s a computer, and it would make a wonderful Twitter feed display. Your old Linksys WRT54G router? You can make a robotic lawnmower out of that thing. The ability to modify the firmware of consumer electronics is the cornerstone of Hackaday’s editorial prerogative. Now that right we have all enjoyed is in jeopardy, thanks to regulations from the FCC and laziness from router manufacturers.

Several months ago, the FCC proposed a rule that governed the certification of RF equipment, specifically wireless routers. This regulation would require router manufacturers to implement security on the radio modules inside these routers. While these regulations only covered the U-NII bands – the portion of the spectrum used for 5GHz WiFi, and there was no expectation of implementing security on the CPU or operating system of these routers, there were concerns. Routers are built around a System on Chip, with the CPU and radio in a single package. The easiest way to prevent modification of the radio module would be to prevent modification to the entire router. Some would call it fear mongering, but there was an expectation these proposed FCC rules would inevitably lead to wireless routers being completely locked down.

These expectations have become reality. Libre Planet has received confirmation from a large router manufacturer that firmware is now being locked down thanks to FCC rule changes.

News of this change to router firmware comes from a Battlemesh mailing list, a contest centered around modifying WiFi routers for mesh networking and ad-hoc networks. According to a  customer service rep, TP-Link has locked down the firmware for several models of WiFi routers due to the new FCC rule change. The models affected include the most recent 802.11n from TP-Link, and there is no way to use other firmware on these routers.

The controversy surrounding the FCC’s rule change has ebbed and flowed over the last several months, with the most recent chapter in the story coming from [Julias Knapp], chief of the FCC’s Office of Engineering and Technology. The FCC took note of the comments for the proposed rule and removed mentions of third-party Open Source firmware being disallowed on wireless devices.

Now, it seems, router manufacturers are continuing on with the easiest implementation of the new FCC rules.

The troublesome issue with the FCC’s latest rules governing radio output power on the 5GHz band was never serious. The issue only concerned the radio module itself, and not the entire router. Changes to firmware that would allow routers to comply with the FCC’s decision could be implemented without an outright banning of third-party firmware. However, because of the architecture of most consumer routers, and the fact that banning third-party firmware was the easiest way to comply with FCC rules, we’re in a pretty big mess.

This isn’t malice on behalf of the FCC or TP-Link; this is the product of doing what is required with the least amount of effort. TP-Link must limit transmit power on the 5GHz band, and locked firmware is the simplest way to do that. It’s a sad state of affairs, but custom firmware will eventually be loaded onto these routers; it’s just a little harder now and slightly more absurd.

112 thoughts on “FCC Locks Down Router Firmware

      1. It is just the telecoms trying to remain relevant, as the world shifts away from proprietary networks.
        This is why most of the US is still on G2 bands running G3 protocols, and “lov’n it”. =(

        America doesn’t make the hardware any more, so the FCC can go shove its unenforceable policy where the sun don’t shine. If anyone falls for this business collusion scam, we will be suing you under the very TPP deal Disney is passing in your CONgress.

        1. what is actually gonna happen is that no proper producer of net equipment will listen to the deranged ramblings of what goes for a political system in the US.

          the rest of the world will probably carry on as before, worst consequence is that routers would have to be US specific, something that in the very monopolized world of US net coverage probably isnt any worse than what is already available(or rather, not available)

          1. The rest except for Canada. The standards for WiFi are the same and these companies are not going to bother creating a separate model for Canada. We’ll get the locked US version by default.

    1. the fcc is just helping the open source community create the next 50 watt wifi router. of course the fcc forgot about the aftermarket wifi amplifers that plug into the antenna jack. so what is the fcc really worried about? access to possibly a software defined radio?

    1. Most of these guys don’t use SPI flash modules. They’re usually using the cheap NAND flash chips. So it’s a bit more involved in doing this but it would be possible. I’m not aware of any way to do them in-line easily though because of the package size and type so the few times I’ve seen someone pull data off they had to desolder the chip and put it on a new board. Not really something that is sane for a project like OpenWRT to recommend.

    2. What about the export version? You’d not want to update the Japanese version if you don’t have to, and that (older) version would allow software updates. And the American version should allow loading the Japanese version as a “Valid” update.

      1. I’d guess lowest common denominator rules. In this case, the Japanese don’t NEED to be able to run custom firmware. So if the American government says “lock the firmware”, everyone gets locked firmware. Still suits nearly all customers. Saves having to have 2 separate ROM versions out there, creating worry and confusion.

      2. The US version will check the region code (ala DVDs of yore, remember?). A signed Japanese FW image will not have the correct region code for the US version and will be summarily rejected. You want to hack the US region code? Finding it might be a challenge if its saved in a fusereg on the die. Further challenges: JTAG disabled, signed FW only etc. Might be a hard job I think. All that said, I am sure eBay will always have a steady stream of Far East routers that can be hacked easily (probably even encouraged by Far East SoC vendors).

  1. It might also be the only way to implement it – most versions of dd-wrt, from what I can tell, can pretty much adjust any radio parameter, which I assume happens directly over some serial bus to the radio chipset. I’m not sure how you’d permit third party firmware operation while restricting only a single parameter or chipset from being modified. Maybe a open source router developer has some ideas? Honestly, it’d probably require coordination between an open source router developer and a router company, which sounds like a hell of a lot of extra man hours (probably requires some sort of open-source API to access the 5GHz band, etc.) Honestly probably won’t be possible to any real degree of security preventing 5GHz band modifications.

    1. This sounds like a business opportunity. Make a hackable router, with full serial port and extra memory, and the entire market would get pushed into your line. Of course you’d have to charge extra for all that.

        1. I dunno about that. I saw a post on a site somewhere, “How do I make a J tag?”. Presumably a bit better than an I tag but cheaper than a K tag.

          It was to do with hacking Xbox 360s, dicking with the flash on the optical drive, I think, let you put your own code on, either pirated games or homebrew or emulators or whatnot. So you had kids who didn’t know what a transistor was, attempting JTAG reprogramming with some files they’d downloaded off a gaming site.

          If they were doing the hacking themselves you could admire their interest, and persistence, but these were just grasping dumbasses wanting free consumer goods. Not in the least aware of what they were doing, just following the steps like baking a cake.

          My point is, dicking with JTAG is no longer as high up the ivory tower as it was. We’ve got norms doing it, or attempting it. So if, one day, some genius comes up with a way of abusing 5GHz for some reason, it’ll be all over the net in a week. Rather than just one guy’s home workshop. So they have to make a serious attempt to do this properly.

          Myself, I think it’s premature, I’d have waited to see if any problems actually happened, before I started laying down laws. This is why I ought to be in charge of everything. What actually are the alleged dangers, of overpowered transmitting on 5GHz?

      1. You’d be in competition with companies that make tens of millions of routers, selling a feature that only a few thousand people want.

        Still… you have to ask, “what is being lost?”. Sure you no longer have access to a nice ARM and some RAM, but they’ve got even cheaper over the last few years. You can just use a Raspi. If you want Wifi on your project, have it connect to the router through Ethernet.

        The only thing these routers offer, that you can’t get some other small, cheap, computer to do, is actual routing. So it just means those two functions have now been split apart. Your home-made file server will need an extra board, to do the serving, and connect to the router through the front door for the network connection.

        It’s not a huge loss. Mobile phones and embedded ARMs finding their way into everything, have changed the landscape since people started router hacking. These $10 Android phones HAD mentioned a while ago, might well do the same job better. Slap in a $5 Pi Zero, or an Arduino, for the GPIOs, and you’re better off than you were.

          1. Hm, that’s a bugger. Maybe the time’s come for somebody to open-source a router. An FPGA might be able to do it, one with an ARM system on board maybe. Wifi would be difficult, but not impossible. Perhaps use a USB Wifi adaptor for that, or just an Ethernet connection to a separate Wifi router. But your main Internet connection, for most people, comes down a wire, so if you were able to plug your own router between that, you could firewall any backdoors.

            Actually this law only affects wireless routers. So a simple wire-only one, if they still sell them, would be exempt. Whether they’d choose to lock down the firmware ANYWAY, I dunno. Might be the case that they use the same design for the wifi / non-wifi ones, and just leave the Wifi stuff out if it’s not used.

            Still, back in the day, people would use an old 386 PC running an early Linux as a firewall. A single-board Linux computer could do the same thing. So you could secure your stuff that way. Most people wouldn’t, of course, but it’d still be possible.

          2. I’m reply to Greenaum, that’s exactly what a lot of people use PC Engines ALIX boards for. Lots of people use them as a low power multipurpose media server/firewall/router that runs Linux. We buy them by the case to make wireless APs.

        1. You are also jammed up with a router firmware that is complete and utter trash, versus a firmware that crams serious routing and switching features that are simply not available on anything but enterprise equipment. I have always used dd-wrt because it allows me to see what every single mac address on my network is doing. This allows me to diagnose Windows PCs blasting information out to god-knows-where when they are sitting there idle with no (visible) programs running… could be Windows Update torrenting bits of itself out to people at the expense of my latency in a first-person shooter game or it could be a virus on a roommate’s computer acting as a part of a botnet DDoS.

          Until every company puts serious vlan, QoS, NAT rules, firewall rules (including iptables type rule granularity), traffic monitoring, multiple wifi network (including guest networks), and (custom) DynDNS support into every router, and they manage to do it RIGHT in every router, I had planned on using dd-wrt.

          I guess government bureaucracy is the quickest way to a perfect world!

          1. Check out the company called Ubiquity. Everything is enterprise grade and manageable with consumer level pricing. Their Edge Router Lite 3 port router blows the socks off everything at $99. You can find it cheaper as an open box item at their major distributor Doubleradius.com . It is managed gear and based on Vyatta but specifically tailored to the hardware they use so they can get the best bang for the buck. You have to leave the gui’s though and do console work for more advanced functionality but its way better than DDWRT etc could hope to be.

          2. I’ve heard a lot of good things about Ubiquity equipment. The Area515 hackerspace in Des Moines, where I used to live, uses their APs at least, and possibly one of their routers (though I can’t be sure about that). However, they were all set up by a person who works for a local ISP and has experience dealing with enterprise CLIs.

            I have no such experience, other than blocking some IP addresses connected to some WordPress hack attempts with iptables (with a lot of ‘man iptables’ going on, at that). That is why dd-wrt was so great. You had a polished GUI with some fields that allowed you to configure using commandline entries if need be. I never had to use any of that, though, because the GUI is so complete.

    1. Am I paranoid in thinking that the cellular companies know that consumers aren’t going to like it when they coop the 5Ghz band for LTE, and these rules are being put into place to stop people from modifying routers to fight off the LTE incursion?

      1. Three things:

        Very few people will be angry enough at something that technical to break federal law and interfere with transmissions. AFAIK this sort of thing has never happened — please correct me if I’m wrong.

        Purposefully interfering with LTE would be very, very illegal, and also fairly easy to trace. I suspect phone companies would just go that route if it proves a problem.

        Locking down routers won’t stop anyone who is determined enough. I suspect a relatively simple circuit could interfere heavily, especially because cellular radios themselves might be purchasable. One might even be able to use a magnetron!

        1. 5GHz “cellular radio”, that’s basically a phone!

          People run custom firmware on Andoid phones all the time. I don’t know what the modded firmware actually contains, how much of the phone’s total software it replaces. Is the phone’s radio run separately from Android / Cyanogen? Does Android just open a port, and send simple commands, like a land-line modem? So the radio part would be implemented separately, either separate chip, or separate at least on a logical level.

          Or does Android / Cyanogen etc have to do the actual frequency-hopping? Or at least, say, a module that does that? I think Android phones typically have a separate CPU for all the realtime stuff, with Android running on the nice fast ARM doing the high-end stuff.

          I should just go look this up myself, but if anyone wants to explain I’m sure others would find it interesting too.

          The point I’m meandering from was, that a 5GHz phone is a great example of a programmable 5GHz transceiver. I wonder if you can update the back-end radio software? Not just the OS. What if you had a few pins connected to one of the phone’s chips, could you do it then?

          There’s not a lot of point doing it, since the comms are all encrypted. But in the situation of someone who wanted to dick with phone service, that might be an ideal way. Portable and undetectable to the naked eye. Might even resist quite a lot of analysis, if it looks like a normal phone when it’s operating. Just key in a secret code for the naughty stuffz.

          You could even buy a few cheap phones, and leave them on a bus, or a train, or whatever, that’d make it really difficult to track down your mobile network outage.

          1. All the phones I know of (at least modern ones) have a separate microcontroller for the cellular radio with its own firmware. So if you wanted to modify a phone to talk on a frequency band its not otherwise allowed to talk on, you would need to hack/modify that.

          2. The cellular radio in almost every phone I’ve encountered is a separate chip. The operating system sends manual commands to the cellular chip but it can’t control the chip in a way that would allow misuse.

        2. Well, the reason that consumers are going to be pissed is that cellular providers are planning to use the 5GHz wifi band for LTE and disable listen-before-talk in countries like the US that let them get away with it, so that LTE will transmit on top of existing WiFi transmissions, forcing the WiFi transmitter to give up and resend whenever the LTE networks decide to shut up and hope they won’t stomp on the retransmission too. Disabling listen-before-talk for non-WiFi transmissions and making the LTE devices give up and move back to their own bands seems like a perfectly reasonable response to that.

    2. Most of the time when US government or any other government for that matter makes a rule there is some ulterior motive behind it.
      The cell companies probably paid off the FCC to gain some bandwidth.
      The cellular companies in the US are some of the most corrupt companies in the world which is why wireless service in the US is over priced slow and crippled with data caps.
      This has me pissed because the stock firmware in most consumer routers is as best mediocre and limited and at worst trash.
      Open firmware is a way to literally make a silk purse out a of a sows ear as I once flash a Microsoft router with tomato and turned a door stop into a useful repeater.

  2. From what I’ve read at a few places, you can still replace the shipping firmware by using a serial console and doing a “recovery load”/restore via TFTP, at least on some TP-Link models. it’s just impossible to upgrade/change the firmware using the native GUI interface.

    1. Note the term used in the above article.
      “laziness from router manufacturers.”
      It won’t be long until someone finds a way to flash custom firmware on a router that wasn’t locked down properly.
      It’s happened with numerous video game consoles as well as many other ‘IoT’ devices posted here on Hackaday like Network Enabled outlets :D

      Have no fear, the hackers are here!

      1. A big difference is, there’s a huge amount of pressure to crack video game consoles. Both for the people who sell the mod kits (at first, at least, til every dick with a PIC programmer starts cloning the mod chips), and the people who sell pirated software that needs modified consoles to work.

        Obviously… China…

        Don’t need to say much more. They’ve got a few bright sparks over there. Plenty of demand for pirated media. So lots of demand, pressure, money, for cracking “protection”.

        Same thing doesn’t exist for router mods. Nobody really makes money from modding routers, far as I know. If a Chinese business wants to produce a networked media player, they do it from scratch, using some of the many chips that would do the job. They have access to the hardware and the documentation and data, on a level that Western companies really don’t have.

    2. Several sources report that the “lockdown” is after all just an MD5 check of sorts, and dd-wrt apparantly already released some (perhaps unofficial) images that match the update routine’s requirements. So it seems that this lockdown only keeps the casual user from flashing custom firmware.

    3. So if one of the new locked down routers is hacked by one guy, possible with great difficulty, and the firmware is reverse engineered and serious security flaws are found and published, do the manufacturer the have to recall all of them for upgrades?

    1. Exactly. See: Android rooting and bootloader unlocking, iOS jailbreaking, game console hacking, software cracking for piracy, DRM removers. This probably won’t even be as hard as these.

  3. “Now, it seems, router manufacturers are continuing on with the easiest implementation of the new FCC rules.”

    Or they could just invent a whole new architecture that doesn’t allow RF adjustments that are outside FCC limits.

    They took the only reasonable alternative to halting production till chipmakers produce new chips to comply with FCC regs.

    1. That’s a horrible business model…
      Great for us, but no one in their right mind would put excessive time into making something ‘hacker’ friendly unless that was the major target audience for a product. Why can’t people see past the “me me me!” goggles they are wearing when someone makes a change that does not benefit them?

    1. Linksys didn’t realize the value of hackable routers as a benefit to consumers. They used a soc that incorporated open source code that require GNU licensing. People figured it out and Linksys had to release GNU code for it. This ended up being a good thing for the community, but it wasn’t the intention. Linksys’ later routers (Cisco years) were so locked down, you had to configure them through an ON-LINE interface connected to the web.

      Following that, I got tired of the routers built with these SOCs and performance with the default firmwares, so I built a router out of a bookshelf PC and smoothwall, and use Ubiquiti APs for my wireless. Its not for everyone, but I have a slightly complicated wired network so it makes sense.

      1. +1 for the Ubiquiti APs. I spent maybe 30 minutes setting it up around a year ago and that was the last time i thought about it. It has “just worked” since then with no need to reboot it.

      2. Great I used a old dell gx270 an extra nic not wireless but still can add wireless if I choose.
        IPfire worked well and sets up in no time including openvpn.
        Had to do this because the Cisco router kept failing credit card security tests and Cisco could not fix said router with new firmware (their intent was to upsell me) .

  4. note that the manufacturer in question (tplink) locked down their routers in 2013 and are now claiming that they did so because of the FCC rules in 2015

    this would be far from the first time that a manufacturer claimed they were locking things down because of FCC rules when the rules did not require this.

    Nobody has been able to get anyone in the FCC to confirm that they are requiring this. The last official statement from the FCC was that they were NOT trying to require this sort of lockdown.

  5. Washington has adopted a path to eliminate innovation, the FCC and FAA are among the 1st. The slow creep is 100% in effect, Magic pens stored in the White House can dictate the push to America being the next 3rd world country ruled by it sitting dictator.

  6. So this seem shitty to say the least, BUT…
    I am confident that it will open up a market for an open router community just like the Raspberry Pi, but for networking!
    A box made by hackers for hackers, with more and better features than any of the established ones. Basically opernWRT, but on our own hardware. And the WiFi modules are just added via some port, who cares. FCC happy, hackers happy.

    1. There are lots of things like that that already exist. The first one that springs to mind is the Carambola2 from 8devices. It’s based on the pretty ubiquitous AR9331, runs OpenWRT and is pretty cheap. If memory serves, which it may not, there’s also schematics etc available.

      It is far from the only device that fits that bill. There’s lots of other AR9331 based devices as well as others using different chipsets with varying degrees of openness.

      These things have been around for a long time, too. Sometimes it is easy to get caught up in the desire to modify something and in doing so neglect to look for alternatives that already exist and do everything you need.

  7. The issue is not only the power but _all_ RF properties… eg the use of channel 14…

    btw europe has done the same some years ago… in april the RED will enforce similar restrictions to manufatureres…

    73

  8. In my country it’s a criminal offense against the terrorism act to change an IMEI for mobile networks (25 years imprisonment) and to buy anything with an IMEI like a mobile phone you have to identify with a 1000 point of ID so the government can track your GPS every 20 minutes.

    I just bought a GPRS chip from China and me government can go get fuc(d because I didn’t change the IMEI and I didn’t have to identify myself to the government.

    It’s like door locks – they keep the honest people out. The real crims just break the locks.

    1. Lots of phones can have their IMEI numbers changed and their mac addresses on wifi and BT too. Buying sim cards with cash without ID is however not allowed in many countries, for the same reasons you describe.

      1. cpu’s are cheap maybe doing it in fractions overlapping 1-2Mhz, would make 22MHz easy.. not in that business, can’t think about it.
        But hey, RTL sdr was magic 10 years ago, and now there’s even esp8266 ahah

        p.s. sry because I missed the button and clicked on the report comment.. my fault

  9. So the thing is, they will be locking down short range 5ghz soc based routers that even before the “lock-down” were buggy garbage to begin with. Good news any one looking to make a older g based box tick a new tock, time to shine guys/gals.

  10. TP link routers are garbage anyways. Every single one I have is complete junk and have failed. I just buy routerboard and install wireless cards if I really want a wireless router. No more FCC meddling.

  11. “TP-Link must limit transmit power on the 5GHz band, and locked firmware is the simplest way to do that.”

    The EASIEST way to limit transmit power is to change the RF amplifier. Adding to, or replacing the transmit section then becomes the only way to get extra power.
    Result: two almost identical versions of the same board. The US version uses two different resistors to set the gain of the final stage. If carefully selected, you may even have the same value resistors already on the board.

    Bonus: all a hacker need do is replace two resistors to get an “international standard” router with higher power.

    1. You forget parts tolerances. If you put a HW limit on the power, you will get the usual variation where half the routers are under and half the routers are over the limit you set, and you’d have to trim them individually to the specified values.

        1. 802.11n requires a quite linear PA. As such you are not using it close to the maximum output power. You may well be able to push a 300mW PA to more than 1W if you don’t care about the signal quality.

          Still, locking down the router does not prevent anyone from increasing the power, you can simply attach an external PA that you can freely buy to reach any power you want. I guess they are more afraid of people interfering with weather radars if they are able to change the frequencies. Of course you can also do that with an external transverter, but they are harder and more expensive to buy.

  12. This news sickens me.. On the other hand, this will probably push Hackers to start building computers made to replace routers.

    But no matter what – I can tell you this: I will NOT buy a locked down computer. That goes for any un-rootable Android tablet, any iOS device OR a locked down router!

  13. We need a blacklist. We need to spread the message about locked down routers. We need to leave poor reviews of routers that are locked down the ‘lazy’ way telling people why. Everywhere they are sold.

  14. License of Linux kernel and tools like Busybox have also aided this locking down. They are GNU GPL v2, and v2 only. When FSF found that some companies (TiVo) exploited GPL v2 to give the source, and at the same time restrict the users in modifying the binary/firmware, FSF introduced GPLv3.

    But Linus, as he cares not much about freedom of users[1] (or even open source) denied moving to GPL v3. Even we don’t have a way to verify that the binary/firmware running on the device corresponds to the source given (like ddwrt)

    But that’s just the firmware part.

    [1] http://www.techrepublic.com/article/linux-creator-linus-torvalds-doesnt-really-care-about-open-source/

    1. If Linux were GPLv3 manufacturers would either violate the GPL slightly more than they already do, or switch to BSD or a proprietary firmware base. Linux is only a strong presence in the router space because anyone can throw it into a router cheaply, if they suddenly had to create a complex set of hardware enforced locks in the radio chip just to avoid a simple signed firmware system it would lose that property and router manufacturers would look elsewhere instead.

  15. TP-Link should just lock down the power with a resistor bridge that they can leave out depending on region.
    That seems acceptable by the FCC, which we know from the past in other devices.

  16. 1) There will be a run on the workable stuff that’s still floating around out there, or what passes for one as the enthusiast community starts grabbing them and the enterprise community grabs them to sell to the enthusiast community at a profit.
    2) Work-arounds will be developed for the new “locked” firmwares as the same lazy manufacturers will indeed to the least possible to comply, which will leave vulnerabilities.
    3) The procedures change but the result is the same. Unless somebody really pisses these guys off or does something stupid to bring this stuff more into the light this will just result in a change in procedure to do the same stuff.

  17. The Freifunk (free wifi in germany) community is going to have huge problems due to this rule. Our law literally prohibits open Wifi, with Freifunk we now have a free open Wifi that private people can afford and install in their homes. Without routers that provides an open slot for such projekts our free Wifi in the cities is going to stop before it really started. I am starting to make Freifunk routers with raspberry pis but they are more expensive than a TL-WR841N. This really is a problem the FCC did there and I am really angry about that fact.

  18. So when(not if) a new security flaw in a firmware is found, then what?
    Will the router company do a recall??(yeah right)
    I think at that point users should sue and then companies will do the job right(lock only wifi binaries and allow firmware updates).

  19. can we build our own router by using a raspberry pi and some ethernet shields and usb wifi dongles?

    but then wouldnt the usb wifi dongles have their firmware locked or does it only apply to the routers you buy in the store?

    1. Sure we can build our own routers. The dongles though do have firmware blobs, which is almost a tradition now for the manufacturers – they had locked (as in ‘compiled and without sources’) firmware long ago. You will get a router with custom firmware though, so that’s good, but you won’t get around regulations with those dongles.

  20. is this only pertain to the radios? so https://www.slickvpn.com/routers.html is legal?

    these are routers flashed to connect to their vpn service https://www.slickvpn.com/

    and what is the fuss? is it that the radios can be told to work with higher power than what is allowed or they work into channels that are not allowed?

    if it is power then an external amplifier would solve that problem.

    if it is channels a frequency shifter (remember those dongles that convert fm radio so you can play on am?) would solve that problem but i dont know if frequency shifters are 2 way.

  21. if they lock down so you cant flash the firmware via the router couldnt you unsolder the firmware chip from the router and flash it with an avr programmer or something or even swap the firmware chips?

  22. The reference designs provided by the main radio chipset vendors (Broadcom, Qualcom, Realtek, and others), are designed to be cheaply implemented worldwide, despite radio spectrum allocations being vastly different. For 2.4 GHz this wasn’t as large of a problem, openWRT could give you access to channel 12, 13, and 14(Japan) which was available in some countries, but not the USA. 2.4 G had a very limited frequency range of 2.412-2.484 Ghz.

    5 GHz is a whole other story.
    Look at this mess:
    https://en.wikipedia.org/wiki/List_of_WLAN_channels#5.C2.A0GHz_.28802.11a.2Fh.2Fj.2Fn.2Fac.29.5B17.5D

    Now compare it to this USA frequency chart:
    https://www.ntia.doc.gov/files/ntia/publications/2003-allochrt.pdf

    The FCC has noted that routers with open source firmware are broadcasting over set power limits on frequencies used for radio navigation, thermal doppler weather radar, and other important public services. Put down your pitchfork, LTE carriers are not trying to steal spectrum. Openwrt firmwares are not operating in the proper unlicensed spectrums.

    Now look again at that wikipedia chart. Those EIRP numbers are quite varied and strict. The FCC is just beginning to take these steps. Other certification bodies will start taking measures to prevent the sale of devices which violate spectrum rules. From a government enforcement perspective, it is far easier to nip this in the bud, rather than send out fleets of vehicles to track down rogue routers. We’ve seen what a mess the drone registration is – there’s no way the FCC wants to license wi-fi routers like that or like ham radio. They don’t want to put people in jail like idiots who shine laser pointers at airplanes, jam GPS, or jam mobile phones. Look at Israel, which has a tiny consumer electronics market, but only a sliver of 5 GHz frequencies available; I doubt you’ll find many devices for sale there in the future.

    Honestly, TP-Link and other manufacturers won’t really care as they now have a valid excuse to start locking down their firmwares entirely with signed keys. They wouldn’t mind either, considering the number of bricked devices that get returned from bad flashes. Plus one only needs to look at the nearly daily stream of router security vulnerabilities, many involving the replacement of firmware, along with the recent ASUS FTC security case to start being tempted to lock down routers like Microsoft, Sony, and Apple have done with their devices. Aside from Linksys how many other companies have embraced the open source firmware community? Just look at how many times Linksys has been sold off. There’s very little money in catering to the open source router hacker community. It only exists because gnu-linux runs all these devices.

    Unfortunately, in my opinion this only came about because openwrt developers didn’t take enough precautions to ensure that flashed devices would abide by regional rf spectrum rules. Nor could they, I can’t even devise of a 100% effective technical solution that ensures proper frequencies and power guidelines are followed. The openwrt forums are litered with one-off experimental firmwares; who knows if they are breaking ERP rules. Being able to compile your own opensource firmware is a double edged sword. Then there are people who will blatantly use channels not approved for their region to gain access to ‘unused’ spectrum. Separating firmwares from rf configuration files won’t solve pirate radio routers.

    The real issue:
    -An outdated map of frequency allocations which worked well enough for “analog” radio.

    Things which will not happen:
    -Getting the entire world to adopt a universal frequency usage chart.

    Things which are likely to happen:
    -Locked down devices.

    When will this happen?
    Mobile World Congress just wrapped up, and CES was a few weeks ago. 2016 might be the last year of easily hacked 5 GHz routers.

    Who is this going to effect?
    For the average consumer, they just need a magical black box and are not going to care. This sucks for open source projects which rely on openwrt. It’s been a good ride, but the era of cheap, easily, hacked routers and wi-fi devices is coming to a close. If Broadcom ever comes out with an open-source friendly 5 G wi-fi card (notice the lack of 5G on the raspberry pi 3), expect it to cost an arm and a leg and require a high level of technical expertise to configure to ensure that it follows certification guidelines.

  23. As long as I know TP-Link and Ubiquiti enforced the lock down. no longer open source firmware(3rd party firmware) won’t run on them.
    Asus, Netgear, I’m not sure yet. But possibly lock down. As article says, it’s the most easiest way to follow the FCC updates. As other guys say, technically they can put “RADIO parameter” into the designated NAND/SPI/E2PROM (maybe with encryption?), and read the RADIO parameter from that device. Doesn’t allow parameter change from system side(linux console/driver). But most of them have the SKU for world wide, and this means “they need designated hardware for each region”. This may steal the flexibility of the hardware. I believe they don’t take this way.

    In the other hands, I’m using DD-WRT-NXT. Seems they also started to locking down from latest firmware. But still have customize-ability. I couldn’t change the RADIO parameter from console, but I don’t need that function. I need customize-ability. So this is the best solution for me at this moment.

    By the way, I also heard that there is a possibility to delay the applying date from June 2nd. only several products passed the “new FCC rule”. So. Does anyone have the clue?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.