Router Security | Router Firmware Updates
Website by Michael Horowitz
Updating the firmware on a router is a major pain in the neck. While every article about routers says to regularly update the firmware, none talk about the problems. Here is my list of "issues" with firmware updates:
For an example of an Asus router update process that confused me (no documentation on what to expect) see A router firmware update goes bad. Not to pick on Asus, but in an August 2014 review of the Asus RT-AC68U router in PC Magazine Samara Lynn wrote "I was able to manually upgrade the newer router without a hitch ... This is an improvement over the quirky behavior I experienced when trying to upgrade the RT-AC66U's software." Quirky?
OK, maybe I will pick on Asus. This page How to update the firmware on an ASUS networking product says "After updating the firmware, we recommend that you restore the factory default settings by pressing the reset button of the device for 5 seconds." This is horrible; it means that you lose all the customizations you made to the router. Last verified May 8, 2017.
Still worse was this observation of the Luma mesh networking system by Tim Higgins in September 2016: "Luma provides neither a way to see [the current] firmware version nor a way to check for updates."
It's always nice to know where you stand. For that, you need a history of firmware updates. Some router vendors offer a single web page with the history, others do not. Google Wifi does not. Below are the good vendors that I am aware of, and links to their firmware histories.
There are a number of ways that the owner of a router can learn about the availability of new firmware.
In November 2017, Daniel Aleksandersen blogged about TP-Link firmware updates rolling out slowly to Europe. He noted that none of the 9 TP-Link devices he investigated self-updated. Worse, TP-Link does not contact their customers to tell them of newly released firmware; no emailing lists, no syndication feeds, nothing. While investigating, he was told by a support technician not to update the firmware if the device is working fine. Yikes.
I have seen two different approaches for manually updating router firmware.
The worst approach requires you to download a file to your computer, and then upload it to the router. I call this the worst approach because it requires the most work. I have also seen instances where the downloaded file was compressed and needed to be uncompressed, a fact not explained by the vendor. I have also seen the download include multiple files, only one of which was supposed to be uploaded to the router. Needless to say, this wasn't explained either.
A far better approach is where the router completely handles the update. The router owner says to upgrade from version x to version y and the router does so without the need for files to be manually downloaded to your computing device and then uploaded. Click a button and let it go.
In a June 20, 2018 review of the TP-Link EAP225v3 AC1350 Access Point Jim Salter wrote: "I have to ding TP-Link for having one of the most primitive firmware update processes around ... It is hard to find the firmware version you're currently running under (which isn't mentioned anywhere near the actual firmware upgrade section of the UI) and you don't get any notifications when there's a new version available for download. You also have to manually download, unzip, and extract the firmware before you can then manually upload it ... Boo."
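A pre-upload check for the manual approach described above, written as an added example that is not from this site or from any router vendor: it reports whether a downloaded firmware file is an archive that must be extracted, which file inside looks like the image to upload, and the SHA-256 of that image for comparison with a vendor-published checksum where one exists. The extension list, file names and sample archive are assumptions constructed for illustration.

```python
import gzip
import hashlib
import io
import zipfile

# Extensions treated as likely firmware images (an assumption; vendors vary).
IMAGE_EXTS = (".bin", ".img", ".trx", ".chk")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_download(name: str, data: bytes) -> dict:
    """Classify a downloaded firmware file and list what could be uploaded."""
    others = []
    if data[:4] == b"PK\x03\x04":          # ZIP local file header
        kind = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            files = [i for i in zf.infolist() if not i.is_dir()]
            images = [i for i in files
                      if i.filename.lower().endswith(IMAGE_EXTS)]
            candidates = {i.filename: sha256_hex(zf.read(i)) for i in images}
            others = [i.filename for i in files if i not in images]
    elif data[:2] == b"\x1f\x8b":          # gzip magic bytes
        kind = "gzip"
        inner_name = name[:-3] if name.lower().endswith(".gz") else name
        candidates = {inner_name: sha256_hex(gzip.decompress(data))}
    else:                                   # anything else: assume a raw image
        kind = "raw"
        candidates = {name: sha256_hex(data)}
    return {
        "kind": kind,
        "must_extract": kind != "raw",      # upload the inner file, not the archive
        "candidates": candidates,           # file name -> SHA-256 of its bytes
        "other_files": others,              # readme, licence, etc.: not for upload
        "ambiguous": len(candidates) != 1,  # zero or several images: stop and check
    }


def build_sample_zip() -> bytes:
    """Constructed sample: a vendor-style ZIP holding a readme and one image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, not a real release")
        zf.writestr("fw/router-1.2.3.bin", b"\x00FWIMAGE" * 4)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_download("download.zip", build_sample_zip()))
```

An `ambiguous` result is the multiple-files case: nothing should be uploaded until the vendor's notes say which image matches the router's hardware version.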
As routers are evolving, more and more can self-update. The owner of the router can remain blissfully ignorant of the need to update the firmware or even that firmware exists. But, self-updating can be done well or poorly. For one, the router may not back up the current settings before upgrading the firmware. Then too, you have scheduling issues. It can be quite inconvenient for the router to reboot itself whenever it feels like it. And, if something all of a sudden goes wrong, you may not realize that the router just recently upgraded the firmware, which may explain the new problem.
There is a list of self-updating routers on the Resources page. The Security Checklist page has details on what separates the men from the boys when it comes to self-updating firmware. Finally, the Firmware Self-Updating page has details on how some vendors respond to this checklist.
The VPNFilter malware/botnet, which we first became aware of in May 2018, raised a new question. The first solution for removing the malware was to reset the router to factory state. But, how or why this works was never explained. Certainly the best way to remove hacked firmware is to install new firmware. If a router is running old firmware, fine. But what if a router is running the latest release of the firmware? Does it allow you to re-install the same firmware on top of itself? Until May 2018, there was no reason to ask this question.
Looking ahead, malicious firmware may eventually prevent the detection of newer firmware, so we may have to download the new firmware using a different router. Thus, it is safer to use a router that can accept new firmware from a file on your computer. At least until the bad guys prevent that too.
On a new router, I would do the firmware upgrade pretty much first thing to minimize the danger. See the New Router page for more.
For an existing router:
When it comes to firmware updates, Peplink is the Rolls Royce of routers. You get the first taste of this when you update the firmware. Before it does anything, it reminds you that it's a good idea to save the current configuration. I have seen this on their Balance line and the Surf SOHO. Their travel router, however, does not have this automated reminder.
What really separates the men from the boys however, is that Peplink/Pepwave routers maintain two copies of the firmware. The screen shot above illustrates that my preferred router, the Pepwave Surf SOHO can be rebooted to run either firmware version 6.2.1 or 6.2.0. I have also seen that their Balance line (high end) and their travel router (bottom of the line) also keep two copies of the firmware.
This eliminates almost all the risk involved in firmware upgrades. It's great Defensive Computing. If new firmware causes a problem, just re-boot to fall back to the prior release. The only downside is that when you download new firmware, the router reboots into it immediately. If you don't want to use the new firmware, however, just reboot back to the tried and true older version.
I have seen a Linksys Smart WiFi router (the EA6200) that also offered to reboot into the prior firmware. It didn't say what the prior version was, but still, it's a nice option to have. I have also been told that the Linksys WRT1900ACS supports two installed copies of the firmware, but that it is not documented. The secret handshake for the WRT1900ACS to switch firmwares is to turn it on and off three times. Or, if you can get into a terminal, the fw_setenv command can switch the boot firmware. I can't confirm this.
In April 2017 John Hagensieker wrote about the Linksys WRT3200ACM and its two onboard firmwares: " ... router comes with Linksys firmware and if you upgrade to DD-WRT Firmware that in reality BOTH FIRMWARES RESIDE ON YOUR SYSTEM. So let's say you muck up DDWRT real good or even you think you might have bricked the router you can turn it off on the switch on back, then turn it on three times until the lights come on, then turn off again. I think on the 4th boot it will revert to the other boot partition ... One thing you don't want to do is update DDWRT from DDWRT because then it resides on both partitions. ONLY INSTALL OR UPDATE DDWRT FROM THE LINKSYS FIRMWARE." He also discussed switching boot partitions with some Telnet commands.
If you know of other routers that maintain two copies of the firmware, please let me know.
The process of updating firmware is often poorly documented. So, here is what to expect when updating the Surf SOHO.
The process starts from System -> Firmware -> Check for Firmware button. There are two sections below documenting the process when it finds new firmware and when it does not. In the former case, the process is pretty simple. In the latter case, you have to first download the firmware from the Peplink website to your computer, then, during the process that firmware file is uploaded to the router. Sadly, Peplink's automatic detection of new firmware has been poor for years.
A great Peplink feature is that before firmware is installed it always reminds you to back up the current state of the router, as shown below. When you click the OK button, it downloads a .conf file to your computer.
ROUTER DETECTS NEW FIRMWARE
If it finds newly available firmware, it asks if you want to install it. After saying yes, the system asks if you want to back up all the current settings (shown above). These screen shots are from June 2017, when a Surf SOHO was updated from firmware 6.3.3 to 7.0.1, and from December 2019, when updating from 7.1.2 to 8.0.1.
Next, it tells you it is upgrading the firmware and reports both the old and new firmware versions. It also provides a link to the Release Notes for the new firmware, a nice touch. Below is how this looked when upgrading from 7.1.2 to 8.0.1.
This screen has not changed; as you see below, it looked the same when upgrading from 6.3.3 to 7.0.1.
Then, a boring screen warning that this might take up to 6 minutes. This screen was the same for both upgrades.
Then, in red, it says that the router is rebooting. This too, was the same for both upgrades.
And, eventually, you are back at the logon screen. Maybe. When I upgraded from firmware 7.1.2 to 8.0.1, the screen above, which says it is rebooting, displayed forever. I was not automatically taken to the logon page.
MANUAL FIRMWARE UPDATES
As noted above, when manually updating the firmware, you have to first download the firmware from the Peplink website. Current firmware is available at Peplink.com from Support -> Firmware and Manual Downloads. Or just bookmark https://www.peplink.com/support/downloads/. As you can see below, the firmware, release notes and full user manual are all available. The firmware downloads as a .bin file. This does require you to know the hardware version of your router. The first version of the Surf SOHO is HW1, the second is HW2 and the third is MK3. In the router web interface, these stupid abbreviations are not used; it simply uses 1, 2 and 3. Older firmware releases are available in the Firmware Archive.
A manual update is required when the check for new firmware button says "No update available" (see below). Next, click the Choose File button and navigate to the downloaded firmware.
Then, click the Manual Upgrade button and the firmware uploads from your computer to the router as shown below.
Then, it validates the uploaded firmware.
It then shows the same boring Firmware Upgrade screen with the orange progress bar, as shown above in the ROUTER DETECTS NEW FIRMWARE section, warning that this might take up to 6 minutes. Eventually, it reboots to the logon page.
No Forced Migration
With Peplink, you do not have to migrate from firmware version 1 to 2 to 3 to 4, if you don't want to. And, when a major new release is issued, there are good reasons not to. For more, see my Dec. 2019 blog: A nifty router firmware trick.