ADVANTECH ICR-3231 4G Industrial Cellular Router Instructions
- June 12, 2024
- Advantech
ICR-OS
Firmware 6.2.8
RELEASE NOTES
ICR-3231 4G Industrial Cellular Router
Abstract
This document describes:
- Firmware update instructions.
- Description of all new features, fixes and other changes implemented in the firmware.
- Known issues related to a firmware version.
Firmware Details
- Firmware version: 6.2.8
- Release date: February 19, 2021
- Hardware compatibility: applicable to the Advantech routers
Please note that not all new Advantech routers are produced and shipped with
the latest release of the firmware. The reason for this is usually an existing
certification valid for a specific carrier or a region. For more information
about the latest version of the firmware for your router, see the Firmware
Distribution Overview document.
For current and detailed information about the router configuration see the
latest version of the Configuration Manual for your router.
Product-related documents and applications, including the firmware, can be
obtained on the Engineering Portal at the address https://ep.advantech-bb.cz/.
Advantech Czech s.r.o., Sokolska 71, 562 04 Usti nad Orlici, Czech Republic
This document was issued on February 19, 2021
Firmware Update Instructions
General Update Instructions and Notices
HTTPS certificates: The HTTPS certificate format in the router was updated in FW
5.3.5 to improve the security. Existing HTTPS certificates on previously
manufactured routers will not automatically be updated with the firmware
update! It is possible to update the HTTPS certificates by deleting the files
within /etc/certs/https in the router (e.g. via SSH). The certificates will be
re-created automatically during the router’s next start.
Specific Update Instructions
New filename: If the firmware filename for your router has changed, you
will run into an issue during a manual firmware update or with the automatic
firmware update feature. This warning message will appear during the firmware
update process: “You are trying to upload file “xx.bin” but “yy.bin” is
expected. Are you sure to continue?”
To proceed with the firmware update, follow these steps:
- Check the table below for details about recent firmware filename changes and
make sure you have the correct firmware file for your router.
- Go ahead with the manual firmware update and confirm the displayed warning
message.
To proceed with automatic firmware updating, rename the new firmware files
(*.bin and *.ver) to the filenames valid before the filename change. This should
allow the router to pass through the process of automatic firmware updating.
Next time, the automatic firmware update feature will work as expected with no
need to rename the file.
Router model | FW ver | New filename | Original filename
---|---|---|---
SmartMotion ST352, SmartMotion ST355 | 6.0.2 | SPECTRE-v3T-LTE.bin | BIVIAS-v3LL.bin
SmartStart SL302 | 6.0.3 | SPECTRE-v3L-LTE-US.bin | SPECTRE-v3L-LTE-AT.bin
Table 1: Recent Firmware Filename Changes
Updating Firmware of Version Less than 5.3.0
It is necessary to follow the specific update instructions below only if you
are updating from firmware older than 5.3.0.
Due to a bug in the firewall (now fixed) when a WAN device is part of a bridged
interface, caution should be taken when updating in the following case:
Condition: | When a WAN device is part of a bridged interface, access to that WAN device (HTTPS, SSH) is always granted regardless of configuration.
---|---
Problem: | If this is your configuration, it is highly likely that you are not aware of this, so the undesired effect of the bridge firewall fix may render the router inaccessible.
Recommended Action: | Enable access to both the web and ssh services before updating if you want to retain the current behavior (access to the WAN interface). This can be done on the NAT page in the Configuration section of the router’s Web interface.
Change the root’s password:
It is necessary to change the password for the root user when updating to
firmware version 5.3.0 or newer. The reason for this is an update of the
authentication system (encryption algorithm crypt was changed to MD5;
passwords are now stored in the /etc/shadow file instead of /etc/passwd). The
change of the password is required before setting up remote access on the
NAT Configuration page.
Please note that when downgrading from 5.3.0+ to previous firmware versions,
the password for the root user is reset to the default one, which is root.
Changelog
Legend: Affected products are marked as shown below for every changelog item:
Affected product | Not affected product
---|---
Quectel Module Update
Released router firmware supports the Quectel BG96 cellular module having the
firmware of version R02A07+.
Enhanced OpenVPN Configuration
There is a new configuration option, Security Mode, in the OpenVPN configuration
GUI. For relevant authentication modes only, you can choose between two
security modes: tls-auth and tls-crypt.
We recommend using the tls-crypt mode for security reasons. In this mode,
all the data is encrypted with a pre-shared key. Moreover, this mode is more
robust against TLS denial-of-service attacks.
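The following check is an added example, not part of the Advantech release notes or firmware: it reads OpenVPN configuration text (for instance the configuration of the peer at the other end of the tunnel) and reports every file that is not in the recommended tls-crypt mode. The file names, host name and key file names in the samples are constructed.

```python
import re

# Matches the file-reference form ("tls-crypt ta.key") and the inline form ("<tls-crypt>").
DIRECTIVE = re.compile(r"^<?(tls-crypt|tls-auth)>?(\s|$)")


def security_mode(config_text):
    """Return 'tls-crypt', 'tls-auth', 'conflict' or 'none' for one OpenVPN config."""
    modes = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith(";"):     # blank line or ';' comment
            continue
        match = DIRECTIVE.match(line)
        if match:
            modes.add(match.group(1))
    if len(modes) > 1:
        return "conflict"                        # both directives set: review by hand
    return modes.pop() if modes else "none"


def review(configs):
    """Return (name, mode) for every config that is not in tls-crypt mode."""
    return [(name, mode) for name, text in sorted(configs.items())
            if (mode := security_mode(text)) != "tls-crypt"]


# Constructed sample configurations (all names here are hypothetical).
SAMPLES = {
    "site-a.ovpn": "client\nremote vpn.example.net 1194\ntls-auth ta.key 1\n",
    "site-b.ovpn": ("client\nremote vpn.example.net 1194\n"
                    "<tls-crypt>\n# key material elided\n</tls-crypt>\n"),
    "site-c.ovpn": "client\nremote vpn.example.net 1194\n;tls-crypt ta.key\n",
}

if __name__ == "__main__":
    for name, mode in review(SAMPLES):
        print(f"{name}: security mode is {mode}, tls-crypt recommended")
```

A commented-out directive, as in site-c.ovpn, is reported as `none` rather than as tls-crypt.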
Enhanced GRE Configuration
We have enhanced the GRE tunnel configuration GUI with a Local IP Address configuration option. This item is optional together with Remote IP Address and Pre-shared Key, but at least one of them must be configured.
HTTPS TLS Version Configuration
The minimum version of the TLS protocol can now be set to 1.3 in the HTTP settings of the GUI. We recommend using the latest version of TLS. Support for other versions persists for compatibility with various web browsers.
Added ebtables Program
We have added the ebtables program, which can be used as an administration tool
for firewall filtering of IP packets. It enables transparent filtering of network
traffic passing through a Linux bridge. The filtering possibilities are limited
to link layer filtering and some basic filtering on higher network layers.
The ebtables tool can be combined with the other filtering tools (iptables and
ip6tables) to make a bridging firewall that is also capable of filtering these
higher network layers. Check the Commands and Scripts application note for
more information about this program.
Added doas Program
There is a new program called doas which can be used to execute commands as another user. This program replaces the sudo command, which is not supported by the firmware from version 6.2.8 anymore. For compatibility reasons, the sudo command is just a symlink to the doas command. Check the Commands and Scripts application note for more information about this program.
Out-of-memory Reboot
We have changed the settings of the out-of-memory feature. It now always triggers a kernel panic and reboots the router, with no processes killed by the out-of-memory killer.
DHCP Authoritative Mode
The configuration of the DHCP server running on our routers was updated to act as the authoritative DHCP server for all WiFi clients. An authoritative DHCP server is a server which always responds to a DHCP request if no other DHCP server in the network responds. This configuration prevents an issue with obtaining an IP address for some WiFi clients that have a valid address assigned in another WiFi network.
Fix for NB-IoT Networks
We have extended the timeout for NB-IoT network registration from two to five minutes to let the cellular module scan all the channels.
Fixed WiFi Issue
We have made a fix for transmit issues on the Laird SU60 WiFi module. This
issue caused the WiFi to stop working. If required, this fix will invoke reboot
of the router.
Fixed OpenVPN Issue
We have fixed an issue with resolving of IP address in OpenVPN version 2.4. The OpenVPN configuration was updated to be compatible with OpenVPN of version 2.3.
Fixed Possible XSS Attack
We have fixed a possible reflected XSS attack (medium severity) in the web administration.
Updated curl Program
We have updated the curl program to version 7.74.0. This update has fixed CVE-2020-8285 (high), CVE-2020-8169, CVE-2020-8177 (medium) and CVE-2020-8284 (low). For more details about this curl release, see https://curl.haxx.se/changes.html#7_74_0.
Updated dnsmasq Software
We have updated the dnsmasq software to version 2.84. This update has fixed CVE-2020-25681, CVE-2020-25682 (high), CVE-2020-25683, CVE-2020-25687 (medium), CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686 (low). For more details about the release, see the webpage at http://www.thekelleys.org.uk/dnsmasq/CHANGELOG.
Updated OpenSSL Library
We have updated the OpenSSL library to version 1.1.1j. This update has fixed CVE-2021-23839, CVE-2021-23840 and CVE-2021-23841.
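To confirm that a device actually carries the curl, dnsmasq and OpenSSL versions named in the three items above, the version banners of the tools can be compared against those minimums. This is an added example, not Advantech code; it assumes the output of `curl --version`, `dnsmasq --version` and `openssl version` has been collected from the device (for example over SSH), and the banner samples below are constructed.

```python
import re

# Minimum versions named in this changelog as containing the CVE fixes.
FIXED_IN = {"curl": "7.74.0", "dnsmasq": "2.84", "openssl": "1.1.1j"}

# First line of `curl --version`, `dnsmasq --version` and `openssl version`.
BANNERS = {
    "curl": re.compile(r"^curl (\d+(?:\.\d+)*)", re.M),
    "dnsmasq": re.compile(r"^Dnsmasq version (\d+(?:\.\d+)*)", re.M),
    "openssl": re.compile(r"^OpenSSL (\d+(?:\.\d+)*[a-z]*)", re.M),
}


def version_key(text):
    """'1.1.1j' -> ((1, 1, 1), 'j'): numbers compare as integers, letter as patch level."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", text)
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in match.group(1).split(".")), match.group(2)


def audit(banner_text):
    """Return {component: (found_version, status)} for the three updated components."""
    report = {}
    for name, pattern in BANNERS.items():
        match = pattern.search(banner_text)
        if not match:
            report[name] = (None, "not found")
        elif version_key(match.group(1)) >= version_key(FIXED_IN[name]):
            report[name] = (match.group(1), "ok")
        else:
            report[name] = (match.group(1), "below fixed version")
    return report


# Constructed banner output. curl 7.9.8 is chosen because a plain string
# comparison would wrongly rank it above 7.74.0.
SAMPLE_OLD = """\
curl 7.9.8 (arm-unknown-linux-gnu) libcurl/7.9.8
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
OpenSSL 1.1.1i  8 Dec 2020
"""
SAMPLE_NEW = """\
curl 7.74.0 (arm-unknown-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1j
Dnsmasq version 2.84  Copyright (c) 2000-2021 Simon Kelley
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        print(audit(sample))
```

A component whose banner is missing from the collected output is reported as `not found` rather than silently passed.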
Known Issues
Firmware Update – Unexpected Filename
If the filename of firmware for your router was changed, you could have an issue
during manual firmware updating or with Automatic Update feature. This warning
message will appear: “You are trying to upload file “xx.bin” but “yy.bin” is
expected. Are you sure to continue?” To fix this issue follow instructions in
Part I – Firmware Update Instructions.
Automatic Update – Update to Version 6.1.10
The automatic firmware update feature will not recognize firmware version
6.1.10 as a new version if the installed firmware version is from 6.1.0
to 6.1.8. To fix this issue, either update the firmware by the automatic update
to version 6.1.9 first or update it manually directly to version 6.1.10.
WiFi Configuration – Lost After Firmware Downgrade
If the firmware is downgraded to the version less than 6.2.0, the WiFi
configuration will be lost completely.
ICR-3200 – Country Code for WiFi
The first version of the firmware for the WiFi module does not support the
settings of the country code. Due to this issue, the settings of the country
code made on the configuration page have no effect at all. The country code is
set up during the manufacturing process according to the product destination
region.
SmartStart – Cellular Network Registration
It is necessary to use the router’s firmware version 6.1.5 or higher if the Telit
cellular module installed in your SmartStart router has one of the following
firmware versions:
- Telit LE910-EU V2 cellular module with firmware version 20.00.403 or newer,
- Telit LE910-NA1 cellular module with firmware version 20.00.014 or newer.
Note: The model name and firmware version of the cellular module can be found on router’s web GUI at Mobile WAN Status page in Mobile Network Information section.
SmartStart SL302 – Cellular Network Authentication
It is not possible to use username and password when connecting to Mobile WAN
network (on Mobile WAN Configuration page) if your SmartStart SL302 router has
the 20.00.522 firmware version inside the Telit LE910-NA1 cellular module. The
version of cellular module firmware can be found at Mobile WAN Status page in
Mobile Network Information section.
SmartStart SL302 – SMS in Verizon Network
SmartStart SL302 router (equipped with the Telit modules LE910-SV1 or
LE910-NA1) supports sending and receiving of SMS in Verizon cellular network
since the firmware version 6.1.4. Please note that to support SMS receiving,
cellular module with Verizon firmware version higher than 20.00.012 is
required.