About a year ago, discussions started about new rules from the FCC that could prevent routers from installing open source third party operating systems such as OpenWrt or DDWRT. Despite the FCC assurance that the rules were meant to prevent some users from illegally tweaking the RF settings, and that it would not have to impact installing of open source alternatives, the reality is that companies such as TP-Link ended up locking their routers up due to the new rules, while Linksys would only ensure OpenWrt/ DD-WRT compatibility on some of their routers, but not all. Companies are probably doing that due to the extra work that would be required to separate the RF settings which need to be locked, and the rest of the firmware. But Imagination Technology’s prpl security group has a solution for their MIPS Warrior P-Class processors using hardware virtualization.

In order to show the concept works, they’ve developed the solution on an evaluation board based on Baikal T1 dual core MIPS P5600 communication processor, and using a Realtek RTL8192 WiFi adapter and the Ethernet port (WAN) for communications. The serial port was used for debugging Linux.

One the software side, they run an hypervisor, and three virtual machines (VM) leveraging the processor hardware capabilities:

Open source L4Re hypervisor comprised of an L4 microkernel that can run trusted native applications and act as a trusted hypervisor for operating systems.

comprised of an L4 microkernel that can run trusted native applications and act as a trusted hypervisor for operating systems. Open VM for OpenWrt running OpenWrt and providing the main interface to the router facilities

running OpenWrt and providing the main interface to the router facilities Isolated VM for the Wi-Fi driver without direct access to the driver from other VMs, except through the virtual network connection using ports 85 for http, 449 for https or 29 for ssh. That’s the important part to comply with the FCC rules.

without direct access to the driver from other VMs, except through the virtual network connection using ports 85 for http, 449 for https or 29 for ssh. That’s the important part to comply with the FCC rules. Dedicated VM for third party applications acting as a sandbox for running third party applications that provide additional functionality such as home automation apps.

Here’s the demo.

Of course, this will not solve the issues for existing cheap routers, but this could be a solution for future not-so-low-end WiFi routers.