Platform Ladder
Current State
Routing Risk
Target Architecture
Platform Scope Matrix
Implementation Roadmap
Release Gates
Summary & Actions
Draft Contract Date: 2026-06-07 Target: Asuswrt-Merlin

ASUSWRT-Merlin Parity is Not a Port.
It is an Adapter and Rebuild.

A roadmap for resuming the abandoned Merlin project. This plan details how to rebuild our package runtime, settings schemas, and routing mechanics to match OpenWrt parity safely.

Koolshare Merlin (官改梅林) Phase 1 Target
ASUSWRT-Merlin with Software Center
Asuswrt-Merlin (原版梅林) Source Base
Open-source firmware with JFFS custom script hooks
ASUSWRT (華碩官方) Restricted
Stock closed-source router operating system
Click a step above to explore the firmware layer capabilities and how our integration hooks into it.
Usable Pieces
Broken Joins
Hover over or click a piece to inspect code block alignments and baseline defects.
LAN Client
Gateway
VilaNet
Unsafe TCP Redirect Active
Today (Unsafe): The firewall redirects raw LAN TCP packets to the proxy port. However, a mixed HTTP/SOCKS port expects handshakes, not raw stream data. This causes timeouts, socket errors, and loops.
User Interface Module_vilanet.asp
Structured JSON API CGI RPC Wrapper
NVRAM / DBus Adapter JSON Config Map
Shared Core Config Generator vilanet-core
Daemon Service Static 32-bit ARM ELF
User Interface Layer: An ASUSWRT-styled native control dashboard hosted in the Koolshare directory structure, replacing the standalone stale mock UI.
Platform Pkg Target CPU / Arch Support
HND (RT-AC86U, GT-AC5300) hnd ARMv8 32-bit userspace Phase 1
AXHND (RT-AX88U, GT-AX11000) axhnd ARMv8 32-bit userspace Phase 1
AXHND.675x (RT-AX56U, AX58U) axhnd.675x ARMv7 (Static 32-bit) Phase 1
QCA (Qualcomm) qcasoft Qualcomm MIPS/ARM ⏳ Deferred
Legacy ARM (RT-AC68U, AC87U) arm380/384 ARMv7 Old Core Unsupported
Click a platform row to inspect compiler target configurations and package matching criteria.

M0: Repo Cleanup & Truthful Docs

Ensure correct support declarations in README and restore package building scripts.

  • Deliverable: Updated documentation, restored build.sh.
  • Exit Gate: Documentation matches binary scope; validator passes.
OK
Validator
OK
Paths Match
!
UI Schema
!
Safe Creds
OK
No Redirect
!
Smoke Tests
Click on a gate checkpoint above to review the release blocking criteria and verification commands.

Baseline (Today)

  • Stale redirect logic (hijacks raw TCP, crash risk).
  • Mixed `/opt` and `/koolshare` runtime directories.
  • Base64 plaintext credentials in `argv` and configs.
  • CGI parsing plain script output (unstable status UI).

Target Parity

  • Safe Proxy-first, TPROXY-gated transparent mode.
  • Pure `/koolshare` native directory tree (no Entware dependency).
  • Encrypted credentials in `0600` local file.
  • Structured JSON endpoints with strict input allowlist.
01 / Concept

The Platform Ladder

VilaNet’s Merlin compatibility requires a specific structural approach. Rather than porting the OpenWrt layout directly, we must build a native wrapper that respects the specific environment of the router firmware.

ASUS routers exist on three main tiers:

  • ASUSWRT (華碩官方): The official closed-source firmware. It has no standard shell hooks or script runners, and does not allow raw user integrations.
  • Asuswrt-Merlin (原版梅林): A popular community modification. It opens SSH access, adds JFFS custom script hooks, and exposes raw configurations. It acts as our development source base.
  • Koolshare Merlin (官改梅林): A fork that adds a dedicated Software Center interface (`rogsoft` runtime). This is our Phase 1 integration target.
02 / Diagnostic

Usable Pieces vs. Broken Joins

An audit of the current repository shows it is not a direct shippable codebase. It contains critical mismatch bugs, conflicting paths, and security gaps.

However, it contains valuable, working source material. Our plan separates these usable pieces from the broken joints that we must rebuild.

Usable assets: The compiled static Go daemon binaries, the NVRAM connector core, the basic WHMCS api failover layers, and parts of the local template generator.

Broken joins: Stale CGI endpoints that shell out commands blindly, path conflicts where installer scripts write to `/koolshare/bin` but start scripts check `/opt/bin`, and a missing packaging automation pipeline.

03 / Architecture Risk

The Unsafe Redirect Fallacy

A major bug in the abandoned codebase is the transparent redirect implementation. The helper scripts configure `iptables` to redirect raw TCP traffic from LAN clients directly into the VilaNet proxy port.

Why this breaks: The proxy listener runs a mixed HTTP/SOCKS port. It expects specific protocol handshakes (e.g. SOCKS5 greeting or HTTP request lines). When raw TCP packets arrive directly from a redirect rule, the proxy cannot determine the original target IP or port, and fails to parse the stream, causing instant network timeouts.

The Solution: We must ship a safe, manual proxy mode first. We will keep transparent capturing disabled until the platform supports the `/dev/net/tun` interface, TPROXY, or REDIRECT capabilities, and they have been fully verified.

04 / Design

Modernized Architecture

To ensure reliability, the target architecture mirrors the OpenWrt configuration generator pattern but wraps it in a Merlin-compatible runtime layer.

We decouple the system into five distinct layers:

  • UI Layer: Native ASP files integrated into the Koolshare dashboard structure.
  • JSON API: Pure HTTP API endpoint controllers, replacing old, text-scraping shell executions.
  • NVRAM Adapter: A state mapper translating native NVRAM database keys into structured configurations.
  • Core Generator: The shared, verified `vilanet-core` configuration generator (safeguarded against slice index panic vulnerabilities).
  • Daemon Service: Running purely under `/koolshare` paths without Entware or `/opt` directories.
05 / Scope

Platform Support Matrix

We must avoid claiming support for "all ASUS routers." The hardware architectures and package centers vary significantly.

Our Phase 1 support targets the Koolshare HND / AXHND platform family (running kernel 4.1.x and newer, with `rogsoft` software centers). These models typically run mostly 32-bit userspace environments.

Phase 1 scope details: HND, AXHND, and AXHND.675x targets.

Future plans: Separate validation is required for older MIPS routers or QCA-based hardware, which use different software centers (`qcasoft`).

06 / Execution

Roadmap (Milestones M0 - M7)

Our implementation timeline covers eight distinct milestones, ensuring we validate each step on real hardware before proceeding.

  • M0 - M2 (Foundation): Clean up baseline claims, set up the `rogsoft` package skeleton, and align install paths.
  • M3 - M5 (Core Parity): Build NVRAM config adapters, connect the shared config generator, implement safe proxy mode, and encrypt credentials.
  • M6 - M7 (Release): Probe transparent mode capability gates and publish the Release Candidate.
07 / Quality Control

Release Gates & Stop Signs

We enforce strict release gates. If any gate fails, the release pipeline is automatically blocked.

Our key gates require:

  • Package Integrity: The package validator must pass, ensuring `.valid` and `config.json.js` exist.
  • Directory Uniformity: The package must write files only to `/koolshare` (no mix with `/opt`).
  • Security Audits: Zero credentials stored in plaintext or exposed in the output of `ps` argv command strings.
  • Safety Checks: No transparent iptables rules installed during manual proxy mode.
08 / Summary

What to Do First

This plan shifts our focus from quick ports to stable, verified integration.

Our first three concrete engineering actions are:

  1. M0: Audit & Repo Clean: Remove all incorrect completion claims from the repository documentation and restore the packaging build scripts.
  2. M1: Package Skeleton: Create the `rogsoft`-compliant directory skeleton and define target package checks.
  3. M2: Paths Alignment: Relocate startup binary paths to `/koolshare` and remove the `/opt/bin` dependency.