Examination of Edimax home devices
Summary
⚒
Introduction
⚒
Examination
Summary
Device Model | XT2 Plus |
Manufacturer | Edimax |
Product Type | Router |
Description | 3-in-1 Router, AP, and Range Extender |
Price on Release | 30 Euro |
Release | 2015 Q1 (Continuing as of April 2020) |
State of Research | It was not possible to enable input via UART; the board exposes several solder pads; only the boot log could be captured |
Ports | 4xGbE, 2xWLAN Antenna |
Buttons | WPS/Reset |
LED | Power, WLAN, WAN, 4xLAN |
Power | 5V/1A DC |
WLAN | 2.4 GHz 802.11b/g/n, up to 300 Mbit/s |
Other | N/A |
FCC-ID | NDD9564281303 |
System | Realtek RTL8196E |
Processor | RTL8196E 2014.09.22 v0.3 [16bit] (380MHz) |
BogoMIPS | |
Memory | DRAM: 16MB [16bit] |
Storage | |
Ethernet MAC | 74:DA:38:F8:DE:E5 |
WLAN MAC | 74:DA:38:F8:DE:E4 |
WLAN SSID | edimax.setup (Changed during setup) |
WLAN PSK | |
Default IPv4 | |
Hostname | |
NET Protocols | |
Interfaces | |
Ports | |
Webpage | https://edimax.setup |
Webaccess | admin: 1234 |
Root Password | |
Other Login Pw | |
Firmware | v1.16 |
Hardware | Rev. A |
Baudrate | 38400 (8N1) |
Bootdelay | 1s |
Bootloader | Access by pressing ESC or the WPS button on boot. |
mtdparts | |
Filesystem | squashfs |
Image | |
Linux | |
Kernel cmdline | |
Shell | |
BusyBox | |
Services |
Network Mapper
Wide Area Network (WAN)
Host is up.
All 1000 scanned ports on 192.168.86.40 are filtered
Local Area Network (LAN)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Boa HTTPd 0.94.14rc21
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
| Server returned status 401 but the WWW-Authenticate header could not be parsed.
|_  WWW-Authenticate: Basic realm="Default Name:admin Password:1234
|_http-server-header: Boa/0.94.14rc21
|_http-title: 400 Bad Request
52881/tcp open  upnp    MiniUPnP
Note: This scan was executed after a basic setup, without applying any custom configuration. Two details of the LAN result are worth noting: the Basic-auth realm returned by the Boa server literally contains the default credentials (Name:admin Password:1234), so they can be read from an unauthenticated 401 response, and the missing closing quote of the realm value is what made nmap's http-auth script fail to parse the header.
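The following Python is an added example (not part of the original page or of Edimax's code) showing how to handle the 401 response above in a scanner of one's own: it parses the malformed WWW-Authenticate header leniently where nmap's http-auth script gave up, extracts the credentials embedded in the realm, and builds the Authorization header a client would send back. The 401 header block is constructed from the scan output above; the probe_device function and the assumption that the device answers GET / with that header are illustrative only.

```python
import base64
import http.client
import re

# Constructed sample: the 401 response the XT2 Plus returned on the LAN side,
# rebuilt from the nmap output above. The closing quote of the realm really
# is missing in the device's response, which is what broke nmap's parser.
SAMPLE_401_HEADERS = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Boa/0.94.14rc21\r\n"
    'WWW-Authenticate: Basic realm="Default Name:admin Password:1234\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Lenient realm parser: the closing quote is optional.
REALM_RE = re.compile(r'realm\s*=\s*"?([^"\r\n]*)"?', re.IGNORECASE)
# Pattern of the credential hint Edimax puts into the realm string.
CREDS_RE = re.compile(r"Name:\s*(\S+)\s+Password:\s*(\S+)")


def parse_www_authenticate(raw_headers: str):
    """Return (scheme, realm) from a raw HTTP header block, or (None, None)."""
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            value = value.strip()
            scheme = value.split(" ", 1)[0]
            m = REALM_RE.search(value)
            realm = m.group(1).strip() if m else ""
            return scheme, realm
    return None, None


def credentials_from_realm(realm: str):
    """Extract (user, password) if the realm advertises them, else None."""
    m = CREDS_RE.search(realm)
    return (m.group(1), m.group(2)) if m else None


def basic_auth_header(user: str, password: str) -> str:
    """Build the value of the Authorization header for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def default_credential_finding(raw_headers: str):
    """Turn a 401 header block into a finding, or None if nothing is leaked."""
    scheme, realm = parse_www_authenticate(raw_headers)
    if scheme is None or scheme.lower() != "basic":
        return None
    creds = credentials_from_realm(realm)
    if creds is None:
        return None
    user, password = creds
    return {
        "user": user,
        "password": password,
        "authorization": basic_auth_header(user, password),
    }


def probe_device(host: str, port: int = 80, timeout: float = 5.0):
    """Hypothetical live check (not run here): GET / unauthenticated, then
    retry with whatever credentials the realm leaked. Returns the two
    HTTP status codes; the second is None if nothing was leaked."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", "/")
    first = conn.getresponse()
    first.read()
    hdr = first.getheader("WWW-Authenticate") or ""
    finding = default_credential_finding(f"WWW-Authenticate: {hdr}\r\n")
    if finding is None:
        return first.status, None
    conn.request("GET", "/", headers={"Authorization": finding["authorization"]})
    second = conn.getresponse()
    second.read()
    return first.status, second.status


if __name__ == "__main__":
    print(default_credential_finding(SAMPLE_401_HEADERS))
```

The realm regex deliberately accepts an unterminated quoted string; a strict RFC 7235 parser rejects the header, which is the right behaviour for a client but the wrong one for a scanner, where the leaked realm content is exactly the finding.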
Web Interface
⚒
Physical Intervention
SoC
The main processor, referred to as the MCU here, is a Realtek RTL8196E SoC in a 128-lead Thin Quad Flat Package (TQFP). Although the leads are dense (about 24 leads/cm), it is still possible to probe them directly, which could also be used to intercept other signals entering and leaving the MCU. This does not by itself constitute a security risk during normal use of the device, since it requires physical access and soldering. In this examination the MCU was only checked for an active UART.
UART
⚒
Bootloader
The RTL8196E's bootloader can be accessed by pressing ESC or the WPS button during boot. Entering "help" or any other command results in "Unknown command !" on every attempt.
Booting...
********************************************************************************
*                                                                              *
* chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize      *
* 0000000h 0c22016h 00000c2h 0000020h 0000016h 0000000h 0000016h 0400000h      *
* blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName      *
* 0010000h 0000040h 0001000h 0000400h 0000100h 0000010h 000004eh MX25L3205D    *
*                                                                              *
********************************************************************************
---RealTek(RTL8196E)at 2014.09.22-15:02+0800 v0.3 [16bit](380MHz)
---Dram16M_16Mx1_16bit, TRX Timing: [T:16 R:08]
P0phymode=01, embedded phy
Unknown command !
ls
Unknown command !
help
Unknown command !
HELP ?
Unknown command !
IPCONFIG
Unknown command !
Bootlog
Boot log of the device in router mode after a basic setup. Note that init starts an interactive shell ('-/bin/sh', pid 9) directly on the console without any login, so a working UART input line would give shell access straight away.
Booting...
********************************************************************************
*                                                                              *
* chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize      *
* 0000000h 0c22016h 00000c2h 0000020h 0000016h 0000000h 0000016h 0400000h      *
* blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName      *
* 0010000h 0000040h 0001000h 0000400h 0000100h 0000010h 000004eh MX25L3205D    *
*                                                                              *
********************************************************************************
---RealTek(RTL8196E)at 2014.09.22-15:02+0800 v0.3 [16bit](380MHz)
---Dram16M_16Mx1_16bit, TRX Timing: [T:16 R:08]
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
Realtek WLAN driver - version 1.6 (2013-02-21)
init started: BusyBox v1.11.1 (2015-09-24 13:24:39 CST)
starting pid 9, tty '': '-/bin/sh'

BusyBox v1.11.1 (2015-09-24 13:24:39 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/init.sh: /tmp/mssid.txt: line 5: wlan0-va0: not found
kill: you need to specify whom to kill
Close Wan Interface!!
dhcp mtu >> 1500
Initialize WLAN interface
>> 2.4G adaptivity enable !!
DO 8192E IQK !!!!
Done 8192E IQK !!!!
[selsect txpower] Normal txpower
[txpower] Current Channel : 1
[txpower] Enable Power Table
[txpower] CE Power Table
[txpower] 11b H->L rate index:4
[txpower] 11g H->L rate index:10
[txpower] 11n20M H->L rate index:10
[txpower] 11n40M H->L rate index:8
[txpower] 40/20M
Setup BRIDGE interface
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
bridge br0 doesn't exist; can't delete it
Setup bridge...
DO 8192E IQK !!!!
Done 8192E IQK !!!!
Static DHCP Leases disable!
Setup WAN interface
kill: you need to specify whom to kill
Close Wan Interface!!
>> WAN_MODE is 0
device eth1 is not a slave of br0
device eth0 is already a member of a bridge; can't enslave it to bridge br0.
**********************************************************************
*                         Enable WSC_UPnP                            *
**********************************************************************
**********************************************************************
*                           Enable LLTD                              *
**********************************************************************
**********************************************************************
*                      Enable GPIO Interrupt                         *
**********************************************************************
udhcpc (v1.11.1) started
into eth1.deconfig
Sending select for 192.168.86.40...
Lease of 192.168.86.40 obtained, lease time 86400
killall: radiusd: no process killed
RADIUS server disable !!
######## eth1.bound ########
cat: can't open '/tmp/pktmask': No such file or directory
adding dns 192.168.86.1
route: ioctl 0x890c failed: No such process
route: ioctl 0x890c failed: No such process
deleting routers
route: ioctl 0x890c failed: No such process
Notice: caching turned off
WiFi Simple Config v2.11-wps2.0 (2012.06.18-11:32+0000).
**********************************************************************
*                 FREE Page,Dentries and Inodes Cache                *
**********************************************************************
IEEE 802.11f (IAPP) using interface br0 (v1.7)
MemFree: 2648 kB
Cached: 2204 kB
killall: crond: no process killed
Time server domain name=pool.ntp.org
Time server address=195.186.4.100
boa: server version Boa/0.94.14rc21
boa: server built Sep 24 2015 at 13:24:36.
boa: starting server pid=901, port 80
route: ioctl 0x890b failed: File exists
route: ioctl 0x890b failed: File exists
Firmware
Download
Current Version
Note: As of 18 April 2020 the officially listed firmware version is v1.16, but a v1.17 image is also downloadable. Despite its higher number, v1.17 appears to be the oldest of the three builds: its squashfs was created in October 2014, whereas v1.15 dates from July 2015 and v1.16 from September 2015 (see the binwalk timestamps under Extraction). The version number is therefore not a reliable indicator of how recent an image is; compare build timestamps before assuming that an "update" contains later fixes.
Known Versions
BR-6428nC:
- v1.17: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.17.zip (Accessed 18. April 2020)
- v1.16: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.16.zip (Accessed 18. April 2020) (To revise CGI Vulnerability.)
- v1.15: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.15.zip (Accessed 18. April 2020)
- v1.07
Note: To search for other available firmware versions, request the whole version range and keep only what is served directly (--max-redirect 0 stops wget from following any redirect, so only real image files are saved):
wget https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.{0..50}.zip --max-redirect 0
Extraction
$ binwalk -Mre --dd=".*" BR6428NC_v1.15.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
11280         0x2C10          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2486272 bytes
720896        0xB0000         Squashfs filesystem, big endian, version 2.0, size: 1662416 bytes, 426 inodes, blocksize: 65536 bytes, created: 2015-07-08 04:43:17

$ binwalk -Mre --dd=".*" BR6428NC_v1.16.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
11280         0x2C10          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2486272 bytes
720896        0xB0000         Squashfs filesystem, big endian, version 2.0, size: 1659674 bytes, 426 inodes, blocksize: 65536 bytes, created: 2015-09-24 05:25:50

$ binwalk -Mre --dd=".*" BR6428NC_v1.17.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
11280         0x2C10          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2301952 bytes
655360        0xA0000         Squashfs filesystem, big endian, version 2.0, size: 1340670 bytes, 508 inodes, blocksize: 65536 bytes, created: 2014-10-15 05:35:09
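To show what binwalk is doing when it reports the two offsets above, here is an added Python example (not part of the original page, of binwalk, or of Edimax's tooling) that locates LZMA-alone headers and Squashfs superblocks in a raw image by signature, parses the fields binwalk prints, and carves each region out to the next signature. The sample image is constructed inline with the v1.16 layout (LZMA header at 0x2C10, big-endian Squashfs 2.0 superblock at 0xB0000); it is not a real Edimax image, and the dictionary-size filter is a heuristic against false positives, not part of the LZMA format.

```python
import struct
import sys

# Dictionary sizes that lzma/xz encoders actually emit (2^n or 2^n + 2^(n-1)).
# The format allows any value; restricting to these rejects most random bytes.
LZMA_DICT_SIZES = {1 << n for n in range(12, 31)} | {
    (1 << n) + (1 << (n - 1)) for n in range(12, 31)
}
MAX_UNCOMPRESSED = 1 << 30  # a kernel larger than 1 GiB is not plausible here
SQUASHFS_MAGICS = ((b"sqsh", "big"), (b"hsqs", "little"))


def parse_lzma_header(buf: bytes, off: int):
    """Validate a 13-byte LZMA-alone header at off: properties byte,
    dictionary size (LE32), uncompressed size (LE64). The range coder's
    first payload byte is always 0x00, which is the strongest cheap check."""
    if off + 14 > len(buf):
        return None
    props = buf[off]
    if props >= 225:  # pb*45 + lp*9 + lc with pb,lp <= 4 and lc <= 8
        return None
    (dict_size,) = struct.unpack_from("<I", buf, off + 1)
    if dict_size not in LZMA_DICT_SIZES:
        return None
    (usize,) = struct.unpack_from("<Q", buf, off + 5)
    if not 0 < usize <= MAX_UNCOMPRESSED:
        return None
    if buf[off + 13] != 0:
        return None
    pb, rem = divmod(props, 45)
    lp, lc = divmod(rem, 9)
    return {"offset": off, "type": "lzma", "properties": props,
            "lc_lp_pb": (lc, lp, pb), "dict_size": dict_size,
            "uncompressed_size": usize}


def parse_squashfs_superblock(buf: bytes, off: int, endian: str):
    """Read the fields common to all Squashfs versions: inode count at +4,
    major/minor version at +28/+30, in the byte order given by the magic."""
    if off + 32 > len(buf):
        return None
    fmt = ">" if endian == "big" else "<"
    (inodes,) = struct.unpack_from(fmt + "I", buf, off + 4)
    major, minor = struct.unpack_from(fmt + "HH", buf, off + 28)
    return {"offset": off, "type": "squashfs", "endian": endian,
            "version": f"{major}.{minor}", "inodes": inodes}


def scan_firmware(buf: bytes):
    """Return all signature hits sorted by offset."""
    findings = []
    for magic, endian in SQUASHFS_MAGICS:
        start = 0
        while (off := buf.find(magic, start)) != -1:
            sb = parse_squashfs_superblock(buf, off, endian)
            if sb:
                findings.append(sb)
            start = off + 1
    for off in range(len(buf) - 13):
        hdr = parse_lzma_header(buf, off)
        if hdr:
            findings.append(hdr)
    findings.sort(key=lambda f: f["offset"])
    return findings


def carve(buf: bytes, findings):
    """Slice the image from each finding to the next one (or EOF), the same
    way a dd/binwalk extraction would, keyed by '<hexoffset>_<type>'."""
    parts = {}
    for i, f in enumerate(findings):
        end = findings[i + 1]["offset"] if i + 1 < len(findings) else len(buf)
        parts[f"{f['offset']:#x}_{f['type']}"] = buf[f["offset"]:end]
    return parts


def build_sample_image() -> bytes:
    """Constructed test image mimicking the v1.16 layout from the binwalk
    output above (0xFF padding, LZMA header at 0x2C10, big-endian Squashfs
    2.0 superblock with 426 inodes at 0xB0000). Not a real Edimax image."""
    img = bytearray(b"\xff" * (0xB0000 + 0x1000))
    lzma_hdr = bytes([0x5D]) + struct.pack("<I", 8388608) + struct.pack("<Q", 2486272) + b"\x00"
    img[0x2C10:0x2C10 + len(lzma_hdr)] = lzma_hdr
    sb = bytearray(64)
    sb[0:4] = b"sqsh"
    struct.pack_into(">I", sb, 4, 426)
    struct.pack_into(">HH", sb, 28, 2, 0)
    img[0xB0000:0xB0000 + len(sb)] = sb
    return bytes(img)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for f in scan_firmware(data):
        print(f"{f['offset']:<10d} {f['offset']:#010x} {f}")
```

Run it with a path to one of the downloaded .bin files to reproduce the offsets binwalk reports; the pure-Python byte loop takes a few seconds on a 4 MB image. Comparing the carved regions across v1.15, v1.16 and v1.17 is the quickest way to see that v1.17 is a different build (different Squashfs offset and inode count), not a newer one.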