Examination of Edimax home devices
Summary
Edimax Technology focuses on networking devices for home applications. The device under investigation here showed a vulnerability to inject almost any command as root by calling a Common Gateway Interface (CGI) for any attacker, which has access to the network and knows the HTTP authentication. Where the default credentials are communicated by the webserver when executing basic NMAP scan.
Introduction
Since Edimax’s establishment in 1986, they have grown to be one of the world’s leading manufacturers of advanced network communication products. Edimax Technology is dedicated to the design, development, manufacture, and marketing of a broad range of networking solutions. The company’s core values include quality service, professional R&D and innovation. Edimax products are all CE, FCC and C-Tick emission certified. Our wireless 802.11n and 802.11ac range is Wi-Fi certified and our drivers are tested by Microsoft and NSTL to ensure interoperability. In addition to being ISO 9001 and ISO 14000 certified in 2003, Edimax has formed strategic partnerships with several chipset vendors. Edimax is also an active member of both the Wi-Fi Alliance and the Gigabit Ethernet Alliance.
Edimax is committed to bring the latest networking technologies to the customer at the most affordable price. Their wide and comprehensive product lines satisfy the connectivity needs of any networking architecture or application for home and business. The complete range of our products include wireless solutions, print servers, xDSL routers, Ethernet switches, PoE solutions, powerline solutions, network access controllers, load balancer solutions, network cameras, professional surveillance cameras, VoIP solutions, KVM switches, media converters, home entertainment integration solutions and other customer-oriented networking applications. Additionally we offer the high-performance Edimax Pro range of enterprise solutions.
Source: [Edimax Profile]
Edimax BR-6428nC: N300 Wireless Router
The BR-6428nC is a 300Mbps high-speed multi-function Wi-Fi solution which supports IEEE 802.11b/g/n standards and provides significantly improved coverage with the 9dBi antenna. Operating as a router, access point or range extender, the BR-6428nC’s flexibility meets the demands of any networking applications. Impressive performance and a competitive price make the BR-6428nC a cost-effective solution for home or small office environments.
Source: [Product Link]
Examination
Summary
Device Model | BR-6428nC |
Manufacturer | Edimax |
Product Type | Router |
Description | 3-in-1 Router, AP, and Range Extender |
Price on Release | 30 Euro |
Release | 2015 Q1 (Continuing as of April 2020) |
State of Research | It was not possible to enable input via UART; the board shows several soldering points; Only bootlog information could be capured |
Ports | 4xGbE, 2xWLAN Antenna |
Buttons | WPS/Reset |
LED | Power, WLAN, WAN, 4xLAN |
Power | 5V/1A DC |
WLAN | 2,4GHz 802.11b/g/n up to 300MBit/s |
Other | N/A |
FCC-ID | NDD9564281303 |
System | RTL8196E_1200 |
Processor | RTL8196E 2014.09.22 v0.3 [16bit] (380MHz) |
BogoMIPS | |
Memory | DRAM: 16MB [16bit] |
Storage | |
Ethernet MAC | 74:DA38:F8:DE:E5 |
WLAN MAC | 74:DA38:F8:DE:E4 |
WLAN SSID | edimax.setup (Changed during setup) |
WLAN PSK | |
Default IPv4 | |
Hostname | |
NET Protocols | |
Interfaces | |
Ports | |
Webpage | https://edimax.setup |
Webaccess | admin: 1234 |
Root Password | edimaxens (init.sh); $1$iNT/snisG/y7YBVbw0tQaaaA (boa.passwd) |
Other Login Pw | |
Firmware | v1.16 |
Hardware | Rev. A |
Baudrate | 38400 (8N1) |
Bootdelay | 1s |
Bootloader | Access by pressing ESC or the WPS button on boot. |
mtdparts | |
Filesystem | squashfs |
Image | |
Linux | 2.4.18 |
Kernel cmdline | |
Shell | |
BusyBox | |
Services |
Network Mapper
Wide Area Network (WAN)
Host is up.
All 1000 scanned ports on 192.168.86.40 are filtered
Local Area Network (LAN)
PORT STATE SERVICE VERSION 80/tcp open http Boa HTTPd 0.94.14rc21 | http-auth: | HTTP/1.1 401 Unauthorized\x0D | Server returned status 401 but the WWW-Authenticate header could not be parsed. |_ WWW-Authenticate: Basic realm="Default Name:admin Password:1234 |_http-server-header: Boa/0.94.14rc21 |_http-title: 400 Bad Request 52881/tcp open upnp MiniUPnP
Note: This scan has been executed after a basic setup without applying any custom firmware configuration.
Web Interface
Note: The SSID, which was edimax.setup
too, has to be changed during the setup, but the webserver will still respond to http://edimax.setup
after the initial setup. The Web Interface is protected by HTTP Authentication mechanism with the default credentials admin:1234
, which are already communicated by the webserver when executing a NMAP scan.
The BR-6428nC can work as router, access point or range extender. One of these modes can be selected during the setup by browsing to http://edimax.setup and following the step-by-step procedure as shown below.
The web interface itself provides a lot of configuration options which are accessbible over CGIs integrated with the BOA webserver. The GCI code is called when submitting a form on the regular ASP webpage and the sourcecode is not available when extracting the firmware. Since the CGI has always the same form of /goform/$METHOD
, it is rather simple to recursivly search for all employed CGI methods within the web root directory, which is listed below including the BOA configuration.
└── web ├── FUNCTION_SCRIPT ├── aIndex.asp ├── aconnected.asp ├── addPC.asp ├── adhcp_fail.asp ├── admin_activeDhcpClient.asp ├── admin_backrestore.asp ├── admin_logs.asp ├── admin_logs2.asp ├── admin_password.asp ├── admin_remotmang.asp ├── admin_restart.asp ├── admin_statistics.asp ├── admin_timezone.asp ├── admin_upgrade.asp ├── adv_alg.asp ├── adv_dmz.asp ├── adv_dos.asp ├── adv_firewal.asp ├── adv_igmp.asp ├── adv_portforward.asp ├── adv_staticrout.asp ├── adv_upnp.asp ├── adv_virtserver.asp ├── adv_wireless.asp ├── advanced_management.asp ├── afail.asp ├── apppoe.asp ├── conclusion.asp ├── conn_test.asp ├── connect_redirect.asp ├── connectmsg.asp ├── detect.asp ├── file │ ├── allasp-n.var │ ├── autowan.var │ ├── javascript.js │ ├── jquery-1.7.1.min.js │ ├── multilanguage.var │ ├── p6.gif │ └── set.css ├── graphics │ ├── ap_mode.jpg │ ├── ap_setup.gif │ ├── back-a.gif │ ├── banner.png │ ├── bg.jpg │ ├── bg1.jpg │ ├── cancel.png │ ├── check.png │ ├── dot-1.png │ ├── dot-2.png │ ├── loading.gif │ ├── logo.gif │ ├── no_connect.jpg │ ├── repeater_mode.jpg │ ├── repeater_setup.gif │ ├── router_mode.jpg │ ├── router_setup.gif │ ├── step1.jpg │ ├── step2.jpg │ ├── step3.jpg │ ├── step4.jpg │ └── wifi_24G.png ├── guest_wireless_basic.asp ├── hwsetup.asp ├── index.asp ├── index1.asp ├── inter_ddns.asp ├── inter_wan.asp ├── lan.asp ├── lan_ap.asp ├── last.asp ├── left_list.asp ├── left_list_ap.asp ├── left_list_rep.asp ├── main.asp ├── mdhcp.asp ├── mfail.asp ├── ml2tp.asp ├── mp.asp ├── mpppoe.asp ├── mpptp.asp ├── mstart.asp ├── mstatic.asp ├── msuccess.asp ├── probe.asp ├── qos.asp ├── qosadd.asp ├── redirect.asp ├── replace.asp ├── security_block.asp ├── security_block1.asp ├── set.css ├── setup_3wizard.asp ├── setup_3wizard_1.asp ├── setup_3wizard_2.asp ├── setup_3wizard_3.asp ├── setup_wizard.asp ├── status.asp ├── status_noInternet.asp ├── wifi.asp ├── wireless_access.asp ├── wireless_basic.asp ├── wireless_schedule.asp ├── wireless_wps.asp ├── wisp_wlsurvey.asp ├── wiz_3in1.asp ├── wiz_apmode1.asp ├── wiz_ip.asp ├── wiz_repeatermode1.asp ├── wiz_repeatermode2.asp ├── wizard_security.asp ├── wlClient.asp ├── wlWDS3_key.asp ├── wlWDS4_key.asp ├── wlWDS5_key.asp └── wlsurvey.asp
Port 80 User root ServerAdmin root@localhost ServerName "" DocumentRoot /web UserDir public_html DirectoryIndex index1.asp DirectoryMaker /usr/lib/boa/boa_indexer KeepAliveMax 1000 KeepAliveTimeout 10 MimeTypes /etc/boa/mime.types DefaultType text/plain AddType application/x-httpd-cgi asp Auth / /etc/boa/boa.passwd PidFile /var/run/webs.pid
In order to investigate further for vulnerabilities of these CGI methods, the GLP Source Code has been of great use, which is also availible in the product's download section. Using the GLP Source Code, the investigation started by looking into the C source code of the BOA server under RTL8196C_Edimax/AP/boa-0.94.14rc21/src/
.
Physical Intervention
SoC
The main processor, referred to as MCU here, is a REALTEK "RTL8196E" Soc and has a Thin Quad Flat Package (TQFP) with 128 leads on the side. Although this chip has a lead density of 24 leads/cm, it is still possible to hook up to them. This could also be used to intercept other information streams in and out of the MCU. Even if this in itself should not have a security risk in the actual use of the device! The MCU was only examined for the availability of an active UART.
UART
⚒
Bootloader
The RTL8196E's bootloader can be accessed by pressing ESC or the WPS button on boot. Entering "help" or any other command command results in a "Unknown command !" after any try.
Booting... ******************************************************************************** * * chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize * 0000000h 0c22016h 00000c2h 0000020h 0000016h 0000000h 0000016h 0400000h * blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName * 0010000h 0000040h 0001000h 0000400h 0000100h 0000010h 000004eh MX25L3205D * ******************************************************************************** ---RealTek(RTL8196E)at 2014.09.22-15:02+0800 v0.3 [16bit](380MHz) ---Dram16M_16Mx1_16bit, TRX Timing: [T:16 R:08] P0phymode=01, embedded phy Unknown command ! ls Unknown command ! help Unknown command ! HELP ? Unknown command ! IPCONFIG Unknown command !
Bootlog
Device in router-mode after a basic setup.
Booting... ******************************************************************************** * * chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize * 0000000h 0c22016h 00000c2h 0000020h 0000016h 0000000h 0000016h 0400000h * blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName * 0010000h 0000040h 0001000h 0000400h 0000100h 0000010h 000004eh MX25L3205D * ******************************************************************************** ---RealTek(RTL8196E)at 2014.09.22-15:02+0800 v0.3 [16bit](380MHz) ---Dram16M_16Mx1_16bit, TRX Timing: [T:16 R:08] decompressing kernel: Uncompressing Linux... done, booting the kernel. done decompressing kernel. Realtek WLAN driver - version 1.6 (2013-02-21) init started: BusyBox v1.11.1 (2015-09-24 13:24:39 CST) starting pid 9, tty '': '-/bin/sh' BusyBox v1.11.1 (2015-09-24 13:24:39 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. /bin/init.sh: /tmp/mssid.txt: line 5: wlan0-va0: not found kill: you need to specify whom to kill Close Wan Interface!! dhcp mtu >> 1500 Initialize WLAN interface >> 2.4G adaptivity enable !! DO 8192E IQK !!!! Done 8192E IQK !!!! [selsect txpower] Normal txpower [txpower] Current Channel : 1 [txpower] Enable Power Table [txpower] CE Power Table [txpower] 11b H->L rate index:4 [txpower] 11g H->L rate index:10 [txpower] 11n20M H->L rate index:10 [txpower] 11n40M H->L rate index:8 [txpower] 40/20M Setup BRIDGE interface ifconfig: ioctl 0x8913 failed: No such device ifconfig: ioctl 0x8913 failed: No such device bridge br0 doesn't exist; can't delete it Setup bridge... DO 8192E IQK !!!! Done 8192E IQK !!!! Static DHCP Leases disable! Setup WAN interface kill: you need to specify whom to kill Close Wan Interface!! >> WAN_MODE is 0 device eth1 is not a slave of br0 device eth0 is already a member of a bridge; can't enslave it to bridge br0. ********************************************************************** * Enable WSC_UPnP * ********************************************************************** ********************************************************************** * Enable LLTD * ********************************************************************** ********************************************************************** * Enable GPIO Interrupt * ********************************************************************** udhcpc (v1.11.1) started into eth1.deconfig Sending select for 192.168.86.40... Lease of 192.168.86.40 obtained, lease time 86400 killall: radiusd: no process killed RADIUS server disable !! ######## eth1.bound ######## cat: can't open '/tmp/pktmask': No such file or directory adding dns 192.168.86.1 route: ioctl 0x890c failed: No such process route: ioctl 0x890c failed: No such process deleting routers route: ioctl 0x890c failed: No such process Notice: caching turned off WiFi Simple Config v2.11-wps2.0 (2012.06.18-11:32+0000). ********************************************************************** * FREE Page,Dentries and Inodes Cache * ********************************************************************** IEEE 802.11f (IAPP) using interface br0 (v1.7) MemFree: 2648 kB Cached: 2204 kB killall: crond: no process killed Time server domain name=pool.ntp.org Time server address=195.186.4.100 boa: server version Boa/0.94.14rc21 boa: server built Sep 24 2015 at 13:24:36. boa: starting server pid=901, port 80 route: ioctl 0x890b failed: File exists route: ioctl 0x890b failed: File exists
Firmware
Download
Current Version
Note: The currently (18. April 2020) the official firmware version is v1.16. But, the version v1.17 is also downloadable.
Despite the fact that v1.17 seems to be the older version, which was created in October 2014 and the versions v.1.15 in Juli 2015 and v1.16 in September 2015.
Known Versions
BR-6428nC:
- v1.17: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.17.zip (Accessed 18. April 2020)
- v1.16: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.16.zip (Accessed 18. April 2020) (To revise CGI Vulnerability.)
- v1.15: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.15.zip (Accessed 18. April 2020)
- v1.07
Note: Search for other available firmware versions: wget https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/BR6428NC_v1.{0..50}.zip --max-redirect 0
Extraction
binwalk
or dd
with unsqushfs
was only partwise successfull. See the last approach using firmware-mod-kit for the best extraction option in this scenario.binwalk
usage.$ binwalk -Mre --dd=".*" BR6428NC_v1.16.bin Scan Time: 2020-04-26 20:46:12 Target File: ./Examination of Edimax devices/BR-6428nC/Firmware/BR6428NC_v1.16/BR6428NC_v1.16.bin MD5 Checksum: 3c06df588aefc9d5d21a9e1e746bf1e2 Signatures: 404 DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 325 0x145 LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes 465 0x1D1 LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes 509 0x1FD LZMA compressed data, properties: 0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes 11280 0x2C10 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2486272 bytes 720896 0xB0000 Squashfs filesystem, big endian, version 2.0, size: 1659674 bytes, 426 inodes, blocksize: 65536 bytes, created: 2015-09-24 05:25:50 [... 7400 more lines of recursive extraction ...] DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 1611576 0x189738 Certificate in DER format (x509 v3), header length: 4, sequence length: 130 2026624 0x1EEC80 Linux kernel version 2.4.18 2034184 0x1F0A08 Unix path: /usr/lib/libc.so.1
dd
then unsquahfs
.$ binwalk BR6428NC_v1.16.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 325 0x145 LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes 465 0x1D1 LZMA compressed data, properties: 0x88, dictionary size: 336068608 bytes, uncompressed size: 29696 bytes 509 0x1FD LZMA compressed data, properties: 0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes 11280 0x2C10 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2486272 bytes 720896 0xB0000 Squashfs filesystem, big endian, version 2.0, size: 1659674 bytes, 426 inodes, blocksize: 65536 bytes, created: 2015-09-24 05:25:50 $ dd if=BR6428NC_v1.16.bin skip=720896 bs=1 of=BR6428NC_v1.16.squashfs 1662978+0 records in 1662978+0 records out 1662978 bytes transferred in 6.229509 secs (266952 bytes/sec) $ file BR6428NC_v1.16.squashfs Squashfs filesystem, big endian, version 2.0, size: 1659674 bytes, 426 inodes, blocksize: 65536 bytes, created: 2015-09-24 05:25:50 $ unsquashfs BR6428NC_v1.16.squashfs Reading a different endian SQUASHFS filesystem on BR6428NC_v1.16.squashfs gzip uncompress failed with error code -3 read_block: failed to read block @0x195226 read_fragment_table: failed to read fragment table block File system corruption detected FATAL ERROR:failed to read file system tables
$ ./fimrware-extract BR6428NC_v1.16.bin [Output ommitted] $ tree ./fmk/ ./fmk/ ├── image_parts │ ├── header.img │ └── rootfs.img ├── logs │ ├── binwalk.log │ └── config.log └── rootfs ├── bin │ ├── BSrestoreChan.sh │ ├── QoS.sh │ ├── Radiusd.sh │ ├── accessctl.sh │ ├── alg.sh │ ├── ash -> busybox │ ├── auth │ ├── axhttpd │ ├── brctl │ ├── bridge.sh │ ├── busybox │ ├── cat -> busybox │ ├── chmod -> busybox │ ├── cleanlog.sh │ ├── connect.sh │ ├── connect_test.sh │ ├── cp -> busybox │ ├── create_l2tp_conf.sh │ ├── date -> busybox │ ├── date.sh │ ├── ddns.sh │ ├── debugMsg.sh │ ├── del-route.sh │ ├── detect_Link.sh │ ├── dhcpc.sh │ ├── dhcpd.sh │ ├── disconnect.sh │ ├── dnrd │ ├── dnrd.sh │ ├── duallaccess.sh │ ├── echo -> busybox │ ├── edx_cloud │ ├── ez-ipupdate │ ├── ezqos.sh │ ├── firewall.sh │ ├── fixedip.sh │ ├── flash │ ├── fping │ ├── getstatus.sh │ ├── grep -> busybox │ ├── hex_dec_convert │ ├── http_proxy.sh │ ├── hwset.sh │ ├── iapp │ ├── igmpproxy │ ├── init.sh │ ├── init_ap.sh │ ├── interrupt.sh │ ├── intrusion.sh │ ├── ip -> busybox │ ├── ipcalc -> busybox │ ├── iptables │ ├── ipup.sh │ ├── iwcontrol │ ├── iwpriv │ ├── kill -> busybox │ ├── killapp.sh │ ├── l2tp.sh │ ├── l2tp_2.sh │ ├── l2tpd │ ├── lanwanaccess.sh │ ├── lld2d │ ├── ln -> busybox │ ├── ls -> busybox │ ├── mini_upnpd │ ├── miniigd │ ├── miniupnp.sh │ ├── mkdir -> busybox │ ├── mknod -> busybox │ ├── mount -> busybox │ ├── mssid.sh │ ├── mssid2.sh │ ├── multidmz.sh │ ├── nbnsd │ ├── nbtscan │ ├── noip2 │ ├── parentalcontrol.sh │ ├── pidof -> busybox │ ├── ping -> busybox │ ├── pod.sh │ ├── portfw.sh │ ├── portscan.sh │ ├── pppd │ ├── pppoe │ ├── pppoe.sh │ ├── pppoeloop.sh │ ├── pptp │ ├── pptp.sh │ ├── pptpd.sh │ ├── ps -> busybox │ ├── radio_on_off.sh │ ├── rdisc │ ├── reboot.sh │ ├── reload │ ├── remote.sh │ ├── reset.sh │ ├── rftest.sh │ ├── rm -> busybox │ ├── run_iqv2.sh │ ├── saveiq.sh │ ├── savelog.sh │ ├── sch_reboot.sh │ ├── scriptlib.sh │ ├── scriptlib_util.sh │ ├── sdmzWanCheck.sh │ ├── seclog.sh │ ├── setdip.sh │ ├── setl2tp.sh │ ├── setpppoe.sh │ ├── setpptp.sh │ ├── setsip.sh │ ├── setssidmac.sh │ ├── setup │ ├── sh -> busybox │ ├── sleep -> busybox │ ├── sntp.sh │ ├── sntpclock │ ├── stcrout.sh │ ├── syn-flood.sh │ ├── syslog.sh │ ├── tc │ ├── touch -> busybox │ ├── triggerport.sh │ ├── txpower.sh │ ├── txpower_INDIA.sh │ ├── txpower_V3.sh │ ├── txpower_select.sh │ ├── upnp.sh │ ├── urlblocking.sh │ ├── urlname.sh │ ├── vlan.sh │ ├── vserver.sh │ ├── wan-status.sh │ ├── watchdog.sh │ ├── webs │ ├── wiz_dhcpc.sh │ ├── wlan.sh │ ├── wlan2band.sh │ ├── wlanScan.sh │ ├── wlan_scan │ ├── wlanapp.sh │ ├── wps.sh │ ├── wps_Led.sh │ ├── wps_daemon.sh │ ├── wpstool -> /bin/wps.sh │ └── wscd ├── dev │ ├── log -> /var/dev/log │ ├── pts │ ├── ptyp0 -> /var/dev/ptyp0 │ ├── ptyp1 -> /var/dev/ptyp1 │ └── ptyp2 -> /var/dev/ptyp2 ├── etc │ ├── boa │ │ ├── boa.conf │ │ ├── boa.passwd │ │ └── mime.types │ ├── compiler_date │ ├── config.bin │ ├── dnrd │ │ └── master -> /etc/hosts │ ├── fstab │ ├── group │ ├── host.conf │ ├── hosts -> /var/hosts │ ├── icon.ico │ ├── init.d │ │ └── rcS │ ├── inittab │ ├── iproute2 │ │ ├── rt_dsfield │ │ ├── rt_protos │ │ ├── rt_realms │ │ ├── rt_scopes │ │ └── rt_tables │ ├── l2tpd │ ├── linuxigd -> /var/linuxigd │ ├── passwd │ ├── ppp -> /var/ppp │ ├── ppp.ro │ │ ├── ip-down │ │ └── ip-up │ ├── profile │ ├── protocols │ ├── resolv.conf -> /var/resolv.conf │ ├── resolv1.conf -> /var/resolv1.conf │ ├── resolv2.conf -> /var/resolv2.conf │ ├── services │ ├── simplecfg -> /var/wps │ ├── simplecfgservice.xml │ ├── svn_info │ ├── tmp │ │ ├── picsdesc.skl │ │ └── picsdesc.xml │ ├── udhcpc │ │ ├── br0.bound │ │ ├── br0.bound.ga │ │ ├── br0.deconfig -> /var/udhcpc/br0.deconfig │ │ ├── br0.leasefail │ │ ├── br0.sh │ │ ├── eth0.bound │ │ ├── eth0.deconfig │ │ ├── eth0.sh │ │ ├── eth1.bound │ │ ├── eth1.deconfig -> /var/udhcpc/eth1.deconfig │ │ ├── eth1.leasefail │ │ ├── eth1.sh │ │ ├── resolv.conf -> /var/udhcpc/resolv.conf │ │ ├── wlan0-vxd.bound │ │ ├── wlan0-vxd.deconfig -> /var/udhcpc/wlan0-vxd.deconfig │ │ ├── wlan0-vxd.sh │ │ ├── wlan0.bound │ │ ├── wlan0.deconfig -> /var/udhcpc/wlan0.deconfig │ │ ├── wlan0.leasefail │ │ ├── wlan0.sh │ │ ├── wlan1.bound │ │ ├── wlan1.deconfig -> /var/udhcpc/wlan1.deconfig │ │ ├── wlan1.leasefail │ │ └── wlan1.sh │ ├── version │ └── wscd.conf ├── lib │ ├── ld-uClibc.so.0 │ ├── libc.so.0 │ ├── libcrypt.so.0 │ ├── libdl.so.0 │ ├── libgcc_s_4181.so.1 │ ├── libm.so.0 │ ├── libpthread.so.0 │ ├── libresolv.so.0 │ └── mini_upnp.so ├── linuxrc -> bin/busybox ├── proc ├── sbin │ ├── chat │ ├── halt -> ../bin/busybox │ ├── ifconfig -> ../bin/busybox │ ├── init -> ../bin/busybox │ ├── logread -> ../bin/busybox │ ├── poweroff -> ../bin/busybox │ ├── reboot -> ../bin/busybox │ ├── route -> ../bin/busybox │ ├── syslogd -> ../bin/busybox │ └── udhcpc -> ../bin/busybox ├── tmp -> /var ├── usr │ ├── bin │ │ ├── arping -> ../../bin/busybox │ │ ├── basename -> ../../bin/busybox │ │ ├── cut -> ../../bin/busybox │ │ ├── expr -> ../../bin/busybox │ │ ├── head -> ../../bin/busybox │ │ ├── killall -> ../../bin/busybox │ │ ├── tail -> ../../bin/busybox │ │ ├── top -> ../../bin/busybox │ │ ├── tr -> ../../bin/busybox │ │ └── wc -> ../../bin/busybox │ ├── lib │ ├── sbin │ │ ├── crond -> ../../bin/busybox │ │ ├── pppd -> /bin/pppd │ │ └── udhcpd -> ../../bin/busybox │ └── share ├── var │ ├── etc │ │ └── mtab │ ├── lib │ │ └── misc │ ├── lock │ ├── log │ │ └── messages │ ├── run │ │ └── utmp │ └── state │ └── dhcp │ └── dhcpd.leases └── web ├── FUNCTION_SCRIPT ├── aIndex.asp ├── aconnected.asp ├── addPC.asp ├── adhcp_fail.asp ├── admin_activeDhcpClient.asp ├── admin_backrestore.asp ├── admin_logs.asp ├── admin_logs2.asp ├── admin_password.asp ├── admin_remotmang.asp ├── admin_restart.asp ├── admin_statistics.asp ├── admin_timezone.asp ├── admin_upgrade.asp ├── adv_alg.asp ├── adv_dmz.asp ├── adv_dos.asp ├── adv_firewal.asp ├── adv_igmp.asp ├── adv_portforward.asp ├── adv_staticrout.asp ├── adv_upnp.asp ├── adv_virtserver.asp ├── adv_wireless.asp ├── advanced_management.asp ├── afail.asp ├── apppoe.asp ├── conclusion.asp ├── conn_test.asp ├── connect_redirect.asp ├── connectmsg.asp ├── detect.asp ├── file │ ├── allasp-n.var │ ├── autowan.var │ ├── javascript.js │ ├── jquery-1.7.1.min.js │ ├── multilanguage.var │ ├── p6.gif │ └── set.css ├── graphics │ ├── ap_mode.jpg │ ├── ap_setup.gif │ ├── back-a.gif │ ├── banner.png │ ├── bg.jpg │ ├── bg1.jpg │ ├── cancel.png │ ├── check.png │ ├── dot-1.png │ ├── dot-2.png │ ├── loading.gif │ ├── logo.gif │ ├── no_connect.jpg │ ├── repeater_mode.jpg │ ├── repeater_setup.gif │ ├── router_mode.jpg │ ├── router_setup.gif │ ├── step1.jpg │ ├── step2.jpg │ ├── step3.jpg │ ├── step4.jpg │ └── wifi_24G.png ├── guest_wireless_basic.asp ├── hwsetup.asp ├── index.asp ├── index1.asp ├── inter_ddns.asp ├── inter_wan.asp ├── lan.asp ├── lan_ap.asp ├── last.asp ├── left_list.asp ├── left_list_ap.asp ├── left_list_rep.asp ├── main.asp ├── mdhcp.asp ├── mfail.asp ├── ml2tp.asp ├── mp.asp ├── mpppoe.asp ├── mpptp.asp ├── mstart.asp ├── mstatic.asp ├── msuccess.asp ├── probe.asp ├── qos.asp ├── qosadd.asp ├── redirect.asp ├── replace.asp ├── security_block.asp ├── security_block1.asp ├── set.css ├── setup_3wizard.asp ├── setup_3wizard_1.asp ├── setup_3wizard_2.asp ├── setup_3wizard_3.asp ├── setup_wizard.asp ├── status.asp ├── status_noInternet.asp ├── wifi.asp ├── wireless_access.asp ├── wireless_basic.asp ├── wireless_schedule.asp ├── wireless_wps.asp ├── wisp_wlsurvey.asp ├── wiz_3in1.asp ├── wiz_apmode1.asp ├── wiz_ip.asp ├── wiz_repeatermode1.asp ├── wiz_repeatermode2.asp ├── wizard_security.asp ├── wlClient.asp ├── wlWDS3_key.asp ├── wlWDS4_key.asp ├── wlWDS5_key.asp └── wlsurvey.asp
Exposures
root:x:0:0:root:/root:/bin/sh bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: uucp:x:10:14:uucp:/var/spool/uucp: operator:x:11:0:operator:/root: games:x:12:100:games:/usr/games: gopher:x:13:30:gopher:/usr/lib/gopher-data: ftp:x:14:50:FTP User:/var/ftp: nobody:x:99:99:Nobody:/: nscd:x:28:28:NSCD Daemon:/:/bin/false mailnull:x:47:47::/var/spool/mqueue:/dev/null ident:x:98:98:pident user:/:/bin/false rpc:x:32:32:Portmapper RPC user:/:/bin/false rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false john:x:500:500:John Huang:/home/john:/bin/tcsh dliu:x:501:501::/home/dliu:/bin/tcsh odysseus:x:502:502::/home/odysseus:/bin/tcsh ygtai:x:503:503::/home/ygtai:/bin/tcsh hcjong:x:504:504::/home/hcjong:/bin/tcsh rpm:x:37:37::/var/lib/rpm:/bin/bash ntp:x:38:38::/etc/ntp:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin radvd:x:75:75:radvd user:/:/bin/false postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash apache:x:48:48:Apache:/var/www:/bin/false squid:x:23:23::/var/spool/squid:/dev/null named:x:25:25:Named:/var/named:/bin/false pcap:x:77:77::/var/arpwatch:/bin/nologin ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
shadow
file has been found.Path: . URL: svn+ssh://KenZhang@192.168.1.24/home/svn-root/products/router2/RTL8196C_Edimax Repository Root: svn+ssh://KenZhang@192.168.1.24/home/svn-root/products/router2/RTL8196C_Edimax Repository UUID: 2e6af85d-bad3-47ab-a8a2-a8c7726efec4 Revision: 450 Node Kind: directory Schedule: normal Last Changed Author: KenZhang Last Changed Rev: 450 Last Changed Date: 2015-09-24 12:00:23 +0800 (Thu, 24 Sep 2015)
shadow
file has been found.GPL Source Code
The GPL Source code is available on the Edimax Product Download section.
<nowiki>$ tree -L 3
. ├── 20151006_RTL8196C_Edimax_Edimax_GPL.tar.gz ├── 20151006_RTL8196C_Edimax_Edimax_GPL_md5.txt ├── 20151006_RTL8196C_Edimax_Edimax_GPL_readme.txt └── RTL8196C_Edimax
├── AP │ ├── DoApp.sh │ ├── Edimax_Cloud │ ├── RTL8196E_1200 │ ├── axTLS │ ├── boa-0.94.14rc21 │ ├── bridge-utils │ ├── busybox-1.11.1 │ ├── clockspeed-0.62 │ ├── dnrd-2.20.3_hijack │ ├── etc.rootfs │ ├── ez-ipupdate-3.0.10 │ ├── fping-2.4b2_interface │ ├── hex_dec_convert │ ├── igmpproxy │ ├── iproute2-2.4.7 │ ├── iptables-1.3.8 │ ├── iputils │ ├── l2tpd │ ├── lltd │ ├── mkimg │ ├── nbtscan-1.5.1a │ ├── netbios │ ├── noip-2.1.9-1 │ ├── ppp-2.4.2 │ ├── pptp-1.31 │ ├── rp-l2tp-0.4 │ ├── rp-pppoe-3.5 │ ├── script │ ├── var │ ├── wget-1.10 │ ├── wireless_tools.25 │ ├── wlan_scan │ └── xl2tpd-1.2.4 ├── BUILD.sh ├── COMPILING-SCRIPT.sh ├── PREPARE.sh ├── RobertGPL1.sh ├── boards │ └── rtl8196c ├── boot-source │ ├── bootcode_rtl8196d │ ├── bootcode_rtl8196d_EdimaxBootUpgrade │ └── rtl8196c-bootcode-1.0a ├── cleanSvn.sh ├── define │ ├── PATH_RTL8196E_1200_SDK12L │ └── usb_support.conf ├── generateGpl1 ├── image │ ├── DoImage.sh │ ├── Upgrade.sh │ ├── autoCks.c │ ├── boot-SPI-16M-16BIT-SDRAM-6228NSv2BootUpgrade │ ├── boot-SPI-16M-16BIT-SDRAM-6228NSv2BootUpgrade.bin │ ├── boot-SPI-16M-16BIT-SDRAM-6428NSv2BootUpgrade │ ├── boot-SPI-16M-16BIT-SDRAM-6428NSv2BootUpgrade.bin │ ├── mgbin │ ├── mkimage │ ├── swapHL │ └── swapHL.c ├── linux-2.4.18_1200_96E_SDK12L │ ├── COPYING │ ├── CREDITS │ ├── DoLinux.sh │ ├── Documentation │ ├── MAINTAINERS │ ├── Makefile │ ├── README │ ├── REPORTING-BUGS │ ├── Rules.make │ ├── arch │ ├── drivers │ ├── fs │ ├── include │ ├── init │ ├── ipc │ ├── kernel │ ├── lib │ ├── mk │ ├── mm │ ├── net │ ├── rtk_voip │ ├── rtkload │ └── scripts ├── porting_sdk.txt ├── set_app_defined.sh ├── set_compiler_condition.sh └── toolchain ├── clean-space ├── rtl8196c-toolchain-1.1.tar.gz └── tools