Routers are basically embedded devices (or systems), and most modern routers run on Linux. Think of one as a mini computer that has its own CPU, storage, RAM, Ethernet ports, a WiFi chipset, and optionally a USB port.
Functionally these are single board computers similar to a Raspberry Pi. The software that runs on such devices is often called firmware, which is a smaller version of a full-size operating system.
Firmware is different from a full OS install in many ways. Vendor-provided firmware is often "static", meaning it is actually a single large executable image that starts running right when you power on your router.
It comes in the form of a ".bin" file, which is usually what you download when you upgrade your firmware. For example, this is how a firmware file name could look:
2021.12.02-10.43_DIR_825I_RT8197G_WW_1.0.4_release.bin
Think of it as a single executable file that runs your entire operating system. This file contains the Linux kernel, device drivers and everything else needed to run the system.
Embedded devices like routers have constraints on storage space and RAM, hence everything is compressed in order to make it fit.
How to check system and hardware details
In this article we shall take a quick look at how to check the hardware information on a router from the SSH shell. For the sake of this article, we shall be using this router: D-Link DIR-825 HW:I1. It's one of those many obscure routers from D-Link that have not been documented properly.
Enable ssh and login
The first thing you need to do is enable SSH login from the web admin panel.
Once SSH has been enabled, try logging in with your admin username/password. You would need to disable host key checking in order to connect:
ssh -o StrictHostKeyChecking=no admin@192.168.0.1
This is what I get when I run the command on my D-Link router:
$ ssh -o StrictHostKeyChecking=no admin@192.168.0.1
admin@192.168.0.1's password:
BusyBox v1.31.1 (2021-12-02 11:12:53 MSK) built-in shell (ash)
admin@DIR_825I_RT8197G_WW:~$
Right after connecting we can see some useful details like:
- BusyBox v1.31.1
- DIR_825I_RT8197G_WW
- built-in shell (ash)
To know what shell program is being used, echo the $SHELL environment variable:
admin@DIR_825I_RT8197G_WW:~$ echo $SHELL
/bin/sh
admin@DIR_825I_RT8197G_WW:~$ sh --version
BusyBox v1.31.1 (2021-12-02 11:12:53 MSK) built-in shell (ash)
admin@DIR_825I_RT8197G_WW:~$
Check Busybox
This router uses BusyBox to provide the Linux commands in a compact way. If we simply run the busybox command, it will tell us what commands (applets) are supported in the current installation:
admin@DIR_825I_RT8197G_WW:~$ busybox
BusyBox v1.31.1 (2021-12-02 11:12:53 MSK) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list
   or: function [arguments]...

    BusyBox is a multi-call binary that combines many common Unix
    utilities into a single executable.  Most people will create a
    link to busybox for each function they wish to use and BusyBox
    will act like whatever it was invoked as.

Currently defined functions:
    [, [[, arping, ash, basename, bash, brctl, cat, clear, cp, date, dd, dmesg, echo, false, free, fuser, grep, gunzip, gzip, hexdump, ifconfig, insmod, ip, ipaddr, ipcrm, ipcs, iplink, ipneigh, iproute, iprule, iptunnel, kill, killall, klogd, ln, logger, login, logread, ls, lsmod, md5sum, mkdir, modprobe, mount, mv, nc, nice, nslookup, ntpd, passwd, ping, ping6, poweroff, ps, pstree, reboot, rm, rmmod, sh, sleep, su, syslogd, tail, tar, telnetd, test, top, touch, traceroute, traceroute6, true, udhcpc, umount, uptime, vi
admin@DIR_825I_RT8197G_WW:~$
A lot of the commands are actually just symlinks to the busybox binary, which can be verified like this:
admin@DIR_825I_RT8197G_WW:~$ ls -la bin
drwxr-xr-x    2 root     system         748 .
drwxr-xr-x   18 root     system         301 ..
-rwxr-xr-x    1 root     system       19104 UDPserver
lrwxrwxrwx    1 root     system           7 ash -> busybox
-rwxr-xr-x    1 root     system      117472 auth
lrwxrwxrwx    1 root     system           7 bash -> busybox
-rwsr-xr-x    1 root     system      379484 busybox
-rwxr-xr-x    1 root     system          94 cal
lrwxrwxrwx    1 root     system           7 cat -> busybox
-rwxr-xr-x    1 root     system         515 check_leaks
lrwxrwxrwx    1 root     system           7 cp -> busybox
...
Note the arrow pointing to busybox, which means it's a link. Note also the s in busybox's own permission bits (-rwsr-xr-x): the binary is setuid root.
Environment Variables
On a typical Linux system we can use the env/printenv commands to print the environment variables, but they are not available here.
Instead, the set command was able to print the environment variables:
admin@DIR_825I_RT8197G_WW:~$ set
HOME='/'
HOSTNAME='DIR_825I_RT8197G_WW'
IFS=' '
LD_LIBRARY_PATH='/lib:/lib/private:/usr/lib'
LINENO=''
LOGNAME='admin'
OLDPWD='/'
OPTIND='1'
PATH='/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin'
PPID='1912'
PS1='\[3[36m\]\u\[3[m\]@\[3[32m\]\h:\[3[33;1m\]\w\[3[m\]$ '
PS2='> '
PS4='+ '
PWD='/'
SHELL='/bin/sh'
SSH_CLIENT='192.168.0.135 39828 22'
SSH_CONNECTION='192.168.0.135 39828 192.168.0.1 22'
SSH_TTY='/dev/pts/0'
TERM='xterm-256color'
USER='admin'
_='/'
admin@DIR_825I_RT8197G_WW:~$
File System and Directories
Directories in root /:
admin@DIR_825I_RT8197G_WW:~$ ls -la
drwxr-xr-x   18 root     system         301 .
drwxr-xr-x   18 root     system         301 ..
-rw-r--r--    1 root     system         236 VERSION
drwxr-xr-x    2 root     system         748 bin
drwxr-xr-x    2 root     system           3 boot
drwxr-xr-x    6 root     system        1772 dev
drwxr-xr-x    7 root     system         804 etc
drwxr-xr-x    2 root     system           3 home
drwxr-xr-x    3 root     system         645 lib
lrwxrwxrwx    1 root     system           3 lib32 -> lib
lrwxrwxrwx    1 root     system           3 lib64 -> lib
lrwxrwxrwx    1 root     system           8 mnt -> /tmp/mnt
drwxr-xr-x    2 root     system           3 opt
dr-xr-xr-x   79 root     system           0 proc
drwx------    2 root     system          77 root
drwxr-xr-x    2 root     system         495 sbin
drwxr-xr-x    3 root     system          30 share
drwxr-xr-x    3 root     system          28 srv
drwxr-xr-x    2 root     system           3 storage
dr-xr-xr-x   11 root     system           0 sys
drwxrwxrwt   16 root     system           0 tmp
drwxr-xr-x    7 root     system         115 usr
lrwxrwxrwx    1 root     system           8 var -> /tmp/var
admin@DIR_825I_RT8197G_WW:~$
There is a file named VERSION which has some useful details:
admin@DIR_825I_RT8197G_WW:~$ cat VERSION
NAME: DIR_825I_RT8197G_WW
VERSION: 1.0.4
DATAMODEL: 2.100.0
SYSBUILDTIME: Thu Dec 2 10:43:54 MSK 2021
VENDOR: D-Link Russia
BUGS:
SUMMARY: Root filesystem image for DIR_825I_RT8197G_WW
admin@DIR_825I_RT8197G_WW:~$
The NAME string contains the name of the firmware installed: DIR_825I_RT8197G_WW
The VERSION string is the firmware version installed on this D-Link router. It had 1.0.2 when purchased, then was upgraded to 1.0.4.
Linux Version
admin@DIR_825I_RT8197G_WW:~$ cat /proc/version
Linux version 3.10.90+ (jenkins@jrdslave2) (gcc version 7.4.0 (crosstool-NG 1.24.0-rc3) ) #1 Thu Dec 2 10:56:24 MSK 2021
admin@DIR_825I_RT8197G_WW:~$
It seems it is running Linux kernel version 3.10.90, built with GCC 7.4.0 from a crosstool-NG toolchain.
Hostname
admin@DIR_825I_RT8197G_WW:~$ cat /etc/hostname
DIR_825I_RT8197G_WW
admin@DIR_825I_RT8197G_WW:~$
List of available commands
Most of the executable programs can be found in the following locations:
- /bin/
- /sbin/
- /usr/bin/
- /usr/sbin/
admin@DIR_825I_RT8197G_WW:~$ ls /bin
UDPserver cat echo gzip ls map_reinit nice sh uboot.img ash check_leaks false iapp map_agent map_reset ping sleep umount auth cp flush_iptables iwcontrol map_checker mkdir ping6 su urlfilterd bash date flush_iptables6 kill map_controller mount pptp tar vi busybox dd grep ln map_delayed_pbc mv ps touch wscd cal dmesg gunzip login map_init nand_dump_iso rm true
admin@DIR_825I_RT8197G_WW:~$
admin@DIR_825I_RT8197G_WW:~$ ls /sbin/
chat hotplug insmod iplink iprule iwgetid iwspy lsmod mount.ntfs-3g pppoe-relay syslogd d_init ifconfig ip ipneigh iptunnel iwlist klogd miniupnpd poweroff reboot tr069 ebtables init ipaddr iproute iwconfig iwpriv logread modprobe pppd rmmod udhcpc
admin@DIR_825I_RT8197G_WW:~$
admin@DIR_825I_RT8197G_WW:~$ ls usr/sbin/
anweb dnsmasq emergency_mode ip6tables-save iptables-restore minidlnad ntpd ripngd xtables-multi arping drop_caches inadyn iperf3 iptables-save nfnl_osf p910nd telnetd zebra brctl dropbear ip6tables ipsec locdns notify_all pure-ftpd usb_modeswitch zic deuteron dschedctl ip6tables-restore iptables mfc ntfs-3g ripd xl2tpd
admin@DIR_825I_RT8197G_WW:~$
admin@DIR_825I_RT8197G_WW:~$ ls usr/bin/
[ dmsc flac improxy lsusb nvramctl smbd top [[ dmsc_interpreter flash ipcrm md5sum odhcp6c smbpasswd traceroute basename dmsc_lua free ipcs metaflac passwd ssh traceroute6 button_test dnsmasq_script fuser iptables-xml mtd_write ppp_wrapper sslsplit transmission-daemon clear dropbearconvert fw_upgrade killall nc pstree tail um dbclient dropbearkey hexdump libusb-config nmbd samba_multicall test uptime dlinkwatcher dsysctl igmpx logger nslookup scp tinysvcmdns usbinfo
admin@DIR_825I_RT8197G_WW:~$
CPU Details
Most of the usual hardware detail commands are not available on this embedded Linux environment. Hence we have to use the /proc/ directory to get hardware information. The CPU details can be found inside /proc/cpuinfo:
$ cat /proc/cpuinfo
system type             : RTL8197FH-VG5
machine                 : 8197G(PA=0) 8812F(PA=0) 8367R USB NAND RAM=128
processor               : 0
cpu model               : MIPS 24Kc V8.5
BogoMIPS                : 666.41
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0000, 0x0ffc, 0x01b0, 0x06cb]
isa                     : mips1 mips2 mips32r2
ASEs implemented        : mips16
shadow register sets    : 4
kscratch registers      : 0
core                    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
admin@DIR_825I_RT8197G_WW:~$
Doing a quick search on Google for RTL8197FH-VG5 shows the following page:
https://www.realtek.com/en/products/communications-network-ics/item/rtl8197f
The page mentions details about the chip.
The Realtek RTL8197F is a highly-integrated and feature-rich 2T2R 802.11b/g/n WiSoC. It integrates a high performance 1GHz MIPS24Kc processor, 2T2R 802.11b/g/n MAC/BB/RF, PCI Express, five-port Fast Ethernet switch with RGMII, USB2.0 controller, DRAM and flash memory controller, and useful peripheral interfaces. The RTL8197F delivers high-performance with low power consumption for applications such as 11ac dual band smart routers, IoT gateway, VPN gateway, VoIP gateway, Network Storage, LTE routers etc.
This is basically a WiSoC (WiFi System-on-Chip) from Realtek which combines a CPU, WiFi chipset, USB controller, Ethernet controller and a few other things all in a single chip.
This CPU is based on the MIPS 24Kc V8.5 architecture, compared to your desktop/laptop PC CPUs that are based on the x86_64 architecture. MIPS is a RISC ISA, and according to the list provided by OpenWrt it is used by a lot of the SoCs found across routers.
So basically if you want to build your own firmware, it has to be compiled for this MIPS 24Kc architecture in order to run on the RTL8197FH SoC.
Memory/RAM Details
The RAM details can be checked using the free command. It reports values close to 128 MB.
admin@DIR_825I_RT8197G_WW:~$ free
              total        used        free      shared  buff/cache   available
Mem:         106272       25172       64620           0       16480           0
-/+ buffers/cache:        25172       81100
Swap:             0           0           0
admin@DIR_825I_RT8197G_WW:~$
Another way to check memory details:
admin@DIR_825I_RT8197G_WW:~$ cat /proc/meminfo
MemTotal:         106272 kB
MemFree:           64408 kB
Buffers:            4132 kB
Cached:            12408 kB
SwapCached:            0 kB
Active:            11468 kB
Inactive:           9680 kB
Active(anon):       4608 kB
Inactive(anon):        0 kB
Active(file):       6860 kB
Inactive(file):     9680 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          4628 kB
Mapped:             3900 kB
Shmem:                 0 kB
Slab:               9428 kB
SReclaimable:       1112 kB
SUnreclaim:         8316 kB
KernelStack:         992 kB
PageTables:          348 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       53136 kB
Committed_AS:      29588 kB
VmallocTotal:    1048372 kB
VmallocUsed:         216 kB
VmallocChunk:    1041076 kB
admin@DIR_825I_RT8197G_WW:~$
So this confirms the total memory visible to the system is around 106272 KB, roughly 103 MB (the kernel reserves part of the 128 MB physical RAM).
Note that commands like lshw, lspci, fdisk, lsblk, blkid, hwinfo, df and file are not available on this router's Linux system:
admin@DIR_825I_RT8197G_WW:~$ lshw
sh: lshw: not found
admin@DIR_825I_RT8197G_WW:~$ lspci
sh: lspci: not found
admin@DIR_825I_RT8197G_WW:~$ fdisk
sh: fdisk: not found
admin@DIR_825I_RT8197G_WW:~$ lsblk
sh: lsblk: not found
admin@DIR_825I_RT8197G_WW:~$ blkid
sh: blkid: not found
admin@DIR_825I_RT8197G_WW:~$ hwinfo
sh: hwinfo: not found
admin@DIR_825I_RT8197G_WW:~$ df
sh: df: not found
admin@DIR_825I_RT8197G_WW:~$ file
sh: file: not found
Disk Partitions
Just like a normal computer, this embedded device also has a storage device. We need to query the /proc/partitions file for disk and partition details:
admin@DIR_825I_RT8197G_WW:~$ cat /proc/partitions
major minor  #blocks  name

  31        0       4096 mtdblock0
  31        1       2048 mtdblock1
  31        2       2048 mtdblock2
  31        3       2560 mtdblock3
  31        4       8576 mtdblock4
  31        5      50688 mtdblock5
  31        6     131072 mtdblock6
  31        7       8192 mtdblock7
  31        8       2560 mtdblock8
  31        9       8576 mtdblock9
  31       10      50688 mtdblock10
admin@DIR_825I_RT8197G_WW:~$
The third column is the size of the partition in KiB. The partitions are actually nested (some lie inside another).
In this example it's a 128 MiB flash storage containing all the other partitions. Note the partition at index 6:
  31        6     131072 mtdblock6
The /proc/mtd entry shows the label of each of the partitions:
admin@DIR_825I_RT8197G_WW:~$ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00400000 00020000 "boot"
mtd1: 00200000 00020000 "MAC"
mtd2: 00200000 00020000 "config"
mtd3: 00280000 00020000 "kernel"
mtd4: 00860000 00020000 "rootfs"
mtd5: 03180000 00020000 "Linux"
mtd6: 08000000 00020000 "ALL"
mtd7: 00800000 00020000 "reserved"
mtd8: 00280000 00020000 "kernel (bank2)"
mtd9: 00860000 00020000 "rootfs (bank2)"
mtd10: 03180000 00020000 "Linux (bank2)"
admin@DIR_825I_RT8197G_WW:~$
The size column indicates the size of each partition in bytes, in hexadecimal.
mtd6 - The "ALL" partition size is 0x8000000 bytes = 134,217,728 bytes = 128 MiB.
mtd0 - 4 MiB - has the U-Boot bootloader program.
Note the "(bank2)" entries: the flash carries a second copy of the kernel and rootfs partitions, a common dual-bank layout used for firmware upgrades.
With the dmesg command the start and end offset of each partition is reported. You have to search through the output for it, though:
<5>11 dlinkpart partitions found on MTD device rtk_nand
<5>Creating 11 MTD partitions on "rtk_nand":
<5>0x000000000000-0x000000400000 : "boot"
<5>0x000000400000-0x000000600000 : "MAC"
<5>0x000000600000-0x000000800000 : "config"
<5>0x000000800000-0x000000a80000 : "kernel"
<5>0x000000a80000-0x0000012e0000 : "rootfs"
<5>0x000000800000-0x000003980000 : "Linux"
<5>0x000000000000-0x000008000000 : "ALL"
<5>0x000003980000-0x000004180000 : "reserved"
<5>0x000004180000-0x000004400000 : "kernel (bank2)"
<5>0x000004400000-0x000004c60000 : "rootfs (bank2)"
<5>0x000004180000-0x000007300000 : "Linux (bank2)"
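To tie the three views together, here is an added example (my own script, not from the article or the vendor) that cross-checks the hex sizes in /proc/mtd against the KiB blocks in /proc/partitions and works out the nesting from the dmesg offsets. The samples are constructed from the values above (a subset), and the script uses only shell builtins plus printf, since this BusyBox build has no awk or sed.

```shell
#!/bin/sh
# Added example, not part of the original article: cross-check the flash layout
# from the three views read by hand above (/proc/mtd, /proc/partitions, dmesg).
# Only shell builtins and printf are used, because the BusyBox build on this
# router ships no awk or sed. The samples are constructed from the article's
# values (a subset); on the device feed it the real files instead.

MTD_SAMPLE='dev:    size   erasesize  name
mtd0: 00400000 00020000 "boot"
mtd1: 00200000 00020000 "MAC"
mtd3: 00280000 00020000 "kernel"
mtd4: 00860000 00020000 "rootfs"
mtd5: 03180000 00020000 "Linux"
mtd6: 08000000 00020000 "ALL"'

PART_SAMPLE='major minor  #blocks  name
  31        0       4096 mtdblock0
  31        1       2048 mtdblock1
  31        3       2560 mtdblock3
  31        4       8576 mtdblock4
  31        5      50688 mtdblock5
  31        6     131072 mtdblock6'

DMESG_SAMPLE='<5>0x000000000000-0x000000400000 : "boot"
<5>0x000000400000-0x000000600000 : "MAC"
<5>0x000000800000-0x000000a80000 : "kernel"
<5>0x000000a80000-0x0000012e0000 : "rootfs"
<5>0x000000800000-0x000003980000 : "Linux"
<5>0x000000000000-0x000008000000 : "ALL"'

# Byte size of block device NAME from the /proc/partitions view (field 3 is KiB).
part_bytes() {
    printf '%s\n' "$PART_SAMPLE" | while read -r major minor blocks name; do
        if [ "$name" = "$1" ]; then echo $((blocks * 1024)); fi
    done
}

# One line per /proc/mtd entry: "mtdN name KiB OK|MISMATCH", comparing the hex
# size in /proc/mtd with the KiB block count of the matching mtdblockN.
check_sizes() {
    printf '%s\n' "$MTD_SAMPLE" | while read -r dev size erase name; do
        case $dev in mtd[0-9]*:) ;; *) continue ;; esac   # skip the header line
        dev=${dev%:}
        name=${name#\"}; name=${name%\"}
        mtd=$((0x$size))
        blk=$(part_bytes "mtdblock${dev#mtd}")
        if [ "$mtd" = "$blk" ]; then status=OK; else status=MISMATCH; fi
        echo "$dev $name $((mtd / 1024)) KiB $status"
    done
}

# Decimal "START END" of partition NAME from the dmesg partition lines.
range_of() {
    while read -r range colon name; do
        name=${name#\"}; name=${name%\"}
        if [ "$name" = "$1" ]; then
            range=${range#*>}                       # drop the <5> log-level prefix
            echo "$((${range%-*})) $((${range#*-}))"
        fi
    done <<EOF
$DMESG_SAMPLE
EOF
}

# Names of every partition that wholly contains NAME, i.e. the nesting the
# article points out: "rootfs" lies inside both "Linux" and "ALL".
enclosing() {
    target=$1
    set -- $(range_of "$target")                    # $1 = start, $2 = end
    [ -n "$2" ] || { echo "unknown partition: $target" >&2; return 1; }
    found=
    while read -r range colon name; do
        name=${name#\"}; name=${name%\"}
        range=${range#*>}
        s=$((${range%-*})); e=$((${range#*-}))
        if [ "$name" != "$target" ] && [ "$s" -le "$1" ] && [ "$e" -ge "$2" ]; then
            found="$found${found:+ }$name"
        fi
    done <<EOF
$DMESG_SAMPLE
EOF
    echo "$found"
}

check_sizes
for p in boot kernel rootfs Linux ALL; do
    echo "$p is contained in: $(enclosing "$p")"
done
```

A MISMATCH line would mean the block device and the MTD table disagree about a partition, which is worth investigating before reading or writing any mtdblock device.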
Partition of root file system
admin@DIR_825I_RT8197G_WW:~$ dmesg | grep -i mtd
<5>Kernel command line: console=ttyS0,38400 root=/dev/mtdblock4
<5>11 dlinkpart partitions found on MTD device rtk_nand
<5>Creating 11 MTD partitions on "rtk_nand":
admin@DIR_825I_RT8197G_WW:~$
admin@DIR_825I_RT8197G_WW:~$ cat /proc/diskstats
   7       0 loop0 0 0 0 0 0 0 0 0 0 0 0
   7       1 loop1 0 0 0 0 0 0 0 0 0 0 0
   7       2 loop2 0 0 0 0 0 0 0 0 0 0 0
   7       3 loop3 0 0 0 0 0 0 0 0 0 0 0
   7       4 loop4 0 0 0 0 0 0 0 0 0 0 0
   7       5 loop5 0 0 0 0 0 0 0 0 0 0 0
   7       6 loop6 0 0 0 0 0 0 0 0 0 0 0
   7       7 loop7 0 0 0 0 0 0 0 0 0 0 0
  31       0 mtdblock0 0 0 0 0 0 0 0 0 0 0 0
  31       1 mtdblock1 0 0 0 0 0 0 0 0 0 0 0
  31       2 mtdblock2 0 0 0 0 0 0 0 0 0 0 0
  31       3 mtdblock3 0 0 0 0 0 0 0 0 0 0 0
  31       4 mtdblock4 154 3892 8092 3440 0 0 0 0 0 3440 3440
  31       5 mtdblock5 0 0 0 0 0 0 0 0 0 0 0
  31       6 mtdblock6 0 0 0 0 0 0 0 0 0 0 0
  31       7 mtdblock7 0 0 0 0 0 0 0 0 0 0 0
  31       8 mtdblock8 0 0 0 0 0 0 0 0 0 0 0
  31       9 mtdblock9 0 0 0 0 0 0 0 0 0 0 0
  31      10 mtdblock10 0 0 0 0 0 0 0 0 0 0 0
admin@DIR_825I_RT8197G_WW:~$
The /proc/cmdline file tells us the exact device partition of the root file system (and /proc/diskstats above shows mtdblock4 as the only partition with any reads, which agrees):
admin@DIR_825I_RT8197G_WW:~$ cat /proc/cmdline
console=ttyS0,38400 root=/dev/mtdblock4
admin@DIR_825I_RT8197G_WW:~$
The mount command is also available, but only with limited options, and does not tell much about the partitions:
admin@DIR_825I_RT8197G_WW:~$ mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,noatime,mode=01777)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
none on /dev/shm type tmpfs (rw,relatime)
admin@DIR_825I_RT8197G_WW:~$
Note that /dev/root, which is mounted as root (/), is a SquashFS file system, which uses compression and is mounted read-only (ro). Embedded devices have storage size constraints which require the use of compression.
The "mtd" prefix indicates a Memory Technology Device, which is non-volatile flash memory. This flash memory stores the firmware, and the various configuration settings made from the web admin panel.
List modules - lsmod
admin@DIR_825I_RT8197G_WW:~$ lsmod
Module                  Size  Used by
nf_nat_rtsp             3984  0
nf_conntrack_rtsp       5049  1 nf_nat_rtsp
gpiom                  19933  0
admin@DIR_825I_RT8197G_WW:~$
Process List
The currently running processes can be viewed with the ps command. Other commands like pstree and top are also available.
admin@DIR_825I_RT8197G_WW:~$ ps
  PID USER       VSZ STAT COMMAND
    1 root      4408 S    /sbin/d_init
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    4 root         0 SW   [kworker/0:0]
    5 root         0 SW<  [kworker/0:0H]
    6 root         0 SW   [kworker/u2:0]
    7 root         0 SW<  [khelper]
    8 root         0 SW   [kworker/u2:1]
  100 root         0 SW<  [writeback]
  103 root         0 SW<  [bioset]
  104 root         0 SW<  [crypto]
  106 root         0 SW<  [kblockd]
  112 root         0 SW   [spi0]
  118 root         0 SW   [khubd]
  133 root         0 SW   [kworker/0:1]
  138 root         0 SW   [kswapd0]
  184 root         0 SW   [fsnotify_mark]
  740 root         0 SW   [mtdblock0]
  745 root         0 SW   [mtdblock1]
  750 root         0 SW   [mtdblock2]
  755 root         0 SW   [mtdblock3]
  760 root         0 SW   [mtdblock4]
  765 root         0 SW   [mtdblock5]
  770 root         0 SW   [mtdblock6]
  775 root         0 SW   [mtdblock7]
  780 root         0 SW   [mtdblock8]
  785 root         0 SW   [mtdblock9]
  790 root         0 SW   [mtdblock10]
  850 root         0 SW<  [deferwq]
  863 root      1708 S    /bin/sh
  864 root      7632 S    {Deuteron} deuteron
  873 root      1836 S    syslogd -S -m 0 -C128 -l 7 -L
  875 root      1704 S    klogd
  958 root      5268 S    {dlinkwtch} dlinkwatcher
 1552 root      1704 S    ntpd -p pool.ntp.org
 1554 root     23636 S    anweb -I 37 -m 80,443s -k /etc/server.key -p /etc/se
 1570 root      1828 S    pppoe-relay -C br0 -B eth1 -I 39
 1584 root      1348 S    locdns 192.168.0.1 dlinkrouter.local br0
 1612 root      3464 S    tinysvcmdns dlinkrouter.local 192.168.0.1 br0 0 101
 1641 admin     1708 R    ps
 1656 nobody    1612 S    dnsmasq --service-id=36 --conf-file=/tmp/dnsmasq/dns
 1657 root      1608 S    dnsmasq --service-id=36 --conf-file=/tmp/dnsmasq/dns
 1658 root      1608 S    dnsmasq --service-id=36 --conf-file=/tmp/dnsmasq/dns
 1691 root         0 SW<  [kworker/0:1H]
 1835 root         0 Z    [anweb]
 1858 root      1696 S    wscd -start -c /var/wsc_wlan1_wlan0.conf -w2 wlan1 -
 1886 root      1372 S    iwcontrol wlan1 wlan0
 2046 root      1704 S    telnetd -p 23 -l /bin/login
 2091 root      1584 S    dropbear -p 22 -r /tmp/dropbear/fileeN2dWS
 2439 root      1608 R    dropbear -p 22 -r /tmp/dropbear/fileeN2dWS
 2454 admin     1716 S    -sh
 3009 admin     1720 S    sh --version
admin@DIR_825I_RT8197G_WW:~$
Some of the interesting processes are the following:
dropbear - This is the SSH server.
telnetd - This is the telnet server, which we currently have enabled.
anweb - This is the web server that runs the admin web interface, and it is running with root privileges:
 1554 root     23636 S    anweb -I 37 -m 80,443s -k /etc/server.key -p /etc/se
Since the web server is running with root privileges, it is able to flash the firmware (and, by the same token, any flaw in it would also be running as root).
The top command is also available on this router and it will show the process list as well, sorted by their load on the system.
List Users
The /etc/passwd file reveals the user accounts on the system:
admin@DIR_825I_RT8197G_WW:~$ cat /etc/passwd
root:*:0:0:(null):/:/bin/false
dmsd:*:1:0:(null):/:/bin/false
dsysinit:*:3:0:(null):/:/bin/false
dwatcher:*:2:0:(null):/:/bin/false
scheduler:*:4:0:(null):/:/bin/false
tr:*:5:0:(null):/:/bin/false
dlinkwatcher:*:6:0:(null):/:/bin/false
mfc:*:7:0:(null):/:/bin/false
dsl:*:8:0:(null):/:/bin/false
apson:*:9:0:(null):/:/bin/false
rtkvoip:*:10:0:(null):/:/bin/false
sla_agent:*:11:0:(null):/:/bin/false
quagga:*:12:0:(null):/:/bin/false
dca:*:13:0:(null):/:/bin/false
dcs:*:14:0:(null):/:/bin/false
easymesh:*:15:0:(null):/:/bin/false
net_snmp:*:16:0:(null):/:/bin/false
nobody:*:99:99:(null):/:/bin/false
admin:$1$643C6633$NWptDXBWIP0CrggO.9VAv1:100:0:(null):/:/bin/sh
admin@DIR_825I_RT8197G_WW:~$
Looking at the line for the root user, we can tell that the root login is disabled (the password field is *, i.e. locked, and the shell is /bin/false) and there is no way to switch to the root user and make modifications to the system. The admin entry, by contrast, has a real password hash (the $1$ prefix means MD5-based crypt) and an interactive shell, /bin/sh.
On most modern routers the root account seems to be disabled as a measure to protect the device. Root access enables users to make changes to the system that can potentially damage the router (brick it) beyond repair.
However, if you are a power user who wants to modify the system in creative ways, like installing your own kernel modules for new functionality, you need root access. Without it, pretty much no modification can be done.
There are some ways to forcefully get root on an embedded device. One such method is to try the routersploit exploit framework, which looks for and exploits known software vulnerabilities on your router to get you root access. If it works you can make really nice changes to your router.
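As an added example (my own script, not from the article) of reading a passwd file like the one above the way an auditor would, the following classifies each account by whether its password field is locked, which crypt scheme the hash uses, and whether its shell is interactive, then lists the accounts that can actually log in. The sample is constructed here; the admin hash is a placeholder that only keeps the $1$ prefix seen on the router, and only shell builtins are used since this BusyBox has no awk or sed.

```shell
#!/bin/sh
# Added example, not part of the original article: a read-only audit of an
# /etc/passwd file in the format shown above. Per account it reports whether the
# password field is locked, which crypt(3) scheme the hash uses and whether the
# login shell is interactive, then lists the accounts that can actually log in.
# Only shell builtins are used (this BusyBox build has no awk or sed).
# The sample is constructed for this example; the admin hash is a placeholder
# that merely carries the "$1$" (MD5-crypt) prefix of the hash seen on the router.

PASSWD_SAMPLE='root:*:0:0:(null):/:/bin/false
dmsd:*:1:0:(null):/:/bin/false
nobody:*:99:99:(null):/:/bin/false
admin:$1$PLACEHLD$placeholderhashvalue0000000:100:0:(null):/:/bin/sh'

# Classify the password field of one passwd entry.
hash_kind() {
    case $1 in
        '')                        echo empty ;;        # no password: login without one
        '*'|'!'*)                  echo locked ;;       # crypt() can never match these
        x)                         echo shadowed ;;     # real hash lives in /etc/shadow
        '$1$'*)                    echo md5crypt ;;     # legacy MD5-based crypt, fast to crack
        '$5$'*)                    echo sha256crypt ;;
        '$6$'*)                    echo sha512crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)   echo bcrypt ;;
        '$y$'*|'$7$'*)             echo yescrypt ;;
        *)                         echo descrypt-or-unknown ;;
    esac
}

# True if SHELL gives an interactive session rather than refusing the login.
interactive_shell() {
    case $1 in
        ''|*/false|*/nologin) return 1 ;;
        *)                    return 0 ;;
    esac
}

# One report line per account: "user uid=N gid=N <hash kind> <shell> [LOGIN]".
# LOGIN marks accounts whose hash can match a password and whose shell is interactive.
audit_passwd() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        if [ -z "$user" ]; then continue; fi
        kind=$(hash_kind "$pw")
        flag=
        if interactive_shell "$shell"; then
            case $kind in locked|shadowed) ;; *) flag=' LOGIN' ;; esac
        fi
        echo "$user uid=$uid gid=$gid $kind $shell$flag"
    done <<EOF
$PASSWD_SAMPLE
EOF
}

# Just the account names flagged LOGIN, one per line.
login_capable() {
    audit_passwd | while read -r line; do
        case $line in *' LOGIN') echo "${line%% *}" ;; esac
    done
}

audit_passwd
echo "accounts that can log in:"
login_capable
```

On the device, replace PASSWD_SAMPLE with the contents of /etc/passwd; an account reported as md5crypt with LOGIN is the one whose password strength matters most, since that hash scheme is cheap to brute-force offline.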
User Groups
The user groups are also readable:
admin@DIR_825I_RT8197G_WW:~$ cat /etc/group
system:*:0:root,admin
nobody:*:99:nobody
sysusers_ro:*:1000:
admin@DIR_825I_RT8197G_WW:~$
The home directory is completely empty:
admin@DIR_825I_RT8197G_WW:~$ ls /home/
admin@DIR_825I_RT8197G_WW:~$
Query ARP Table
The ARP table quickly tells us what other network devices are connected/identified, based on their MAC address:
admin@DIR_825I_RT8197G_WW:~$ cat /proc/net/arp
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.135    0x1         0x2         90:cc:df:fd:97:c4     *        br0
admin@DIR_825I_RT8197G_WW:~$
The device shown above with IP address 192.168.0.135 is my Acer Swift 3 laptop, from which I am connected to the router.
Network configuration and devices
admin@DIR_825I_RT8197G_WW:~$ iproute
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.1
admin@DIR_825I_RT8197G_WW:~$ iplink
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0
    link/ether f0:b4:d2:a4:94:21 brd ff:ff:ff:ff:ff:ff
3: wlan0-vxd: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether f0:b4:d2:a4:94:21 brd ff:ff:ff:ff:ff:ff
4: wlan0-va0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
5: wlan0-va1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
6: wlan0-va2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
7: wlan0-va3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0
    link/ether f0:b4:d2:a4:94:23 brd ff:ff:ff:ff:ff:ff
9: wlan1-vxd: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether f0:b4:d2:a4:94:23 brd ff:ff:ff:ff:ff:ff
10: wlan1-va0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
11: wlan1-va1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
12: wlan1-va2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
13: wlan1-va3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
14: pwlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:96:96 brd ff:ff:ff:ff:ff:ff
15: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether f0:b4:d2:a4:94:21 brd ff:ff:ff:ff:ff:ff
16: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether f0:b4:d2:a4:94:20 brd ff:ff:ff:ff:ff:ff
18: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0
    link/ether f0:b4:d2:a4:94:21 brd ff:ff:ff:ff:ff:ff
19: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether f0:b4:d2:a4:94:21 brd ff:ff:ff:ff:ff:ff
admin@DIR_825I_RT8197G_WW:~$
Reading System Log
The BusyBox logread command can be used to read the system log. The output is actually colorful:
admin@DIR_825I_RT8197G_WW:~$ logread
Dec  2 07:43:04 [INFO] syslogd started: BusyBox v1.31.1
Dec  2 07:43:05 [INFO] Deuteron[868]: DSysinit / Service manager starting...
Dec  2 07:43:05 [INFO] Deuteron[868]: DSysinit / Service manager init successful.
Dec  2 07:43:05 [INFO] Deuteron[868]: DMSD / Device RPC server starting...
Dec  2 07:43:05 [NOTE] CONFIG[868]: Booting with device mode: Router
Dec  2 07:43:05 [NOTE] d_config_fixup_fw_version[868]: Setting version 2.100.0 -> 2.100.0
Dec  2 07:43:05 [ DBG] mac_recount[868]: Nothing to do
Dec  2 07:43:05 [INFO] CONFIG[868]: Initing config
Dec  2 07:43:05 [INFO] d_conf_bin_init[868]: Probing attach to existing shared memory
Dec  2 07:43:05 [INFO] PERMISSIONS[868]: Initing permissions
...
It shows kernel messages and other useful diagnostic information.
Web server and Router admin interface files
The router runs a web server named "anweb" which provides the admin panel access from a web browser. The admin web interface files are located in the directory /srv/anweb:
admin@DIR_825I_RT8197G_WW:~$ ls srv/anweb/
admin  apps  autoconf.js  browser_check  error404  general  trouble  version.json  version.txt  wizard
admin@DIR_825I_RT8197G_WW:~$
These are the HTML files that show up when you open the admin interface in your web browser by pointing it at http://192.168.0.1
Extracting the code of the admin web interface:
First create a directory on your local system using mkdir:
mkdir -p dlink/anweb
Now use the scp command on your local Linux desktop machine to copy/download the files. It's actually easy!
scp -O -r admin@192.168.0.1:/srv/anweb/ dlink/anweb/
Now you have downloaded all the files of the admin panel web application and can examine them easily and find useful stuff in there.
I opened the firmware page of the admin panel in the browser and inspected it in the DOM viewer.
I found the following function call name, which I then searched for in the downloaded files:
grep -ri 'firmware.remote.checkUpdates' .
grep -ri 'checkUpdates' .
It reveals the name and location of the file that handles firmware updates:
./admin/pages/system/firmware/ctrl.lazy.js
Digging further into that file, I find that the server being contacted is
https://fwupdate.dlink.ru/pub/Router/DIR-825/Firmware/
At that location I found firmware update image files for the firmware on this router:
DIR_825I_RT8197G_WW
The User Manual was found here:
https://fwupdate.dlink.ru/pub/Router/DIR-825/Description/DIR-825_I_User%20Manual_v.1.0.3_12.04.21_EN.pdf
The datasheet with full technical details was found here:
https://fwupdate.dlink.ru/pub/Router/DIR-825/Data_sh/DIR-825_I_DS_v.1.0.3_23.03.21_EN.pdf
According to the datasheet, the hardware details are as follows:
- Processor: RTL8197FH-VG (1GHz)
- RAM: 128MB, DDR2, built in processor
- Flash: 128MB, SPI NAND
The above data matches the details fetched from the /proc files earlier.
Creating/Writing files on the system
Only the /tmp directory is writable. So you can use echo or cat to create files in there. Alternatively you can use the scp command to download files into the /tmp directory.
Connecting Printer
I connected my HP LaserJet M1136 MFP printer to this router and turned it on. The dmesg log shows the printer connected:
admin@DIR_825I_RT8197G_WW:/tmp/mnt/usb1_4$ dmesg
...
<6>usb 1-1: new high-speed USB device number 3 using rtl819x-ehci
<6>usblp 1-1:1.0: usblp0: USB Bidirectional printer dev 3 if 0 alt 0 proto 2 vid 0x03F0 pid 0x042A
<6>usbcore: registered new interface driver usblp
admin@DIR_825I_RT8197G_WW:/tmp/mnt/usb1_4$
The corresponding device path is /dev/usblp0
The lsmod command shows the loaded driver module, usblp:
admin@DIR_825I_RT8197G_WW:~$ lsmod
Module                  Size  Used by
usblp                  10080  0
nf_nat_rtsp             3984  0
nf_conntrack_rtsp       5049  1 nf_nat_rtsp
gpiom                  19933  0
admin@DIR_825I_RT8197G_WW:~$
The lsusb command also shows the printer connected:
admin@DIR_825I_RT8197G_WW:~$ lsusb
0001-0003: 0x03f0:0x042a csp = 0x00:0x00:0x00, mps = ['Hewlett-Packard', 'HP LaserJet Professional M1136 MFP', '000000000QHCNL0DPR1a']
  1-1:1.0: csp = 0x07:0x01:0x02, driver = usblp
    0x01: bulk out
    0x81: bulk in
  1-1:1.1: csp = 0xff:0x02:0x10, driver = none
    0x02: bulk out
    0x82: bulk in
    0x83: intr in
  1-1:1.2: csp = 0xff:0xff:0xff, driver = none
    0x05: bulk out
    0x85: bulk in
admin@DIR_825I_RT8197G_WW:~$
There is another command, usbinfo, which shows the same details along with ifconfig details.
Next, if I run the p910nd command, it starts a JetDirect port (TCP 9100) daemon:
admin@DIR_825I_RT8197G_WW:~$ p910nd
Now when I run nmap from my desktop machine to scan ports on this router, I can see the JetDirect port:
acerlight@acerlight-laptop:~$ nmap 192.168.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-02 09:52 IST
Nmap scan report for dlinkrouter.local (192.168.0.1)
Host is up (0.017s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
81/tcp   open  hosts2-ns
443/tcp  open  https
4443/tcp open  pharos
4445/tcp open  upnotifyp
9100/tcp open  jetdirect

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
acerlight@acerlight-laptop:~$
However, I could not get it to print anything. The print server does not work as intended.
When I tried print commands like these, nothing happened:
admin@DIR_825I_RT8197G_WW:~$ echo "Hello World" > /dev/usblp0
admin@DIR_825I_RT8197G_WW:~$ cat /proc/cpuinfo | nc 192.168.0.1 9100
It seems it just cannot print to the printer.
USB Storage device
Now we test inserting a USB flash drive in the USB port of the router. I am using a SanDisk Cruzer Blade 16GB USB 2.0.
admin@DIR_825I_RT8197G_WW:~$ lsusb
0001-0002: 0x0781:0x5567 csp = 0x00:0x00:0x00, mps = ['SanDisk', 'Cruzer Blade', '4C530000310229214143']
  1-1:1.0: csp = 0x08:0x06:0x50, driver = usb-storage
    0x02: bulk out
    0x81: bulk in
admin@DIR_825I_RT8197G_WW:~$
To read the USB drive, it loaded the file system drivers as well, which can be checked with lsmod:
admin@DIR_825I_RT8197G_WW:~$ lsmod
Module                  Size  Used by
vfat                    9904  1
fat                    52671  1 vfat
nf_nat_rtsp             3984  0
nf_conntrack_rtsp       5049  1 nf_nat_rtsp
gpiom                  19933  0
admin@DIR_825I_RT8197G_WW:~$
dmesg shows information about the USB drive:
<6>usb 1-1: new high-speed USB device number 2 using rtl819x-ehci
<6>usb-storage 1-1:1.0: USB Mass Storage device detected
<6>scsi0 : usb-storage 1-1:1.0
<5>scsi 0:0:0:0: Direct-Access     SanDisk  Cruzer Blade     1.00 PQ: 0 ANSI: 6
<5>sd 0:0:0:0: [sda] 30031872 512-byte logical blocks: (15.3 GB/14.3 GiB)
<5>sd 0:0:0:0: Attached scsi generic sg0 type 0
<5>sd 0:0:0:0: [sda] Write Protect is off
<7>sd 0:0:0:0: [sda] Mode Sense: 43 00 00 00
<5>sd 0:0:0:0: [sda] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
<6> sda: sda1 sda2 sda3 sda4
<5>sd 0:0:0:0: [sda] Attached SCSI removable disk
<4>FAT-fs (sda4): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
The output shows the USB host controller driver being used, rtl819x-ehci, with usb-storage handling the drive itself.
And mount shows where it has been mounted:
admin@DIR_825I_RT8197G_WW:~$ mount
...
/tmp/dev/sda4 on /tmp/mnt/usb1_4 type vfat (rw,relatime,gid=1000,fmask=0020,dmask=0020,allow_utime=0002,codepage=866,iocharset=cp866,shortname=mixed,utf8,flush,errors=remount-ro)
admin@DIR_825I_RT8197G_WW:~$
Now we can switch to that directory and read the contents of the USB drive.
<6>usb 1-1: USB disconnect, device number 2
OpenWRT Support
OpenWrt is an excellent alternative firmware for your router, if you are not satisfied with the vendor-provided firmware. However, OpenWrt does not support all the SoCs used across routers.
It seems there is some work in progress to add support for RTL8197F SoCs in OpenWrt. Here is a discussion on it:
https://forum.openwrt.org/t/working-realtek-soc-rtl8196e-97d-97f-in-last-master/70975/1
However, it is not fully functional yet and we have to wait. With OpenWrt we get full (root) access on the device and a lot more flexibility to configure it in any way we like.
Conclusion
Routers running Linux-based firmware are like a mini-computer that can do a lot more than just routing. For example, some routers with USB ports can act as a print server, allowing you to connect your printer to it and make it accessible over the network.
If a storage device like a USB flash drive or USB external SSD is connected to such a router, it can act as a network storage device as well, given the right Linux drivers. A Linux-based firmware along with a USB port opens up a lot of options to use the device in diverse ways. Another device that can be connected is a USB modem that lets you connect to your ISP.
When combined with an open source firmware like OpenWrt, we can install more drivers to do even more things. With OpenWrt, a router with a USB port can connect even more devices, like a webcam or a sound card.