rhester72 (Virtuoso)
Dec 01, 2016
Orbi software deconstruction
This sort of information seems to interest people, so I'm going to share my *VERY RAW* notes about some interesting things I've observed under-the-hood on the Orbi. I'm far from done, but a good number of my fundamental questions about the devices have been answered so far, with more yet unknown (e.g. is Ethernet backhaul _really_ that difficult? What would it take to enable USB and Samba? How does the full firmware update process *really* work?).
Enjoy, and I'll post more as I come across it - fully analyzing and deconstructing one of these things is difficult in the best case, and the Orbi in particular is REALLY difficult, being a hodge-podge of massively-modified OpenWRT, R7500 cruft, and God-knows-what-else...it is a MESS under the hood, but it mostly works! I still need to compile a few utilities to install myself (dmidecode in particular) to get a (much) better view of the hardware side of things.
Completely raw, terse notes:
/bin/fbwifi
  Facebook Wifi Portal
  R7500 NETGEAR Facebook Captive Portal version
  Missing libssl and libcrypto, cannot function
/bin/ookla
  Ookla command-line speed test tool
  Missing settings.txt
/bin/readycloud_nvram
  In addition to /bin/nvram, sets ReadyCloud-specific parameters?
/cloud_version
  Contains a date, but cloud what?
/dev
  Suggests Atheros chipset and hardware RNG
/proc/cpuinfo
  Shows Qualcomm "ARMv7 Processor rev 5 (v71)" at 26.81 bogomips with 4 cores
/etc/appflow
  Contains AppFlow/StreamBoost
/etc/athx100.conf
  Suggests Atheros XSpan chipset, hard-coded PSK of 12345678
/etc/config/hd-idle
  HD idle time of 30 minutes is enabled, presumably for future USB (NAS?) support
/etc/config/hyd
  Qualcomm Hy-Fi, perhaps the underlying engine supporting satellite?
/etc/config/repacd
  Contains data on guest backhaul (defaults to 2.4GHz?), LED state changes, etc.
/home/fileinfo.txt
  Encrypted on FTP server, unencrypted contains md5sum and size for img (currently RBR50-V1.4.0.16.img) including localization data
/home/log/messages
  "Public" log (the one displayed in the router web GUI)
/home/log/log-message
  "Private" log containing logins and firmware checks via SOAP
/home/netscan
  Contains data on attached devices, including StreamBoost levels per device
/home/netwall-rules
  Appears to be a list of iptables rules for default ACCEPT and DROP on localnet (and a disturbing number of them are in ACCEPT)
/home/ping_netgear_result
  Results of latest 2-packet ping to a Netgear-owned AWS site (used to determine if Internet is up?), occurs once per minute?
/home/ping_result
  Similar to above, but 4 packets and less frequent (every 3 hours?)
/home/satellite_attached_dev
  Devices attached to satellite(s) in XML format
/home/satellite_device_info
  MAC, IP, name, version, and serial of attached satellite(s)
/home/switch
  Link state, speed, duplex by port
/home/telnetip
  The IP last connected via telnet
/home/traffic_meter
  All raw data for the traffic meter function
/home/wifi_update/wireless.net
  All data about wifi services, including (cleartext) wifi password, WPS, hidden Satellite SSID and (cleartext) auth key
/home/wla_channel
  Currently selected 5GHz channels for AP and Satellite
/module_name
  Type of unit - perhaps if changed, could 'morph' router into satellite (or vice-versa), likely requiring firmware update after reboot to 'sync'
/opt/xagent
  Contains some sort of 'phone home' agent, possibly specific to Netgear - would definitely like to know more about this, somehow related to CloudSync

- uhttpd - More than just the web GUI, heavily modified from OpenWRT (handles portions of firmware update and ReadyShare)
- WiFi backhaul appears to be adapted from FastLane technology
- Remnants of Netgear Downloader are present
- Remote logging appears to be possible via log_ip, log_port and log_proto in /etc/config/system
- Full SAMBA support appears to be present but not running by default (obviously due to lack of USB storage support)
- /etc/ledstatus appears to indicate the state of the LED
- There are guest and admin logins with 'ftpadmin' rights
- Firmware updates use ReadyCloud
- Filesystem is persistent (overlayfs over squashfs), but per /etc/sysupgrade.conf, nothing but NVRAM vars is kept after upgrade
- Three VLANs exist by default - WAN, LAN, and backhaul - unclear whether guest represents another VLAN

Listens on:
  localnet: 49152
  localhost: 7777, 14369
  anynet: 53, 80, 443, 3333, 5555
10 Replies
Nice. According to the review over at smallnetbuilder.com, it, indeed, uses Qualcomm Atheros, IPQ4019 and QCA9984.
- rhester72 (Virtuoso)
Well, I at least finally figured out how to see the actual signal strength between the router and satellite.
From the router, issue:
wlanconfig ath01 list sta
You'll get output like:
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS ACAPS ERP STATE MAXRATE(DOT11) HTCAPS ASSOCTIME IEs MODE PSMODE
aa:04:60:17:35:8f 1 4 192M 192M 43 38 48 0 0 65535 EPSs 0 f 0 APM 06:51:15 RSN WME IEEE80211_MODE_11NG_HT20 0
Would be kind of useful to expose some of it in the UI. :P
Note you can derive -dBm from Atheros RSSI by subtracting 95 from the value.
Rodney
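An added example, not part of the original post: a small shell/awk filter that reads `wlanconfig <iface> list sta` output and prints each station's MAC, raw RSSI, the dBm value derived with the subtract-95 rule quoted above, and the MODE column. The function names are hypothetical, the sample is the header and row from the post, and it assumes header names and row values line up one-to-one as they do in that sample.

```shell
#!/bin/sh
# Constructed sample: the header and station row quoted in the post above.
sample_output() {
cat <<'EOF'
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS ACAPS ERP STATE MAXRATE(DOT11) HTCAPS ASSOCTIME IEs MODE PSMODE
aa:04:60:17:35:8f 1 4 192M 192M 43 38 48 0 0 65535 EPSs 0 f 0 APM 06:51:15 RSN WME IEEE80211_MODE_11NG_HT20 0
EOF
}

# sta_signal [offset]
# Reads the station table on stdin and prints "MAC RSSI dBm MODE" per station.
# offset defaults to 95, the value given in the post; it is not verified here.
sta_signal() {
  awk -v offset="${1:-95}" '
    NR == 1 {
      # Locate columns by header name instead of hard-coding positions.
      for (i = 1; i <= NF; i++) {
        if ($i == "RSSI") rssi = i
        if ($i == "MODE") mode = i
      }
      if (!rssi) { print "no RSSI column in header" > "/dev/stderr"; exit 2 }
      next
    }
    # Ignore lines that do not start with a MAC address (blank lines, wrapped IEs).
    length($1) != 17 || $1 !~ /^[0-9A-Fa-f:]+$/ { next }
    # Ignore rows where the RSSI field is not numeric (columns shifted).
    $rssi !~ /^[0-9]+$/ { next }
    {
      m = (mode && mode <= NF) ? $mode : "?"
      printf "%s %d %d %s\n", $1, $rssi, $rssi - offset, m
    }
  '
}

# Demonstration on the constructed sample. On the router itself this would be:
#   wlanconfig ath01 list sta | sta_signal
sample_output | sta_signal
```

The MODE column is printed because it shows which PHY mode the station associated with, which helps tell which radio a given row belongs to.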
rhester72 wrote: Well, I at least finally figured out how to see the actual signal strength between the router and satellite.
From the router, issue:
wlanconfig ath01 list sta
You'll get output like:
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS ACAPS ERP STATE MAXRATE(DOT11) HTCAPS ASSOCTIME IEs MODE PSMODE
aa:04:60:17:35:8f 1 4 192M 192M 43 38 48 0 0 65535 EPSs 0 f 0 APM 06:51:15 RSN WME IEEE80211_MODE_11NG_HT20 0
Would be kind of useful to expose some of it in the UI. :P
Note you can derive -dBm from Atheros RSSI by subtracting 95 from the value.
Rodney
pretty sure you are looking at the 2.4 gig there, not the backhaul, the last bit suggests it is
MODE_11NG_HT20
as if the tx and rx were only 192M the backhaul wouldn't be usable
now if you want to dig, try and find out how the backhaul is connected and if you can manage to get a standard client to connect to it
prob best however not to post it or anything else here, as the mods might get a bit narky if you expose too much of the under the hood stuff, doesn't mean you can't start your own blog and do your own project :)
- OrbiMan (Luminary)
Sorry guys, but how do you get the backhaul password? Please step by step. I am a bit new at telnet cmd
you can't as it's encoded, there is also no reason to access it as it's used specifically for backhaul