This sort of information seems to interest people, so I'm going to share my *VERY RAW* notes about some interesting things I've observed under-the-hood on the Orbi. I'm far from done, but a good number of my fundamental questions about the devices have been answered so far, with more yet unknown (e.g. is Ethernet backhaul _really_ that difficult? What would it take to enable USB and Samba? How does the full firmware update process *really* work?).
Enjoy, and I'll post more as I come across it - fully analyzing and deconstructing one of these things is difficult in the best case, and the Orbi in particular is REALLY difficult, being a hodge-podge of massively-modified OpenWRT, R7500 cruft, and God-knows-what-else...it is a MESS under the hood, but it mostly works! I still need to compile a few utilities to install myself (dmidecode in particular) to get a (much) better view of the hardware side of things.
Completely raw, terse notes:
/bin/fbwifi
Facebook Wifi Portal
R7500
NETGEAR Facebook Captive Portal version
Missing libssl and libcrypto, cannot function
/bin/ookla
Ookla command-line speed test tool
Missing settings.txt
/bin/readycloud_nvram
In addition to /bin/nvram, sets ReadyCloud-specific parameters?
/cloud_version
Contains a date, but cloud what?
/dev
Suggests Atheros chipset and hardware RNG
/proc/cpuinfo
Shows Qualcomm "ARMv7 Processor rev 5 (v71) at 26.81 bogomips with 4 cores
/etc/appflow
Contains AppFlow/StreamBoost
/etc/athx100.conf
Suggests Atheros XSpan chipset, hard-coded PSK of 12345678
/etc/config/hd-idle
HD idle time of 30 minutes is enabled, presumably for future USB (NAS?) support
/etc/config/hyd
Qualcomm Hy-Fi, perhaps the underlying engine supporting satellite?
/etc/config/repacd
Contains data on guest backhaul (defaults to 2.4GHz?), LED state changes, etc.
/home/fileinfo.txt
Encrypted on FTP server, unencrypted contains md5sum and size for img (currently RBR50-V1.4.0.16.img) including localization data
/home/log/messages
"Public" log (the one displayed in the router web GUI)
/home/log/log-message
"Private" log containing logins and firmware checks via SOAP
/home/netscan
Contains data on attached devices, including StreamBoost levels per device
/home/netwall-rules
Appears to be a list of iptables rules for default ACCEPT and DROP on localnet (and a disturbing number of them are in ACCEPT)
/home/ping_netgear_result
Results of latest 2-packet ping to a Netgear-owned AWS site (used to determine if Internet is up?), occurs once per minute?
/home/ping_result
Similar to above, but 4 packets and less frequent (every 3 hours?)
/home/satellite_attached_dev
Devices attached to satellite(s) in XML format
/home/satellite_device_info
MAC, IP, name, version, and serial of attached satellite(s)
/home/switch
Link state, speed, duplex by port
/home/telnetip
The IP last connected via telnet
/home/traffic_meter
All raw data for the traffic meter function
/home/wifi_update/wireless.net
All data about wifi services, including (cleartext) wifi password, WPS, hidden Satellite SSID and (cleartext) auth key
/home/wla_channel
Currently selected 5GHz channels for AP and Satellite
/module_name
Type of unit - perhaps if changed, could 'morph' router into satellite (or vice-versa), likely requiring firmware update after reboot to 'sync'
/opt/xagent
Contains some sort of 'phone home' agent, possibly specific to Netgear - would definitely like to know more about this, somehow related to CloudSync
uhttpd - More than just the web GUI, heavily modified from OpenWRT (handles portions of firmware update and ReadyShare)
WiFi backhaul appears to be adapted from FastLane technology
- Remnants of Netgear Downloader are present
- Remote logging appears to be possible via log_ip, log_port and log_proto in /etc/config/system
- Full SAMBA support appears to be present but not running by default (obviously due to lack of USB storage support)
- /etc/ledstatus appears to indicate the state of the LED
- There are guest and admin logins with 'ftpadmin' rights
- Firmware updates use ReadyCloud
- Filesystem is persistent (overlayfs over squashfs), but per /etc/sysupgrade.conf, nothing but NVRAM vars is kept after upgrade
- Three VLANs exist by default - WAN, LAN, and backhaul - unclear whether guest represents another VLAN
Listens on:
localnet: 49152
localhost: 7777, 14369
anynet: 53, 80, 443, 3333, 5555
