Orbi software deconstruction
This sort of information seems to interest people, so I'm going to share my *VERY RAW* notes about some interesting things I've observed under-the-hood on the Orbi. I'm far from done, but a good number of my fundamental questions about the devices have been answered so far, with more yet unknown (e.g. is Ethernet backhaul _really_ that difficult? What would it take to enable USB and Samba? How does the full firmware update process *really* work?).
Enjoy, and I'll post more as I come across it - fully analyzing and deconstructing one of these things is difficult in the best case, and the Orbi in particular is REALLY difficult, being a hodge-podge of massively-modified OpenWRT, R7500 cruft, and God-knows-what-else...it is a MESS under the hood, but it mostly works! I still need to compile a few utilities to install myself (dmidecode in particular) to get a (much) better view of the hardware side of things.
Completely raw, terse notes:
/bin/fbwifi: Facebook Wifi Portal R7500 NETGEAR Facebook Captive Portal version Missing libssl and libcrypto, cannot function
/bin/ookla: Ookla command-line speed test tool Missing settings.txt
/bin/readycloud_nvram: In addition to /bin/nvram, sets ReadyCloud-specific parameters?
/cloud_version: Contains a date, but cloud what?
/dev: Suggests Atheros chipset and hardware RNG
/proc/cpuinfo: Shows Qualcomm "ARMv7 Processor rev 5 (v71)" at 26.81 bogomips with 4 cores
/etc/appflow: Contains AppFlow/StreamBoost
/etc/athx100.conf: Suggests Atheros XSpan chipset, hard-coded PSK of 12345678
/etc/config/hd-idle: HD idle time of 30 minutes is enabled, presumably for future USB (NAS?) support
/etc/config/hyd: Qualcomm Hy-Fi, perhaps the underlying engine supporting satellite?
/etc/config/repacd: Contains data on guest backhaul (defaults to 2.4GHz?), LED state changes, etc.
/home/fileinfo.txt: Encrypted on FTP server, unencrypted contains md5sum and size for img (currently RBR50-V1.4.0.16.img) including localization data
/home/log/messages: "Public" log (the one displayed in the router web GUI)
/home/log/log-message: "Private" log containing logins and firmware checks via SOAP
/home/netscan: Contains data on attached devices, including StreamBoost levels per device
/home/netwall-rules: Appears to be a list of iptables rules for default ACCEPT and DROP on localnet (and a disturbing number of them are in ACCEPT)
/home/ping_netgear_result: Results of latest 2-packet ping to a Netgear-owned AWS site (used to determine if Internet is up?), occurs once per minute?
/home/ping_result: Similar to above, but 4 packets and less frequent (every 3 hours?)
/home/satellite_attached_dev: Devices attached to satellite(s) in XML format
/home/satellite_device_info: MAC, IP, name, version, and serial of attached satellite(s)
/home/switch: Link state, speed, duplex by port
/home/telnetip: The IP last connected via telnet
/home/traffic_meter: All raw data for the traffic meter function
/home/wifi_update/wireless.net: All data about wifi services, including (cleartext) wifi password, WPS, hidden Satellite SSID and (cleartext) auth key
/home/wla_channel: Currently selected 5GHz channels for AP and Satellite
/module_name: Type of unit - perhaps if changed, could 'morph' router into satellite (or vice-versa), likely requiring firmware update after reboot to 'sync'
/opt/xagent: Contains some sort of 'phone home' agent, possibly specific to Netgear - would definitely like to know more about this, somehow related to CloudSync

- uhttpd - More than just the web GUI, heavily modified from OpenWRT (handles portions of firmware update and ReadyShare)
- WiFi backhaul appears to be adapted from FastLane technology
- Remnants of Netgear Downloader are present
- Remote logging appears to be possible via log_ip, log_port and log_proto in /etc/config/system
- Full SAMBA support appears to be present but not running by default (obviously due to lack of USB storage support)
- /etc/ledstatus appears to indicate the state of the LED
- There are guest and admin logins with 'ftpadmin' rights
- Firmware updates use ReadyCloud
- Filesystem is persistent (overlayfs over squashfs), but per /etc/sysupgrade.conf, nothing but NVRAM vars is kept after upgrade
- Three VLANs exist by default - WAN, LAN, and backhaul - unclear whether guest represents another VLAN

Listens on:
localnet: 49152
localhost: 7777, 14369
anynet: 53, 80, 443, 3333, 5555
Re: Orbi software deconstruction
Well, I at least finally figured out how to see the actual signal strength between the router and satellite.
From the router, issue:
wlanconfig ath01 list sta
You'll get output like:
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS ACAPS ERP STATE MAXRATE(DOT11) HTCAPS ASSOCTIME IEs MODE PSMODE
aa:04:60:17:35:8f 1 4 192M 192M 43 38 48 0 0 65535 EPSs 0 f 0 APM 06:51:15 RSN WME IEEE80211_MODE_11NG_HT20 0
Would be kind of useful to expose some of it in the UI. 😛
Note you can derive -dBm from Atheros RSSI by subtracting 95 from the value.
Rodney
Re: Orbi software deconstruction
@rhester72 wrote:
Well, I at least finally figured out how to see the actual signal strength between the router and satellite.
From the router, issue:
wlanconfig ath01 list sta
You'll get output like:
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS ACAPS ERP STATE MAXRATE(DOT11) HTCAPS ASSOCTIME IEs MODE PSMODE
aa:04:60:17:35:8f 1 4 192M 192M 43 38 48 0 0 65535 EPSs 0 f 0 APM 06:51:15 RSN WME IEEE80211_MODE_11NG_HT20 0
Would be kind of useful to expose some of it in the UI. 😛
Note you can derive -dBm from Atheros RSSI by subtracting 95 from the value.
Rodney
pretty sure you are looking at the 2.4 gig there, not the backhaul, the last bit suggests it is
MODE_11NG_HT20
as if the tx and rx were only 192M the backhaul wouldn't be usable
now if you want to dig, try and find out how the backhaul is connected and if you can manage to get a standard client to connect to it
prob best however not to post it or anything else here as the mods might get a bit narky if you expose too much of the under the hood stuff, doesn't mean you can't start your own blog and do your own project 🙂
Re: Orbi software deconstruction
Right you are - will correct the example and output. (Ironically, the MAC matches what's displayed in the UI associated with the satellite - which is _not_ correct!)
I know how the (wifi) backhaul is connected, and yes, you can connect a standard client to it - all you need is the hidden SSID (last two digits are "unique") and the password (which is random and better done by copy/paste than trying to hand-enter, though presumably you could override it). It would be quite trivial to convert backhaul to another legitimate standard SSID, but would not be persistent across reboots.
Rodney
Re: Orbi software deconstruction
Wow - I can neither edit nor reply to "historical" posts. That sucks.
Correction from the above post.
Well, I at least finally figured out how to see the actual signal strength between the router and satellite.
From the router, issue:
wlanconfig ath2 list sta
You'll get output like:
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS ACAPS ERP STATE MAXRATE(DOT11) HTCAPS ASSOCTIME IEs MODE PSMODE
a0:04:60:17:35:92 1 157 1053M 1053M 31 0 42 0 0 65535 EPs 0 b 0 AWPSM 07:37:51 RSN WME IEEE80211_MODE_11AC_VHT80 0
Note you can derive -dBm from Atheros RSSI by subtracting 95 from the value.
Rodney
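Added example (not part of the post above, and not Netgear code): a shell function that applies the post's "RSSI minus 95" rule to `wlanconfig <iface> list sta` output, so the backhaul link can be told apart from the 2.4 GHz one at a glance. The function names `sta_dbm` and `sample_rows` are hypothetical, and the sample input is constructed by combining the two station rows quoted in this thread.

```shell
#!/bin/sh
# Reads `wlanconfig <iface> list sta` output on stdin and prints one line per
# station: MAC, channel, raw Atheros RSSI, estimated dBm (RSSI - 95, the rule
# of thumb given in the thread) and the PHY mode.
sta_dbm() {
    awk '
    # Header row: look columns up by name instead of hard-coding positions.
    $1 == "ADDR" {
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    # Station rows start with a 17-character MAC address; skip anything else.
    length($1) == 17 && $1 ~ /^[0-9A-Fa-f:]+$/ && ("RSSI" in col) {
        rssi = $(col["RSSI"])
        if (rssi !~ /^[0-9]+$/) next    # malformed row, ignore it
        # Fields after STATE do not line up with the header (MAXRATE can be
        # empty and IEs is several words), so find MODE by its prefix.
        mode = "unknown"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^IEEE80211_MODE_/) mode = substr($i, 16)
        printf "%s chan=%s rssi=%d dbm=%d mode=%s\n", \
               $1, $(col["CHAN"]), rssi, rssi - 95, mode
    }'
}

# Constructed sample: the header plus the two station rows quoted in this
# thread (they came from different interfaces; combined here for illustration).
sample_rows() {
    cat <<'EOF'
ADDR AID CHAN TXRATE RXRATE RSSI MINRSSI MAXRSSI IDLE TXSEQ RXSEQ CAPS ACAPS ERP STATE MAXRATE(DOT11) HTCAPS ASSOCTIME IEs MODE PSMODE
aa:04:60:17:35:8f 1 4 192M 192M 43 38 48 0 0 65535 EPSs 0 f 0 APM 06:51:15 RSN WME IEEE80211_MODE_11NG_HT20 0
a0:04:60:17:35:92 1 157 1053M 1053M 31 0 42 0 0 65535 EPs 0 b 0 AWPSM 07:37:51 RSN WME IEEE80211_MODE_11AC_VHT80 0
EOF
}

# On the router the input would come from: wlanconfig ath2 list sta | sta_dbm
sample_rows | sta_dbm
```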
Re: Orbi software deconstruction
peteytesting wrote:
prob best however not to post it or anything else here as the mods might get a bit narky if you expose too much of the under the hood stuff, doesn't mean you can't start your own blog and do your own project 🙂
There are other similar threads, such as the megathread on the DGND3700. I'm hoping the moderators will allow this, so long as vulnerabilities are not disclosed.
Re: Orbi software deconstruction
@TheEther wrote:
@peteytesting wrote:
prob best however not to post it or anything else here as the mods might get a bit narky if you expose too much of the under the hood stuff, doesn't mean you can't start your own blog and do your own project 🙂
There are other similar threads, such as the megathread on the DGND3700. I'm hoping the moderators will allow this, so long as vulnerabilities are not disclosed.
i would agree that it would be good but it's prob not a good idea until at least the dev team have finished introducing new features and at least got to a stable all working platform to then start diving under the hood
Re: Orbi software deconstruction
Very well.
One last bit of fun for now, then.
Since the Orbi is supposed to look vaguely nouveau-art, enjoy the light show!
while [ 1 ]; do for color in red green blue white amber cyan magenta; do /sbin/ledcontrol -n all -l on -c $color -s on; sleep 2; done; done
Rodney
Re: Orbi software deconstruction
you can't as it's encoded, there is also no reason to access it as it's used specifically for backhaul