How to check system details on Linux based Routers

By | February 10, 2023

Routers are basically embedded devices (or systems), and most modern routers run on Linux. Think of a router as a mini computer that has its own CPU, storage space, RAM, ethernet ports, wifi chipset, and optionally a USB port.

Functionally these are single board computers similar to a Raspberry Pi. The software that runs on such devices is often called firmware, which is a smaller version of a full size operating system.

Firmwares are different from a full OS install in many ways. Vendor-provided firmwares are often "static", meaning each one is actually a single large executable program that starts running right when you power on your router.

They are in the form of a ".bin" file which is usually downloaded when you upgrade your firmware. For example, this is how a firmware file could look.

2021.12.02-10.43_DIR_825I_RT8197G_WW_1.0.4_release.bin

Think of it like a single executable file that runs your entire operating system. This file contains the linux kernel, device drivers and everything else needed to run a system.

Embedded devices like routers have constraints on storage space and RAM, hence they compress everything in order to make them work.

How to check system and hardware details

In this article we shall take a quick look at how to check the hardware information on a router from the ssh shell. For the sake of this article, we shall be using this router: D-Link DIR-825 HW:I1. It's one of those many obscure routers from D-Link that have not been documented properly.

Enable ssh and login

The first thing you need to do is enable ssh login from the web admin panel.

Once ssh has been enabled, try logging in with your admin username/password. You would need to disable host key checking in order to connect.

ssh -o StrictHostKeyChecking=no admin@192.168.0.1

This is what I get when I run the command on my D-Link router.

$ ssh -o StrictHostKeyChecking=no admin@192.168.0.1
admin@192.168.0.1's password:
BusyBox v1.31.1 (2021-12-02 11:12:53 MSK) built-in shell (ash)
admin@DIR_825I_RT8197G_WW:~$

Right after connecting we can see some useful details like:

  • BusyBox v1.31.1
  • DIR_825I_RT8197G_WW
  • built-in shell (ash)

To know what shell program is being used, echo the $SHELL environment variable

admin@DIR_825I_RT8197G_WW:~$ echo $SHELL
/bin/sh
admin@DIR_825I_RT8197G_WW:~$
$ sh --version
BusyBox v1.31.1 (2021-12-02 11:12:53 MSK) built-in shell (ash)
admin@DIR_825I_RT8197G_WW:~$

Check Busybox

This router uses busybox to provide Linux commands in a compact way. If we simply run the busybox command, it will tell us what commands are supported in the current installation:

admin@DIR_825I_RT8197G_WW:~$ busybox
BusyBox v1.31.1 (2021-12-02 11:12:53 MSK) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.
Licensed under GPLv2. See source distribution for detailed
copyright notices.
Usage: busybox [function [arguments]...]
   or: busybox --list
   or: function [arguments]...
        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.
Currently defined functions:
        [, [[, arping, ash, basename, bash, brctl, cat, clear, cp, date, dd, dmesg, echo, false, free, fuser, grep, gunzip, gzip, hexdump, ifconfig, insmod, ip, ipaddr, ipcrm, ipcs,
        iplink, ipneigh, iproute, iprule, iptunnel, kill, killall, klogd, ln, logger, login, logread, ls, lsmod, md5sum, mkdir, modprobe, mount, mv, nc, nice, nslookup, ntpd, passwd,
        ping, ping6, poweroff, ps, pstree, reboot, rm, rmmod, sh, sleep, su, syslogd, tail, tar, telnetd, test, top, touch, traceroute, traceroute6, true, udhcpc, umount, uptime, vi
admin@DIR_825I_RT8197G_WW:~$

A lot of the terminal commands are actually just symbolic links to the busybox binary, which can be verified like this:

admin@DIR_825I_RT8197G_WW:~$ ls -la bin
drwxr-xr-x    2 root     system         748 .
drwxr-xr-x   18 root     system         301 ..
-rwxr-xr-x    1 root     system       19104 UDPserver
lrwxrwxrwx    1 root     system           7 ash -> busybox
-rwxr-xr-x    1 root     system      117472 auth
lrwxrwxrwx    1 root     system           7 bash -> busybox
-rwsr-xr-x    1 root     system      379484 busybox
-rwxr-xr-x    1 root     system          94 cal
lrwxrwxrwx    1 root     system           7 cat -> busybox
-rwxr-xr-x    1 root     system         515 check_leaks
lrwxrwxrwx    1 root     system           7 cp -> busybox
...

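Note the arrow pointing to busybox, which means it's a symbolic link. The busybox binary itself is owned by root and has the setuid bit set (the s in -rwsr-xr-x).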

Environment Variables

On a typical linux system we can use the env/printenv commands to print the environment variables, but it did not work here.
Instead the set command was able to print the environment variables.

admin@DIR_825I_RT8197G_WW:~$ set
HOME='/'
HOSTNAME='DIR_825I_RT8197G_WW'
IFS='
'
LD_LIBRARY_PATH='/lib:/lib/private:/usr/lib'
LINENO=''
LOGNAME='admin'
OLDPWD='/'
OPTIND='1'
PATH='/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin'
PPID='1912'
PS1='\[\033[36m\]\u\[\033[m\]@\[\033[32m\]\h:\[\033[33;1m\]\w\[\033[m\]$ '
PS2='> '
PS4='+ '
PWD='/'
SHELL='/bin/sh'
SSH_CLIENT='192.168.0.135 39828 22'
SSH_CONNECTION='192.168.0.135 39828 192.168.0.1 22'
SSH_TTY='/dev/pts/0'
TERM='xterm-256color'
USER='admin'
_='/'
admin@DIR_825I_RT8197G_WW:~$

File System and Directories

Directories in root /

admin@DIR_825I_RT8197G_WW:~$ ls -la
drwxr-xr-x   18 root     system         301 .
drwxr-xr-x   18 root     system         301 ..
-rw-r--r--    1 root     system         236 VERSION
drwxr-xr-x    2 root     system         748 bin
drwxr-xr-x    2 root     system           3 boot
drwxr-xr-x    6 root     system        1772 dev
drwxr-xr-x    7 root     system         804 etc
drwxr-xr-x    2 root     system           3 home
drwxr-xr-x    3 root     system         645 lib
lrwxrwxrwx    1 root     system           3 lib32 -> lib
lrwxrwxrwx    1 root     system           3 lib64 -> lib
lrwxrwxrwx    1 root     system           8 mnt -> /tmp/mnt
drwxr-xr-x    2 root     system           3 opt
dr-xr-xr-x   79 root     system           0 proc
drwx------    2 root     system          77 root
drwxr-xr-x    2 root     system         495 sbin
drwxr-xr-x    3 root     system          30 share
drwxr-xr-x    3 root     system          28 srv
drwxr-xr-x    2 root     system           3 storage
dr-xr-xr-x   11 root     system           0 sys
drwxrwxrwt   16 root     system           0 tmp
drwxr-xr-x    7 root     system         115 usr
lrwxrwxrwx    1 root     system           8 var -> /tmp/var
admin@DIR_825I_RT8197G_WW:~$

There is a file named VERSION which has some useful details:

admin@DIR_825I_RT8197G_WW:~$ cat VERSION
NAME:           DIR_825I_RT8197G_WW
VERSION:        1.0.4
DATAMODEL:      2.100.0
SYSBUILDTIME:   Thu Dec  2 10:43:54 MSK 2021
VENDOR:         D-Link Russia
BUGS:
SUMMARY:        Root filesystem image for DIR_825I_RT8197G_WW
admin@DIR_825I_RT8197G_WW:~$

The NAME string contains the name of the firmware installed: DIR_825I_RT8197G_WW
The VERSION string is the firmware version installed on this dlink router. It had 1.0.2 when purchased, then was upgraded to 1.0.4.

Linux Version

admin@DIR_825I_RT8197G_WW:~$ cat /proc/version
Linux version 3.10.90+ ([email protected]) (gcc version 7.4.0 (crosstool-NG 1.24.0-rc3) ) #1 Thu Dec 2 10:56:24 MSK 2021
admin@DIR_825I_RT8197G_WW:~$

Seems like it's running Linux kernel version 3.10.90

Hostname

admin@DIR_825I_RT8197G_WW:~$ cat /etc/hostname
DIR_825I_RT8197G_WW
admin@DIR_825I_RT8197G_WW:~$

List of available commands

Most of the executable programs can be found in the following locations:

  • /bin/
  • /sbin/
  • /usr/bin/
  • /usr/sbin/

admin@DIR_825I_RT8197G_WW:~$ ls /bin
UDPserver        cat              echo             gzip             ls               map_reinit       nice             sh               uboot.img
ash              check_leaks      false            iapp             map_agent        map_reset        ping             sleep            umount
auth             cp               flush_iptables   iwcontrol        map_checker      mkdir            ping6            su               urlfilterd
bash             date             flush_iptables6  kill             map_controller   mount            pptp             tar              vi
busybox          dd               grep             ln               map_delayed_pbc  mv               ps               touch            wscd
cal              dmesg            gunzip           login            map_init         nand_dump_iso    rm               true
admin@DIR_825I_RT8197G_WW:~$
admin@DIR_825I_RT8197G_WW:~$ ls /sbin/
chat           hotplug        insmod         iplink         iprule         iwgetid        iwspy          lsmod          mount.ntfs-3g  pppoe-relay    syslogd
d_init         ifconfig       ip             ipneigh        iptunnel       iwlist         klogd          miniupnpd      poweroff       reboot         tr069
ebtables       init           ipaddr         iproute        iwconfig       iwpriv         logread        modprobe       pppd           rmmod          udhcpc
admin@DIR_825I_RT8197G_WW:~$
admin@DIR_825I_RT8197G_WW:~$ ls usr/sbin/
anweb              dnsmasq            emergency_mode     ip6tables-save     iptables-restore   minidlnad          ntpd               ripngd             xtables-multi
arping             drop_caches        inadyn             iperf3             iptables-save      nfnl_osf           p910nd             telnetd            zebra
brctl              dropbear           ip6tables          ipsec              locdns             notify_all         pure-ftpd          usb_modeswitch     zic
deuteron           dschedctl          ip6tables-restore  iptables           mfc                ntfs-3g            ripd               xl2tpd
admin@DIR_825I_RT8197G_WW:~$
admin@DIR_825I_RT8197G_WW:~$ ls usr/bin/
[                    dmsc                 flac                 improxy              lsusb                nvramctl             smbd                 top
[[                   dmsc_interpreter     flash                ipcrm                md5sum               odhcp6c              smbpasswd            traceroute
basename             dmsc_lua             free                 ipcs                 metaflac             passwd               ssh                  traceroute6
button_test          dnsmasq_script       fuser                iptables-xml         mtd_write            ppp_wrapper          sslsplit             transmission-daemon
clear                dropbearconvert      fw_upgrade           killall              nc                   pstree               tail                 um
dbclient             dropbearkey          hexdump              libusb-config        nmbd                 samba_multicall      test                 uptime
dlinkwatcher         dsysctl              igmpx                logger               nslookup             scp                  tinysvcmdns          usbinfo
admin@DIR_825I_RT8197G_WW:~$
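
The symlink check shown earlier and the four directory listings above can be folded into one inventory that separates BusyBox applets from standalone binaries and flags setuid files, which is where a review of the firmware's own code would start. This is an added example, not part of the original article; it uses only ls, grep and shell built-ins because find, readlink and stat are absent from the applet list. It assumes the router's [ applet supports the -L, -u and -x tests, and the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: inventory of executables on a BusyBox-based router.
# Uses only ls, grep and shell built-ins (no find, readlink or stat).

# classify_bin DIR: print "<kind> <name>" for every entry in DIR.
#   applet  symlink that points at the busybox multi-call binary
#   link    symlink to anything else
#   setuid  regular file with the setuid bit set
#   binary  any other executable regular file
classify_bin() {
    for f in "$1"/*; do
        name=${f##*/}
        if [ -L "$f" ]; then
            # "ls -l" prints "... name -> target"; keep what follows the arrow.
            entry=$(ls -l "$f")
            target=${entry##* -> }
            case ${target##*/} in
                busybox) echo "applet $name" ;;
                *)       echo "link $name" ;;
            esac
        elif [ -f "$f" ] && [ -u "$f" ]; then
            echo "setuid $name"
        elif [ -f "$f" ] && [ -x "$f" ]; then
            echo "binary $name"
        fi
    done
}

# summarize_bin DIR: one line of totals per kind.
summarize_bin() {
    applets=0 links=0 setuid=0 binaries=0
    # The here-document keeps the loop in the current shell, so the
    # counters are still set when the loop ends.
    while read -r kind rest; do
        case $kind in
            applet) applets=$((applets + 1)) ;;
            link)   links=$((links + 1)) ;;
            setuid) setuid=$((setuid + 1)) ;;
            binary) binaries=$((binaries + 1)) ;;
        esac
    done <<EOF
$(classify_bin "$1")
EOF
    echo "applets=$applets links=$links setuid=$setuid binaries=$binaries"
}

# Usage (script name is hypothetical; /tmp is the only writable location):
#   sh /tmp/inventory.sh /bin /sbin /usr/bin /usr/sbin
# Applets are counted but not listed, so the output is the non-BusyBox code.
for dir in "$@"; do
    echo "== $dir: $(summarize_bin "$dir")"
    classify_bin "$dir" | grep -v '^applet '
done
```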

CPU Details

Most of the hardware detail commands are not available on this embedded linux environment. Hence we have to use the /proc/ directory to get hardware information. The cpu details can be found inside /proc/cpuinfo.

$ cat /proc/cpuinfo
system type             : RTL8197FH-VG5
machine                 : 8197G(PA=0) 8812F(PA=0) 8367R USB NAND RAM=128
processor               : 0
cpu model               : MIPS 24Kc V8.5
BogoMIPS                : 666.41
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0000, 0x0ffc, 0x01b0, 0x06cb]
isa                     : mips1 mips2 mips32r2
ASEs implemented        : mips16
shadow register sets    : 4
kscratch registers      : 0
core                    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
admin@DIR_825I_RT8197G_WW:~$

Doing a quick search on google for RTL8197FH-VG5 shows the following page:
https://www.realtek.com/en/products/communications-network-ics/item/rtl8197f

The page mentions details about the chip.

The Realtek RTL8197F is a highly-integrated and feature-rich 2T2R 802.11b/g/n WiSoC. It integrates a high performance 1GHz MIPS24Kc processor, 2T2R 802.11b/g/n MAC/BB/RF, PCI Express, five-port Fast Ethernet switch with RGMII, USB2.0 controller, DRAM and flash memory controller, and useful peripheral interfaces. The RTL8197F delivers high-performance with low power consumption for applications such as 11ac dual band smart routers, IoT gateway, VPN gateway, VoIP gateway, Network Storage, LTE routers etc.

This is basically a WiSoC (Wifi System-on-Chip) from Realtek which combines a CPU, wifi chipset, USB controller, ethernet controller and a few other things all in a single chip.

This CPU is based on the MIPS 24Kc V8.5 architecture, whereas desktop/laptop PC CPUs are based on the x86_64 architecture. MIPS is a RISC ISA, and according to the list provided at OpenWrt it is used by a lot of SoC chips across routers.

So basically if you want to build your own firmware, it has to be compiled for this MIPS 24Kc architecture in order to run on the RTL8197FH SoC.

Memory/RAM Details

The ram memory details can be checked using the free command. It reports values close to 128 MB.

admin@DIR_825I_RT8197G_WW:~$ free
              total        used        free      shared  buff/cache   available
Mem:         106272       25172       64620           0       16480           0
-/+ buffers/cache:        25172       81100
Swap:             0           0           0
admin@DIR_825I_RT8197G_WW:~$

Another way to check memory details:

admin@DIR_825I_RT8197G_WW:~$ cat /proc/meminfo
MemTotal:         106272 kB
MemFree:           64408 kB
Buffers:            4132 kB
Cached:            12408 kB
SwapCached:            0 kB
Active:            11468 kB
Inactive:           9680 kB
Active(anon):       4608 kB
Inactive(anon):        0 kB
Active(file):       6860 kB
Inactive(file):     9680 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          4628 kB
Mapped:             3900 kB
Shmem:                 0 kB
Slab:               9428 kB
SReclaimable:       1112 kB
SUnreclaim:         8316 kB
KernelStack:         992 kB
PageTables:          348 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       53136 kB
Committed_AS:      29588 kB
VmallocTotal:    1048372 kB
VmallocUsed:         216 kB
VmallocChunk:    1041076 kB
admin@DIR_825I_RT8197G_WW:~$

So this confirms total memory on system is around 106272 KB ~ 103 MB.

Note that commands like lshw, lspci, fdisk, lsblk, blkid, hwinfo, df, file are not available on this router's linux system.

admin@DIR_825I_RT8197G_WW:~$ lshw
sh: lshw: not found
admin@DIR_825I_RT8197G_WW:~$ lspci
sh: lspci: not found
admin@DIR_825I_RT8197G_WW:~$ fdisk
sh: fdisk: not found
admin@DIR_825I_RT8197G_WW:~$ lsblk
sh: lsblk: not found
admin@DIR_825I_RT8197G_WW:~$ blkid
sh: blkid: not found
admin@DIR_825I_RT8197G_WW:~$ hwinfo
sh: hwinfo: not found
admin@DIR_825I_RT8197G_WW:~$
admin@DIR_825I_RT8197G_WW:~$ df
sh: df: not found
admin@DIR_825I_RT8197G_WW:~$ file
sh: file: not found

Disk Partitions

Just like a normal computer, this embedded device also has storage devices. We need to query the /proc/partitions file for disk drive and partition details.

admin@DIR_825I_RT8197G_WW:~$ cat /proc/partitions
major minor  #blocks  name
  31        0       4096 mtdblock0
  31        1       2048 mtdblock1
  31        2       2048 mtdblock2
  31        3       2560 mtdblock3
  31        4       8576 mtdblock4
  31        5      50688 mtdblock5
  31        6     131072 mtdblock6
  31        7       8192 mtdblock7
  31        8       2560 mtdblock8
  31        9       8576 mtdblock9
  31       10      50688 mtdblock10
admin@DIR_825I_RT8197G_WW:~$

The third column is the size of the partition in KiB. The partitions are actually nested (some lie inside others).
In this example it's a 128 MiB flash storage containing all the other partitions. Note the partition at index 6:

31        6     131072 mtdblock6

The /proc/mtd entry shows the label of each of the partitions:

admin@DIR_825I_RT8197G_WW:~$ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00400000 00020000 "boot"
mtd1: 00200000 00020000 "MAC"
mtd2: 00200000 00020000 "config"
mtd3: 00280000 00020000 "kernel"
mtd4: 00860000 00020000 "rootfs"
mtd5: 03180000 00020000 "Linux"
mtd6: 08000000 00020000 "ALL"
mtd7: 00800000 00020000 "reserved"
mtd8: 00280000 00020000 "kernel (bank2)"
mtd9: 00860000 00020000 "rootfs (bank2)"
mtd10: 03180000 00020000 "Linux (bank2)"
admin@DIR_825I_RT8197G_WW:~$

The size column indicates the size of each partition in hexadecimal.
mtd6 - The "ALL" partition size is 0x08000000 bytes, which is 134,217,728 bytes = 128 MiB.

mtd0 - 4 MiB - has the u-boot bootloader program

With the dmesg command the start-end point of each partition is reported. You have to search though

<5>11 dlinkpart partitions found on MTD device rtk_nand
<5>Creating 11 MTD partitions on "rtk_nand":
<5>0x000000000000-0x000000400000 : "boot"
<5>0x000000400000-0x000000600000 : "MAC"
<5>0x000000600000-0x000000800000 : "config"
<5>0x000000800000-0x000000a80000 : "kernel"
<5>0x000000a80000-0x0000012e0000 : "rootfs"
<5>0x000000800000-0x000003980000 : "Linux"
<5>0x000000000000-0x000008000000 : "ALL"
<5>0x000003980000-0x000004180000 : "reserved"
<5>0x000004180000-0x000004400000 : "kernel (bank2)"
<5>0x000004400000-0x000004c60000 : "rootfs (bank2)"
<5>0x000004180000-0x000007300000 : "Linux (bank2)"

Partition of root file system

admin@DIR_825I_RT8197G_WW:~$ dmesg | grep -i mtd
<5>Kernel command line: console=ttyS0,38400 root=/dev/mtdblock4
<5>11 dlinkpart partitions found on MTD device rtk_nand
<5>Creating 11 MTD partitions on "rtk_nand":
admin@DIR_825I_RT8197G_WW:~$
admin@DIR_825I_RT8197G_WW:~$ cat /proc/diskstats
   7       0 loop0 0 0 0 0 0 0 0 0 0 0 0
   7       1 loop1 0 0 0 0 0 0 0 0 0 0 0
   7       2 loop2 0 0 0 0 0 0 0 0 0 0 0
   7       3 loop3 0 0 0 0 0 0 0 0 0 0 0
   7       4 loop4 0 0 0 0 0 0 0 0 0 0 0
   7       5 loop5 0 0 0 0 0 0 0 0 0 0 0
   7       6 loop6 0 0 0 0 0 0 0 0 0 0 0
   7       7 loop7 0 0 0 0 0 0 0 0 0 0 0
  31       0 mtdblock0 0 0 0 0 0 0 0 0 0 0 0
  31       1 mtdblock1 0 0 0 0 0 0 0 0 0 0 0
  31       2 mtdblock2 0 0 0 0 0 0 0 0 0 0 0
  31       3 mtdblock3 0 0 0 0 0 0 0 0 0 0 0
  31       4 mtdblock4 154 3892 8092 3440 0 0 0 0 0 3440 3440
  31       5 mtdblock5 0 0 0 0 0 0 0 0 0 0 0
  31       6 mtdblock6 0 0 0 0 0 0 0 0 0 0 0
  31       7 mtdblock7 0 0 0 0 0 0 0 0 0 0 0
  31       8 mtdblock8 0 0 0 0 0 0 0 0 0 0 0
  31       9 mtdblock9 0 0 0 0 0 0 0 0 0 0 0
  31      10 mtdblock10 0 0 0 0 0 0 0 0 0 0 0
admin@DIR_825I_RT8197G_WW:~$

The /proc/cmdline file tells us the exact device partition of root file system.

admin@DIR_825I_RT8197G_WW:~$ cat /proc/cmdline
console=ttyS0,38400 root=/dev/mtdblock4
admin@DIR_825I_RT8197G_WW:~$
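
The partition data gathered in this section (the start-end ranges from dmesg, the nesting, the hexadecimal sizes and the root= argument in /proc/cmdline) can be tied together mechanically. The script below is an added example, not part of the original article: run on a workstation against saved output, it rebuilds the flash map, lists which partitions lie inside which, converts sizes to the KiB unit of /proc/partitions and names the partition mounted as root. It assumes the N-th dmesg partition line corresponds to mtdN, which matches the /proc/mtd listing above.

```shell
#!/bin/sh
# Added example: rebuild the flash map from saved dmesg and cmdline output.

# Both samples are copied from the command output shown in the article.
DMESG_SAMPLE='<5>Creating 11 MTD partitions on "rtk_nand":
<5>0x000000000000-0x000000400000 : "boot"
<5>0x000000400000-0x000000600000 : "MAC"
<5>0x000000600000-0x000000800000 : "config"
<5>0x000000800000-0x000000a80000 : "kernel"
<5>0x000000a80000-0x0000012e0000 : "rootfs"
<5>0x000000800000-0x000003980000 : "Linux"
<5>0x000000000000-0x000008000000 : "ALL"
<5>0x000003980000-0x000004180000 : "reserved"
<5>0x000004180000-0x000004400000 : "kernel (bank2)"
<5>0x000004400000-0x000004c60000 : "rootfs (bank2)"
<5>0x000004180000-0x000007300000 : "Linux (bank2)"'
CMDLINE_SAMPLE='console=ttyS0,38400 root=/dev/mtdblock4'

# Read dmesg text on stdin; print "index start end name" per partition with
# decimal byte offsets. The index is the N of mtdN / mtdblockN.
mtd_ranges() {
    idx=0
    while IFS= read -r line; do
        line=${line#"<"*">"}                  # drop the "<5>" log level
        case $line in
            0x*-0x*' : "'*'"') ;;             # 0xSTART-0xEND : "name"
            *) continue ;;
        esac
        range=${line%% : *}
        name=${line#*\"}
        name=${name%\"}
        echo "$idx $(( ${range%-*} )) $(( ${range#*-} )) $name"
        idx=$((idx + 1))
    done
}

RANGES=$(printf '%s\n' "$DMESG_SAMPLE" | mtd_ranges)

# Size of the named partition in KiB, the unit /proc/partitions uses.
mtd_size_kib() {
    printf '%s\n' "$RANGES" | while read -r i start end name; do
        if [ "$name" = "$1" ]; then echo $(( (end - start) / 1024 )); fi
    done
}

# Comma-separated names of the partitions lying entirely inside the named one.
mtd_children() {
    parent=$(printf '%s\n' "$RANGES" | while read -r i s e n; do
        if [ "$n" = "$1" ]; then echo "$s $e"; fi
    done)
    [ -n "$parent" ] || return 1
    pstart=${parent% *}
    pend=${parent#* }
    kids=$(printf '%s\n' "$RANGES" | while read -r i s e n; do
        if [ "$n" != "$1" ] && [ "$s" -ge "$pstart" ] && [ "$e" -le "$pend" ]; then
            printf '%s,' "$n"
        fi
    done)
    echo "${kids%,}"
}

# Name of the partition the kernel mounts as root (root=/dev/mtdblockN).
mtd_root_name() {
    rootidx=
    for arg in $CMDLINE_SAMPLE; do
        case $arg in
            root=/dev/mtdblock*) rootidx=${arg#root=/dev/mtdblock} ;;
        esac
    done
    printf '%s\n' "$RANGES" | while read -r i start end name; do
        if [ "$i" = "$rootidx" ]; then echo "$name"; fi
    done
}

# Print the map: device, start offset, size, name, nested partitions.
mtd_table() {
    printf '%s\n' "$RANGES" | while read -r i start end name; do
        inner=$(mtd_children "$name")
        printf 'mtd%-2s 0x%08x %7d KiB  %s' "$i" "$start" $(( (end - start) / 1024 )) "$name"
        if [ -n "$inner" ]; then printf '  [contains: %s]' "$inner"; fi
        printf '\n'
    done
}

mtd_table
echo "root filesystem partition: $(mtd_root_name)"
```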

The mount command is also available, but only with limited options, and does not tell much about the partitions.

admin@DIR_825I_RT8197G_WW:~$ mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,noatime,mode=01777)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
none on /dev/shm type tmpfs (rw,relatime)
admin@DIR_825I_RT8197G_WW:~$

Note that /dev/root, which is mounted as root (/), is a SquashFS file system, which uses compression. Embedded devices have storage size constraints which require the use of compression.

The "mtd" prefix indicates a Memory Technology Device which is non-volatile flash memory. This flash memory stores the firmware, and various configuration settings done from the web admin panel.

List modules - lsmod

admin@DIR_825I_RT8197G_WW:~$ lsmod
Module                  Size  Used by
nf_nat_rtsp             3984  0
nf_conntrack_rtsp       5049  1 nf_nat_rtsp
gpiom                  19933  0
admin@DIR_825I_RT8197G_WW:~$

Process List

The currently running processes can be viewed with the ps command. Other commands like pstree and top are also available.

admin@DIR_825I_RT8197G_WW:~$ ps
  PID USER       VSZ STAT COMMAND
    1 root      4408 S    /sbin/d_init
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    4 root         0 SW   [kworker/0:0]
    5 root         0 SW<  [kworker/0:0H]
    6 root         0 SW   [kworker/u2:0]
    7 root         0 SW<  [khelper]
    8 root         0 SW   [kworker/u2:1]
  100 root         0 SW<  [writeback]
  103 root         0 SW<  [bioset]
  104 root         0 SW<  [crypto]
  106 root         0 SW<  [kblockd]
  112 root         0 SW   [spi0]
  118 root         0 SW   [khubd]
  133 root         0 SW   [kworker/0:1]
  138 root         0 SW   [kswapd0]
  184 root         0 SW   [fsnotify_mark]
  740 root         0 SW   [mtdblock0]
  745 root         0 SW   [mtdblock1]
  750 root         0 SW   [mtdblock2]
  755 root         0 SW   [mtdblock3]
  760 root         0 SW   [mtdblock4]
  765 root         0 SW   [mtdblock5]
  770 root         0 SW   [mtdblock6]
  775 root         0 SW   [mtdblock7]
  780 root         0 SW   [mtdblock8]
  785 root         0 SW   [mtdblock9]
  790 root         0 SW   [mtdblock10]
  850 root         0 SW<  [deferwq]
  863 root      1708 S    /bin/sh
  864 root      7632 S    {Deuteron} deuteron
  873 root      1836 S    syslogd -S -m 0 -C128 -l 7 -L
  875 root      1704 S    klogd
  958 root      5268 S    {dlinkwtch} dlinkwatcher
 1552 root      1704 S    ntpd -p pool.ntp.org
 1554 root     23636 S    anweb -I 37 -m 80,443s -k /etc/server.key -p /etc/se
 1570 root      1828 S    pppoe-relay -C br0 -B eth1 -I 39
 1584 root      1348 S    locdns 192.168.0.1 dlinkrouter.local br0
 1612 root      3464 S    tinysvcmdns dlinkrouter.local 192.168.0.1 br0 0 101
 1641 admin     1708 R    ps
 1656 nobody    1612 S    dnsmasq --service-id=36 --conf-file=/tmp/dnsmasq/dns
 1657 root      1608 S    dnsmasq --service-id=36 --conf-file=/tmp/dnsmasq/dns
 1658 root      1608 S    dnsmasq --service-id=36 --conf-file=/tmp/dnsmasq/dns
 1691 root         0 SW<  [kworker/0:1H]
 1835 root         0 Z    [anweb]
 1858 root      1696 S    wscd -start -c /var/wsc_wlan1_wlan0.conf -w2 wlan1 -
 1886 root      1372 S    iwcontrol wlan1 wlan0
 2046 root      1704 S    telnetd -p 23 -l /bin/login
 2091 root      1584 S    dropbear -p 22 -r /tmp/dropbear/fileeN2dWS
 2439 root      1608 R    dropbear -p 22 -r /tmp/dropbear/fileeN2dWS
 2454 admin     1716 S    -sh
 3009 admin     1720 S    sh --version
admin@DIR_825I_RT8197G_WW:~$

Some of the interesting processes are the following ones:

dropbear - This is the ssh server.
telnetd - This is the telnet server which we currently have enabled.

anweb - This is the webserver that runs the admin web interface. And it is running with root privileges.

1554 root     23636 S    anweb -I 37 -m 80,443s -k /etc/server.key -p /etc/se

Since the web server is running with root privileges, it is able to flash the firmware.

The top command is also available on this router and it will show the process list as well, sorted by their load on the system.

List Users

The /etc/passwd file reveals the user accounts on the system

admin@DIR_825I_RT8197G_WW:~$ cat /etc/passwd
root:*:0:0:(null):/:/bin/false
dmsd:*:1:0:(null):/:/bin/false
dsysinit:*:3:0:(null):/:/bin/false
dwatcher:*:2:0:(null):/:/bin/false
scheduler:*:4:0:(null):/:/bin/false
tr:*:5:0:(null):/:/bin/false
dlinkwatcher:*:6:0:(null):/:/bin/false
mfc:*:7:0:(null):/:/bin/false
dsl:*:8:0:(null):/:/bin/false
apson:*:9:0:(null):/:/bin/false
rtkvoip:*:10:0:(null):/:/bin/false
sla_agent:*:11:0:(null):/:/bin/false
quagga:*:12:0:(null):/:/bin/false
dca:*:13:0:(null):/:/bin/false
dcs:*:14:0:(null):/:/bin/false
easymesh:*:15:0:(null):/:/bin/false
net_snmp:*:16:0:(null):/:/bin/false
nobody:*:99:99:(null):/:/bin/false
admin:$1$643C6633$NWptDXBWIP0CrggO.9VAv1:100:0:(null):/:/bin/sh
admin@DIR_825I_RT8197G_WW:~$

Looking at the line for user:root, we can tell the root login is disabled (locked) and there is no way to switch to root user and make modifications to the system.
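
The same reading of the passwd file can be done for every account at once. The script below is an added example, not part of the original article: it classifies the password field of each entry, reports which accounts can actually log in, and flags hashes kept in passwd itself instead of a root-only shadow file. The sample lines are constructed to mirror the layout shown above, with a placeholder in place of the admin hash, and the flag names are this example's own.

```shell
#!/bin/sh
# Added example: audit passwd entries in the format shown above.

# Constructed sample that mirrors the router's /etc/passwd layout.
# The admin hash is a placeholder, not a real credential.
PASSWD_SAMPLE='root:*:0:0:(null):/:/bin/false
dlinkwatcher:*:6:0:(null):/:/bin/false
nobody:*:99:99:(null):/:/bin/false
admin:$1$SALTSALT$PLACEHOLDERHASH0000000:100:0:(null):/:/bin/sh'

# Classify the second passwd field.
pw_state() {
    case "$1" in
        '')        echo empty ;;              # no password required
        x)         echo shadowed ;;           # hash lives in /etc/shadow
        '*'*|'!'*) echo locked ;;             # no password can match
        '$1$'*)    echo md5crypt ;;
        '$5$'*)    echo sha256crypt ;;
        '$6$'*)    echo sha512crypt ;;
        '$'*)      echo other-hash ;;
        *)         echo legacy-or-invalid ;;  # DES crypt or junk
    esac
}

# Read passwd lines on stdin; print "user|state|login|flags" per account.
passwd_audit() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        state=$(pw_state "$pw")
        case $shell in
            */false|*/nologin) login=no ;;
            *)                 login=yes ;;   # an empty field means /bin/sh
        esac
        flags=
        case $state in
            md5crypt|sha256crypt|sha512crypt|other-hash|legacy-or-invalid)
                flags="$flags hash-in-passwd" ;;
        esac
        case $state in
            md5crypt|legacy-or-invalid) flags="$flags weak-scheme" ;;
            empty)                      flags="$flags no-password" ;;
        esac
        # Non-root account whose primary group is gid 0.
        if [ "$uid" != 0 ] && [ "$gid" = 0 ]; then flags="$flags gid0"; fi
        echo "$user|$state|$login|${flags# }"
    done
}

# Read passwd lines on stdin; print accounts that are not locked and
# have a login shell.
interactive_accounts() {
    passwd_audit | while IFS='|' read -r user state login flags; do
        case $state in locked) continue ;; esac
        if [ "$login" = yes ]; then echo "$user"; fi
    done
}

printf '%s\n' "$PASSWD_SAMPLE" | passwd_audit
echo "can log in: $(printf '%s\n' "$PASSWD_SAMPLE" | interactive_accounts)"
```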

On most modern routers, the root account seems to be disabled as a measure to protect the device. Root access enables users to make changes to the system that can potentially damage the router (brick it) beyond repair.

However if you are a power user who wants to modify the system in creative ways, like installing your own kernel modules for new functionality, you need root access. Without it, pretty much no modification can be done.

There are some ways to forcefully get root on an embedded device. One such method is to try using the routersploit exploit framework that tries to look for and exploit known software vulnerabilities on your router and get you root access. If it works you can make really nice changes to your router.

User Groups

The user groups are also readable.

admin@DIR_825I_RT8197G_WW:~$ cat /etc/group
system:*:0:root,admin
nobody:*:99:nobody
sysusers_ro:*:1000:
admin@DIR_825I_RT8197G_WW:~$

Home directory completely empty

admin@DIR_825I_RT8197G_WW:~$ ls /home/
admin@DIR_825I_RT8197G_WW:~$

Query ARP Table

The arp tables quickly tell us what other network devices are connected/identified based on their mac address.

admin@DIR_825I_RT8197G_WW:~$ cat /proc/net/arp
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.135    0x1         0x2         90:cc:df:fd:97:c4     *        br0
admin@DIR_825I_RT8197G_WW:~$

The device shown above with IP address 192.168.0.135 is my Acer Swift 3 laptop with which I am connected to the router.

Network configuration and devices

admin@DIR_825I_RT8197G_WW:~$ iproute
192.168.0.0/24 dev br0 proto kernel scope link  src 192.168.0.1
admin@DIR_825I_RT8197G_WW:~$ iplink
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0
    link/ether f0:b4:d2:a4:94:21 brd ff:ff:ff:ff:ff:ff
3: wlan0-vxd: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether f0:b4:d2:a4:94:21 brd ff:ff:ff:ff:ff:ff
4: wlan0-va0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
5: wlan0-va1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
6: wlan0-va2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
7: wlan0-va3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0
    link/ether f0:b4:d2:a4:94:23 brd ff:ff:ff:ff:ff:ff
9: wlan1-vxd: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether f0:b4:d2:a4:94:23 brd ff:ff:ff:ff:ff:ff
10: wlan1-va0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
11: wlan1-va1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
12: wlan1-va2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
13: wlan1-va3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:86:86 brd ff:ff:ff:ff:ff:ff
14: pwlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:e0:4c:81:96:96 brd ff:ff:ff:ff:ff:ff
15: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether f0:b4:d2:a4:94:21 brd ff:ff:ff:ff:ff:ff
16: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether f0:b4:d2:a4:94:20 brd ff:ff:ff:ff:ff:ff
18: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0
    link/ether f0:b4:d2:a4:94:21 brd ff:ff:ff:ff:ff:ff
19: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether f0:b4:d2:a4:94:21 brd ff:ff:ff:ff:ff:ff
admin@DIR_825I_RT8197G_WW:~$

Reading System Log

The busybox logread command can be used to read system logs. The output is colorful actually.

admin@DIR_825I_RT8197G_WW:~$ logread
Dec  2 07:43:04 [INFO] syslogd started: BusyBox v1.31.1
Dec  2 07:43:05 [INFO] Deuteron[868]: DSysinit / Service manager starting...
Dec  2 07:43:05 [INFO] Deuteron[868]: DSysinit / Service manager init successful.
Dec  2 07:43:05 [INFO] Deuteron[868]: DMSD / Device RPC server starting...
Dec  2 07:43:05 [NOTE] CONFIG[868]: Booting with device mode: Router
Dec  2 07:43:05 [NOTE] d_config_fixup_fw_version[868]: Setting version 2.100.0 -> 2.100.0
Dec  2 07:43:05 [ DBG] mac_recount[868]: Nothing to do
Dec  2 07:43:05 [INFO] CONFIG[868]: Initing config
Dec  2 07:43:05 [INFO] d_conf_bin_init[868]: Probing attach to existing shared memory
Dec  2 07:43:05 [INFO] PERMISSIONS[868]: Initing permissions
...

Shows kernel messages and other useful diagnostic information.

Web server and Router admin interface files

The router runs a webserver named "anweb" which provides the admin panel access from web browser. The admin web-interface files are located in the directory /srv/anweb

admin@DIR_825I_RT8197G_WW:~$ ls srv/anweb/
admin          apps           autoconf.js    browser_check  error404       general        trouble        version.json   version.txt    wizard
admin@DIR_825I_RT8197G_WW:~$

These are the HTML files that show up when you open the admin interface in your web browser by pointing the URL to http://192.168.0.1

Extracting the code of the admin web interface:

First create a directory on your local system using mkdir

mkdir -p dlink/anweb

Now use the scp command on your local Linux desktop machine to copy/download the files. It's actually easy!

scp -O -r admin@192.168.0.1:/srv/anweb/ dlink/anweb/

Now you have downloaded all the files of the admin panel web application and can examine them easily and find useful stuff in there.

I opened the firmware page of the admin panel in the browser and inspected it in the DOM viewer.
I found the following function call:

grep -ri 'firmware.remote.checkUpdates' .
grep -ri 'checkUpdates' .

It reveals the name and location of the file that handles firmware updates

./admin/pages/system/firmware/ctrl.lazy.js

Now digging further into that file I find that the server being contacted was

https://fwupdate.dlink.ru/pub/Router/DIR-825/Firmware/

At that location I found firmware update image files for the firmware on this router:

DIR_825I_RT8197G_WW

The User Manual was found here:
https://fwupdate.dlink.ru/pub/Router/DIR-825/Description/DIR-825_I_User%20Manual_v.1.0.3_12.04.21_EN.pdf

The datasheet with full technical details was found here:
https://fwupdate.dlink.ru/pub/Router/DIR-825/Data_sh/DIR-825_I_DS_v.1.0.3_23.03.21_EN.pdf

According to the datasheet, the hardware details are as follows:

  • Processor: RTL8197FH-VG (1GHz)
  • RAM: 128MB, DDR2, built in processor
  • Flash: 128MB, SPI NAND

The above data matches the details fetched from /proc earlier.

Creating/Writing files on the system

Only the /tmp directory is writable, so you can use echo or cat to create files in there. Alternatively, you can use the scp command to download files into the /tmp directory.

Connecting Printer

I connected my HP LaserJet M1136 MFP printer to this router and turned it on. The dmesg log shows the printer being connected:

[email protected]_825I_RT8197G_WW:/tmp/mnt/usb1_4$ dmesg
...
<6>usb 1-1: new high-speed USB device number 3 using rtl819x-ehci
<6>usblp 1-1:1.0: usblp0: USB Bidirectional printer dev 3 if 0 alt 0 proto 2 vid 0x03F0 pid 0x042A
<6>usbcore: registered new interface driver usblp
[email protected]_825I_RT8197G_WW:/tmp/mnt/usb1_4$

The corresponding device path is /dev/usblp0

The lsmod command shows the loaded driver module: usblp

[email protected]_825I_RT8197G_WW:~$ lsmod
Module                  Size  Used by
usblp                  10080  0
nf_nat_rtsp             3984  0
nf_conntrack_rtsp       5049  1 nf_nat_rtsp
gpiom                  19933  0
[email protected]_825I_RT8197G_WW:~$

The lsusb command also shows the printer connected:

[email protected]_825I_RT8197G_WW:~$ lsusb
0001-0003: 0x03f0:0x042a csp = 0x00:0x00:0x00, mps = ['Hewlett-Packard', 'HP LaserJet Professional M1136 MFP', '000000000QHCNL0DPR1a']
    1-1:1.0: csp = 0x07:0x01:0x02, driver = usblp
        0x01: bulk out
        0x81: bulk in
    1-1:1.1: csp = 0xff:0x02:0x10, driver = none
        0x02: bulk out
        0x82: bulk in
        0x83: intr in
    1-1:1.2: csp = 0xff:0xff:0xff, driver = none
        0x05: bulk out
        0x85: bulk in
[email protected]_825I_RT8197G_WW:~$

There is another command usbinfo, which shows the same details along with ifconfig details.

Next, if I run the p910nd command, it starts a jetdirect port (tcp 9100) daemon

[email protected]_825I_RT8197G_WW:~$ p910nd

Now when I run nmap from my desktop machine to scan ports on this router, I can see the jetdirect port.

[email protected]:~$ nmap 192.168.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-02 09:52 IST
Nmap scan report for dlinkrouter.local (192.168.0.1)
Host is up (0.017s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
81/tcp   open  hosts2-ns
443/tcp  open  https
4443/tcp open  pharos
4445/tcp open  upnotifyp
9100/tcp open  jetdirect
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
[email protected]:~$

However, I could not get it to print anything. The print server does not work as intended.
When I tried print commands like these, nothing happened

[email protected]_825I_RT8197G_WW:~$ echo "Hello World" > /dev/usblp0
[email protected]_825I_RT8197G_WW:~$ cat /proc/cpuinfo | nc 192.168.0.1 9100

Seems like it just cannot print to the printer
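
The scan above shows telnet (23/tcp) open next to ssh, and 9100/tcp appearing once p910nd is started. As an added example, not from the original article, this script parses that nmap output and reports ports outside an expected set; the baseline list and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example: compare an nmap scan of the router against a service baseline.

# Constructed baseline: ports assumed to be expected on this router
# (the article's scan minus the port opened by p910nd).
BASELINE="22/tcp 23/tcp 53/tcp 80/tcp 81/tcp 443/tcp 4443/tcp 4445/tcp"

# Scan output as shown in the article, taken after p910nd was started.
SCAN='Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
81/tcp   open  hosts2-ns
443/tcp  open  https
4443/tcp open  pharos
4445/tcp open  upnotifyp
9100/tcp open  jetdirect
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds'

# Read nmap normal output on stdin; print "port/proto service" per open port.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# Print the open ports that are missing from BASELINE.
unexpected_ports() {
    open_ports | while read -r port service; do
        case " $BASELINE " in
            *" $port "*) ;;
            *) echo "$port $service" ;;
        esac
    done
}

# Print open ports that carry data in cleartext or accept it without
# authentication: telnet, and the raw printing port served by p910nd.
# Matching is by port number; nmap's service name is only a port lookup.
weak_services() {
    open_ports | awk '$1 == "23/tcp" || $1 == "9100/tcp"'
}

printf '%s\n' "$SCAN" | unexpected_ports   # prints: 9100/tcp jetdirect
```

Saving a scan before attaching USB devices or starting daemons gives a real baseline to replace the constructed one.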

USB Storage device

Now we test inserting a usb flash drive in the usb port of the router. I am using Sandisk Cruzer Blade 16GB USB 2.0.

[email protected]_825I_RT8197G_WW:~$ lsusb
0001-0002: 0x0781:0x5567 csp = 0x00:0x00:0x00, mps = ['SanDisk', 'Cruzer Blade', '4C530000310229214143']
    1-1:1.0: csp = 0x08:0x06:0x50, driver = usb-storage
        0x02: bulk out
        0x81: bulk in
[email protected]_825I_RT8197G_WW:~$

To read the usb drive, it loaded the drivers as well, which can be checked with lsmod

[email protected]_825I_RT8197G_WW:~$ lsmod
Module                  Size  Used by
vfat                    9904  1
fat                    52671  1 vfat
nf_nat_rtsp             3984  0
nf_conntrack_rtsp       5049  1 nf_nat_rtsp
gpiom                  19933  0
[email protected]_825I_RT8197G_WW:~$

dmesg shows information about usb drive

<6>usb 1-1: new high-speed USB device number 2 using rtl819x-ehci
<6>usb-storage 1-1:1.0: USB Mass Storage device detected
<6>scsi0 : usb-storage 1-1:1.0
<5>scsi 0:0:0:0: Direct-Access     SanDisk  Cruzer Blade     1.00 PQ: 0 ANSI: 6
<5>sd 0:0:0:0: [sda] 30031872 512-byte logical blocks: (15.3 GB/14.3 GiB)
<5>sd 0:0:0:0: Attached scsi generic sg0 type 0
<5>sd 0:0:0:0: [sda] Write Protect is off
<7>sd 0:0:0:0: [sda] Mode Sense: 43 00 00 00
<5>sd 0:0:0:0: [sda] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
<6> sda: sda1 sda2 sda3 sda4
<5>sd 0:0:0:0: [sda] Attached SCSI removable disk
<4>FAT-fs (sda4): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.

The output shows the driver being used: rtl819x-ehci

And mount shows where it has been mounted

[email protected]_825I_RT8197G_WW:~$ mount
...
/tmp/dev/sda4 on /tmp/mnt/usb1_4 type vfat (rw,relatime,gid=1000,fmask=0020,dmask=0020,allow_utime=0002,codepage=866,iocharset=cp866,shortname=mixed,utf8,flush,errors=remount-ro)
[email protected]_825I_RT8197G_WW:~$

Now we can switch to the directory and read the contents of the usb drive.

<6>usb 1-1: USB disconnect, device number 2

OpenWRT Support

OpenWRT is an excellent alternative firmware for your router device, if you are not satisfied with the vendor provided firmware. However openwrt does not support all socs across routers.

It seems there is some work in progress to add support for RTL8197F socs in openwrt. Here is a discussion on it:

https://forum.openwrt.org/t/working-realtek-soc-rtl8196e-97d-97f-in-last-master/70975/1

However it is not fully functional yet and we have to wait. With openwrt we get full (root) access on the device and a lot more flexibility to configure the device in any way that we like.

Conclusion

Routers running linux based firmwares are like a mini-computer that can do a lot more than just routing. For example some routers with usb ports can act as a print server allowing you to connect your printer to it and make it accessible over network.

If a storage device like usb flash drive or usb external ssd is connected to such a router, it can act as a network storage device as well with the right linux drivers. A linux based firmware along with a usb port opens a lot of options to use the device in diverse ways. Another device that can be connected is a usb modem that allows you to connect to your isp.

When combined with an open source firmware like openwrt we can install more drivers to do even more things. With openwrt a usb router can connect even more devices like a webcam or a sound card.

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].
