Author: Solaris17

ScreenConnect Woes


Oh, where to begin? Like most of the IT industry and home lab enthusiasts, I was drawn in by ScreenConnect, the now-defunct remote software company that was bought out by ConnectWise and renamed Control. When I first came across this server it was initially configured on an Ubuntu 14 desktop environment.

I wanted this to become a production system and, with the delicate Mono config, decided to try my luck converting it. This caused me some grief, but I did not know what I know now about Ubuntu or even Linux in general in 2014. After removing the GNOME desktop environment it lived like this for a few years with problem after problem that was slowly patched and fixed.

Enter ConnectWise. ConnectWise bought SC and turned it into Control. This was of no moment at the time; using NGINX as a reverse proxy I had SSL and a manageable interface as Mono, ScreenConnect's built-in web engine, slowly faded into EOL status and no longer supported modern browsers.

It was time for 19.04 LTS and after attempting the upgrade it failed. Not only was I stuck on a Gen1 VM, I could no longer update the core OS from 18.04 without destroying SC. So with ConnectWise's predatory pricing scheme, and my lifetime SC license no longer activating on their servers, I could do nothing but wait.

So I did. With 20.04 coming out I wanted to try again. I had finished the migration to encrypted and protected VMs, with a slew of other security-related modifications; the only server left out was ScreenConnect.

I did the upgrade from 18.04 to 20.04 and as anticipated it broke. This time, however, I wanted to fix it. First and foremost I saw that the service was starting, but only after I was able to console into the server. SSH was not working. I figured if SSH did not function it stood to reason this may be firewall related. After a quick check:

sudo ufw status

I was confused to find it disabled. After enabling the firewall

sudo ufw start
sudo ufw enable

This completed without issue, and a check of my rules showed they were still in place. I decided at this point to reboot, hoping that maybe this was always the problem. Afterwards, however, I was greeted with the same problem. This needed to be fixed first for me to proceed. I needed the firewall to start with the system. What was odd was that all of the enable commands via systemctl or otherwise did not report an error.
After some digging I managed to find my issue.

sudo nano /lib/systemd/system/ufw.service

Had a line in it regarding firewall start metrics.

This made no sense, we need the firewall to start AFTER the network comes up so it does not fail and stop.

Done. After yet another reboot the firewall service was working correctly. Now it was time to check on ScreenConnect. While installed and intact after the upgrade, it still was not starting. Thankfully SC is configured to log its own errors.

at ScreenConnect.Program.Main (System.String[] args) [0x00000] in :0
[ERROR] FATAL UNHANDLED EXCEPTION: System.TypeInitializationException: An exception was thrown by the type initializer for libc ---> System.DllNotFoundException:
at (wrapper managed-to-native) ScreenConnect.MonoNative+libdlProxy:dlopenPlatformInvoke (void,int) at ScreenConnect.MonoNative+libdlProxy.dlopen (System.Void , Int32 ) [0x00000] in :0
at ScreenConnect.MonoToolkit+MonoDiskNativeLibrary.TryLoadNativeLibrary (System.String libraryPath) [0x00000] in :0
at ScreenConnect.DiskNativeLibrary..ctor (System.String libraryPath) [0x00000] in :0
at ScreenConnect.MonoToolkit+MonoDiskNativeLibrary..ctor (System.String libraryPath) [0x00000] in :0
at ScreenConnect.MonoToolkit.LoadNativeLibraryFromDisk (System.String libraryPath) [0x00000] in :0
at ScreenConnect.NativeLibrary.LoadLibrary (System.String libraryName, System.Type lookInAssemblyWithType) [0x00000] in :0
at ScreenConnect.NativeLibrary.LoadLibrary (System.Type type, System.Type lookInAssemblyWithType) [0x00000] in :0
at ScreenConnect.NativeLibrary.LoadProxy (System.Type type, System.Type lookInAssemblyWithType) [0x00000] in :0
at ScreenConnect.NativeLibrary.LoadProxy[libc] (System.Type lookInAssemblyWithType) [0x00000] in :0
at ScreenConnect.MonoNative+libc..cctor () [0x00000] in :0
--- End of inner exception stack trace ---

Rough. It looks like it was having some issues with libc and libdl. After a quick look around using find I came across broken symlinks in /lib/x86_64-linux-gnu where the files resided. It looked like glibc was updated and the existing links were broken.

SSH made this easy because the broken links showed up as bright red. Time to fix them.

sudo ln -s
sudo ln -s
sudo ln -s

After the re-link, a reboot for good measure, and WE WERE BACK!

20.04 running well and ScreenConnect letting me touch my machines.

Life is good.

BONUS: If you want colors in your sessions

sudo nano ~/.bashrc

Then uncomment the line


Anatomy of a public DNS breakin



Hiya, today I am going to walk you through discovering and potentially leveraging open DNS servers in an effort to show you why you should be careful with the DNS blocking tools that have steadily become popular.

I am NOT affiliated, sponsored, represent, or paid by any security firm or corporation. I do not officially represent any entity while posting under my USN.

I am a normal guy that wants to bring as much security information to this forum as I have time to do. I understand that it isn’t really the focus of this site but the more eyes and DIYs that can see it the better.

What I am doing is for education. BE WARNED that what is being done is POTENTIALLY ILLEGAL and can result in CRIMINAL CHARGES. NEVER pentest or modify a computer system WITHOUT CONSENT.

We will be tackling this with free tools in Windows.

I will try to keep this short.

Taking a look

Today’s internet is full of devices that are becoming popular in regard to security and privacy. Some of these devices come in the form of DNS filtering agents. This is because, other than adblockers, this is the easiest way to protect an entire network.

Devices and software like:

  • Bitdefender Box
  • Firewalla
  • Fingbox
  • Winston
  • Pi-hole
  • AdGuard

Have more or less the same features, and one of the biggest and most useful is their ability to block DNS queries based on a reputation system that has definitions we call “lists”. Of course we have been doing things like this for years on our personal computers. Modification of the ‘hosts’ file is in essence what these devices do, only on a much broader scale. So what is the big deal with these kinds of devices and why might there be a problem?

The issue stems from availability without much education. I have covered DNS basics and even went over the setup of a Pi-hole in a previous guide (I promise to fix the pictures). Basically, convenience is our enemy here, and when installing these devices more privacy/hobbyist minded individuals make modifications to these systems (with some just being vulnerable to begin with) that promote bad internet hygiene and expose them to more risk.


I am going to be picking on pi-hole today. I should get it out of the way that in this case pi-hole as a product is safe and its defaults are also safe. The issue stems from its misconfiguration by individuals and its widespread adoption by DIYers combined with a lack of understanding on how DNS works.

To start, let’s go over why an open DNS server, that is, a DNS server that can be used publicly, is bad. I have an example myself but for a more bulleted list we can look here. Now to reiterate, it should be noted that even the Pi-hole staff and many of the people ‘in the know’ do NOT want you to open DNS to the public. DNS servers exposed to the public and run by amateurs are such a bad idea that there are several lists available exposing them.

Abusing DNS is bad, and I’ve said it four different ways already. If you didn’t read any of the links I posted it boils down to these potential problems.

  • DDoS of the DNS service
  • Poisoning DNS servers
  • Hijacking DNS requests
  • Amplification (reflection) attacks utilizing public DNS servers to overwhelm a specific domain
  • Waste of bandwidth

You can read what CISA thinks about amplification attacks here. They are the easiest and most abused aspect of public DNS servers. In most of my guides I try to educate, and most of the cases involve some examples. However, I understand that is not enough for some people. To some, security articles are nothing more than a pentester or security professional soapboxing on a public forum.

Getting dirty

So let’s break into public DNS servers. First we want to make it appeal to the masses. Let’s really drive home how easy it is to disrupt people and break privacy.

What if we imposed rules? Hm. How about.

  • It has to be with free tools
  • They don’t need to be installed
  • They don’t require a user account

That’s a little rough. No Burp Suite, no nmap, no normal pentesting kit tools. However, if we stick to those rules, in theory anyone with a PC can do it.

To start, let’s think critically. We do need SOME info. How about something simple? How about we go with a name? Most of these products brand themselves so we will start with “pihole”.

Now how about we plug this into a website that scans IoT things?

Oh my, even without a user account.

Ok, so Shodan lets us dive in. What does the request actually look like? What else may have been detected on this server? I mean, what if they are hosting a public FTP server that we can access as well? The possibilities are scary and are only limited to web hostable content.

Neat, so they are running pihole on port 8089 on this specific IP address. Let’s try to go to it.

Sad face. It looks like it’s responding, however.

What if we tacked on something? What if we did a little URL modification? Say for example we attempted to access the admin page of the unit? That has a default path of I think


Yikes! And it’s out of date! Not only is it public but let’s not forget that products can have CVEs.

As we can see though, this one requires login at least. Maybe we can use it as a DNS server? Let’s see if it accepts outside connections.

To do this on Linux you can use the ‘dig’ command. However, for Windows we can use ‘nslookup’.

Something like <command> <domain I want> <server I want to use>

Let’s take a look.

Nope, no open resolver. Just an open web interface. Still bad, but we are looking for quick targets. Let’s move on and try a few more.

Wow. Words cannot communicate how ridiculous this is.

Anyone fancy changing their upstream DNS server to your own so you can re-route traffic?

Or maybe you want to stop the service? Maybe shut down the device?

Danger Zone indeed!

Other than hijacking their DNS requests to a server you run, or making their lives miserable by disabling DNS resolution. Or otherwise peeking on their lives, or man, maybe even getting to know their work schedule by monitoring the DNS request graph.

Can it actually resolve public DNS though? Or did they just remove the password on the admin CP?

Wow. We can even abuse it via DNS itself.

Buttoning up

According to the command list it appears that installers are utilizing

pihole -a -p

to change the -admin -password and simply leaving the field blank. This would effectively disable the password requirement that the pihole actually FORCES during install by randomly generating a password that is displayed to you.
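
A defender-side check for the settings this post found abused, as an added example that is not part of the original post or Pi-hole's own code: it reads a Pi-hole v5 style /etc/pihole/setupVars.conf and flags a blank admin password, a listening mode that answers non-local queries, and upstream resolvers you did not choose. The key names (WEBPASSWORD, DNSMASQ_LISTENING, PIHOLE_DNS_n) are assumed from Pi-hole v5's file layout; the two sample files, the function names and the severity labels are constructed for the example.

```python
"""Audit a Pi-hole v5 style setupVars.conf (added example, assumed key names)."""
from typing import NamedTuple


class Finding(NamedTuple):
    key: str       # setting that triggered the finding
    severity: str  # label chosen for this example only
    message: str


def parse_setupvars(text):
    """Parse KEY=VALUE lines, skipping blanks and '#' comment lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit(settings, expected_upstreams):
    """Return findings for the three exposures described in the post."""
    findings = []

    # An empty WEBPASSWORD is what a blank `pihole -a -p` leaves behind.
    if not settings.get("WEBPASSWORD"):
        findings.append(Finding("WEBPASSWORD", "high",
                                "admin interface has no password"))

    # Only 'local' limits answers to directly attached subnets (assumption
    # about v5 semantics); 'all' permits every origin.
    mode = settings.get("DNSMASQ_LISTENING", "")
    if mode == "all":
        findings.append(Finding("DNSMASQ_LISTENING", "high",
                                "resolver answers queries from any origin"))
    elif mode != "local":
        findings.append(Finding("DNSMASQ_LISTENING", "medium",
                                f"mode {mode or 'unset'!r} does not limit query origin"))

    # An upstream you did not configure means someone else sees every query.
    for key in sorted(k for k in settings if k.startswith("PIHOLE_DNS_")):
        host = settings[key].split("#", 1)[0]  # drop optional '#port'
        if host and host not in expected_upstreams:
            findings.append(Finding(key, "medium",
                                    f"unexpected upstream resolver {host}"))
    return findings


# Constructed sample: the state the post found on exposed devices.
EXPOSED_SAMPLE = """\
# constructed sample, not taken from a real device
PIHOLE_INTERFACE=eth0
DNSMASQ_LISTENING=all
WEBPASSWORD=
PIHOLE_DNS_1=203.0.113.53
PIHOLE_DNS_2=9.9.9.9
"""

# Constructed sample: password set, local-only answers, known upstreams.
HARDENED_SAMPLE = """\
PIHOLE_INTERFACE=eth0
DNSMASQ_LISTENING=local
WEBPASSWORD=constructed-placeholder-hash
PIHOLE_DNS_1=9.9.9.9
PIHOLE_DNS_2=127.0.0.1#5335
"""

EXPECTED_UPSTREAMS = {"9.9.9.9", "127.0.0.1"}

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        results = audit(parse_setupvars(sample), EXPECTED_UPSTREAMS)
        print(name, "->", len(results), "finding(s)")
        for finding in results:
            print(f"  [{finding.severity}] {finding.key}: {finding.message}")
```

The file check says nothing about the router: a port forward for 53, 80 or 443 has to be reviewed on the router itself.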

Let’s take a moment to remember our honorable mentions, like the knockoff products that customize the existing code of existing products. In Pi-hole’s case, “Adgone” and “Rootswitch”, after investigation, not only provide public resolvers based off of the product but themselves charge customers for access to their public resolver as part of a product stack that they ripped off.

It’s important to understand the risks and consequences of this in a broad sense.

Some DIYers set up these devices and consciously know they are exposing them to the internet. This allows them to customize phones or laptops when they are not on the LAN to use the filter settings they set up. However, there are MUCH better ways to do this. Others simply have no idea. Their routers could be port forwarding port 53 (DNS) and 80 or 443 (HTTP/s) by default and the intent was just to use it like normal. Some, going further, may have believed the forwards necessary for functionality.

In either case this is not limited to the pi-hole. Or even privacy/security/filtering products like this, or the ones mentioned. You should always be aware that a network is just that. A collection of devices working together. All parts of a network should be examined. Routers should be checked. Firewalls in network devices need to be examined. 

If you don’t, I’ll do it for you on my lunch break.

Things we did today.

  • Found your device’s admin panel
  • Broke into your device
  • Found out if I could use your device for bad things
  • Found out you work 10-6pm EST
  • Followed you on instagram
  • Took note of the number of devices on your network
  • Took note of your device names
  • Found the local address of the other servers you run on your network


Stay safe, know what you are buying and how to set it up. If you don’t, find someone who does. Check your devices. Typing this literally took longer than it took me to find 271 exposed devices and I managed to find 13 I could admin access before I finished writing this sentence.

Hope you learned something. Thanks for reading!

UART and you gaining root on random hardware



Hello, today I hope to explain UART to you. We will take a shallow dive into the world of serial device access and what it may mean from a technological and security perspective.

I am a normal guy that wants to bring as much security information to this forum as I have time to do. I understand that it isn’t really the focus of this site but the more eyes and DIYs that can see it the better. We are in an ever growing technological field, and while gaming is fun there are a lot of moving parts now from the days of original DOOM.

We will be tackling this in Windows. A lot of the security field focuses on Linux, with a popular option being Kali. I want to show you that Windows can be used too; and because why not?

I will try to keep this short.

What is UART?

UART stands for “Universal Asynchronous Receiver/Transmitter” or as I like to call it yoU Are RooT. UART is a straight serial bus communication technology. That is to say it is NOT a communications protocol but rather a direct interface to the serial bus.

UART or UART(s), as there may be several on any given device, allow us to interface with a particular bus on said device. For example, we may be able to talk to a microprocessor or a controller of some sort. We can sometimes write data. Other times we can see things that can’t normally be seen. Depending on the device we have several different options at our disposal.

What is the objective?

Today I am going to attempt to show you some common techniques and some possible outcomes by interfacing with the UART connector on a device. We will go over the various ways this can be accomplished and I really hope you walk away from it with a little more insight in both hardware complexity and security awareness.

  • I will show you various ways to check prior to purchasing a device to see if it shows signs of UART interfacing.
  • I will show you some cheap hardware (under $30?) you can use to try it yourself.
  • We will gain root access to a popular device I bought off of Amazon.
  • We will explore some of the technological and software dilemmas we are faced with judging by what we find.

Show me the loot

Here we have a list of some parts I will be using for this demonstration. The prices will be in USD as applicable.

Total cost for the tools to do this to whatever?

$22.50 USD

As for the device we will be using to actually test with..

Total cost for everything to reproduce this guide?

$43 USD

You, of course, are free to shop around for cheaper stuff. This is all pretty decent quality stuff, but I know you may be able to get USB > TTY devices for only a few dollars and I know cheaper or smaller bundles of wire are available. You can probably easily do this in or under the $15 USD range.

Tools of the trade

We are going to need a few tools to help us. Thankfully the first part of any kind of hardware probing is why waste money if we can look first? Good question. Welcome to the FCC ID database. If you managed to snag a picture of the box or simply google for a product’s FCC ID, and it transmits a signal, we can use the below to find it.

It’s important to first remember that FCC applications are generally NOT done with final products. In this case we are looking for signs of UART (3 to 4 pins) next to each other. Now, while it’s also important to know that UART pins aren’t necessarily next to each other, for a good % of devices they are.

Now because the final product seldom has the jumpers, we are really just looking to see if they give us the options for UART. The jumper may not exist anymore, but if they used UART for testing (since UART generally has debug and run info piped to it) we can use the holes or pads to connect to, since even if the header is removed, functionality (the output) is seldom disabled.

The links in the flesh!

This site is awesome because you can search other FCC-esque databases used/exclusive in/to other countries.

Then we have old reliable

Now here’s some links for our specific device.

The FCC website only caches searches, no direct linking, because idk, FCC.

With a link to the internal pictures (that must be submitted if you’re submitting to the FCC) we are after!

Now that I’m pretty sure I’m going to have some luck, let’s order it and wait 2 days.

Specifically the image that tipped me off was none other than.


Disassembly and examination

Now that we have the device we are going to show some quick candid pictures and I will explain what we are looking for. For this demonstration it’s important to note that after purchase I read up on the device and it turns out the market for this device is pretty much experimentation supported by the manufacturer. That’s fine though. Other devices I’ve probed offer similar but unintentional access, so the lessons learned still fit the task at hand.

The router itself comes in a small cardboard box. Nothing of real interest. I was pleasantly surprised by the size however, no doubt it is smaller than the TP-Link TL-MR3020 I’ve disassembled previously.

Pen for reference

Now we have to take it apart. Nothing crazy here. The device backplate is held in with clips my knife made quick work of. The PCB itself also snaps into place.

Note: The device has a switch on the side and the actual plastic button covering the switch is built into the chassis and has a channel carved into the plastic that allows the nipple to slide in during assembly/disassembly. If you are constantly removing and installing the board take note of the switch position on both the PCB and chassis and line the nipple of the switch up with the channel or you will probably destroy it. For ease on these devices even with other brands the ethernet jacks are the least forgiving. Try to install the ethernet side first, and remove the device ethernet side last (lift from the other direction). This will reduce stress on the board.

The back of the board is pretty neat: we see some holes and solder points for connectors and an SPI, probably where the FW is stored. If you’re going to play with this stuff and you feel you have more money to spend, I personally use a flash cat classic (FCUSB2X) ($30) to dump everything prior to attempting to destroy it, so I can write it back. But depending on the device and its capabilities it’s not impossible to pull it off via GPIO or another header if you need to. Not something we are going to cover here though.

Now that we have the device pulled out let’s take a look at the other side.

We can see they were super nice and gave us jumpers to play with. But the device also has holes if you want practice with that. Looks like the holes on this are SPI but we want UART. In this case the pins attached are TX, RX, GND and VCC. In most cases VCC will be provided by your TTY to USB and will measure at 3.3V. When I can, though, I only plug in the TX, RX and GND. I use the power of the device itself to provide my voltage.

You can probe at this point with something like a logic analyzer or even just a multimeter if you want, to try and figure out what the pins are protocol-wise and if they are live. You also don’t need to hook up both TX and RX. Some devices won’t even let you interface, but TX (Transmit) will let you see what the device is dumping to the bus. I hook up all to see if I can work with the device so that’s what we are going to do.

You would be surprised how many devices still leave pads or holes like the row below. As mentioned earlier however, not all devices will have them clearly marked, and the contacts may not be near each other. Generally speaking, they will share a common name like G1 G2 G3 G4 which will stick out compared to the naming convention of the other devices soldered to the PCB around it. This trick can help you narrow down a device you are digging into.

It should be noted that A LOT of devices actually do leave the UART connections available and active. This will play a big part in the discussion to follow.

All hooked up!

It’s important to note how UART works. So I drew up a very crude example of how to wire UART. Put simply, TX and RX (Transmit and Receive) are wired BACKWARDS to your USB device. This in a way works like current networking, or phone systems. Transmit will go to the Receive pin of the other device. Makes sense right? It’s like the digital equivalent of playing catch.

Make sense? Awesome. Now let’s get ready to go!


Now let’s configure PuTTY and figure out the baud rate.

First things first, what am I talking about? Well, with serial we need to specify a baud rate. I won’t be getting into specific serial processes but suffice to say serial is incapable of doing any kind of auto negotiation. So we have to tell, in this case, PuTTY how fast the data is being transmitted so it can read it.

Let’s get started. First we need to plug in our handy dandy USB to TTY. Now we have to find the COM port the device is speaking through. This is thankfully easy; in Windows simply open your Device Manager.

Below is a picture of my device. Yours will say something different. You might even have a few, but just look for something with a name you expect.


In my case you can see my device is on COM3.

Let’s get some things out of the way. Baud rate can be set to really a lot of things. Now we can try a logic analyzer or maybe some fancy documentation but you know what? There are only a few that are used a ton. I generally start with those and just try blindly.

They are:

9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600

Now what happens if it’s wrong? Well, you will either get nothing or you will get some scrambled or oddly spaced characters like so.

Enough chatter though, let’s fire up PuTTY and see.


In this case, I have found through quick trial and error that I get a response using a baud rate of 115200. You can also see that I have selected “Serial” (since this is a serial connection) and I have changed my COM port to ‘COM3’ which we took out of Device Manager.

If the stars align we get a text output! While leaving the session open I went ahead and restarted the device and we get this!

Sweet! Now we can reproduce this to a working state since we know the port and baud rate. Let’s take a look at one other PuTTY option that’s useful.

On the left hand side under Session at the very top click “Logging”.

To the right we will now have session logging options. Sometimes the device text will scroll too quickly or we may miss important information that can help us. In this case we can configure PuTTY (per session) to log the console output to a log.

In this case I selected “All session output”. Browse for the file location and simply click “Session” again to go back to the connection panel.
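
Once the session is being written to a file, the capture can be reviewed offline. The script here is an added example, not part of the original post: it scans a saved boot capture for the lines a hardening review would record (an interruptible bootloader, a kernel console on the serial port, a failsafe prompt) and extracts the flash partition map. The sample lines are copied from this post's own capture of the GL-MT300N-V2; the rule names and function names are made up for the example.

```python
"""Review a saved UART boot capture for what it discloses (added example)."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str     # hypothetical rule name used only in this example
    line_no: int  # 1-based line number in the capture
    detail: dict  # named groups pulled out of the matching line


# Each rule pairs a name with the log line that proves the exposure.
RULES = [
    # Bootloader autoboot can be interrupted from the serial console.
    ("bootloader_console",
     re.compile(r"type '(?P<key>[^']+)' to run U-Boot console")),
    # Kernel was told to put its console on a serial port at a known speed.
    ("kernel_serial_console",
     re.compile(r"Kernel command line:.*\bconsole=(?P<tty>tty\w+),(?P<baud>\d+)")),
    # OpenWrt preinit offers failsafe mode to whoever is on the console.
    ("failsafe_prompt",
     re.compile(r"Press the \[(?P<key>\w+)\] key and hit \[enter\] "
                r"to enter failsafe mode")),
]

# MTD partition lines look like: 0x<start>-0x<end> : "<name>"
MTD_RE = re.compile(r'0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+) : "(?P<name>[^"]+)"')


def triage(log_text):
    """Return one Finding per log line that matches a rule, in file order."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(rule, line_no, match.groupdict()))
                break
    return findings


def flash_layout(log_text):
    """Return (name, start offset, size in bytes) for every MTD partition line."""
    layout = []
    for match in MTD_RE.finditer(log_text):
        start = int(match["start"], 16)
        end = int(match["end"], 16)
        layout.append((match["name"], start, end - start))
    return layout


# Sample input: lines copied from the boot capture shown in this post.
SAMPLE_LOG = """\
U-Boot 1.1.3 (Apr 26 2018 - 15:30:15)
Autobooting in:    2 s (type 'gl' to run U-Boot console)
[    0.000000] Kernel command line: console=ttyS0,115200 rootfstype=squashfs,jffs2
[    0.376423] 0x000000000000-0x000000030000 : "u-boot"
[    0.382409] 0x000000030000-0x000000040000 : "u-boot-env"
[    0.388662] 0x000000040000-0x000000050000 : "factory"
[    0.394749] 0x000000050000-0x000001000000 : "firmware"
[    6.338257] init: - preinit -
Press the [f] key and hit [enter] to enter failsafe mode
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.rule} {finding.detail}")
    for name, start, size in flash_layout(SAMPLE_LOG):
        print(f"{name:12s} offset 0x{start:06x} size {size // 1024} KiB")
```

On a product you ship, each finding is a line item for the firmware build: whether the bootloader prompt, the serial console and failsafe mode should remain reachable on production units.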


Now when we connect to PuTTY and reboot the device we get a log file that contains this.

DDR Calibration DQS reg = 00008888

U-Boot 1.1.3 (Apr 26 2018 - 15:30:15)

Board: Ralink APSoC DRAM:  128 MB

relocate_code Pointer at: 87fb0000


Software System Reset Occurred


flash manufacture id: ef, device id 40 18

find flash: W25Q128BV

*** Warning - bad CRC, using default environment


Ralink UBoot Version:


ASIC 7628_MP (Port5<->None)

DRAM component: 1024 Mbits DDR, width 16

DRAM bus: 16 bit

Total memory: 128 MBytes

Flash component: SPI Flash

Date:Apr 26 2018  Time:15:30:15


icache: sets:512, ways:4, linesz:32 ,total:65536

dcache: sets:256, ways:4, linesz:32 ,total:32768


##### The CPU freq = 575 MHZ ####

##### Memory size =128 Mbytes ####


RESET button is pressed for:  0 second(s)

Catution: RESET button wasn't pressed or not long enough!

Continuing normal boot...

Autobooting in:    2 s (type 'gl' to run U-Boot console)

Device have ART, checking calibration status...

Device have calibrated, checking test status...

Device haven tested, checking MAC info...

Device have MAC info, starting firmware...

## Booting image at bc050000 ...

   Image Name:   MIPS OpenWrt Linux-4.14.63

   Image Type:   MIPS Linux Kernel Image (lzma compressed)

   Data Size:    1544570 Bytes =  1.5 MB

   Load Address: 80000000

   Entry Point:  80000000

   Verifying Checksum ... OK

   Uncompressing Kernel Image ... OK

No initrd

## Transferring control to Linux (at address 80000000) ...

## Giving linux memsize in MB, 128

Starting kernel ...

[    0.000000] Linux version 4.14.63 (lancer@gl-inet) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r7258-5eb055306f)) #0 Thu Aug 16 07:51:15 2018
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7628AN ver:1 eco:2
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019655 (MIPS 24KEc)
[    0.000000] MIPS: machine is GL-MT300N-V2
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x8c/0x47c with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line: console=ttyS0,115200 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=0005e643
[    0.000000] Readback ErrCtl register=0005e643
[    0.000000] Memory: 124832K/131072K available (3565K kernel code, 178K rwdata, 856K rodata, 192K init, 214K bss, 6240K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 256
[    0.000000] intc: using register map from devicetree
[    0.000000] CPU Clock: 575MHz
[    0.000000] timer_probe: no matching timers found
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6647862422 ns
[    0.000012] sched_clock: 32 bits at 287MHz, resolution 3ns, wraps every 7469508094ns
[    0.007550] Calibrating delay loop... 380.92 BogoMIPS (lpj=1904640)
[    0.073454] pid_max: default: 32768 minimum: 301
[    0.078150] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.084501] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.097206] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.106701] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.112649] pinctrl core: initialized pinctrl subsystem
[    0.119002] NET: Registered protocol family 16
[    0.148882] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.154492] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.160087] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.170297] clocksource: Switched to clocksource MIPS
[    0.176336] NET: Registered protocol family 2
[    0.181585] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.188277] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.194459] TCP: Hash tables configured (established 1024 bind 1024)
[    0.200697] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.206295] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.212652] NET: Registered protocol family 1
[    0.220147] Crashlog allocated RAM at address 0x3f00000
[    0.226730] workingset: timestamp_bits=30 max_order=15 bucket_order=0
[    0.238864] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.244485] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.264074] io scheduler noop registered
[    0.267807] io scheduler deadline registered (default)
[    0.273744] gpio-export gpio_export: 1 gpio(s) exported
[    0.278954] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.288153] console [ttyS0] disabled
[    0.291646] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 28, base_baud = 2500000) is a 16550A
[    0.300365] console [ttyS0] enabled
[    0.300365] console [ttyS0] enabled
[    0.307363] bootconsole [early0] disabled
[    0.307363] bootconsole [early0] disabled
[    0.316138] 10000d00.uart1: ttyS1 at MMIO 0x10000d00 (irq = 29, base_baud = 2500000) is a 16550A
[    0.325727] cacheinfo: Failed to find cpu0 device node
[    0.330982] cacheinfo: Unable to detect cache hierarchy for CPU 0
[    0.337915] spi-mt7621 10000b00.spi: sys_freq: 191666666
[    0.360208] m25p80 spi0.0: w25q128 (16384 Kbytes)
[    0.365096] 4 fixed-partitions partitions found on MTD device spi0.0
[    0.371548] Creating 4 MTD partitions on "spi0.0":
[    0.376423] 0x000000000000-0x000000030000 : "u-boot"
[    0.382409] 0x000000030000-0x000000040000 : "u-boot-env"
[    0.388662] 0x000000040000-0x000000050000 : "factory"
[    0.394749] 0x000000050000-0x000001000000 : "firmware"
[    0.473297] 2 uimage-fw partitions found on MTD device firmware
[    0.479332] 0x000000050000-0x0000001c91ba : "kernel"
[    0.485320] 0x0000001c91ba-0x000001000000 : "rootfs"
[    0.491266] mtd: device 5 (rootfs) set to be root filesystem
[    0.498506] 1 squashfs-split partitions found on MTD device rootfs
[    0.504866] 0x000000ae0000-0x000001000000 : "rootfs_data"
[    0.512037] libphy: Fixed MDIO Bus: probed
[    0.525906] rt3050-esw 10110000.esw: link changed 0x00
[    0.534222] mtk_soc_eth 10100000.ethernet eth0: mediatek frame engine at 0xb0100000, irq 5
[    0.544509] NET: Registered protocol family 10
[    0.553217] Segment Routing with IPv6
[    0.557059] NET: Registered protocol family 17
[    0.561691] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    0.574838] 8021q: 802.1Q VLAN Support v1.8
[    0.591816] VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
[    0.600009] Freeing unused kernel memory: 192K
[    0.604561] This architecture does not have kernel memory protection.
[    1.887491] init: Console is alive
[    1.891282] init: - watchdog -
[    2.310307] random: fast init done
[    5.793900] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    6.006183] usbcore: registered new interface driver usbfs
[    6.011896] usbcore: registered new interface driver hub
[    6.017398] usbcore: registered new device driver usb
[    6.029093] exFAT: Version 1.2.9
[    6.068262] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    6.084723] SCSI subsystem initialized
[    6.094416] ehci-platform: EHCI generic platform driver
[    6.110020] phy phy-10120000.usbphy.0: remote usb device wakeup disabled
[    6.116832] phy phy-10120000.usbphy.0: UTMI 16bit 30MHz
[    6.122166] ehci-platform 101c0000.ehci: EHCI Host Controller
[    6.128027] ehci-platform 101c0000.ehci: new USB bus registered, assigned bus number 1
[    6.136186] ehci-platform 101c0000.ehci: irq 26, io mem 0x101c0000
[    6.170324] ehci-platform 101c0000.ehci: USB 2.0 started, EHCI 1.00
[    6.177751] hub 1-0:1.0: USB hub found
[    6.182008] hub 1-0:1.0: 1 port detected
[    6.189909] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    6.198242] ohci-platform: OHCI generic platform driver
[    6.203881] ohci-platform 101c1000.ohci: Generic Platform OHCI controller
[    6.210840] ohci-platform 101c1000.ohci: new USB bus registered, assigned bus number 2
[    6.218958] ohci-platform 101c1000.ohci: irq 26, io mem 0x101c1000
[    6.295370] hub 2-0:1.0: USB hub found
[    6.299640] hub 2-0:1.0: 1 port detected
[    6.307035] uhci_hcd: USB Universal Host Controller Interface driver
[    6.321390] usbcore: registered new interface driver usb-storage
[    6.328719] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    6.338257] init: - preinit -
[    7.766010] rt3050-esw 10110000.esw: link changed 0x00
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    8.256057] random: procd: uninitialized urandom read (4 bytes read)
[   11.632275] jffs2: notice: (420) jffs2_build_xattr_subsystem: complete building xattr subsystem, 21 of xdatum (2 unchecked, 18 orphan) and 74 of xref (14 dead, 15 orphan) found.
[   11.650642] mount_root: switching to jffs2 overlay
[   11.729288] overlayfs: upper fs does not support tmpfile.
[   11.747747] urandom-seed: Seeding with /etc/urandom.seed
[   11.902138] procd: - early -
[   11.905176] procd: - watchdog -
[   12.632084] procd: - watchdog -
[   12.635549] procd: - ubus -
[   13.066712] random: jshn: uninitialized urandom read (4 bytes read)
[   13.158182] random: ubusd: uninitialized urandom read (4 bytes read)
[   13.173886] random: ubusd: uninitialized urandom read (4 bytes read)
[   13.183609] procd: - init -
Please press Enter to activate this console.
[   14.914799] kmodloader: loading kernel modules from /etc/modules.d/*
[   15.060512] ntfs: driver 2.1.32 [Flags: R/O MODULE].
[   15.123288] tun: Universal TUN/TAP device driver, 1.6
[   15.158003] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   15.205192] Netfilter messages via NETLINK v0.30.
[   15.233401] ip_set: protocol 6
[   15.343818] u32 classifier
[   15.346574]     input device check on
[   15.350358]     Actions configured
[   15.373285] Mirror/redirect action on
[   15.391495] nf_conntrack version 0.5.0 (2048 buckets, 8192 max)
[   15.487398] fuse init (API version 7.26)
[   16.706662]
[   16.706662]
[   16.706662] === pAd = c05fa000, size = 1175584 ===
[   16.706662]
[   16.716283] <-- RTMPAllocTxRxRingMemory, Status=0, ErrorValue=0x
[   16.724063] <-- RTMPAllocAdapterBlock, Status=0
[   16.728664] RtmpChipOpsHook(748): Not support for HIF_MT yet!
[   16.734512] mt7628_init()-->
[   16.737438] mt7628_init(FW(8a00), HW(8a01), CHIPID(7628))
[   16.742921] e2.bin mt7628_init(1142)::(2), pChipCap->fw_len(63536)
[   16.749185] mt_bcn_buf_init(289): Not support for HIF_MT yet!
[   16.755016] <--mt7628_init()
[   16.831764] usbcore: registered new interface driver cdc_acm
[   16.837514] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[   16.869311] usbcore: registered new interface driver cdc_wdm
[   16.882394] Loading modules backported from Linux version wt-2017-11-01-0-gfe248fc2c180
[   16.890586] Backport generated by backports.git v4.14-rc2-1-31-g86cf0e5d
[   16.925156] ip_tables: (C) 2000-2006 Netfilter Core Team
[   16.942466] usbcore: registered new interface driver ipheth
[   17.401371] usbcore: registered new interface driver usbserial
[   17.407389] usbcore: registered new interface driver usbserial_generic
[   17.414164] usbserial: USB Serial support registered for generic
[   17.456907] wireguard: WireGuard 0.0.20180718 loaded. See for information.
[   17.465542] wireguard: Copyright (C) 2015-2018 Jason A. Donenfeld <>. All Rights Reserved.
[   17.592626] xt_time: kernel timezone is -0000
[   17.614119] usbcore: registered new interface driver cdc_ether
[   17.632310] usbcore: registered new interface driver cdc_ncm
[   17.723555] usbcore: registered new interface driver cp210x
[   17.729303] usbserial: USB Serial support registered for cp210x
[   17.751971] usbcore: registered new interface driver huawei_cdc_ncm
[   17.885199] PPP generic driver version 2.4.2
[   17.902098] PPP MPPE Compression module registered
[   17.914247] NET: Registered protocol family 24
[   17.934102] usbcore: registered new interface driver qmi_wwan
[   17.949507] usbcore: registered new interface driver rndis_host
[   18.010215] usbcore: registered new interface driver sierra
[   18.016068] usbserial: USB Serial support registered for Sierra USB modem
[   18.043322] usbcore: registered new interface driver sierra_net
[   18.082712] usbcore: registered new interface driver option
[   18.088478] usbserial: USB Serial support registered for GSM modem (1-port)
[   18.147710] usbcore: registered new interface driver rt2800usb
[   18.234961] kmodloader: done loading kernel modules from /etc/modules.d/*
[   32.334313] TX_BCN DESC a6fd6000 size = 320
[   32.338627] RX[0] DESC a6fd8000 size = 2048
[   32.345840] RX[1] DESC a6fd9000 size = 1024
[   32.412513] prepare to get e2p access------------
[   32.417556] E2pAccessMode=2
[   32.421202] cfg_mode=9
[   32.423593] cfg_mode=9
[   32.425988] wmode_band_equal(): Band Equal!
[   32.434479] APSDCapable[0]=1
[   32.437400] APSDCapable[1]=1
[   32.440331] APSDCapable[2]=1
[   32.443248] APSDCapable[3]=1
[   32.446164] APSDCapable[4]=1
[   32.449081] APSDCapable[5]=1
[   32.452006] APSDCapable[6]=1
[   32.454923] APSDCapable[7]=1
[   32.457839] APSDCapable[8]=1
[   32.460772] APSDCapable[9]=1
[   32.463689] APSDCapable[10]=1
[   32.466694] APSDCapable[11]=1
[   32.469699] APSDCapable[12]=1
[   32.472711] APSDCapable[13]=1
[   32.475716] APSDCapable[14]=1
[   32.478720] APSDCapable[15]=1
[   32.481734] default ApCliAPSDCapable[0]=1
[   32.680781] Key1Str is Invalid key length(0) or Type(1)
[   32.686446] Key2Str is Invalid key length(0) or Type(1)
[   32.692135] Key3Str is Invalid key length(0) or Type(1)
[   32.697803] Key4Str is Invalid key length(0) or Type(1)
[   32.733389] load fw image from fw_header_image
[   32.737899] AndesMTLoadFwMethod1(2548)::pChipCap->fw_len(63536)
[   32.743910] FW Version:
[   32.743915] _
[   32.746387] e
[   32.747981] 2
[   32.749574] _
[   32.751178] m
[   32.752773] p
[   32.754366]
[   32.755959]
[   32.757552]
[   32.759147]
[   32.760753]
[   32.763850] FW Build Date:
[   32.763853] 2
[   32.766592] 0
[   32.768184] 1
[   32.769778] 5
[   32.771384] 0
[   32.772977] 6
[   32.774571] 2
[   32.776163] 5
[   32.777758] 2
[   32.779352] 1
[   32.780962] 1
[   32.782556] 4
[   32.784151] 2
[   32.785745] 2
[   32.787337]
[   32.788933]
[   33.680408] CmdAddressLenReq:(ret = 0)
[   33.684944] CmdFwStartReq: override = 1, address = 1048576
[   33.690604] CmdStartDLRsp: WiFI FW Download Success
[   33.710352] MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
[   33.716467] efuse_probe: efuse = 10000012
[   33.720590] RtmpChipOpsEepromHook::e2p_type=2, inf_Type=4
[   33.726063] RtmpEepromGetDefault::e2p_dafault=2
[   33.730669] RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
[   33.738339] NVM is FLASH mode
[   33.741409] 1. Phy Mode = 14
[   33.831446] CmdSlotTimeSet:(ret = 0)
[   33.934021] Country Region from e2p = ffff
[   33.940497] tssi_1_target_pwr_g_band = 33
[   33.944574] 2. Phy Mode = 14
[   33.948511] 3. Phy Mode = 14
[   33.951489] NICInitPwrPinCfg(11): Not support for HIF_MT yet!
[   33.957313] NICInitializeAsic(848): Not support rtmp_mac_sys_reset () for HIF_MT yet!
[   33.965263] mt_mac_init()-->
[   33.968181] MtAsicInitMac()-->
[   34.000454] mt7628_init_mac_cr()-->
[   34.004016] MtAsicSetMacMaxLen(1842): Set the Max RxPktLen=1024!
[   34.010101] <--mt_mac_init()
[   34.013204]     WTBL Segment 1 info:
[   34.016562]         MemBaseAddr/FID:0x28000/0
[   34.020477]         EntrySize/Cnt:32/128
[   34.023924]     WTBL Segment 2 info:
[   34.027280]         MemBaseAddr/FID:0x40000/0
[   34.031177]         EntrySize/Cnt:64/128
[   34.034620]     WTBL Segment 3 info:
[   34.037976]         MemBaseAddr/FID:0x42000/64
[   34.041966]         EntrySize/Cnt:64/128
[   34.045410]     WTBL Segment 4 info:
[   34.048766]         MemBaseAddr/FID:0x44000/128
[   34.052869]         EntrySize/Cnt:32/128
[   34.056395] AntCfgInit(3591): Not support for HIF_MT yet!
[   34.062015] MCS Set = ff ff 00 00 01
[   34.065642] MtAsicSetChBusyStat(1146): Not support for HIF_MT yet!
[   34.071958] [PMF]ap_pmf_init:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[   34.078058] [PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
[   34.084376] MtAsicSetRalinkBurstMode(4061): Not support for HIF_MT yet!
[   34.091094] MtAsicSetPiggyBack(1081): Not support for HIF_MT yet!
[   34.230347] MtAsicSetTxPreamble(4040): Not support for HIF_MT yet!
[   34.240441] MtAsicAddSharedKeyEntry(1909): Not support for HIF_MT yet!
[   34.247166] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
[   34.253386] Main bssid = e4:95:6e:40:d1:ea
[   34.257617] <==== rt28xx_init, Status=0
[   34.316015] mt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
[   34.324218] WiFi Startup Cost (ra0): 1.990s
[   34.405654] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0x0
[   34.411849] MtAsicSetPiggyBack(1081): Not support for HIF_MT yet!
[   35.835526] tx_kickout_fail_count = 0
[   35.839252] tx_timeout_fail_count = 0
[   35.843003] rx_receive_fail_count = 0
[   35.846714] alloc_cmd_msg = 35
[   35.849808] free_cmd_msg = 35
[   35.894412] TX_BCN DESC a6fd6000 size = 320
[   35.898726] RX[0] DESC a6fd8000 size = 2048
[   35.905930] RX[1] DESC a6fd9000 size = 1024
[   35.943271] prepare to get e2p access------------
[   35.948314] E2pAccessMode=2
[   35.951972] cfg_mode=9
[   35.954363] cfg_mode=9
[   35.956757] wmode_band_equal(): Band Equal!
[   35.965256] APSDCapable[0]=1
[   35.968178] APSDCapable[1]=1
[   35.971120] APSDCapable[2]=1
[   35.974039] APSDCapable[3]=1
[   35.976955] APSDCapable[4]=1
[   35.979872] APSDCapable[5]=1
[   35.982802] APSDCapable[6]=1
[   35.985719] APSDCapable[7]=1
[   35.988635] APSDCapable[8]=1
[   35.991562] APSDCapable[9]=1
[   35.994479] APSDCapable[10]=1
[   35.997482] APSDCapable[11]=1
[   36.000499] APSDCapable[12]=1
[   36.003505] APSDCapable[13]=1
[   36.006510] APSDCapable[14]=1
[   36.009514] APSDCapable[15]=1
[   36.012529] default ApCliAPSDCapable[0]=1
[   36.211507] Key1Str is Invalid key length(0) or Type(1)
[   36.217171] Key2Str is Invalid key length(0) or Type(1)
[   36.222850] Key3Str is Invalid key length(0) or Type(1)
[   36.228519] Key4Str is Invalid key length(0) or Type(1)
[   36.264102] load fw image from fw_header_image
[   36.268612] AndesMTLoadFwMethod1(2548)::pChipCap->fw_len(63536)
[   36.274653] FW Version:
[   36.274658] _
[   36.277134] e
[   36.278727] 2
[   36.280333] _
[   36.281925] m
[   36.283519] p
[   36.285114]
[   36.286707]
[   36.288300]
[   36.289895]
[   36.291498]
[   36.294595] FW Build Date:
[   36.294599] 2
[   36.297336] 0
[   36.298931] 1
[   36.300537] 5
[   36.302129] 0
[   36.303723] 6
[   36.305318] 2
[   36.306911] 5
[   36.308504] 2
[   36.310099] 1
[   36.311703] 1
[   36.313296] 4
[   36.314888] 2
[   36.316483] 2
[   36.318077]
[   36.319672]
[   36.322855] CmdReStartDLRsp: WiFI FW Download Success
[   36.720457] CmdAddressLenReq:(ret = 0)
[   36.724940] CmdFwStartReq: override = 1, address = 1048576
[   36.730580] CmdStartDLRsp: WiFI FW Download Success
[   36.740357] MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
[   36.746467] efuse_probe: efuse = 10000012
[   36.750542] RtmpChipOpsEepromHook::e2p_type=2, inf_Type=4
[   36.756014] RtmpEepromGetDefault::e2p_dafault=2
[   36.760620] RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
[   36.768288] NVM is FLASH mode
[   36.771362] 1. Phy Mode = 14
[   36.973642] Country Region from e2p = ffff
[   36.990364] tssi_1_target_pwr_g_band = 33
[   36.994446] 2. Phy Mode = 14
[   36.998369] 3. Phy Mode = 14
[   37.001319] NICInitPwrPinCfg(11): Not support for HIF_MT yet!
[   37.007143] NICInitializeAsic(848): Not support rtmp_mac_sys_reset () for HIF_MT yet!
[   37.015087] mt_mac_init()-->
[   37.018003] MtAsicInitMac()-->
[   37.051404] mt7628_init_mac_cr()-->
[   37.054963] MtAsicSetMacMaxLen(1842): Set the Max RxPktLen=1024!
[   37.061082] <--mt_mac_init()
[   37.064161]     WTBL Segment 1 info:
[   37.067520]         MemBaseAddr/FID:0x28000/0
[   37.071414]         EntrySize/Cnt:32/128
[   37.074857]     WTBL Segment 2 info:
[   37.078214]         MemBaseAddr/FID:0x40000/0
[   37.082111]         EntrySize/Cnt:64/128
[   37.085554]     WTBL Segment 3 info:
[   37.088911]         MemBaseAddr/FID:0x42000/64
[   37.092892]         EntrySize/Cnt:64/128
[   37.096334]     WTBL Segment 4 info:
[   37.099690]         MemBaseAddr/FID:0x44000/128
[   37.103781]         EntrySize/Cnt:32/128
[   37.107305] AntCfgInit(3591): Not support for HIF_MT yet!
[   37.112923] MCS Set = ff ff 00 00 01
[   37.116549] MtAsicSetChBusyStat(1146): Not support for HIF_MT yet!
[   37.122868] [PMF]ap_pmf_init:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[   37.128969] [PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
[   37.135280] MtAsicSetRalinkBurstMode(4061): Not support for HIF_MT yet!
[   37.141998] MtAsicSetPiggyBack(1081): Not support for HIF_MT yet!
[   37.237937] MtAsicSetTxPreamble(4040): Not support for HIF_MT yet!
[   37.248047] MtAsicAddSharedKeyEntry(1909): Not support for HIF_MT yet!
[   37.254780] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
[   37.260988] Main bssid = e4:95:6e:40:d1:ea
[   37.265217] <==== rt28xx_init, Status=0
[   37.269124] mt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
[   37.277268] WiFi Startup Cost (ra0): 1.380s
[   37.281723] IPv6: ADDRCONF(NETDEV_UP): ra0: link is not ready
[   37.287664] IPv6: ADDRCONF(NETDEV_CHANGE): ra0: link becomes ready
[   38.716386] br-lan: port 1(eth0.1) entered blocking state
[   38.722127] br-lan: port 1(eth0.1) entered disabled state
[   38.727978] device eth0.1 entered promiscuous mode
[   38.732979] device eth0 entered promiscuous mode
[   38.751830] br-lan: port 1(eth0.1) entered blocking state
[   38.757339] br-lan: port 1(eth0.1) entered forwarding state
[   38.763314] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   39.065459] br-lan: port 2(ra0) entered blocking state
[   39.070761] br-lan: port 2(ra0) entered disabled state
[   39.076448] device ra0 entered promiscuous mode
[   39.081173] br-lan: port 2(ra0) entered blocking state
[   39.086388] br-lan: port 2(ra0) entered forwarding state
[   39.272799] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0x0
[   39.278903] MtAsicSetPiggyBack(1081): Not support for HIF_MT yet!
[   41.792821] tx_kickout_fail_count = 0
[   41.796547] tx_timeout_fail_count = 0
[   41.800256] rx_receive_fail_count = 0
[   41.803988] alloc_cmd_msg = 36
[   41.807081] free_cmd_msg = 36
[   41.814203] br-lan: port 2(ra0) entered disabled state
[   41.921171] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   42.004589] TX_BCN DESC a6fd6000 size = 320
[   42.008900] RX[0] DESC a6fd8000 size = 2048
[   42.016079] RX[1] DESC a6fd9000 size = 1024
[   42.073326] prepare to get e2p access------------
[   42.078367] E2pAccessMode=2
[   42.082015] cfg_mode=9
[   42.084405] cfg_mode=9
[   42.086800] wmode_band_equal(): Band Equal!
[   42.095300] APSDCapable[0]=1
[   42.098221] APSDCapable[1]=1
[   42.101150] APSDCapable[2]=1
[   42.104065] APSDCapable[3]=1
[   42.106981] APSDCapable[4]=1
[   42.109896] APSDCapable[5]=1
[   42.112820] APSDCapable[6]=1
[   42.115736] APSDCapable[7]=1
[   42.118651] APSDCapable[8]=1
[   42.121574] APSDCapable[9]=1
[   42.124490] APSDCapable[10]=1
[   42.127495] APSDCapable[11]=1
[   42.130511] APSDCapable[12]=1
[   42.133515] APSDCapable[13]=1
[   42.136517] APSDCapable[14]=1
[   42.139522] APSDCapable[15]=1
[   42.142537] default ApCliAPSDCapable[0]=1
[   42.341547] Key1Str is Invalid key length(0) or Type(1)
[   42.347209] Key2Str is Invalid key length(0) or Type(1)
[   42.352888] Key3Str is Invalid key length(0) or Type(1)
[   42.358555] Key4Str is Invalid key length(0) or Type(1)
[   42.394138] load fw image from fw_header_image
[   42.398645] AndesMTLoadFwMethod1(2548)::pChipCap->fw_len(63536)
[   42.405667] FW Version:
[   42.405673] _
[   42.408153] e
[   42.409745] 2
[   42.411368] _
[   42.412962] m
[   42.414556] p
[   42.416151]
[   42.417744]
[   42.419338]
[   42.420940]
[   42.422536]
[   42.425633] FW Build Date:
[   42.425637] 2
[   42.428375] 0
[   42.429968] 1
[   42.431574] 5
[   42.433167] 0
[   42.434760] 6
[   42.436352] 2
[   42.437946] 5
[   42.439539] 2
[   42.441143] 1
[   42.442736] 1
[   42.444330] 4
[   42.445924] 2
[   42.447516] 2
[   42.449109]
[   42.450710]
[   42.453883] CmdReStartDLRsp: WiFI FW Download Success
[   43.702033] CmdAddressLenReq:(ret = 0)
[   43.706639] CmdFwStartReq: override = 1, address = 1048576
[   43.712288] CmdStartDLRsp: WiFI FW Download Success
[   43.804814] MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
[   43.810974] efuse_probe: efuse = 10000012
[   43.815039] RtmpChipOpsEepromHook::e2p_type=2, inf_Type=4
[   43.820518] RtmpEepromGetDefault::e2p_dafault=2
[   43.825111] RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
[   43.832822] NVM is FLASH mode
[   43.835885] 1. Phy Mode = 14
[   44.116361] Country Region from e2p = ffff
[   44.122100] tssi_1_target_pwr_g_band = 33
[   44.126176] 2. Phy Mode = 14
[   44.130108] 3. Phy Mode = 14
[   44.133078] NICInitPwrPinCfg(11): Not support for HIF_MT yet!
[   44.138902] NICInitializeAsic(848): Not support rtmp_mac_sys_reset () for HIF_MT yet!
[   44.146846] mt_mac_init()-->
[   44.149765] MtAsicInitMac()-->
[   44.224376] mt7628_init_mac_cr()-->
[   44.227935] MtAsicSetMacMaxLen(1842): Set the Max RxPktLen=1024!
[   44.234079] <--mt_mac_init()
[   44.237158]     WTBL Segment 1 info:
[   44.240528]         MemBaseAddr/FID:0x28000/0
[   44.244415]         EntrySize/Cnt:32/128
[   44.247858]     WTBL Segment 2 info:
[   44.251221]         MemBaseAddr/FID:0x40000/0
[   44.255106]         EntrySize/Cnt:64/128
[   44.258550]     WTBL Segment 3 info:
[   44.261913]         MemBaseAddr/FID:0x42000/64
[   44.265886]         EntrySize/Cnt:64/128
[   44.269329]     WTBL Segment 4 info:
[   44.272724]         MemBaseAddr/FID:0x44000/128
[   44.276787]         EntrySize/Cnt:32/128
[   44.280325] AntCfgInit(3591): Not support for HIF_MT yet!
[   44.285939] MCS Set = ff ff 00 00 01
[   44.289563] MtAsicSetChBusyStat(1146): Not support for HIF_MT yet!
[   44.295885] [PMF]ap_pmf_init:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[   44.301995] [PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
[   44.308300] MtAsicSetRalinkBurstMode(4061): Not support for HIF_MT yet!
[   44.315013] MtAsicSetPiggyBack(1081): Not support for HIF_MT yet!
[   44.730385] MtAsicSetTxPreamble(4040): Not support for HIF_MT yet!
[   44.740452] MtAsicAddSharedKeyEntry(1909): Not support for HIF_MT yet!
[   44.747173] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
[   44.753381] Main bssid = e4:95:6e:40:d1:ea
[   44.757613] <==== rt28xx_init, Status=0
[   44.761530] mt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
[   44.769645] WiFi Startup Cost (ra0): 2.760s
[   44.774078] IPv6: ADDRCONF(NETDEV_UP): ra0: link is not ready
[   44.780545] IPv6: ADDRCONF(NETDEV_CHANGE): ra0: link becomes ready
[   44.787037] br-lan: port 2(ra0) entered blocking state
[   44.792302] br-lan: port 2(ra0) entered forwarding state
[   89.000371] random: crng init done
[   89.003840] random: 6 urandom warning(s) missed due to ratelimiting

BusyBox v1.28.3 () built-in shell (ash)

  _______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
OpenWrt 18.06.1, r7258-5eb055306f

Cool right?

Touching the naughty bits

Now that we have connectivity and a readout, let’s break it down.

If we take a look at the log we can pull out some interesting tidbits, specifically:

Autobooting in: 2 s (type 'gl' to run U-Boot console)

Press the [f] key and hit [enter] to enter failsafe mode

Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level

Also significant


During the boot sequence we learn that the machine is running U-Boot. Not only can we enter the U-Boot console, but if we allow the machine to boot the kernel we are given two more options. We can enter failsafe mode, which in this case exposes a few more commands and mounts a few things as RW. Also, and super important if this were a black box, we can select a debug operation level.

Finally, assuming we ignore all attempts to seduce our fingers thus far, we are greeted with a root shell on the device.

From any of the 3 boot modes (U-Boot, failsafe and normal root) we can make persistent changes to the device, meaning that when the machine is rebooted the changes stay with it.
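To check a device you own or ship for the same exposure, the prompts called out above can be searched for in a saved serial capture. This is an added example, not part of the original write-up: the rule list, the function names and the "no login prompt before the shell banner" heuristic are assumptions, and the sample is constructed from lines quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines taken from the capture on this page, trimmed for brevity.
SAMPLE_CAPTURE = """\
Autobooting in: 2 s (type 'gl' to run U-Boot console)
[    0.300365] console [ttyS0] enabled
[    6.338257] init: - preinit -
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[   11.650642] mount_root: switching to jffs2 overlay
[   13.183609] procd: - init -
Please press Enter to activate this console.
[   89.000371] random: crng init done
BusyBox v1.28.3 () built-in shell (ash)
"""

KERNEL_TS = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")
LOGIN_PROMPT = re.compile(r"\blogin:\s*$", re.IGNORECASE)
SHELL_BANNER = re.compile(r"built-in shell \((?:ash|sh)\)")

# (boot stage, pattern, what the prompt offers to anyone on the serial port)
RULES = [
    ("bootloader", re.compile(r"type '[^']+' to run U-Boot console"),
     "keyword typed during autoboot opens the U-Boot console"),
    ("preinit", re.compile(r"to enter failsafe mode"),
     "failsafe mode can be selected from serial input"),
    ("preinit", re.compile(r"to select the debug level"),
     "debug level can be selected from serial input"),
    ("userspace", re.compile(r"press Enter to activate this console", re.IGNORECASE),
     "console activates on a keypress"),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    stage: str
    seconds_into_boot: Optional[float]  # last kernel timestamp seen; None before the kernel starts
    risk: str
    text: str


def audit_boot_capture(capture: str) -> List[Finding]:
    """Flag every point in a boot capture where the serial port accepts input."""
    findings = []
    last_ts = None
    saw_login = False
    for line_no, raw in enumerate(capture.splitlines(), start=1):
        line = raw.strip()
        m = KERNEL_TS.match(line)
        if m:  # kernel and console output are interleaved; keep the clock running
            last_ts = float(m.group(1))
            line = m.group(2).strip()
        if LOGIN_PROMPT.search(line):
            saw_login = True
        for stage, pattern, risk in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, stage, last_ts, risk, line))
        # Heuristic (assumption): a shell banner with no earlier login prompt
        # means the console handed out a shell without asking for credentials.
        if SHELL_BANNER.search(line) and not saw_login:
            findings.append(Finding(line_no, "userspace", last_ts,
                                    "shell banner reached with no login prompt in the capture",
                                    line))
    return findings


def exposed_stages(findings: List[Finding]) -> List[str]:
    """Boot stages with at least one finding, in first-seen order."""
    seen = []
    for f in findings:
        if f.stage not in seen:
            seen.append(f.stage)
    return seen


if __name__ == "__main__":
    for f in audit_boot_capture(SAMPLE_CAPTURE):
        when = "pre-kernel" if f.seconds_into_boot is None else f"{f.seconds_into_boot:.1f}s"
        print(f"line {f.line_no:>2} [{f.stage:<10}] {when:>10}  {f.risk}")
```

An empty result on a capture from production firmware is the goal; each finding names the boot stage where a safeguard is missing.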

On top of this the FW includes the ‘vi’ text editor. Why is this important? It allows us to view, modify and otherwise analyze the manufacturer’s scripts and configs. We can also modify the various HTML pages and the web server.


There are a few points I would like to make regarding hardware access via UART.

First, the ending was pretty anticlimactic. I did this on purpose. You have 3 different root shells to 3 different function modes in this specific device. If you have any inkling of what that means then it doesn’t warrant any further explanation.

Let’s be fair though. This device, unbeknownst to me, appears to have been designed with this intended. You should be proud of what you have accomplished and give yourself a pat on the back for doing something not a lot of people take time to venture into.

All things considered though we walk into our next problem.

Second, this is not uncommon. From IP cameras and baby monitors to other travel routers, a lot of these devices allow arbitrary root access. This can pose a security risk to you and others. Now, are people connecting microcontrollers with pre-loaded scripts to the UART port of your Samsung fridge (it has already been hacked; no guide by me, sorry, and they’re like 3 grand) and hacking you? Probably not, and even if they wanted to there are easier tools to use.


Third, these devices are not always updated quickly. More importantly, a lot of these configuration scripts, or even entire FW revisions with just a device ID change, are used across multiple models of similar devices, allowing the kernel to pick up the hardware changes.

So what does this mean for you?

Well, this method is a bit of a double-edged sword. You see, if you get a mystery device, like a game system, or you’re an IT manager and find some random device plugged into your network, having shell access provided by a serial bus is great for reversing. Instead of black boxing and throwing commands or probing for ages at a device that has no obvious purpose and an even less obvious function, serial gives us a looking glass into the workings of devices. Even if, as I mentioned previously, they do not allow input, seeing how a system reacts to a surprise reboot, or seeing a scan for a specific FW file when booted with a random USB drive plugged in, helps us understand the unknown.

When these things are found, however, and more so when write and root access are given, they allow us to gain intimate knowledge of a device’s functionality and in a lot of cases to find breaches, bugs or attack vectors that can be used on devices spanning models and years. Some without updates.

I think the regularity of this is enough to pose a risk. It might be a good idea for manufacturers to think about bus safeguards before releasing devices, at least maybe a proper password to remove some of the low-hanging fruit. In this case, setting a password or creating a user in the actual web interface of the device in no way prevented any kind of root access in any of the shells, and this is pretty common.

That’s it! I hope you learned something and had fun. The cost of preparing yourself to dive into the world of serial isn’t a lot, and who knows what you might find!



But not the way you think. I got bored this evening and, while it is nowhere close to completion, I decided to install Grafana on my Raspberry Pi B+.

To do this I first downloaded Ubuntu Server 19.04 from the Pi site.

From here, after the normal install and updates etc., it was time to stand it up so I can feel productive later. First and foremost I needed to make sure that I could poll network equipment and pretty much anything that supported SNMP. So let’s get that out of the way.

sudo apt install snmp

Now that we have snmp we can probe things, but we aren’t going to get anything we can read so we need the MIBs to translate the info from the various manufacturers.

sudo apt install snmp-mibs-downloader

Now that we have the downloader, let’s go get the actual MIBs

sudo download-mibs

Sweet, now we need to tell snmp to use them, so let’s edit the config.

sudo nano /etc/snmp/snmp.conf

and now let’s change the default value to

mibs +ALL

Save and exit, and cool beans.

Now we have the networking stuff installed, so we need to go grab Grafana. It’s a separate repo, so we will need to tell Ubuntu where to look for it. In this case I don’t want betas, so I’ll be using the stable repo.

Let’s make sure we have this

sudo apt-get install -y software-properties-common

Now we need to make sure we can do HTTPS transport just in case.

sudo apt-get install -y apt-transport-https

Let’s add the repo now so Ubuntu knows where to find Grafana

sudo add-apt-repository "deb stable main"

Ubuntu is going to get mad unless we make sure this repo is legit, so let’s add the key for it

wget -q -O - | sudo apt-key add -

wew. OK, now we need to do an update so that Ubuntu knows to check that repo when we ask it to install things.

sudo apt update

Now let’s install Grafana.

sudo apt install grafana

Cool, now we need to start it and set it to start at boot.

sudo service grafana-server start
sudo systemctl enable grafana-server.service

We will need InfluxDB, because it’s what I want to use anyway, so we can log stuff. So let’s install it.

sudo apt install influxdb

Now, you do need to continue and create a database in Influx with a username and password. I’m stopping here though, since I’m not sure what I want to do with it yet.

The Grafana default port is 3000 so you should get something like this if you nav to your IP and port 3000.

Now I just need to set it up more and play with it. Will be polling stuff for no reason in no time. Here is a peek at my home setup.

Excuse me sir, where are you headed?

Today I was adding a regex list to my Pi-hole. I have been running my Pi-hole as both my DHCP and DNS server in my UniFi stack for months. I wanted to try out some regex lists, and while I was making the edit I realized I never wrote about my DNS over HTTPS experience. It’s been a few weeks, so it’s the perfect time to comment on it.

So I have seen and heard about DNS over HTTPS for a while now and just never got around to doing it. For people who don’t know it but are kind of technically apt, Wikipedia’s first paragraph on the subject explains it well.

For those that don’t understand, maybe you have seen something like this while going to a site or searching.

This generally happens when you are using your ISP’s DNS servers to look up websites. For the most part this is a lot of the world, and a large percentage of everyday users, using their ISP’s default settings and equipment. Now we can see in the picture that WOW! in this case intercepted the lookup and redirected us to a different result instead of just showing us an error page.

This goes a bit deeper though. Other DNS providers, like Google’s, log and keep this data. Like many others, they sample some and save others. The usage rights generally state they strip some personal information and permanently store the rest for analysis.

However, this data, and other data from other providers including your ISP, is also often sold. This allows bigger marketing conglomerates to keep, analyse and use the data for targeted advertising. Now while it has happened via data breaches etc., I am not going to soapbox about cliche terms like “big data” and scare you about your personal data being stolen and used. It already is and you should already know that. You should also already know this all applies to hackers and malware authors, and that if a marketing dept can do it they can too.

Now, DNS over HTTPS to a reputable company, however, can help. It encrypts the request between your computer and the server that has to answer. Combined with a service that stands by your privacy rights you have a winning combo. Now while a policy focused on privacy is good, it can change; but it’s better to lean towards that as opposed to a company that doesn’t have one. Take it all with a grain of salt.

Anyway, with the Pi-hole I use cloudflared. I used this specific guide because I’m so smart I could do it myself. Now, it is true, like I hinted above, that someone needs to be able to see your DNS request for them to well….make it. Encrypting the connection and using a provider that is security conscious is just one more layer to the security onion.

I implemented cloudflared a few weeks ago, as I was saying. I also make sure to utilize DNSSEC, which is supported by Cloudflare’s name servers (the ones that handle the DNS requests). Now the wife and roommate can be demanding if Netflix or other random services don’t work.

However, I can say that thus far, with a modest blocklist, everything has been going great! DNS requests are quick, so things load quickly, and otherwise it’s been business as usual. Maybe a little less pomp and circumstance than I would have liked, but if nothing changed then it means it’s working correctly.

The cache, blocklists, and actual resolver are all doing their job. It’s a well-oiled machine.

At some point I encourage everyone to utilize DNS over HTTPS, be it cloudflared or not. It’s easy to implement, and if you choose Pi-hole as your host as well you now have easy DNS curation built in. I personally run mine on a virtual machine and it hums along nicely.

Go give security a chance. Change your passwords, use good rules, uninstall weird stuff. Tweak your AV. Curate your outlook rules.

Take care of yourself out there.

Permissions to the rescue

Last night I was changing my default tabs in Chrome and decided to add my site as one of them. I figured if I did this it would push me to write more.

Imagine my shock when I was greeted with a 502 proxy error by nginx. After a little digging I found some errors in the nginx error.log, specifically:

unix:/var/run/php/php7.2-fpm.sock failed (13: Permission denied) while connecting to upstream

After looking online I saw some old security patches for php5 regarding process ownership and some recommendations regarding www.conf. None of them applied of course and I was stuck again. However, after a little more digging it turns out that this may have been because of an update. As such permissions were modified. It also turns out on older OSs ‘nginx’ is not by default part of the www-data group.

Now, while the site was working at some point, I figured the problem was because of this broken group/user relationship, and that's when I found the command to re-add it to the group.

usermod -a -G www-data nginx

That worked great! Now the site was up! A new problem arose though. I needed to commit some updates to WordPress but some of the plugins would not take. Some were complaining about write permissions. The paths seemed to indicate issues with their respective home directories. A quick glance at permissions showed that, either because of initial problems during my install or otherwise, the ownership of the folder was set incorrectly.

A quick chown (sudo chown -R www-data:stuff) and we were back in business. Now my coffee was lukewarm and I have to get ready for work. At least I get to complain about things on the internet now though.
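
The "13: Permission denied" on the php-fpm socket comes down to two mode-bit checks: write permission on the socket and search permission on every directory above it. The following is an added example, not part of the original post, that runs those checks for a given user; the uid/gid numbers and the www-data:www-data 0660 socket ownership are assumptions, and the filesystem layout is constructed so it runs offline.

```python
import os
import stat
from types import SimpleNamespace

def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to the caller: owner class, else group, else other."""
    perms = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (perms >> 6) & 7
    if st.st_gid in gids:
        return (perms >> 3) & 7
    return perms & 7

def socket_access_problems(sock_path, uid, gids, stat_fn=os.stat):
    """Reasons connect() to sock_path fails with EACCES for uid/gids.

    Mode bits only: root, ACLs and AppArmor/SELinux are not modelled.
    """
    path = os.path.abspath(sock_path)
    parents, d = [], os.path.dirname(path)
    while d not in parents:          # dirname("/") == "/", so this stops at the root
        parents.append(d)
        d = os.path.dirname(d)
    problems = []
    for d in reversed(parents):      # every directory on the way needs search (x)
        if not class_bits(stat_fn(d), uid, gids) & 1:
            problems.append(f"no search (x) permission on {d}")
    st = stat_fn(path)               # connect() needs write (w) on the socket itself
    if not class_bits(st, uid, gids) & 2:
        problems.append(f"no write permission on {path} (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems

# Constructed layout, not read from a real host. The uid/gid numbers and the
# www-data:www-data 0660 socket are assumptions for illustration.
WWW_DATA, NGINX = 33, 101
SOCK = "/var/run/php/php7.2-fpm.sock"
def _ent(mode, uid, gid):
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)
FAKE_FS = {
    "/": _ent(0o40755, 0, 0),
    "/var": _ent(0o40755, 0, 0),
    "/var/run": _ent(0o40755, 0, 0),
    "/var/run/php": _ent(0o40755, WWW_DATA, WWW_DATA),
    SOCK: _ent(0o140660, WWW_DATA, WWW_DATA),
}

if __name__ == "__main__":
    # nginx before and after `usermod -a -G www-data nginx`
    for groups in ({NGINX}, {NGINX, WWW_DATA}):
        print(sorted(groups), socket_access_problems(SOCK, NGINX, groups, FAKE_FS.__getitem__))
```

On a real host, call `socket_access_problems` with the default `stat_fn` and the nginx user's actual uid and group ids. A group change made with usermod only applies to processes started afterwards, so nginx needs a restart before it picks it up.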

Hello world!


Well, that was hard. So it's been, I think, a year since I blogged about my random misadventures in IT. Specifically, since I had my misadventure into flash cache and SAN storage. I ended up losing everything in a freak HDD failure combined with an SSD cache drive failing.

So... last night I spent the time and actually stood up my WordPress install. I configured NGINX a few weeks ago and just never got around to actually doing anything with my domains as I rebuilt my internal services.

What a mess. I think for the most part I do things in a more complex manner than needed. In this case it took me a bit to figure out why my database server wasn't linking to my nginx server. It ended up being an interface bind issue, but it had been so long that I had to ask myself if it wouldn't just be easier to install MySQL on the web server.

I was adamant though, and continued on. Now I have some semblance of an active website maybe, if not.. well I have another project I guess.