Introduction

After exploiting the CVE-2018-19988 vulnerability on my D-Link DIR-868L and gaining root shell access via telnet, I wanted to gather detailed hardware information to prepare for OpenWrt installation. With root access, I could explore the entire system, read kernel logs, dump configuration, and map out the hardware.

This reconnaissance phase is critical before attempting any firmware modifications - you need to know exactly what hardware you’re dealing with.

Access Method

Using the telnet backdoor from the exploit:

$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

# id
uid=0(root) gid=0(root)

# pwd
/htdocs/HNAP1

Perfect - we have root shell access and can explore the system.

System Information Gathering

1. Kernel and System Info

First, let’s check what we’re running:

# uname -a
Linux DIR-868L 2.6.36.4brcmarm+ #1 SMP PREEMPT Sun Apr 19 15:24:40 CST 2015 armv7l GNU/Linux

# cat /proc/version
Linux version 2.6.36.4brcmarm+ (root@ubuntu) (gcc version 4.5.3 (Buildroot 2012.02) ) #1 SMP PREEMPT Sun Apr 19 15:24:40 CST 2015

Key Findings:

  • Kernel: 2.6.36.4 (very old, from 2011)
  • Build Date: April 19, 2015
  • Architecture: ARMv7l (ARM Cortex-A9)
  • Compiler: GCC 4.5.3 (Buildroot 2012.02)
  • SMP: Symmetric multiprocessing enabled

The kernel is ancient and hasn’t been updated in 9+ years.

2. CPU Information

# cat /proc/cpuinfo
Processor       : ARMv7 Processor rev 0 (v7l)
processor       : 0
BogoMIPS        : 1594.16

Features        : swp half thumb fastmult edsp
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x3
CPU part        : 0xc09
CPU revision    : 0

Hardware        : Northstar Prototype
Revision        : 0000
Serial          : 0000000000000000

CPU Details:

  • Type: ARMv7 Cortex-A9 (0xc09)
  • Speed: ~800MHz (inferred from BogoMIPS: on a Cortex-A9 the BogoMIPS figure is roughly twice the core clock, so 1594 points to ~800MHz)
  • Architecture: ARMv7l
  • Hardware Platform: Broadcom Northstar

3. Memory Information

# cat /proc/meminfo
MemTotal:         254564 kB
MemFree:          164232 kB
Buffers:            4936 kB
Cached:            34316 kB
SwapCached:            0 kB
Active:            29124 kB
Inactive:          24352 kB

# free
             total       used       free     shared    buffers     cached
Mem:        254564      90332     164232          0       4936      34316
-/+ buffers/cache:      51080     203484
Swap:            0          0          0

Memory Summary:

  • Total RAM: 254 MB (256 MB with some reserved)
  • Free: ~164 MB available
  • No Swap: Device has no swap space

4. Flash Storage Layout

Let’s examine the MTD (Memory Technology Device) partitions:

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "devconf"
mtd2: 00010000 00010000 "devdata"
mtd3: 00170000 00010000 "mydlink"
mtd4: 00020000 00010000 "langpack"
mtd5: 00010000 00010000 "nvram"
mtd6: 00200000 00010000 "flash"
mtd7: 02000000 00020000 "upgrade"
mtd8: 01e3ffa0 00020000 "rootfs"
mtd9: 08000000 00020000 "nflash"
mtd10: 06000000 00020000 "storage"

The device has two types of flash:

NOR Flash (2MB) - mtd0-mtd6

mtd0: u-boot    - 256 KB  (bootloader)
mtd1: devconf   - 64 KB   (device configuration)
mtd2: devdata   - 64 KB   (device data)
mtd3: mydlink   - 1.4 MB  (D-Link cloud service)
mtd4: langpack  - 128 KB  (language files)
mtd5: nvram     - 64 KB   (NVRAM configuration)
mtd6: flash     - 2 MB    (entire NOR flash)

NAND Flash (128MB) - mtd7-mtd10

mtd7: upgrade   - 32 MB   (firmware upgrade partition)
mtd8: rootfs    - ~30 MB  (root filesystem - SquashFS)
mtd9: nflash    - 128 MB  (entire NAND flash)
mtd10: storage  - 96 MB   (user data storage)

We can also check partition details:

# cat /proc/partitions
major minor  #blocks  name

  31        0        256 mtdblock0
  31        1         64 mtdblock1
  31        2         64 mtdblock2
  31        3       1472 mtdblock3
  31        4        128 mtdblock4
  31        5         64 mtdblock5
  31        6       2048 mtdblock6
  31        7      32768 mtdblock7
  31        8      31487 mtdblock8
  31        9     131072 mtdblock9
  31       10      98304 mtdblock10
 179        0    7761920 mmcblk0

Important: The rootfs (mtd8) uses SquashFS with LZMA compression mounted read-only.
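The NOR/NAND split and the size column above were worked out by hand from the hex sizes. The script below is an added example (not code from the post) that does the same conversion automatically: it parses the /proc/mtd output copied from the session above, converts the hex sizes to KB, and guesses the flash type from the erase block size. That guess is an assumption stated in the code (64 KB erase blocks for the NOR partitions, 128 KB for NAND, which matches this board); on another device the erase sizes may differ, so the result must be checked against /proc/partitions and the bootloader's own partition table before anything is flashed.

```shell
#!/bin/sh
# Added example, not from the original post: parse /proc/mtd the way the post
# does by hand -- hex sizes to KB plus a NOR/NAND guess from the erase size.
# PROC_MTD is the /proc/mtd output copied from the post's telnet session,
# embedded so the script runs offline; on the router you would read /proc/mtd.
PROC_MTD='dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "devconf"
mtd2: 00010000 00010000 "devdata"
mtd3: 00170000 00010000 "mydlink"
mtd4: 00020000 00010000 "langpack"
mtd5: 00010000 00010000 "nvram"
mtd6: 00200000 00010000 "flash"
mtd7: 02000000 00020000 "upgrade"
mtd8: 01e3ffa0 00020000 "rootfs"
mtd9: 08000000 00020000 "nflash"
mtd10: 06000000 00020000 "storage"'

# mtd_field NAME COLUMN -> the hex value in that column for the named partition
# (column 2 = size, column 3 = erasesize); awk strips the quotes around the name.
mtd_field() {
    printf '%s\n' "$PROC_MTD" |
        awk -v n="$1" -v c="$2" '{ q = $4; gsub(/"/, "", q); if (q == n) print $c }'
}

# mtd_size_kb NAME -> partition size in KB (hex bytes / 1024, truncated)
mtd_size_kb() {
    _hex=$(mtd_field "$1" 2)
    [ -n "$_hex" ] || return 1
    printf '%s\n' $(( 0x$_hex / 1024 ))
}

# mtd_erase_kb NAME -> erase block size in KB
mtd_erase_kb() {
    _hex=$(mtd_field "$1" 3)
    [ -n "$_hex" ] || return 1
    printf '%s\n' $(( 0x$_hex / 1024 ))
}

# mtd_flash_type NAME -> NOR or NAND.
# Assumption (heuristic for this board only): NOR partitions report 64 KB erase
# blocks and NAND partitions 128 KB, which reproduces the post's mtd0-mtd6 /
# mtd7-mtd10 split. Other devices may differ, so treat UNKNOWN as "go and check".
mtd_flash_type() {
    case "$(mtd_erase_kb "$1")" in
        64)  echo NOR ;;
        128) echo NAND ;;
        *)   echo UNKNOWN ;;
    esac
}

# mtd_layout -> one line per partition: name, size in KB, erase size, type guess
mtd_layout() {
    printf '%s\n' "$PROC_MTD" | awk 'NR > 1 { gsub(/"/, "", $4); print $4 }' |
    while read -r name; do
        printf '%-10s %8s KB  erase %4s KB  %s\n' "$name" \
            "$(mtd_size_kb "$name")" "$(mtd_erase_kb "$name")" "$(mtd_flash_type "$name")"
    done
}

mtd_layout
```

Run against the post's own /proc/mtd output, mtd_layout reproduces the hand-made table (u-boot 256 KB, flash 2048 KB, nflash 131072 KB). One thing it makes visible: the rootfs entry works out to 30975 KB, while the /proc/partitions listing above reports 31487 blocks for mtdblock8. A disagreement like that between two views of the same partition is exactly what should be resolved against the bootloader's partition table before anything is written to flash.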

5. Network Interfaces

# ifconfig
br0       Link encap:Ethernet  HWaddr 54:B8:0A:1E:99:F8
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12345 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8910 errors:0 dropped:0 overruns:0 carrier:0

eth0      Link encap:Ethernet  HWaddr 54:B8:0A:1E:99:F8
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15234 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11456 errors:0 dropped:0 overruns:0 carrier:0

eth0.1    Link encap:Ethernet  HWaddr 54:B8:0A:1E:99:F8
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 54:B8:0A:1E:99:F9
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

eth2      Link encap:Ethernet  HWaddr 54:B8:0A:1E:99:FA
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

Interface Summary:

  • br0: Bridge interface (192.168.0.1) - LAN side
  • eth0: Physical Ethernet (WAN + switch for LAN ports)
  • eth0.1: VLAN1 - LAN ports (bridged to br0)
  • eth1: WiFi 2.4GHz radio (Broadcom BCM4331)
  • eth2: WiFi 5GHz radio (Broadcom BCM4360)

Both WiFi radios use Broadcom’s proprietary wl driver (visible in the lsmod output below).

6. USB and Mounted Filesystems

# mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
ramfs on /var type ramfs (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /dev type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
tmpfs on /tmp type tmpfs (rw,relatime)

# lsmod
Module                  Size  Used by
ufsd                  589483  0
wl                   2693432  0
usb_storage            39424  0

Key Findings:

  • Root filesystem: SquashFS mounted read-only
  • Volatile storage: tmpfs/ramfs for /tmp and /var
  • WiFi driver: wl (Broadcom proprietary, 2.6MB!)
  • USB filesystem: UFSD (Paragon NTFS driver)

The loaded modules show USB storage support is active, indicating the device has functional USB ports for external storage.

7. Running Processes and Services

# ps aux
PID   USER     COMMAND
    1 root     init
    2 root     [kthreadd]
  900 root     /bin/sh /etc/init.d/rcS
 1234 root     servd
 1245 root     logd
 1256 root     gpiod
 1267 root     hnap
 1278 root     httpd
 1289 root     dnsmasq
 1301 root     upnpd
 2345 root     telnetd -l /bin/sh
 2346 root     /bin/sh

Key Services:

  • servd: Service manager daemon
  • hnap: Home Network Administration Protocol (the vulnerable service!)
  • httpd: Web server
  • dnsmasq: DHCP and DNS server
  • upnpd: UPnP daemon
  • telnetd: Our backdoor from the exploit

Check listening ports:

# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1278/httpd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      2345/telnetd
tcp        0      0 192.168.0.1:53          0.0.0.0:*               LISTEN      1289/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1289/dnsmasq
udp        0      0 192.168.0.1:53          0.0.0.0:*                           1289/dnsmasq
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1301/upnpd

Open Ports:

  • 80/tcp: HTTP (web interface)
  • 23/tcp: Telnet (our backdoor)
  • 53/udp: DNS
  • 67/udp: DHCP
  • 1900/udp: UPnP/SSDP
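The port list above is the raw material for an exposure check. The script below is an added example (not from the post): it parses the netstat -tunlp output copied from the session above and separates sockets bound to 0.0.0.0, which accept traffic on every interface including the WAN side unless a firewall rule intervenes, from those bound only to the LAN address (192.168.0.1 here). The classification is purely by bind address; whether the WAN side is actually filtered depends on the router's iptables rules, which the post does not show, so treat the wildcard list as "needs an explicit rule", not as "reachable from the Internet".

```shell
#!/bin/sh
# Added example, not from the original post: classify listening sockets from
# netstat -tunlp by bind address. NETSTAT is the output copied from the post's
# session, embedded so this runs offline; on the router you would run netstat.
NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1278/httpd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      2345/telnetd
tcp        0      0 192.168.0.1:53          0.0.0.0:*               LISTEN      1289/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1289/dnsmasq
udp        0      0 192.168.0.1:53          0.0.0.0:*                           1289/dnsmasq
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1301/upnpd'

# listeners -> "proto port bind-address program", one line per listening socket.
# The State column is empty for udp rows, so the program name is taken from the
# last field instead of a fixed column number.
listeners() {
    printf '%s\n' "$NETSTAT" | awk '
        $1 == "tcp" || $1 == "udp" {
            split($4, a, ":")                        # a[1] = bind address, a[2] = port
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip the "PID/" prefix
            print $1, a[2], a[1], prog
        }'
}

# wildcard_listeners -> "proto/port program" for sockets bound to 0.0.0.0,
# i.e. reachable on every interface unless a firewall rule says otherwise.
wildcard_listeners() {
    listeners | awk '$3 == "0.0.0.0" { print $1 "/" $2, $4 }'
}

# lan_only_listeners -> the same for sockets bound to a specific address.
lan_only_listeners() {
    listeners | awk '$3 != "0.0.0.0" { print $1 "/" $2, $3, $4 }'
}

# exposed_port PROTO PORT -> exit status 0 if that port is bound to 0.0.0.0.
exposed_port() {
    wildcard_listeners | grep -q "^$1/$2 "
}

# Defender's view: every entry in the first list should either be covered by an
# explicit firewall rule or not be listening at all. The telnetd on tcp/23 is the
# post's own backdoor, and a comparison against a known-good baseline of this
# output is the simplest way to notice such an addition.
echo "Bound to all interfaces (0.0.0.0):"
wildcard_listeners
echo "Bound to the LAN address only:"
lan_only_listeners
```

Running it on the post's data lists httpd (tcp/80), telnetd (tcp/23), dnsmasq DHCP (udp/67) and upnpd (udp/1900) as wildcard-bound, and only the two DNS sockets as LAN-only. Taking this snapshot before and after a change (or before and after an incident) and diffing the two is a cheap, effective control on small devices that have no host-based monitoring.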

Hardware Summary from Reconnaissance

Based on this telnet-based reconnaissance, here’s what we gathered:

Device: D-Link DIR-868L Rev B
SoC: Broadcom BCM47081 @ 800MHz (ARMv7 Cortex-A9)
RAM: 256 MB
Flash:
  - 2 MB NOR (bootloader, config, mydlink)
  - 128 MB NAND (firmware, storage)
WiFi 2.4GHz: Broadcom BCM4331 (802.11n)
WiFi 5GHz: Broadcom BCM4360 (802.11ac)
Ethernet: Broadcom integrated switch (1x WAN, 4x LAN, gigabit)
USB: USB 3.0, USB 2.0, USB 1.1 support
Kernel: Linux 2.6.36.4 (April 19, 2015)
Filesystem: SquashFS (read-only) + tmpfs (volatile)
Services: httpd, hnap, dnsmasq, upnpd, mydlink

OpenWrt Preparation Insights

From this reconnaissance, here’s what I learned for OpenWrt porting:

Critical Information Gathered

  1. Flash Layout: Firmware lives in NAND mtd8 (~30MB SquashFS)
  2. RAM: 256MB - plenty for OpenWrt
  3. WiFi Chips: BCM4331 (2.4GHz) + BCM4360 (5GHz) - will need driver solution
  4. SoC: BCM47081 ARMv7 Cortex-A9
  5. Bootloader: CFE (Common Firmware Environment)

Challenges Ahead

  1. Proprietary WiFi: Broadcom wl driver is 2.6MB blob - need open alternative
  2. Old Stock Kernel: 2.6.36 vs OpenWrt’s modern 6.x kernels
  3. NAND Flash: More complex than NOR, needs proper MTD support
  4. Firmware Format: D-Link uses custom SEAMA format

Opportunities

  1. Good Hardware: ARM Cortex-A9 @ 800MHz, 256MB RAM
  2. USB 3.0: Can be used for extroot (expanding storage)
  3. Existing OpenWrt Support: BCM47xx platform has OpenWrt ports
  4. CFE Bootloader: Well-documented and supported by OpenWrt

Data Collection for Future Reference

I saved the complete reconnaissance output:

# On the router, collect everything to /tmp
# The nvram dump typically holds WiFi passphrases and admin credentials - treat the file as sensitive
nvram show > /tmp/nvram_dump.txt
cat /proc/cpuinfo > /tmp/cpuinfo.txt
cat /proc/meminfo > /tmp/meminfo.txt
cat /proc/mtd > /tmp/mtd.txt
cat /proc/partitions > /tmp/partitions.txt
ifconfig -a > /tmp/network.txt
ps aux > /tmp/processes.txt
mount > /tmp/mounts.txt
lsmod > /tmp/modules.txt
netstat -tunlp > /tmp/listeners.txt

# Copy-paste from telnet session or use USB storage if available
# These files persist until reboot (tmpfs)

This data is invaluable when building OpenWrt device trees and troubleshooting later.

Conclusion

Root shell access via the CVE-2018-19988 exploit provided comprehensive hardware reconnaissance capabilities. Key takeaways:

  1. /proc filesystem is invaluable: Contains CPU, memory, MTD partitions, and module info
  2. NVRAM access: Complete device configuration via nvram command
  3. lsmod/mount output: Reveals loaded drivers and filesystem structure
  4. Process visibility: Understanding running services identifies attack surface
  5. Network topology: Interface and routing information critical for OpenWrt planning

This reconnaissance gave me everything needed to plan an OpenWrt port - SoC type, RAM size, flash layout, WiFi chips, and bootloader details. All from a compromised telnet shell, no hardware modifications or UART access required.

Next steps: With this hardware profile complete, I can now build a custom OpenWrt image targeting the BCM47081 platform and plan the installation strategy.

Hardware reconnaissance conducted via root shell access on personally owned device after authorized security testing.