What's new

Static Analysis of ASUS stock firmware for RT-AC66U

rickyzhang

Occasional Visitor
I knew this device is old. I bought it 4+ years ago. But recent EULA change made me concerned on my privacy. So today I finally took a look at the stock version firmware source code.

1. Version
The preliminary analysis is 3.0.0.4.382.51640 version from ASUS stock.

2. Binary Blobs
The source code is not complete open source. There are 43 binary blob in application level (excluding wireless drivers).

find . | grep prebuild/
./release/src-rt-6.x/ctools/prebuild/trx_asus
./release/src/router/sambaclient/prebuild/sambaclient
./release/src/router/dropbox_client/prebuild/dropbox_client
./release/src/router/httpd/prebuild/pwenc.o
./release/src/router/httpd/prebuild/web_hook.o
./release/src/router/lighttpd-1.4.39/prebuild/mod_query_field_json.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_captive_portal_uam.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_smbdav.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_aicloud_sharelink.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_create_captcha_image.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_aicloud_invite.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_aidisk_access.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_aicloud_auth.so
./release/src/router/rc/prebuild/tcode_brcm.o
./release/src/router/rc/prebuild/conn_diag.o
./release/src/router/rc/prebuild/ate-broadcom.o
./release/src/router/rc/prebuild/tcode_rc.o
./release/src/router/rc/prebuild/psta_monitor.o
./release/src/router/rc/prebuild/broadcom.o
./release/src/router/rc/prebuild/private.o
./release/src/router/u2ec/prebuild/u2ec
./release/src/router/aaews/prebuild/mastiff
./release/src/router/aaews/prebuild/aaews
./release/src/router/asuswebstorage/prebuild/asuswebstorage
./release/src/router/asusnatnl/natnl/prebuild/libasusnatnl.so
./release/src/router/inotify/prebuild/inotify
./release/src/router/webdav_client/prebuild/webdav_client
./release/src/router/sysstate/commands/prebuild/asuslog
./release/src/router/sysstate/log_daemon/prebuild/sysstate
./release/src/router/libvpn/prebuild/libvpn.so
./release/src/router/usbclient/prebuild/usbclient
./release/src/router/wb/prebuild/libws.so
./release/src/router/ftpclient/prebuild/ftpclient
./release/src/router/networkmap/prebuild/asusdiscovery
./release/src/router/networkmap/prebuild/networkmap
./release/src/router/protect_srv/prebuild/Send_Event2ptcsrv
./release/src/router/protect_srv/prebuild/protect_srv
./release/src/router/protect_srv/lib/prebuild/libptcsrv.so
./release/src/router/shared/prebuild/tcode.o
./release/src/router/shared/prebuild/shutils_private.o
./release/src/router/shared/prebuild/spwenc.o
./release/src/router/shared/prebuild/notify_rc.o
./release/src/router/shared/prebuild/private.o
The binary blob is in ELF format for MIPS. Since I'm not familiar with MIPS architecture, I only skimmed through some of them by IDA. Those binary files under ./release/src/router/rc/prebuild, ./release/src/router/shared/prebuild/ and ./release/src/router/aaews/prebuild worth some time in future to revisit. TBH, I don't understand why ASUS makes it closed source. There is no trade secret. It makes no sense to me. My only concern if any of them sending my private information to some unknown servers.

3. First Deep Dive -- Dynamic DNS service

My first deep dive is to see how dynamic DNS works. Because that's one of the features that I may want to trade for accepting their god-dammed EULA.

The firmware boots each application service in release/src/router/rc/services.c. Depending on DDNS vendor, there are several ways to bring up DDNS. See source code here.

If you use WWW.ORAY.COM (an unknown Chinese sites to me) or Google Domain, you won't use ez-ipupdate. If you use ASUS DDNS or any other DDNS vendor, it brings up ASUS customized version ez-ipupdate. At the same time, the /src/router/rc/watchdog.c will run periodically to check if WAN IP change. If it did change, it restarts DDNS service.

Using ASUS DDNS will force to send your router MAC to ASUS. See source code here. If you don't like it, use Google domain. That's what I'm going to do next.

4. Conclusion

I know my static analysis is too trivial. But it is better than nothing if someone wonder what is going on. What makes me feel concern is those binary blob at application level. A few bytes of shell code written there can pawn your whole network.

Do I trust ASUS now? No.

The next question is how to safe guard my privacy. I'm thinking of setting up a pfsense router between cable modem and the ASUS router. Change ASUS router to work as access point. Put a close watch on ASUS router.
 
Last edited:

dosborne

Very Senior Member
If you distrust ASUS to this level, why on earth are you running their product.
 

rickyzhang

Occasional Visitor
It is their recent EULA prompt me to think what the heck they are doing behind my back.

Do I trust a Taiwan brand router that manufacture in mainland China? No.
 

dosborne

Very Senior Member
Then, again, why are you running their product? If I don't trust a vendor to the extent that you don't, then I don't buy their products (or I replace them if I already bought them)

If you don't like the new EULA, then run the old software.
 

rickyzhang

Occasional Visitor
I paid them 4+ years ago. I didn't expect that 4 years later I have to trade my privacy for additional software features.

I can't find any American brand wireless home router.

So that's why.
 

Grisu

Part of the Furniture
You bought a router with some functions and features 4 years ago. There has been no EULA and you have been happy.
Now they gave you some more features and if you want to use them you have to accept their EULA.
Dont use those new features and nothing changed for you!!!

Others like those new features and trust them, why would you like them to miss those only because you dont want that EULA???
Just dont accept the EULA and dont use those new features you never payed for!

In reality nothing changed, with and without EULA, they only introduced the EULA because of GPRD to be complient, in background the software has been the same as 4 years ago ;)
 

rickyzhang

Occasional Visitor
No, they are not new features. DDNS has been provided since day one. I have been using it for 4+ years. But now you have to accept ASUS EULA in order to use DDNS.

I have never known that ASUS has been collecting and sending my private information in background. I thought they "open source" their software. Thus, I put a blind trust to them.

Now I took back my trust based on my analysis.
 

L&LD

Part of the Furniture
No, they are not new features. DDNS has been provided since day one. I have been using it for 4+ years. But now you have to accept ASUS EULA in order to use DDNS.

I have never known that ASUS has been collecting and sending my private information in background. I thought they "open source" their software. Thus, I put a blind trust to them.

Now I took back my trust based on my analysis.
Your blind trust is your issue alone. Now that you're aware of your mistake, make a decision and move on.

Most of the users on this forum know the issues you're bringing up. We act accordingly (already).
 

rickyzhang

Occasional Visitor
How often do consumers poke around the "open source" stuffs?

I bet even the one with knowledge knows how will put their blind trust from time to time.

We always trade our privacy for convenience. But what I don't like is that you can not claim yourself is open source if keep some are in closed source. That's misleading. Also don't violate GPL.

I withdrew my ASUS EULA now and paid for Google Domain. The next move is to get a pfsense router.
 

L&LD

Part of the Furniture
Google domain?

Nothing that I would even consider.

Good luck with pfSense too. Many hurdles to overcome there from my experience.
 

RMerlin

Asuswrt-Merlin dev
Using ASUS DDNS will force to send your router MAC to ASUS.
...And? How is that different from sending a unique username?

In fact, sending a generic router MAC instead of having you create a user account provides MORE privacy. Asus doesn't know the first thing about you, while creating an account at a DDNS service will require you to provide various personal information such as your real name.
 

AndreiV

Very Senior Member
Your internet connection is never really private.

Stealthing router ports is a pointless exercise. Anyone sniffing around IP addresses will know you are there behind stealthed ports because they don't receive an empty response to their query, they can also see your router MAC address .......
Big question is , just exactly what have you got to hide?
 

dosborne

Very Senior Member
Big question is , just exactly what have you got to hide?
The bigger question is does he realize how much is exposed regardless of the EULA and DDNS issue. I suspect not. The only way to hide from the internet is to become a troll in a cave LOL.

@rickyzhang Put another router between your ASUS and the internet and block / limit / monitor access to any non-approved sites if you are so concerned.
 
Last edited:

rickyzhang

Occasional Visitor
Comrade @AndreiV

It is my privacy. I don't want big brothers watching me. Is that not OK with you? The rhetorical question you asked make me feel that you and I have cultural differences.

@dosborne

A troll is abusive term by liberals here. I don't want to start a political fight with you. You have a good sense of humor like a Chinese regrading to 'a troll in a cave'. (in case you don't get my sarcasm behind the computer screen, I have to fake a cough a little bit...)

That's what I'm going to do next: place a pFsense between cable modem and ASUS router. The ASUS router will turn into AP.

@RMerlin

It is about trust that subjective to individual. ASUS is a Taiwanese company which is doing major operation business in mainland China. I have no faith in anything related to that.

So I place my (blind) trust in Google Domain. Should Google sell me out, I could find them accountable in US jurisdiction. The same philosophy I never use VPN from VPN vendors which are mostly owned by mainland China. Neither will I plug my gadgets to hotel network.

It all subject o individual's trust setting.
 

AndreiV

Very Senior Member
Comrade @AndreiV

It is my privacy. I don't want big brothers watching me.
Lol, then you had better remove yourself from the USA as a matter of urgency.

Cultural differences , yes some, but I don't live in a state of constant fear and extreme paranoia , as you so obviously do,always suspicious of anything or anyone from outside your not so very free country.

Honestly, if you are so terrified of what people just might possibly see about you then you should not be using a computer or the internet , ever.

I can imagine the heart attack you are going to have when you realise exactly what a website owner can see when they run CPanel/Awstats/Webalizer and Google Analytics ......... :rolleyes::rolleyes::D:D
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top