

Static Analysis of ASUS stock firmware for RT-AC66U

Discussion in 'ASUSWRT - Official' started by rickyzhang, Jul 28, 2019.

  1. rickyzhang

    rickyzhang Occasional Visitor

    Joined:
    Jul 28, 2019
    Messages:
    25
    Location:
    Planet Earth
    I know this device is old. I bought it 4+ years ago. But the recent EULA change made me concerned about my privacy. So today I finally took a look at the stock firmware source code.

    1. Version
    The preliminary analysis is of version 3.0.0.4.382.51640 of the ASUS stock firmware.

    2. Binary Blobs
    The source code is not completely open source. There are 43 binary blobs at the application level (excluding wireless drivers).

    find . | grep prebuild/
    ./release/src-rt-6.x/ctools/prebuild/trx_asus
    ./release/src/router/sambaclient/prebuild/sambaclient
    ./release/src/router/dropbox_client/prebuild/dropbox_client
    ./release/src/router/httpd/prebuild/pwenc.o
    ./release/src/router/httpd/prebuild/web_hook.o
    ./release/src/router/lighttpd-1.4.39/prebuild/mod_query_field_json.so
    ./release/src/router/lighttpd-1.4.39/prebuild/mod_captive_portal_uam.so
    ./release/src/router/lighttpd-1.4.39/prebuild/mod_smbdav.so
    ./release/src/router/lighttpd-1.4.39/prebuild/mod_aicloud_sharelink.so
    ./release/src/router/lighttpd-1.4.39/prebuild/mod_create_captcha_image.so
    ./release/src/router/lighttpd-1.4.39/prebuild/mod_aicloud_invite.so
    ./release/src/router/lighttpd-1.4.39/prebuild/mod_aidisk_access.so
    ./release/src/router/lighttpd-1.4.39/prebuild/mod_aicloud_auth.so
    ./release/src/router/rc/prebuild/tcode_brcm.o
    ./release/src/router/rc/prebuild/conn_diag.o
    ./release/src/router/rc/prebuild/ate-broadcom.o
    ./release/src/router/rc/prebuild/tcode_rc.o
    ./release/src/router/rc/prebuild/psta_monitor.o
    ./release/src/router/rc/prebuild/broadcom.o
    ./release/src/router/rc/prebuild/private.o
    ./release/src/router/u2ec/prebuild/u2ec
    ./release/src/router/aaews/prebuild/mastiff
    ./release/src/router/aaews/prebuild/aaews
    ./release/src/router/asuswebstorage/prebuild/asuswebstorage
    ./release/src/router/asusnatnl/natnl/prebuild/libasusnatnl.so
    ./release/src/router/inotify/prebuild/inotify
    ./release/src/router/webdav_client/prebuild/webdav_client
    ./release/src/router/sysstate/commands/prebuild/asuslog
    ./release/src/router/sysstate/log_daemon/prebuild/sysstate
    ./release/src/router/libvpn/prebuild/libvpn.so
    ./release/src/router/usbclient/prebuild/usbclient
    ./release/src/router/wb/prebuild/libws.so
    ./release/src/router/ftpclient/prebuild/ftpclient
    ./release/src/router/networkmap/prebuild/asusdiscovery
    ./release/src/router/networkmap/prebuild/networkmap
    ./release/src/router/protect_srv/prebuild/Send_Event2ptcsrv
    ./release/src/router/protect_srv/prebuild/protect_srv
    ./release/src/router/protect_srv/lib/prebuild/libptcsrv.so
    ./release/src/router/shared/prebuild/tcode.o
    ./release/src/router/shared/prebuild/shutils_private.o
    ./release/src/router/shared/prebuild/spwenc.o
    ./release/src/router/shared/prebuild/notify_rc.o
    ./release/src/router/shared/prebuild/private.o
    The binary blobs are in ELF format for MIPS. Since I'm not familiar with the MIPS architecture, I only skimmed through some of them in IDA. The binary files under ./release/src/router/rc/prebuild, ./release/src/router/shared/prebuild/ and ./release/src/router/aaews/prebuild are worth some time to revisit in future. TBH, I don't understand why ASUS makes them closed source. There is no trade secret. It makes no sense to me. My only concern is whether any of them send my private information to some unknown servers.

    3. First Deep Dive -- Dynamic DNS service

    My first deep dive is to see how dynamic DNS works, because that's one of the features that I may want to trade for accepting their goddamned EULA.

    The firmware boots each application service in release/src/router/rc/services.c. Depending on the DDNS vendor, there are several ways to bring up DDNS. See the source code here.

    If you use WWW.ORAY.COM (a Chinese site unknown to me) or Google Domains, you won't use ez-ipupdate. If you use ASUS DDNS or any other DDNS vendor, it brings up the ASUS customized version of ez-ipupdate. At the same time, /src/router/rc/watchdog.c runs periodically to check whether the WAN IP has changed. If it did change, it restarts the DDNS service.

    Using ASUS DDNS forces your router MAC to be sent to ASUS. See the source code here. If you don't like it, use Google Domains. That's what I'm going to do next.

    4. Conclusion

    I know my static analysis is too trivial. But it is better than nothing if someone wonders what is going on. What makes me concerned is those binary blobs at the application level. A few bytes of shellcode written there can pwn your whole network.

    Do I trust ASUS now? No.

    The next question is how to safeguard my privacy. I'm thinking of setting up a pfSense router between the cable modem and the ASUS router, changing the ASUS router to work as an access point, and keeping a close watch on the ASUS router.
     
    Last edited: Jul 29, 2019
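The post above enumerates the prebuilt blobs with `find . | grep prebuild/` and then stops at "ELF for MIPS". The script below is an added example (not part of the original post or of the ASUS firmware tree) that carries that triage one step further: it walks every `prebuild/` directory, confirms each file really is an ELF object, reads the `e_machine` field to report the target architecture, and lists any URLs embedded in the binary, which is the quickest first answer to "does this blob talk to an unknown server?". The directory layout, the fake 20-byte MIPS ELF header and the `ddns.example.invalid` URL in `make_sample_tree` are constructed for illustration only; the `e_machine` table covers just the common values.

```shell
#!/bin/sh
# Added triage script for prebuilt blobs in a firmware source tree.
# Not from the original post; the sample tree built by make_sample_tree
# (paths, fake ELF header, URL) is constructed for illustration.

# Print the ELF e_machine name of a file, or "not-elf" if the magic is absent.
elf_machine() {
    f="$1"
    # Bytes 0-3 must be 7f 45 4c 46 ("\x7fELF").
    magic=$(od -An -tx1 -N 4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not-elf"
        return 0
    fi
    # EI_DATA at offset 5: 01 = little-endian, 02 = big-endian.
    data=$(od -An -tx1 -j 5 -N 1 "$f" | tr -d ' \n')
    # e_machine is the 2-byte field at offset 18; order the bytes per EI_DATA.
    set -- $(od -An -tx1 -j 18 -N 2 "$f")
    if [ "$data" = "02" ]; then machine="$1$2"; else machine="$2$1"; fi
    case "$machine" in
        0003) echo "x86" ;;
        0008) echo "MIPS" ;;
        0028) echo "ARM" ;;
        003e) echo "x86-64" ;;
        00b7) echo "AArch64" ;;
        *)    echo "unknown(0x$machine)" ;;
    esac
}

# List distinct URLs embedded in a binary, using only tr/grep so the script
# works on a box without binutils' strings(1).
elf_urls() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" \
        | LC_ALL=C grep -oE 'https?://[A-Za-z0-9._:/-]+' | sort -u
}

# One tab-separated line per file under any prebuild/ directory:
#   <path> <machine> <number of distinct embedded URLs>
triage_prebuilt() {
    find "$1" -path '*/prebuild/*' -type f | sort | while IFS= read -r f; do
        m=$(elf_machine "$f")
        n=$(elf_urls "$f" | wc -l | tr -d ' ')
        printf '%s\t%s\t%s\n' "$f" "$m" "$n"
    done
}

# Build a constructed sample tree so the script can be exercised offline.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/router/rc/prebuild" "$d/router/rc/src"
    # Fake big-endian MIPS ELF: magic, EI_CLASS=1, EI_DATA=2 (BE), EI_VERSION=1,
    # 9 bytes of OSABI/padding, e_type=2 (EXEC), e_machine=8 (MIPS), then a URL.
    {
        printf '\177ELF\001\002\001'
        printf '\000\000\000\000\000\000\000\000\000'
        printf '\000\002\000\010'
        printf 'https://ddns.example.invalid/update\000'
    } > "$d/router/rc/prebuild/private.o"
    printf 'not an ELF file\n' > "$d/router/rc/prebuild/README"
    # Source files outside prebuild/ are ignored by the triage.
    printf 'int main(void) { return 0; }\n' > "$d/router/rc/src/main.c"
}

# Usage: sh triage.sh /path/to/firmware/release
if [ "$#" -gt 0 ]; then
    triage_prebuilt "$1"
fi
```

Run it against the unpacked `release/` directory of the firmware source; blobs that report a URL count above zero (or an unexpected machine type) are the ones to open in IDA or Ghidra first. The URL regex is deliberately narrow; hostnames stored without a scheme, or assembled at run time, will not show up, so a zero does not prove a blob is silent.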
  2. dosborne

    dosborne Senior Member

    Joined:
    May 11, 2019
    Messages:
    450
    Location:
    /dev/null
    If you distrust ASUS to this level, why on earth are you running their product?
     
  3. rickyzhang

    rickyzhang Occasional Visitor

    Joined:
    Jul 28, 2019
    Messages:
    25
    Location:
    Planet Earth
    It is their recent EULA that prompted me to think about what the heck they are doing behind my back.

    Do I trust a Taiwanese brand router that is manufactured in mainland China? No.
     
  4. dosborne

    dosborne Senior Member

    Joined:
    May 11, 2019
    Messages:
    450
    Location:
    /dev/null
    Then, again, why are you running their product? If I don't trust a vendor to the extent that you don't, then I don't buy their products (or I replace them if I already bought them).

    If you don't like the new EULA, then run the old software.
     
  5. rickyzhang

    rickyzhang Occasional Visitor

    Joined:
    Jul 28, 2019
    Messages:
    25
    Location:
    Planet Earth
    I paid them 4+ years ago. I didn't expect that 4 years later I would have to trade my privacy for additional software features.

    I can't find any American-brand wireless home router.

    So that's why.
     
  6. Grisu

    Grisu Part of the Furniture

    Joined:
    Aug 28, 2014
    Messages:
    2,885
    You bought a router with some functions and features 4 years ago. There was no EULA and you were happy.
    Now they gave you some more features, and if you want to use them you have to accept their EULA.
    Don't use those new features and nothing has changed for you!!!

    Others like those new features and trust them; why would you want them to miss out only because you don't want that EULA???
    Just don't accept the EULA and don't use those new features you never paid for!

    In reality nothing changed, with or without the EULA; they only introduced the EULA because of GDPR, to be compliant. In the background the software has been the same as 4 years ago ;)
     
  7. rickyzhang

    rickyzhang Occasional Visitor

    Joined:
    Jul 28, 2019
    Messages:
    25
    Location:
    Planet Earth
    No, they are not new features. DDNS has been provided since day one. I have been using it for 4+ years. But now you have to accept the ASUS EULA in order to use DDNS.

    I never knew that ASUS had been collecting and sending my private information in the background. I thought they "open sourced" their software. Thus, I put blind trust in them.

    Now I have taken back my trust based on my analysis.
     
  8. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    10,929
    Your blind trust is your issue alone. Now that you're aware of your mistake, make a decision and move on.

    Most of the users on this forum know the issues you're bringing up. We act accordingly (already).
     
  9. rickyzhang

    rickyzhang Occasional Visitor

    Joined:
    Jul 28, 2019
    Messages:
    25
    Location:
    Planet Earth
    How often do consumers poke around the "open source" stuff?

    I bet even those with knowledge put their blind trust in it from time to time.

    We always trade our privacy for convenience. But what I don't like is that you cannot claim you are open source if you keep some parts closed source. That's misleading. Also, don't violate the GPL.

    I have withdrawn my ASUS EULA acceptance now and paid for Google Domains. The next move is to get a pfSense router.
     
  10. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    10,929
    Google Domains?

    Nothing that I would even consider.

    Good luck with pfSense too. Many hurdles to overcome there from my experience.
     
  11. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,109
    Location:
    Canada
    ...And? How is that different from sending a unique username?

    In fact, sending a generic router MAC instead of having you create a user account provides MORE privacy. Asus doesn't know the first thing about you, while creating an account at a DDNS service will require you to provide various personal information such as your real name.
     
  12. AndreiV

    AndreiV Very Senior Member

    Joined:
    Aug 25, 2015
    Messages:
    1,079
    Location:
    Gone fishing
    Your internet connection is never really private.

    Stealthing router ports is a pointless exercise. Anyone sniffing around IP addresses will know you are there behind stealthed ports because they don't receive an empty response to their query; they can also see your router MAC address .......
    The big question is, just exactly what have you got to hide?
     
  13. dosborne

    dosborne Senior Member

    Joined:
    May 11, 2019
    Messages:
    450
    Location:
    /dev/null
    The bigger question is: does he realize how much is exposed regardless of the EULA and DDNS issue? I suspect not. The only way to hide from the internet is to become a troll in a cave LOL.

    @rickyzhang Put another router between your ASUS and the internet and block / limit / monitor access to any non-approved sites if you are so concerned.
     
    Last edited: Jul 29, 2019
  14. rickyzhang

    rickyzhang Occasional Visitor

    Joined:
    Jul 28, 2019
    Messages:
    25
    Location:
    Planet Earth
    Comrade @AndreiV

    It is my privacy. I don't want big brothers watching me. Is that not OK with you? The rhetorical question you asked makes me feel that you and I have cultural differences.

    @dosborne

    A troll is an abusive term used by liberals here. I don't want to start a political fight with you. You have a good sense of humor, like a Chinese person, regarding 'a troll in a cave'. (In case you don't get my sarcasm behind the computer screen, I have to fake a cough a little bit...)

    That's what I'm going to do next: place a pfSense between the cable modem and the ASUS router. The ASUS router will turn into an AP.

    @RMerlin

    It is about trust, which is subjective to the individual. ASUS is a Taiwanese company which does its major business operations in mainland China. I have no faith in anything related to that.

    So I place my (blind) trust in Google Domains. Should Google sell me out, I could hold them accountable in US jurisdiction. The same philosophy: I never use VPNs from VPN vendors, which are mostly owned by mainland China. Neither will I plug my gadgets into a hotel network.

    It is all subject to an individual's trust settings.
     
  15. AndreiV

    AndreiV Very Senior Member

    Joined:
    Aug 25, 2015
    Messages:
    1,079
    Location:
    Gone fishing
    Lol, then you had better remove yourself from the USA as a matter of urgency.

    Cultural differences, yes some, but I don't live in a state of constant fear and extreme paranoia, as you so obviously do, always suspicious of anything or anyone from outside your not-so-very-free country.

    Honestly, if you are so terrified of what people just might possibly see about you, then you should not be using a computer or the internet, ever.

    I can imagine the heart attack you are going to have when you realise exactly what a website owner can see when they run cPanel/AWStats/Webalizer and Google Analytics ......... :rolleyes::rolleyes::D:D
     
    Last edited: Jul 30, 2019