rickyzhang
Occasional Visitor
I know this device is old. I bought it 4+ years ago. But a recent EULA change made me concerned about my privacy. So today I finally took a look at the stock firmware source code.
1. Version
The preliminary analysis is of version 3.0.0.4.382.51640 of the ASUS stock firmware.
2. Binary Blobs
The source code is not completely open source. There are 43 binary blobs at the application level (excluding wireless drivers).
find . | grep prebuild/
./release/src-rt-6.x/ctools/prebuild/trx_asus
./release/src/router/sambaclient/prebuild/sambaclient
./release/src/router/dropbox_client/prebuild/dropbox_client
./release/src/router/httpd/prebuild/pwenc.o
./release/src/router/httpd/prebuild/web_hook.o
./release/src/router/lighttpd-1.4.39/prebuild/mod_query_field_json.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_captive_portal_uam.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_smbdav.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_aicloud_sharelink.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_create_captcha_image.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_aicloud_invite.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_aidisk_access.so
./release/src/router/lighttpd-1.4.39/prebuild/mod_aicloud_auth.so
./release/src/router/rc/prebuild/tcode_brcm.o
./release/src/router/rc/prebuild/conn_diag.o
./release/src/router/rc/prebuild/ate-broadcom.o
./release/src/router/rc/prebuild/tcode_rc.o
./release/src/router/rc/prebuild/psta_monitor.o
./release/src/router/rc/prebuild/broadcom.o
./release/src/router/rc/prebuild/private.o
./release/src/router/u2ec/prebuild/u2ec
./release/src/router/aaews/prebuild/mastiff
./release/src/router/aaews/prebuild/aaews
./release/src/router/asuswebstorage/prebuild/asuswebstorage
./release/src/router/asusnatnl/natnl/prebuild/libasusnatnl.so
./release/src/router/inotify/prebuild/inotify
./release/src/router/webdav_client/prebuild/webdav_client
./release/src/router/sysstate/commands/prebuild/asuslog
./release/src/router/sysstate/log_daemon/prebuild/sysstate
./release/src/router/libvpn/prebuild/libvpn.so
./release/src/router/usbclient/prebuild/usbclient
./release/src/router/wb/prebuild/libws.so
./release/src/router/ftpclient/prebuild/ftpclient
./release/src/router/networkmap/prebuild/asusdiscovery
./release/src/router/networkmap/prebuild/networkmap
./release/src/router/protect_srv/prebuild/Send_Event2ptcsrv
./release/src/router/protect_srv/prebuild/protect_srv
./release/src/router/protect_srv/lib/prebuild/libptcsrv.so
./release/src/router/shared/prebuild/tcode.o
./release/src/router/shared/prebuild/shutils_private.o
./release/src/router/shared/prebuild/spwenc.o
./release/src/router/shared/prebuild/notify_rc.o
./release/src/router/shared/prebuild/private.o
The binary blobs are in ELF format for MIPS. Since I'm not familiar with the MIPS architecture, I only skimmed through some of them in IDA. The binary files under ./release/src/router/rc/prebuild, ./release/src/router/shared/prebuild/ and ./release/src/router/aaews/prebuild are worth some time to revisit in the future. TBH, I don't understand why ASUS makes them closed source. There is no trade secret. It makes no sense to me. My only concern is whether any of them is sending my private information to some unknown servers.
3. First Deep Dive -- Dynamic DNS service
My first deep dive is to see how dynamic DNS works, because that's one of the features that I may want to trade for accepting their god-damned EULA.
The firmware boots each application service in release/src/router/rc/services.c. Depending on the DDNS vendor, there are several ways to bring up DDNS. See source code here.
If you use WWW.ORAY.COM (a Chinese site unknown to me) or Google Domain, you won't use ez-ipupdate. If you use ASUS DDNS or any other DDNS vendor, it brings up the ASUS customized version of ez-ipupdate. At the same time, /src/router/rc/watchdog.c will run periodically to check whether the WAN IP has changed. If it did change, it restarts the DDNS service.
Using ASUS DDNS will force your router's MAC to be sent to ASUS. See source code here. If you don't like it, use Google Domain. That's what I'm going to do next.
4. Conclusion
I know my static analysis is too trivial. But it is better than nothing if someone wonders what is going on. What concerns me is those binary blobs at the application level. A few bytes of shellcode written there can pwn your whole network.
Do I trust ASUS now? No.
The next question is how to safeguard my privacy. I'm thinking of setting up a pfSense router between the cable modem and the ASUS router, changing the ASUS router to work as an access point, and keeping a close watch on the ASUS router.
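An added example, not part of the original post and not ASUS code: one way to triage the prebuild/ files listed above is to read each file's ELF header (class, byte order, type, machine) and record a SHA-256, so the blob set can be compared between firmware releases. The function names, the sample tree and the header bytes in `demo()` are constructed for illustration.

```python
import hashlib, struct, tempfile
from pathlib import Path

# Subset of e_machine / e_type values from the ELF specification.
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
TYPES = {1: "REL (.o)", 2: "EXEC", 3: "DYN (.so/PIE)"}

def elf_info(data):
    """Return (class, byte order, type, machine) from an ELF header, else None."""
    order = {1: "<", 2: ">"}.get(data[5]) if len(data) >= 20 else None  # EI_DATA
    if data[:4] != b"\x7fELF" or order is None:
        return None
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return ({1: "ELF32", 2: "ELF64"}.get(data[4], "?"), "LE" if order == "<" else "BE",
            TYPES.get(e_type, hex(e_type)), MACHINES.get(e_machine, hex(e_machine)))

def inventory(root):
    """Record every file below a prebuild/ directory, like `find . | grep prebuild/`."""
    records = []
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root)
        if not path.is_file() or "prebuild" not in rel.parts[:-1]:
            continue
        data = path.read_bytes()
        records.append({"path": rel.as_posix(),
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "elf": elf_info(data)})
    return sorted(records, key=lambda r: r["path"])

def fake_elf(ei_class, ei_data, e_type, e_machine):
    """Constructed 20-byte header prefix for the demo; not a real firmware blob."""
    order = "<" if ei_data == 1 else ">"
    return (b"\x7fELF" + bytes([ei_class, ei_data, 1]) + bytes(9)
            + struct.pack(order + "HH", e_type, e_machine))

def demo():
    """Inventory a small constructed tree (sample data, not real firmware)."""
    samples = {"router/rc/prebuild/private.o": fake_elf(1, 2, 1, 8),
               "router/wb/prebuild/libws.so": fake_elf(1, 1, 3, 40),
               "router/x/prebuild/notes.txt": b"not ELF", "router/rc/services.c": b"/* src */"}
    with tempfile.TemporaryDirectory() as root:
        for rel, blob in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(blob)
        return inventory(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Calling `inventory()` on an unpacked source tree gives one record per prebuilt file; a record whose `elf` field is `None` is not an ELF object and needs a different kind of review.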