Ok so I tried to search the forum for a while but didn't find anything similar.
I've had this Zyxel NBG4615v2 router for several years now, I got it from my isp and to my knowledge it's running the zyxel factory os (not rebranded).
It has been collecting dust in my closet for couple of years unused but recently I decided to play around with it little bit.
The first concern for me was the factory enabled NetUSB (which is known vulnerability) and I decided to snoop around if it could be disabled somehow.
Zyxel web interface didn't give any options for it and at that point the router didn't let me sign in via ssh with root/interface password (even though I enabled it in the web ui).
The url was familiar from somewhere though..
So I decided to open the hood and find the serial headers and solder some jumpwires to it.
Fired up PuTTY and more familiar lines start popping up, wait, what?! Is this thing running OpenWRT???
I try to login with root/1234 (default for webui) and my suspicions are confirmed.
Here's the full bootlog:
U-Boot 2009.11 (Nov 29 2012 - 12:02:26)
Board: NBG4615v2
DRAM: 128 MB
CPU frequency: 700000000
SPI FLASH: MX25L12805D size=16MB
Net: Switch: RTL8367RB
Eth0 (10/100-M)
ZyXEL zloader v1.01 (Nov 29 2012 - 12:02:55)
Multiboot clinent version: 1.0
Waitting for RX_DMA_BUSY status Start... done
Header Payload scatter function is Disable !!
Hit any key to stop autoboot: 0
### JFFS2 loading '/boot/vmlinux.lzma.uImage' to 0x80400000
Scanning JFFS2 FS: '/boot/vmlinux.lzma.uImage' found, done
Loading file: done
### JFFS2 load complete: 1054148 bytes loaded to 0x80400000
## Booting kernel from Legacy Image at 80400000 ...
Image Name: Linux Kernel Image
Created: 2015-05-25 8:04:00 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1054084 Bytes = 1 MB
Load Address: 80020000
Entry Point: 80023d70
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
Starting kernel ...
Linux version 2.6.36 (hank@ubuntu) (gcc version 4.3.3 (GCC) ) #7 Mon May 25 16:0 3:56 CST 2015
ISPRAM0: PA=002a0000,Size=00008000,enabled
Ralink RT63165 SOC prom init
bootconsole [early0] enabled
CPU revision is: 00019555 (MIPS 34Kc)
Determined physical RAM map:
memory: 07fe0000 @ 00020000 (usable)
Wasting 1024 bytes for tracking 32 unused pages
Initrd not found or empty - disabling initrd
Zone PFN ranges:
Normal 0x00000020 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000020 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32480
Kernel command line: init=/etc/preinit root=/dev/mtdblock5 rootfstype=jffs2 rw z ld_ver=1.01 console=ttyS0,115200 mtdparts=raspi:0x30000(u-boot),0x10000(env)ro,0 x10000(RFdata)ro,0x60000(rootfs_data),0x10000(header),0xF40000(rootfs) es=1
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00026e00
Readback ErrCtl register=00026e00
Memory: 126516k/130944k available (2592k kernel code, 4428k reserved, 398k data, 176k init, 0k highmem)
Hierarchical RCU implementation.
RCU-based detection of stalled CPUs is disabled.
Verbose stalled-CPUs detection is disabled.
NR_IRQS:64
CPU frequency 699.00 MHz
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
Calibrating delay loop... 465.30 BogoMIPS (lpj=2326528)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
Ralink GPIOLIB Init.
start PCIe register access
*************** RT6855A PCIe RC mode *************
PCIE1 no card, disable it(RST&CLK)
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
pci 0000:00:00.0: BAR 0: can't assign mem (size 0x80000000)
pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x200fffff]
pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x2000ffff]
pci 0000:01:00.0: BAR 0: set to [mem 0x20000000-0x2000ffff] (PCI address [0x2000 0000-0x2000ffff]
pci 0000:00:00.0: PCI bridge to [bus 01-01]
pci 0000:00:00.0: bridge window [io disabled]
pci 0000:00:00.0: bridge window [mem 0x20000000-0x200fffff]
pci 0000:00:00.0: bridge window [mem pref disabled]
** bus= 0, slot=0x0
BAR0 at slot 0 = 0
bus=0x0, slot = 0x0
res[0]->start = 0
res[0]->end = 0
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
** bus= 1, slot=0x0
bus=0x1, slot = 0x0
res[0]->start = 20000000
res[0]->end = 2000ffff
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RT3xxx EHCI/OHCI init.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2 (NAND) (SUMMARY) (ZLIB) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
msgmni has been set to 247
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
brd: module loaded
flash manufacture id: c2, device id 20 18
MX25L12805D(c2 2018c220) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (0M) .erasesize = 0x00000010 (0K) .numeras eregions = 65536
6 cmdlinepart partitions found on MTD device raspi
Using command line partition definition
Creating 6 MTD partitions on "raspi":
0x000000000000-0x000000030000 : "u-boot"
0x000000030000-0x000000040000 : "env"
0x000000040000-0x000000050000 : "RFdata"
0x000000050000-0x0000000b0000 : "rootfs_data"
0x0000000b0000-0x0000000c0000 : "header"
0x0000000c0000-0x000001000000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
split_squashfs: no squashfs found in "raspi"
rdm_major = 253
MAC_ADRH -- : 0x0000000c
SMACCR1 -- : 0x0000000c
MAC_ADRL -- : 0x432880e2
SMACCR0 -- : 0x432880e2
Ralink APSoC Ethernet Driver Initilization. v2.1 256 rx/tx descriptors allocate d, mtu = 1500!
MAC_ADRH -- : 0x0000000c
SMACCR1 -- : 0x0000000c
MAC_ADRL -- : 0x432880df
SMACCR0 -- : 0x432880df
PROC INIT OK!
input: gpio-buttons as /devices/platform/gpio-buttons/input/input0
Simple TC action Loaded
IPv4 over IPv4 tunneling driver
TCP westwood registered
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
tunl0: Disabled Privacy Extensions
IPv6 over IPv4 tunneling driver
sit0: Disabled Privacy Extensions
ip6tnl0: Disabled Privacy Extensions
NET: Registered protocol family 17
NET: Registered protocol family 15
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (jffs2 filesystem) on device 31:5.
Freeing unused kernel memory: 176k freed
- preinit -
Press the [f] key and hit [enter] to enter failsafe mode
- regular preinit -
switching to jffs2
mini_fo: using base directory: /
mini_fo: using storage directory: /overlay
- init -
Setting Switch Reset
System Mode = 1
Setting Switch Interface
phy_tx_ring = 0x0746d000, tx_ring = 0xa746d000
phy_rx_ring0 = 0x0746e000, rx_ring0 = 0xa746e000
MAC_ADRH -- : 0x0000107b
SMACCR1 -- : 0x0000107b
MAC_ADRL -- : 0xef5e519d
SMACCR0 -- : 0xef5e519d
ESW: Link Status Changed - Port5 Link UP
CDMA_CSG_CFG = 81000007
GDMA1_FWD_CFG = C0710000
device eth2 entered promiscuous mode
Setting Switch Register
Member:0x2AB10352 Untag Member:0x7FBC1F54 fid:4331712
Vid:10 Member:0x0050 Untag Member:0x0010 fid:0
Member:0x2B25C352 Untag Member:0x7FFA9F54 fid:4331712
Vid:20 Member:0x004F Untag Member:0x000F fid:0
TEST "rtk_igmp_static_router_port_set OK"
Please press Enter to activate this console. root: Start preboot
Currently, GPIOLIB not support irq on this platform!
Currently, GPIOLIB not support irq on this platform!
hw_nat: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
Ralink HW NAT Module Enabled
root: Start luci_fixtime
root: Tue Jun 9 08:45:00 UTC 2015
root: Start ess_info
root: Start boot
root: udhcpc (v1.15.3) started
root: Sending discover...
root: Sending discover...
root: Start password
root: Changing password for root
root: New password:
root: Bad password: too short
root: Retype password:
root: Password for root changed by root
root: Start usb
root: Start network
root: Start wireless
root: 'ra0' is disabled
root: Start wireless_client
root: Start firewall
root: Sending discover...
root: Start firewall6
root: Start systimeout
root: Start cron
root: Start dropbear
root: Start lldt
root: ***** g_wl_interface = ra0 ******
root: ***** g_wl_interface = ra0 ******
root: Start nat
root: Start radvd
root: Start telnet
root: Start uhttpd
root: disable www
root: Start updatedd
root: Start htp
root: Start luci_dhcp_migrate
root: Start dnsmasq
root: no more available dns servers !
root: no more available dns servers !
root: Start wol
root: Start route
root: Start wps
root: WLAN turn off by HW button, WPS doesn't start.
root: Start done
root: Start miniupnpd
root: miniupnpd starting ...
root: Start led
root: Start portTrigger
root: Start time_daemon
root: Start watchdog
root: Start webstr_filter
root: Start wifi_scheduling
root: Start wireless_macfilter
root: Start qos
root: Start sysntpd
root: Start bootend
root: Start gw6c
root: You haven't edited your configuration file. Gateway6 is disabled.
root: Gateway6 client cannot start.
root: Start igmpproxy
root: Start sitesurvey_status_monitor
root: Start sysctl
root: Start sysstat
root: Start usb_detect
root: Start wan_status_monitor
root: Boot finished!
root: 'ra0' is disabled
NBG4615 v2 login: root
Password:
BusyBox v1.15.3 (2015-04-01 17:36:11 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
Backfire (10.03.1, r5276) ---------------------------
root@NBG4615 v2:~# cd /
root@NBG4615 v2:/# ls -l
drwxr-xr-x 2 root root 0 Jun 9 08:45 bin
drwxr-xr-x 2 root root 0 May 25 08:04 boot
drwxr-xr-x 5 root root 1580 Jun 9 08:45 dev
drwxr-xr-x 5 root root 0 Jun 9 08:45 etc
drwxr-xr-x 3 root root 0 Apr 1 09:42 etc_ro
drwxr-xr-x 3 root root 0 Jan 1 1970 home
drwxr-xr-x 13 root root 0 Jun 9 08:45 lib
drwxr-xr-x 2 root root 0 Jun 9 08:44 mnt
drwxr-xr-x 4 root root 0 Jan 1 1970 overlay
dr-xr-xr-x 59 root root 0 Jan 1 1970 proc
drwxr-xr-x 20 root root 0 Jan 1 1970 rom
drwxr-xr-x 2 root root 0 Jun 9 08:44 root
drwxr-xr-x 2 root root 0 Apr 1 06:50 sbin
drwxr-xr-x 11 root root 0 Jan 1 1970 sys
drwxrwxrwt 9 root root 600 Jun 9 08:45 tmp
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.05Vkw3
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.3BufOf
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.5A58zU
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.DYzO9r
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.MbCwb3
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.OlYWWP
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.QCRkoz
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.Ru3Ec2
-rw------- 1 root root 4 Jan 1 1970 tmp.YRHh5s
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.Yi4ruS
-rw------- 1 root root 2 Jan 1 1970 tmp.jiBmoe
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.kn4fSc
-rw------- 1 root root 0 Jan 1 1970 tmp.oVfDPc
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.q1Khct
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.qqU0f4
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.rHeXfk
-rw-r--r-- 1 root root 2 Jan 1 1970 tmp.xrqo2T
drwxr-xr-x 6 root root 0 Jun 9 08:45 usr
lrwxrwxrwx 1 root root 4 Jun 9 08:45 var -> /tmp
drwxr-xr-x 5 root root 0 Jun 9 08:45 www
root@NBG4615 v2:/#
So I guess my real question in here is that if anybody has ever seen manufacturer using OpenWRT as template for their own UI?
I've seen some small scale rebranders etc using this but Zyxel? Really??