Mastodon

Having a detailed look at the Netgear Nighthawk M5 Mobile LTE/Router

Dr . Watson

After gaining root access to the device in the first post of this series, we will have a closer look at the device and its firmware.

This post is documenting some internals of the device which is not the most exciting stuff to read. I mainly collected it here for documentation purposes.

All information in this post has been collected from a device running firmware version NTGX55_12.04.12.00.

Software

Netgear’s firmware is Linux-based and uses quite a lot of common open-source tools. They provide all modifications to GPL licensed code via their support area: NETGEAR Open Source Software for Programmers.

From what I can tell only their user interface and configuration management is developed by Netgear themself apart from a bunch of binary blobs provided by Qualcomm which contains the modem firmware which gets loaded to the baseband processor.

One curiosity catched my eye: there is a running X server on the device. It is used by the front-panel display of the device. A custom application developed by Netgear uses Webkit’s engine to render the touch screen interface which just like the web UI is based on HTML and Javascript.

Here is an almost complete list of open source software components which I found on the device:

  • atk (v2.28)
  • Avahi (v0.7)
  • bash (v4.4.23)
  • base-files (v3.0.14)
  • BusyBox (v1.29.3)
  • conntrack-tools (v1.0.1)
  • D-Bus (v1.12.10)
  • ddclient (v3.8.1)
  • dhcpcd (v5.2.10)
  • DiG (v9.11.5-P4)
  • Dnsmasq (v2.85)
  • ethtool (v4.19)
  • font-config (v2.12.6)
  • freetype (v2.9.1)
  • glib (v2.58.0)
  • hostapd (v2.8-devel)
  • iproute2 (iproute2-ss140804)
  • iptables (v1.6.2)
  • iw (v4.14)
  • libcap (v2.25)
  • libnfnetlink (v1.0.0)
  • Linux Kernel (v4.14.117)
  • miniupnpd
  • mtd-utils (v2.0.2)
  • nettle (v3.4)
  • OpenSSL (v1.1.1b)
  • pimd (v2.1.8)
  • pppd (v2.4.7)
  • strace (v4.24)
  • SystemD (v239)
  • tinyproxy (v1.8.3)
  • util-linux (v2.32.1)
  • wireless-tools (v30)
  • wpa_supplicant (v2.9)
  • Xorg (v1.20.1)
  • xz (v5.2.4)

Basic facts

Lets first have a look at the Kernel version:

$ uname -a
Linux sdxprairie 4.14.117 #1 PREEMPT Thu Aug 19 23:42:26 UTC 2021 armv7l GNU/Linux

/ # cat /proc/version
Linux version 4.14.117 (oe-user@oe-host) (clang version 6.0.9 for Android NDK) #1 PREEMPT Thu Aug 19 23:42:26 UTC 2021

Apparently the firmware has been built by Open Embedded as indicated by the kernel notice „oe-user„.

There is also a /target file lying around. I assume that „sdxprairie“ is Qualcomm’s name for the SDK/BSP which is used by Netgear.

$ cat /target
sdxprairie

The application processor of the Snapdragon X55 is a fairly low powered single-core ARM v7:

$ cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 38.40
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

Hardware        : Qualcomm Technologies, Inc SDXPRAIRIE
Revision        : 0000
Serial          : 0000000000000000

With around 780 MB of RAM:

$ free -m
             total       used       free     shared    buffers     cached
Mem:           781        387        393          0          0        142
-/+ buffers/cache:        245        535
Swap:          109          0        109

SoC details

Within the SysFS we can find some details about the SoC. More details about the meaning can be found in the Kernel documentation:

SysFS EntryValue
/sys/devices/soc0/accessory_chip0
/sys/devices/soc0/chip_family0x5e
/sys/devices/soc0/chip_nameSDX55
/sys/devices/soc0/familySnapdragon
/sys/devices/soc0/foundry_id1
/sys/devices/soc0/hw_platformMTP
/sys/devices/soc0/image_crm_version:ntgrbc-fwbuild6
/sys/devices/soc0/image_variantMAATANAZA
/sys/devices/soc0/image_version00:BOOT.SBL.4.1-00231
/sys/devices/soc0/machineSDXPRAIRIE
/sys/devices/soc0/ncluster_array_offset0xb0
/sys/devices/soc0/ndefective_parts_array_offset0xb4
/sys/devices/soc0/nmodem_supported0xffffffff
/sys/devices/soc0/nproduct_id0x410
/sys/devices/soc0/num_clusters0x1
/sys/devices/soc0/num_defective_parts0xd
/sys/devices/soc0/platform_subtypeInvalid
/sys/devices/soc0/platform_subtype_id5
/sys/devices/soc0/platform_version65536
/sys/devices/soc0/pmic_die_revision131072
/sys/devices/soc0/pmic_model65568
/sys/devices/soc0/raw_device_family0x6
/sys/devices/soc0/raw_device_number0xb
/sys/devices/soc0/raw_id207
/sys/devices/soc0/raw_version2
/sys/devices/soc0/revision2.0
/sys/devices/soc0/select_image0
/sys/devices/soc0/serial_number27453XXXX
/sys/devices/soc0/soc_id357
/sys/devices/soc0/vendorQualcomm
$ cat /sys/devices/soc0/images
0:
        CRM:            00:BOOT.SBL.4.1-00231
        Variant:        MAATANAZA
        Version:        :ntgrbc-fwbuild6
1:
        CRM:            01:TZ.FU.5.9-00147
        Variant:        EATAANBAA
        Version:        :CRM
11:
        CRM:            11:MPSS.HI.2.0.c3.5-00010-SDX55_CPEALL_PACK-1.403198.3
        Variant:        sdx55.gennatch.prod
        Version:        :ntgrbc-fwbuild6

Kernel command line

$ cat /proc/cmdline<br>noinitrd rw rootwait console=ttyMSM0,115200,n8 androidboot.hardware=qcom msm_rtb.filter=0x237 androidboot.console=ttyMSM0 lpm_levels.sleep_disabled=1 firmware_class.path=/lib/firmware/updates service_locator.enable=1 net.ifnames=0 atlantic_fwd.rx_ring_size=1024 pci=pcie_bus_perf rootfstype=ubifs rootflags=bulk_read root=ubi0:rootfs ubi.mtd=24 androidboot.serialno=105d0dc7 androidboot.baseband=msm

Kernel log

Unfortunately, I was not able to capture early kernel log messages. I assume those are only printed via a serial port and lost as the circular buffer for the kernel log has not been set up.

More details…

Feel free to contact me if I missed any particular detail which is interesting for you.