@ankurpandeyvns
Created September 28, 2025 16:20
Excitel PPC Router Documentation

Router System Documentation

This document outlines the system information, filesystem structure, available commands, and network interfaces of the target router.

1. Operating System

  • OS: GNU/Linux
  • Hostname: RTKGW
  • Kernel Version: 4.4.140
  • Architecture: mips
  • System Time: Wed Apr 3 09:23:56 CST 2024
  • Core Utilities: BusyBox v1.22.1 provides the main set of shell commands.

2. Filesystem Structure

The filesystem is characteristic of an embedded device, with a small, read-only root partition and several writable partitions for configuration and temporary data.

Filesystem Usage (df -P)

Filesystem        Size (1K-blocks)   Used    Available   Capacity   Mounted on
/dev/root         12160              12160   0           100%       /
devtmpfs          55544              0       55544       0%         /dev
tmpfs             55660              0       55660       0%         /run
ubi0:ubi_Config   8140               252     7436        3%         /var/config
ubi0:ubi_misc     25688              24      24316       0%         /var/misc

Root Directory (/) Layout

The root directory contains standard Linux folders. Several directories are symlinked to the writable /var partition to allow for dynamic data storage.

  • /bin: Core system binaries.
  • /config: -> ./var/config/
  • /dev: Device files.
  • /etc: System configuration files.
  • /lib: Shared libraries.
  • /mnt: -> /var/mnt
  • /proc: Kernel process information.
  • /run: Runtime data.
  • /sbin: -> /bin (symlink)
  • /sys: Kernel object information.
  • /tmp: -> /var/tmp
  • /usr: User binaries and libraries.
  • /var: Writable partition for variable data.

3. Binaries and Commands

The available commands are located in directories specified by the $PATH environment variable.

  • $PATH: /sbin:/usr/sbin:/bin:/usr/bin:/etc/scripts

Command Locations

  • /bin: Contains the busybox executable and numerous symlinks to it for common commands (e.g., ls, cat, vi). It also contains other standalone binaries related to networking (udhcpd), VoIP, and system utilities.
  • /usr/bin, /usr/sbin: These directories are in the $PATH but do not exist on the filesystem.
  • /etc/scripts: Contains various shell scripts (.sh) for managing system functions, including networking (udhcpc.sh), hardware (rps.sh), and VoIP services.

This indicates that most functionality is provided by busybox and specialized scripts, rather than a full set of standard GNU utilities.

4. Network Interfaces (ifconfig -a)

The router has a complex network configuration with multiple bridge, Ethernet, and wireless interfaces.

Interface Summary

  • lo: The local loopback interface.
  • br0: A bridge interface, likely for the main LAN, grouping together Ethernet and wireless clients.
  • eth0, eth1, eth2, eth3, eth4: Physical Ethernet ports.
  • p-ppp: A PPP (Point-to-Point Protocol) interface, almost certainly for the WAN (Internet) connection.
  • wlan0, wlan1: Physical wireless interfaces.
  • wlan0-vap0, wlan0-vap1, etc.: Virtual Access Points (VAPs) for creating multiple SSIDs (e.g., guest networks) on the physical wireless interfaces.
  • wlan0-vxd, wlan1-vxd: Likely virtual interfaces for WDS (Wireless Distribution System) or a similar mesh/bridging technology.

This setup allows the router to manage multiple LAN clients (wired and wireless), guest networks, and connect to the internet via PPP.

5. Boot Process Analysis

The router utilizes a classic BusyBox-based init process, starting with /etc/inittab and dispatching a series of numbered scripts.

5.1. /etc/inittab

This is the main configuration file for the init process. The most important line is:

::sysinit:/etc/init.d/rcS

This command specifies that the /etc/init.d/rcS script is the first script to be executed on system boot.

5.2. /etc/init.d/rcS

This is the primary system initialization script. Its main function is to loop through numbers 0 to 63 and execute any script in /etc/init.d/ that follows the pattern rc<number> (e.g., rc2, rc3, etc.).

A key feature is the conditional execution of /var/tmp/custom_cmds.sh when the loop counter reaches 32.

5.3. Initialization Scripts (/etc/init.d/rc*)

The boot sequence is determined by the following scripts, executed in numerical order:

  • rc2: Performs critical early-boot tasks:

    • Mounts /var as a RAM filesystem.
    • Initializes mdev for device hotplugging.
    • Mounts UBI filesystems for configuration (/var/config) and other data (/var/misc).
    • Initializes the loopback network interface (lo).
  • rc3: Starts core services and loads drivers:

    • Starts the configd daemon.
    • Executes multiple scripts for custom configuration, VoIP, and driver loading (insdrv.sh).
    • Launches the main Realtek SDK process (runsdk.sh) with high priority.
  • rc6: Prepares for Samba file sharing by creating the /var/samba/ directory.

  • rc10: Tunes the IPv4 network stack by setting various kernel parameters in /proc/sys/net/ipv4/, including connection tracking timeouts and enabling IP forwarding.

  • rc14: Tunes the IPv6 network stack, configuring forwarding, autoconfiguration, and duplicate address detection.

  • rc18: Starts a background process named /bin/systemd. This is highly unconventional and is likely a custom binary, not the standard Linux init system.

  • rc20: Starts the /bin/ramonitor background process.

  • rc32:

    • Starts a generic startup background process.
    • Creates directories for the CUPS printing service, indicating print server functionality.
    • Runs rtkbosa, a Realtek-specific hardware initialization utility.
    • Calls /var/tmp/custom_cmds.sh (see below).
  • rc34:

    • Starts VoIP services (rcm_voip).
    • Enables the luna_watchdog hardware watchdog.
  • rc35: Performs hardware and performance tuning:

    • Initializes the board and firmware (fw_loaded.sh, board_init.sh).
    • Activates the fiber optic laser (laser_force_on_detect), confirming this is a fiber router.
    • Enables Receive Packet Steering (rps.sh) for network performance.
    • Starts another watchdog timer (cdt_wdt).
  • rc36: Starts the /etc/init.d/asod_monitor background process.

5.4. /var/tmp/custom_cmds.sh

This script is executed during the rc32 step and performs critical, device-specific configurations:

  • MIB Configuration: Sets several Management Information Base (MIB) variables for services like CWMP (TR-069 remote management) and sets the PPP credentials for the excitel_sys user.
  • U-Boot Bootloader Update: Contains a dangerous but critical function that checks the U-Boot version. If the version does not match a specific string, it erases and re-flashes the bootloader (/dev/mtd0) with a new image (/etc/encode_uboot.img) and reboots the device. This is a powerful and potentially risky automated update mechanism.
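
Sections 5.1 to 5.4 describe a boot chain that ends in a script under /var/tmp, a writable location. The following added example (not taken from the router or from this gist's author) audits an extracted root filesystem for that pattern; the function names, the .sh-suffix heuristic and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an extracted rootfs for boot scripts that run files
# from writable locations. Function names and sample contents are constructed.

# Process field of each sysinit entry in a BusyBox inittab (id:runlevels:action:process).
sysinit_entries() {
    awk -F: '!/^[[:space:]]*#/ && $3 == "sysinit" { print $4 }' "$1/etc/inittab"
}

# rc<N> scripts present in the image, in the order rcS dispatches them (N = 0..63).
boot_order() {
    i=0
    while [ "$i" -le 63 ]; do
        [ -f "$1/etc/init.d/rc$i" ] && echo "etc/init.d/rc$i"
        i=$((i + 1))
    done
}

# Emit "script:line:path:status" for every *.sh path under /var, /tmp or /run
# referenced by rcS or an rc<N> script. status is "in-image" when the file ships
# in the rootfs, "runtime-only" when it only exists after boot.
writable_exec_refs() {
    root=$1
    for s in etc/init.d/rcS $(boot_order "$root"); do
        [ -f "$root/$s" ] || continue
        awk -v s="$s" '
            { sub(/#.*/, "")                                  # ignore comments
              n = split($0, tok, "[^A-Za-z0-9_./-]+")         # keep path-like tokens
              for (k = 1; k <= n; k++)
                  if (tok[k] ~ "^/(var|tmp|run)/.*[.]sh$" && !seen[NR, tok[k]]++)
                      print s ":" NR ":" tok[k] }
        ' "$root/$s" |
        while IFS=: read -r f ln p; do
            [ -e "$root$p" ] && st=in-image || st=runtime-only
            echo "$f:$ln:$p:$st"
        done
    done
}

# Constructed sample rootfs (illustrative contents, not the device's real files).
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/init.d"
    printf '%s\n' '# constructed sample' '::sysinit:/etc/init.d/rcS' > "$d/etc/inittab"
    printf '%s\n' '#!/bin/sh' 'for i in $(seq 0 63); do' \
        '  [ -x /etc/init.d/rc$i ] && /etc/init.d/rc$i' 'done' > "$d/etc/init.d/rcS"
    printf '%s\n' '#!/bin/sh' 'mkdir -p /var/samba/' > "$d/etc/init.d/rc6"
    printf '%s\n' '#!/bin/sh' '# /var/tmp/old.sh is disabled' \
        '[ -f /var/tmp/custom_cmds.sh ] && sh /var/tmp/custom_cmds.sh' > "$d/etc/init.d/rc32"
    echo "$d"
}

# Usage: audit.sh <extracted-rootfs>; with no argument the sample is audited.
root=${1:-$(make_sample_rootfs)}
sysinit_entries "$root"
writable_exec_refs "$root"
```

A runtime-only result means the script's contents cannot be reviewed from the firmware image alone and have to be captured from a running device.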

6. PPP Connection Handling (Excitel)

The router's PPP connection process for Excitel is distinct and involves a combination of default scripting and provisioned credentials.

6.1. Core Components

  • PPP Daemon: The system uses a custom daemon, /bin/spppd, and a control utility, /bin/spppctl.
  • Configuration Directory: /etc/ppp is a symbolic link to the writable /var/ppp/ directory.

6.2. Connection Process

  1. Default Credential Injection: During the boot process, the /var/tmp/custom_cmds.sh script sets a default, hard-coded PPP username and password (excitel_sys / 11223344) into the router's MIB (Management Information Base) configuration. This appears to be a fallback or initial setup step.

  2. Provisioned Credentials: The actual credentials used for the live connection are stored in /var/ppp/ppp.conf. This file contains the real username and password (e.g., ccc / cccc) that are likely provisioned by Excitel's backend systems, overriding the default excitel_sys user.

  3. Configuration Management: The /etc/scripts/flash binary contains references to PPP settings (pppUser, pppPasswd, etc.), indicating it is the utility responsible for reading and writing these configurations to the device's persistent flash storage.

  4. Session Status: Once the connection is active, its status, including the session MAC addresses and uptime, is reflected in the /var/ppp/pppoe.conf file.

In summary, while the router has hard-coded default credentials for Excitel, the live connection relies on credentials that are provisioned separately and stored in a dynamically generated configuration file. This process is managed by custom PPP binaries and scripts.

7. System Scripts Analysis (/etc/scripts/)

This section provides a detailed analysis of individual shell scripts found in the /etc/scripts/ directory, beyond those directly involved in the main rcS boot sequence.

board_init.sh

Status: This script was called from /etc/init.d/rc35 but was not found on the filesystem during analysis. It is possible it is dynamically created, removed after execution, or its presence is conditional.

checkroot.sh

Function: This is a standard Linux script responsible for checking and mounting the root filesystem.

  • Reads /etc/fstab to determine root filesystem properties.
  • Activates swap partitions.
  • Performs a filesystem check (fsck) on the root filesystem.
  • If fsck fails, it drops into a single-user shell for manual repair.
  • Remounts the root filesystem with appropriate read/write permissions.

devpts.sh

Function: Sets up the devpts filesystem, essential for pseudo-terminals.

  • Checks for devpts kernel support.
  • Creates /dev/ptmx device node if missing.
  • Mounts devpts at /dev/pts.

disable_printk.sh

Function: Controls the kernel's logging verbosity.

  • Reads the PRINTK_DISABLE MIB variable.
  • Sets /proc/sys/kernel/printk to 1 (disables most messages) or 7 (enables all messages) based on PRINTK_DISABLE and script arguments.

flash

Status: Identified as a binary executable, not a shell script. It is used by other scripts (e.g., rcm_voip, update_ver_normal.sh) to interact with the device's persistent flash memory, likely for reading and writing configuration parameters like PON_MODE and software versions, and potentially for managing PPP settings.

fw_loaded.sh

Function: Manages firmware update states and image commitment.

  • Determines the active (sw_active) and backup firmware images.
  • If an update was performed by a non-OMCI updater (sw_updater is set), it ensures the sw_commit flag matches the sw_active image, marking the new firmware as committed.
  • Clears the sw_updater environment variable.

ins_rtk_snooping_mod.sh

Function: Loads the Realtek IGMP/MLD snooping kernel module.

  • Identifies the current kernel version.
  • Constructs the path to rtk_igmp_hook.ko.
  • Loads the module using insmod if found, crucial for optimizing multicast traffic (e.g., IPTV).

irf

Function: Reads RF (Radio Frequency) parameters from the wlan0 wireless interface.

  • Takes <path> and <offset> as arguments.
  • Uses iwpriv wlan0 read_rf to query specific RF parameters.

irf1

Function: Reads RF parameters from the wlan1 wireless interface.

  • Identical to irf, but targets wlan1.

iw

Function: Reads a register from the wlan0 wireless interface.

  • Takes <offset> as an argument.
  • Uses iwpriv wlan0 read_reg w,<offset> for low-level hardware debugging/configuration.

iw1

Function: Reads a register from the wlan1 wireless interface.

  • Identical to iw, but targets wlan1.

mnt_cfgfs.sh

Function: Mounts configuration filesystems, particularly UBI volumes.

  • Takes mount parameters, MTD name, and mount directory as arguments.
  • Validates arguments, creates mount point if needed.
  • Identifies MTD ID from /proc/mtd.
  • Attempts to mount the MTD block device.
  • If mounting fails, it attempts to flash_erase the partition (e.g., for yaffs2 filesystems) and retries the mount, ensuring persistent configuration storage is available.

modutils.sh

Function: Comprehensive script for loading various kernel modules, especially Realtek-specific drivers.

  • PON Configuration: Contains functions (ca_rtk_pon_set_scfg, rtk_pon_set_scfg) to configure Passive Optical Network (PON) settings, including MAC addresses, by interacting with a scfg file.
  • Module Dependency: Runs depmod -Ae if module dependencies are not found.
  • Generic Module Loading: Processes /etc/modules and /etc/modules-load.d/*.conf to load specified modules.
  • Realtek-Specific Drivers: Explicitly loads numerous Realtek kernel modules for Ethernet (fc_mgr, fc_8198f, rg, rtl8226b, rtl8367, rtl8261), wireless (rtl8192cd, 8852ae), and other functionalities (ext_phy_polling).

ob

Function: Writes a byte to a register on the wlan0 wireless interface.

  • Takes <offset> and <data> as arguments.
  • Uses iwpriv wlan0 write_reg b,<offset>,<data> for low-level wireless hardware configuration.

ob1

Function: Writes a byte to a register on the wlan1 wireless interface.

  • Identical to ob, but targets wlan1.

od

Function: Writes a double word (32-bit) to a register on the wlan0 wireless interface.

  • Takes <offset> and <data> as arguments.
  • Uses iwpriv wlan0 write_reg dw,<offset>,<data> for low-level wireless hardware configuration.

od1

Function: Writes a double word (32-bit) to a register on the wlan1 wireless interface.

  • Identical to od, but targets wlan1.

orf

Function: Writes RF (Radio Frequency) parameters to the wlan0 wireless interface.

  • Takes <path>, <offset>, and <data> as arguments.
  • Uses iwpriv wlan0 write_rf to configure specific RF parameters.

orf1

Function: Writes RF parameters to the wlan1 wireless interface.

  • Identical to orf, but targets wlan1.

ow

Function: Writes a word (16-bit) to a register on the wlan0 wireless interface.

  • Takes <offset> and <data> as arguments.
  • Uses iwpriv wlan0 write_reg w,<offset>,<data> for low-level wireless hardware configuration.

ow1

Function: Writes a word (16-bit) to a register on the wlan1 wireless interface.

  • Identical to ow, but targets wlan1.

rc_dev_voip

Function: Creates device nodes for VoIP (Voice over IP) functionality.

  • Determines the major device number for VoIP from /proc/devices.
  • Creates /dev/voip directory.
  • Uses mknod to create character device nodes for DTMF detectors, IVR, PCM channels, and a manager interface, essential for VoIP operations.

rcm_voip

Function: Initializes and manages VoIP-related modules and processes.

  • Retrieves PON_MODE from flash memory using the flash get command.
  • Conditionally executes aipc_util -E 0x0 based on PON_MODE.
  • Executes /etc/rc_voip_module and /bin/voip_def_init if they are executable.
  • Starts a VoIP watchdog daemon (/bin/voip_gwdt) in the background.

reset_default.sh

Function: Resets the router to its default configuration.

  • Checks for rst2dfl=1 in the kernel command line.
  • If present, it removes /etc/config/lastgood.xml to trigger a reset.

rps.sh

Function: Configures Receive Packet Steering (RPS) for network performance optimization.

  • Takes on or off as an argument.
  • Sets RPS_cpus and RPS_flow_cnt based on CPU core count.
  • Applies RPS settings to specific network interfaces (e.g., eth0.2, nas0).

rssi

Function: Sets a MIB variable for RSSI (Received Signal Strength Indicator) dumping on the wlan0 interface.

  • Takes an argument to set the rssi_dump MIB variable using iwpriv wlan0 set_mib.

rssi1

Function: Sets a MIB variable for RSSI dumping on the wlan1 wireless interface.

  • Identical to rssi, but targets wlan1.

setmib

Function: Generic utility to set MIB variables on the wlan0 wireless interface.

  • Takes a MIB variable name and a value as arguments.
  • Uses iwpriv wlan0 set_mib to apply the setting.

setmib1

Function: Generic utility to set MIB variables on the wlan1 wireless interface.

  • Identical to setmib, but targets wlan1.

slogd_sync.sh

Function: Synchronizes log files.

  • Compares modification times of two provided file paths.
  • Copies the first file to the second if the first is newer.

sysfs.sh

Function: Mounts various kernel virtual filesystems.

  • Mounts procfs, sysfs, debugfs, devtmpfs, and tmpfs at their respective locations, making kernel information and device files accessible.

udhcpc.deconfig

Function: udhcpc (DHCP client) hook script for deconfiguration.

  • Deconfigures the network interface by setting its IP address to 0.0.0.0 when a DHCP lease is released.

udhcpc.sh

Function: Main udhcpc (DHCP client) hook script.

  • Executes at different stages of the DHCP lease process (bound, renew, deconfig, nak).
  • Configures the network interface, interacts with UPNP, calls updateddctrl, and manages routes.
  • Signals the udhcpd (DHCP server) if running.

update_ver_normal.sh

Function: Manages software version information, particularly for province-specific configurations and OMCI.

  • Retrieves active software image and hardware province name.
  • Extracts PROVINCE_SW_VERSION from XML configuration files.
  • Uses the flash utility and mib command to update PROVINCE_SW_VERSION and OMCI software versions.

vm_tuning.sh

Function: Tunes virtual memory parameters for system performance.

  • Adjusts min_free_kbytes to prevent memory deadlocks.
  • Configures lowmem_reserve_ratio, vfs_cache_pressure, and dirty page writeback parameters (dirty_bytes, dirty_background_bytes, dirty_writeback_centisecs, dirty_expire_centisecs).

8. Hidden 2.4GHz SSID Configuration (www.excitel.com)

The configuration of the hidden 2.4GHz SSID named "www.excitel.com" is primarily managed through the flash binary, which interacts with the router's persistent configuration storage.

8.1. Key Components

  • flash Binary: This executable is central to setting wireless parameters, including SSID and its hidden status. It likely interacts with MIB variables or directly with flash memory to store these settings.
  • Wireless Interfaces: The 2.4GHz SSID would be configured on one of the wireless interfaces, typically wlan0 or wlan1.

8.2. Configuration Mechanism

Based on the analysis of scripts and the grep output for "ssid" and "hidden" within /etc/scripts/flash, the following MIB-like parameters are likely used:

  • WLAN_SSID: To set the SSID name (e.g., "www.excitel.com").
  • WLAN_HIDDEN_SSID: To enable or disable the hidden status of the SSID (e.g., 1 for hidden, 0 for broadcast).
  • Similar parameters exist for the second wireless interface, such as WLAN1_SSID and WLAN1_HIDDEN_SSID.

While custom_cmds.sh sets various MIBs, it does not directly configure the SSID or its hidden status. Therefore, these settings are either pre-configured in the firmware, set by a different provisioning mechanism, or configured via the router's web interface, which then uses the flash binary to persist the changes.

To set the hidden 2.4GHz SSID "www.excitel.com", the flash binary would be invoked with commands similar to:

flash set WLAN_SSID "www.excitel.com"
flash set WLAN_HIDDEN_SSID 1

(Note: The exact syntax for flash set and the MIB names might vary slightly, but the identified strings strongly suggest this mechanism.)
