Skip to content
stv0g's weblog stv0g's weblog stv0g's weblog

Having a detailed look at the Netgear Nighthawk M5 Mobile LTE/Router

Dr. Watson

After gaining root access to the device in the first post of this series, we will have a closer look at the device and its firmware.

This post is documenting some internals of the device which is not the most exciting stuff to read. I mainly collected it here for documentation purposes.

All information in this post has been collected from a device running firmware version NTGX55_12.04.12.00.

Software

Section titled “Software”

Netgear’s firmware is Linux-based and uses quite a lot of common open-source tools. They provide all modifications to GPL licensed code via their support area: NETGEAR Open Source Software for Programmers.

From what I can tell only their user interface and configuration management is developed by Netgear themself apart from a bunch of binary blobs provided by Qualcomm which contains the modem firmware which gets loaded to the baseband processor.

One curiosity caught my eye: there is a running X server on the device. It is used by the front-panel display of the device. A custom application developed by Netgear uses Webkit’s engine to render the touch screen interface which just like the web UI is based on HTML and Javascript.

Here is an almost complete list of open source software components which I found on the device:

  • atk (v2.28)
  • Avahi (v0.7)
  • bash (v4.4.23)
  • base-files (v3.0.14)
  • BusyBox (v1.29.3)
  • conntrack-tools (v1.0.1)
  • D-Bus (v1.12.10)
  • ddclient (v3.8.1)
  • dhcpcd (v5.2.10)
  • DiG (v9.11.5-P4)
  • Dnsmasq (v2.85)
  • ethtool (v4.19)
  • font-config (v2.12.6)
  • freetype (v2.9.1)
  • glib (v2.58.0)
  • hostapd (v2.8-devel)
  • iproute2 (iproute2-ss140804)
  • iptables (v1.6.2)
  • iw (v4.14)
  • libcap (v2.25)
  • libnfnetlink (v1.0.0)
  • Linux Kernel (v4.14.117)
  • miniupnpd
  • mtd-utils (v2.0.2)
  • nettle (v3.4)
  • OpenSSL (v1.1.1b)
  • pimd (v2.1.8)
  • pppd (v2.4.7)
  • strace (v4.24)
  • SystemD (v239)
  • tinyproxy (v1.8.3)
  • util-linux (v2.32.1)
  • wireless-tools (v30)
  • wpa_supplicant (v2.9)
  • Xorg (v1.20.1)
  • xz (v5.2.4)

Basic facts

Section titled “Basic facts”

Lets first have a look at the Kernel version:

Terminal window
$ uname -a
Linux sdxprairie 4.14.117 #1 PREEMPT Thu Aug 19 23:42:26 UTC 2021 armv7l GNU/Linux


/ # cat /proc/version
Linux version 4.14.117 (oe-user@oe-host) (clang version 6.0.9 for Android NDK) #1 PREEMPT Thu Aug 19 23:42:26 UTC 2021

Apparently the firmware has been built by Open Embedded as indicated by the kernel notice “oe-user”.

There is also a /target file lying around. I assume that “sdxprairie” is Qualcomm’s name for the SDK / BSP which is used by Netgear.

Terminal window
$ cat /target
sdxprairie

The application processor of the Snapdragon X55 is a fairly low powered single-core ARM v7:

Terminal window
$ cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 38.40
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5


Hardware        : Qualcomm Technologies, Inc SDXPRAIRIE
Revision        : 0000
Serial          : 0000000000000000

With around 780 MB of RAM:

Terminal window
$ free -m
             total       used       free     shared    buffers     cached
Mem:           781        387        393          0          0        142
-/+ buffers/cache:        245        535
Swap:          109          0        109

SoC details

Section titled “SoC details”

Within the SysFS we can find some details about the SoC. More details about the meaning can be found in the Kernel documentation:

SysFS EntryValue
/sys/devices/soc0/accessory_chip0
/sys/devices/soc0/chip_family0x5e
/sys/devices/soc0/chip_nameSDX55
/sys/devices/soc0/familySnapdragon
/sys/devices/soc0/foundry_id1
/sys/devices/soc0/hw_platformMTP
/sys/devices/soc0/image_crm_version:ntgrbc-fwbuild6
/sys/devices/soc0/image_variantMAATANAZA
/sys/devices/soc0/image_version00:BOOT.SBL.4.1-00231
/sys/devices/soc0/machineSDXPRAIRIE
/sys/devices/soc0/ncluster_array_offset0xb0
/sys/devices/soc0/ndefective_parts_array_offset0xb4
/sys/devices/soc0/nmodem_supported0xffffffff
/sys/devices/soc0/nproduct_id0x410
/sys/devices/soc0/num_clusters0x1
/sys/devices/soc0/num_defective_parts0xd
/sys/devices/soc0/platform_subtypeInvalid
/sys/devices/soc0/platform_subtype_id5
/sys/devices/soc0/platform_version65536
/sys/devices/soc0/pmic_die_revision131072
/sys/devices/soc0/pmic_model65568
/sys/devices/soc0/raw_device_family0x6
/sys/devices/soc0/raw_device_number0xb
/sys/devices/soc0/raw_id207
/sys/devices/soc0/raw_version2
/sys/devices/soc0/revision2.0
/sys/devices/soc0/select_image0
/sys/devices/soc0/serial_number27453XXXX
/sys/devices/soc0/soc_id357
/sys/devices/soc0/vendorQualcomm
Terminal window
$ cat /sys/devices/soc0/images
0:
        CRM:            00:BOOT.SBL.4.1-00231
        Variant:        MAATANAZA
        Version:        :ntgrbc-fwbuild6
1:
        CRM:            01:TZ.FU.5.9-00147
        Variant:        EATAANBAA
        Version:        :CRM
11:
        CRM:            11:MPSS.HI.2.0.c3.5-00010-SDX55_CPEALL_PACK-1.403198.3
        Variant:        sdx55.gennatch.prod
        Version:        :ntgrbc-fwbuild6

Kernel command line

Section titled “Kernel command line”
Terminal window
$ cat /proc/cmdline
noinitrd rw rootwait console=ttyMSM0,115200,n8 androidboot.hardware=qcom msm_rtb.filter=0x237 androidboot.console=ttyMSM0 lpm_levels.sleep_disabled=1 firmware_class.path=/lib/firmware/updates service_locator.enable=1 net.ifnames=0 atlantic_fwd.rx_ring_size=1024 pci=pcie_bus_perf rootfstype=ubifs rootflags=bulk_read root=ubi0:rootfs ubi.mtd=24 androidboot.serialno=105d0dc7 androidboot.baseband=msm

Kernel log

Section titled “Kernel log”

Unfortunately, I was not able to capture early kernel log messages. I assume those are only printed via a serial port and lost as the circular buffer for the kernel log has not been set up.

More details

Section titled “More details”

Feel free to contact me if I missed any particular detail which is interesting to you.