Technicolor C2100T
From charlesreid1
Links
Firmware download:
Datasheet: http://internethelp.centurylink.com/internethelp/pdf/modems/datasheet-c2100t.pdf
Info about FCC testing: https://fccid.io/RSE-C2100T#exhibits
DSLReports forums: https://www.dslreports.com/forum/centurylink
This kind of explains the port 1050 thing (Java or OTG file share). Keyword was "Corba" management: https://docs.oracle.com/cd/E17984_01/doc.898/e14696/java_connector.htm
Chipset: BCM963268 Broadband Router
Attack vector:
- Possible ADSL attack vector: http://bundlr.com/clips/5376055378cc8710a00003bc
- Boils down to an nmap command to look for open port 80 on a huge block of IP addresses
Linux:
$ nmap -sS -sV -vv -n -Pn -T5 1A.B.C.D -p80 -oG -
Mac:
$ nmap -sS -sV -vv -n -Pn -T5 A.B.C.D -p80 -oG -
Telnet
Telnet access:
- Log in to the router through the admin page
- Advanced setup
- Remote console
- Enable telnet from WAN or LAN
NOTE: THIS IS REALLY REALLY FREAKING IMPORTANT: When you turn on telnet, it turns it on from BOTH sides - internal and external. Don't leave it on, or else your telnet server will get hammered, a hacker will obtain root access, your router firmware will get flashed with a malicious binary, traffic sniffers will be installed, people will spy on you using your webcam, your bank accounts will be emptied, life as you know it will come to a screeching halt, etc. etc. etc.
Telnet Commands
Logging in and typing a question mark for help shows all the available commands:
> ?
?
help
logout
exit
quit
reboot
env_list
autodetect
adsl
xdslctl0
xdslctl1
loglevel
meminfo
dnsproxy
ping
voice
dect
wlctl
lanhosts
passwd
restoredefault
save
swversion
uptime
cfgupdate
swupdate
exitOnIdle
wan
igmp
imageServer
pm
led
wpsbtn
snoop_on
snoop_off
These commands provide lots of information about the router. Here's a brief rundown:
- env_list - lists all environment variables, including _PROD_SERIAL_NBR, _BOOTLOADER_VERSION, _WL0_WEPKEY_SERIAL, _WL0_WPAKEY_SERIAL, _WL0_PIN_SERIAL
- autodetect - sets parameters (start_delay, cycle_delay, ppp_attempts, dhcp_attempts) for router
- adsl - asymmetric digital subscriber line, faster data rates over copper phone lines than by using conventional VOIP modem
- xdslctl0 - not sure, but looks like another advanced command line interface, related to ADSL
- xdslctl1 - ditto
- meminfo - info about how much memory is being used
- dnsproxy - dumps info or stats (in my case, nothing printed out........)
- ping - works like normal ping, say ping IPADDR
- voice - this is basically the program that you use to interface with VOIP settings on the router. See below for detailed output.
- dect - DECT is some kind of phone handset base station functionality. More of this SIP/phone/dialing stuff.
- wlctl - wireless control program, looooots of commands, options, and information provided
- lanhosts - for each host connected to the network (wired or wireless), list IP address, MAC address, and hostname.
- passwd - duh, changes password
- restoredefault - duh, restores default factory settings (?)
- save - save current settings to config file (?)
- swversion - tells you what version of router firmware your router is running
- uptime - reports uptime of router
- cfgupdate - not sure - update settings using config file (?)
- swupdate - update onboard software (?)
- exitOnIdle - (?)
- wan - shows information about network interfaces and devices
- igmp - IGMP is the Internet Group Management Protocol, used for multicasting and for dealing with video and games
- imageServer - downloads and installs a firmware image from an external URL
- pm - port mirroring/monitoring service
- wpsbtn - returns a 1 or 0 depending on whether the WPS button is turned off or on
- snoop_on/snoop_off - turns IGMPv3 snooping on or off (this will assist with IGMP traffic routing)
voice
Here's the output for the voice command:
> voice
Command syntax:
voice --help - show the voice command syntax
voice show - show the voice parameters
voice show stats - show call statistics
voice start - start the voice application
voice stop - stop the voice application
voice save - store voice params to flash
voice reboot - restart the voice application
voice set <param> <arg1> <arg2>.. - set a provisionable parameter
List of voice set params and args:
defaults <None> - Default VoIP setup
boundIfname <LAN|Any_WAN|(WAN IfName, e.g. nas_0_0_35)> - vodsl network interface
ipAddrFamily <IPv4|IPv6> - IP address family
pstnDialPlan <pstn line#> <dialPlan> - PSTN dial plan
pstnRouteRule <pstn line#> <Auto|Voip|Line> - PSTN Route rule
pstnRouteData <pstn line#> <line #|URL for VOIP> - PSTN Route data
locale <srvPrv#> <region> - 2 or 3 character code
DTMFMethod <srvPrv#> <InBand|RFC2833|SIPInfo> - DTMF digit passing method
hookFlashMethod <srvPrv#> <SIPInfo|None> - Hook flash method
transport <srvPrv#> <UDP|TCP|TLS> - transport protocol
srtpOption <srvPrv#> <Mandatory|Optional|Disabled> - SRTP usage option
regRetryInt <srvPrv#> <seconds> - SIP register retryinterval
regExpires <srvPrv#> <seconds> - Register expires hdr val
rtpDSCPMark <srvPrv#> <mark> - RTP outgoing DSCP mark
logServer <srvPrv#> <hostName|IP> - Log server
logPort <srvPrv#> <port> - Log server port
digitMap <srvPrv#> <digitmap> - dial digit map
T38 <srvPrv#> on|off - enable/disable T38
V18 <srvPrv#> on|off - enable/disable V.18 detection
reg <srvPrv#> <hostName|IP> - SIP registrar server
regPort <srvPrv#> <port> - SIP registrar server port
proxy <srvPrv#> <hostName|IP> - SIP proxy server
proxyPort <srvPrv#> <port> - SIP proxy server port
obProx <srvPrv#> <hostName|IP> - SIP outbound proxy
obProxPort <srvPrv#> <port> - SIP outbound proxy port
sipDomain <srvPrv#> <CPE_domainName> - SIP user agent domain
sipPort <srvPrv#> <port> - SIP user agent port
sipDSCPMark <srvPrv#> <mark> - SIP outgoing DSCP mark
musicServer <srvPrv#> <hostName|IP> - SIP music server
musicSrvPort <srvPrv#> <port> - SIP music server port
tagMatching <srvPrv#> <on|off> - SIP to tag matching
timerB <srvPrv#> <time in ms> - SIP protocol B timer
timerF <srvPrv#> <time in ms> - SIP protocol F timer
lineStatus <srvPrv#> <accnt#> <on|off> - Activate line
physEndpt <srvPrv#> <accnt#> <id> - Phys Endpt
extension <srvPrv#> <accnt#> <URI> - SIP extension
dispName <srvPrv#> <accnt#> <Name> - SIP Display Name
authName <srvPrv#> <accnt#> <name> - SIP auth name
authPwd <srvPrv#> <accnt#> <pwd> - SIP auth password
MWIEnable <srvPrv#> <accnt#> <on|off> - Msg Waiting Indication
cfwdNum <srvPrv#> <accnt#> <number> - call forward number
cfwdAll <srvPrv#> <accnt#> <on|off> - call forward all
cfwdNoAns <srvPrv#> <accnt#> <on|off> - call forward no answer
cfwdBusy <srvPrv#> <accnt#> <on|off> - call forward busy
callWait <srvPrv#> <accnt#> <on|off> - call waiting
anonBlck <srvPrv#> <accnt#> <on|off> - Anonymous call rcv blcking
anonCall <srvPrv#> <accnt#> <on|off> - Anonymous outgng calls
DND <srvPrv#> <accnt#> <on|off> - do not disturb
CCBS <srvPrv#> <accnt#> <on|off> - Call completion on busy
speedDial <srvPrv#> <accnt#> <on|off> - Speed dial
warmLine <srvPrv#> <accnt#> <on|off> - Warm line
warmLineNum <srvPrv#> <accnt#> <number> - Warm line number
callBarring <srvPrv#> <accnt#> <on|off> - Call barring
callBarrPin <srvPrv#> <accnt#> <number> - Call barring pin
callBarrDigMap <srvPrv#> <accnt#> <digitmap> - Call barring digit map
netPrivacy <srvPrv#> <accnt#> <on|off> - Network privacy
vmwi <srvPrv#> <accnt#> <on|off> - Visual message waiting indication
vad <srvPrv#> <accnt#> <on|off> - enable vad
pTime <srvPrv#> <accnt#> <pTime> - packetization period
codecList <srvPrv#> <accnt#> <codec(1)[,codec(2)]> - codec priority list
rxGain <srvPrv#> <accnt#> <rxGain> - rxGain (dB)
txGain <srvPrv#> <accnt#> <txGain> - txGain (dB)
Now trying voice show to show values of parameters:
> voice show
Global Parameters:
------------------
BoundIfName : Any_WAN
IP address family : IPv4
Vodsl logLevel : Error
Management Protocol : TR69
Service Provider 0:
--------------------
Associated Voice Profile: 1
Locale : USA
DTMFMethod : RFC2833
HookFlashMethod : None
DigitMap : #xx|[2-9]11|1[2-9]11|[2-9]xxxxxxxxx|1[2-9]xxxxxxxxx|x.T
Log Server Addr :
Log Server Port : 0
T38 : on
V18 : off
RTPDSCPMark : 46
SIP:
Domain :
Port : 0
Transport : UDP
RegExpires : 0
RegRetryInterval : 0
DSCPMark : 40
Registrar Addr :
Registrar Port : 0
Proxy Addr :
Proxy Port : 0
OutBoundProxy Addr :
OutBoundProxy Port : 0
Music Server Addr :
Music Server Port : 0
To Tag Matching : On
Timer B ( in ms ) : 32000
Timer F ( in ms ) : 32000
SRTP Usage Option : Optional
Account 0:
-----------
ActivationStatus : Disabled
VoipServiceStatus : Disabled
CallStatus : Idle
Associated CM Acnt : 0
PhysEndpt : 1
Extension :
DisplayName :
AuthName :
AuthPwd :
TxGain : 0 dB
RxGain : 0 dB
CALLFEATURES:
MWI : off
CallWaiting : on
CFWDNum :
CallFwdAll : off
CallFwdBusy : off
CallFwdNoans : off
AnonymousOutgoingCall: off
AnonymousCallRcvBlock: off
DoNotDisturb : off
CallCompOnBusy : off
SpeedDial : off
WarmLine : off
WarmLineNum :
CallBarring : off
CallBarringMode : None
CallBarringPin : 9999
CallBarringDigitMap :
NetPrivacy : off
VMWI : off
CODECSETTINGS:
VAD : off
pTime : 20
CodecList : (0) G.722
(1) G.711MuLaw
(2) T38
(3) NTE
Account 1:
-----------
ActivationStatus : Disabled
VoipServiceStatus : Disabled
CallStatus : Idle
Associated CM Acnt : 1
PhysEndpt : 1
Extension :
DisplayName :
AuthName :
AuthPwd :
TxGain : 0 dB
RxGain : 0 dB
CALLFEATURES:
MWI : off
CallWaiting : on
CFWDNum :
CallFwdAll : off
CallFwdBusy : off
CallFwdNoans : off
AnonymousOutgoingCall: off
AnonymousCallRcvBlock: off
DoNotDisturb : off
CallCompOnBusy : off
SpeedDial : off
WarmLine : off
WarmLineNum :
CallBarring : off
CallBarringMode : None
CallBarringPin : 9999
CallBarringDigitMap :
NetPrivacy : off
VMWI : off
CODECSETTINGS:
VAD : off
pTime : 20
CodecList : (0) G.722
(1) G.711MuLaw
(2) T38
(3) NTE
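The security-relevant values in this capture (signalling transport, SRTP option, call-barring PIN, SIP password field) can be checked offline from a saved session log. The parser below is an added example, not part of the original page or of the router firmware; the function names are hypothetical, the sample text is abridged from the capture above, and treating 9999 as a factory-default PIN is an assumption based on it appearing on both unconfigured accounts.

```python
import re

# Abridged copy of the `voice show` capture from this page.
SAMPLE = """\
> voice show
Global Parameters:
------------------
BoundIfName : Any_WAN
Management Protocol : TR69
Service Provider 0:
--------------------
Locale : USA
SIP:
Transport : UDP
Registrar Addr :
Timer B ( in ms ) : 32000
SRTP Usage Option : Optional
Account 0:
-----------
AuthName :
AuthPwd :
CALLFEATURES:
CallBarring : off
CallBarringPin : 9999
CODECSETTINGS:
CodecList : (0) G.722
(1) G.711MuLaw
Account 1:
-----------
AuthPwd :
CALLFEATURES:
CallBarringPin : 9999
"""

# Section headers as they appear in the capture.
HEADER = re.compile(
    r"^(Global Parameters|Service Provider \d+|SIP|Account \d+|"
    r"CALLFEATURES|CODECSETTINGS):$"
)

# (key, predicate that is True when the value is weak, explanation)
RULES = [
    ("Transport", lambda v: v != "TLS",
     "SIP signalling is not carried over TLS"),
    ("SRTP Usage Option", lambda v: v != "Mandatory",
     "calls may be set up without SRTP media encryption"),
    ("CallBarringPin", lambda v: v == "9999",
     "PIN equals the value seen on unconfigured accounts (assumed default)"),
    ("AuthPwd", lambda v: v != "",
     "SIP password is printed in clear in the telnet session"),
]


def parse_voice_show(text):
    """Return {scope: {key: value}} parsed from `voice show` output."""
    settings = {}
    provider = account = sub = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"} or line.startswith(">"):
            continue  # blank line, dashed underline, or echoed prompt
        m = HEADER.match(line)
        if m:
            name = m.group(1)
            if name == "Global Parameters":
                provider = account = sub = None
            elif name.startswith("Service Provider"):
                provider, account, sub = name, None, None
            elif name.startswith("Account"):
                account, sub = name, None
            elif name == "SIP":
                sub = name
            # CALLFEATURES / CODECSETTINGS keys stay in the account scope.
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # codec list continuation such as "(1) G.711MuLaw"
        parts = (provider or "Global", account or sub)
        scope = " / ".join(p for p in parts if p)
        settings.setdefault(scope, {})[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return a list of (scope, key, value, reason) for weak settings."""
    findings = []
    for scope, kv in settings.items():
        for key, is_weak, reason in RULES:
            if key in kv and is_weak(kv[key]):
                findings.append((scope, key, kv[key], reason))
    return findings


if __name__ == "__main__":
    for scope, key, value, reason in audit(parse_voice_show(SAMPLE)):
        print(f"[{scope}] {key} = {value!r}: {reason}")
```

The values that `transport` and `srtpOption` accept are the ones listed in the `voice` help text above (UDP|TCP|TLS and Mandatory|Optional|Disabled).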
wlctl
Hold on to your butts, there's gonna be about 100 pages of output:
> wlctl
Usage: wlctl [-a|i <adapter>] [-h] [-d|u|x] <command> [arguments]
-h this message and command descriptions
-h [cmd] command description for cmd
-a, -i adapter name or number
-d output format signed integer
-u output format unsigned integer
-x output format hexdecimal
ver get version information
cmds generate a short list of available commands
up reinitialize and mark adapter up (operational)
down reset and mark adapter down (disabled)
out mark adapter down but do not reset hardware(disabled)
On dualband cards, cards must be bandlocked before use.
clk set board clock state. return error for set_clk attempt if the driver is not down
0: clock off
1: clock on
restart Restart driver. Driver must already be down.
reboot Reboot platform
radio Set the radio on or off.
"on" or "off"
dump Give suboption "list" to list various suboptions
srclear Clears first 'len' bytes of the srom, len in decimal or hex
Usage: srclear <len>
srdump print contents of SPROM to stdout
srwrite Write the srom: srwrite byteoffset value
srcrc Get the CRC for input binary file
ciswrite
Write specified <file> to the SDIO CIS source (either SROM or OTP)
cisupdate
Write a hex byte stream to specified byte offset to the CIS source (either SROM or OTP)
--preview option allows you to review the update without committing it
<byte offset> <hex byte stream> [--preview]
cisdump Display the content of the SDIO CIS source
-b <file> -- also write raw bytes to <file>
<len> -- optional count of bytes to display (must be even)
cis_source
Display which source is used for the SDIO CIS
cisconvert
Print CIS tuple for given name=value pair
rdvar Read a named variable to the srom
wrvar Write a named variable to the srom
nvram_source
Display which source is used for nvram
nvram_dump
print nvram variables to stdout
nvset set an nvram variable
name=value (no spaces around '=')
nvget get the value of an nvram variable
nvram_get
get the value of an nvram variable
revinfo get hardware revision information
customvar1
print the value of customvar1 in hex format
msglevel
set driver console debugging message bitvector
type 'wl msglevel ?' for values
phymsglevel
set phy debugging message bitvector
type 'wl phymsglevel ?' for values
PM set driver power management mode:
0: CAM (constantly awake)
1: PS (power-save)
2: FAST PS mode
wake set driver power-save mode sleep state:
0: core-managed
1: awake
promisc set promiscuous mode ethernet address reception
0 - disable
1 - enable
monitor set monitor mode
0 - disable
1 - enable active monitor mode (interface still operates)
frag Deprecated. Use fragthresh.
rts Deprecated. Use rtsthresh.
cwmin Set the cwmin. (integer [1, 255])
cwmax Set the cwmax. (integer [256, 2047])
srl Set the short retry limit. (integer [1, 255])
lrl Set the long retry limit. (integer [1, 255])
rate force a fixed rate:
valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
valid values for 802.11b are (1, 2, 5.5, 11)
valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
-1 (default) means automatically determine the best rate
mrate force a fixed multicast rate:
valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
valid values for 802.11b are (1, 2, 5.5, 11)
valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
-1 (default) means automatically determine the best rate
a_rate force a fixed rate for the A PHY:
valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
-1 (default) means automatically determine the best rate
a_mrate force a fixed multicast rate for the A PHY:
valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
-1 (default) means automatically determine the best rate
bg_rate force a fixed rate for the B/G PHY:
valid values for 802.11b are (1, 2, 5.5, 11)
valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
-1 (default) means automatically determine the best rate
bg_mrate
force a fixed multicast rate for the B/G PHY:
valid values for 802.11b are (1, 2, 5.5, 11)
valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
-1 (default) means automatically determine the best rate
infra Set Infrastructure mode: 0 (IBSS) or 1 (Infra BSS)
ap Set AP mode: 0 (STA) or 1 (AP)
bssid Get the BSSID value, error if STA and not associated
bssmax get number of BSSes
channel Set the channel:
valid channels for 802.11b/g (2.4GHz band) are 1 through 14
valid channels for 802.11a (5 GHz band) are:
36, 40, 44, 48, 52, 56, 60, 64,
100, 104, 108, 112, 116,120, 124, 128, 132, 136, 140,
149, 153, 157, 161,
184, 188, 192, 196, 200, 204, 208, 212, 216
cur_mcsset
Get the current mcs set
chanspecs
Get all the valid chanspecs (default: all within current locale):
-b band (5(a) or 2(b/g))
-w bandwidth, 10,20 or 40
[-c country_abbrev]
chanspec
Set <channel>[a,b][n][u,l]
channel number (0-224)
band a=5G, b=2G, default to 2G if channel <= 14
bandwidth, n=10, none for 20 & 40
ctl sideband, l=lower, u=upper
OR Set channel with legacy format:
-c channel number (0-224)
-b band (5(a) or 2(b/g))
-w bandwidth, 10,20 or 40
-s ctl sideband, -1=lower, 0=none, 1=upper
dfs_channel_forced
Set <channel>[a,b][n][u,l]
channel number (0-224)
band a=5G, b=2G, default to 2G if channel <= 14
bandwidth, n=10, non for 20 & 40
ctl sideband, l=lower, u=upper
tssi Get the tssi value from radio
txpwr Set tx power in milliwatts. Range [1, 84].
txpwr1 Set tx power in in various units. Choose one of (default: dbm):
-d dbm units
-q quarter dbm units
-m milliwatt units
Can be combined with:
-o turn on override to disable regulatory and other limitations
Use wl txpwr -1 to restore defaults
txpathpwr
Turn the tx path power on or off on 2050 radios
txpwrlimit
Return current tx power limit
powerindex
Set the transmit power for A band(0-63).
-1 - default value
atten Set the transmit attenuation for B band. Args: bb radio txctl1.
auto to revert to automatic control
manual to supspend automatic control
phyreg Get/Set a phy register:
offset [ value ] [ band ]
radioreg
Get/Set a radio register:
offset [ value ] [ band/core ]
HTPHY:
Get a radio register: wl radioreg [ offset ] [ cr0/cr1/cr2 ]
Set a radio register: wl radioreg [ offset ] [ value ] [ cr0/cr1/cr2/all ]
ucflags Get/Set ucode flags 1, 2, 3(16 bits each)
offset [ value ] [ band ]
shmem Get/Set a shared memory location:
offset [ value ] [band ]
macreg Get/Set any mac registers(include IHR and SB):
macreg offset size[2,4] [ value ] [ band ]
ucantdiv
Enable/disable ucode antenna diversity (1/0 or on/off)
gpioout Set any GPIO pins to any value. Use with caution as GPIOs would be assigned to chipcommon
Usage: gpiomask gpioval
devpath print device path
jtagureg
g/set JTAG user registers
coma Put the router in a catatonic state
pllreset
set the pll to reset value
Usage: wl pllreset
pcieserdesreg
g/set SERDES registers: dev offset [val]
ampdu_activate_test
actiate
ampdu_tid
enable/disable per-tid ampdu; usage: wl ampdu_tid <tid> [0/1]
ampdu_retry_limit_tid
Set per-tid ampdu retry limit; usage: wl ampdu_retry_limit_tid <tid> [0~31]
ampdu_rr_retry_limit_tid
Set per-tid ampdu regular rate retry limit; usage: wl ampdu_rr_retry_limit_tid <tid> [0~31]
ampdu_send_addba
send addba to specified ea-tid; usage: wl ampdu_send_addba <tid> <ea>
ampdu_send_delba
send delba to specified ea-tid; usage: wl ampdu_send_delba <tid> <ea>
ampdu_clear_dump
clear ampdu counters
dpt_deny
adds/removes ea to dpt deny list
usage: wl dpt_deny <add,remove> <ea>
dpt_endpoint
creates/updates/deletes dpt endpoint for ea
usage: wl dpt_endpoint <create, update, delete> <ea>
dpt_pmk sets DPT pre-shared key
dpt_fname
sets/gets DPT friendly name
dpt_list
gets status of all dpt peers
actframe
Send a Vendor specific Action frame to a channel
usage: wl actframe <Dest Mac Addr> <data> channel dwell-time <BSSID>
antdiv Set antenna diversity for rx
0 - force use of antenna 0
1 - force use of antenna 1
3 - automatic selection of antenna diversity
txant Set the transmit antenna
0 - force use of antenna 0
1 - force use of antenna 1
3 - use the RX antenna selection that was in force during
the most recently received good PLCP header
plcphdr Set the plcp header.
"long" or "auto" or "debug"
phytype Get phy type
rateparam
set driver rate selection tunables
arg 1: tunable id
arg 2: tunable value
wepstatus
Set or Get WEP status
wepstatus [on|off]
primary_key
Set or get index of primary key
addwep Set an encryption key. The key must be 5, 13 or 16 bytes long, or
10, 26, 32, or 64 hex digits long. The encryption algorithm is
automatically selected based on the key size. keytype is accepted
only when key length is 16 bytes/32 hex digits and specifies
whether AES-OCB or AES-CCM encryption is used. Default is ccm.
WAPI is selected if key len is 32 and arguments contain wapi.
addwep <keyindex> <keydata> [ocb | ccm | wapi] [notx] [xx:xx:xx:xx:xx:xx]
rmwep Remove the encryption key at the specified key index.
keys Prints a list of the current WEP keys
tsc Print Tx Sequence Couter for key at specified key index.
wsec_test
Generate wsec errors
wsec_test <test_type> <keyindex|xx:xx:xx:xx:xx:xx>
type 'wl wsec_test ?' for test_types
tkip_countermeasures
Enable or disable TKIP countermeasures (TKIP-enabled AP only)
0 - disable
1 - enable
wsec_restrict
Drop unencrypted packets if WSEC is enabled
0 - disable
1 - enable
eap restrict traffic to 802.1X packets until 802.1X authorization succeeds
0 - disable
1 - enable
cur_etheraddr
Get/set the current hw address
perm_etheraddr
Get the permanent address from NVRAM
authorize
restrict traffic to 802.1X packets until 802.1X authorization succeeds
deauthorize
do not restrict traffic to 802.1X packets until 802.1X authorization succeeds
deauthenticate
deauthenticate a STA from the AP with optional reason code (AP ONLY)
wsec wireless security bit vector
1 - WEP enabled
2 - TKIP enabled
4 - AES enabled
8 - WSEC in software
0x80 - FIPS enabled
0x100 - WAPI enabled
auth set/get 802.11 authentication type. 0 = OpenSystem, 1= SharedKey, 2=Open/Shared
wpa_auth
Bitvector of WPA authorization modes:
1 WPA-NONE
2 WPA-802.1X/WPA-Professional
4 WPA-PSK/WPA-Personal
64 WPA2-802.1X/WPA2-Professional
128 WPA2-PSK/WPA2-Personal
0 disable WPA
wpa_cap set/get 802.11i RSN capabilities
set_pmk Set passphrase for PMK in driver-resident supplicant.
scan Initiate a scan.
Default to an active scan across all channels for any SSID.
Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
Options:
-s S, --ssid=S SSIDs to scan
-t ST, --scan_type=ST [active|passive|prohibit] scan type
--bss_type=BT [bss/infra|ibss/adhoc] bss type to scan
-b MAC, --bssid=MAC particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
-n N, --nprobes=N number of probes per scanned channel
-a N, --active=N dwell time per channel for active scanning
-p N, --passive=N dwell time per channel for passive scanning
-h N, --home=N dwell time for the home channel between channel scans
-c L, --channels=L comma or space separated list of channels to scan
iscan_s Initiate an incremental scan.
Default to an active scan across all channels for any SSID.
Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
Options:
-s S, --ssid=S SSIDs to scan
-t ST, --scan_type=ST [active|passive|prohibit] scan type
--bss_type=BT [bss/infra|ibss/adhoc] bss type to scan
-b MAC, --bssid=MAC particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
-n N, --nprobes=N number of probes per scanned channel
-a N, --active=N dwell time per channel for active scanning
-p N, --passive=N dwell time per channel for passive scanning
-h N, --home=N dwell time for the home channel between channel scans
-c L, --channels=L comma or space separated list of channels to scan
iscan_c Continue an incremental scan.
Default to an active scan across all channels for any SSID.
Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
Options:
-s S, --ssid=S SSIDs to scan
-t ST, --scan_type=ST [active|passive|prohibit] scan type
--bss_type=BT [bss/infra|ibss/adhoc] bss type to scan
-b MAC, --bssid=MAC particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
-n N, --nprobes=N number of probes per scanned channel
-a N, --active=N dwell time per channel for active scanning
-p N, --passive=N dwell time per channel for passive scanning
-h N, --home=N dwell time for the home channel between channel scans
-c L, --channels=L comma or space separated list of channels to scan
scancache_clear
clear the scan cache
escan Start an escan.
Default to an active scan across all channels for any SSID.
Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
Options:
-s S, --ssid=S SSIDs to scan
-t ST, --scan_type=ST [active|passive|prohibit] scan type
--bss_type=BT [bss/infra|ibss/adhoc] bss type to scan
-b MAC, --bssid=MAC particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
-n N, --nprobes=N number of probes per scanned channel
-a N, --active=N dwell time per channel for active scanning
-p N, --passive=N dwell time per channel for passive scanning
-h N, --home=N dwell time for the home channel between channel scans
-c L, --channels=L comma or space separated list of channels to scan
escanabort
Abort an escan.
Default to an active scan across all channels for any SSID.
Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
Options:
-s S, --ssid=S SSIDs to scan
-t ST, --scan_type=ST [active|passive|prohibit] scan type
--bss_type=BT [bss/infra|ibss/adhoc] bss type to scan
-b MAC, --bssid=MAC particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
-n N, --nprobes=N number of probes per scanned channel
-a N, --active=N dwell time per channel for active scanning
-p N, --passive=N dwell time per channel for passive scanning
-h N, --home=N dwell time for the home channel between channel scans
-c L, --channels=L comma or space separated list of channels to scan
passive Puts scan engine into passive mode
regulatory
Get/Set regulatory domain mode (802.11d). Driver must be down.
spect Get/Set 802.11h Spectrum Management mode.
0 - Off
1 - Loose interpretation of 11h spec - may join non-11h APs
2 - Strict interpretation of 11h spec - may not join non-11h APs
3 - Disable 11h and enable 11d
4 - Loose interpretation of 11h+d spec - may join non-11h APs
scanabort
Abort a scan.
scanresults
Return results from last scan.
iscanresults
Return results from last iscan. Specify a buflen (max 8188)
to artificially limit the size of the results buffer.
iscanresults [buflen]
assoc Print information about current network association.
(also known as "status")
status Print information about current network association.
(also known as "assoc")
disassoc
Disassociate from the current BSS/IBSS.
channels
Return valid channels for the current settings.
channels_in_country
Return valid channels for the country specified.
Arg 1 is the country abbreviation
Arg 2 is the band(a or b)
curpower
Return current tx power settings.
-q (quiet): estimated power only.
curppr Return current tx power per rate offset.
txinstpwr
Return tx power based on instant TSSI
scansuppress
Suppress all scans for testing.
0 - allow scans
1 - suppress scans
evm Start an EVM test on the given channel, or stop EVM test.
Arg 1 is channel number 1-14, or "off" or 0 to stop the test.
Arg 2 is optional rate (1, 2, 5.5 or 11)
rateset Returns or sets the supported and basic rateset, (b) indicates basic
With no args, returns the rateset. Args are
rateset "default" | "all" | <arbitrary rateset> -m <arbitrary mcsset>
default - driver defaults
all - all rates are basic rates
arbitrary rateset - list of rates
arbitrary mcsset - list of mcs rates octets, each bit representing
corresponding mcs
List of rates are in Mbps and each rate is optionally followed
by "(b)" or "b" for a Basic rate. Example: 1(b) 2b 5.5 11
At least one rate must be Basic for a legal rateset.
roam_trigger
Get or Set the roam trigger RSSI threshold:
Get: roam_trigger [a|b]
Set: roam_trigger <integer> [a|b|all]
integer - 0: default
1: optimize bandwidth
2: optimize distance
[-1, -99]: dBm trigger value
roam_delta
Set the roam candidate qualification delta. roam_delta [integer [, a/b]]
roam_scan_period
Set the roam candidate qualification delta. (integer)
suprates
Returns or sets the 11g override for the supported rateset
With no args, returns the rateset. Args are a list of rates,
or 0 or -1 to specify an empty rateset to clear the override.
List of rates are in Mbps, example: 1 2 5.5 11
scan_channel_time
Get/Set scan channel time
scan_unassoc_time
Get/Set unassociated scan channel dwell time
scan_home_time
Get/Set scan home channel dwell time
scan_passive_time
Get/Set passive scan channel dwell time
scan_nprobes
Get/Set scan parameter for number of probes to use per channel scanned
prb_resp_timeout
Get/Set probe response timeout
channel_qa
Get last channel quality measurment
channel_qa_start
Start a channel quality measurment
country Select Country Code for driver operational region
For simple country setting: wl country <country>
Where <country> is either a long name or country code from ISO 3166; for example "Germany" or "DE"
For a specific built-in country definition: wl country <built-in> [<advertised-country>]
Where <built-in> is a country country code followed by '/' and regulatory revision number.
For example, "US/3".
And where <advertised-country> is either a long name or country code from ISO 3166.
If <advertised-country> is omitted, it will be the same as the built-in country code.
Use 'wl country list [band(a or b)]' for the list of supported countries
country_ie_override
To set/get country ie
autocountry_default
Select Country Code for use with Auto Contry Discovery
join Join a specified network SSID.
Usage: join <ssid> [key <0-3>:xxxxx] [imode bss|ibss] [amode open|shared|openshared|wpa|wpapsk|wpa2|wpa2psk|wpanone] [options]
Options:
-b MAC, --bssid=MAC BSSID (xx:xx:xx:xx:xx:xx) to scan and join
-c CL, --chanspecs=CL chanspecs (comma or space separated list)
ssid Set or get a configuration's SSID.
wl ssid [-C num]|[--cfg=num] [<ssid>]
If the configuration index 'num' is not given, configuraion #0 is assumed and
setting will initiate an assoication attempt if in infrastructure mode,
or join/creation of an IBSS if in IBSS mode,
or creation of a BSS if in AP mode.
mac Set or get the list of source MAC address matches.
wl mac xx:xx:xx:xx:xx:xx [xx:xx:xx:xx:xx:xx ...]
To Clear the list: wl mac none
macmode Set the mode of the MAC list.
0 - Disable MAC address matching.
1 - Deny association to stations on the MAC list.
2 - Allow association to stations on the MAC list.
wds Set or get the list of WDS member MAC addresses.
Set using a space separated list of MAC addresses.
wl wds xx:xx:xx:xx:xx:xx [xx:xx:xx:xx:xx:xx ...]
lazywds Set or get "lazy" WDS mode (dynamically grant WDS membership to anyone).
noise Get noise (moving average) right after tx in dBm
fqacurcy
Manufacturing test: set frequency accuracy mode.
freqacuracy syntax is: fqacurcy <channel>
Arg is channel number 1-14, or 0 to stop the test.
crsuprs Manufacturing test: set carrier suppression mode.
carriersuprs syntax is: crsuprs <channel>
Arg is channel number 1-14, or 0 to stop the test.
longtrain
Manufacturing test: set longtraining mode.
longtrain syntax is: longtrain <channel>
Arg is A band channel number or 0 to stop the test.
band Returns or sets the current band
auto - auto switch between available bands (default)
a - force use of 802.11a band
b - force use of 802.11b band
bands Return the list of available 802.11 bands
phylist Return the list of available phytypes
shortslot
Get current 11g Short Slot Timing mode. (0=long, 1=short)
shortslot_override
Get/Set 11g Short Slot Timing mode override. (-1=auto, 0=long, 1=short)
shortslot_restrict
Get/Set AP Restriction on associations for 11g Short Slot Timing capable STAs.
0 - Do not restrict association based on ShortSlot capability
1 - Restrict association to STAs with ShortSlot capability
ignore_bcns
AP only (G mode): Check for beacons without NONERP element(0=Examine beacons, 1=Ignore beacons)
pktcnt Get the summary of good and bad packets.
upgrade Upgrade the firmware on an embedded device
gmode Set the 54g Mode (LegacyB|Auto||GOnly|BDeferred|Performance|LRS)
gmode_protection
Get G protection mode. (0=disabled, 1=enabled)
gmode_protection_control
Get/Set 11g protection mode control alg.(0=always off, 1=monitor local association, 2=monitor overlapping BSS)
gmode_protection_override
Get/Set 11g protection mode override. (-1=auto, 0=disable, 1=enable)
protection_control
Get/Set protection mode control alg.(0=always off, 1=monitor local association, 2=monitor overlapping BSS)
legacy_erp
Get/Set 11g legacy ERP inclusion (0=disable, 1=enable)
scb_timeout
AP only: inactivity timeout value for authenticated stas
assoclist
AP only: Get the list of associated MAC addresses.
isup Get driver operational state (0=down, 1=up)
rssi Get the current RSSI val, for an AP you must specify the mac addr of the STA
rssi_event
Set parameters associated with RSSI event notification
usage: wl rssi_event <rate_limit> <rssi_levels>
rate_limit: Number of events posted to application will be limited to 1 per this rate limit. Set to 0 to disable rate limit.
rssi_levels: Variable number of RSSI levels (maximum 8) in increasing order (e.g. -85 -70 -60). An event will be posted each time the RSSI of received beacons/packets cross
fasttimer
Deprecated. Use fast_timer.
slowtimer
Deprecated. Use slow_timer.
glacialtimer
Deprecated. Use glacial_timer.
radar Enable/Disable radar
radarargs
Get/Set Radar parameters in
order as version, npulses, ncontig, min_pw, max_pw, thresh0,
thresh1, blank, fmdemodcfg, npulses_lp, min_pw_lp, max_pw_lp,
min_fm_lp, max_span_lp, min_deltat, max_deltat,
autocorr, st_level_time, t2_min, fra_pulse_err, npulses_fra,
npulses_stg2, npulses_stg3, percal_mask, quant,
min_burst_intv_lp, max_burst_intv_lp, nskip_rst_lp, max_pw_tol, feature_mask
radarargs40
Get/Set Radar parameters for 40Mhz channel in
order as version, npulses, ncontig, min_pw, max_pw, thresh0,
thresh1, blank, fmdemodcfg, npulses_lp, min_pw_lp, max_pw_lp,
min_fm_lp, max_span_lp, min_deltat, max_deltat,
autocorr, st_level_time, t2_min, fra_pulse_err, npulses_fra,
npulses_stg2, npulses_stg3, percal_mask, quant,
min_burst_intv_lp, max_burst_intv_lp, nskip_rst_lp, max_pw_tol, feature_mask
radarthrs
Set Radar threshold for both 20 & 40MHz BW:
order as thresh0_20_lo, thresh1_20_lo, thresh0_40_lo, thresh1_40_lo
thresh0_20_hi, thresh1_20_hi, thresh0_40_hi, thresh1_40_hi
dfs_status
Get dfs status
interference
Get/Set interference mitigation mode. Choices are:
0 = none
1 = non wlan
2 = wlan manual
3 = wlan automatic
4 = wlan automatic with noise reduction
interference_override
Get/Set interference mitigation override. Choices are:
0 = no interference mitigation
1 = non wlan
2 = wlan manual
3 = wlan automatic
4 = wlan automatic with noise reduction
-1 = remove override, override disabled
frameburst
Disable/Enable frameburst mode
pwr_percent
Get/Set power output percentage
toe Enable/Disable tcpip offload feature
toe_ol Get/Set tcpip offload components
toe_stats
Display checksum offload statistics
toe_stats_clear
Clear checksum offload statistics
arpoe Enable/Disable arp agent offload feature
arp_ol Get/Set arp offload components
arp_peerage
Get/Set age of the arp entry in minutes
arp_table_clear
Clear arp cache
arp_hostip
Add a host-ip address or display them
arp_hostip_clear
Clear all host-ip addresses
arp_stats
Display ARP offload statistics
arp_stats_clear
Clear ARP offload statistics
wet Get/Set wireless ethernet bridging mode
bi Get/Set the beacon period (bi=beacon interval)
dtim Get/Set DTIM
wds_remote_mac
Get WDS link remote endpoint's MAC address
wds_wpa_role_old
Get WDS link local endpoint's WPA role (old)
wds_wpa_role
Get/Set WDS link local endpoint's WPA role
authe_sta_list
Get authenticated sta mac address list
autho_sta_list
Get authorized sta mac address list
measure_req
Send an 802.11h measurement request.
Usage: wl measure_req <type> <target MAC addr>
Measurement types are: TPC, Basic, CCA, RPI
Target MAC addr format is xx:xx:xx:xx:xx:xx
quiet Send an 802.11h quiet command.
Usage: wl quiet <TBTTs until start>, <duration (in TUs)>, <offset (in TUs)>
csa Send an 802.11h channel switch anouncement with chanspec:
<mode> <count> <channel>[a,b][n][u,l]
mode (0 or 1)
count (0-254)
channel number (0-224)
band a=5G, b=2G
bandwidth n=10, non for 20 & 40
ctl sideband, l=lower, u=upper, default no ctl sideband
constraint
Send an 802.11h Power Constraint IE
Usage: wl constraint 1-255 db
rm_req Request a radio measurement of type basic, cca, or rpi
specify a series of measurement types each followed by options.
example: wl rm_req cca -c 1 -d 50 cca -c 6 cca -c 11
Options:
-t n numeric token id for measurement set or measurement
-c n channel
-d n duration in TUs (1024 us)
-p parallel flag, measurement starts at the same time as previous
Each measurement specified uses the same channel and duration as the
previous unless a new channel or duration is specified.
rm_rep Get current radio measurement report
join_pref
Set/Get join target preferences.
assoc_pref
Set/Get association preference.
Usage: wl assoc_pref [auto|a|b|g]
wme Set WME (Wireless Multimedia Extensions) mode (0=off, 1=on, -1=auto)
wme_ac wl wme_ac ap|sta [be|bk|vi|vo [ecwmax|ecwmin|txop|aifsn|acm <value>] ...]
wme_apsd
Set APSD (Automatic Power Save Delivery) mode on AP (0=off, 1=on)
wme_apsd_sta
Set APSD parameters on STA. Driver must be down.
Usage: wl wme_apsd_sta <max_sp_len> <be> <bk> <vi> <vo>
<max_sp_len>: number of frames per USP: 0 (all), 2, 4, or 6
<xx>: value 0 to disable, 1 to enable U-APSD per AC
wme_dp Set AC queue discard policy.
Usage: wl wme_dp <be> <bk> <vi> <vo>
<xx>: value 0 for newest-first, 1 for oldest-first
wme_counters
print WMM stats
wme_clear_counters
clear WMM counters
wme_tx_params
wl wme_tx_params [be|bk|vi|vo [short|sfb|long|lfb|max_rate <value>] ...]
wme_maxbw_params
wl wme_maxbw_params [be|bk|vi|vo <value> ....]
lifetime
Set Lifetime parameter (milliseconds) for each ac. wl lifetime be|bk|vi|vo [<value>]
lifetime
Set Lifetime parameter (milliseconds) for each ac.
wl lifetime be|bk|vi|vo [<value>]
reinit Reinitialize device
sta_info
wl sta_info <xx:xx:xx:xx:xx:xx>
cap driver capabilities
malloc_dump
Deprecated. Folded under 'wl dump malloc
chan_info
channel info
add_ie Add a vendor proprietary IE to 802.11 management packets
Usage: wl add_ie <pktflag> length OUI hexdata
<pktflag>: Bit 0 - Beacons
Bit 1 - Probe Rsp
Bit 2 - Assoc/Reassoc Rsp
Bit 3 - Auth Rsp
Bit 4 - Probe Req
Bit 5 - Assoc/Reassoc Req
Example: wl add_ie 3 10 00:90:4C 0101050c121a03
to add this IE to beacons and probe responses
del_ie Delete a vendor proprietary IE from 802.11 management packets
Usage: wl del_ie <pktflag> length OUI hexdata
<pktflag>: Bit 0 - Beacons
Bit 1 - Probe Rsp
Bit 2 - Assoc/Reassoc Rsp
Bit 3 - Auth Rsp
Bit 4 - Probe Req
Bit 5 - Assoc/Reassoc Req
Example: wl del_ie 3 10 00:90:4C 0101050c121a03
list_ie Dump the list of vendor proprietary IEs
rand Get a 2-byte Random Number from the MAC's PRNG
Usage: wl rand
otpw Write an srom image to on-chip otp
Usage: wl otpw file
nvotpw Write nvram to on-chip otp
Usage: wl nvotpw file
bcmerrorstr
errorstring
freqtrack
Set Frequency Tracking Mode (0=Auto, 1=On, 2=OFF)
eventing
set/get 128-bit hex filter bitmask for MAC event reporting up to application layer
event_msgs
set/get 128-bit hex filter bitmask for MAC event reporting via packet indications
counters
Return driver counter values
bsscounters
Return/reset BSS counter values
wl bsscounters [-C num]|[--cfg=num]
If the configuration index 'num' is not given, configuraion #0 is assumed.
delta_stats_interval
set/get the delta statistics interval in seconds (0 to disable)
delta_stats
get the delta statistics for the last interval
assoc_info
Returns the assoc req and resp information [STA only]
autochannel
auto channel selection:
1 to issue a channel scanning;
2 to set chanspec based on the channel scan result;
without argument to only show the chanspec selected;
ssid must set to null before this process, RF must be up
csscantimer
auto channel scan timer in minutes (0 to disable)
closed hides the network from active scans, 0 or 1.
0 is open, 1 is hide
pmkid_info
Returns the pmkid table
abminrate
get/set afterburner minimum rate threshold
bss set/get BSS enabled status: up/down
closednet
set/get BSS closed network attribute
ap_isolate
set/get AP isolation
eap_restrict
set/get EAP restriction
diag diag testindex(1-interrupt, 2-loopback, 3-memory, 4-led); precede by 'wl down' and follow by 'wl up'
reset_d11cnts
reset 802.11 MIB counters
staname get/set station name:
Maximum name length is 15 bytes
apname get AP name
otpdump Dump raw otp
otpstat Dump OTP status
nrate -r legacy rate (CCK, OFDM)-m mcs index-s stf mode (0=SISO,1=CDD,2=STBC(not supported),3=SDM)-w Override mcs only to support STA's with/without STBC capability
mimo_txbw
get/set mimo txbw (2=20Mhz(lower), 3=20Mhz upper, 4=40Mhz, 5=40Mhz dup<mcs32 only)
cac_addts
add TSPEC, error if STA is not associated or WME is not enabled
arg: TSPEC parameter input list
cac_delts
delete TSPEC, error if STA is not associated or WME is not enabled
arg: TSINFO for the target tspec
cac_delts_ea
delete TSPEC, error if STA is not associated or WME is not enabled
arg1: Desired TSINFO for the target tspec
arg2: Desired MAC address
cac_tslist
Get the list of TSINFO in driver
eg. 'wl cac_tslist' get a list of TSINFO
cac_tslist_ea
Get the list of TSINFO for given STA in driver
eg. 'wl cac_tslist_ea ea' get a list of TSINFO
cac_tspec
Get specific TSPEC with matching TSINFO
eg. 'wl cac_tspec 0xaa 0xbb 0xcc' where 0xaa 0xbb & 0xcc are TSINFO octets
cac_tspec_ea
Get specific TSPEC for given STA with matching TSINFO
eg. 'wl cac_tspec 0xaa 0xbb 0xcc xx:xx:xx:xx:xx:xx'
where 0xaa 0xbb & 0xcc are TSINFO octets and xx is mac address
phy_txpwrindex
usage: (set) phy_txpwrindex core0_idx core1_idx core2_idx core3_idx (get) phy_txpwrindex, return format: core0_idx core1_idx core2_idx core3_idxSet/Get txpwrindex
phy_test_tssi
wl phy_test_tssi val
phy_test_tssi_offs
wl phy_test_tssi_offs val
phy_rssiant
wl phy_rssiant antindex(0-3)
phy_rssi_ant
Get RSSI per antenna (only gives RSSI of current antenna for SISO PHY)
lpphy_papdepstbl
print papd eps table; Usage: wl lpphy_papdepstbl
rifs set/get the rifs status; usage: wl rifs <1/0> (On/Off)
rifs_advert
set/get the rifs mode advertisement status; usage: wl rifs_advert <-1/0> (Auto/Off)
phy_rxiqest
Get phy RX IQ noise in dBm:
-s # of samples (2^n)
-a antenna select, 0,1 or 3
-r resolution select, 0 (coarse) or 1 (fine)
-f lpf hpc override select, 0 (hpc unchanged) or 1 (overridden to lowest value)
-g gain-correction select, 0 (disable) or 1 (enable)
phy_txiqcc
usage: phy_txiqcc [a b]
Set/get the iqcc a, b values
phy_txlocc
usage: phy_txlocc [di dq ei eq fi fq]
Set/get locc di dq ei eq fi fq values
phytable
usage: wl phytable table_id offset width_of_table_element [table_element]
Set/get table element of a table with the given ID at the given offset
Note that table width supplied should be 8 or 16 or 32
table ID, table offset can not be negative
pavars Set/get temp PA parameters
usage: wl down
wl pavars pa2gw0a0=0x1 pa2gw1a0=0x2 pa2gw2a0=0x3 ...
wl pavars
wl up
override the PA parameters after driver attach(srom read), before diver up
These override values will be propogated to HW when driver goes up
PA parameters in one band range (2g, 5gl, 5g, 5gh) must all present if
one of them is specified in the command, otherwise it will be filled with 0
pavars2 Set/get temp PA parameters. Extended cmd of pavars
usage: wl down
wl pavars2 pa2gw0a0=0x1 pa2gw1a0=0x2 pa2gw2a0=0x3 ...
wl pavars2
wl up
override the PA parameters after driver attach(srom read), before diver up
These override values will be propogated to HW when driver goes up
PA parameters in one band range (2g, 5gl, 5g, 5gh) must all present if
one of them is specified in the command, otherwise it will be filled with 0
povars Set/get temp power offset
usage: wl down
wl povars cck2gpo=0x1 ofdm2gpo=0x2 mcs2gpo=0x3 ...
wl povars
wl up
override the power offset after driver attach(srom read), before diver up
These override values will be propogated to HW when driver goes up
power offsets in one band range (2g, 5gl, 5g, 5gh) must all present if
one of them is specified in the command, otherwise it will be filled with 0 cck(2g only), ofdm, and mcs(0-7) for NPHY are supported
fem Set temp fem2g/5g value
usage: wl fem (tssipos2g=0x1 extpagain2g=0x2 pdetrange2g=0x1 triso2g=0x1 antswctl2g=0)
(tssipos5g=0x1 extpagain5g=0x2 pdetrange5g=0x1 triso5g=0x1 antswctl5g=0)
antgain Set temp ag0/1 value
usage: wl antgain ag0=0x1 ag1=0x2
maxpower
Set temp maxp2g(5g)a0(a1) value
usage: wl maxpower maxp2ga0=0x1 maxp2ga1=0x2 maxp5ga0=0xff maxp5ga1=0xff
maxp5gla0=0x3 maxp5gla1=0x4 maxp5gha0=0x5 maxp5gha1=0x6
phy_antsel
get/set antenna configuration
set: -1(AUTO), 0xAB(fixed antenna selection)
where A and B is the antenna numbers used for RF chain 1 and 0 respectively
query: <utx>[AUTO] <urx>[AUTO] <dtx>[AUTO] <drx>[AUTO]
where utx = TX unicast antenna configuration
urx = RX unicast antenna configuration
dtx = TX default (non-unicast) antenna configuration
drx = RX default (non-unicast) antenna configuration
txcore Usage: wl txcore -k <CCK core mask> -o <OFDM core mask> -s <1..4> -c <core bitmap>
-k CCK core mask
-o OFDM core mask
-s # of space-time-streams
-c active core (bitmask) to be used when transmitting frames
txcore_override
Usage: wl txcore_override
get the user override of txcore
txchain_pwr_offset
Usage: wl txchain_pwr_offset [qdBm offsets]
Get/Set the current offsets for each core in qdBm (quarter dBm)
sample_collect
Optional parameters HTPHY/(NPHY with NREV >= 7) are:
-f File name to dump the sample buffer (default "sample_collect.dat")
-t Trigger condition (default now)
now, good_fcs, bad_fcs, bad_plcp, crs, crs_glitch, crs_deassert
-b PreTrigger duration in us (default 10)
-a PostTrigger duration in us (default 10)
-m Sample collect mode (default 1)
HTPHY: 0=adc, 1..3=adc+rssi, 4=gpio
NPHY: 1=Dual-Core adc[9:2], 2=Core0 adc[9:0], 3=Core1 adc[9:0], gpio=gpio
-g GPIO mux select (default 0)
use only for gpio mode
-d Downsample enable (default 0)
use only for HTPHY
-e BeDeaf enable (default 0)
-i Timeout in units of 10us (default 1000)
Optional parameters (NPHY with NREV < 7) are:
-f File name to dump the sample buffer (binary format, default "sample_collect.dat")
-u Sample collect duration in us (default 60)
-c Cores to do sample collect, only if BW=40MHz (default both)
For (NREV < 7), the NPHY buffer returned has the format:
In 20MHz [(uint16)num_bytes, <I(core0), Q(core0), I(core1), Q(core1)>]
In 40MHz [(uint16)num_bytes(core0), <I(core0), Q(core0)>,
(uint16)num_bytes(core1), <I(core1), Q(core1)>]
txfifo_sz
set/get the txfifo size; usage: wl txfifo_sz <fifonum> <size_in_bytes>
rate_histo
Get rate hostrogram
pkteng_start
start packet engine tx usage: wl pkteng_start <xx:xx:xx:xx:xx:xx> <tx|txwithack> [(async)|sync] [ipg] [len] [nframes] [src]
start packet engine rx usage: wl pkteng_start <xx:xx:xx:xx:xx:xx> <rx|rxwithack> [(async)|sync] [rxframes] [rxtimeout]
sync: synchronous mode
ipg: inter packet gap in us
len: packet length
nframes: number of frames; 0 indicates continuous tx test
src: source mac address
rxframes: number of receive frames (sync mode only)
rxtimeout: maximum timout in msec (sync mode only)
pkteng_stop
stop packet engine; usage: wl pkteng_stop <tx|rx>
pkteng_stats
packet engine stats; usage: wl pkteng_stats
wowl Enable/disable WOWL events
0 - Clear all events
Bit 0 - Wakeup on Magic Packet
Bit 1 - Wakeup on NetPattern (use 'wl wowl_pattern' to configure pattern)
Bit 2 - Wakeup on loss-of-link due to Disassociation/Deauth
Bit 3 - Wakeup on retrograde tsf
Bit 4 - Wakeup on loss of beacon (use 'wl wowl_bcn_loss' to configure time)
wowl_bcn_loss
Set #of seconds of beacon loss for wakeup event
wowl_pattern
usage: wowl_pattern [ [clr | [[ add | del ] offset mask value ]]]
No options -- lists existing pattern list
add -- Adds the pattern to the list
del -- Removes a pattern from the list
clr -- Clear current list
offset -- Starting offset for the pattern
mask -- Mask to be used for pattern. Bit i of mask => byte i of the pattern
value -- Value of the pattern
wowl_wakeind
usage: wowl_wakeind [clear]
Shows last system wakeup event indications from PCI and D11 cores
clear - Clear the indications
wowl_status
usage: wowl_status [clear]
Shows last system wakeup setting
wowl_pkt
Send a wakeup frame to wakup a sleeping STA in WAKE mode
Usage: wl wowl_pkt <len> <dst ea | bcast | ucast <STA ea>>[ magic [<STA ea>] | net <offset> <pattern>]
e.g. To send bcast magic frame -- wl wowl_pkt 102 bcast magic 00:90:4c:AA:BB:CC
To send ucast magic frame -- wl wowl_pkt 102 ucast 00:90:4c:aa:bb:cc magic
To send a frame with L2 unicast - wl wowl_pkt 102 00:90:4c:aa:bb:cc net 0 0x00904caabbcc
NOTE: offset for netpattern frame starts from "Dest EA" of ethernet frame.So dest ea will be used only when offset is >= 6
wme_apsd_trigger
Set Periodic APSD Trigger Frame Timer timeout in ms (0=off)
wme_autotrigger
Enable/Disable sending of APSD Trigger frame when all ac are delivery enabled
reassoc Initiate a (re)association request.
Usage: wl reassoc <bssid> [options]
Options:
-c CL, --chanspecs=CL chanspecs (comma or space separated list)
send_nulldata
Sed a null frame to the specified hw address
btc_params
g/set BT Coex parameters
btc_flags
g/set BT Coex flags
obss_scan_params
set/get Overlapping BSS scan parameters
Usage: wl obss_scan a b c d e ...; where
a-Passive Dwell, {5-1000TU}, default = 100
b-Active Dwell, {10-1000TU}, default = 20
c-Width Trigger Scan Interval, {10-900sec}, default = 300
d-Passive Total per Channel, {200-10000TU}, default = 200
e-Active Total per Channel, {20-1000TU}, default = 20
f-Channel Transition Delay Factor, {5-100}, default = 5
g-Activity Threshold, {0-100%}, default = 25
keep_alive
Send specified "keep-alive" packet periodically.
Usage: wl keep_alive <period> <packet>
period: Re-transmission period in milli-seconds. 0 to disable packet transmits.
packet: Hex packet contents to transmit. The packet contents should include the entire ethernet packet (ethernet header, IP header, UDP header, and UDP payload) specified in network byte order.
e.g. Send keep alive packet every 30 seconds:
wl keep_alive 30000 0x0014a54b164f000f66f45b7e08004500001e000040004011c52a0a8830700a88302513c413c4000a00000a0d
srchmem g/set ucode srch engine memory
pkt_filter_add
Install a packet filter.
Usage: wl pkt_filter_add <id> <polarity> <type> <offset> <bitmask> <pattern>
id: Integer. User specified id.
type: 0 (Pattern matching filter).
offset: Integer. Offset within received packets to start matching.
polarity: Set to 1 to negate match result. 0 is default.
bitmask: Hex bitmask that indicates which bits of 'pattern' to match. Must be same
size as 'pattern'. Bit 0 of bitmask corresponds to bit 0 of pattern, etc.
If bit N of bitmask is 0, then do *not* match bit N of the pattern with
the received payload. If bit N of bitmask is 1, then perform match.
pattern: Hex pattern to match.
pkt_filter_clear_stats
Clear packet filter statistic counter values.
Usage: wl pkt_filter_clear_stats <id>
pkt_filter_enable
Enable/disable a packet filter.
Usage: wl pkt_filter_enable <id> <0|1>
pkt_filter_list
List installed packet filters.
Usage: wl pkt_filter_list [val]
val: 0 (disabled filters) 1 (enabled filters)
pkt_filter_mode
Set packet filter match action.
Usage: wl pkt_filter_mode <value>
value: 1 - Forward packet on match, discard on non-match (default).
0 - Discard packet on match, forward on non-match.
pkt_filter_delete
Uninstall a packet filter.
Usage: wl pkt_filter_delete <id>
pkt_filter_stats
Retrieve packet filter statistic counter values.
Usage: wl pkt_filter_stats <id>
seq_start
Initiates command batching sequence. Subsequent IOCTLs will be queued until
seq_stop is received.
seq_stop
Defines the end of command batching sequence. Queued IOCTLs will be executed.
seq_delay
Driver should spin for the indicated amount of time.
It is only valid within the context of batched commands.
seq_error_index
Used to retrieve the index (starting at 1) of the command that failed within a batch
bmac_reboot
Reboot BMAC
txmcsset
get Transmit MCS rateset for 11N device
rxmcsset
get Receive MCS rateset for 11N device
mimo_ss_stf
get/set SS STF mode.
Usage: wl mimo_ss_stf <value> <-b a | b>
value: 0 - SISO; 1 - CDD
-b(band): a - 5G; b - 2.4G
assoclistinfo
AP only: Get the list of yet another form of associated station info
scblist AP only: Get STA list
assertlog
get external assert logs
Usage: wl assertlog
assert_type
set/get the asset_bypass flag; usage: wl assert_type <1/0> (On/Off)
ledbh set/get led behavior
Usage: wl ledbh [0-3] [0-15]
obss_coex_action
send OBSS 20/40 Coexistence Mangement Action Frame
Usage: wl obss_coex_action -i <1/0> -w <1/0> -c <channel list>
-i: 40MHz intolerate bit; -w: 20MHz width Req bit;
-c: channel list, 1 - 14
At least one option must be provided
chanim_state
get channel interference state
Usage: wl chanim_state channel
Valid channels: 1 - 14
returns: 0 - Acceptable; 1 - Severe
chanim_mode
get/set channel interference measure (chanim) mode
Usage: wl chanim_mode <value>
value: 0 - disabled; 1 - detection only; 2 - detection and avoidance
ledbh set/get led behavior
Usage: wl ledbh [0-3] [0-15]
led_blink_sync
set/get led_blink_sync
Usage: wl led_blink_sync [0-3] [0/1]
cca_get_stats
Usage: wl cca_stats [-c channel] [-s num seconds][-a]
-c channel: Optional. specify channel. 0 = All channels. Default = current channel
-s num_seconds: Optional. Default = 10, Max = 60
-i: list individual measurements in addition to the averages
-curband: Only recommend channels on current band
itfr_get_stats
get interference source information
itfr_enab
get/set STA interference detection mode(STA only)
0 - disable
1 - enable maual detection
2 - enable auto detection
itfr_detect
issue an interference detection request
smfstats
get/clear selected management frame (smf) stats wl smfstats [-C num]|[--cfg=num] [auth]|[assoc]|[reassoc]|[clear]
clear - to clear the stats
manfinfo
show chip package info in OTP
rrm_nbr_req
send 11k neighbor report measurement request
Usage: wl rrm_nbr_req [ssid]
wnm_bsstq
send 11v BSS transition management query
Usage: wl wnm_bsstq [ssid]
pm_dur Retrieve accumulated PM duration information (GET) or clear accumulator (SET)
Usage: wl pm_dur <any-number-to-clear>
mpc_dur Retrieve accumulated MPC duration information in ms (GET) or clear accumulator (SET)
Usage: wl mpc_dur <any-number-to-clear>
chanim_acs_record
get the auto channel scan record.
Usage: wl acs_record
dngl_wd enable or disable dongle watchdog timer
Usage: wl dngl_wd <on/off>(to turn on\off) <exptime in sec>
tsf set/get tsf register
Usage: wl tsf [<high> <low>]
tpc_mode
Enable/disable AP TPC.
Usage: wl tpc_mode <mode>
0 - disable, 1 - BSS power control, 2 - AP power control, 3 - Both (1) and (2)
tpc_period
Set AP TPC periodicity in secs.
Usage: wl tpc_period <secs>
tpc_lm Get current link margins.
mfp_config
Config PMF capability
usage: wl mfp 0/disable, 1/capable, 2/requred
mfp_sha256
Config SHA256 capability
usage: wl sha256 0/disable, 1/enable
mfp_sa_query
Send a sa query req/resp to a peer
usage: wl mfp_sa_query flag action id
mfp_disassoc
send bogus disassoc
Usage: wl mfp_disassoc
mfp_deauth
send bogus deauth
Usage: wl mfp_dedauth
mfp_assoc
send assoc
Usage: wl mfp_assoc
mfp_auth
send auth
Usage: wl mfp_auth
mfp_reassoc
send reassoc
Usage: wl mfp_reassoc
monitor_lq
Start/Stop monitoring link quality metrics - RSSI and SNR
Usage: wl monitor_lq <0: turn off / 1: turn on
monitor_lq_status
Returns averaged link quality metrics - RSSI and SNR values
scb_probe
Set probing parameters for inactive clients.
<timout in seconds> <activity_time in seconds> <max number of probes>
rpmt rpmt <pm1-to> <pm0-to>
spatial_policy
set/get spatial_policy
Usage: wl spatial_policy <-1: auto / 0: turn off / 1: turn on>
to control individual band/sub-band use
wl spatial_policy a b c d e
where a is 2.4G band setting
where b is 5G lower band setting
where c is 5G middle band setting
where d is 5G high band setting
where e is 5G upper band setting
ratetbl_ppr
Usage: For get: wl ratetbl_ppr
For set: wl ratetbl_ppr <rate> <ppr>
ie set/get IE
Usage for set: wl ie type length hexdata
Example: wl ie 107 9 02020800904c09215c
to set IW IE with length 9
Usage for get: wl ie type
Example: wl ie 107
to get current IW IE
wan
The wan utility prints information about network interfaces. The output is hard to read until you know what kind of hardware is onboard: there are actually multiple wired and wireless interfaces.
In the output below, only one interface, ppp0.1, is enabled and connected to the internet, at an external IP address of 397.113.19.219:
> wan show
VCC Con. Service Interface Proto. IGMP MLD Status IP
ID Name Name address
0.0.36 1 br_0_0_36 atm0 Bridged Disable Disable Unconfigured
0.0.37 1 br_0_0_37 atm1 Bridged Disable Disable Unconfigured
0.0.38 1 br_0_0_38 atm2 Bridged Disable Disable Unconfigured
0.0.39 1 br_0_0_39 atm3 Bridged Disable Disable Unconfigured
0.0.40 1 br_0_0_40 atm4 Bridged Disable Disable Unconfigured
0.0.41 1 br_0_0_41 atm5 Bridged Disable Disable Unconfigured
0.0.42 1 br_0_0_42 atm6 Bridged Disable Disable Unconfigured
N/A 2 ipoe_.201 eth5.2 IPoE Enable Disable Unconfigured 0.0.0.0
N/A 3 ipoe_.201 eth5.3 IPoE Enable Disable Unconfigured 0.0.0.0
N/A 4 ipoe_.0 eth5.4 IPoE Enable Disable Unconfigured 0.0.0.0
N/A 5 ipoe_.0 eth5.5 IPoE Enable Disable Unconfigured 0.0.0.0
N/A 6 ipoe_ eth5.6 IPoE Enable Disable Unconfigured 0.0.0.0
N/A 7 ipoe_ eth5.7 IPoE Enable Disable Unconfigured 0.0.0.0
N/A 1 pppoe_.201 ppp0.1 PPPoE Enable Disable Connected 397.113.19.219
N/A 8 pppoe_ ppp1.8 PPPoE Disable Disable Unconfigured
>
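To make the table above easier to read, here is a small parser for it, added as an example and not part of the original page or the router's tooling. The function names are my own, the sample is a subset of the rows shown above, and the interface-to-link mapping is my reading of the VCC column and the pm help text further down the page.

```python
from typing import NamedTuple, Optional

# Subset of the `wan show` output on this page, prompt and header lines included.
WAN_SHOW = """\
> wan show
VCC Con. Service Interface Proto. IGMP MLD Status IP
ID Name Name address
0.0.36 1 br_0_0_36 atm0 Bridged Disable Disable Unconfigured
0.0.37 1 br_0_0_37 atm1 Bridged Disable Disable Unconfigured
N/A 2 ipoe_.201 eth5.2 IPoE Enable Disable Unconfigured 0.0.0.0
N/A 6 ipoe_ eth5.6 IPoE Enable Disable Unconfigured 0.0.0.0
N/A 1 pppoe_.201 ppp0.1 PPPoE Enable Disable Connected 397.113.19.219
N/A 8 pppoe_ ppp1.8 PPPoE Disable Disable Unconfigured
>
"""


class WanRow(NamedTuple):
    vcc: str
    con_id: int
    service: str
    interface: str
    proto: str
    igmp: str
    mld: str
    status: str
    ip: Optional[str]  # kept as text: the page's address is obfuscated (397 is not a valid octet)


def parse_wan_show(text):
    """Turn `wan show` output into WanRow records, skipping prompts and headers."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        # Data rows have 8 columns, or 9 when the IP column is filled in.
        # The second column (Con. ID) is numeric only on data rows.
        if len(tok) not in (8, 9) or not tok[1].isdigit():
            continue
        ip = tok[8] if len(tok) == 9 else None
        rows.append(WanRow(tok[0], int(tok[1]), *tok[2:8], ip))
    return rows


def connected(rows):
    """Interfaces that actually hold a live WAN connection."""
    return [r for r in rows if r.status == "Connected"]


def link_kind(interface):
    """Assumed mapping from interface name to the link it belongs to."""
    if interface.startswith("atm"):
        return "DSL ATM PVC"        # atm rows carry a VCC value such as 0.0.36
    if interface.startswith("eth5"):
        return "gigabit WAN port"   # per the pm help text on this page
    if interface.startswith("ppp"):
        return "PPPoE session"
    return "unknown"


def summarize(rows):
    """Group interface names by link kind."""
    out = {}
    for r in rows:
        out.setdefault(link_kind(r.interface), []).append(r.interface)
    return out


if __name__ == "__main__":
    rows = parse_wan_show(WAN_SHOW)
    for kind, names in summarize(rows).items():
        print(f"{kind}: {', '.join(names)}")
    for r in connected(rows):
        print(f"live uplink: {r.interface} ({r.proto}) at {r.ip}")
```
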
image server
This utility flashes firmware by pulling the image from an external server, instead of uploading the bin file via the web interface:
> imageServer
Usage: imageServer URL, such as imageServer 192.168.0.6:7547/dl/firmware
pm
Port mirroring/monitoring service:
> pm
Usage: pm clean
pm show
pm enable <monitor port> <mirror port>
pm disable <monitor port> <mirror port>
pm delete <monitor port> <mirror port>
monitor port: Eth1, Eth2, Eth3, Eth4, lan-all, all-eths
all-lan-wan, wan, ptm0, dslwan
atm0 ... atm999, vlan1 ... vlan4094
gbwan, ethwan, eth5
mirror port: Eth1, Eth2, Eth3, Eth4
<<< NOTES For monitor port >>>
1) if you do not know what type of WAN (Eth or Dsl),
just set it to wan.
2) if you do not know the DSL VLAN id or ATM PVC number
just set it to dslwan or wan.
3) gbwan, ethwan and eth5 are exchangable, you can use any one
of them to monitor gigabit wan port (White jack).
led
Utility to control the LEDs on the front of the router.
> led
Usage: led <alloff | allon | allred | allamber]>
Examples:
led allon: turns all LEDs on
led alloff: turns all LEDs off
led allred: turns all LEDs red
led allamber: turns all LEDs amber
Note: Ethernet, HPNA and USB LEDs don't support red or amber. They could be either on, off or blinkiing when either 'led allamber' or 'led allred' command is given
nmap scan
$ nmap -A 97.113.9.219
Starting Nmap 6.47 ( http://nmap.org ) at 2016-09-03 03:37 PDT
Nmap scan report for 97-113-9-219.tukw.qwest.net (397.113.19.219)
Host is up (0.11s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Broadcom BCM963268 ADSL router telnetd
25/tcp filtered smtp
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
465/tcp filtered smtps
587/tcp filtered submission
1050/tcp filtered java-or-OTGfileshare
4567/tcp open tram?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port4567-TCP:V=6.47%I=7%D=9/3%Time=57CAA829%P=x86_64-apple-darwin14.3.0
SF:%r(FourOhFourRequest,3A,"HTTP/1\.1\x20401\x20Authorization\x20Required\
SF:r\nContent-Length:\x200\r\n\r\n");
Service Info: Device: broadband router; CPE: cpe:/h:broadcom:bcm963268
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.43 seconds
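The scan above shows telnet answering on the WAN side, which is exactly what the telnet note earlier on this page warns about. The following is an added example, not part of the original page: it audits a scan of your own router and confirms that switching Remote Console off really closed the port. The function names and severity labels are my own, and the re-scan is constructed.

```python
import re
from typing import NamedTuple

# Port table from the scan on this page, one row per line.
SCAN = """\
Not shown: 992 closed ports
PORT     STATE    SERVICE              VERSION
23/tcp   open     telnet               Broadcom BCM963268 ADSL router telnetd
25/tcp   filtered smtp
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
465/tcp  filtered smtps
587/tcp  filtered submission
1050/tcp filtered java-or-OTGfileshare
4567/tcp open     tram?
"""

# Constructed: a re-scan after Remote Console is turned off. Closed ports are
# not listed by nmap, so the telnet row simply disappears.
RESCAN = "\n".join(l for l in SCAN.splitlines() if not l.startswith("23/tcp"))

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
CLEARTEXT_ADMIN = {"telnet", "rlogin", "rsh", "ftp"}  # assumed watch list


class Port(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_ports(text):
    """Extract the PORT/STATE/SERVICE/VERSION rows from nmap's normal output."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ports.append(Port(int(m[1]), m[2], m[3], m[4], m[5] or ""))
    return ports


def audit(text):
    """Return (port, severity, reason) for every port that accepted a connection."""
    findings = []
    for p in parse_ports(text):
        if p.state != "open":
            continue  # filtered: probes were dropped, nothing is known to be listening
        name = p.service.rstrip("?")
        if name in CLEARTEXT_ADMIN:
            findings.append((p.port, "high", f"cleartext {name} reachable from the scanning side"))
        elif p.service.endswith("?"):
            # nmap appends '?' when the name is only a guess from the port number
            findings.append((p.port, "review", "open, but nmap could not identify the service"))
        else:
            findings.append((p.port, "info", f"open {name}"))
    return findings


def still_open(before, after):
    """Ports open in both scans, i.e. what the configuration change did not close."""
    was = {(p.port, p.proto) for p in parse_ports(before) if p.state == "open"}
    now = {(p.port, p.proto) for p in parse_ports(after) if p.state == "open"}
    return sorted(was & now)


if __name__ == "__main__":
    for port, severity, reason in audit(SCAN):
        print(f"{severity:6} {port}: {reason}")
    print("still open after the change:", still_open(SCAN, RESCAN))
```

Run it against a scan taken from outside your own network, since a scan from the LAN says nothing about what the WAN side exposes.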