From charlesreid1

Links

Firmware download:

Datasheet: http://internethelp.centurylink.com/internethelp/pdf/modems/datasheet-c2100t.pdf

Info about FCC testing: https://fccid.io/RSE-C2100T#exhibits

DSLReports forums: https://www.dslreports.com/forum/centurylink

This kind of explains the port 1050 thing (Java or OTG file share). The keyword was "CORBA" management: https://docs.oracle.com/cd/E17984_01/doc.898/e14696/java_connector.htm

Chipset: BCM963268 Broadband Router

Attack vector:

Linux:
$ nmap -sS -sV -vv -n -Pn -T5 A.B.C.D -p80 -oG -

Mac:
$ nmap -sS -sV -vv -n -Pn -T5 A.B.C.D -p80 -oG -

Telnet

Telnet access:

  • Log in to the router through the admin page
  • Advanced setup
  • Remote console
  • Enable telnet from WAN or LAN

NOTE: THIS IS REALLY REALLY FREAKING IMPORTANT: When you turn on telnet, it turns it on from BOTH sides - internal and external. Don't leave it on, or else your telnet server will get hammered, a hacker will obtain root access, your router firmware will get flashed with a malicious binary, traffic sniffers will be installed, people will spy on you using your webcam, your bank accounts will be emptied, life as you know it will come to a screeching halt, etc. etc. etc.
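
A check for the situation in the note above, added here as an example (it is not code from the original page): it parses nmap grepable output, the format that the -oG - option in the commands above produces, from a LAN-side and a WAN-side scan, and reports on which side 23/tcp still answers. The scan text, the addresses and the watched port list are constructed assumptions.

```python
# Constructed nmap grepable (-oG) output for the same router seen from each side.
# 192.0.2.1 and 198.51.100.7 are documentation addresses, not real hosts.
LAN_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, "
    "1050/closed/tcp//java-or-OTGfileshare///\n"
)
WAN_SCAN = (
    "Host: 198.51.100.7 ()\tStatus: Up\n"
    "Host: 198.51.100.7 ()\tPorts: 23/open/tcp//telnet///, 80/filtered/tcp//http///, "
    "1050/filtered/tcp//java-or-OTGfileshare///\n"
)

# Assumption: telnet plus the two ports this page mentions (80 and 1050).
WATCHED = {23, 80, 1050}


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from nmap -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines start with '#'
        fields = line.split("\t")  # grepable fields are tab-separated
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # 'Status:' and 'Ignored State:' carry no port entries
            for entry in field[len("Ports:"):].split(", "):
                # Entry layout: port/state/proto/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue  # fragment of a version string that contained ", "
                hosts.setdefault(host, []).append(
                    (int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def open_watched(text):
    """List (host, port, service) for watched ports reported as open."""
    return sorted(
        (host, port, service)
        for host, ports in parse_grepable(text).items()
        for port, state, _proto, service in ports
        if state == "open" and port in WATCHED
    )


def telnet_exposure(lan_text, wan_text):
    """Return the sides ('LAN', 'WAN') on which 23/tcp is open."""
    sides = []
    for side, text in (("LAN", lan_text), ("WAN", wan_text)):
        if any(port == 23 for _host, port, _svc in open_watched(text)):
            sides.append(side)
    return sides


if __name__ == "__main__":
    for side in telnet_exposure(LAN_SCAN, WAN_SCAN):
        print(f"telnet reachable from the {side} side: turn Remote console off")
```

Run the same check again after disabling the remote console; an empty result from both sides is the state to leave the router in.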

Telnet Commands

Logging in and typing a question mark for help shows all the available commands:

 > ?
?
help
logout
exit
quit
reboot
env_list
autodetect
adsl
xdslctl0
xdslctl1
loglevel
meminfo
dnsproxy
ping
voice
dect
wlctl
lanhosts
passwd
restoredefault
save
swversion
uptime
cfgupdate
swupdate
exitOnIdle
wan
igmp
imageServer
pm
led
wpsbtn
snoop_on
snoop_off

These commands provide lots of information about the router. Here's a brief rundown:

  • env_list - lists all environmental variables, including _PROD_SERIAL_NBR, _BOOTLOADER_VERSION, _WL0_WEPKEY_SERIAL, _WL0_WPAKEY_SERIAL, _WL0_PIN_SERIAL
  • autodetect - sets parameters (start_delay, cycle_delay, ppp_attempts, dhcp_attempts) for router
  • adsl - asymmetric digital subscriber line, faster data rates over copper phone lines than by using a conventional VOIP modem
  • xdslctl0 - not sure, but looks like another advanced command line interface, related to ADSL
  • xdslctl1 - ditto
  • meminfo - info about how much memory is being used
  • dnsproxy - dumps info or stats (in my case, nothing printed out........)
  • ping - works like normal ping, say ping IPADDR
  • voice - this is basically the program that you use to interface with VOIP settings on the router. See below for detailed output.
  • dect - DECT is some kind of phone handset base station functionality; more of this SIP/phone/dialing stuff.
  • wlctl - wireless control program, looooots of commands, options, and information provided
  • lanhosts - for each host connected to the network (wired or wireless), list IP address, MAC address, and hostname.
  • passwd - duh, changes password
  • restoredefault - duh, restores default factory settings (?)
  • save - save current settings to config file (?)
  • swversion - tells you what version of router firmware your router is running
  • uptime - reports uptime of router
  • cfgupdate - not sure - update settings using config file (?)
  • swupdate - update onboard software (?)
  • exitOnIdle - (?)
  • wan - shows information about network interfaces and devices
  • igmp - IGMP is the Internet Group Management Protocol, used for multicasting and for dealing with video and games
  • imageServer - downloads and installs a firmware image from an external URL
  • pm - port mirroring/monitoring service
  • wpsbtn - returns a 1 or 0 depending on whether the WPS button is turned off or on
  • snoop_on/snoop_off - turns IGMPv3 snooping on or off (this will assist with IGMP traffic routing)

voice

Here's the output for the voice command:

 > voice
Command syntax:
voice --help                      -  show the voice command syntax
voice show                        -  show the voice parameters
voice show stats                  -  show call statistics
voice start                       -  start the voice application
voice stop                        -  stop the voice application
voice save                        -  store voice params to flash
voice reboot                      -  restart the voice application
voice set <param> <arg1> <arg2>.. -  set a provisionable parameter
List of voice set params and args:
defaults        <None>                      - Default VoIP setup
boundIfname     <LAN|Any_WAN|(WAN IfName, e.g. nas_0_0_35)> - vodsl network interface
ipAddrFamily    <IPv4|IPv6>                 - IP address family
pstnDialPlan    <pstn line#> <dialPlan>     - PSTN dial plan
pstnRouteRule   <pstn line#> <Auto|Voip|Line> - PSTN Route rule
pstnRouteData   <pstn line#> <line #|URL for VOIP> - PSTN Route data
locale          <srvPrv#> <region>          - 2 or 3 character code
DTMFMethod      <srvPrv#> <InBand|RFC2833|SIPInfo> - DTMF digit passing method
hookFlashMethod <srvPrv#> <SIPInfo|None>    - Hook flash method
transport       <srvPrv#> <UDP|TCP|TLS>     - transport protocol
srtpOption      <srvPrv#> <Mandatory|Optional|Disabled> - SRTP usage option
regRetryInt     <srvPrv#> <seconds>         - SIP register retryinterval
regExpires      <srvPrv#> <seconds>         - Register expires hdr val
rtpDSCPMark     <srvPrv#> <mark>            - RTP outgoing DSCP mark
logServer       <srvPrv#> <hostName|IP>     - Log server
logPort         <srvPrv#> <port>            - Log server port
digitMap        <srvPrv#> <digitmap>        - dial digit map
T38             <srvPrv#> on|off            - enable/disable T38
V18             <srvPrv#> on|off            - enable/disable V.18 detection
reg             <srvPrv#> <hostName|IP>     - SIP registrar server
regPort         <srvPrv#> <port>            - SIP registrar server port
proxy           <srvPrv#> <hostName|IP>     - SIP proxy server
proxyPort       <srvPrv#> <port>            - SIP proxy server port
obProx          <srvPrv#> <hostName|IP>     - SIP outbound proxy
obProxPort      <srvPrv#> <port>            - SIP outbound proxy port
sipDomain       <srvPrv#> <CPE_domainName>  - SIP user agent domain
sipPort         <srvPrv#> <port>            - SIP user agent port
sipDSCPMark     <srvPrv#> <mark>            - SIP outgoing DSCP mark
musicServer     <srvPrv#> <hostName|IP>     - SIP music server
musicSrvPort    <srvPrv#> <port>            - SIP music server port
tagMatching     <srvPrv#> <on|off>          - SIP to tag matching
timerB          <srvPrv#> <time in ms>      - SIP protocol B timer
timerF          <srvPrv#> <time in ms>      - SIP protocol F timer
lineStatus      <srvPrv#> <accnt#> <on|off> - Activate line
physEndpt       <srvPrv#> <accnt#> <id>     - Phys Endpt
extension       <srvPrv#> <accnt#> <URI>    - SIP extension
dispName        <srvPrv#> <accnt#> <Name>   - SIP Display Name
authName        <srvPrv#> <accnt#> <name>   - SIP auth name
authPwd         <srvPrv#> <accnt#> <pwd>    - SIP auth password
MWIEnable       <srvPrv#> <accnt#> <on|off> - Msg Waiting Indication
cfwdNum         <srvPrv#> <accnt#> <number> - call forward number
cfwdAll         <srvPrv#> <accnt#> <on|off> - call forward all
cfwdNoAns       <srvPrv#> <accnt#> <on|off> - call forward no answer
cfwdBusy        <srvPrv#> <accnt#> <on|off> - call forward busy
callWait        <srvPrv#> <accnt#> <on|off> - call waiting
anonBlck        <srvPrv#> <accnt#> <on|off> - Anonymous call rcv blcking
anonCall        <srvPrv#> <accnt#> <on|off> - Anonymous outgng calls
DND             <srvPrv#> <accnt#> <on|off> - do not disturb
CCBS            <srvPrv#> <accnt#> <on|off> - Call completion on busy
speedDial       <srvPrv#> <accnt#> <on|off> - Speed dial
warmLine        <srvPrv#> <accnt#> <on|off> - Warm line
warmLineNum     <srvPrv#> <accnt#> <number> - Warm line number
callBarring     <srvPrv#> <accnt#> <on|off> - Call barring
callBarrPin     <srvPrv#> <accnt#> <number> - Call barring pin
callBarrDigMap  <srvPrv#> <accnt#> <digitmap> - Call barring digit map
netPrivacy      <srvPrv#> <accnt#> <on|off> - Network privacy
vmwi            <srvPrv#> <accnt#> <on|off> - Visual message waiting indication
vad             <srvPrv#> <accnt#> <on|off> - enable vad
pTime           <srvPrv#> <accnt#> <pTime>  - packetization period
codecList       <srvPrv#> <accnt#> <codec(1)[,codec(2)]> - codec priority list
rxGain          <srvPrv#> <accnt#> <rxGain> - rxGain (dB)
txGain          <srvPrv#> <accnt#> <txGain> - txGain (dB)

Now trying voice show to show values of parameters:

 > voice show


Global Parameters:
------------------
BoundIfName          : Any_WAN
IP address family    : IPv4
Vodsl logLevel       : Error
Management Protocol  : TR69

Service Provider 0:
--------------------
   Associated Voice Profile: 1
   Locale                  : USA
   DTMFMethod              : RFC2833
   HookFlashMethod         : None
   DigitMap                : #xx|[2-9]11|1[2-9]11|[2-9]xxxxxxxxx|1[2-9]xxxxxxxxx|x.T
   Log Server Addr         :
   Log Server Port         : 0
   T38                     : on
   V18                     : off
   RTPDSCPMark             : 46
   SIP:
      Domain               :
      Port                 : 0
      Transport            : UDP
      RegExpires           : 0
      RegRetryInterval     : 0
      DSCPMark             : 40
      Registrar Addr       :
      Registrar Port       : 0
      Proxy Addr           :
      Proxy Port           : 0
      OutBoundProxy Addr   :
      OutBoundProxy Port   : 0
      Music Server Addr    :
      Music Server Port    : 0
      To Tag Matching      : On
      Timer B ( in ms )    : 32000
      Timer F ( in ms )    : 32000
      SRTP Usage Option    : Optional

   Account 0:
   -----------
      ActivationStatus        : Disabled
      VoipServiceStatus       : Disabled
      CallStatus              : Idle
      Associated CM Acnt      : 0
      PhysEndpt               : 1
      Extension               :
      DisplayName             :
      AuthName                :
      AuthPwd                 :
      TxGain                  : 0 dB
      RxGain                  : 0 dB
      CALLFEATURES:
         MWI                  : off
         CallWaiting          : on
         CFWDNum              :
         CallFwdAll           : off
         CallFwdBusy          : off
         CallFwdNoans         : off
         AnonymousOutgoingCall: off
         AnonymousCallRcvBlock: off
         DoNotDisturb         : off
         CallCompOnBusy       : off
         SpeedDial            : off
         WarmLine             : off
         WarmLineNum          :
         CallBarring          : off
         CallBarringMode      : None
         CallBarringPin       : 9999
         CallBarringDigitMap  :
         NetPrivacy           : off
         VMWI                 : off
      CODECSETTINGS:
         VAD                  : off
         pTime                : 20
         CodecList            : (0) G.722
                                (1) G.711MuLaw
                                (2) T38
                                (3) NTE

   Account 1:
   -----------
      ActivationStatus        : Disabled
      VoipServiceStatus       : Disabled
      CallStatus              : Idle
      Associated CM Acnt      : 1
      PhysEndpt               : 1
      Extension               :
      DisplayName             :
      AuthName                :
      AuthPwd                 :
      TxGain                  : 0 dB
      RxGain                  : 0 dB
      CALLFEATURES:
         MWI                  : off
         CallWaiting          : on
         CFWDNum              :
         CallFwdAll           : off
         CallFwdBusy          : off
         CallFwdNoans         : off
         AnonymousOutgoingCall: off
         AnonymousCallRcvBlock: off
         DoNotDisturb         : off
         CallCompOnBusy       : off
         SpeedDial            : off
         WarmLine             : off
         WarmLineNum          :
         CallBarring          : off
         CallBarringMode      : None
         CallBarringPin       : 9999
         CallBarringDigitMap  :
         NetPrivacy           : off
         VMWI                 : off
      CODECSETTINGS:
         VAD                  : off
         pTime                : 20
         CodecList            : (0) G.722
                                (1) G.711MuLaw
                                (2) T38
                                (3) NTE
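
An audit of the voice show layout above, added here as an example (it is not code from the original page or from the router vendor): it parses the indented "key : value" output and flags SIP signalling that is not TLS, SRTP that is not Mandatory, and any populated AuthPwd, which this console prints to whoever is logged in. The sample text is constructed from the output above, and the AuthName/AuthPwd values on Account 1 are made up.

```python
import re

# Constructed sample, trimmed from the layout of the `voice show` output above.
# Account 1's AuthName/AuthPwd are made-up values added to exercise the check.
SAMPLE = """\
Global Parameters:
------------------
BoundIfName          : Any_WAN
Management Protocol  : TR69

Service Provider 0:
--------------------
   Locale                  : USA
   DigitMap                : #xx|[2-9]11|x.T
   Log Server Addr         :
   SIP:
      Transport            : UDP
      Timer B ( in ms )    : 32000
      SRTP Usage Option    : Optional

   Account 0:
   -----------
      ActivationStatus        : Disabled
      AuthName                :
      AuthPwd                 :
      CALLFEATURES:
         AnonymousOutgoingCall: off
      CODECSETTINGS:
         CodecList            : (0) G.722
                                (1) G.711MuLaw

   Account 1:
   -----------
      ActivationStatus        : Enabled
      AuthName                : 5550100
      AuthPwd                 : example-secret
"""

# key, the padding before the first colon, and the value after it
LINE = re.compile(r"^\s*(\S.*?)(\s*):\s*(.*)$")


def parse(text):
    """Yield (scope, key, value) for every 'key : value' line."""
    provider = account = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # rulers, blank lines, CodecList continuation lines
        key, pad, value = m.group(1), m.group(2), m.group(3).strip()
        if value == "" and pad == "":
            # Section header ("SIP:", "Account 0:"); empty settings such as
            # "AuthPwd      :" keep their column padding before the colon.
            if key.startswith("Service Provider"):
                provider, account = key, None
            elif key.startswith("Account"):
                account = key
            elif key == "Global Parameters":
                provider = account = None
            continue
        scope = " / ".join(p for p in (provider, account) if p) or "Global"
        yield scope, key, value


def audit(text):
    """Return (scope, message) findings for weak or exposed VoIP settings."""
    findings = []
    for scope, key, value in parse(text):
        if key == "Transport" and value.upper() != "TLS":
            findings.append((scope, f"SIP signalling uses {value}, not TLS"))
        elif key == "SRTP Usage Option" and value != "Mandatory":
            findings.append((scope, f"SRTP is {value}: media encryption is not enforced"))
        elif key == "AuthPwd" and value:
            findings.append((scope, "SIP password is shown in clear on this console"))
    return findings


if __name__ == "__main__":
    for scope, message in audit(SAMPLE):
        print(f"[{scope}] {message}")
```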

wlctl

Hold on to your butts, there's gonna be about 100 pages of output:

 > wlctl
Usage: wlctl [-a|i <adapter>] [-h] [-d|u|x] <command> [arguments]

  -h        this message and command descriptions
  -h [cmd]  command description for cmd
  -a, -i    adapter name or number
  -d        output format signed integer
  -u        output format unsigned integer
  -x        output format hexdecimal

ver     get version information

cmds    generate a short list of available commands

up      reinitialize and mark adapter up (operational)

down    reset and mark adapter down (disabled)

out     mark adapter down but do not reset hardware(disabled)
        On dualband cards, cards must be bandlocked before use.

clk     set board clock state. return error for set_clk attempt if the driver is not down
        0: clock off
        1: clock on

restart Restart driver.  Driver must already be down.

reboot  Reboot platform

radio   Set the radio on or off.
        "on" or "off"

dump    Give suboption "list" to list various suboptions

srclear Clears first 'len' bytes of the srom, len in decimal or hex
        Usage: srclear <len>

srdump  print contents of SPROM to stdout

srwrite Write the srom: srwrite byteoffset value

srcrc   Get the CRC for input binary file

ciswrite
        Write specified <file> to the SDIO CIS source (either SROM or OTP)

cisupdate
        Write a hex byte stream to specified byte offset to the CIS source (either SROM or OTP)
--preview option allows you to review the update without committing it
        <byte offset> <hex byte stream> [--preview]

cisdump Display the content of the SDIO CIS source
        -b <file> -- also write raw bytes to <file>
        <len> -- optional count of bytes to display (must be even)

cis_source
        Display which source is used for the SDIO CIS

cisconvert
        Print CIS tuple for given name=value pair

rdvar   Read a named variable to the srom

wrvar   Write a named variable to the srom

nvram_source
        Display which source is used for nvram

nvram_dump
        print nvram variables to stdout

nvset   set an nvram variable
        name=value (no spaces around '=')

nvget   get the value of an nvram variable

nvram_get
        get the value of an nvram variable

revinfo get hardware revision information

customvar1
        print the value of customvar1 in hex format

msglevel
        set driver console debugging message bitvector
        type 'wl msglevel ?' for values

phymsglevel
        set phy debugging message bitvector
        type 'wl phymsglevel ?' for values

PM      set driver power management mode:
        0: CAM (constantly awake)
        1: PS  (power-save)
        2: FAST PS mode

wake    set driver power-save mode sleep state:
        0: core-managed
        1: awake

promisc set promiscuous mode ethernet address reception
        0 - disable
        1 - enable

monitor set monitor mode
        0 - disable
        1 - enable active monitor mode (interface still operates)

frag    Deprecated. Use fragthresh.

rts     Deprecated. Use rtsthresh.

cwmin   Set the cwmin.  (integer [1, 255])

cwmax   Set the cwmax.  (integer [256, 2047])

srl     Set the short retry limit.  (integer [1, 255])

lrl     Set the long retry limit.  (integer [1, 255])

rate    force a fixed rate:
        valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
        valid values for 802.11b are (1, 2, 5.5, 11)
        valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
        -1 (default) means automatically determine the best rate

mrate   force a fixed multicast rate:
        valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
        valid values for 802.11b are (1, 2, 5.5, 11)
        valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
        -1 (default) means automatically determine the best rate

a_rate  force a fixed rate for the A PHY:
        valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
        -1 (default) means automatically determine the best rate

a_mrate force a fixed multicast rate for the A PHY:
        valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
        -1 (default) means automatically determine the best rate

bg_rate force a fixed rate for the B/G PHY:
        valid values for 802.11b are (1, 2, 5.5, 11)
        valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
        -1 (default) means automatically determine the best rate

bg_mrate
        force a fixed multicast rate for the B/G PHY:
        valid values for 802.11b are (1, 2, 5.5, 11)
        valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
        -1 (default) means automatically determine the best rate

infra   Set Infrastructure mode: 0 (IBSS) or 1 (Infra BSS)

ap      Set AP mode: 0 (STA) or 1 (AP)

bssid   Get the BSSID value, error if STA and not associated

bssmax  get number of BSSes

channel Set the channel:
        valid channels for 802.11b/g (2.4GHz band) are 1 through 14
        valid channels for 802.11a  (5 GHz band) are:
                36, 40, 44, 48, 52, 56, 60, 64,
                100, 104, 108, 112, 116,120, 124, 128, 132, 136, 140,
                149, 153, 157, 161,
                184, 188, 192, 196, 200, 204, 208, 212, 216

cur_mcsset
        Get the current mcs set

chanspecs
        Get all the valid chanspecs (default: all within current locale):
        -b band (5(a) or 2(b/g))
        -w bandwidth, 10,20 or 40
        [-c country_abbrev]

chanspec
        Set <channel>[a,b][n][u,l]
        channel number (0-224)
        band a=5G, b=2G, default to 2G if channel <= 14
        bandwidth, n=10, none for 20 & 40
        ctl sideband, l=lower, u=upper
OR Set channel with legacy format:
        -c channel number (0-224)
        -b band (5(a) or 2(b/g))
        -w bandwidth, 10,20 or 40
        -s ctl sideband, -1=lower, 0=none, 1=upper

dfs_channel_forced
        Set <channel>[a,b][n][u,l]
        channel number (0-224)
        band a=5G, b=2G, default to 2G if channel <= 14
        bandwidth, n=10, non for 20 & 40
        ctl sideband, l=lower, u=upper

tssi    Get the tssi value from radio

txpwr   Set tx power in milliwatts.  Range [1, 84].

txpwr1  Set tx power in in various units. Choose one of (default: dbm):
        -d dbm units
        -q quarter dbm units
        -m milliwatt units
Can be combined with:
        -o turn on override to disable regulatory and other limitations
Use wl txpwr -1 to restore defaults

txpathpwr
        Turn the tx path power on or off on 2050 radios

txpwrlimit
        Return current tx power limit

powerindex
        Set the transmit power for A band(0-63).
        -1 - default value

atten   Set the transmit attenuation for B band. Args: bb radio txctl1.
        auto to revert to automatic control
        manual to supspend automatic control

phyreg  Get/Set a phy register:
        offset [ value ] [ band ]

radioreg
        Get/Set a radio register:
        offset [ value ] [ band/core ]
HTPHY:
        Get a radio register: wl radioreg [ offset ] [ cr0/cr1/cr2 ]
        Set a radio register: wl radioreg [ offset ] [ value ] [ cr0/cr1/cr2/all ]


ucflags Get/Set ucode flags 1, 2, 3(16 bits each)
        offset [ value ] [ band ]

shmem   Get/Set a shared memory location:
        offset [ value ] [band ]

macreg  Get/Set any mac registers(include IHR and SB):
        macreg offset size[2,4] [ value ] [ band ]

ucantdiv
        Enable/disable ucode antenna diversity (1/0 or on/off)

gpioout Set any GPIO pins to any value. Use with caution as GPIOs would be assigned to chipcommon
        Usage: gpiomask gpioval

devpath print device path

jtagureg
        g/set JTAG user registers

coma    Put the router in a catatonic state

pllreset
        set the pll to reset value
        Usage: wl pllreset

pcieserdesreg
        g/set SERDES registers: dev offset [val]

ampdu_activate_test
        actiate

ampdu_tid
        enable/disable per-tid ampdu; usage: wl ampdu_tid <tid> [0/1]

ampdu_retry_limit_tid
        Set per-tid ampdu retry limit; usage: wl ampdu_retry_limit_tid <tid> [0~31]

ampdu_rr_retry_limit_tid
        Set per-tid ampdu regular rate retry limit; usage: wl ampdu_rr_retry_limit_tid <tid> [0~31]

ampdu_send_addba
        send addba to specified ea-tid; usage: wl ampdu_send_addba <tid> <ea>

ampdu_send_delba
        send delba to specified ea-tid; usage: wl ampdu_send_delba <tid> <ea>

ampdu_clear_dump
        clear ampdu counters

dpt_deny
        adds/removes ea to dpt deny list
        usage: wl dpt_deny <add,remove> <ea>

dpt_endpoint
        creates/updates/deletes dpt endpoint for ea
        usage: wl dpt_endpoint <create, update, delete> <ea>

dpt_pmk sets DPT pre-shared key

dpt_fname
        sets/gets DPT friendly name

dpt_list
        gets status of all dpt peers

actframe
        Send a Vendor specific Action frame to a channel
        usage: wl actframe <Dest Mac Addr> <data> channel dwell-time <BSSID>

antdiv  Set antenna diversity for rx
        0 - force use of antenna 0
        1 - force use of antenna 1
        3 - automatic selection of antenna diversity

txant   Set the transmit antenna
        0 - force use of antenna 0
        1 - force use of antenna 1
        3 - use the RX antenna selection that was in force during
            the most recently received good PLCP header

plcphdr Set the plcp header.
        "long" or "auto" or "debug"

phytype Get phy type

rateparam
        set driver rate selection tunables
        arg 1: tunable id
        arg 2: tunable value

wepstatus
        Set or Get WEP status
        wepstatus [on|off]

primary_key
        Set or get index of primary key

addwep  Set an encryption key.  The key must be 5, 13 or 16 bytes long, or
        10, 26, 32, or 64 hex digits long.  The encryption algorithm is
        automatically selected based on the key size. keytype is accepted
        only when key length is 16 bytes/32 hex digits and specifies
        whether AES-OCB or AES-CCM encryption is used. Default is ccm.
        WAPI is selected if key len is 32 and arguments contain wapi.
        addwep <keyindex> <keydata> [ocb | ccm | wapi] [notx] [xx:xx:xx:xx:xx:xx]

rmwep   Remove the encryption key at the specified key index.

keys    Prints a list of the current WEP keys

tsc     Print Tx Sequence Couter for key at specified key index.

wsec_test
        Generate wsec errors
        wsec_test <test_type> <keyindex|xx:xx:xx:xx:xx:xx>
        type 'wl wsec_test ?' for test_types

tkip_countermeasures
        Enable or disable TKIP countermeasures (TKIP-enabled AP only)
        0 - disable
        1 - enable

wsec_restrict
        Drop unencrypted packets if WSEC is enabled
        0 - disable
        1 - enable

eap     restrict traffic to 802.1X packets until 802.1X authorization succeeds
        0 - disable
        1 - enable

cur_etheraddr
        Get/set the current hw address

perm_etheraddr
        Get the permanent address from NVRAM

authorize
        restrict traffic to 802.1X packets until 802.1X authorization succeeds

deauthorize
        do not restrict traffic to 802.1X packets until 802.1X authorization succeeds

deauthenticate
        deauthenticate a STA from the AP with optional reason code (AP ONLY)

wsec    wireless security bit vector
        1 - WEP enabled
        2 - TKIP enabled
        4 - AES enabled
        8 - WSEC in software
        0x80 - FIPS enabled
        0x100 - WAPI enabled

auth    set/get 802.11 authentication type. 0 = OpenSystem, 1= SharedKey, 2=Open/Shared

wpa_auth
        Bitvector of WPA authorization modes:
        1       WPA-NONE
        2       WPA-802.1X/WPA-Professional
        4       WPA-PSK/WPA-Personal
        64      WPA2-802.1X/WPA2-Professional
        128     WPA2-PSK/WPA2-Personal
        0       disable WPA

wpa_cap set/get 802.11i RSN capabilities

set_pmk Set passphrase for PMK in driver-resident supplicant.

scan    Initiate a scan.
        Default to an active scan across all channels for any SSID.
        Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
        Options:
        -s S, --ssid=S          SSIDs to scan
        -t ST, --scan_type=ST   [active|passive|prohibit] scan type
        --bss_type=BT           [bss/infra|ibss/adhoc] bss type to scan
        -b MAC, --bssid=MAC     particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
        -n N, --nprobes=N       number of probes per scanned channel
        -a N, --active=N        dwell time per channel for active scanning
        -p N, --passive=N       dwell time per channel for passive scanning
        -h N, --home=N          dwell time for the home channel between channel scans
        -c L, --channels=L      comma or space separated list of channels to scan

iscan_s Initiate an incremental scan.
        Default to an active scan across all channels for any SSID.
        Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
        Options:
        -s S, --ssid=S          SSIDs to scan
        -t ST, --scan_type=ST   [active|passive|prohibit] scan type
        --bss_type=BT           [bss/infra|ibss/adhoc] bss type to scan
        -b MAC, --bssid=MAC     particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
        -n N, --nprobes=N       number of probes per scanned channel
        -a N, --active=N        dwell time per channel for active scanning
        -p N, --passive=N       dwell time per channel for passive scanning
        -h N, --home=N          dwell time for the home channel between channel scans
        -c L, --channels=L      comma or space separated list of channels to scan

iscan_c Continue an incremental scan.
        Default to an active scan across all channels for any SSID.
        Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
        Options:
        -s S, --ssid=S          SSIDs to scan
        -t ST, --scan_type=ST   [active|passive|prohibit] scan type
        --bss_type=BT           [bss/infra|ibss/adhoc] bss type to scan
        -b MAC, --bssid=MAC     particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
        -n N, --nprobes=N       number of probes per scanned channel
        -a N, --active=N        dwell time per channel for active scanning
        -p N, --passive=N       dwell time per channel for passive scanning
        -h N, --home=N          dwell time for the home channel between channel scans
        -c L, --channels=L      comma or space separated list of channels to scan

scancache_clear
        clear the scan cache

escan   Start an escan.
        Default to an active scan across all channels for any SSID.
        Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
        Options:
        -s S, --ssid=S          SSIDs to scan
        -t ST, --scan_type=ST   [active|passive|prohibit] scan type
        --bss_type=BT           [bss/infra|ibss/adhoc] bss type to scan
        -b MAC, --bssid=MAC     particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
        -n N, --nprobes=N       number of probes per scanned channel
        -a N, --active=N        dwell time per channel for active scanning
        -p N, --passive=N       dwell time per channel for passive scanning
        -h N, --home=N          dwell time for the home channel between channel scans
        -c L, --channels=L      comma or space separated list of channels to scan

escanabort
        Abort an escan.
        Default to an active scan across all channels for any SSID.
        Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
        Options:
        -s S, --ssid=S          SSIDs to scan
        -t ST, --scan_type=ST   [active|passive|prohibit] scan type
        --bss_type=BT           [bss/infra|ibss/adhoc] bss type to scan
        -b MAC, --bssid=MAC     particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
        -n N, --nprobes=N       number of probes per scanned channel
        -a N, --active=N        dwell time per channel for active scanning
        -p N, --passive=N       dwell time per channel for passive scanning
        -h N, --home=N          dwell time for the home channel between channel scans
        -c L, --channels=L      comma or space separated list of channels to scan

passive Puts scan engine into passive mode

regulatory
        Get/Set regulatory domain mode (802.11d). Driver must be down.

spect   Get/Set 802.11h Spectrum Management mode.
        0 - Off
        1 - Loose interpretation of 11h spec - may join non-11h APs
        2 - Strict interpretation of 11h spec - may not join non-11h APs
        3 - Disable 11h and enable 11d
        4 - Loose interpretation of 11h+d spec - may join non-11h APs

scanabort
        Abort a scan.

scanresults
        Return results from last scan.

iscanresults
        Return results from last iscan. Specify a buflen (max 8188)
        to artificially limit the size of the results buffer.
        iscanresults [buflen]

assoc   Print information about current network association.
        (also known as "status")

status  Print information about current network association.
        (also known as "assoc")

disassoc
        Disassociate from the current BSS/IBSS.

channels
        Return valid channels for the current settings.

channels_in_country
        Return valid channels for the country specified.
        Arg 1 is the country abbreviation
        Arg 2 is the band(a or b)

curpower
        Return current tx power settings.
        -q (quiet): estimated power only.

curppr  Return current tx power per rate offset.


txinstpwr
        Return tx power based on instant TSSI

scansuppress
        Suppress all scans for testing.
        0 - allow scans
        1 - suppress scans

evm     Start an EVM test on the given channel, or stop EVM test.
        Arg 1 is channel number 1-14, or "off" or 0 to stop the test.
        Arg 2 is optional rate (1, 2, 5.5 or 11)

rateset Returns or sets the supported and basic rateset, (b) indicates basic
        With no args, returns the rateset. Args are
        rateset "default" | "all" | <arbitrary rateset> -m <arbitrary mcsset>
                default - driver defaults
                all - all rates are basic rates
                arbitrary rateset - list of rates
                arbitrary mcsset - list of mcs rates octets, each bit representing
                                corresponding mcs
        List of rates are in Mbps and each rate is optionally followed
        by "(b)" or "b" for a Basic rate. Example: 1(b) 2b 5.5 11
        At least one rate must be Basic for a legal rateset.

roam_trigger
        Get or Set the roam trigger RSSI threshold:
        Get: roam_trigger [a|b]
        Set: roam_trigger <integer> [a|b|all]
        integer -   0: default
                    1: optimize bandwidth
                    2: optimize distance
            [-1, -99]: dBm trigger value

roam_delta
        Set the roam candidate qualification delta. roam_delta [integer [, a/b]]

roam_scan_period
        Set the roam candidate qualification delta.  (integer)

suprates
        Returns or sets the 11g override for the supported rateset
        With no args, returns the rateset. Args are a list of rates,
        or 0 or -1 to specify an empty rateset to clear the override.
        List of rates are in Mbps, example: 1 2 5.5 11

scan_channel_time
        Get/Set scan channel time

scan_unassoc_time
        Get/Set unassociated scan channel dwell time

scan_home_time
        Get/Set scan home channel dwell time

scan_passive_time
        Get/Set passive scan channel dwell time

scan_nprobes
        Get/Set scan parameter for number of probes to use per channel scanned

prb_resp_timeout
        Get/Set probe response timeout

channel_qa
        Get last channel quality measurment

channel_qa_start
        Start a channel quality measurment

country Select Country Code for driver operational region
        For simple country setting: wl country <country>
        Where <country> is either a long name or country code from ISO 3166; for example "Germany" or "DE"

        For a specific built-in country definition: wl country <built-in> [<advertised-country>]
        Where <built-in> is a country country code followed by '/' and regulatory revision number.
        For example, "US/3".
        And where <advertised-country> is either a long name or country code from ISO 3166.
        If <advertised-country> is omitted, it will be the same as the built-in country code.

        Use 'wl country list [band(a or b)]' for the list of supported countries

country_ie_override
        To set/get country ie

autocountry_default
        Select Country Code for use with Auto Contry Discovery

join    Join a specified network SSID.
        Usage: join <ssid> [key <0-3>:xxxxx] [imode bss|ibss] [amode open|shared|openshared|wpa|wpapsk|wpa2|wpa2psk|wpanone] [options]
        Options:
        -b MAC, --bssid=MAC     BSSID (xx:xx:xx:xx:xx:xx) to scan and join
        -c CL, --chanspecs=CL   chanspecs (comma or space separated list)

ssid    Set or get a configuration's SSID.
        wl ssid [-C num]|[--cfg=num] [<ssid>]
        If the configuration index 'num' is not given, configuraion #0 is assumed and
        setting will initiate an assoication attempt if in infrastructure mode,
        or join/creation of an IBSS if in IBSS mode,
        or creation of a BSS if in AP mode.

mac     Set or get the list of source MAC address matches.
        wl mac xx:xx:xx:xx:xx:xx [xx:xx:xx:xx:xx:xx ...]
        To Clear the list: wl mac none

macmode Set the mode of the MAC list.
        0 - Disable MAC address matching.
        1 - Deny association to stations on the MAC list.
        2 - Allow association to stations on the MAC list.

wds     Set or get the list of WDS member MAC addresses.
        Set using a space separated list of MAC addresses.
        wl wds xx:xx:xx:xx:xx:xx [xx:xx:xx:xx:xx:xx ...]

lazywds Set or get "lazy" WDS mode (dynamically grant WDS membership to anyone).

noise   Get noise (moving average) right after tx in dBm

fqacurcy
        Manufacturing test: set frequency accuracy mode.
        freqacuracy syntax is: fqacurcy <channel>
        Arg is channel number 1-14, or 0 to stop the test.

crsuprs Manufacturing test: set carrier suppression mode.
        carriersuprs syntax is: crsuprs <channel>
        Arg is channel number 1-14, or 0 to stop the test.

longtrain
        Manufacturing test: set longtraining mode.
        longtrain syntax is: longtrain <channel>
        Arg is A band channel number or 0 to stop the test.

band    Returns or sets the current band
        auto - auto switch between available bands (default)
        a - force use of 802.11a band
        b - force use of 802.11b band

bands   Return the list of available 802.11 bands

phylist Return the list of available phytypes

shortslot
        Get current 11g Short Slot Timing mode. (0=long, 1=short)

shortslot_override
        Get/Set 11g Short Slot Timing mode override. (-1=auto, 0=long, 1=short)

shortslot_restrict
        Get/Set AP Restriction on associations for 11g Short Slot Timing capable STAs.
        0 - Do not restrict association based on ShortSlot capability
        1 - Restrict association to STAs with ShortSlot capability

ignore_bcns
        AP only (G mode): Check for beacons without NONERP element(0=Examine beacons, 1=Ignore beacons)

pktcnt  Get the summary of good and bad packets.

upgrade Upgrade the firmware on an embedded device

gmode   Set the 54g Mode (LegacyB|Auto||GOnly|BDeferred|Performance|LRS)

gmode_protection
        Get G protection mode. (0=disabled, 1=enabled)

gmode_protection_control
        Get/Set 11g protection mode control alg.(0=always off, 1=monitor local association, 2=monitor overlapping BSS)

gmode_protection_override
        Get/Set 11g protection mode override. (-1=auto, 0=disable, 1=enable)

protection_control
        Get/Set protection mode control alg.(0=always off, 1=monitor local association, 2=monitor overlapping BSS)

legacy_erp
        Get/Set 11g legacy ERP inclusion (0=disable, 1=enable)

scb_timeout
        AP only: inactivity timeout value for authenticated stas

assoclist
        AP only: Get the list of associated MAC addresses.

isup    Get driver operational state (0=down, 1=up)

rssi    Get the current RSSI val, for an AP you must specify the mac addr of the STA

rssi_event
        Set parameters associated with RSSI event notification
        usage: wl rssi_event <rate_limit> <rssi_levels>
        rate_limit: Number of events posted to application will be limited to 1 per this rate limit. Set to 0 to disable rate limit.
        rssi_levels: Variable number of RSSI levels (maximum 8)  in increasing order (e.g. -85 -70 -60). An event will be posted each time the RSSI of received beacons/packets cross

fasttimer
        Deprecated. Use fast_timer.

slowtimer
        Deprecated. Use slow_timer.

glacialtimer
        Deprecated. Use glacial_timer.

radar   Enable/Disable radar

radarargs
        Get/Set Radar parameters in
        order as version, npulses, ncontig, min_pw, max_pw, thresh0,
        thresh1, blank, fmdemodcfg, npulses_lp, min_pw_lp, max_pw_lp,
        min_fm_lp, max_span_lp, min_deltat, max_deltat,
        autocorr, st_level_time, t2_min, fra_pulse_err, npulses_fra,
        npulses_stg2, npulses_stg3, percal_mask, quant,
        min_burst_intv_lp, max_burst_intv_lp, nskip_rst_lp, max_pw_tol, feature_mask

radarargs40
        Get/Set Radar parameters for 40Mhz channel in
        order as version, npulses, ncontig, min_pw, max_pw, thresh0,
        thresh1, blank, fmdemodcfg, npulses_lp, min_pw_lp, max_pw_lp,
        min_fm_lp, max_span_lp, min_deltat, max_deltat,
        autocorr, st_level_time, t2_min, fra_pulse_err, npulses_fra,
        npulses_stg2, npulses_stg3, percal_mask, quant,
        min_burst_intv_lp, max_burst_intv_lp, nskip_rst_lp, max_pw_tol, feature_mask

radarthrs
        Set Radar threshold for both 20 & 40MHz BW:
        order as thresh0_20_lo, thresh1_20_lo, thresh0_40_lo, thresh1_40_lo
        thresh0_20_hi, thresh1_20_hi, thresh0_40_hi, thresh1_40_hi

dfs_status
        Get dfs status

interference
        Get/Set interference mitigation mode. Choices are:
        0 = none
        1 = non wlan
        2 = wlan manual
        3 = wlan automatic
        4 = wlan automatic with noise reduction

interference_override
        Get/Set interference mitigation override. Choices are:
        0 = no interference mitigation
        1 = non wlan
        2 = wlan manual
        3 = wlan automatic
        4 = wlan automatic with noise reduction
        -1 = remove override, override disabled

frameburst
        Disable/Enable frameburst mode

pwr_percent
        Get/Set power output percentage

toe     Enable/Disable tcpip offload feature

toe_ol  Get/Set tcpip offload components

toe_stats
        Display checksum offload statistics

toe_stats_clear
        Clear checksum offload statistics

arpoe   Enable/Disable arp agent offload feature

arp_ol  Get/Set arp offload components

arp_peerage
        Get/Set age of the arp entry in minutes

arp_table_clear
        Clear arp cache

arp_hostip
        Add a host-ip address or display them

arp_hostip_clear
        Clear all host-ip addresses

arp_stats
        Display ARP offload statistics

arp_stats_clear
        Clear ARP offload statistics

wet     Get/Set wireless ethernet bridging mode

bi      Get/Set the beacon period (bi=beacon interval)

dtim    Get/Set DTIM

wds_remote_mac
        Get WDS link remote endpoint's MAC address

wds_wpa_role_old
        Get WDS link local endpoint's WPA role (old)

wds_wpa_role
        Get/Set WDS link local endpoint's WPA role

authe_sta_list
        Get authenticated sta mac address list

autho_sta_list
        Get authorized sta mac address list

measure_req
        Send an 802.11h measurement request.
        Usage: wl measure_req <type> <target MAC addr>
        Measurement types are: TPC, Basic, CCA, RPI
        Target MAC addr format is xx:xx:xx:xx:xx:xx

quiet   Send an 802.11h quiet command.
        Usage: wl quiet <TBTTs until start>, <duration (in TUs)>, <offset (in TUs)>

csa     Send an 802.11h channel switch anouncement with chanspec:
        <mode> <count> <channel>[a,b][n][u,l]
        mode (0 or 1)
        count (0-254)
        channel number (0-224)
        band a=5G, b=2G
        bandwidth n=10, non for 20 & 40
        ctl sideband, l=lower, u=upper, default no ctl sideband

constraint
        Send an 802.11h Power Constraint IE
        Usage: wl constraint 1-255 db

rm_req  Request a radio measurement of type basic, cca, or rpi
        specify a series of measurement types each followed by options.
        example: wl rm_req cca -c 1 -d 50 cca -c 6 cca -c 11
        Options:
        -t n  numeric token id for measurement set or measurement
        -c n  channel
        -d n  duration in TUs (1024 us)
        -p    parallel flag, measurement starts at the same time as previous

        Each measurement specified uses the same channel and duration as the
        previous unless a new channel or duration is specified.

rm_rep  Get current radio measurement report

join_pref
        Set/Get join target preferences.

assoc_pref
        Set/Get association preference.
Usage: wl assoc_pref [auto|a|b|g]

wme     Set WME (Wireless Multimedia Extensions) mode (0=off, 1=on, -1=auto)

wme_ac  wl wme_ac ap|sta [be|bk|vi|vo [ecwmax|ecwmin|txop|aifsn|acm <value>] ...]

wme_apsd
        Set APSD (Automatic Power Save Delivery) mode on AP (0=off, 1=on)

wme_apsd_sta
        Set APSD parameters on STA. Driver must be down.
Usage: wl wme_apsd_sta <max_sp_len> <be> <bk> <vi> <vo>
   <max_sp_len>: number of frames per USP: 0 (all), 2, 4, or 6
   <xx>: value 0 to disable, 1 to enable U-APSD per AC

wme_dp  Set AC queue discard policy.
Usage: wl wme_dp <be> <bk> <vi> <vo>
   <xx>: value 0 for newest-first, 1 for oldest-first

wme_counters
        print WMM stats

wme_clear_counters
        clear WMM counters

wme_tx_params
        wl wme_tx_params [be|bk|vi|vo [short|sfb|long|lfb|max_rate <value>] ...]

wme_maxbw_params
        wl wme_maxbw_params [be|bk|vi|vo <value> ....]

lifetime
        Set Lifetime parameter (milliseconds) for each ac. wl lifetime be|bk|vi|vo [<value>]

lifetime
        Set Lifetime parameter (milliseconds) for each ac.
wl lifetime be|bk|vi|vo [<value>]

reinit  Reinitialize device

sta_info
        wl sta_info <xx:xx:xx:xx:xx:xx>

cap     driver capabilities

malloc_dump
        Deprecated. Folded under 'wl dump malloc

chan_info
        channel info

add_ie  Add a vendor proprietary IE to 802.11 management packets
Usage: wl add_ie <pktflag> length OUI hexdata
<pktflag>: Bit 0 - Beacons
           Bit 1 - Probe Rsp
           Bit 2 - Assoc/Reassoc Rsp
           Bit 3 - Auth Rsp
           Bit 4 - Probe Req
           Bit 5 - Assoc/Reassoc Req
Example: wl add_ie 3 10 00:90:4C 0101050c121a03
         to add this IE to beacons and probe responses

del_ie  Delete a vendor proprietary IE from 802.11 management packets
Usage: wl del_ie <pktflag> length OUI hexdata
<pktflag>: Bit 0 - Beacons
           Bit 1 - Probe Rsp
           Bit 2 - Assoc/Reassoc Rsp
           Bit 3 - Auth Rsp
           Bit 4 - Probe Req
           Bit 5 - Assoc/Reassoc Req
Example: wl del_ie 3 10 00:90:4C 0101050c121a03

list_ie Dump the list of vendor proprietary IEs

rand    Get a 2-byte Random Number from the MAC's PRNG
Usage: wl rand

otpw    Write an srom image to on-chip otp
Usage: wl otpw file

nvotpw  Write nvram to on-chip otp
Usage: wl nvotpw file

bcmerrorstr
        errorstring

freqtrack
        Set Frequency Tracking Mode (0=Auto, 1=On, 2=OFF)

eventing
        set/get 128-bit hex filter bitmask for MAC event reporting up to application layer

event_msgs
        set/get 128-bit hex filter bitmask for MAC event reporting via packet indications

counters
        Return driver counter values

bsscounters
        Return/reset BSS counter values
        wl bsscounters [-C num]|[--cfg=num]
        If the configuration index 'num' is not given, configuraion #0 is assumed.


delta_stats_interval
        set/get the delta statistics interval in seconds (0 to disable)

delta_stats
        get the delta statistics for the last interval

assoc_info
        Returns the assoc req and resp information [STA only]

autochannel
        auto channel selection:
        1 to issue a channel scanning;
        2 to set chanspec based on the channel scan result;
        without argument to only show the chanspec selected;
        ssid must set to null before this process, RF must be up

csscantimer
        auto channel scan timer in minutes (0 to disable)

closed  hides the network from active scans, 0 or 1.
        0 is open, 1 is hide

pmkid_info
        Returns the pmkid table

abminrate
        get/set afterburner minimum rate threshold

bss     set/get BSS enabled status: up/down

closednet
        set/get BSS closed network attribute

ap_isolate
        set/get AP isolation

eap_restrict
        set/get EAP restriction

diag    diag testindex(1-interrupt, 2-loopback, 3-memory, 4-led); precede by 'wl down' and follow by 'wl up'

reset_d11cnts
        reset 802.11 MIB counters

staname get/set station name:
        Maximum name length is 15 bytes

apname  get AP name

otpdump Dump raw otp

otpstat Dump OTP status

nrate   -r legacy rate (CCK, OFDM)-m mcs index-s stf mode (0=SISO,1=CDD,2=STBC(not supported),3=SDM)-w Override mcs only to support STA's with/without STBC capability

mimo_txbw
        get/set mimo txbw (2=20Mhz(lower), 3=20Mhz upper, 4=40Mhz, 5=40Mhz dup<mcs32 only)

cac_addts
        add TSPEC, error if STA is not associated or WME is not enabled
        arg: TSPEC parameter input list

cac_delts
        delete TSPEC, error if STA is not associated or WME is not enabled
        arg: TSINFO for the target tspec

cac_delts_ea
        delete TSPEC, error if STA is not associated or WME is not enabled
        arg1: Desired TSINFO for the target tspec
        arg2: Desired MAC address

cac_tslist
        Get the list of TSINFO in driver
        eg. 'wl cac_tslist' get a list of TSINFO

cac_tslist_ea
        Get the list of TSINFO for given STA in driver
        eg. 'wl cac_tslist_ea ea' get a list of TSINFO

cac_tspec
        Get specific TSPEC with matching TSINFO
        eg. 'wl cac_tspec 0xaa 0xbb 0xcc' where 0xaa 0xbb & 0xcc are TSINFO octets

cac_tspec_ea
        Get specific TSPEC for given STA with matching TSINFO
        eg. 'wl cac_tspec 0xaa 0xbb 0xcc xx:xx:xx:xx:xx:xx'
            where 0xaa 0xbb & 0xcc are TSINFO octets and xx is mac address

phy_txpwrindex
        usage: (set) phy_txpwrindex core0_idx core1_idx core2_idx core3_idx       (get) phy_txpwrindex, return format: core0_idx core1_idx core2_idx core3_idxSet/Get txpwrindex

phy_test_tssi
        wl phy_test_tssi val

phy_test_tssi_offs
        wl phy_test_tssi_offs val

phy_rssiant
        wl phy_rssiant antindex(0-3)

phy_rssi_ant
        Get RSSI per antenna (only gives RSSI of current antenna for SISO PHY)

lpphy_papdepstbl
        print papd eps table; Usage: wl lpphy_papdepstbl

rifs    set/get the rifs status; usage: wl rifs <1/0> (On/Off)

rifs_advert
        set/get the rifs mode advertisement status; usage: wl rifs_advert <-1/0> (Auto/Off)

phy_rxiqest
        Get phy RX IQ noise in dBm:
        -s # of samples (2^n)
        -a antenna select, 0,1 or 3
        -r resolution select, 0 (coarse) or 1 (fine)
        -f lpf hpc override select, 0 (hpc unchanged) or 1 (overridden to lowest value)
        -g gain-correction select, 0 (disable) or 1 (enable)

phy_txiqcc
        usage: phy_txiqcc [a b]
Set/get the iqcc a, b values

phy_txlocc
        usage: phy_txlocc [di dq ei eq fi fq]
Set/get locc di dq ei eq fi fq values

phytable
        usage: wl phytable table_id offset width_of_table_element [table_element]
Set/get table element of a table with the given ID at the given offset
Note that table width supplied should be 8 or 16 or 32
table ID, table offset can not be negative

pavars  Set/get temp PA parameters
usage: wl down
       wl pavars pa2gw0a0=0x1 pa2gw1a0=0x2 pa2gw2a0=0x3 ...
       wl pavars
       wl up
  override the PA parameters after driver attach(srom read), before diver up
  These override values will be propogated to HW when driver goes up
  PA parameters in one band range (2g, 5gl, 5g, 5gh) must all present if
  one of them is specified in the command, otherwise it will be filled with 0

pavars2 Set/get temp PA parameters. Extended cmd of pavars
usage: wl down
       wl pavars2 pa2gw0a0=0x1 pa2gw1a0=0x2 pa2gw2a0=0x3 ...
       wl pavars2
       wl up
  override the PA parameters after driver attach(srom read), before diver up
  These override values will be propogated to HW when driver goes up
  PA parameters in one band range (2g, 5gl, 5g, 5gh) must all present if
  one of them is specified in the command, otherwise it will be filled with 0

povars  Set/get temp power offset
usage: wl down
       wl povars cck2gpo=0x1 ofdm2gpo=0x2 mcs2gpo=0x3 ...
       wl povars
       wl up
  override the power offset after driver attach(srom read), before diver up
  These override values will be propogated to HW when driver goes up
  power offsets in one band range (2g, 5gl, 5g, 5gh) must all present if
  one of them is specified in the command, otherwise it will be filled with 0  cck(2g only), ofdm, and mcs(0-7) for NPHY are supported

fem     Set temp fem2g/5g value
usage: wl fem (tssipos2g=0x1 extpagain2g=0x2 pdetrange2g=0x1 triso2g=0x1 antswctl2g=0)
        (tssipos5g=0x1 extpagain5g=0x2 pdetrange5g=0x1 triso5g=0x1 antswctl5g=0)

antgain Set temp ag0/1 value
usage: wl antgain ag0=0x1 ag1=0x2

maxpower
        Set temp maxp2g(5g)a0(a1) value
usage: wl maxpower maxp2ga0=0x1 maxp2ga1=0x2 maxp5ga0=0xff maxp5ga1=0xff
       maxp5gla0=0x3 maxp5gla1=0x4 maxp5gha0=0x5 maxp5gha1=0x6

phy_antsel
        get/set antenna configuration
        set: -1(AUTO), 0xAB(fixed antenna selection)
                where A and B is the antenna numbers used for RF chain 1 and 0 respectively
        query: <utx>[AUTO] <urx>[AUTO] <dtx>[AUTO] <drx>[AUTO]
                where utx = TX unicast antenna configuration
                        urx = RX unicast antenna configuration
                        dtx = TX default (non-unicast) antenna configuration
                        drx = RX default (non-unicast) antenna configuration


txcore  Usage: wl txcore -k <CCK core mask> -o <OFDM core mask> -s <1..4> -c <core bitmap>
        -k CCK core mask
        -o OFDM core mask
        -s # of space-time-streams
        -c active core (bitmask) to be used when transmitting frames


txcore_override
        Usage: wl txcore_override
        get the user override of txcore


txchain_pwr_offset
        Usage: wl txchain_pwr_offset [qdBm offsets]
        Get/Set the current offsets for each core in qdBm (quarter dBm)


sample_collect
        Optional parameters HTPHY/(NPHY with NREV >= 7) are:
        -f File name to dump the sample buffer (default "sample_collect.dat")
        -t Trigger condition (default now)
                 now, good_fcs, bad_fcs, bad_plcp, crs, crs_glitch, crs_deassert
        -b PreTrigger duration in us (default 10)
        -a PostTrigger duration in us (default 10)
        -m Sample collect mode (default 1)
                 HTPHY: 0=adc, 1..3=adc+rssi, 4=gpio
                 NPHY: 1=Dual-Core adc[9:2], 2=Core0 adc[9:0], 3=Core1 adc[9:0], gpio=gpio
        -g GPIO mux select (default 0)
                 use only for gpio mode
        -d Downsample enable (default 0)
                 use only for HTPHY
        -e BeDeaf enable (default 0)
        -i Timeout in units of 10us (default 1000)
Optional parameters (NPHY with NREV < 7) are:
        -f File name to dump the sample buffer (binary format, default "sample_collect.dat")
        -u Sample collect duration in us (default 60)
        -c Cores to do sample collect, only if BW=40MHz (default both)
For (NREV < 7), the NPHY buffer returned has the format:
        In 20MHz [(uint16)num_bytes, <I(core0), Q(core0), I(core1), Q(core1)>]
        In 40MHz [(uint16)num_bytes(core0), <I(core0), Q(core0)>,
                (uint16)num_bytes(core1), <I(core1), Q(core1)>]

txfifo_sz
        set/get the txfifo size; usage: wl txfifo_sz <fifonum> <size_in_bytes>

rate_histo
        Get rate hostrogram

pkteng_start
        start packet engine tx usage: wl pkteng_start <xx:xx:xx:xx:xx:xx> <tx|txwithack> [(async)|sync] [ipg] [len] [nframes] [src]
        start packet engine rx usage: wl pkteng_start <xx:xx:xx:xx:xx:xx> <rx|rxwithack> [(async)|sync] [rxframes] [rxtimeout]
        sync: synchronous mode
        ipg: inter packet gap in us
        len: packet length
        nframes: number of frames; 0 indicates continuous tx test
        src: source mac address
        rxframes: number of receive frames (sync mode only)
        rxtimeout: maximum timout in msec (sync mode only)

pkteng_stop
        stop packet engine; usage: wl pkteng_stop <tx|rx>

pkteng_stats
        packet engine stats; usage: wl pkteng_stats

wowl    Enable/disable WOWL events
  0   - Clear all events
Bit 0 - Wakeup on Magic Packet
Bit 1 - Wakeup on NetPattern (use 'wl wowl_pattern' to configure pattern)
Bit 2 - Wakeup on loss-of-link due to Disassociation/Deauth
Bit 3 - Wakeup on retrograde tsf
Bit 4 - Wakeup on loss of beacon (use 'wl wowl_bcn_loss' to configure time)

wowl_bcn_loss
        Set #of seconds of beacon loss for wakeup event

wowl_pattern
        usage: wowl_pattern [ [clr | [[ add | del ] offset mask value ]]]
No options -- lists existing pattern list
add -- Adds the pattern to the list
del -- Removes a pattern from the list
clr -- Clear current list
offset -- Starting offset for the pattern
mask -- Mask to be used for pattern. Bit i of mask => byte i of the pattern
value -- Value of the pattern

wowl_wakeind
        usage: wowl_wakeind [clear]
Shows last system wakeup event indications from PCI and D11 cores
clear - Clear the indications

wowl_status
        usage: wowl_status [clear]
Shows last system wakeup setting

wowl_pkt
        Send a wakeup frame to wakup a sleeping STA in WAKE mode
Usage: wl wowl_pkt <len> <dst ea | bcast | ucast <STA ea>>[ magic [<STA ea>] | net <offset> <pattern>]
e.g. To send bcast magic frame -- wl wowl_pkt 102 bcast magic 00:90:4c:AA:BB:CC
     To send ucast magic frame -- wl wowl_pkt 102 ucast 00:90:4c:aa:bb:cc magic
     To send a frame with L2 unicast - wl wowl_pkt 102 00:90:4c:aa:bb:cc net 0 0x00904caabbcc
 NOTE: offset for netpattern frame starts from "Dest EA" of ethernet frame.So dest ea will be used only when offset is >= 6

wme_apsd_trigger
        Set Periodic APSD Trigger Frame Timer timeout in ms (0=off)

wme_autotrigger
        Enable/Disable sending of APSD Trigger frame when all ac are delivery enabled

reassoc Initiate a (re)association request.
        Usage: wl reassoc <bssid> [options]
        Options:
        -c CL, --chanspecs=CL   chanspecs (comma or space separated list)

send_nulldata
        Sed a null frame to the specified hw address

btc_params
        g/set BT Coex parameters

btc_flags
        g/set BT Coex flags

obss_scan_params
        set/get Overlapping BSS scan parameters
Usage: wl obss_scan a b c d e ...; where
        a-Passive Dwell, {5-1000TU}, default = 100
        b-Active Dwell, {10-1000TU}, default = 20
        c-Width Trigger Scan Interval, {10-900sec}, default = 300
        d-Passive Total per Channel, {200-10000TU}, default = 200
        e-Active Total per Channel, {20-1000TU}, default = 20
        f-Channel Transition Delay Factor, {5-100}, default = 5
        g-Activity Threshold, {0-100%}, default = 25

keep_alive
        Send specified "keep-alive" packet periodically.
        Usage: wl keep_alive <period> <packet>
                period: Re-transmission period in milli-seconds. 0 to disable packet transmits.
                packet: Hex packet contents to transmit. The packet contents should include the entire ethernet packet (ethernet header, IP header, UDP header, and UDP payload) specified in network byte order.

        e.g. Send keep alive packet every 30 seconds:
        wl keep_alive 30000 0x0014a54b164f000f66f45b7e08004500001e000040004011c52a0a8830700a88302513c413c4000a00000a0d

srchmem g/set ucode srch engine memory

pkt_filter_add
        Install a packet filter.
        Usage: wl pkt_filter_add <id> <polarity> <type> <offset> <bitmask> <pattern>
        id:       Integer. User specified id.
        type:     0 (Pattern matching filter).
        offset:   Integer. Offset within received packets to start matching.
        polarity: Set to 1 to negate match result. 0 is default.
        bitmask:  Hex bitmask that indicates which bits of 'pattern' to match. Must be same
                size as 'pattern'. Bit 0 of bitmask corresponds to bit 0 of pattern, etc.
                If bit N of bitmask is 0, then do *not* match bit N of the pattern with
                the received payload. If bit N of bitmask is 1, then perform match.
        pattern:  Hex pattern to match.

pkt_filter_clear_stats
        Clear packet filter statistic counter values.
        Usage: wl pkt_filter_clear_stats <id>

pkt_filter_enable
        Enable/disable a packet filter.
        Usage: wl pkt_filter_enable <id> <0|1>

pkt_filter_list
        List installed packet filters.
        Usage: wl pkt_filter_list [val]
        val: 0 (disabled filters) 1 (enabled filters)

pkt_filter_mode
        Set packet filter match action.
        Usage: wl pkt_filter_mode <value>
        value: 1 - Forward packet on match, discard on non-match (default).
               0 - Discard packet on match, forward on non-match.

pkt_filter_delete
        Uninstall a packet filter.
        Usage: wl pkt_filter_delete <id>

pkt_filter_stats
        Retrieve packet filter statistic counter values.
        Usage: wl pkt_filter_stats <id>

seq_start
        Initiates command batching sequence. Subsequent IOCTLs will be queued until
seq_stop is received.

seq_stop
        Defines the end of command batching sequence. Queued IOCTLs will be executed.

seq_delay
        Driver should spin for the indicated amount of time.
It is only valid within the context of batched commands.

seq_error_index
        Used to retrieve the index (starting at 1) of the command that failed within a batch

bmac_reboot
        Reboot BMAC

txmcsset
        get Transmit MCS rateset for 11N device

rxmcsset
        get Receive MCS rateset for 11N device

mimo_ss_stf
        get/set SS STF mode.
        Usage: wl mimo_ss_stf <value> <-b a | b>
        value: 0 - SISO; 1 - CDD
        -b(band): a - 5G; b - 2.4G

assoclistinfo
        AP only: Get the list of yet another form of associated station info

scblist AP only: Get STA list

assertlog
        get external assert logs
        Usage: wl assertlog

assert_type
        set/get the asset_bypass flag; usage: wl assert_type <1/0> (On/Off)

ledbh   set/get led behavior
        Usage: wl ledbh [0-3] [0-15]

obss_coex_action
        send OBSS 20/40 Coexistence Mangement Action Frame
        Usage: wl obss_coex_action -i <1/0> -w <1/0> -c <channel list>
         -i: 40MHz intolerate bit; -w: 20MHz width Req bit;
         -c: channel list, 1 - 14
         At least one option must be provided

chanim_state
        get channel interference state
        Usage: wl chanim_state channel
        Valid channels: 1 - 14
        returns: 0 - Acceptable; 1 - Severe

chanim_mode
        get/set channel interference measure (chanim) mode
        Usage: wl chanim_mode <value>
        value: 0 - disabled; 1 - detection only; 2 - detection and avoidance

ledbh   set/get led behavior
        Usage: wl ledbh [0-3] [0-15]

led_blink_sync
        set/get led_blink_sync
        Usage: wl led_blink_sync [0-3] [0/1]

cca_get_stats
        Usage: wl cca_stats [-c channel] [-s num seconds][-a]
         -c channel: Optional. specify channel. 0 = All channels. Default = current channel
         -s num_seconds: Optional. Default = 10, Max = 60
         -i: list individual measurements in addition to the averages
         -curband: Only recommend channels on current band

itfr_get_stats
        get interference source information

itfr_enab
        get/set STA interference detection mode(STA only)
         0  - disable
         1  - enable maual detection
         2  - enable auto detection

itfr_detect
        issue an interference detection request

smfstats
        get/clear selected management frame (smf) stats wl smfstats [-C num]|[--cfg=num] [auth]|[assoc]|[reassoc]|[clear]
        clear - to clear the stats

manfinfo
        show chip package info in OTP

rrm_nbr_req
        send 11k neighbor report measurement request
        Usage: wl rrm_nbr_req [ssid]

wnm_bsstq
        send 11v BSS transition management query
        Usage: wl wnm_bsstq [ssid]

pm_dur  Retrieve accumulated PM duration information (GET) or clear accumulator (SET)
        Usage: wl pm_dur <any-number-to-clear>

mpc_dur Retrieve accumulated MPC duration information in ms (GET) or clear accumulator (SET)
        Usage: wl mpc_dur <any-number-to-clear>

chanim_acs_record
        get the auto channel scan record.
         Usage: wl acs_record

dngl_wd enable or disable dongle watchdog timer
        Usage: wl dngl_wd <on/off>(to turn on\off) <exptime in sec>

tsf     set/get tsf register
        Usage: wl tsf [<high> <low>]

tpc_mode
        Enable/disable AP TPC.
Usage: wl tpc_mode <mode>
        0 - disable, 1 - BSS power control, 2 - AP power control, 3 - Both (1) and (2)


tpc_period
        Set AP TPC periodicity in secs.
Usage: wl tpc_period <secs>


tpc_lm  Get current link margins.


mfp_config
        Config PMF capability
        usage: wl mfp 0/disable, 1/capable, 2/requred

mfp_sha256
        Config SHA256 capability
        usage: wl sha256 0/disable, 1/enable

mfp_sa_query
        Send a sa query req/resp to a peer
        usage: wl mfp_sa_query flag action id

mfp_disassoc
        send bogus disassoc
Usage: wl mfp_disassoc


mfp_deauth
        send bogus deauth
        Usage: wl mfp_dedauth


mfp_assoc
        send assoc
Usage: wl mfp_assoc


mfp_auth
        send auth
        Usage: wl mfp_auth


mfp_reassoc
        send reassoc
Usage: wl mfp_reassoc


monitor_lq
        Start/Stop monitoring link quality metrics - RSSI and SNR
        Usage: wl monitor_lq <0: turn off / 1: turn on


monitor_lq_status
        Returns averaged link quality metrics - RSSI and SNR values

scb_probe
        Set probing parameters for inactive clients.
        <timout in seconds> <activity_time in seconds> <max number of probes>

rpmt    rpmt <pm1-to> <pm0-to>


spatial_policy
        set/get spatial_policy
        Usage: wl spatial_policy <-1: auto / 0: turn off / 1: turn on>
               to control individual band/sub-band use
               wl spatial_policy a b c d e
               where a is 2.4G band setting
               where b is 5G lower band setting
               where c is 5G middle band setting
               where d is 5G high band setting
               where e is 5G upper band setting


ratetbl_ppr
        Usage: For get: wl ratetbl_ppr
             For set: wl ratetbl_ppr <rate> <ppr>


ie      set/get IE
Usage for set: wl ie type length hexdata
Example: wl ie 107 9 02020800904c09215c
         to set IW IE with length 9
Usage for get: wl ie type
Example: wl ie 107
         to get current IW IE

wan

The wan utility prints information about network interfaces. The output is hard to read until you know exactly what hardware is onboard: there are actually multiple wired and wireless interfaces.

Below, you can see there is only one interface, ppp0.1, enabled and connected to the internet at an external IP address of 397.113.19.219:

 > wan show
VCC     Con.    Service         Interface       Proto.  IGMP    MLD     Status          IP
        ID      Name            Name                                                    address
0.0.36  1       br_0_0_36       atm0            Bridged Disable Disable Unconfigured
0.0.37  1       br_0_0_37       atm1            Bridged Disable Disable Unconfigured
0.0.38  1       br_0_0_38       atm2            Bridged Disable Disable Unconfigured
0.0.39  1       br_0_0_39       atm3            Bridged Disable Disable Unconfigured
0.0.40  1       br_0_0_40       atm4            Bridged Disable Disable Unconfigured
0.0.41  1       br_0_0_41       atm5            Bridged Disable Disable Unconfigured
0.0.42  1       br_0_0_42       atm6            Bridged Disable Disable Unconfigured
N/A     2       ipoe_.201       eth5.2          IPoE    Enable  Disable Unconfigured    0.0.0.0
N/A     3       ipoe_.201       eth5.3          IPoE    Enable  Disable Unconfigured    0.0.0.0
N/A     4       ipoe_.0         eth5.4          IPoE    Enable  Disable Unconfigured    0.0.0.0
N/A     5       ipoe_.0         eth5.5          IPoE    Enable  Disable Unconfigured    0.0.0.0
N/A     6       ipoe_           eth5.6          IPoE    Enable  Disable Unconfigured    0.0.0.0
N/A     7       ipoe_           eth5.7          IPoE    Enable  Disable Unconfigured    0.0.0.0
N/A     1       pppoe_.201      ppp0.1          PPPoE   Enable  Disable Connected       397.113.19.219
N/A     8       pppoe_          ppp1.8          PPPoE   Disable Disable Unconfigured
 >

image server

This utility flashes firmware by pulling the image from an external server, instead of uploading the bin file via the web interface:

> imageServer

Usage: imageServer URL, such as imageServer 192.168.0.6:7547/dl/firmware

pm

Port mirroring/monitoring service, which copies traffic from a monitor port to one of the Ethernet mirror ports:

 > pm

Usage: pm clean
       pm show
       pm enable  <monitor port> <mirror port>
       pm disable <monitor port> <mirror port>
       pm delete  <monitor port> <mirror port>
       monitor port: Eth1, Eth2, Eth3, Eth4, lan-all, all-eths
                     all-lan-wan, wan, ptm0, dslwan
                     atm0 ... atm999, vlan1 ... vlan4094
                     gbwan, ethwan, eth5
        mirror port: Eth1, Eth2, Eth3, Eth4

   <<< NOTES For monitor port >>>
            1) if you do not know what type of WAN (Eth or Dsl),
               just set it to wan.
            2) if you do not know the DSL VLAN id or ATM PVC number
               just set it to dslwan or wan.
            3) gbwan, ethwan and eth5 are exchangable, you can use any one
               of them to monitor gigabit wan port (White jack).

led

Utility to control the LEDs on the front of the router.

 > led
Usage: led <alloff | allon | allred | allamber]>
Examples:
  led allon: turns all LEDs on
  led alloff: turns all LEDs off
  led allred: turns all LEDs red
  led allamber: turns all LEDs amber
Note: Ethernet, HPNA and USB LEDs don't support
  red or amber.  They could be either on, off or blinkiing
  when either 'led allamber' or 'led allred' command is given

nmap scan

$ nmap -A 97.113.9.219

Starting Nmap 6.47 ( http://nmap.org ) at 2016-09-03 03:37 PDT
Nmap scan report for 97-113-9-219.tukw.qwest.net (397.113.19.219)
Host is up (0.11s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE              VERSION
23/tcp   open     telnet               Broadcom BCM963268 ADSL router telnetd
25/tcp   filtered smtp
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
465/tcp  filtered smtps
587/tcp  filtered submission
1050/tcp filtered java-or-OTGfileshare
4567/tcp open     tram?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port4567-TCP:V=6.47%I=7%D=9/3%Time=57CAA829%P=x86_64-apple-darwin14.3.0
SF:%r(FourOhFourRequest,3A,"HTTP/1\.1\x20401\x20Authorization\x20Required\
SF:r\nContent-Length:\x200\r\n\r\n");
Service Info: Device: broadband router; CPE: cpe:/h:broadcom:bcm963268

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.43 seconds
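
The scan above leaves port 4567 unidentified ("tram?"), but the wrapped SF: fingerprint lines already contain what the service answered. The following Python sketch is an added example, not part of the original page: it pulls the open ports out of the port table, rejoins and unescapes the fingerprint, and lists the open telnet console and the unidentified listener with its reply. The function names and the embedded sample (rows copied from the scan above) are assumptions made for illustration.

```python
import re
# Constructed sample: port-table rows and fingerprint lines copied from the scan above.
SCAN = r'''23/tcp   open     telnet               Broadcom BCM963268 ADSL router telnetd
1050/tcp filtered java-or-OTGfileshare
4567/tcp open     tram?
SF-Port4567-TCP:V=6.47%I=7%D=9/3%Time=57CAA829%P=x86_64-apple-darwin14.3.0
SF:%r(FourOhFourRequest,3A,"HTTP/1\.1\x20401\x20Authorization\x20Required\
SF:r\nContent-Length:\x200\r\n\r\n");
'''

ROW = re.compile(r'(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)')
PROBE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)')
SIMPLE = {'r': '\r', 'n': '\n', 't': '\t', '0': '\0'}

def open_ports(text):
    """Map each open port number to (service guess, version string)."""
    rows = (ROW.match(line) for line in text.splitlines())
    return {int(m[1]): (m[4], m[5]) for m in rows if m and m[3] == 'open'}

def unescape(body):
    """Undo fingerprint escaping: hex bytes, CR/LF/TAB/NUL, backslash-quoted punctuation."""
    def repl(m):
        e = m[1]
        return chr(int(e[1:], 16)) if len(e) == 3 else SIMPLE.get(e, e)
    return ESCAPE.sub(repl, body)

def fingerprints(text):
    """Return {port: {probe name: decoded response}} from the wrapped SF lines."""
    joined, port = {}, None
    for line in text.splitlines():
        if line.startswith('SF-Port'):
            port = int(re.match(r'SF-Port(\d+)-', line)[1])
            joined[port] = line
        elif line.startswith('SF:') and port is not None:
            joined[port] += line[3:]  # a wrap can split an escape such as \r
    return {p: {name: unescape(body) for name, _len, body in PROBE.findall(fp)}
            for p, fp in joined.items()}

def review(text):
    """List open telnet consoles and unidentified listeners with what they answered."""
    fps, notes = fingerprints(text), []
    for port, (svc, ver) in sorted(open_ports(text).items()):
        if svc == 'telnet':
            notes.append(f'port {port}: telnet open, cleartext console ({ver})')
        elif svc.endswith('?'):
            reply = next(iter(fps.get(port, {}).values()), '').split('\r\n')[0]
            notes.append(f'port {port}: unidentified ({svc}), replied {reply!r}')
    return notes
```

Calling review(SCAN) reports the telnet console on port 23 and shows that the listener on 4567 is an HTTP server answering 401 Authorization Required; the decoded reply is 0x3A bytes long, matching the length field in the fingerprint.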