Technicolor C2100T
From charlesreid1
Links
Firmware download:
Datasheet: http://internethelp.centurylink.com/internethelp/pdf/modems/datasheet-c2100t.pdf
Info about FCC testing: https://fccid.io/RSE-C2100T#exhibits
DSLReports forums: https://www.dslreports.com/forum/centurylink
This kind of explains the port 1050 thing (Java or OTG file share). Keyword was "Corba" management: https://docs.oracle.com/cd/E17984_01/doc.898/e14696/java_connector.htm
Chipset: BCM963268 Broadband Router
Attack vector:
- Possible ADSL attack vector: http://bundlr.com/clips/5376055378cc8710a00003bc
- Boils down to an nmap command to look for open port 80 on a huge block of IP addresses
Linux: $ nmap -sS -sV -vv -n -Pn -T5 A.B.C.D -p80 -oG -
Mac: $ nmap -sS -sV -vv -n -Pn -T5 A.B.C.D -p80 -oG -
Telnet
Telnet access:
- Log in to the router through the admin page
- Advanced setup
- Remote console
- Enable telnet from WAN or LAN
NOTE: THIS IS REALLY REALLY FREAKING IMPORTANT: When you turn on telnet, it turns it on from BOTH sides - internal and external. Don't leave it on, or else your telnet server will get hammered, a hacker will obtain root access, your router firmware will get flashed with a malicious binary, traffic sniffers will be installed, people will spy on you using your webcam, your bank accounts will be emptied, life as you know it will come to a screeching halt, etc. etc. etc.
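One way to confirm the remote console is really off again on both sides after a session, as an added example (not from the original page). It assumes telnet listens on the default TCP port 23; the addresses in the usage section are placeholders, and the WAN-side probe only means something when run from a host outside your own network.

```python
import socket

IAC = 0xFF  # Telnet "Interpret As Command" byte that opens option negotiation (RFC 854)


def probe_telnet(host, port=23, timeout=3.0):
    """Classify one TCP endpoint.

    'unreachable' - connection refused, filtered or timed out
    'telnet'      - port open and the peer starts Telnet option negotiation
    'open-other'  - port open, peer sent something else (e.g. a bare login banner)
    'open-silent' - port open, nothing received before the timeout
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            first = sock.recv(64)
        except OSError:  # includes socket.timeout while waiting for data
            return "open-silent"
    if first[:1] == bytes([IAC]):
        return "telnet"
    return "open-other" if first else "open-silent"


def remote_console_exposure(targets, timeout=3.0):
    """targets maps a label to (host, port); returns (states, labels still reachable)."""
    states = {label: probe_telnet(host, port, timeout)
              for label, (host, port) in targets.items()}
    reachable = sorted(label for label, state in states.items() if state != "unreachable")
    return states, reachable


if __name__ == "__main__":
    # Placeholder addresses: substitute the router's LAN address and its public address.
    targets = {"lan": ("192.168.0.1", 23), "wan": ("203.0.113.10", 23)}
    states, reachable = remote_console_exposure(targets)
    for label, state in states.items():
        print(f"{label}: {state}")
    if reachable:
        print("Remote console still reachable from:", ", ".join(reachable))
```

Any state other than `unreachable` means something is still answering on that side, whether or not it negotiates like a telnet daemon.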
Telnet Commands
Logging in and typing a question mark for help shows all the available commands:
> ?
?
help
logout
exit
quit
reboot
env_list
autodetect
adsl
xdslctl0
xdslctl1
loglevel
meminfo
dnsproxy
ping
voice
dect
wlctl
lanhosts
passwd
restoredefault
save
swversion
uptime
cfgupdate
swupdate
exitOnIdle
wan
igmp
imageServer
pm
led
wpsbtn
snoop_on
snoop_off
These commands provide lots of information about the router. Here's a brief rundown:
- env_list - lists all environmental variables, including _PROD_SERIAL_NBR, _BOOTLOADER_VERSION, _WL0_WEPKEY_SERIAL, _WL0_WPAKEY_SERIAL, _WL0_PIN_SERIAL
- autodetect - sets parameters (start_delay, cycle_delay, ppp_attempts, dhcp_attempts) for router
- adsl - asymmetric digital subscriber line, faster data rates over copper phone lines than by using conventional VOIP modem
- xdslctl0 - not sure, but looks like another advanced command line interface, related to ADSL
- xdslctl1 - ditto
- meminfo - info about how much memory is being used
- dnsproxy - dumps info or stats (in my case, nothing printed out........)
- ping - works like normal ping, say ping IPADDR
- voice - this is basically the program that you use to interface with VOIP settings on the router. See below for detailed output.
- dect - dect is some kind of phone handset base station functionality. more of this SIP/phone/dialing stuff.
- wlctl - wireless control program, looooots of commands, options, and information provided
- lanhosts - for each host connected to the network (wired or wireless), list IP address, MAC address, and hostname.
- passwd - duh, changes password
- restoredefault - duh, restores default factory settings (?)
- save - save current settings to config file (?)
- swversion - tells you what version of router firmware your router is running
- uptime - reports uptime of router
- cfgupdate - not sure - update settings using config file (?)
- swupdate - update onboard software (?)
- exitOnIdle - (?)
- wan - shows information about network interfaces and devices
- igmp - igmp is internet group management protocol, used for multicasting and for dealing with video and games
- imageServer - downloads and installs a firmware image from an external URL
- pm - port mirroring/monitoring service
- wpsbtn - returns a 1 or 0 depending on whether the WPS button is turned off or on
- snoop_on/snoop_off - turns igmpv3 snooping on or off (this will assist with igmp traffic routing)
voice
Here's the output for the voice command:
> voice
Command syntax:
voice --help - show the voice command syntax
voice show - show the voice parameters
voice show stats - show call statistics
voice start - start the voice application
voice stop - stop the voice application
voice save - store voice params to flash
voice reboot - restart the voice application
voice set <param> <arg1> <arg2>.. - set a provisionable parameter

List of voice set params and args:
defaults <None> - Default VoIP setup
boundIfname <LAN|Any_WAN|(WAN IfName, e.g. nas_0_0_35)> - vodsl network interface
ipAddrFamily <IPv4|IPv6> - IP address family
pstnDialPlan <pstn line#> <dialPlan> - PSTN dial plan
pstnRouteRule <pstn line#> <Auto|Voip|Line> - PSTN Route rule
pstnRouteData <pstn line#> <line #|URL for VOIP> - PSTN Route data
locale <srvPrv#> <region> - 2 or 3 character code
DTMFMethod <srvPrv#> <InBand|RFC2833|SIPInfo> - DTMF digit passing method
hookFlashMethod <srvPrv#> <SIPInfo|None> - Hook flash method
transport <srvPrv#> <UDP|TCP|TLS> - transport protocol
srtpOption <srvPrv#> <Mandatory|Optional|Disabled> - SRTP usage option
regRetryInt <srvPrv#> <seconds> - SIP register retryinterval
regExpires <srvPrv#> <seconds> - Register expires hdr val
rtpDSCPMark <srvPrv#> <mark> - RTP outgoing DSCP mark
logServer <srvPrv#> <hostName|IP> - Log server
logPort <srvPrv#> <port> - Log server port
digitMap <srvPrv#> <digitmap> - dial digit map
T38 <srvPrv#> on|off - enable/disable T38
V18 <srvPrv#> on|off - enable/disable V.18 detection
reg <srvPrv#> <hostName|IP> - SIP registrar server
regPort <srvPrv#> <port> - SIP registrar server port
proxy <srvPrv#> <hostName|IP> - SIP proxy server
proxyPort <srvPrv#> <port> - SIP proxy server port
obProx <srvPrv#> <hostName|IP> - SIP outbound proxy
obProxPort <srvPrv#> <port> - SIP outbound proxy port
sipDomain <srvPrv#> <CPE_domainName> - SIP user agent domain
sipPort <srvPrv#> <port> - SIP user agent port
sipDSCPMark <srvPrv#> <mark> - SIP outgoing DSCP mark
musicServer <srvPrv#> <hostName|IP> - SIP music server
musicSrvPort <srvPrv#> <port> - SIP music server port
tagMatching <srvPrv#> <on|off> - SIP to tag matching
timerB <srvPrv#> <time in ms> - SIP protocol B timer
timerF <srvPrv#> <time in ms> - SIP protocol F timer
lineStatus <srvPrv#> <accnt#> <on|off> - Activate line
physEndpt <srvPrv#> <accnt#> <id> - Phys Endpt
extension <srvPrv#> <accnt#> <URI> - SIP extension
dispName <srvPrv#> <accnt#> <Name> - SIP Display Name
authName <srvPrv#> <accnt#> <name> - SIP auth name
authPwd <srvPrv#> <accnt#> <pwd> - SIP auth password
MWIEnable <srvPrv#> <accnt#> <on|off> - Msg Waiting Indication
cfwdNum <srvPrv#> <accnt#> <number> - call forward number
cfwdAll <srvPrv#> <accnt#> <on|off> - call forward all
cfwdNoAns <srvPrv#> <accnt#> <on|off> - call forward no answer
cfwdBusy <srvPrv#> <accnt#> <on|off> - call forward busy
callWait <srvPrv#> <accnt#> <on|off> - call waiting
anonBlck <srvPrv#> <accnt#> <on|off> - Anonymous call rcv blcking
anonCall <srvPrv#> <accnt#> <on|off> - Anonymous outgng calls
DND <srvPrv#> <accnt#> <on|off> - do not disturb
CCBS <srvPrv#> <accnt#> <on|off> - Call completion on busy
speedDial <srvPrv#> <accnt#> <on|off> - Speed dial
warmLine <srvPrv#> <accnt#> <on|off> - Warm line
warmLineNum <srvPrv#> <accnt#> <number> - Warm line number
callBarring <srvPrv#> <accnt#> <on|off> - Call barring
callBarrPin <srvPrv#> <accnt#> <number> - Call barring pin
callBarrDigMap <srvPrv#> <accnt#> <digitmap> - Call barring digit map
netPrivacy <srvPrv#> <accnt#> <on|off> - Network privacy
vmwi <srvPrv#> <accnt#> <on|off> - Visual message waiting indication
vad <srvPrv#> <accnt#> <on|off> - enable vad
pTime <srvPrv#> <accnt#> <pTime> - packetization period
codecList <srvPrv#> <accnt#> <codec(1)[,codec(2)]> - codec priority list
rxGain <srvPrv#> <accnt#> <rxGain> - rxGain (dB)
txGain <srvPrv#> <accnt#> <txGain> - txGain (dB)
Now trying voice show to show values of parameters:
> voice show
Global Parameters:
------------------
BoundIfName : Any_WAN
IP address family : IPv4
Vodsl logLevel : Error
Management Protocol : TR69

Service Provider 0:
--------------------
Associated Voice Profile: 1
Locale : USA
DTMFMethod : RFC2833
HookFlashMethod : None
DigitMap : #xx|[2-9]11|1[2-9]11|[2-9]xxxxxxxxx|1[2-9]xxxxxxxxx|x.T
Log Server Addr :
Log Server Port : 0
T38 : on
V18 : off
RTPDSCPMark : 46
SIP:
Domain :
Port : 0
Transport : UDP
RegExpires : 0
RegRetryInterval : 0
DSCPMark : 40
Registrar Addr :
Registrar Port : 0
Proxy Addr :
Proxy Port : 0
OutBoundProxy Addr :
OutBoundProxy Port : 0
Music Server Addr :
Music Server Port : 0
To Tag Matching : On
Timer B ( in ms ) : 32000
Timer F ( in ms ) : 32000
SRTP Usage Option : Optional

Account 0:
-----------
ActivationStatus : Disabled
VoipServiceStatus : Disabled
CallStatus : Idle
Associated CM Acnt : 0
PhysEndpt : 1
Extension :
DisplayName :
AuthName :
AuthPwd :
TxGain : 0 dB
RxGain : 0 dB
CALLFEATURES:
MWI : off
CallWaiting : on
CFWDNum :
CallFwdAll : off
CallFwdBusy : off
CallFwdNoans : off
AnonymousOutgoingCall: off
AnonymousCallRcvBlock: off
DoNotDisturb : off
CallCompOnBusy : off
SpeedDial : off
WarmLine : off
WarmLineNum :
CallBarring : off
CallBarringMode : None
CallBarringPin : 9999
CallBarringDigitMap :
NetPrivacy : off
VMWI : off
CODECSETTINGS:
VAD : off
pTime : 20
CodecList : (0) G.722 (1) G.711MuLaw (2) T38 (3) NTE

Account 1:
-----------
ActivationStatus : Disabled
VoipServiceStatus : Disabled
CallStatus : Idle
Associated CM Acnt : 1
PhysEndpt : 1
Extension :
DisplayName :
AuthName :
AuthPwd :
TxGain : 0 dB
RxGain : 0 dB
CALLFEATURES:
MWI : off
CallWaiting : on
CFWDNum :
CallFwdAll : off
CallFwdBusy : off
CallFwdNoans : off
AnonymousOutgoingCall: off
AnonymousCallRcvBlock: off
DoNotDisturb : off
CallCompOnBusy : off
SpeedDial : off
WarmLine : off
WarmLineNum :
CallBarring : off
CallBarringMode : None
CallBarringPin : 9999
CallBarringDigitMap :
NetPrivacy : off
VMWI : off
CODECSETTINGS:
VAD : off
pTime : 20
CodecList : (0) G.722 (1) G.711MuLaw (2) T38 (3) NTE
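The `voice show` output above is regular enough to parse and review mechanically. The following is an added example, not part of the original page or the router's software: it assumes the output was captured with one `Key : value` field per line, uses a constructed sample, and treats a `CallBarringPin` of 9999 (the value printed on this page) as "never changed", which is an assumption.

```python
import re

# Constructed sample in the layout of the `voice show` output above, one field
# per line (abridged; the account values are invented for this example).
SAMPLE = """\
> voice show
Global Parameters:
------------------
Management Protocol : TR69
Service Provider 0:
--------------------
Locale : USA
SIP:
Domain : sip.example.invalid
Transport : UDP
SRTP Usage Option : Optional
Account 0:
-----------
ActivationStatus : Enabled
AuthName : 5550100
AuthPwd : EXAMPLE-ONLY
CALLFEATURES:
CallBarring : off
CallBarringPin : 9999
Account 1:
-----------
ActivationStatus : Disabled
AuthPwd :
CALLFEATURES:
CallBarringPin : 4821
"""

SECTION = re.compile(
    r"^(Global Parameters|Service Provider (\d+)|Account (\d+)|SIP|CALLFEATURES|CODECSETTINGS):$"
)
PIN_ON_PAGE = "9999"  # assumption: the PIN printed on this page means "never changed"


def parse_voice_show(text):
    """Return {'global': {...}, 'providers': {n: {'params': {...}, 'accounts': {m: {...}}}}}."""
    cfg = {"global": {}, "providers": {}}
    target, provider = cfg["global"], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">") or set(line) == {"-"}:
            continue  # blank line, echoed command, or dashed underline
        m = SECTION.match(line)
        if m:
            if m.group(2) is not None:      # "Service Provider N:"
                provider = cfg["providers"].setdefault(
                    int(m.group(2)), {"params": {}, "accounts": {}})
                target = provider["params"]
            elif m.group(3) is not None:    # "Account N:"
                if provider is None:
                    raise ValueError("Account section before any Service Provider")
                target = provider["accounts"].setdefault(int(m.group(3)), {})
            elif m.group(1) == "Global Parameters":
                target = cfg["global"]
            # SIP / CALLFEATURES / CODECSETTINGS are sub-headings: keep the current target
            continue
        key, sep, value = line.partition(":")
        if sep:
            target[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return (where, code, detail) tuples for settings worth a second look."""
    findings = []
    for pid, prov in sorted(cfg["providers"].items()):
        params, where = prov["params"], f"provider {pid}"
        if "Transport" in params and params["Transport"].upper() != "TLS":
            findings.append((where, "sip-cleartext",
                             f"SIP transport is {params['Transport']}, signalling is not encrypted"))
        if "SRTP Usage Option" in params and params["SRTP Usage Option"] != "Mandatory":
            findings.append((where, "srtp-not-mandatory",
                             f"SRTP is {params['SRTP Usage Option']}, media may go out unencrypted"))
        for aid, acct in sorted(prov["accounts"].items()):
            where = f"provider {pid} account {aid}"
            if acct.get("AuthPwd"):
                findings.append((where, "password-in-output",
                                 "AuthPwd is printed in clear and crossed the telnet session"))
            if acct.get("CallBarringPin") == PIN_ON_PAGE:
                findings.append((where, "pin-unchanged",
                                 f"CallBarringPin is still {PIN_ON_PAGE}"))
    return findings


if __name__ == "__main__":
    for where, code, detail in audit(parse_voice_show(SAMPLE)):
        print(f"[{code}] {where}: {detail}")
```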
wlctl
Hold on to your butts, there's gonna be about 100 pages of output:
> wlctl
Usage: wlctl [-a|i <adapter>] [-h] [-d|u|x] <command> [arguments]
    -h this message and command descriptions
    -h [cmd] command description for cmd
    -a, -i adapter name or number
    -d output format signed integer
    -u output format unsigned integer
    -x output format hexdecimal

ver  get version information
cmds  generate a short list of available commands
up  reinitialize and mark adapter up (operational)
down  reset and mark adapter down (disabled)
out  mark adapter down but do not reset hardware(disabled)
    On dualband cards, cards must be bandlocked before use.
clk  set board clock state. return error for set_clk attempt if the driver is not down
    0: clock off
    1: clock on
restart  Restart driver. Driver must already be down.
reboot  Reboot platform
radio  Set the radio on or off. "on" or "off"
dump  Give suboption "list" to list various suboptions
srclear  Clears first 'len' bytes of the srom, len in decimal or hex
    Usage: srclear <len>
srdump  print contents of SPROM to stdout
srwrite  Write the srom: srwrite byteoffset value
srcrc  Get the CRC for input binary file
ciswrite  Write specified <file> to the SDIO CIS source (either SROM or OTP)
cisupdate  Write a hex byte stream to specified byte offset to the CIS source (either SROM or OTP)
    --preview option allows you to review the update without committing it
    <byte offset> <hex byte stream> [--preview]
cisdump  Display the content of the SDIO CIS source
    -b <file> -- also write raw bytes to <file>
    <len> -- optional count of bytes to display (must be even)
cis_source  Display which source is used for the SDIO CIS
cisconvert  Print CIS tuple for given name=value pair
rdvar  Read a named variable to the srom
wrvar  Write a named variable to the srom
nvram_source  Display which source is used for nvram
nvram_dump  print nvram variables to stdout
nvset  set an nvram variable
    name=value (no spaces around '=')
nvget  get the value of an nvram variable
nvram_get  get the value of an nvram variable
revinfo  get hardware revision information
customvar1  print the value of customvar1 in hex format
msglevel  set driver console debugging message bitvector
    type 'wl msglevel ?' for values
phymsglevel  set phy debugging message bitvector
    type 'wl phymsglevel ?' for values
PM  set driver power management mode:
    0: CAM (constantly awake)
    1: PS (power-save)
    2: FAST PS mode
wake  set driver power-save mode sleep state:
    0: core-managed
    1: awake
promisc  set promiscuous mode ethernet address reception
    0 - disable
    1 - enable
monitor  set monitor mode
    0 - disable
    1 - enable active monitor mode (interface still operates)
frag  Deprecated. Use fragthresh.
rts  Deprecated. Use rtsthresh.
cwmin  Set the cwmin. (integer [1, 255])
cwmax  Set the cwmax. (integer [256, 2047])
srl  Set the short retry limit. (integer [1, 255])
lrl  Set the long retry limit. (integer [1, 255])
rate  force a fixed rate:
    valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
    valid values for 802.11b are (1, 2, 5.5, 11)
    valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
    -1 (default) means automatically determine the best rate
mrate  force a fixed multicast rate:
    valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
    valid values for 802.11b are (1, 2, 5.5, 11)
    valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
    -1 (default) means automatically determine the best rate
a_rate  force a fixed rate for the A PHY:
    valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
    -1 (default) means automatically determine the best rate
a_mrate  force a fixed multicast rate for the A PHY:
    valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)
    -1 (default) means automatically determine the best rate
bg_rate  force a fixed rate for the B/G PHY:
    valid values for 802.11b are (1, 2, 5.5, 11)
    valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
    -1 (default) means automatically determine the best rate
bg_mrate  force a fixed multicast rate for the B/G PHY:
    valid values for 802.11b are (1, 2, 5.5, 11)
    valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)
    -1 (default) means automatically determine the best rate
infra  Set Infrastructure mode: 0 (IBSS) or 1 (Infra BSS)
ap  Set AP mode: 0 (STA) or 1 (AP)
bssid  Get the BSSID value, error if STA and not associated
bssmax  get number of BSSes
channel  Set the channel:
    valid channels for 802.11b/g (2.4GHz band) are 1 through 14
    valid channels for 802.11a (5 GHz band) are:
    36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116,120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 184, 188, 192, 196, 200, 204, 208, 212, 216
cur_mcsset  Get the current mcs set
chanspecs  Get all the valid chanspecs (default: all within current locale):
    -b band (5(a) or 2(b/g))
    -w bandwidth, 10,20 or 40
    [-c country_abbrev]
chanspec  Set <channel>[a,b][n][u,l]
    channel number (0-224)
    band a=5G, b=2G, default to 2G if channel <= 14
    bandwidth, n=10, none for 20 & 40
    ctl sideband, l=lower, u=upper
    OR Set channel with legacy format:
    -c channel number (0-224)
    -b band (5(a) or 2(b/g))
    -w bandwidth, 10,20 or 40
    -s ctl sideband, -1=lower, 0=none, 1=upper
dfs_channel_forced  Set <channel>[a,b][n][u,l]
    channel number (0-224)
    band a=5G, b=2G, default to 2G if channel <= 14
    bandwidth, n=10, non for 20 & 40
    ctl sideband, l=lower, u=upper
tssi  Get the tssi value from radio
txpwr  Set tx power in milliwatts. Range [1, 84].
txpwr1  Set tx power in in various units. Choose one of (default: dbm):
    -d dbm units
    -q quarter dbm units
    -m milliwatt units
    Can be combined with:
    -o turn on override to disable regulatory and other limitations
    Use wl txpwr -1 to restore defaults
txpathpwr  Turn the tx path power on or off on 2050 radios
txpwrlimit  Return current tx power limit
powerindex  Set the transmit power for A band(0-63).
    -1 - default value
atten  Set the transmit attenuation for B band. Args: bb radio txctl1.
    auto to revert to automatic control
    manual to supspend automatic control
phyreg  Get/Set a phy register:
    offset [ value ] [ band ]
radioreg  Get/Set a radio register:
    offset [ value ] [ band/core ]
    HTPHY:
    Get a radio register: wl radioreg [ offset ] [ cr0/cr1/cr2 ]
    Set a radio register: wl radioreg [ offset ] [ value ] [ cr0/cr1/cr2/all ]
ucflags  Get/Set ucode flags 1, 2, 3(16 bits each)
    offset [ value ] [ band ]
shmem  Get/Set a shared memory location:
    offset [ value ] [band ]
macreg  Get/Set any mac registers(include IHR and SB):
    macreg offset size[2,4] [ value ] [ band ]
ucantdiv  Enable/disable ucode antenna diversity (1/0 or on/off)
gpioout  Set any GPIO pins to any value. Use with caution as GPIOs would be assigned to chipcommon
    Usage: gpiomask gpioval
devpath  print device path
jtagureg  g/set JTAG user registers
coma  Put the router in a catatonic state
pllreset  set the pll to reset value
    Usage: wl pllreset
pcieserdesreg  g/set SERDES registers: dev offset [val]
ampdu_activate_test  actiate
ampdu_tid  enable/disable per-tid ampdu; usage: wl ampdu_tid <tid> [0/1]
ampdu_retry_limit_tid  Set per-tid ampdu retry limit; usage: wl ampdu_retry_limit_tid <tid> [0~31]
ampdu_rr_retry_limit_tid  Set per-tid ampdu regular rate retry limit; usage: wl ampdu_rr_retry_limit_tid <tid> [0~31]
ampdu_send_addba  send addba to specified ea-tid; usage: wl ampdu_send_addba <tid> <ea>
ampdu_send_delba  send delba to specified ea-tid; usage: wl ampdu_send_delba <tid> <ea>
ampdu_clear_dump  clear ampdu counters
dpt_deny  adds/removes ea to dpt deny list
    usage: wl dpt_deny <add,remove> <ea>
dpt_endpoint  creates/updates/deletes dpt endpoint for ea
    usage: wl dpt_endpoint <create, update, delete> <ea>
dpt_pmk  sets DPT pre-shared key
dpt_fname  sets/gets DPT friendly name
dpt_list  gets status of all dpt peers
actframe  Send a Vendor specific Action frame to a channel
    usage: wl actframe <Dest Mac Addr> <data> channel dwell-time <BSSID>
antdiv  Set antenna diversity for rx
    0 - force use of antenna 0
    1 - force use of antenna 1
    3 - automatic selection of antenna diversity
txant  Set the transmit antenna
    0 - force use of antenna 0
    1 - force use of antenna 1
    3 - use the RX antenna selection that was in force during the most recently received good PLCP header
plcphdr  Set the plcp header. "long" or "auto" or "debug"
phytype  Get phy type
rateparam  set driver rate selection tunables
    arg 1: tunable id
    arg 2: tunable value
wepstatus  Set or Get WEP status
    wepstatus [on|off]
primary_key  Set or get index of primary key
addwep  Set an encryption key. The key must be 5, 13 or 16 bytes long, or 10, 26, 32, or 64 hex digits long.
    The encryption algorithm is automatically selected based on the key size.
    keytype is accepted only when key length is 16 bytes/32 hex digits and specifies whether AES-OCB or AES-CCM encryption is used.
    Default is ccm. WAPI is selected if key len is 32 and arguments contain wapi.
    addwep <keyindex> <keydata> [ocb | ccm | wapi] [notx] [xx:xx:xx:xx:xx:xx]
rmwep  Remove the encryption key at the specified key index.
keys  Prints a list of the current WEP keys
tsc  Print Tx Sequence Couter for key at specified key index.
wsec_test  Generate wsec errors
    wsec_test <test_type> <keyindex|xx:xx:xx:xx:xx:xx>
    type 'wl wsec_test ?' for test_types
tkip_countermeasures  Enable or disable TKIP countermeasures (TKIP-enabled AP only)
    0 - disable
    1 - enable
wsec_restrict  Drop unencrypted packets if WSEC is enabled
    0 - disable
    1 - enable
eap  restrict traffic to 802.1X packets until 802.1X authorization succeeds
    0 - disable
    1 - enable
cur_etheraddr  Get/set the current hw address
perm_etheraddr  Get the permanent address from NVRAM
authorize  restrict traffic to 802.1X packets until 802.1X authorization succeeds
deauthorize  do not restrict traffic to 802.1X packets until 802.1X authorization succeeds
deauthenticate  deauthenticate a STA from the AP with optional reason code (AP ONLY)
wsec  wireless security bit vector
    1 - WEP enabled
    2 - TKIP enabled
    4 - AES enabled
    8 - WSEC in software
    0x80 - FIPS enabled
    0x100 - WAPI enabled
auth  set/get 802.11 authentication type. 0 = OpenSystem, 1= SharedKey, 2=Open/Shared
wpa_auth  Bitvector of WPA authorization modes:
    1 WPA-NONE
    2 WPA-802.1X/WPA-Professional
    4 WPA-PSK/WPA-Personal
    64 WPA2-802.1X/WPA2-Professional
    128 WPA2-PSK/WPA2-Personal
    0 disable WPA
wpa_cap  set/get 802.11i RSN capabilities
set_pmk  Set passphrase for PMK in driver-resident supplicant.
scan  Initiate a scan.
    Default to an active scan across all channels for any SSID.
    Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
    Options:
    -s S, --ssid=S SSIDs to scan
    -t ST, --scan_type=ST [active|passive|prohibit] scan type
    --bss_type=BT [bss/infra|ibss/adhoc] bss type to scan
    -b MAC, --bssid=MAC particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
    -n N, --nprobes=N number of probes per scanned channel
    -a N, --active=N dwell time per channel for active scanning
    -p N, --passive=N dwell time per channel for passive scanning
    -h N, --home=N dwell time for the home channel between channel scans
    -c L, --channels=L comma or space separated list of channels to scan
iscan_s  Initiate an incremental scan.
    Default to an active scan across all channels for any SSID.
    Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
    Options:
    -s S, --ssid=S SSIDs to scan
    -t ST, --scan_type=ST [active|passive|prohibit] scan type
    --bss_type=BT [bss/infra|ibss/adhoc] bss type to scan
    -b MAC, --bssid=MAC particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
    -n N, --nprobes=N number of probes per scanned channel
    -a N, --active=N dwell time per channel for active scanning
    -p N, --passive=N dwell time per channel for passive scanning
    -h N, --home=N dwell time for the home channel between channel scans
    -c L, --channels=L comma or space separated list of channels to scan
iscan_c  Continue an incremental scan.
    Default to an active scan across all channels for any SSID.
    Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
    Options:
    -s S, --ssid=S SSIDs to scan
    -t ST, --scan_type=ST [active|passive|prohibit] scan type
    --bss_type=BT [bss/infra|ibss/adhoc] bss type to scan
    -b MAC, --bssid=MAC particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
    -n N, --nprobes=N number of probes per scanned channel
    -a N, --active=N dwell time per channel for active scanning
    -p N, --passive=N dwell time per channel for passive scanning
    -h N, --home=N dwell time for the home channel between channel scans
    -c L, --channels=L comma or space separated list of channels to scan
scancache_clear  clear the scan cache
escan  Start an escan.
    Default to an active scan across all channels for any SSID.
    Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
    Options:
    -s S, --ssid=S SSIDs to scan
    -t ST, --scan_type=ST [active|passive|prohibit] scan type
    --bss_type=BT [bss/infra|ibss/adhoc] bss type to scan
    -b MAC, --bssid=MAC particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
    -n N, --nprobes=N number of probes per scanned channel
    -a N, --active=N dwell time per channel for active scanning
    -p N, --passive=N dwell time per channel for passive scanning
    -h N, --home=N dwell time for the home channel between channel scans
    -c L, --channels=L comma or space separated list of channels to scan
escanabort  Abort an escan.
    Default to an active scan across all channels for any SSID.
    Optional arg: SSIDs, list of [up to 10] SSIDs to scan (comma or space separated).
    Options:
    -s S, --ssid=S SSIDs to scan
    -t ST, --scan_type=ST [active|passive|prohibit] scan type
    --bss_type=BT [bss/infra|ibss/adhoc] bss type to scan
    -b MAC, --bssid=MAC particular BSSID MAC address to scan, xx:xx:xx:xx:xx:xx
    -n N, --nprobes=N number of probes per scanned channel
    -a N, --active=N dwell time per channel for active scanning
    -p N, --passive=N dwell time per channel for passive scanning
    -h N, --home=N dwell time for the home channel between channel scans
    -c L, --channels=L comma or space separated list of channels to scan
passive  Puts scan engine into passive mode
regulatory  Get/Set regulatory domain mode (802.11d). Driver must be down.
spect  Get/Set 802.11h Spectrum Management mode.
    0 - Off
    1 - Loose interpretation of 11h spec - may join non-11h APs
    2 - Strict interpretation of 11h spec - may not join non-11h APs
    3 - Disable 11h and enable 11d
    4 - Loose interpretation of 11h+d spec - may join non-11h APs
scanabort  Abort a scan.
scanresults  Return results from last scan.
iscanresults  Return results from last iscan. Specify a buflen (max 8188) to artificially limit the size of the results buffer.
    iscanresults [buflen]
assoc  Print information about current network association. (also known as "status")
status  Print information about current network association. (also known as "assoc")
disassoc  Disassociate from the current BSS/IBSS.
channels  Return valid channels for the current settings.
channels_in_country  Return valid channels for the country specified.
    Arg 1 is the country abbreviation
    Arg 2 is the band(a or b)
curpower  Return current tx power settings.
    -q (quiet): estimated power only.
curppr  Return current tx power per rate offset.
txinstpwr  Return tx power based on instant TSSI
scansuppress  Suppress all scans for testing.
    0 - allow scans
    1 - suppress scans
evm  Start an EVM test on the given channel, or stop EVM test.
    Arg 1 is channel number 1-14, or "off" or 0 to stop the test.
    Arg 2 is optional rate (1, 2, 5.5 or 11)
rateset  Returns or sets the supported and basic rateset, (b) indicates basic
    With no args, returns the rateset. Args are
    rateset "default" | "all" | <arbitrary rateset>
    -m <arbitrary mcsset>
    default - driver defaults
    all - all rates are basic rates
    arbitrary rateset - list of rates
    arbitrary mcsset - list of mcs rates octets, each bit representing corresponding mcs
    List of rates are in Mbps and each rate is optionally followed by "(b)" or "b" for a Basic rate. Example: 1(b) 2b 5.5 11
    At least one rate must be Basic for a legal rateset.
roam_trigger  Get or Set the roam trigger RSSI threshold:
    Get: roam_trigger [a|b]
    Set: roam_trigger <integer> [a|b|all]
    integer - 0: default
    1: optimize bandwidth
    2: optimize distance
    [-1, -99]: dBm trigger value
roam_delta  Set the roam candidate qualification delta. roam_delta [integer [, a/b]]
roam_scan_period  Set the roam candidate qualification delta. (integer)
suprates  Returns or sets the 11g override for the supported rateset
    With no args, returns the rateset. Args are a list of rates, or 0 or -1 to specify an empty rateset to clear the override.
    List of rates are in Mbps, example: 1 2 5.5 11
scan_channel_time  Get/Set scan channel time
scan_unassoc_time  Get/Set unassociated scan channel dwell time
scan_home_time  Get/Set scan home channel dwell time
scan_passive_time  Get/Set passive scan channel dwell time
scan_nprobes  Get/Set scan parameter for number of probes to use per channel scanned
prb_resp_timeout  Get/Set probe response timeout
channel_qa  Get last channel quality measurment
channel_qa_start  Start a channel quality measurment
country  Select Country Code for driver operational region
    For simple country setting: wl country <country>
    Where <country> is either a long name or country code from ISO 3166; for example "Germany" or "DE"
    For a specific built-in country definition: wl country <built-in> [<advertised-country>]
    Where <built-in> is a country country code followed by '/' and regulatory revision number.
    For example, "US/3".
    And where <advertised-country> is either a long name or country code from ISO 3166.
    If <advertised-country> is omitted, it will be the same as the built-in country code.
    Use 'wl country list [band(a or b)]' for the list of supported countries
country_ie_override  To set/get country ie
autocountry_default  Select Country Code for use with Auto Contry Discovery
join  Join a specified network SSID.
    Usage: join <ssid> [key <0-3>:xxxxx] [imode bss|ibss] [amode open|shared|openshared|wpa|wpapsk|wpa2|wpa2psk|wpanone] [options]
    Options:
    -b MAC, --bssid=MAC BSSID (xx:xx:xx:xx:xx:xx) to scan and join
    -c CL, --chanspecs=CL chanspecs (comma or space separated list)
ssid  Set or get a configuration's SSID.
    wl ssid [-C num]|[--cfg=num] [<ssid>]
    If the configuration index 'num' is not given, configuraion #0 is assumed and setting will initiate an assoication attempt if in infrastructure mode, or join/creation of an IBSS if in IBSS mode, or creation of a BSS if in AP mode.
mac  Set or get the list of source MAC address matches.
    wl mac xx:xx:xx:xx:xx:xx [xx:xx:xx:xx:xx:xx ...]
    To Clear the list: wl mac none
macmode  Set the mode of the MAC list.
    0 - Disable MAC address matching.
    1 - Deny association to stations on the MAC list.
    2 - Allow association to stations on the MAC list.
wds  Set or get the list of WDS member MAC addresses.
    Set using a space separated list of MAC addresses.
    wl wds xx:xx:xx:xx:xx:xx [xx:xx:xx:xx:xx:xx ...]
lazywds  Set or get "lazy" WDS mode (dynamically grant WDS membership to anyone).
noise  Get noise (moving average) right after tx in dBm
fqacurcy  Manufacturing test: set frequency accuracy mode.
    freqacuracy syntax is: fqacurcy <channel>
    Arg is channel number 1-14, or 0 to stop the test.
crsuprs  Manufacturing test: set carrier suppression mode.
    carriersuprs syntax is: crsuprs <channel>
    Arg is channel number 1-14, or 0 to stop the test.
longtrain  Manufacturing test: set longtraining mode.
    longtrain syntax is: longtrain <channel>
    Arg is A band channel number or 0 to stop the test.
band  Returns or sets the current band
    auto - auto switch between available bands (default)
    a - force use of 802.11a band
    b - force use of 802.11b band
bands  Return the list of available 802.11 bands
phylist  Return the list of available phytypes
shortslot  Get current 11g Short Slot Timing mode. (0=long, 1=short)
shortslot_override  Get/Set 11g Short Slot Timing mode override. (-1=auto, 0=long, 1=short)
shortslot_restrict  Get/Set AP Restriction on associations for 11g Short Slot Timing capable STAs.
    0 - Do not restrict association based on ShortSlot capability
    1 - Restrict association to STAs with ShortSlot capability
ignore_bcns  AP only (G mode): Check for beacons without NONERP element(0=Examine beacons, 1=Ignore beacons)
pktcnt  Get the summary of good and bad packets.
upgrade  Upgrade the firmware on an embedded device
gmode  Set the 54g Mode (LegacyB|Auto||GOnly|BDeferred|Performance|LRS)
gmode_protection  Get G protection mode. (0=disabled, 1=enabled)
gmode_protection_control  Get/Set 11g protection mode control alg.(0=always off, 1=monitor local association, 2=monitor overlapping BSS)
gmode_protection_override  Get/Set 11g protection mode override. (-1=auto, 0=disable, 1=enable)
protection_control  Get/Set protection mode control alg.(0=always off, 1=monitor local association, 2=monitor overlapping BSS)
legacy_erp  Get/Set 11g legacy ERP inclusion (0=disable, 1=enable)
scb_timeout  AP only: inactivity timeout value for authenticated stas
assoclist  AP only: Get the list of associated MAC addresses.
isup  Get driver operational state (0=down, 1=up)
rssi  Get the current RSSI val, for an AP you must specify the mac addr of the STA
rssi_event  Set parameters associated with RSSI event notification
    usage: wl rssi_event <rate_limit> <rssi_levels>
    rate_limit: Number of events posted to application will be limited to 1 per this rate limit. Set to 0 to disable rate limit.
    rssi_levels: Variable number of RSSI levels (maximum 8) in increasing order (e.g. -85 -70 -60). An event will be posted each time the RSSI of received beacons/packets cross
fasttimer  Deprecated. Use fast_timer.
slowtimer  Deprecated. Use slow_timer.
glacialtimer  Deprecated. Use glacial_timer.
radar  Enable/Disable radar
radarargs  Get/Set Radar parameters in order as
    version, npulses, ncontig, min_pw, max_pw, thresh0, thresh1, blank, fmdemodcfg, npulses_lp, min_pw_lp, max_pw_lp, min_fm_lp, max_span_lp, min_deltat, max_deltat, autocorr, st_level_time, t2_min, fra_pulse_err, npulses_fra, npulses_stg2, npulses_stg3, percal_mask, quant, min_burst_intv_lp, max_burst_intv_lp, nskip_rst_lp, max_pw_tol, feature_mask
radarargs40  Get/Set Radar parameters for 40Mhz channel in order as
    version, npulses, ncontig, min_pw, max_pw, thresh0, thresh1, blank, fmdemodcfg, npulses_lp, min_pw_lp, max_pw_lp, min_fm_lp, max_span_lp, min_deltat, max_deltat, autocorr, st_level_time, t2_min, fra_pulse_err, npulses_fra, npulses_stg2, npulses_stg3, percal_mask, quant, min_burst_intv_lp, max_burst_intv_lp, nskip_rst_lp, max_pw_tol, feature_mask
radarthrs  Set Radar threshold for both 20 & 40MHz BW:
    order as thresh0_20_lo, thresh1_20_lo, thresh0_40_lo, thresh1_40_lo
    thresh0_20_hi, thresh1_20_hi, thresh0_40_hi, thresh1_40_hi
dfs_status  Get dfs status
interference  Get/Set interference mitigation mode. Choices are:
    0 = none
    1 = non wlan
    2 = wlan manual
    3 = wlan automatic
    4 = wlan automatic with noise reduction
interference_override  Get/Set interference mitigation override. Choices are:
    0 = no interference mitigation
    1 = non wlan
    2 = wlan manual
    3 = wlan automatic
    4 = wlan automatic with noise reduction
    -1 = remove override, override disabled
frameburst  Disable/Enable frameburst mode
pwr_percent  Get/Set power output percentage
toe  Enable/Disable tcpip offload feature
toe_ol  Get/Set tcpip offload components
toe_stats  Display checksum offload statistics
toe_stats_clear  Clear checksum offload statistics
arpoe  Enable/Disable arp agent offload feature
arp_ol  Get/Set arp offload components
arp_peerage  Get/Set age of the arp entry in minutes
arp_table_clear  Clear arp cache
arp_hostip  Add a host-ip address or display them
arp_hostip_clear  Clear all host-ip addresses
arp_stats  Display ARP offload statistics
arp_stats_clear  Clear ARP offload statistics
wet  Get/Set wireless ethernet bridging mode
bi  Get/Set the beacon period (bi=beacon interval)
dtim  Get/Set DTIM
wds_remote_mac  Get WDS link remote endpoint's MAC address
wds_wpa_role_old  Get WDS link local endpoint's WPA role (old)
wds_wpa_role  Get/Set WDS link local endpoint's WPA role
authe_sta_list  Get authenticated sta mac address list
autho_sta_list  Get authorized sta mac address list
measure_req  Send an 802.11h measurement request.
    Usage: wl measure_req <type> <target MAC addr>
    Measurement types are: TPC, Basic, CCA, RPI
    Target MAC addr format is xx:xx:xx:xx:xx:xx
quiet  Send an 802.11h quiet command.
    Usage: wl quiet <TBTTs until start>, <duration (in TUs)>, <offset (in TUs)>
csa  Send an 802.11h channel switch anouncement with chanspec:
    <mode> <count> <channel>[a,b][n][u,l]
    mode (0 or 1)
    count (0-254)
    channel number (0-224)
    band a=5G, b=2G
    bandwidth n=10, non for 20 & 40
    ctl sideband, l=lower, u=upper, default no ctl sideband
constraint  Send an 802.11h Power Constraint IE
    Usage: wl constraint 1-255 db
rm_req  Request a radio measurement of type basic, cca, or rpi
    specify a series of measurement types each followed by options.
    example: wl rm_req cca -c 1 -d 50 cca -c 6 cca -c 11
    Options:
    -t n numeric token id for measurement set or measurement
    -c n channel
    -d n duration in TUs (1024 us)
    -p parallel flag, measurement starts at the same time as previous
    Each measurement specified uses the same channel and duration as the previous unless a new channel or duration is specified.
rm_rep  Get current radio measurement report
join_pref  Set/Get join target preferences.
assoc_pref  Set/Get association preference.
    Usage: wl assoc_pref [auto|a|b|g]
wme  Set WME (Wireless Multimedia Extensions) mode (0=off, 1=on, -1=auto)
wme_ac  wl wme_ac ap|sta [be|bk|vi|vo [ecwmax|ecwmin|txop|aifsn|acm <value>] ...]
wme_apsd  Set APSD (Automatic Power Save Delivery) mode on AP (0=off, 1=on)
wme_apsd_sta  Set APSD parameters on STA. Driver must be down.
    Usage: wl wme_apsd_sta <max_sp_len> <be> <bk> <vi> <vo>
    <max_sp_len>: number of frames per USP: 0 (all), 2, 4, or 6
    <xx>: value 0 to disable, 1 to enable U-APSD per AC
wme_dp  Set AC queue discard policy.
    Usage: wl wme_dp <be> <bk> <vi> <vo>
    <xx>: value 0 for newest-first, 1 for oldest-first
wme_counters  print WMM stats
wme_clear_counters  clear WMM counters
wme_tx_params  wl wme_tx_params [be|bk|vi|vo [short|sfb|long|lfb|max_rate <value>] ...]
wme_maxbw_params  wl wme_maxbw_params [be|bk|vi|vo <value> ....]
lifetime  Set Lifetime parameter (milliseconds) for each ac.
    wl lifetime be|bk|vi|vo [<value>]
lifetime  Set Lifetime parameter (milliseconds) for each ac.
    wl lifetime be|bk|vi|vo [<value>]
reinit  Reinitialize device
sta_info  wl sta_info <xx:xx:xx:xx:xx:xx>
cap  driver capabilities
malloc_dump  Deprecated.
Folded under 'wl dump malloc chan_info channel info add_ie Add a vendor proprietary IE to 802.11 management packets Usage: wl add_ie <pktflag> length OUI hexdata <pktflag>: Bit 0 - Beacons Bit 1 - Probe Rsp Bit 2 - Assoc/Reassoc Rsp Bit 3 - Auth Rsp Bit 4 - Probe Req Bit 5 - Assoc/Reassoc Req Example: wl add_ie 3 10 00:90:4C 0101050c121a03 to add this IE to beacons and probe responses del_ie Delete a vendor proprietary IE from 802.11 management packets Usage: wl del_ie <pktflag> length OUI hexdata <pktflag>: Bit 0 - Beacons Bit 1 - Probe Rsp Bit 2 - Assoc/Reassoc Rsp Bit 3 - Auth Rsp Bit 4 - Probe Req Bit 5 - Assoc/Reassoc Req Example: wl del_ie 3 10 00:90:4C 0101050c121a03 list_ie Dump the list of vendor proprietary IEs rand Get a 2-byte Random Number from the MAC's PRNG Usage: wl rand otpw Write an srom image to on-chip otp Usage: wl otpw file nvotpw Write nvram to on-chip otp Usage: wl nvotpw file bcmerrorstr errorstring freqtrack Set Frequency Tracking Mode (0=Auto, 1=On, 2=OFF) eventing set/get 128-bit hex filter bitmask for MAC event reporting up to application layer event_msgs set/get 128-bit hex filter bitmask for MAC event reporting via packet indications counters Return driver counter values bsscounters Return/reset BSS counter values wl bsscounters [-C num]|[--cfg=num] If the configuration index 'num' is not given, configuraion #0 is assumed. delta_stats_interval set/get the delta statistics interval in seconds (0 to disable) delta_stats get the delta statistics for the last interval assoc_info Returns the assoc req and resp information [STA only] autochannel auto channel selection: 1 to issue a channel scanning; 2 to set chanspec based on the channel scan result; without argument to only show the chanspec selected; ssid must set to null before this process, RF must be up csscantimer auto channel scan timer in minutes (0 to disable) closed hides the network from active scans, 0 or 1. 
0 is open, 1 is hide pmkid_info Returns the pmkid table abminrate get/set afterburner minimum rate threshold bss set/get BSS enabled status: up/down closednet set/get BSS closed network attribute ap_isolate set/get AP isolation eap_restrict set/get EAP restriction diag diag testindex(1-interrupt, 2-loopback, 3-memory, 4-led); precede by 'wl down' and follow by 'wl up' reset_d11cnts reset 802.11 MIB counters staname get/set station name: Maximum name length is 15 bytes apname get AP name otpdump Dump raw otp otpstat Dump OTP status nrate -r legacy rate (CCK, OFDM)-m mcs index-s stf mode (0=SISO,1=CDD,2=STBC(not supported),3=SDM)-w Override mcs only to support STA's with/without STBC capability mimo_txbw get/set mimo txbw (2=20Mhz(lower), 3=20Mhz upper, 4=40Mhz, 5=40Mhz dup<mcs32 only) cac_addts add TSPEC, error if STA is not associated or WME is not enabled arg: TSPEC parameter input list cac_delts delete TSPEC, error if STA is not associated or WME is not enabled arg: TSINFO for the target tspec cac_delts_ea delete TSPEC, error if STA is not associated or WME is not enabled arg1: Desired TSINFO for the target tspec arg2: Desired MAC address cac_tslist Get the list of TSINFO in driver eg. 'wl cac_tslist' get a list of TSINFO cac_tslist_ea Get the list of TSINFO for given STA in driver eg. 'wl cac_tslist_ea ea' get a list of TSINFO cac_tspec Get specific TSPEC with matching TSINFO eg. 'wl cac_tspec 0xaa 0xbb 0xcc' where 0xaa 0xbb & 0xcc are TSINFO octets cac_tspec_ea Get specific TSPEC for given STA with matching TSINFO eg. 
'wl cac_tspec 0xaa 0xbb 0xcc xx:xx:xx:xx:xx:xx' where 0xaa 0xbb & 0xcc are TSINFO octets and xx is mac address phy_txpwrindex usage: (set) phy_txpwrindex core0_idx core1_idx core2_idx core3_idx (get) phy_txpwrindex, return format: core0_idx core1_idx core2_idx core3_idxSet/Get txpwrindex phy_test_tssi wl phy_test_tssi val phy_test_tssi_offs wl phy_test_tssi_offs val phy_rssiant wl phy_rssiant antindex(0-3) phy_rssi_ant Get RSSI per antenna (only gives RSSI of current antenna for SISO PHY) lpphy_papdepstbl print papd eps table; Usage: wl lpphy_papdepstbl rifs set/get the rifs status; usage: wl rifs <1/0> (On/Off) rifs_advert set/get the rifs mode advertisement status; usage: wl rifs_advert <-1/0> (Auto/Off) phy_rxiqest Get phy RX IQ noise in dBm: -s # of samples (2^n) -a antenna select, 0,1 or 3 -r resolution select, 0 (coarse) or 1 (fine) -f lpf hpc override select, 0 (hpc unchanged) or 1 (overridden to lowest value) -g gain-correction select, 0 (disable) or 1 (enable) phy_txiqcc usage: phy_txiqcc [a b] Set/get the iqcc a, b values phy_txlocc usage: phy_txlocc [di dq ei eq fi fq] Set/get locc di dq ei eq fi fq values phytable usage: wl phytable table_id offset width_of_table_element [table_element] Set/get table element of a table with the given ID at the given offset Note that table width supplied should be 8 or 16 or 32 table ID, table offset can not be negative pavars Set/get temp PA parameters usage: wl down wl pavars pa2gw0a0=0x1 pa2gw1a0=0x2 pa2gw2a0=0x3 ... wl pavars wl up override the PA parameters after driver attach(srom read), before diver up These override values will be propogated to HW when driver goes up PA parameters in one band range (2g, 5gl, 5g, 5gh) must all present if one of them is specified in the command, otherwise it will be filled with 0 pavars2 Set/get temp PA parameters. Extended cmd of pavars usage: wl down wl pavars2 pa2gw0a0=0x1 pa2gw1a0=0x2 pa2gw2a0=0x3 ... 
wl pavars2 wl up override the PA parameters after driver attach(srom read), before diver up These override values will be propogated to HW when driver goes up PA parameters in one band range (2g, 5gl, 5g, 5gh) must all present if one of them is specified in the command, otherwise it will be filled with 0 povars Set/get temp power offset usage: wl down wl povars cck2gpo=0x1 ofdm2gpo=0x2 mcs2gpo=0x3 ... wl povars wl up override the power offset after driver attach(srom read), before diver up These override values will be propogated to HW when driver goes up power offsets in one band range (2g, 5gl, 5g, 5gh) must all present if one of them is specified in the command, otherwise it will be filled with 0 cck(2g only), ofdm, and mcs(0-7) for NPHY are supported fem Set temp fem2g/5g value usage: wl fem (tssipos2g=0x1 extpagain2g=0x2 pdetrange2g=0x1 triso2g=0x1 antswctl2g=0) (tssipos5g=0x1 extpagain5g=0x2 pdetrange5g=0x1 triso5g=0x1 antswctl5g=0) antgain Set temp ag0/1 value usage: wl antgain ag0=0x1 ag1=0x2 maxpower Set temp maxp2g(5g)a0(a1) value usage: wl maxpower maxp2ga0=0x1 maxp2ga1=0x2 maxp5ga0=0xff maxp5ga1=0xff maxp5gla0=0x3 maxp5gla1=0x4 maxp5gha0=0x5 maxp5gha1=0x6 phy_antsel get/set antenna configuration set: -1(AUTO), 0xAB(fixed antenna selection) where A and B is the antenna numbers used for RF chain 1 and 0 respectively query: <utx>[AUTO] <urx>[AUTO] <dtx>[AUTO] <drx>[AUTO] where utx = TX unicast antenna configuration urx = RX unicast antenna configuration dtx = TX default (non-unicast) antenna configuration drx = RX default (non-unicast) antenna configuration txcore Usage: wl txcore -k <CCK core mask> -o <OFDM core mask> -s <1..4> -c <core bitmap> -k CCK core mask -o OFDM core mask -s # of space-time-streams -c active core (bitmask) to be used when transmitting frames txcore_override Usage: wl txcore_override get the user override of txcore txchain_pwr_offset Usage: wl txchain_pwr_offset [qdBm offsets] Get/Set the current offsets for each core in qdBm 
(quarter dBm) sample_collect Optional parameters HTPHY/(NPHY with NREV >= 7) are: -f File name to dump the sample buffer (default "sample_collect.dat") -t Trigger condition (default now) now, good_fcs, bad_fcs, bad_plcp, crs, crs_glitch, crs_deassert -b PreTrigger duration in us (default 10) -a PostTrigger duration in us (default 10) -m Sample collect mode (default 1) HTPHY: 0=adc, 1..3=adc+rssi, 4=gpio NPHY: 1=Dual-Core adc[9:2], 2=Core0 adc[9:0], 3=Core1 adc[9:0], gpio=gpio -g GPIO mux select (default 0) use only for gpio mode -d Downsample enable (default 0) use only for HTPHY -e BeDeaf enable (default 0) -i Timeout in units of 10us (default 1000) Optional parameters (NPHY with NREV < 7) are: -f File name to dump the sample buffer (binary format, default "sample_collect.dat") -u Sample collect duration in us (default 60) -c Cores to do sample collect, only if BW=40MHz (default both) For (NREV < 7), the NPHY buffer returned has the format: In 20MHz [(uint16)num_bytes, <I(core0), Q(core0), I(core1), Q(core1)>] In 40MHz [(uint16)num_bytes(core0), <I(core0), Q(core0)>, (uint16)num_bytes(core1), <I(core1), Q(core1)>] txfifo_sz set/get the txfifo size; usage: wl txfifo_sz <fifonum> <size_in_bytes> rate_histo Get rate hostrogram pkteng_start start packet engine tx usage: wl pkteng_start <xx:xx:xx:xx:xx:xx> <tx|txwithack> [(async)|sync] [ipg] [len] [nframes] [src] start packet engine rx usage: wl pkteng_start <xx:xx:xx:xx:xx:xx> <rx|rxwithack> [(async)|sync] [rxframes] [rxtimeout] sync: synchronous mode ipg: inter packet gap in us len: packet length nframes: number of frames; 0 indicates continuous tx test src: source mac address rxframes: number of receive frames (sync mode only) rxtimeout: maximum timout in msec (sync mode only) pkteng_stop stop packet engine; usage: wl pkteng_stop <tx|rx> pkteng_stats packet engine stats; usage: wl pkteng_stats wowl Enable/disable WOWL events 0 - Clear all events Bit 0 - Wakeup on Magic Packet Bit 1 - Wakeup on NetPattern (use 'wl 
wowl_pattern' to configure pattern) Bit 2 - Wakeup on loss-of-link due to Disassociation/Deauth Bit 3 - Wakeup on retrograde tsf Bit 4 - Wakeup on loss of beacon (use 'wl wowl_bcn_loss' to configure time) wowl_bcn_loss Set #of seconds of beacon loss for wakeup event wowl_pattern usage: wowl_pattern [ [clr | [[ add | del ] offset mask value ]]] No options -- lists existing pattern list add -- Adds the pattern to the list del -- Removes a pattern from the list clr -- Clear current list offset -- Starting offset for the pattern mask -- Mask to be used for pattern. Bit i of mask => byte i of the pattern value -- Value of the pattern wowl_wakeind usage: wowl_wakeind [clear] Shows last system wakeup event indications from PCI and D11 cores clear - Clear the indications wowl_status usage: wowl_status [clear] Shows last system wakeup setting wowl_pkt Send a wakeup frame to wakup a sleeping STA in WAKE mode Usage: wl wowl_pkt <len> <dst ea | bcast | ucast <STA ea>>[ magic [<STA ea>] | net <offset> <pattern>] e.g. To send bcast magic frame -- wl wowl_pkt 102 bcast magic 00:90:4c:AA:BB:CC To send ucast magic frame -- wl wowl_pkt 102 ucast 00:90:4c:aa:bb:cc magic To send a frame with L2 unicast - wl wowl_pkt 102 00:90:4c:aa:bb:cc net 0 0x00904caabbcc NOTE: offset for netpattern frame starts from "Dest EA" of ethernet frame.So dest ea will be used only when offset is >= 6 wme_apsd_trigger Set Periodic APSD Trigger Frame Timer timeout in ms (0=off) wme_autotrigger Enable/Disable sending of APSD Trigger frame when all ac are delivery enabled reassoc Initiate a (re)association request. 
Usage: wl reassoc <bssid> [options] Options: -c CL, --chanspecs=CL chanspecs (comma or space separated list) send_nulldata Sed a null frame to the specified hw address btc_params g/set BT Coex parameters btc_flags g/set BT Coex flags obss_scan_params set/get Overlapping BSS scan parameters Usage: wl obss_scan a b c d e ...; where a-Passive Dwell, {5-1000TU}, default = 100 b-Active Dwell, {10-1000TU}, default = 20 c-Width Trigger Scan Interval, {10-900sec}, default = 300 d-Passive Total per Channel, {200-10000TU}, default = 200 e-Active Total per Channel, {20-1000TU}, default = 20 f-Channel Transition Delay Factor, {5-100}, default = 5 g-Activity Threshold, {0-100%}, default = 25 keep_alive Send specified "keep-alive" packet periodically. Usage: wl keep_alive <period> <packet> period: Re-transmission period in milli-seconds. 0 to disable packet transmits. packet: Hex packet contents to transmit. The packet contents should include the entire ethernet packet (ethernet header, IP header, UDP header, and UDP payload) specified in network byte order. e.g. Send keep alive packet every 30 seconds: wl keep_alive 30000 0x0014a54b164f000f66f45b7e08004500001e000040004011c52a0a8830700a88302513c413c4000a00000a0d srchmem g/set ucode srch engine memory pkt_filter_add Install a packet filter. Usage: wl pkt_filter_add <id> <polarity> <type> <offset> <bitmask> <pattern> id: Integer. User specified id. type: 0 (Pattern matching filter). offset: Integer. Offset within received packets to start matching. polarity: Set to 1 to negate match result. 0 is default. bitmask: Hex bitmask that indicates which bits of 'pattern' to match. Must be same size as 'pattern'. Bit 0 of bitmask corresponds to bit 0 of pattern, etc. If bit N of bitmask is 0, then do *not* match bit N of the pattern with the received payload. If bit N of bitmask is 1, then perform match. pattern: Hex pattern to match. pkt_filter_clear_stats Clear packet filter statistic counter values. 
Usage: wl pkt_filter_clear_stats <id> pkt_filter_enable Enable/disable a packet filter. Usage: wl pkt_filter_enable <id> <0|1> pkt_filter_list List installed packet filters. Usage: wl pkt_filter_list [val] val: 0 (disabled filters) 1 (enabled filters) pkt_filter_mode Set packet filter match action. Usage: wl pkt_filter_mode <value> value: 1 - Forward packet on match, discard on non-match (default). 0 - Discard packet on match, forward on non-match. pkt_filter_delete Uninstall a packet filter. Usage: wl pkt_filter_delete <id> pkt_filter_stats Retrieve packet filter statistic counter values. Usage: wl pkt_filter_stats <id> seq_start Initiates command batching sequence. Subsequent IOCTLs will be queued until seq_stop is received. seq_stop Defines the end of command batching sequence. Queued IOCTLs will be executed. seq_delay Driver should spin for the indicated amount of time. It is only valid within the context of batched commands. seq_error_index Used to retrieve the index (starting at 1) of the command that failed within a batch bmac_reboot Reboot BMAC txmcsset get Transmit MCS rateset for 11N device rxmcsset get Receive MCS rateset for 11N device mimo_ss_stf get/set SS STF mode. 
Usage: wl mimo_ss_stf <value> <-b a | b> value: 0 - SISO; 1 - CDD -b(band): a - 5G; b - 2.4G assoclistinfo AP only: Get the list of yet another form of associated station info scblist AP only: Get STA list assertlog get external assert logs Usage: wl assertlog assert_type set/get the asset_bypass flag; usage: wl assert_type <1/0> (On/Off) ledbh set/get led behavior Usage: wl ledbh [0-3] [0-15] obss_coex_action send OBSS 20/40 Coexistence Mangement Action Frame Usage: wl obss_coex_action -i <1/0> -w <1/0> -c <channel list> -i: 40MHz intolerate bit; -w: 20MHz width Req bit; -c: channel list, 1 - 14 At least one option must be provided chanim_state get channel interference state Usage: wl chanim_state channel Valid channels: 1 - 14 returns: 0 - Acceptable; 1 - Severe chanim_mode get/set channel interference measure (chanim) mode Usage: wl chanim_mode <value> value: 0 - disabled; 1 - detection only; 2 - detection and avoidance ledbh set/get led behavior Usage: wl ledbh [0-3] [0-15] led_blink_sync set/get led_blink_sync Usage: wl led_blink_sync [0-3] [0/1] cca_get_stats Usage: wl cca_stats [-c channel] [-s num seconds][-a] -c channel: Optional. specify channel. 0 = All channels. Default = current channel -s num_seconds: Optional. 
Default = 10, Max = 60 -i: list individual measurements in addition to the averages -curband: Only recommend channels on current band itfr_get_stats get interference source information itfr_enab get/set STA interference detection mode(STA only) 0 - disable 1 - enable maual detection 2 - enable auto detection itfr_detect issue an interference detection request smfstats get/clear selected management frame (smf) stats wl smfstats [-C num]|[--cfg=num] [auth]|[assoc]|[reassoc]|[clear] clear - to clear the stats manfinfo show chip package info in OTP rrm_nbr_req send 11k neighbor report measurement request Usage: wl rrm_nbr_req [ssid] wnm_bsstq send 11v BSS transition management query Usage: wl wnm_bsstq [ssid] pm_dur Retrieve accumulated PM duration information (GET) or clear accumulator (SET) Usage: wl pm_dur <any-number-to-clear> mpc_dur Retrieve accumulated MPC duration information in ms (GET) or clear accumulator (SET) Usage: wl mpc_dur <any-number-to-clear> chanim_acs_record get the auto channel scan record. Usage: wl acs_record dngl_wd enable or disable dongle watchdog timer Usage: wl dngl_wd <on/off>(to turn on\off) <exptime in sec> tsf set/get tsf register Usage: wl tsf [<high> <low>] tpc_mode Enable/disable AP TPC. Usage: wl tpc_mode <mode> 0 - disable, 1 - BSS power control, 2 - AP power control, 3 - Both (1) and (2) tpc_period Set AP TPC periodicity in secs. Usage: wl tpc_period <secs> tpc_lm Get current link margins. 
mfp_config Config PMF capability
    usage: wl mfp 0/disable, 1/capable, 2/requred
mfp_sha256 Config SHA256 capability
    usage: wl sha256 0/disable, 1/enable
mfp_sa_query Send a sa query req/resp to a peer
    usage: wl mfp_sa_query flag action id
mfp_disassoc send bogus disassoc
    Usage: wl mfp_disassoc
mfp_deauth send bogus deauth
    Usage: wl mfp_dedauth
mfp_assoc send assoc
    Usage: wl mfp_assoc
mfp_auth send auth
    Usage: wl mfp_auth
mfp_reassoc send reassoc
    Usage: wl mfp_reassoc
monitor_lq Start/Stop monitoring link quality metrics - RSSI and SNR
    Usage: wl monitor_lq <0: turn off / 1: turn on
monitor_lq_status Returns averaged link quality metrics - RSSI and SNR values
scb_probe Set probing parameters for inactive clients. <timout in seconds> <activity_time in seconds> <max number of probes>
rpmt rpmt <pm1-to> <pm0-to>
spatial_policy set/get spatial_policy
    Usage: wl spatial_policy <-1: auto / 0: turn off / 1: turn on>
    to control individual band/sub-band use
    wl spatial_policy a b c d e
    where a is 2.4G band setting
    where b is 5G lower band setting
    where c is 5G middle band setting
    where d is 5G high band setting
    where e is 5G upper band setting
ratetbl_ppr Usage: For get: wl ratetbl_ppr
    For set: wl ratetbl_ppr <rate> <ppr>
ie set/get IE
    Usage for set: wl ie type length hexdata
    Example: wl ie 107 9 02020800904c09215c
    to set IW IE with length 9
    Usage for get: wl ie type
    Example: wl ie 107
    to get current IW IE
wan
The wan utility prints information about network interfaces. The output is a little hard to read until you know what kind of hardware is onboard: there are actually multiple wired and wireless interfaces.
In the output below, only one interface, ppp0.1, is enabled and connected to the internet, at an external IP address of 397.113.19.219:
> wan show
VCC     Con.  Service     Interface  Proto.   IGMP     MLD      Status        IP
        ID    Name        Name                                                address
0.0.36  1     br_0_0_36   atm0       Bridged  Disable  Disable  Unconfigured
0.0.37  1     br_0_0_37   atm1       Bridged  Disable  Disable  Unconfigured
0.0.38  1     br_0_0_38   atm2       Bridged  Disable  Disable  Unconfigured
0.0.39  1     br_0_0_39   atm3       Bridged  Disable  Disable  Unconfigured
0.0.40  1     br_0_0_40   atm4       Bridged  Disable  Disable  Unconfigured
0.0.41  1     br_0_0_41   atm5       Bridged  Disable  Disable  Unconfigured
0.0.42  1     br_0_0_42   atm6       Bridged  Disable  Disable  Unconfigured
N/A     2     ipoe_.201   eth5.2     IPoE     Enable   Disable  Unconfigured  0.0.0.0
N/A     3     ipoe_.201   eth5.3     IPoE     Enable   Disable  Unconfigured  0.0.0.0
N/A     4     ipoe_.0     eth5.4     IPoE     Enable   Disable  Unconfigured  0.0.0.0
N/A     5     ipoe_.0     eth5.5     IPoE     Enable   Disable  Unconfigured  0.0.0.0
N/A     6     ipoe_       eth5.6     IPoE     Enable   Disable  Unconfigured  0.0.0.0
N/A     7     ipoe_       eth5.7     IPoE     Enable   Disable  Unconfigured  0.0.0.0
N/A     1     pppoe_.201  ppp0.1     PPPoE    Enable   Disable  Connected     397.113.19.219
N/A     8     pppoe_      ppp1.8     PPPoE    Disable  Disable  Unconfigured
>
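To make the column layout of `wan show` explicit, here is a small parser, added as an example and not part of the original page. It reads the output whether it is one row per line or flattened onto a single line, and it handles rows that print no IP address; the names `WanRow`, `parse_wan_show`, `connected` and `by_proto` are made up for this example.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: rows taken from the `wan show` output on this page,
# flattened onto one line (header text and trailing prompt included).
SAMPLE = (
    "VCC Con. Service Interface Proto. IGMP MLD Status IP ID Name Name address "
    "0.0.36 1 br_0_0_36 atm0 Bridged Disable Disable Unconfigured "
    "0.0.37 1 br_0_0_37 atm1 Bridged Disable Disable Unconfigured "
    "N/A 2 ipoe_.201 eth5.2 IPoE Enable Disable Unconfigured 0.0.0.0 "
    "N/A 1 pppoe_.201 ppp0.1 PPPoE Enable Disable Connected 397.113.19.219 "
    "N/A 8 pppoe_ ppp1.8 PPPoE Disable Disable Unconfigured >"
)


class WanRow(NamedTuple):
    vcc: Optional[str]   # value of the VCC column, None when it reads "N/A"
    con_id: int
    service: str
    interface: str
    proto: str
    igmp: bool
    mld: bool
    status: str
    ip: Optional[str]    # None on rows that print no address


# A row starts with "N/A" or three dotted numbers and may end with a four-part
# address. The guards keep a VCC such as 0.0.37 from being read as the previous
# row's IP (and the reverse) when the rows are run together on one line.
ROW = re.compile(
    r"(?<![\w.])(N/A|\d+\.\d+\.\d+)(?![\w.])\s+"    # VCC
    r"(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"             # con. id, service, interface, proto
    r"(Enable|Disable)\s+(Enable|Disable)\s+(\S+)"  # IGMP, MLD, status
    r"(?:\s+(\d+\.\d+\.\d+\.\d+)(?![\w.]))?"        # optional IP address
)


def parse_wan_show(text):
    """Return one WanRow per data row; header and prompt text are skipped."""
    rows = []
    for m in ROW.finditer(text):
        vcc, con, svc, ifc, proto, igmp, mld, status, ip = m.groups()
        rows.append(WanRow(None if vcc == "N/A" else vcc, int(con), svc, ifc,
                           proto, igmp == "Enable", mld == "Enable", status, ip))
    return rows


def connected(rows):
    """Rows whose Status column reads Connected, i.e. the live uplink(s)."""
    return [r for r in rows if r.status == "Connected"]


def by_proto(rows):
    """Group interface names by the Proto. column."""
    groups = {}
    for r in rows:
        groups.setdefault(r.proto, []).append(r.interface)
    return groups


if __name__ == "__main__":
    rows = parse_wan_show(SAMPLE)
    for proto, ifaces in by_proto(rows).items():
        print(f"{proto:8} {', '.join(ifaces)}")
    for r in connected(rows):
        print(f"uplink: {r.interface} ({r.proto}) {r.ip}")
```
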
image server
This utility flashes firmware by pulling the image from an external server, instead of uploading the bin file through the web interface:
> imageServer
Usage: imageServer URL, such as imageServer 192.168.0.6:7547/dl/firmware
pm
Port mirroring/monitoring service:
> pm
Usage: pm clean
       pm show
       pm enable <monitor port> <mirror port>
       pm disable <monitor port> <mirror port>
       pm delete <monitor port> <mirror port>
monitor port: Eth1, Eth2, Eth3, Eth4, lan-all, all-eths
              all-lan-wan, wan, ptm0, dslwan
              atm0 ... atm999, vlan1 ... vlan4094
              gbwan, ethwan, eth5
mirror port: Eth1, Eth2, Eth3, Eth4
<<< NOTES For monitor port >>>
1) if you do not know what type of WAN (Eth or Dsl), just set it to wan.
2) if you do not know the DSL VLAN id or ATM PVC number just set it to dslwan or wan.
3) gbwan, ethwan and eth5 are exchangable, you can use any one of them to monitor gigabit wan port (White jack).
led
Utility to control the LEDs on the front of the router.
> led
Usage: led <alloff | allon | allred | allamber]>
Examples:
  led allon: turns all LEDs on
  led alloff: turns all LEDs off
  led allred: turns all LEDs red
  led allamber: turns all LEDs amber
Note: Ethernet, HPNA and USB LEDs don't support red or amber. They could be either on, off or blinkiing when either 'led allamber' or 'led allred' command is given
nmap scan
$ nmap -A 97.113.9.219

Starting Nmap 6.47 ( http://nmap.org ) at 2016-09-03 03:37 PDT
Nmap scan report for 97-113-9-219.tukw.qwest.net (397.113.19.219)
Host is up (0.11s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE               VERSION
23/tcp   open     telnet                Broadcom BCM963268 ADSL router telnetd
25/tcp   filtered smtp
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
465/tcp  filtered smtps
587/tcp  filtered submission
1050/tcp filtered java-or-OTGfileshare
4567/tcp open     tram?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port4567-TCP:V=6.47%I=7%D=9/3%Time=57CAA829%P=x86_64-apple-darwin14.3.0
SF:%r(FourOhFourRequest,3A,"HTTP/1\.1\x20401\x20Authorization\x20Required\
SF:r\nContent-Length:\x200\r\n\r\n");
Service Info: Device: broadband router; CPE: cpe:/h:broadcom:bcm963268

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.43 seconds
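The scan above shows telnet answering on the WAN side, which is the exposure the telnet note earlier on this page warns about. The following check, added as an example and not part of the original page, reads the port table of a saved scan of your own router and reports what is open from outside; `CLEARTEXT_ADMIN`, the severity labels and the allowlist parameter are assumptions made for this example.

```python
import re
from typing import NamedTuple

# Constructed sample: the port table from the nmap output on this page,
# flattened onto one line.
SAMPLE = (
    "Not shown: 992 closed ports PORT STATE SERVICE VERSION "
    "23/tcp open telnet Broadcom BCM963268 ADSL router telnetd "
    "25/tcp filtered smtp 139/tcp filtered netbios-ssn "
    "445/tcp filtered microsoft-ds 465/tcp filtered smtps "
    "587/tcp filtered submission 1050/tcp filtered java-or-OTGfileshare "
    "4567/tcp open tram? 1 service unrecognized despite returning data."
)


class Port(NamedTuple):
    number: int
    proto: str
    state: str
    service: str    # nmap's service name without a trailing "?"
    guessed: bool   # True when nmap printed "name?": a guess from the port
                    # number that version detection did not confirm


PORT = re.compile(
    r"(?<!\S)(\d{1,5})/(tcp|udp)\s+"
    r"(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)"
)

# Assumed policy for this example: services that carry logins in cleartext
# and should never answer on the WAN side.
CLEARTEXT_ADMIN = {"telnet", "ftp", "rlogin", "rsh", "tftp"}


def parse_ports(text):
    """Extract PORT/STATE/SERVICE entries; works on line-per-port or flattened text."""
    ports = []
    for m in PORT.finditer(text):
        number, proto, state, service = m.groups()
        ports.append(Port(int(number), proto, state,
                          service.rstrip("?"), service.endswith("?")))
    return ports


def audit(ports, allowed=frozenset()):
    """Return (severity, port, reason) for every open port that needs attention.

    `allowed` is a set of (number, proto) pairs the owner expects to be open.
    A cleartext administration service is reported even if it is allowlisted.
    """
    findings = []
    for p in ports:
        if p.state != "open":
            continue  # filtered and closed ports are not reachable services
        if p.service in CLEARTEXT_ADMIN:
            findings.append(("high", p, "cleartext administration service reachable"))
        elif (p.number, p.proto) not in allowed:
            reason = ("open port with unidentified service" if p.guessed
                      else "open port not in the allowlist")
            findings.append(("review", p, reason))
    return findings


if __name__ == "__main__":
    for severity, port, reason in audit(parse_ports(SAMPLE)):
        print(f"[{severity}] {port.number}/{port.proto} {port.service}: {reason}")
```

Run it again after turning the remote console off: the `high` finding for 23/tcp should be gone from a fresh scan.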