Backdoor in firmware? Router is uploading data itself that I have no clue of

I'm using this andyX firmware, Minimum/Lite Firmware for TPLINK-MR1XU-MR3XXX-WA7XX-WA8XX-WA901ND-WA7X10N-WR7XXN-WR8XXN-WR9XXND-WR1041N & NETGEAR-WNR612-WNR1000-WNR2000-WPN824N (4M Flash ONLY), for my TP-Link TL-WR941N/ND v2, and I was checking my bandwidth monitor when I saw my router's MAC in the list. It shows that my router in the last 3 days uploaded 39kb and made 67 connections on other protocol.

Screenshot: https://imgur.com/a/rjDgyjl

Which packages does the build contain? Maybe some package is sniffing for neighbours, like peer to peer traffic or some addressing scheme like avahi

Sorry, I don't know, but these are the apps listed on the firmware page:
SFE(Qualcomm FAST PATCH) / SQM-QOS / UPNP / IPv6 Support / VLAN Support / WIFI Schedule / Bandwidth Monitor / Wake-On-Lan / Scheduled Reboot

Please post the output [within code boxes] of: opkg list-installed

It says opkg not found!

Impossible... see opkg

  • If andyX did not include opkg, that throws up an enormous red flag: their firmware should not be utilized.

Compile clean firmware from source

Maybe it was to lower firmware size?

It requires tinkering to adjust firmware for small router storage, which I can't do

You don't remove a package manager to save room on public builds... that's asinine.

Looks like I'm going to revert back to DD-WRT

Why not compile your own?

Also, there's a process list in the web GUI; I'm not sure if that's handy

I don't have a clue how to compile it myself

You can utilize this script to automate the entire process on Ubuntu (can be run in a VirtualBox VM), or you can utilize one of the official OpenWrt images for your device.

It doesn't list my router on the download page.

Well, it is a "minimal" firmware targeting 4/32 devices, so opkg might have been innocently left out just to save space and pack some other packages in. (Using opkg with a 32 MB RAM device may cause memory spikes in any case, so having opkg there is not that useful.)


I wasn't aware that opkg could cause those types of issues... learn something new every day. Thanks! =]

You do if it saves you space and you can include some more stuff on a 4 MB flash device... Most people don't provide builds here with the intention to share them with the general public. That is usually an afterthought, not the main reason.

My money would be on data to maintain your WAN connection (PPP session, DHCP, ...) or, like @hnyman says, some stuff like Avahi.

39 kB is not a lot of data for a backdoor, it seems to me.

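One way to check the guess above that the router's own traffic is housekeeping such as DNS, DHCP, NTP or mDNS (an added example, not from the thread or from the firmware): summarise the connection-tracking table by flows the router itself originated. It assumes the build exposes `/proc/net/nf_conntrack` and ships `awk`; the function names and every address in the sample are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): summarise flows the router itself started.
# Assumption: the firmware exposes the kernel table at /proc/net/nf_conntrack.

# Constructed sample in /proc/net/nf_conntrack format; every address is made up.
sample_conntrack() {
cat <<'EOF'
ipv4     2 udp      17 25 src=203.0.113.10 dst=198.51.100.53 sport=40111 dport=53 src=198.51.100.53 dst=203.0.113.10 sport=53 dport=40111 mark=0 use=2
ipv4     2 udp      17 12 src=203.0.113.10 dst=198.51.100.53 sport=40112 dport=53 src=198.51.100.53 dst=203.0.113.10 sport=53 dport=40112 mark=0 use=2
ipv4     2 udp      17 40 src=203.0.113.10 dst=198.51.100.123 sport=123 dport=123 src=198.51.100.123 dst=203.0.113.10 sport=123 dport=123 mark=0 use=2
ipv4     2 udp      17 20 src=192.168.1.1 dst=224.0.0.251 sport=5353 dport=5353 [UNREPLIED] src=224.0.0.251 dst=192.168.1.1 sport=5353 dport=5353 mark=0 use=2
ipv4     2 tcp      6 7400 ESTABLISHED src=192.168.1.50 dst=198.51.100.80 sport=51000 dport=443 src=198.51.100.80 dst=203.0.113.10 sport=443 dport=51000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 7300 ESTABLISHED src=203.0.113.10 dst=198.51.100.200 sport=39000 dport=8443 src=198.51.100.200 dst=203.0.113.10 sport=8443 dport=39000 [ASSURED] mark=0 use=2
EOF
}

# router_flows IP[,IP...]  reads conntrack lines on stdin and prints
# "count label proto/dport destination" for flows whose ORIGINAL source
# is one of the router's own addresses (LAN and WAN). Client traffic that
# is merely NATed keeps the client's address as original source and is skipped.
router_flows() {
    awk -v ips="$1" '
    BEGIN {
        n = split(ips, a, ","); for (i = 1; i <= n; i++) own[a[i]] = 1
        # Well-known housekeeping ports; a match is a hint, not proof.
        name["udp/53"] = "dns";  name["tcp/53"] = "dns"
        name["udp/67"] = "dhcp"; name["udp/123"] = "ntp"
        name["udp/5353"] = "mdns"; name["udp/1900"] = "ssdp"
    }
    {
        proto = $3; src = ""; dst = ""; dport = ""
        # The first src=/dst=/dport= belong to the original direction.
        for (i = 4; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            else if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (!(src in own)) next
        key = proto "/" dport
        label = (key in name) ? name[key] : "unknown"
        count[label " " key " " dst]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# On the router: router_flows LAN_IP,WAN_IP < /proc/net/nf_conntrack
sample_conntrack | router_flows 192.168.1.1,203.0.113.10
```

Rows labelled `unknown` are the ones worth following up by destination; PPPoE session frames are not IP flows and will not appear in this table.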

The question here should be: why didn’t you ask @AndyX directly? I find it insulting to say someone put in a backdoor in a community build that he’s sharing on this forum without any hard proof. It seems to me AndyX is trying hard to squeeze as much functionality in a 4/32 device as possible. For this reason opkg is left out for sure. No point to have it since you will have no space to install anything else anyway. He probably left out all kinds of debug features and kernel features that are non-essential if you don’t install packages after compiling/flashing.

Use his config.seed (or ask for his if it wasn’t published) and compile yourself. On those limited devices that’s a good idea anyway. That way you know exactly what you are using/running without the “fear” of backdoors or anything “fishy”.