Anonabox has had a very chequered past, and it is far from the best VPN router on the market. However, it isn’t intended to be.

Indeed, Anonabox was created with a single purpose: to provide a portable Tor client for accessing the internet more securely. Being able to run a VPN service on it is just a bonus. We recommend reading this full Anonabox review before you decide to purchase one; if you’re interested, you can purchase it using the link below.

History of the Anonabox

Before we go on, we must state that the Anonabox has had a chequered past. It was originally launched on Kickstarter and raised over $500,000 within a week. Unfortunately, it was quickly discovered that its hardware and software are very similar to products you can already purchase online. This was then followed by the discovery of a vulnerability. With all of that happening, Kickstarter decided to pull the campaign.

Despite its initial pitfalls, Anonabox was purchased by a third-party company and is still alive and well. There are currently four different devices for sale: the Original, the Anonabox Pro, the Fawkes, and the Tunneler. Due to the number of iterations they go through, if you’re reading user reviews it’s important

Tor on a Router

The Anonabox product is essentially a Tor router. For mainstream users, Tor has the following issues:

It’s complicated to set up

It’s not portable

It’s not available on all operating systems

By running Tor on a router you overcome all of these issues, making the Anonabox a fantastic little tool for privacy.

Of course, a similar result can be achieved with a VPN router. Unfortunately, most VPN routers aren’t portable, though that isn’t to say they don’t exist.

What is Tor?

We won’t go into too much detail about Tor. In short, it’s a system that helps users stay private and anonymous by routing their traffic through multiple layers. This is where it got its name – The Onion Router. As traffic passes through each layer another level of encryption is added, making your data impossible to decrypt.

When a user connects to the Tor network, their connection is routed through a random set of at least three nodes. Once the connection has passed through these relays, it reaches its final destination – the website you wish to visit. Incoming traffic is handled similarly to outgoing traffic. Usually this happens through the Tor browser, but with the Anonabox the routing is handled by the router itself.

While the Tor network was heavily developed by the US government, the fact that the nodes themselves are run by individuals makes the system a lot more secure.

Tor vs VPN?

Tor and VPNs both help protect your online anonymity and privacy. Unfortunately, while Tor has its positives, it can be extremely slow and a hassle to use. A secure and reliable VPN can offer you a similar level of protection without the drastic speed loss.

There are also Tor-over-VPN services, but that’s a more complicated topic, and one for those who are extremely paranoid about their online security.

Physical Looks and Function

All versions of the Anonabox come in a small form-factor router the size of a cigarette box. All it requires to run is a USB port for power. Alongside this, you need an Ethernet cable to connect it to a network. Luckily, most airports and hotels have Ethernet ports that you can use.

Setup and Usage

Using the Anonabox is extremely straightforward. Just follow these steps.

1. Connect it to power, either through your computer or a power socket.

2. Connect it to the internet using the Ethernet port.

3. Connect to the new WiFi network using the password provided.

4. That’s it, your wireless network is now protected by Tor.

Some versions of the Anonabox also support the use of a VPN such as VyprVPN or HMA. The Anonabox interface makes these easy to set up. Their user manual clearly outlines the steps for you to follow, but in short they are as follows.

1. Log in to your Anonabox web interface.

2. Navigate to Network -> VPN.

3. Enter your username and password for your VPN and select the location you wish to use.

4. Connect.

Now all of your data is protected by a VPN and Tor.

Anonabox vs InvizBox

As mentioned at the start of this article, there are a lot of devices similar to Anonabox on the market, and even on Amazon. One of the most popular competitors is InvizBox. While the two seem to offer much the same, we’d recommend InvizBox, as they seem to keep the product and website more up to date.

Conclusion

In conclusion, Anonabox is a very niche device. In our personal opinion, we’d avoid using it. While it’s relatively cheap and could be a useful device, on the whole the unstable past and present of the company discourages us from using it.

Anonabox Analysis

The following is research carried out by Lars Boegild Thomsen on the vulnerability of the original Anonabox. He found a number of deep technical issues embedded within the system and made a note of them. This section is intended to serve as an archive; should you have any questions relating to it, you should email Lars directly, as most of it is too technical even for us.

The Anonabox is, according to their website:

anonymity in a box Anonabox is a Tor hardware router for increased online privacy & anonymity. This pocket size device offers a plug-and-play solution to route ALL of your network traffic over the Tor network. You heard that right, no software to install, no activation, & no registration. Just plug it in and start cloaking your online activity.

The website contains absolutely no links to any kind of documentation, source code or any other technical documentation, so I simply had to have a poke around the insides of this little router.

Initial Assessment

After plugging the WAN port of the Anonabox into my LAN and powering up the device, a new access point showed up on my phone:

I am guessing that “anbx1424833770” is the access point I should be using. Connecting to that access point, the first thing that is noticeable is the allocated IP address:

126.16.2.128? Now there is a new one! A quick search on whois shows:

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '126.0.0.0 - 126.255.255.255'

inetnum:        126.0.0.0 - 126.255.255.255
netname:        BBTEC
descr:          Japan Nation-wide Network of Softbank BB Corp.
country:        JP
admin-c:        SA421-AP
tech-c:         SA421-AP
mnt-by:         APNIC-HM
mnt-lower:      MAINT-JP-BBTECH
status:         ALLOCATED PORTABLE
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:        hm-changed@apnic.net 20050208
changed:        hm-changed@apnic.net 20081031
source:         APNIC

role:           SoftbankBB ABUSE
address:        Tokyo Shiodome bldg., 1-9-1, Higashi-Shimbashi, Minatoku,Tokyo
country:        JP
phone:          +81-3-6688-5120
e-mail:         stsuruma@bb.softbank.co.jp
remarks:        Please send spam report,virus alart
remarks:        or any other abuse report
remarks:        to abuse@bbtec.net
remarks:        Any other Information, Notice,
remarks:        Please send to hostmaster@bbtec.net
admin-c:        ST222-AP
tech-c:         ST222-AP
nic-hdl:        SA421-AP
notify:         admin@bbtec.net
mnt-by:         MAINT-JP-BBTECH
changed:        stsuruma@bb.softbank.co.jp 20081030
source:         APNIC
changed:        hm-changed@apnic.net 20111114

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)

Now, there is a novel approach? Instead of using the 3 ranges of IP addresses that are allocated to private use, just grab a random one and use that. I guess it could be argued that since this device routes everything through Tor, it really doesn’t matter all that much. But it still seems rather pointless and I can’t imagine why on earth that decision was made.

Very well, the second test was to check if Tor is working:

It would appear so, because that is definitely not my public IP. A further quick check at https://check.torproject.org shows:

So yeah, the Anonabox appears to be working but it is downright shocking that the WiFi connection is running unencrypted. Anybody within range of the Anonabox can connect to the network and sniff all network traffic.

Normally, OpenWrt (which the Anonabox is based on) is running a web-based user interface that will enable the user to change the device configuration. Pointing the browser to:

https://126.16.2.1

resulted in – well – absolutely nothing. In other words, there doesn’t appear to be any way whatsoever that a user can make this security device – well – ahem – secure.

Breaking and Entering

In order to figure out how to get into the box, I hooked its LAN port up to my LAN. I hardcoded my IP address as:

126.16.1.2/24

And sure thing – I could now ping the Anonabox:

root@ncpws04:~# ping 126.16.2.1
PING 126.16.2.1 (126.16.2.1) 56(84) bytes of data.
64 bytes from 126.16.2.1: icmp_seq=1 ttl=51 time=132 ms
64 bytes from 126.16.2.1: icmp_seq=2 ttl=51 time=136 ms

The next step was to see if there were any ports open:

root@ncpws04:~# nmap -O -p- 126.16.2.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-06 17:05 MYT
Nmap scan report for softbank126016002001.bbtec.net (126.16.2.1)
Host is up (0.13s latency).
All 65535 scanned ports on softbank126016002001.bbtec.net (126.16.2.1) are filtered
Too many fingerprints match this host to give specific OS details
Network Distance: 13 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1034.15 seconds

So far it would appear that the Anonabox is locked down pretty tightly – except the unencrypted WiFi obviously. Apologies to bbtec.net, but I _really_ didn’t scan their public IP 🙂

However, since the box is running a Linux kernel and OpenWrt, IPv6 should be enabled by default. Since Tor does not support IPv6 at all, it seemed quite likely that the Anonabox came with the default IPv6 firewall and a working link-local address. Fortunately, as can be seen in the photo at the start of this page, the Anonabox came with the MAC address of at least one interface conveniently labelled on the box.

Using:

https://ben.akrin.com/ipv6_mac_address_to_link_local_converter/?mode=api&mac=0C:EF:AF:CA:14:82

The link local address of one interface should be:

fe80::eef:afff:feca:1482

Trying to ping that:

lth@ncpws04:~$ ping6 fe80::eef:afff:feca:1482%eth0
PING fe80::eef:afff:feca:1482%eth0(fe80::eef:afff:feca:1482) 56 data bytes
From fe80::e2cb:4eff:fe3e:11c6 icmp_seq=1 Destination unreachable: Address unreachable

A device running OpenWrt is likely to have more than one interface, and it is likely that the MAC addresses are allocated in series, so poking around a bit more resulted in:

lth@ncpws04:~$ ping6 fe80::eef:afff:feca:1481%eth0
PING fe80::eef:afff:feca:1481%eth0(fe80::eef:afff:feca:1481) 56 data bytes
64 bytes from fe80::eef:afff:feca:1481: icmp_seq=1 ttl=64 time=0.483 ms
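The two lookups done by hand above (whois to see that 126.16.2.0/24 is not a private range, and an online converter to turn the MAC printed on the case into a link-local address, then guessing the neighbouring MAC) can both be done offline. The following script is an added example and is not part of Lars’s write-up or of Anonabox’s firmware; the MAC addresses and 126.16.2.128 are the values from this page, everything else is constructed for the demo. It also shows why a MAC label on the case matters to a defender: the IPv6 link-local address is derived from it deterministically, so the device’s address is effectively printed on the box as well.

```shell
#!/bin/sh
# Added example (not from Lars's write-up or Anonabox): the two checks done
# by hand above, reproduced offline.
#  - is_rfc1918 tells you whether an address belongs to one of the three
#    private ranges (10/8, 172.16/12, 192.168/16).
#  - mac_to_link_local derives the EUI-64 IPv6 link-local address from a
#    MAC the way the online converter does (RFC 4291, RFC 5952 text form).
# MACs and 126.16.2.128 are taken from the page; nothing else is real data.

# is_rfc1918 A.B.C.D -> exit 0 if private, 1 if not, 2 if malformed.
is_rfc1918() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 2
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# mac_to_link_local XX:XX:XX:XX:XX:XX -> fe80::...
# Modified EUI-64: flip the universal/local bit (0x02) of the first octet
# and insert ff:fe between the third and fourth octets.
mac_to_link_local() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    oldifs=$IFS; IFS=:; set -- $mac; IFS=$oldifs
    [ $# -eq 6 ] || return 1
    o1=$(( 0x$1 ^ 0x02 ))
    # printf %x drops leading zeros in each 16-bit group, which is the
    # canonical RFC 5952 spelling (0eef -> eef).
    g1=$(printf '%x' $(( ($o1 << 8) | 0x$2 )))
    g2=$(printf '%x' $(( (0x$3 << 8) | 0xff )))
    g3=$(printf '%x' $(( 0xfe00 | 0x$4 )))
    g4=$(printf '%x' $(( (0x$5 << 8) | 0x$6 )))
    printf 'fe80::%s:%s:%s:%s\n' "$g1" "$g2" "$g3" "$g4"
}

# Demo on the values from the page.
for ip in 126.16.2.128 192.168.1.1; do
    if is_rfc1918 "$ip"; then v="private (RFC 1918)"; else v="NOT a private range"; fi
    printf '%-16s %s\n' "$ip" "$v"
done
for mac in 0C:EF:AF:CA:14:82 0C:EF:AF:CA:14:81; do
    printf '%-18s -> %s\n' "$mac" "$(mac_to_link_local "$mac")"
done
```

Run it with any POSIX sh; the labelled MAC gives fe80::eef:afff:feca:1482 and the neighbouring MAC ending in :81 gives fe80::eef:afff:feca:1481, the address the port scan above was run against. Stable EUI-64 addresses are exactly why a firewall on such a box must treat link-local IPv6 the same as any other inbound path rather than relying on the address being unknown.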

Time to do a port scan on that address:

root@ncpws04:~# nmap -O -p- fe80::eef:afff:feca:1481%eth0

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-06 17:24 MYT
fe80::eef:afff:feca:1481/0 looks like an IPv6 target specification -- you have to use the -6 option.
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.47 seconds
root@ncpws04:~# nmap -O -6 -p- fe80::eef:afff:feca:1481%eth0

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-06 17:24 MYT
Nmap scan report for fe80::eef:afff:feca:1481
Host is up (0.00042s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
32891/tcp open  unknown
MAC Address: 0C:EF:AF:CA:14:81 (Unknown)
No OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.47%E=6%D=4/6%OT=53%CT=1%CU=32856%PV=N%DS=1%DC=D%G=Y%M=0CEFAF%T
OS:M=55226A8B%P=x86_64-pc-linux-gnu)S1(P=6000{4}280640XX{32}0035e8651164f1
OS:208799aafba0126f9066330000020405a00402080a00134370ff{4}0103{3}%ST=0.091
OS:935%RT=0.292415)S2(P=6000{4}280640XX{32}0035e8660e698b728799aafca0126f9
OS:0ced00000020405a00402080a0013437aff{4}0103{3}%ST=0.192034%RT=0.292466)S
OS:3(P=6000{4}280640XX{32}0035e867d93a8a928799aafda0126f9007d40000020405a0
OS:0101080a00134384ff{4}0103{3}%ST=0.291967%RT=0.492329)S4(P=6000{4}280640
OS:XX{32}0035e868e7cd66498799aafea0126f901a7d0000020405a00402080a0013438ef
OS:f{4}0103{3}%ST=0.391912%RT=0.492353)S5(P=6000{4}280640XX{32}0035e869934
OS:2bc5a8799aaffa0126f9018eb0000020405a00402080a00134398ff{4}0103{3}%ST=0.
OS:491897%RT=0.633643)S6(P=6000{4}240640XX{32}0035e86a9a64cf298799ab009012
OS:6f9012f80000020405a00402080a001343a2ff{4}%ST=0.591902%RT=0.633666)IE1(P
OS:=6000{4}803a40XX{32}8109c161abcd00{122}%ST=0.633072%RT=0.831159)IE2(P=6
OS:000{4}583a40XX{32}0401c2b300{3}38600123450028003bXX{32}3c00010400{4}2b0
OS:0010400{12}3a00010400{4}8000c2e1abcd0001%ST=0.682893%RT=0.831209)NS(P=6
OS:000{4}183affXX{32}8800d5e3c000{3}XX{16}%ST=0.781307%RT=0.831241)U1(P=60
OS:00{3}01643a40XX{32}010457f300{4}6001234501341128XX{32}e7ef805801341ac84
OS:3{300}%ST=0.830545%RT=1.02953)TECN(P=6000{4}200640XX{32}0035e86b77b74f9
OS:38799ab01801270800b060000020405a0010104020103{3}%ST=0.880458%RT=1.02957
OS:)T4(P=6000{4}140640XX{32}0035e86e8efa74dc00{4}50040000b2590000%ST=1.724
OS:75%RT=1.72507)T5(P=6000{4}140640XX{32}0001e86f00{4}8799ab055014000083b4
OS:0000%ST=1.07879%RT=1.7251)T6(P=6000{4}140640XX{32}0001e870953287b900{4}
OS:5004000099760000%ST=1.12803%RT=1.72511)T7(P=6000{4}140640XX{32}0001e871
OS:00{4}8799ab075014000083b00000%ST=1.1772%RT=1.72511)EXTRA(FL=12345)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6573.41 seconds

That took a while, but it was well worth it. First of all, port 80 is open. Unfortunately, I believe ‘lynx’ is the only browser that supports link-local addresses, so:

lynx http://[fe80::eef:afff:feca:1481%eth0]

While Lynx is pretty cool, it is a bit tedious to use. Fortunately there is a tool called tcpproxy that will proxy between IPv4 and IPv6 addresses:

lth@ncpws04:~/src/tcpproxy/src$ ./tcpproxy -D -t ipv4 -p 8087 -r fe80::eef:afff:feca:1481%eth0 -R 6 -o 80

By default, OpenWrt doesn’t come with a password, and that will be prominently displayed on the login page of LuCI. In other words, the Anonabox has got a root password hard-coded. And the root password is – I am not joking – “admin” (that took me 4 attempts; I think I tried root, anonabox, 12345678 and a few others first):

By now we know the root password and we’ve got the web interface, so we could change that port zero for dropbear. But hold on – go back and check the port scan I did earlier – something is listening on port 32891. Could it be – surely not:

lth@ncpws04:~$ ssh -p 32891 root@fe80::eef:afff:feca:1481%eth0
The authenticity of host '[fe80::eef:afff:feca:1481%eth0]:32891 ([fe80::eef:afff:feca:1481%eth0]:32891)' can't be established.
RSA key fingerprint is 48:2d:c9:93:ab:39:c9:b7:55:52:71:a2:8e:56:e7:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[fe80::eef:afff:feca:1481%eth0]:32891' (RSA) to the list of known hosts.
root@fe80::eef:afff:feca:1481%eth0's password:

BusyBox v1.22.1 (2014-11-29 06:25:27 PHT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

[ASCII-art "ANONABOX" banner (v2.1) and the OpenWrt logo; layout lost in extraction]

 W I R E L E S S   F R E E D O M
 Based on CHAOS CALMER (Bleeding Edge, r41992)
root@anonabox:~#

There you have it – root shell on an Anonabox without changing a single thing.

Can the Anonabox be made secure?

Well, yes and no. Some of the obvious mistakes made by Anonabox can be remedied, and that will make it a better product. But there’s still a fundamental problem in the fact that the source code is not available, so a back door could theoretically be hidden in a binary file somewhere (dropbear, for example). It would be a far better approach to build an entirely new firmware.
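The “obvious mistakes” referred to above are configuration mistakes: an open WiFi network, a factory root password, and dropbear accepting password logins on every interface. The script below is an added example of what remedying them on an OpenWrt-based box looks like; it is not Anonabox’s code and not part of Lars’s write-up. It assumes a stock OpenWrt configuration layout (a single wifi-iface section, the dropbear package, the uci CLI) and that your SSH public key is already in /etc/dropbear/authorized_keys before password login is switched off. It does nothing about the closed-source concern raised in the paragraph above.

```shell
#!/bin/sh
# Added example: configuration hardening for an OpenWrt-based router that
# shipped with an open WiFi network, a factory root password and dropbear
# accepting password logins on every interface. Not Anonabox's or Lars's
# code. Assumes a stock OpenWrt layout (one wifi-iface section, the dropbear
# package, the uci CLI) and that your SSH public key is already in
# /etc/dropbear/authorized_keys. PREVIEW=1 prints the commands instead of
# running them, so the plan can be reviewed before it touches the device.

PREVIEW=${PREVIEW:-0}

# run: execute the given command, or just print it in preview mode.
run() {
    if [ "$PREVIEW" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# psk_ok: WPA2-PSK passphrases must be 8 to 63 characters long.
psk_ok() {
    [ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ]
}

harden_anonabox() {
    psk=${WIFI_PSK:-}
    if ! psk_ok "$psk"; then
        echo "WIFI_PSK must be a WPA2 passphrase of 8-63 characters" >&2
        return 1
    fi

    # 1. Open WiFi -> WPA2-PSK. The device shipped with encryption 'none',
    #    which lets anyone in range join and sniff the client side of Tor.
    run uci set "wireless.@wifi-iface[0].encryption=psk2"
    run uci set "wireless.@wifi-iface[0].key=$psk"

    # 2. dropbear (SSH): bind to the LAN interface only and refuse password
    #    logins, so a known factory password no longer buys a root shell.
    run uci set "dropbear.@dropbear[0].Interface=lan"
    run uci set "dropbear.@dropbear[0].PasswordAuth=off"
    run uci set "dropbear.@dropbear[0].RootPasswordAuth=off"

    run uci commit wireless
    run uci commit dropbear
    run wifi
    run /etc/init.d/dropbear restart

    # 3. The root password is set interactively and LuCI uses the same one,
    #    so remind the operator rather than scripting it.
    echo "reminder: run 'passwd' now to replace the factory root password"
}

case "${1:-}" in
    apply)   harden_anonabox ;;
    preview) PREVIEW=1; harden_anonabox ;;
    *)       echo "usage: WIFI_PSK=<passphrase> $0 preview|apply" ;;
esac
```

Run `WIFI_PSK='…' ./harden.sh preview` first to see the uci commands it would issue, then `apply` on the device itself. The preview mode exists because a wrong wireless or dropbear setting on a headless box means a serial-console recovery, as the next section of the write-up illustrates.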

Gallery

Xxx cracked open

Xxx board bottom view

Xxx board top view

Ripping firmware out of the darn thing

Raw Dumps

For each file I have added some comments at the end.

Serial console – boot

U-Boot 1.1.4 (Jan 24 2015)

AP121 (AR9331) U-Boot
DRAM:  64 MB
FLASH: Winbond W25Q128 (16 MB)
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ag7240_enet_initialize...
: cfg1 0x5 cfg2 0x7114
eth0: 0C:EF:AF:CA:14:82
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 0C:EF:AF:CA:14:82
athrs26_reg_init_lan
eth1 up
Press any key to stop autoboot, Autobooting in : 0
Booting image at: 0x9F020000
   Image name:   OpenWrt r43423
   Image type:   MIPS Linux Kernel Image (lzma compressed)
   Data size:    1107428 Bytes = 1.1 MB
   Load address: 0x80060000
   Entry point:  0x80060000
Uncompressing kernel image... OK!
Starting kernel...

[ 0.000000] Linux version 3.14.18 (openwrt@ioes.cn) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r43423) ) #4 Sat Nov 29 09:50:23 PHT 2014
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[ 0.000000] SoC: Atheros AR9330 rev 1
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x03ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x03ffffff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: board=OOLITE-BOX1 console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 61076K/65536K available (2379K kernel code, 119K rwdata, 500K rodata, 256K init, 187K bss, 4460K reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[ 0.000000] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[ 0.080000] pid_max: default: 32768 minimum: 301
[ 0.080000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.090000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.100000] NET: Registered protocol family 16
[ 0.100000] MIPS: machine is Oolite Box V1
[ 0.560000] bio: create slab <bio-0> at 0
[ 0.570000] Switched to clocksource MIPS
[ 0.570000] NET: Registered protocol family 2
[ 0.580000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.580000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.590000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.590000] TCP: reno registered
[ 0.600000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.600000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.610000] NET: Registered protocol family 1
[ 0.620000] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.640000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.650000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.660000] msgmni has been set to 119
[ 0.660000] io scheduler noop registered
[ 0.660000] io scheduler deadline registered (default)
[ 0.670000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.680000] ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a AR933X UART
[ 0.680000] console [ttyATH0] enabled
[ 0.680000] console [ttyATH0] enabled
[ 0.690000] bootconsole [early0] disabled
[ 0.690000] bootconsole [early0] disabled
[ 0.700000] m25p80 spi0.0: found w25q128, expected m25p80
[ 0.710000] m25p80 spi0.0: w25q128 (16384 Kbytes)
[ 0.710000] 5 tp-link partitions found on MTD device spi0.0
[ 0.720000] Creating 5 MTD partitions on "spi0.0":
[ 0.720000] 0x000000000000-0x000000020000 : "u-boot"
[ 0.730000] 0x000000020000-0x00000012e7e4 : "kernel"
[ 0.730000] mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[ 0.750000] 0x00000012e7e4-0x000000ff0000 : "rootfs"
[ 0.750000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[ 0.770000] mtd: device 2 (rootfs) set to be root filesystem
[ 0.770000] 1 squashfs-split partitions found on MTD device rootfs
[ 0.780000] 0x000000380000-0x000000ff0000 : "rootfs_data"
[ 0.790000] 0x000000ff0000-0x000001000000 : "art"
[ 0.790000] 0x000000020000-0x000000ff0000 : "firmware"
[ 0.810000] libphy: ag71xx_mdio: probed
[ 1.370000] ag71xx-mdio.1: Found an AR7240/AR9330 built-in switch
[ 2.400000] eth0: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[ 3.030000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY]
[ 3.030000] eth1: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[ 3.040000] TCP: cubic registered
[ 3.040000] NET: Registered protocol family 17
[ 3.050000] 8021q: 802.1Q VLAN Support v1.8
[ 3.060000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[ 3.070000] Freeing unused kernel memory: 256K (80350000 - 80390000)
procd: Console is alive
procd: - watchdog -
[ 5.730000] usbcore: registered new interface driver usbfs
[ 5.730000] usbcore: registered new interface driver hub
[ 5.740000] usbcore: registered new device driver usb
[ 5.750000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 5.750000] ehci-platform: EHCI generic platform driver
[ 5.760000] ehci-platform ehci-platform: EHCI Host Controller
[ 5.760000] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[ 5.770000] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[ 5.800000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[ 5.800000] hub 1-0:1.0: USB hub found
[ 5.800000] hub 1-0:1.0: 1 port detected
procd: - preinit -
md5sum: can't open '/lib/firmware/ath10k/QCA988X/hw2.0/firmware-3.bin': No such file or directory
[ 7.960000] random: mktemp urandom read with 63 bits of entropy available
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
jffs2 is ready
jffs2 is ready
[ 11.330000] jffs2: notice: (302) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (1 unchecked, 0 orphan) and 16 of xref (0 dead, 2 orphan) found.
switching to overlay
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
[ 14.820000] NET: Registered protocol family 10
[ 14.830000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 14.890000] u32 classifier
[ 14.890000] input device check on
[ 14.890000] Actions configured
[ 14.920000] Mirror/redirect action on
[ 14.950000] nf_conntrack version 0.5.0 (958 buckets, 3832 max)
[ 14.970000] Loading modules backported from Linux version master-2014-11-04-0-gf3660a2
[ 14.980000] Backport generated by backports.git backports-20141023-2-g4ff890b
[ 15.000000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 15.190000] xt_time: kernel timezone is -0000
[ 15.250000] cfg80211: Calling CRDA to update world regulatory domain
[ 15.250000] cfg80211: World regulatory domain updated:
[ 15.260000] cfg80211: DFS Master region: unset
[ 15.260000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 15.270000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.280000] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.290000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.290000] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.300000] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (0 s)
[ 15.310000] cfg80211: (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[ 15.320000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.330000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[ 15.430000] PPP generic driver version 2.4.2
[ 15.440000] NET: Registered protocol family 24
[ 15.570000] cfg80211: Calling CRDA for country: US
[ 15.590000] cfg80211: Regulatory domain changed to country: US
[ 15.590000] cfg80211: DFS Master region: FCC
[ 15.590000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 15.600000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[ 15.610000] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 1700 mBm), (N/A)
[ 15.620000] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2300 mBm), (0 s)
[ 15.630000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[ 15.640000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[ 15.650000] ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2
[ 23.610000] random: nonblocking pool is initialized
[ 26.720000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 26.720000] device eth0 entered promiscuous mode
[ 26.740000] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[ 26.800000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 26.820000] IPv6: ADDRCONF(NETDEV_UP): br-wifi: link is not ready
[ 29.140000] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 29.160000] device wlan0 entered promiscuous mode
[ 29.200000] br-wifi: port 1(wlan0) entered forwarding state
[ 29.200000] br-wifi: port 1(wlan0) entered forwarding state
[ 29.210000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 29.230000] IPv6: ADDRCONF(NETDEV_CHANGE): br-wifi: link becomes ready
[ 29.240000] eth1: link up (100Mbps/Full duplex)
[ 29.240000] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[ 31.200000] br-wifi: port 1(wlan0) entered forwarding state
procd: - init complete -

The main point of interest there is the fact that the kernel was built in China. In other words, it is doubtful whether Anonabox has been building their own OpenWrt from scratch.

Output of ‘dmesg’

[ 0.000000] Linux version 3.14.18 (openwrt@ioes.cn) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r43423) ) #4 Sat Nov 29 09:50:23 PHT 2014
[ 0.000000] MyLoader: sysp=8198bab2, boardp=99edd07b, parts=3b02dafb
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[ 0.000000] SoC: Atheros AR9330 rev 1
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x03ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x03ffffff]
[ 0.000000] On node 0 totalpages: 16384
[ 0.000000] free_area_init_node: node 0, pgdat 80338420, node_mem_map 81000000
[ 0.000000] Normal zone: 128 pages used for memmap
[ 0.000000] Normal zone: 0 pages reserved
[ 0.000000] Normal zone: 16384 pages, LIFO batch:3
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[ 0.000000] pcpu-alloc: [0] 0
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: board=OOLITE-BOX1 console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 61076K/65536K available (2379K kernel code, 119K rwdata, 500K rodata, 256K init, 187K bss, 4460K reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[ 0.000000] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[ 0.080000] pid_max: default: 32768 minimum: 301
[ 0.080000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.090000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.100000] NET: Registered protocol family 16
[ 0.100000] MIPS: machine is Oolite Box V1
[ 0.560000] bio: create slab <bio-0> at 0
[ 0.570000] Switched to clocksource MIPS
[ 0.570000] NET: Registered protocol family 2
[ 0.580000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.580000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.590000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.590000] TCP: reno registered
[ 0.600000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.600000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.610000] NET: Registered protocol family 1
[ 0.610000] PCI: CLS 0 bytes, default 32
[ 0.620000] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.640000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.650000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.660000] msgmni has been set to 119
[ 0.660000] io scheduler noop registered
[ 0.660000] io scheduler deadline registered (default)
[ 0.670000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.680000] ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a AR933X UART
[ 0.680000] console [ttyATH0] enabled
[ 0.690000] bootconsole [early0] disabled
[ 0.700000] m25p80 spi0.0: found w25q128, expected m25p80
[ 0.710000] m25p80 spi0.0: w25q128 (16384 Kbytes)
[ 0.710000] 5 tp-link partitions found on MTD device spi0.0
[ 0.720000] Creating 5 MTD partitions on "spi0.0":
[ 0.720000] 0x000000000000-0x000000020000 : "u-boot"
[ 0.730000] 0x000000020000-0x00000012e7e4 : "kernel"
[ 0.730000] mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[ 0.750000] 0x00000012e7e4-0x000000ff0000 : "rootfs"
[ 0.750000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[ 0.770000] mtd: device 2 (rootfs) set to be root filesystem
[ 0.770000] 1 squashfs-split partitions found on MTD device rootfs
[ 0.780000] 0x000000380000-0x000000ff0000 : "rootfs_data"
[ 0.790000] 0x000000ff0000-0x000001000000 : "art"
[ 0.790000] 0x000000020000-0x000000ff0000 : "firmware"
[ 0.810000] libphy: ag71xx_mdio: probed
[ 1.370000] ag71xx-mdio.1: Found an AR7240/AR9330 built-in switch
[ 2.400000] eth0: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[ 3.030000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY]
[ 3.030000] eth1: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[ 3.040000] TCP: cubic registered
[ 3.040000] NET: Registered protocol family 17
[ 3.050000] 8021q: 802.1Q VLAN Support v1.8
[ 3.060000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[ 3.070000] Freeing unused kernel memory: 256K (80350000 - 80390000)
[ 5.730000] usbcore: registered new interface driver usbfs
[ 5.730000] usbcore: registered new interface driver hub
[ 5.740000] usbcore: registered new device driver usb
[ 5.750000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 5.750000] ehci-platform: EHCI generic platform driver
[ 5.760000] ehci-platform ehci-platform: EHCI Host Controller
[ 5.760000] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[ 5.770000] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[ 5.800000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[ 5.800000] hub 1-0:1.0: USB hub found
[ 5.800000] hub 1-0:1.0: 1 port detected
[ 7.960000] random: mktemp urandom read with 65 bits of entropy available
[ 11.330000] jffs2: notice: (302) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (1 unchecked, 0 orphan) and 16 of xref (0 dead, 2 orphan) found.
[ 14.570000] NET: Registered protocol family 10
[ 14.800000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 14.840000] u32 classifier
[ 14.840000] input device check on
[ 14.850000] Actions configured
[ 14.860000] Mirror/redirect action on
[ 14.880000] nf_conntrack version 0.5.0 (958 buckets, 3832 max)
[ 14.890000] Loading modules backported from Linux version master-2014-11-04-0-gf3660a2
[ 14.900000] Backport generated by backports.git backports-20141023-2-g4ff890b
[ 14.930000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 15.120000] xt_time: kernel timezone is -0000
[ 15.160000] cfg80211: Calling CRDA to update world regulatory domain
[ 15.170000] cfg80211: World regulatory domain updated:
[ 15.170000] cfg80211: DFS Master region: unset
[ 15.170000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 15.180000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.190000] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.200000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.210000] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.210000] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (0 s)
[ 15.220000] cfg80211: (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[ 15.230000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 15.240000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[ 15.340000] PPP generic driver version 2.4.2
[ 15.360000] NET: Registered protocol family 24
[ 15.440000] ath: EEPROM regdomain: 0x0
[ 15.440000] ath: EEPROM indicates default country code should be used
[ 15.440000] ath: doing EEPROM country->regdmn map search
[ 15.440000] ath: country maps to regdmn code: 0x3a
[ 15.440000] ath: Country alpha2 being used: US
[ 15.440000] ath: Regpair used: 0x3a
[ 15.450000] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 15.470000] cfg80211: Calling CRDA for country: US
[ 15.480000] cfg80211: Regulatory domain changed to country: US
[ 15.480000] cfg80211: DFS Master region: FCC
[ 15.480000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 15.490000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[ 15.500000] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 1700 mBm), (N/A)
[ 15.510000] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2300 mBm), (0 s)
[ 15.520000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[ 15.530000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[ 15.540000] ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2
[ 22.800000] random: nonblocking pool is initialized
[ 26.700000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 26.700000] device eth0 entered
promiscuous mode [ 26.720000] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready [ 26.780000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready [ 26.790000] IPv6: ADDRCONF(NETDEV_UP): br-wifi: link is not ready [ 29.390000] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready [ 29.430000] device wlan0 entered promiscuous mode [ 29.450000] br-wifi: port 1(wlan0) entered forwarding state [ 29.450000] br-wifi: port 1(wlan0) entered forwarding state [ 29.460000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready [ 29.500000] IPv6: ADDRCONF(NETDEV_CHANGE): br-wifi: link becomes ready [ 31.450000] br-wifi: port 1(wlan0) entered forwarding state [ 62.430000] eth1: link up (100Mbps/Full duplex) [ 62.430000] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready

Output of ‘ps w’

root@anonabox:~# ps w
  PID USER       VSZ STAT COMMAND
    1 root      1396 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    5 root         0 SW<  [kworker/0:0H]
    6 root         0 SW   [kworker/u2:0]
    7 root         0 SW<  [khelper]
    8 root         0 SW   [kworker/u2:1]
   59 root         0 SW<  [writeback]
   62 root         0 SW<  [bioset]
   64 root         0 SW<  [kblockd]
   90 root         0 SW   [kworker/0:1]
   97 root         0 SW   [kswapd0]
  144 root         0 SW   [fsnotify_mark]
  160 root         0 SW   [spi0]
  241 root         0 SW<  [deferwq]
  252 root         0 SW   [khubd]
  303 root         0 SWN  [jffs2_gcd_mtd3]
  358 root       888 S    /sbin/ubusd
  359 root      1372 S    /bin/ash --login
  521 root         0 SW<  [ipv6_addrconf]
  625 root         0 SW<  [cfg80211]
  726 root      1040 S    /sbin/logd -S 16
  760 root      1548 S    /sbin/netifd
  784 root      1160 S    /usr/sbin/odhcpd
  833 root      1152 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 0 -K 300
 1218 root      1584 S    /usr/sbin/hostapd -P /var/run/wifi-phy0.pid -B /var/run/hostapd-phy0.conf
 1264 tor      18652 S    /usr/sbin/tor --PidFile /var/run/tor.pid
 1276 root      1520 S    /usr/sbin/uhttpd -f -h /www -r anonabox -x /cgi-bin -u /ubus -t 60 -T 30 -k 20 -A 1 -n 3 -N 100 -R -p 0.0
 1404 nobody     928 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k
 1550 root      1364 S    /usr/sbin/ntpd -n -S /usr/sbin/ntpd-hotplug -p 0.openwrt.pool.ntp.org -p 1.openwrt.pool.ntp.org -p 2.open
 1599 root         0 SW   [kworker/0:0]
 1604 root      1360 R    ps w

The ‘-p 0’ parameter to dropbear is curious. As far as I know, dropbear can’t bind to tcp port 0, and “normally” port 0 means pick a random available port. If they intend to stop the use of ssh, why not simply remove the package or disable it?

Content of /etc/config/dhcp

root@anonabox:/etc/config# cat dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'wifi'

Content of /etc/config/dropbear

root@anonabox:/etc/config# cat dropbear

config dropbear
	option PasswordAuth 'on'
	option Port '0'

There is that port 0 again. Odd.

Content of /etc/config/firewall

root@anonabox:/etc/config# cat firewall

config defaults
	option syn_flood '1'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

That is pretty much OpenWrt default.

Content of /etc/config/luci

root@anonabox:/etc/config# cat luci

config core 'main'
	option lang 'auto'
	option mediaurlbase '/luci-static/openwrt.org'
	option resourcebase '/luci-static/resources'

config extern 'flash_keep'
	option uci '/etc/config/'
	option dropbear '/etc/dropbear/'
	option openvpn '/etc/openvpn/'
	option passwd '/etc/passwd'
	option opkg '/etc/opkg.conf'
	option firewall '/etc/firewall.user'
	option uploads '/lib/uci/upload/'

config internal 'languages'

config internal 'sauth'
	option sessionpath '/tmp/luci-sessions'
	option sessiontime '3600'

config internal 'ccache'
	option enable '1'

config internal 'themes'
	option Bootstrap '/luci-static/bootstrap'

Content of /etc/config/network

root@anonabox:/etc/config# cat network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd5:429b:7cf6::/48'

config interface 'lan'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '126.16.1.1'
	option _orig_ifname 'eth0 wlan0'
	option _orig_bridge 'true'
	option ifname 'eth0'
	option delegate '0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option delegate '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 4'

config interface 'onions'
	option proto 'static'
	option ifname 'onions'
	option ipaddr '10.192.0.1'
	option netmask '255.192.0.0'
	option delegate '0'

config interface 'wifi'
	option proto 'static'
	option ipaddr '126.16.2.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option _orig_ifname 'wifi'
	option _orig_bridge 'true'
	option ifname 'wifi'
	option delegate '0'

The choice of IP addresses is deeply weird. I think it might be some misguided attempt at security through obscurity, but well – since there’s a DHCP server running that happily hands out IP addresses to anybody within WiFi range it is not as if it is a big secret.
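The check a reviewer would run on the network file above is whether the LAN and WiFi subnets sit inside RFC 1918 private space at all (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); a LAN numbered from public space shadows those public addresses for every client behind the box. The following is an added example, not code from the Anonabox firmware or from the original post. The function names and the sample config text are mine; the sample reuses the four addresses from the listing above.

```shell
#!/bin/sh
# Added example, not code from the Anonabox firmware or the original post.
# Classifies the IPv4 addresses an OpenWrt /etc/config/network file assigns
# as loopback, RFC 1918 private, or public (anything else). POSIX sh only,
# so it also runs under the busybox ash found on the device.

ip_scope() {
    # $1 = dotted-quad IPv4 address; prints loopback | private | public
    # (prints "invalid" and returns 1 when the argument is not four octets)
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    if [ $# -ne 4 ]; then
        echo invalid
        return 1
    fi
    case "$1" in
        127) echo loopback ;;
        10)  echo private ;;                                  # 10.0.0.0/8
        172) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then      # 172.16.0.0/12
                 echo private
             else
                 echo public
             fi ;;
        192) if [ "$2" -eq 168 ]; then                        # 192.168.0.0/16
                 echo private
             else
                 echo public
             fi ;;
        *)   echo public ;;
    esac
}

uci_ipaddr_scopes() {
    # Reads a UCI network config on stdin and prints "ADDRESS SCOPE" for
    # every "option ipaddr" line, whether or not the value is quoted.
    sed -n "s/^[[:space:]]*option[[:space:]]*ipaddr[[:space:]]*'\{0,1\}\([0-9.]*\).*/\1/p" |
    while read -r _addr; do
        echo "$_addr $(ip_scope "$_addr")"
    done
}

# Constructed sample in the shape of the network file above (same addresses);
# not the device's file itself.
SAMPLE_NETWORK="config interface 'loopback'
	option ipaddr '127.0.0.1'

config interface 'lan'
	option ipaddr '126.16.1.1'

config interface 'onions'
	option ipaddr '10.192.0.1'

config interface 'wifi'
	option ipaddr '126.16.2.1'
"

scopes_for_sample() {
    printf '%s' "$SAMPLE_NETWORK" | uci_ipaddr_scopes
}

# Usage: sh ipscope.sh --demo   (or: uci_ipaddr_scopes < /etc/config/network)
if [ "${1:-}" = "--demo" ]; then
    scopes_for_sample
fi
```

On the sample this prints `127.0.0.1 loopback`, `126.16.1.1 public`, `10.192.0.1 private`, `126.16.2.1 public`: only the Tor `onions` mapping range is private space, while both client-facing subnets are not.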

Content of /etc/config/qos

root@anonabox:/etc/config# cat qos
# QoS configuration for OpenWrt

# INTERFACES:
config interface wan
	option classgroup "Default"
	option enabled 0
	option upload 128
	option download 1024

# RULES:
config classify
	option target "Priority"
	option ports "22,53"
	option comment "ssh, dns"
config classify
	option target "Normal"
	option proto "tcp"
	option ports "20,21,25,80,110,443,993,995"
	option comment "ftp, smtp, http(s), imap"
config classify
	option target "Express"
	option ports "5190"
	option comment "AOL, iChat, ICQ"
config default
	option target "Express"
	option proto "udp"
	option pktsize "-500"
config reclassify
	option target "Priority"
	option proto "icmp"
config default
	option target "Bulk"
	option portrange "1024-65535"

# Don't change the stuff below unless you
# really know what it means :)

config classgroup "Default"
	option classes "Priority Express Normal Bulk"
	option default "Normal"

config class "Priority"
	option packetsize 400
	option avgrate 10
	option priority 20
config class "Priority_down"
	option packetsize 1000
	option avgrate 10

config class "Express"
	option packetsize 1000
	option avgrate 50
	option priority 10

config class "Normal"
	option packetsize 1500
	option packetdelay 100
	option avgrate 10
	option priority 5
config class "Normal_down"
	option avgrate 20

config class "Bulk"
	option avgrate 1
	option packetdelay 200

I don’t think this is used at all.

Content of /etc/config/system

root@anonabox:/etc/config# cat system

config system
	option hostname 'anonabox'
	option timezone 'UTC'

config timeserver 'ntp'
	list server '0.openwrt.pool.ntp.org'
	list server '1.openwrt.pool.ntp.org'
	list server '2.openwrt.pool.ntp.org'
	list server '3.openwrt.pool.ntp.org'
	option enabled '1'
	option enable_server '0'

config led
	option default '0'
	option name '1'
	option trigger 'netdev'
	option mode 'tx rx'
	option sysfs 'oolitebox:green:system'
	option dev 'br-wifi'

Content of /etc/config/ucitrack

root@anonabox:/etc/config# cat ucitrack

config network
	option init network
	list affects dhcp
	list affects radvd

config wireless
	list affects network

config firewall
	option init firewall
	list affects luci-splash
	list affects qos
	list affects miniupnpd

config olsr
	option init olsrd

config dhcp
	option init dnsmasq
	list affects odhcpd

config odhcpd
	option init odhcpd

config dropbear
	option init dropbear

config httpd
	option init httpd

config fstab
	option init fstab

config qos
	option init qos

config system
	option init led
	list affects luci_statistics

config luci_splash
	option init luci_splash

config upnpd
	option init miniupnpd

config ntpclient
	option init ntpclient

config samba
	option init samba

config tinyproxy
	option init tinyproxy

config 6relayd
	option init 6relayd

Content of /etc/config/uhttpd

root@anonabox:/etc/config# cat uhttpd

config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'

config cert 'px5g'
	option days '730'
	option bits '1024'
	option country 'DE'
	option state 'Berlin'
	option location 'Berlin'
	option commonname 'OpenWrt'

How nice of them to bind to IPv6. That is actually not OpenWrt default if I remember correctly.

Content of /etc/config/wireless

root@anonabox:/etc/config# cat wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '7'
	option hwmode '11g'
	option path 'platform/ar933x_wmac'
	option noscan '1'
	option disabled '0'
	option htmode 'HT20'
	option txpower '30'
	option country 'US'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option encryption 'none'
	option network 'wifi'
	option ssid 'anbx1424833770'

Oh dear. This is really where it gets ugly. Open WiFi – no encryption – no password – random ssid apparently – syntax error in the UCI configuration file.

Output of “uci show”

root@anonabox:/etc/config# uci show
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded=1
dhcp.@dnsmasq[0].boguspriv=1
dhcp.@dnsmasq[0].filterwin2k=0
dhcp.@dnsmasq[0].localise_queries=1
dhcp.@dnsmasq[0].rebind_protection=1
dhcp.@dnsmasq[0].rebind_localhost=1
dhcp.@dnsmasq[0].local=/lan/
dhcp.@dnsmasq[0].domain=lan
dhcp.@dnsmasq[0].expandhosts=1
dhcp.@dnsmasq[0].nonegcache=0
dhcp.@dnsmasq[0].authoritative=1
dhcp.@dnsmasq[0].readethers=1
dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
dhcp.lan=dhcp
dhcp.lan.interface=lan
dhcp.lan.start=100
dhcp.lan.limit=150
dhcp.lan.leasetime=12h
dhcp.wan=dhcp
dhcp.wan.interface=wan
dhcp.wan.ignore=1
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp=0
dhcp.odhcpd.leasefile=/tmp/hosts/odhcpd
dhcp.odhcpd.leasetrigger=/usr/sbin/odhcpd-update
dhcp.@dhcp[0]=dhcp
dhcp.@dhcp[0].start=100
dhcp.@dhcp[0].leasetime=12h
dhcp.@dhcp[0].limit=150
dhcp.@dhcp[0].interface=wifi
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].Port=0
dropbear~.@dropbear[0]=dropbear
dropbear~.@dropbear[0].PasswordAuth=on
dropbear~.@dropbear[0].Port=22
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=REJECT
firewall.@defaults[0].input=ACCEPT
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].forward=ACCEPT
firewall.@zone[0].network=lan
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].input=REJECT
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].forward=REJECT
firewall.@zone[1].masq=1
firewall.@zone[1].mtu_fix=1
firewall.@zone[1].network=wan wan6
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src=lan
firewall.@forwarding[0].dest=wan
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-DHCP-Renew
firewall.@rule[0].src=wan
firewall.@rule[0].proto=udp
firewall.@rule[0].dest_port=68
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[1]=rule
firewall.@rule[1].name=Allow-Ping
firewall.@rule[1].src=wan
firewall.@rule[1].proto=icmp
firewall.@rule[1].icmp_type=echo-request
firewall.@rule[1].family=ipv4
firewall.@rule[1].target=ACCEPT
firewall.@rule[2]=rule
firewall.@rule[2].name=Allow-DHCPv6
firewall.@rule[2].src=wan
firewall.@rule[2].proto=udp
firewall.@rule[2].src_ip=fe80::/10
firewall.@rule[2].src_port=547
firewall.@rule[2].dest_ip=fe80::/10
firewall.@rule[2].dest_port=546
firewall.@rule[2].family=ipv6
firewall.@rule[2].target=ACCEPT
firewall.@rule[3]=rule
firewall.@rule[3].name=Allow-ICMPv6-Input
firewall.@rule[3].src=wan
firewall.@rule[3].proto=icmp
firewall.@rule[3].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type router-solicitation neighbour-solicitation router-advertisement neighbour-advertisement
firewall.@rule[3].limit=1000/sec
firewall.@rule[3].family=ipv6
firewall.@rule[3].target=ACCEPT
firewall.@rule[4]=rule
firewall.@rule[4].name=Allow-ICMPv6-Forward
firewall.@rule[4].src=wan
firewall.@rule[4].dest=*
firewall.@rule[4].proto=icmp
firewall.@rule[4].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type
firewall.@rule[4].limit=1000/sec
firewall.@rule[4].family=ipv6
firewall.@rule[4].target=ACCEPT
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
luci.main=core
luci.main.lang=auto
luci.main.mediaurlbase=/luci-static/openwrt.org
luci.main.resourcebase=/luci-static/resources
luci.flash_keep=extern
luci.flash_keep.uci=/etc/config/
luci.flash_keep.dropbear=/etc/dropbear/
luci.flash_keep.openvpn=/etc/openvpn/
luci.flash_keep.passwd=/etc/passwd
luci.flash_keep.opkg=/etc/opkg.conf
luci.flash_keep.firewall=/etc/firewall.user
luci.flash_keep.uploads=/lib/uci/upload/
luci.languages=internal
luci.sauth=internal
luci.sauth.sessionpath=/tmp/luci-sessions
luci.sauth.sessiontime=3600
luci.ccache=internal
luci.ccache.enable=1
luci.themes=internal
luci.themes.Bootstrap=/luci-static/bootstrap
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.globals=globals
network.globals.ula_prefix=fdd5:429b:7cf6::/48
network.lan=interface
network.lan.force_link=1
network.lan.type=bridge
network.lan.proto=static
network.lan.netmask=255.255.255.0
network.lan.ip6assign=60
network.lan.ipaddr=126.16.1.1
network.lan._orig_ifname=eth0 wlan0
network.lan._orig_bridge=true
network.lan.ifname=eth0
network.lan.delegate=0
network.wan=interface
network.wan.ifname=eth1
network.wan.proto=dhcp
network.wan.delegate=0
network.@switch[0]=switch
network.@switch[0].name=switch0
network.@switch[0].reset=1
network.@switch[0].enable_vlan=1
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device=switch0
network.@switch_vlan[0].vlan=1
network.@switch_vlan[0].ports=0 1 2 3 4
network.onions=interface
network.onions.proto=static
network.onions.ifname=onions
network.onions.ipaddr=10.192.0.1
network.onions.netmask=255.192.0.0
network.onions.delegate=0
network.wifi=interface
network.wifi.proto=static
network.wifi.ipaddr=126.16.2.1
network.wifi.netmask=255.255.255.0
network.wifi.type=bridge
network.wifi._orig_ifname=wifi
network.wifi._orig_bridge=true
network.wifi.ifname=wifi
network.wifi.delegate=0
qos.wan=interface
qos.wan.classgroup=Default
qos.wan.enabled=0
qos.wan.upload=128
qos.wan.download=1024
qos.@classify[0]=classify
qos.@classify[0].target=Priority
qos.@classify[0].ports=22,53
qos.@classify[0].comment=ssh, dns
qos.@classify[1]=classify
qos.@classify[1].target=Normal
qos.@classify[1].proto=tcp
qos.@classify[1].ports=20,21,25,80,110,443,993,995
qos.@classify[1].comment=ftp, smtp, http(s), imap
qos.@classify[2]=classify
qos.@classify[2].target=Express
qos.@classify[2].ports=5190
qos.@classify[2].comment=AOL, iChat, ICQ
qos.@default[0]=default
qos.@default[0].target=Express
qos.@default[0].proto=udp
qos.@default[0].pktsize=-500
qos.@reclassify[0]=reclassify
qos.@reclassify[0].target=Priority
qos.@reclassify[0].proto=icmp
qos.@default[1]=default
qos.@default[1].target=Bulk
qos.@default[1].portrange=1024-65535
qos.Default=classgroup
qos.Default.classes=Priority Express Normal Bulk
qos.Default.default=Normal
qos.Priority=class
qos.Priority.packetsize=400
qos.Priority.avgrate=10
qos.Priority.priority=20
qos.Priority_down=class
qos.Priority_down.packetsize=1000
qos.Priority_down.avgrate=10
qos.Express=class
qos.Express.packetsize=1000
qos.Express.avgrate=50
qos.Express.priority=10
qos.Normal=class
qos.Normal.packetsize=1500
qos.Normal.packetdelay=100
qos.Normal.avgrate=10
qos.Normal.priority=5
qos.Normal_down=class
qos.Normal_down.avgrate=20
qos.Bulk=class
qos.Bulk.avgrate=1
qos.Bulk.packetdelay=200

Notice the “wireless” section is not included, probably because of the syntax error mentioned earlier.
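A quick way to catch the kind of problem noted above, both the syntax error in the wireless file and its absence from `uci show`, is to lint a UCI file before anything rewrites it. The following is an added example, not code from the Anonabox firmware, from OpenWrt or from the original post. It knows only the line shapes uci accepts and flags anything else; the function names and both sample configs are mine, and the "broken" sample is constructed to show the two most common failure shapes (an unbalanced quote and a bare value line), not copied from the device.

```shell
#!/bin/sh
# Added example, not code from the Anonabox firmware, OpenWrt or the original
# post. A minimal syntax check for a UCI config file, in POSIX sh so it also
# runs on the device's busybox ash. It accepts the line shapes uci itself
# understands (package, config, option, list, comments, blank lines) and
# prints every other line with its line number. It does not implement uci's
# full quoting rules; it is meant to catch the stray or half-quoted line
# that makes "uci show" skip a whole file.

_uci_kv_ok() {
    # $1 = an "option NAME VALUE" / "list NAME VALUE" line (whitespace
    # already normalised). Requires a name and a value, and balanced single
    # quotes: uci cannot continue a quoted value onto the next line.
    _quotes=$(printf '%s' "$1" | tr -cd "'" | wc -c | tr -d ' ')
    [ $((_quotes % 2)) -eq 0 ] || return 1
    [ "$(printf '%s\n' "$1" | awk '{ print NF }')" -ge 3 ]
}

uci_lint() {
    # $1 = path of the file to check. Prints "LINE: text" for each bad line;
    # returns 0 when the file is clean, 1 when at least one bad line exists.
    _bad=0
    _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        # drop leading whitespace and squeeze the rest to single spaces
        _t=$(printf '%s' "$_line" | sed 's/^[[:space:]]*//; s/[[:space:]][[:space:]]*/ /g')
        case "$_t" in
            ''|'#'*) ;;                          # blank line or comment
            'package '*|'config '*) ;;           # package / section header
            'option '*|'list '*)
                _uci_kv_ok "$_t" || { printf '%s: %s\n' "$_n" "$_line"; _bad=1; } ;;
            *)  printf '%s: %s\n' "$_n" "$_line"; _bad=1 ;;
        esac
    done < "$1"
    return $_bad
}

# Constructed samples, not the device's files. The second one carries a
# half-quoted option and a bare value line, two shapes uci rejects.
SAMPLE_CLEAN="config wifi-device 'radio0'
	option type 'mac80211'
	option channel '7'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option encryption 'none'
	option network 'wifi'
	option ssid 'anbx1424833770'
"

SAMPLE_BROKEN="config wifi-iface
	option device 'radio0'
	option ssid '
anbx1424833770
	option encryption none
"

lint_text() {
    # helper: lint the config text in $1 through a temporary file
    _tmp=$(mktemp) || return 2
    printf '%s' "$1" > "$_tmp"
    uci_lint "$_tmp"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Usage: sh uci_lint.sh /etc/config/wireless
if [ $# -gt 0 ]; then
    uci_lint "$1"
fi
```

Run against the broken sample it reports lines 3 and 4 and exits non-zero; the clean sample produces no output. Running it from a script before `uci commit` (or, as here, before anything appends to a config file by hand) turns a silently ignored file into a visible failure.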

Content of /etc/rc.d/S49ssid

root@anonabox:/overlay/etc/rc.d# cat S49ssid
#!/bin/sh
#echo "date;"
#/bin/date
#echo "date"
rm -rf /tmp/hash.txt
rm -rf /tmp/hash0.txt
rm -rf /tmp/hash1.txt
rm -rf /tmp/hash2.txt
rm -rf /tmp/wifitmp.txt
echo "anbx" >> /tmp/hash.txt
/bin/date +"%s" >> /tmp/hash.txt
echo "option ssid '" >> /tmp/hash0.txt
/bin/sed -n -e ":a" -e "$ s/\n/,/gp;N;b a" /tmp/hash.txt >> /tmp/hash0.txt
echo "'" >> /tmp/hash0.txt
/bin/sed -n -e ":a" -e "$ s/\n/,/gp;N;b a" /tmp/hash0.txt >> /tmp/hash1.txt
/bin/sed -e 's/,//g' /tmp/hash1.txt >> /tmp/hash2.txt
echo "#" >> /tmp/wifitmp.txt
/bin/sed '/option_ssid/d' /etc/config/wireless >> /tmp/wifitmp.txt
#/bin/date +"$s" >> /tmp/hash!txt
rm -rf /etc/config/wireless
#echo "#" >> /etc/config/wireless
#cat /tmp/wifitmp.txt >> /etc/config/wireless
cp -rf /etc/config/scripts/wireless /etc/config/wireless
cat /tmp/hash2.txt >> /etc/config/wireless

I am not sure what to say about this one. It is – by far – one of the ugliest pieces of shell script I have ever seen – and I have seen a lot.

On their web site, Anonabox claim that they have developed 5,201,567 lines of code. In all seriousness, the above are the ONLY lines of code I found in Anonabox that actually appear to have been developed by them. The rest is standard OpenWrt. So excluding the comments:

root@anonabox:/# cat /etc/rc.d/S49ssid | grep -v "^#" | wc -l
20

In other words, Anonabox wrote 20 lines of code, not 5201567.

Apart from being almost unbelievably clumsy, this piece of shell script illustrates a fundamental lack of knowledge of the inner workings of OpenWrt, a fundamental lack of knowledge of UNIX and shell scripting (but some love affair with ‘sed’). An update such as this should be done through uci not by editing the config file directly!

And those 20 lines of code could have been handled elegantly like:

#!/bin/sh
uci set wireless.@wifi-iface[0].ssid=anon`/bin/date +"%s"` && uci commit

One line – ONE! And that wouldn’t result in a syntax error in the configuration file.

Also I really don’t get the point of it. Why force a new ssid on the – otherwise open – WiFi on each boot? How annoying would that be in daily use?

Content of /etc/passwd

root@anonabox:/overlay/etc/rc.d# cat /etc/passwd
root:x:0:0:root:/root:/bin/false
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
tor:x:52:52:/var/lib/tor:/var/run/tor:/bin/false

Content of /etc/shadow

root@anonabox:/overlay/etc/rc.d# cat /etc/shadow
root:$1$u3ww8XNt$VSQBuEJUw70rDy3jh0JeO0:16403:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
tor:x:0:0:99999:7:::

Oh dear – hard coded root password that is completely undocumented and under normal circumstances impossible for the end-user to change. And it is: “admin”. What on earth possessed them?

Output of ‘netstat -a’

root@anonabox:~# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:58990           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN
tcp        0      0 126.16.2.1:9040         0.0.0.0:*               LISTEN
tcp        0      0 anonabox.lan:9040       0.0.0.0:*               LISTEN
tcp        0      0 localhost:9040          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN
tcp        0      0 localhost:9050          0.0.0.0:*               LISTEN
tcp        0      0 :::www                  :::*                    LISTEN
tcp        0      0 :::domain               :::*                    LISTEN
tcp        0      0 :::58168                :::*                    LISTEN
udp        0      0 0.0.0.0:domain          0.0.0.0:*
udp        0      0 0.0.0.0:bootps          0.0.0.0:*
udp        0      0 126.16.2.1:9053         0.0.0.0:*
udp        0      0 anonabox.lan:9053       0.0.0.0:*
udp        0      0 localhost:9053          0.0.0.0:*
udp        0      0 0.0.0.0:5300            0.0.0.0:*
udp        0      0 :::domain               :::*
raw        0      0 :::58                   ::%4429580:*            58
raw        0      0 :::58                   ::%4429580:*            58
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  6      [ ]         DGRAM                      1037 /dev/log
unix  2      [ ]         DGRAM                      1991 /var/run/hostapd/wlan0
unix  2      [ ACC ]     STREAM     LISTENING        232 /var/run/ubus.sock
unix  2      [ ]         DGRAM                      1781
unix  3      [ ]         STREAM     CONNECTED       2134
unix  3      [ ]         STREAM     CONNECTED       1039
unix  2      [ ]         DGRAM                      1550
unix  3      [ ]         STREAM     CONNECTED       2133
unix  3      [ ]         STREAM     CONNECTED       2166
unix  3      [ ]         STREAM     CONNECTED       1137
unix  3      [ ]         STREAM     CONNECTED        235 /var/run/ubus.sock
unix  3      [ ]         STREAM     CONNECTED       1993
unix  3      [ ]         STREAM     CONNECTED       2167 /var/run/ubus.sock
unix  3      [ ]         STREAM     CONNECTED        234
unix  2      [ ]         DGRAM                      2375
unix  2      [ ]         DGRAM                      1330
unix  3      [ ]         STREAM     CONNECTED       1138 /var/run/ubus.sock
unix  3      [ ]         STREAM     CONNECTED       1095
unix  3      [ ]         STREAM     CONNECTED       1994 /var/run/ubus.sock
unix  2      [ ]         DGRAM                      1553
unix  3      [ ]         STREAM     CONNECTED       1096 /var/run/ubus.sock
unix  3      [ ]         STREAM     CONNECTED       1040 /var/run/ubus.sock

Notice – listening on port 80 for IPv4 + IPv6 and here is the killer – what is that thing listening on port 58168? That, my friends, is dropbear! In other words, it is possible to SSH to that port using root/admin to log in.
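The way to find a daemon that was started with `-p 0` is not to look for its configured port but to compare the listening sockets against the set of services the configs account for. The following is an added example, not code from the Anonabox firmware or the original post: it reads busybox `netstat -a` output in the format shown above and reports every bound socket whose port is not on an allow-list, tagging ports at or above 32768 (the lower bound of Linux's default `ip_local_port_range`) as ephemeral-range, which is exactly how an OS-chosen port stands out. The function names, the allow-list and the sample (a subset of the listing above) are mine.

```shell
#!/bin/sh
# Added example, not code from the Anonabox firmware or the original post.
# Reads busybox "netstat -a" output on stdin and prints every TCP LISTEN or
# bound UDP socket whose port is not on an allow-list of known services,
# tagging ports in Linux's default ephemeral range (32768 and up) so that a
# daemon started with "-p 0" stands out. POSIX sh and awk only.

audit_listeners() {
    # $1 = space-separated allow-list of port numbers or service names, as
    #      they appear in netstat's "Local Address" column (www, domain, 9040)
    # stdin = netstat -a output; stdout = "PROTO LOCAL-ADDRESS TAG" per finding
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # TCP rows carry a State column; only listening sockets matter here.
        # UDP rows have no State column, so every UDP row is a bound socket.
        ($1 == "tcp" && $NF == "LISTEN") || $1 == "udp" {
            port = $4
            sub(/.*:/, "", port)          # keep what follows the last colon
            if (port in ok) next
            tag = (port ~ /^[0-9]+$/ && port + 0 >= 32768) ? "ephemeral-range" : "unexpected"
            print $1, $4, tag
        }
    '
}

# Constructed sample in the format of the listing above (a subset of its
# rows); not a fresh capture from the device.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:58990           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN
tcp        0      0 126.16.2.1:9040         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN
tcp        0      0 localhost:9050          0.0.0.0:*               LISTEN
tcp        0      0 :::www                  :::*                    LISTEN
tcp        0      0 :::58168                :::*                    LISTEN
udp        0      0 0.0.0.0:domain          0.0.0.0:*
udp        0      0 0.0.0.0:bootps          0.0.0.0:*
udp        0      0 126.16.2.1:9053         0.0.0.0:*
udp        0      0 0.0.0.0:5300            0.0.0.0:*
'

# Services the configs above account for: uhttpd (www), dnsmasq (domain,
# bootps), Tor TransPort / SocksPort / DNSPort (9040, 9050, 9053, 5300).
EXPECTED_PORTS="www domain bootps 9040 9050 9053 5300"

audit_sample() {
    printf '%s' "$NETSTAT_SAMPLE" | audit_listeners "$EXPECTED_PORTS"
}

# Usage on the box itself: netstat -a | audit_listeners "$EXPECTED_PORTS"
if [ "${1:-}" = "--demo" ]; then
    audit_sample
fi
```

On the sample this leaves exactly two rows, `tcp 0.0.0.0:58990 ephemeral-range` and `tcp :::58168 ephemeral-range`: the two listeners that no configured service explains, both on OS-chosen ports. Pairing the output with `ps w` (as done above) then names the process.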

Content of /etc/firewall.user

root@anonabox:/etc/dropbear# cat /etc/firewall.user
# everything else LAN goes over tor
iptables -t nat -A PREROUTING -i br-lan -p tcp --syn -j REDIRECT --to-ports 9040
# udp traffic for LAN DNS (port 53) is sent to tor 9053
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-ports 9053
# everything else wifi goes over tor
iptables -t nat -A PREROUTING -i br-wifi -p tcp --syn -j REDIRECT --to-ports 9040
# udp traffic for wifi DNS (port 53) is sent to tor 9053
iptables -t nat -A PREROUTING -i br-wifi -p udp --dport 53 -j REDIRECT --to-ports 9053
# resolve the .onion hidden services
#iptables -A INPUT -p tcp --dport 9040 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp -d 192.168.8.0/10 -j REDIRECT --to-port 9040
#iptables -t nat -A OUTPUT -p tcp -d 192.168.8.0/10 -j REDIRECT --to-port 9040
# security rules from https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
#iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
#iptables -A OUTPUT -m state --state INVALID -j DROP
# security rules to prevent kernel leaks from link above
#iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
#iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP

Content of /etc/tor/torrc

root@anonabox:~# cat /etc/tor/torrc
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 127.0.0.1
TransListenAddress 126.16.1.1
TransListenAddress 126.16.2.1
DNSPort 9053
DNSListenAddress 127.0.0.1
DNSListenAddress 0.0.0.0:5300
DNSListenAddress 126.16.1.1
DNSListenAddress 126.16.2.1
## Configuration file for a typical Tor user
## Last updated 12 September 2012 for Tor 0.2.4.3-alpha.
## (may or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
## for more options you can use in this file.
##
## Tor will look for this file in various places based on your platform:
## https://www.torproject.org/docs/faq#torrc

## Tor opens a socks proxy on port 9050 by default -- even if you don't
## configure one below. Set "SocksPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.
#SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
#SocksPort 192.168.0.1:9100 # Bind to this address:port too.

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
#SocksPolicy accept 192.168.0.0/16
#SocksPolicy reject *

## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
#Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
#Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
#Log debug stderr

## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.
RunAsDaemon 1

## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
DataDirectory /var/lib/tor

## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
#CookieAuthentication 1

############### This section is just for location-hidden services ###

## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

#HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22

################ This section is just for relays #####################
#
## See https://www.torproject.org/docs/tor-doc-relay for details.

## Required: what port to advertise for incoming Tor connections.
#ORPort 9001
## If you want to listen on a port other than the one advertised in
## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
## follows. You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORPort 443 NoListen
#ORPort 127.0.0.1:9090 NoAdvertise

## The IP address or full DNS name for incoming connections to your
## relay. Leave commented out and Tor will guess.
#Address noname.example.com

## If you have multiple network interfaces, you can specify one for
## outgoing traffic to use.
# OutboundBindAddress 10.0.0.5

## A handle for your relay, so people don't have to refer to it by key.
#Nickname ididnteditheconfig

## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 20 KB.
## Note that units for these config options are bytes per second, not bits
## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
#RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps)
#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)

## Use these to restrict the maximum traffic per day, week, or month.
## Note that this threshold applies separately to sent and received bytes,
## not to their sum: setting "4 GB" may allow up to 8 GB total before
## hibernating.
##
## Set a maximum of 4 gigabytes each way per period.
#AccountingMax 4 GB
## Each period starts daily at midnight (AccountingMax is per day)
#AccountingStart day 00:00
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
## is per month)
#AccountingStart month 3 15:00

## Contact info to be published in the directory, so we can contact you
## if your relay is misconfigured or something else goes wrong. Google
## indexes this, so spammers might also collect it.
#ContactInfo Random Person <nobody AT example dot com>
## You might also include your PGP or GPG fingerprint if you have one:
#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>

## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised in
## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
## follows. below too. You'll need to do ipchains or other port
## forwarding yourself to make this work.
#DirPort 80 NoListen
#DirPort 127.0.0.1:9091 NoAdvertise
## Uncomment to return an arbitrary blob of html on your DirPort. Now you
## can explain what Tor is if anybody wonders why your IP address is
## contacting them. See contrib/tor-exit-notice.html in Tor's source
## distribution for a sample.
#DirPortFrontPage /etc/tor/tor-exit-notice.html

## Uncomment this if you run more than one Tor relay, and add the identity
## key fingerprint of each Tor relay you control, even if they're on
## different networks. You declare it here so Tor clients can avoid
## using more than one of your relays in a single circuit. See
## https://www.torproject.org/docs/faq#MultipleRelays
## However, you should never include a bridge's fingerprint here, as it would
## break its concealability and potentionally reveal its IP/TCP address.
#MyFamily $keyid,$keyid,...

## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins. If you want to _replace_
## the default exit policy, end this with either a reject *:* or an
## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
## default exit policy. Leave commented to just use the default, which is
## described in the man page or at
## https://www.torproject.org/documentation.html
##
## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
## ## For security, by default Tor rejects connections to private (local) ## networks, including to your public IP address. See the man page entry ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". ## #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more #ExitPolicy accept *:119 # accept nntp as well as default exit policy #ExitPolicy reject *:* # no exits allowed ## Bridge relays (or "bridges") are Tor relays that aren't listed in the ## main directory. Since there is no complete public list of them, even an ## ISP that filters connections to all the known Tor relays probably ## won't be able to block all the bridges. Also, websites won't treat you ## differently because they won't know you're running Tor. If you can ## be a real relay, please do; but if not, be a bridge! #BridgeRelay 1 ## By default, Tor will advertise your bridge to users through various ## mechanisms like https://bridges.torproject.org/. If you want to run ## a private bridge, for example because you'll give out your bridge ## address manually to your friends, uncomment this line: #PublishServerDescriptor 0 User tor
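The interesting part of that file is the handful of uncommented lines at the top, which decide where the transparent-proxy and DNS listeners bind. As an added check that is not part of the original post and not code from the Anonabox firmware, the script below parses those listener directives and flags every listener bound to 0.0.0.0 or to an address outside loopback and private (RFC 1918 and similar) space. The sample text is constructed from the active listener lines of the dump above plus one disabled line; the directive list and the "exposed" rule are this example's own assumptions. Whether a flagged listener is actually reachable from a given interface depends on the box's firewall rules in /etc/config/, which are not shown here.

```python
import ipaddress

# Constructed sample: the active listener lines from the torrc dumped above,
# plus one commented-out line to show that disabled directives are ignored.
# This is not the full file.
SAMPLE_TORRC = """\
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 127.0.0.1
TransListenAddress 126.16.1.1
TransListenAddress 126.16.2.1
DNSPort 9053
DNSListenAddress 127.0.0.1
DNSListenAddress 0.0.0.0:5300
DNSListenAddress 126.16.1.1
DNSListenAddress 126.16.2.1
#SocksPort 192.168.0.1:9100 # Bind to this address:port too.
RunAsDaemon 1
User tor
"""

# Directives that open a listening socket (assumed list for this example).
# The *ListenAddress forms are the older spelling; the *Port forms may carry
# a bare port or addr:port.
LISTEN_DIRECTIVES = {
    "SocksPort", "SocksListenAddress",
    "TransPort", "TransListenAddress",
    "DNSPort", "DNSListenAddress",
    "ControlPort", "ControlListenAddress",
    "NATDPort", "NATDListenAddress",
}


def split_addr_port(value):
    """Split 'IP', 'IP:PORT' or 'PORT' (IPv4 only) into (ip_or_None, port_or_None)."""
    if value.isdigit():
        return None, int(value)
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def classify(ip_str):
    """Say what kind of interface a bind address exposes the listener on."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:          # 0.0.0.0: every interface, LAN and WAN alike
        return "all-interfaces"
    if ip.is_private:              # RFC 1918 and other non-routable space
        return "private"
    return "public"                # globally routable space used as a bind address


def audit_listeners(torrc_text):
    """Return one finding per active listener directive in a torrc."""
    findings = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments; disabled lines vanish
        if not line:
            continue
        parts = line.split()
        key = parts[0]
        if key not in LISTEN_DIRECTIVES or len(parts) < 2:
            continue
        ip, port = split_addr_port(parts[1])
        # A bare port binds loopback unless a matching *ListenAddress overrides it.
        verdict = "default-loopback" if ip is None else classify(ip)
        findings.append({"key": key, "addr": ip, "port": port, "verdict": verdict})
    return findings


def exposed(findings):
    """Keep only the listeners reachable from beyond the box's own loopback."""
    return [f for f in findings if f["verdict"] in ("all-interfaces", "public")]


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_TORRC):
        flag = "!" if f["verdict"] in ("all-interfaces", "public") else " "
        print(f"{flag} {f['key']:<20} {f['addr'] or '-':<12} {str(f['port'] or '-'):<6} {f['verdict']}")
```

Run against the dumped configuration it flags five listeners: the two 126.16.x.x addresses on both TransListenAddress and DNSListenAddress, which fall outside RFC 1918 space and so are treated as public by the address library, and the DNSListenAddress on 0.0.0.0:5300, which binds every interface. The loopback binds and the bare TransPort/DNSPort lines pass.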

Firmware Archive

If any readers feel inclined to dig deeper into this, I have made an archive of the files I pulled off the box over the serial console.

These files were dumped from an unmodified "virgin" Anonabox. As far as I know the only modified file is /root/.ssh/known_hosts, which was updated when I used ssh to copy the files out of the box.

The archive contains:

config/ – contents of /etc/config/

dmesg.txt – output from dmesg

etc.tar – tar archive of the entire /etc

mtdX.dat – raw dumps of the five flash partitions

overlay/ – contents of /overlay

syslog.txt – output of logread

tmp.tar – tar archive of /tmp

usr.tar – tar archive of /usr

That should do the trick. If anybody needs further information, I still have the box, so I can pull out more.

I also put the files on GitHub:

https://github.com/lbthomsen/anonabox

OpenWrt Configuration Backup

I also saved a backup of the original configuration: