Anonabox Review

Peter Smyth
Guide by Peter Smyth

Anonabox has had a very chequered past, and by far it isn’t the best VPN router on the market. However, it’s not intended to be.

Indeed, Anonabox was created with a single purpose. To create a portable Tor client to access the internet more securely. Being able to run a VPN service on it, is just a bonus. We recommend reading this full Anonabox review before you decide to purchase one, however, if you’re interested you can purchase it using the link below.

History of the Anonabox

Before we go on, we must state that the Anonabox has had much of a chequered past. It was originally launched on Kickstarter and raised over $500,000 within a week. Unfortunately, it was quickly discovered that its hardware and software are very similar to products you can already purchase online. This was then followed by the discovery of a vulnerability. With all of that happening, Kickstarter decided to pull the campaign.

Despite its initial pitfalls, Anonabox was purchased by a third party company and it still alive and well. There are currently four different devices for sale: the Original, the Anonabox Pro, the Fawkes, and the Tunneler. Due to the number of iterations that they go through, if you’re reading user reviews it’s important

Tor on a Router

The Anonabox product is essentially a Tor router. Tor has the following mainstream issues:

  • It’s complicated to set up
  • It’s not portable
  • Not available on all OS

By running Tor on a router you overcome all of these issues. Thereby making the Anonabox a fantastic little tool for privacy.

Of course, a similar result can be achieved with a VPN router. Unfortunately, most VPN routers aren’t portable, though that isn’t to say they don’t exist.

What is Tor?

We won’t go into too much detail about Tor. However, in short, it’s a system that helps users keep private and anonymous by routing it through multiple layers. This is where it got its name – The Onion Router. As it goes through each layer another level of encryption is also added, making your data impossible to decrypt.

What is Tor

When a user connects to the Tor network, their connection is routed through a random set of at least three nodes. Once the connection goes through these relays, it will reach its final destination – the website you wish to visit. Incoming traffic is handled similarly to the outgoing traffic. Usually, this happens through the Tor browser, but with the Anonabox it handles it through your router.

While the TOR network is heavily developed by the US government, the nodes themselves are run by individuals make the system a lot more secure.

Tor vs VPN?

Tor and VPN both help protect your online anonymity and privacy. Unfortunately, while Tor has its positives, it can be extremely slow and a hassle to use. A secure and reliable VPN can offer you a similar level of protection without the drastic speed loss.

There are also Tor VPN services but that’s a more complicated topic, and for those that are extremely paranoid about their online security.

Physical Looks and Function

All versions of the Anonabox come is a small form factor router that’s the size of a cigarette box. All it requires to run is a USB port for power. Alongside this, you need an ethernet cable to be able to connect it to a network. Luckily most airports and hotels have ethernet ports that you can use.

Anonabox

Setup and Usage

Using the Anonabox is extremely straight forward. Just follow these steps.

  1. Connect it to power. Either through your computer or a power socket.
  2. Connect it to the internet using the Ethernet port
  3. Connect to the new WiFi network using the password provided
  4. That’s it, your wireless network is now protected by Tor

Some versions of the Anonabox also support the use of a VPN such as VyprVPN or HMA. The Anonabox interface also makes it easy to set these up. Their user manual clearly outlines the steps for you to follow, but in short, it’s as follows.

  1. Log in to your Anonabox web interface
  2. Navigate to Network -> VPN
  3. Enter your username and password for your VPN and select the location you wish to use.
  4. Connect
  5. Now all of your data is protected by a VPN and Tor

Anonabox vs InvizBox

As mentioned at the start of this article, there are a lot of devices similar to Anonabox on the market, and even on Amazon. One of the most popular competitors is InvizBox. While the two seem to offer much of the same we’d recommend InvizBox as they seem to keep the product and website more up to date.

Conclusion

In conclusion, Anonabox is a very niche device. In our personal opinion, we’d avoid using it. While it’s relatively cheap and could be a useful device, on the whole the unstable past and present of the company discourages us from using it.


Anonabox Analysis

The following is research carried out by Lars Boegild Thomsen on the vulnerability of the original Anonabox. He found a number of deep tech issues embedded within the system and made a note of them. This section is intended to serve as an archive and should you have any questions relating to it you should email Lars directly as most of it is too technical even for us.

The Anonabox is, according to their website:

anonymity in a box
Anonabox is a Tor hardware router for increased online privacy &
anonymity. This pocket size device offers a plug-and-play solution 
to route ALL of your network traffic over the Tor network. You 
heard that right, no software to install, no activation, & no 
registration. Just plug it in and start cloaking your online activity.

The website contains absolutely no links to any kind of documentation, source code or any other technical documentation, so I simply had to have a poke around the insides of this little router.

Anonabox Details

Initial Assessment

After plugging the wan port of the Anonabox into my lan and powering up the device, a new access point showed up on my phone:

Anonabox WiFi Settings

I am guessing that “anbx1424833770” is the access point I should be using. Connecting to that access point, the first thing that is noticeable is the allocated IP address:

Network Connection

126.16.2.128? Now there is a new one! A quick search on whois show:

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '126.0.0.0 - 126.255.255.255'

inetnum:        126.0.0.0 - 126.255.255.255
netname:        BBTEC
descr:          Japan Nation-wide Network of Softbank BB Corp.
country:        JP
admin-c:        SA421-AP
tech-c:         SA421-AP
mnt-by:         APNIC-HM
mnt-lower:      MAINT-JP-BBTECH
status:         ALLOCATED PORTABLE
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:        [email protected] 20050208
changed:        [email protected] 20081031
source:         APNIC

role:           SoftbankBB ABUSE
address:        Tokyo Shiodome bldg., 1-9-1, Higashi-Shimbashi, Minatoku,Tokyo
country:        JP
phone:          +81-3-6688-5120
e-mail:         [email protected]
remarks:        Please send spam report,virus alart
remarks:        or any other abuse report
remarks:        to  [email protected]
remarks:        Any other Information, Notice,
remarks:        Please send to [email protected]
admin-c:        ST222-AP
tech-c:         ST222-AP
nic-hdl:        SA421-AP
notify:         [email protected]
mnt-by:         MAINT-JP-BBTECH
changed:        [email protected] 20081030
source:         APNIC
changed:        [email protected] 20111114

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)

Now, there is a novel approach? Instead of using the 3 ranges of IP addresses that are allocated to private use, just grab a random one and use that. I guess it could be argued that since this device route everything through Tor, it really doesn’t matter all that much. But it still seems rather pointless and I can’t image why on earth that decision was made.

Very well, second test would be to check if Tor is working:

What Is My IP

It would appear so because that is definitely not my public IP. A further quick check at https://check.torproject.org show:

TOR Project Check

So yeah, the Anonabox appears to be working but it is downright shocking that the WiFi connection is running unencrypted. Anybody within range of the Anonabox can connect to the network and sniff all network traffic.

Normally, OpenWrt (which the Anonabox is based on) is running a web-based user interface that will enable the user to change the device configuration. Pointing the browser to:

https://126.16.2.1

resulted in – well – absolutely nothing. In other words, there doesn’t appear to be any way whatsoever that a user can make this security device – well – ahem – secure.

Breaking and Entering

In order to figure out how to get in to the box, I hooked it’s LAN port up to my LAN. I hardcoded my IP address as:

 126.16.1.2/24

And sure thing – I could now ping the Anonabox:

root@ncpws04:~# ping 126.16.2.1
PING 126.16.2.1 (126.16.2.1) 56(84) bytes of data.
64 bytes from 126.16.2.1: icmp_seq=1 ttl=51 time=132 ms
64 bytes from 126.16.2.1: icmp_seq=2 ttl=51 time=136 ms

Next step was to see if there was any ports open:

root@ncpws04:~# nmap -O -p- 126.16.2.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-06 17:05 MYT
Nmap scan report for softbank126016002001.bbtec.net (126.16.2.1)
Host is up (0.13s latency).
All 65535 scanned ports on softbank126016002001.bbtec.net (126.16.2.1) are filtered
Too many fingerprints match this host to give specific OS details
Network Distance: 13 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1034.15 seconds

So far it would appear that the Anonabox is locked down pretty tightly – except the unencrypted WiFi obviously. Apologies to bbtec.net, but I _really_ didn’t scan their public IP 🙂

However, since the box is running a Linux Kernel and OpenWrt, IPv6 should be enabled by default. Since “Tor” is not supporting IPv6 at all it seemed quite likely that the Anonabox came with the default IPv6 firewall and a working link local address. Fortunately, as can be seen on the photo at the start of this page, the Anonabox came with the MAC address of at least one interface conveniently labelled on the box.

Using:

https://ben.akrin.com/ipv6_mac_address_to_link_local_converter/?mode=api&mac=0C:EF:AF:CA:14:82

The link local address of one interface should be:

 fe80::eef:afff:feca:1482

Trying to ping that:

 lth@ncpws04:~$ ping6 fe80::eef:afff:feca:1482%eth0
 PING fe80::eef:afff:feca:1482%eth0(fe80::eef:afff:feca:1482) 56 data bytes
 From fe80::e2cb:4eff:fe3e:11c6 icmp_seq=1 Destination unreachable: Address unreachable

A device running OpenWrt is likely to have more than one interface, and it is likely that the MAC addresses are allocated in series, so poking around a bit more resulted in:

 lth@ncpws04:~$ ping6 fe80::eef:afff:feca:1481%eth0
 PING fe80::eef:afff:feca:1481%eth0(fe80::eef:afff:feca:1481) 56 data bytes
 64 bytes from fe80::eef:afff:feca:1481: icmp_seq=1 ttl=64 time=0.483 ms

Time to do a port scan on that address:

root@ncpws04:~# nmap -O -p- fe80::eef:afff:feca:1481%eth0

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-06 17:24 MYT
fe80::eef:afff:feca:1481/0 looks like an IPv6 target specification -- you have to use the -6 option.
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.47 seconds
root@ncpws04:~# nmap -O -6 -p- fe80::eef:afff:feca:1481%eth0

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-06 17:24 MYT
Nmap scan report for fe80::eef:afff:feca:1481
Host is up (0.00042s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
32891/tcp open  unknown
MAC Address: 0C:EF:AF:CA:14:81 (Unknown)
No OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.47%E=6%D=4/6%OT=53%CT=1%CU=32856%PV=N%DS=1%DC=D%G=Y%M=0CEFAF%T
OS:M=55226A8B%P=x86_64-pc-linux-gnu)S1(P=6000{4}280640XX{32}0035e8651164f1
OS:208799aafba0126f9066330000020405a00402080a00134370ff{4}0103{3}%ST=0.091
OS:935%RT=0.292415)S2(P=6000{4}280640XX{32}0035e8660e698b728799aafca0126f9
OS:0ced00000020405a00402080a0013437aff{4}0103{3}%ST=0.192034%RT=0.292466)S
OS:3(P=6000{4}280640XX{32}0035e867d93a8a928799aafda0126f9007d40000020405a0
OS:0101080a00134384ff{4}0103{3}%ST=0.291967%RT=0.492329)S4(P=6000{4}280640
OS:XX{32}0035e868e7cd66498799aafea0126f901a7d0000020405a00402080a0013438ef
OS:f{4}0103{3}%ST=0.391912%RT=0.492353)S5(P=6000{4}280640XX{32}0035e869934
OS:2bc5a8799aaffa0126f9018eb0000020405a00402080a00134398ff{4}0103{3}%ST=0.
OS:491897%RT=0.633643)S6(P=6000{4}240640XX{32}0035e86a9a64cf298799ab009012
OS:6f9012f80000020405a00402080a001343a2ff{4}%ST=0.591902%RT=0.633666)IE1(P
OS:=6000{4}803a40XX{32}8109c161abcd00{122}%ST=0.633072%RT=0.831159)IE2(P=6
OS:000{4}583a40XX{32}0401c2b300{3}38600123450028003bXX{32}3c00010400{4}2b0
OS:0010400{12}3a00010400{4}8000c2e1abcd0001%ST=0.682893%RT=0.831209)NS(P=6
OS:000{4}183affXX{32}8800d5e3c000{3}XX{16}%ST=0.781307%RT=0.831241)U1(P=60
OS:00{3}01643a40XX{32}010457f300{4}6001234501341128XX{32}e7ef805801341ac84
OS:3{300}%ST=0.830545%RT=1.02953)TECN(P=6000{4}200640XX{32}0035e86b77b74f9
OS:38799ab01801270800b060000020405a0010104020103{3}%ST=0.880458%RT=1.02957
OS:)T4(P=6000{4}140640XX{32}0035e86e8efa74dc00{4}50040000b2590000%ST=1.724
OS:75%RT=1.72507)T5(P=6000{4}140640XX{32}0001e86f00{4}8799ab055014000083b4
OS:0000%ST=1.07879%RT=1.7251)T6(P=6000{4}140640XX{32}0001e870953287b900{4}
OS:5004000099760000%ST=1.12803%RT=1.72511)T7(P=6000{4}140640XX{32}0001e871
OS:00{4}8799ab075014000083b00000%ST=1.1772%RT=1.72511)EXTRA(FL=12345)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6573.41 seconds

That took a while, but it was well worth it. First of all port 80 is open. Unfortunately, I believe ‘lynx’ is the only browser that support link local addresses, so:

 lynx http://[fe80::eef:afff:feca:1481%eth0]
Lynx

While Lynx is pretty cool it is a bit tedious to use. Fortunately there is a tool called tcpproxy, that will proxy between IPv4 and IPv6 addresses:

 lth@ncpws04:~/src/tcpproxy/src$ ./tcpproxy -D -t ipv4 -p 8087 -r fe80::eef:afff:feca:1481%eth0 -R 6 -o 80
tcpproxy

By default, OpenWrt doesn’t come with a password and that will be prominently displayed on the login page of Luci. In other words, the Anonabox has got a root password hard coded. And the root password is – I am not joking: “admin” (that took me 4 attempts, I think I tried root, anonabox, 12345678 and a few other first):

localhost

By now we know the root password and we got the web interface, so we could change that port zero for dropbear. But hold on – go back and check the port scan I did earlier – something listening on port 32891. Could it be – surely not:

lth@ncpws04:~$ ssh -p 32891 root@fe80::eef:afff:feca:1481%eth0  
The authenticity of host '[fe80::eef:afff:feca:1481%eth0]:32891 ([fe80::eef:afff:feca:1481%eth0]:32891)' can't be established.
RSA key fingerprint is 48:2d:c9:93:ab:39:c9:b7:55:52:71:a2:8e:56:e7:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[fe80::eef:afff:feca:1481%eth0]:32891' (RSA) to the list of known hosts.
root@fe80::eef:afff:feca:1481%eth0's password: 


BusyBox v1.22.1 (2014-11-29 06:25:27 PHT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  █████╗ ███╗   ██╗ ██████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██╗  ██╗
 ██╔══██╗████╗  ██║██╔═══██╗████╗  ██║██╔══██╗██╔══██╗██╔═══██╗╚██╗██╔╝
 ███████║██╔██╗ ██║██║   ██║██╔██╗ ██║███████║██████╔╝██║   ██║ ╚███╔╝ 
 ██╔══██║██║╚██╗██║██║   ██║██║╚██╗██║██╔══██║██╔══██╗██║   ██║ ██╔██╗ 
 ██║  ██║██║ ╚████║╚██████╔╝██║ ╚████║██║  ██║██████╔╝╚██████╔╝██╔╝ ██╗
 ╚═╝  ╚═╝╚═╝  ╚═══╝ ╚═════╝ ╚═╝  ╚═══╝╚═╝  ╚═╝╚═════╝  ╚═════╝ ╚═╝  ╚═╝
 v2.1                  ___,,___
                  _,-='=- =-  -`"--.__,,.._
               ,-;// /  - -       -   -= - "=.
             ,'///    -     -   -   =  - ==-=\`.
            |/// /  =    `. - =   == - =.=_,,._ `=/|
           ///    -   -    \  - - = ,ndDMHHMM/\b  \\
         ,' - / /        / /\ =  - /MM(,,._`YQMML  `|
        <_,=^Kkm / / / / ///H|wnWWdMKKK#""-;. `"0\  |
               `""QkmmmmmnWMMM\""WHMKKMM\   `--. \> \
        hjm          `""'  `->>>    ``WHMb,.    `-_<@)
                                       `"QMM`.
                                          `>>>
          _______                     ________        __
         |       |.-----.-----.-----.|  |  |  |.----.|  |_
         |   o   ||  _  |  -__|     ||  |  |  ||   _||   _|
         |_______||   __|_____|__|__||________||__|  |____|
                  |__| W I R E L E S S   F R E E D O M
            Based on CHAOS CALMER (Bleeding Edge, r41992) 


root@anonabox:~# 

There you have it – root shell on an Anonabox without changing a single thing.

Can the Anonabox be made secure?

Well, yes and no. Some of the obvious mistakes made by Anonabox can be remedied and that will make it a better produce. But there’s still a fundamental problem in the fact that the source code is not available, so a back door could theoretically be hidden in a binary file somewhere (dropbear for example). It would be a far better approach to build an entirely new firmware.

Gallery

  • Xxx cracked open
  • Xxx board btm view
  • Xxx board top view
  • Ripping firmware out of the darn thing

Raw Dumps

For each file I have added some comments at the end.

Serial console – boot

U-Boot 1.1.4  (Jan 24 2015)

AP121 (AR9331) U-Boot

DRAM:  64 MB
FLASH: Winbond W25Q128 (16 MB)
Using default environment

In:  serial
Out: serial
Err: serial
Net:   ag7240_enet_initialize...
: cfg1 0x5 cfg2 0x7114
eth0: 0C:EF:AF:CA:14:82
eth0 up
: cfg1 0xf cfg2 0x7214
eth1: 0C:EF:AF:CA:14:82
athrs26_reg_init_lan
eth1 up

Press any key to stop autoboot, Autobooting in : 0 

Booting image at: 0x9F020000

   Image name:   OpenWrt r43423
   Image type:   MIPS Linux Kernel Image (lzma compressed)
   Data size:    1107428 Bytes = 1.1 MB
   Load address: 0x80060000
   Entry point:  0x80060000

Uncompressing kernel image... OK!
Starting kernel...

[    0.000000] Linux version 3.14.18 ([email protected]) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r43423) ) #4 Sat Nov 29 09:50:23 PHT 2014
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Atheros AR9330 rev 1
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line:  board=OOLITE-BOX1 console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 61076K/65536K available (2379K kernel code, 119K rwdata, 500K rodata, 256K init, 187K bss, 4460K reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51
[    0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[    0.000000] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[    0.080000] pid_max: default: 32768 minimum: 301
[    0.080000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.090000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.100000] NET: Registered protocol family 16
[    0.100000] MIPS: machine is Oolite Box V1
[    0.560000] bio: create slab <bio-0> at 0
[    0.570000] Switched to clocksource MIPS
[    0.570000] NET: Registered protocol family 2
[    0.580000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.580000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.590000] TCP: Hash tables configured (established 1024 bind 1024)
[    0.590000] TCP: reno registered
[    0.600000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.600000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.610000] NET: Registered protocol family 1
[    0.620000] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.640000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.650000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.660000] msgmni has been set to 119
[    0.660000] io scheduler noop registered
[    0.660000] io scheduler deadline registered (default)
[    0.670000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.680000] ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a AR933X UART
[    0.680000] console [ttyATH0] enabled
[    0.680000] console [ttyATH0] enabled
[    0.690000] bootconsole [early0] disabled
[    0.690000] bootconsole [early0] disabled
[    0.700000] m25p80 spi0.0: found w25q128, expected m25p80
[    0.710000] m25p80 spi0.0: w25q128 (16384 Kbytes)
[    0.710000] 5 tp-link partitions found on MTD device spi0.0
[    0.720000] Creating 5 MTD partitions on "spi0.0":
[    0.720000] 0x000000000000-0x000000020000 : "u-boot"
[    0.730000] 0x000000020000-0x00000012e7e4 : "kernel"
[    0.730000] mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.750000] 0x00000012e7e4-0x000000ff0000 : "rootfs"
[    0.750000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.770000] mtd: device 2 (rootfs) set to be root filesystem
[    0.770000] 1 squashfs-split partitions found on MTD device rootfs
[    0.780000] 0x000000380000-0x000000ff0000 : "rootfs_data"
[    0.790000] 0x000000ff0000-0x000001000000 : "art"
[    0.790000] 0x000000020000-0x000000ff0000 : "firmware"
[    0.810000] libphy: ag71xx_mdio: probed
[    1.370000] ag71xx-mdio.1: Found an AR7240/AR9330 built-in switch
[    2.400000] eth0: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[    3.030000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY]
[    3.030000] eth1: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[    3.040000] TCP: cubic registered
[    3.040000] NET: Registered protocol family 17
[    3.050000] 8021q: 802.1Q VLAN Support v1.8
[    3.060000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[    3.070000] Freeing unused kernel memory: 256K (80350000 - 80390000)
procd: Console is alive
procd: - watchdog -
[    5.730000] usbcore: registered new interface driver usbfs
[    5.730000] usbcore: registered new interface driver hub
[    5.740000] usbcore: registered new device driver usb
[    5.750000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    5.750000] ehci-platform: EHCI generic platform driver
[    5.760000] ehci-platform ehci-platform: EHCI Host Controller
[    5.760000] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[    5.770000] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[    5.800000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[    5.800000] hub 1-0:1.0: USB hub found
[    5.800000] hub 1-0:1.0: 1 port detected
procd: - preinit -
md5sum: can't open '/lib/firmware/ath10k/QCA988X/hw2.0/firmware-3.bin': No such file or directory
[    7.960000] random: mktemp urandom read with 63 bits of entropy available
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
jffs2 is ready
jffs2 is ready
[   11.330000] jffs2: notice: (302) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (1 unchecked, 0 orphan) and 16 of xref (0 dead, 2 orphan) found.
switching to overlay
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
[   14.820000] NET: Registered protocol family 10
[   14.830000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   14.890000] u32 classifier
[   14.890000]     input device check on
[   14.890000]     Actions configured
[   14.920000] Mirror/redirect action on
[   14.950000] nf_conntrack version 0.5.0 (958 buckets, 3832 max)
[   14.970000] Loading modules backported from Linux version master-2014-11-04-0-gf3660a2
[   14.980000] Backport generated by backports.git backports-20141023-2-g4ff890b
[   15.000000] ip_tables: (C) 2000-2006 Netfilter Core Team
[   15.190000] xt_time: kernel timezone is -0000
[   15.250000] cfg80211: Calling CRDA to update world regulatory domain
[   15.250000] cfg80211: World regulatory domain updated:
[   15.260000] cfg80211:  DFS Master region: unset
[   15.260000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   15.270000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   15.280000] cfg80211:   (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   15.290000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[   15.290000] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[   15.300000] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (0 s)
[   15.310000] cfg80211:   (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[   15.320000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[   15.330000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[   15.430000] PPP generic driver version 2.4.2
[   15.440000] NET: Registered protocol family 24
[   15.570000] cfg80211: Calling CRDA for country: US
[   15.590000] cfg80211: Regulatory domain changed to country: US
[   15.590000] cfg80211:  DFS Master region: FCC
[   15.590000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   15.600000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[   15.610000] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 1700 mBm), (N/A)
[   15.620000] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2300 mBm), (0 s)
[   15.630000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[   15.640000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[   15.650000] ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2
[   23.610000] random: nonblocking pool is initialized
[   26.720000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   26.720000] device eth0 entered promiscuous mode
[   26.740000] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   26.800000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[   26.820000] IPv6: ADDRCONF(NETDEV_UP): br-wifi: link is not ready
[   29.140000] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   29.160000] device wlan0 entered promiscuous mode
[   29.200000] br-wifi: port 1(wlan0) entered forwarding state
[   29.200000] br-wifi: port 1(wlan0) entered forwarding state
[   29.210000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[   29.230000] IPv6: ADDRCONF(NETDEV_CHANGE): br-wifi: link becomes ready
[   29.240000] eth1: link up (100Mbps/Full duplex)
[   29.240000] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[   31.200000] br-wifi: port 1(wlan0) entered forwarding state
procd: - init complete -

The main point of interest there is the fact that the kernel was build in China. In other words it is doubtful if Anonabox have been building their own OpenWrt from scratch.

Output of ‘dmesg’

[    0.000000] Linux version 3.14.18 ([email protected]) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r43423) ) #4 Sat Nov 29 09:50:23 PHT 2014
[    0.000000] MyLoader: sysp=8198bab2, boardp=99edd07b, parts=3b02dafb
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Atheros AR9330 rev 1
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
[    0.000000] On node 0 totalpages: 16384
[    0.000000] free_area_init_node: node 0, pgdat 80338420, node_mem_map 81000000
[    0.000000]   Normal zone: 128 pages used for memmap
[    0.000000]   Normal zone: 0 pages reserved
[    0.000000]   Normal zone: 16384 pages, LIFO batch:3
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[    0.000000] pcpu-alloc: [0] 0 
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line:  board=OOLITE-BOX1 console=ttyATH0,115200 rootfstype=squashfs,jffs2 noinitrd
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 61076K/65536K available (2379K kernel code, 119K rwdata, 500K rodata, 256K init, 187K bss, 4460K reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51
[    0.000000] Clocks: CPU:400.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:25.000MHz
[    0.000000] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[    0.080000] pid_max: default: 32768 minimum: 301
[    0.080000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.090000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.100000] NET: Registered protocol family 16
[    0.100000] MIPS: machine is Oolite Box V1
[    0.560000] bio: create slab <bio-0> at 0
[    0.570000] Switched to clocksource MIPS
[    0.570000] NET: Registered protocol family 2
[    0.580000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.580000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.590000] TCP: Hash tables configured (established 1024 bind 1024)
[    0.590000] TCP: reno registered
[    0.600000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.600000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.610000] NET: Registered protocol family 1
[    0.610000] PCI: CLS 0 bytes, default 32
[    0.620000] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.640000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.650000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.660000] msgmni has been set to 119
[    0.660000] io scheduler noop registered
[    0.660000] io scheduler deadline registered (default)
[    0.670000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.680000] ar933x-uart: ttyATH0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a AR933X UART
[    0.680000] console [ttyATH0] enabled
[    0.690000] bootconsole [early0] disabled
[    0.700000] m25p80 spi0.0: found w25q128, expected m25p80
[    0.710000] m25p80 spi0.0: w25q128 (16384 Kbytes)
[    0.710000] 5 tp-link partitions found on MTD device spi0.0
[    0.720000] Creating 5 MTD partitions on "spi0.0":
[    0.720000] 0x000000000000-0x000000020000 : "u-boot"
[    0.730000] 0x000000020000-0x00000012e7e4 : "kernel"
[    0.730000] mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.750000] 0x00000012e7e4-0x000000ff0000 : "rootfs"
[    0.750000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.770000] mtd: device 2 (rootfs) set to be root filesystem
[    0.770000] 1 squashfs-split partitions found on MTD device rootfs
[    0.780000] 0x000000380000-0x000000ff0000 : "rootfs_data"
[    0.790000] 0x000000ff0000-0x000001000000 : "art"
[    0.790000] 0x000000020000-0x000000ff0000 : "firmware"
[    0.810000] libphy: ag71xx_mdio: probed
[    1.370000] ag71xx-mdio.1: Found an AR7240/AR9330 built-in switch
[    2.400000] eth0: Atheros AG71xx at 0xba000000, irq 5, mode:GMII
[    3.030000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.1:04 [uid=004dd041, driver=Generic PHY]
[    3.030000] eth1: Atheros AG71xx at 0xb9000000, irq 4, mode:MII
[    3.040000] TCP: cubic registered
[    3.040000] NET: Registered protocol family 17
[    3.050000] 8021q: 802.1Q VLAN Support v1.8
[    3.060000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[    3.070000] Freeing unused kernel memory: 256K (80350000 - 80390000)
[    5.730000] usbcore: registered new interface driver usbfs
[    5.730000] usbcore: registered new interface driver hub
[    5.740000] usbcore: registered new device driver usb
[    5.750000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    5.750000] ehci-platform: EHCI generic platform driver
[    5.760000] ehci-platform ehci-platform: EHCI Host Controller
[    5.760000] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[    5.770000] ehci-platform ehci-platform: irq 3, io mem 0x1b000000
[    5.800000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[    5.800000] hub 1-0:1.0: USB hub found
[    5.800000] hub 1-0:1.0: 1 port detected
[    7.960000] random: mktemp urandom read with 65 bits of entropy available
[   11.330000] jffs2: notice: (302) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (1 unchecked, 0 orphan) and 16 of xref (0 dead, 2 orphan) found.
[   14.570000] NET: Registered protocol family 10
[   14.800000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   14.840000] u32 classifier
[   14.840000]     input device check on
[   14.850000]     Actions configured
[   14.860000] Mirror/redirect action on
[   14.880000] nf_conntrack version 0.5.0 (958 buckets, 3832 max)
[   14.890000] Loading modules backported from Linux version master-2014-11-04-0-gf3660a2
[   14.900000] Backport generated by backports.git backports-20141023-2-g4ff890b
[   14.930000] ip_tables: (C) 2000-2006 Netfilter Core Team
[   15.120000] xt_time: kernel timezone is -0000
[   15.160000] cfg80211: Calling CRDA to update world regulatory domain
[   15.170000] cfg80211: World regulatory domain updated:
[   15.170000] cfg80211:  DFS Master region: unset
[   15.170000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   15.180000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   15.190000] cfg80211:   (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   15.200000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[   15.210000] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[   15.210000] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (0 s)
[   15.220000] cfg80211:   (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[   15.230000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[   15.240000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[   15.340000] PPP generic driver version 2.4.2
[   15.360000] NET: Registered protocol family 24
[   15.440000] ath: EEPROM regdomain: 0x0
[   15.440000] ath: EEPROM indicates default country code should be used
[   15.440000] ath: doing EEPROM country->regdmn map search
[   15.440000] ath: country maps to regdmn code: 0x3a
[   15.440000] ath: Country alpha2 being used: US
[   15.440000] ath: Regpair used: 0x3a
[   15.450000] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[   15.470000] cfg80211: Calling CRDA for country: US
[   15.480000] cfg80211: Regulatory domain changed to country: US
[   15.480000] cfg80211:  DFS Master region: FCC
[   15.480000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   15.490000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[   15.500000] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 1700 mBm), (N/A)
[   15.510000] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2300 mBm), (0 s)
[   15.520000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[   15.530000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[   15.540000] ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2
[   22.800000] random: nonblocking pool is initialized
[   26.700000] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   26.700000] device eth0 entered promiscuous mode
[   26.720000] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   26.780000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[   26.790000] IPv6: ADDRCONF(NETDEV_UP): br-wifi: link is not ready
[   29.390000] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   29.430000] device wlan0 entered promiscuous mode
[   29.450000] br-wifi: port 1(wlan0) entered forwarding state
[   29.450000] br-wifi: port 1(wlan0) entered forwarding state
[   29.460000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[   29.500000] IPv6: ADDRCONF(NETDEV_CHANGE): br-wifi: link becomes ready
[   31.450000] br-wifi: port 1(wlan0) entered forwarding state
[   62.430000] eth1: link up (100Mbps/Full duplex)
[   62.430000] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready

Output of ‘ps w’

root@anonabox:~# ps w
  PID USER       VSZ STAT COMMAND
    1 root      1396 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    5 root         0 SW<  [kworker/0:0H]
    6 root         0 SW   [kworker/u2:0]
    7 root         0 SW<  [khelper]
    8 root         0 SW   [kworker/u2:1]
   59 root         0 SW<  [writeback]
   62 root         0 SW<  [bioset]
   64 root         0 SW<  [kblockd]
   90 root         0 SW   [kworker/0:1]
   97 root         0 SW   [kswapd0]
  144 root         0 SW   [fsnotify_mark]
  160 root         0 SW   [spi0]
  241 root         0 SW<  [deferwq]
  252 root         0 SW   [khubd]
  303 root         0 SWN  [jffs2_gcd_mtd3]
  358 root       888 S    /sbin/ubusd
  359 root      1372 S    /bin/ash --login
  521 root         0 SW<  [ipv6_addrconf]
  625 root         0 SW<  [cfg80211]
  726 root      1040 S    /sbin/logd -S 16
  760 root      1548 S    /sbin/netifd
  784 root      1160 S    /usr/sbin/odhcpd
  833 root      1152 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 0 -K 300
 1218 root      1584 S    /usr/sbin/hostapd -P /var/run/wifi-phy0.pid -B /var/run/hostapd-phy0.conf
 1264 tor      18652 S    /usr/sbin/tor --PidFile /var/run/tor.pid
 1276 root      1520 S    /usr/sbin/uhttpd -f -h /www -r anonabox -x /cgi-bin -u /ubus -t 60 -T 30 -k 20 -A 1 -n 3 -N 100 -R -p 0.0
 1404 nobody     928 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k
 1550 root      1364 S    /usr/sbin/ntpd -n -S /usr/sbin/ntpd-hotplug -p 0.openwrt.pool.ntp.org -p 1.openwrt.pool.ntp.org -p 2.open
 1599 root         0 SW   [kworker/0:0]
 1604 root      1360 R    ps w

The ‘-p 0’ parameter to dropbear is curious. As far as I know, dropbear can’t bind to tcp port 0, and “normally” port 0 means pick a random available port. If they intend to stop the use of ssh, why not simply remove the package or disable it.

Content of /etc/config/dhcp

root@anonabox:/etc/config# cat dhcp 

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'wifi'

Content of /etc/config/dropbear

root@anonabox:/etc/config# cat dropbear

config dropbear
        option PasswordAuth 'on'
        option Port '0'

There is that port 0 again. Odd.

Content of /etc/config/firewall

root@anonabox:/etc/config# cat firewall

config defaults
        option syn_flood '1'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

That is pretty much OpenWrt default.

Content of /etc/config/luci

root@anonabox:/etc/config# cat luci

config core 'main'
        option lang 'auto'
        option mediaurlbase '/luci-static/openwrt.org'
        option resourcebase '/luci-static/resources'

config extern 'flash_keep'
        option uci '/etc/config/'
        option dropbear '/etc/dropbear/'
        option openvpn '/etc/openvpn/'
        option passwd '/etc/passwd'
        option opkg '/etc/opkg.conf'
        option firewall '/etc/firewall.user'
        option uploads '/lib/uci/upload/'

config internal 'languages'

config internal 'sauth'
        option sessionpath '/tmp/luci-sessions'
        option sessiontime '3600'

config internal 'ccache'
        option enable '1'

config internal 'themes'
        option Bootstrap '/luci-static/bootstrap'

Content of /etc/config/network

root@anonabox:/etc/config# cat network 

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd5:429b:7cf6::/48'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '126.16.1.1'
        option _orig_ifname 'eth0 wlan0'
        option _orig_bridge 'true'
        option ifname 'eth0'
        option delegate '0'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option delegate '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'

config interface 'onions'
        option proto 'static'
        option ifname 'onions'
        option ipaddr '10.192.0.1'
        option netmask '255.192.0.0'
        option delegate '0'

config interface 'wifi'
        option proto 'static'
        option ipaddr '126.16.2.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option _orig_ifname 'wifi'
        option _orig_bridge 'true'
        option ifname 'wifi'
        option delegate '0'

The choice of IP addresses is deeply weird. I think it might be some misguided attempt at security through obscurity, but well – since there’s a DHCP server running that happily hand out IP addresses to anybody within WiFi range it is not as if it is a big secret.

Content of /etc/config/qos

root@anonabox:/etc/config# cat qos
# QoS configuration for OpenWrt

# INTERFACES:
config interface wan
        option classgroup  "Default"
        option enabled      0
        option upload       128
        option download     1024

# RULES:
config classify
        option target       "Priority"
        option ports        "22,53"
        option comment      "ssh, dns"
config classify
        option target       "Normal"
        option proto        "tcp"
        option ports        "20,21,25,80,110,443,993,995"
        option comment      "ftp, smtp, http(s), imap"
config classify
        option target       "Express"
        option ports        "5190"
        option comment      "AOL, iChat, ICQ"
config default
        option target       "Express"
        option proto        "udp"
        option pktsize      "-500"
config reclassify
        option target       "Priority"
        option proto        "icmp"
config default
        option target       "Bulk"
        option portrange    "1024-65535"


# Don't change the stuff below unless you
# really know what it means :)

config classgroup "Default"
        option classes      "Priority Express Normal Bulk"
        option default      "Normal"


config class "Priority"
        option packetsize  400
        option avgrate     10
        option priority    20
config class "Priority_down"
        option packetsize  1000
        option avgrate     10


config class "Express"
        option packetsize  1000
        option avgrate     50
        option priority    10

config class "Normal"
        option packetsize  1500
        option packetdelay 100
        option avgrate     10
        option priority    5
config class "Normal_down"
        option avgrate     20

config class "Bulk"
        option avgrate     1
        option packetdelay 200

I don’t think this is used at all.

Content of /etc/config/system

root@anonabox:/etc/config# cat system

config system
option hostname 'anonabox'
option timezone 'UTC'

config timeserver 'ntp'
list server '0.openwrt.pool.ntp.org'
list server '1.openwrt.pool.ntp.org'
list server '2.openwrt.pool.ntp.org'
list server '3.openwrt.pool.ntp.org'
option enabled '1'
option enable_server '0'

config led
option default '0'
option name '1'
option trigger 'netdev'
option mode 'tx rx'
option sysfs 'oolitebox:green:system'
option dev 'br-wifi'

Content of /etc/config/ucitrack

root@anonabox:/etc/config# cat ucitrack 
config network
        option init network
        list affects dhcp
        list affects radvd

config wireless
        list affects network

config firewall
        option init firewall
        list affects luci-splash
        list affects qos
        list affects miniupnpd

config olsr
        option init olsrd

config dhcp
        option init dnsmasq
        list affects odhcpd

config odhcpd
        option init odhcpd

config dropbear
        option init dropbear

config httpd
        option init httpd

config fstab
        option init fstab

config qos
        option init qos

config system
        option init led
        list affects luci_statistics

config luci_splash
        option init luci_splash

config upnpd
        option init miniupnpd

config ntpclient
        option init ntpclient

config samba
        option init samba

config tinyproxy
        option init tinyproxy

config 6relayd
        option init 6relayd

Content of /etc/config/uhttpd

root@anonabox:/etc/config# cat uhttpd 

config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'

config cert 'px5g'
        option days '730'
        option bits '1024'
        option country 'DE'
        option state 'Berlin'
        option location 'Berlin'
        option commonname 'OpenWrt'

How nice of them to bind to IPv6. That is actually not OpenWrt default if I remember correctly.

Content of /etc/config/wireless

root@anonabox:/etc/config# cat wireless 

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '7'
        option hwmode '11g'
        option path 'platform/ar933x_wmac'
        option noscan '1'
        option disabled '0'
        option htmode 'HT20'
        option txpower '30'
        option country 'US'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option encryption 'none'
        option network 'wifi'

option ssid 'anbx1424833770'

Oh dear. This is really where it gets ugly. Open WiFi – no encryption – no password – random ssid apparently – syntax error in the UCI configuration file.

Output of “uci show”

root@anonabox:/etc/config# uci show
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded=1
dhcp.@dnsmasq[0].boguspriv=1
dhcp.@dnsmasq[0].filterwin2k=0
dhcp.@dnsmasq[0].localise_queries=1
dhcp.@dnsmasq[0].rebind_protection=1
dhcp.@dnsmasq[0].rebind_localhost=1
dhcp.@dnsmasq[0].local=/lan/
dhcp.@dnsmasq[0].domain=lan
dhcp.@dnsmasq[0].expandhosts=1
dhcp.@dnsmasq[0].nonegcache=0
dhcp.@dnsmasq[0].authoritative=1
dhcp.@dnsmasq[0].readethers=1
dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
dhcp.@dnsmasq[0].resolvfile=/tmp/resolv.conf.auto
dhcp.lan=dhcp
dhcp.lan.interface=lan
dhcp.lan.start=100
dhcp.lan.limit=150
dhcp.lan.leasetime=12h
dhcp.wan=dhcp
dhcp.wan.interface=wan
dhcp.wan.ignore=1
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp=0
dhcp.odhcpd.leasefile=/tmp/hosts/odhcpd
dhcp.odhcpd.leasetrigger=/usr/sbin/odhcpd-update
dhcp.@dhcp[0]=dhcp
dhcp.@dhcp[0].start=100
dhcp.@dhcp[0].leasetime=12h
dhcp.@dhcp[0].limit=150
dhcp.@dhcp[0].interface=wifi
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].Port=0
dropbear~.@dropbear[0]=dropbear
dropbear~.@dropbear[0].PasswordAuth=on
dropbear~.@dropbear[0].Port=22
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood=1
firewall.@defaults[0].output=ACCEPT
firewall.@defaults[0].forward=REJECT
firewall.@defaults[0].input=ACCEPT
firewall.@zone[0]=zone
firewall.@zone[0].name=lan
firewall.@zone[0].input=ACCEPT
firewall.@zone[0].output=ACCEPT
firewall.@zone[0].forward=ACCEPT
firewall.@zone[0].network=lan
firewall.@zone[1]=zone
firewall.@zone[1].name=wan
firewall.@zone[1].input=REJECT
firewall.@zone[1].output=ACCEPT
firewall.@zone[1].forward=REJECT
firewall.@zone[1].masq=1
firewall.@zone[1].mtu_fix=1
firewall.@zone[1].network=wan wan6
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src=lan
firewall.@forwarding[0].dest=wan
firewall.@rule[0]=rule
firewall.@rule[0].name=Allow-DHCP-Renew
firewall.@rule[0].src=wan
firewall.@rule[0].proto=udp
firewall.@rule[0].dest_port=68
firewall.@rule[0].target=ACCEPT
firewall.@rule[0].family=ipv4
firewall.@rule[1]=rule
firewall.@rule[1].name=Allow-Ping
firewall.@rule[1].src=wan
firewall.@rule[1].proto=icmp
firewall.@rule[1].icmp_type=echo-request
firewall.@rule[1].family=ipv4
firewall.@rule[1].target=ACCEPT
firewall.@rule[2]=rule
firewall.@rule[2].name=Allow-DHCPv6
firewall.@rule[2].src=wan
firewall.@rule[2].proto=udp
firewall.@rule[2].src_ip=fe80::/10
firewall.@rule[2].src_port=547
firewall.@rule[2].dest_ip=fe80::/10
firewall.@rule[2].dest_port=546
firewall.@rule[2].family=ipv6
firewall.@rule[2].target=ACCEPT
firewall.@rule[3]=rule
firewall.@rule[3].name=Allow-ICMPv6-Input
firewall.@rule[3].src=wan
firewall.@rule[3].proto=icmp
firewall.@rule[3].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type router-solicitation neighbour-solicitation router-advertisement neighbour-advertisement
firewall.@rule[3].limit=1000/sec
firewall.@rule[3].family=ipv6
firewall.@rule[3].target=ACCEPT
firewall.@rule[4]=rule
firewall.@rule[4].name=Allow-ICMPv6-Forward
firewall.@rule[4].src=wan
firewall.@rule[4].dest=*
firewall.@rule[4].proto=icmp
firewall.@rule[4].icmp_type=echo-request echo-reply destination-unreachable packet-too-big time-exceeded bad-header unknown-header-type
firewall.@rule[4].limit=1000/sec
firewall.@rule[4].family=ipv6
firewall.@rule[4].target=ACCEPT
firewall.@include[0]=include
firewall.@include[0].path=/etc/firewall.user
luci.main=core
luci.main.lang=auto
luci.main.mediaurlbase=/luci-static/openwrt.org
luci.main.resourcebase=/luci-static/resources
luci.flash_keep=extern
luci.flash_keep.uci=/etc/config/
luci.flash_keep.dropbear=/etc/dropbear/
luci.flash_keep.openvpn=/etc/openvpn/
luci.flash_keep.passwd=/etc/passwd
luci.flash_keep.opkg=/etc/opkg.conf
luci.flash_keep.firewall=/etc/firewall.user
luci.flash_keep.uploads=/lib/uci/upload/
luci.languages=internal
luci.sauth=internal
luci.sauth.sessionpath=/tmp/luci-sessions
luci.sauth.sessiontime=3600
luci.ccache=internal
luci.ccache.enable=1
luci.themes=internal
luci.themes.Bootstrap=/luci-static/bootstrap
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.globals=globals
network.globals.ula_prefix=fdd5:429b:7cf6::/48
network.lan=interface
network.lan.force_link=1
network.lan.type=bridge
network.lan.proto=static
network.lan.netmask=255.255.255.0
network.lan.ip6assign=60
network.lan.ipaddr=126.16.1.1
network.lan._orig_ifname=eth0 wlan0
network.lan._orig_bridge=true
network.lan.ifname=eth0
network.lan.delegate=0
network.wan=interface
network.wan.ifname=eth1
network.wan.proto=dhcp
network.wan.delegate=0
network.@switch[0]=switch
network.@switch[0].name=switch0
network.@switch[0].reset=1
network.@switch[0].enable_vlan=1
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device=switch0
network.@switch_vlan[0].vlan=1
network.@switch_vlan[0].ports=0 1 2 3 4
network.onions=interface
network.onions.proto=static
network.onions.ifname=onions
network.onions.ipaddr=10.192.0.1
network.onions.netmask=255.192.0.0
network.onions.delegate=0
network.wifi=interface
network.wifi.proto=static
network.wifi.ipaddr=126.16.2.1
network.wifi.netmask=255.255.255.0
network.wifi.type=bridge
network.wifi._orig_ifname=wifi
network.wifi._orig_bridge=true
network.wifi.ifname=wifi
network.wifi.delegate=0
qos.wan=interface
qos.wan.classgroup=Default
qos.wan.enabled=0
qos.wan.upload=128
qos.wan.download=1024
qos.@classify[0]=classify
qos.@classify[0].target=Priority
qos.@classify[0].ports=22,53
qos.@classify[0].comment=ssh, dns
qos.@classify[1]=classify
qos.@classify[1].target=Normal
qos.@classify[1].proto=tcp
qos.@classify[1].ports=20,21,25,80,110,443,993,995
qos.@classify[1].comment=ftp, smtp, http(s), imap
qos.@classify[2]=classify
qos.@classify[2].target=Express
qos.@classify[2].ports=5190
qos.@classify[2].comment=AOL, iChat, ICQ
qos.@default[0]=default
qos.@default[0].target=Express
qos.@default[0].proto=udp
qos.@default[0].pktsize=-500
qos.@reclassify[0]=reclassify
qos.@reclassify[0].target=Priority
qos.@reclassify[0].proto=icmp
qos.@default[1]=default
qos.@default[1].target=Bulk
qos.@default[1].portrange=1024-65535
qos.Default=classgroup
qos.Default.classes=Priority Express Normal Bulk
qos.Default.default=Normal
qos.Priority=class
qos.Priority.packetsize=400
qos.Priority.avgrate=10
qos.Priority.priority=20
qos.Priority_down=class
qos.Priority_down.packetsize=1000
qos.Priority_down.avgrate=10
qos.Express=class
qos.Express.packetsize=1000
qos.Express.avgrate=50
qos.Express.priority=10
qos.Normal=class
qos.Normal.packetsize=1500
qos.Normal.packetdelay=100
qos.Normal.avgrate=10
qos.Normal.priority=5
qos.Normal_down=class
qos.Normal_down.avgrate=20
qos.Bulk=class
qos.Bulk.avgrate=1
qos.Bulk.packetdelay=200

Notice the “wireless” section is not included, probably because of the syntax error mentioned earlier.

Content of /etc/rc.d/S49ssid

root@anonabox:/overlay/etc/rc.d# cat S49ssid 
#!/bin/sh
#echo "date;"
#/bin/date
#echo "date"
rm -rf /tmp/hash.txt
rm -rf /tmp/hash0.txt
rm -rf /tmp/hash1.txt
rm -rf /tmp/hash2.txt
rm -rf /tmp/wifitmp.txt
echo "anbx" >> /tmp/hash.txt
/bin/date +"%s"  >> /tmp/hash.txt
echo "option ssid '" >> /tmp/hash0.txt
/bin/sed -n -e ":a" -e "$ s/\n/,/gp;N;b a" /tmp/hash.txt  >> /tmp/hash0.txt
echo "'" >> /tmp/hash0.txt
/bin/sed -n -e ":a" -e "$ s/\n/,/gp;N;b a" /tmp/hash0.txt >> /tmp/hash1.txt
/bin/sed -e 's/,//g' /tmp/hash1.txt >> /tmp/hash2.txt
echo "#" >> /tmp/wifitmp.txt
/bin/sed '/option_ssid/d' /etc/config/wireless >> /tmp/wifitmp.txt

#/bin/date +"$s" >> /tmp/hash!txt
rm -rf /etc/config/wireless
#echo "#" >> /etc/config/wireless
#cat /tmp/wifitmp.txt >> /etc/config/wireless
cp -rf /etc/config/scripts/wireless /etc/config/wireless
cat /tmp/hash2.txt >> /etc/config/wireless

I am not sure what to say about this one. It is – by far – one the ugliest pieces of shell script I have ever seen – and I have seen a lot.

On their web site, Anonabox claim that they have developed 5,201,567 lines of code. In all seriousness the above is the ONLY lines of code I found in Anonabox that actually appear to have been developed by them. The rest is standard OpenWrt. So excluding the comments:

 root@anonabox:/# cat /etc/rc.d/S49ssid | grep -v "^#" | wc -l
20

In other words, Anonabox wrote 20 lines of code, not 5201567.

Apart from being almost unbelievably clumsy, this piece of shell script illustrates a fundamental lack of knowledge of the inner workings of OpenWrt, a fundamental lack of knowledge of UNIX and shell scripting (but some love affair with ‘sed’). An update such as this should be done through uci not by editing the config file directly!

And those 20 lines of code could have been handled elegantly like:

#!/bin/sh
uci set wireless.@wifi-iface[0].ssid=anon`/bin/date +"%s"` && uci commit

One line – ONE! And that wouldn’t result in a syntax error in the configuration file.

Also I really don’t get the point of it. Why force a new ssid on the – otherwise open – WiFi on each boot. How annoying would that be in daily use?

Content of /etc/passwd

root@anonabox:/overlay/etc/rc.d# cat /etc/passwd
root:x:0:0:root:/root:/bin/false
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
tor:x:52:52:/var/lib/tor:/var/run/tor:/bin/false

Content of /etc/shadow

root@anonabox:/overlay/etc/rc.d# cat /etc/shadow
root:$1$u3ww8XNt$VSQBuEJUw70rDy3jh0JeO0:16403:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
tor:x:0:0:99999:7:::

Oh dear – hard coded root password that is completely undocumented and under normal circumstances impossible for the end-user to change. And it is: “admin”. What on earth possessed them?

Output of ‘netstat -a’

root@anonabox:~# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:58990           0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN      
tcp        0      0 126.16.2.1:9040         0.0.0.0:*               LISTEN      
tcp        0      0 anonabox.lan:9040       0.0.0.0:*               LISTEN      
tcp        0      0 localhost:9040          0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      
tcp        0      0 localhost:9050          0.0.0.0:*               LISTEN      
tcp        0      0 :::www                  :::*                    LISTEN      
tcp        0      0 :::domain               :::*                    LISTEN      
tcp        0      0 :::58168                :::*                    LISTEN      
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           
udp        0      0 126.16.2.1:9053         0.0.0.0:*                           
udp        0      0 anonabox.lan:9053       0.0.0.0:*                           
udp        0      0 localhost:9053          0.0.0.0:*                           
udp        0      0 0.0.0.0:5300            0.0.0.0:*                           
udp        0      0 :::domain               :::*                                
raw        0      0 :::58                   ::%4429580:*            58          
raw        0      0 :::58                   ::%4429580:*            58          
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  6      [ ]         DGRAM                      1037 /dev/log
unix  2      [ ]         DGRAM                      1991 /var/run/hostapd/wlan0
unix  2      [ ACC ]     STREAM     LISTENING        232 /var/run/ubus.sock
unix  2      [ ]         DGRAM                      1781 
unix  3      [ ]         STREAM     CONNECTED       2134 
unix  3      [ ]         STREAM     CONNECTED       1039 
unix  2      [ ]         DGRAM                      1550 
unix  3      [ ]         STREAM     CONNECTED       2133 
unix  3      [ ]         STREAM     CONNECTED       2166 
unix  3      [ ]         STREAM     CONNECTED       1137 
unix  3      [ ]         STREAM     CONNECTED        235 /var/run/ubus.sock
unix  3      [ ]         STREAM     CONNECTED       1993 
unix  3      [ ]         STREAM     CONNECTED       2167 /var/run/ubus.sock
unix  3      [ ]         STREAM     CONNECTED        234 
unix  2      [ ]         DGRAM                      2375 
unix  2      [ ]         DGRAM                      1330 
unix  3      [ ]         STREAM     CONNECTED       1138 /var/run/ubus.sock
unix  3      [ ]         STREAM     CONNECTED       1095 
unix  3      [ ]         STREAM     CONNECTED       1994 /var/run/ubus.sock
unix  2      [ ]         DGRAM                      1553 
unix  3      [ ]         STREAM     CONNECTED       1096 /var/run/ubus.sock
unix  3      [ ]         STREAM     CONNECTED       1040 /var/run/ubus.sock

Notice – listening on port 80 for IPv4 + IPv6 and here is the killer – what is that thing listening on port 58168. That is my friends – dropbear! In other words it is possible to SSH to that port using root/admin to login.

Content of /etc/firewall.user

root@anonabox:/etc/dropbear# cat /etc/firewall.user
# everything else LAN goes over tor
iptables -t nat -A PREROUTING -i br-lan -p tcp --syn -j REDIRECT --to-ports 9040
# udp traffic for LAN DNS (port 53) is sent to tor 9053
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-ports 9053
# everything else wifi goes over tor                                                 
iptables -t nat -A PREROUTING -i br-wifi -p tcp --syn -j REDIRECT --to-ports 9040
# udp traffic for wifi DNS (port 53) is sent to tor 9053                             
iptables -t nat -A PREROUTING -i br-wifi -p udp --dport 53 -j REDIRECT --to-ports 9053
 
# resolve the .onion hidden services
#iptables        -A INPUT      -p tcp --dport 9040     -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp -d 192.168.8.0/10 -j REDIRECT --to-port 9040
#iptables -t nat -A OUTPUT     -p tcp -d 192.168.8.0/10 -j REDIRECT --to-port 9040

# security rules from https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
#iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
#iptables -A OUTPUT -m state --state INVALID -j DROP
# security rules to prevent kernel leaks from link above
#iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
#iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP


Content of /etc/tor/torrc

root@anonabox:~# cat /etc/tor/torrc
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 127.0.0.1
TransListenAddress 126.16.1.1
TransListenAddress 126.16.2.1
DNSPort 9053
DNSListenAddress 127.0.0.1
DNSListenAddress 0.0.0.0:5300
DNSListenAddress 126.16.1.1
DNSListenAddress 126.16.2.1

## Configuration file for a typical Tor user
## Last updated 12 September 2012 for Tor 0.2.4.3-alpha.
## (may or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
## for more options you can use in this file.
##
## Tor will look for this file in various places based on your platform:
## https://www.torproject.org/docs/faq#torrc

## Tor opens a socks proxy on port 9050 by default -- even if you don't
## configure one below. Set "SocksPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.
#SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
#SocksPort 192.168.0.1:9100 # Bind to this address:port too.

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
#SocksPolicy accept 192.168.0.0/16
#SocksPolicy reject *

## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
#Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
#Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
#Log debug stderr

## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.
RunAsDaemon 1

## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
DataDirectory /var/lib/tor

## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
#CookieAuthentication 1

############### This section is just for location-hidden services ###

## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

#HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22

################ This section is just for relays #####################
#
## See https://www.torproject.org/docs/tor-doc-relay for details.

## Required: what port to advertise for incoming Tor connections.
#ORPort 9001
## If you want to listen on a port other than the one advertised in
## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
## follows.  You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORPort 443 NoListen
#ORPort 127.0.0.1:9090 NoAdvertise

## The IP address or full DNS name for incoming connections to your
## relay. Leave commented out and Tor will guess.
#Address noname.example.com

## If you have multiple network interfaces, you can specify one for
## outgoing traffic to use.
# OutboundBindAddress 10.0.0.5

## A handle for your relay, so people don't have to refer to it by key.
#Nickname ididnteditheconfig

## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 20 KB.
## Note that units for these config options are bytes per second, not bits
## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
#RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)

## Use these to restrict the maximum traffic per day, week, or month.
## Note that this threshold applies separately to sent and received bytes,
## not to their sum: setting "4 GB" may allow up to 8 GB total before
## hibernating.
##
## Set a maximum of 4 gigabytes each way per period.
#AccountingMax 4 GB
## Each period starts daily at midnight (AccountingMax is per day)
#AccountingStart day 00:00
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
## is per month)
#AccountingStart month 3 15:00

## Contact info to be published in the directory, so we can contact you
## if your relay is misconfigured or something else goes wrong. Google
## indexes this, so spammers might also collect it.
#ContactInfo Random Person <nobody AT example dot com>
## You might also include your PGP or GPG fingerprint if you have one:
#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>

## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised in
## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
## follows.  below too. You'll need to do ipchains or other port
## forwarding yourself to make this work.
#DirPort 80 NoListen
#DirPort 127.0.0.1:9091 NoAdvertise
## Uncomment to return an arbitrary blob of html on your DirPort. Now you
## can explain what Tor is if anybody wonders why your IP address is
## contacting them. See contrib/tor-exit-notice.html in Tor's source
## distribution for a sample.
#DirPortFrontPage /etc/tor/tor-exit-notice.html

## Uncomment this if you run more than one Tor relay, and add the identity
## key fingerprint of each Tor relay you control, even if they're on
## different networks. You declare it here so Tor clients can avoid
## using more than one of your relays in a single circuit. See
## https://www.torproject.org/docs/faq#MultipleRelays
## However, you should never include a bridge's fingerprint here, as it would
## break its concealability and potentionally reveal its IP/TCP address.
#MyFamily $keyid,$keyid,...

## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins. If you want to _replace_
## the default exit policy, end this with either a reject *:* or an
## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
## default exit policy. Leave commented to just use the default, which is
## described in the man page or at
## https://www.torproject.org/documentation.html
##
## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
## For security, by default Tor rejects connections to private (local)
## networks, including to your public IP address. See the man page entry
## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
#ExitPolicy accept *:119 # accept nntp as well as default exit policy
#ExitPolicy reject *:* # no exits allowed

## Bridge relays (or "bridges") are Tor relays that aren't listed in the
## main directory. Since there is no complete public list of them, even an
## ISP that filters connections to all the known Tor relays probably
## won't be able to block all the bridges. Also, websites won't treat you
## differently because they won't know you're running Tor. If you can
## be a real relay, please do; but if not, be a bridge!
#BridgeRelay 1
## By default, Tor will advertise your bridge to users through various
## mechanisms like https://bridges.torproject.org/. If you want to run
## a private bridge, for example because you'll give out your bridge
## address manually to your friends, uncomment this line:
#PublishServerDescriptor 0

User tor

Firmware Archive

If any readers feel inclined to dig deeper into this, I have made an archive with files I have ripped out from the serial console.

I put the files on Github:

https://github.com/lbthomsen/anonabox