Strange broadcasting of AP in GL-MT3000 / Beryl AX

Let's start with the fact that I use this device only for the purpose of connecting it to access points. My current working configuration file /etc/config/wireless works without errors, as intended. However, I noticed strange access points being broadcast by this device. At first they were named MTK_CHEETAH_AP_2.4G and MTK_CHEETAH_AP_5.8G. My search led me to the /etc/wireless/mediatek directory, where many .dat files define certain parameters. I tried removing the above-mentioned names from these files, but this created access points with different names, HT_AP0 and HT_AP2 (for 2.4 and 5.8 GHz respectively). Some searches led me to this page; I'm trying to find the true reason for their occurrence…

/etc/config/wireless

config wifi-device 'mt798111'
	option type 'mtk'
	option band '2g'
	option txpower '100'
	option country 'CN'
	option legacy_rates '0'
	option htmode 'HE20'
	option channel '8'

config wifi-device 'mt798112'
	option type 'mtk'
	option band '5g'
	option htmode 'HE80'
	option txpower '100'
	option country 'CN'
	option legacy_rates '0'
	option channel '153'

config wifi-iface 'wifinet1'
	option ssid 'DogNet'
	option encryption 'psk2'
	option device 'mt798111'
	option mode 'sta'
	option key '12345678'
	option network 'wwan1'
	option ifname 'apcli0'
	option macaddr 'ff:ff:ff:ff:ff:fa'

config wifi-iface 'wifinet2'
	option ssid 'CoolNet'
	option encryption 'psk2'
	option device 'mt798112'
	option mode 'sta'
	option key '12345678'
	option network 'wwan2'
	option ifname 'apclix0'
	option macaddr 'ff:ff:ff:ff:ff:fb'

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd55:9243:b92f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth0'

config device
	option name 'eth1'
	option macaddr '00:00:00:00:00:34'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'

config device
	option name 'eth0'
	option macaddr '00:00:00:00:00:00'

config device
	option name 'eth1'
	option macaddr '00:00:00:00:00:01'

config rule 'policy_bypass_vpn'
	option mark '0x60000/0x60000'
	option lookup '53'
	option priority '53'

config rule 'policy_via_vpn'
	option mark '0x80000/0x80000'
	option lookup '52'
	option priority '52'

config rule 'policy_dns'
	option mark '0x100000/0x100000'
	option lookup '51'
	option priority '51'

config interface 'wwan1'
	option proto 'dhcp'
	option metric '2'

config interface 'wwan2'
	option proto 'dhcp'
	option metric '1'

iwconfig print

lo        no wireless extensions.

eth0      no wireless extensions.

eth1      no wireless extensions.

br-lan    no wireless extensions.

ra0       IEEE 802.11ax  ESSID:"HT_AP0"
          Mode:Master  Channel:8  Access Point: 00:00:00:00:00:35
          Bit Rate=286 Mb/s
          Link Quality:10  Signal level:0  Noise level:176
          Rx invalid nwid:0  invalid crypt:0  invalid misc:0
		  
ra1       IEEE 802.11ax  ESSID:"HT_AP1"
          Mode:Master  Channel:153  Access Point: 00:00:00:00:00:36
          Bit Rate=1.201 Gb/s
          Link Quality:10  Signal level:0  Noise level:176
          Rx invalid nwid:0  invalid crypt:0  invalid misc:0

apcli0    IEEE 802.11ax  ESSID:"DogNet"
          Mode:Managed  Channel:8  Access Point: FF:FF:FF:FF:FF:FA
          Bit Rate=286 Mb/s
          Link Quality=100/0  Signal level:-48 dBm  Noise level:-80 dBm
          Rx invalid nwid:0  invalid crypt:0  invalid misc:0

apclix0   IEEE 802.11ax  ESSID:"CoolNet"
          Mode:Managed  Channel:153  Access Point: FF:FF:FF:FF:FF:FB
          Bit Rate=1.201 Gb/s
          Link Quality=100/0  Signal level:-59 dBm  Noise level:-80 dBm
          Rx invalid nwid:0  invalid crypt:0  invalid misc:0

rax0      IEEE 802.11ax  ESSID:"HT_AP2"
          Mode:Master  Channel:153  Access Point: 00:00:00:00:00:36
          Bit Rate=1.201 Gb/s
          Link Quality:10  Signal level:0  Noise level:176
          Rx invalid nwid:0  invalid crypt:0  invalid misc:0

rax1      no wireless extensions.

ifconfig print

apcli0    Link encap:Ethernet  HWaddr FF:FF:FF:FF:FF:FA
          inet addr:192.168.1.201  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:343574 errors:0 dropped:1 overruns:0 frame:0
          TX packets:11710493 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:85837648 (81.8 MiB)  TX bytes:14748808132 (13.7 GiB)

apclix0   Link encap:Ethernet  HWaddr FF:FF:FF:FF:FF:FB
          inet addr:192.168.5.11  Bcast:192.168.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1301517 errors:0 dropped:1 overruns:0 frame:0
          TX packets:39324494 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:363096824 (346.2 MiB)  TX bytes:47106415148 (43.8 GiB)

br-lan    Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2774716 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3393601 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1817116495 (1.6 GiB)  TX bytes:2738650287 (2.5 GiB)

eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:49516195 errors:0 dropped:75 overruns:0 frame:0
          TX packets:33885538 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61788338637 (57.5 GiB)  TX bytes:31300107318 (29.1 GiB)
          Interrupt:75

eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:75

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:9649 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9649 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:726343 (709.3 KiB)  TX bytes:726343 (709.3 KiB)

ra0       Link encap:Ethernet  HWaddr 00:00:00:00:00:35
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:86 errors:5 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14748 (14.4 KiB)  TX bytes:5670 (5.5 KiB)
          Interrupt:7

ra1       Link encap:Ethernet  HWaddr 00:00:00:00:00:36
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rax0      Link encap:Ethernet  HWaddr 00:00:00:00:00:36
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

As you can see, the above-mentioned networks are nowhere to be found in the configuration. They are created automatically by the driver, but why? And how can this be managed? Right now they are open, and you can even connect to them.

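The iwconfig output posted above is the evidence: three interfaces sit in Mode:Master with SSIDs that /etc/config/wireless never declares. The script below is an added example, not from this thread and not GL.iNet code; it automates that comparison so it can be re-run after every boot. It parses a UCI wireless file and saved iwconfig output (both read from files) and lists every Master-mode interface whose SSID is not an enabled AP in the config. The embedded sample inputs are constructed in the shape of the outputs above, not the OP's real files; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): list interfaces that are in AP mode
# (iwconfig "Mode:Master") and broadcasting an SSID that /etc/config/wireless
# does not declare as an enabled AP. The HT_AP* / MTK_CHEETAH_* networks from
# the posts above would show up here. Sample inputs are constructed, not real.

# Print the SSID of every wifi-iface with mode 'ap' that is not disabled.
# Reads a UCI wireless config on stdin.
declared_ap_ssids() {
  awk '
    function flush() {
      if (sec == "wifi-iface" && mode == "ap" && disabled != "1" && ssid != "")
        print ssid
      sec = ""; ssid = ""; mode = ""; disabled = ""
    }
    $1 == "config" { flush(); sec = $2; next }
    $1 == "option" {
      v = $0                                   # keep SSIDs that contain spaces
      sub(/^[[:space:]]*option[[:space:]]+[^[:space:]]+[[:space:]]+/, "", v)
      gsub("\047", "", v)                      # strip the UCI single quotes
      if ($2 == "ssid")          ssid = v
      else if ($2 == "mode")     mode = v
      else if ($2 == "disabled") disabled = v
    }
    END { flush() }
  '
}

# Print "iface ssid" for every interface iwconfig reports in Master mode.
# Reads iwconfig output on stdin.
broadcast_aps() {
  awk '
    /^[^[:space:]]/ {                  # an interface block starts in column 1
      iface = $1; ssid = ""
      if (match($0, /ESSID:"[^"]*"/)) ssid = substr($0, RSTART + 7, RLENGTH - 8)
      next
    }
    /Mode:Master/ && ssid != "" { print iface, ssid }
  '
}

# Print "iface ssid" for every Master-mode interface whose SSID is not a
# declared, enabled AP. $1 = wireless config file, $2 = saved iwconfig output.
rogue_aps() {
  declared=$(declared_ap_ssids < "$1")
  broadcast_aps < "$2" | while read -r iface ssid; do
    printf '%s\n' "$declared" | grep -Fxq -- "$ssid" || echo "$iface $ssid"
  done
}

# Constructed sample config: one enabled AP, one STA, one AP that is declared
# but disabled. Section and SSID names are invented for the example.
SAMPLE_WIRELESS="config wifi-device 'mt798111'
    option type 'mtk'
    option band '2g'

config wifi-iface 'default_radio0'
    option device 'mt798111'
    option mode 'ap'
    option ssid 'HomeNet'
    option encryption 'psk2'
    option key 'redacted'

config wifi-iface 'wifinet1'
    option device 'mt798111'
    option mode 'sta'
    option ssid 'DogNet'
    option network 'wwan1'

config wifi-iface 'guest_5g'
    option device 'mt798112'
    option mode 'ap'
    option ssid 'HT_AP2'
    option disabled '1'"

# Constructed sample iwconfig output in the layout the MTK driver prints.
SAMPLE_IWCONFIG='lo        no wireless extensions.

ra0       IEEE 802.11ax  ESSID:"HomeNet"
          Mode:Master  Channel:8  Access Point: 00:00:00:00:00:35

ra1       IEEE 802.11ax  ESSID:"HT_AP1"
          Mode:Master  Channel:153  Access Point: 00:00:00:00:00:36

apcli0    IEEE 802.11ax  ESSID:"DogNet"
          Mode:Managed  Channel:8  Access Point: FF:FF:FF:FF:FF:FA

rax0      IEEE 802.11ax  ESSID:"HT_AP2"
          Mode:Master  Channel:153  Access Point: 00:00:00:00:00:36'

# Run the audit on the embedded samples. HomeNet is declared and enabled, so
# only "ra1 HT_AP1" and "rax0 HT_AP2" are reported (HT_AP2 is declared but
# disabled, so it being on the air is still unexpected).
audit_sample() {
  tmp=$(mktemp -d) || return 1
  printf '%s\n' "$SAMPLE_WIRELESS" > "$tmp/wireless"
  printf '%s\n' "$SAMPLE_IWCONFIG" > "$tmp/iwconfig.txt"
  rogue_aps "$tmp/wireless" "$tmp/iwconfig.txt"
  rm -rf "$tmp"
}

# On the router: iwconfig > /tmp/iw.txt; sh audit.sh /etc/config/wireless /tmp/iw.txt
if [ "$#" -eq 2 ]; then
  rogue_aps "$1" "$2"
else
  audit_sample
fi
```

A non-empty result is exactly what this thread describes: an AP the driver brought up on its own. A declared-but-disabled AP that still appears is flagged too, since "disabled" means it should not be in the air. Since the later posts say the phantom SSIDs appear around boot, the useful time to run this is shortly after startup, before they vanish again.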

I can confirm I've seen the same from my Beryl AX. I've been trying to set up a USB WiFi dongle and then suddenly noticed HT_AP0 and 2. Then, after trying to connect a few times (they are open networks, no password), I noticed the SSIDs changed to your CHEETAH version. So mine did the reverse.
I was going to blame the new drivers for the USB dongle, so I factory reset the Beryl, and after changing the default SSID names I noticed HT_AP0 appeared, but it has now disappeared again.
The signal strength for the rogue SSIDs was the same in both cases as the Beryl's; also, I can confirm the SSIDs disappeared when the Beryl was powered off.

Kernel Version 5.4.211
Firmware Version OpenWrt 21.02-SNAPSHOT r15812+879-46b6ee7ffc / LuCI openwrt-21.02 branch git-22.245.77575-63bfee6
Admin Panel v4.4.6

Well, I can make the SSIDs appear.
1. Netgear AC6210 USB dongle in the USB slot.
2. Go to Applications > Plugins after connecting the Beryl to the internet, and load:
   KMOD_MT76x2u
   wpad-basic-wolfssl
   usbutil
   pciutil
3. Reboot the Beryl with the dongle in the USB slot.
4. In the web admin, System > Advanced Settings, connect to the LuCI admin.
5. In LuCI go to the Network > Wireless panel.
6. On the radio0 device, click on the Scan option.

The HT_AP1 and HT_AP3 SSIDs appear with the same BSSID addresses as the Beryl networks.

I think I understand why this could have happened. You need to explicitly register the 4 networks as they were originally specified: 2 networks are 2.4g and 5g, and 2 are guest networks, 2g and 5g respectively. Now tell them disable = 1 or enable = 0 (I don't remember exactly); this will force them to use new names associated with your devices, and then disable them. Unless of course you don't need them.

The easiest way is to take the default settings from the factory settings, disable them in the GL web interface, and then use the contents of the file /etc/config/wireless.
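What the post above describes, written out as an added example (this is not the OP's file and not GL.iNet's factory config): the four AP wifi-ifaces are declared explicitly, bound to the two radios named in the OP's config, and each is switched off. Two assumptions are labelled in the block: that the GL.iNet mtk scripts honour stock OpenWrt's `option disabled '1'` (the poster recalls it as "disable = 1 or enable = 0"), and that the section names below match what /rom/etc/config/wireless uses on your unit, so take the real names from that file. The SSIDs and the key are placeholders.

```uci
# Added example: explicit, disabled AP stanzas so the driver has nothing to
# fill in with HT_AP*/MTK_CHEETAH_* defaults. Keep the OP's two 'sta' stanzas
# (wifinet1/wifinet2) as they are; these four are in addition to them.
# ASSUMPTION: section names follow /rom/etc/config/wireless on your device.
# ASSUMPTION: 'disabled' is the option the GL.iNet mtk scripts honour.

config wifi-iface 'default_radio0'
	option device 'mt798111'
	option mode 'ap'
	option network 'lan'
	option ssid 'unused-2g'
	option encryption 'psk2'
	option key 'replace-with-a-long-random-passphrase'
	option disabled '1'

config wifi-iface 'guest_radio0'
	option device 'mt798111'
	option mode 'ap'
	option network 'lan'
	option ssid 'unused-2g-guest'
	option encryption 'psk2'
	option key 'replace-with-a-long-random-passphrase'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'mt798112'
	option mode 'ap'
	option network 'lan'
	option ssid 'unused-5g'
	option encryption 'psk2'
	option key 'replace-with-a-long-random-passphrase'
	option disabled '1'

config wifi-iface 'guest_radio1'
	option device 'mt798112'
	option mode 'ap'
	option network 'lan'
	option ssid 'unused-5g-guest'
	option encryption 'psk2'
	option key 'replace-with-a-long-random-passphrase'
	option disabled '1'
```

Giving each disabled stanza a WPA2 key is deliberate: if the driver ever brings the interface up in spite of the flag, it comes up keyed rather than open on br-lan, which is the failure the later posts in this thread describe. After `wifi reload` and a reboot, confirm with `iwconfig` that no interface remains in Mode:Master.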

This is likely because your router uses the MediaTek SDK firmware; this means you probably used a setting not compatible with the MediaTek drivers, since most of it works natively, apart from OpenWrt's.

I had this too on my Flint 2. I started with a clean wifi config and only resorted to using the GL UI, and later I checked in LuCI how it is reflected :)

You might be able to get factory config via:

/rom/etc/config/wireless

This is an MT3000, and you can recreate this effect at home quite simply. Delete everything that is in the wireless file. Reboot.



Wasn't it a well-known issue?!

  • MTK_CHEETAH_AP_2.4G
  • MTK_CHEETAH_AP_5G

It always broadcasts those two SSIDs when booting up, no matter whether just after a hard reset or fully configured with 4 custom SSIDs. So taking a screenshot is very easy.

As OP said, it allows full access to the LAN (br-lan) without any key. I've witnessed that it blindly allows access to the entire network, and it was even easily done by point-and-click on a plain 5-year-old PC.

So basically it's possible to steal information and find vulnerabilities every time an MT3000 reboots, by installing a special rogue device within the Wi-Fi coverage.

Even so, I don't really care much about it, because it disappears soon. There's no scheduled reboot; moreover, nothing is so valuable that someone would target me, wait for months, and then crack internal security in that short time. I'm just aware of it.

https://www.reddit.com/r/GlInet/comments/16y1ebs/

  • I don't understand it, but it seems that it can't be easily fixed. If so, from a strict security perspective, it has to be unbridged during boot. Though I don't want to strongly request a fix.