OpenWrt boot logs are dense. A single capture exposes the U-Boot version, kernel revision, every loaded module, and the full userspace service stack. BootIntel reads all of it in under 10 seconds and ranks findings by exploitability.
What BootIntel detects on OpenWrt
- U-Boot misconfigurations — interruptible autoboot, debug-console flags, unsigned FIT loads, NETBOOT exposure.
- Kernel-version CVEs — every Linux subrelease matched against the NVD CVE feed. 4.x and 5.15 LTS branches are most common; we catch all of them.
- Stale package versions — BusyBox, Dropbear, dnsmasq, uhttpd, hostapd. The boot log shows the running version; we match it against the highest-fixed CVE for that exact subrelease.
- Exposed services — telnetd auto-launch, dropbear bound to 0.0.0.0 instead of the LAN interface, uhttpd listening on the WAN.
- MTD partition leaks — partition names that reveal where WiFi calibration data, MAC addresses, or factory-default credentials live in flash.
- Procd init oddities — debug services left on after vendor customization (common on TP-Link, ASUS, Linksys forks).
What a real OpenWrt boot log looks like
U-Boot 2020.10 (Sep 17 2023 - 11:38:21 +0000)
Model: TP-Link Archer C7 v5
DRAM: 128 MiB
NAND: ONFI device found
Hit any key to stop autoboot: 3
[ 0.000000] Linux version 5.15.137 (builder@buildhost)
(mips-openwrt-linux-musl-gcc (OpenWrt GCC 11.2.0 r19685-512e76967f))
[ 0.000000] CPU0 revision is: 00019374 (MIPS 74Kc)
[ 1.234567] mtd: device 0 (boot)
[ 1.235500] mtd: device 2 (factory)
[ 3.123456] procd: - early -
[ 4.234567] dropbear[1234]: Not backgrounding
[ 4.345678] uhttpd[1235]: Listening on 0.0.0.0:80 0.0.0.0:443
[ 4.456789] dnsmasq[1236]: started, version 2.86 cachesize 150
Example findings BootIntel surfaces
- Bootloader interruption possible (CRITICAL) — U-Boot 2020.10 with a 3-second autoboot countdown lets anyone with serial access enter the U-Boot shell. From there: printenv + tftpboot = remote-controlled firmware swap.
- dnsmasq 2.86 cache-poisoning susceptibility (HIGH) — CVE-2022-0934 is fixed in 2.87; 2.86 is still affected.
- BusyBox awk parser bug (HIGH) — if the OpenWrt build pulled BusyBox before 1.34, the awk parser bug (CVE-2021-42385) is unfixed. The BusyBox version is visible in the boot banner.
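A minimal sketch of this kind of boot-log triage, added here as an illustration; it is not BootIntel's code. The regexes, finding names and the SENSITIVE_PARTS list are assumptions, and the sample log is constructed from the capture shown above.

```python
import re

# Constructed sample, modelled on the capture shown above.
SAMPLE_LOG = """\
U-Boot 2020.10 (Sep 17 2023 - 11:38:21 +0000)
Model: TP-Link Archer C7 v5
Hit any key to stop autoboot: 3
[ 0.000000] Linux version 5.15.137 (builder@buildhost)
[ 1.235500] mtd: device 2 (factory)
[ 4.345678] uhttpd[1235]: Listening on 0.0.0.0:80 0.0.0.0:443
[ 4.456789] dnsmasq[1236]: started, version 2.86 cachesize 150
"""

# Component name -> pattern capturing the version from its banner line.
VERSION_PATTERNS = {
    "u-boot": re.compile(r"^U-Boot (\d{4}\.\d{2}\S*)"),
    "linux": re.compile(r"Linux version (\d+\.\d+(?:\.\d+)?)"),
    "dnsmasq": re.compile(r"dnsmasq\[\d+\]: started, version (\S+)"),
}
AUTOBOOT = re.compile(r"Hit any key to stop autoboot:\s*(\d+)")
LISTENER = re.compile(r"(\w+)\[\d+\]: Listening on (.+)$")
MTD = re.compile(r"mtd: device (\d+) \((\w+)\)")
SENSITIVE_PARTS = {"factory", "art", "calibration"}  # assumed name list


def triage(log):
    """Return (versions, findings) extracted from a boot log string."""
    versions, findings = {}, []
    for line in log.splitlines():
        for name, pat in VERSION_PATTERNS.items():
            m = pat.search(line)
            if m:
                versions.setdefault(name, m.group(1))  # keep first banner seen
        m = AUTOBOOT.search(line)
        if m and int(m.group(1)) > 0:  # non-zero countdown on the console
            findings.append(("autoboot-interruptible", f"{m.group(1)}s countdown"))
        m = LISTENER.search(line)
        if m:  # flag only sockets bound to every interface
            wild = [a for a in m.group(2).split() if a.startswith(("0.0.0.0:", "[::]:"))]
            if wild:
                findings.append(("wildcard-listener", f"{m.group(1)} on {' '.join(wild)}"))
        m = MTD.search(line)
        if m and m.group(2).lower() in SENSITIVE_PARTS:
            findings.append(("sensitive-mtd", f"mtd{m.group(1)} ({m.group(2)})"))
    return versions, findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The extracted versions are the input to the CVE matching step described above; that lookup needs a vulnerability feed and is not shown here.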
Related reading
- Reading OpenWrt Boot Logs for Security Issues — phase-by-phase walkthrough of a real Archer C7 capture.
- U-Boot Security Misconfigurations: The Top 10 — the bootloader layer most OpenWrt devices use.
- Finding UART Pins on an Unknown Board — get to the boot log in the first place.