1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Decoding the BEFW11S4 Config

Discussion in 'Other Linksys Equipment' started by mungewell, Sep 8, 2006.

  1. mungewell

    mungewell LI Guru Member

    Hi all,
    I've started hacking away at the BEFW11S4 in an attempt to improve (or really make use of the inbuilt) functionality. So the starting point is obviously the config file.... NVCfgData.cfg.

    It appears that this is 'encrypted' (not really - just all the bits inverted). The attached code can 'decrypt' leaving the settings in plain hex, which can be dumped with 'hexdump -C'.

    This appears to be grouped in blocks, with blocks starting with a marker and followed by '00'. I am working on the assumption that these are just a dump of the contents on the NVRam.

    I've started decoding what each of these mean:
    01 - 01, String Password
    03 - Byte Channel, String ESSID, ....
    04 - Byte[4] DHCP Base, ...
    08 - Byte[4] Lan IP, Byte[4] Netmask, ....
    0A - Byte Manufacturer
    13 - ??
    24 - Byte Beacon, Word Frag, Word RTS
    31 - String Hardware Version
    37 - Byte [8] WEP Key
    5C - Word MTU, ...
    6F - ??, Word Remote Access, ...
    82 - ??
    AE - loads of user set port forwarding info
    B6 - String Hostname
    C6 - loads of DMZ forwarding info
    FE - ??

    These are grouped into 4 sections with 'FF, 00' padding in between.

    I'm only working with one unit (HW 3.2, SW 1.45.10) and would be interested if this can be confirmed with another unit or different product - the WAP22 uses same processor and is likely to have similar code.

    I would be particularly interested to find out how the WAP22 encodes the client access modes, and whether these can be added to the BEFW11S4 via added the appropriate stuff to the config.

    What interesting is that it appears that you could set much wider ranges on IPs, have multiple DMZ (just preconfiged forwarding), etc although I have not yet tried modifing and uploaded a config.

    'Strings' on the firmware also shows up a few interesting things, but I'll save those for another posting.


    Magic Decoder Below.
    #include <stdio.h>
    #include <stdlib.h>
    #include <ctype.h>

    int main(int argc, char *argv[])
    int ch, count;
    FILE *fp;

    if (argc < 2) {
    fp = stdin;
    } else {
    if (NULL == (fp = fopen(argv[1], "r"))) {
    fprintf(stderr, "Error: Cannot open file %s\n", argv[1]);

    while (EOF != (ch =fgetc(fp))) {
    ch = ~ch;

    fputc(ch, stdout);

    fputc('\n', stdout);
    return EXIT_SUCCESS;
  2. JolinarNuun

    JolinarNuun Guest


    Hey I was wondering if anyone can help me...I just got the Linksys befw11s4 v.2 and he didn't have the setup disk. I know this sounds very scetchy, ut I just need some help...

    I can even give a serial number if you need. I would get the file from him if I could, but he has already purged it. If anyone can help, please contact me at chibi_gohan_328@hotmail.com.

Share This Page