Cloud Router Switch CRS125-24G-1S-RM, RouterOS 6.24, Mac OS X 10.8.5 (dhcpd/tftp running on Mac)

Ever wondered if you could get a real shell on a RouterBoard? The answer is yes, yes you can. I recently wanted to know how RouterOS on a Mikrotik CRS125-24G-1S-RM actually sets up VLANs internally so that I can duplicate a complicated set up that I already have on a Ubiquiti EdgeRouter. Below is how to get a busybox shell via ssh or the console. Once you are in, you'll see that the busybox included is pretty limited; however, you can upload a fully operational busybox via the RouterOS web admin interface (WebFig) and then execute that one. With the new busybox, things like ifconfig, dmesg, ls, vconfig, and many more will work.

1. Choose a machine that you want to serve the openwrt boot image.

2. Configure your wired ethernet interface to have an IP address of 192.168.88.5 and a netmask of 255.255.255.0

3. Download the openwrt image I compiled for booting into a CRS125 from https://github.com/ryanchapman/openwrt-mikrotik-crs125/raw/master/bin/ar71xx/openwrt-ar71xx-mikrotik-vmlinux-initramfs.elf into /Users/ryan/tftpboot/vmlinux

4. Modify your tftp plist file to look like this:

Ryans-MacBook-Pro:~ ryan$ cat /System/Library/LaunchDaemons/tftp.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <true/>
    <key>Label</key>
    <string>com.apple.tftpd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/tftpd</string>
        <string>-i<string>
        <string>/Users/ryan/tftpboot</string>
    </array>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <true/>
    </dict>
    <key>InitGroups</key>
    <true/>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockServiceName</key>
            <string>tftp</string>
            <key>SockType</key>
            <string>dgram</string>
        </dict>
    </dict>
</dict>
</plist>
Ryans-MacBook-Pro:~ ryan$

5. Load the tftp plist file and start the tftp server:

sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist
sudo launchctl start com.apple.tftpd

6. Create a dhcpd config file

Ryans-MacBook-Pro:~ ryan$ cat /etc/dhcpd.conf
ddns-update-style interim;

# option definitions common to all supported networks...
#default-lease-time 600;
default-lease-time 14400;
max-lease-time 7200;
authoritative;

allow bootp;
allow booting;

subnet 192.168.88.0 netmask 255.255.255.0 {
    filename "vmlinux";
    next-server 192.168.88.5;
    range dynamic-bootp 192.168.88.15 192.168.88.254;
}

Ryans-MacBook-Pro:~ ryan$

7. Start the dhcp daemon with

sudo dhcpd -d en0
(replace en0 with your wired ethernet interface on your Mac, use ifconfig if unsure)
Ryans-MacBook-Pro:~ ryan$ sudo dhcpd -d en0
dyld: DYLD_ environment variables being ignored because main executable (/usr/bin/sudo) is setuid or setgid
Internet Systems Consortium DHCP Server 4.1-ESV-R4
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Wrote 3 leases to leases file.
Listening on BPF/en0/00:XX:XX:XX:XX:XX/192.168.88.0/24
Sending on   BPF/en0/00:XX:XX:XX:XX:XX/192.168.88.0/24
Sending on   Socket/fallback/fallback-net

If you see output like above and no errors, exit dhcpd with Ctrl-C then type sudo dhcpd en0 & to get it to run in the background. You may have to press enter a few times to get a prompt to show up again.

8. Attach an ethernet cable to port 1 on the CRS125 and plug the other end into your Mac running dhcpd

9. Connect a cable to the console port of the CRS125 and the other end to a serial port on your Mac (I'm using a Asunflower FTDI USB-to-console cable which you can find on Amazon for less than $20)

10. Install kermit with brew install kermit (visit http://brew.sh if you don't have brew)

11. Start kermit and connect to the console port.

Ryans-MacBook-Pro:~ ryan$ ls -l /dev/tty.usbserial*
crw-rw-rw-  1 root  wheel   33,  10 Sep  7 23:34 /dev/tty.usbserial-AL00B1FN
Ryans-MacBook-Pro:~ ryan$
Ryans-MacBook-Pro:~ ryan$ kermit
C-Kermit 9.0.302 OPEN SOURCE:, 20 Aug 2011, for Mac OS X 10.8.2 (64-bit)
 Copyright (C) 1985, 2011,
  Trustees of Columbia University in the City of New York.
Type ? or HELP for help.
(/Users/ryan/) C-Kermit>set line /dev/tty.usbserial-AL00B1FN
(/Users/ryan/) C-Kermit>set speed 115200
/dev/tty.usbserial-AL00B1FN, 115200 bps
(/Users/ryan/) C-Kermit>set carrier-watch off
(/Users/ryan/) C-Kermit>connect
Connecting to /dev/tty.usbserial-AL00B1FN, speed 115200
 Escape character: Ctrl-\ (ASCII 28, FS): enabled
Type the escape character followed by C to get back,
or followed by ? to see other options.
----------------------------------------------------

12. Now power on your MikroTik CRS125. You'll have to press any key when prompted on boot to change the boot order, so be ready. You'll change the boot order by pressing o, e, x as you'll see below.

----------------------------------------------------
(/Users/ryan/) C-Kermit>conn
Connecting to /dev/tty.usbserial-AL00B1FN, speed 115200
 Escape character: Ctrl-\ (ASCII 28, FS): enabled
Type the escape character followed by C to get back,
or followed by ? to see other options.
----------------------------------------------------


RouterBOOT booter 3.19

CRS125-24G-1S

CPU frequency: 600 MHz
 Memory speed: 200 MHz
  Memory size: 128 MiB
    NAND size: 128 MiB

Press any key within 2 seconds to enter setup

RouterBOOT-3.19
What do you want to configure?
   d - boot delay
   k - boot key
   s - serial console
   n - silent boot
   o - boot device
   f - cpu frequency
   r - reset booter configuration
   e - format nand
   w - repartition nand
   g - upgrade firmware
   i - board info
   p - boot protocol
   b - booter options
   t - do memory testing
   x - exit setup
your choice: o - boot device

Select boot device:
   e - boot over Ethernet
   n - boot from NAND, if fail then Ethernet
   1 - boot Ethernet once, then NAND
 * o - boot from NAND only
   b - boot chosen device
   f - boot Flash Configure Mode
   3 - boot Flash Configure Mode once, then NAND
your choice: e - boot over Ethernet

RouterBOOT-3.19
What do you want to configure?
   d - boot delay
   k - boot key
   s - serial console
   n - silent boot
   o - boot device
   f - cpu frequency
   r - reset booter configuration
   e - format nand
   w - repartition nand
   g - upgrade firmware
   i - board info
   p - boot protocol
   b - booter options
   t - do memory testing
   x - exit setup
your choice: x - exit setup


writing settings to flash... OK


RouterBOOT booter 3.19

CRS125-24G-1S

CPU frequency: 600 MHz
 Memory speed: 200 MHz
  Memory size: 128 MiB
    NAND size: 128 MiB

Press any key within 2 seconds to enter setup..
trying bootp protocol................... OK
Got IP address: 192.168.88.16
resolved mac address 00:XX:XX:XX:XX:XX
transfer started .............................*............ transfer ok, time=3.01s
setting up elf image... OK
jumping to kernel code
[    0.000000] Linux version 4.1.6 ([email protected]) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r46796) ) #10 Sun Sep 6 04:19:18 EDT 2015
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001974c (MIPS 74Kc)
[    0.000000] SoC: Atheros AR9344 rev 2
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] User-defined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line: lcd_ctrl=84 parts=1 boot_part_size=4194304 gpio=233019 HZ=300000000 mem=128M kmac=4C:5E:0C:99:E3:9D board=crs125g ver=3.19 boot=1 mlc=7 console=ttyS0,115200 root=/dev/mtdblock2 rootfstype=squashfs,yaffs,jffs2 noinitrd rootfstype=yaffs noinitrd
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 124004K/131072K available (2516K kernel code, 152K rwdata, 532K rodata, 2104K init, 184K bss, 7068K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:83
[    0.000000] Clocks: CPU:600.000MHz, DDR:400.000MHz, AHB:400.000MHz, Ref:25.000MHz
[    0.000000] clocksource MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6370868154 ns
[    0.000009] sched_clock: 32 bits at 300MHz, resolution 3ns, wraps every 7158278654ns
[    0.008003] Calibrating delay loop... 299.82 BogoMIPS (lpj=1499136)
[    0.080747] pid_max: default: 32768 minimum: 301
[    0.085611] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.092366] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.102438] clocksource jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.113071] NET: Registered protocol family 16
[    0.119033] MIPS: machine is RouterBOARD CRS125-24G-1S
[    0.354096] Switched to clocksource MIPS
[    0.359362] NET: Registered protocol family 2
[    0.364633] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.371756] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.378331] TCP: Hash tables configured (established 1024 bind 1024)
[    0.384913] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.390867] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.397620] NET: Registered protocol family 1
[    2.745167] futex hash table entries: 256 (order: -1, 3072 bytes)
[    2.765559] io scheduler noop registered
[    2.769538] io scheduler deadline registered (default)
[    2.775165] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    2.782051] console [ttyS0] disabled
[    2.805831] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a 16550A
[    2.814658] console [ttyS0] enabled
[    2.814658] console [ttyS0] enabled
[    2.821803] bootconsole [early0] disabled
[    2.821803] bootconsole [early0] disabled
[    2.834338] nand: device found, Manufacturer ID: 0x98, Chip ID: 0xf1
[    2.840909] nand: Toshiba NAND 128MiB 3,3V 8-bit
[    2.845703] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[    2.853560] Scanning device for bad blocks
[    2.952681] Creating 3 MTD partitions on "ar934x-nfc":
[    2.958010] 0x000000000000-0x000000040000 : "booter"
[    2.964028] 0x000000040000-0x000000400000 : "kernel"
[    2.969968] 0x000000400000-0x000008000000 : "rootfs"
[    2.976146] mtd: device 2 (rootfs) set to be root filesystem
[    2.983880] mtdsplit: no squashfs found in "rootfs"
[    2.989578] mtdsplit: no squashfs found in "ar934x-nfc"
[    3.032821] libphy: ag71xx_mdio: probed
[    3.625988] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:RGMII
[    3.633482] NET: Registered protocol family 17
[    3.638221] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[    3.651371] 8021q: 802.1Q VLAN Support v1.8
[    3.668454] Freeing unused kernel memory: 2104K (80382000 - 80590000)
[    3.688113] init: Console is alive
[    3.691857] init: - watchdog -
[    3.717323] usbcore: registered new interface driver usbfs
[    3.723071] usbcore: registered new interface driver hub
[    3.728703] usbcore: registered new device driver usb
[    3.739186] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    3.747402] ehci-platform: EHCI generic platform driver
[    3.755732] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    3.763327] ohci-platform: OHCI generic platform driver
[    4.695771] init: - preinit -
[    4.841933] eth0: link up (1000Mbps/Full duplex)
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    7.988790] eth0: link down
[    8.001903] procd: - early -
[    8.005573] procd: - watchdog -
[    8.552079] procd: - ubus -
[    9.557472] random: ubusd urandom read with 79 bits of entropy available
[    9.575446] procd: - init -
Please press Enter to activate this console.
[   10.215886] NET: Registered protocol family 10
[   10.227637] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   10.246244] Loading modules backported from Linux version master-2015-07-21-0-g47cd203
[   10.254477] Backport generated by backports.git backports-20150626-0-gc1a4168
[   10.264958] ip_tables: (C) 2000-2006 Netfilter Core Team
[   10.280582] nf_conntrack version 0.5.0 (1970 buckets, 7880 max)
[   10.323471] xt_time: kernel timezone is -0000
[   10.347230] cfg80211: World regulatory domain updated:
[   10.352542] cfg80211:  DFS Master region: unset
[   10.357082] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   10.367154] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   10.375429] cfg80211:   (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   10.383690] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[   10.391962] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (N/A)
[   10.401765] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (0 s)
[   10.411565] cfg80211:   (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[   10.419921] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[   10.428194] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[   10.511024] PPP generic driver version 2.4.2
[   10.518067] NET: Registered protocol family 24
[   17.616533] eth0: link up (1000Mbps/Full duplex)
[   17.644699] device eth0 entered promiscuous mode
[   17.650592] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   18.604159] br-lan: port 1(eth0) entered forwarding state
[   18.609787] br-lan: port 1(eth0) entered forwarding state
[   18.644161] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   20.604107] br-lan: port 1(eth0) entered forwarding state
[   40.374123] random: nonblocking pool is initialized

12. Press enter and you'll be greeted with the OpenWRT prompt:


BusyBox v1.23.2 (2015-09-05 23:54:48 EDT) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 CHAOS CALMER (Bleeding Edge, r46796)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------
[email protected]:/#

13. Create a temporary mount directory at /mnt2

[email protected]:/# mkdir -p /mnt2
[email protected]:/#

14. Mount the flash chip on the CRS125 into the directory /mnt2

[email protected]:/# mount /dev/mtdblock2 /mnt2
[  297.951244] yaffs: dev is 32505858 name is "mtdblock2" rw
[  297.956880] yaffs: passed flags ""
[email protected]:/#
[email protected]:/# ls -l /mnt2
drwxrwxr-x    1 root     root          2048 Feb  5  2014 bin
drwxr-xr-x    1 root     root          2048 Jan  1  1970 boot
drwxr-xr-x    1 root     root          2048 Jan  1  1970 etc
drwx------    1 root     root          2048 Sep  4 14:50 lost+found
drwxr-xr-x    1 root     root          2048 Jan  1  1970 nova
drwxr-xr-x    1 root     root          2048 Jan  1  1970 rw
drwxr-xr-x    1 root     root          2048 Jan  1  1970 var

15. Touch the file /mnt2/nova/etc/devel-login. Credit goes to the person at r00t.cz for discovering this. See www.r00t.cz/Misc/MikrotikBackdoor for more info.

[email protected]:/# touch /mnt2/nova/etc/devel-login
[email protected]:/# ls -l /mnt2/nova/etc/
-rw-r--r--    1 root     root             0 Sep  4 14:53 devel-login

16. Unmount /mnt2 and reboot

[email protected]:/# umount /mnt2
[email protected]:/# reboot
[email protected]:/# [  466.597039] br-lan: port 1(eth0) entered disabled state
[  466.614340] device eth0 left promiscuous mode
[  466.618891] br-lan: port 1(eth0) entered disabled state
[  466.628785] eth0: link down
[  466.633361] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[  470.815364] reboot: Restarting system

17. Change the boot order back to boot from NAND

RouterBOOT booter 3.19

CRS125-24G-1S

CPU frequency: 600 MHz
 Memory speed: 200 MHz
  Memory size: 128 MiB
    NAND size: 128 MiB

Press any key within 2 seconds to enter setup

RouterBOOT-3.19
What do you want to configure?
   d - boot delay
   k - boot key
   s - serial console
   n - silent boot
   o - boot device
   f - cpu frequency
   r - reset booter configuration
   e - format nand
   w - repartition nand
   g - upgrade firmware
   i - board info
   p - boot protocol
   b - booter options
   t - do memory testing
   x - exit setup
your choice: o - boot device

Select boot device:
 * e - boot over Ethernet
   n - boot from NAND, if fail then Ethernet
   1 - boot Ethernet once, then NAND
   o - boot from NAND only
   b - boot chosen device
   f - boot Flash Configure Mode
   3 - boot Flash Configure Mode once, then NAND
your choice: o - boot from NAND only

RouterBOOT-3.19
What do you want to configure?
   d - boot delay
   k - boot key
   s - serial console
   n - silent boot
   o - boot device
   f - cpu frequency
   r - reset booter configuration
   e - format nand
   w - repartition nand
   g - upgrade firmware
   i - board info
   p - boot protocol
   b - booter options
   t - do memory testing
   x - exit setup
your choice: x - exit setup


writing settings to flash... OK

18. The CRS125 will boot again, but this time it will boot RouterOS that is on NAND. If you see an error message, unplug the CRS125 from power and plug it back in for a fresh boot. If all goes well, you'll see a RouterOS login:

MikroTik 6.24
MikroTik Login:

19. Log in with the username 'devel'. For the password, use the same password as is on the 'admin' account, which by default is empty (as in nothing, just press enter):

MikroTik 6.24
MikroTik Login: devel
Password:


BusyBox v1.00 (2014.12.09-08:43+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

20. Interestingly, the BusyBox provided by RouterOS is extremely limited. It doesn't even have the ls command

# ls
bash: ls: not found
#

21. No worries, echo * does the same thing:

# echo *
MikroTik-19700102-0016.backup auto-before-reset.backup autosupout.old.rif autosupout.rif pub skins
# pwd
/flash/rw/pckg
#

22. This is pretty hard to use, so download a precompiled busybox for the mips architecture that has more applets enabled. Download http://www.busybox.net/downloads/binaries/latest/busybox-mips to your Mac

23. Log into WebFig by visiting http://192.168.88.1/

24. Go to Files on the left hand side, and beside Upload:, press the Choose File button. Select the busybox binary you downloaded in step 21.

25. Back in the RouterOS console, move busybox to /flash/bin because that is already in the PATH environment variable. Also set the executable bit on busybox-mips so we can run it

# echo $PATH
/sbin:/flash//bin:/bin
#
#
# echo *
MikroTik-19700102-0016.backup auto-before-reset.backup autosupout.old.rif autosupout.rif busybox-mips pub skins
#
# mv busybox-mips /flash/bin
#
# cd /flash/bin/
# chmod +x /flash/bin/busybox-mips
#

26. Now if you run busybox-mips from any directory, you'll get a list of available applets in this busybox executable

# busybox-mips
BusyBox v1.16.1 (2010-03-29 11:53:01 CDT) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

    BusyBox is a multi-call binary that combines many common Unix
    utilities into a single executable.  Most people will create a
    link to busybox for each function they wish to use and BusyBox
    will act like whatever it was invoked as.

Currently defined functions:
    [, [[, acpid, addgroup, adduser, adjtimex, arp, arping, ash, awk,
    basename, bbconfig, beep, blkid, brctl, bunzip2, bzcat, bzip2, cal,
    cat, catv, chat, chattr, chgrp, chmod, chown, chpasswd, chpst, chroot,
    chrt, chvt, cksum, clear, cmp, comm, cp, cpio, crond, crontab, cryptpw,
    cttyhack, cut, date, dc, dd, deallocvt, delgroup, deluser, depmod,
    devmem, df, dhcprelay, diff, dirname, dmesg, dnsd, dnsdomainname,
    dos2unix, dpkg, dpkg-deb, du, dumpkmap, dumpleases, echo, ed, egrep,
    eject, env, envdir, envuidgid, ether-wake, expand, expr, fakeidentd,
    false, fbset, fbsplash, fdflush, fdformat, fdisk, fgrep, find, findfs,
    flashcp, fold, free, freeramdisk, fsck, fsck.minix, fsync, ftpd,
    ftpget, ftpput, fuser, getopt, getty, grep, gunzip, gzip, halt, hd,
    hdparm, head, hexdump, hostid, hostname, httpd, hush, hwclock, id,
    ifconfig, ifdown, ifenslave, ifplugd, ifup, inetd, init, insmod,
    install, ionice, ip, ipaddr, ipcalc, ipcrm, ipcs, iplink, iproute,
    iprule, iptunnel, kbd_mode, kill, killall, killall5, klogd, lash, last,
    length, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap,
    logger, login, logname, logread, losetup, lpd, lpq, lpr, ls, lsattr,
    lsmod, lspci, lsusb, lzmacat, lzop, lzopcat, makedevs, makemime, man,
    md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mkfifo, mkfs.minix,
    mkfs.reiser, mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modprobe,
    more, mount, mountpoint, msh, mt, mv, nameif, nc, netstat, nice,
    nmeter, nohup, nslookup, ntpd, od, openvt, passwd, pgrep, pidof, ping,
    ping6, pipe_progress, pivot_root, pkill, popmaildir, poweroff,
    printenv, printf, ps, pscan, pwd, raidautorun, rdate, rdev, readahead,
    readlink, readprofile, realpath, reboot, reformime, renice, reset,
    resize, rm, rmdir, rmmod, route, rpm, rpm2cpio, rtcwake, run-parts,
    runlevel, runsv, runsvdir, rx, script, scriptreplay, sed, sendmail,
    seq, setarch, setconsole, setfont, setkeycodes, setlogcons, setsid,
    setuidgid, sh, sha1sum, sha256sum, sha512sum, showkey, slattach, sleep,
    softlimit, sort, split, start-stop-daemon, stat, strings, stty, su,
    sulogin, sum, sv, svlogd, swapoff, swapon, switch_root, sync, sysctl,
    syslogd, tac, tail, tar, tcpsvd, tee, telnet, telnetd, test, tftp,
    tftpd, time, timeout, top, touch, tr, traceroute, traceroute6, true,
    tty, ttysize, tunctl, udhcpc, udhcpd, udpsvd, umount, uname,
    uncompress, unexpand, uniq, unix2dos, unlzma, unlzop, unzip, uptime,
    usleep, uudecode, uuencode, vconfig, vi, vlock, volname, wall, watch,
    watchdog, wc, wget, which, who, whoami, xargs, yes, zcat, zcip

27. The next part is a pain. You have to create a symbolic link for each applet you want to be able to use. For example, if you want ls to work, make sure you are in the /flash/bin directory and create a symlink for ls pointing to busybox-mips

# pwd
/flash/bin
# ln -s busybox-mips ls
#

28. Now ls works

# ls
busybox-mips  ls
#

29. Let's do the same for some other interesting commands on a router:

# ln -s busybox-mips ifconfig
# ln -s busybox-mips brctl
# ln -s busybox-mips ps
# ln -s busybox-mips top
# ln -s busybox-mips netstat
# ln -s busybox-mips lspci
# ln -s busybox-mips route
# ln -s busybox-mips grep
# ln -s busybox-mips strings
# ln -s busybox-mips less
#
# ifconfig
br0       Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:9D
          inet addr:192.168.88.1  Bcast:192.168.88.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2058 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1081 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1859490 (1.7 MiB)  TX bytes:534258 (521.7 KiB)

br1       Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:4180 (4.0 KiB)

eth0      Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:9D
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2075 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1685 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1903564 (1.8 MiB)  TX bytes:579157 (565.5 KiB)

eth1      Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:9E
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth10     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:A7
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth11     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:A8
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth12     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:A9
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth13     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:AA
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth14     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:AB
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth15     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:AC
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth16     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:AD
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth17     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:AE
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth18     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:AF
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth19     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:B0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth2      Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:9F
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth20     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:B1
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth21     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:B2
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth22     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:B3
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth23     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:B4
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth24     Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:B5
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth3      Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:A0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth4      Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:A1
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth5      Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:A2
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth6      Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:A3
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth7      Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:A4
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth8      Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:A5
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth9      Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:A6
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

switch0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:1500  Metric:1
          RX packets:2070 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1685 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1913988 (1.8 MiB)  TX bytes:592477 (578.5 KiB)

vlan30    Link encap:Ethernet  HWaddr 4C:5E:0C:AC:E3:9D
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:4500 (4.3 KiB)

#
# brctl show
bridge name bridge id       STP enabled interfaces
br0     0000.000000000000   yes     eth0
br1     0000.000000000000   yes
#
#
# ps a
PID   USER     TIME   COMMAND
    1 root      17:10 /init
    2 root       6:30 [kthreadd]
    3 root      36:47 [ksoftirqd/0]
    4 root       0:12 [kworker/0:0]
    5 root     212:23 [kworker/u:0]
    6 root       0:08 [khelper]
    7 root      15:36 [kdevtmpfs]
    8 root       0:04 [netns]
    9 root       6:00 [sync_supers]
   10 root       0:38 [bdi-default]
   11 root       0:08 [kblockd]
   12 root       0:00 [kswapd0]
   13 root       0:47 [fsnotify_mark]
   14 root       0:04 [crypto]
   18 root       0:00 [mtdblock0]
   19 root       0:00 [mtdblock1]
   20 root       0:04 [mtdblock2]
   21 root     1844:1 [kworker/0:1]
   31 root       0:08 [kworker/u:1]
   85 root       0:47 catlog -fs -n 10 backtrace
  103 root       0:04 [btest]
  177 root     165:25 /nova/bin/loader
  189 root       8:01 /nova/bin/mproxy
  190 root       4:09 /nova/bin/log
  191 root       2:34 /nova/bin/moduler
  192 root      44:57 /nova/bin/resolver
  193 root       2:30 /nova/bin/mactel
  194 root      38:34 /nova/bin/bridge2
  195 root       2:13 /nova/bin/macping
  197 root     130:42 /nova/bin/net
  198 root      77:48 /nova/bin/sys2
  199 root       4:17 /nova/bin/btest
  200 root      10:22 /nova/bin/route
  202 root       2:00 /nova/bin/sermgr
  203 root       0:25 /nova/bin/diskd
  205 root      39:43 /nova/bin/led
  206 root       2:17 /nova/bin/quickset
  207 root     276:01 /nova/bin/lcdstat
  215 root      35:17 /nova/bin/www
  237 root       1:43 [khubd]
  304 root      13:10 bash
  336 root       0:38 [flush-31:1]
  365 root       0:04 ps a
#
#
# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8291            0.0.0.0:*               LISTEN      189/mproxy
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      215/www
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN      199/btest
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      202/sermgr
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      192/resolver
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      202/sermgr
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      202/sermgr
tcp        0      0 0.0.0.0:8728            0.0.0.0:*               LISTEN      202/sermgr
tcp        0      0 0.0.0.0:8729            0.0.0.0:*               LISTEN      202/sermgr
netstat: /proc/net/tcp6: No such file or directory
udp        0      0 0.0.0.0:5678            0.0.0.0:*                           197/net
udp        0      0 0.0.0.0:53              0.0.0.0:*                           192/resolver
netstat: /proc/net/udp6: No such file or directory
netstat: /proc/net/raw6: No such file or directory
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING        381 177/loader          /ram/novasock
unix  2      [ ACC ]     STREAM     LISTENING        479 190/log             /ram/logsocket
unix  3      [ ]         STREAM     CONNECTED        663 190/log             /ram/logsocket
unix  3      [ ]         STREAM     CONNECTED        662 197/net
unix  3      [ ]         STREAM     CONNECTED        629 190/log             /ram/logsocket
unix  3      [ ]         STREAM     CONNECTED        628 200/route
unix  3      [ ]         STREAM     CONNECTED        527 190/log             /ram/logsocket
unix  3      [ ]         STREAM     CONNECTED        526 198/sys2
unix  3      [ ]         STREAM     CONNECTED        502 215/www
unix  3      [ ]         STREAM     CONNECTED        501 177/loader
unix  3      [ ]         STREAM     CONNECTED        423 207/lcdstat
unix  3      [ ]         STREAM     CONNECTED        422 177/loader
unix  3      [ ]         STREAM     CONNECTED        421 206/quickset
unix  3      [ ]         STREAM     CONNECTED        420 177/loader
unix  3      [ ]         STREAM     CONNECTED        419 205/led
unix  3      [ ]         STREAM     CONNECTED        418 177/loader
unix  3      [ ]         STREAM     CONNECTED        415 203/diskd
unix  3      [ ]         STREAM     CONNECTED        414 177/loader
unix  3      [ ]         STREAM     CONNECTED        413 202/sermgr
unix  3      [ ]         STREAM     CONNECTED        412 177/loader
unix  3      [ ]         STREAM     CONNECTED        409 200/route
unix  3      [ ]         STREAM     CONNECTED        408 177/loader
unix  3      [ ]         STREAM     CONNECTED        407 199/btest
unix  3      [ ]         STREAM     CONNECTED        406 177/loader
unix  3      [ ]         STREAM     CONNECTED        405 198/sys2
unix  3      [ ]         STREAM     CONNECTED        404 177/loader
unix  3      [ ]         STREAM     CONNECTED        403 197/net
unix  3      [ ]         STREAM     CONNECTED        402 177/loader
unix  3      [ ]         STREAM     CONNECTED        399 195/macping
unix  3      [ ]         STREAM     CONNECTED        398 177/loader
unix  3      [ ]         STREAM     CONNECTED        397 194/bridge2
unix  3      [ ]         STREAM     CONNECTED        396 177/loader
unix  3      [ ]         STREAM     CONNECTED        395 193/mactel
unix  3      [ ]         STREAM     CONNECTED        394 177/loader
unix  3      [ ]         STREAM     CONNECTED        393 192/resolver
unix  3      [ ]         STREAM     CONNECTED        392 177/loader
unix  3      [ ]         STREAM     CONNECTED        391 191/moduler
unix  3      [ ]         STREAM     CONNECTED        390 177/loader
unix  3      [ ]         STREAM     CONNECTED        389 190/log
unix  3      [ ]         STREAM     CONNECTED        388 177/loader
unix  3      [ ]         STREAM     CONNECTED        387 189/mproxy
unix  3      [ ]         STREAM     CONNECTED        386 177/loader
#
#
# lspci
#
# lspci -h
lspci: invalid option -- h
BusyBox v1.16.1 (2010-03-29 11:53:01 CDT) multi-call binary.

Usage: lspci [-mk]

List all PCI devices

    -m  Parseable output
    -k  Show driver

# lspci -k
#
#
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.88.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
#
#
# strings /nova/bin/resolver | grep dnsmasq
#

Hmm, I always thought the DNS resolver on MikroTik was dnsmasq under the covers. Guess not.

There you go. Root shell on a MikroTik, step-by-step. If you uncover interesting details about the underlying system, be sure to let me know.