I recently purchased a Tenda AX3000 WiFi 6 Mesh Router from AliExpress. The setup was straightforward and it works well. However, I was curious what the device might be doing on my network, and I ran into something very strange. Let's take a look at the device and its behavior.


The Device

The device consists of 3 nodes: one acting as the main router and two as mesh nodes.

Tenda AX3000

The main router is connected to the internet and the two mesh nodes connect to it over WiFi 6. The device has a web interface for configuration, and there is also a mobile app (Android/iOS) for managing it.

Network Analysis

I ran an nmap service scan against the main router and found the following open ports (a trailing ? in the SERVICE column means nmap could not confirm the service and is only guessing from the port number):

PORT      STATE SERVICE         VERSION
23/tcp    open  tcpwrapped
80/tcp    open  http
443/tcp   open  ssl/https
8888/tcp  open  sun-answerbook?
9000/tcp  open  cslistener?
10004/tcp open  emcrmirccd?
49152/tcp open  upnp

Then I moved on to the egress traffic from the device. A request was being made roughly every 7 seconds to the domain mac.cloud.tenda.com.cn. That domain resolved to the IP address 116.62.171.30, which belongs to Aliyun Computing Co., Ltd. in China.

The request payload contained the first 3 bytes of the MAC address of every device on my network, i.e. the OUI (Organizationally Unique Identifier), which identifies the hardware manufacturer of each device. The payload was sent in plaintext over HTTP to that domain.

Network Logs

It is odd that a router would send this information to a remote server every 7 seconds 🤔.
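The two observations above (a timer-driven check-in to one host, and OUIs readable in the request body) are exactly what you would want to flag in a capture of any consumer device's egress. The script below is an added example, not code from the original post: it takes a list of HTTP request records, reports when requests to a given host recur at a near-constant interval, and collects the OUI prefixes that appear in bodies sent without TLS. The records are constructed to resemble the router's traffic, and the body layout (a "mac_list" array) is an assumption, not the router's actual schema.

```python
#!/usr/bin/env python3
"""Spot a fixed-interval plaintext check-in and pull OUI prefixes out of its bodies.

Added example, not part of the original post. The HTTP records below are
constructed to resemble the router's egress; the JSON layout of the body
(a "mac_list" array) is an assumption, not the router's actual schema.
"""
import json
import re
import statistics
from dataclasses import dataclass

# Three colon-separated hex bytes that are not embedded in a longer MAC.
OUI_RE = re.compile(
    r"(?<![0-9A-Fa-f:])([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){2})(?![0-9A-Fa-f:])"
)

TENDA_HOST = "mac.cloud.tenda.com.cn"


@dataclass
class HttpRecord:
    ts: float        # time of the request, epoch seconds
    dst_host: str    # Host header / resolved name
    dst_port: int
    path: str
    body: str        # request body as captured (empty when not readable)


def find_beacon(records, host, max_jitter=1.0, min_count=3):
    """If requests to `host` recur at a near-constant spacing, return
    (median_interval_seconds, request_count); otherwise None."""
    times = sorted(r.ts for r in records if r.dst_host == host)
    if len(times) < min_count:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    median = statistics.median(gaps)
    if max(abs(g - median) for g in gaps) > max_jitter:
        return None          # irregular traffic, not a timer-driven beacon
    return median, len(times)


def extract_ouis(records, host):
    """Distinct OUI prefixes found in plaintext (non-TLS) bodies sent to `host`."""
    seen = set()
    for r in records:
        if r.dst_host != host or r.dst_port == 443:
            continue          # encrypted traffic: nothing readable here
        seen.update(m.upper() for m in OUI_RE.findall(r.body))
    return sorted(seen)


# Constructed capture: four check-ins about 7 s apart plus an unrelated request.
SAMPLE = [
    HttpRecord(0.0, TENDA_HOST, 80, "/route/mac_vendor/v1",
               json.dumps({"mac_list": ["00:1A:2B", "DC:A6:32"]})),
    HttpRecord(7.1, TENDA_HOST, 80, "/route/mac_vendor/v1",
               json.dumps({"mac_list": ["00:1A:2B", "dc:a6:32"]})),
    HttpRecord(9.5, "example.org", 443, "/", ""),
    HttpRecord(14.0, TENDA_HOST, 80, "/route/mac_vendor/v1",
               json.dumps({"mac_list": ["00:1A:2B", "B8:27:EB"]})),
    HttpRecord(21.2, TENDA_HOST, 80, "/route/mac_vendor/v1",
               json.dumps({"mac_list": []})),
]

if __name__ == "__main__":
    beacon = find_beacon(SAMPLE, TENDA_HOST)
    if beacon:
        interval, count = beacon
        print(f"{TENDA_HOST}: {count} requests, one every ~{interval:.1f}s")
        print("OUIs exposed in plaintext:", extract_ouis(SAMPLE, TENDA_HOST))
```

The jitter threshold is what separates a firmware timer from ordinary browsing: the constructed check-ins land within 0.2 s of a 7.1 s median, so they are reported, while the single request to example.org is ignored. On a real capture you would feed the records from tshark or Zeek's http.log instead of the constructed list.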

Remediation

I first tried blocking the domain mac.cloud.tenda.com.cn on my firewall, but the device's throughput dropped significantly. Quite weird. I then set up a local DNS server that resolves the domain to an internal IP on my network. I used dnsmasq for this and configured it to resolve mac.cloud.tenda.com.cn to the local IP address of the DNS server itself. That alone did not solve the throughput issue either.
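The dnsmasq directive that does this, as an added example rather than the post's own configuration (192.168.1.10 is a placeholder for the LAN host that will answer the request):

```ini
# /etc/dnsmasq.d/tenda.conf  (added example; 192.168.1.10 is a placeholder)
# Answer every query for this name, and any name under it, with a LAN address
# instead of forwarding it upstream.
address=/mac.cloud.tenda.com.cn/192.168.1.10
```

After restarting dnsmasq, the router's upstream DNS has to point at this server for the override to take effect. With nothing listening on port 80 at that address the check-in simply fails, which is the state in which throughput stayed low.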

So I reverse engineered the backend REST API behind that domain in order to serve the expected response myself. Because the request and the response both travel in plaintext over HTTP, I could read them off the wire and reproduce them with a small Python (FastAPI) service running on the host my DNS entry points to. The fact that the router accepts an answer from my own server shows that it does not verify who is responding.

#!/usr/bin/env python3

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from pydantic import BaseModel, ConfigDict


class DeviceMac(BaseModel):
    """Stand-in for the DeviceMac model originally imported from a separate
    `models` module (not shown). It accepts any JSON object, so the exact
    field names of the router's payload do not need to be reproduced here."""
    model_config = ConfigDict(extra="allow")


app = FastAPI()
app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)


@app.post("/route/mac_vendor/v1")
def mac_vendor(mac_addresses: DeviceMac):
    """
    Answer the router's MAC vendor lookup. The body mirrors the shape of the
    real service's response with an empty vendor map; the submitted OUIs are
    neither stored nor forwarded anywhere.
    """
    return {"error": 0, "resp": {"mac_list": {}, "interval": 1135296000}}


if __name__ == "__main__":
    # The router talks plain HTTP, so the service must be reachable on port 80
    # (run as root, or put a reverse proxy such as nginx in front of it).
    import uvicorn
    uvicorn.run(app, host="0.0.0.0", port=80)

In the end the router accepted the replicated response: throughput went back to normal, and no information is forwarded to the external domain any more.

Nginx Logs

Repository: https://github.com/jayluxferro/tenda-ax3000-analysis