The router is built on a MediaTek (MTK) System-on-a-Chip (SoC). This was identified by the presence of the mt7603eap Wi-Fi kernel module. The SoC includes an integrated hardware switch, which the system identifies internally as chiptype: 7.
The device runs a customized version of embedded Linux. Crucially, it does not use the standard Linux swconfig utility for switch management. Instead, it relies on a set of proprietary, command-line tools to control the hardware.
In its standard configuration, the router functions as a simple access point by creating a single, flat network.
[cite_start]This is achieved using a software bridge named bdg2[cite: 4, 43]. This bridge groups all the physical LAN ports and all active Wi-Fi interfaces (like ra0, ra2, and rai2) together. As a result, any device that connects, whether wired or wireless, is placed on the same network and receives an IP address from your main UCG Ultra router.
To perform any advanced configuration like VLAN tagging, we had to reverse-engineer two key command-line utilities:
vlanConfig: This is the primary tool for managing the hardware switch's 802.1Q VLAN capabilities. It doesn't operate on standard network interface names likeeth0. Instead, it requires the specific device node path/dev/feto function. Its main purpose is to create VLAN entries and define which ports are tagged or untagged members.switchmgr: This is a utility for checking the live status of the hardware switch. We used it to identify the mapping of physical LAN ports to the switch's internal port numbers (0-4) via theport linkstatesubcommand. We also determined it can be used to view the switch's MAC address table with themac brtable <port>command.
The router has a complete, built-in Voice over IP (VoIP) system that uses the standard SIP protocol.
- Core Process: A dedicated application,
/userfs/bin/svchost, manages all VoIP functionality. - Configuration: While there is a system configuration file at
/etc/voip_sys.cfg, the most critical information—the SIP username, password, and server—is set toNULL. This indicates that the credentials are dynamically provisioned. - [cite_start]Dynamic Provisioning: The router uses the TR-069 protocol to contact your ISP's remote management server (ACS) after it connects to the internet[cite: 77]. The ISP's server then securely pushes the VoIP credentials directly to the
svchostprocess, which holds them in memory. This is why the credentials are not found in any plain-text configuration files.
To enable VLAN tagging for both wired ports and SSIDs, the default network architecture must be completely rebuilt with the following logic:
- Dismantle the Software Bridge: The master
bdg2bridge must be destroyed, which breaks the single flat network. - Configure the Hardware Switch: Using
vlanConfig, new VLANs are created on the hardware switch. The port connected to your UCG Ultra is configured as a VLAN trunk, and the internal CPU port is also configured as a trunk port to ensure it can process traffic from all VLANs. Other physical LAN ports are set as "access" ports with a single untagged VLAN. - Create Per-VLAN Bridges: For each SSID that needs to be on a VLAN, a new, separate software bridge is created (e.g.,
br3for VLAN 3). - Link Wireless to VLANs: This new bridge links two interfaces together: the Linux VLAN sub-interface (e.g.,
eth0.3) and the target wireless interface (e.g.,ra0). This is the step that places an SSID onto a specific VLAN. - Establish Management Access: Since the original
bdg2interface is gone, the router would become inaccessible. To fix this, one of the new per-VLAN bridges (e.g.,br3) must be designated as the management bridge and configured to get an IP address from the UCG Ultra on its corresponding VLAN.