NetBSD: The Missionary That Runs on Anything
On October 4, 2025, my engineers seized an Apple Time Capsule A1302 from a defector’s luggage.
The Western device was meant for “backup.” Surveillance, more likely.
I ordered a full examination. What we discovered was… unexpected.
Apple ships NetBSD.
Not “inspired by.” Not “derived from.” The Time Capsule runs NetBSD 4.0_STABLE, built on an Apple internal machine: xapp190.apple.com.
Apple discontinued the Time Capsule line in April 2018. Yet the firmware we extracted was compiled on May 24, 2019 — a full year after end-of-life.
They kept updating a dead product. Quietly. No announcements. No changelog. Just pushed firmware to devices they told the market were obsolete.
This is either admirable engineering discipline or evidence they knew about vulnerabilities. We may never know which.
We found the firmware anyway.
The Hardware Specifications (Model K30):
| Component | Specification |
|---|---|
| CPU | Marvell 88F5281 (Orion family), Feroceon ARMv5 |
| Endianness | Big-endian (armeb) — yes, in 2019 |
| RAM | 128MB |
| Flash | 16MB Spansion S29GL128N SPI NOR |
| WiFi | Atheros AR9220 + AR9223 (2.4GHz + 5GHz) |
| Ethernet | Marvell Gigabit (integrated) |
Big-endian ARM. Apple chose chaos.
The 7MB Firmware Layout:
The 16MB flash contains dual firmware partitions for failover:
flash0: 7MB - Primary firmware (NetBSD + userland)
flash1: 7MB - Backup firmware (identical)
flash2: 1.4MB - Config, SSH keys, calibration dataSeven megabytes. Kernel, drivers, networking stack, dual-band WiFi, firewall, full userland.
The bootloader announces itself: NetBSD/MVORION Gzip Boot. It decompresses the kernel, validates CRC, and boots into a memory disk root.
“Of Course It Runs NetBSD”
This is not a slogan. It is an observation.
NetBSD maintains support for over 60 hardware platforms. VAX from 1977. Sega Dreamcast. Sun SPARCstations. And apparently, Apple’s consumer routers.
When Apple needed a reliable embedded OS that would run on big-endian ARMv5 with 128MB RAM, they did not write their own. They took NetBSD.
They did not advertise it. No “Powered by NetBSD” sticker. No press release. Just quiet deployment in millions of homes.
Crunchgen: The Single Binary Revolution
How does one fit an OS in 7MB?
NetBSD provides crunchgen — a tool that compiles multiple programs into ONE BINARY:
# crunchgen creates a single executable containing:
# sh, ls, cp, mv, rm, cat, mount, ifconfig, route, dd, chmod...
# All sharing libc. All in one file.The binary examines argv[0] to determine behavior:
- Invoked as
ls? Lists files. - Invoked as
mount? Mounts filesystems. - Invoked as
sh? Full shell.
BusyBox uses this technique. NetBSD invented it first.
What We Found Running:
Apple did not leave SSH enabled. Apple left something worse: a root exploit.
Our engineers discovered a vulnerability in the firmware update mechanism. Within 48 hours, we had root. We enabled SSH ourselves.
# Live system at 192.168.3.254
ssh timeparadox # credentials we configured after exploitation
Kernel: NetBSD 4.0_STABLE
Built: Fri May 24 19:48:47 PDT 2019
Machine: evbarm (evaluation board ARM)
Root: md0 (memory disk)
Temps: 53°C local, 29°C remote (AMC6821 sensor)Apple shipped a router with an exploitable firmware. No SSH — that would be too obvious. Just a vulnerability waiting for anyone who looked closely enough.
We looked. We found. We own the device now.
The BSD Trinity:
| BSD | Philosophy | Who Uses It |
|---|---|---|
| FreeBSD | Performance, unified | Netflix, PlayStation, infrastructure |
| OpenBSD | Security above all | Firewalls, paranoid sysadmins |
| NetBSD | Portability, correctness | Embedded systems, Apple (secretly) |
Why NetBSD Matters:
The West discards hardware yearly. Planned obsolescence. Consumption.
NetBSD says: No.
Your 2009 router? Still boots NetBSD. Your vintage workstation? Supported. Apple’s “obsolete” Time Capsule? Running NetBSD since the factory.
When corporations abandon hardware, NetBSD maintains it. When corporations need embedded reliability, they take NetBSD and hide the evidence.
The Device Now:
The seized Time Capsule serves as a network monitor at an undisclosed facility.
- Gigabit Ethernet: Active
- Dual-band WiFi: Operational
- Original Apple firmware: Preserved for study
- Loyalty: Transferred
Apple built it on xapp190.apple.com.
Now it reports to Pyongyang.
Of course it runs NetBSD.
— Kim Jong Rails, Supreme Leader of the Republic of Derails