Nytro

Hacking and patching TP-LINK TD-W8901G router

By piotrbania.com / 31.01.2014

Motivation

Recently a critical vulnerability has been found in TP-LINK routers and a few other router devices. This particular vulnerability to which I am referring was described here. Basically it is the so-called ROM-0 attack. In short, an attacker, by requesting ROM-0 through an HTTP request (i.e. http://192.168.1.1/ROM-0), can download all important and secret data stored in your router. This includes your ADSL login/password combination, WIFI password and basically all of your configuration data. Actually I was a bit pissed at TP-LINK for this crap so I have decided to patch the vulnerability myself.

DISCLAIMER: The author takes no responsibility for any actions taken with the provided information or code. You are doing everything on your own responsibility.

The list of vulnerable devices is presented below:

  • TD-W8901G
  • TD-8816
  • TD-W8951ND
  • TD-W8961ND
  • D-Link DSL-2640R
  • ADSL Modem
  • AirLive WT-2000ARM
  • Pentagram Cerberus P 6331-42
  • ZTE ZXV10 W300

I had one of those devices (TD-W8901G) and I took this as a good fortune sign to start playing with hardware router hacking :-). My task was to patch this vulnerability and make the ROM-0 not downloadable. This was pretty much my first encounter with this type of stuff (and my first encounter with MIPS really). At this point I would like to thank hackerfantastic and robercik for some hardware hints.

Serial connection

Most routers (or embedded devices in general) have some sort of communication port designed to aid the manufacturers with testing and debugging of the target device. This communication port is usually SERIAL (UART/RS232) or JTAG (EJTAG). In my case I was unable to find the JTAG (EJTAG) port but I have found the serial port instead (shown in the images below).

[Image: router2.jpg]

[Image: router1.jpg]

First of all, this is some ugly ass soldering work (yes, I did that). OK, now getting back to my initial point: I have used a PL2303 RS232<>USB converter to connect the serial port to the USB port of my computer. PuTTY is pretty decent for handling normal serial communication so I have used it as my default client (configuration: 115200/8/1/N). I was expecting to see some output in PuTTY but unfortunately I got nothing. So after some digging around and harassing a few friends (ohayo!) I have found out that my voltage levels on the RX and TX pins were too low (should be 3.3V). So after some further digging and looking at the schematics of this board it became obvious that two resistors are missing (see image above). So I took a piece of wire and I have connected the empty pins together (in two places obviously). So now the voltage levels were correct and I was able to see the output in my terminal.

Full article: PIOTRBANIA.COM :: Hacking and patching TP-LINK TD-W8901G router
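Added example, not part of the original post or the linked article: a small check an owner can run from the LAN to confirm whether their own router still answers an unauthenticated request for the ROM-0 path quoted above, for instance before and after patching. The result labels and the rule that an HTML body counts as a login or error page are assumptions of this sketch; it reads only a short prefix of the response and stores nothing.

```python
import sys
import urllib.error
import urllib.request

ROM0_PATH = "/ROM-0"  # path named in the article


def classify(status, content_type, body_len):
    """Decide from one HTTP response whether ROM-0 is served without a login."""
    if status in (401, 403):
        return "protected"      # router asks for credentials or refuses
    if status == 404:
        return "not-served"     # path removed or patched out
    if status == 200 and body_len > 0:
        # Assumption: an HTML body is a login/error page, not the config image.
        if content_type.lower().startswith("text/html"):
            return "inconclusive"
        return "exposed"
    return "inconclusive"


def check_router(host="192.168.1.1", timeout=5):
    """Request ROM-0 with no credentials and classify the answer."""
    url = "http://%s%s" % (host, ROM0_PATH)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            prefix = resp.read(64)  # only enough to see that data came back
            ctype = resp.headers.get("Content-Type", "")
            return classify(resp.status, ctype, len(prefix))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type", ""), 0)
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    result = check_router(target)
    print("%s%s: %s" % (target, ROM0_PATH, result))
    sys.exit(1 if result == "exposed" else 0)
```

An "exposed" result means the configuration image is reachable by anyone who can reach the router's web interface; until the device is patched, restricting access to that interface is the interim mitigation.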
