Nytro Posted February 2, 2014

Hacking and patching TP-LINK TD-W8901G router
By piotrbania.com / 31.01.2014

Motivation

Recently a critical vulnerability has been found in TP-LINK routers and a few other router devices. This particular vulnerability to which I am referring was described here. Basically it is the so-called ROM-0 attack. In short, an attacker, by requesting ROM-0 through an HTTP request (i.e. http://192.168.1.1/ROM-0), can download all important and secret data stored in your router. This includes your ADSL login/password combination, WIFI password and basically all of your configuration data. Actually I was a bit pissed at TP-LINK for this crap so I have decided to patch the vulnerability by myself.

DISCLAIMER: The author takes no responsibility for any actions taken with the provided information or code. You are doing everything on your own responsibility.

The list of vulnerable devices is presented below:
- TD-W8901G
- TD-8816
- TD-W8951ND
- TD-W8961ND
- D-Link DSL-2640R ADSL Modem
- AirLive WT-2000ARM
- Pentagram Cerberus P 6331-42
- ZTE ZXV10 W300

I had one of those devices (TD-W8901G) and I took this as a good fortune sign to start playing with hardware router hacking. My task was to patch this vulnerability and make the ROM-0 not downloadable. This was pretty much my first encounter with this type of stuff (and my first encounter with MIPS really). At this point I would like to thank hackerfantastic and robercik for some hardware hints.

Serial connection

Most routers (or embedded devices in general) have some sort of communication port designed to aid the manufacturers with testing and debugging of the target device. This communication port is usually SERIAL (UART/RS232) or JTAG (EJTAG). In my case I was unable to find the JTAG (EJTAG) port but I have found the serial port instead (presented on the images below). First of all, this is some ugly-ass soldering work (yes, I did that).
OK, now getting back to my initial point: I have used a PL2303 RS232<>USB converter to connect the serial port to the USB port of my computer. PuTTY is pretty decent for handling normal serial communication so I have used it as my default client (configuration: 115200/8/1/N). I was expecting to see some output in my PuTTY but unfortunately I got nothing. So after some digging around and harassing a few friends (ohayo!) I found out that my voltage levels on the RX and TX pins were too low (they should be 3.3V). So after some further digging and looking at the schematics of this board it became obvious that two resistors are missing (see image above). So I took a piece of wire and connected the empty pins together (in two places, obviously). Now the voltage levels were correct and I was able to see the output in my terminal.

Full article: PIOTRBANIA.COM :: Hacking and patching TP-LINK TD-W8901G router
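The ROM-0 issue described in the quoted article is a plain unauthenticated GET for a fixed path, which makes it easy to spot in access logs of anything sitting in front of such a device (a reverse proxy, an IDS tap, or a web server that forwards to the router's admin interface). The following is an added detection example, not code from piotrbania's article or from the forum thread; the log lines are constructed samples in combined log format, and the `find_rom0_requests`/`summarize` helpers are assumptions of this example. A 200 response means the configuration dump was actually served, which is the event worth alerting on.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines in Apache/nginx combined format (not from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2014:10:15:01 +0000] "GET /ROM-0 HTTP/1.1" 200 16384 "-" "curl/7.35.0"
192.168.1.20 - - [02/Feb/2014:10:15:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2014:10:16:22 +0000] "GET /rom-0 HTTP/1.1" 200 16384 "-" "python-requests/2.2"
198.51.100.4 - - [02/Feb/2014:10:17:00 +0000] "GET /ROM-0?x=1 HTTP/1.1" 403 0 "-" "Wget/1.15"
192.168.1.21 - - [02/Feb/2014:10:18:30 +0000] "POST /cgi-bin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The path is matched case-insensitively and with an optional query/fragment,
# so /ROM-0, /rom-0 and /ROM-0?x=1 are all caught.
ROM0_RE = re.compile(r'^/rom-0(?:[?#]|$)', re.IGNORECASE)


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int
    succeeded: bool  # True when the server answered 200, i.e. the dump was served


def find_rom0_requests(log_text):
    """Return one Hit per request for the ROM-0 config file found in log_text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        if not ROM0_RE.match(m["path"]):
            continue
        status = int(m["status"])
        hits.append(Hit(m["ip"], m["ts"], m["path"], status, status == 200))
    return hits


def summarize(hits):
    """Group hits by source IP; value is the number of successful (HTTP 200) dumps."""
    summary = {}
    for h in hits:
        summary[h.ip] = summary.get(h.ip, 0) + (1 if h.succeeded else 0)
    return summary


if __name__ == "__main__":
    found = find_rom0_requests(SAMPLE_LOG)
    for h in found:
        flag = "DUMP SERVED" if h.succeeded else "blocked"
        print(f"{h.ts} {h.ip} {h.path} -> {h.status} ({flag})")
    print(summarize(found))
```

The router itself typically keeps no usable HTTP log, so this only helps where something in front of the admin interface does; the durable fix is the one the article pursues (making ROM-0 non-downloadable) together with not exposing the admin interface to the WAN at all.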
wildchild Posted February 2, 2014

TP-Links aren't routers, they're firecrackers.
Silviu Posted February 2, 2014

wildchild wrote: TP-Links aren't routers, they're firecrackers.

With DD-WRT on them, and for their price, I'd say they're decent enough; it depends what you expect from them, after all a Dacia isn't a BMW either.