Hacking and patching TP-LINK TD-W8901G router

Hacking and patching TP-LINK TD-W8901G router

by piotrbania.com  / twitter: @PiotrBania / 31.01.2014


Motivation
Recently a critical vulnerability has been found in TP-LINK routers and few other router devices. This particular vulnerability to which I am referring was described here. Basically it is so called ROM-0 attack. In short attacker by requesting ROM-0 through HTTP request (ie. http://192.168.1.1/ROM-0) can download all important and secret data stored in your router. This includes your ADSL login/password combination, WIFI password and basically all of your configuration data. Actually I was a bit pissed at TP-LINK for this crap so I have decided to patch the vulnerability by myself.

DISCLAIMER: Author takes no responsibility for any actions with provided informations or codes. Your are doing everything on your own responsibility.

If you are looking for rom-0 password decoder (rom0 decompressor) - here it is: http://piotrbania.com/all/utils/RomDecoder.c

The list of vulnerable devices is presented below:
  • TD-W8901G
  • TD-8816
  • TD-W8951ND
  • TD-W8961ND
  • D-Link DSL-2640R
  • ADSL Modem
  • AirLive WT-2000ARM
  • Pentagram Cerberus P 6331-42
  • ZTE ZXV10 W300


I had one of those devices (TD-W8901G) and I took this as a good fortune sign to start playing with hardware router hacking :-). My task was to patch this vulnerability and make the ROM-0 not downloadable. This was my pretty much first encounter with this type of stuff (and my first encounter with MIPS really). At this point I would like to thank hackerfantastic and robercik for some hardware hints.

Serial connection
Most of the routers (or embedded devices in general) have some sort of communication port designed to aid the manufactures with testing and debugging of the target device. This communication port is usually SERIAL (UART/RS232) or JTAG (EJTAG). In my case I was unable to find the JTAG (EJTAG) port but I have found the serial port instead (presented on images below).




First of all this is some ugly ass soldering work (yes I did that). Ok now getting back to my initial point I have used PL2303 RS232<>USB converter to connect the serial port to the usb port of my computer. Putty is pretty decent for handling normal serial communication so I have used it as my default client (configuration: 115200/8/1/N). I was expecting to see some output in my putty but unfortunately I got nothing. So after some digging around and harassing few friends (ohayo!) I have found out that my voltage levels on RX and TX pins were too low (should be 3.3V). So after some further digging and looking on schematics of this board it became obvious that two resistors are missing (see image above). So I took a piece of wire and I have connected the empty pins together (in two places obviously). So now the voltage levels were correct and I was able to see the output in my terminal.

This is what I have received:
  1. Bootbase Version: VTC1.15 | 2007/11/12 17:18:52
  2. RAM: Size = 8192 Kbytes
  3. DRAM POST: Testing: 8192K
  4. OK
  5. FLASH: AMD 16M *1
  6.  
  7. RAS Version: 1.0.2 Build 080522 Rel.37708
  8. System ID: *2.11.36.0(RE9.C29)3.10.2.60| 2008/04/24
  9.  
  10. Press any key to enter debug mode within 3 seconds.
  11. .....................................
  12. Enter Debug Mode
After some additional digging I have found that you can use 'ATHE' command to list all available commands (this is not really deeply documented anywhere):
  1. ======= Debug Command Listing =======
  2. AT just answer OK
  3. ATHE print help
  4. ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
  5. ATENx,(y) set BootExtension Debug Flag (y=password)
  6. ATSE show the seed of password generator
  7. ATTI(h,m,s) change system time to hour:min:sec or show current time
  8. ATDA(y,m,d) change system date to year/month/day or show current date
  9. ATDS dump RAS stack
  10. ATDT dump Boot Module Common Area
  11. ATDUx,y dump memory contents from address x for length y
  12. ATRBx display the 8-bit value of address x
  13. ATRWx display the 16-bit value of address x
  14. ATRLx display the 32-bit value of address x
  15. ATGO(x) run program at addr x or boot router
  16. ATGR boot router
  17. ATGT run Hardware Test Program
  18. ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
  19. ATSH dump manufacturer related data in ROM
  20. ATDOx,y download from address x for length y to PC via XMODEM
  21. ATTD download router configuration to PC via XMODEM
  22. ATUR upload router firmware to flash ROM
  23.  
  24. < press any key to continue >
  25. ATLC upload router configuration file to flash ROM
  26. ATXSx xmodem select: x=0: CRC mode(default); x=1: checksum mode
  27. ATLD Upload Configuration File and Default ROM File to Flash
  28. ATCD Convert Running ROM File to Default ROM File into Flash
So at this point we have a set of commands but still no way to debug this thing. We can't see the registers, we can't set breakpoints, we can't step on instructions so this a bit like walking in a fog. The good point is we can read and dump memory. So piece by piece using ATDO command I have dumped the memory from the device. Please note that this is a rather painful process because every attempt to read unavailable memory will end up with the device turning into zombie mode (no crash dump or even a guru meditation it just freezes). I have noticed that MINICOM is simply the best thing to dump the memory (I have tried using TeraTerm and HyperTerminal but they both were pretty unstable).




But before we will go to the dump analysis itself there is one especially interesting command - ATEN (set BootExtension Debug Flag (y=password)). So as you can see we need the secret password to use it otherwise it will simply return ERROR. But when successfully used it will provide us some awesome hidden commands!


ATEN Password Generator
So like always in those type of situations you start with googling it up. Somewhere in the google results I have found a website called "Running uCLinux on a ZyXEL router". You can find a ATEN password generation algorithm there but unfortunately it didn't work on my device. So we are back to square one and we need to do some disassembly together with static analysis.

The first step in my approach was to locate the function responsible for handling the ATEN command. I have located this piece by searching for a dispatch-command table. Why I knew there will be one? I just assumed I would code it that way (there isn't any other option really except creating a giant if-elseif condition set). Here it is:
  1. ROM:800158A0 CmdTable: .word unk_80015C20 # DATA XREF: sub_8000E3D8+4C o
  2. ROM:800158A0 # sub_8000E3D8+90 o ...
  3. ROM:800158A4 .word sub_8000E6D0
  4. ROM:800158A8 .byte 0
  5. ROM:800158A9 .byte 0
  6. ROM:800158AA .byte 0
  7. ROM:800158AB .byte 0
  8. ROM:800158AC .word aJustAnswerOk # " just answer OK"
  9. ROM:800158B0 .word aAthe # "ATHE"
  10. ROM:800158B4 .word CMD_SHOW_HELP_ATHE
  11. ROM:800158B8 .byte 0
  12. ROM:800158B9 .byte 0
  13. ROM:800158BA .byte 0
  14. ROM:800158BB .byte 0
  15. ROM:800158BC .word aPrintHelp # " print help"
  16. ROM:800158C0 .word aAtba # "ATBA"
  17. ROM:800158C4 .word CMD_ATBA
  18. ...
  19. ROM:800158D0 .word aAten # "ATEN"
  20. ROM:800158D4 .word CMD_ATEN
  21. ...

The table itselft is pretty straight forward (remember on MIPS word is 4 bytes). So let's now see the CMD_ATEN function (the most important part):
  1. ROM:8000FF84 lw $a0, 8($s0)
  2. ROM:8000FF88 jal sub_80013654
  3. ROM:8000FF8C li $a1, 0
  4. ROM:8000FF90 jal generate_passwd
And now generate_passwd function:
  1. ROM:80010A2C generate_passwd: # CODE XREF: CMD_ATEN+50 p
  2. ROM:80010A2C lui $t9, 0xA11F
  3. ROM:80010A30 lw $v1, ptrDO_GTABLE
  4. ROM:80010A34 lw $t8, dword_80017050
  5. ROM:80010A38 lw $v1, 0x18($v1) # take the seed part, generated by the ATSE command
  6. ROM:80010A3C lbu $t8, 0x6D($t8) # take the last byte of the MAC Address
  7. ROM:80010A40 sll $v1, 8 # $v1 = v1 << 8
  8. ROM:80010A44 andi $t7, $t8, 7 # $t7 = t8 & 0x7
  9. ROM:80010A48 li $t8, 0 # $t8 = 0
  10. ROM:80010A4C srl $v1, 8 # $v1 = v1 >> 8
  11. ROM:80010A50 li $t9, 0xA11F5AC6 # $t9 = MAGIC
  12. ROM:80010A54 j loc_80010A68
  13. ROM:80010A58 addu $t9, $v1, $t9 # $t9 = $v1 + $t9
  14. ROM:80010A5C # ---------------------------------------------------------------------------
  15. ROM:80010A5C
  16. ROM:80010A5C loc_80010A5C: # CODE XREF: generate_passwd+40 j
  17. ROM:80010A5C sll $t9, 31 # $t9 = $t9 << 31
  18. ROM:80010A60 or $t9, $t6, $t9 # $t9 = $t6 | $t9
  19. ROM:80010A64 addiu $t8, 1 # $t8 = $t8 + 1
  20. ROM:80010A68
  21. ROM:80010A68 loc_80010A68: # CODE XREF: generate_passwd+28 j
  22. ROM:80010A68 sltu $t6, $t8, $t7 # $t6 = (t8 < t7? 1:0)
  23. ROM:80010A6C bnez $t6, loc_80010A5C # take jump if $t6 != 0
  24. ROM:80010A70 srl $t6, $t9, 1 # $t6 = $t9 >> 1
  25. ROM:80010A74 jr $ra # all done, exit
  26. ROM:80010A78 xor $v0, $t9, $v1 # $v0 = $t9 ^ $v1
Some notes from the code:
  • $v1 is the seed value (generated by the ATSE command, zero if ATSE is not used)
  • $t8 initially contains the last byte of MAC Address (last octet)
  • 0xA11F5AC6 is a magic value we were looking for!
  • Those two instructions: "$v1 = v1 << 8" and "$v1 = v1 >> 8" are equal to "seed = seed & 0x00FFFFFF"
  • The loop with (sll-or-srl) is nothing more than a ROR instruction (ROR instruction on MIPS is a pseudoinstruction meaning it is typically emulated by using sll-or-srl sequence)
  • $v0 is the result

So this is how it would look in C:
  1. U32 generate_passwd(U32 seed, U8 last_mac_octet)
  2. {
  3. U32 b = seed & 0x00FFFFFF;
  4. U32 r = ROR(b + 0xA11F5AC6, last_mac_octet & 7);
  5. return r^b;
  6. }
And as you can see this is pretty much the algorithm used by ZyXEL the only difference is the MAGIC VALUE (0xA11F5AC6). You can use the script below to generate your own password for ATEN (remember if you will not use the ATSE command your seed will be zero).

ATEN Password Generation Script:
Field Value
Seed:
Last MAC Octet:


In my case the magic command was "ATEN1,508fad63" and this is what "ATHE" produced afterwards:
  1. ======= Debug Command Listing =======
  2. AT just answer OK
  3. ATHE print help
  4. ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
  5. ATENx,(y) set BootExtension Debug Flag (y=password)
  6. ATSE show the seed of password generator
  7. ATTI(h,m,s) change system time to hour:min:sec or show current time
  8. ATDA(y,m,d) change system date to year/month/day or show current date
  9. ATDS dump RAS stack
  10. ATDT dump Boot Module Common Area
  11. ATDUx,y dump memory contents from address x for length y
  12. ATWBx,y write address x with 8-bit value y
  13. ATWWx,y write address x with 16-bit value y
  14. ATWLx,y write address x with 32-bit value y
  15. ATRBx display the 8-bit value of address x
  16. ATRWx display the 16-bit value of address x
  17. ATRLx display the 32-bit value of address x
  18. ATGO(x) run program at addr x or boot router
  19. ATGR boot router
  20. ATGT run Hardware Test Program
  21. AT%Tx Enable Hardware Test Program at boot up
  22. ATBTx block0 write enable (1=enable, other=disable)
  23.  
  24. ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
  25. ATWEa(,b,c,d) write MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM
  26. ATCUx write Country code to flash ROM
  27. ATCB copy from FLASH ROM to working buffer
  28. ATCL clear working buffer
  29. ATSB save working buffer to FLASH ROM
  30. ATBU dump manufacturer related data in working buffer
  31. ATSH dump manufacturer related data in ROM
  32. ATWMx set low 6 digits MAC address in working buffer
  33. ATMHx set hight 6 digits MAC address in working buffer
  34. ATBS show the bootbase seed of password generator
  35. ATLBx xmodem upload bootbase,x is password
  36. ATSMx set 6 digits MAC address in working buffer
  37. ATCOx set country code in working buffer
  38. ATFLx set EngDebugFlag in working buffer
  39. ATSTx set ROMRAS address in working buffer
  40. ATSYx set system type in working buffer
  41. ATVDx set vendor name in working buffer
  42. ATPNx set product name in working buffer
  43. ATFEx,y,... set feature bits in working buffer
  44. ATMP check & dump memMapTab
  45. ATDOx,y download from address x for length y to PC via XMODEM
  46. ATTD download router configuration to PC via XMODEM
  47. ATUPx,y upload to RAM address x for length y from PC via XMODEM
  48. ATUR upload router firmware to flash ROM
  49. ATDC hardware version check disable during uploading firmware
  50. ATLC upload router configuration file to flash ROM
  51. ATUXx(,y) xmodem upload from flash block x to y
  52. ATERx,y erase flash rom from block x to y
  53. ATWFx,y,z copy data from addr x to flash addr y, length z
  54. ATXSx xmodem select: x=0: CRC mode(default); x=1: checksum mode
  55. ATLD Upload Configuration File and Default ROM File to Flash
  56. ATBR Reset to default Romfile
  57. ATCD Convert Running ROM File to Default ROM File into Flash
Now we have access to few other interesting commands. Remember the objective is to patch the ROM-0 download vulnerability.


Patching the vulnerability (virtually)
In order to patch the vulnerability we need to patch the stage2 firmware (we are still on the stage1 level - minimal boot firmware). You can go to the stage2 firmware by typing ATGR (boot router) command. The bad thing about that is after this step we will have no access to stage 1 commands. So we can't really patch :(
  1. (Compressed)
  2. Version: ADSL ATU-R, start: bfc5d430
  3. Length: 390890, Checksum: 08F1
  4. Compressed Length: D7150, Checksum: DBE7
  5.  
  6. Copyright (c) 2001 - 2006 TP-LINK TECHNOLOGIES CO., LTD
  7. initialize ch = 0, IP175C, ethernet address: 00:XX:XX:XX:XX:41
  8. initialize ch = 1, ethernet address: 00:XX:XX:XX:XX:41
  9. Wan Channel init ........ done
  10. Initializing ADSL F/W ........ done
  11. ANNEXAL
  12. set try multimode number to 3 (dropmode try num 3)
  13. Syncookie switch On!
  14. Press ENTER to continue...
  15.  
  16. Valid commands are:
  17. sys exit ether wan
  18. ip bridge dot1q pktqos
  19. show set lan
  20. tc>
So what happened? The compressed stage 2 firmware got decompressed and executed. Knowing the ATGR command boots up the router let's find the instruction that passes the execution to the stage 2 firmware. This seems to be the best option because the firmware at that point is already unpacked.
  1. ROM:80011E8C loc_80011E8C: # CODE XREF: LoadAndRunImage+D8 j
  2. ROM:80011E8C jal sub_80009B24
  3. ROM:80011E90 li $a0, 0x1F4
  4. ROM:80011E94
  5. ROM:80011E94 execute_image: # execute image
  6. ROM:80011E94 jalr $s0 # jump and link to address in $s0
  7. ROM:80011E98 nop
Now the question is what is the address stored in $s0? Obviously we still can't set a breakpoint, we can't view the registers so we need to leak it using some trick. But wait we can read and write memory so take a look on the following command:
  1. ATWL 80011E94, ae30001c
  2. ATGR
This command patches the instruction at 0x80011E94 with ae30001c (the byte representation of MIPS "sw $s0, 0x1C($s1)" instruction). By overwriting the original jalr $s0 with sw $s0, 0x1C($s1) we have forced the program to store the contents of $s0 register to 0x8001FF1C memory address. So now stage 2 firmware will not be executed instead the "ERROR" message will be presented and we will still have the access to the stage1 console! So let's take a look what was stored at 0x8001FF1C.
  1. ATRL 8001FF1C
  2. 8001FF1C: 80020000
So now when we have leaked stage 2 address (0x80020000) we can dump it and analyse it properly).

So keeping in mind that we want to block ROM-0 from being downloadable I have found (using trail and error and xrefs) following code fragment that was a great candidate for patching:


  1. ROM:80248C98 la $a1, aRom0_8 # "/rom-0"
  2. ROM:80248CA0 jal sub_802D0F2C
  3. ROM:80248CA4 move $a0, $s2
  4. ROM:80248CA8 beqz $v0, loc_80248CB8 # NOP THIS SIR
  5. ROM:80248CAC li $v1, 0xE
  6. ROM:80248CB0 j loc_exit
  7. ROM:80248CB4 sw $v1, 0x64($s3)
  8.  
  9.  
  10. ROM:80248DEC loc_exit: # CODE XREF: sub_80248AA8+208 j
  11. ROM:80248DEC # sub_80248AA8+21C j ...
  12. ROM:80248DEC lw $ra, 0x28+var_4($sp)
  13. ROM:80248DF0 lw $s0, 0x28+var_28($sp)
  14. ROM:80248DF4 lw $s1, 0x28+var_24($sp)
  15. ROM:80248DF8 lw $s2, 0x28+var_20($sp)
  16. ROM:80248DFC lw $s3, 0x28+var_1C($sp)
  17. ROM:80248E00 lw $s4, 0x28+var_18($sp)
  18. ROM:80248E04 lw $s5, 0x28+var_14($sp)
  19. ROM:80248E08 lw $s6, 0x28+var_10($sp)
  20. ROM:80248E0C lw $fp, 0x28+var_8($sp)
  21. ROM:80248E10 nop
  22. ROM:80248E14 jr $ra
  23. ROM:80248E18 addiu $sp, 0x28
So the beqz $v0, loc_80248CB8 instruction jumps to loc_80248CB8 and we simply don't want that. So instead when the condition is not met this procedure jumps to loc_exit which is basically saying "goodbye". So let's patch the beqz with NOP:

  1. ATEN 1,508fad63
  2. ATWL 80011E94, 00000000
  3. ATGR
  4. ATWL 80248CA8, 00000000
  5. ATGO 80020000

So now when the stage 2 firmware is patched in memory and booted it is time to test it (for the record: 192.168.2.1 - is my router addr)!




SUCCESS!


Conclusion
This simple patch was done in virtual memory only meaning everything will come back to the state it was before applying it after your router reboots. This is convenient from one side and inconvenient from the other. It is certainly possible to flash the device with modified firmware but I will not provide such methods here. One way or another I hope you have enjoyed the journey as I did. There are probably a plenty more vulnerabilities like this one somewhere inside every router so sometimes such ghetto hacks may become necessary :-) (let's hope not!). Obviously this was just one simply patch and it wasn't heavily tested in action. Please use this method as a way of learning something NOT as an actual remedy (probably there are plenty of other bugs that need to be patched as well). - PIOTR 31.01.2014 / EOF.


Bonus Binwalk
Some additional material from binwalk:

  1. root@ubuntu:/home/die/binwalk/firmware# binwalk firmware.bin
  2. DECIMAL HEX DESCRIPTION
  3. -------------------------------------------------------------------------------------------------------------------
  4. 84992 0x14C00 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 66696,
  5. compressed size: 16845, uncompressed checksum:
  6.  
  7. 0xC92E, compressed checksum: 0xC9CE, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed
  8. checksum is valid, memory map table address: 0x0
  9. 85043 0x14C33 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes,
  10. uncompressed size: 66696 bytes
  11. 128002 0x1F402 GIF image data, version "89a", 200 x 50
  12. 136194 0x21402 GIF image data, version "89a", 560 x 50
  13. 349184 0x55400 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 3737744,
  14. compressed size: 880976, uncompressed checksum:
  15.  
  16. 0x8F1, compressed checksum: 0xDBE7, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed
  17. checksum is valid, memory map table address: 0x0
  18. 349235 0x55433 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes,
  19. uncompressed size: 3737744 bytes
  20.  
  21.  
  22.  
  23. dd if=firmware.bin bs=1 skip=85043 of=image1.lzma
  24. dd if=firmware.bin bs=1 skip=349235 of=image2.lzma
  25.  
  26. root@ubuntu:/home/die/binwalk/firmware# lzma -d image1.lzma
  27. root@ubuntu:/home/die/binwalk/firmware# lzma -d image2.lzma
  28.  
  29.  
  30. die@ubuntu:~/binwalk/firmware$ binwalk image2
  31.  
  32. DECIMAL HEX DESCRIPTION
  33. -------------------------------------------------------------------------------------------------------------------
  34. 2840932 0x2B5964 Copyright string: " (c) 1994 - 2004 ZyXEL Communications Corp."
  35. 2840988 0x2B599C Copyright string: " (c) 2001 - 2006 TrendChip Technologies Corp."
  36. 2841044 0x2B59D4 Copyright string: " (c) 2001 - 2006 "
  37. 2865263 0x2BB86F LZMA compressed data, properties: 0x48, dictionary size: 33554432 bytes,
  38. uncompressed size: 16777216 bytes
  39. 3037283 0x2E5863 LZMA compressed data, properties: 0x5C, dictionary size: 33554432 bytes,
  40. uncompressed size: 16777216 bytes
  41. 3037543 0x2E5967 LZMA compressed data, properties: 0xB4, dictionary size: 33554432 bytes,
  42. uncompressed size: 16777216 bytes
  43. 3209377 0x30F8A1 LZMA compressed data, properties: 0x40, dictionary size: 2097152 bytes,
  44. uncompressed size: 2097216 bytes
  45. 3350495 0x331FDF LZMA compressed data, properties: 0xB8, dictionary size: 16777216 bytes,
  46. uncompressed size: 538981760 bytes
  47. 3445523 0x349313 LZMA compressed data, properties: 0x40, dictionary size: 16777216 bytes,
  48. uncompressed size: 949368448 bytes
  49. 3563851 0x36614B LZMA compressed data, properties: 0x90, dictionary size: 16777216 bytes,
  50. uncompressed size: 33554432 bytes
  51. 3652626 0x37BC12 GIF image data, version "89a", 16 x 16
  52. 3653238 0x37BE76 GIF image data, version "89a", 16 x 16
  53. 3654302 0x37C29E GIF image data, version "89a", 16 x 16
  54. 3655370 0x37C6CA GIF image data, version "89a", 16 x 16
  55. 3734691 0x38FCA3 LZMA compressed data, properties: 0x88, dictionary size: 33554432 bytes,
  56. uncompressed size: 167772160 bytes
  57. 3737404 0x39073C Copyright string: " (c) 1996-2000 Express Logic Inc. * ThreadX R3900/Green Hills "

Popular posts from this blog

Hidden Wiki

[SOLVED] IDM WAS REGISTERED WITH A FAKE SERIAL NUMBER

Mouse, touchpad, and keyboard problems in Windows