Recently a critical vulnerability has been found in TP-LINK routers and a few other router devices. This particular vulnerability to which I am referring was described here. In short, an attacker, by requesting ROM-0 through an HTTP request (i.e. ), can download all important and secret data stored in your router. This includes your ADSL login/password combination, WIFI password and basically all of your configuration data. Actually I was a bit pissed at TP-LINK for this crap so I have decided to patch the vulnerability by myself.

DISCLAIMER: The author takes no responsibility for any actions taken with the provided information or code. You are doing everything on your own responsibility.

If you are looking for a rom-0 password decoder (rom0 decompressor) - here it is:

The list of vulnerable devices is presented below:

I had one of those devices (TD-W8901G) and I took this as a good fortune sign to start playing with hardware router hacking :-). My task was to patch this vulnerability and make the ROM-0 not downloadable. This was pretty much my first encounter with this type of stuff (and my first encounter with MIPS really). At this point I would like to thank hackerfantastic and robercik for some hardware hints.

Most routers (or embedded devices in general) have some sort of communication port designed to aid the manufacturer with testing and debugging of the target device. This communication port is usually SERIAL (UART/RS232) or JTAG (EJTAG). In my case I was unable to find the JTAG (EJTAG) port but I have found the serial port instead (presented on the images below).

First of all, this is some ugly ass soldering work (yes, I did that). Ok, now getting back to my initial point: I have used a PL2303 RS232-USB converter to connect the serial port to the USB port of my computer. Putty is pretty decent for handling normal serial communication so I have used it as my default client (configuration: 11/N). I was expecting to see some output in my putty but unfortunately I got nothing.

So after some digging around and harassing a few friends (ohayo!) I have found out that my voltage levels on the RX and TX pins were too low (they should be 3.3V). After some further digging and looking at the schematics of this board it became obvious that two resistors are missing (see image above). So I took a piece of wire and connected the empty pins together (in two places, obviously). Now the voltage levels were correct and I was able to see the output in my terminal:

Press any key to enter debug mode within 3 seconds.

After some additional digging I have found that you can use the 'ATHE' command to list all available commands (this is not really deeply documented anywhere):

ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y) set BootExtension Debug Flag (y=password)
ATTI(h,m,s) change system time to hour:min:sec or show current time
ATDA(y,m,d) change system date to year/month/day or show current date
ATDUx,y dump memory contents from address x for length y
ATRBx display the 8-bit value of address x
ATRWx display the 16-bit value of address x
ATRLx display the 32-bit value of address x
ATGO(x) run program at addr x or boot router
ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
ATSH dump manufacturer related data in ROM
ATDOx,y download from address x for length y to PC via XMODEM
ATTD download router configuration to PC via XMODEM
ATLC upload router configuration file to flash ROM
ATXSx xmodem select: x=0: CRC mode(default) x=1: checksum mode
ATLD Upload Configuration File and Default ROM File to Flash
ATCD Convert Running ROM File to Default ROM File into Flash

So at this point we have a set of commands but still no way to debug this thing. We can't see the registers, we can't set breakpoints, we can't step through instructions, so this is a bit like walking in a fog. The good point is that we can read and dump memory. So piece by piece, using the ATDO command, I have dumped the memory from the device.
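The ATDO memory dumps described above travel over XMODEM (ATXS selects CRC or checksum mode). As an added example that is not from the original post, here is a minimal CRC-mode XMODEM receiver run over a simulated serial link with a constructed memory image: it shows why a dump must be cut at the length passed to ATDO rather than stripped of 0x1A padding, and how corrupt and duplicated blocks are handled. The MEMORY sample, the noisy_link helper and all function names are my own assumptions, not the router's or any tool's code.

```python
SOH, EOT = 0x01, 0x04
BLOCK = 128  # classic XMODEM payload size
# Constructed sample "memory region" that deliberately ends in two 0x1A (SUB) bytes.
MEMORY = bytes(range(256)) * 2 + b"\x1a\x1a"

def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection (ATXS x=0 mode)."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def sender_frames(payload: bytes) -> list:
    """Frames a CRC-mode sender emits: SOH, block#, ~block#, 128 data bytes, CRC16 big-endian.
    The final block is padded with 0x1A; the stream carries no length field."""
    frames = []
    for i in range(0, len(payload), BLOCK):
        blk = payload[i:i + BLOCK].ljust(BLOCK, b"\x1a")
        num = (i // BLOCK + 1) & 0xFF
        frames.append(bytes([SOH, num, 0xFF - num]) + blk + crc16_xmodem(blk).to_bytes(2, "big"))
    return frames + [bytes([EOT])]

def noisy_link(frames: list) -> list:
    """Simulated link: replays block 1 (lost ACK) and injects a corrupted copy of block 2."""
    bad = bytearray(frames[1])
    bad[10] ^= 0xFF  # flip one data byte; the CRC must catch it
    return [frames[0], frames[0], bytes(bad)] + frames[1:]

def receive(frames: list, requested_len: int):
    """Receiver: returns (data cut to requested_len, NAKs that would be sent, duplicates dropped)."""
    out, expected, naks, dups = bytearray(), 1, 0, 0
    for f in frames:
        if f[0] == EOT:
            break  # would ACK; transfer complete
        if (len(f) != BLOCK + 5 or f[1] != 0xFF - f[2]
                or int.from_bytes(f[-2:], "big") != crc16_xmodem(f[3:-2])):
            naks += 1  # corrupt frame: would NAK so the sender retransmits
            continue
        if f[1] == (expected - 1) & 0xFF:
            dups += 1  # our ACK was lost: re-ACK, do not append twice
            continue
        if f[1] != expected & 0xFF:
            raise ValueError(f"out-of-sequence block {f[1]}, expected {expected & 0xFF}")
        out += f[3:-2]
        expected += 1
    # Cut at the length given to ATDO instead of stripping trailing 0x1A, which may be real memory.
    return bytes(out[:requested_len]), naks, dups
```

Calling receive(noisy_link(sender_frames(MEMORY)), len(MEMORY)) returns the 514-byte image intact with one NAK and one dropped duplicate; rstrip(b"\x1a") on the same dump would silently lose the last two bytes.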