TL-WR841N copied to clipboard
TL-WR841N Router Hardware Hacking - Reversing and Backdooring
________ _ ______ ____ __ __ ____ __
/_ __/ / | | / / __ \( __ )/ // /< / | / /
/ / / / _____| | /| / / /_/ / __ / // /_/ / |/ /
/ / / /__/_____/ |/ |/ / _, _/ /_/ /__ __/ / /| /
/_/ /_____/ |__/|__/_/ |_|\____/ /_/ /_/_/ |_/
TL-WR841N Router Hardware Hacking
Reversing and Backdooring
📖 Project Overview :
I created this project to discover hardware hacking, I started with an old router (TP LINK TL-WR841N).
Project goals :
- Identify the series port
- Connect to the series port
- Make a full dump of the firmware
- Reverse the firmware
- Backdooring the firmware
- (Optionaly) Understand firmware emulation
I show you my journey of starting hardware hacking, and what I can achieved or not.
I will try to be the more descriptive I can, in every steps.
🚀 Getting Started
This is the list of every softwares and equipement I use.
Equipements :
- Router (TP LINK TL-WR841N)
- Multimeter (with continuity mode)
- Logic analyser (DSLogic U2 Basic)
- TTL to USB converter (DSD TECH SH-U09C5)
- Flash programmer (CH341A)
- SOIC8 clip
Software :
- Logic analyser (dsview)
- Series port communication (putty / screen)
- binary analyser (binwalk)
- (Optionaly) MIPS emulator (qemu)
:computer: Start Hacking
External router photo :
Internal router photo (I unsoldered the antennas) :
1 - Identify components
The first thing I have to do is to identify what is on the board, I am looking for series ports, flash memory / eeprom... On the internal photo we can see a lot of things, first, on the left we can notice that we have severals connectors, the one which contains 4 pins can be UART port or another series port. Then, on the right side of the board there are two 8 pin chip, one of them can be flash memory or eeprom and can contains the firmware.
The next steps are :
- Test the differents series port with a multimeter
- Test the differents series port with logic analyser if the multimeter result seems interresting
- Test the differents chips with a programmer to try to detect them
- Try to dump chip's memory if the programmer detect the chip
2 - Test potentiel series port
To test the 4 pin series port, I start by trying to find the GND with my multimeter in continuity mode (I find it with the GND pin of a chip).
As I expect I can easily find the GND pin, then with my multimeter I looked for the other pins, the first one on the left is the + pin, the voltage is 3,3 V, then the second pin the GND pin. The two last pins, seems to be RX and TX, the third one is 0 V which can be the RX pin waiting for datas, and last one's voltage oscillates (tends to 2,63v), it seems to be the TX pin which transmits the datas.
Now I will use my logic analyser and try to see if these pins send datas.
3 - Using the logic analyser
After I praticaly identify pins, the next step is to see if these pins transmit datas, that is why I connect my logic analyser. The logic analyser just need to be connected to the ground and then to all pins we want to identify, the logic analyser will capture everything that is passings trough the pins and then can identify the protocol and the datas that are transmitted. As you can see I connected the 3 pins, the GND and the "potential" RX and TX pins.
After everthing is connected I can start DSView, I record 1 minute of communication just after the startup up of the router. When I use the decode feature the software detect the communication as UART and it start decoding the datas, as you can see on the DSView UI it start decoding : "Linux Version"...
I post bellow a part of decoded datas I collected (entire datas here :
Id,Time[ns],0:UART: RX/TX
We can indetify that's the router use U-Boot boot loader, the logic analyser has his own limitations, I can't get decoded datas in real time and can't interract with the RX pin. So, the final step is to connect the pins to the TTL to USB adapter and try to interract with the device and get a shell.
3 - Try to get a shell
The TTL to USB adapter permits to interact with the device in UART using tools like screen or putty. The cables have to be correctly connected, as you can see on the scheme bellow, we also need to know the baudrate to correctly communicate with the device, else the datas will not be decoded correctly and will be junk. I configured my adapter on 3,3v for the RX voltage.
You have to plug the cables like this :
My setup :
After some tests, I conclude that I can't interract with the device and can't get a shell.
I have some hypothesis about why I can't interract with the device.
Hypothesis :
- The firmware don't listen to RX and use UART just for logging
- The RX signal is not transmit on the board
- The TX signal is not working on the adapter
I will try to solve every hypothesis and find what is the problem, I will start by the easiest to the hardest to solve. I can only test the 2 last hypothesis because I can't know if the firmware has limitations without reversing it.
1 - The TX signal is not working on the adapter
The hypotesis can be easily discarded, on the TTL adapter there is a led that indicate when a signal is send, and it is perfectly working. Moreover when I connect the TX pin to the RX pin of the adapter everything works great.
So, the problem don't come from the adapter.
2 - The RX signal is not transmit on the board
As you can imagine the problem come from the board, after some investigations and be sure that the problem don't come from the adapter, I found where the problem come from. As you can see bellow, there is a missing resistor, this break the continuity and the signal can't go trough. Then, I reestablished the continuity and try to communicate with the device.
As you can see we progress, now the device receive inputs, datas are absolutely junk but we can now access to the login prompt.
At this point the RX voltage is always 3,3v, the device try to decode datas that I never send so we can imagine that the device interpret the voltage as low and think this is a start of communication (according to how UART works). This is a hypothesis but we can imagine that the voltage of RX is too low, the only higher voltage I have is 5v.