{"id":623150,"date":"2023-03-29T09:49:20","date_gmt":"2023-03-29T14:49:20","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/03\/29\/establishing-a-uart-root-connection-to-a-tp-link-wireless-router\/"},"modified":"2023-03-29T09:49:20","modified_gmt":"2023-03-29T14:49:20","slug":"establishing-a-uart-root-connection-to-a-tp-link-wireless-router","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/03\/29\/establishing-a-uart-root-connection-to-a-tp-link-wireless-router\/","title":{"rendered":"Establishing a UART Root Connection to a TP-Link Wireless Router"},"content":{"rendered":"<div>\n<p>Feb. 16, 2023<\/p>\n<h2 id=\"background\">Background<\/h2>\n<p>Many IoT devices today use a serial communication interface known as the Univeral Asynchronous Receiver Transmitter (UART). The purpose of this interface is to give direct access to the IoT operating system via a command line interface (CLI) for debugging. In many cases, the underlying operating system is just a Unix system, which means backdooring these systems should be (hopefully) very simple.<\/p>\n<p>I worked on this a while ago but finally was able to get all of the images together and uploaded. I found an unused TP-Link router and thought I\u2019d mess with it a little. I noticed it had a UART connection which gave me an easy root shell. Then I modded the firmware and flashed it onto the device. It was easy enough\u2026 But I may have soft locked it \ud83d\ude1b<\/p>\n<h2 id=\"recon\">Recon<\/h2>\n<p>Here is the device in question:<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/router.jpg\" alt><\/p>\n<p><em>TP-Link Technologies Co., Ltd.<\/em> 300Mbps Wireless N Router <strong>WR841NV14<\/strong><\/p>\n<p>FCCID: <strong>TE7WR841NV14<\/strong><\/p>\n<p>I threw the ID into fccid.io and found its documentation along with internal photographs:<\/p>\n<p><a href=\"https:\/\/fcc.id\/TE7WR841NV14\">fcc.id\/TE7WR841NV14<\/a><\/p>\n<p>I took mine apart and found that the internals were pretty much the same (obviously):<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/internals.jpg\" alt><\/p>\n<p>Then I looked around at the various chips and discovered a row of 4 pins which looks to be a UART connection interface! (I soldered on the header pins after I found it)<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/pins.png\" alt><\/p>\n<p>I grabbed my UART to USB interface adapter and plugged in everything:<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/uart.jpg\" alt><\/p>\n<p>Then I opened up PuTTY and connected to COM7 which was the serial device that appeared in the Windows Device Manager:<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/device_manager.png\" alt><\/p>\n<p>I set the baud rate to 115200 because the device was relatively new and I figured it would be a good first starting guess. And I was right!<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/putty.png\" alt><\/p>\n<p>And just like that I had a root shell on the router.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/shell.png\" alt><\/p>\n<h2 id=\"pilfering\">Pilfering<\/h2>\n<p>After gaining access like a total 1337 h4x0r I took a look at <strong>\/etc\/passwd<\/strong><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/passwd.png\" alt><\/p>\n<p>This made it easy enough to throw into hashcat and I came across a pretty funny result:<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/hashcat.png\" alt><\/p>\n<p>This will give us SSH access to the router with the user <strong>admin<\/strong>, and based off of the running processes, ssh an active service:<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/ps.png\" alt><\/p>\n<h2 id=\"modding-the-firmware\">Modding the Firmware<\/h2>\n<p>I wanted to install some sort of backdoor but the filesystem is read-only. So I had to resort to modding the firmware and reflashing it.<\/p>\n<p>I went to the TP-Link site and downloaded their latest <a href=\"https:\/.tp-link.com\/upload\/firmware\/2022\/202211\/20221123\/TL-WR841N(US)_V14_220816.zip\">firmware image<\/a><\/p>\n<p>I downloaded it, unzipped it, and then used <a href=\"https:\/\/github.com\/rampageX\/firmware-mod-kit\">firmware-mod-kit<\/a> to extract it. I could have just use <strong>binwalk<\/strong> to extract, but doing it this way allowed me to repack it with relative ease.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/extracted.png\" alt><\/p>\n<p>After making a seemingly minor addition to one of the web files and repacking the firmware, I flashed it onto my device.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/mod.png\" alt><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/repack.png\" alt><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/flash.png\" alt><\/p>\n<p>After the router rebooted, I traveled to its IP address and found that my changes were applied successfully! However, the page it now broken and I cannot access any of the routers functions. Sloppy front end development on my part. Hopefully I can fix it soon.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/staging.rickconsole.com\/images\/hardware-hacking-tp-link\/whoops.png\" alt><\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>Being able to identify certain aspects of SBCs can be very valuable for hardware hacking! This was a great experiment in firmware modding and the UART interface.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/staging.rickconsole.com\/posts\/hardware-hacking-tp-link\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Qiana Center<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Feb. 16, 2023 Background Many IoT devices today use a serial communication interface known as the Univeral Asynchronous Receiver Transmitter (UART). The purpose of this interface is to give direct access to the IoT operating system via a command line interface (CLI) for debugging. In many cases, the underlying operating system is just a Unix<\/p>\n","protected":false},"author":1,"featured_media":623151,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27017,114108,46],"tags":[],"class_list":["post-623150","post","type-post","status-publish","format-standard","has-post-thumbnail","category-connection","category-establishing","category-technology"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/623150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=623150"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/623150\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/623151"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=623150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=623150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=623150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}