Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: 1 [2]

Author Topic: TP-Link TD-W9980 shell access trick  (Read 26067 times)

int0x13

  • Just arrived
  • *
  • Posts: 4
Re: TP-Link TD-W9980 shell access trick
« Reply #15 on: June 21, 2016, 10:10:43 PM »

Yes, I know. The 9980 and later TP-Link models compress the config file before encrypting it. The StatPOSTer program can't do the decompression. It can't really do the compression either, but it can fake it so that an uploaded file will be accepted by the firmware.

You have to upload a sample config file such as the one attached to the first post of this thread.

After you've gained shell access and set up everything, you can access the config xml by saving /dev/mtdblock3 to a file e.g. "cat /dev/mtdblock3 > /var/usbdisk/DiskName/conf.bin" and then using a hex editor or something to remove the few non-xml bytes at the start and all the padding at the end of the file.
thank you very much, i will try this and report if success.
Logged

int0x13

  • Just arrived
  • *
  • Posts: 4
Re: TP-Link TD-W9980 shell access trick
« Reply #16 on: July 05, 2016, 05:32:22 PM »

Yes, I know. The 9980 and later TP-Link models compress the config file before encrypting it. The StatPOSTer program can't do the decompression. It can't really do the compression either, but it can fake it so that an uploaded file will be accepted by the firmware.

You have to upload a sample config file such as the one attached to the first post of this thread.

After you've gained shell access and set up everything, you can access the config xml by saving /dev/mtdblock3 to a file e.g. "cat /dev/mtdblock3 > /var/usbdisk/DiskName/conf.bin" and then using a hex editor or something to remove the few non-xml bytes at the start and all the padding at the end of the file.
Ok i did it, now i got mu telnet running on the port 1023. But i dont understand what is the purpose of saving the config file from mtdblock3?
I did save it and i hexedit it to remove the junk.
1) But now i dont understand what did you ask to do this?
2) To restore that config file, i should encrypt it?
thx.
Logged

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: TP-Link TD-W9980 shell access trick
« Reply #17 on: July 05, 2016, 06:04:35 PM »

1. It's not essential, but it might be useful in future, if you want to edit and restore the config, without setting up everything from the beginning again.

2. If you need to upload it, then yes, you'd need to use the StatPOSTer program to encrypt it first.
Logged

int0x13

  • Just arrived
  • *
  • Posts: 4
Re: TP-Link TD-W9980 shell access trick
« Reply #18 on: July 05, 2016, 06:46:09 PM »

1. It's not essential, but it might be useful in future, if you want to edit and restore the config, without setting up everything from the beginning again.

2. If you need to upload it, then yes, you'd need to use the StatPOSTer program to encrypt it first.
Ok! I felt dumb because i cannot see the purpose.
Now i want to add an updated busybox but so far no success. I tried with every busybox version i could find, but so far no luck, here is what i did:
https://bpaste.net/show/1b9cc32da069
I dont know why my mips binary is not working, it just hang infinintely. I have other binaries compiled for MIPS big endian that are working (such as strace as you can see), here the strace log of the stuck process:
https://bpaste.net/show/d7c320be5c33
Logged
Pages: 1 [2]