Kitz ADSL Broadband Information

Author Topic: Hacking TP Link TD-W9970  (Read 83646 times)

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Hacking TP Link TD-W9970
« on: February 25, 2016, 11:10:48 AM »

I have opened the case, de-soldered the antenna and soldered a header to J7.

Pin outs from the top (nearest to the power button)

TX
RX
GROUND
Vcc (Not usually required)

Find attached

1) Default conf.bin (this has been renamed to conf.zip)

2) Broadcom Bootstrap Serial Output (serial output received whilst pressing the reset button during boot of modem)

3) Normal Serial Output during boot.


Edit: Just tried restoring default conf.bin and in the GUI I received an error "Error code: 4501

You put a wrong file."

EDIT /3/16 Corrected my pin outs
« Last Edit: March 03, 2016, 08:58:53 AM by kitzuser87430 »

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Hacking TP Link TD-W9970
« Reply #1 on: February 25, 2016, 12:08:24 PM »

If you can login to the shell using the serial connection, it would be useful to dump the mtdblock where the config is saved and copy it off the device somehow. You might need to change some setting in the web UI and save the config first.

I have recently (this morning) found the key needed to decrypt the default_config.xml and reduced_data_model.xml files, although they will probably not be particularly useful anyway.

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Hacking TP Link TD-W9970
« Reply #2 on: February 25, 2016, 06:21:00 PM »

Quote
You might need to change some setting in the web UI and save the config first

Yes tried that and it then worked.

Quote
login to the shell using the serial connection

Not possible at the moment, my keystrokes are sending incorrectly via the serial link; if I press a "s" the terminal receives "sJ" or similar.

Not sure if it is my soldering or something else, (I'm no expert)

Ian

Dray

  • Kitizen
  • ****
  • Posts: 2361
Re: Hacking TP Link TD-W9970
« Reply #3 on: February 25, 2016, 08:25:11 PM »

Maybe reduce the serial link speed

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Hacking TP Link TD-W9970
« Reply #4 on: February 25, 2016, 09:53:28 PM »

Thanks Dray...will try that in the next couple of days.

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Hacking TP Link TD-W9970
« Reply #5 on: February 27, 2016, 08:20:25 AM »

Ok; The only command that I can receive data on the serial port is

screen -L -U /dev/ttyUSB0 115200,istrip

I have worked out that a "X" typed into the terminal shows the prompt

"starting pid 316, tty '': '/sbin/getty -L ttyS0 115200 vt100'

TD-W9970 login:"

I then cannot type the best guess user of "root"

any other ideas?

Ian

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Hacking TP Link TD-W9970
« Reply #6 on: February 27, 2016, 10:08:42 AM »

The root user:pass is admin:1234

Don't know about the serial connection issues, I don't think -U and istrip are needed.
Quote from: https://wiki.openwrt.org/doc/hardware/port.serial
A common set of options (for setting 8N1) is cs8,-parenb,-cstopb

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking TP Link TD-W9970
« Reply #7 on: February 27, 2016, 03:31:49 PM »

screen -L -U /dev/ttyUSB0 115200,istrip

That would be my first choice attempt from any Unix or Linux kernel powered box when using a USB - tty adaptor.

Perhaps test with different parity options or cs7?
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.
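
An added illustration (not written by any poster in this thread) of what the istrip, parity and cs7 suggestions above address. It assumes the garbling comes from a data-bits/parity mismatch, which the thread does not confirm; the function names are made up for this sketch and the sample bytes are constructed.

```python
# Added illustration: how a data-bits/parity mismatch garbles console bytes
# and why screen's ",istrip" option hides it. All sample data is constructed.

def parity_bit(code: int, mode: str) -> int:
    """Parity bit a UART appends to the low 7 data bits of `code`."""
    ones = bin(code & 0x7F).count("1")
    if mode == "even":
        return ones & 1          # make the total count of 1s even
    if mode == "odd":
        return (ones & 1) ^ 1    # make the total count of 1s odd
    raise ValueError(f"unknown parity mode: {mode}")

def as_seen_by_8n1(text: str, mode: str) -> bytes:
    """Bytes an 8N1 receiver reads when the sender uses 7 data bits + parity:
    the parity bit lands in bit 7 of each received byte."""
    return bytes((ord(c) & 0x7F) | (parity_bit(ord(c), mode) << 7) for c in text)

def istrip(raw: bytes) -> bytes:
    """What the tty ISTRIP input flag does: clear bit 7 of every byte."""
    return bytes(b & 0x7F for b in raw)

def guess_framing(raw: bytes) -> str:
    """Classify a capture by how bit 7 relates to the low 7 bits."""
    if all(b < 0x80 for b in raw):
        return "8N1-compatible"
    for mode, name in (("even", "7E1"), ("odd", "7O1")):
        if all((b >> 7) == parity_bit(b, mode) for b in raw):
            return name
    return "unknown"

if __name__ == "__main__":
    prompt = "TD-W9970 login: "          # prompt text quoted in the thread
    for mode in ("even", "odd"):
        raw = as_seen_by_8n1(prompt, mode)
        print(mode, raw, "->", guess_framing(raw), "| istrip:", istrip(raw))
```

A capture that only becomes readable with istrip and classifies as 7E1 or 7O1 points at a framing mismatch; one that classifies as "unknown" points elsewhere, for example at the wrong baud rate or an electrical problem.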


les-70

  • Kitizen
  • ****
  • Posts: 1254
Re: Hacking TP Link TD-W9970
« Reply #8 on: March 02, 2016, 10:46:35 AM »

  I picked one of these up on ebay (already) for just over £10 and after the great disappointment with the cli have tried the serial port.  Midway on the boot sequence pressing a key starts a login.  I can login with admin:1234 and it looks interesting but I seem to lack privilege to do much. su and sudo don't work but my linux is really at the google and paste it in end of things.  Any ideas??

TD-W9970 login: admin
Password:
Jan  1 00:01:18 login[1159]: root login on 'console'
~ #
~ # ls
web      usr      sys      proc     linuxrc  etc      bin
var      tmp      sbin     mnt      lib      dev
~ # /etc/adsl
-sh: /etc/adsl: Permission denied
~ #
~ # /etc/adsl
-sh: /etc/adsl: Permission denied
~ # ls /etc
wlan                    resolv.conf             inittab
vsftpd_passwd           reduced_data_model.xml  init.d
vsftpd.conf             ppp                     group
ushare.conf             passwd.bak              fstab
support_3g_list         passwd                  default_config.xml
services                mode_switch.conf.bin    adsl
samba                   iptables-stop           TZ
~ #

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Hacking TP Link TD-W9970
« Reply #9 on: March 02, 2016, 11:13:18 AM »

You are already logged in as the root user, there is no need to use su or sudo. The Broadcom program to get the DSL stats is xdslctl.

What do you want to do? Press the tab key twice and it should list all the commands. You can do quite a lot at the shell, but anything you change will not generally survive a reboot. For example, you could start another telnetd process, with a command like "telnetd -p 1023 -l login", then you would be able to telnet to the shell over the LAN on port 1023, but that telnetd process won't be running after the device is rebooted.

les-70

  • Kitizen
  • ****
  • Posts: 1254
Re: Hacking TP Link TD-W9970
« Reply #10 on: March 02, 2016, 11:49:44 AM »

You probably judged my linux correctly  :-[.  Yes now 100% of usual broadcom output    :) and your telnetd command works a treat so it should be dslstats compatible after a uart tweak each time it boots.  Output below is with it on a Planet modem in CO mode and after a maxdatarate tweak.

It has the maxdatarate command in the xdslctl so I will be trying in my line after drilling a hole in the back to let the leads out for the uart.  I put headers on the board so it is easy to mess with now.

The challenge of rebuilding the firmware would be more than I could ever manage but maybe someone is able enough.

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Hacking TP Link TD-W9970
« Reply #11 on: March 02, 2016, 05:14:12 PM »

Quote
I can login with admin:1234

Think my soldering iron was too hot; I can't type these into the serial terminal.

Never mind ...live and learn :)


ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Hacking TP Link TD-W9970
« Reply #12 on: March 02, 2016, 06:02:06 PM »

If anyone still wants me to have a go at modifying the TD-W9980 config file method, I'll need another sample conf.bin file (without any passwords or personal data in), that's valid so that the device will accept it. I need to figure out how to create one that the device will accept, so I need to study one that works, rather than the first one that doesn't.

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Hacking TP Link TD-W9970
« Reply #13 on: March 02, 2016, 06:39:18 PM »

Quote
rather than the first one that doesn't

It seems the device does not accept an unedited conf.bin to be restored; can I edit/change.....for example.... the dhcp range then upload that conf.bin for you??

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Hacking TP Link TD-W9970
« Reply #14 on: March 02, 2016, 06:44:50 PM »

Yes, that will be fine.