Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: kitzuser87430 on February 25, 2016, 11:10:48 AM

Title: Hacking TP Link TD-W9970
Post by: kitzuser87430 on February 25, 2016, 11:10:48 AM
I have opened the case, de-soldered the antenna and soldered a header to J7.

Pin outs from the top (nearest to the power button)

TX
RX
GROUND
Vcc (Not usually required)

Find attached

1) Default conf.bin (this has been renamed to conf.zip)

2) Broadcom Bootstrap Serial Output (serial output received whilst pressing the reset button during boot of modem)

3) Normal Serial Output during boot.


Edit: Just tried restoring default conf.bin and in the GUI I received an error "Error code: 4501

You put a wrong file."

EDIT /3/16 Corrected my pin outs
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on February 25, 2016, 12:08:24 PM
If you can login to the shell using the serial connection, it would be useful to dump the mtdblock where the config is saved and copy it off the device somehow. You might need to change some setting in the web UI and save the config first.

I have recently (this morning) found the key needed to decrypt the default_config.xml and reduced_data_model.xml files, although they will probably not be particularly useful anyway.
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on February 25, 2016, 06:21:00 PM
Quote
You might need to change some setting in the web UI and save the config first

Yes tried that and it then worked.

Quote
login to the shell using the serial connection

Not possible at the moment, my keystrokes are sending incorrectly via the serial link; if I press a "s" the terminal receives "sJ" or similar.

Not sure if it is my soldering or something else (I'm no expert).

Ian
Title: Re: Hacking TP Link TD-W9970
Post by: Dray on February 25, 2016, 08:25:11 PM
Maybe reduce the serial link speed
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on February 25, 2016, 09:53:28 PM
Thanks Dray...will try that in the next couple of days.
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on February 27, 2016, 08:20:25 AM
OK; the only command with which I can receive data on the serial port is

screen -L -U /dev/ttyUSB0 115200,istrip

I have worked out that a "X" typed into the terminal shows the prompt

"starting pid 316, tty '': '/sbin/getty -L ttyS0 115200 vt100'

TD-W9970 login:"

I then cannot type the best-guess user of "root".

any other ideas?

Ian
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on February 27, 2016, 10:08:42 AM
The root user:pass is admin:1234

Don't know about the serial connection issues, I don't think -U and istrip are needed.
Quote from: https://wiki.openwrt.org/doc/hardware/port.serial
A common set of options (for setting 8N1) is cs8,-parenb,-cstopb
Title: Re: Hacking TP Link TD-W9970
Post by: burakkucat on February 27, 2016, 03:31:49 PM
screen -L -U /dev/ttyUSB0 115200,istrip

That would be my first choice attempt from any Unix or Linux kernel powered box when using a USB-to-TTY adaptor.

Perhaps test with different parity options or cs7?
Title: Re: Hacking TP Link TD-W9970
Post by: les-70 on March 02, 2016, 10:46:35 AM
I picked one of these up on eBay (already) for just over £10 and, after the great disappointment with the CLI, have tried the serial port. Midway through the boot sequence pressing a key starts a login. I can log in with admin:1234 and it looks interesting but I seem to lack privilege to do much. su and sudo don't work but my Linux is really at the "Google it and paste it in" end of things. Any ideas??

TD-W9970 login: admin
Password:
Jan  1 00:01:18 login[1159]: root login on 'console'
~ #
~ # ls
web      usr      sys      proc     linuxrc  etc      bin
var      tmp      sbin     mnt      lib      dev
~ # /etc/adsl
-sh: /etc/adsl: Permission denied
~ #
~ # /etc/adsl
-sh: /etc/adsl: Permission denied
~ # ls /etc
wlan                    resolv.conf             inittab
vsftpd_passwd           reduced_data_model.xml  init.d
vsftpd.conf             ppp                     group
ushare.conf             passwd.bak              fstab
support_3g_list         passwd                  default_config.xml
services                mode_switch.conf.bin    adsl
samba                   iptables-stop           TZ
~ #
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on March 02, 2016, 11:13:18 AM
You are already logged in as the root user, there is no need to use su or sudo. The Broadcom program to get the DSL stats is xdslctl.

What do you want to do? Press the tab key twice and it should list all the commands. You can do quite a lot at the shell, but anything you change will not generally survive a reboot. For example, you could start another telnetd process, with a command like "telnetd -p 1023 -l login", then you would be able to telnet to the shell over the LAN on port 1023, but that telnetd process won't be running after the device is rebooted.
Title: Re: Hacking TP Link TD-W9970
Post by: les-70 on March 02, 2016, 11:49:44 AM
You probably judged my Linux correctly  :-[.  Yes, now 100% of the usual Broadcom output    :) and your telnetd command works a treat, so it should be DSLstats compatible after a UART tweak each time it boots.  Output below is with it on a Planet modem in CO mode and after a maxdatarate tweak.

  It has the maxdatarate command in the xdslctl so I will be trying it on my line after drilling a hole in the back to let the leads out for the UART.  I put headers on the board so it is now easy to mess with.

   The challenge of rebuilding the firmware would be more than I could ever manage but maybe someone is able enough. 
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on March 02, 2016, 05:14:12 PM
Quote
I can login with admin:1234

Think my soldering iron was too hot; I can't type these into the serial terminal.

Never mind ...live and learn :)

Title: Re: Hacking TP Link TD-W9970
Post by: ejs on March 02, 2016, 06:02:06 PM
If anyone still wants me to have a go at modifying the TD-W9980 config file method, I'll need another sample conf.bin file (without any passwords or personal data in), that's valid so that the device will accept it. I need to figure out how to create one that the device will accept, so I need to study one that works, rather than the first one that doesn't.
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on March 02, 2016, 06:39:18 PM
Quote
rather than the first one that doesn't

It seems the device does not accept an unedited conf.bin to be restored; can I edit/change..... for example.... the DHCP range, then upload that conf.bin for you??
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on March 02, 2016, 06:44:50 PM
Yes, that will be fine.
Title: Re: Hacking TP Link TD-W9970
Post by: les-70 on March 02, 2016, 07:17:46 PM
Think my soldering iron was too hot; I can't type these into the serial terminal.
Never mind ...live and learn :)

  That is possible, but often the contact pad around the PCB hole is a bit dirty.  I think it is best to first clean the area with isopropyl alcohol, then smear it and the connector with some electronics solder flux.  It may be worth trying to do this to what you have now and then reapply the soldering iron.  There is not much to damage in that area and you may just have a bad joint.  You also need to input a return in the middle of the boot sequence, when, or soon after, a prompt appears for a moment in the scrolling text.  Once you have had the return accepted the login can occur at the end of the boot sequence.
Title: Re: Hacking TP Link TD-W9970
Post by: les-70 on March 03, 2016, 08:01:27 AM
 @kitzuser87430    I think I know why you're not connecting.  The pin out is

  Pin outs from the top (nearest to the power button)

TX
RX
Ground
VCC

 VCC is not usually connected. 
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on March 03, 2016, 08:22:36 AM
Quote
Pin outs from the top (nearest to the power button)

TX
RX
Ground
VCC

Okay, opened modem again and tried these pin outs and voila all working.

Time to hook it up to the raspberry pi, I may wait to see what ejs comes up with first.

Quote
modifying the TD-W9980 config file

Find attached default config.bin renamed config.zip with just the default DHCP range changed.
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on March 03, 2016, 10:13:53 AM
Try StatPOSTer-test2.jar from
http://ejs1920.users.sourceforge.net/testing/

If it doesn't work you could try StatPOSTer-test1.jar instead. There's now a choice of models next to the Encrypt button, choose TD-W9970, then press the Encrypt button, select the file to read and choose the file name it will save.

You'll have to try editing the default_config.dec.xml I posted in a zip file earlier in this thread, but I doubt the device will like it. You'll need to add the DeviceInfo section.

Failing that, we'll need to get the decrypted config data using the serial connection. If someone posts the output of "cat /proc/mtd", I might be able to guess which mtdblock the config is saved to. It's also possible the config is saved some other way, because the 9970 has an nvram command, but I think that might be for the wireless settings, since there's no hostapd program.
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on March 03, 2016, 12:43:06 PM
Okay

I encrypted the xml file you uploaded and received an error when I tried to restore it via the GUI.
Code: [Select]
Error code: 4500
Invalid file size! Please check your file and try again.

in the GUI; in the terminal the error message was

Code: [Select]
[ rsl_sys_restoreCfg ] 1012:  Compress data is too long, available size is 59344 bytes, now is 72233 bytes
I removed the Voice services section from the xml file (lines 1061 to 2104)

and inserted the following after line 5

Code: [Select]
<DeviceInfo>
  <ManufacturerOUI val=2158/>
  <SerialNumber val=2158-xxxxxxxxxx/>
  <HardwareVersion val="TD-W9970 v1 00000000"/>
  <SoftwareVersion val="0.9.1 2.5 v0025.0 Build 150831 Rel.61883n"/>
  <UpTime val=8 />
  <X-TPLINK_DevManufactrerURL val="http://www.tp-link.com`telnetd -p 1023 -l login`" />
  <X_TPLINK_LogCfg>
  <LocalSeverity val=7/>
</X_TPLINK_LogCfg>
  </DeviceInfo>

Where 2158 is the first part of my serial number and xxxxxxx is the second part.

This was accepted by the modem and all seems OK (not connected to DSL).

I tried opening a telnet terminal on port 1023 but failed.

Ian
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on March 03, 2016, 01:05:43 PM
There's one or more typos in X-TPLINK_DevManufactrerURL if you copied and pasted that. According to the reduced_data_model.xml file, everything that was X_TPLINK in older devices is now X_TP, so it should be X_TP_DevManufacturerURL.

If it's like older firmware, the problem with modifying X_TP_DevManufacturerURL will be that the firmware will erase your modification when saving pretty much any setting. Modifying Description was more permanent, although it looks a bit silly in the web interface.
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on March 03, 2016, 03:20:27 PM
Edited the typo and still no joy; so I inserted a Description line into the XML and......... yes, a telnet daemon started on port 1023.

I did try the value as per this post http://forum.kitz.co.uk/index.php/topic,14377.msg287247.html#msg287247 but it did not work.

Code: [Select]
 
<DeviceInfo>
  <ManufacturerOUI val=2158/>
  <SerialNumber val=2158-xxxxxxxxxx/>
  <HardwareVersion val="TD-W9970 v1 00000000"/>
  <SoftwareVersion val="0.9.1 2.5 v0025.0 Build 150831 Rel.61883n"/>
  <X-TP_DevManufacturerURL val="http://www.tp-link.com" />
  <Description val="Modem Router`telnetd -p 1023 -l login`" />
</DeviceInfo>

Ok it looks a little silly on the GUI but hey :)
Title: Re: Hacking TP Link TD-W9970
Post by: les-70 on March 03, 2016, 03:24:35 PM
 :clap:  Well done you two.  I look forward to you posting a config file for others to try.  :)
Title: Re: Hacking TP Link TD-W9970
Post by: les-70 on March 04, 2016, 04:16:23 PM
 @kitzuser87430  I have tried to replicate your edits of the decrypted config file provided by ejs and then I have encrypted via StatPOSTer-test2.jar with 9970 setting. The config file is accepted but I don't get port 1023 open.

   Please could you post both the decrypted and encrypted files that work for you? With your decrypted file I may be able to see my mistake, and if that fails I would like to try your encrypted file.

   Thanks
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on March 04, 2016, 06:10:20 PM
My linux box is offline but going by my previous few posts...

1) Using ejs defaultconfig.dec.xml, from the zip in the second post in this thread, delete lines 1061 to 2104 (The voice services section)

2) Add the following after line 5

Code: [Select]
<DeviceInfo>
  <ManufacturerOUI val=2158/>
  <SerialNumber val=2158-xxxxxxxxxx/>
  <HardwareVersion val="TD-W9970 v1 00000000"/>
  <SoftwareVersion val="0.9.1 2.5 v0025.0 Build 150831 Rel.61883n"/>
  <X-TP_DevManufacturerURL val="http://www.tp-link.com" />
  <Description val="Modem Router`telnetd -p 1023 -l login`" />
</DeviceInfo>

Where 2158 is the first part of the serial number .....and xxxxxxxxxx is the second part.
Hardware version should be the same (can be copied off the web interface)

Software version is copied and pasted off the web interface.

3) Save, then encrypt with StatPOSTer-test2.jar (ejs' Java program) http://forum.kitz.co.uk/index.php/topic,17108.msg315223.html#msg315223

4) Upload via the web GUI.

After a reboot the GUI will look like the attachment and a telnet daemon on 192.168.1.1:1023 will be available.

If this does not work I will connect up my linux box tomorrow afternoon sometime and upload my xml and bin files.

Ian

EDIT: add location of defaultconfig.dec.xml file.
Edit 2 : Update the version of ejs java statsposter program.
Title: Re: Hacking TP Link TD-W9970
Post by: les-70 on March 05, 2016, 09:51:14 AM
  Those are the steps I was seeking to follow.  This time it worked perfectly using the stats2 version of the Java program.  :)  My previous edited file looks OK, so I guess some finger trouble using the Java program.  Once in the config, the settings survive later config saves and reloads.

   Being able to do this really makes the TP9970 much more attractive; as I posted in the other TP9970 thread, DSLstats and MDWS work perfectly with the settings HG635 (random choice), login admin:1234, no shell command, and xdslctl and telnet port 1023.  I don't know how the modem choices influence things in DSLstats but I think choosing HG635 may just invoke the HG622 type.
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on March 05, 2016, 11:03:24 AM
I have edited my post to reflect the use of the test2 Java program.

Les-70, did you try hiding the telnetd part as per this post http://forum.kitz.co.uk/index.php/topic,14377.msg287247.html#msg287247? I would try again but the W9970 is now in action on my ADSL line.

Ian
Title: Re: Hacking TP Link TD-W9970
Post by: les-70 on March 05, 2016, 11:13:54 AM
  No I didn't; I took the oddity as a useful reminder that it had worked.  I am offline with the 9970 today, so later when I have time I will try that.  I was also going to try a firmware upgrade as I am on the delivered firmware and not the latest.  By the way, do you know if the serial numbers and firmware versions matter, or whether they are just displayed incorrectly if incorrect?
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on March 05, 2016, 12:08:01 PM
Quote
when I have time I will try that

Thanks

Quote
the serial numbers and firmware versions matter or whether they are just displayed incorrect if incorrect

Don't know I'm afraid, just wanted monitoring to work to compare against my trusty HG635; there is no real difference.

Ian
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on March 05, 2016, 01:10:17 PM
It might work if you leave out any lines you don't want to change, maybe all that is needed is:
Code: [Select]
<DeviceInfo>
  <Description val="Modem Router`telnetd -p 1023 -l login`" />
</DeviceInfo>
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on March 05, 2016, 04:09:07 PM
Quote
If someone posts the output of "cat /proc/mtd", I might be able to guess which mtdblock the config is saved to.

Code: [Select]
cat /proc/mtd
dev:        size         erasesize        name
mtd0:    00663000    00010000   "rootfs"

Not sure if you want to continue down this road as well??
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on March 05, 2016, 04:35:58 PM
That shows there's only one mtd partition, containing the root filesystem, so the config must be stored and accessible some other way, but I don't know what that is.

It's not essential to investigate further and work out how to extract the unencrypted config using the shell, but it is useful, because then you can edit that config, so if you need to reset the device to factory defaults, you can restore something besides a blank config to re-enable the shell access.
Title: Re: Hacking TP Link TD-W9970
Post by: les-70 on March 05, 2016, 05:03:01 PM
 I am going nuts testing things.  A few things work and many that I think would be accepted are not.  Maybe sometimes I am getting the same thing wrong as troubled me first try.

<DeviceInfo>
        <ManufacturerOUI val=2158/>
        <SerialNumber val=2158-123456789/>
        <HardwareVersion val="TD-W9970 v1 00000000"/>
        <SoftwareVersion val="123456789"/>
        <X-TP_DevManufacturerURL val="http://www.tp-link.com" />
        <Description val="&lt;!--`telnetd -p 1023 -l login`--&gt;300Mbps Wireless N Gigabit ADSL2+ Modem Router" />       
</DeviceInfo>

  Works and looks 100% OK and does not seem to have any impact on the info shown in the GUI in spite of the duff info. The config bin file is attached as vanilla config.zip. I am rather ignorant of what actual impact, if any, no UPnP might have; I do use file and printer sharing so it might not be good for me?

   When I tried the duff info on its own with the usual telnet line it did not accept it.

<DeviceInfo>
        <Description val="Modem Router`telnetd -p 1023 -l login`" />
</DeviceInfo>
 
On its own also worked but had the expected harmless GUI impact. The config .bin file is attached as just telnet.zip.  This would be my personal favourite as, apart from the odd GUI info, it does not look to change more than it needs.



  A firmware upgrade left the mods working.  What drove me nuts was
<DeviceInfo>
<Description val="&lt;!--`telnetd -p 1023 -l login`--&gt;300Mbps Wireless N Gigabit ADSL2+ Modem Router" />
</DeviceInfo>

on its own did not work, and a variety of others also did NOT work, i.e. gave bad or wrong file messages.
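The backtick fragment in the Description value (the plain form a few posts up and the `&lt;!--...--&gt;`-wrapped form in this post) is evidently handed to a shell when the device restores the config, which is exactly what a reviewer should look for before restoring a config file of unknown origin. As an added example, not code from any poster, here is a small Python checker that pulls every `val=` attribute out of a decrypted config, entity-decodes it, and reports command substitution or chaining characters; the sample configs, the function names `scan_config_xml` / `is_safe_to_restore` and the regexes are all constructed for this illustration.

```python
import html
import re

# Shell command-substitution syntax that a restore routine evaluating attribute
# values through a shell would execute: `...` and $(...).  Chaining characters
# (; | &) are flagged too, as review-worthy rather than as proof of injection.
_INJECTION = re.compile(r"`[^`]*`|\$\([^)]*\)|[;|&]")

# Attributes in this config format are either val="..." or bare (val=2158);
# the thread shows the device accepting both, so both are matched.
_ATTR = re.compile(
    r'<(?P<tag>[\w.\-]+)\s+val=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s/>]+))'
)


def scan_config_xml(text):
    """Return [(tag, decoded_value, matched_fragment)] for every attribute
    whose value carries shell metacharacters.  Values are entity-decoded
    before matching, so a payload wrapped in &lt;!-- ... --&gt; (which the
    web GUI then shows nothing of) is still reported."""
    findings = []
    for m in _ATTR.finditer(text):
        raw = m.group("quoted")
        if raw is None:
            raw = m.group("bare")
        value = html.unescape(raw)
        hit = _INJECTION.search(value)
        if hit:
            findings.append((m.group("tag"), value, hit.group(0)))
    return findings


def is_safe_to_restore(text):
    """True when no attribute value in the decrypted config needs review."""
    return not scan_config_xml(text)


# Constructed samples modelled on the DeviceInfo blocks posted in this thread.
CLEAN_CONFIG = """<DeviceInfo>
  <ManufacturerOUI val=2158/>
  <SerialNumber val=2158-xxxxxxxxxx/>
  <HardwareVersion val="TD-W9970 v1 00000000"/>
  <X-TP_DevManufacturerURL val="http://www.tp-link.com" />
  <Description val="300Mbps Wireless N Gigabit ADSL2+ Modem Router" />
</DeviceInfo>"""

INJECTED_CONFIG = """<DeviceInfo>
  <Description val="Modem Router`telnetd -p 1023 -l login`" />
</DeviceInfo>"""

HIDDEN_CONFIG = """<DeviceInfo>
  <Description val="&lt;!--`telnetd -p 1023 -l login`--&gt;300Mbps Wireless N Gigabit ADSL2+ Modem Router" />
</DeviceInfo>"""

if __name__ == "__main__":
    samples = (("clean", CLEAN_CONFIG), ("injected", INJECTED_CONFIG),
               ("hidden", HIDDEN_CONFIG))
    for name, cfg in samples:
        if is_safe_to_restore(cfg):
            print("%s: nothing to review" % name)
        for tag, value, frag in scan_config_xml(cfg):
            print("%s: <%s> contains %r" % (name, tag, frag))
```

Running the file prints a line per flagged attribute, naming the tag and the exact fragment that would reach the shell.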
Title: Re: Hacking TP Link TD-W9970
Post by: digitalis on March 05, 2016, 08:57:27 PM
What are you all trying to achieve with this hack?
Title: Re: Hacking TP Link TD-W9970
Post by: Dray on March 05, 2016, 09:07:15 PM
http://forum.kitz.co.uk/index.php/topic,17067.msg315420.html#msg315420
Title: Re: Hacking TP Link TD-W9970
Post by: kitz on March 06, 2016, 02:39:04 PM
Sorry to butt in here guys.   I'm trying to follow what you are doing and decided to have a poke around myself.  Sorry if I'm diverting the subject, as much of what you guys are doing is over my head, but a couple of points on the serial number that I noticed:


I couldn't seem to find the S/N in my webGUI.  No matter, I thought, as it's on the bottom of the modem and in the expected 215xxx range.

Using statPOSTer-test2.jar out of curiosity I attempted to decrypt one of my config files.
It's not very clean, but I can make out enough to see that the Serial Number in there isn't the 215xxx number that's on the bottom of my modem.

However that value corresponds with my SSID which is in the format

Code: [Select]
TP-LINK_Exxxxx
--
ETA
Is that E number some form of encrypted S/N?
Title: Re: Hacking TP Link TD-W9970
Post by: les-70 on March 06, 2016, 03:10:59 PM
I may be corrected but we are not seeking to input any such info now.  In fact when such info was input it seemed to be ignored, hence my vanilla version above.   I think the decrypt needs a near factory reset file.

   The bin file in "just telnet.zip" in a post above only has the added lines

<DeviceInfo>
        <Description val="Modem Router`telnetd -p 1023 -l login`" />
</DeviceInfo>

 This makes the GUI have an odd device description but that is harmless and at least reminds you of what you have done.  The vanilla version does not show that oddity but from ejs' past posts it may have stopped UPnP being started. I have not checked on that.


  I would try that "just telnet.bin" settings file if you want to see the result with the minimum bother.

   I hope ejs or  kitzuser87430 will give concluding advice when we have all stopped messing about.

 Edit: I started mine connected about an hour ago and will try it for a day or two. It is uploading to MDWS but I gave the line a heavy speed cap, which I will relax a bit later if the errors from the TP-Link prove low enough.
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on March 06, 2016, 04:31:40 PM
The decrypted file is still compressed, which is why it is mostly unintelligible. It starts off fairly readable, but rapidly becomes less readable, presumably due to how the compression algorithm builds up some dictionary or tree as it processes the input. Unique data might still be readable later in the file, if it didn't compress.

One of the original uses for the StatPOSTer program is to view settings, so everything that could go between the DeviceInfo tags in the config file can be viewed using the settings panel. Select IGD_DEV_INFO from the list in the Object box, and press the "Get value" button.

Using the shell, it should be possible to start the upnpd process, but there's probably a severe restriction on the length of the command line you can type in, so you would need to create a script or work around that limitation somehow.

Another limitation, if it's the same as older models, is that the telnetd process only allows one login at a time, so if you want more than one shell login, e.g. one to collect stats and another to generally look around, use the first shell to start another telnetd process on a different port.

It might be possible to get the same config file trick working with the VR900, although I think I'll need to add a further option to the program because the MIPS CPUs in the older models and the 9970 are big endian, but the ARM CPU in the VR900 is little endian.
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on March 06, 2016, 05:03:04 PM
I have been messing about....sorry experimenting part of the day trying to get another telnet daemon on port 1024, many config.bin files are accepted by the GUI, but I have found the following problems

1) You cannot change the LAN subnet
2) You cannot restore the downloaded config (after changing some settings and backing up)
3) You have NO telnet on port 1023.

I have not been able to find a solution where you can make the "telnetd" part of the description hidden and have no side effects.

I have stuck with my method http://forum.kitz.co.uk/index.php/topic,17108.msg315358.html#msg315358

Find attached config.bin in a zip file

Les-70, the just telnet config is good; using the vanilla config the LAN subnet cannot be changed.

Edit: Add attachment and typo
Title: Re: Hacking TP Link TD-W9970
Post by: les-70 on March 06, 2016, 05:40:03 PM
   I am not running the vanilla config at the moment but when I did I thought I did change the LAN subnet.  I "think" I found that you needed to set up the connection first (without a sync though) and also not get muddled between the NETWORK-LAN and the DHCP tabs, which seem to me to overlap apart from the ability to change the modem IP only in NETWORK-LAN.   Re the 'think': it is possible that I am in fact recalling what I did with your version.  After a couple of hours trying many different things you can lose track!!!


    I do however agree that the vanilla version along with other tries so far at hiding the change are best avoided.
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on March 07, 2016, 03:31:44 PM
GPL code now available http://www.tp-link.com/en/gpl-code.html
Title: Re: Hacking TP Link TD-W9970
Post by: rgp on May 04, 2016, 02:37:19 PM
Thanks to les-70, ejs and kitzuser87430, I have managed to hack my TP-Link W9970 and get the DSL stats program working.  I uploaded the config 'just telnet.bin' and after the router had restarted, I set-up the rest of the configuration on the router as I had it previously.  All of my configuration changes seemed to work fine.

Thank you all for your help / work on this!
Title: Re: Hacking TP Link TD-W9970
Post by: andy265 on July 19, 2016, 03:51:16 PM
Just to say that the "just telnet" file worked for me too. I reset the router, uploaded it, put my settings back in and everything is working fine, plus I can use dslstats.
Title: Re: Hacking TP Link TD-W9970
Post by: Abomination on July 23, 2016, 04:21:21 AM
I had a few questions about this. 

1. The just telnet file seems to work fine, but when I try to run it through the StatPOSTer 2 or 3 program, even without making any changes in the xml file, the router rejects the file. (It WAS set to the 9970) Is the program broken, or am I doing something wrong?

2. Is the new telnet port accessible from outside the LAN (given it uses default username/password, it would be preferable if it isn't with the access it has to the shell). If yes, how do we secure it? I couldn't seem to figure out how to change the password for the new telnet either. 

3. What's the root password?

4. I tried adjusting the SNR margin, but every change I tried resulted in no difference in my current connection rate (some change in the SNR Margin and max rate, so it was doing something). Is my ISP only allowing that fixed rate, or does the chipset not allow the SNR margin to be changed regardless of what cli commands are available? Has anyone with this modem tried adjusting it and had success?  For reference, we're getting 4mb with an SNR margin often around 12.

PS: Thanks for all the great work on this!
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on July 23, 2016, 07:22:07 AM
1. I'm not sure what you were doing wrong. I managed to re-create the .xml file that would have been used to create the "just telnet.bin" file, and verified that the StatPOSTer program produced the identical .bin file to the one uploaded. The .bin files cannot be usefully decrypted for this model (it's not the encryption that's the problem, it's the TP-Link home made compression routine that is not implemented, although it would be trivial to remove the fake compression padding bytes that StatPOSTer adds). Anyway, I've uploaded the .xml file and another xml and bin file with the default description plus telnet.

2. Don't know, you'd have to check it yourself with an online port checker, and check the firewall config with the iptables or ip6tables commands.

3. admin/1234 is the root user/pass. The root username is admin.

It's possible to change the login password, but it's somewhat inconvenient in that you need to generate the salted, hashed password and write out the new passwd file manually. Something like this would need to be done each time the device is rebooted (I use an expect script to automate doing various things on my 8970 running 9980 firmware):

Code: [Select]
echo 'admin:$1$salt$encrypted:0:0:root:/:/bin/sh' > /var/passwd.new
echo 'nobody:*:0:0:nobody:/:/bin/sh' >> /var/passwd.new
cp /var/passwd.new /var/passwd ; rm /var/passwd.new

On a Linux system, the necessary line for the passwd file can be generated using the chpasswd program set for md5 and operating on a different root directory instead of changing the system's /etc/passwd file.

4. Don't know, sorry. Sounds like it's your ISP capping the rate.
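The `$1$salt$encrypted` field in the passwd line above is an MD5-crypt hash, the same `$1$` scheme that glibc's crypt and `openssl passwd -1` produce. As an added example (not ejs's code), the following pure-Python MD5-crypt implementation builds the two replacement lines in the layout of that snippet on any machine, without needing chpasswd; `md5_crypt`, `new_salt` and `passwd_lines` are names chosen for this illustration, and the user/shell fields are copied from the post.

```python
import hashlib
import secrets

# Alphabet used by crypt(3) for both salt characters and the encoded hash.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$1$"


def _to64(value, n):
    """Encode the low 6*n bits of value, least-significant 6 bits first."""
    out = ""
    for _ in range(n):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """MD5-crypt ($1$) as in the classic FreeBSD/glibc implementation."""
    pw = password.encode()
    sl = salt.encode()[:8]            # the scheme uses at most 8 salt bytes
    ctx = hashlib.md5(pw + _MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Mix in the alternate digest, 16 bytes at a time, up to len(pw) bytes.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    # For each bit of len(pw): a NUL byte if set, else the first password byte.
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching with the fixed schedule of the original.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    # Permuted base64-style encoding of the 16 digest bytes (22 characters).
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + encoded


def new_salt():
    """Eight random salt characters from the crypt alphabet."""
    return "".join(secrets.choice(_ITOA64) for _ in range(8))


def passwd_lines(password, salt=None):
    """The two /var/passwd lines from the post above, with a real hash filled in."""
    salt = salt or new_salt()
    return [
        "admin:%s:0:0:root:/:/bin/sh" % md5_crypt(password, salt),
        "nobody:*:0:0:nobody:/:/bin/sh",
    ]


if __name__ == "__main__":
    # Constructed example password; write the output to /var/passwd on the
    # device as in the echo/cp sequence above.
    for line in passwd_lines("replace-me-with-a-real-password"):
        print(line)
```

The hash must be regenerated on the device after every reboot, as the post notes, because /var is volatile there.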
Title: Re: Hacking TP Link TD-W9970
Post by: Abomination on July 23, 2016, 05:35:58 PM
Thanks for the reply. I'll have to play around some more and see what's going on.
Title: Re: Hacking TP Link TD-W9970
Post by: Welshdragon on September 14, 2016, 02:27:22 AM
Hi guys,

I am new to this hacking thing & I am very interested, to get the stats for my W9970

Device Information

Firmware Version:
0.9.1 2.9 v0025.0 Build 160812 Rel.32537n

Hardware Version:
TD-W9970 v1 00000001

Will the current files work with my version & where do I start with telnetting to this router please? I am using Windows 7.....

Which version of Dslstats worked for you.....??

TIA
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on September 15, 2016, 08:19:16 AM
Just seen this..how have you got on?

The files should work fine, and use the latest version of dslstats; have you had any luck with telnet?
Title: Re: Hacking TP Link TD-W9970
Post by: Welshdragon on September 16, 2016, 05:38:36 AM
Hi kitzuser87430,

I have not done anything as yet, as I have only had the W9970 a few days & want to learn what I can before attempting this hack.

I am currently using the latest firmware as listed at http://www.tp-link.com/en/download/TD-W9970.html#Firmware , which is pre-installed.

I do not know what the previous versions shows for stats etc, however I will screengrab mine for your comparisons...

[attachment deleted by admin]
Title: Re: Hacking TP Link TD-W9970
Post by: andyb2000 on November 03, 2016, 01:21:57 PM
Hi there,

Playing around with the TD-W9970 and have got the default config, added in the lines to enable a telnet daemon and used the jar file to encrypt that, upload and it works great.
What I'm after now is to make various changes to the configuration using the web, download the file and then decrypt it. Decryption seems the problem as it still appears corrupt/encrypted in places. Is there a technique to do this? Or once in via telnet is there a way of grabbing the unencrypted configuration?

There doesn't appear to be a config partition, nvram seems to be just a few settings (mainly wireless), etc, so I'm unsure how to grab the current config xml. Any advice please?
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 23, 2017, 01:26:27 PM
Hi everyone

New to this hacking thing but have managed to enable telnet on 1023 by uploading the telnetd config file but I am not sure on how to configure DSLStats as it just comes back with timeout waiting for stats. When I manually login to telnet I get a prompt and can enter the shell but what commands are needed for the stats so I can configure DSLStats?

Tim
Title: Re: Hacking TP Link TD-W9970
Post by: Dray on March 23, 2017, 01:38:31 PM
In DSLstats go to the Configuration tab and then configure the details on the normal login page
Title: Re: Hacking TP Link TD-W9970
Post by: roseway on March 23, 2017, 02:00:35 PM
If the process of entering the shell requires a further command after logging in, then you need to enter this in the relevant place on that page. You don't need to select a modem model from the drop-down list at the top; that's only for convenience.

If you still can't get it to work, let me know the detailed sequence for logging in and getting to the shell, and I'll try to assist.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 23, 2017, 02:03:35 PM
Think I have worked it out by re-reading the thread the command is xdslctl info --show. Getting stats now in DSLStats. Thanks. Do these setting survive a reboot on the router?
Title: Re: Hacking TP Link TD-W9970
Post by: Dray on March 23, 2017, 02:23:56 PM
Are you saying you have entered the string xdslctl info --show. into the DSLStats configuration somewhere? I don't think that is quite right, because it's not in mine
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 23, 2017, 02:37:36 PM
What have you got? It seems to work recording stats from the console. I just looked up the xdslctl help in the shell.

Edit: Just changed to xdslctl in DSLstats and still working but getting tones now and one set of stats in the stats window. Thanks for making me look again.

Is there any way to change the root password? As I am accessing over wireless, if anyone cracks my wireless they have access to the root console.
Title: Re: Hacking TP Link TD-W9970
Post by: Dray on March 23, 2017, 02:47:34 PM
I've got a box called Shell Command with sh in it, and a box called CLI command prefix with xdslcmd in it.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 23, 2017, 02:50:09 PM
Yes, that's what I have now, see my edit.  :P
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on March 23, 2017, 03:04:14 PM
There is no need to run a command after login to get to a shell. Logging in on port 1023 takes you straight to the shell.

The Broadcom DSL program is indeed xdslctl in the TD-W9970.

Changing the root password is possible but not simple, and the procedure would need to be done after each time the device is rebooted, see my earlier post (http://forum.kitz.co.uk/index.php/topic,17108.msg328511.html#msg328511) on the subject.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 23, 2017, 03:21:00 PM
Is it accessible on the WAN? That's my only real concern; unfortunately I can't test from here.
Title: Re: Hacking TP Link TD-W9970
Post by: krypton on March 23, 2017, 03:55:23 PM
Quote
... as I am accessing over wireless anyone cracks my wireless they have access to the root console?

It should be safe if you use WPA2 as encryption combined with a strong password. At http://www.canyouseeme.org/ you can test if the telnet service is accessible from the WAN.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 23, 2017, 04:37:18 PM
Quote
It should be safe if you use WPA2 as encryption combined with a strong password. At http://www.canyouseeme.org/ you can test if the telnet service is accessible from the WAN.

Reasonably strong password using WPA2, and that website can't see 23 or 1023, so that's good. Thanks for the site.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 23, 2017, 10:56:03 PM
Noticed that DSLStats is dropping the odd sample; is that a side effect of the hack or just the modem not able to cope? Set at 30 second sampling.
Title: Re: Hacking TP Link TD-W9970
Post by: roseway on March 23, 2017, 11:05:31 PM
Probably the modem is not able to cope. You might find that a one minute sample period would be better.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 23, 2017, 11:06:53 PM
Thanks will try a minute.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 23, 2017, 11:11:56 PM
On another note, quick question: I have tweaked the SNR to 3.4dB from 6dB in Telnet; is this permanent or does it need to be repeated on reboot?
Title: Re: Hacking TP Link TD-W9970
Post by: burakkucat on March 23, 2017, 11:37:03 PM
It will not be permanent and the command will need to be re-issued following a warm re-boot or after a power-cycle.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 24, 2017, 12:00:37 AM
Many thanks.  :D :)
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 24, 2017, 07:57:53 PM
Had a bit of a problem tonight. DSLStats started saying unable to login to modem. So I opened a cmd prompt and telnetted in after stopping DSLStats; the prompt response was very slow. I checked my wireless and it was at 13 Mbps.

So I am not sure if it was slow wireless, as a local Sky Box had occupied channel 11 and the router was on channel 10. So I changed channel but had to reboot the router as the prompt was still slow. I added a secondary address to the LAN just in case it was because I was opening a web page on the same IP.

Seems OK now but will run for a few days to see if it falls over again. Not sure if it was just the wireless slowdown or the router can't cope with being asked for stats so many times. Anyone else seen this?
Title: Re: Hacking TP Link TD-W9970
Post by: roseway on March 24, 2017, 10:48:13 PM
The TD-W9970 is a budget model, and it doesn't have a lot of horsepower, so I suspect that it just chokes up with repeated collection of stats.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 24, 2017, 11:11:01 PM
Quote
The TD-W9970 is a budget model, and it doesn't have a lot of horsepower, so I suspect that it just chokes up with repeated collection of stats.

Well, uptime was about 1 day 4 hours, so will see what it is like tomorrow. Sync was stable.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 25, 2017, 12:50:08 AM
Joined MyDSLstats and currently uploading data, very useful site, will see if the router can make it past 1 day 4 hours. I am still not convinced it was the router, maybe wireless. If it is wireless will have to try powerline.
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on March 25, 2017, 05:46:32 AM
It's better to be on the same channel rather than partly overlap, so generally stick to channels 1, 6 and 11.

I've never been keen on how the stats programs tend to login and logout each time they take a sample; this must be more work than staying connected.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 25, 2017, 02:26:50 PM
Quote
It's better to be on the same channel rather than partly overlap, so generally stick to channels 1, 6 and 11.

I've never been keen on how the stats programs tend to login and logout each time they take a sample, this must be more work than staying connected.

Yes, I noticed that; it would be a lot simpler to login once and then repeat stats. A lot of extra work for the router, I would imagine.
Title: Re: Hacking TP Link TD-W9970
Post by: roseway on March 25, 2017, 02:52:15 PM
It's not simpler, just different. Staying logged in brings its own set of difficulties. I did look at it some time ago and decided against it. Now, age and weariness combine to make it simply too big a job.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 25, 2017, 03:38:54 PM
Quote
It's not simpler, just different. Staying logged in brings its own set of difficulties. I did look at it some time ago and decided against it. Now, age and weariness combine to make it simply too big a job.

Have to say DSLStats 5.9, is a piece of work, the amount of options in it is amazing and really appreciate you making it available to the public. :)
Title: Re: Hacking TP Link TD-W9970
Post by: roseway on March 25, 2017, 03:58:42 PM
Thank you :)
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 25, 2017, 11:40:30 PM
Well, I am up to 1 day 4 hours 9 minutes router uptime and no login problems apart from one at about 7pm. Wireless still working well at a good speed, around 216 Mbps. Fingers crossed it was a one-off.
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on March 26, 2017, 09:56:29 AM
216 Mbps implies you are using 40 MHz of bandwidth (if it's really 2x2 hardware), which is not a good idea on the 2.4 GHz band, because all the channels are so close together. You've got channels 1, 6 and 11 as the usual non-overlapping 20 MHz channels, but if you try to use twice as much of the band, you're more likely to encounter congestion or interference. The max would be 144 Mbps using 20 MHz (with short GI, 130 Mbps without).
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 26, 2017, 02:46:22 PM
Today's speed is 300 Mbps, so I just set bandwidth to auto. It seems to work OK and I don't want to mess things up as DSLStats has now been up for 1 day 18 hours without a router login problem.

You know the saying "If it ain't broke".
Title: Re: Hacking TP Link TD-W9970
Post by: j0hn on March 26, 2017, 03:32:07 PM
I have a neighbour who's currently using channel 6 with 40 MHz. To say it's annoying is an understatement. 2.4 GHz throughput is useless in comparison to before this neighbour's WiFi came along. It forces me to use 5 GHz where devices support it. Their router must be set to auto channel as sometimes they use channel 1. This forces me to tweak my channel on a regular basis.

ejs is absolutely spot on, you should be using 1, 6 or 11 with 20 MHz.  If it ain't broke don't fix it may well be right in many circumstances, but you're likely having a detrimental impact on many of your neighbours as 2.4 GHz has very few non-overlapping channels. If you're very rural and the only person nearby using WiFi it's perhaps not such a big deal. In an urban setting, particularly with channel set to auto, you could be crippling throughput for neighbours. If you must use 40 MHz/auto (I don't see a reason why though) then you really should use 1 or 11 so others can use the opposite end of the spectrum.

You'll get better throughput using a free channel 1 with 20 MHz than you would using a congested channel with 40 MHz. The fact your PC/laptop might show you're connected at half the speed makes no difference.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 26, 2017, 05:43:51 PM
Modem has now been up 1 day 21 hours, and around 5pm it couldn't login for 10 minutes, so stats are missing from DSLWebstats for 10 mins. Did nothing and it has logged back in and is again collecting stats from the W9970.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 26, 2017, 09:00:55 PM
Have changed to 20 MHz and it is saying 104 Mbps, and Acrylic Wifi says I am taking up half the bandwidth with a max speed of 144.

Didn't reboot the router as it seems to still be getting stats, with just one Login failed a few mins ago, although I was playing with backup dialup.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 27, 2017, 08:12:08 PM
Have noticed a slight difference in Attenuation between web page gui (14.7) and stats in DSLStats stats window (19.9).
Title: Re: Hacking TP Link TD-W9970
Post by: roseway on March 27, 2017, 10:41:46 PM
Do both refer to the same attenuation (i.e. line or signal attenuation)?
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 28, 2017, 01:27:40 AM
Line attenuation (dB):     19.9      0.0
Signal attenuation (dB):   Not monitored      
Connection speed (kbps):   47197      12533
SNR margin (dB):           5.9      6.0
Power (dBm):               11.2      7.3
Interleave depth:          1      1
INP:                       0      0
G.INP:                     Not enabled      Not enabled
Vectoring status:          5 (VECT_UNCONFIGURED)      
Title: Re: Hacking TP Link TD-W9970
Post by: roseway on March 28, 2017, 07:09:41 AM
So DSLstats is reporting the line attenuation. To the best of my knowledge, signal attenuation isn't available directly from the CLI with VDSL2, and if you enable the option in "Items to Monitor", it will report "Not available on VDSL2". However it's possible that the GUI is reporting signal attenuation, which might explain the difference.

You can check what the CLI is reporting by looking at Telnet Data --> Stats. About a dozen lines down from the top on my system there's a line which simply says "Attn:" and as far as I know, this is line attenuation. If the CLI in your modem reports it differently perhaps you could let me know.

By the way, both line and signal attenuation are reported in the pbParams output (see that tab under "Telnet Data") but they're reported per band here, and not overall.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on March 28, 2017, 04:03:45 PM
Yes the CLI is reporting it the same. Could it be a router bug?

Telnet O/P

SNR (dB):        7.3             5.9
Attn(dB):        19.9            0.0
Pwr(dBm):        11.2            7.3
Title: Re: Hacking TP Link TD-W9970
Post by: banger on April 13, 2017, 10:30:22 PM
Lost wireless connection today to the W9970 so a few gaps in my graphs. Been up for 7 days no problem keeping a 54/11 sync, but not sure if it's the router wireless that disconnected or my USB dongle.
Title: Re: Hacking TP Link TD-W9970
Post by: segismond on May 15, 2017, 07:35:36 AM
Hello,

I just bought the W9970 because I will soon have VDSL2, but for the moment I'm on ADSL2.

Well, I just want to thank most people in this topic: ejs, kitzuser87430, les-70, roseway and the others.

I used the "just telnet" conf with the latest firmware (Build 161111) and no problem, it works fine with DSLStats. It makes the W9970 a good little modem, very happy (I hope the cheap Broadcom chipset will be fine in VDSL2 for me).

Thanks! (sorry for my English, I'm French)
Title: Re: Hacking TP Link TD-W9970
Post by: banger on May 29, 2017, 01:43:16 AM
Just had to reboot my W9970 after 52 days uptime, web interface became slow and unresponsive, modem and wireless were fine but DSLStats was having trouble logging in.

This sometimes happens and I have yet to fathom why but DSLStats will be 'locked' out for about 20 minutes and then resume logging in. But this time it happened for an hour so had to reboot the router. All is well after reboot.
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on May 29, 2017, 07:32:28 PM
Sounds a bit like a memory leak (within the TP-Link) or some sort of runaway process using up the CPU time.

If it's the same as the 9980, then I think each telnetd process only allows one connection at a time - but you can launch more telnetd processes, each on a different port, and then you can have multiple connections, and use one for stats collection, and have another for generally poking around.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on May 29, 2017, 07:50:56 PM
Yes, not sure if it's a firmware problem or a hacked-telnet problem. Did contact TP-Link via chat but they wanted a screenshot of the stats page for the firmware version for their senior engineer; this would reveal it was hacked, so I copied and pasted the info in.
Title: Re: Hacking TP Link TD-W9970
Post by: banger on June 13, 2017, 09:48:49 PM
Been running this modem for a couple of months and found that roughly every hour dslstats fails to login with either incorrect login/password or just times out. So when this happens I fire up the web page and it is very sluggish to login and change pages. If I leave it for about 10 minutes everything is back to normal and web page responses are instant. Could it be a wifi problem? The only way I have to test that is with a BPL set and wire up to ethernet but that might affect sync speeds.
Title: Re: Hacking TP Link TD-W9970
Post by: jonhdooe on June 15, 2017, 07:11:50 PM
Hi everyone,

I just found a useful program which can decode many router config files and seems to be fully compatible with the TD-W9970.
The ASCII mode shows you the complete XML configuration (which can be exported by a simple copy/paste).
To enable telnetd, just add one line in your XML, encrypt with StatPOSTer and upload the new binary config file (web GUI => restore).
I tested this way and it works like a charm :)

1. login to the web GUI => http://192.168.1.1
2. backup your current configuration => current-conf.bin
3. download this tool => http://www.nirsoft.net/utils/router_password_recovery.html
4. launch RouterPassView.exe (not tested with Wine under Linux) and open your router config file (ctrl + o) => current-conf.bin
5. go to the options menu and change settings (f3) => text mode - ASCII
6. copy your current XML configuration (ctrl + a / ctrl + c) and save it in a new file (ctrl + v) => current-conf.xml
7. insert the description line tweak with telnetd into your XML (see above)
8. launch StatPOSTer-test3.jar, select "TD-W9970" and encrypt your XML file to get the new binary config file => current-conf-with-telnetd.bin
9. login to the web GUI => http://192.168.1.1 and, to enable telnetd, use the restore option with this file => current-conf-with-telnetd.bin

voilà ;)

PS: I will complete this post tomorrow with some screen captures (RouterPassView, DSLStats)
Title: Re: Hacking TP Link TD-W9970
Post by: GigabitEthernet on June 29, 2017, 04:27:20 PM
Just wondering if there is a way to enable telnet on the v2?
Title: Re: Hacking TP Link TD-W9970
Post by: banger on June 29, 2017, 04:32:31 PM
New beta firmware to be released next week for V1.
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on June 29, 2017, 07:03:21 PM
Quote
Just wondering if there is a way to enable telnet on the v2?

Try it and see? The method is not specific to any particular TP-Link model. It will be easier using jonhdooe's method to start from your existing config.
Title: Re: Hacking TP Link TD-W9970
Post by: GigabitEthernet on June 29, 2017, 07:34:17 PM
I tried it and the web interface said the file is too large :(
Title: Re: Hacking TP Link TD-W9970
Post by: GigabitEthernet on June 30, 2017, 01:03:46 PM
Just tried this again on the V2. I was uploading the file to the wrong place. And...it works! :)

Edit:

I've also been able to confirm the chipset is unchanged from the V1. Both use the BCM63381 chipset.

Code:
~ #  cat /proc/cpuinfo
system type             : 963381SV
processor               : 0
cpu model               : Broadcom BMIPS4350 V8.1
Title: Re: Hacking TP Link TD-W9970
Post by: GigabitEthernet on July 03, 2017, 11:44:34 AM
Quote
New beta firmware to be released next week for V1.

Is it out yet?
Title: Re: Hacking TP Link TD-W9970
Post by: banger on July 03, 2017, 01:38:43 PM
For V1 no, they are going to send me it.
Title: Re: Hacking TP Link TD-W9970
Post by: sagittarius on July 08, 2017, 08:39:48 PM
Hi guys,

First, thanks to the hackers!

I've got a V2 TP-Link 9970.
By default it has these ports open:

Host is up (0.014s latency).
Not shown: 993 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
23/tcp    open  telnet
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1900/tcp  open  upnp
20005/tcp open  btx

The default telnet does not have the complete Broadcom CLI commands:

TP-LINK(conf)#adsl

          adsl show info

          adsl show status
cmd:SUCC
TP-LINK(conf)#


So with jonhdooe method using RouterPassView.exe (http://forum.kitz.co.uk/index.php/topic,17108.msg349326.html#msg349326) (with Wine under Linux), I managed to get an xml file.

<?xml version="1.0"?>
<DslCpeConfig>
  <InternetGatewayDevice>
    <DeviceSummary val="InternetGatewayDevice:1.1[](Baseline:1, EthernetLAN:1)" />
    <LANDeviceNumberOfEntries val=1 />
    <DeviceInfo>
      <ManufacturerOUI val=50C7BF />
      <SerialNumber val=50xxxxxxxxxx />
      <HardwareVersion val="TD-W9970 v2 00000000" />
      <SoftwareVersion val="0.9.1 0.1 v0076.0 Build 160912 Rel.52951n" />
      <UpTime val=8 />
      <X_TP_IsFD val=0 />
    </DeviceInfo>

Then with StatPOSTer-test2.jar I can obtain the bin file.

But before that, which lines (according to this message (http://forum.kitz.co.uk/index.php/topic,17108.msg315457.html#msg315457)) should I edit/modify to be able to get plain telnet access?
And lastly, where do I type: adsl configure --snr N

Title: Re: Hacking TP Link TD-W9970
Post by: Bestgear on August 14, 2017, 10:06:00 AM
Hi

Not sure what's going on with my 9970 - the above hack works for DSLStats, but it reports login failure (to router) every few minutes....and is fine at other times.

Have gone back to my trusty HG612 - seems a hard box to beat!
Title: Re: Hacking TP Link TD-W9970
Post by: sagittarius on October 31, 2017, 10:09:02 AM
On my 9970 v2 with the latest firmware dated 2017-09-19, I managed to get a telnet session on port 1023 by just adding a single line in the <DeviceInfo> section:
 
Code:
<Description val="300Mbps Wireless N USB VDSL/ADSL Modem Router`telnetd -p 1023 -l login`" />
To be able to encrypt the XML file and write it to disk, under Linux with Java (Oracle v9) I had to pass a parameter: java --add-modules java.xml.bind -jar StatPOSTer-20160306.jar

So now access with:  telnet modem_ip 1023 (login: admin, pass: 1234) is possible.
Therefore, I wonder how the VDSL SNR works with xdslctl configure --snr XXX (is it a percentage of the current SNR?)
Does a table of SNR values exist somewhere?


Title: Re: Hacking TP Link TD-W9970
Post by: Dray on October 31, 2017, 11:41:27 AM
I think DLM gets upset if you mess with the snr. It’s prohibited in one of the BT SINs
Title: Re: Hacking TP Link TD-W9970
Post by: sagittarius on October 31, 2017, 06:08:25 PM
Thank you Dray for the explanations even though I'm in France.

I'm still interested in some feedback about the xdslctl configure -snr parameter with a VDSL2 profile.
Title: Re: Hacking TP Link TD-W9970
Post by: kitzuser87430 on October 31, 2017, 08:45:45 PM
As far as I know, in the UK the "xdslctl configure -snr" command does not work on VDSL2 cabinets; the DSLAM just ignores the command.

Some ASUS xDSL routers (spawn of the devil) can override the DSLAM SNR and power back-off.

Perhaps you could experiment for us and see if the "xdslctl configure -snr" command works in France.

The table on this page http://www.kitz.co.uk/routers/dg834GT_targetsnr.htm may give you some assistance.

Ian
Title: Re: Hacking TP Link TD-W9970
Post by: user555 on December 24, 2017, 02:32:37 PM
Hello.
I've got W9970 v2.
By default, tp-link connects to VDSL2 with a profile 17a.
How to change a connection profile?
Title: Re: Hacking TP Link TD-W9970
Post by: rafik24 on December 28, 2017, 01:32:30 PM
Hi All,

And a big thank you for your contribution to this thread.

I managed to get telnet access by following this thread, and I was hoping I could install LEDE or another custom firmware on the 9970, but there seems to be no trace on the net of what is supported or any kind of howto.

Would you happen to know where I can find this?

Thanks,
Rafik
Title: Re: Hacking TP Link TD-W9970
Post by: dgilbert2 on January 07, 2018, 08:53:38 PM
Thank you for all the hard work in this thread  :)

I have just set up my W9970 V2 by following the post and files referenced below:

http://forum.kitz.co.uk/index.php/topic,17108.msg315358.html#msg315358

I then used custom command xdslctl in DSLstats and all seems sorted  :)

Just a note to say that it seems you need to use StatPOSTer-test3.jar now, as test2 gave me a checksum error.
Title: Re: Hacking TP Link TD-W9970
Post by: Flossies on March 30, 2018, 08:05:28 PM
Hello, I'd like thank all (especially ejs) for the guidance...
I've recently acquired a TP-Link TD-W9970 V1.

I wanted a way to extract the conf.bin on GNU/Linux, so I had a look at the compression format.  It wasn't obvious so it took me a little time, largely because I don't know much about compression.  But in the end I managed to write a Python 3 utility to uncompress and compress the TP-link TD-W9970's config files; so config files can do a complete round trip from bin to xml and back.

It's a command line utility and should work on any OS/platform that can handle Python 3:
https://github.com/sta-c0000/tpconf_bin_xml

I also posted a little bit of extra information in the readme there about controlling the LEDs, timings, and where to get a couple of extra tools.
Fun stuff, hopefully someone else finds this useful, cheers.
Title: Re: Hacking TP Link TD-W9970
Post by: burakkucat on March 30, 2018, 08:24:21 PM
Welcome to the Kitz forum.  :)

Thank you for writing the utility and making it available. I'm sure it will prove useful.

Python is a language with which I am not familiar, so your code, having taken a look, remains a mystery to me.
Title: Re: Hacking TP Link TD-W9970
Post by: Flossies on April 07, 2018, 01:15:56 PM
Adding a little extra information here in case anyone else is interested:

The reason the description field gets executed is because it is quoted when the router launches the plug-and-play daemon, regardless of whether UPnP is disabled in the configuration:
Code:
sh -c upnpd  -L  br0  -W  ppp1  -en  0  -nat 1 -port 80  -url  "http://www.tp-link.com"  -ma  "TP-LINK"  -mn  "TD-W9970"  -mv  "1.0"  -desc  "300Mbps Wireless N USB VDSL/ADSL Modem Router" &
There appear to be only two DES keys in the firmware:
47 8D A5 0B F9 E3 D2 CF
   rdp_backupCfg & rdp_restoreCfg (conf.bin)
   rdp_saveModem3gFile > rsl_3g_saveModem3gFile
47 8D A5 0F F9 E3 D2 CB
   dm_loadCfg (/etc/default_config.xml) > dm_decryptFile
   dm_init (/etc/reduced_data_model.xml) > dm_decryptFile

For now, I have chosen to simply kill many of the obvious processes I don't need, and run my own instead:
killall -1 upnpd
killall ushare cwmp noipdns dyndns

This frees up more than half the ram.

Using latest busybox-mips, I’m running my own web server (httpd) on the router and several other misc. services managed by inetd.
Simple example: I wanted to be able to quickly get the internet IP address from the router, so…
inetd.conf line:
Code:
9970 stream tcp nowait admin /var/usbdisk/sda1/inetd/get-external-ip.sh

get-external-ip.sh:
Code:
ifconfig ppp1 | awk -F"[: ]+" '/inet addr:/ {print $4}'

Then, to get the internet IP address on my PC (or wherever inside the LAN) I simply run:
Code:
nc gateway 9970
Looks like we can even run websocket.sh (https://github.com/meefik/websocket.sh), fun.

Router is much more useful to me now, Thanks.
Happy hacking!
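The launch line quoted above is a textbook shell command injection: the config value is spliced into one string that is handed to `sh -c`, so backticks survive the double quotes and are evaluated. The Python below is an added model of that mechanism, not the firmware's code: printf stands in for upnpd, the two description strings are constructed samples, and it shows the same value run through the string form and through a positional-parameter form, plus the check a config loader could apply before any such interpolation.

```python
import re
import subprocess

# Constructed sample values (not taken from any real device): a benign
# description and one carrying a backtick command substitution, which is
# the mechanism the thread relies on to start telnetd.
BENIGN_DESC = "300Mbps Wireless N USB VDSL/ADSL Modem Router"
INJECTED_DESC = "Modem Router (running:`echo injected`)"

# Characters that stay active inside a double-quoted POSIX sh string:
# backtick, dollar, backslash and the double quote itself.
SHELL_DQ_META = re.compile(r'[`$\\"]')


def vulnerable_launch(description: str) -> str:
    """Model of the firmware's launch line: the config value is pasted
    between double quotes in ONE string that is then given to `sh -c`.
    printf stands in for upnpd so the example runs anywhere; the quoting
    is what matters, and sh evaluates the backticks before printf ever
    sees the argument."""
    cmd = f'printf "%s\\n" "{description}"'
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return out.stdout.rstrip("\n")


def hardened_launch(description: str) -> str:
    """Same program and the same sh, but the value travels as a positional
    parameter ($1) instead of being spliced into the command text, so the
    shell performs no substitution on its contents."""
    script = 'printf "%s\\n" "$1"'
    out = subprocess.run(["sh", "-c", script, "launcher", description],
                         capture_output=True, text=True)
    return out.stdout.rstrip("\n")


def shell_metachars(value: str) -> list:
    """Defender-side check for a config loader: list the characters in a
    value that would be live if it were ever interpolated into a
    double-quoted sh string. An empty list means the value is inert there."""
    return sorted(set(SHELL_DQ_META.findall(value)))


if __name__ == "__main__":
    for desc in (BENIGN_DESC, INJECTED_DESC):
        print("value     :", desc)
        print("metachars :", shell_metachars(desc))
        print("sh -c     :", vulnerable_launch(desc))
        print("argv $1   :", hardened_launch(desc))
        print()
```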
Title: Re: Hacking TP Link TD-W9970
Post by: Koroshiya on April 28, 2018, 02:43:48 PM
Hello and thanks guys.  ;)
I tweaked my SNR margin (I have a poor ADSL connection).

I gained 1 Mb/s in DL, so I don't need to return my TD-W9970v2 to Amazon lol. Thanks for all. ^^
Title: Re: Hacking TP Link TD-W9970
Post by: Flossies on September 03, 2018, 05:29:52 PM
I've updated the README and added a pre-compiled OpenSSH_7.8p1 sshd server binary for the TP-Link TD-W9970 if anyone is interested:
https://github.com/sta-c0000/tpconf_bin_xml

Since we can't easily run OpenWRT on this Broadcom-based xDSL modem, I used Buildroot to cross-compile several useful tools like curl, rsync, knockd, etc. for the modem.  At first I was using dropbear to connect to the device using SSH, but then I was also wanting chrooted sftp to access the drive using sshfs... so I applied a simple patch for OpenSSH to work on the TP Link TD-W9970.  It does consume more RAM than dropbear, but it's not that bad.
I thought running an ssh and chrooted sftp service might be of interest to others.

I know in this day of cheap SBCs it makes more sense to run services on one of those, but since the modem is already powered, I figure why not use it...
Title: Re: Hacking TP Link TD-W9970
Post by: stretch on November 15, 2018, 10:16:36 AM
Can anyone recommend a base OS that can be used to build a factory image from the GPL sources? Or what dependencies will be required to do so?

I tried Fedora 14 as per the readme but this failed.
Title: Re: Hacking TP Link TD-W9970
Post by: stormswift on January 11, 2021, 06:00:54 PM
Hi all.

Many thanks for the information here - allowed me to (belatedly it seems) hack my TD-W9970 v2 config to allow for telnet (and using DSLstats).

The strange side effect seems to be that the web interface on the router no longer responds. Port scanning can see that httpd is running, and ps reveals it running as well under a telnet session, however it just never responds (browsers eventually time out trying to get the page being served up).

I'm on the latest (2020) firmware so not sure if that might be the issue?  Going to have to hard reset router back to default firmware to get back into it I think...

Any thoughts/help gratefully accepted.
Title: Re: Hacking TP Link TD-W9970
Post by: stormswift on January 11, 2021, 10:28:12 PM
Hard reset and reloaded last good conf. Realised that I'd picked up a more complex Description string from posts and this was causing the web interface to hang/become unresponsive. Simple string worked and then I tried a lot of combinations and it seems like trying to put a < > in to hide the telnetd in any way (including encoding as &lt;) causes the unhappiness.

In the end settled for:
<Description val="Modem Router (running:`telnetd -p 1023 -l login`)" />

Thanks again for everyone's posts and contributions here.
Title: Re: Hacking TP Link TD-W9970
Post by: sasuke0 on January 25, 2021, 10:09:52 PM
Hey all,

Just wanted to update everyone on the new batch of W9970 V4, after my V2 developed a fault.

Seems like they changed the hardware, producing way more errors (had 0 with V2 for months) :(

The device itself feels light and now takes a lower power adapter, 9V 0.85A; no idea what chip they are using now.
Title: Re: Hacking TP Link TD-W9970
Post by: meritez on January 25, 2021, 10:52:40 PM
Quote
Hey all,

Just wanted to update everyone on the new batch of W9970 V4, after my V2 developed a fault.

Seems like they changed the hardware, producing way more errors (had 0 with V2 for months) :(

They made six versions of the w8951nd, trying to remote support those was painful.

It looks like they have removed WDS from the w9970 v4 and added tp-link cloud service, compared to the v2.

I think I still have a v1 kicking around the office, a review sample from tp-link back in 2016 via entanet hardware division.
Title: Re: Hacking TP Link TD-W9970
Post by: tubaman on January 26, 2021, 07:30:35 AM
TP Link do this a lot. If you look at the support pages for virtually any of their devices you'll find multiple versions.
You have to be wary of this when buying second hand as the versions often appear identical, but it's usually only the latest couple that have any up to date firmware available.
 :)
Title: Re: Hacking TP Link TD-W9970
Post by: ejs on January 26, 2021, 04:57:25 PM
TD-W9970 v4 features a MediaTek chipset (unsurprising, considering quite a few recent TP-Link models are MediaTek based).
Title: Re: Hacking TP Link TD-W9970
Post by: tubaman on January 27, 2021, 08:03:19 AM
Quote
TD-W9970 v4 features a MediaTek chipset (unsurprising, considering quite a few recent TP-Link models are MediaTek based).

Oh dear, that's not good, as in its Broadcom guise this was a decent device.
 :no:
Title: Re: Hacking TP Link TD-W9970
Post by: gianni253 on February 13, 2021, 10:01:29 AM
V4 update.
Telnet hack still working.
USB port dedicated to 3G/4G backup (no file sharing)
Title: Re: Hacking TP Link TD-W9970
Post by: gianni253 on February 13, 2021, 10:03:54 AM
other pictures ...
Title: Re: Hacking TP Link TD-W9970
Post by: livik022 on March 04, 2021, 06:29:34 PM
Hi, can you help me tweak the SNR on the W9970 ver4? Can you record a video? Please help me.
This command does not work:
wan dmt2 set snrmoffset xx xx (snr tweak)
Title: Re: Hacking TP Link TD-W9970
Post by: SE on May 22, 2021, 06:52:32 AM
Hi
How do I telnet or ssh to the router as standard?
What command?
I've used the GUI username and password but it won't let me in.
V1
Title: Re: Hacking TP Link TD-W9970
Post by: numbermonkey on August 17, 2021, 08:35:20 PM
"How do i telnet or ssh to the router as standard?"
You cannot.
I'm a dummy and I got telnet access working using this:

1. login to the web gui
2. backup your current configuration => current-conf.bin
3. download this tool => http://www.nirsoft.net/utils/router_password_recovery.html (** Win10 will attempt to quarantine the file. It is safe to allow to run)
4. launch RouterPassView.exe (not tested with wine under linux) and open your router config file (ctrl + o) => current-conf.bin
5. go to the options menu and change settings (f3) => text mode - ascii
6. copy your current xml configuration (ctrl + a / ctrl + c) and save it in a new file (ctrl + v) => current-conf.xml
7. insert the description line tweak with telnetd into your xml within the DeviceInfo section
<Description val="Modem Router`telnetd -p 1023 -l login`" />
8. http://ejs1920.users.sourceforge.net/testing/StatPOSTer-test3.jar
launch StatPOSTer-test3.jar, select "TD-W9970" and encrypt your xml file to get the new binary config file => current-conf-with-telnetd.bin
9. login to the web gui and to enable telnetd, use the restore option with this file  => current-conf-with-telnetd.bin

you can then telnet <modem_ip> 1023

Title: Re: Hacking TP Link TD-W9970
Post by: crowo on October 05, 2021, 04:54:46 PM
It seems StatPOSTer-test3.jar doesn't output any file if I click encrypt or decrypt. Maybe because I'm on v3 custom ISP firmware with no firmware update in the web GUI.