Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[eduardoar]

Dear ejs
Those procedures are very complicated for my limited knowledge.
But isnīt it possible to modify the values inside the router through your software statposter?
I mean by the button "set value".
My xml decrypted file only has 1 instance of the 8980 values, but statposter grabs the others, so I was guessing I could change them inside the router.
<ModelName val=TD-W9980 />
<HardwareVersion val="TD-W9980 v1 00000000" /> this is the only one I can find on my file.
<X_TPLINK_ProductID val=2575302657 />
<X_TPLINK_ProductVersion val=33 />
Many Thanks
Eduardo

[ejs]

No, the StatPOSTer program can't change values that are declared as read only. But they can be changed by uploading a config file that contains new values for them.

You can add lines that aren't already in the config, so that the result looks something like the attached image.

[eduardoar]

Dear Ejs
Thanks for the picture.
I donīt see the xml formatted as the picture, I am looking with notepad and editing  with HxD hex editor.
Iīll look for a software that shows xml formatted and try to edit my config file.
Besides that, my config is 5096 bytes and the decrypted xml file is exactly the same size, but after changing the string 8990 to 9980 on the xml, the encryped bin file gets smaller (4896) or larger (5512) according to checking the "add null bytes" or not.
Any hint?
Thanks
Eduardo

[ejs]

If the file is that small, it's compressed, and cannot be edited. You could try editing one of the attached config files on this thread, and encrypting it with "add null bytes" ticked. I don't know if it will work or not, if it doesn't, the most likely result is the file won't be accepted, and the upload page will say something like "you put a wrong file".

You'll probably have to use mkresin's hex editing the firmware header method.

[AArdvark]

I donīt see the xml formatted as the picture, I am looking with notepad and editing  with HxD hex editor.

Get hold of a copy of Programmer's Notepad
http://www.pnotepad.org/
Handles lots of formats. 

[eduardoar]

Thanks Ejs
I was guessing itīs compressed as you said it could be.
Regarding uploading your sample config file from the 9980, wonīt it change passwords and other stuff from vdsl values?
Regarding the mkresin's method of hex editing the firmware header, it seems much easier, but I guess Iīll have to edit future fw upgrades and I donīt know if it will work then.
Besides, the router page will stay saying 8980, what will be a lesser fun.
Thanks a lot.

[eduardoar]

I donīt see the xml formatted as the picture, I am looking with notepad and editing  with HxD hex editor.

Get hold of a copy of Programmer's Notepad
http://www.pnotepad.org/
Handles lots of formats. 

Thanks, AArdvark, Iīve just downloaded it.
Eduardo

[ejs]

Once the 9980 firmware has been installed on a device, it will then accept new 9980 firmware without any modifications (unless TP-Link do something to prevent us doing this crossflashing in a future firmware).

Uploading the sample config will reset everything to factory defaults, all settings will be lost. I think you lose all settings when crossflashing anyway, and if not, doing a factory reset after the flashing is a good idea.

[eduardoar]

Dear Ejs
Thanks for your effort. Iīll try the firmware editing method as soon as I can.
Eduardo.

[Mooingall]

I don't think it has progressed quite that far yet. Well, we can re-sign a firmware image with our own personal key, but the stock firmware won't accept that. We don't have the TP-Link private key to sign modified images with.

Changing the model numbers only works for uploading stock firmware. An alternative place to change the model numbers is the config file, that's how I flashed the 9980 firmware to my 8970v1.

According to his notes he was able to edit lib/libcmm.so and resigning + reflashing the firmware. It even mentions "patches applied; rootfs "

I don't know, very much over my head.

Its a shame he has vanished already.

[ejs]

libcmm.so contains a public key used to validate the firmware signature of an image you try to flash by uploading through the web interface. If you hex edit libcmm.so and change the key to your own public key, and presumably flash this modified firmware via the bootloader using a serial ttl connection, then your modified firmware will accept images signed with your own key.

Getting the firmware containing the modified libcmm.so onto the device couldn't be done via the web interface.

[Mooingall]

libcmm.so contains a public key used to validate the firmware signature of an image you try to flash by uploading through the web interface. If you hex edit libcmm.so and change the key to your own public key, and presumably flash this modified firmware via the bootloader using a serial ttl connection, then your modified firmware will accept images signed with your own key.

Getting the firmware containing the modified libcmm.so onto the device couldn't be done via the web interface.

That limitation is fine, I would just like to make small edits eventually. Nice to know it is possible.

Wish list:
Auto killing all the junk that starts in the background
Making syslogd actually log useful things
A drop in SSHD replacement (with SFTP)
Add missing common tools like grep / or updated busybox.
Questionable WiFi tweaks

[mkresin]

I'm not vanished!

All questions I saw so far, are already answered by the document I linked to. No need to write the same stuff here again, sorry guys.

For illustration:

That was some hefty right up, so since we can resign we can now edit rootfs? That would sure be useful.

Summary from the linked document: We still need the private key used by tp-link to sign a firmware in way that it is accepted by the firmware upgrade webpage.

Regarding the mkresin's method of hex editing the firmware header, it seems much easier, but I guess Iīll have to edit future fw upgrades and I donīt know if it will work then.

As written in my first post, you need to change the header values to values that match the currently running firmware. If you already run a 9980 firmware and you want to flash a new 9980 firmware, you don't need to do anything.

According to his notes he was able to edit lib/libcmm.so and resigning + reflashing the firmware. It even mentions "patches applied; rootfs "

The patches applied + rootfs stuff is openwrt specific as indicated by the term "openwrt image".

As long as the bootloader does not validate the signature, you can write nearly any image you like directly to the flash and boot it. Either via the bootloader or via a flash programmer.

That limitation is fine, I would just like to make small edits eventually. Nice to know it is possible.

Wish list:
Auto killing all the junk that starts in the background
Making syslogd actually log useful things
A drop in SSHD replacement (with SFTP)
Add missing common tools like grep / or updated busybox.
Questionable WiFi tweaks

You should really consider using a 3rd party firmware like openwrt instead of of patching the stock firmware. Replacing busybox and sshd is a bit more than small edits.

[Mooingall]

Forgive me for not digesting your writeup better..... remember most of us are causal hobbyists..

Regarding OpenWRT I was lead to believe it was a total mess for our devices currently, and DSL stuff will never be officially supported?

[eduardoar]

Dear Mkresin
Thanks for sharing all this information.
Could you please explain a little more your quoted text, as I donīt have the expertise needed to understand it fully:

"As written in my first post, you need to change the header values to values that match the currently running firmware. If you already run a 9980 firmware and you want to flash a new 9980 firmware, you don't need to do anything."

I understand that I will be running a 9980 fw but with a header of the 8980, so when I upgrade to a newer 9980 fw, Iīll have to modify it also.

Anyway I guess I understood your method and I probably will be able to do it it. Iīm waiting an opportunity to install my old modem to make the mod. Congratulations for your finding.
Thanks, Eduardo