I have finally succeeded in creating config files that the TD-W9980 firmware will accept. The modified config file can be used to gain telnet shell level access to the router, or probably to flash the TD-W8980 with the 9980 firmware without opening the case, although I don't have an 8980 so haven't tried that. I am (again) running the 9980 firmware on my 8970, however.
The current limitations are:
1. The telnetd command looks ugly in the web interface (it could be done differently, but that would disable UPnP).
2. The StatPOSTer program cannot decompress a config file backup, and so restoring the sample config file will pretty much reset the device to factory defaults.
I did not reverse engineer or figure out the actual config file compression algorithm; I realised doing that is currently beyond me and it would take too long for me to learn. But I realised I didn't actually need to do that: all I needed to do was make the config file acceptable input for the decompression algorithm. And looking at the start of the decrypted but still compressed config file, which starts off uncompressed, almost all I needed to do was insert two zero bytes every 16 bytes of config data.
Attachments: StatPOSTer-20150712.jar, StatPOSTer-20150716.jar
Quick steps:
0. Back up your current config
1. Get StatPOSTer-20150712.jar
2. Get and unzip one of the attached config files (they are almost the factory default, but I had to change a setting to get the config saved to the flash, so I switched off the print server)
3. Optional: edit the config file if you want to and know how
4. In the StatPOSTer, tick the "Add NULL bytes" box next to the Encrypt button
5. Press the Encrypt button, select the .xml file, and choose a .bin filename or accept the automatically generated one
6. Restore the .bin config file
With the sample config, you need to telnet to port 1023 on the router to access the shell; the login/pass is admin/1234. Alternatively, you could edit the config file and change the telnetd command to `telnetd -p 1023 -l sh` and then it would go straight to a shell with no login.
Once you do have shell access on the router, you can save the uncompressed config to a file on a USB stick:
```
cat /dev/mtdblock3 > /var/usbdisk/sda1/config-mtdblock3-backup.bin
```
You would then need to use a hex editor to remove the first 16 bytes and everything after the last closing XML tag; then you could edit and re-upload that config rather than the factory default config sample.
Disclaimer: Do this at your own risk. I will not be liable if your router ends up permanently inoperable (a.k.a. bricked). Obviously the router should be disconnected from any DSL line before doing things like this to it. If in any doubt, don't attempt this.
Also, I'm not currently using this method for shell access, because I had earlier flashed a modified filesystem via the serial port. But I did test it briefly, and then used it to remove the "Dual Band" from the description shown in the web interface.
Edit: amended config sample files
Edit2: minor update to the StatPOSTer program, only change is to leave decrypted files unchanged if the MD5 verification fails, rather than chop off the first 16 bytes
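
The hex-editor step described in the post (dropping the first 16 bytes of the `/dev/mtdblock3` dump and everything after the last closing XML tag) can also be scripted. The following is an added example, not part of the original post or of StatPOSTer; the tag-matching pattern, the sanity checks and the sample data are assumptions made for illustration.

```python
import re
import sys

HEADER_LEN = 16  # the post says to drop the first 16 bytes of the dump
# Closing tag such as </Name>; the allowed name characters are an assumption.
CLOSING_TAG = re.compile(rb"</[A-Za-z_][\w.:-]*\s*>")

# Constructed sample: 16 header bytes + XML + 0xFF flash padding (all made up).
SAMPLE_XML = b'<?xml version="1.0"?>\n<SampleConfig>\n  <Item val="1" />\n</SampleConfig>'
SAMPLE_DUMP = bytes(range(16)) + SAMPLE_XML + b"\n" + b"\xff" * 64


def trim_config_dump(raw: bytes, header_len: int = HEADER_LEN) -> bytes:
    """Strip the header and everything after the last closing XML tag."""
    body = raw[header_len:]
    last = None
    for last in CLOSING_TAG.finditer(body):
        pass  # keep only the final match
    if last is None:
        raise ValueError("no closing XML tag found after the header")
    xml = body[: last.end()]
    # Sanity checks: a wrong offset or a still-compressed file shows up here.
    if not xml.lstrip().startswith(b"<"):
        raise ValueError("data after the header does not start with '<'")
    if b"\x00" in xml:
        raise ValueError("NUL byte inside the XML region")
    return xml


def main(argv):
    if len(argv) != 3:
        # No files given: show the result for the built-in constructed sample.
        print(trim_config_dump(SAMPLE_DUMP).decode())
        return 0
    src, dst = argv[1], argv[2]
    if src == dst:
        raise SystemExit("refusing to overwrite the original dump")
    with open(src, "rb") as f:
        xml = trim_config_dump(f.read())
    with open(dst, "wb") as f:
        f.write(xml)
    print(f"wrote {len(xml)} bytes of XML to {dst}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the untouched dump as the backup and edit only the trimmed copy.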