Author Topic: TP-Link TD-W9980 shell access trick  (Read 26064 times)

ejs

  • Kitizen
  • ****
  • Posts: 2078
TP-Link TD-W9980 shell access trick
« on: July 12, 2015, 09:00:16 PM »

I have finally succeeded in creating config files that the TD-W9980 firmware will accept. The modified config file can be used to gain telnet shell level access to the router, or probably to flash the TD-W8980 with the 9980 firmware without opening the case, although I don't have a 8980 so haven't tried that. I am (again) running the 9980 firmware on my 8970 however.

The current limitations are:
1. The telnetd command looks ugly in the web interface (it could be done differently, but that would disable UPnP).
2. The StatPOSTer program cannot decompress a config file backup, and so restoring the sample config file will pretty much reset the device to factory defaults.

I did not reverse engineer or figure out the actual config file compression algorithm, I realised doing that is currently beyond me and it would take too long for me to learn. But I realised I didn't actually need to do that, all I needed to do was make the config file acceptable input for the decompression algorithm. And looking at the start of the decrypted but still compressed config file, which starts off uncompressed, almost all I needed to do is insert two zero bytes every 16 bytes of config data.

StatPOSTer-20150712.jar
StatPOSTer-20150716.jar

Quick steps:
0. Backup your current config
1. Get StatPOSTer-20150712.jar
2. Get and unzip one of the attached config files (they are almost the factory default, but I had to change a setting to get the config saved to the flash, so I switched off the print server)
3. Optional: edit the config file if you want to and know how
4. In the StatPOSTer, tick the "Add NULL bytes" box next to the Encrypt button
5. Press the Encrypt button, select the .xml file, and choose a .bin filename or accept the automatically generated one
6. Restore the .bin config file

With the sample config, you need to telnet to port 1023 on the router to access the shell, the login/pass is admin/1234, or alternatively you could edit the config file and change the telnetd command to `telnetd -p 1023 -l sh` and then it would go straight to a shell with no login.

Once you do have shell access on the router, you can save the uncompressed config to a file on a USB stick:
Code:
cat /dev/mtdblock3 > /var/usbdisk/sda1/config-mtdblock3-backup.bin

You would then need to use a hex editor to remove the first 16 bytes and everything after the last closing xml tag, then you could edit and re-upload that config rather than the factory default config sample.

Disclaimer: Do this at your own risk, I will not be liable if your router ends up permanently inoperable (a.k.a. bricked). Obviously the router should be disconnected from any dsl line before doing things like this to it. If in any doubt, don't attempt this.

Also, I'm not currently using this method for shell access, because I had earlier flashed a modified filesystem via the serial port. But I did test it briefly, and then used it to remove the "Dual Band" from the description shown in the web interface.

Edit: amended config sample files
Edit2: minor update to the StatPOSTer program, only change is to leave decrypted files unchanged if the MD5 verification fails, rather than chop off the first 16 bytes
« Last Edit: July 18, 2015, 01:37:12 PM by ejs »
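The two byte-level steps from the post above (trimming a raw mtdblock3 dump down to the XML, and the "Add NULL bytes" interleaving that makes the XML acceptable to the firmware), as an added example in Python that is not part of the original post or of the StatPOSTer program. The chunk-boundary convention, the 16-byte header length and the sample XML are assumptions; the encryption and MD5 steps are not modelled.

```python
# Added example (not StatPOSTer or TP-Link code): the two byte-level steps
# from the post above, modelled in plain Python.
#  - trim_mtd_dump: cut a raw /dev/mtdblock3 dump down to bare XML (drop
#    the leading 16 non-xml bytes and the padding after the last closing tag)
#  - add_null_bytes: the "Add NULL bytes" trick, two 0x00 bytes after every
#    full 16-byte chunk of XML; remove_null_bytes is its inverse
# Assumption: pad follows each full chunk, a short final chunk is left as-is.
import re

CHUNK = 16
PAD = b"\x00\x00"
MTD_HEADER_LEN = 16  # non-xml bytes at the start of the dump (per the post)
CLOSING_TAG = re.compile(rb"</[A-Za-z_][\w.-]*\s*>")

def trim_mtd_dump(raw: bytes, header_len: int = MTD_HEADER_LEN) -> bytes:
    """Return only the XML: strip the header and the trailing flash padding."""
    body = raw[header_len:]
    closes = list(CLOSING_TAG.finditer(body))
    if not closes:
        raise ValueError("no closing xml tag found in dump")
    return body[:closes[-1].end()]

def add_null_bytes(xml: bytes) -> bytes:
    """Interleave two zero bytes after every full 16-byte chunk."""
    out = bytearray()
    for i in range(0, len(xml), CHUNK):
        chunk = xml[i:i + CHUNK]
        out += chunk
        if len(chunk) == CHUNK:
            out += PAD
    return bytes(out)

def remove_null_bytes(faked: bytes) -> bytes:
    """Inverse of add_null_bytes; rejects input whose pad bytes are not zero."""
    out = bytearray()
    step = CHUNK + len(PAD)
    for i in range(0, len(faked), step):
        block = faked[i:i + step]
        if len(block) == step and block[CHUNK:] != PAD:
            raise ValueError(f"expected pad bytes at offset {i + CHUNK}")
        out += block[:CHUNK]
    return bytes(out)

# Constructed sample dump: 16 header bytes, a tiny XML body, flash padding.
SAMPLE_XML = b'<Config><Telnet enabled="1"/></Config>'
SAMPLE_DUMP = b"\x01" * MTD_HEADER_LEN + SAMPLE_XML + b"\xff" * 40

if __name__ == "__main__":
    xml = trim_mtd_dump(SAMPLE_DUMP)
    faked = add_null_bytes(xml)
    assert remove_null_bytes(faked) == xml
    print(len(xml), "xml bytes ->", len(faked), "bytes with NULL padding")
```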

hacktrix2006

  • Reg Member
  • ***
  • Posts: 305
    • xDSL Stats:
Re: TP-Link TD-W9980 shell access trick
« Reply #1 on: July 16, 2015, 03:17:24 PM »

Nice one mate, just done a restore using your telnet config and it works lovely.

However it might be best to state that you need to be connected via Ethernet as the stock WPS pin has changed, so connecting via wifi will no longer work until you reconfigure the router and restore the old WPS pin.

It now makes it easier to extract the firmware for the xDSL for OpenWRT lol. That reminds me I need to read on how to compile this yet LOL.

Edit:

There is a default_config.xml file just like yours bud in /etc folder once you have telnet access so that might even help there as well.
« Last Edit: July 16, 2015, 04:57:19 PM by hacktrix2006 »

Mooingall

  • Member
  • **
  • Posts: 45
Re: TP-Link TD-W9980 shell access trick
« Reply #2 on: July 16, 2015, 06:43:37 PM »

Good stuff ejs! And this survives reboots and other configuration changes done via the Web UI?

I'm thinking you could hide the command from being displayed in the browser by doing something like this

Code:
`echo "echo <!--" && telnetd -p 1055 -l login && echo " -->"`

http://www.w3schools.com/html/html_comments.asp


hacktrix2006, did you note in the config file (via a text editor) the WPS pin could be changed beforehand to your liking.


ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: TP-Link TD-W9980 shell access trick
« Reply #3 on: July 16, 2015, 06:59:49 PM »

Thanks for the feedback, I have cleaned out the sample config files a bit more. I was aware of the /etc/default_config.xml - but this file is not very similar to the config file saved by the firmware shortly after a factory reset.

This thread is sort of a follow-on from this, I did work out how to hide the telnet string from the web interface (see linked post), but it breaks UPnP doing it that way.

Mooingall

  • Member
  • **
  • Posts: 45
Re: TP-Link TD-W9980 shell access trick
« Reply #4 on: July 16, 2015, 07:48:32 PM »

I sent you a PM so I don't clutter your thread with junk that doesn't help anyone  :-[.

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: TP-Link TD-W9980 shell access trick
« Reply #5 on: July 17, 2015, 11:40:45 AM »

Quote
I have finally succeeded in creating config files that the TD-W9980 firmware will accept.

Well done!    :thumbs:
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: TP-Link TD-W9980 shell access trick
« Reply #6 on: July 18, 2015, 01:45:13 PM »

Thank you kitz. First post edited with a minor update to the StatPOSTer program, change doesn't affect encoding and encrypting the config files, but it now leaves the decrypted but still compressed config backup files unchanged, rather than removing the first 16 bytes.

I also noticed that despite the TP-Link shell being very minimal, it does have a gzip command, so TP-Link didn't really need to invent their own compression algorithm.

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: TP-Link TD-W9980 shell access trick
« Reply #7 on: March 13, 2016, 06:06:48 PM »

The latest version of the StatPOSTer program is 20160306
http://ejs1920.users.sourceforge.net/StatPOSTer-20160306.jar

The new version has a choice of devices to target when encrypting a config file:
TD-W8970v1
TD-W9970 (as tested here)
TD-W9980
VR900 (untested)

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: TP-Link TD-W9980 shell access trick
« Reply #8 on: March 13, 2016, 09:59:31 PM »

Thanks ejs -   I'll cross reference to this thread

Wardeddddd

  • Just arrived
  • *
  • Posts: 2
Re: TP-Link TD-W9980 shell access trick
« Reply #9 on: May 02, 2016, 07:28:17 PM »

How can I change the SNR after that???

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: TP-Link TD-W9980 shell access trick
« Reply #10 on: May 02, 2016, 08:16:45 PM »

On Lantiq devices, it's the locs command, i.e.
Code:
/firmware/dsl_cpe_pipe.sh locs 0 15

if you wanted to increase the target SNRM by 1.5 dB.

The dsl_cpe_pipe command to try and adjust the target downstream noise margin is:

locs 0 x

where x is a value from -50 to 50 corresponding to -5.0 dB to 5.0 dB e.g.

locs 0 20

would increase the target SNRM by 2 dB

The comment in src/include/drv_dsl_cpe_api.h above DSL_OPT_NOISE_MARGIN_DELTA_DS says
Quote
If this parameter will be changed from it's default value it is
strictly recommended to use ONLY positive values. Negative values
are likely to result in link instabilities.

I don't know if it works on VDSL2, I doubt it would.

Wardeddddd

  • Just arrived
  • *
  • Posts: 2
Re: TP-Link TD-W9980 shell access trick
« Reply #11 on: May 03, 2016, 05:47:53 PM »

/firmware/dsl_cpe_pipe.sh locs 0 -3
nReturn=20

That's what happens, I don't think I accessed the shell properly... in PuTTY's settings I put connection mode telnet and port 1023, (+ I opened port 1023 in the 9980 software, yea the modded one) what am I doing wrong?

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: TP-Link TD-W9980 shell access trick
« Reply #12 on: May 03, 2016, 06:06:42 PM »

nReturn=20 is the expected response to setting a negative margin, it's a warning that a negative margin is not recommended.

-3 will lower the margin by only 0.3 dB

After the locs command, to start using the snr margin adjustment, you then have to give a command to disconnect and reconnect the DSL link, I think that is:
Code:
/firmware/dsl_cpe_pipe.sh acs 2

int0x13

  • Just arrived
  • *
  • Posts: 4
Re: TP-Link TD-W9980 shell access trick
« Reply #13 on: June 20, 2016, 10:49:48 PM »

Hi, I crossflashed my 8970 to a 9980. I want to get a full CLI shell but when I try to decrypt the config file using StatPOSTer-20160306.jar I have bad characters inside the decoded file. There is some clear text at the start of the file though. The decryption was working with firmware 8970 (that's how I crossflashed the firmware 9980, thanks to ejs). I need to access the command line. Otherwise can I install a telnet daemon using the serial console? Thx.

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: TP-Link TD-W9980 shell access trick
« Reply #14 on: June 21, 2016, 05:56:31 PM »

Yes, I know. The 9980 and later TP-Link models compress the config file before encrypting it. The StatPOSTer program can't do the decompression. It can't really do the compression either, but it can fake it so that an uploaded file will be accepted by the firmware.

You have to upload a sample config file such as the one attached to the first post of this thread.

After you've gained shell access and set up everything, you can access the config xml by saving /dev/mtdblock3 to a file e.g. "cat /dev/mtdblock3 > /var/usbdisk/DiskName/conf.bin" and then using a hex editor or something to remove the few non-xml bytes at the start and all the padding at the end of the file.