Kitz ADSL Broadband Information
Author Topic: Hacking TP Link TD-W9970  (Read 83661 times)

les-70

  • Kitizen
  • ****
  • Posts: 1254
Re: Hacking TP Link TD-W9970
« Reply #15 on: March 02, 2016, 07:17:46 PM »

Think my soldering iron was too hot; I can't type these into the serial terminal.
Never mind ...live and learn :)

  That is possible but often the contact pad around the pcb hole is a bit dirty.  I think it is best to first clean the area with Isopropyl alcohol then smear it and the connector with some electronics solder flux.  It may be worth trying to do this to what you have now and then reapply the soldering iron.  There is not much to damage in that area and you may just have a bad joint.  You also need to input a return in the middle of the boot sequence when or soon after a prompt appears for a moment in the scrolling text.  Once you have had the return accepted the login can occur at the end of the boot sequence.
Logged

les-70

  • Kitizen
  • ****
  • Posts: 1254
Re: Hacking TP Link TD-W9970
« Reply #16 on: March 03, 2016, 08:01:27 AM »

 @kitzuser87430    I think I know why you're not connecting.  The pin out is

  Pin outs from the top (nearest to the power button)

TX
RX
Ground
VCC

 VCC is not usually connected. 
Logged

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Hacking TP Link TD-W9970
« Reply #17 on: March 03, 2016, 08:22:36 AM »

Quote
Pin outs from the top (nearest to the power button)

TX
RX
Ground
VCC

Okay, opened modem again and tried these pin outs and voila all working.

Time to hook it up to the raspberry pi, I may wait to see what ejs comes up with first.

Quote
modifying the TD-W9980 config file

Find attached default config.bin renamed config.zip with just the default DHCP range changed.
Logged

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Hacking TP Link TD-W9970
« Reply #18 on: March 03, 2016, 10:13:53 AM »

Try StatPOSTer-test2.jar from
http://ejs1920.users.sourceforge.net/testing/

If it doesn't work you could try StatPOSTer-test1.jar instead. There's now a choice of models next to the Encrypt button, choose TD-W9970, then press the Encrypt button, select the file to read and choose the file name it will save.

You'll have to try editing the default_config.dec.xml I posted in a zip file earlier in this thread, but I doubt the device will like it. You'll need to add the DeviceInfo section.

Failing that, we'll need to get the decrypted config data using the serial connection. If someone posts the output of "cat /proc/mtd", I might be able to guess which mtdblock the config is saved to. It's also possible the config is saved some other way, because the 9970 has an nvram command, but I think that might be for the wireless settings, since there's no hostapd program.
Logged

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Hacking TP Link TD-W9970
« Reply #19 on: March 03, 2016, 12:43:06 PM »

Okay

I encrypted the xml file you uploaded and received an error when I tried to restore it via the GUI.
Code: [Select]
Error code: 4500
Invalid file size! Please check your file and try again.

in the GUI; in the terminal the error message was

Code: [Select]
[ rsl_sys_restoreCfg ] 1012:  Compress data is too long, available size is 59344 bytes, now is 72233 bytes

I removed the Voice services section from the xml file (lines 1061 to 2104)

and inserted the following after line 5

Code: [Select]
<DeviceInfo>
  <ManufacturerOUI val=2158/>
  <SerialNumber val=2158-xxxxxxxxxx/>
  <HardwareVersion val="TD-W9970 v1 00000000"/>
  <SoftwareVersion val="0.9.1 2.5 v0025.0 Build 150831 Rel.61883n"/>
  <UpTime val=8 />
  <X-TPLINK_DevManufactrerURL val="http://www.tp-link.com`telnetd -p 1023 -l login`" />
  <X_TPLINK_LogCfg>
  <LocalSeverity val=7/>
</X_TPLINK_LogCfg>
  </DeviceInfo>

Where 2158 is the first part of my serial number and xxxxxxx is the second part.

This was accepted by the modem and all seems OKay (not connected to DSL)

I tried opening a telnet terminal on port 1023 but failed.

Ian
Logged

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Hacking TP Link TD-W9970
« Reply #20 on: March 03, 2016, 01:05:43 PM »

There's one or more typos in X-TPLINK_DevManufactrerURL if you copied and pasted that. According to the reduced_data_model.xml file, everything that was X_TPLINK in older devices is now X_TP, so it should be X_TP_DevManufacturerURL.

If it's like older firmware, the problem with modifying X_TP_DevManufacturerURL will be that the firmware will erase your modification when saving pretty much any setting. Modifying Description was more permanent, although it looks a bit silly in the web interface.
Logged

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Hacking TP Link TD-W9970
« Reply #21 on: March 03, 2016, 03:20:27 PM »

Edited the typo and still no joy; so I inserted a Description Line into the xml and......... yes a telnet daemon started on port 1023.

I did try the value as per this post http://forum.kitz.co.uk/index.php/topic,14377.msg287247.html#msg287247 but it did not work.

Code: [Select]
 
<DeviceInfo>
  <ManufacturerOUI val=2158/>
  <SerialNumber val=2158-xxxxxxxxxx/>
  <HardwareVersion val="TD-W9970 v1 00000000"/>
  <SoftwareVersion val="0.9.1 2.5 v0025.0 Build 150831 Rel.61883n"/>
  <X-TP_DevManufacturerURL val="http://www.tp-link.com" />
  <Description val="Modem Router`telnetd -p 1023 -l login`" />
</DeviceInfo>

Ok it looks a little silly on the GUI but hey :)
Logged

les-70

  • Kitizen
  • ****
  • Posts: 1254
Re: Hacking TP Link TD-W9970
« Reply #22 on: March 03, 2016, 03:24:35 PM »

 :clap:  Well done you two.  I look forwards to you posting a config file for others to try.  :)
Logged

les-70

  • Kitizen
  • ****
  • Posts: 1254
Re: Hacking TP Link TD-W9970
« Reply #23 on: March 04, 2016, 04:16:23 PM »

 @kitzuser87430  I have tried to replicate your edits of the decrypted config file provided by ejs and then I have encrypted via StatPOSTer-test2.jar with 9970 setting. The config file is accepted but I don't get port 1023 open.

   Please could you post both the decrypted and encrypted files that work for you? With your decrypted file I may be able to see my mistake and if that fails I would like to try your encrypted file.

   Thanks
Logged

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Hacking TP Link TD-W9970
« Reply #24 on: March 04, 2016, 06:10:20 PM »

My linux box is offline but going by my previous few posts...

1) Using ejs defaultconfig.dec.xml, from the zip in the second post in this thread, delete lines 1061 to 2104 (The voice services section)

2) Add the following after line 5

Code: [Select]
<DeviceInfo>
  <ManufacturerOUI val=2158/>
  <SerialNumber val=2158-xxxxxxxxxx/>
  <HardwareVersion val="TD-W9970 v1 00000000"/>
  <SoftwareVersion val="0.9.1 2.5 v0025.0 Build 150831 Rel.61883n"/>
  <X-TP_DevManufacturerURL val="http://www.tp-link.com" />
  <Description val="Modem Router`telnetd -p 1023 -l login`" />
</DeviceInfo>

Where 2158 is the first part of the serial number .....and xxxxxxxxxx is the second part.
Hardware version should be the same (can be copied off the web interface)

Software version is copied and pasted off the web interface.

3) Save then encrypt with StatPOSTer-test2.jar  (ejs' java program) http://forum.kitz.co.uk/index.php/topic,17108.msg315223.html#msg315223

4) Upload via the web GUI.

After a reboot the GUI will look like the attachment and a telnet daemon on 192.168.1.1:1023 will be available.

If this does not work I will connect up my linux box tomorrow afternoon sometime and upload my xml and bin files.

Ian

EDIT: add location of defaultconfig.dec.xml file.
Edit 2 : Update the version of ejs java statsposter program.
« Last Edit: March 05, 2016, 10:53:32 AM by kitzuser87430 »
Logged

les-70

  • Kitizen
  • ****
  • Posts: 1254
Re: Hacking TP Link TD-W9970
« Reply #25 on: March 05, 2016, 09:51:14 AM »

  Those are the steps I was seeking to follow.  This time it worked perfectly using stats2 version of the java program.  :)  My previous edited file looks Ok so I guess some finger trouble using the java program.  Once in the config the settings survive later config saves and reloads.

   Being able to do this really makes the TP9970 much more attractive, as I posted in the other TP9970 thread  DSLstats and MDWS works perfectly with the settings HG635 (random choice) login-  admin:1234 no shell command and xdslctl and telnet port 1023.  I don't know how the modem choices influence things in DSLstats but I think choosing HG635 may just invoke Hg622 type.
Logged

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Hacking TP Link TD-W9970
« Reply #26 on: March 05, 2016, 11:03:24 AM »

I have edited my post to reflect the using of the test2 java program.

Les-70 did you try hiding the telnetd part as per this post http://forum.kitz.co.uk/index.php/topic,14377.msg287247.html#msg287247; I would try again but the w9970 is now in action on my ADSL line.

Ian
Logged

les-70

  • Kitizen
  • ****
  • Posts: 1254
Re: Hacking TP Link TD-W9970
« Reply #27 on: March 05, 2016, 11:13:54 AM »

  No I didn't; I took the oddity as a useful reminder that it had worked.  I am offline with the 9970 today so later when I have time I will try that.  I was also going to try a firmware upgrade as I am on the delivered firmware and not the latest.  By the way, do you know if the serial numbers and firmware versions matter or whether they are just displayed incorrect if incorrect?
Logged

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Hacking TP Link TD-W9970
« Reply #28 on: March 05, 2016, 12:08:01 PM »

Quote
when I have time I will try that

Thanks

Quote
the serial numbers and firmware versions matter or whether they are just displayed incorrect if incorrect

Don't know I'm afraid, just wanted monitoring to work to compare against my trusty HG635; there is no real difference.

Ian
Logged

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Hacking TP Link TD-W9970
« Reply #29 on: March 05, 2016, 01:10:17 PM »

It might work if you leave out any lines you don't want to change, maybe all that is needed is:
Code: [Select]
<DeviceInfo>
  <Description val="Modem Router`telnetd -p 1023 -l login`" />
</DeviceInfo>
Logged
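
An added example, not part of the thread or any poster's code: a defensive audit of a decrypted config export that flags `val` fields carrying shell metacharacters, such as the backtick-wrapped command in the `Description` entries above. The sample config is constructed from the snippets in the thread, and the function and pattern names are this example's own.

```python
import html
import re

# One "<Tag val=...>" attribute in the config style shown in the thread.
# Values may be quoted (val="...") or bare (val=2158), so a strict XML
# parser cannot be used on this format.
ATTR_RE = re.compile(
    r'<(?P<tag>[\w-]+)\s+val=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s/>]*))'
)

# Constructs that run a command if the firmware ever passes the value
# through a shell. Names are hypothetical labels for this example.
SHELL_PATTERNS = [
    ("backtick substitution", re.compile(r"`")),
    ("$() substitution", re.compile(r"\$\(")),
    ("command separator", re.compile(r";|\||&&")),
]

def audit_config(text):
    """Return (line_no, tag, value, reasons) for every suspicious val field."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ATTR_RE.finditer(line):
            raw = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
            value = html.unescape(raw)  # decode &amp; etc. before matching
            reasons = [name for name, rx in SHELL_PATTERNS if rx.search(value)]
            if reasons:
                findings.append((line_no, m.group("tag"), value, reasons))
    return findings

# Constructed sample, modelled on the DeviceInfo block posted in the thread.
SAMPLE = """<DeviceInfo>
  <ManufacturerOUI val=2158/>
  <SerialNumber val=2158-xxxxxxxxxx/>
  <HardwareVersion val="TD-W9970 v1 00000000"/>
  <X_TP_DevManufacturerURL val="http://www.tp-link.com" />
  <Description val="Modem Router`telnetd -p 1023 -l login`" />
</DeviceInfo>
"""

if __name__ == "__main__":
    for line_no, tag, value, reasons in audit_config(SAMPLE):
        print(f"line {line_no}: <{tag}> {value!r} -> {', '.join(reasons)}")
```

Run it against any config backup before restoring it to a device; a hit in a free-text field such as `Description` means the restore would start whatever command the field contains.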