This repo contains dumped flash partitions with a firmware version vulnerable to CVE-2019-17147, and some useful binaries to downgrade and debug your WR841N(V14) router.
Doing hardware modifications such as overwriting flash chip partitions has its risks. Evaluate the risks and decide for yourself if you want to do it or not.
The post from ZDI: https://www.zerodayinitiative.com/blog/2019/12/2/mindshare-hardware-reversing-with-the-tp-link-tl-wr841n-router-part-2 demonstrated a very interesting vulnerability that I would really like to try out and learn something from.
Unfortunately the firmware version (US) 0.9.1 4.16 v007c.0 Build 180613 Rel.42415n has already been taken down from the US website and can no longer be downloaded.
However I do have some WR841N routers running firmware version (TW) 0.9.1 4.16 v009e.0 Build 180516 Rel.81030n, which is older than the one ZDI exploited, and the same vulnerability still exists.
I guess many more people would be interested in reproducing this exploit but are facing the same problem: they are unable to find a WR841N running a vulnerable version of the firmware.
If you are using TW, EU or JP version hardware, it is still possible to download a firmware version older than 180613 (which means it was built on 2018/06/13) and downgrade your router just by "upgrading" it with the old firmware from the official website.
Although a firmware downgrade is possible, the WR841N checks and won't accept firmware that is meant for hardware sold in different countries. So people living in countries where TP-Link doesn't provide a vulnerable firmware version on its website (for example, the US) will need to bypass the check in the HTTP server and write the vulnerable firmware directly into the flash chip of their device. That's what this repo is mainly for.
I've also cross compiled a static busybox and gdbserver that work on the WR841N for anyone who would like to debug and recreate the exploit.
Before attempting to overwrite your flash partitions, you should back up the current ones so that you can restore your router after you're done playing with this vulnerable version.
I assume you are already familiar with using the serial console so I'll skip the hardware part.
- Set up a tftp server on the machine of your choice.
- In the WR841N console (replace the IP address with that of your tftp server):

  ```
  ~ # cat /dev/mtd0 > /var/WR841N_backup_mtd0_boot.bin
  ~ # tftp -p -r /var/WR841N_backup_mtd0_boot.bin 192.168.0.100
  ~ # rm /var/WR841N_backup_mtd0_boot.bin
  ~ #
  ~ # cat /dev/mtd1 > /var/WR841N_backup_mtd1_kernel.bin
  ~ # tftp -p -r /var/WR841N_backup_mtd1_kernel.bin 192.168.0.100
  ~ # rm /var/WR841N_backup_mtd1_kernel.bin
  ~ #
  ~ # cat /dev/mtd2 > /var/WR841N_backup_mtd2_rootfs.bin
  ~ # tftp -p -r /var/WR841N_backup_mtd2_rootfs.bin 192.168.0.100
  ~ # rm /var/WR841N_backup_mtd2_rootfs.bin
  ```

- Check the .bin files with binwalk to make sure you have successfully backed up your flash partitions.
The flash partitions in the WR841N are as follows:

```
dev:    size   erasesize  name
mtd0: 00010000 00010000 "boot"
mtd1: 000f0000 00010000 "kernel"
mtd2: 002e0000 00010000 "rootfs"
mtd3: 00010000 00010000 "config"
mtd4: 00010000 00010000 "radio"
```

The main partition you need to overwrite is rootfs (mtd2), but for stability's sake we'll overwrite boot and kernel too.
I did not provide the config and radio partitions because they do not affect the vulnerability, and you certainly don't want to mess with RF settings, to avoid potential legal problems.
- Transfer flashcp into the WR841N with tftp. In the WR841N shell (replace the IP address with that of the machine running your tftp server, of course):

  ```
  ~ # cd /var
  /var # tftp -g -r flashcp 192.168.0.100
  /var # chmod +x flashcp
  ```
- Transfer TW_wr841N_mtd0_boot_180516.bin into the WR841N and overwrite with flashcp:

  ```
  /var # tftp -g -r TW_wr841N_mtd0_boot_180516.bin 192.168.0.100
  /var # ./flashcp TW_wr841N_mtd0_boot_180516.bin /dev/mtd0
  /var # rm TW_wr841N_mtd0_boot_180516.bin
  ```
Note: The order in which you transfer and overwrite the partitions does not matter, but make sure you do them **ONE BY ONE** and do not transfer all the .bin files to the WR841N at once.
Remove the .bin you already flashed before transferring the next one. The router has very limited memory and will crash if you transfer too much stuff to its ramfs!
- Transfer TW_wr841N_mtd1_kernel_180516.bin into the WR841N and overwrite with flashcp:

  ```
  /var # tftp -g -r TW_wr841N_mtd1_kernel_180516.bin 192.168.0.100
  /var # ./flashcp TW_wr841N_mtd1_kernel_180516.bin /dev/mtd1
  /var # rm TW_wr841N_mtd1_kernel_180516.bin
  ```
- Transfer TW_wr841N_mtd2_rootfs_180516.bin into the WR841N and overwrite with flashcp (this is the largest partition, so flashcp will take some time to finish):

  ```
  /var # tftp -g -r TW_wr841N_mtd2_rootfs_180516.bin 192.168.0.100
  /var # ./flashcp TW_wr841N_mtd2_rootfs_180516.bin /dev/mtd2
  /var # rm TW_wr841N_mtd2_rootfs_180516.bin
  ```
- Reboot the router and you should see its web management page become all traditional Chinese, with the firmware version shown as 0.9.1 4.16 v009e.0 Build 180516 Rel.81030n.
- The PoC provided by ZDI won't work out of the box on the firmware version provided here, since the memory offsets are different. You should try to modify ZDI's PoC or create your own exploit :)
- All the binaries are cross compiled by myself with buildroot-2021.02.6.
- The language of the firmware shouldn't matter much since most of the work to debug and develop the exploit is done in the console. However, I could try to build flashable partitions from the vulnerable EU or JP version if someone really needs it and makes a request.
- Needless to say, doing hardware modifications such as overwriting flash chip partitions has its risks. Evaluate the risks and decide for yourself if you want to do it or not.
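Both the backup step (the mtd dumps pulled off the router with `tftp -p`) and the flash steps (the TW_wr841N_*.bin images fed to flashcp) depend on each file being exactly as large as its partition: a dump cut short by a failed tftp transfer leaves you with nothing to restore from, and an image larger than its partition cannot be written with flashcp. The host-side POSIX sh script below is an added example, not part of this repo; it checks a directory of images against the partition table listed above. The table is a constructed copy of the README's /proc/mtd listing, and the function names (`mtd_size`, `check_image`, `check_set`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original repo: sanity-check partition images
# on the host against the router's partition table before trusting a backup or
# feeding an image to flashcp. The table below is constructed from the
# /proc/mtd listing in this README; file names follow the README's commands.

MTD_TABLE='dev:    size   erasesize  name
mtd0: 00010000 00010000 "boot"
mtd1: 000f0000 00010000 "kernel"
mtd2: 002e0000 00010000 "rootfs"
mtd3: 00010000 00010000 "config"
mtd4: 00010000 00010000 "radio"'

# mtd_size NAME: print the size in bytes of partition NAME, fail if unknown.
# /proc/mtd reports sizes in hex, so convert before comparing with wc -c.
mtd_size() {
    hex=$(printf '%s\n' "$MTD_TABLE" | awk -v n="\"$1\"" '$4 == n { print $2 }')
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# check_image FILE NAME: succeed only if FILE exists and is exactly as large
# as partition NAME. flashcp refuses an oversized image, but a short backup
# would only be noticed when you try to restore it.
check_image() {
    file=$1; name=$2
    expected=$(mtd_size "$name") || { echo "unknown partition: $name"; return 1; }
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    actual=$(wc -c < "$file" | tr -d ' ')
    if [ "$actual" -ne "$expected" ]; then
        echo "size mismatch: $file is $actual bytes, partition $name is $expected"
        return 1
    fi
    echo "ok: $file ($actual bytes)"
}

# check_set DIR PREFIX SUFFIX: check the boot, kernel and rootfs images named
# DIR/PREFIXmtd<N>_<name>SUFFIX (e.g. WR841N_backup_mtd0_boot.bin or
# TW_wr841N_mtd0_boot_180516.bin). Returns the number of failing images.
check_set() {
    dir=$1; prefix=$2; suffix=$3
    fails=0
    for entry in "0 boot" "1 kernel" "2 rootfs"; do
        num=${entry%% *}
        name=${entry#* }
        check_image "$dir/${prefix}mtd${num}_${name}${suffix}" "$name" || fails=$((fails + 1))
    done
    return "$fails"
}

# Usage on the host holding the files:
#   check_set ./backups WR841N_backup_ .bin    # dumps pulled off the router
#   check_set . TW_wr841N_ _180516.bin         # repo images, before running flashcp
```

Run it with the two `check_set` calls from the comment: the first after the backup step, the second before flashing. A non-zero return value is the number of images that are missing or the wrong size; fix those before touching the flash. binwalk still tells you whether the contents parse, this only tells you the transfer was complete.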