Hacking the Linksys WRT120N

[Craig Heffner] recently found himself on the case of the Linksys WRT120N router. The router’s firmware was using some previously unknown form of obfuscation, causing headaches for those wishing to run their own software. The WRT120N, being a 2009 model, is somewhat out of date at this point. That didn’t stop [Craig] though, as he dove into reverse engineering the firmware obfuscation.

[Craig] started by running the firmware through his own Binwalk tool. Binwalk analyzes firmware files for known data, be it embedded filesystems, raw compression streams, or binary files. In this case Binwalk only found a small LZMA block that contained the compressed HTML files for the router’s web interface. The rest of the firmware was unknown data with a high level of entropy. [Craig] couldn’t do anything more with the firmware update file alone, so he ordered a router to attack from the hardware side. Inside he found typical low-end router components: an Atheros AR7240 SoC, a 2MB SPI flash chip, and 32MB of RAM. He also found serial and JTAG headers.

[Craig] connected to the serial port and was greeted with a boot menu. This allowed him to run some commands on the router, but didn’t give him any way to dump memory. He had to go straight to the source – connecting directly to the router’s SPI flash with an FTDI C232HM cable. Using libmpsse, another of his open source tools, [Craig] was able to dump the flash. He now had the un-obfuscated bootloader code, albeit in MIPS assembly. [Craig] was then able to go after the bootloader with IDA Pro. After a bit of work, the obfuscation system was exposed. The system was simple – several byte and nibble swaps had been performed between the LZMA header block and the first few bytes of data. Because the bootloader has to undo those swaps before it can decompress the image, the full recipe sits in plain view in the dumped flash. [Craig] finished out this part of his hack by writing a simple C program to de-obfuscate and decompress the firmware.
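As an added example (not Craig Heffner’s tool and not the real WRT120N scheme), the C program below shows the two ideas from the write-up side by side: a Binwalk-style scan that flags offsets where a plausible LZMA header sits, and an obfuscation made of byte and nibble swaps between that header and the first data bytes, which is undone by replaying the same swaps in reverse order. The swap positions, the 24-byte sample image and the “sane for a router image” bounds used in the header check are all assumptions made for this example; the page does not give the actual WRT120N swap positions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A raw ".lzma" (LZMA-alone) stream starts with a 13-byte header:
 * byte 0      properties (lc/lp/pb packed as (pb*5+lp)*9+lc, so always < 225)
 * bytes 1..4  dictionary size, little-endian
 * bytes 5..12 uncompressed size, little-endian (all 0xFF = unknown) */
#define LZMA_HDR_LEN 13

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t le64(const uint8_t *p) {
    return (uint64_t)le32(p) | ((uint64_t)le32(p + 4) << 32);
}

/* Heuristic header check of the kind a firmware scanner uses. The dictionary
 * and size bounds are assumed "sane for a router image" limits, not a spec. */
int lzma_header_plausible(const uint8_t *p, size_t avail) {
    if (avail < LZMA_HDR_LEN) return 0;
    if (p[0] >= 9 * 5 * 5) return 0;                          /* invalid lc/lp/pb encoding */
    uint32_t dict = le32(p + 1);
    if (dict < (1u << 16) || dict > (1u << 26)) return 0;     /* 64 KiB .. 64 MiB */
    uint64_t usize = le64(p + 5);
    if (usize != UINT64_MAX && usize > (256u << 20)) return 0; /* > 256 MiB is not a router image */
    return 1;
}

/* Slide over the image and record every offset that passes the header check. */
size_t find_lzma_headers(const uint8_t *buf, size_t len, size_t *offsets, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i + LZMA_HDR_LEN <= len && n < max_out; i++)
        if (lzma_header_plausible(buf + i, len - i)) offsets[n++] = i;
    return n;
}

static void swap_bytes(uint8_t *a, uint8_t *b) { uint8_t t = *a; *a = *b; *b = t; }
static uint8_t swap_nibbles(uint8_t v) { return (uint8_t)((v << 4) | (v >> 4)); }

/* Stand-in obfuscation: three swap steps between the header and the first data
 * bytes. The positions are made up for this example; they are NOT the WRT120N's. */
void obfuscate(uint8_t *img, size_t len) {
    if (len < LZMA_HDR_LEN + 2) return;
    swap_bytes(&img[0], &img[13]);                               /* step 1: props byte <-> first data byte */
    for (int i = 0; i < 4; i++) img[i] = swap_nibbles(img[i]);   /* step 2: nibble-swap bytes 0..3 */
    swap_bytes(&img[4], &img[14]);                               /* step 3: last dict byte <-> data byte 1 */
}

/* Each step is its own inverse, so undoing means replaying them in reverse
 * order (step 2 touches a byte that step 1 moved, so the order matters). */
void deobfuscate(uint8_t *img, size_t len) {
    if (len < LZMA_HDR_LEN + 2) return;
    swap_bytes(&img[4], &img[14]);
    for (int i = 0; i < 4; i++) img[i] = swap_nibbles(img[i]);
    swap_bytes(&img[0], &img[13]);
}

/* Constructed sample: a valid header (props 0x5D, 8 MiB dict, 2 MiB output)
 * followed by 11 made-up "compressed" bytes. Returns the image length (24). */
size_t build_sample_image(uint8_t *out) {
    static const uint8_t img[] = {
        0x5D, 0x00, 0x00, 0x80, 0x00,                         /* props + dictionary size */
        0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,       /* uncompressed size */
        0x00, 0xFF, 0x3A, 0x5B, 0xC4, 0x12, 0x9E, 0x71, 0x08, 0xEE, 0x47 };
    memcpy(out, img, sizeof img);
    return sizeof img;
}

int main(void) {
    uint8_t img[64]; size_t off[8];
    size_t len = build_sample_image(img);
    printf("clean image: %zu candidate header(s)\n", find_lzma_headers(img, len, off, 8));
    obfuscate(img, len);
    printf("obfuscated : %zu candidate header(s)\n", find_lzma_headers(img, len, off, 8));
    deobfuscate(img, len);
    printf("restored   : header plausible = %d\n", lzma_header_plausible(img, len));
    return 0;
}
```

The header check is only a plausibility filter, and like any signature scan it can produce false positives on data that happens to look like a header; the real confirmation after un-swapping is that an LZMA decompressor accepts the stream and the output contains something Binwalk recognizes, such as a filesystem. The scan also shows why a scrambled header hides the block from a scanner while leaving the compressed payload untouched, which is why the image still registered as high-entropy data.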

23 thoughts on “Hacking the Linksys WRT120N”

    1. Other routers have been hacked before, DAGS (Do A Google Search) on WRT54g hack. For instance, you can turn a wireless router into a WIFI extender, or into a TNC for Amateur Radio.

    2. If you know how the firmware update obfuscation works you can create and flash your own (modified) firmware just from the web GUI of the original firmware as “update”. If it is possible to let own code run on the device it is possible to re-purpose it for all kinds of stuff. This router has only 2MB flash, so I don’t think openWRT will run on it, but the reasons for running “own” software on a router instead of the sw of the manufacturer are the same for every router.

      1. 2MB is too small for OpenWRT unless you do some serious pruning and then it still may not fit. But since this router has 32MB, it might be worth trying some of the other workarounds like replacing the 2MB flash with a pin compatible 4MB flash, use a couple GPIO lines to add a bit bang interface to a larger SPI flash, or possibly load OpenWRT off a USB flash drive if the router has USB. I have an old Netgear router I’ve considered doing the USB approach with.

    3. Craig’s tools allow him/you to reverse engineer the firmware, which allows you to check it for exploits. If you find exploits you can use your newfound knowledge of the firmware to fix the exploits or rewrite the entire firmware image such as has been done with ddwrt. In other words, make that router your bitch! :-)

  1. So, is this just Cisco being Cisco, or is there some reason that I’m missing for obfuscating the router firmware like that? It’s far weaker than a cryptographic signature check in the bootloader if you, for some ghastly reason, want to forbid 3rd party firmware; but I’m hard pressed to think of anything worth hiding in the firmware for a basic plastic-box home router.

    1. Cisco doesn’t care about people loading their own firmware. They still push product out the door. They do care about security on their devices though. Don’t want a reputation loss when someone finds an exploit that puts millions of home networks at risk.

      1. Cisco didn’t care about their own firmware. Stock firmware for the WRT120N (I have one) is crash prone and bug-ridden.

        Every ‘Linksys by Cisco’ isn’t worth more than the box they come in. Reason #255 I’m still using my WRT54G v4.

  2. DD-WRT has been available on this router for 3 years now, so I don’t think the initial part of this story is correct. However this was an interesting way of being able to retrieve an unobfuscated copy of the original firmware.

      1. Ida knew when you tried to open the Ida executable in itself and gave you a popup saying something along the lines of they know they can’t stop you, but you should feel bad.

  3. The guy wrote binwalk, he’s not interested in putting alt FW on it, or saying that this “hack” enables that:

    “It was recently brought to my attention that the firmware updates for the Linksys WRT120N were employing some unknown obfuscation. I thought this sounded interesting and decided to take a look.”
