If the headline makes today’s hack sound like it was easy, rest assured that it wasn’t. But if you’re interested in embedded device hacking, read on.
[Andres] wanted to install a custom OS firmware on a cheap home router, so he bought a router known to be reflashable only to find that the newer version of the firmware made that difficult. We’ve all been there. But instead of throwing the device in the closet, [Andres] beat it into submission, discovering a bug in the firmware, exploiting it, and writing it up for the manufacturer. (And just as we’re going to press: posting the code for the downgrade exploit here.)
This is not a weekend hack — this took a professional many hours of serious labor. But it was made a lot easier because TP-Link left a debugging protocol active, listening on the LAN interface, and not requiring authentication. [Andres] found most of the information he needed in patents, and soon had debugging insight into the running device.
[Jean-Christophe Rona] found himself with some free time and decided to finish a project he started two years ago, reverse engineering cheap 433MHz home automation equipment. He hopes to control his space heaters remotely, in preparation for a cold and, now, robotic winter.
In a previous life, he had reverse engineered the protocol these cheap wireless plugs, garage doors, and electric window shutters all use. This eventually resulted in a little library called rf-ctrl that can toggle and read GPIO pins in the correct way to control these objects. He has a few of the more popular protocols built into the library and even wrote a guide on how to do the reverse engineering yourself if you have need.
Having successfully interfaced with the plugs to use with his space heaters, [Jean-Christophe] went about converting a cheap TP Link router into a command center for them. Since TP Link never expected anyone to hammer their square peg into a mismatched hole, it takes a careful hand at soldering and some enamel wire to break out the GPIO pins, but it’s well within the average skill set.
The end result is a nicely contained blue box with a little antenna hanging out of it, and we hope, a warm abode for the coming winter.
Last year, the Federal Communications Commission proposed a rule governing the certification of RF equipment, specifically wireless routers. This proposed rule required router manufacturers to implement security on the radio module inside these routers. Although this rule is fairly limited in scope – the regulation only covers the 5GHz U-NII bands, and only applies to the radio subsystem of a router, the law of unintended consequences reared its ugly head. The simplest way to lock down a radio module is to lock down the entire router, and this is exactly what a few large router manufacturers did. Under this rule, open source, third-party firmwares such as OpenWRT are impossible.
Now, router manufacturer TP-Link has reached an agreement with the FCC to allow third-party firmware. Under the agreement, TP-Link will pay a $200,000 fine for shipping routers that could be configured to run above the permitted power limits.
This agreement is in stark contrast to TP-Link’s earlier policy of shipping routers with signed, locked firmware, in keeping with the FCC’s rule.
This is a huge success for the entire open source movement. Instead of doing the easy thing – locking down a router’s firmware and sending it out the door – TP-Link has chosen to take a hit to their pocketbook. That’s great news for any of the dozens of projects experimenting with mesh networking, amateur radio, or any other wireless networking protocol, and imparts a massive amount of goodwill onto TP-Link.
Thanks [Maave] for the tip.
This “security” is so outrageous we had to look for hidden cameras to make sure we’re not being pranked. We don’t want to ruin the face-palming realization for you, so before clicking past the break look closely at the image above and see if you can spot the exploit. It’s plain as day but might take a second to dawn on you.
[Mark C.] published the exploit on his Twitter feed after waiting a couple of weeks to hear back from TP-LINK about the discovery. They didn’t respond, so he went public with the info.
Like it or not, hackers gonna hack. And when your hackerspace has someone who looks like Doc Brown from Back to the Future, the builds can get a bit weird, like this Hack42 FestivalCharger.
The Hack42 hackerspace in Arnhem, The Netherlands had collected a large number of TP-Link 5V USB chargers – but all of them had the North American NEMA plug (flat, 2 pin) which wouldn’t fit the Schuko sockets prevalent in The Netherlands. [Simon “MacSimski” Claessen] decided to whip out his giant soldering iron and use it to solder two long pieces of welding filler metal rod to 33 of the chargers, effectively wiring them up in parallel. He put his obvious skill and experience to good use. For one, the diameter of the filler metal rods he used was just about the right size to fit in the Schuko socket. And the gap between the two turned out to be the right distance too, thus creating a sort of Schuko plug. All that was needed to power up all the chargers was to connect a socket extension to the FestivalCharger. The unit was built to allow crowds of festival-goers to charge their phones and battery-powered gadgets simultaneously. To make sure the visitors didn’t get electrocuted, he used a piece of PVC pipe to cover up the exposed pins and keep it all safe.
Thanks to Hack42 member [Dennis van Zuijlekom] for sending in this tip.
[Squonk] is rather famous in the world of repurposed routers, having reverse engineered the TL-WR703N wireless router from TP-Link a few years ago. With that knowledge, he’s developed an open platform for Things on the Internet called Domino. It’s pretty much exactly what you would get by cracking open a router bought on AliBaba, only in a much more convenient package with many more pins broken out.
The Domino builds on [Squonk]’s reverse engineering efforts of the TP-Link TL-WR703N wireless router, the router that has stolen the thunder from the Linksys WRT54G for all those sweet, sweet, embedded hacks. Both the 703N and the Domino are built around the Atheros AR9331. While the router version of this chipset only breaks out a few GPIOs and other interesting pins, the Domino breaks out just about everything – GPIO, JTAG, I2S, UART, SPI, USB, and Ethernet can be found on the device.
The basic Domino can hopefully be had with a $25 pledge to the Kickstarter campaign. That’s a little less than the normal price for a WR-703N, and if you’re putting a router in a hat it might be worth your while. There are a few advanced versions that include an ATMega32u4 microcontroller, making it compatible with the Arduino Yun as well.
Low-cost wireless routers are a dime a dozen these days — but what happens if you need to flash the firmware? Normally you’d have to solder in a serial connection in order to access it, but [Luka Mustafa] had another idea — pogo-pins!
It’s actually quite easy to make a small PCB with pogo-pins and then use a 3D printed bracket or alignment jig to make the connection. They currently only have designs for a few TP-Links (WR740 and WR741ND) on their GitHub, but more will be added soon. They’ve also included instructions on how to restore firmware on any of these devices with their handy-dandy pogo-pin PCB.
[Luka] is one of the guys behind IRNAS (the acronym is in Slovenian), a non-profit open-source company that makes lots of cool projects. They believe in open-source and sharing technology in order to empower the world.
And if you’ve royally bricked your router it could be possible to unbrick it with a Raspberry Pi!