The TP-Link TL-WR841N isn't a particularly impressive piece of hardware, but since it works decently well and sells for under $20 USD, it's one of the most popular consumer routers on Amazon. Now, thanks to [TrendyTofu] of the Zero Day Initiative, we have a concise step-by-step guide on how to hack your way into the newer hardware revisions and take full control over this bargain WiFi device. This work was initially done to help test reported vulnerabilities in the router's firmware, but we're sure the readers of Hackaday can come up with all sorts of potential uses for this information.
The story starts, as so many before it have, with a serial port. Finding the UART pads on the PCB and wiring up a level shifter was no problem, but [TrendyTofu] found it was only working one way: output from the router was readable, but nothing typed in was accepted. Some troubleshooting and an oscilloscope later, the culprit was found to be a 1kΩ pull-down resistor on the RX line that kept the incoming signal from rising high enough to be recognized as a logic high.
Once two-way communication was established, proper poking around inside the router’s Linux operating system could begin. It wasn’t a huge surprise to find the kernel was ancient (version 2.6.36, from 2010) and that the system utilities had been stripped to the absolute bare minimum to save space. Replacing the firmware entirely would of course be ideal, but unfortunately OpenWRT has dropped support for the newer hardware revisions of the TL-WR841N.
To teach this barebones build of Linux some new tricks, [TrendyTofu] used the mount command to find a partition that was actually mounted writable, and used that to stash a pre-compiled static build of BusyBox for MIPS. With a more complete set of tools, the real fun could begin: using GDB to debug TP-Link's binaries and look for chinks in the armor. But feel free to insert your own brand of mayhem here.
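The two steps in that paragraph, as an added shell example that is not [TrendyTofu]'s code: parse a mount table in /proc/mounts format for filesystems that are writable and not mounted noexec (a writable tmpfs mounted noexec will happily accept the file and then refuse to run it), then stage a static BusyBox there with the usual applet symlinks. The sample mount table, the destination path and the applet list are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original write-up): locate a writable,
# executable filesystem on a stripped-down embedded Linux and stage a
# static BusyBox there. Mount table, paths and applet names are assumed.

# Print mount points from a /proc/mounts-style table (fields: device,
# mountpoint, fstype, options, dump, pass) whose options contain "rw"
# and do not contain "noexec".
writable_mounts() {
    # $1: path to a mount table (defaults to the live /proc/mounts)
    awk '$4 ~ /(^|,)rw(,|$)/ && $4 !~ /(^|,)noexec(,|$)/ { print $2 }' \
        "${1:-/proc/mounts}"
}

# Copy a static busybox binary into $2 and create applet symlinks for the
# names given as the remaining arguments. On the device you would take
# that list from "busybox --list"; it is passed in here so the function
# works without executing a foreign-architecture binary.
stage_busybox() {
    bb="$1"; dest="$2"; shift 2
    mkdir -p "$dest"
    cp "$bb" "$dest/busybox"
    chmod 755 "$dest/busybox"
    for applet in "$@"; do
        ln -sf busybox "$dest/$applet"
    done
    echo "$dest"
}

# Constructed mount table standing in for the router's real /proc/mounts.
sample_mounts() {
    cat <<'EOF'
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var tmpfs rw,relatime 0 0
/dev/mtdblock3 /data jffs2 rw,relatime 0 0
EOF
}

# Demo on the constructed table; on the router call writable_mounts
# with no argument.
tbl=$(mktemp)
sample_mounts > "$tbl"
echo "writable and executable mount points:"
writable_mounts "$tbl"
rm -f "$tbl"
```

Before copying anything, confirm the binary matches the target: hardware revisions of this router have shipped with both big- and little-endian MIPS SoCs, and a static BusyBox built for the wrong endianness will not execute. `uname -m` on the serial console plus the ELF header of the candidate binary (`file busybox` on the host) settle it.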
[Pablo] is a recent and proud owner of a Transcend WiFi SD Card. It allows him to transfer his pictures to any WiFi-enabled device in a matter of seconds.
As he suspected that some kind of Linux was running on it, he set out to see if he could get root access on it… and succeeded.
His clear and detailed write-up begins by explaining how a simple trick allowed him to browse the card's file system, which (as he guessed correctly) is running BusyBox. From there he was able to check whether any of the poorly written Perl scripts had security holes… and got more than he bargained for.
He first thought he had found a way to make the embedded Linux launch user-provided scripts and execute commands by making a special HTTP POST request… which failed due to a small technicality. His second attempt was a success: [Pablo] found that the user-set password is inserted directly into a shell command without any escaping. Therefore, setting the password to “admin; echo haxx > /tmp/hi.txt #” creates a hi.txt text file: the semicolon ends the intended command, the echo runs as root, and the # comments out whatever followed.
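The bug [Pablo] found is a textbook command injection: a string the user controls is spliced into a command line that a shell re-parses. The card's scripts are Perl, but the following added example (not from [Pablo]'s write-up or the card's firmware) reproduces the pattern in POSIX shell next to a fixed version; the function names, the config path and the allowlist policy are made up for the demo.

```shell
#!/bin/sh
# Added example, not the card's firmware: the injection pattern in shell.

# VULNERABLE: the password is pasted into a command string and handed to
# a shell, so ";" terminates the intended command and "#" discards the
# rest. This mirrors Perl's system("... $pass ...") on the card.
set_password_vuln() {
    pass="$1"; cfg="$2"
    sh -c "echo $pass > $cfg"
}

# FIXED: the password is passed as data and never re-parsed by a shell,
# so metacharacters end up stored literally in the config file.
set_password_safe() {
    pass="$1"; cfg="$2"
    printf '%s\n' "$pass" > "$cfg"
}

# Defence in depth for cases where a shell invocation cannot be avoided:
# refuse anything outside a conservative allowlist (assumed policy).
password_is_clean() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9_@.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo with the payload from the write-up, pointed at a scratch directory
# instead of /tmp.
work=$(mktemp -d)
payload="admin; echo haxx > $work/hi.txt #"

set_password_vuln "$payload" "$work/pw_vuln" >/dev/null
[ -f "$work/hi.txt" ] && echo "vulnerable: injected command created hi.txt"

rm -f "$work/hi.txt"
set_password_safe "$payload" "$work/pw_safe"
[ -f "$work/hi.txt" ] || echo "safe: no hi.txt; stored literally: $(cat "$work/pw_safe")"

password_is_clean "$payload" || echo "allowlist would have rejected this password"
rm -rf "$work"
```

Note that the vulnerable version not only runs the attacker's command, it never writes the config file at all, because the trailing # swallowed the redirection; on the card that is exactly what made the trick work without breaking anything visible.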
From there things got easy. He just had to make the card download another BusyBox to regain all the commands that were stripped out of the card's Linux. In the end he got the card to spawn a reverse shell back to his computer so he could run any command he wanted.
As if that weren't enough, [Pablo] even discovered an easy way to recover the card's current password. Talk about security…
[Adam Outler] shows us how to expand the Linux tools available on Android without rooting the device. He does this by installing BusyBox. The binary is copied to the device using the Android Debug Bridge (ADB). He then opens an ADB shell, marks the binary executable, and runs it. BusyBox calls itself the Swiss Army Knife of Embedded Linux. It provides a set of very common tools which you'll find useful in your tinkering. The one that [Adam] shows off in his video is the vi editor, but the basics that make a shell work are all there: ls, mkdir, grep, dmesg, mount… you get the point.
So what are you going to do with your unrooted device now that you have these commands at your disposal? That’s really for you to figure out. [Adam] continues his demonstration by installing a package that does require root access. It’s BotBrew Basil, which adds apt-get and a few more complex packages. He then uses vi to write a C++ Hello World program, then compiles it and runs it. So if you’re looking to do some development on your phone this is one way.
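The same procedure as an added shell script (not [Adam]'s own commands), with the check a practitioner adds first: picking the BusyBox build that matches the device's CPU ABI. /data/local/tmp is the directory the ADB shell user can both write to and execute from on an unrooted device; the binary file names, and the convention of reading the ABI from ro.product.cpu.abi, are assumptions of this example.

```shell
#!/bin/sh
# Added example: push a static BusyBox onto an unrooted Android device
# over ADB and verify it runs. Binary names are assumed; the ADB command
# can be overridden through $ADB (used for dry runs).
ADB="${ADB:-adb}"

# Map the device's primary ABI to the matching static BusyBox build.
# Fails for ABIs we have no build for, so the caller never pushes a
# binary that cannot execute.
pick_busybox() {
    # $1: ABI string as reported by "getprop ro.product.cpu.abi"
    case "$1" in
        arm64-v8a)           echo busybox-arm64 ;;
        armeabi-v7a|armeabi) echo busybox-armv7 ;;
        x86_64)              echo busybox-x86_64 ;;
        x86)                 echo busybox-x86 ;;
        *)                   return 1 ;;
    esac
}

# Push the binary, make it executable and ask it to list its applets,
# which doubles as the "does it run at all" check.
install_busybox() {
    # $1: local busybox binary; $2: remote dir (default /data/local/tmp)
    remote="${2:-/data/local/tmp}"
    "$ADB" push "$1" "$remote/busybox"
    "$ADB" shell chmod 755 "$remote/busybox"
    "$ADB" shell "$remote/busybox" --list
}

# Demo against a connected device, skipped when adb is not installed.
if command -v "$ADB" >/dev/null 2>&1; then
    # Older adb versions append CR to shell output; strip it.
    abi=$("$ADB" shell getprop ro.product.cpu.abi 2>/dev/null | tr -d '\r')
    if bb=$(pick_busybox "$abi"); then
        install_busybox "./$bb"
    else
        echo "no BusyBox build for ABI '$abi'" >&2
    fi
else
    echo "adb not found; skipping device steps" >&2
fi
```

Everything this script does is done as the unprivileged shell user, which is the point of [Adam]'s approach: nothing here needs root, and nothing survives past /data/local/tmp if the device is wiped.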
The Vtech InnoTab is a child-sized tablet computer built for kids. Apart from being the ideal solution to keeping the grubby, sticky hands of nieces and nephews away from proper ‘adult sized’ tablets, it can also serve as a Linux tablet perfect for a few homebrew apps. [Mick] picked up an InnoTab for his son, but after getting BusyBox working, we’re thinking it has become a toy for the father and not the son.
[Mick] cracked open the InnoTab and soldered a few wires to a pair of pins that connect to a TTL level converter and then to a TV. There’s a full Linux shell running on [Mick]’s new tablet, encouragement enough for him to start porting ScummVM, the engine behind famous LucasArts point-and-click adventure games of the early 90s.
Right now, it’s still very much a work in progress, but [Mick] has full screen support and a virtual keyboard working; more than enough to enjoy Day of the Tentacle and Sam & Max Hit the Road. After the break you can see the video of [Mick]’s InnoTab running the much more child-friendly SCUMM adventure Putt-Putt Goes to the Moon, something we’re sure his son will love.
[ghostwalker] dropped in on our previous Debian Android post to let us know that he had streamlined the install process. The first time around, it quickly became difficult to complete the process because firmware updates had taken away root access. Hackers have since figured out how to downgrade from RC30 and install BusyBox. All you need to do to put Debian on your phone is download the package from [ghostwalker] and then run the installer script. This isn’t technically a port since Debian already has ARM EABI support. What would you run on your phone if you had access to the entire Debian package tree? A video of Debian starting up is embedded below.
Embedded above is a demo video of an iPhone running a Linux 2.6 kernel. The iphone-dev team has created a new bootloader called OpeniBoot. The bootloader lets you boot into a Linux console, which you can talk to over a USB serial device. They’ve got busybox working, but there is no touchscreen support yet. The instructions are not that difficult and include how to back up your settings. It works on first and second gen iPhones and first gen iPod Touch. This is a very early port, but the future is wide open… Android iPhone?