Reverse TP-Link Router TL-WR841N
How to start doing reverse on IoT Firmware
Reversing TP-Link Router TL-WR841N
Firmware download URL: https://www.tp-link.com/pt/support/download/tl-wr841n/#Firmware
Extracting the Zip File
Inspecting the firmware and arch
Using binwalk tool we can inspect and find the embedded files and executable code inside the firmware binary images.
Tip: use -e option to extract the files into a new folder.
In short, the binwalk structure is composed by three sections:
File location in decimal format
File location in hexadecimal form
Description about what was found and location
As observed above, we got U-Boot at offset 5404B. This is a popular bootload to load the operating system.
Also, an LZMA compressed data was obtained at offset 66560, and finally the squashfs filesystem at 1049088.
Duplicating firmware data with dd
Now, we can copy the filesystem squashfs into a new folder using the dd tool.
dd can duplicate data across files, devices, partitions, and volumes.
if stands for the input file.
of stands for the output file.
bs for block size.
Tip: by using -skip you could ignore some data at the beginning of the input stream. So, the -skip command needs to start with the initial offset we want to copy.
We check the new filesystem file using the file command:
Unarchive the filesystem with unsquashfs
unsquashfs - tool to uncompress squashfs filesystems
From here, we can start with the analysis of the binaries present and individual files in the filesystem, and so on!
Last updated