# Reverse TP-Link Router TL-WR841N

## Reversing TP-Link Router TL-WR841N

**Firmware download URL:** <https://www.tp-link.com/pt/support/download/tl-wr841n/#Firmware>

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYnymeRguUfghOThweA%2F-MYoVkfgqw-dP2lFlLoz%2Fimage.png?alt=media\&token=0a6960d4-71e1-4c83-94fd-bc1bc9bf1476)

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYnymeRguUfghOThweA%2F-MYoW4RFTlq5KieTnQA0%2Fimage.png?alt=media\&token=4cb4c7fc-4c71-4b63-bd3c-2a758cb138fd)

## **Extracting the Zip File**

```
unzip TL-WR841N\(EU\)_V14_200903.zip
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYnymeRguUfghOThweA%2F-MYoXkygHvK6epbjDpyG%2Fimage.png?alt=media\&token=6e7755b1-0e53-44ae-b0bc-3410a3487af8)

## Inspecting the firmware and arch

Using the binwalk tool, we can inspect the firmware binary image and find the embedded files and executable code inside it.

{% hint style="success" %}
**Tip**: use **-e** option to extract the files into a new folder.
{% endhint %}

```
binwalk -e TL-WR841Nv14_EU_0.9.1_4.17_up_boot\[200903-rel58674\].bin
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYnymeRguUfghOThweA%2F-MYoYMiXfFrtUWmGcNZ6%2Fimage.png?alt=media\&token=953f88b4-22cd-4b28-9d5e-e7c126ca4d1c)

In short, binwalk's output has three columns:

* File location in decimal format
* File location in hexadecimal format
* Description of what was found at that location

As observed above, we got **U-Boot at offset 5404B.** U-Boot is a popular bootloader used to load the operating system.

Also, **LZMA compressed data** was found **at offset 66560**, and finally the **squashfs filesystem at 1049088.**

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYnymeRguUfghOThweA%2F-MYoZw76NbgTmixlak-7%2Fimage.png?alt=media\&token=e3a7e265-4f3b-4e95-b080-61def3523cd3)

## Duplicating firmware data with dd

Now we can copy the squashfs filesystem into a new file using the dd tool.

{% hint style="info" %}

* **dd** can duplicate data across files, devices, partitions, and volumes.
* **if** stands for the input file.
* **of** stands for the output file.
* **bs** for block size.

**Tip:** **skip=N** tells dd to ignore the first N blocks (of size **bs**) at the beginning of the input stream. With **bs=1**, the skip value is therefore the byte offset at which the data we want to copy starts.
{% endhint %}

```
dd if=TL-WR841Nv14_EU_0.9.1_4.17_up_boot\[200903-rel58674\].bin skip=1049088 bs=1 of=TP.sfs
```

We check the new filesystem file using the **file** command:

```
file TP.sfs
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYnymeRguUfghOThweA%2F-MYoa2Ao2mgSEgcVPT30%2Fimage.png?alt=media\&token=0c69f1d9-9fc3-428d-ab5f-7fb34c235bf1)
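As an added example (not part of the original write-up), the Python code below does what the binwalk and dd steps above do by hand: it searches for the SquashFS magic, validates the superblock so that stray `hsqs` strings are rejected, and carves exactly `bytes_used` bytes instead of everything up to the end of the file. The sample image is constructed and its superblock values (xz, 128 KiB blocks, 4096 bytes used) are assumptions; only the offset 1049088 comes from the page.

```python
import struct

# SquashFS 4.x little-endian superblock, first 48 of 96 bytes:
# magic, inodes, mkfs_time, block_size, fragments, compression,
# block_log, flags, no_ids, s_major, s_minor, root_inode, bytes_used
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQ")
SUPERBLOCK_LEN = 96
MAGIC = b"hsqs"
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def find_squashfs(image: bytes) -> list:
    """Return a dict per plausible superblock; bare magic hits are rejected."""
    hits = []
    pos = image.find(MAGIC)
    while pos != -1:
        if pos + SUPERBLOCK_LEN <= len(image):
            f = SUPERBLOCK.unpack_from(image, pos)
            block_size, comp, block_log, major, used = f[3], f[5], f[6], f[9], f[12]
            if (major == 4 and comp in COMPRESSORS
                    and 12 <= block_log <= 20 and block_size == 1 << block_log
                    and SUPERBLOCK_LEN <= used <= len(image) - pos):
                hits.append({"offset": pos, "bytes_used": used,
                             "compression": COMPRESSORS[comp],
                             "block_size": block_size})
        pos = image.find(MAGIC, pos + 1)
    return hits


def carve(image: bytes, hit: dict) -> bytes:
    """Cut exactly bytes_used bytes, dropping whatever follows the filesystem."""
    return image[hit["offset"]:hit["offset"] + hit["bytes_used"]]


def build_sample() -> bytes:
    """Constructed image: decoy magic, then a superblock at the page's offset."""
    sb = SUPERBLOCK.pack(MAGIC, 1, 0, 131072, 0, 4, 17, 0, 1, 4, 0, 0, 4096)
    fs = sb.ljust(4096, b"\x00")
    head = bytearray(b"\xff" * 1049088)
    head[100:104] = MAGIC  # false positive a plain string search would report
    return bytes(head) + fs + b"\xff" * 512  # trailing flash padding


if __name__ == "__main__":
    img = build_sample()
    for hit in find_squashfs(img):
        print(hit, len(carve(img, hit)))
```

To use it on a real image, read the `.bin` file with `open(path, "rb").read()` and write the result of `carve()` to a new file before running unsquashfs on it.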

## **Unarchive the filesystem with unsquashfs**

[unsquashfs](https://manpages.debian.org/testing/squashfs-tools/unsquashfs.1.en.html) - tool to uncompress squashfs filesystems

```
unsquashfs TP.sfs
ls -la squashfs-root
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYnymeRguUfghOThweA%2F-MYoaxdcVutiSVXMT6t2%2Fimage.png?alt=media\&token=3ecb4182-63d9-4c10-85fe-2ce12edd0e37)

Yeah, we got it! :sunglasses:

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYnymeRguUfghOThweA%2F-MYobC5iY0tB_-f0YcyE%2Fimage.png?alt=media\&token=02ba693a-c037-4e0c-8da0-0dc9ef6be0f3)

From here, we can start analyzing the binaries and individual files present in the filesystem, and so on!

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYnymeRguUfghOThweA%2F-MYobd59JOC_JhdbKpOi%2Fimage.png?alt=media\&token=6d0d8292-9077-4baa-beed-80b45b1afe14)

Good luck :nerd:
