Reverse TP-Link Router TL-WR841N

How to start reverse-engineering IoT firmware

Last updated 4 years ago

Reversing TP-Link Router TL-WR841N

Firmware download URL: https://www.tp-link.com/pt/support/download/tl-wr841n/#Firmware

Extracting the Zip File

unzip TL-WR841N\(EU\)_V14_200903.zip

Inspecting the firmware and arch

Using the binwalk tool we can inspect a firmware image and find the embedded files and executable code inside it.

Tip: use the -e option to extract the files it finds into a new folder.

binwalk -e TL-WR841Nv14_EU_0.9.1_4.17_up_boot\[200903-rel58674\].bin

In short, each line of binwalk's output is composed of three columns:

  • Offset of the finding in decimal

  • The same offset in hexadecimal

  • A description of what was found at that location

As observed above, we got U-Boot at offset 5404B. This is a popular bootloader used to load the operating system.

Also, LZMA compressed data was found at offset 66560, and finally the squashfs filesystem at offset 1049088.

Duplicating firmware data with dd

Now, we can copy the squashfs filesystem into a new file using the dd tool.

  • dd can duplicate data across files, devices, partitions, and volumes.

  • if= is the input file.

  • of= is the output file.

  • bs= is the block size.

Tip: with skip= you can ignore a number of blocks at the beginning of the input stream. With bs=1 each block is one byte, so skip= must be set to the offset where the data we want to copy starts.

dd if=TL-WR841Nv14_EU_0.9.1_4.17_up_boot\[200903-rel58674\].bin skip=1049088 bs=1 of=TP.sfs

We check the new filesystem file using the file command:

file TP.sfs
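The binwalk scan and the dd carve above can be reproduced and checked in a few lines of Python. This is an added example, not code from the original page or from binwalk; it scans for the U-Boot uImage and SquashFS magic bytes, prints the same decimal/hex/description columns, and then carves the filesystem. Unlike dd with no count=, it reads the bytes_used field of the SquashFS v4 superblock and copies only that many bytes, and it rejects a magic hit whose superblock does not look plausible (a 4-byte magic can occur by chance in a large image). The image bytes it runs on are constructed here for the self-test, not real TP-Link firmware; carve_squashfs_file() is the helper you would point at a real .bin.

```python
"""Added example (not from the original page): re-implements the binwalk scan
and the dd carve steps, with a superblock sanity check before carving."""
import struct

# Signatures matching what the page's binwalk run reported.  U-Boot legacy
# uImage headers begin with 0x27051956; a little-endian SquashFS superblock
# begins with "hsqs" (big-endian builds use "sqsh").
SIGNATURES = [
    ("U-Boot uImage header", struct.pack(">I", 0x27051956)),
    ("Squashfs filesystem, little endian", b"hsqs"),
    ("Squashfs filesystem, big endian", b"sqsh"),
]


def scan(data: bytes):
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for desc, magic in SIGNATURES:
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def format_table(hits):
    """Render hits as the three columns binwalk prints."""
    lines = ["DECIMAL       HEXADECIMAL     DESCRIPTION"]
    for off, desc in hits:
        hexs = "0x%X" % off
        lines.append(f"{off:<14}{hexs:<16}{desc}")
    return "\n".join(lines)


def carve_squashfs(data: bytes, offset: int) -> bytes:
    """Carve the SquashFS image that starts at `offset`.

    SquashFS v4 superblock layout assumed: magic at +0, s_major at +28 (u16),
    bytes_used at +40 (u64).  The check rejects chance magic matches and
    truncated images; only bytes_used bytes are returned, so trailing
    padding or a following image is not dragged along as with plain dd."""
    if data[offset:offset + 4] != b"hsqs":
        raise ValueError("no little-endian SquashFS magic at offset %d" % offset)
    major, _minor = struct.unpack_from("<HH", data, offset + 28)
    (bytes_used,) = struct.unpack_from("<Q", data, offset + 40)
    if major != 4 or bytes_used < 96 or offset + bytes_used > len(data):
        raise ValueError("implausible SquashFS superblock at offset %d" % offset)
    return data[offset:offset + bytes_used]


def carve_squashfs_file(src_path, dst_path, offset):
    """File-based equivalent of: dd if=src skip=offset bs=1 of=dst"""
    with open(src_path, "rb") as f:
        data = f.read()
    fs = carve_squashfs(data, offset)
    with open(dst_path, "wb") as f:
        f.write(fs)
    return len(fs)


# --- constructed test image (not real TP-Link firmware) ---------------------
def build_test_image():
    sb = bytearray(96)                        # minimal v4 superblock
    sb[0:4] = b"hsqs"
    struct.pack_into("<HH", sb, 28, 4, 0)     # s_major=4, s_minor=0
    struct.pack_into("<Q", sb, 40, 200)       # bytes_used=200
    fs = bytes(sb) + b"\xAA" * (200 - 96)     # fake filesystem payload
    img = b"\x00" * 1024                      # padding
    img += struct.pack(">I", 0x27051956)      # uImage header at 1024
    img += b"\x00" * (4096 - len(img))
    img += fs                                 # SquashFS at 4096
    img += b"\xFF" * 100                      # padding after the filesystem
    return img


TEST_IMAGE = build_test_image()

if __name__ == "__main__":
    hits = scan(TEST_IMAGE)
    print(format_table(hits))
    sfs = carve_squashfs(TEST_IMAGE, hits[-1][0])
    print("carved %d bytes of SquashFS" % len(sfs))
```

On a real image, run scan() over the file contents, pick the SquashFS offset from the table (1049088 in the page's case) and pass it to carve_squashfs_file(); the resulting .sfs can then be checked with file and unpacked with unsquashfs exactly as below.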

Unarchive the filesystem with unsquashfs

unsquashfs TP.sfs
ls -la unsquashfs-root

From here, we can start analysing the binaries and the individual files present in the filesystem, and so on!

Yeah, we got it! Good luck 😎🤓

References:

  • unsquashfs - tool to uncompress squashfs filesystems

  • Firmware download: https://www.tp-link.com/pt/support/download/tl-wr841n/#Firmware