# Reverse TP-Link Router TL-WR841N

## Reversing TP-Link Router TL-WR841N

**Firmware download URL:** <https://www.tp-link.com/pt/support/download/tl-wr841n/#Firmware>

![](/files/-MYoVkfgqw-dP2lFlLoz)

![](/files/-MYoW4RFTlq5KieTnQA0)

## **Extracting the Zip File**

```
unzip unzip TL-WR841N\(EU\)_V14_200903.zip
```

![](/files/-MYoXkygHvK6epbjDpyG)

## Inspecting the firmware and arch

Using binwalk tool we can inspect and find the embedded files and executable code inside the firmware binary images.&#x20;

{% hint style="success" %}
**Tip**: use **-e** option to extract the files into a new folder.
{% endhint %}

```
binwalk -e TL-WR841Nv14_EU_0.9.1_4.17_up_boot\[200903-rel58674\].bin
```

![](/files/-MYoYMiXfFrtUWmGcNZ6)

In short, the binwalk structure is composed by three sections:

* File location in decimal format
* File location in hexadecimal form
* Description about what was found and location

As observed above, we got **U-Boot at offset 5404B.** This is a popular bootload to load the operating system.

Also, an **LZMA compressed data** was obtained **at offset 66560**, and finally the **squashfs filesystem at 1049088.**

![](/files/-MYoZw76NbgTmixlak-7)

## Duplicating firmware data with dd

Now, we can copy the filesystem squashfs into a new folder using the dd tool.&#x20;

{% hint style="info" %}

* **dd** can duplicate data across files, devices, partitions, and volumes.
* **if** stands for the input file.
* **of** stands for the output file.
* **bs** for block size.

**Tip:** by using **-skip** you could ignore some data at the beginning of the input stream. So, the -skip command needs to start with the initial offset we want to copy.
{% endhint %}

```
dd if=TL-WR841Nv14_EU_0.9.1_4.17_up_boot\[200903-rel58674\].bin skip=1049088 bs=1 of=TP.sfs
```

&#x20;We check the new filesystem file using the **file** command:

```
file TP.sfs
```

![](/files/-MYoa2Ao2mgSEgcVPT30)

## **Unarchive the filesystem with unsquashfs**

[unsquashfs](https://manpages.debian.org/testing/squashfs-tools/unsquashfs.1.en.html) - tool to uncompress squashfs filesystems

```
unsquashfs TP.sfs
ls -la unsquashfs-root
```

![](/files/-MYoaxdcVutiSVXMT6t2)

Yeah, we got it! :sunglasses:&#x20;

![](/files/-MYobC5iY0tB_-f0YcyE)

From here, we can start with the analysis of the binaries present and individual files in the filesystem, and so on!&#x20;

![](/files/-MYobd59JOC_JhdbKpOi)

\
Good luck :nerd:&#x20;


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gitbook.seguranca-informatica.pt/arm/reverse-iot-devices/reverse-tp-link-router-tl-wr841n.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.