Red Teaming and Malware Analysis
@sirpedrotavaresseguranca-informatica.pt0xSI_f33d
Search…
About
Red Teaming
Cheat Sheet
Active Directory 101
Fuzzing and Web
Initial Foothold
Privilege Escalation (Privesc)
Lateral Movement (Pivoting)
Persistence
Command and Control (C&C)
Data Exfiltration
CVE & Exploits / CTF
Tools
Resources
Malware Analysis
Unpacking
Basic tips
Malware instrumentation with frida
Tools
Resources
Mobile
Tools
Reverse iOS ipa
Reverse Android APKs
Basic tips
Resources
IoT / Reverse / Firmware
Basic tips
Reverse IoT devices
Reverse TP-Link Router TL-WR841N
Reverse Trendnet TS-S402 firmware
Full emulate Netgear WNAP320
Reverse ASUS RT-AC5300
Reverse LinkOne devices
Tools
Resources
Powered By GitBook
Reverse TP-Link Router TL-WR841N
How to start doing reverse on IoT Firmware

Reversing TP-Link Router TL-WR841N

Firmware download URL: https://www.tp-link.com/pt/support/download/tl-wr841n/#Firmware​

Extracting the Zip File

1
unzip unzip TL-WR841N\(EU\)_V14_200903.zip
Copied!

Inspecting the firmware and arch

Using binwalk tool we can inspect and find the embedded files and executable code inside the firmware binary images.
Tip: use -e option to extract the files into a new folder.
1
binwalk -e TL-WR841Nv14_EU_0.9.1_4.17_up_boot\[200903-rel58674\].bin
Copied!
In short, the binwalk structure is composed by three sections:
    File location in decimal format
    File location in hexadecimal form
    Description about what was found and location
As observed above, we got U-Boot at offset 5404B. This is a popular bootload to load the operating system.
Also, an LZMA compressed data was obtained at offset 66560, and finally the squashfs filesystem at 1049088.

Duplicating firmware data with dd

Now, we can copy the filesystem squashfs into a new folder using the dd tool.
    dd can duplicate data across files, devices, partitions, and volumes.
    if stands for the input file.
    of stands for the output file.
    bs for block size.
Tip: by using -skip you could ignore some data at the beginning of the input stream. So, the -skip command needs to start with the initial offset we want to copy.
1
dd if=TL-WR841Nv14_EU_0.9.1_4.17_up_boot\[200903-rel58674\].bin skip=1049088 bs=1 of=TP.sfs
Copied!
We check the new filesystem file using the file command:
1
file TP.sfs
Copied!

Unarchive the filesystem with unsquashfs

​unsquashfs - tool to uncompress squashfs filesystems
1
unsquashfs TP.sfs
2
ls -la unsquashfs-root
Copied!
Yeah, we got it!
😎
From here, we can start with the analysis of the binaries present and individual files in the filesystem, and so on!
Good luck
🤓
IoT / Reverse / Firmware - Previous
Reverse IoT devices
Next
Reverse Trendnet TS-S402 firmware
Last modified 5mo ago
Copy link
Contents
Reversing TP-Link Router TL-WR841N
Extracting the Zip File
Inspecting the firmware and arch
Duplicating firmware data with dd
Unarchive the filesystem with unsquashfs