Reverse Engineering a Router Firmware

I have an old TP Link Router and I thought if its possible to reverse the firmware and see if there are anything interesting or not. I grabbed the firware from the website and downloaded it locally

root@vultr:~/tplink_rev# wget https://static.tp-link.com/resources/software/TL-WR740N_v1v2_100910.zip
--2018-09-19 16:46:26--  https://static.tp-link.com/resources/software/TL-WR740N_v1v2_100910.zip
Resolving static.tp-link.com (static.tp-link.com)... 23.67.166.40
Connecting to static.tp-link.com (static.tp-link.com)|23.67.166.40|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2902988 (2.8M) [application/x-zip-compressed]
Saving to: ‘TL-WR740N_v1v2_100910.zip’
TL-WR740N_v1v2_100910.zip                 100%[=====================================================================================>]   2.77M  --.-KB/s    in 0.01s
2018-09-19 16:46:26 (220 MB/s) - ‘TL-WR740N_v1v2_100910.zip’ saved [2902988/2902988]


Uncompressing the zip file we get a PDF file and a .bin file

root@vultr:~/tplink_rev# unzip TL-WR740N_v1v2_100910.zip
Archive:  TL-WR740N_v1v2_100910.zip
  inflating: wr740nv1_en_3_12_4_up(100910).bin
  inflating: Router Upgrade Help.doc
Using file command on it revealed the type :

root@vultr:~/tplink_rev# file wr740nv1_en_3_12_4_up\(100910\).bin
wr740nv1_en_3_12_4_up(100910).bin: data
Using strings command I tried to find some hardcoded ascii data, the -13 parameter is set so that I can see words containing more than 13 character. I choose this number by trial and error method because it revealed something interesting.

root@vultr:~/tplink_rev# strings -13 wr740nv1_en_3_12_4_up\(100910\).bin
TP-LINK Technologies
l]1[jY o)*B*jq
POa)D8gDbPwa%

Next I issued the binwalk utility to find some information about the binary

root@vultr:~/tplink_rev# binwalk wr740nv1_en_3_12_4_up\(100910\).bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             TP-Link firmware header, firmware version: 0.0.0, image version: "", product ID: 0x0, product version: 121634817, kernel load address: 0x0, kernel entry point: 0x80002000, kernel offset: 3932160, kernel length: 512, rootfs offset: 818284, rootfs length: 1048576, bootloader offset: 2883584, bootloader length: 0
512           0x200           gzip compressed data, has original file name: "vmlinux.bin", from Unix, last modified: 2010-09-03 04:31:13
1048576       0x100000        Squashfs filesystem, big endian, lzma signature, version 3.1, size: 2059306 bytes, 431 inodes, blocksize: 65536 bytes, created: 2010-09-13 03:29:45
 Few notable things we can find are
1. The firmware manufacturer
2. The kernel load address for booting process
3. The filesystem

Now we can try to extract the contents from the binary.

root@vultr:~/tplink_rev# binwalk -e wr740nv1_en_3_12_4_up\(100910\).bin
 root@vultr:~/tplink_rev# ls
 ]  'Router Upgrade Help.doc'   TL-WR740N_v1v2_100910.zip  'wr740nv1_en_3_12_4_up(100910).bin'  '_wr740nv1_en_3_12_4_up(100910).bin.extracted'

We can see binwalk successfully extracted the contents for us

root@vultr:~/tplink_rev/_wr740nv1_en_3_12_4_up(100910).bin.extracted# ls
100000.squashfs  squashfs-root  vmlinux.bin
 So looking into squashfs-root we get the entire file systems

root@vultr:~/tplink_rev/_wr740nv1_en_3_12_4_up(100910).bin.extracted/squashfs-root# ls
bin  dev  etc  lib  linuxrc  mnt  proc  root  sbin  tmp  usr  var  web

Now we can find interesting things inside the file systems

root@vultr:~/tplink_rev/_wr740nv1_en_3_12_4_up(100910).bin.extracted# grep -rnw squashfs-root/ -e 'root'
squashfs-root/etc/passwd:1:root:x:0:0:root:/root:/bin/sh
squashfs-root/etc/passwd:2:Admin:x:0:0:root:/root:/bin/sh
squashfs-root/etc/passwd:13:ap71:x:500:0:Linux User,,,:/root:/bin/sh
squashfs-root/etc/shadow:1:root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::

squashfs-root/etc/group:1:root:x:0:
Binary file squashfs-root/bin/busybox matches
Binary file squashfs-root/sbin/iptables matches
Binary file squashfs-root/sbin/hostapd matches
Binary file squashfs-root/sbin/tc matches
Binary file squashfs-root/lib/libwpa_common.so matches
Binary file squashfs-root/usr/bin/httpd matches
Binary file squashfs-root/usr/sbin/pppd matches
root@vultr:~/tplink_rev/_wr740nv1_en_3_12_4_up(100910).bin.extracted# strings  squashfs-root/usr/bin/httpd | grep "root"
web_server_set_root_dir
root-servers
tc qdisc add dev %s root handle %d: htb default %s
tc qdisc del dev %s root
%s::upnp:rootdevice
Error specifying webserver root directory -- %s: %d
Error registering the rootdevice : %d
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh

<root xmlns="urn:schemas-upnp-org:device-1-0">
I tried with John the Ripper to decrypt the unshadowed password , but not much successfull with root and admin account ( 5 mins of try only )

root@vultr:~/tplink_rev# unshadow  _wr740nv1_en_3_12_4_up\(100910\).bin.extracted/squashfs-root/etc/passwd _wr740nv1_en_3_12_4_up\(100910\).bin.extracted/squashfs-root/etc/shadow  > password

root@vultr:~/tplink_rev# john --show password
bin:NO PASSWORD:1:1:bin:/bin:/bin/sh
daemon:NO PASSWORD:2:2:daemon:/usr/sbin:/bin/sh
adm:NO PASSWORD:3:4:adm:/adm:/bin/sh
nobody:NO PASSWORD:65534:65534:nobody:/home:/bin/sh
ap71:NO PASSWORD:500:0:Linux User,,,:/root:/bin/sh
5 password hashes cracked, 2 left