OpenWrt Forum Archive

Topic: Access Point firmware modem

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all ;D

I'm on a project for months I have stuck in my head. And I wonder how some tool to edit the firmware of a modem, I will not do anything to pass the limits of ethics.
I want to put a back door to enter the firmware the system differently, do not worry, it's my modem :P. But the problem is that it is in assembly language, I have no knowledge of assembly, operation C, C++, Python, Java and something like MySQL, but just.

I would like to cast me out to achieve this project, those who know how.

A cordial greeting ;D

First you should say what modem is it. If its firmware is linux based maybe there's something that could be done.
If not, that will be almost impossible.

Hi all ;D

I guess that is not based on Linux, but do not know exactly what it is based.
It is a Modem Tp-Link Model No. TL-WR541G/TL-WR542G.

Down here are the firmwares that are available :P
http://www.tp-link.com/en/products/deta … =TL-WR541G

A cordial greeting ;D

And what version? v2, v4, v6, v7... v4 and v6 are the same.
I tried to extract the firmware of all versions with Firmware Mod Kit (it can extract almost any Linux-based router image) but no filesystem was found. They seem to use VxWorks, nothing to do there.
Better buy a cheap router and throw away that old hardware! It only has 8MB of RAM and 1 MB of flash!

(Last edited by dabyd64 on 31 Jul 2014, 14:50)

The latest version, v7 :P. Truth does not even know where to begin to see the mother code, not assembly language management, only C, C++, Python, some Java and MySQL. Would not know how to put the back door, but got here to DISCOVER how, I ask you to do a tutorial.

If it's something this would be great: http://www.devttys0.com/2011/05/reverse … s-wag120n/

A cordial greeting ;D

I had read that article some time ago.
Read also: http://james.slaterspage.com/hacking-th … pberry-pi/
It's VxWorks, almost forget about doing something with it!
Strings

Copyright 2003-2005 TP-LINK TECHNOLOGIES
AR2315 rev 
 startup...
panic: romStart failed!
0123456789abcdef<
NMI (watchdog): ErrorPC: 
sysConsoleDump: type 
      epc: 
  R0: r0:  
  R4: a0:  
  R8: t0:  
 R12: t4:  
 R16: s0:  
 R20: s4:  
 R24: t8:  
 R28: gp:  
trying NMI callback: 
ACI $Header:   //core/bsp/archives/ar2315/ar531xPlus.h-arc   1.4   Dec 27 2005 15:00:04   dai  $
VxWorks5.5.1
Dec  3 2010, 11:44:26
Copyright 1984-2002 Wind River Systems, Inc.
This program contains confidential information of Wind River Systems, Inc.
and disclosure and copying are prohibited.
AssignedIpAddrListHelpRpm.htm
BackNRestoreHelpRpm.htm
(lChangeLoginPwdHelpRpm.htm
*<DateTimeCfgHelpRpm.htm
DdnsAddComexeHelpRpm.htm
.@DdnsAddHelpRpm.htm
14DMZHelpRpm.htm
40DomainFilterHelpRpm.htm
6 DynDdnsHelpRpm.htm
:dDiagnosticHelpRpm.htm
=@FireWallHelpRpm.htm
FixMapCfgHelpRpm.htm
L2tpCfgHelpRpm.htm
LanArpBindingHelpRpm.htm
I4LanArpBindingListHelpRpm.htm
LanDhcpServerHelpRpm.htm
N\LanMacFilterHelpRpm.htm
MacCloneCfgHelpRpm.htm
ManageControlHelpRpm.htm
MiscAdvHelpRpm.htm
[XMiscHelpRpm.htm
NetworkLanCfgHelpRpm.htm
PPPoECfgAdvHelpRpm.htm
PPPoECfgHelpRpm.htm
PptpCfgHelpRpm.htm
iTRestoreDefaultCfgHelpRpm.htm
SoftwareUpgradeHelpRpm.htm
SpecialAppHelpRpm.htm
StaticRouteTableHelpRpm.htm
x0SysRebootHelpRpm.htm
SystemLogHelpRpm.htm
SystemStatisticHelpRpm.htm
|pUpnpCfgHelpRpm.htm
VirtualServerHelpRpm.htm
0WanBpaCfgHelpRpm.htm
TWanDynamicIpCfgHelpRpm.htm
hWanDynamicIpCfgHelpRpm_8021X.htm
hWanIpFilterHelpRpm.htm
WanStaticIpCfgHelpRpm.htm
WanStaticIpCfgHelpRpm_8021X.htm
dWlanMacFilterHelpRpm.htm
lWlanStationHelpRpm.htm
WlanNetworkHelpRpm.htm
WzdFinishHelpRpm.htm
WzdPPPoEHelpRpm.htm
WzdStartHelpRpm.htm
WzdStaticIpHelpRpm.htm
WzdWanTypeHelpRpm.htm
WzdWlanHelpRpm.htm
DualAccessCfgAdvHelpRpm.htm
DualAccessCfgHelpRpm.htm
QoSCfgSOHOHelpRpm.htm
hstr_err.js
str_menu.js
css_help.css
css_main.css
top1_1.jpg
\top1_2.jpg
top_bg.jpg
;LStatusHelpRpm.htm
CHMenuRpm.htm
errorPage.htm
StatusRpm.htm
KxWzdStartRpm.htm
WzdWanTypeRpm.htm
WzdStaticIpRpm.htm
WzdPPPoERpm.htm
WzdWlanRpm.htm
WzdEndRpm.htm
p,NetworkLanCfgRpm.htm
WanDynamicIpCfgRpm.htm
WanStaticIpCfgRpm.htm
PPPoECfgRpm.htm
PPPoECfgAdvRpm.htm
WanStaticIpCfgRpm_8021X.htm
WanDynamicIpCfgRpm_8021X.htm
hBPACfgRpm.htm
dL2TPCfgRpm.htm
`PPTPCfgRpm.htm
MacCloneCfgRpm.htm
WlanNetworkRpm.htm
WlanMacFilterRpm.htm
WlanMacFilterAdvRpm.htm
WlanStationRpm.htm
LLanDhcpServerRpm.htm
AssignedIpAddrListRpm.htm
 FixMapCfgRpm.htm
FixMapCfgAdvRpm.htm
DVirtualServerRpm.htm
VirtualServerAdvRpm.htm
SpecialAppRpm.htm
SpecialAppAdvRpm.htm
DMZRpm.htm
UpnpCfgRpm.htm
FireWallRpm.htm
WanIpFilterRpm.htm
&HWanIpFilterAdvRpm.htm
DomainFilterRpm.htm
3$DomainFilterAdvRpm.htm
DiagnosticIframeRpm.htm
DiagnosticRpm.htm
LanMacFilterRpm.htm
K@LanMacFilterAdvRpm.htm
Q\ManageControlRpm.htm
UhMiscShowRpm.htm
AdvScrRpm.htm
StaticRouteTableRpm.htm
StaticRouteTableAdvRpm.htm
LanArpBindingRpm.htm
klLanArpBindingAdvRpm.htm
LanArpBindingFindRpm.htm
w$LanArpBindingListRpm.htm
~8DynDdnsRpm.htm
CmxDdnsRpm.htm
HPeanutHullDdnsRpm.htm
@DateTimeCfgRpm.htm
XGetGMTRpm.htm
,SoftwareUpgradeRpm.htm
 confUploadErrorRpm.htm
UpdateTemp.htm
RestoreDefaultCfgRpm.htm
|BakNRestoreRpm.htm
SysRebootRpm.htm
restart.htm
ChangeLoginPwdRpm.htm
$SystemLogRpm.htm
4SystemStatisticRpm.htm
<QoSCfgSOHORpm.htm
DualAccessCfgAdvRpm.htm
4DualAccessCfgRpm.htm
8AuthError.htm
<char_set.js
tcommon.js


binwalk

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------
14702         0x396E        Linux Journalled Flash filesystem, little endian
14868         0x3A14        LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 2415648 bytes
733540        0xB3164       Wind River management filesystem, compressed, 138 files
733542        0xB3166       Wind River management filesystem, 9043969 files
743520        0xB5860       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 716 bytes
743888        0xB59D0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 834 bytes
744352        0xB5BA0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 740 bytes
744772        0xB5D44       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1284 bytes
745380        0xB5FA4       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1600 bytes
746136        0xB6298       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1596 bytes
746900        0xB6594       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 855 bytes
747396        0xB6784       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2780 bytes
748488        0xB6BC8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1424 bytes
749220        0xB6EA4       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 685 bytes
749652        0xB7054       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1142 bytes
750132        0xB7234       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1827 bytes
750916        0xB7544       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4638 bytes
752280        0xB7A98       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1700 bytes
753004        0xB7D6C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1243 bytes
753600        0xB7FC0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1905 bytes
754452        0xB8314       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2654 bytes
755508        0xB8734       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1157 bytes
756076        0xB896C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1677 bytes
756924        0xB8CBC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 472 bytes
757228        0xB8DEC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2457 bytes
758044        0xB911C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1004 bytes
758608        0xB9350       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1659 bytes
759392        0xB9660       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3631 bytes
760504        0xB9AB8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4629 bytes
761868        0xBA00C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 476 bytes
762176        0xBA140       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1297 bytes
762872        0xBA3F8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4193 bytes
764308        0xBA994       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1461 bytes
764952        0xBAC18       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 300 bytes
765176        0xBACF8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 317 bytes
765396        0xBADD4       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2452 bytes
766212        0xBB104       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1416 bytes
766868        0xBB394       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2707 bytes
767928        0xBB7B8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3860 bytes
769228        0xBBCCC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2624 bytes
770252        0xBC0CC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2905 bytes
771344        0xBC510       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4798 bytes
772908        0xBCB2C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1780 bytes
773576        0xBCDC8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2204 bytes
774352        0xBD0D0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4704 bytes
775688        0xBD608       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1104 bytes
776228        0xBD824       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6783 bytes
778588        0xBE15C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 244 bytes
778768        0xBE210       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 313 bytes
779004        0xBE2FC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 441 bytes
779316        0xBE434       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 821 bytes
779760        0xBE5F0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1037 bytes
780340        0xBE834       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1469 bytes
781128        0xBEB48       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1665 bytes
781916        0xBEE5C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3774 bytes
783052        0xBF2CC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1459 bytes
783692        0xBF54C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 28510 bytes
789308        0xC0B3C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4232 bytes
790504        0xC0FE8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 629 bytes
790844        0xC113C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2140 bytes
791560        0xC1408       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7809 bytes
793692        0xC1C5C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 598 bytes
794048        0xC1DC0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5363 bytes
798016        0xC2D40       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 16386 bytes
813288        0xC68E8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 893 bytes
813888        0xC6B40       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 605 bytes
814256        0xC6CB0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1947 bytes
815172        0xC7044       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3025 bytes
816300        0xC74AC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1082 bytes
816872        0xC76E8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1935 bytes
817744        0xC7A50       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1356 bytes
818396        0xC7CDC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 13541 bytes
821508        0xC8904       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1574 bytes
822244        0xC8BE4       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1414 bytes
822860        0xC8E4C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3375 bytes
823844        0xC9224       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1622 bytes
824568        0xC94F8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 15210 bytes
827792        0xCA190       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1314 bytes
828480        0xCA440       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2241 bytes
829436        0xCA7FC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 8005 bytes
831720        0xCB0E8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6570 bytes
833592        0xCB838       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 12098 bytes
835876        0xCC124       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5874 bytes
837400        0xCC718       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6343 bytes
839116        0xCCDCC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7603 bytes
841160        0xCD5C8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 9257 bytes
843460        0xCDEC4       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 9533 bytes
845812        0xCE7F4       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 9282 bytes
848132        0xCF104       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3303 bytes
849380        0xCF5E4       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 41912 bytes
856596        0xD1214       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6338 bytes
858432        0xD1940       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3588 bytes
859568        0xD1DB0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3082 bytes
860760        0xD2258       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5087 bytes
862084        0xD2784       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1814 bytes
862832        0xD2A70       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3905 bytes
864168        0xD2FA8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3547 bytes
865280        0xD3400       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4325 bytes
866664        0xD3968       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5339 bytes
868380        0xD401C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4298 bytes
869740        0xD456C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5947 bytes
871496        0xD4C48       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1476 bytes
872232        0xD4F28       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4039 bytes
873560        0xD5458       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2970 bytes
874412        0xD57AC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7008 bytes
876364        0xD5F4C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5904 bytes
877704        0xD6488       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4933 bytes
879224        0xD6A78       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3152 bytes
880376        0xD6EF8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7319 bytes
881932        0xD750C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 8143 bytes
883876        0xD7CA4       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4972 bytes
885440        0xD82C0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3075 bytes
886476        0xD86CC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2582 bytes
887548        0xD8AFC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1884 bytes
888388        0xD8E44       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6399 bytes
889920        0xD9440       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3768 bytes
891176        0xD9928       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2951 bytes
892112        0xD9CD0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5479 bytes
893948        0xDA3FC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3607 bytes
895112        0xDA888       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5493 bytes
896924        0xDAF9C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2890 bytes
898032        0xDB3F0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5181 bytes
899756        0xDBAAC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6278 bytes
901540        0xDC1A4       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5563 bytes
903356        0xDC8BC       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 12601 bytes
905616        0xDD190       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 850 bytes
906116        0xDD384       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2232 bytes
907048        0xDD728       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 992 bytes
907596        0xDD94C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1802 bytes
908512        0xDDCE0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 915 bytes
909028        0xDDEE4       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1243 bytes
909676        0xDE16C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 869 bytes
910168        0xDE358       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2657 bytes
911240        0xDE788       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3253 bytes
912280        0xDEB98       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1978 bytes
913056        0xDEEA0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7069 bytes
915048        0xDF668       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 17126 bytes
917656        0xE0098       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5990 bytes
919196        0xE069C       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 14086 bytes
921760        0xE10A0       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1587 bytes
922584        0xE13D8       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 83974 bytes
934496        0xE4260       LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 13296 bytes

There is a filesystem!

733540        0xB3164       Wind River management filesystem, compressed, 138 files

Let's extract it: (0xB3164 = 733540 in decimal)

dd if=wr541gv7_en_4_7_13_up.bin bs=733540 skip=1 of=fs.bin

Then I found this:
http://www.devttys0.com/2011/06/mystery-file-system/
http://www.devttys0.com/wp-content/uplo … 6/unowfs.c
I downloaded that file and compiled:

gcc unowfs.c -o unowfs
chmod +x unowfs

Extract the filesystem:

./unowfs fs.bin extracted

Now enter the "extracted" folder. These are the contents:

AdvScrRpm.htm
AssignedIpAddrListHelpRpm.htm
AssignedIpAddrListRpm.htm
AuthError.htm
BackNRestoreHelpRpm.htm
BakNRestoreRpm.htm
blue.jpg
BPACfgRpm.htm
ChangeLoginPwdHelpRpm.htm
ChangeLoginPwdRpm.htm
char_set.js
CmxDdnsRpm.htm
common.js
confUploadErrorRpm.htm
css_help.css
css_main.css
DateTimeCfgHelpRpm.htm
DateTimeCfgRpm.htm
DdnsAddComexeHelpRpm.htm
DdnsAddHelpRpm.htm
DiagnosticHelpRpm.htm
DiagnosticIframeRpm.htm
DiagnosticRpm.htm
DMZHelpRpm.htm
DMZRpm.htm
DomainFilterAdvRpm.htm
DomainFilterHelpRpm.htm
DomainFilterRpm.htm
DualAccessCfgAdvHelpRpm.htm
DualAccessCfgAdvRpm.htm
DualAccessCfgHelpRpm.htm
DualAccessCfgRpm.htm
DynDdnsHelpRpm.htm
DynDdnsRpm.htm
errorPage.htm
FireWallHelpRpm.htm
FireWallRpm.htm
FixMapCfgAdvRpm.htm
FixMapCfgHelpRpm.htm
FixMapCfgRpm.htm
GetGMTRpm.htm
Index.htm
L2tpCfgHelpRpm.htm
L2TPCfgRpm.htm
LanArpBindingAdvRpm.htm
LanArpBindingFindRpm.htm
LanArpBindingHelpRpm.htm
LanArpBindingListHelpRpm.htm
LanArpBindingListRpm.htm
LanArpBindingRpm.htm
LanDhcpServerHelpRpm.htm
LanDhcpServerRpm.htm
LanMacFilterAdvRpm.htm
LanMacFilterHelpRpm.htm
LanMacFilterRpm.htm
list.txt
MacCloneCfgHelpRpm.htm
MacCloneCfgRpm.htm
ManageControlHelpRpm.htm
ManageControlRpm.htm
menu.js
MenuRpm.htm
MiscAdvHelpRpm.htm
MiscHelpRpm.htm
MiscShowRpm.htm
NetworkLanCfgHelpRpm.htm
NetworkLanCfgRpm.htm
PeanutHullDdnsRpm.htm
PPPoECfgAdvHelpRpm.htm
PPPoECfgAdvRpm.htm
PPPoECfgHelpRpm.htm
PPPoECfgRpm.htm
PptpCfgHelpRpm.htm
PPTPCfgRpm.htm
QoSCfgSOHOHelpRpm.htm
QoSCfgSOHORpm.htm
restart.htm
RestoreDefaultCfgHelpRpm.htm
RestoreDefaultCfgRpm.htm
SoftwareUpgradeHelpRpm.htm
SoftwareUpgradeRpm.htm
SpecialAppAdvRpm.htm
SpecialAppHelpRpm.htm
SpecialAppRpm.htm
StaticRouteTableAdvRpm.htm
StaticRouteTableHelpRpm.htm
StaticRouteTableRpm.htm
StatusHelpRpm.htm
StatusRpm.htm
str_err.js
str_menu.js
SysRebootHelpRpm.htm
SysRebootRpm.htm
SystemLogHelpRpm.htm
SystemLogRpm.htm
SystemStatisticHelpRpm.htm
SystemStatisticRpm.htm
top1_1.jpg
top1_2.jpg
top2.jpg
top_bg.jpg
top.htm
UpdateTemp.htm
UpnpCfgHelpRpm.htm
UpnpCfgRpm.htm
VirtualServerAdvRpm.htm
VirtualServerHelpRpm.htm
VirtualServerRpm.htm
WanBpaCfgHelpRpm.htm
WanDynamicIpCfgHelpRpm_8021X.htm
WanDynamicIpCfgHelpRpm.htm
WanDynamicIpCfgRpm_8021X.htm
WanDynamicIpCfgRpm.htm
WanIpFilterAdvRpm.htm
WanIpFilterHelpRpm.htm
WanIpFilterRpm.htm
WanStaticIpCfgHelpRpm_8021X.htm
WanStaticIpCfgHelpRpm.htm
WanStaticIpCfgRpm_8021X.htm
WanStaticIpCfgRpm.htm
WlanMacFilterAdvRpm.htm
WlanMacFilterHelpRpm.htm
WlanMacFilterRpm.htm
WlanNetworkHelpRpm.htm
WlanNetworkRpm.htm
WlanStationHelpRpm.htm
WlanStationRpm.htm
WzdEndRpm.htm
WzdFinishHelpRpm.htm
WzdPPPoEHelpRpm.htm
WzdPPPoERpm.htm
WzdStartHelpRpm.htm
WzdStartRpm.htm
WzdStaticIpHelpRpm.htm
WzdStaticIpRpm.htm
WzdWanTypeHelpRpm.htm
WzdWanTypeRpm.htm
WzdWlanHelpRpm.htm
WzdWlanRpm.htm

Those files aren't readable because they are still LZMA-compressed.

for FILE in *; do mv "$FILE" "$FILE.7z" && p7zip -d "$FILE.7z"; done

Now the files are extracted and can be read. Maybe you can find a backdoor in the html code.

Remember that there's no way of repacking the filesystem unless you make your own program.



I forgot about the kernel! Let's have a look:

14868         0x3A14        LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 2415648 bytes

Extract the kernel from the firmware:

dd if=wr541gv7_en_4_7_13_up.bin of=kernel.bin bs=1 count=718672 skip=14868

Rename the kernel file and uncompress it:

mv kernel.bin kernel.7z
p7zip -d kernel.7z

Now let's have a look at the uncompressed kernel:

strings kernel: (I omitted the unreadable strings)
It was too big for posting here:
http://pastebin.com/wExjhkEa



There is something interesting:

ae(0,0)TP-MIPS:vxWorks h=192.168.1.18 e=192.168.1.5:0xffffff00 u=wr541 pw=123 f=0x0 tn=wr541 o=ae s=factory
resetting to factory config.

It seems that the default login after a factory reset is wr541 , 123

Also I found this:

192.168.1.1
admin
192.168.1.100
192.168.1.199
username
Hello123World
sm-server

After a bit of googling, Hello123World seems to be the default PPPOE password, nothing else.


Here are the files if you want to have a look:
https://dl.dropboxusercontent.com/u/239 … les.tar.gz


That's all I can do!
As said, forget that old device and go to other cheap router like wr740n / wr741nd / wr703n, once you put openwrt on it you can do almost anything!

(Last edited by dabyd64 on 1 Aug 2014, 15:43)
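Two steps from the post above, as an added example that is not code from the thread: deriving the dd skip/count values from the binwalk table, and splitting the VxWorks boot line into named fields so embedded credentials stand out in a firmware review. The function names are hypothetical; the field meanings follow the standard VxWorks boot-line layout, in which u= and pw= are the user and password the bootloader presents to the boot host h= when fetching the boot file.

```python
import re

# Four rows copied from the binwalk table in the post.
BINWALK_ROWS = """\
14702         0x396E        Linux Journalled Flash filesystem, little endian
14868         0x3A14        LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 2415648 bytes
733540        0xB3164       Wind River management filesystem, compressed, 138 files
733542        0xB3166       Wind River management filesystem, 9043969 files
"""

# Boot line quoted in the post.
BOOTLINE = ("ae(0,0)TP-MIPS:vxWorks h=192.168.1.18 e=192.168.1.5:0xffffff00 "
            "u=wr541 pw=123 f=0x0 tn=wr541 o=ae s=factory")

ROW = re.compile(r"^(\d+)\s+0x([0-9A-Fa-f]+)\s+(.+)$")


def parse_binwalk(text):
    """Return sorted (offset, description) pairs from binwalk's table output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        offset = int(m.group(1))
        if offset != int(m.group(2), 16):
            raise ValueError("decimal/hex offsets disagree: " + line)
        rows.append((offset, m.group(3)))
    return sorted(rows)


def carve_span(rows, start, end_keyword):
    """Return (skip, count) for `dd bs=1`: the region runs from `start` to the
    first later signature whose description contains `end_keyword`."""
    if start not in [off for off, _ in rows]:
        raise ValueError("no signature at offset %d" % start)
    for off, desc in rows:
        if off > start and end_keyword in desc:
            return start, off - start
    raise ValueError("no later signature matching %r" % end_keyword)


# bootDev(unit,proc)hostName:fileName followed by key=value fields
BOOT_HEAD = re.compile(r"^(\w+)\((\d+),(\d+)\)([^:\s]*):(\S+)")
BOOT_KEYS = {
    "e": "target_inet", "b": "backplane_inet", "h": "host_inet",
    "g": "gateway_inet", "u": "user", "pw": "password", "f": "flags",
    "tn": "target_name", "s": "startup_script", "o": "other",
}


def parse_bootline(line):
    """Split a VxWorks boot line into named fields."""
    m = BOOT_HEAD.match(line)
    if not m:
        raise ValueError("not a VxWorks boot line")
    fields = {
        "boot_device": m.group(1), "unit": int(m.group(2)),
        "processor": int(m.group(3)), "host_name": m.group(4),
        "file_name": m.group(5),
    }
    for key, value in re.findall(r"(?:^|\s)(\w+)=(\S*)", line[m.end():]):
        fields[BOOT_KEYS.get(key, "unknown_" + key)] = value
    return fields


def embedded_credentials(fields):
    """Return the credential fields that are present and non-empty."""
    return {k: fields[k] for k in ("user", "password") if fields.get(k)}


if __name__ == "__main__":
    rows = parse_binwalk(BINWALK_ROWS)
    skip, count = carve_span(rows, 14868, "Wind River")
    print("dd bs=1 skip=%d count=%d" % (skip, count))
    fields = parse_bootline(BOOTLINE)
    print("boot host:", fields["host_inet"], "file:", fields["file_name"])
    print("embedded credentials:", embedded_credentials(fields))
```

The carve length is only as good as the signatures that bound it: binwalk hits such as the JFFS2 row at 14702 or the "9043969 files" row are likely false positives and should not be used as region boundaries.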

Okay, so far everything goes perfect, I congratulate you, you are a genius :D.
Just ask 2 things.
The first is that, where find user and change the default password because i was looking for and can not find it. I mean, username: admin / password: admin. For example, if I wanted to put username and password: 12345, but will reset, which remains the same.
And second, how do I restart in the extracted firmware file?

Kind regards ;D

As I said, you can't modify the firmware in a way that works in the modem.
You need the VxWorks SDK, which is private and not available; trying to upload anything will cause a checksum error.

Is it possible to somehow VxWorks SDK or what company, organization or store the works?

If you get achievement VxWorks SDK, could I ask you to do any firmware there?

Kind regards ;D

No, that is not available to anyone

Do you only VxWorks SDK is the only one who can intervene in the operations I say?
Or is there another tool to do the same?

So, unlike other firmwares, how the openwrt firmware works, Can you can modify the user and the default password resets it though?

Kind regards ;D

The discussion might have continued from here.