Mounir ORFI

Yet another network engineer...

Exploring the TP-Link WR542G / WR642G SOHO Routers

A few months ago I bought a bunch of TP-Link routers for 1 DH (Moroccan Dirham) each (nope, I am not kidding), so I don’t mind bricking them :)

What’s inside?

First things first, let’s take them apart!

Nothing fancy there… they both seem to have a 2MB flash memory:

So in both cases I can’t really reflash them with OpenWrt :S (later, I’ll look for the micro DD-WRT version).

The firmware

I couldn’t find the firmwares on the official website, so I downloaded some that are listed here. Not sure if this is what I have:

Locating the serial port

The serial port is exposed via test points just next to the reset button. The pinout is as follows (of course, a multimeter was used to locate each pin…):

To make it easy I soldered a four pin header like so:

Bootmenu

Now the interesting part, getting to the bootmenu and maybe a root shell, who knows!

After some trial and error, I found the right baud rate, which is 38400, and there you go:

serial output
AR2315 rev 0x00000090 startup...
Attached TCP/IP interface to ae unit 0
Attaching interface lo0...done

USRCONF : g_size = 18344
Name = MODULE_USR_CONF_T , size = 12
Name = UC_IEEE802_1X_CFG_DATA_T , size = 512
Name = UC_ADVANCED_CFG_T , size = 16
Name = UC_ARP_CFG_T , size = 652
Name = UC_BPA_CFG_DATA_T , size = 912
Name = UC_DDNS_T , size = 1480
Name = UC_DHCPC_CFG_DATA_T , size = 416
Name = UC_DHCPS_CFG_AND_STATIC_T , size = 708
Name = UC_FIRE_WALL_STATE_T , size = 1992
Name = UC_FORWARD_VIRTUAL_SERVE_CLASS_T , size = 1572
Name = UC_LAN_CFG_DATA_T , size = 8
Name = UC_L2TP_CFG_DATA_T , size = 1472
Name = UC_MAC_CONFIG_T , size = 80
Name = UC_PPPOE_CFG_DATA_T , size = 1568
Name = UC_NTP_PREFER_SRV_CFG_DATA_T , size = 28
Name = UC_STATIC_IP_CFG_DATA_T , size = 144
Name = UC_SATTIC_ROUTE_CFG_DATA_T , size = 328
Name = UC_MANAGE_USERS_T , size = 64
Name = UC_UTILITIES_T , size = 16
Name = UC_WANCONNTYPE_T , size = 16
Name = UC_WLAN_CFG_T , size = 4872
Name = UC_PPTP_CFG_DATA_T , size = 1472
Name = UC_NETWORK_PSEUDO_T , size = 4
wireless access point starting...
wlan0 Ready


entering tddp...



                            Software Platform for ARM
  Copyright(C) 2001-2004 by TP-LINK TECHNOLOGIES CO., LTD.
  Creation date: May 31 2007, 12:54:26

  Press CTRL-B to enter bootmenu...

  Boot Menu:
     1:  Download application program
     2:  Modify Bootrom password
     3:  Exit the menu
     4:  Reboot
     5:  User commond line
        Enter your choice(1-4):5

  Boot Menu:
     1:  Download application program
     2:  Modify Bootrom password
     3:  Exit the menu
     4:  Reboot
     5:  User commond line
        Enter your choice(1-4):
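
The USRCONF lines in the boot log are enough to sketch the layout of the router's user-configuration blob: the 23 module sizes add up to exactly g_size (18344). The Python below is an added example, not part of the original post; the offsets it prints assume the modules are stored back to back in the order printed, which the log does not confirm.

```python
import re

# USRCONF lines copied verbatim from the boot log above.
BOOT_LOG = """\
USRCONF : g_size = 18344
Name = MODULE_USR_CONF_T , size = 12
Name = UC_IEEE802_1X_CFG_DATA_T , size = 512
Name = UC_ADVANCED_CFG_T , size = 16
Name = UC_ARP_CFG_T , size = 652
Name = UC_BPA_CFG_DATA_T , size = 912
Name = UC_DDNS_T , size = 1480
Name = UC_DHCPC_CFG_DATA_T , size = 416
Name = UC_DHCPS_CFG_AND_STATIC_T , size = 708
Name = UC_FIRE_WALL_STATE_T , size = 1992
Name = UC_FORWARD_VIRTUAL_SERVE_CLASS_T , size = 1572
Name = UC_LAN_CFG_DATA_T , size = 8
Name = UC_L2TP_CFG_DATA_T , size = 1472
Name = UC_MAC_CONFIG_T , size = 80
Name = UC_PPPOE_CFG_DATA_T , size = 1568
Name = UC_NTP_PREFER_SRV_CFG_DATA_T , size = 28
Name = UC_STATIC_IP_CFG_DATA_T , size = 144
Name = UC_SATTIC_ROUTE_CFG_DATA_T , size = 328
Name = UC_MANAGE_USERS_T , size = 64
Name = UC_UTILITIES_T , size = 16
Name = UC_WANCONNTYPE_T , size = 16
Name = UC_WLAN_CFG_T , size = 4872
Name = UC_PPTP_CFG_DATA_T , size = 1472
Name = UC_NETWORK_PSEUDO_T , size = 4
"""

def usrconf_layout(log):
    """Return (g_size, [(offset, size, name), ...]) parsed from the boot log."""
    # ASSUMPTION: modules are packed back to back in printed order;
    # the log itself only gives names and sizes.
    g_size = int(re.search(r"g_size\s*=\s*(\d+)", log).group(1))
    layout, offset = [], 0
    for name, size in re.findall(r"Name = (\w+)\s*, size = (\d+)", log):
        layout.append((offset, int(size), name))
        offset += int(size)
    return g_size, layout

if __name__ == "__main__":
    g_size, layout = usrconf_layout(BOOT_LOG)
    for offset, size, name in layout:
        print(f"0x{offset:04x}  {size:5d}  {name}")
    print("sum of sizes:", sum(s for _, s, _ in layout), "g_size:", g_size)
```

A map like this is useful when inspecting a raw flash dump: a region whose length matches g_size is a strong candidate for the stored configuration.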

Hitting CTRL-B doesn’t seem to do anything… I am always locked in the bootmenu, and the available options 1 to 5 aren’t working either. What if I try to type other characters? :) Only one character at a time is accepted, and some of them seem to work: “i” for ifconfig, “r” for route, “n” for netstat…:

serial output
Boot Menu:
     1:  Download application program
     2:  Modify Bootrom password
     3:  Exit the menu
     4:  Reboot
     5:  User commond line
        Enter your choice(1-4):n

Active Internet connections (including servers)
PCB      Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
-------- ----- ------ ------  ------------------ ------------------ -------
807b7e18 TCP        0      0  0.0.0.0.80            0.0.0.0.0             LISTEN
807b8448 UDP        0      0  0.0.0.0.2050          0.0.0.0.0            
807b83c4 UDP        0      0  0.0.0.0.53            0.0.0.0.0            
807b8340 UDP        0      0  0.0.0.0.67            0.0.0.0.0            
807b82bc UDP        0      0  0.0.0.0.68            0.0.0.0.0            

  Boot Menu:
     1:  Download application program
     2:  Modify Bootrom password
     3:  Exit the menu
     4:  Reboot
     5:  User commond line
        Enter your choice(1-4):i

ae (unit number 0):
     Flags: (0x8b63) UP BROADCAST MULTICAST PROMISCUOUS ARP RUNNING 
     Type: ETHERNET_CSMACD
     Internet address: 192.168.1.1
     Broadcast address: 192.168.1.255
     Netmask 0xffffff00 Subnetmask 0xffffff00
     Ethernet address is 00:19:e0:a5:d3:32
     Metric is 0
     Maximum Transfer Unit size is 1500
     0 octets received
     126 octets sent
     0 packets received
     3 packets sent
     0 non-unicast packets received
     0 non-unicast packets sent
     0 unicast packets received
     3 unicast packets sent
     0 input discards
     0 input unknown protocols
     0 input errors
     0 output errors
     0 collisions; 0 dropped
lo (unit number 0):
     Flags: (0x8069) UP LOOPBACK MULTICAST ARP RUNNING 
     Type: SOFTWARE_LOOPBACK
     Internet address: 127.0.0.1
     Netmask 0xff000000 Subnetmask 0xff000000
     Metric is 0
     Maximum Transfer Unit size is 32768
     1 packets received; 1 packets sent
     0 multicast packets received
     0 multicast packets sent
     0 input errors; 0 output errors
     0 collisions; 0 dropped
ae (unit number 1):
     Flags: (0x8b63) UP BROADCAST MULTICAST PROMISCUOUS ARP RUNNING 
     Type: ETHERNET_CSMACD
     Internet address: 10.1.211.51
     Broadcast address: 10.1.211.51
     Netmask 0xff000000 Subnetmask 0xfffffffc
     Ethernet address is 00:19:e0:a5:d3:33
     Metric is 0
     Maximum Transfer Unit size is 1500
     3568 octets received
     7290 octets sent
     8 packets received
     17 packets sent
     0 non-unicast packets received
     8 non-unicast packets sent
     8 unicast packets received
     9 unicast packets sent
     0 input discards
     0 input unknown protocols
     0 input errors
     0 output errors
     0 collisions; 0 dropped
ppp (unit number 1):
     Flags: (0xb0) DOWN POINT-TO-POINT 
     Type: PPP
     Metric is 0
     Maximum Transfer Unit size is 1400
     0 octets received
     0 octets sent
     0 packets received
     0 packets sent
     0 non-unicast packets received
     0 non-unicast packets sent
     0 unicast packets received
     0 unicast packets sent
     0 input discards
     0 input unknown protocols
     0 input errors
     0 output errors
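
An added example (not part of the original post) that turns the netstat and ifconfig dumps above into a list of exposed services: every socket bound to 0.0.0.0 is reachable on each interface address that is UP. The sample text is trimmed from the output above; the function names and the port-name table are this example's own, and netstat shows binds only, not any firewall rules.

```python
import re
# Trimmed from the "n" (netstat) and "i" (ifconfig) output above; only parsed fields kept.
NETSTAT = """\
807b7e18 TCP        0      0  0.0.0.0.80            0.0.0.0.0             LISTEN
807b8448 UDP        0      0  0.0.0.0.2050          0.0.0.0.0
807b83c4 UDP        0      0  0.0.0.0.53            0.0.0.0.0
807b8340 UDP        0      0  0.0.0.0.67            0.0.0.0.0
807b82bc UDP        0      0  0.0.0.0.68            0.0.0.0.0
"""
IFCONFIG = """\
ae (unit number 0):
     Flags: (0x8b63) UP BROADCAST MULTICAST PROMISCUOUS ARP RUNNING
     Internet address: 192.168.1.1
lo (unit number 0):
     Flags: (0x8069) UP LOOPBACK MULTICAST ARP RUNNING
     Internet address: 127.0.0.1
ae (unit number 1):
     Flags: (0x8b63) UP BROADCAST MULTICAST PROMISCUOUS ARP RUNNING
     Internet address: 10.1.211.51
ppp (unit number 1):
     Flags: (0xb0) DOWN POINT-TO-POINT
"""
# Well-known port names; anything else is reported as "unknown".
KNOWN = {53: "dns", 67: "dhcp-server", 68: "dhcp-client", 80: "http"}

def sockets(netstat):
    """Yield (proto, local_ip, port); the address column is ip.port, split on the LAST dot."""
    pat = r"^[0-9a-f]{8}\s+(TCP|UDP)\s+\d+\s+\d+\s+(\S+)\.(\d+)\s"
    for m in re.finditer(pat, netstat, re.M):
        yield m.group(1), m.group(2), int(m.group(3))

def up_addresses(ifconfig):
    """Map names like 'ae0' to the IPv4 address of each non-loopback interface that is UP."""
    addrs = {}
    pat = r"^(\w+) \(unit number (\d+)\):\n((?:[ \t]+.*\n?)*)"
    for name, unit, body in re.findall(pat, ifconfig, re.M):
        flags = re.search(r"Flags: \(0x[0-9a-f]+\) (.*)", body).group(1).split()
        ip = re.search(r"Internet address: (\S+)", body)
        if ip and "UP" in flags and "LOOPBACK" not in flags:
            addrs[name + unit] = ip.group(1)
    return addrs

def exposure(netstat, ifconfig):
    """Rows of (proto, port, service, reachable_on); a 0.0.0.0 bind covers every UP address."""
    up = sorted(up_addresses(ifconfig).values())
    return [(proto, port, KNOWN.get(port, "unknown"), up if ip == "0.0.0.0" else [ip])
            for proto, ip, port in sockets(netstat)]
```

Calling `exposure(NETSTAT, IFCONFIG)` returns one row per socket; the UDP 2050 listener is the only one without a well-known service name.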

Check my other blog post if you want to learn how to dump the flash IC using an AVR MCU (Arduino board).
