Kang-Wei Chang
Security Research Engineer

Hardware reverse engineering: Hack TP-Link AC1750 router root password using JTAG

October 9, 2019 by Kang-Wei Chang

Here at the Application and Threat Intelligence (ATI) Research Center, we are in the business of creating vulnerability- and exploit-based strikes that our customers use to validate their cybersecurity systems. Every so often, that includes finding zero-day vulnerabilities and tearing into hardware. This is one of those times. We have a few such projects underway, but this one is the furthest along and I’d like to share it with you. This is one of my first times to do this, so bear with me and I’ll show you the basic steps that I’ve taken to connect to a router and extract the firmware.

Let’s dig into it, literally. There are a couple of ways of reverse-engineering hardware, for example UART, SPI and JTAG. Today, I am using one of the most powerful protocols – JTAG (Joint Test Action Group). In this blog, the goal is to show how I can dump the firmware (FW) and retrieve the root shadow password. JTAG will give me the ability not only to dump the FW, but also to read the CPU registers and memory. Perhaps later I can explore those, but for now let’s get that firmware.

Tools required:

  • TP-Link AC1750 router
  • JTAG debug board – it can be a Bus Pirate or any JTAG debug board; in this article I am using the Attify Badge since it was available on our desk
  • Jump wires
  • Any operating system that can run OpenOCD; I am using AttifyOS, which is free and comes configured for internet of things (IoT) exploitation work

Let’s start the process!

Hardware setup

Let’s open the router and see what’s inside. We chose not to use a hammer this time. 


There are two sections we should notice here on the bottom left side:


This router does have JTAG and UART debug pinouts, lucky for us. I also found the JTAG pin layout online, so wiring is pretty straightforward. If that had not been available, we could have just used a tool like JTAGulator to determine the pinout. Next time!

After all the JTAG wires (TDI, TDO, TCK, TMS, GND) are connected, it will look like the following.


Software setup

Next step, let’s connect it to the computer. First, make sure your debug board is recognized by your OS (on a Linux distribution, check that the USB serial device exists, e.g. /dev/ttyUSB0).


Next, make sure your OpenOCD is current; I chose to compile it manually to ensure it supports our target CPU (check the compile link).


Also, make sure the target ath79.cfg file exists; it should be located at:

/usr/share/openocd/script/target/ath79.cfg

Next, power on the router and execute our OpenOCD using the following command:

sudo openocd -f [board cfg file] -f [router CPU cfg file]


There should be no errors after execution; if one appears, Google it.

JTAG command

OpenOCD will open port 4444 on localhost, waiting for a connection. Now, let’s try it using telnet.


Great! Now we can use JTAG to do a lot of stuff on this router. In this post, we want to extract the firmware. Do this with the following commands:


Using the flash banks command, we found that the image is located at 0xbf00000000 with size 0x01000000.

Next, we can use the following command to dump the image file.

dump_image [filename] [address] [size]

This step will take a really long time. Unfortunately, after it dumped the image, my terminal didn’t reply with success, but the file was there.

Now that we have the firmware, let’s use binwalk to take a look:


binwalk will identify a squashfs filesystem inside the image. Now, let’s use binwalk to extract the filesystem contents.

binwalk -Me firmware.bin

And we get a folder once it is unpacked:


Let’s take a look and find the shadow file! A shadow file stores the actual account passwords in hashed (not plaintext) form.


I am not going to crack the password here, but if you use your google-fu, you can easily find the cracked password. With the root password, we can log into the router using UART/SSH with root privilege. 
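As an added example (not part of the original post), here is a small Python audit of the kind a firmware reviewer would run over an extracted /etc/shadow: it flags accounts with no password, weak crypt(3) schemes, an empty salt, or a hash shared by more than one account. The shadow lines below are constructed for the demo and are not the router’s real entries.

```python
import re
from collections import Counter

# Constructed sample /etc/shadow, as it might look inside an extracted
# squashfs root. These are made-up hashes, not the ones from the router.
SAMPLE_SHADOW = """\
root:$1$$zzzzzzzzzzzzzzzzzzzzzz:10933:0:99999:7:::
admin:$1$$zzzzzzzzzzzzzzzzzzzzzz:10933:0:99999:7:::
support:abJnggxhB/yWI:10933:0:99999:7:::
backup:$6$saltsalt$hhhhhhhhhhhhhhhhhhhhhh:10933:0:99999:7:::
guest::10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
"""

# crypt(3) prefix -> (scheme name, considered weak for a device credential)
SCHEMES = {"$1$": ("md5crypt", True), "$5$": ("sha256crypt", False),
           "$6$": ("sha512crypt", False), "$2a$": ("bcrypt", False),
           "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
           "$y$": ("yescrypt", False), "$7$": ("scrypt", False)}

def classify(field):
    """Return (scheme, weak) for one shadow password field."""
    if field == "":
        return ("empty", True)          # login with no password at all
    if field[0] in "*!":
        return ("locked", False)        # no valid hash, password login disabled
    for prefix, info in SCHEMES.items():
        if field.startswith(prefix):
            return info
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("descrypt", True)       # traditional DES crypt, 8-char passwords
    return ("unknown", True)

def audit_shadow(text):
    """Return a list of (user, finding) tuples for risky entries."""
    entries = [tuple(line.split(":")[:2])
               for line in text.splitlines() if line.strip()]
    # Count only real hashes, so locked/empty fields never match each other
    hashes = Counter(pw for _, pw in entries if pw and pw[0] not in "*!")
    findings = []
    for user, pw in entries:
        scheme, weak = classify(pw)
        if weak:
            findings.append((user, f"{scheme}: crackable or no password"))
        if scheme == "md5crypt" and pw.startswith("$1$$"):
            findings.append((user, "md5crypt with empty salt"))
        if hashes[pw] > 1:
            findings.append((user, "hash shared with another account"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```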

Summary

We got the firmware! This post walks through the basic process for extracting and reversing the router’s firmware using the JTAG protocol.

The next step to find the original vulnerabilities on this is to drop into the recently-released FW Slap tool and see what it can find. From there, ATI researchers might be able to turn that output into a CVE and an ATI-released Strike. 
