tpl-c900-openwrt-install

command module

v0.0.0-...-32a604b Latest Latest Go to latest Published: Jul 17, 2021 License: BSD-3-Clause, MIT Imports: 10 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/knownunown/tpl-c900-openwrt-install

Links

Open Source Insights

README ¶

tpl-c900-openwrt-install

This repository details how to install OpenWrt on a TP-Link Archer C900 (US). I've been through these steps and though it's worked for me, it might not work for everyone. My C900 is currently fully functional on OpenWrt.

Disclaimer

I'm not responsible for turning your router into a toaster. You're following these instructions of your own accord. These instructions are not for the faint of heart -- they are geared towards guiding fairly technical users. If you don't understand what you're doing when you run these commands or tools, you probably shouldn't be attempting this.

Prerequisites

This guide assumes you're running Linux and that you have a Go installation.

Background

On relatively recent devices (including the Archer C900) TP-Link seems to have implemented some kind of firmware verification scheme that prevents the installation of third-party firmware. Curiously, The Archer C2 v3, the EU region equivalent of the C900, seems to have no such protection, even though the two devices are practically identical in terms of hardware.

This approach to installing OpenWrt doesn't involve attacking the firmware verification scheme head-on. Instead, it relies on gaining shell access to the device. While there is a dropbear server running on port 22 by default, it seems to have been modified to disable PTY and exec channels, i.e. to disallow running any commands. TP-Link seem to be using the server as an authentication mechanism for the API behind their mobile app, which SSH forwards into a service listening on the router's localhost.

Approach

Fortunately, it's possible to configure the dropbear server to again allow the execution of commands. This functionality is unfortunately not exposed through the web interface or mobile app, because that would be too easy. Instead, one has to modify the encrypted backup file. The keys for said backup file are hardcoded into the device firmware. The backup file itself is a tar file, compressed with Zlib and encrypted in AES-256-CBC mode (in that order.) Inside the tar file, the configuration is compressed and encrypted in the same manner and stored in ori-backup-user-config.bin. The configuration file itself is XML which might be a straight dump from UCI (TP-Link bases their firmware off OpenWrt 12.09.) TP-Link configures dropbear from UCI variables as well, so the goal would be to download a backup, unpack it, modify dropbear config keys, repack, then restore the backup via the webui.

Instructions

This repository contains all the necessary tools to unpack and repack the configuration file. Download it or clone it, cd to the directory, and let's get started.

Prelude

Before even extracting the files, we need to extract the backup encryption keys from the stock firmware.

Download the firmware from TP-Link's support site.
Extract the rootfs from the firmware image. At the current revision (V1_161130) it's offset by 1105537 bytes. You can run something like this to extract it: dd if=stock.bin of=stock.squashfs bs=1 skip=1105537.
Decompress the rootfs, like so: unsquashfs stock.squashfs. This should decompress the filesystem into ./squashfs-root.
Extract the encryption keys from the Lua bytecode. Going off the previous steps: strings squashfs-root/usr/lib/lua/luci/model/crypto.lua. This should output a sizeable list of strings. What you're looking for is two hexadecimal strings. One of them (the key) should be significantly longer than any other string in the list. The other one (IV) is right after the key.
Copy .encryption_params.sample into .encryption_params. Paste the key and the IV you found into the appropriate places in .encryption_params.

Modification

You should download the backup file from the router (the page to do so should be in System Tools -> Backup and Restore). These instructions will assume that you have the backup in this directory that the tools are in with a name of backup.bin.

Run extract.sh.
The decrypted config file should now be data/config.xml. There should be a section in the file that looks something like this:

<dropbear name="dropbear">
<RootPasswordAuth>on</RootPasswordAuth>
<SysAccountLogin>off</SysAccountLogin>
<Port>22</Port>
<PasswordAuth>on</PasswordAuth>
</dropbear>

Modify the dropbear section. Somewhere between the opening and closing tags, add the RemoteSSH tag: <RemoteSSH>on</RemoteSSH>. Admire your handiwork and save the file.
Run package.sh. You should now have a backup_final.bin file.
Restore the router using backup_final.bin, on the same page that you used to download the backup. Needless to say, don't turn off your router. It should reboot normally.

Flashing

At this point, your router should be online again after the restore reboot. If nothing went wrong, you should be able to ssh directly into the router as root with the password you set for the webui.

ssh into your router if you haven't already: ssh root@<router_ip>. Verify that you're able to get to a prompt. If not, something went wrong along the way.
Download the latest snapshot sysupgrade image. The file should be named openwrt-ath79-generic-tplink_archer-c2-v3-squashfs-sysupgrade.bin. You can alternatively use any custom sysupgrade image, just make sure it's compatible with the Archer C2 v3. Please make sure that it's a sysupgrade image, otherwise you will brick your router while attempting the following steps.
Check the checksum of the file against the one posted on the download site.
In another terminal, upload the sysupgrade image to your router: cat openwrt-ath79-generic-tplink_archer-c2-v3-squashfs-sysupgrade.bin | ssh root@<router_ip> 'cat >/tmp/firmware.bin'. The image is now uploaded to /tmp/, in RAM.
Going back the router shell, run cat /proc/mtd. Your output should be similar to this:

dev:    size   erasesize  name
mtd0: 00020000 00010000 "factory-uboot"
mtd1: 00010000 00010000 "u-boot"
mtd2: 00100000 00010000 "kernel"
mtd3: 006a0000 00010000 "rootfs"
mtd4: 00010000 00010000 "ART"

If your partition layout (the output from this command) is any different, do not continue.

Flash the image with mtd write /tmp/firmware.bin mtd2:mtd3. Verify that mtd2 and mtd3 correspond with kernel and rootfs, respectively. This overwrites the stock kernel and rootfs with the OpenWrt image. OpenWrt's partitioning is different than stock, but that doesn't really matter -- there really isn't a partition table on this specific device, it's hardcoded into the kernel. As far as I understand it, as long as the offset that u-boot boots from is the same, the new kernel will boot and understand the partition layout and everyone will be happy.
Once the mtd command finishes, type reboot to reboot the router.
Profit! The router should now be running OpenWrt. Be patient, first boot takes a while. If something went wrong while flashing, you can attempt TFTP recovery (the U-Boot partition shouldn't have been touched.) Remember that you've flashed a snapshot image, so you'll have to install LuCi manually.

Happy hacking!

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

decrypt.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL