TP-Link Archer D9
Hardware
- soc.broadcom.bcm47xx
Old links from the previous version of this page:
- CPU & Switch: Broadcom BCM4709A0
- Wireless: Broadcom BCM4360
- ADSL Modem: Broadcom BCM6318
Flashing
The system firmware validates an RSA signature during the upload process. However, it is possible to bypass this check via the telnet interface the device provides. The current steps for version 150826 are as follows:
- Update the firmware to v150826 via the web interface
- Telnet onto the device using the same password as for the admin interface
- Run the command “sh”
- Use ps to identify the httpd process id (pid)
- Read /proc/pid_of_httpd/maps to identify the location of libcmm.so
- Compile a binary using buildroot2012.02 for ARM EABI (compile this using a docker image of ubuntu 12.02) and patch the offsets appropriately. It’s currently uncertain whether the offsets to patch are the same across devices; listed here is the patch and code from one device.
- Make sure to correct the offsets, given that the start address of libcmm.so on the inspected device was 0x401d3000, and insert the pid from ps.
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ptrace.h>

int main(void){
    /* PID of httpd as reported by ps on the device; replace with your own. */
    pid_t pid = 1466;
    /* The addresses below are valid only for libcmm.so loaded at 0x401d3000;
       correct them from /proc/<pid>/maps on the inspected device. */
    long patch_offset = 0x401EF0A4;
    long patch_data = 0x57E1;
    long success;

    if(ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1){
        perror("ptrace attach");
        return 1;
    }
    /* Wait for httpd to stop before writing to its memory. */
    waitpid(pid, NULL, 0);

    /* PTRACE_POKEDATA writes one full word at the given address. */
    success = ptrace(PTRACE_POKEDATA, pid, (void *)patch_offset, (void *)patch_data);
    if(success == -1){
        perror("ptrace");
    }
    patch_offset = 0x401EEF97;
    success = ptrace(PTRACE_POKEDATA, pid, (void *)patch_offset, (void *)patch_data);
    if(success == -1){
        perror("ptrace");
    }
    patch_offset = 0x401EEF9B;
    patch_data = 0x0A1C149F;
    success = ptrace(PTRACE_POKEDATA, pid, (void *)patch_offset, (void *)patch_data);
    if(success == -1){
        perror("ptrace");
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 0;
}
- Load the binary onto a USB device and mount it on the router
- On the device, navigate to and execute /var/usbdevice/mount_point/binary_name
You’re now able to upload firmware via the web interface with the RSA check skipped. The above patch also negates the MD5 check.
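The step above that asks you to correct the offsets for your own device's libcmm.so base is where mistakes are easiest to make. As an added example that is not part of the original page, the following Python parses /proc/<pid>/maps output, finds the executable mapping of libcmm.so and rebases the three addresses from the page to that base; the maps text is constructed here, not captured from a real device.

```python
from typing import List, Optional

# Base address of libcmm.so observed on the device described on this page.
REFERENCE_BASE = 0x401D3000
# Absolute addresses written by the page's ptrace program; valid only for that base.
REFERENCE_PATCH_ADDRS = [0x401EF0A4, 0x401EEF97, 0x401EEF9B]

# Constructed sample of /proc/<pid>/maps output, not captured from a real device.
SAMPLE_MAPS = """\
00008000-00090000 r-xp 00000000 1f:03 1234       /usr/bin/httpd
40000000-40018000 r-xp 00000000 1f:03 5678       /lib/ld-uClibc.so.0
400a2000-400a3000 rw-p 00000000 00:00 0
401d3000-40210000 r-xp 00000000 1f:03 9012       /lib/libcmm.so
40210000-40217000 rw-p 0003d000 1f:03 9012       /lib/libcmm.so
"""


def library_base(maps_text: str, libname: str) -> Optional[int]:
    """Start address of the first executable mapping of libname, or None if absent."""
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # address, perms, offset, dev, inode, pathname
        if len(fields) < 6:
            continue                    # anonymous mapping, no pathname
        addr_range, perms, path = fields[0], fields[1], fields[5]
        if "x" in perms and path.rsplit("/", 1)[-1] == libname:
            return int(addr_range.split("-")[0], 16)
    return None


def rebase(addrs: List[int], old_base: int, new_base: int) -> List[int]:
    """Translate addresses valid for old_base to the same offsets under new_base."""
    return [a - old_base + new_base for a in addrs]


def rebased_patch_addrs(maps_text: str) -> List[int]:
    """Page addresses corrected for this device's libcmm.so; ValueError if not mapped."""
    base = library_base(maps_text, "libcmm.so")
    if base is None:
        raise ValueError("libcmm.so is not mapped in the given process")
    return rebase(REFERENCE_PATCH_ADDRS, REFERENCE_BASE, base)


if __name__ == "__main__":
    for addr in rebased_patch_addrs(SAMPLE_MAPS):
        print(hex(addr))
```

Feed it the real maps file from the device (for example via cat over telnet) and put the printed addresses into the C program before compiling.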