
Hacking the Linksys WRT120N

Discussion in 'Tomato Firmware' started by mpegmaster, Feb 7, 2014.

  1. mpegmaster

    mpegmaster Addicted to LI Member

    Hacking the Linksys WRT120N

    [Craig Heffner] recently found himself on the case of the Linksys WRT120N router. The router’s firmware was using some previously unknown form of obfuscation, causing headaches for those wishing to run their own software. The WRT120N, being a 2009 model, is somewhat out of date at this point. That didn’t stop [Craig] though, as he dove into reverse engineering the firmware obfuscation.

    [Craig] started by running the firmware through his own Binwalk tool. Binwalk analyzes firmware files for known data, be it embedded filesystems, raw compression streams, or binary files. In this case Binwalk only found a small LZMA block which contained the compressed HTML files for the router’s web interface. The rest of the firmware was unknown data with a high level of entropy. [Craig] couldn’t do anything more with the firmware update file alone, so he ordered a router to attack from the hardware side. Inside he found typical low-end router components: an Atheros AR7240 SoC, a 2MB SPI flash chip, and 32MB of RAM. He also found serial and JTAG headers.

    [Craig] connected to the serial port and was greeted with a boot menu. This allowed him to run some commands on the router, but didn’t give him any way to dump memory. He had to go straight to the source – connecting directly to the router’s SPI flash with an FTDI C232HM cable. Using libmpsse, another of his open source tools, [Craig] was able to dump the flash. He now had the un-obfuscated bootloader code, albeit in MIPS assembly. [Craig] was then able to go after the bootloader with IDA Pro. After a bit of work, the obfuscation system was exposed. The system was simple – several byte and nibble swaps had been performed between the LZMA header block and the first few bytes of data. [Craig] finished out this part of his hack by writing a simple C program to de-obfuscate and decompress the firmware.

  2. Malitiacurt

    Malitiacurt Networkin' Nut Member

    I'm sure people would rather have devs spend time working on porting Tomato to the new ARM routers than old Atheros routers with crippled flash size.

  3. mpegmaster

    mpegmaster Addicted to LI Member

    Hi Malitiacurt,

    The reason for my thread here is to help educate those who do not know what the process is to hack routers.

    Plus some of the tools presented in the article are not well known to all.

    Some of the members of this forum would have a better understanding of the 'back of house' details of porting routers to Tomato firmware. Some, just saying some, sometimes think that it is easy to make a request and voilà, it is done magically.
