Posted: Tue Mar 14, 2023 18:59 Post subject: TP-Link Archer C9 v5 config backup decryption key
Hi, I know DD-WRT will probably never support the TP-Link Archer C9 v5, however I spent some time recovering the config backup encryption key and I wanted to share the commands to decode it:
Config backup is actually a tar archive with a bunch of files just like other TP-Link routers.
As you can see, the key is ArcherC9 - which is actually extracted at runtime from the product_name uci configuration variable (look for enc_file in /usr/lib/lua/luci/controller/admin/firmware.lua). Next step, reencoding and possibly enabling full root ssh access by adding <RemoteSSH>on</RemoteSSH> to the Dropbear configuration section!
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Tue Mar 14, 2023 19:28 Post subject:
The stock firmware does not have dropbear included AFAIK. Will pass this info to BrainSlayer, but why would we want a way to exploit stock firmware in the wiki? _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
It actually worked, I now have SSH root access to the router without opening it up!
**Instructions**
On a Linux machine, create a new directory called archerc9conf and download a router config backup into it. Its file name will be backup-ArcherC9-YYYY-MM-DD.bin. Open a terminal and cd to the archerc9conf directory. Run the following commands, making sure to replace YYYY-MM-DD with the values from your actual file.
```sh
# Decrypt the backup. The passphrase is the product name (see the first post);
# -md md5 selects the legacy key derivation used by the firmware's OpenSSL build
# (newer openssl defaults to sha256 and would derive a different key).
$ openssl aes-256-cbc -d -k ArcherC9 -md md5 -in backup-ArcherC9-YYYY-MM-DD.bin -out backup-ArcherC9-YYYY-MM-DD.decrypted.bin
# Decompress using zlib (pigz auto-detects the zlib stream)
$ unpigz < backup-ArcherC9-YYYY-MM-DD.decrypted.bin > backup-ArcherC9-YYYY-MM-DD.tar
# Create a subdir for the extracted files
$ mkdir extracted
# The files in the tar archive must have the same permissions, owner info and timestamp as the original.
# This requires invoking the next commands as sudo.
# Uncompress the tar archive
$ sudo tar --transform 's,^.,extracted,' -xf backup-ArcherC9-YYYY-MM-DD.tar
# Add the line to enable SSH access
$ sudo sed -i '/^<PasswordAuth>.*<\/PasswordAuth>/i <RemoteSSH>on<\/RemoteSSH>' extracted/ori-backup-user-config.bin
# Recreate the tar archive
$ sudo tar -b1 -cvf backup-ArcherC9-YYYY-MM-DD.repack.tar --transform 's,^extracted,.,' --no-recursion --owner=root:0 --group=root:0 extracted/ extracted/ori-backup-user-config.bin extracted/ori-backup-certificate.bin
# Make sure we can access the newly created archive
$ sudo chown $USER: backup-ArcherC9-YYYY-MM-DD.repack.tar
# Compress with zlib again (pigz -z writes a zlib stream rather than gzip)
$ pigz -z < backup-ArcherC9-YYYY-MM-DD.repack.tar > backup-ArcherC9-YYYY-MM-DD.tar.zlib
# Encrypt the archive again
$ openssl aes-256-cbc -e -k ArcherC9 -md md5 -in backup-ArcherC9-YYYY-MM-DD.tar.zlib -out backup-ArcherC9-YYYY-MM-DD.reencrypted.bin
```
Now restore router config from the backup-ArcherC9-YYYY-MM-DD.reencrypted.bin file and wait a minute or two after reboot. Run ssh admin@YOUR-ROUTER-IP and login with your router admin password.
The admin user does not have uid 0 but it's in the root group and has root privileges (see attached image).
I hope it will be useful for others or maybe to port DD-WRT to this or other similar devices!
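The two security-relevant points in the procedure above are the key derivation and the container format: `openssl -k ArcherC9 -md md5` turns a passphrase that is just the product name into the AES key and IV, so the only per-file secret is the 8-byte salt, and under the cipher the backup is a zlib stream around a tar with `ori-backup-user-config.bin` and `ori-backup-certificate.bin`. The following script is an added example, not code from the thread or from TP-Link; it reproduces OpenSSL's legacy EVP_BytesToKey derivation in pure Python, builds a constructed plaintext backup with the two members the thread names, and audits a backup for the `<RemoteSSH>on</RemoteSSH>` setting that the sed line switches on. The XML-like layout of the sample config is an assumption (the thread only shows the `<PasswordAuth>` element), and the AES layer itself is left to openssl as in the post.

```python
from __future__ import annotations

import hashlib
import io
import tarfile
import zlib

# Constructed stand-in for ori-backup-user-config.bin. The thread only shows
# that the file contains a <PasswordAuth> element and accepts <RemoteSSH> next
# to it; everything else in this layout is an assumption for the example.
SAMPLE_USER_CONFIG = b"""<Config>
<Dropbear>
<PasswordAuth>on</PasswordAuth>
</Dropbear>
</Config>
"""

SALT_MAGIC = b"Salted__"  # header `openssl enc` writes before the 8-byte salt


def derive_key_iv(passphrase: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16) -> tuple[bytes, bytes]:
    """Legacy OpenSSL EVP_BytesToKey with MD5 and a single iteration.

    This is what `openssl aes-256-cbc -k <pass> -md md5` does without -pbkdf2:
    D1 = MD5(pass || salt), Di = MD5(D(i-1) || pass || salt), concatenated until
    32 key bytes and 16 IV bytes are available. With the product name as the
    passphrase, only the salt stored in the file header varies per backup.
    """
    if len(salt) != 8:
        raise ValueError("OpenSSL salt is 8 bytes")
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def split_salted(blob: bytes) -> tuple[bytes, bytes]:
    """Split an `openssl enc` output file into (salt, ciphertext)."""
    if blob[:8] != SALT_MAGIC:
        raise ValueError("missing Salted__ header")
    return blob[8:16], blob[16:]


def build_sample_backup(user_config: bytes, certificate: bytes = b"constructed-certificate-placeholder") -> bytes:
    """Plaintext layer of a backup: a root-owned tar with the two members named
    in the thread, wrapped in a zlib stream. This is what sits under the AES layer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in (
            ("./ori-backup-user-config.bin", user_config),
            ("./ori-backup-certificate.bin", certificate),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return zlib.compress(buf.getvalue())


def read_backup(zlib_blob: bytes) -> dict[str, bytes]:
    """Inverse of build_sample_backup: inflate, then read every regular file."""
    raw = zlib.decompress(zlib_blob)
    members: dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            name = m.name[2:] if m.name.startswith("./") else m.name
            members[name] = tar.extractfile(m).read()
    return members


def remote_ssh_enabled(user_config: bytes) -> bool:
    """True if restoring this config would start dropbear (the thread's sed edit)."""
    return b"<RemoteSSH>on</RemoteSSH>" in user_config


def audit_backup(zlib_blob: bytes) -> dict[str, object]:
    """Report the member list and the RemoteSSH state of a decrypted backup."""
    members = read_backup(zlib_blob)
    cfg = members.get("ori-backup-user-config.bin", b"")
    return {"members": sorted(members), "remote_ssh": remote_ssh_enabled(cfg)}


if __name__ == "__main__":
    key, iv = derive_key_iv(b"ArcherC9", bytes(8))  # all-zero salt, for illustration
    print("key", key.hex(), "iv", iv.hex())
    print(audit_backup(build_sample_backup(SAMPLE_USER_CONFIG)))
```

Running `audit_backup` over the output of the `unpigz` step (or over a backup you decrypted yourself) tells you before a restore whether a config would expose dropbear, which matters because, as noted further down in the thread, dropbear ends up listening on 0.0.0.0 rather than on the wired interfaces only.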
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Thu Mar 16, 2023 2:56 Post subject:
I probably shouldn't post BrainSlayer's reply, but he's less than interested:
Quote:
let the market rule it. if people avoid buying that shit the vendor maybe changes the mind. its broadcom shit anyway
On 14.03.2023 at 20:33 wrote:
Apparently, folks are still foaming at the mouth about the C9 v5. I don't think this information is useful for porting, and last I knew, there was no progress or port completed or it was a dead duck?
Don't expect any miracles unless someone is willing to do the porting or BrainSlayer changes his mind or finds the mood to port it. This device uses a bootloader to load the encrypted firmware image and then boot that image. It's not a simple port, whatsoever. I'm not even sure that you can do a true complete flash dump that way, but he has already dumped the flash on the donated unit, broken the crypto, he is just not very interested in porting Broadcom devices on a whim and I'm not going to try and change his mind.
BTW, congratulations on giving people a way to crack into the v5's stock firmware and hijack it since I don't think you can disable wireless access (can you?)
I can see why Broadcom platforms are a waste of time, I'm not surprised by BrainSlayer's position on that. It was just a fun experience for me, spending a couple of days investigating this old (2018) router. I learned a lot about many different aspects - disassembling lua, running firmware in qemu, how older versions of openssl behaved, even about the internals of the tar format.
Regarding your comment I'm not really sure what's the deal. If you mean malicious hijacking by the router owner, well, connecting to an AP that's not under your direct control is always a risk and you should assume that your traffic isn't private. If you meant that wireless guests can maliciously edit the router configuration, this procedure requires knowledge of the router admin password so I think it's safe to say that people could do malicious stuff already if they knew the password to the router administration UI.
What are you referring to with "disable wireless access"? You mean allowing SSH access from wired ports only? I'm not sure about that - it seems that dropbear is listening on 0.0.0.0, but it is always possible to restore the previous config backup disabling SSH access.
I just wanted to share my findings - maybe they could be useful to port other more interesting devices, or to help someone else learn about this stuff. The same techniques I used can be applied to analyze other router firmwares. And as I said it was fun!
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Thu Mar 16, 2023 18:53 Post subject:
Yes, wireless access to webUI or anything else that is open on the router itself. It doesn't take much to crack wifi AP connectivity and then it's only a matter of time to crack into the administrator account. Nonetheless, this information may be useful to me in checking into the differences between the EU and US version of the v4. I received a US version from another forum member and haven't gotten around to dumping the flash, etc. to look at what needs to be modified to support it. TP-Link left both TX and RX unconnected to the serial pin header, and I still haven't figured out a way to bridge the pads safely and it would take more than two hands to connect serial and break boot, etc. I didn't want you to think that either myself or this community was ungrateful for your sharing of this information, albeit with some possible caveats.