
Reverse engineering TP-Link TD-W8961N V3

Reverse Engineering Asked by Marouane AIT MENSSOUR on November 30, 2020

I'm trying to reverse engineer the firmware of the TP-Link TD-W8961N V3 router.
After following the same question here,
I used the script zynos.py to unpack the firmware and got these files:

-rw-r--r-- 1 root root    2048 Sep 30 03:33 CertFile.rom
-rw-r--r-- 1 root root  350208 Sep 30 03:33 fmmudata
-rw-r--r-- 1 root root    1024 Sep 30 03:33 headmmu
-rw-r--r-- 1 root root      28 Sep 30 03:33 HTPCode
-rw-r--r-- 1 root root   32768 Sep 30 03:33 HTPCode.rom
drwxr-xr-x 2 root root    4096 Sep 30 15:54 _HTPCode.rom.extracted
-rw-r--r-- 1 root root    2048 Sep 30 03:33 huffmmu
-rw-r--r-- 1 root root    1024 Sep 30 03:33 LedDefi
-rw-r--r-- 1 root root    8192 Sep 30 03:33 LogoImg
-rw-r--r-- 1 root root    8192 Sep 30 03:33 LogoImg2
-rw-r--r-- 1 root root    3072 Sep 30 03:33 MemMapT
-rw-r--r-- 1 root root      28 Sep 30 03:33 RasCode
-rw-r--r-- 1 root root 1163194 Sep 30 03:33 RasCode.rom
drwxr-xr-x 2 root root    4096 Oct  1 18:39 _RasCode.rom.extracted
-rw-r--r-- 1 root root    8192 Sep 30 03:33 RomDefa
-rw-r--r-- 1 root root    1024 Sep 30 03:33 Rt11nE2p
-rw-r--r-- 1 root root     512 Sep 30 03:33 SIDList.rom
-rw-r--r-- 1 root root    4096 Sep 30 03:33 SKUTBL.rom
-rw-r--r-- 1 root root  245760 Sep 30 03:33 StrImag
-rw-r--r-- 1 root root    1024 Sep 30 03:33 termcap

I used binwalk to extract the files HTPCode.rom and RasCode.rom.
After looking at zynos.md, I found more information about the extracted files:

Memory mapping and objects
All inspected devices so far contain at least these objects: MemMapT, BootBas, BootExt, RasCode, RomDefa, termcap.

The MemMapT object maps the memory mapping table -- its actual location and size in ROM.
The BootBas object maps the BootBase code -- the initial program loader for the device. It is not actually contained within the firmware update image, but I have seen a few firmware releases from ZyXEL that contain BootBase update in a separate file. Apart from boot code, BootBase contains vendor and model names. BootBase is rather small, typically 16K, but then, it does not need to do much except loading stage 2.
The BootExt object maps the BootExtension code -- stage 2 program loader. It also contains rudimentary debugging facilities allowing to recover the device in case of e.g. problems with configuration. BootExtension is responsible for loading the actual ZyNOS code.
The RasCode object contains the OS image (named RAS -- acronym?) -- the final stage.
The RomDefa object contains ROMFILE with default configuration settings.
The termcap object contains what looks like, well, termcap description. I am not sure this is actually used anywhere in code.
Objects with unknown contents:

DbgArea
RomDir2
Depending on the device, the following objects may be present:

The HTPCode object contains Hardware Test Program, which can be loaded via BootExtension

So the file containing the OS image is RasCode.
I used binwalk to get more info about the file:

--------------------------------------------------------------------------------
1225740       0x12B40C        TP-Link firmware header, firmware version: -24640.27395.-4500, image version: " Co., Ltd.", product ID: 0x65737320, product version: 1349478766, kernel load address: 0x11F50, kernel entry point: 0xEFFFFFFF, kernel offset: 1693673252, kernel length: 4156967956, rootfs offset: 3556796160, rootfs length: 469800426, bootloader offset: 3573675958, bootloader length: 1106012034
2162096       0x20FDB0        Neighborly text, "neighbor loss) fail"
2165188       0x2109C4        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 8313
2178704       0x213E90        Neighborly text, "neighbordown: can't shutdown OSPF task completely"
2189282       0x2167E2        ZyXEL rom-0 configuration block, name: "spt.dat", compressed size: 769, uncompressed size: 259, data offset from start of block: 28805
2270236       0x22A41C        HTML document footer
2270553       0x22A559        HTML document header
2274256       0x22B3D0        XML document, version: "1.0"
2340561       0x23B6D1        Base64 standard index table
2353193       0x23E829        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 131
2353305       0x23E899        Copyright string: "Copyright (c) 1994 - 2004 ZyXEL Communications Corp."
2353358       0x23E8CE        Copyright string: "Copyright (c) 2001 - 2006 TrendChip Technologies Corp."
2353413       0x23E905        Copyright string: "Copyright (c) 2001 - 2006 "
2353807       0x23EA8F        ZyXEL rom-0 configuration block, name: "dbgarea", compressed size: 0, uncompressed size: 0, data offset from start of block: 16
2365690       0x2418FA        eCos RTOS string reference: "ecost"
2419868       0x24EC9C        SHA256 hash constants, big endian
2421932       0x24F4AC        Base64 standard index table
2422880       0x24F860        DES PC1 table
2422936       0x24F898        DES PC2 table
2423096       0x24F938        DES SP1, big endian
2423352       0x24FA38        DES SP2, big endian
2462937       0x2594D9        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 135
2480824       0x25DAB8        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 131
2521748       0x267A94        Base64 standard index table
2564056       0x271FD8        XML document, version: "1.0"
2570560       0x273940        XML document, version: "1.0"
2571748       0x273DE4        XML document, version: "1.0"
2572716       0x2741AC        XML document, version: "1.0"
2577536       0x275480        XML document, version: "1.0"
2581712       0x2764D0        XML document, version: "1.0"
2584984       0x277198        XML document, version: "1.0"
2590372       0x2786A4        XML document, version: "1.0"
2596352       0x279E00        XML document, version: "1.0"
2598488       0x27A658        XML document, version: "1.0"
2605596       0x27C21C        XML document, version: "1.0"
2622128       0x2802B0        XML document, version: "1.0"
2631608       0x2827B8        XML document, version: "1.0"
2640368       0x2849F0        XML document, version: "1.0"
2641804       0x284F8C        XML document, version: "1.0"
2654188       0x287FEC        XML document, version: "1.0"
2674971       0x28D11B        Copyright string: "copyright"
2684587       0x28F6AB        Copyright string: "copyright" >"
2786992       0x2A86B0        CRC32 polynomial table, big endian
2880544       0x2BF420        Copyright string: "Copyright (c) 1996-2010 Express Logic Inc. * ThreadX MIPS32_34Kx/Green Hills Version G5.4.5.0 SN: 3182-197-0401 *"

binwalk -A shows that the file has MIPS instructions, and the binwalk output above shows that it's an RTOS:
ThreadX MIPS32_34Kx/Green Hills Version G5.4.5.0

I tried to load the file into IDA, but without success.

So my question is: how can I work with this RTOS image to understand more about the firmware and find more information?

The firmware can be downloaded at: https://www.tp-link.com/en/support/download/td-w8961n/v3/#Firmware

Thanks
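Added example, not part of the question or of the TP-Link/ZyNOS firmware: a raw ThreadX image has no ELF header, so IDA needs a processor type and a load address before it can disassemble it, and this script estimates that address from the `lui`/`addiu` pointer pairs MIPS compilers emit. The 512-byte blob at the bottom is constructed for the demo; on real input you would feed it the RasCode payload bytes and check the guess against the MemMapT object that zynos.md describes.

```python
"""Heuristic load-address guess for a raw big-endian MIPS32 blob (added example).

MIPS code builds a 32-bit absolute address as `lui rt, hi` followed by an
addiu/ori/lw/sw that uses rt as its base register. Each pair yields a
pointer; the 64K-aligned base that puts the most pointers inside the file
is a reasonable first guess for where the image was linked to run.
"""
import struct

LUI, ADDIU, ORI, LW, SW = 0x0F, 0x09, 0x0D, 0x23, 0x2B


def absolute_refs(blob: bytes, window: int = 4) -> list[int]:
    """Collect 32-bit addresses formed by lui/{addiu,ori,lw,sw} pairs."""
    words = [w for (w,) in struct.iter_unpack(">I", blob[: len(blob) & ~3])]
    refs = []
    for i, w in enumerate(words):
        if w >> 26 != LUI:
            continue
        rt, hi = (w >> 16) & 0x1F, w & 0xFFFF
        for w2 in words[i + 1 : i + 1 + window]:       # look a few insns ahead
            op, rs, lo = w2 >> 26, (w2 >> 21) & 0x1F, w2 & 0xFFFF
            if rs != rt:
                continue
            if op == ORI:                               # zero-extended immediate
                refs.append((hi << 16) | lo)
            elif op in (ADDIU, LW, SW):                 # sign-extended immediate
                lo -= 0x10000 if lo & 0x8000 else 0
                refs.append(((hi << 16) + lo) & 0xFFFFFFFF)
            break
    return refs


def guess_base(blob: bytes) -> tuple[int, int]:
    """Return (base, hits): the 64K-aligned base covering the most pointers."""
    refs, size, best = absolute_refs(blob), len(blob), (0, 0)
    for base in {r & 0xFFFF0000 for r in refs}:
        hits = sum(base <= r < base + size for r in refs)
        if hits > best[1]:
            best = (base, hits)
    return best


def _insn(op, rt, rs=0, imm=0):                         # tiny encoder for the sample
    return struct.pack(">I", (op << 26) | (rs << 21) | (rt << 16) | (imm & 0xFFFF))


# Constructed 512-byte sample "linked" at 0x80020000; hypothetical, not firmware.
SAMPLE = (
    _insn(LUI, 8, 0, 0x8002) + _insn(ADDIU, 8, 8, 0x0100)    # -> 0x80020100
    + _insn(LUI, 9, 0, 0x8002) + _insn(LW, 9, 9, 0x01F0)     # -> 0x800201F0
    + _insn(LUI, 4, 0, 0x8002) + _insn(ORI, 4, 4, 0x0040)    # -> 0x80020040
    + _insn(LUI, 2, 0, 0xBFC1) + _insn(ADDIU, 2, 2, 0x8000)  # -> 0xBFC08000, outside
).ljust(512, b"\0")

if __name__ == "__main__":
    base, hits = guess_base(SAMPLE)
    print(f"guess 0x{base:08X}: {hits} of {len(absolute_refs(SAMPLE))} refs inside")
```

Treat the result as a starting point only: pointers into RAM-resident data or boot ROM skew the count, and the MemMapT table remains the authoritative source for where RasCode is placed.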
