sta-c0000 / tpconf_bin_xml

Command line utility to convert TP-Link router backup config files

TP-LINK's commercial routers seem to use a different encryption method. #32

Open daiaji opened 1 year ago

daiaji commented 1 year ago

TP-LINK's commercial routers seem to use other methods to encrypt configuration files.

config-2023-02-15-20_00_17.bin.zip TL-R483G V4.0_2.0.1_Build_220113_Rel.45740n.bin.zip

binwalk ./TL-R483G V4.0_2.0.1_Build_220113_Rel.45740n.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
70016         0x11180         U-Boot version string, "U-Boot 1.1.3 (Jul 17 2019 - 21:23:56)"
198656        0x30800         uImage header, header size: 64 bytes, header CRC: 0x63858AB8, created: 2022-01-13 04:42:20, image size: 1636941 bytes, Data Address: 0x81001000, Entry Point: 0x81001000, data CRC: 0x64113980, OS: Linux, CPU: MIPS, image type: Multi-File Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.10.14"
198728        0x30848         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4868864 bytes
1901056       0x1D0200        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 12303876 bytes, 3037 inodes, blocksize: 262144 bytes, created: 2022-01-13 04:42:28

The firmware is based on openwrt with some modifications.

RE-Solver commented 1 year ago

Hi, here you are: https://resolverblog.blogspot.com/2023/02/tp-link-tl-r483g-industrial-router.html

daiaji commented 1 year ago

Did I do something wrong? I cut the signature and decrypted it with CyberChef, but it seems that I only got the corrupted file. download.tar.gz config1.bin.tar.gz

openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in ./config1.bin -out ./config2.bin
Error setting cipher DES-ECB
40A72980F97F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (DES-ECB : 4), Properties ()

OPENSSL seems to be of no use.

RE-Solver commented 1 year ago

You wrote the download.tar.gz file as a text file. This is your file: [image]

It must be like this: [image]

config_.tar.gz
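Added example, not from the thread or the tpconf_bin_xml project: the `unsupported` error quoted above is what OpenSSL 3.x returns for single DES unless the legacy provider is loaded, and the corrupted archive came from saving binary output as text. The functions below decrypt with the key quoted in the thread and classify the result by its first bytes; the file names and the UTF-8 reading of "saved as text" are assumptions, and the input must already have its signature removed.

```shell
#!/bin/sh
# Added example. KEY is the DES key quoted in the thread; file names are
# placeholders, and the input must already have its signature removed.
KEY=478DA50BF9E3D2CF

# des_ecb -d|-e IN OUT
# OpenSSL 3.x only offers single DES through the legacy provider; 1.1.x
# has no -provider option, so fall back to the plain invocation.
des_ecb() {
    openssl enc "$1" -des-ecb -nopad -K "$KEY" \
        -provider legacy -provider default -in "$2" -out "$3" 2>/dev/null ||
    openssl enc "$1" -des-ecb -nopad -K "$KEY" -in "$2" -out "$3"
}

# head_hex FILE N: first N bytes as lowercase hex without separators.
head_hex() {
    head -c "$2" "$1" | od -An -tx1 | tr -d ' \n'
}

# classify FILE: prints gzip, text-mangled or unknown.
# "text-mangled" assumes the binary was saved as UTF-8 text, which turns
# byte 0x8b into c2 8b (or into the replacement character ef bf bd).
classify() {
    case "$(head_hex "$1" 4)" in
        1f8b*)              echo gzip ;;
        1fc28b*|1fefbfbd*)  echo text-mangled ;;
        *)                  echo unknown ;;
    esac
}

# decrypt_config IN OUT: decrypt, report what came out, succeed only
# when the output starts with the gzip magic.
decrypt_config() {
    des_ecb -d "$1" "$2" || return 1
    kind=$(classify "$2")
    echo "$2: $kind"
    [ "$kind" = gzip ]
}

# Usage: decrypt_config config1.bin config2.tar.gz
```

A result of `text-mangled` means the decryption was right and only the save step damaged the file; `unknown` points to a wrong key or a wrong cut offset.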

daiaji commented 1 year ago

https://gchq.github.io/CyberChef/#recipe=DES_Decrypt(%7B'option':'Hex','string':'478da50bf9e3d2cf'%7D,%7B'option':'Hex','string':''%7D,'ECB','Raw','Raw')To_Hex('None',0)From_Hex('None')

You are right, it seems like some extra configuration of CyberChef is required to be able to download decrypted gz compressed files from CyberChef.


I would like to ask something off topic, is it possible to update the compiled mainline OPENWRT from the WEB UI through some binary modification and synthesis?

TP-LINK seems to verify the uploaded firmware during the firmware update process.

RE-Solver commented 1 year ago

If you have a signed verification process on the whole firmware, this can be skipped if you have root access through SSH, telnet or serial, unless it is done by the bootloader (harder to bypass, but so rare in those devices). There are a few different approaches, but none of them is an immediate task to follow.

Anyway, I don't know which bootloader is on this specific device or how it is configured, so in general you can write the image and upload it by browser in recovery mode, or in TFTP mode (U-Boot), if the bootloader is not locked. There are tons of guides you can read to understand those approaches; however, without the boot log and/or the physical device here, I'm not able to give you more specific indications atm.

Let me understand your wishes better: are you asking if you can compile and write openwrt firmware? Kernel included? A "frankenstein" approach is generally not recommended for stability.

Cheers

daiaji commented 1 year ago

Yes, I'm trying to migrate the mainline openwrt for it. There are some migration cases for the SOC MT7621DAT of this router, but the trouble is that the UART seems to have been disabled for log output (it may also be that the UART line has not been exported). Unless the UART is repaired, the firmware can only be written using the SPI programmer. If you can sign the mainline openwrt, you may be able to write the firmware to ROM from the WEBUI of the manufacturer's firmware.

RE-Solver commented 1 year ago

take some HQ pics of the PCB

daiaji commented 1 year ago

img img img img img img

RE-Solver commented 1 year ago

Last picture: I can't see it well, but it looks like an open circuit. Resistors R9 and R8 are missing. An oscilloscope or at least a multimeter could be a good friend.

daiaji commented 1 year ago

A 10k resistor is connected in series with R9, and a 5k resistor is connected in series with R8, and they are indeed disconnected, it seems that there is no need to solder additional resistors? I measured the logic level from TX at the R8 breakout.