
SSH access | TP-Link TL-R600VPN

The TP-Link TL-R600VPN is a nice low-cost NAT router.

While trying to add a long list of URLs from http://www.shallalist.de/ for URL filtering, I kept bumping into a limit of 25. So, I figured there must be a way to update the list from the command line.

Turning on SSH

There is no option to turn on SSH. However, there is Remote Assistance (System Tools -> Diagnostics -> Remote Assistance).


After Remote Assistance is turned on, there is no obvious username and password to use for SSH access. This is something that only support is supposed to use.

Finding password

Following this article gave me a great start on figuring out the SSH creds. The article references going to squashfs-root/etc/ and viewing the shadow file for the root password. In this case, the TL-R600VPN firmware did not have the password. Looking in the squashfs-root/etc/init.d folder did uncover startup scripts.

Enter Dropbear

The Dropbear startup init script includes a section to generate a new password on startup.

    getNewPasswd()
    {
        . /lib/functions.sh
        local macAddr=""
        local username=""
        macAddr=$(uci_get tddp macaddr macaddr)
        username=$(uci_get "accountmgnt.@account[0].username")
        echo "macAddr is $macAddr" > /dev/console
        #echo "username = $username" > /dev/console

        local key=$(echo -n "$macAddr""$username" | md5sum)
        key=$(echo ${key:0:16})
        #echo "key is $key" > /dev/console

        echo ${key}
    }

Break it down

macAddr references the LAN MAC, found under Network -> MAC.
example: D8:47:32:12:34:56

username references the user that was created during the setup process.
example: administrator

local key puts the two pieces together and pipes the result to md5sum:
echo -n "D8:47:32:12:34:56administrator" | md5sum
d53ffaa1f8b8ce3b62f6b60673800d0

key=$(echo ${key:0:16}) takes the hash and uses only its first 16 characters as the password.
d53ffaa1f8b8ce3b

Now we have the password.
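
Both inputs to the derivation are fixed per device, so the function returns the same value every time it runs. The sketch below is an added example, not code from the firmware or the original post: it puts that derivation beside a hardened alternative that draws the secret from /dev/urandom, plus a check for whether a given password is the derivable one. The function names are hypothetical and the MAC and username are the page's illustrative values.

```sh
#!/bin/sh
# Added example: function names are hypothetical, not taken from the firmware.

# Firmware-style derivation: first 16 hex chars of md5(MAC + username).
# Both inputs are fixed per device, so the output never changes.
derived_passwd() {
    printf '%s%s' "$1" "$2" | md5sum | cut -c1-16
}

# Hardened alternative: 8 bytes from the kernel CSPRNG, hex-encoded.
# Unrelated to any device attribute and different on every call.
random_passwd() {
    dd if=/dev/urandom bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeeds only for exactly 16 lowercase hex characters.
is_hex16() {
    case $1 in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Audit check: succeeds when a password equals the value derivable
# from the device's MAC address and account name.
is_predictable() {
    [ "$3" = "$(derived_passwd "$1" "$2")" ]
}

# Constructed sample inputs (the page's illustrative MAC and username).
MAC="D8:47:32:12:34:56"
USER_NAME="administrator"

echo "derived, run 1: $(derived_passwd "$MAC" "$USER_NAME")"
echo "derived, run 2: $(derived_passwd "$MAC" "$USER_NAME")"
fresh=$(random_passwd)
echo "random:         $fresh"
if is_predictable "$MAC" "$USER_NAME" "$fresh"; then
    echo "random secret is derivable from device attributes"
else
    echo "random secret is not derivable from device attributes"
fi
```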

SSH as root

ssh root@192.168.2.1
Provide the password: d53ffaa1f8b8ce3b

Victory!