{"id":5,"date":"2020-09-28T18:49:57","date_gmt":"2020-09-28T18:49:57","guid":{"rendered":"http:\/\/192.168.2.107\/?p=5"},"modified":"2022-04-16T15:29:36","modified_gmt":"2022-04-16T15:29:36","slug":"ssh-access-tp-link","status":"publish","type":"post","link":"https:\/\/elementalcraft.duckdns.org\/?p=5","title":{"rendered":"ssh access | tp-link TL-R600VPN"},"content":{"rendered":"\n<p>The tp-link TL-R600VPN is a nice low-cost NAT router. <br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"2844\" height=\"164\" src=\"https:\/\/elementalcraft.duckdns.org\/wp-content\/uploads\/2020\/09\/image-1.png\" alt=\"\" class=\"wp-image-16\"\/><\/figure>\n\n\n\n<p>While trying to add a long list of URLs from<a rel=\"noreferrer noopener\" href=\"http:\/\/www.shallalist.de\/\" target=\"_blank\"> http:\/\/www.shallalist.de\/<\/a> for URL filtering, I kept bumping into a limit of 25. So, I figured there must be a way to update the list from the command line.<\/p>\n\n\n\n<p>Turning on SSH<\/p>\n\n\n\n<p>There is not an option to turn on SSH. However, there is Remote Assistance (System Tools -&gt; Diagnostics -&gt; Remote Assistance). <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1472\" height=\"386\" src=\"https:\/\/elementalcraft.duckdns.org\/wp-content\/uploads\/2020\/09\/image.png\" alt=\"\" class=\"wp-image-15\"\/><figcaption>Remote Assistance<\/figcaption><\/figure>\n\n\n\n<p><br>After Remote Assistance is turned on there is not an obvious username and password to use to access ssh. This is something that only support is supposed to use.<\/p>\n\n\n\n<p>Finding password<\/p>\n\n\n\n<p>Following this <a href=\"https:\/\/medium.com\/@6c2e6e2e\/getting-root-password-from-firmware-image-tp-link-wr740n-example-f17ef8a58ea3\">article<\/a> gave me a great start on figuring out the SSH creds. The article references going to<code> squashfs-root\/etc\/ <\/code>and viewing the <code>shadow<\/code> file for the root password. In this case, the RS600VPN firmware did not have the password. Looking in the <code>squashfs-root\/etc\/init.d<\/code> folder did uncover startup scripts.<br>Enter Dropbear<br>The <code>dropbear<\/code> startup init script includes a section to generate a new password on startup.<br><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\ngetNewPasswd()\n{\n. \/lib\/functions.sh&nbsp;\nlocal macAddr=\"\"\nlocal username=\"\"\nmacAddr=$(uci_get tddp macaddr macaddr)\nusername=$(uci_get \"accountmgnt.@account&#91;0].username\")\necho \"macAddr is $macAddr\" &gt; \/dev\/console\n#echo \"username = $username\" &gt; \/dev\/console\n\n\nlocal key=$(echo -n \"$macAddr\"\"$username\" | md5sum)\nkey=$(echo ${key:0:16})\n#echo \"key is $key\" &gt; \/dev\/console\n\n\necho ${key}\n}<\/code><\/pre>\n\n\n\n<p>Break it down<br><strong>macAddr<\/strong> references the LAN MAC. Found here Network -&gt; MAC<br>example: <code>D8:47:32:12:34:56<\/code><br><strong>username<\/strong> references the user that was created during the setup process<br>example: <code>administrator<\/code><br><strong>local key<\/strong> puts the two pieces together and pipes it to md5<br><code>D8:47:32:12:34:56administrator | md5sum<br>d53ffaa1f8b8ce3b62f6b60673800d0<\/code><br><br><code>key=$(echo ${key:0:16}<\/code> takes the hash, and only uses the first 16 characters of that hash as the password.<br><code>d53ffaa1f8b8ce3b<\/code><br>Now we have the password<\/p>\n\n\n\n<p>SSH as root<br><code>ssh root@192.168.2.1<\/code><br>provide the password: <code>d53ffaa1f8b8ce3b<\/code><\/p>\n\n\n\n<p>Victory!<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"878\" height=\"606\" src=\"https:\/\/elementalcraft.duckdns.org\/wp-content\/uploads\/2020\/09\/image-3.png\" alt=\"\" class=\"wp-image-20\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>The tp-link TL-R600VPN is a nice low-cost NAT router. While trying to add a long list of URLs from http:\/\/www.shallalist.de\/ for URL filtering, I kept bumping into a limit of 25. So, I figured there must be a way to update the list from the command line. Turning on SSH There is not an option [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":true,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/elementalcraft.duckdns.org\/index.php?rest_route=\/wp\/v2\/posts\/5"}],"collection":[{"href":"https:\/\/elementalcraft.duckdns.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/elementalcraft.duckdns.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/elementalcraft.duckdns.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/elementalcraft.duckdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5"}],"version-history":[{"count":6,"href":"https:\/\/elementalcraft.duckdns.org\/index.php?rest_route=\/wp\/v2\/posts\/5\/revisions"}],"predecessor-version":[{"id":34,"href":"https:\/\/elementalcraft.duckdns.org\/index.php?rest_route=\/wp\/v2\/posts\/5\/revisions\/34"}],"wp:attachment":[{"href":"https:\/\/elementalcraft.duckdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/elementalcraft.duckdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/elementalcraft.duckdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}