hacking-the-whitebox.md

Hacking the SamKnows Whitebox

The SamKnows Whitebox is a free router (TP-Link TL-WDR3600) provided by SamKnows to gather internet speed statistics. Ok that's great, but any person with a small amount of hacker's spirit will want to hack it to install some custom firmware to take advantage of the two gigantic antennas on the back, the USB ports and everything else.

Step 1 : Debug mode

Root access can be obtained via a "debug mode" on the router giving you a direct root shell via telnet, amazingly simple.

• Disconnect the Whitebox from the internet.
• Connect your computer directly to the Whitebox via Ethernet to one of the four ethernet ports on the Whitebox.
• Configure your computer's IP settings to "Manual" setting the computer's IP address to 192.168.1.2, the Subnet Mask to 255.255.255.0 and the Gateway to 192.168.1.1.
• Turn off the Whitebox.
• Turn on the Whitebox.
• Wait for all the lights to come on and turn off once, then spam the "WPS / Reset" button on the back of the Whitebox.
• Continue spamming until the second LED from the left flashes continuosly. You are now in "debug mode".

Step 2 : Changing the root password

Ok, so now you have a root shell on the Whitebox via telnet, wasn't that hard. Now connect to the Whitebox with a telnet client (Putty on Windows, Terminal on linux) :

$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

 === IMPORTANT ============================
 Use 'passwd' to set your login password
 this will disable telnet and enable SSH
 ------------------------------------------


BusyBox v1.19.4 (2012-11-21 13:26:44 GMT) built-in     shell (ash)
Enter 'help' for a list of built-in commands.

                     _
 ___  __ _ _ __ ___ | | ___ __   _____      _____
/ __|/ _` | '_ ` _ \| |/ / '_ \ / _ \ \ /\ / / __|
\__ \ (_| | | | | | |   <| | | | (_) \ V  V /\__ \
|___/\__,_|_| |_| |_|_|\_\_| |_|\___/ \_/\_/ |___/
       P E R F O R M A N C E   M O N I T O R I N G

 OS: OpenWRT Attitude Adjustment, r35093
 SW: WDR3600 Build
 -------------------------------------------------
root@(none):/# 

There you have it, a root busybox shell. Next up... mounting the filesystem :

root@(none):/# mount_root
switching to jffs2

Now we can perform modifications to the system, for example we could change the... root user's password maybe (They gave us the hint when connecting via telnet)

root@(none):/# passwd
Changing password for root
New password: 
Bad password: too short
Retype password: 
Password for root changed by root

I set the password to "root", hence the "Bad password" warning.

Step 3 : SSH inside

Telnet is a pile of shit, a move to SSH is recommended.

Now if you restart the box (don't bother trying reboot it doesn't do much, just pull the plug), plug the Whitebox back in to your router then you should be able to access the device via SSH on port 2222 (once you've found the DHCP assigned IP address, check your router's web interface to see if you can get a list of all connected devices, or try an IP scan on the local network)

$ ssh [email protected] -p 2222
[email protected]'s password: 

BusyBox v1.19.4 (2012-11-21 13:26:44 GMT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

                     _
 ___  __ _ _ __ ___ | | ___ __   _____      _____
/ __|/ _` | '_ ` _ \| |/ / '_ \ / _ \ \ /\ / / __|
\__ \ (_| | | | | | |   <| | | | (_) \ V  V /\__ \
|___/\__,_|_| |_| |_|_|\_\_| |_|\___/ \_/\_/ |___/
       P E R F O R M A N C E   M O N I T O R I N G

 OS: OpenWRT Attitude Adjustment, r35093
 SW: WDR3600 Build

root@OpenWrt:~#

Step 4 : Explore

Now you're inside, you can explore around, find your device's "Unit ID" to spoof metrics :

root@OpenWrt:/tmp/samknows# cat /tmp/samknows/unitid
123456

You can also modify it to pretend you're someone else (Warning : the "unitid" goes back to default on reboot) with a quick vi /tmp/samknows/unitid

You can also find out how everything works (such as sending results and all the different test) and disable reporting by exploring /tmp/ispmon

root@OpenWrt:~# cat /tmp/ispmon/cron/crontab 
40 * * * *  /tmp/ispmon/bin/dcsclient https://dcs-uk.samknows.com:443 -v >/dev/null 2>&1
45 * * * * /tmp/ispmon/scripts/pcscript >/dev/null 2>&1
25 * * * * /tmp/ispmon/scripts/sanity.sh >/dev/null 2>&1
26 * * * * /tmp/ispmon/scripts/submit.sh >/dev/null 2>&1
30 * * * * /tmp/ispmon/scripts/timesync.sh >/dev/null 2>&1
35 6 * * * /usr/sbin/udhcpcrestart.sh >/dev/null 2>&1
38 22 * * * /tmp/ispmon/scripts/background_tests.sh restart >/dev/null 2>&1

This shows which scripts are called by the system and how often. The same output can be obtained via crontab -e

Cronjob execution can be disabled for the current session with killall crond

And if you want to disable stuff permanently, take a look at /overlay (A good explanation is available here)

Step 4.2 : Backup

Thanks to @nonflammable for this, if you ever feel like coming back to the original Samknow's firmware then you can do the following, if not ignore the step.

Do a quick system backup :

dd if=/dev/mtdblock5 of=/tmp/sysbackup.bin

Copy the file /tmp/sysbackup.bin to a relatively safe place on your PC with something like WinSCP or Filezilla.

Whenever you need to restore the backup you can use the following command :

mtd -r write /tmp/sysbackup.bin firmware

Or you can also use DD-WRTs web GUI to upload and flash sysbackup.bin without the 1337 command line.

Step 5 : Flash

The great thing about this little Whitebox is that we can install pratically anything on it, I've chosen to install DD-WRT. To start off you need to find the correct firmware for the Whitebox and download it to your computer.

Pop over to the DD-WRT Router Database, type TL-WDR3600 and download the factory-to-ddwrt.bin file.

Put the file on a web server on your computer to make it accessible from the Whitebox so the router can access http://192.168.1.2/factory-to-ddwrt.bin

• Now go back to step 1 and access the Whitebox via telnet.
• Execute the mount_root command.
• Move to the /tmp directory : cd /tmp
• Execute wget http://192.168.1.2/factory-to-ddwrt.bin
• Execute mtd -r write /tmp/factory-to-ddwrt.bin firmware

You should now have the following output, it can take a few moments, don't panic :

root@(none):/tmp# mtd -r write /tmp/factory-to-ddwrt.bin firmware
Unlocking firmware ...

Writing from /tmp/factory-to-ddwrt.bin to firmware ...     
Rebooting ...

Step 6 : Enjoy

Now the telnet session should die and your Whitebox should reboot, I'll call it the Blackbox now because it's turned to the dark side.

Now by visiting http://192.168.1.1/ in your browser you will be greeted with your brand-spanking-new version of DD-WRT. I'm not going to cover setting everything up, that's your problem now. Have fun with your Blackbox !

Step 5.. I dont understand how to create server on my computer

I cannot seem to get the device to boot into debug mode.
After spamming the WPS/reset button after the initial blink of all LEDs, the Sys LED blinks for a bit and then it just boots up regularly every time.

Is it possible to still run the SamKnows analytics on a "black box" after hacking it?

No matter what I do, I cannot seem to get the device to boot into debug mode.
I've done as instructed by spamming the WPS/reset button after the initial blink of all LEDs, but have had no luck being able to telnet into the device with terminal (and yes, I have manually set the IP info and disabled wifi on my computer so it is only hardwired into the TP-Link).

I get a "connection refused" when I try to connect with PuTTY. The debug mode also ends after a minute or so like others have said.

Hey Mag81 Im trying to root in with ssh and its giving me "connection refused". Could i do this threw ubuntu LTS

hi,
anyone got the "debug mode"?
here is version 8.0 of the router

On my TL-WR1034ND I had to do /etc/init.d/dropbear start to get SSH going as mentioned here:

https://forum.openwrt.org/t/solved-repurposing-a-samknows-tl-wr1043nd-v1-10/84741/6

Also I needed to tun ssh with: -oHostKeyAlgorithms=+ssh-dss -oKexAlgorithms=+diffie-hellman-group1-sha1

Worked great. I was able to flash to dd-wrt although I got hung up in the ssh port being 2222. Tricky brits.
Also I didn’t need to create a webserver for the factory-to-ddwrt.bin file. I just used mobaxterm which has a file transfer app built in. Thanks!

No success here enabling debug mode. My device is a SK-WB8+, used by Nielsen in Australia. It has 4 antennas.

Boot sequence only ever lights 1 of the 6 lights - the power one. Hitting the reset or WPS button does not change anything.

According to https://openwrt.org/toh/samknows/sk-wb8 this needs internal serial port hacking :-(

With latest version the failsafe option no longer woks.

The solution is to increase bootcount enough (by powering for about 5 seconds and rebooting it many times), until u-boot has a boot delay. Then follow openwrt tftp flash instructions.

WiFi performance is great actually. Sans a small defect that should be fixed in master soon: openwrt/openwrt#15391

Since Cisco has now killed all the "voluntary" whiteboxes, I wanted to convert my WDR3600 to vanilla openwrt.

I do get telnet to work and it seems I have exact same firmware version as described in this document:

 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------


BusyBox v1.19.4 (2015-02-03 17:28:09 GMT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

                     _
 ___  __ _ _ __ ___ | | ___ __   _____      _____
/ __|/ _` | '_ ` _ \| |/ / '_ \ / _ \ \ /\ / / __|
\__ \ (_| | | | | | |   <| | | | (_) \ V  V /\__ \
|___/\__,_|_| |_| |_|_|\_\_| |_|\___/ \_/\_/ |___/
       P E R F O R M A N C E   M O N I T O R I N G

 OS: OpenWRT Attitude Adjustment, r35093
 SW: WDR3600 Build
 -------------------------------------------------

but I cannot mount the root file system:

root@(none):/# mount_root
/sbin/mount_root: line 1: pi_include: not found
/sbin/mount_root: line 1: pi_include: not found
/sbin/mount_root: line 1: set_jffs_mp: not found
/sbin/mount_root: line 1: determine_root_device: not found
/sbin/mount_root: line 1: can't create /.extroot.md5sum: Read-only file system
switching to jffs2

And ssh connection is denied, even while still in debug mode.

$ ssh [email protected] -p 2222
ssh: connect to host 192.168.1.1 port 2222: Connection refused

same after power cycling the device and discovered the local IP:

$ ssh [email protected] -p 2222
ssh: connect to host 192.168.1.117 port 2222: Connection refused

ping does work though.

ok, so I solved this this way:

Do not leave the debug mode, start an http server on your machine:

On a Mac for example:

cd /path/to/openwrt-23.05.3-ath79-generic-tplink_tl-wdr3600-v1-squashfs-factory.bin
python3 -m http.server

then on the whitebox:

wget http://192.168.1.2:8000/openwrt-23.05.3-ath79-generic-tplink_tl-wdr3600-v1-squashfs-factory.bin
mtd -r write /tmp/openwrt-23.05.3-ath79-generic-tplink_tl-wdr3600-v1-squashfs-factory.bin firmware

Done. It will come up as a router with DHCP server enabled, you can directly access the web intf with http, login is root and leave pwd empty.