TP-LINK新固件SSH密码几乎无解

Luochancy · 发表于 2025-2-19 02:36:04

立刻注册账号，享受更清爽的界面！

您需要登录才可以下载或查看，没有账号？注册

×

本帖最后由 Luochancy 于 2025-2-19 02:39 编辑

洛手头上有一台R473G V3，想折腾一下
查了下N3发现SSH密码通过MAC就可以算
然后算半天密码不对
然后就想着去解更新包看看
一看不知道，TP-LINK更新了SSH密码计算方式

固件来源：TP-LINK
解包工具：https://zhiwanyuzhou.com/
文件位置：/etc/init.d/dropbear

这是原来的：

#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2010 OpenWrt.org
# Copyright (C) 2006 Carlos Sobrinho
START=50
STOP=50
SERVICE_USE_PID=1
NAME=dropbear
PROG=/usr/sbin/dropbear
PIDCOUNT=0
EXTRA_COMMANDS="killclients"
EXTRA_HELP=" killclients Kill ${NAME} processes except servers and yourself"
getNewPasswd()
{
. /lib/functions.sh
local macAddr=""
macAddr=$(ubus call tddpServer getInfo '{"infoMask":1,"sep":"-"}' | sed 's/-//g' | jsonfilter -e '@.mac')
echo "macAddr from tddp config is $macAddr" > /dev/console
local key=$(echo -n "$macAddr" | md5sum)
key=$(echo ${key:0:16})
#echo "key is $key" > /dev/console
echo ${key}
}
setNewPasswd()
{
local newPasswd=`getNewPasswd`
#echo "newPasswd is $newPasswd" > /dev/console
(echo "$newPasswd";sleep 1;echo "$newPasswd") | passwd > /dev/null
}
setDefaultPasswd()
{
cp /rom/etc/passwd /etc/passwd &> /dev/null
}
dropbear_start()
{
append_ports()
{
local ifname="$1"
local port="$2"
grep -qs "^ *$ifname:" /proc/net/dev || {
append args "-p $port"
return
}
for addr in $(
ifconfig "$ifname" | sed -ne '
/addr: *fe[89ab][0-9a-f]:/d
s/.* addr: *$[0-9a-f:\.]*$.*/\1/p
'
); do
append args "-p $addr:$port"
done
}
local section="$1"
# Customized kill switch
config_get_bool ssh_port_switch "${section}" ssh_port_switch 0
echo "ssh_port_switch is $ssh_port_switch" > /dev/console
if [ "$ssh_port_switch" != "1" ]; then
echo "set default passwd" > /dev/console
setDefaultPasswd
return 0
fi
# check if section is enabled (default)
local enabled
config_get_bool enabled "${section}" enable 1
[ "${enabled}" -eq 0 ] && return 1
setNewPasswd
# verbose parameter
local verbosed
config_get_bool verbosed "${section}" verbose 0
# increase pid file count to handle multiple instances correctly
PIDCOUNT="$(( ${PIDCOUNT} + 1))"
# prepare parameters (initialise with pid file)
local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
local args="-P $pid_file"
local val
# A) password authentication
config_get_bool val "${section}" PasswordAuth 1
[ "${val}" -eq 0 ] && append args "-s"
# B) listen interface and port
local port
local interface
config_get interface "${section}" Interface
config_get interface "${interface}" ifname "$interface"
config_get port "${section}" Port 22
append_ports "$interface" "$port"
# C) banner file
config_get val "${section}" BannerFile
[ -f "${val}" ] && append args "-b ${val}"
# D) gatewayports
config_get_bool val "${section}" GatewayPorts 0
[ "${val}" -eq 1 ] && append args "-a"
# E) root password authentication
config_get_bool val "${section}" RootPasswordAuth 1
[ "${val}" -eq 0 ] && append args "-g"
# F) root login
config_get_bool val "${section}" RootLogin 1
[ "${val}" -eq 0 ] && append args "-w"
# G) host keys
config_get val "${section}" rsakeyfile
[ -f "${val}" ] && append args "-r ${val}"
config_get val "${section}" dsskeyfile
[ -f "${val}" ] && append args "-d ${val}"
# execute program and return its exit code
[ "${verbosed}" -ne 0 ] && echo "${initscript}: section ${section} starting ${PROG} ${args}"
SERVICE_PID_FILE="$pid_file" service_start ${PROG} ${args}
}
keygen()
{
for keytype in rsa dss; do
# check for keys
key=dropbear/dropbear_${keytype}_host_key
[ -f /tmp/$key -o -s /etc/$key ] || {
# generate missing keys
mkdir -p /tmp/dropbear
[ -x /usr/bin/dropbearkey ] && {
/usr/bin/dropbearkey -t $keytype -f /tmp/$key 2>&- >&- && exec /etc/rc.common "$initscript" start
} &
exit 0
}
done
lock /tmp/.switch2jffs
mkdir -p /etc/dropbear
mv /tmp/dropbear/dropbear_* /etc/dropbear/
lock -u /tmp/.switch2jffs
chown root /etc/dropbear
chmod 0700 /etc/dropbear
}
start()
{
[ -s /etc/dropbear/dropbear_rsa_host_key -a \
-s /etc/dropbear/dropbear_dss_host_key ] || keygen
config_load "${NAME}"
config_foreach dropbear_start dropbear
}
stop()
{
local pid_file pid_files
pid_files=`ls /var/run/${NAME}.*.pid 2>/dev/null`
[ -z "$pid_files" ] && return 1
for pid_file in $pid_files; do
SERVICE_PID_FILE="$pid_file" service_stop ${PROG} && {
rm -f ${pid_file}
}
done
}
killclients()
{
local ignore=''
local server
local pid
# if this script is run from inside a client session, then ignore that session
pid="$$"
while [ "${pid}" -ne 0 ]
do
# get parent process id
pid=`cut -d ' ' -f 4 "/proc/${pid}/stat"`
[ "${pid}" -eq 0 ] && break
# check if client connection
grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && {
append ignore "${pid}"
break
}
done
# get all server pids that should be ignored
for server in `cat /var/run/${NAME}.*.pid`
do
append ignore "${server}"
done
# get all running pids and kill client connections
local skip
for pid in `pidof "${NAME}"`
do
# check if correct program, otherwise process next pid
grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
continue
}
# check if pid should be ignored (servers, ourself)
skip=0
for server in ${ignore}
do
if [ "${pid}" == "${server}" ]
then
skip=1
break
fi
done
[ "${skip}" -ne 0 ] && continue
# kill process
echo "${initscript}: Killing ${pid}..."
kill -KILL ${pid}
done
}

复制代码

这是现在（2.2.1 Build 240514 Rel.58724n）

#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2010 OpenWrt.org
# Copyright (C) 2006 Carlos Sobrinho
START=50
STOP=50
SERVICE_USE_PID=1
NAME=dropbear
PROG=/usr/sbin/dropbear
PIDCOUNT=0
EXTRA_COMMANDS="killclients"
EXTRA_HELP=" killclients Kill ${NAME} processes except servers and yourself"
getNewPasswd()
{
local key_code=`/usr/sbin/dbg_passwd_gen`
local key=$(echo ${key_code:0:6})
local code=$(echo ${key_code:6:38})
#echo "Password: $key" > /dev/console
echo "Authorized code: $code" > /dev/console
echo ${key}
echo ${code}
}
setNewPasswd()
{
local ret=`getNewPasswd`
local newPasswd=`echo $ret | awk '{print $1}'`
local newAuthCode=`echo $ret | awk '{print $2}'`
#echo "newPasswd is $newPasswd" > /dev/console
(echo "$newPasswd";sleep 1;echo "$newPasswd") | passwd > /dev/null
uci set ${NAME}.$1.AuthCode="$newAuthCode"
uci commit ${NAME}
}
setDefaultPasswd()
{
cp /rom/etc/passwd /etc/passwd &> /dev/null
}
dropbear_start()
{
append_ports()
{
local ifname="$1"
local port="$2"
grep -qs "^ *$ifname:" /proc/net/dev || {
append args "-p $port"
return
}
for addr in $(
ifconfig "$ifname" | sed -ne '
/addr: *fe[89ab][0-9a-f]:/d
s/.* addr: *$[0-9a-f:\.]*$.*/\1/p
'
); do
append args "-p $addr:$port"
done
}
local section="$1"
# Customized kill switch
config_get_bool ssh_port_switch "${section}" ssh_port_switch 0
echo "ssh_port_switch is $ssh_port_switch" > /dev/console
if [ "$ssh_port_switch" != "1" ]; then
echo "set default passwd" > /dev/console
setDefaultPasswd
return 0
fi
# check if section is enabled (default)
local enabled
config_get_bool enabled "${section}" enable 1
[ "${enabled}" -eq 0 ] && return 1
# debug firmware use default password
setDefaultPasswd
# verbose parameter
local verbosed
config_get_bool verbosed "${section}" verbose 0
# increase pid file count to handle multiple instances correctly
PIDCOUNT="$(( ${PIDCOUNT} + 1))"
# prepare parameters (initialise with pid file)
local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
local args="-P $pid_file"
local val
# A) password authentication
config_get_bool val "${section}" PasswordAuth 1
[ "${val}" -eq 0 ] && append args "-s"
# B) listen interface and port
local port
local interface
config_get interface "${section}" Interface
config_get interface "${interface}" ifname "$interface"
config_get port "${section}" Port 22
append_ports "$interface" "$port"
# C) banner file
config_get val "${section}" BannerFile
[ -f "${val}" ] && append args "-b ${val}"
# D) gatewayports
config_get_bool val "${section}" GatewayPorts 0
[ "${val}" -eq 1 ] && append args "-a"
# E) root password authentication
config_get_bool val "${section}" RootPasswordAuth 1
[ "${val}" -eq 0 ] && append args "-g"
# F) root login
config_get_bool val "${section}" RootLogin 1
[ "${val}" -eq 0 ] && append args "-w"
# G) host keys
config_get val "${section}" rsakeyfile
[ -f "${val}" ] && append args "-r ${val}"
config_get val "${section}" dsskeyfile
[ -f "${val}" ] && append args "-d ${val}"
# execute program and return its exit code
[ "${verbosed}" -ne 0 ] && echo "${initscript}: section ${section} starting ${PROG} ${args}"
SERVICE_PID_FILE="$pid_file" service_start ${PROG} ${args}
}
keygen()
{
for keytype in rsa dss; do
# check for keys
key=dropbear/dropbear_${keytype}_host_key
[ -f /tmp/$key -o -s /etc/$key ] || {
# generate missing keys
mkdir -p /tmp/dropbear
[ -x /usr/bin/dropbearkey ] && {
/usr/bin/dropbearkey -t $keytype -f /tmp/$key 2>&- >&- && exec /etc/rc.common "$initscript" start
} &
exit 0
}
done
lock /tmp/.switch2jffs
mkdir -p /etc/dropbear
mv /tmp/dropbear/dropbear_* /etc/dropbear/
lock -u /tmp/.switch2jffs
chown root /etc/dropbear
chmod 0700 /etc/dropbear
}
start()
{
[ -s /etc/dropbear/dropbear_rsa_host_key -a \
-s /etc/dropbear/dropbear_dss_host_key ] || keygen
config_load "${NAME}"
config_foreach dropbear_start dropbear
}
stop()
{
local pid_file pid_files
pid_files=`ls /var/run/${NAME}.*.pid 2>/dev/null`
[ -z "$pid_files" ] && return 1
for pid_file in $pid_files; do
SERVICE_PID_FILE="$pid_file" service_stop ${PROG} && {
rm -f ${pid_file}
}
done
}
killclients()
{
local ignore=''
local server
local pid
# if this script is run from inside a client session, then ignore that session
pid="$$"
while [ "${pid}" -ne 0 ]
do
# get parent process id
pid=`cut -d ' ' -f 4 "/proc/${pid}/stat"`
[ "${pid}" -eq 0 ] && break
# check if client connection
grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && {
append ignore "${pid}"
break
}
done
# get all server pids that should be ignored
for server in `cat /var/run/${NAME}.*.pid`
do
append ignore "${server}"
done
# get all running pids and kill client connections
local skip
for pid in `pidof "${NAME}"`
do
# check if correct program, otherwise process next pid
grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
continue
}
# check if pid should be ignored (servers, ourself)
skip=0
for server in ${ignore}
do
if [ "${pid}" == "${server}" ]
then
skip=1
break
fi
done
[ "${skip}" -ne 0 ] && continue
# kill process
echo "${initscript}: Killing ${pid}..."
kill -KILL ${pid}
done
}

复制代码

以下是关键字段

# 新计算方式
getNewPasswd()
{
local key_code=`/usr/sbin/dbg_passwd_gen`
local key=$(echo ${key_code:0:6})
local code=$(echo ${key_code:6:38})
#echo "Password: $key" > /dev/console
echo "Authorized code: $code" > /dev/console
echo ${key}
echo ${code}
}
#旧计算方式
getNewPasswd()
{
. /lib/functions.sh
local macAddr=""
macAddr=$(ubus call tddpServer getInfo '{"infoMask":1,"sep":"-"}' | sed 's/-//g' | jsonfilter -e '@.mac')
echo "macAddr from tddp config is $macAddr" > /dev/console
local key=$(echo -n "$macAddr" | md5sum)
key=$(echo ${key:0:16})
#echo "key is $key" > /dev/console
echo ${key}
}

复制代码

根据这个脚本分析出TP-LINK在新版固件（指使用改版OpenWRT固件路由器）修改了ROOT密码计算方式
现在需要由dbg_passwd_gen这个二进制文件来生成不知道撒玩意的东西然后再去算
但是解包却没有看到这玩意的踪影
有点怀疑是TP-LINK是在更新后才释放这个文件，但是固件找不到也就提不出来
希望有大佬能折腾一下这玩意

btpanel · 发表于 2025-2-19 04:19:28

既然能解包再封包，理论上替换shadow里的内容就可以啦，或者看看是不是有个启动时的uci配置教本自动重置了shadow内容
只要telnet能成功登录后，想怎么操作就怎么操作。都是敲命令
例如:
cd
ls
ls -l
cat
passwd

btpanel · 发表于 2025-2-19 04:20:42

binwalk解压原始固件，
squashfs-root文件系统
/etc目录
重新mksquashfs压缩回去。

楼主拿到shadow文件就可以替换了。用别的知道密码的openwrt的shadow替换密码部分就可以了
比如$1$/upNzzBq$n6dSjhrukZDsXFFm33doL1替换$1$tHiYRbC2$zCy8uUkCeF8Rwa8p2yPKX1。保存文件打包回去再上传，重启。
我给的$1$/upNzzBq$n6dSjhrukZDsXFFm33doL1就是admin。替换后root密码就是admin
我的TL-ER3210G提取出来的默认密码就是$1$tHiYRbC2$zCy8uUkCeF8Rwa8p2yPKX1。有高手能反推出密码吗?tp用openwrt内核的路由器是不是都是这个密码啊。
另外拿到root ttl进系统了后能改什么呢？改插件？

TP-LINK新固件SSH密码几乎无解

立刻注册账号，享受更清爽的界面！

相关网站

站内导航

商业推广