Preliminary Analysis of TP-LINK’s TD-8840T Firmware

I’ve recently have some issue with my TP-LINK TD-8840T router and decided to examine its firmware structure, and if the structure can be conveyed, I want to know whether the image result can be executed using Qemu program.

I’m using the latest version with a very long file name called TD-8840Tv4_0.8.0_2.4_up(141022)_2014-10-22_11.14.28.bin, so I rename it to a shorter one to be more manageable to td-8840t.bin.

Performing the text extract of the router firmware using WinHex reveals that it is using VxWorks from Wind River Systems v5.5.1.

The first phase is to find whether there are some utilities regarding this structure. After some searching through the net, I found some utility written in python script called LeeXiaolan’s tplink-vxworks-based-firmware. It claims as the Tools for working with TP-LINK VxWorks-based router firmware. Seems it is suitable for my purpose, so I decided to give it a try:


There are no other information, just go back to the command prompt, further checks reveals that it only creates a .header file of about only 92 bytes, and surely it is a failure.

I decided to perform a more detailed analysis by debugging the code for unpacking routine. Since it is a python script, I have to add the “import pdb” statement to the declaration area of fw script and place pdb.set_trace() to the location of def unpack(opt) function.

Here is the initial debugging session:


Function of of interest is called parsePt, so let’s step into it:


After performing several session of debugging activities in the above manner, I realize that parsePt expect some text information at certain offset of the file (0x5C), where in my case, there are no text information at this location, just a bunch of unknown hex code like this one:


So, I have to resolve to manual analysis. At first glance, the firmware image seems to compose a compressed data and some instruction code, this is indicated from a dense form of binary and a not so dense one.

One of the section that is not dense is the above picture, that is failed to be recognized by LeeXiaolan’s tool, probably this indicated some location of either the data or code. The 0x00000000 is a nop in MIPS processor.

After some sessions of examining the binary codes using IDA Pro by cut and paste the byte codes that is suspected as code instruction, I’ve found that it appears to be using MIPS big endian code format.

For my version of the firmware, the code is located at offset 0x630 from the start of the file. By dissecting that portion of binary code, here is the result of trying to transform the binary to MIPS big endian (mipsb) instruction in IDA Pro:


The MIPS instruction code or opcodes appears to be sane, as indicated by the sequence of instruction marked by red box, which is a boolean operation and branch condition. Probably this is the VxWorks 5.5.1 kernel initialization codes, but to be sure, further analysis is necessary.

Let’s go back to the mysterious sequence of bytes at the start of the file above. By using IDA pro to interpret is as code, I have:


The offset of the branch instruction at 0x630 corresponds to the location described above. So, this confirms that firmware is indeed contains MIPS big endian instruction code and the start of the file denotes the jump start location to the VxWorks kernel routines.

As for the more dense binary data, close examination reveals one section contains lzma format at offset 0x3390 through 0xCDE7F. This section can be extracted by performing slicing of the section to the new file using hex editor and extracted using zip tools.

Other dense binary section at offset 0x4D0 and 0x100000 appears to be containing compressed data ready to be decompressed, or some encrypted data, probably used by VxWorks kernel routine, because it contains no head information.

This concludes the preliminary analysis of the firmware, and if the you find another interesting information, please let me know 🙂


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: