TP-LINK TD-W8901N v1



FCC approval date: 24 May 2013
Country of manuf.: China

Type: wireless router, dsl modem

FCC ID: TE7TDW8901NV1
IC ID: 8853A-W8901N
PCB ID: 2011500135

Power: 9 VDC, 0.6 A
Connector type: barrel

CPU1: Ralink RT63365E
FLA1: 2 MiB (Winbond W25Q16DVSIG)
RAM1: 8 MiB (ESMT M12L64164A-5T)

Expansion IFs: none specified

WI1 chip1: Ralink RT5390
WI1 802dot11 protocols: bgn
WI1 MIMO config: 1x1:1
WI1 antenna connector: none

ETH chip1: Ralink RT63365E
Switch: Ralink RT63365E
LAN speed: 100M
LAN ports: 4


Default IP address: 192.168.1.1
The IP 192.168.1.1 is used by 1304 additional devices, of which 109 are TP-LINK devices.
Default login user: admin
Default login password: admin
The admin:admin credentials are used by 1324 additional devices, of which 277 are TP-LINK devices.

802dot11 OUI: A0:F3:C1 (8 E, 7 W), E8:94:F6 (2 E, 3 W)
Ethernet OUI: A0:F3:C1 (8 E, 7 W), E8:94:F6 (2 E, 3 W)

For a list of all currently documented Ralink chipsets with specifications, see Ralink.


150Mbps Wireless N ADSL2+ Modem Router

"2011500135" is silkscreened on the board in the FCC photos.

The SoC used is a Ralink RT63365E.

A MAC address with an A0:F3:C1 OUI is shown on the FCC EUT's label.

The FCC unit has a RAM chip by EtronTech.

From an actual unit (not FCC):

  • Ralink RT63365E
  • ESMT M12L64164A-5T
  • Winbond 25Q16DVSIG
  • Ralink RT5390RL
  • Ralink RT63087N (ADSL Front-End)
  • MAC Address: E8:94:F6:xx:xx:xx

Operating System: "RAS"

(OS genealogy: ThreadX OS by Express Logic/Green Hills -> ZyNOS by ZyXEL -> used by TrendChip -> RAS OS by Ralink)

The hardware is OK, the firmware is crap:

  • The device ships with firmware V1_121121:
    • has port 7547 OPEN to the internet (admin/admin)
    • allows direct download of the router configuration file at: http://192.168.1.1/ROM-0
    • vulnerable to Misfortune Cookie (RCE) on WAN port
  • Latest available firmware V1_140227:
    • closed port 7547 from WAN side (LAN side is still open)
    • still vulnerable to Misfortune Cookie (RCE) on LAN port, not on WAN port
    • leaks random internal memory blocks in the trailing data of IGMP packets (username, password and various packet fragments have been seen)
    • IGMP cannot be disabled
    • "fixed" the ROM-0 vulnerability by requiring a valid referrer in the HTTP request... (easy to bypass)

Open LAN (local) ports (in latest firmware V1_140227):

  • 21/tcp (ftp)
  • 23/tcp (telnet)
  • 80/tcp (web)
  • 7547/tcp (TR-069/CWMP - CPE WAN Management Protocol), open even if disabled in the web interface

Web server (port 80 and port 7547): RomPager/4.07 UPnP/1.0 (vulnerable to Misfortune Cookie)

The web interface is basic. The telnet interface has a metric assload of configuration options and diagnostic pages, (very partially) detailed in the Ref. Manual.