TP-LINK TD-W8901N v1
TP-LINK TD-W8901N v1
FCC approval date: 24 May 2013
Country of manuf.: China
Type: wireless router, dsl modem
FCC ID: TE7TDW8901NV1
IC ID: 8853A-W8901N
PCB ID: 2011500135
Power: 9 VDC, 0.6 A
Connector type: barrel
CPU1: Ralink RT63365E
FLA1: 2 MiB2,097,152 B <br />16,384 Kib <br />2,048 KiB <br />16 Mib <br />0.00195 GiB <br /> (Winbond W25Q16DVSIG)
RAM1: 8 MiB8,388,608 B <br />65,536 Kib <br />8,192 KiB <br />64 Mib <br />0.00781 GiB <br /> (ESMT M12L64164A-5T)
Expansion IFs: none specified
WI1 chip1: Ralink RT5390
WI1 802dot11 protocols: bgn
WI1 MIMO config: 1x1:1
WI1 antenna connector: none
ETH chip1: Ralink RT63365E
Switch: Ralink RT63365E
LAN speed: 100M
LAN ports: 4
bgn
Default IP address: 192.168.1.1
the IP 192.168.1.1 is used by 1304 additional devices
of which 109 are TP-LINK devices
Default login user: admin
Default login password: admin
admin:admin credentials used by 1327 additional devices
of which 277 are TP-LINK devices
802dot11 OUI: A0:F3:C1 (8 E, 7 W), E8:94:F6 (2 E, 3 W)
Ethernet OUI: A0:F3:C1 (8 E, 7 W), E8:94:F6 (2 E, 3 W)
CPU1 brand | WI1 chip1 brand | WI1 chip2 brand | |
---|---|---|---|
TP-LINK TD-W8901N v1 | Ralink | Ralink | |
TP-LINK TD-W8901N v2 | Ralink | MediaTek | |
TP-LINK TD-W8901N v3 | MediaTek | MediaTek |
For a list of all currently documented Ralink chipsets with specifications, see Ralink.
150Mbps Wireless N ADSL2+ Modem Router
"2011500135" is silkscreened on the board in the FCC photos.
- The SoC used is a Ralink RT63365E.
A MAC address w/ a A0:F3:C1 OUI is shown on the FCC EUT's label.
- FCC unit has RAM chip by EtronTech.
From an actual unit (not FCC):
- Ralink RT63365E
- ESMT M12L64164A-5T
- Winbond 25Q16DVSIG
- Ralink RT5390RL
- Ralink RT63087N (ADSL Front-End)
- MAC Address: E8:94:F6:xx:xx:xx
Operating System: "RAS"
- (OS genealogy: w:ThreadX OS by Express Logic/Green Hills ->
- w:ZyNOS by ZyXEL -> used by TrendChip -> RAS OS by Ralink)
The hardware is OK, the firmware is crap:
- The device ships with firmware V1_121121:
- has port 7547 OPEN to the internet (admin/admin)
- allows direct download of the router configuration file at:
- http://192.168.1.1/ROM-0
- vulnerable to Misfortune Cookie (RCE) on WAN port: RCE
- Latest available firmware V1_140227:
- closed port 7547 from WAN side (LAN side is still open)
- still vulnerable to Misfortune Cookie (RCE) on LAN port, not on WAN port
- leaks random internal memory blocks in IGMP packets trailing data
- (username, password and various packet fragments have been seen)
- IGMP cannot be disabled
- "fixed" the ROM-0 vulnerability by requiring a valid referrer
- in the http request... (easy to bypass)
Open LAN (local) ports (in latest firmware V1_140227):
- 21/tcp (ftp)
- 23/tcp (telnet)
- 80/tcp (web)
- 7547/tcp (tr069/CWMP - CPE WAN Management Protocol)
- - even if disabled in web interface
Web server (port 80 and port 7547): RomPager/4.07 UPnP/1.0
- (vulnerable to Misfortune Cookie)
Web interface is basic. Telnet interface has a metric assload of configuration
- options and diagnostic pages, (very partially) detailed in: Ref. Manual