TP-Link MR3020: SITREP 0x01

A weekly log for you and me.

What I said I’d do

Let’s call this week one. The goal was easy peasy: Just backdoor the firmware! No big deal.

The plan was to begin with a n00b run: use firmware mod kit to unpack the firmware, add a basic bindshell binary and set the init script to trigger it, then rebuild the firmware and flash it via the web UI. If that worked, I’d move on to writing a kernel module.

I thought I’d probably get through that pretty quickly, and maybe be able to deploy the kernel module similarly (FMK and so forth).

I even thought that I might have time this week to — as an academic exercise — recreate the final firmware image manually (i.e. without FMK) using the GPL code on the TP-Link website.


What I did

I wish I were coming to you triumphant, but alas.

That place is: mipsel-buildroot-linux-uclibc/bin/ld: cannot find -los

There’s a lot to say about this, but right now I don’t have a very organised way of saying it. I have been poking and prodding and compiling things manually to see what would happen, but the issues persist. Rather than spew half-remembered thoughts and confusion at you, I’ll diagnose the problem more methodically (tomorrow?) and summarise it in another post.

Excessive details

For those playing at home, here’s where I’m at:

sudo make MODEL=MR3020V3 apps_build
build wireless tools
#cd /home/lol/TL-MR3020V3/build/../mtk_ApSoC_4320/modules/public/wireless_tools.29 &&  make realclean && make all;\
	cd /home/lol/TL-MR3020V3/build/../mtk_ApSoC_4320/modules/public/wireless_tools.29 && make all;	
make[1]: Entering directory `/home/lol/TL-MR3020V3/mtk_ApSoC_4320/modules/public/wireless_tools.29'
mipsel-linux-gcc -L/home/lol/TL-MR3020V3/mtk_ApSoC_4320/modules/public/wireless_tools.29/../../../../apps/public/os_libs/include//../ -los -lrt -pthread  -Os -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -Wpointer-arith -Wcast-qual -Winline -I. -I/home/lol/TL-MR3020V3/mtk_ApSoC_4320/modules/public/wireless_tools.29/../../../../apps/public/os_libs/include/ -DINCLUDE_LAN_WLAN -MMD      -o iwconfig iwconfig.o -lm
/opt/buildroot-gcc463/usr/lib/gcc/mipsel-buildroot-linux-uclibc/4.6.3/../../../../mipsel-buildroot-linux-uclibc/bin/ld: skipping incompatible /home/lol/TL-MR3020V3/mtk_ApSoC_4320/modules/public/wireless_tools.29/../../../../apps/public/os_libs/include//..// when searching for -los
/opt/buildroot-gcc463/usr/lib/gcc/mipsel-buildroot-linux-uclibc/4.6.3/../../../../mipsel-buildroot-linux-uclibc/bin/ld: cannot find -los warning: gethostbyname is obsolescent, use getnameinfo() instead.
collect2: ld returned 1 exit status
make[1]: *** [iwconfig] Error 1
make[1]: Leaving directory `/home/lol/TL-MR3020V3/mtk_ApSoC_4320/modules/public/wireless_tools.29'
make: *** [wirelesstool] Error 2
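As an added example (not from the post, and not part of the TP-Link build system), here is a small POSIX sh helper that walks the -L and -l flags of a link line like the one above and reports which libraries the explicit search directories actually contain. The directory layout it checks is constructed for the demo, and the toolchain's default sysroot directories are not searched.

```shell
# find_lib NAME DIR... : print the first lib<NAME>.so or lib<NAME>.a found in
# the given directories; return 1 if none of them has it.
find_lib() {
    name=$1; shift
    for d in "$@"; do
        for f in "$d/lib$name.so" "$d/lib$name.a"; do
            [ -e "$f" ] && { printf '%s\n' "$f"; return 0; }
        done
    done
    return 1
}

# check_link_cmd "LINK COMMAND LINE" : for every -lNAME on the line, look in
# every -LDIR on the line. Prints one line per library and returns the number
# of libraries that were not found (0 means the explicit -L dirs cover all).
# Only the explicit -L directories are searched, not the compiler's defaults.
check_link_cmd() {
    missing=0; dirs=""; libs=""
    for tok in $1; do
        case $tok in
            -L*) dirs="$dirs ${tok#-L}" ;;
            -l*) libs="$libs ${tok#-l}" ;;
        esac
    done
    for name in $libs; do
        if p=$(find_lib "$name" $dirs); then
            echo "$name: found $p"
        else
            echo "$name: missing (searched:$dirs)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# demo : constructed layout mirroring the post's odd "-L.../include//../" path.
# libfoo.so is a stand-in that exists; libos is deliberately absent.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/include"
    : > "$t/libfoo.so"
    check_link_cmd "-L$t/include//../ -los -lfoo -o iwconfig iwconfig.o"
    rc=$?
    rm -rf "$t"
    return $rc
}

demo || echo "missing libraries: $?"
```

The search directories are taken only from the link line, so a library that lives in the toolchain's sysroot will show as missing here even though ld would find it; the point is to confirm whether the -L paths the Makefile hands to ld contain the file it is asked for.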

The relevant slice of Makefile (failing line 3):

ifeq ($(strip $(SUPPLIER)),mtk_ApSoC_4320)
	@echo "build wireless tools BLEP"
	cd $(WIRELESSTOOLS) &&  make realclean && make all;\	
	cp -f iwpriv $(INSTALL_WIRELESS)/sbin;\
	cp -f iwconfig $(INSTALL_WIRELESS)/sbin;\
	cp -f iwlist $(INSTALL_WIRELESS)/sbin;\
	cp -f wlNetlinkTool $(INSTALL_WIRELESS)/sbin
	#@echo "build wireless tools"
	#cd $(WIRELESSTOOLS)/../sysstat-9.0.6 &&  make clean && make mpstat;\
	#cp -f mpstat $(INSTALL_WIRELESS)/sbin
	#@echo "build ated for QA"
	#cd $(WIRELESSTOOLS)/../ated &&  make clean && make all;\
	#cp -f ated $(INSTALL_WIRELESS)/sbin

	echo "Build the rt2860apd for 802.1x"
	cd $(WIRELESSTOOLS)/../8021x &&  make clean && make all;\
	cp -f rt2860apd $(INSTALL_WIRELESS)/sbin/;\
	ln -sf rt2860apd $(INSTALL_WIRELESS)/sbin/rtinicapd

	echo "Build wscd for wps while coexist of dual-band"
	cd $(WIRELESSTOOLS)/../wsc_upnp/wsc_upnp && chmod -R +rx ./ && make clean && make all;\
	cp -f wscd $(INSTALL_WIRELESS)/sbin/;\
	ln -sf wscd $(INSTALL_WIRELESS)/sbin/wscd_5G

And if we jump into the wireless tools Makefile:

SRC = os_linux.c os_msgLinux.c os_log.c 
OBJS = $(SRC:.c=.o) 
CFLAGS = -D__LINUX_OS_FC__ -fPIC -I./include/ $(DF_FLAGS)

$(FOBJ).so: $(OBJS)
	$(CC) $(CFLAGS) -shared $(OBJS) -o $@
	$(STRIP) $@

sinclude $(SRC:.c=.d) 

%.o: ./src/%.c
	$(CC) $(CFLAGS) -c -o $@ $<

%.d: ./src/%.c
	@$(CC) -MM $(CFLAGS) $< > $@.$$$$; \
	sed 's,\($*\)\.o[ :]*,\1.o $@ : ,g' < $@.$$$$ > $@; \
	rm -f $@.$$$$

.PHONY : clean
clean :
	$(RM) $(FOBJ) $(SRC:.c=.d) $(OBJS) 

What next?

Having reviewed my actual timeline and recalibrated my productivity expectations accordingly, I pledge only to solve my build errors between now and next Wednesday. I’ll flash the new firmware, too.

Side quest, the first: I’ll probably tidy up the extremely generic bindshell (i.e. take the word ‘lol’ out of every variable) too and chuck it on the internet, because we obviously need more of those.

Side quest, the second: I’ll pay more attention to documenting things as I go. I have been taking notes in Notion and just realised today that I could export directly from Notion to markdown, which basically makes me giddy because it means I can pipe formatted notes straight into these write-ups really easily.