Analysis of TP-LINK WDR 7660 VxWorks System

Author | Green Alliance Technology Laboratory Wei Fan

Introduction:The router is the most widely used IoT device, and TP-LINK is the largest router manufacturer in China. Its WDR 7660 model router uses the VxWorks operating system for the first time, offering high real-time performance and reliability, but also presenting significant challenges for reverse analysis. This article introduces the reverse analysis of the TP-LINK WDR 7660 VxWorks system and provides methods for obtaining the VxWorks system loading base address and repairing function names using the symbol table.
Obtain the VxWorks file system from the upgrade package
Get the latest upgrade package from the official website and analyze it using binwalk.
Analysis of TP-LINK WDR 7660 VxWorks System
According to the binwalk results, there is a large lzma compressed file from 0x10400 to 0x15a477. After extracting with dd, it shows that the compressed file failed to decompress. By examining it manually in UltraEdit, it is found that the end of the file at 0x15a477 does not appear to be the end of an lzma file, as shown in the figure below:
Analysis of TP-LINK WDR 7660 VxWorks System
Looking upwards, the end of the lzma can be found, which should be at 0x15a477.
Analysis of TP-LINK WDR 7660 VxWorks System
After extracting and decompressing, the VxWorks file system is obtained:

Analysis of TP-LINK WDR 7660 VxWorks System

Determine the loading base address
When analyzing using disassembly tools like IDA or Ghidra, it is necessary to understand the loading base address of the VxWorks system; otherwise, the analysis cannot be performed correctly. The loading base address of the VxWorks system is the same as the stack initialization address. According to the official documentation from VxWorks, it uses usrInit for stack initialization, and usrInit is the first function that runs after the VxWorks system boots. Therefore, the VxWorks system file can be directly loaded into IDA with a loading base address of 0, and then the first occurrence of the sp register can be found, which is the loading base address of the VxWorks system.
Directly load the VxWorks system into IDA and set the loading base address to 0 to view the initial code.
Analysis of TP-LINK WDR 7660 VxWorks System
It is found that “LDR R0, =0x40205000” is followed by “MOV SP, R0”, which confirms that the loading base address is 0x40205000.
Utilizing the symbol table to repair function names
The symbol table of the TP-LINK WDR7660 is separate from the VxWorks system file, so it is necessary to find the symbol file from the files obtained after extracting the upgrade file using binwalk. Bzero is a function in VxWorks that clears the data in the bss section during system startup, so you can use “grep -r bzero” to search for the bzero function and find a file that is obviously the symbol table file.
Analysis of TP-LINK WDR 7660 VxWorks System
After finding the symbol file, it can be seen that the symbol table ranges from 0x08 to 0x1a728, and the starting position of the symbol strings is 0x1a728.
Analysis of TP-LINK WDR 7660 VxWorks System
Analysis of TP-LINK WDR 7660 VxWorks System
Through analysis, the storage rules for symbols in the symbol file are determined as follows: every 8 bytes form a group. For example, 54 00 00 00 40 37 36 84 indicates that 54 represents the type of symbol (54 indicates function name), 00 00 00 represents the offset of the symbol in the string table, and 40 37 36 84 represents the absolute address of the symbol object in memory.
Knowing the position of the symbol table, the position of the symbol strings, and the storage rules, IDA scripts can be used to restore function names. Here is a small tip: if you are not sure about the storage rules of the symbol table, you can randomly find a function in IDA to roughly guess which common function it is. For example, we can guess that the function at 0x40290030 is the memset function.

Analysis of TP-LINK WDR 7660 VxWorks System

Finally, we confirmed our guess using the symbol table extracted using the above rules.

Analysis of TP-LINK WDR 7660 VxWorks System

Conclusion
This article briefly introduces the method of obtaining the VxWorks system files from the upgrade package and the analysis methods for the VxWorks system. After determining the loading base address and repairing the function names, the subsequent work is essentially binary reverse analysis.
Reprint must indicate the source: National Engineering Laboratory for Emergency Technology in Cybersecurity
Analysis of TP-LINK WDR 7660 VxWorks System

Related posts

  1. Analyzing the Boot Process of VxWorks 6.x BSP on ARM
  2. Introduction to VxWorks 7 Technology
  3. Differences Between Linux and VxWorks Systems
  4. Seven Exciting Features of VxWorks 7
  5. Migrating FreeRTOS Applications to SAFERTOS: A Comprehensive Guide
  6. Understanding VxWorks Console Operations
  7. Introduction to VxWorks 5.4 System
  8. Understanding the Boot Process and Overflow Testing of VxWorks
  9. Implementing Dual NIC Redundancy Backup Technology in VxWorks Environment
  10. Accelerating Graphic Applications with VxWorks 7 on i.MX 6
  11. How to Use Startup Scripts in VxWorks
  12. Inter-Task and Inter-Process Communication in VxWorks
  13. C++ and IoT: The Path to Programming Embedded Systems
  14. Understanding VxWorks Kernel: Real-Time Operating System
  15. Porting and Using VxWorks RngLib Ring Buffer
  16. Installing and Running QT on VxWorks 6.8
  17. Integrating U-Boot with VxWorks 7
  18. Common Functions in VxWorks Programming
  19. VxWorks-Based Onboard Bus Simulation System for Aircraft

Leave a Comment