Summary of "I Hacked This Temu Router. What I Found Should Be Illegal."

Short summary

The creator bought a very cheap Temu‑branded Wi‑Fi router (advertised as $30 then $5; >100k sold) and performed a security audit, finding multiple severe vulnerabilities that allowed gaining root shell access remotely/locally. The video demonstrates the full workflow: trigger, recover, extract firmware, static analysis, craft exploits, and get an interactive root shell.

Key product / device details

Low‑cost Temu Wi‑Fi router (bestseller in Wi‑Fi & networking).
Web management interface accessible at the device IP.
Bootloader/recovery web interface (“breed”) exposed on another IP; it offers firmware backup/restore and allows downloading full.bin.
Files and binaries observed in the firmware image:
- comm (web server binary)
- lighttpd configuration and a writable /webs document root
- upload.cgi (firmware upload helper)
- tnetd (small TCP exec daemon)
- dropbear (SSH server)
- other common utilities

Vulnerabilities & exploit chain

Initial reconnaissance
- Inspected the web UI and network requests; noticed endpoints such as protocol.csp, fname=net, and opt=wizard_config.
- Used Wireshark to observe the device changing IP after a reset.
Command injection via web parameters
- Injected a shell expression into a Wi‑Fi password/time parameter in the web UI. The handler passed unsanitized input to system()/a shell.
- A crafted request to protocol.csp?fname=net&opt=time_comp&time=... allowed arbitrary commands (demonstrated with reboot).
- Because the malicious value was stored in NVRAM, the device entered a soft‑brick loop until recovery.
Recovery → firmware extraction
- Holding the reset exposed the breed web UI; used the “programmer firmware” option to download full.bin.
- Extracted full.bin with binwalk and obtained the SquashFS root filesystem.
Static analysis to find handlers
- Searched strings in the firmware and decompiled the comm binary in Ghidra.
- Identified a table of request handlers including time_config / time_comp. These handlers used a static buffer plus sprintf and then called system(), enabling injection.
Getting interactive access / root shell
- Located tnetd and attempted to use it as a bind shell (initial attempts had issues).
- Discovered /webs/cgi-bin/upload.cgi used for firmware uploads; uploaded a small script via multipart/form‑data to /tmp/temp_firmware.
- Used chmod +x and executed the uploaded script to start tnetd with /bin/sh on port 4444.
- Connected with netcat to obtain an interactive root shell.

Supplementary findings / environment

The device runs lighttpd (with a writable /webs docroot), dropbear SSH, and tnetd.
The lighttpd configuration pointed to the writable /webs directory.
The researcher used the writable web directory as an exfiltration channel (e.g., writing ps output to a web‑accessible file and retrieving it).

Tools shown / used

Wireshark (network capture)
Breed web UI (bootloader/recovery)
binwalk (firmware analysis)
SquashFS extraction tools
strings (searching firmware)
Ghidra (decompilation and static analysis)
curl (crafted requests and file upload)
chmod, netcat, and basic shell commands

Security implications

Unsanitized input passed to system()/shell via web handlers is trivially exploitable.
A bootloader web UI that allows full firmware download makes large‑scale analysis and replication trivial.
With widespread sales (>100k), these issues could have a broad impact if other units share the same firmware.

Guide / tutorial elements demonstrated

How to check for command injection in web UI parameters (simple one‑liner injection).
How to recover/expose the bootloader web UI (hold reset) and download firmware via breed.
How to extract firmware using binwalk and inspect the SquashFS root.
How to locate relevant request handlers by searching firmware strings.
How to use Ghidra to find vulnerable functions (static buffers, sprintf → system).
How to exploit command injection via curl and escalate to an interactive root shell using upload.cgi and tnetd.
How to use a writable web docroot as a covert output/exfiltration channel.