The Damn Vulnerable Router Firmware (DVRF) is a vulnerable firmware for Linksys E1550 routers. According to the author, "the goal of this project is to simulate a real world environment to help people learn about other CPU architectures outside of the x86_64 space."
Before overwriting the original firmware, make sure to get a copy of its most recent version: FW_E1550_1.0.03.002_US_20120201_code.bin.
DVRF can be installed on the Linksys E1550 by opening the device's firmware upgrade page.
As stated in the project's README.md file, UART access is needed in order to execute the "pwnable" binaries. The UART pins are easily accessible after populating DJ12 with a 1x5 pin male header (2.54 mm spacing between pins).
The Linksys E1550 uses an external power supply, so hazardous voltages inside the enclosure were not a design concern. However, to avoid short-circuiting, remove the power plug before you open the housing!
To open the housing, remove the three screw covers on the back of the device. Please note that products with their warranty labels and barcodes removed or altered are no longer covered by the warranty.
The screws can be easily removed using a Phillips-tip screwdriver. After removal, use a special soft-plastic housing opening tool to lift the lid.
Attach Pin Header
The UART pins are located at DJ12, right above the Serial Flash IC (Winbond 25Q128BVFG). Use a soldering iron to solder a 1x5 pin male header (2.54 mm spacing between pins) to DJ12.
- Pin1: 3.3 V
- Pin2: Tx (Linksys E1550 transmits on this pin)
- Pin3: Rx (Linksys E1550 receives on this pin)
- Pin4: ?
- Pin5: GND
Connect your PC to the Linksys E1550 via Ethernet. Your PC should get an IP address via DHCP; the default subnet is 192.168.1.0/24. Use your default browser to open the device's firmware upgrade page and upload the file DVRF/Firmware/DVRF_v03.bin. The device will automatically reboot after the installation.
After the device has rebooted, connect to the router's default page. You should see the following: