Target Device Overview #
- Device: A $5 Wi-Fi router (formerly $30) purchased from Temu.
- Popularity: Bestselling item in Temu’s Wi-Fi and networking category with over 100,000 units sold.
- Initial Security Assessment: Embedded devices typically have poor security; this device proved to be no exception.
Initial Discovery and Command Injection #
- Reboot Vulnerability: By entering a command injection string (`$(reboot)`) into the Wi-Fi password field, the author successfully triggered a system reboot.
- Soft Bricking: Because the malicious string was saved to NVRAM, the device entered a boot loop, effectively soft-bricking the unit until a factory reset was performed.
Extracting the Firmware #
- Hidden Diagnostic Interface: Holding the reset button for 60 seconds triggered a low-level "breed" web interface on a different IP address.
- Firmware Backup Feature: This interface included a "Programmer Firmware" button, allowing the entire system firmware (`full.bin`) to be downloaded directly without desoldering chips.
- File System Access: Using `binwalk`, the author extracted the SquashFS filesystem, gaining total access to the device’s internal binaries and configurations.
Reverse Engineering with Ghidra #
- Identifying the Web Server: Using `grep` on strings found in browser network requests (like `protocol.csp` and `wizard_config`), the author identified the main management binary: `/usr/sbin/comm`.
- Decompilation: The `comm` binary was loaded into Ghidra to analyze the C code logic.
- Vulnerability Mapping: A table was discovered that mapped URL parameters to specific functions.
- The "Time Config" Flaw: The `time_conf` function was found to take a user-supplied "time" string and pass it directly into a `system()` call via `sprintf` without any sanitization.
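The unsanitized pattern described above beside a hardened alternative, as an added C example that is not code from the video or from the router's firmware. The `date -s` command line, the `YYYY-MM-DD HH:MM:SS` format and the `/bin/date` path are assumptions; the unsafe builder only formats the command string and never passes it to `system()`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the unsafe pattern the video describes:
 * the user-supplied "time" string is formatted straight into a shell
 * command line. This demo only builds the string and never hands it to
 * system(), so it is safe to call. Returns 0 on success, -1 if truncated. */
int build_time_cmd_unsafe(const char *user_time, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "date -s \"%s\"", user_time);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened input check: accept only "YYYY-MM-DD HH:MM:SS" (assumed format),
 * checked character class by character class. Anything else, including
 * shell metacharacters such as $ ( ) ; | & ` and newlines, is rejected. */
int is_valid_time_string(const char *s)
{
    const char *pattern = "dddd-dd-dd dd:dd:dd";
    size_t i;

    if (strlen(s) != strlen(pattern))
        return 0;
    for (i = 0; pattern[i] != '\0'; i++) {
        if (pattern[i] == 'd') {
            if (!isdigit((unsigned char)s[i]))
                return 0;
        } else if (s[i] != pattern[i]) {
            return 0;
        }
    }
    return 1;
}

/* Safe way to apply the setting: validate first, then prepare an argv for
 * execv() so that no shell ever parses the value. The caller (typically a
 * fork() child) would run execv(argv[0], argv). Returns 0 on success, -1
 * if the input was rejected. /bin/date is an assumed path. */
int build_time_argv(const char *user_time, char *argv[4])
{
    if (!is_valid_time_string(user_time))
        return -1;
    argv[0] = "/bin/date";
    argv[1] = "-s";
    argv[2] = (char *)user_time;
    argv[3] = NULL;
    return 0;
}
```

The unsafe builder embeds `$(reboot)` verbatim, which is exactly the string a shell would expand; the allowlist validator rejects it before any process is spawned, and the argv path removes the shell entirely.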
Exploitation and Remote Code Execution (RCE) #
- Validation: A `curl` command targeting the `time_conf` function proved that arbitrary commands (like `reboot`) could be executed via the URL.
- Data Exfiltration: To see what was happening on the device, the author redirected the process list (`ps`) to a file in the accessible `/webs` directory and viewed it via a browser.
- Establishing a Shell:
  - The author attempted to use `tnetd` (a Telnet daemon) to create a bind shell.
  - Due to difficulties with space character encoding in the URL, the author used a different CGI script (`upload.cgi`) to upload a custom shell script to `/tmp`.
  - By making the uploaded script executable and running it, a Telnet server was started on port 4444.
- Root Access: Successful connection via `netcat` granted full root access to the router’s operating system.
Conclusion and Disclosure #
- Security Verdict: The device is highly insecure, featuring multiple "egregious" vulnerabilities that allow full remote takeover.
- Responsible Disclosure Issues: The author noted that because the device is a generic "white label" product from Temu, identifying the actual manufacturer for reporting was impossible.
Summary #
The video documents the complete compromise of a top-selling Temu router. Starting with a simple command injection in the web UI, the author escalated the attack by tricking the device into giving up its entire firmware. Through reverse engineering with Ghidra, a critical unsanitized system() call was discovered in the time configuration settings. This allowed the author to bypass standard security, upload custom scripts, and ultimately gain "root" command-line control of the device. The project highlights the severe security risks associated with ultra-cheap, unbranded consumer electronics.