What's new

Can't update any firmware, I think RT-AC56U router was hacked

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

adrianTNT

Occasional Visitor
I have the RT-AC56U router for some years, I used it on and off, with even 1 year sitting connected but unused.
I remember I seen it 2-3 times showing some Korean or another Asian language when accessing the web interface.

Now when I searched about it, I found some references to hacked routers running similar firmware.

I can only access web interface, it says current firmware is 3.0.0.4.380_7266-g6439257

- if I check for a new firmware by web interface it says that none was found.
- if I upload RT-AC56U_3.0.0.4_382_50624-gdf1b286.trx from asus.com it says...

Invalid Firmware Upload
Firmware upgrade unsuccessful. This might result from incorrect image or error transmission, please check the model name RT-AC56U and version of firmware from support site and try again.

- same error if I try "merlin" version RT-AC56U_384.6_0.trx

- asus device discovery says it doesn't find any device, do I need to be connected by wire ? (laptop with no ethernet card)

- mobile phone ASUS app says I am running latest firmware

- it has a SSH option, if I enable it, I cannot connect. I was curious to see the router system files.

- do these indicate it was hacked or I am paranoid ? :)

What else can I try ? The device discovery is downloaded from a different model support page, for AC56U, for AC56U I don't see the application.
 
Do you see the same PPTP VPN server enabled as shown in the second picture of this post?

Can you upload the router's syslog to a site like pastebin and post a link to it so we can examine it.
 
Last edited:
Can you tell me about that setup ...
Do I need to connect by wire (I don't think it "sees" it as wifi) and if so, in which router cable I should plug the computer ?
The images also show 2 wires and it's a bit confusing.
Thank you.
 
After I set my ipv4 to 192.168.1.10, I plug my cable to lan port 4/4, the wan port is unplugged.
I put it in recovery more, power led flashes slowly, from cmd prompt I can now ping 192.168.1.1 ...
I open the firmware restoration app, I browse for the .trx file ...
1-2 seconds after I click [upload], the router stops responding to ping, the power led changes to solid red and the restoration app says router is not in recovery mode.
This still looks to me like the update is manually blocked by an evil update but I am open to suggestions :(
 
Verify the checksum of the firmware file you have downloaded. Maybe it's corrupted.

After I set my ipv4 to 192.168.1.10, I plug my cable to lan port 4/4, the wan port is unplugged.
I put it in recovery more, power led flashes slowly, from cmd prompt I can now ping 192.168.1.1 ...
At this point open your browser and go to http://192.168.1.1

Do you see the CFE minWeb Server? If so use that to upload the firmware:
upload_2016-6-26_14-25-7-jpeg.6666
 
edit: md5 checksum of files are OK.

I actually did this step moments before this post^
It takes ~10 minutes to upload the firmware, but doesn't complain about anything, it reboots the router and nothing was changed.
On second try I also cleared the NVRAM, then uploaded firmware, at this point the router interface looked like a reset (prompt to set admin pass, etc), firmware is still 3.0.0.4.380_7266-g6439257

I have an USB serial interface, can I do anything by this ? Maybe read the current firmware ? I am sure it has something fishy in it.
 
Last edited:
Have you tried flashing a radically different firmware like john9527's LTS versions?

This is an interesting case.
 
Thanks for the tips, I got it working.
RMerlin mentioned that it might be a partition size issue, but that the version I am shown (3.0.0.4.380_7266-g6439257) should already have a large enough partition setup.

I loaded an older and smaller firmware (Merlin 378.55_0, ~28MB) and it worked, and from there I could flash any firmware.

I still think something was fishy with previous one, maybe it was not even the version it shown, because:
  • it was not able to check for latest firmware at asus site, "loading" circle spinned forever and no reply
  • it would not accept latest version by manual upload in web interface or even the recovery web interface
  • I was not able to see the router with tools like "device discovery" from Asus (now I see it just fine).
  • and not to mention I previously found the router in Koreean or some asian language 2-3 times.
 
Thanks for the tips, I got it working.
RMerlin mentioned that it might be a partition size issue, but that the version I am shown (3.0.0.4.380_7266-g6439257) should already have a large enough partition setup.

I loaded an older and smaller firmware (Merlin 378.55_0, ~28MB) and it worked, and from there I could flash any firmware.

I still think something was fishy with previous one, maybe it was not even the version it shown, because:
  • it was not able to check for latest firmware at asus site, "loading" circle spinned forever and no reply
  • it would not accept latest version by manual upload in web interface or even the recovery web interface
  • I was not able to see the router with tools like "device discovery" from Asus (now I see it just fine).
  • and not to mention I previously found the router in Koreean or some asian language 2-3 times.

Glad that worked! Which version did you settle on to use now?
 
ehem ... :D I installed Asus's latest for this router (RT-AC56U_3.0.0.4_382_50624-gdf1b286)
Because I lost 3 days debuging this and I was afraid if I try an unofficial one like Merlin, I might notice a small bug and I didn't want to risk losing more time.
And because it says they fixed the recent vulnerabilities and password stored in plain text [whaaat ?!].
The time was lost with an official firmware so not sure my above logic is correct :))
 
ehem ... :D I installed Asus's latest for this router (RT-AC56U_3.0.0.4_382_50624-gdf1b286)
Because I lost 3 days debuging this and I was afraid if I try an unofficial one like Merlin, I might notice a small bug and I didn't want to risk losing more time.
And because it says they fixed the recent vulnerabilities and password stored in plain text [whaaat ?!].
The time was lost with an official firmware so not sure my above logic is correct :))

When you have time in the very near future, I would be looking at john9527's LTS builds instead. RMerlin doesn't directly support the RT-AC56U anymore. But john9527's fork of the RMerlin code is still fresh and current and generally preferred over stock.

Note that you'll need to do a complete reset to factory defaults after flashing. Give yourself the time to do it properly.

The reason you want to move to john9527's build is that when (not if) you do find a bug in the firmware you're using, you'll be waiting a very long time for a fix that may never come.

With the LTS builds, you get current security fixes and continued bug fixes over Asus now old code. :)
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top