jahed.dev

Editing TP-Link Router Backups

While I was looking into how to disable my TP-Link router's pre-configured hidden Wi-Fi networks, I came across a post:

If you can share the setting I need to configure in my XML file then I can append the config value to disable.

TP-Link never replied, but what XML are they talking about? As far as I could tell, TP-Link routers had an admin interface and that's it... Of course, it's the backups! While the backups are config.bin files which look like binary, they must contain some form of XML inside.

Some web searches led me to one page, which linked to another, and another, until I landed on tpconf_bin_xml. It's a Python script which can extract the XML and then re-encode it back to config.bin.

In that XML, you can quite clearly see the hidden pre-configured networks. Here's an example below. I've removed any potential secrets:

<MultiSSIDEntry instance=2 >
  <Enable val=1 />
  <Name val=wlan7 />
  <SSID val=SSIDVALUEMESH />
  <BeaconType val=11i />
  <WEPKeyIndex val=1 />
  <BasicEncryptionModes val=None />
  <BasicAuthenticationMode val=None />
  <WPAEncryptionModes val=AESEncryption />
  <WPAAuthenticationMode val=PSKAuthentication />
  <IEEE11iEncryptionModes val=AESEncryption />
  <IEEE11iAuthenticationMode val=PSKAuthentication />
  <PreSharedKey val=PASSWORD />
  <RadiusServerPort val=1234 />
  <WEPKey instance=1 >
  </WEPKey>
  <WEPKey instance=2 >
  </WEPKey>
  <WEPKey instance=3 >
  </WEPKey>
  <WEPKey instance=4 >
  </WEPKey>
  <WEPKey nextInstance=5 />
</MultiSSIDEntry>

This uses the same schema as the Guest WiFi configuration. Sadly, tweaking it in various ways provided no results. It's always enabled, so there's likely some logic in the software which overrides this configuration. I tried:

The only other relevant configuration was the OneMesh block.

<X_TP_OneMesh>
  <GroupID val=aaa-bbb-ccc-ddd-eee />
  <SlaveAutoAttachNeeded val=1 />
  <SlaveAutoJoinNeeded val=1 />
  <MasterAutoProbeNeeded val=1 />
  <MasterPri val=ABC123 />
  <MasterRsaN val=ABC123 />
  <MasterRsaE val=123456789 />
</X_TP_OneMesh>

Again, tweaking this did nothing. Anything changed in this block was simply reset at startup by the router.

I did notice the 5GHz hidden network didn't appear when I tweaked both blocks, but it was short-lived. At some point OneMesh seems to figure it out and reintroduce the hidden networks.

So, that was a complete waste of time. But I kind of like what tpconf_bin_xml does and it'd be nice if it was more easily accessible. I shouldn't need Python configured to change configuration like this, nor should I need access to a terminal. So I ported it over to the web. I did a separate write-up for that.

Thanks for reading.