Tuesday, February 9, 2016

How to build a MiniPwner with a TP-LINK TL-MR3040

A MiniPwner is a penetration testing drop box which can provide some interesting capabilities if you're able to insert one into a target's network. It is a small device and with the MR3040 in particular, it contains a battery which means you don't have to worry about power for at least a few hours. Because it runs OpenWRT there are a variety of infosec friendly packages which can facilitate things such as reverse SSH or VPN tunneling, port scanning with nmap, and while it may not have the horsepower to run Metasploit you can certainly use a MiniPwner as a conduit to forward traffic from a Metasploit install elsewhere. The tutorial that follows is more or less what is described on their website, but some steps are glossed over which I cover here so hopefully this helps fill in the gaps for people that may not be comfortable fiddling with embedded devices.

First take a USB drive (the tutorial suggests a 16gb USB stick, but I'm using 8gb in this tutorial) and format it so that the first partition is a 500mb swap and the remaining partition is ext4. I did this in Kali with the gparted utility. Here is a screenshot of what gparted looked like.

Next, download the OpenWRT firmware that is appropriate for the MR-3040 here.

Using the ethernet cable plug the MR3040 into a computer. Authenticate to the router by navigating to and use admin/admin as the credentials.

Navigate to the Firmware Upgrade endpoint by clicking on System Tools on the left hand side to expand those options. Then click on Firmware Upgrade.

Click on the Choose File button and select the openwrt-ar71xx-generic-tl-mr3040-v2-squashfs-factory.bin file you downloaded earlier.

Click Upgrade. A confirmation dialog will appear and the MR3040 will proceed to be flashed with OpenWRT.

After the flashing process finishes, the MR3040 will reboot. After flashing the MR3040, the default IP address gets updated to instead of Access the newly flashed MR3040 by pointing your browser to You may have to disconnect your host computer from your home Internet connection while this happens since is a common network for home routers.

After pointing your browser to you can authenticate to the MR3040 with a username of root and a blank password.

The next task will be to install packages that will enable the MR3040 to interface with the USB drive. In order to do that we will need to get Internet access for the MR3040. In this case, I used the MR3040 to connect to my home wifi network. To do this I clicked on Network and then Wifi. Then I clicked on Scan to have the MR3040 identify my home wifi network.

After the scan identified my home wifi network, I clicked on Join Network. The next screen asks for the passphrase, allows you to set a network name, and configure firewall rules. I left the network name as the default wwan, and the firewall rules to wan which was empty for me. Another screen comes after this which confirms all of the details and I clicked on Save & Apply.

Next, open a terminal and telnet into the MR3040. You should not have to supply credentials at this point.

Confirm that you have Internet access by pinging DNS is not working properly at this point though, so we'll need to update the network configuration for the br-lan interface. Configure the /etc/config/network file and add the line, option dns '' to the entry for the lan interface. It should look like this:

Reboot the MR3040 by typing reboot -f and when it comes back up telnet back in and attempt to ping a domain name. It should work this time. Now we should be able to update the MR3040 appropriately. From your telnet session, type opkg update to update the list of packages that can be installed. Now we'll install all of the packages for USB by typing: opkg install kmod-scsi-core kmod-usb-storage block-mount kmod-lib-crc16 kmod-crypto-hash kmod-fs-ext4

Insert the USB stick into the 3G port and reboot by typing reboot -f from the telnet session. Telnet back into the MR3040. Our next task is to get the MR3040 to recognize the USB drive. We'll do this by modifying the /etc/config/fstab file. First make a backup of the file and then proceed to edit fstab until it resembles this:

Then copy the contents of the flash memory on the MR3040 onto the USB drive with the following commands:
mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
mkdir /mnt/sda2
mount /dev/sda2 /mnt/sda2/
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -
umount /tmp/cproot

Then update /etc/config/fstab so that the MR3040 will use the USB drive as the root folder. Update /etc/config/fstab so it resembles this:

Reboot the MR3040 by typing reboot -f again. Now we will verify that the MR3040 is identifying the USB drive correctly by typing, df -h, to look at the disk space usage. You should see that /dev/sda2 is there and has gigabytes of space available.
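
A preflight check for the pivot described above, to run before that last reboot (an added example, not part of the original tutorial or the MiniPwner project). The function name, its arguments and the list of files it looks for are assumptions; the arguments default to the live /proc files and /mnt/sda2.

```shell
#!/bin/sh
# Added example: checks to pass before fstab is pointed at the USB root.
# Arguments default to the live system; pass other paths to test offline.
usb_pivot_ready() {
    parts=${1:-/proc/partitions}
    fstypes=${2:-/proc/filesystems}
    mounts=${3:-/proc/mounts}
    newroot=${4:-/mnt/sda2}
    rc=0
    # The kernel must see both partitions (sda1 = swap, sda2 = new root).
    for p in sda1 sda2; do
        if ! awk -v p="$p" '$4 == p { ok = 1 } END { exit !ok }' "$parts"; then
            echo "FAIL: /dev/$p is not in the partition table" >&2; rc=1
        fi
    done
    # ext4 must be registered with the kernel (kmod-fs-ext4 loaded).
    if ! awk '$NF == "ext4" { ok = 1 } END { exit !ok }' "$fstypes"; then
        echo "FAIL: kernel has no ext4 support" >&2; rc=1
    fi
    # sda2 must really be mounted, or the tar copy went into flash instead.
    if ! awk -v m="$newroot" '$1 == "/dev/sda2" && $2 == m { ok = 1 }
                              END { exit !ok }' "$mounts"; then
        echo "FAIL: /dev/sda2 is not mounted on $newroot" >&2; rc=1
    fi
    # The copy must contain what the next boot needs (assumed file list).
    for f in bin/sh sbin/init etc/config/fstab etc/config/network; do
        if [ ! -e "$newroot/$f" ] && [ ! -L "$newroot/$f" ]; then
            echo "FAIL: $newroot/$f is missing from the copy" >&2; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample state (not captured from a device) for a dry run.
make_sample() {
    d=$1
    mkdir -p "$d/root/bin" "$d/root/sbin" "$d/root/etc/config"
    printf 'major minor  #blocks  name\n\n 8 0 7816704 sda\n 8 1 512000 sda1\n 8 2 7303680 sda2\n' > "$d/partitions"
    printf 'nodev\tsysfs\nnodev\ttmpfs\n\text4\n' > "$d/filesystems"
    printf '/dev/sda2 %s ext4 rw 0 0\n' "$d/root" > "$d/mounts"
    touch "$d/root/bin/sh" "$d/root/sbin/init" \
          "$d/root/etc/config/fstab" "$d/root/etc/config/network"
}
```

On the device, call usb_pivot_ready with no arguments while /dev/sda2 is still mounted on /mnt/sda2; a non-zero return means the fstab change should wait.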

Now we will install the MiniPwner overlay. Change directory into /tmp and download the overlay with this command, wget http://minipwner.com/images/Overlay/minipwner-overlay_2.0.0.tar.

Extract it with this command, tar -xvf minipwner-overlay_2.0.0.tar. It appears that the setup.sh that got archived in this tar was edited using Windows-style line endings. Edit the setup.sh file and manually delete the DOS line ending ^M characters at the end of each line. I attempted to set the file format to be unix, using :set ff=unix, but was unsuccessful. Save setup.sh and execute it with, sh setup.sh. Flip the 3-way switch to be WISP and reboot.
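
One way to do the line-ending cleanup described above without hand-editing, as an added example that is not part of the original post or the MiniPwner overlay: it strips the trailing carriage returns into a new file and syntax-checks the result before anything is executed. The function name and the setup.fixed.sh output name are assumptions.

```shell
#!/bin/sh
# Added example: strip DOS line endings from a script into a new file and
# syntax-check the result. Prints how many lines carried a trailing CR.
fix_crlf() {
    src=$1
    out=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Count the affected lines first so the change can be reviewed.
    n=$(awk '/\r$/ { n++ } END { print n + 0 }' "$src")
    # Remove only a CR at the end of a line; the original file is kept.
    awk '{ sub(/\r$/, ""); print }' "$src" > "$out"
    # Fail if any CR survives (for example one in the middle of a line).
    if awk '/\r/ { bad = 1 } END { exit !bad }' "$out"; then
        echo "carriage returns remain in $out" >&2; return 1
    fi
    # Parse without executing, so a broken script is caught before it runs.
    sh -n "$out" || return 1
    echo "$n"
}

# On the device: fix_crlf setup.sh setup.fixed.sh && sh setup.fixed.sh
```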

Telnet back in and you should be welcomed with a MiniPwner banner instead.

Now we will go through the process of installing security related packages. Type, opkg update, to update the list of packages the MR3040 is aware of. Next install the packages with the following commands (I ran into a character limit on the terminal so I had to split it up into two commands):
opkg install libpcap libstdcpp libpthread zlib libopenssl libbz2 bzip2 terminfo libnet1 libpcre libltdl libncurses librt libruby wireless-tools hostapd-common-old kmod-madwifi ruby uclibcxx libnl libcap libreadline libdnet libdaq libuuid libffi python-mini openssl-util kmod-tun liblzo libevent2-core libevent2-extra libevent2-openssl libevent2-pthreads libevent2 aircrack-ng elinks ettercap karma kismet-client kismet-drone kismet-server netcat nmap openvpn-easy-rsa openvpn-openssl perl samba36-client

opkg install samba36-server snort tar tcpdump tmux yafc wget python vim unzip

If you want to install any other packages at a later date, be sure to run, opkg update, before attempting to opkg install your desired package.

Finally, don't forget to run the passwd command to set a password, disable telnet, and enable SSH. The next time you try to remote into your device you will have to use SSH to access it.


  1. Great Guide thanks...
    but I'm stuck when rebooting after the second time editing the fstab file. When my mr3040 reboots I can't connect to it via telnet, ssh or the web gui.

    Thanks again and any advice on where I'm stuck?

  2. Thank you for your guide, it was epic and filled in the gaps that the main guide on the minipwner website left out. An IMPORTANT NOTE for noobs using gparted for the first time, MAKE SURE YOU ACTUALLY PARTITION YOUR USB prior to going ahead with anything. I had set the partitions, but forgot to actually write them to the usb, so was getting Storage errors and could not install anything. This took me 2 days to figure out lol.

  6. I had problems with the ext4 partition in the USB drive. To solve this I used ext3 and it works without problem.

  7. I'm stuck trying to pivot root to the usb, once I create the /mnt/sda2 I cannot mount it because it says it is not there, and then when I create it again it says it already exists. I have tried reflashing my router and nothing has helped. Can anyone help? :(

    1. I'm having this issue as well, was there ever a fix found?

    2. I also have this issue, I've been at it for a few days and could not get it to work. Did you?

    3. install kmod-lib-crc32c and kmod-crypto-crc32c then try again.

    4. That doesn't work. After research I found that this is because new kernels format partitions with crc32 instead of crc16, which is supported. To solve this I downloaded an old live CD with an old kernel, formatted the USB all over again, and that's it!

  9. I have been trying to get this set up for the past few 2 days. When I came across your article and wanted to know if others have been able to get it to work. Glad to hear from anyone with updated info blancomichael0@gmail.com...

  10. The screenshots help with the tutorial.

  14. is the address of an array of D-Link and Netgear model routers, similar to
