TP-LINK TD-W8901N v1

Overview
"2011500135" is silkscreened on the board in the FCC photos.
 * The SoC used is a Ralink RT63365E.

A MAC address with an A0:F3:C1 OUI is shown on the FCC EUT's label.
 * FCC unit has RAM chip by EtronTech.

From an actual unit (not FCC):
 * Ralink RT63365E
 * ESMT M12L64164A-5T
 * Winbond 25Q16DVSIG
 * Ralink RT5390RL
 * Ralink RT63087N (ADSL Front-End)
 * MAC Address: E8:94:F6:xx:xx:xx

Operating System: "RAS"
 * (OS genealogy: ThreadX OS by Express Logic/Green Hills -> ZyNOS by ZyXEL -> used by TrendChip -> RAS OS by Ralink)

The hardware is OK, the firmware is crap:
 * The device ships with firmware V1_121121:
   * has port 7547 OPEN to the internet (admin/admin)
   * allows direct download of the router configuration file at: http://192.168.1.1/ROM-0
   * vulnerable to Misfortune Cookie (RCE) on WAN port: RCE
 * Latest available firmware V1_140227:
   * closed port 7547 from WAN side (LAN side is still open)
   * still vulnerable to Misfortune Cookie (RCE) on LAN port, not on WAN port
   * leaks random internal memory blocks in the trailing data of IGMP packets (username, password and various packet fragments have been seen)
   * IGMP cannot be disabled
   * "fixed" the ROM-0 vulnerability by requiring a valid referrer in the HTTP request... (easy to bypass)
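
Added example (not from the original page or from any vendor tool): a check for the IGMP leak noted above that takes a captured Ethernet frame and returns any non-zero bytes following the IGMP message. The page does not say where the trailing data sits, so both the rest of the IP payload and the Ethernet padding are checked; the sample frames, the `CONSTRUCTED-LEAK` marker and all function names are constructed, and captures are assumed to be untagged Ethernet without the FCS.

```python
import struct

FIXED_8 = {0x12, 0x16, 0x17}  # v1 report, v2 report, v2 leave: always 8 bytes

def igmp_length(msg):
    """Length the IGMP message should have, or None if it cannot be judged."""
    if len(msg) >= 8 and msg[0] in FIXED_8:
        return 8
    if len(msg) >= 8 and msg[0] == 0x22:  # IGMPv3 report: header + group records
        (nrec,) = struct.unpack_from("!H", msg, 6)
        off = 8
        for _ in range(nrec):
            if off + 8 > len(msg):
                return None
            aux_words, nsrc = struct.unpack_from("!xBH", msg, off)
            off += 8 + 4 * nsrc + 4 * aux_words
        return off if off <= len(msg) else None
    return None  # queries (0x11) may be 8 or 12+ bytes; not judged here

def trailing_data(frame):
    """Non-zero bytes after the IGMP message in an Ethernet frame, else b''."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return b""
    ihl = (frame[14] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", frame, 16)
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 2 or total_len < ihl:
        return b""
    ip_end = min(14 + total_len, len(frame))
    msg = frame[14 + ihl:ip_end]
    want = igmp_length(msg)
    if want is None:
        return b""
    extra = msg[want:] + frame[ip_end:]  # rest of IP payload + Ethernet padding
    return extra if any(extra) else b""

def sample_frame(igmp, pad=b""):
    """Constructed frame: Ethernet + IPv4 with Router Alert + IGMP + padding."""
    ip = struct.pack("!BBHHHBBH4s4s4s", 0x46, 0xC0, 24 + len(igmp), 0, 0, 1, 2, 0,
                     b"\xc0\xa8\x01\x01", b"\xef\xff\xff\xfa", b"\x94\x04\x00\x00")
    eth = b"\x01\x00\x5e\x7f\xff\xfa" + b"\xe8\x94\xf6\x00\x00\x01" + b"\x08\x00"
    return eth + ip + igmp + pad

REPORT = b"\x16\x00\x00\x00\xef\xff\xff\xfa"   # constructed v2 report, checksum unset
LEAK = b"CONSTRUCTED-LEAK"                     # stand-in for leaked memory
CLEAN = sample_frame(REPORT, b"\x00" * 14)     # zero padding up to 60 bytes
LEAKY_PAD = sample_frame(REPORT, LEAK)         # leak in the Ethernet padding
LEAKY_PAYLOAD = sample_frame(REPORT + LEAK)    # leak inside the IP payload
for name, f in (("clean", CLEAN), ("pad", LEAKY_PAD), ("payload", LEAKY_PAYLOAD)):
    print(name, trailing_data(f))
```

IGMP checksums are not validated, and membership queries are skipped because their length alone does not distinguish a v2 query with trailing bytes from a v3 query.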

Open LAN (local) ports (in latest firmware V1_140227):
 * 21/tcp (ftp)
 * 23/tcp (telnet)
 * 80/tcp (web)
 * 7547/tcp (tr069/CWMP - CPE WAN Management Protocol) - even if disabled in web interface

Web server (port 80 and port 7547): RomPager/4.07 UPnP/1.0
 * (vulnerable to Misfortune Cookie)

Web interface is basic. Telnet interface has a metric assload of configuration
options and diagnostic pages, (very partially) detailed in: Ref. Manual