A toolset for analyzing VxWorks-based embedded devices.
Original Project: https://github.com/ax3300/vxhunter
Special thanks to the original author for the excellent foundation. This fork adds support for TP-Link devices with non-standard 8-byte symbol table structures.
- Full support for standard VxWorks 5.x 16-byte symbol table
- Added support for TP-Link TL-WDR7661 (and similar) non-standard 8-byte symbol table (structure: 1-byte flag + 3-byte relative offset + 4-byte absolute address)
- Automatic detection of symbol table start/end
- Correct string location calculation (base address + file offset 0x1F850 + relative offset)
- Compatible with IDA Pro 7.x to 9.x

- TP-Link TL-WDR7661 (AC1900)
- Other TP-Link VxWorks-based routers with similar 8-byte variant

- Load the kernel file (e.g., 38200) in IDA Pro with base address 0x40205000 (confirm via the serial console log)
- Load the symbol table file (e.g., 192D02)
- Run the script: File → Script file → vxhunter_ida_py3.py
- Extract symbols and rename (manually or in batch via the provided snippets)

- The base address varies by firmware (common values: 0x40205000, 0x80001000)
- If extracted names are garbled, use a hex editor to confirm the string table start (usually 0x1F850 in the symbol file)
- Flag 0x54 typically marks global text/functions in standard VxWorks, but may represent strings/constants in some TP-Link variants
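
The 8-byte entry layout and the string-offset calculation described above, written out as a standalone decoder with a check for the "garbled names" case. This is an added example, not code from this fork or from the original VxHunter; the function names and the sample data are constructed, and big-endian field order is an assumption to confirm against your own symbol file.

```python
# Added example: decoder for the 8-byte entry layout described above.
# Assumptions (not from the fork): big-endian fields, function names, sample data.

def parse_symbols(blob, table_off, count, strtab_off):
    """Decode entries of 1-byte flag + 3-byte relative offset + 4-byte address."""
    symbols = []
    for i in range(count):
        entry = blob[table_off + 8 * i : table_off + 8 * i + 8]
        if len(entry) < 8:
            raise ValueError(f"entry {i}: table runs past end of file")
        flag = entry[0]
        rel = int.from_bytes(entry[1:4], "big")
        addr = int.from_bytes(entry[4:8], "big")
        start = strtab_off + rel          # file offset of the name
        end = blob.find(b"\x00", start)
        if start >= len(blob) or end == -1:
            raise ValueError(f"entry {i}: name offset {rel:#x} is outside the file")
        symbols.append((flag, rel, addr, blob[start:end]))
    return symbols

def looks_garbled(blob, strtab_off, symbols, threshold=0.2):
    """Heuristic: a wrong string table start yields names that are empty,
    non-printable, or that begin in the middle of another string."""
    bad = 0
    for _flag, rel, _addr, name in symbols:
        printable = bool(name) and all(0x21 <= c <= 0x7E for c in name)
        aligned = rel == 0 or blob[strtab_off + rel - 1] == 0
        bad += not (printable and aligned)
    return bad > threshold * len(symbols)

def build_sample():
    """Constructed sample: three entries followed directly by their string table."""
    names = [b"memcpy", b"printf", b"taskSpawn"]
    addrs = [0x40205100, 0x40205240, 0x40206000]
    table, rel = b"", 0
    for name, addr in zip(names, addrs):
        table += bytes([0x54]) + rel.to_bytes(3, "big") + addr.to_bytes(4, "big")
        rel += len(name) + 1
    strtab = b"".join(n + b"\x00" for n in names)
    return table + strtab, len(names), len(table)

if __name__ == "__main__":
    blob, count, strtab_off = build_sample()
    for flag, rel, addr, name in parse_symbols(blob, 0, count, strtab_off):
        print(f"{addr:#010x} flag={flag:#04x} {name.decode()}")
    # On the page's TL-WDR7661 symbol file, strtab_off would be 0x1F850.
```

When the symbol file is loaded in IDA at a base address, the name's address is that base plus the same `strtab_off + rel` file offset.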
MIT License (same as original project)
Original VxHunter project: https://github.com/ax3300/vxhunter
All credit for the core logic goes to the original author. This repository is a community enhancement for specific use cases.