Most routers allow to save and restore configuration from files. This is cool because you can edit the configuration file and upload to the router again enabling some "hidden" configuration options.

For example on my D-Link DSL-2640B I managed to get higher download speed disabling DSL QoS (it was broken) by setting X_BROADCOM_COM_ATMEnbQos to FALSE!

So, I get a TP-Link wireless access point and, sadly, I found that they encrypted the configuration file, so I decided to reverse engineer it.

First of all I needed a dump of the filesystem to get the binaries, so I soldered a serial port on the router to get a serial console.

The bootloader didn't allow to interrupt the boot process but fortunately I knew that you can get a prompt by typing the secret word tpltpltpl

AP93 (ar7240) U-boot

DRAM:

sri

#### TAP VALUE  = ,  =

 MB

id read 0x100000ff

flash size , sector count =

Flash:   MB

Using default environment

In:    serial

Out:   serial

Err:   serial

Net:   ag7240_enet_initialize...

No valid address in Flash. Using fixed address

: cfg1 0xf cfg2 0x7014

eth0: ::7f::0b:ad

eth0 up

No valid address in Flash. Using fixed address

: cfg1 0xf cfg2 0x7214

eth1: ::7f::0b:ad

ATHRS26: resetting s26

ATHRS26: s26 reset done

eth1 up

eth0, eth1

Autobooting in  seconds

ar7240>

I've compiled an OpenWrt (you know OpenWrt, right??) firmware with initramfs, and I loaded it from RAM without flashing the firmware:

ar7240> tftp 0x81000000 openwrt-ar71xx-generic-tl-wr841n-v8-initramfs-uImage.bin

ar7240> bootm

After that making the dump was easy, just "dd" the mtdblock device with the firmware and copy to the computer via scp.

# dd if=/dev/block/mtd2 of=/tmp/rootfs

# scp /tmp/rootfs matteo@192.168.1.2:

I needed to compile an old version of squashfs tools to extract the files, and finally I extracted the whole filesystem.

$ unsquashfs rootfs

I looked at the web page which handled the configuration load/save and I noticed that there were many references to some sort of embedded functions which most likely are handled by the webserver itself. The webserver is a single blob which handled many system utilities, indeed there were many executables symlinked to the httpd binary. This is a common practice in embedded firmwares, like OpenWrt's Busybox and Android's toolbox

I started IDA to look at this binary, clearly httpConfUpload was the function to start hacking from.

Due to a reference to des_min_do and some string starting with DES_ I suspected that DES was used as cypher.

des_min_do was a galore of bitwise operators and nasty loops, clearly it was an inlined cryptographic function, and before calling it a pointer to a fixed null terminated string was pushed to the stack. It could be some salt or key passed to the encryption function so I'll note this string which was 478DA50BF9E3D2CF.

I tried to decrypt it with mdecrypt using that string as key but without success:

$ mdecrypt -b -a des -f key <config.bin

I looked again at the binary and I searching for the _des string I found md5_des which suggested me to use the md5 hash function:

$ mdecrypt -b -a des -f key -o mcrypt-md5 <config.bin

again with no luck, so I tried all the block modes available until I found the correct one:

$ mdecrypt -b -a des -m ecb -f key -o mcrypt-md5 <config.bin

????????????????lan_ip 192.168.1.254

lan_msk 255.255.255.0

lan_gateway 0.0.0.0

The file is decrypted! Note that the trailing 16 bytes are the md5 sum of the files without trailing zeroes:

the same can be done with openssl:

$ openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin

Have fun!

原文:http://teknoraver.net/software/hacks/tplink/

TPLink 备份文件bin文件解析[续]的更多相关文章

  1. TPLink 备份文件bin文件解析

    TPLink 路由器备份文件bin文件 测试路由器 WR885,备份文件加密方式DES,密钥:478DA50BF9E3D2CF linux端: openssl enc -d -des-ecb -nop ...

  2. paper 37 : WINCE的BIB文件解析

    WINCE的BIB文件解析 BIB的全称为Binary Image Builder,在Wince编译过程中的最后MakeImage阶段会用到BIB文件,BIB文件的作用是指示构建系统如何构建二进制映像 ...

  3. bin文件和elf文件

    ELF文件格式是一个开放标准,各种UNIX系统的可执行文件都采用ELF格式,它有三种不同的类型: 可重定位的目标文件(Relocatable,或者Object File) 可执行文件(Executab ...

  4. Module、__init__.py 文件解析

    一.什么是Module? 一个python Module就是一个模块,本质就是一个.py文件,其中包含了python对象的定义和python语句. 在模块内部,模块名存储在全局变量__name__中, ...

  5. S03_CH12_基于UDP的QSPI Flash bin文件网络烧写

    S03_CH12_基于UDP的QSPI Flash bin文件网络烧写 12.1概述 为了满足不同的需求,本例程在"基于TCP的QSPI Flash bin文件网络烧写"上进行修改 ...

  6. S03_CH11_基于TCP的QSPI Flash bin文件网络烧写

    S03_CH11_基于TCP的QSPI Flash bin文件网络烧写 11.1概述 针对ZYNQ中使用QSPI BOOT的应用,将BOOT.bin文件烧写至QSPI Flash基本都是通过USB C ...

  7. Json文件解析(下)

    Json文件解析(下) 代码地址:https://github.com/nlohmann/json   从STL容器转换 任何序列容器(std::array,std::vector,std::dequ ...

  8. Linux下关于用户账户的几个文件解析

    Linux下关于用户账户的几个文件解析 Linux是一个多用户系统,但是对于一个多用户共存的系统中,当然不能够出现用户相互越权等一系列的安全问题,所以如何正确的管理账户成为了Linux系统中至关重要的 ...

  9. CocosStudio文件解析工具CsdAnalysis

    起因 因为工作需要,所以需要使用CocosStudio来制作界面动画什么的.做完了发现需要找里边对象的时候会有很长一串代码,感觉不是很爽.之前写OC代码的时候可以吧程序中的对象指针跟编辑器中的对象相对 ...

随机推荐

  1. 为什么MB51本位币金额和采购订单历史本位币金额不一样?

    翻译 为什么物料凭证的本位币金额有时和采购订单历史记录物料的本位币金额不一致? 回答: 有2个字段对应FI存放位置.物料凭证的字段(MSEG-DMBER)是存放库存账目金额.采购订单历史(EKBE-D ...

  2. solr5.2.1环境搭建教程

    环境:w8.1 + solr5.2.1 + apache7.0+jdk1.7 解压:solr5.2.1 复制E:\solr-5.2.1\server\webapps 下的solr.war包到D:\ap ...

  3. JavaScript表单编程

    一. form的方式 1.直接定位方式 document.getElementById(id);</br> document.getElementsTagName(tagName);< ...

  4. jmeter笔记6

     一.图形报表   图表底部参数的含义如下: 样本数目是总共发送到服务器的请求数. 最新样本是代表时间的数字,是服务器响应最后一个请求的时间. 吞吐量是服务器每分钟处理的请求数.  平均值是总运行时间 ...

  5. [Hadoop 周边] Hadoop技术生态圈

    Hadoop版本演进 当前Hadoop有两大版本:Hadoop 1.0和Hadoop 2.0. Hadoop1.0被称为第一代Hadoop,由分布式文件系统HDFS和分布式计算框架MapReduce组 ...

  6. 【MYSQL】创建虚表来辅助数据库查询

    在进行数据库查询时,有时需要用到对既有的数据表进行多表查询得出的临时条件的数据表,就可以暂时创建成为虚表,并赋予简单明了的字段名以及临时表名. 例题a:查询出每门课程低于平均成绩的学生姓名.课程名称. ...

  7. Java线程(二):线程同步synchronized和volatile

    上篇通过一个简单的例子说明了线程安全与不安全,在例子中不安全的情况下输出的结果恰好是逐个递增的(其实是巧合,多运行几次,会产生不同的输出结果),为什么会产生这样的结果呢,因为建立的Count对象是线程 ...

  8. HTML5自学笔记[ 2 ]新增表单控件和表单属性

    新增<input>属性type="email",自动验证,若输入不为邮箱,则不能提交. 新增<input>属性type="tel",在移 ...

  9. php使用位与运算符【&】位或运算符【|】实现权限管理

    权限值是这样的2^0=1,相应2进数为”0001″(在这里^我表示成”次方”,即:2的0次方,下同)2^1=2,相应2进数为”0010″2^2=4,相应2进数为”0100″2^3=8,相应2进数为”1 ...

  10. 深入理解ServletRequest与ServletResponse

       请求和相应是Web交互最基本的模式,在Servlet中,分别用HttpServletRequest与HttpServletResponse来表示Http请求和响应.这两个类均来自javax.se ...