Exetools

-   -   What type of encryption has been used to Zyxel VMG8924-B10A config file? (https://forum.exetools.com/showthread.php?t=19563)

flightwatch 06-14-2020 04:58

What type of encryption has been used to Zyxel VMG8924-B10A config file?
 
Hi,
I read the config file from the router Zyxel VMG8924-B10A, but unfortunately it is encrypted.

https://paste.in/alldrK

Can you decipher it? Or is it useless?

The data I'm interested in (login and passwords) should be available in section 5067F0:

https://berkayyildiz.com/vmg8324-b10a-turk-telekom-modem-yazilim-analizi-ve-tr-064/

I have found a similar string here: http://p2812.blogspot.com/p/how-to-get-root.html but I am not able to upload it because this option is not available from the user/user account.

Router built on Broadcom processor, so in theory it should have worked:

https://www.ifnull.org/articles/router_full_access/

http://www.happyhacking.org/HappyHacking/hacking/2013/11/07/Hacking-Inetno-DG201A.html

but ports FTP, SSH and different are blocked.

Is it possible to work something out of it, or should I just throw the router in the bin?

chants 06-14-2020 20:19

If you can get a decrypted version of the firmware it would help answer this question. Assuming this encryption method for this model is not known, finding downloadable firmware or dumping it off the ROM chip directly are options. Usually web firmware updates are themselves encrypted, leaving another task, but usually doable. Disassembling the firmware in IDA ought to do, to see how the file is read and decrypted. Then if there is a key in a ROM or elsewhere you must find or dump that as well. That is about all I can say. It could be a time consuming but rewarding project if you find it worth it. Some electronics repair shops could dump the ROM chips if you pay for this service. I've had them reflash a BIOS I almost bricked due to custom mods I hand patched on a laptop once, so it is possible.

flightwatch 06-15-2020 03:52

Italians, English, and Croats have access to CFE, where they either read the admin / supervisor password or upload non-branded firmware:

https://www.hwupgrade.it/forum/showthread.php?t=2891309

http://forum.pcekspert.com/showthread.php?p=2761531

https://www.boards.ie/vbulletin//showthread.php?t=2057302483

Unfortunately, my bootloader is password protected:

https://paste.in/E9cN86

The only thing I managed to rip was the data I posted above. This is not a firmware dump. This is probably just a save of settings. I was able to read it after entering the address:

IP_router/backupsettings.conf

IP_router/configuration-backupsettings.conf

IP_router/pages/tabFW/configuration-backupsettings.conf

IP_router/dumpcfgdynamic.cmd

IP_router/dumpmdm.cmd

IP_router/dumpcfgdynamic.conf

IP_router/password.cmd

What unencrypted firmware are you writing about? You mean a file that someone ripped with a programmer directly from the bone, or a file from another router with an unblocked dump memory command? Even if I get such a file, it will not have the same version of the software as I have and will come from another operator.

phroyt 06-15-2020 06:28

Have you looked at OpenWRT project?

Maybe the old sources could help you:
https://openwrt.org/toh/zyxel/zyxel_vmg7947-b40a_o2_homebox_6641_de01v2f

h8er 06-15-2020 08:13

Quote:

Originally Posted by flightwatch (Post 120370)
What unencrypted firmware are you writing about? You mean a file that someone ripped with a programmer directly from the bone, or a file from another router with an unblocked dump memory command? Even if I get such a file, it will not have the same version of the software as I have and will come from another operator.

I think he means that you have to physically desolder the firmware ROM memory from your router PCB and then dump the content with a programmer (if you need it take a look at XGecu TL866II programmers on AliExpress, they are quite cheap).

atom0s 06-15-2020 09:01

With the firmware dumped, this is the script that appears to work with the 'config.rom' file:

Code:

#!/bin/sh
OPTION="$1"
INPUTFILE="$2"
OUTPUTFILE="$3"

PROGRAM=`basename $0`

OPENSSL=openssl
CAT=cat
RM=rm

PASSWD=N3z0y93

#####################################################################################################
# usage
usage()
{
        echo ""
        echo "Copyright (C) ZyXEL Communications, Corp. All Rights Reserved."
        echo "Usage: $PROGRAM [option] [input filename] [output filename]"
        echo "$PROGRAM: A Simple Script to Encrypt/Decrypt file using openssl"
        echo "option : e [Encrypt],  d [Decrypt]"
        echo "Examples:"
        echo "  $PROGRAM e /var/pdm/config.rom /tmp/config.enc"
        echo ""
        exit 1
}

filenotfound()
{
        echo "Error! Input file not found."
        exit 1
}

optnotfound()
{
        echo "Error! Option not support."
        echo "option : e [Encrypt],  d [Decrypt]"
        exit 1
}
#####################################################################################################

test -n "$OPTION" || usage
test -n "$INPUTFILE" || usage
test -n "$OUTPUTFILE" || usage
test -e "$INPUTFILE" || filenotfound

case $OPTION in
        "e")
                $OPENSSL enc -e -des3 -pass pass:$PASSWD -in $INPUTFILE -out $OUTPUTFILE
                ;;
        "d")
                $OPENSSL enc -d -des3 -pass pass:$PASSWD -in $INPUTFILE -out $OUTPUTFILE
                ;;
        *)
                optnotfound;
                ;;
esac
exit 0
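As an added illustration of the scheme the script above relies on (this is not code from the page or from ZyXEL): `openssl enc -pass pass:` derives the 3DES key and IV from the fixed password plus the 8-byte salt stored after the `Salted__` marker, so every unit running this firmware shares one secret and the salt only randomises the key, never the secret. It assumes the router's openssl predates 1.1.0 and therefore uses the MD5-based EVP_BytesToKey; `SAMPLE_BLOB` is a constructed header, not a real backup.

```python
import hashlib

# Assumption: the router's openssl predates 1.1.0, so `enc -pass pass:` derives
# key and IV with EVP_BytesToKey (MD5, one iteration). Newer builds default to
# SHA-256 and need `-md md5` to reproduce the same key.
PASSWORD = b"N3z0y93"              # the constant from the vendor script above
KEY_LEN, IV_LEN = 24, 8            # -des3 = DES-EDE3-CBC: 192-bit key, 64-bit IV
MAGIC = b"Salted__"                # 8-byte marker followed by an 8-byte salt

def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     digest=hashlib.md5):
    """OpenSSL EVP_BytesToKey, count=1: D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt)."""
    if len(salt) != 8:
        raise ValueError("OpenSSL enc salts are 8 bytes")
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = digest(prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]

def parse_salted_header(blob: bytes):
    """Split `openssl enc` output into (salt, ciphertext)."""
    if not blob.startswith(MAGIC) or len(blob) < 16:
        raise ValueError("not an OpenSSL 'Salted__' container")
    return blob[8:16], blob[16:]

def key_material_for(blob: bytes, password: bytes = PASSWORD):
    """Key and IV that `enc -d -des3 -pass pass:...` would use for this file."""
    salt, _ = parse_salted_header(blob)
    return evp_bytes_to_key(password, salt, KEY_LEN, IV_LEN)

# Constructed sample: a Salted__ header with a made-up salt and a dummy body.
SAMPLE_BLOB = MAGIC + bytes(range(8)) + b"\x00" * 16
```

Note that a backup produced by this script must be fed to a current openssl with `-md md5` added to the command, since 1.1.0 switched the default digest for `enc` to SHA-256.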


atom0s 06-15-2020 09:17

Here is the entire /etc/default.cfg file with the given section you wanted the info of. (Assuming you want it from the stock firmware image.)

https://paste.ofcode.org/WJSJepUufKz8xrRAfGJsdQ

atom0s 06-15-2020 09:24

In regards to your config paste though, would need more info on the exact version of the firmware you are using since the one you linked to does not seem to create a similar output to what you dumped. So the scripts used to create the encrypted backup are probably different between versions.

SegWolf 06-16-2020 03:40

Another useful thread here:

https://reverseengineering.stackexchange.com/questions/14882/how-to-decrypt-the-config-bin-from-zte-zxv10-h201l

flightwatch 06-18-2020 03:22

Quote:

Originally Posted by phroyt (Post 120371)
Have you looked at OpenWRT project?

Maybe the old sources could help you:
https://openwrt.org/toh/zyxel/zyxel_vmg7947-b40a_o2_homebox_6641_de01v2f

Unfortunately, I just use this router, but it is owned by the operator. I cannot upload an alternative software.

Quote:

Originally Posted by h8er (Post 120372)
I think he means that you have to physically desolder the firmware ROM memory from your router PCB and then dump the content with a programmer (if you need it take a look at XGecu TL866II programmers on AliExpress, they are quite cheap).

I would prefer to do this with a program, as I'm only leasing the router. At the same time, if nothing else works, I will have to make it the way you suggest.

Quote:

Originally Posted by atom0s (Post 120374)
Here is the entire /etc/default.cfg file with the given section you wanted the info of. (Assuming you want it from the stock firmware image.)

https://paste.ofcode.org/WJSJepUufKz8xrRAfGJsdQ

Is this data deciphered from my router or is it just exemplary data?

In the file you provided, the encrypted password is shown: WV35vVCAM9iQu78h7YaFGYiarcHW7AMbNE5phQAAADk=

but I guess it isn't Base64, as the decoder shows something like this: Y]щЅPЂ3Шђ»ї!н†…€љ­БЦм4Ni…

Quote:

Originally Posted by atom0s (Post 120375)
In regards to your config paste though, would need more info on the exact version of the firmware you are using since the one you linked to does not seem to create a similar output to what you dumped. So the scripts used to create the encrypted backup are probably different between versions.

I can't link the exact firmware, as it's not publicly available. The router works in Polish Orange.
As I use a user account, I'm not able to read the firmware version.
When I'm connecting to the serial port, something like this appears:

CFE version 1.0.38-112.118 for BCM963268 (32bit,SP,BE)
Build Date: 08/08/2017 (jason@DaJiaBu)
Copyright (C) 2000-2011 Broadcom Corporation.

NAND ECC BCH-8, page size 0x800 bytes, spare size used 64 bytes
NAND flash device: name Toshiba TC58NVG0S3HTAI0, id 0x98f1 block 128KB size 131072KB
Correctable ECC Error detected: addr=0x0000b200, intrCtrl=0x00000090, accessCtrl=0xF7881010
External switch id = 53125
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000

atom0s 06-18-2020 03:27

The stuff I posted was dumped from the defaults of the firmware from the router's website.
The firmware I dumped was: 1.00 (AAKL.28) C0.

But in order to ensure the scripts and encryption-related keys that are used match yours, would need the exact firmware version you have to find a copy of that firmware.

chants 06-18-2020 05:30

Looks for sure to be base64, but it's of raw byte data which could be a 16 byte hash and salt of the password or what have you. You should have mentioned the length of the decrypted data, which looks like 43x6//8=32 bytes. This is where the firmware comes in useful. The exact version is best, but if the manufacturer website has one and you think the encryption and password storage did not change between the versions, then you could study that one for clues at least. Otherwise desoldering is the best option.

bolo2002 06-18-2020 23:20

"owned by the operator... I cannot upload an alternative software. I'm only leasing the router..."

It looks like the one before the cable modem DOCSIS 3. I had a Cisco locked by the operator; the config is checked, like the cable modem, almost 100x/day. Even if you can upload a new config, it is seen and reported to them, and then...
Maybe it's not your case, but be safe.

flightwatch 06-23-2020 02:45

I have managed to make a flash dump (another router of the same operator) with the manual:

https://limbenjamin.com/articles/dumping-aztech-DSL1015EN-firmware.html

Unfortunately, I don't know which tool I should use to change it into .bin.

If you could have a look, please check if the root's password is there.

If I am changing that file into .bin, do I have to delete the selected data?

https://i.postimg.cc/L6gFmd10/cut.png

Dump comes from 8 MB flash and it's here:

https://www119.zippyshare.com/v/pO87UAY7/file.html

h8er 06-24-2020 08:34

Quote:

Originally Posted by flightwatch (Post 120421)

If I am changing that file into .bin, do I have to delete the selected data?

From what I have seen it seems a textual representation of binary data. I don't think you will find a tool to convert it to bin, but it should be very easy to write a conversion script in Python; you can do it by yourself. Make a backup, remove the first column (the one with "address: ") and the last one (data display, the one with the dots etc.), you want a text file where every line is a 16 byte text representation

10 00 02 7b 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

etc.

then write a Python script which reads the resulting text file and for every line of text converts the 16 byte text representation to 16 real bytes and then writes them to a new binary file incrementally. At the end you should have your bin file (check it with a hex editor, you should see the same bytes as the original text). Then you could try to analyze it with binwalk, IDA etc.
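The conversion script described above, as an added example that is not from the thread's posters: it drops the "address:" column and the ASCII display column of each row, packs the hex tokens into bytes, and checks the result against the 8 MB flash size (assumed to mean 8 MiB). `SAMPLE_DUMP` is a constructed three-row dump, not the poster's file; it also copes with rows that have no ':' after the address and with short final rows.

```python
import re
import sys

# Constructed sample of the dump text described above ("address: " column,
# up to 16 hex bytes, then the ASCII display column); not the poster's dump.
SAMPLE_DUMP = """\
00000000: 10 00 02 7b 00 00 00 00 00 00 00 00 00 00 00 00  ...{............
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020: 43 46 45 31                                      CFE1
"""
HEX_CHARS = set("0123456789abcdefABCDEF")

def dump_line_to_bytes(line: str) -> bytes:
    """Drop the address column and the ASCII column, return the raw bytes."""
    line = line.strip()
    if ":" in line:                    # "address: " column ends at the colon
        line = line.partition(":")[2]
    # The hex field is separated from the ASCII display by two or more spaces.
    toks = re.split(r"\s{2,}", line.strip())[0].split()
    if toks and len(toks[0]) > 2 and set(toks[0]) <= HEX_CHARS:
        toks = toks[1:]                # bare address with no ':' separator
    out = bytearray()
    for tok in toks:
        if len(tok) != 2 or not set(tok) <= HEX_CHARS or len(out) == 16:
            break                      # ASCII column reached, or row is full
        out.append(int(tok, 16))
    return bytes(out)

def convert_dump(text: str) -> bytes:
    """Concatenate every row of a textual dump into one binary image."""
    return b"".join(dump_line_to_bytes(ln) for ln in text.splitlines())

def size_matches_flash(blob: bytes, flash_bytes: int = 8 * 1024 * 1024) -> bool:
    """Sanity check: a complete dump of the 8 MB part must be exactly 8 MiB."""
    return len(blob) == flash_bytes

if __name__ == "__main__":             # usage: python dump2bin.py dump.txt out.bin
    with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
        image = convert_dump(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(image)
    if not size_matches_flash(image):
        print(f"warning: wrote {len(image)} bytes, expected 8 MiB", file=sys.stderr)
```

A size mismatch usually means rows were lost (a missed line in the capture or a row whose ASCII column began with hex-looking characters), so compare the row count of the text against the image length before trusting it in binwalk.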

