Exetools
#1 flightwatch, 06-14-2020, 04:58

What type of encryption has been used for the Zyxel VMG8924-B10A config file?

Hi,
I read the config file from the router Zyxel VMG8924-B10A, but unfortunately it is encrypted.

https://paste.in/alldrK

Can you decipher it? Or is it useless?

The data I'm interested in (login and passwords) should be available in section 5067F0:

https://berkayyildiz.com/vmg8324-b10a-turk-telekom-modem-yazilim-analizi-ve-tr-064/

I have found a similar string here: http://p2812.blogspot.com/p/how-to-get-root.html but I am not able to upload it because this option is not available from the user/user account.

The router is built on a Broadcom processor, so in theory this should have worked:

https://www.ifnull.org/articles/router_full_access/

http://www.happyhacking.org/HappyHacking/hacking/2013/11/07/Hacking-Inetno-DG201A.html

but the FTP, SSH and other ports are blocked.

Is it possible to work something out of it, or should I just throw the router in the bin?
#2 chants, 06-14-2020, 20:19
If you can get a decrypted version of the firmware it would help answer this question. Assuming this encryption method for this model is not known, finding downloadable firmware or dumping it off the ROM chip directly are options. Usually web firmware updates are themselves encrypted, leaving another task, but usually doable. Disassembling the firmware in IDA ought to do; see how the file is read and decrypted. Then if there is a key in a ROM or elsewhere you must find or dump that as well. That is about all I can say. It could be a time consuming but rewarding project if you find it worth it. Some electronics repair shops could dump the ROM chips if you pay for this service. I've had them reflash a BIOS I almost bricked due to custom mods I hand patched on a laptop once, so it is possible.
#3 flightwatch, 06-15-2020, 03:52
Italians, English, and Croats have access to CFE, where they either read the admin / supervisor password or upload non-branded firmware:

https://www.hwupgrade.it/forum/showthread.php?t=2891309

http://forum.pcekspert.com/showthread.php?p=2761531

https://www.boards.ie/vbulletin//showthread.php?t=2057302483

Unfortunately, my bootloader is password protected:

https://paste.in/E9cN86

The only thing I managed to rip was the data I posted above. This is not a firmware dump. This is probably just a save of settings. I was able to read it after entering the address:

IP_router/backupsettings.conf

IP_router/configuration-backupsettings.conf

IP_router/pages/tabFW/configuration-backupsettings.conf

IP_router/dumpcfgdynamic.cmd

IP_router/dumpmdm.cmd

IP_router/dumpcfgdynamic.conf

IP_router/password.cmd

What unencrypted firmware are you writing about? You mean a file that someone ripped with a programmer directly from the bone, or a file from another router with an unblocked dump memory command? Even if I get such a file, it will not have the same version of the software as I have and will come from another operator.
#4 phroyt, 06-15-2020, 06:28
Have you looked at OpenWRT project?

Maybe the old sources could help you:
https://openwrt.org/toh/zyxel/zyxel_vmg7947-b40a_o2_homebox_6641_de01v2f
#5 h8er, 06-15-2020, 08:13
Originally Posted by flightwatch:
What unencrypted firmware are you writing about? You mean a file that someone ripped with a programmer directly from the bone, or a file from another router with an unblocked dump memory command? Even if I get such a file, it will not have the same version of the software as I have and will come from another operator.
I think he means that you have to physically desolder the firmware ROM memory from your router PCB and then dump the content with a programmer (if you need it, take a look at XGecu TL866II programmers on AliExpress; they are quite cheap).

#6 atom0s, 06-15-2020, 09:01
With the firmware dumped, this is the script that appears to work with the 'config.rom' file:

Code:
#!/bin/sh
OPTION="$1"
INPUTFILE="$2"
OUTPUTFILE="$3"

PROGRAM=`basename $0`

OPENSSL=openssl
CAT=cat
RM=rm

PASSWD=N3z0y93

#####################################################################################################
# usage
usage()
{
	echo ""
	echo "Copyright (C) ZyXEL Communications, Corp. All Rights Reserved."
	echo "Usage: $PROGRAM [option] [input filename] [output filename]"
	echo "$PROGRAM: A Simple Script to Encrypt/Decrypt file using openssl"
	echo "option : e [Encrypt],  d [Decrypt]"
	echo "Examples:"
	echo "  $PROGRAM e /var/pdm/config.rom /tmp/config.enc"
	echo ""
	exit 1
}

filenotfound()
{
	echo "Error! Input file not found."
	exit 1
}

optnotfound()
{
	echo "Error! Option not support."
	echo "option : e [Encrypt],  d [Decrypt]"
	exit 1
}
#####################################################################################################

test -n "$OPTION" || usage
test -n "$INPUTFILE" || usage
test -n "$OUTPUTFILE" || usage
test -e "$INPUTFILE" || filenotfound

case $OPTION in
	"e")
		$OPENSSL enc -e -des3 -pass pass:$PASSWD -in $INPUTFILE -out $OUTPUTFILE
		;;
	"d")
		$OPENSSL enc -d -des3 -pass pass:$PASSWD -in $INPUTFILE -out $OUTPUTFILE
		;;
	*)
		optnotfound;
		;;
esac
exit 0
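Added example (not part of the thread, and not ZyXEL's or atom0s' code): a host-side reimplementation of what the firmware script above actually does, so a backup blob can be identified and decrypted off the router. `openssl enc -des3 -pass pass:PW` with no `-md` or `-pbkdf2` option writes `Salted__`, an 8-byte random salt and DES-EDE3-CBC ciphertext, and derives the 24-byte key and 8-byte IV with EVP_BytesToKey (one round). The digest inside EVP_BytesToKey is MD5 on OpenSSL before 1.1.0 (the generation the router ships) and SHA-256 from 1.1.0 on, so a modern host must pass `-md md5` or it derives a different key and the decrypt fails with a padding error. The password is the `PASSWD` constant from the script; the two hash variants are shown side by side so the mismatch is visible. Decryption itself is delegated to the host's `openssl` binary, as the script does.

```python
"""
Added example, not part of the thread and not ZyXEL's or atom0s' code:
host-side view of the firmware script above.

`openssl enc -des3 -pass pass:PW` with no -md/-pbkdf2 means:
  * file = b"Salted__" + 8-byte random salt + DES-EDE3-CBC ciphertext
  * 24-byte key and 8-byte IV come from EVP_BytesToKey(PW, salt, 1 round)
  * the digest is MD5 on OpenSSL < 1.1.0 (router era) and SHA-256 on
    OpenSSL >= 1.1.0, so a modern host must pass `-md md5`.
"""
import hashlib
import shutil
import subprocess
import sys

MAGIC = b"Salted__"
DES3_KEY_LEN, DES3_IV_LEN = 24, 8
FIRMWARE_PASSWORD = b"N3z0y93"      # PASSWD= value from the script above


def split_salted(blob: bytes):
    """Return (salt, ciphertext) if blob carries the `openssl enc` salt
    header; raise otherwise.  This is the quick test for whether a blob
    was produced by `openssl enc` with a password at all."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("no 'Salted__' header: not `openssl enc` output")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, md: str = "md5",
                     key_len: int = DES3_KEY_LEN, iv_len: int = DES3_IV_LEN):
    """OpenSSL EVP_BytesToKey with count=1:
    D_0 = H(pw || salt), D_i = H(D_{i-1} || pw || salt), concatenated
    until key_len + iv_len bytes exist.  Returns (key, iv)."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def openssl_des3(data: bytes, password: bytes, decrypt: bool) -> bytes:
    """Run the same cipher the firmware script runs, via the host's
    openssl, forcing -md md5 so the derived key matches the router's."""
    exe = shutil.which("openssl")
    if exe is None:
        raise RuntimeError("openssl binary not found on PATH")
    cmd = [exe, "enc", "-d" if decrypt else "-e", "-des3", "-md", "md5",
           "-pass", "pass:" + password.decode("ascii")]
    res = subprocess.run(cmd, input=data, capture_output=True)
    if res.returncode != 0:
        raise RuntimeError(res.stderr.decode(errors="replace").strip())
    return res.stdout


def decrypt_config(blob: bytes, password: bytes = FIRMWARE_PASSWORD) -> bytes:
    """Check the header first, then decrypt.  A blob without the header
    was produced by some other scheme and is not worth feeding to 3DES."""
    split_salted(blob)
    return openssl_des3(blob, password, decrypt=True)


if __name__ == "__main__":
    # usage: python3 zyxel_cfg.py config.enc > config.rom
    enc = open(sys.argv[1], "rb").read()
    salt, _ = split_salted(enc)
    key, iv = evp_bytes_to_key(FIRMWARE_PASSWORD, salt)
    print(f"salt={salt.hex()} key={key.hex()} iv={iv.hex()}", file=sys.stderr)
    sys.stdout.buffer.write(decrypt_config(enc))
```

The security point of the script is not the cipher but the key: a single hard-coded password shared by every unit running that firmware, with a one-round MD5 derivation, so anyone who has extracted the firmware can decrypt any backup made by it. The `Salted__` check is also the fastest way to tell whether a blob came from `openssl enc` at all; a blob without it was produced by a different routine and this script does not apply.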
#7 atom0s, 06-15-2020, 09:17
Here is the entire /etc/default.cfg file with the given section you wanted the info of. (Assuming you want it from the stock firmware image.)

https://paste.ofcode.org/WJSJepUufKz8xrRAfGJsdQ
#8 atom0s, 06-15-2020, 09:24
In regards to your config paste though, would need more info on the exact version of the firmware you are using since the one you linked to does not seem to create a similar output to what you dumped. So the scripts used to create the encrypted backup are probably different between versions.
#9 SegWolf, 06-16-2020, 03:40
Another useful thread here:
https://reverseengineering.stackexchange.com/questions/14882/how-to-decrypt-the-config-bin-from-zte-zxv10-h201l
#10 flightwatch, 06-18-2020, 03:22
Originally Posted by phroyt:
Have you looked at OpenWRT project?

Maybe the old sources could help you:
https://openwrt.org/toh/zyxel/zyxel_vmg7947-b40a_o2_homebox_6641_de01v2f
Unfortunately, I just use this router, but it is owned by the operator. I cannot upload an alternative software.

Originally Posted by h8er:
I think he means that you have to physically desolder the firmware rom memory from your router pcb and then dump the content with a programmer (if you need it take a look at XGecu TL866II programmers on aliexpress, they are quite cheap).
I would prefer to do this with a program, as I'm only leasing the router. At the same time, if nothing else works, I will have to make it the way you suggest.

Originally Posted by atom0s:
Here is the entire /etc/default.cfg file with the given section you wanted the info of. (Assuming you want it from the stock firmware image.)

https://paste.ofcode.org/WJSJepUufKz8xrRAfGJsdQ
Is this data deciphered from my router or is it just exemplary data?

In the file you provided, the encrypted password is shown: WV35vVCAM9iQu78h7YaFGYiarcHW7AMbNE5phQAAADk=

but I guess it isn't Base64, as the decoder shows something like this: Y]щЅPЂ3Шђ»ї!н†…€љ­БЦм4Ni…

Originally Posted by atom0s:
In regards to your config paste though, would need more info on the exact version of the firmware you are using since the one you linked to does not seem to create a similar output to what you dumped. So the scripts used to create the encrypted backup are probably different between versions.
I can't link the exact firmware, as it's not publicly available. The router works in Polish Orange.
As I use the user account, I'm not able to read the firmware version.
When I'm connecting to the serial port, something like this appears:

CFE version 1.0.38-112.118 for BCM963268 (32bit,SP,BE)
Build Date: 08/08/2017 ([email protected])
Copyright (C) 2000-2011 Broadcom Corporation.

NAND ECC BCH-8, page size 0x800 bytes, spare size used 64 bytes
NAND flash device: name Toshiba TC58NVG0S3HTAI0, id 0x98f1 block 128KB size 131072KB
Correctable ECC Error detected: addr=0x0000b200, intrCtrl=0x00000090, accessCtrl=0xF7881010
External switch id = 53125
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000
#11 atom0s, 06-18-2020, 03:27
The stuff I posted was dumped from the defaults of the firmware from the router's website.
The firmware I dumped was: 1.00 (AAKL.28) C0.

But in order to ensure the scripts and encryption-related keys that are used match yours, would need the exact firmware version you have to find a copy of that firmware.
#12 chants, 06-18-2020, 05:30
Looks for sure to be base64 but it's of raw byte data which could be a 16 byte hash and salt of the password or what have you. You should have mentioned the length of the decrypted data which looks like 43x6//8=32 bytes. This is where the firmware comes in useful. The exact version is best but if the manufacturer website has one and you think the encryption and password storage did not change between the versions then you could study that one for clues at least. Otherwise desolder is best option.
#13 bolo2002, 06-18-2020, 23:20
"owned by the operator...I cannot upload an alternative software.I'm only leasing the router.."

It looks like the one before the cable modem, DOCSIS 3. I had a Cisco locked by the operator; the config is checked, like on the cable modem, almost 100x/day. Even if you can upload a new config, it is seen and reported to them, and then...
Maybe it's not your case, but be safe.
#14 flightwatch, 06-23-2020, 02:45
I have managed to make a flash dump (from another router of the same operator) with this manual:

https://limbenjamin.com/articles/dumping-aztech-DSL1015EN-firmware.html

Unfortunately, I don't know which tool I should use to change it into .bin.

If you could have a look, please check if the root's password is there.

If I am changing that file into .bin, do I have to delete the selected data?

https://i.postimg.cc/L6gFmd10/cut.png

Dump comes from 8 MB flash and it's here:

https://www119.zippyshare.com/v/pO87UAY7/file.html
#15 h8er, 06-24-2020, 08:34
Originally Posted by flightwatch:

If I am changing that file into .bin, do I have to delete the selected data?
From what I have seen it seems to be a textual representation of binary data. I don't think you will find a tool to convert it to bin, but it should be very easy to write a conversion script in Python; you can do it by yourself. Make a backup, remove the first column (the one with "address: ") and the last one (the data display, the one with the dots etc.); you want a text file where every line is a 16-byte text representation:

10 00 02 7b 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

etc.

Then write a Python script which reads the resulting text file and, for every line of text, converts the 16-byte text representation to 16 real bytes and writes them to a new binary file incrementally. At the end you should have your bin file (check it with a hex editor; you should see the same bytes as the original text). Then you could try to analyze it with binwalk, IDA etc.

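The converter h8er describes, as an added example that is not part of the thread (not h8er's or flightwatch's code). It does the column stripping itself instead of requiring a hand-edited file, and it checks the two things that usually go wrong with a console capture of flash: lines that were dropped (the serial line or terminal buffer lost them, leaving a gap) and lines captured twice (scrollback repeats). The dump layout is assumed to be the common `ADDRESS: b0 b1 ... b15  |ascii|` form seen in the screenshot; the constructed sample input and the `0xFF` fill value for gaps (unwritten flash normally reads as `0xFF`) are assumptions, not data from the thread. Only the first 16 two-digit hex tokens after the colon are taken, so text from the ASCII column can never leak into the image.

```python
"""
Added example, not from the thread: rebuild a binary image from a
console hex dump of the form
    10000000: 10 00 02 7b 00 00 00 00 00 00 00 00 00 00 00 00  |...{............|
while reporting gaps (missing lines) and duplicates (scrollback repeats).
Assumptions: byte-granular addresses, 16 bytes per line, erased flash
reads as 0xFF.  Lines that do not start with an address are ignored, so
boot-log noise mixed into the capture does no harm.
"""
import re
import sys

_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
_ADDR = re.compile(r"^\s*(?:0x)?([0-9A-Fa-f]{4,16})\s*:")
BYTES_PER_LINE = 16
ERASED = 0xFF          # assumption: unwritten NAND/NOR reads back as 0xFF


def parse_line(line):
    """Return (address, data) for one dump line, or None for noise.
    Stops at the first token that is not exactly two hex digits and
    never takes more than BYTES_PER_LINE, so the ASCII column is ignored."""
    m = _ADDR.match(line)
    if not m:
        return None
    data = bytearray()
    for tok in line[m.end():].split():
        if len(data) == BYTES_PER_LINE or not _HEX_BYTE.match(tok):
            break
        data.append(int(tok, 16))
    return (int(m.group(1), 16), bytes(data)) if data else None


def dump_to_bin(text, fill_gaps=True):
    """Reassemble dump text into (image, report).

    report = {"first_addr": int, "gaps": [(from, to), ...], "duplicates": n}
    A repeated line is accepted only if its bytes match what is already
    there; a gap is padded with ERASED when fill_gaps is set, otherwise
    it raises so the capture can be redone before anyone runs binwalk on
    a silently truncated image."""
    image = bytearray()
    base = None
    report = {"first_addr": None, "gaps": [], "duplicates": 0}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, data = parsed
        if base is None:
            base = report["first_addr"] = addr
        off = addr - base
        if off < 0:
            raise ValueError(f"address {addr:#x} precedes first line {base:#x}")
        if off < len(image):
            overlap = image[off:off + len(data)]
            if overlap != data[:len(overlap)]:
                raise ValueError(f"conflicting data at {addr:#x}")
            report["duplicates"] += 1
            data = data[len(overlap):]        # usually empty
        elif off > len(image):
            report["gaps"].append((base + len(image), addr))
            if not fill_gaps:
                raise ValueError(f"gap before {addr:#x}")
            image.extend([ERASED] * (off - len(image)))
        image.extend(data)
    return bytes(image), report


if __name__ == "__main__":
    # usage: python3 dump2bin.py capture.txt flash.bin
    with open(sys.argv[1], "r", errors="replace") as f:
        img, rep = dump_to_bin(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(img)
    print(f"{len(img)} bytes from {rep['first_addr']:#x}, "
          f"{len(rep['gaps'])} gap(s), {rep['duplicates']} duplicate line(s)")
    for lo, hi in rep["gaps"]:
        print(f"  gap {lo:#x}-{hi:#x} filled with {ERASED:#x}")
```

Compare the reported byte count against the chip size (the dump here is stated to be 8 MB) and treat any gap as a reason to recapture rather than a region to delete: a flash image with bytes removed will not line up with the partition offsets binwalk finds.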