#1
What type of encryption has been used for the Zyxel VMG8924-B10A config file?
Hi,
I read the config file from the router Zyxel VMG8924-B10A, but unfortunately it is encrypted: https://paste.in/alldrK
Can you decipher it? Or is it useless? The data I'm interested in (login and passwords) should be available in section 5067F0: https://berkayyildiz.com/vmg8324-b10a-turk-telekom-modem-yazilim-analizi-ve-tr-064/
I have found a similar string here: http://p2812.blogspot.com/p/how-to-get-root.html but I am not able to upload it because this option is not available from the user/user account.
The router is built on a Broadcom processor, so in theory it should have worked:
https://www.ifnull.org/articles/router_full_access/
http://www.happyhacking.org/HappyHacking/hacking/2013/11/07/Hacking-Inetno-DG201A.html
but the FTP, SSH and other ports are blocked. Is it possible to work something out of it, or should I just throw the router in the bin?
#2
If you can get a decrypted version of the firmware it would help answer this question. Assuming the encryption method for this model is not known, finding downloadable firmware or dumping it off the ROM chip directly are options. Usually web firmware updates are themselves encrypted, leaving another task, but usually a doable one. Disassembling the firmware in IDA ought to do it: see how the file is read and decrypted. Then, if there is a key in a ROM or elsewhere, you must find or dump that as well. That is about all I can say. It could be a time-consuming but rewarding project if you find it worth it. Some electronics repair shops could dump the ROM chips if you pay for this service. I've had them reflash a BIOS I almost bricked due to custom mods I hand patched on a laptop once, so it is possible.
The Following User Says Thank You to chants For This Useful Post:
flightwatch (06-15-2020)
#3
Italians, English, and Croats have access to CFE, where they either read the admin / supervisor password or upload non-branded firmware:
https://www.hwupgrade.it/forum/showthread.php?t=2891309
http://forum.pcekspert.com/showthread.php?p=2761531
https://www.boards.ie/vbulletin//showthread.php?t=2057302483
Unfortunately, my bootloader is password protected: https://paste.in/E9cN86
The only thing I managed to rip was the data I posted above. This is not a firmware dump. This is probably just a save of settings. I was able to read it after entering the address:
IP_router/backupsettings.conf
IP_router/configuration-backupsettings.conf
IP_router/pages/tabFW/configuration-backupsettings.conf
IP_router/dumpcfgdynamic.cmd
IP_router/dumpmdm.cmd
IP_router/dumpcfgdynamic.conf
IP_router/password.cmd
What unencrypted firmware are you writing about? You mean a file that someone ripped with a programmer directly from the bone, or a file from another router with an unblocked dump memory command? Even if I get such a file, it will not have the same version of the software as I have and will come from another operator.
#4
Have you looked at OpenWRT project?
Maybe the old sources could help you: https://openwrt.org/toh/zyxel/zyxel_vmg7947-b40a_o2_homebox_6641_de01v2f
The Following User Says Thank You to phroyt For This Useful Post:
flightwatch (06-15-2020)
#5
Last edited by h8er; 06-15-2020 at 08:21.
The Following User Says Thank You to h8er For This Useful Post:
flightwatch (06-15-2020)
#6
With the firmware dumped, this is the script that appears to work with the 'config.rom' file:
Code:
#!/bin/sh
OPTION="$1"
INPUTFILE="$2"
OUTPUTFILE="$3"
PROGRAM=`basename $0`
OPENSSL=openssl
CAT=cat
RM=rm
PASSWD=N3z0y93

#####################################################################################################
# usage
usage() {
    echo ""
    echo "Copyright (C) ZyXEL Communications, Corp. All Rights Reserved."
    echo "Usage: $PROGRAM [option] [input filename] [output filename]"
    echo "$PROGRAM: A Simple Script to Encrypt/Decrypt file using openssl"
    echo "option : e [Encrypt], d [Decrypt]"
    echo "Examples:"
    echo " $PROGRAM e /var/pdm/config.rom /tmp/config.enc"
    echo ""
    exit 1
}

filenotfound() {
    echo "Error! Input file not found."
    exit 1
}

optnotfound() {
    echo "Error! Option not support."
    echo "option : e [Encrypt], d [Decrypt]"
    exit 1
}
#####################################################################################################

test -n "$OPTION" || usage
test -n "$INPUTFILE" || usage
test -n "$OUTPUTFILE" || usage
test -e "$INPUTFILE" || filenotfound

case $OPTION in
    "e") $OPENSSL enc -e -des3 -pass pass:$PASSWD -in $INPUTFILE -out $OUTPUTFILE ;;
    "d") $OPENSSL enc -d -des3 -pass pass:$PASSWD -in $INPUTFILE -out $OUTPUTFILE ;;
    *) optnotfound; ;;
esac
exit 0
__________________
Personal Projects Site: https://atom0s.com
The Following 3 Users Say Thank You to atom0s For This Useful Post:
#7
Here is the entire /etc/default.cfg file with the given section you wanted the info of. (Assuming you want it from the stock firmware image.)
https://paste.ofcode.org/WJSJepUufKz8xrRAfGJsdQ
__________________
Personal Projects Site: https://atom0s.com
The Following User Says Thank You to atom0s For This Useful Post:
flightwatch (06-15-2020)
#8
In regards to your config paste though, would need more info on the exact version of the firmware you are using since the one you linked to does not seem to create a similar output to what you dumped. So the scripts used to create the encrypted backup are probably different between versions.
__________________
Personal Projects Site: https://atom0s.com
The Following User Says Thank You to atom0s For This Useful Post:
flightwatch (06-15-2020)
#9
Another useful thread here:
Code:
https://reverseengineering.stackexchange.com/questions/14882/how-to-decrypt-the-config-bin-from-zte-zxv10-h201l
The Following User Gave Reputation+1 to SegWolf For This Useful Post:
user1 (06-16-2020)
The Following 4 Users Say Thank You to SegWolf For This Useful Post:
flightwatch (06-18-2020), niculaita (06-17-2020), sh3dow (06-18-2020), user1 (06-16-2020)
#10
In the file you provided, the encrypted password is shown: WV35vVCAM9iQu78h7YaFGYiarcHW7AMbNE5phQAAADk= but I guess it isn't Base64, as the decoder shows something like this: Y]щЅPЂ3Шђ»ї!н†…€љБЦм4Ni…
As I use a user account, I'm not able to read the firmware version. When I'm connecting to the serial port, something like this appears:
Code:
CFE version 1.0.38-112.118 for BCM963268 (32bit,SP,BE)
Build Date: 08/08/2017 (jason@DaJiaBu)
Copyright (C) 2000-2011 Broadcom Corporation.
NAND ECC BCH-8, page size 0x800 bytes, spare size used 64 bytes
NAND flash device: name Toshiba TC58NVG0S3HTAI0, id 0x98f1 block 128KB size 131072KB
Correctable ECC Error detected: addr=0x0000b200, intrCtrl=0x00000090, accessCtrl=0xF7881010
External switch id = 53125
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000
#11
The stuff I posted was dumped from the defaults of the firmware from the router's website.
The firmware I dumped was: 1.00 (AAKL.28) C0. But in order to ensure the scripts and encryption-related keys that are used match yours, would need the exact firmware version you have to find a copy of that firmware.
__________________
Personal Projects Site: https://atom0s.com
The Following User Says Thank You to atom0s For This Useful Post:
flightwatch (06-23-2020)
#12
Looks for sure to be base64, but it's of raw byte data, which could be a 16-byte hash and salt of the password or what have you. You should have mentioned the length of the decoded data, which looks like 43x6//8=32 bytes. This is where the firmware comes in useful. The exact version is best, but if the manufacturer website has one and you think the encryption and password storage did not change between the versions, then you could study that one for clues at least. Otherwise desoldering is the best option.
The Following User Says Thank You to chants For This Useful Post:
flightwatch (06-23-2020)
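Added example, not code from the thread or from ZyXEL: a stdlib-only Python check that tells whether a blob is in the `openssl enc` salted format that the vendor script in post #6 produces and, if so, derives the 3DES key and IV from the hardcoded password the way `openssl enc -pass pass:` does (EVP_BytesToKey), which is the reason a backup in that format is readable by anyone holding the firmware. It assumes the router's openssl defaults to MD5 for that derivation, as OpenSSL versions before 1.1.0 do; the posted base64 string is decoded to show that it is not in this format at all.

```python
import base64
import hashlib

# `openssl enc` with a password writes this magic, then an 8-byte salt, then
# the ciphertext. Because the password (N3z0y93, from the script in post #6)
# is hardcoded in the firmware, such a backup is obfuscated, not protected.
OPENSSL_MAGIC = b"Salted__"
VENDOR_PASSWD = b"N3z0y93"

# Base64 string the original poster found in his config dump (post #10).
POSTED_BLOB = "WV35vVCAM9iQu78h7YaFGYiarcHW7AMbNE5phQAAADk="


def evp_bytes_to_key(password, salt, key_len, iv_len, md=hashlib.md5):
    """OpenSSL EVP_BytesToKey, one iteration: D_i = H(D_{i-1} || password || salt).

    Assumption: the router's openssl predates 1.1.0 and therefore uses MD5
    here; for a newer build pass md=hashlib.sha256.
    """
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        prev = md(prev + password + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def classify_blob(blob):
    """Report what can be told about a base64 string or raw bytes without decrypting."""
    raw = base64.b64decode(blob) if isinstance(blob, str) else bytes(blob)
    info = {"length": len(raw), "openssl_salted": raw.startswith(OPENSSL_MAGIC)}
    if info["openssl_salted"] and len(raw) >= 16:
        salt = raw[8:16]
        # des3 in CBC mode, as used by the vendor script: 24-byte key, 8-byte IV.
        key, iv = evp_bytes_to_key(VENDOR_PASSWD, salt, 24, 8)
        info.update(salt=salt.hex(), key=key.hex(), iv=iv.hex(),
                    ciphertext_len=len(raw) - 16)
    return info


if __name__ == "__main__":
    # The posted string decodes to 32 raw bytes with no Salted__ header, so it
    # was not produced by the quoted script (consistent with post #8).
    print(classify_blob(POSTED_BLOB))
```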
#13
"owned by the operator...I cannot upload an alternative software.I'm only leasing the router.."
It looks like the one before the cable modem Docsis 3. I had a Cisco locked by the operator; the config is checked, like on the cable modem, almost 100x/day, and even if you can upload a new config it is seen and reported to them, and then... Maybe it's not your case, but be safe.
__________________
I like this forum!
The Following User Says Thank You to bolo2002 For This Useful Post:
flightwatch (06-23-2020)
#14
I have managed to make a flash dump (of another router from the same operator) with this manual:
https://limbenjamin.com/articles/dumping-aztech-DSL1015EN-firmware.html
Unfortunately, I don't know which tool I should use to change it into .bin. If you could have a look, please check if the root password is there. If I am changing that file into .bin, do I have to delete the selected data? https://i.postimg.cc/L6gFmd10/cut.png
The dump comes from an 8 MB flash and it's here: https://www119.zippyshare.com/v/pO87UAY7/file.html
#15
Code:
10 00 02 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
etc., then write a Python script which reads the resulting text file and, for every line of text, converts the 16-byte text representation to 16 real bytes and then writes them to a new binary file incrementally. At the end you should have your bin file (check it with a hex editor; you should see the same bytes as the original text). Then you could try to analyze it with binwalk, IDA etc.
Last edited by h8er; 06-24-2020 at 08:53.
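A Python implementation of the conversion h8er describes, added here as an example and not code from the thread: it reads a text dump with one row of space-separated hex bytes per line and writes the raw bytes back out, so the result can be checked in a hex editor or fed to binwalk. The sample dump is constructed; tolerating an optional leading offset column and skipping lines that are not pure hex (console banners, prompts) are assumptions about what a serial-console capture may contain.

```python
import re

# Constructed sample in the shape h8er describes: 16 hex bytes per line.
# The "00000020:" prefix and the blank line stand in for what a serial
# console capture may add (assumption, not from the thread).
SAMPLE_DUMP = """\
10 00 02 7b 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00000020: ff ee dd cc
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def hexdump_to_bytes(text):
    """Convert a textual dump (one row of hex bytes per line) back to raw bytes.

    Blank lines and lines that are not made purely of two-digit hex tokens
    (banners, prompts, an "etc.") are skipped instead of silently corrupting
    the image; a short final row is accepted as-is.
    """
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Drop an optional leading offset such as "00000020:".
        if ":" in line:
            line = line.split(":", 1)[1]
        tokens = line.split()
        if not all(HEX_BYTE.match(t) for t in tokens):
            continue
        out += bytes(int(t, 16) for t in tokens)
    return bytes(out)


def convert_file(src_path, dst_path):
    """Read the text dump at src_path, write the binary to dst_path, return the byte count."""
    with open(src_path, "r", encoding="utf-8", errors="replace") as f:
        data = hexdump_to_bytes(f.read())
    with open(dst_path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    blob = hexdump_to_bytes(SAMPLE_DUMP)
    print(len(blob), blob[:4].hex())
```

Compare the output length against the flash size (8 MB here) before trusting the image; a shortfall means rows were dropped as non-hex and the capture needs inspecting.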