FiOS-G1100-Quantum-Gateway GPG Encrypted Firmware Identification/Decryption #256

Open
jameshilliard opened this issue Mar 14, 2017 · 59 comments

Comments

@jameshilliard

This is an odd router I picked up which appears to use gpg encrypted and signed firmware; the firmware images don't seem to get identified by binwalk correctly. I've been trying to figure out a way to extract the gpg decryption keys but so far I have been coming up empty handed. It appears the TTL debug interface is disabled and I haven't managed to get a root shell any other way; it has a very limited chroot shell available over ssh but without read/write I couldn't figure out how to break out of it. My guess is I would need to dump the NAND unless I can come up with some sort of exploit.
It seems my router only has the decryption keys for one of these images as well (I was able to see some limited log output over the chroot shell when uploading them).
http://bitcast-a.bitgravity.com/2wire/cms/DOWNLOAD/upgrade/frontier/D4A928/1.03.02.02/bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed
http://bitcast-a.bitgravity.com/2wire/cms/DOWNLOAD/upgrade/frontier/D4A928/1.2.0.36.98.0/bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed

gpg2 at least seems to identify the keys needed:

$ gpg2 --list-packets bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed 
:pubkey enc packet: version 3, algo 1, keyid EDDA2E82EDC7030C
	data: [2048 bits]
:encrypted data packet:
	length: unknown
	mdc_method: 2
gpg: encrypted with RSA key, ID EDC7030C
gpg: decryption failed: No secret key
$ gpg2 --list-packets bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed 
:pubkey enc packet: version 3, algo 1, keyid F18B47DF3F881C75
	data: [2046 bits]
:encrypted data packet:
	length: unknown
	mdc_method: 2
gpg: encrypted with RSA key, ID 3F881C75
gpg: decryption failed: No secret key
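Since binwalk does not recognise these images, here is a worked example of doing what `gpg2 --list-packets` does for the two packets shown above. It is an example added to this thread, not binwalk's code, not the scripts referenced later in the discussion, and not taken from the router. It walks the RFC 4880 packet framing (old- and new-format headers, definite, indeterminate and partial body lengths) and decodes the Public-Key Encrypted Session Key packet (tag 1), which carries the key id, public-key algorithm and MPI size that tell you which key a given `.signed` image was encrypted to. The `SAMPLE` bytes are constructed inside the script to mirror the stepstone listing (key id EDDA2E82EDC7030C, 2048-bit RSA MPI, partial-length encrypted data packet); they are not the real firmware.

```python
"""Identify a GnuPG-encrypted blob by walking its OpenPGP packet headers.

Example added to the thread: not binwalk's code, not the scripts mentioned
later, and not anything from the router.  Implements the RFC 4880 packet
framing and decodes the PKESK (tag 1) packet that names the decryption key.
SAMPLE is constructed here to mirror the `gpg2 --list-packets` output for the
stepstone image; it is not real firmware.
"""
import struct

PK_ALGOS = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ElGamal", 17: "DSA",
            18: "ECDH", 19: "ECDSA"}
TAG_NAMES = {1: "pubkey enc packet", 2: "signature packet",
             3: "symkey enc packet", 8: "compressed data packet",
             9: "encrypted data packet (no MDC)", 11: "literal data packet",
             18: "encrypted data packet"}


def _new_length(buf, pos):
    """Decode a new-format body length at buf[pos]; return (length, next_pos, is_partial)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2, False
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True          # partial body length


def read_header(buf, off):
    """Parse the packet header at buf[off].

    Returns (tag, body_offset, length, is_partial).  length is None for the
    old-format "indeterminate" encoding (body runs to end of input); when
    is_partial is True it is only the size of the first chunk.
    """
    ctb = buf[off]
    if not ctb & 0x80:
        raise ValueError("offset %d: not an OpenPGP packet (bit 7 clear)" % off)
    if ctb & 0x40:                                     # new-format header
        length, pos, partial = _new_length(buf, off + 1)
        return ctb & 0x3F, pos, length, partial
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03         # old-format header
    if ltype == 3:
        return tag, off + 1, None, False
    nbytes = (1, 2, 4)[ltype]
    length = int.from_bytes(buf[off + 1:off + 1 + nbytes], "big")
    return tag, off + 1 + nbytes, length, False


def read_packet(buf, off):
    """Return (tag, body, next_off, used_partial), reassembling partial-length chunks."""
    tag, pos, length, partial = read_header(buf, off)
    if length is None:
        return tag, buf[pos:], len(buf), False
    used_partial = partial
    body = bytearray()
    while True:
        body += buf[pos:pos + length]
        pos += length
        if not partial:
            break
        length, pos, partial = _new_length(buf, pos)   # next chunk has no tag byte
    return tag, bytes(body), pos, used_partial


def describe(buf):
    """Walk every packet in buf; one dict per packet, like `gpg --list-packets`."""
    out, off = [], 0
    while off < len(buf):
        tag, body, off, used_partial = read_packet(buf, off)
        info = {"tag": tag, "name": TAG_NAMES.get(tag, "tag %d" % tag),
                "length": None if used_partial else len(body)}   # None == "unknown"
        if tag == 1 and len(body) >= 12:
            # PKESK body: version, 8-byte key id, pk algorithm, then the MPI(s)
            info.update(version=body[0], keyid=body[1:9].hex().upper(),
                        algo=PK_ALGOS.get(body[9], "algo %d" % body[9]),
                        mpi_bits=struct.unpack(">H", body[10:12])[0])
        elif tag == 18 and body:
            info["version"] = body[0]                   # SEIPD version octet
        out.append(info)
    return out


def is_pgp_encrypted(buf):
    """binwalk-style magic test: a GnuPG encrypted file starts with a PKESK or SKESK."""
    try:
        tag = read_header(buf, 0)[0]
    except (ValueError, IndexError, struct.error):
        return False
    return tag in (1, 3)


# --- constructed sample (not the real firmware) ---------------------------
_pkesk_body = (b"\x03" + bytes.fromhex("EDDA2E82EDC7030C") + b"\x01"
               + struct.pack(">H", 2048) + b"\x80" + b"\x5A" * 255)   # 2048-bit MPI
_seipd_body = b"\x01" + b"\x00" * 20
SAMPLE = (b"\x85" + struct.pack(">H", len(_pkesk_body)) + _pkesk_body  # old fmt, tag 1, 2-byte len
          + b"\xD2" + b"\xE4" + _seipd_body[:16]                        # new fmt, tag 18, partial 16
          + b"\x05" + _seipd_body[16:])                                 # final 5-byte chunk

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("pgp encrypted:", is_pgp_encrypted(data))
    for p in describe(data):
        print(p)
```

Run it with the path to a `.signed` file to get a per-packet listing; the key id printed for tag 1 is the long form of the ID `gpg2` reports (gpg's `ID EDC7030C` is the low 32 bits), and `is_pgp_encrypted()` is the magic test a binwalk signature for these files would implement. As the listing above shows, only the PKESK and the encrypted data packet are visible before decryption, so the signature packet and signer key id only become parseable once the image has been decrypted.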
@jameshilliard

jameshilliard commented Mar 21, 2017

I managed to find, extract and decrypt the Verizon BHR4 eu@greenwavesystems.com pgp decryption key on the router for the firmware images (bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed).

-----BEGIN PGP PRIVATE KEY BLOCK-----
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=UtFV
-----END PGP PRIVATE KEY BLOCK-----

Along with the Verizon BHR4 eu@greenwavesystems.com pgp decryption key on the router for the firmware images (bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed).

-----BEGIN PGP PRIVATE KEY BLOCK-----
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=c6nn
-----END PGP PRIVATE KEY BLOCK-----

@alexis4

alexis4 commented Apr 20, 2017

I was able to install bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed. What I did was go to http://myfiosgateway.com/#/advanced/fwrestore and restore to the backup firmware first, then I installed the firmware via http://myfiosgateway.com/#/advanced/fwupgrade.

@jameshilliard

Yeah, that's the only one I've been able to install as well, I suspect the keys were rotated at some point so I would need to extract the other keys from a router with older firmware.

@alexis4

alexis4 commented Apr 20, 2017

Do you know of any site to get more compatible firmware for the FiOS-G1100?
I only found some on Frontier; any others?

@jameshilliard

Nope, I got these links by calling Frontier. If you have Verizon FiOS maybe try calling their customer support and asking if they have any. They give these out for routers that can't be automatically updated due to being behind another router (they are normally remotely updated).

@alexis4

alexis4 commented Apr 20, 2017

I tried; they won't, because I put a new cooling system in to help it stay cool.

@alexis4

alexis4 commented Apr 20, 2017

It always got too hot and started to slow down, so I put in a new heat sink and used thermal paste to help it transfer heat. They use a thermal pad like in old laptops to help them stay cool; thermal paste is better than the pad.

@alexis4

alexis4 commented Apr 20, 2017

Here is a link to other versions of the firmware; I just found it: http://myplace.frontier.com/~firmware/

@jameshilliard

I tried; they won't, because I put a new cooling system in to help it stay cool.

Maybe try for a different customer service rep.

Here is a link to other versions of the firmware; I just found it: http://myplace.frontier.com/~firmware/

That looks like a Frontier personal website to me.

@alexis4

alexis4 commented Apr 20, 2017

Yeah, it is from them, and I have tried multiple times to get help but no luck, same thing every time. Do you know all of the hardware brands and specs? Because I would have to look into it, but DD-WRT does have custom builds for specific hardware. They do not have any for the FiOS-G1100, but they have a way to build a firmware. It's not recommended; you could brick the router if one fails, but with that info it may be a possibility.

@jameshilliard

jameshilliard commented Apr 20, 2017

Yeah, there's currently no custom firmware available for these; OpenWRT/LEDE would probably be the easiest to port. These have protection to prevent flashing unsigned firmware but I have a way around that at least (although it's currently rather complicated). The firmware images are both signed and encrypted with PGP; the eu@greenwavesystems.com signing key and eu@greenwavereality.com signing key are also different from the encryption key.

@alexis4

alexis4 commented Apr 20, 2017

I'm not good at coding at all. Is it possible to just modify the key to trick the router into thinking it's actually signed? Like just paste the key of the signed firmware into a modded one.

@jameshilliard

No, PGP is a strong signing method and is not breakable directly. I was able to get the PGP encryption private key simply due to the fact that the router has to have the ability to decrypt firmware updates and thus has to have the encryption private key stored somewhere on the flash; the same is not true for the signing key (the signing key and encryption keys are not the same). Changing the firmware at all would mean the signature would not validate and the router would refuse to flash the firmware. However, the signature validation can be bypassed entirely since I have a way to get a root shell.

@Brandonv101

@jameshilliard If you don't mind can you explain how you got shell access. I can only SSH into the admin account I still can't find the root password I already tried ThinkGreen.

@jameshilliard

@Brandonv101 You have to enable ssh using TR-069 on the WAN side (there's a built-in remotely activatable root ssh backdoor); I set up a local GenieACS server to do that. Redirecting the router to a local ACS server is a bit tricky though. I originally tried to MITM it but that's not possible since the router verifies the ACS server SSL certificate.

You can however change the config file to disable SSL and point it at your own ACS server. The config file is AES encrypted but I have some python scripts that can decrypt and re-encrypt the config file so that it can be edited (I had to get some help with reversing the encryption scheme from the assembly for that).

@Brandonv101

Brandonv101 commented May 6, 2017

@jameshilliard There is an option to enable SSH access though in the web UI. If you don't mind can you explain how you changed the config file? Via the web UI or some other method.

I also found a few hidden firmware rollback and update links assuming that the router is using the 192.168.1.1 IP: http://192.168.1.1/#/advanced/fwupgrade & http://192.168.1.1/#/advanced/fwrestore

Hopefully soon we can decrypt the firmware update and customize it. Also if it would help I can send over my config file if I can pull it.

@jameshilliard

By downloading the config file from the web UI, decrypting it, editing it, then re-encrypting it and uploading it back, I was able to get TR-069 access and enable root ssh.

I can already decrypt one of the firmware updates with the key posted above but not the other, since my router didn't have the key for it. However, even if the firmware is decrypted it's not possible to sign it, since that signing private key is not on the router at all. It should however be possible to bypass the signature checks by flashing a new firmware over the root ssh directly.

What firmware version does your router have? If it has an older firmware I might be able to pull the decryption key from it for the other firmware update file.

@kingoflions

@jameshilliard how did you decrypt your config.bin file? I had tried everything ("binwalk...") with mine from the ZTE "ZXHN H108N V2.5" router and didn't succeed.
This is the config.bin link: https://www.dropbox.com/s/ebw8tcleiznbcu3/config.bin?dl=0

@jameshilliard

These are the config file encryption/decryption scripts I'm using:
gwdecrypt.py
gwencrypt.py

@kingoflions

When I run it I get this:
./gwdecrypt.py
Traceback (most recent call last):
  File "./gwdecrypt.py", line 10, in <module>
    from Crypto import Random
ImportError: No module named 'Crypto'

@jameshilliard

That's just a python import error. Also make sure you use python 3, pretty sure those scripts do not work with python 2.

@0BuRner

0BuRner commented May 7, 2017

Would be awesome to implement these tricks in https://github.com/reverse-shell/routersploit project :)

@jameshilliard

The hardest part is probably doing the tr-069 server emulation needed in order to activate the root shell.

@Brandonv101

Brandonv101 commented May 8, 2017

@jameshilliard Ok so my current firmware is 01.04.00.10 and I can downgrade to 01.03.02.03

GW Internal Router Build Number : 01.04.00.822

I have attached the config file here it's Google Drive since I am not able to use dropbox due to it being full. If you can change it and I can get SSH access I can poke around and see if I can pull anything else. https://drive.google.com/drive/folders/0Bw7iUjIheIK2bktUWW9xaUczSnc?usp=sharing

I am working on getting an ACS server running locally but it's a bit difficult.

@ozwaldorf

I have a router from 2015, I got it a few days ago completely unopened. The firmware is the original. I may have to dump the NAND unless I can get the TR-069 server to work correctly. Let me know if any of you want files from the older firmware

@jameshilliard

@The5heepDev Yeah, if you can get a NAND dump that would be great, that way I can probably pull the PGP key needed for decryption of the stepstone firmware. What firmware version is it on right now? Make sure you don't connect it to the internet otherwise it might auto-update.

@ozwaldorf

Yup, I don't plan on connecting it to the internet. Let me see if U-Boot says the firmware version.

@jameshilliard

You can see the firmware version in the webui.

@ozwaldorf

I don't have the router on me at the moment, I can check for sure when I get home later today

Here's a line from U-Boot:

14:36:29.515 Booting: Bhr4 , Version: 01.04.00.10 (build: 01.04.00.822)

@jameshilliard

That may be the newer firmware version.

@jameshilliard

Not a whole lot, seems to be a Cortina ARM SoC.

@ozwaldorf

Cortina G4, ARMv7

I can get the specific model later

@ozwaldorf

Also, I have some C files from Cortina that U-Boot is running. It seems to be opening a rw console on UART0. There are apparently UART0, UART1, UART2, and UART3.

http://snapon.lab.bufferbloat.net/~d/verizon_firmware/linux/drivers/tty/serial/serial_cortina.c

@ozwaldorf

In addition, this may be very useful: http://snapon.lab.bufferbloat.net/~d/verizon_firmware/

@Brandonv101

@The5heepDev You can downgrade I left a link to the hidden WebUI page in an earlier comment.

@ozwaldorf

ozwaldorf commented May 24, 2017

There is a bunch of new info I've found in my repo, check it out.

I also added @jameshilliard @Brandonv101 as collaborators so add info to the README and add files as you go

https://github.com/The5heepdev/FIOS-G1100

@Brandonv101

@The5heepDev Thanks, this is going to be really useful. Just to ask, has this router been out since 2014? Because some of the firmware dumps are from 2013/2014, unless it's an old compile/Linux kernel.

@mhenigma

Exciting to see this comment thread. Would be great to get a custom firmware running on the G-1100.


@vido89

vido89 commented May 30, 2017

@kingoflions Were you able to decrypt your configs? I have a ZTE ZXV10 H201LV2 and I can't find the AES key.

@alexis4

alexis4 commented Jul 14, 2017

@Brandonv101 The firmware you listed is older; mine was last updated 1 year ago and it has version 1.2.1.36.84. I put open source bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin on it; that was the only one I got that was accepted.

@Brandonv101

@alexis4 I was not able to decrypt the firmware because my internet was out for a week and I got a new router with a newer web UI.

@mzpqnxow

I've not had any luck binwalking the decrypted firmware. binwalk does seem to identify a large amount of Java class files, but they don't get successfully dumped to disk. I am working with a decrypted version of bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed.

@jameshilliard

Strange, it worked fine for me once it was decrypted. Did you install all binwalk dependencies?

@mzpqnxow

mzpqnxow commented Nov 13, 2017 via email

@CoffeeExpress

This has been a busy thread. Should I leave it open?

@jameshilliard

Sure, I don't think identifying and extracting the firmware images is supported by binwalk yet, so it may be good to leave it open until someone gets around to that at least.

@minanagehsalalma

@kingoflions Where are you from, dude?
Can we get to know each other?

@jameshilliard

FYI, looks like someone found a command injection vulnerability here. This probably allows for getting a root shell much more easily than my method of using the TR-069 backdoor.

@minanagehsalalma

These are the config file encryption/decryption scripts I'm using:
gwdecrypt.py
gwencrypt.py

@jameshilliard I got this while trying to decrypt:
ValueError: Input strings must be a multiple of 16 in length
It's a ZXHN H108N V2.5.
And I got this while trying to encrypt a decrypted one:
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
....
And Router Pass View does it with no problem!

@jameshilliard

jameshilliard commented Jul 8, 2019

It's a ZXHN H108N V2.5.

How is that relevant to the G1100? The decryption/encryption scripts are specific to these Greenwave routers since they use a custom encryption scheme; they aren't going to magically work on routers made by ZTE.

@minanagehsalalma

@jameshilliard sorry, I thought it was for ZTE because your reply was to:

@jameshilliard how did you decrypt your config.bin file? I had tried everything ("binwalk...") with mine from the ZTE "ZXHN H108N V2.5" router and didn't succeed.
This is the config.bin link: https://www.dropbox.com/s/ebw8tcleiznbcu3/config.bin?dl=0

@Nostradamus1973

It's been a while since I've seen any progress on this thread.
Has everyone given up?
I'm not a programmer, or an Electrical Engineer, so I can't attest to the difficulty of this exercise and I don't want to come off as someone who knows anything about the technical side of this. However, that being said, maybe there's another way. If there's still interest, maybe someone following this issue has contacts that work at GreenWave Systems and maybe they can throw a bone (hint) this way by saying how they'd go about it, or even go as far as giving someone a boot-loader (on the DL). This router has been around for a while, so maybe the possibility of finding a (disgruntled) employee with knowledge of how to go about things is higher.
I joined just to add to this discussion, I hope this came off as constructive, if not, pardon my rant and have a great day.

@jameshilliard

@Nostradamus1973 I made a pull request to handle firmware decryption.

@minanagehsalalma

@Nostradamus1973 I made a pull request to handle firmware decryption.

@jameshilliard take a look at NirSoft's Router Pass View. I am sure it would help.

@jameshilliard

I am sure it would help

@minanagehsalalma help with what exactly? I already have python scripts to encrypt/decrypt G1100 config files; they use a hard-coded AES encryption key.

@minanagehsalalma

@jameshilliard okay... I thought it would help as it identifies more than just GPG.
Sorry if I was wrong.
