What is the approach to decrypt unknown GatewaySettings.bin? #7
Comments
Send me the file via email, and I'll see what I can find out! What device is this?
On Thu, Nov 15, 2018, 16:33 Mustafa Dur ***@***.*** wrote:
Hi,
I am trying to decrypt my modem's GatewaySettings.bin file. I tried different profiles but it doesn't seem to work. When I check the file with a hex editor, I saw B2 3E AD 05 34 75 2B 6F over and over again. So I think maybe this file is using a static XOR key. How can I test my theory? I don't have access to the firmware. I hope maybe this file has the username and password for telnet so that I can dump the firmware.
|
I don't know your email, so I am attaching it here. [redacted] I downloaded the settings file three times. I compared them; interestingly, the first one's header is different from the other two. The model number is CBW-383ZN and its documentation is at http://netmaster.com.tr/files/prod//B9jG01GTDK.NETMASTER-CBW-383ZN-KULLANIM-KILAVUZU.PDF The last page says that it is produced by Castlenet Technology Inc. |
This looks like a 64-bit block cipher in ECB mode, most likely DES or 3DES. This explains the repeated blocks of |
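A way to run the check made in this reply, and to test the static-XOR theory from the question, as an added example that is not part of the thread or of bcm2-utils: the sample settings record, the random-codebook stand-in for DES-ECB and the printable-text heuristic are assumptions, not the real file format.

```python
import random
import string
from collections import Counter

BLOCK = 8   # 64-bit block: DES or 3DES
PRINTABLE = set(string.printable.encode())

def blocks(data: bytes, block: int = BLOCK):
    return [data[i:i + block] for i in range(0, len(data) - block + 1, block)]

def dominant_block(data: bytes, block: int = BLOCK):
    """Most frequent block-aligned chunk and its share of all chunks
    (the thread's 'B2 3E AD 05 34 75 2B 6F over and over again')."""
    chunk, count = Counter(blocks(data, block)).most_common(1)[0]
    return chunk, count / len(blocks(data, block))

def xor_repeating(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def classify(data: bytes, block: int = BLOCK) -> str:
    """Test the 'static XOR key' theory: if the repeated chunk were the key over zero
    padding, XORing it back over the *other* blocks would reveal readable settings.
    If it does not, identical blocks on 8-byte boundaries point at ECB instead."""
    chunk, share = dominant_block(data, block)
    if share < 0.1:
        return "no repeated blocks"
    others = xor_repeating(b"".join(b for b in blocks(data, block) if b != chunk), chunk)
    if others and sum(b in PRINTABLE for b in others) / len(others) > 0.9:
        return "repeating XOR key"
    return "64-bit block cipher in ECB mode"

# Constructed sample: a settings record followed by zero padding (not the real
# GatewaySettings.bin layout); the thread's repeated chunk doubles as the XOR key.
PLAINTEXT = b"user=admin;pass=wifi1234;ssid=Home".ljust(40) + b"\0" * 256
KEY = bytes.fromhex("b23ead0534752b6f")
_rng = random.Random(7)   # fixed seed so the samples are reproducible

def toy_ecb(plaintext: bytes, block: int = BLOCK) -> bytes:
    """Stand-in for DES-ECB: a random codebook, so equal plaintext blocks give equal
    ciphertext blocks but nothing is recoverable by XOR. This is not DES itself."""
    book, out = {}, bytearray()
    for p in blocks(plaintext, block):
        out += book.setdefault(p, bytes(_rng.getrandbits(8) for _ in range(block)))
    return bytes(out)

SAMPLES = {
    "xor": xor_repeating(PLAINTEXT, KEY),       # the question's theory
    "ecb": toy_ecb(PLAINTEXT),                  # what the real file turned out to be
    "random": bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT))),  # e.g. CBC output
}
```

Running `classify` over each entry of `SAMPLES` gives the three verdicts; on a real file the dominant chunk is what to look for in the hex editor before choosing a decryption profile.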
I have telnet but I can't log in because I don't know the password. I see the usual telnet banner
The ISP doesn't tell me the password. I don't know about SNMP though. I tried to check port 161 and it seems closed. |
Try this: disconnect the coax cable, then reset the device to factory defaults. Disable any "firewall" settings in the web interface. Then check if you have SNMP access. If you do, try the following:
This should set the telnet username and password. In any case, do an |
I think I did something. I enabled an option and rebooted the device. I issued the following command: snmpwalk -v 2c -c freerange 192.168.0.1 system
SNMPv2-MIB::sysDescr.0 = STRING: CBW-383ZN <<HW_REV: 1.0; VENDOR: TEKNOTEL; BOOTR: 2.4.0; SW_REV: 0081.545.392116mp5.799.009; MODEL: CBW-383ZN>>
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.4413.2.1.6
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (4900) 0:00:49.00
SNMPv2-MIB::sysContact.0 = STRING: (unknown)
SNMPv2-MIB::sysName.0 = STRING: CableHome
SNMPv2-MIB::sysLocation.0 = STRING: (unknown)
SNMPv2-MIB::sysServices.0 = INTEGER: 3
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::enterprises.4413.2.3.2.5
SNMPv2-MIB::sysORDescr.1 = STRING: An agent which supports all MIBs required by the DOCSIS 3.0 OSS specification.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
However, after a couple of seconds, that command didn't work again. I guess it is disabling itself. So I should remove the coax cable, I guess. I don't want to brick my internet connection right now. So I will try to set the username and password tomorrow and let you know. What should I do next after I set the username and password? I am using macOS, so I guess I should either get a Windows or a Linux machine to try to dump the firmware. Is the following command correct?
|
SNMP is usually disabled by the ISP once the modem registers on the network. The command to try would be
but it's possible that you only have access to a limited shell, in which case you could try
Both |
OK, I will try tomorrow and let you know. AFAIK, the binaries don't include macOS, only Windows, Linux and source code. I have a VM; I can try from there. I will report back. Will the telnet username and password be reverted when the modem connects to the ISP again? Does |
UPDATE:
Anyway, I got lucky and I learned the username and password from the manufacturer 😄
I got
I tried the second command and it again gave me the same response. I compiled from the source and tried on macOS. I also tried the above commands on Ubuntu 18, again with the same error. PS: I have found two username and password pairs; the second pair is below: H@ly_Je$u$,Ble$$_Y@u>>^.^Day However, I can't use this because of the >> chars. I can log in with this password via telnet, but bcm2dump doesn't support it because the terminal eats those chars and bcm2dump treats " as part of the password. |
The trick is to put the quotes around the whole
|
I tried but again it didn't work
|
Is this the latest version of bcm2dump? |
Yes, I used Ubuntu and downloaded from the releases page. I also compiled from the source for macOS. I think maybe they have disabled the /read_memory command? Because when I log in with telnet I see the following when I type help
Btw, the first user doesn't show anything when I type help, but the second user (H@ly_Je$u$) shows the above. |
Try
What does that show? |
|
Please try compiling from the latest sources. The last release contains a bug that doesn't use
UPDATE: or, try the latest version, v0.9.2 (with macOS binaries too!). |
I tried with macOS. It compiles, but it didn't work, as I said.
As you see, it can't get the username and password on macOS if there is a '. I tried to compile on Ubuntu, but it fails to compile
|
Do |
It compiled, but now I have this. I really don't get it. A single quote for the password was working before. What am I doing wrong?
I tried once again the same command and this time worked! I don't know what was wrong. Here is the image file I extracted. [redacted] |
I've pushed 7873f93, which adds support for your device. The encryption used was DES in ECB mode, as predicted. Expect more updates... |
Using the latest commit (89fd3bc), please try the following:
|
Again, I am blocked lol 😅 I don't know why, but I guess your telnet login code has flaws; look at the output.
Currently, I can't reset the device. However, I will reset and try the above commands again. I also tried to decrypt the files and yes, this time it worked. I see the settings. Thanks once again 😀 PS: I really want to learn how to RE firmware files. I tried binwalk -e to extract the files, but I don't know how I should proceed. I would really appreciate it if you could tell me how you found out it was DES and the key. |
Use single quotes instead of double quotes, otherwise the shell will try to substitute
Regarding the RAM dump you sent me, there's nothing to extract. These firmwares are basically one giant app (based on eCos), running directly on the system, so there's no filesystem, and no executable format. |
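The quoting problem from the earlier exchange about the $ and >> characters in the password, and the advice in this reply, shown as an added example that is not part of the thread or of bcm2-utils; the credential string is constructed, and the command layout follows the bcm2dump invocation used in the thread.

```python
import shlex
import subprocess

# Constructed credential string in bcm2dump's "host,user,password" form. The password
# has the same troublesome characters as the real one in the thread: '$', '>>' and '^'.
CREDS = "192.168.0.1,admin,Pa$$w0rd>>^.^Day"

def bcm2dump_argv(creds: str, partition: str, outfile: str) -> list:
    """Invoke bcm2dump from a program without a shell: argv entries are handed over
    verbatim, so nothing in the password can be expanded or turned into a redirection."""
    return ["bcm2dump", "-vv", "dump", creds, "flash", partition, outfile]

def shell_command(creds: str, partition: str, outfile: str) -> str:
    """The same command as one line to paste into a terminal. shlex.quote() wraps the
    whole credential string in single quotes, which is what the thread recommends."""
    return " ".join(shlex.quote(arg) for arg in bcm2dump_argv(creds, partition, outfile))

def as_seen_by_program(quoted_arg: str) -> str:
    """What /bin/sh actually passes on for a given quoted argument (printf echoes it back)."""
    result = subprocess.run(["sh", "-c", "printf '%s' " + quoted_arg],
                            capture_output=True, text=True, check=True)
    return result.stdout

def quoting_comparison(creds: str = CREDS) -> dict:
    """Single quotes keep the password intact; double quotes let the shell replace '$$'
    with its own PID before bcm2dump sees it. Unquoted, '>>^.^Day' would become an
    output redirection and the password would be cut off there, which is what
    'the terminal eats those chars' looks like (not executed here on purpose)."""
    return {
        "single": as_seen_by_program(shlex.quote(creds)),
        "double": as_seen_by_program('"' + creds + '"'),
    }
```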
If you find the time, please post the output of
and
Thanks! |
Hi again.
./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash image1,auto image1.bin
./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash bootloader,64k bootloader.bin
system/show flash
show version
|
For the |
Yes, I just compiled on macOS again. Still no go.
It is like it can't do |
|
The latest commit did something. It is reporting a download. I will upload the files 5 minutes later.
UPDATE: How can I disassemble this image? I really want to learn how you found out the DES and password stuff. I have radare2, IDA etc.
The images are in Broadcom's ProgramStore format - a GPL'd tool to extract them exists here. For disassembly, set the arch to big-endian MIPS, create a RAM section, and set the image's load address to
I just noticed that the image appears to be corrupted. Can you try
|
Here is the new dump. |
Thanks, this looks much better!
All these modem firmwares are based on the same Broadcom firmware (called BFC for Broadcom Foundation Classes, apparently), so once you've gotten to know one in depth, you'll find your way around others much faster. Using the GatewaySettings.bin magic constant, it's easy to find out where the file is created. Many crypto functions use "magic" values themselves, so googling those often yields good results. Compare OpenSSL's
Then, it's a little bit of trial and error, keeping fingers crossed, cursing, and finally a "eureka!". |
I was able to extract the image with ProgramStore. However, I still couldn't figure out the parameters for IDA. I loaded the extracted image into IDA
But it says please specify non-zero RAM size. I would really appreciate it if you could tell me how to proceed step by step. I am not good with this type of stuff. I just find it fascinating to learn. |
What's really interesting about your firmware is that I can run it on my spare TC7200.20, since it uses the same architecture ;) |
See this screenshot, shamelessly taken from stackexchange: you need to copy the value from "loading size" to "ram size". |
Using the latest version, please run:
and
Hopefully the images are not corrupted this time. Sadly, I can't test flash reads on my TC7200.20, since it uses a different flash driver than your device. |
I did git pull and make. I also want to ask this. This router has a predefined WPA password. Is it calculated somehow with an algorithm related to the MAC address, for example, or is it kind of fused in at the factory?
First Command
Second Command
|
Ah yes, try the latest commit. It didn't try the |
This method looks extremely slow; it is reporting 35 minutes. Then it crashed. I don't know why we are doing this slow method though. The previous one gets the firmware nicely and quite fast.
|
The second command you mentioned crashed at 62%
|
Strange, but try now with the latest version! |
I just tried both methods and uploaded two files. I checked the MD5 of the files and it seems dumping |
Thanks, maybe
Closing this now, but feel free to contact me, should questions arise. |