My router is ZTE ZXHN F680 #68
Comments
Hello, Thank you, |
Hi, please can you share the method for extracting these files? I'm stuck at the memory dump and can't figure out the correct memory addresses. The mbinfo command is missing from uboot. Regards |
@marOne-mrri provides the files that I decrypt to you |
I have an F680 with firmware V6.0.10P2N14, how to decrypt it?

```
$ python3 examples/decode.py zte-f680-config.bin zte-f680-config.conf
Detected signature: F680
Detected payload type 5
Unknown payload type 5 encountered!
```

An attempt to just set the payload type to 04 did not help either:

```
$ python3 examples/decode.py --try-all-known-keys zte-f680-config.bin zte-f680-config.conf
Detected signature: F680
Detected payload type 4
Trying key: 'F680Key02721401' iv: 'F680Iv02721401' generated from signature: 'F680'
Trying key: 'F680Key02710010' iv: 'F680Iv02710010' generated from signature: 'F680'
Trying key: 'F680Key02710001' iv: 'F680Iv02710001' generated from signature: 'F680'
Trying key: 'F680Key02660004' iv: 'F680Iv02660004' generated from signature: 'F680'
Trying key: 'F6808cc72b05705d5c46f412af8cbed55aa' iv: 'F680667b02a85c61c786def4521b060265e' generated from signature: 'F680'
Failed to decrypt type 4 payload, tried 5 generated key(s)!
```

Decoding the firmware, I've revealed:

```c
undefined4 CspDBInitPdtInterface(undefined4 *param_1)
{
  char acStack_e0 [200];

  dbAddCfgItem(0xffff,0,"/userconfig/cfg/db_user_cfg.xml");
  dbAddCfgItem(0xffff,1,"/etc/db_default_cfg.xml");
  dbAddCfgItem(0xffff,2,"/userconfig/cfg/db_backup_cfg.xml");
  param_1[2] = 1;
  *param_1 = 0;
  param_1[3] = CspDBSetBackupItem;
  param_1[7] = dbPdtTransferCfg;
  memset(acStack_e0,0,200);
  CspHardCodeParamGet("/etc/hardcodefile/dataprotocol","DefAESCBCKey",acStack_e0,200);
  strncpy((char *)((int)param_1 + 0x143),acStack_e0,0x20);
  memset(acStack_e0,0,200);
  CspHardCodeParamGet("/etc/hardcodefile/dataprotocol","DefAESCBCIV",acStack_e0,200);
  strncpy((char *)(param_1 + 0x59),acStack_e0,0x20);
  PdtDBSetUserCfgAESCBCEncryKey((int)param_1 + 0x101,(int)param_1 + 0x122,0x21,0x21);
  return 0;
}
```

No idea what /etc/hardcodefile/dataprotocol is, there is no such thing in the firmware image |
Thanks, but it said "Invalid Key", assuming that mac address from label and without colons.
|
@skuuzymaster, I was able to log in to the router as root and download the /tagparam/paramtag file, which, I expect, should contain the keys for unpacking the backup file. Do you have some ideas how to get them from it? I've finally fought config decryption on the router with: `# sendcmd 1 DB decry /userconfig/cfg/db_user_cfg.xml` |
@vgrebenschikov send the paramtag, config file, serial and MAC address to the e-mail at the bottom of that page |
How can I decrypt it, please?
I have these files: