How did you recover DES keys? (reading default_config.xml) #2

Closed
ghost opened this issue Oct 9, 2018 · 2 comments
Comments

@ghost

ghost commented Oct 9, 2018

Apologies, not an issue as such. Trying to replicate your work with a WD9970v2. Are you able to point me in the right direction for reading default_config.xml from the firmware image?

Many thanks :-)

@sta-c0000
Owner

sta-c0000 commented Oct 18, 2018

On the v1 firmware DES keys are stored in libcmm.so. These are the functions called in that file and the location of the keys (I used radare2):

478DA50FF9E3D2CB         > p8 8 @0xc0000-0x21a0
    dm_loadCfg (/etc/default_config.xml) > dm_decryptFile
    dm_init (/etc/reduced_data_model.xml) > dm_decryptFile
478DA50BF9E3D2CF         > p8 8 @0xf0000-0x5cf0
    rdp_backupCfg & rdp_restoreCfg (conf.bin) > cen_desMinDo, > cen_md5VerifyDigest, > cen_uncompressBuff
    rdp_saveModem3gFile > rsl_3g_saveModem3gFile

I did not spend time trying to fully decode /etc/default_config.xml or /etc/reduced_data_model.xml. The DES key works, but is not quite enough alone. For example, the command below mostly works to decode more than half the file's contents, but not all. The dm_loadCfg function would have to be looked at more closely (perhaps simply due to how it processes file buffers?).

openssl enc -d -des-ecb -nopad -K 478DA50FF9E3D2CB -in default_config.xml > default_config_decrypted.xml

Does tpconf_bin_xml.py successfully handle firmware v2 configuration files (conf.bin)? If so, that means the conf.bin key and compression are the same as v1... I'd be surprised if the other key would be different, but I don't know.
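The steps in the comment above (read eight raw bytes at an offset of libcmm.so as radare2's `p8 8 @addr` does, then run an unpadded DES-ECB decryption with that key) as a small Python script. This is an added example written for this page, not the project's own code and not tpconf_bin_xml.py. It assumes the `cryptography` package; because that package has no single-DES primitive, it builds DES from TripleDES with all three sub-keys equal, which is mathematically identical to DES (E_K(D_K(E_K(x))) = E_K(x)), and checks that against a published DES test vector. The libcmm.so image and the encrypted XML below are constructed stand-ins, not real firmware; the decrypt function's handling of a trailing partial block (returned separately rather than dropped) is this example's own choice, not something the thread establishes about the real file.

```python
"""Unpadded DES-ECB helpers for the keys quoted in this thread (added example, not project code)."""
from cryptography.hazmat.primitives.ciphers import Cipher, modes

try:  # cryptography >= 43 ships TripleDES under the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:  # older releases keep it with the other primitives
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

BLOCK = 8

# Keys as printed in the comment above (output of radare2 `p8 8 @addr` on v1 libcmm.so).
DEFAULT_CONFIG_KEY = bytes.fromhex("478DA50FF9E3D2CB")  # dm_loadCfg / dm_init -> dm_decryptFile
CONF_BIN_KEY = bytes.fromhex("478DA50BF9E3D2CF")        # rdp_backupCfg / rdp_restoreCfg (conf.bin)


def _des(key: bytes) -> Cipher:
    """Single DES in ECB mode, expressed as TripleDES with K1 == K2 == K3."""
    if len(key) != BLOCK:
        raise ValueError("DES key must be exactly 8 bytes")
    return Cipher(TripleDES(key * 3), modes.ECB())


def des_ecb_decrypt(data: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Decrypt every complete 8-byte block with no padding removal.

    Equivalent to `openssl enc -d -des-ecb -nopad -K <hex>` for the whole blocks.
    Returns (plaintext, tail); `tail` is any trailing partial block, which cannot
    be a ciphertext block and is handed back untouched for the caller to inspect.
    """
    full = len(data) - len(data) % BLOCK
    dec = _des(key).decryptor()
    return dec.update(data[:full]) + dec.finalize(), data[full:]


def des_ecb_encrypt(data: bytes, key: bytes) -> bytes:
    """Inverse of des_ecb_decrypt for whole blocks; used below to build sample input."""
    if len(data) % BLOCK:
        raise ValueError("unpadded DES-ECB needs a multiple of 8 bytes")
    enc = _des(key).encryptor()
    return enc.update(data) + enc.finalize()


def read_key_at(blob: bytes, offset: int) -> str:
    """Mirror of radare2 `p8 8 @offset`: the eight raw bytes at offset as upper-case hex."""
    return blob[offset:offset + BLOCK].hex().upper()


def find_key_offsets(blob: bytes, key: bytes) -> list[int]:
    """Every offset at which the 8-byte key appears verbatim in a library image."""
    hits, pos = [], blob.find(key)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(key, pos + 1)
    return hits


def des_known_answer_ok() -> bool:
    """Confirms the TripleDES construction really is single DES (published DES test vector)."""
    key = bytes.fromhex("133457799BBCDFF1")
    ct = des_ecb_encrypt(bytes.fromhex("0123456789ABCDEF"), key)
    return ct == bytes.fromhex("85E813540F0AB405")


# --- constructed sample data (stand-ins, not real firmware) ---------------------------
# A fake libcmm.so with the two keys planted at arbitrary offsets (0x40 and 0x88).
FAKE_LIBCMM = b"\x00" * 0x40 + CONF_BIN_KEY + b"\x00" * 0x40 + DEFAULT_CONFIG_KEY + b"\x00" * 0x10

# A fake encrypted default_config.xml: zero-padded plaintext, DES-ECB, plus three stray tail bytes.
SAMPLE_XML = b'<?xml version="1.0"?><config><lan ip="192.168.1.1"/></config>\n'
SAMPLE_XML_PADDED = SAMPLE_XML + b"\x00" * (-len(SAMPLE_XML) % BLOCK)
SAMPLE_ENCRYPTED = des_ecb_encrypt(SAMPLE_XML_PADDED, DEFAULT_CONFIG_KEY) + b"\xff\xff\xff"

if __name__ == "__main__":
    print("DES self-test:", des_known_answer_ok())
    print("key at 0x40:", read_key_at(FAKE_LIBCMM, 0x40))
    print("default_config key found at:", [hex(o) for o in find_key_offsets(FAKE_LIBCMM, DEFAULT_CONFIG_KEY)])
    plain, tail = des_ecb_decrypt(SAMPLE_ENCRYPTED, DEFAULT_CONFIG_KEY)
    print(plain.rstrip(b"\x00").decode(), "| undecrypted tail:", tail.hex())
```

To use it on a real image, read libcmm.so into `FAKE_LIBCMM`'s place and call `read_key_at` with the offsets from the comment, then feed /etc/default_config.xml from the unpacked root filesystem to `des_ecb_decrypt`; a non-empty `tail` tells you the file length is not a multiple of the DES block size, which is worth knowing before blaming the key.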

@sta-c0000 sta-c0000 changed the title How did you recover DES keys? How did you recover DES keys? (reading default_config.xml) Oct 18, 2018
@sta-c0000
Owner

Decrypting default_config.xml now works with latest openssl.
Moving information up to main README.md and closing issue...
Thank you.
