Tplink backup File Bin file parsing [continued]

Most routers allow to save and restore configuration from files. This is cool because you can edit the configuration file and upload to the router again enabling some "hidden" Configurati On options.

For example on my D-Link dsl-2640b I managed to get higher download speed disabling DSL QoS (it is broken) by setting x_broadcom_com_atmenbqos to FALSE!

So, I get a tp-link wireless access point and, sadly, I found that they encrypted the configuration file, so I decided to Reverse engineer it.

First of all I needed a dump of the filesystem to get the binaries, so I soldered a serial port on the router to get a ser Ial Console.

The bootloader didn ' t allow to interrupt the boot process but fortunately I knew so you can get a prompt by typing the s Ecret Word tpltpltpl

AP93 (ar7240) ubootdram:sri#### TAP VALUE1=9,2=9 +Mbid Read0x100000ffFlash Size4194304, Sector count = -Flash:4mbusingdefaultenvironmentIn:serialOut:serialErr:serialNet:ag7240_enet_initialize ... No Valid addressinchFlash. UsingfixedAddress:cfg10xfCfg20x7014eth0:xx:Geneva: 7f: the: 0b:adeth0 upno Valid addressinchFlash. UsingfixedAddress:cfg10xfCfg20x7214eth1:xx:Geneva: 7f: the: 0b:adathrs26:resetting s26athrs26:s26 reset Doneeth1 upeth0, eth1autobootinginch 1secondsar7240>

I ' ve compiled an OPENWRT (Are you know OpenWrt, right?.) firmware with Initramfs, and I loaded it from RAM without flashing th E firmware:

0x81000000 openwrt-ar71xx-generic-tl-wr841n-v8-initramfs-uimage.binar7240> Bootm

After that making the dump is easy, just "DD" the Mtdblock device with the firmware and copy to the computer via SCP.

if=/dev/block/mtd2 of=/tmp//tmp/rootfs [email protected]192.168. 1.2:

I needed to compile a old version of SQUASHFS tools to extract the files, and finally I extracted the whole filesystem.

$ UNSQUASHFS Rootfs

I looked at the Web page which handled the configuration Load/save and I noticed this there were many references to some s ORT of embedded functions which most likely is handled by the webserver itself. The webserver is a single blob which handled many system utilities, indeed there were many executables symlinked to the HT TPD binary. This was a common practice in embedded firmwares, like OpenWrt ' s Busybox and Android ' s toolbox

I started IDA to look at this binary, clearly httpconfupload is the function to start hacking from.

Due to a reference to Des_min_do and some string starting with Des_ I suspected this des was used as cypher.

Des_min_do was a galore of bitwise operators and nasty loops, clearly it is an inlined cryptographic function, a nd before calling it a pointer to a fixed null terminated string is pushed to the stack. It could is some salt or key passed to the encryption function so I'll note this string which was 478da50bf9e3d2cf.

I tried to decrypt it with Mdecrypt using this string as key but without success:

$ mdecrypt-b-a des-f key <config.bin

I looked again at the binary and I searching for the _des string I found md5_des which suggested me to use the MD 5 hash Function:

$ mdecrypt-b-a des-f key-o mcrypt-md5 <config.bin

Again with no luck, so I tried all the block modes available until I found the correct one:

$ mdecrypt-b-a des-m ecb-f key-o mcrypt-md5 <config.bin192.168. 1.254  255.255. 255.0  0.0. 0.0

The file is decrypted! Note that the trailing bytes is the MD5 sum of the files without trailing zeroes:

The same can be do with OpenSSL:

$ OpenSSL enc-d-des-ecb-nopad-k 478da50bf9e3d2cf- in Config.bin

Have fun!

Original: http://teknoraver.net/software/hacks/tplink/

Tplink backup File Bin file parsing [continued]