Decrypting D-Link Encrypted Firmware (SHRS)

 

Introduction

 D-Link firmware with SHRS magic bytes contain firmware encrypted using AES 128 CBC with key as 0xC05FBF1936C99429CE2A0781F08D6AD8. Original firmware can be obtained by extracting the encrypted block from the firmware and then decrypting using this key.

Header Structure

Header structure of firmware along with corresponding values for a sample firmware DIR-867_FW1.30B07.bin is given in table.

OffsetSize (Bytes)ItemValue (DIR-867_FW1.30B07)
04Magic BytesSHRS
44Decrypted FW Size0x9D2AF9
84Encrypted Block Size0x9D2B00
0xC16IV0x67C6697351FF4AEC29CDBAABF2FBE346
0x1C64SHA512(Decrypted FW + Key)0x7139.......AA94
0x5C64SHA512(Decrypted FW)0xDAC3.......5DA7
0x9C64SHA512(Encrypted Block)0x7D3F.......12D2
0xDC512Unused00
0x2DC512Decrypted Block Signature0x0253.......F178
0x4DC512Encrypted Block Signature0x81D4.......7383

Encrypted block starts at offset 0x6DC.

1. Extract encrypted block:
dd iflag=skip_bytes,count_bytes if=enc_fw.bin of=enc_block.bin skip=$((0x6DC)) count=$((0x009d2b00))

2. Verify SHA512 of enc_block.bin is same as that in header.
sha512sum enc_block.bin

3. Decrypt encrypted block:
openssl aes-128-cbc -d -p -nopad -nosalt -K "c05fbf1936c99429ce2a0781f08d6ad8" -iv "67c6697351ff4aec29cdbaabf2fbe346" -in enc_block.bin -out dec_block.bin

4. Get original decrypted firmware:
dd iflag=skip_bytes,count_bytes if=dec_block.bin of=dec_fw.bin count=$((0x009D2AF9))

5. Verify SHA512 of decrypted firmware is same as that in header.
sha512sum dec_fw.bin

6. Append encryption key to decrypted firmware and calculate SHA512 and verify with header.
cp dec_fw.bin dec_fw_plus_key.bin

perl -e 'print pack "H*", "c05fbf1936c99429ce2a0781f08d6ad8"'>> dec_fw_plus_key.bin

sha512sum dec_fw_plus_key.bin

7. Extract filesytem, copy /etc_ro/public.pem and change its format:
binwalk -eM dec_fw.bin

openssl rsa -RSAPublicKey_in -in public.pem -out publickey -pubout

8. Extract signature of encrypted block:
dd iflag=skip_bytes,count_bytes if=enc_fw.bin of=enc_block.signature skip=$((0x4DC)) count=512

9. Verify the signature of encrypted block:
openssl dgst -sha512 -verify publickey -signature enc_block.signature enc_block.bin

10. Extract signature of decrypted firmware:
dd iflag=skip_bytes,count_bytes if=enc_fw.bin of=dec_fw.signature skip=$((0x2DC)) count=512

11. Verify the signature of decrypted firmware:
openssl dgst -sha512 -verify publickey -signature dec_fw.signature dec_fw.bin

Demo



Comments

  1. AnonymousAugust 21, 2022 at 10:42 AM

    whare did you get this key from, ...can you brother explain to us how to extract such key with more explanation ,please

    ReplyDelete
  2. AnonymousAugust 21, 2022 at 10:43 AM

    0xC05FBF1936C99429CE2A0781F08D6AD8.

    ReplyDelete
  3. AnonymousNovember 22, 2023 at 12:26 AM

    Hi, can you decrypt files encrypt with Cr1pt0r? Thanks.

    ReplyDelete
  4. AnonymousMarch 22, 2024 at 4:19 AM

    plese need help about dlink 2750u firmware

    ReplyDelete

Post a Comment

Popular posts from this blog

Decrypt TP-Link config.bin Configuration Backup File

Image
Configuration backup file can be downloaded from certain TP-Link devices by clicking  Backup button on System Tools > Backup & Restore page. The downloaded configuration file, config.bin is encrypted. To decrypt the config.bin  file, use key 478DA50BF9E3D2CF. openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin -out dec_config.bin First 16 bytes of the output file, dec_config.bin is the MD5 hash of configuration text file. Decrypted file may also contain null byte padding at the end. In this case there are 4 null bytes at the end of file. To extract configuration text file, remove MD5 hash (First 16 bytes) and padding (Last 4 bytes).  dd if=dec_config.bin of=config.txt bs=1 skip=16 truncate -s -4 config.txt Output file, config.txt contains the configurations. Its MD5 hash should match the MD5 given in dec_config.bin. Demo
Read more

Firmadyne Installation & Emulation of Firmware

Image
   Introduction Firmadyne can be used to perform emulation and analysis of Linux based firmware. Installation Install Ubuntu 18.04 LTS and upgrade all packages: sudo apt update sudo apt upgrade Install and configure other packages: sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10 git clone --recursive https://github.com/firmadyne/firmadyne.git git clone https://github.com/ReFirmLabs/binwalk.git cd binwalk sudo ./deps.sh sudo python ./setup.py install cd .. sudo apt-get install postgresql sudo -u postgres createuser -P firmadyne Give firmadyne as password. sudo -u postgres createdb -O firmadyne firmware sudo -u postgres psql -d firmware < ./firmadyne/database/schema cd firmadyne ./download.sh sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils nano firmadyne....
Read more

Extract / Create Cramfs File System from Ubuntu 20.04

Image
  Extract Cramfs Check the endianness of the Cramfs file: file cramfs  This is a big endian file. Convert  cramfs   file to little endian file  cramfs_le  using cramfsswap. cramfsswap cramfs cramfs_le Extract the little endian file  cramfs_le  to folder  fs  using fsck.cramfs. sudo fsck.cramfs --extract=fs cramfs_le Create Cramfs Use mkfs.cramfs to create Cramfs file system from the contents of folder  fs .To create a little endian file system: sudo mkfs.cramfs fs cramfs_new For big endian Cramfs file system: sudo mkfs.cramfs -N big fs cramfs_new Demo
Read more