Fysac / orbicfg

Decrypt/encrypt Netgear Orbi config (.cfg) files

RBR760 #6

Closed DocDrydenn closed 1 month ago

DocDrydenn commented 8 months ago

using the go-rewrite...

./orbicfg -decrypt /root/NETGEAR_RBR760.cfg -out /root/NETGEAR_RBR760.json
decrypt error: invalid checksum
Try again with -ignore-checksum?

root@BackupServer:~/orbicfg# ./orbicfg -ignore-checksum -decrypt /root/NETGEAR_RBR760.cfg -out /root/NETGEAR_RBR760.json
config to json: missing or improper '=' separator in config: <REDACTED>
Please open an issue at https://github.com/Fysac/orbicfg/issues. Include the error message above and the model of your device

Fysac commented 8 months ago

That decrypted config is junk data; it looks like the RBR760 is using a different encryption scheme. Or, it might have something to do with a different implementation of rand() since this model uses musl libc instead of uClibc. I'll check it out tomorrow.

Fysac commented 8 months ago

@DocDrydenn To test my theory since I don't have this device, can you:

  1. Install musl-gcc on your system, either by running apt install musl-tools (if you have Debian/Ubuntu), or by following the instructions in the first box on this page
  2. Grab the musl-test branch of orbicfg: git clone -b musl-test https://github.com/fysac/orbicfg
  3. Build it: make
  4. Test it: ./orbicfg /root/NETGEAR_RBR760.cfg > /root/NETGEAR_RBR760.decrypted
  5. Paste the console output here and tell me whether the decrypted file (/root/NETGEAR_RBR760.decrypted) has any useful data

DocDrydenn commented 8 months ago

Tested everything you asked.

root@BackupServer:~/testing/orbicfg# ./orbicfg /root/NETGEAR_RBR760.cfg > /root/NETGEAR_RBR760.decrypted
using magic: 0x01346231
invalid checksum (0x01da144e), continuing anyway
root@BackupServer:~/testing/orbicfg#

Output file was created. Contents of this file are not readable. Sample (First 5 Lines):


Would sending you the .cfg help? If not, I can keep testing as you request.

Fysac commented 8 months ago

> Would sending you the .cfg help? If not, I can keep testing as you request.

It would be very helpful, but the config probably contains sensitive information (a SHA256 hash of your admin password, the SSID, hostnames of connected devices, etc.). If you're still willing to send it, you could temporarily change your password and anything else you don't want me to see, re-export the config, and share that sanitized version. If you don't care about me seeing any settings, sending it as-is is fine.

DocDrydenn commented 8 months ago

I run my Orbi in AP mode behind my router so no real security risk. NETGEAR_RBR760.zip

Fysac commented 8 months ago

Thanks, got it working with a hacky fix in the musl-test branch. Either Netgear is trying to mess with us or there's a typo in their code, because the magic value given in the file header was incorrect (off by exactly 1). I manually overrode it with the right value.

I'll add a proper solution to the Go version later.
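
Added example (not orbicfg code and not written by either commenter): a Go sketch of the two points raised in this thread, namely that a keystream seeded through rand() depends on which libc's rand() is used, and that a header magic that is off by one can be recovered by testing neighbouring seeds against a plaintext sanity check. The `muslRand` generator follows musl libc's rand() and srand(); the byte-wise XOR layout, the direction of the off-by-one, the sample config text and all function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
)

// muslRand reproduces musl libc's rand(): a 64-bit LCG that returns state>>33.
type muslRand struct{ state uint64 }

func (r *muslRand) next() uint32 {
	r.state = 6364136223846793005*r.state + 1
	return uint32(r.state >> 33)
}

// xorStream: byte-wise XOR with rand() outputs (ASSUMED layout, not orbicfg's).
func xorStream(data []byte, seed uint32) []byte {
	r := &muslRand{state: uint64(seed - 1)} // musl's srand(s) stores s-1
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ byte(r.next())
	}
	return out
}

// looksLikeConfig reports whether every line is printable ASCII containing '='.
func looksLikeConfig(p []byte) bool {
	for _, line := range bytes.Split(bytes.TrimRight(p, "\n"), []byte("\n")) {
		bad := bytes.IndexFunc(line, func(c rune) bool { return c < 0x20 || c > 0x7e })
		if bad >= 0 || !bytes.Contains(line, []byte("=")) {
			return false
		}
	}
	return true
}

// findSeed tries the header magic, magic+1 and magic-1 as the PRNG seed.
func findSeed(ct []byte, headerMagic uint32) (uint32, bool) {
	for _, d := range []uint32{0, 1, ^uint32(0)} {
		if s := headerMagic + d; looksLikeConfig(xorStream(ct, s)) {
			return s, true
		}
	}
	return 0, false
}

func main() {
	ct := xorStream([]byte("wl_ssid=ExampleNet\nhttp_username=admin\n"), 0x01346232) // constructed sample
	fmt.Println(findSeed(ct, 0x01346231)) // magic as printed in the log above
}
```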