ReFirmLabs / binwalk

Firmware Analysis Tool
MIT License
10.56k stars, 1.52k forks

FiOS-G1100-Quantum-Gateway GPG Encrypted Firmware Identification/Decryption #256

Open jameshilliard opened 7 years ago

jameshilliard commented 7 years ago

This is an odd router I picked up which appears to use GPG encrypted and signed firmware; the firmware images don't seem to get identified by binwalk correctly. I've been trying to figure out a way to extract the GPG decryption keys, but so far I have been coming up empty handed. It appears the TTL debug interface is disabled and I haven't managed to get a root shell any other way; it has a very limited chroot shell available over SSH, but without read/write I couldn't figure out how to break out of it. My guess is I would need to dump the NAND unless I can come up with some sort of exploit. It seems my router only has the decryption keys for one of these images as well (I was able to see some limited log output over the chroot shell when uploading them).

http://bitcast-a.bitgravity.com/2wire/cms/DOWNLOAD/upgrade/frontier/D4A928/1.03.02.02/bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed
http://bitcast-a.bitgravity.com/2wire/cms/DOWNLOAD/upgrade/frontier/D4A928/1.2.0.36.98.0/bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed

Gpg2 at least seems to identify the keys needed:

$ gpg2 --list-packets bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed 
:pubkey enc packet: version 3, algo 1, keyid EDDA2E82EDC7030C
    data: [2048 bits]
:encrypted data packet:
    length: unknown
    mdc_method: 2
gpg: encrypted with RSA key, ID EDC7030C
gpg: decryption failed: No secret key
$ gpg2 --list-packets bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed 
:pubkey enc packet: version 3, algo 1, keyid F18B47DF3F881C75
    data: [2046 bits]
:encrypted data packet:
    length: unknown
    mdc_method: 2
gpg: encrypted with RSA key, ID 3F881C75
gpg: decryption failed: No secret key

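The packet listing above is all that is needed to recognise such an image. As an added example (not binwalk's own signature code, and not from the issue author), the following stdlib-only parser walks OpenPGP packet headers (RFC 4880) and reports the same facts gpg2 prints: packet tag, version, public-key algorithm, key ID and MPI size. The sample bytes are constructed to mimic the stepstone image's header with the key ID quoted above; the MPI and ciphertext are fake.

```python
"""Identify OpenPGP packet headers (RFC 4880) at the start of a firmware blob,
reporting what `gpg2 --list-packets` shows: tag, version, algorithm, key ID."""

def read_length(data, pos, new_format, length_type):
    """Return (length, body_offset, partial); length is None if indeterminate."""
    if not new_format:                                    # old-style packet header
        if length_type == 3:
            return None, pos, False
        size = (1, 2, 4)[length_type]
        return int.from_bytes(data[pos:pos + size], "big"), pos + size, False
    o1 = data[pos]
    if o1 < 192:
        return o1, pos + 1, False
    if o1 < 224:
        return ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if o1 == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (o1 & 0x1F), pos + 1, True                # partial body length

def parse_packets(data):
    """Yield one dict per packet header, stopping once ciphertext begins."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % pos)
        new = bool(ctb & 0x40)
        tag = ctb & 0x3F if new else (ctb >> 2) & 0x0F
        length, body, partial = read_length(data, pos + 1, new, ctb & 3)
        info = {"offset": pos, "tag": tag,
                "length": "unknown" if partial or length is None else length}
        if tag == 1:                                      # public-key encrypted session key
            algo = data[body + 9]
            info.update(version=data[body], keyid=data[body + 1:body + 9].hex().upper(),
                        algo="RSA" if algo in (1, 2, 3) else "algo %d" % algo,
                        mpi_bits=int.from_bytes(data[body + 10:body + 12], "big"))
        elif tag == 18:                                   # sym. encrypted + MDC data
            info.update(version=data[body], mdc_method=2)
        yield info
        if partial or length is None:
            break                                         # remainder is ciphertext
        pos = body + length

# Constructed sample mimicking the stepstone image's header above (fake MPI/ciphertext).
SAMPLE = (bytes([0xC1, 192, 76])                          # tag 1, two-octet length 268
          + b"\x03" + bytes.fromhex("EDDA2E82EDC7030C") + b"\x01"
          + b"\x08\x00\x80" + b"\x5a" * 255                # one 2048-bit RSA MPI
          + bytes([0xD2, 0xE4]) + b"\x01" + b"\x00" * 15)  # tag 18, partial length 16
```

A signature that checks for a tag-1 packet followed by a tag-9 or tag-18 packet is enough to label the blob as GPG-encrypted rather than reporting nothing; the ciphertext itself yields no further structure without the private key.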
jameshilliard commented 5 years ago

FYI, it looks like someone found a command injection vulnerability here. This probably allows for getting a root shell much more easily than my method of using the TR-069 backdoor.

minanagehsalalma commented 5 years ago

These are the config file encryption/decryption scripts I'm using: gwdecrypt.py gwencrypt.py

@jameshilliard I got this while trying to decrypt: "ValueError: Input strings must be a multiple of 16 in length". It's a ZXHN H108N V2.5. And I got this while trying to encrypt a decrypted one: "json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)". And Router Pass View does it with no problem!

jameshilliard commented 5 years ago

it's ZXHN H108N V2.5

How is that relevant to the g1100? The decryption/encryption scripts are specific to these greenwave routers since they use a custom encryption scheme, they aren't going to magically work on routers made by ZTE.

minanagehsalalma commented 5 years ago

@jameshilliard sorry, I thought it was for ZTE because your reply was for

@jameshilliard how did you decrypt your config.bin file? I had tried everything ("binwalk...") with mine from the ZTE "ZXHN H108N V2.5" router and didn't succeed. This is the config.bin link: https://www.dropbox.com/s/ebw8tcleiznbcu3/config.bin?dl=0

Nostradamus1973 commented 4 years ago

It's been a while since I've seen any progress on this thread. Has everyone given up? I'm not a programmer or an Electrical Engineer, so I can't attest to the difficulty of this exercise, and I don't want to come off as someone who knows anything about the technical side of this. However, that being said, maybe there's another way. If there's still interest, maybe someone following this issue has contacts that work at GreenWave Systems and maybe they can throw a bone (hint) this way by saying how they'd go about it, or even go as far as giving someone a boot-loader (on the DL). This router has been around for a while, so maybe the possibility of finding a (disgruntled) employee with knowledge of how to go about things is higher. I joined just to add to this discussion; I hope this came off as constructive. If not, pardon my rant and have a great day.

jameshilliard commented 4 years ago

@Nostradamus1973 I made a pull request to handle firmware decryption.

minanagehsalalma commented 4 years ago

@Nostradamus1973 I made a pull request to handle firmware decryption.

@jameshilliard take a look at NirSoft's Router Pass View. I am sure it would help.

jameshilliard commented 4 years ago

I am sure it would help

@minanagehsalalma help with what exactly? I already have Python scripts to encrypt/decrypt G1100 config files; they use a hard-coded AES encryption key.

minanagehsalalma commented 4 years ago

@jameshilliard okay... I thought it would help, as it identifies more than just GPG. Sorry if I was wrong.