acc- / tplink-archer-c2300

Hacking TPLink Archer C2300

openssl zlib option #13

Open fredguth opened 2 years ago

fredguth commented 2 years ago

Could you help me understand what this command does (bin2xml.sh): $OPENSSL zlib -d -out $TMP/mid.bin

My macos openssl has no zlib option, I have tried to change this without success, so I want to understand what this command does to see if I can think of another way.

dbouras commented 2 years ago

Instead of this: $OPENSSL aes-256-cbc -d $AES -in $IN | $OPENSSL zlib -d -out $TMP/mid.bin

use this on OSX: $OPENSSL aes-256-cbc -d $AES -in $IN | pigz -z -d > $TMP/mid.bin

dbouras commented 2 years ago

Similarly for the second decryption call:

# decrypt again to get xml file
$OPENSSL aes-256-cbc -d $AES -in $TMP/orig.bin | pigz -z -d > $OUT

fredguth commented 2 years ago

Thanks a lot, @dbouras. I get a mismatch despite having the same Archer AC2300 V1. The XML seems fine, any idea why?

From AC2300 web interface: Firmware version: 2.0.3 Build 20180611 Rel. 77668 Hardware version: Archer C2300 v1.0

fredguth commented 2 years ago

By the way, in xml2bin:

pigz -z -c $IN | $OPENSSL aes-256-cbc $AES -out $TMP/orig.bin
...
pigz -z -c $TMP/mid.bin | $OPENSSL aes-256-cbc $AES -out $OUT

Still, because of the mismatch in the bin2xml process, I also get it in xml2bin: MD5 (backup-AC2300-2022-01-31.bin) = 0f0cf3a864d821b7d352e8775cb46800 MD5 (newfile.bin) = 1ddf5452f82c37bc40fd03aa9d2063b4

fredguth commented 2 years ago

The changes above resulted in a .bin file that wasn't recognised by the router. In the xml2bin concatenation step, I made a small change using my FILE_MD5 instead of OURS_MD5. It became recognised by the router. But the change (only change was RemoteSSH on) did not work, and I couldn't access the router in any way (nor web nor ssh).

A factory reset brought it back, but I still haven't figured out how to remote ssh it.

fredguth commented 2 years ago

Have you used the GPL code to figure out what to change?
https://static.tp-link.com/resources/gpl/AC2300V1_US_GPL.tar.gz

I thought about downgrading my firmware to have the same environment as yours, but the web interface does not allow it.

dbouras commented 2 years ago

Are you using a recent version of openssl (e.g. installed via brew)?

% which openssl
/usr/local/opt/openssl/bin/openssl
% openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)

dbouras commented 2 years ago

Here are my versions - hope they help:

bin2xml:

#!/bin/bash
[ $# -lt 1 ] && echo "Syntax: $0 backup-filename.bin [output-filename.xml]" && exit

IN=$1
[ $# -lt 2 ] && OUT=${IN%.*}.xml || OUT=$2

OPENSSL=/usr/local/opt/openssl/bin/openssl

[ ! -f $IN ] && echo File $IN does not exist && exit

# MD5 used for Archer C2300
OUR_MD5=`echo -n 'Archer C2300' | md5sum | cut -d' ' -f 1`

# AES key & iv params
AES="-K 2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836 -iv 360028C9064242F81074F4C127D299F6"

TMP=$IN-tmp-dir
mkdir -p $TMP

# decode binary file downloaded from TP-Link firmware - Backup
#$OPENSSL aes-256-cbc -d $AES -in $IN | $OPENSSL zlib -d -out $TMP/mid.bin
$OPENSSL aes-256-cbc -d $AES -in $IN | pigz -z -d > $TMP/mid.bin

# first 16 bytes are MD5 of product
FILE_MD5=`dd if=$TMP/mid.bin  bs=1 count=16 2>/dev/null |  hexdump -v -e '/1 "%02x"'`

echo "File MD5: ${FILE_MD5}, product MD5: ${OUR_MD5}"
[ "${OUR_MD5}" != "${FILE_MD5}" ] && echo "MD5 product signature mismatch. Restoring from xml2bin output is not recommended." || echo "Matching MD5 product signature found."

# skip 16 bytes of md5 and extract orig.bin file
dd if=$TMP/mid.bin of=$TMP/orig.bin bs=1 skip=16 2>/dev/null

# decrypt again to get xml file
$OPENSSL aes-256-cbc -d $AES -in $TMP/orig.bin | pigz -z -d > $OUT

echo XML file saved in $OUT
rm -rf $TMP

xml2bin:

#!/bin/bash
[ $# -lt 1 ] && echo "Syntax: $0 filename.xml [output-filename.bin]" && exit

IN=$1
[ $# -lt 2 ] && OUT=${IN%.*}.bin || OUT=$2

OPENSSL=/usr/local/opt/openssl/bin/openssl

[ ! -f $IN ] && echo File $IN does not exist && exit

# MD5 used for Archer C2300
OUR_MD5=`echo -n "Archer C2300" | md5sum | cut -d' ' -f 1`

# AES key & iv params
AES="-K 2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836 -iv 360028C9064242F81074F4C127D299F6"

TMP=$IN-tmp-dir
mkdir -p $TMP

# encrypt xml to get orig.bin file
cat $IN | pigz -z | $OPENSSL aes-256-cbc $AES -out $TMP/orig.bin

# create binary file (16 bytes) with content of product name md5
echo $OUR_MD5 | xxd -r -p >$TMP/md5file

# concatenate md5 file + orig.bin into mid.bin
cat $TMP/md5file $TMP/orig.bin >$TMP/mid.bin

# encrypt mid.bin to prepare final .bin acceptable by TP-Link firmware - Restore
pigz -z < $TMP/mid.bin | $OPENSSL aes-256-cbc $AES -out $OUT

echo BIN file saved in $OUT

rm -rf $TMP

fredguth commented 2 years ago
~ ❯ which openssl    Py base 21:31:08
/opt/homebrew/opt/openssl@3/bin/openssl
~ ❯ openssl version    Py base 22:10:24
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)

fredguth commented 2 years ago

With your bin2xml.sh, I also get a product name mismatch. I believe the problem is that my product is Archer C2300(US) V1 and not (EU).

dbouras commented 2 years ago

I don't think that is the problem; I have the same product (version strings are identical to yours). Do the MD5 signatures match when you run bin2xml?

fredguth commented 2 years ago
~/code/ac2300 ❯ sh ./tplink-archer-c2300/scripts/bin2xml.sh backup-AC2300-2022-01-31.bin    Py base 20:00:29
File MD5: b37598ac5105ea9974fc6634a4c92a76, product MD5: 265bb095084b919cc022676898140b8c
MD5 product signature mismatch. Restoring from xml2bin output is not recommended.
XML file saved in backup-AC2300-2022-01-31.xml

Here is my backup file https://1drv.ms/u/s!Anhzg7v0vslFlfhp8KGwADG2fWaK2w?e=CdF9hw

dbouras commented 2 years ago

Works fine here:

% ./bin2xml.sh backup-AC2300-2022-01-31.bin 
File MD5: b37598ac5105ea9974fc6634a4c92a76, product MD5: b37598ac5105ea9974fc6634a4c92a76
Matching MD5 product signature found.
XML file saved in backup-AC2300-2022-01-31.xml

I think OSX's stock md5sum is the issue - install a replacement with brew:

% which md5sum
/usr/local/bin/md5sum
% md5sum --version
md5sum (GNU coreutils) 9.0
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Ulrich Drepper, Scott Miller, and David Madore.
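The layering that bin2xml and xml2bin walk through (a 16-byte MD5 of the product name prepended to the zlib-compressed payload, then the product-signature comparison) and the digest diagnostic for the mismatch discussed in this thread, as an added Python example that is not part of the repository's scripts. It uses only the standard library, so the two AES-256-CBC layers the scripts apply with `openssl aes-256-cbc -K ... -iv ...` are left out; the product name "Archer C2300", the 16-byte header and the XML sample are the only values taken from the thread, and the sample XML is constructed.

```python
import hashlib
import zlib

PRODUCT = "Archer C2300"  # product name the scripts hash for the 16-byte header
MD5_LEN = 16

# Constructed sample payload; a real backup holds the router's full config XML.
SAMPLE_XML = b"<?xml version='1.0'?><config><RemoteSSH>1</RemoteSSH></config>"


def product_md5(name: str) -> bytes:
    """MD5 of the product name exactly as the scripts intend (no trailing newline)."""
    return hashlib.md5(name.encode()).digest()


def pack_mid(xml: bytes, name: str = PRODUCT) -> bytes:
    """Build the 'mid.bin' layer as xml2bin does: 16-byte product MD5 + zlib payload.
    The scripts additionally AES-encrypt the payload before compressing it and
    AES-encrypt mid.bin afterwards; both layers are omitted here (no AES in stdlib)."""
    return product_md5(name) + zlib.compress(xml)


def unpack_mid(mid: bytes, name: str = PRODUCT):
    """Parse 'mid.bin' as bin2xml does: split off the 16-byte header, compare it with
    MD5(product name), decompress the remainder. Returns (signature_matches, payload)."""
    if len(mid) < MD5_LEN:
        raise ValueError("mid.bin shorter than the 16-byte product signature")
    header, body = mid[:MD5_LEN], mid[MD5_LEN:]
    return header == product_md5(name), zlib.decompress(body)


def echo_variants(name: str) -> dict:
    """Digests a shell pipeline like `echo -n '<name>' | md5sum` can end up computing.
    Only 'exact' is what the header should carry; the other two appear when the
    shell's echo appends a newline or prints a literal '-n' instead of honouring it.
    Matching the script's printed 'product MD5' against these shows which bytes
    were actually hashed."""
    return {
        "exact": hashlib.md5(name.encode()).hexdigest(),
        "with_newline": hashlib.md5((name + "\n").encode()).hexdigest(),
        "literal_-n": hashlib.md5(("-n " + name + "\n").encode()).hexdigest(),
    }


def demo() -> bool:
    """Round-trip the constructed XML and confirm the signature check passes."""
    ok, payload = unpack_mid(pack_mid(SAMPLE_XML))
    return ok and payload == SAMPLE_XML
```

Run `demo()` for the round trip; feed `unpack_mid` a mid.bin produced by the scripts (after the outer `openssl aes-256-cbc -d ... | pigz -z -d` step) to check the header with a known-good MD5 independent of the shell's md5sum.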