On the v1 firmware DES keys are stored in libcmm.so. These are the functions called in that file and the location of the keys (I used radare2):
478DA50FF9E3D2CB > p8 8 @0xc0000-0x21a0
dm_loadCfg (/etc/default_config.xml) > dm_decryptFile
dm_init (/etc/reduced_data_model.xml) > dm_decryptFile
478DA50BF9E3D2CF > p8 8 @0xf0000-0x5cf0
rdp_backupCfg & rdp_restoreCfg (conf.bin) > cen_desMinDo > cen_md5VerifyDigest > cen_uncompressBuff
rdp_saveModem3gFile > rsl_3g_saveModem3gFile
I did not spend time trying to fully decode /etc/default_config.xml or /etc/reduced_data_model.xml. The DES key works, but is not quite enough alone. For example, the command below mostly works to decode more than half the file's contents, but not all. The dm_loadCfg function would have to be looked at closer (perhaps simply due to how it processes file buffers?).
openssl enc -d -des-ecb -nopad -K 478DA50FF9E3D2CB -in default_config.xml > default_config_decrypted.xml
Does tpconf_bin_xml.py successfully handle firmware v2 configuration files (conf.bin)? If so, that means the conf.bin key and compression are the same as v1... I'd be surprised if the other key would be different, but I don't know.
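The DES-ECB decryption described in the comment above, as an added example that is not part of the original issue or of the tpconf_bin_xml.py project. It assumes only the default_config.xml key quoted in the thread (478DA50FF9E3D2CB) and a constructed sample plaintext so that it runs offline; it does not claim anything about how dm_loadCfg handles the file beyond what the comment says. Two practitioner details are built in: with -nopad, openssl refuses an input whose length is not a multiple of 8, so the script decrypts the whole-block prefix and reports the leftover byte count instead of failing; and because OpenSSL 3 moved single DES into the legacy provider, the script uses three-key DES-EDE in ECB mode (-des-ede3) with the 8-byte key repeated three times, which is mathematically identical to single-DES ECB (E_K(D_K(E_K(x))) = E_K(x)) and works on both OpenSSL 1.1 and 3.x without loading extra providers.

```shell
#!/bin/sh
# Added example: single-DES ECB decryption of a default_config.xml-style
# blob with the key the thread lists for libcmm.so. Not code from the
# original issue or from tpconf_bin_xml.py.
#
# OpenSSL 3 moved single DES into the "legacy" provider, so "-des-ecb" fails
# unless that provider is loaded. Three-key DES-EDE with K1 = K2 = K3 is
# E_K(D_K(E_K(x))) = E_K(x), i.e. plain single DES, and "-des-ede3" (EDE in
# ECB mode) lives in the default provider of both OpenSSL 1.1 and 3.x, so the
# 8-byte key is simply repeated three times.
set -eu

DES_KEY=478DA50FF9E3D2CB              # key quoted in the thread for v1 firmware
EDE_KEY="$DES_KEY$DES_KEY$DES_KEY"    # 24-byte key, K1 = K2 = K3

# des_ecb_raw MODE IN OUT : MODE is -e or -d; no padding, whole blocks only.
des_ecb_raw() {
    openssl enc "$1" -des-ede3 -nopad -K "$EDE_KEY" -in "$2" -out "$3"
}

# des_ecb_decrypt IN OUT : decrypt every complete 8-byte block of IN into
# OUT and print how many trailing bytes were left undecrypted. With -nopad
# openssl rejects an input whose length is not a multiple of 8 ("bad
# decrypt"), so the input is cut down to whole blocks first; what the
# firmware does with such a tail is exactly the open question in the thread.
des_ecb_decrypt() {
    src=$1; dst=$2
    size=$(wc -c < "$src")
    whole=$(( size - size % 8 ))
    tmp=$(mktemp)
    head -c "$whole" "$src" > "$tmp"
    if [ "$whole" -gt 0 ]; then
        des_ecb_raw -d "$tmp" "$dst"
    else
        : > "$dst"
    fi
    rm -f "$tmp"
    echo $(( size - whole ))
}

# Round trip on a constructed 40-byte plaintext (5 whole blocks, not a real
# TP-Link file). Three bytes are appended to the ciphertext to exercise the
# partial-block path. Prints "<1 if plaintext recovered> <tail byte count>".
demo_roundtrip() {
    dir=$(mktemp -d)
    printf '<?xml version="1.0"?><cfg><x>1</x></cfg>' > "$dir/plain.xml"
    des_ecb_raw -e "$dir/plain.xml" "$dir/enc.bin"
    printf 'ABC' >> "$dir/enc.bin"
    rest=$(des_ecb_decrypt "$dir/enc.bin" "$dir/dec.xml")
    if cmp -s "$dir/plain.xml" "$dir/dec.xml"; then ok=1; else ok=0; fi
    rm -rf "$dir"
    echo "$ok $rest"
}

# Against a real dump: des_ecb_decrypt default_config.xml default_config_decrypted.xml
```

On a real default_config.xml the printed count tells you immediately whether the file is block-aligned; a non-zero count means the bytes past the last whole block were never fed to DES at all, which is worth ruling out before digging into dm_loadCfg.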
Decrypting default_config.xml now works with latest openssl.
Moving information up to main README.md and closing issue...
Thank you.
Apologies, not an issue as such. Trying to replicate your work with a WD9970v2. Are you able to point me in the right direction for reading default_config.xml from the firmware image?
Many thanks :-)