sta-c0000 / tpconf_bin_xml

Command line utility to convert TP-Link router backup config files

How did you recover DES keys? (reading default_config.xml) #2

Closed ghost closed 5 years ago

ghost commented 6 years ago

Apologies, not an issue as such. Trying to replicate your work with a WD9970v2. Are you able to point me in the right direction for reading default_config.xml from the firmware image?

Many thanks :-)

sta-c0000 commented 6 years ago

On the v1 firmware DES keys are stored in libcmm.so. These are the functions called in that file and the location of the keys (I used radare2):

478DA50FF9E3D2CB         > p8 8 @0xc0000-0x21a0
    dm_loadCfg (/etc/default_config.xml) > dm_decryptFile
    dm_init (/etc/reduced_data_model.xml) > dm_decryptFile
478DA50BF9E3D2CF         > p8 8 @0xf0000-0x5cf0
    rdp_backupCfg & rdp_restoreCfg (conf.bin) > cen_desMinDo, > cen_md5VerifyDigest, > cen_uncompressBuff
    rdp_saveModem3gFile > rsl_3g_saveModem3gFile

I did not spend time trying to fully decode /etc/default_config.xml or /etc/reduced_data_model.xml. The DES key works, but is not quite enough alone. For example, the command below mostly works to decode more than half the file's contents, but not all. The dm_loadCfg function would have to be looked at closer (perhaps simply due to how it processes file buffers?).

openssl enc -d -des-ecb -nopad -K 478DA50FF9E3D2CB -in default_config.xml > default_config_decrypted.xml

Does tpconf_bin_xml.py successfully handle firmware v2 configuration files (conf.bin)? If so, that means the conf.bin key and compression are the same as v1... I'd be surprised if the other key would be different, but I don't know.

sta-c0000 commented 5 years ago

Decrypting default_config.xml now works with latest openssl. Moving information up to main README.md and closing issue... Thank you.
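As an added illustration (not code from the tpconf_bin_xml project or from either commenter), here is a POSIX shell script that mirrors the decrypt, digest-verify, unpack sequence the libcmm.so call chain in the earlier comment suggests (cen_desMinDo, cen_md5VerifyDigest, cen_uncompressBuff; the decompression step is left out), using the default_config.xml key quoted there. The container layout it uses (a 16-byte MD5 followed by the zero-padded body) is an assumption made for the sample, not the verified TP-Link format, and the script builds its own constructed sample rather than reading a real firmware or backup file. It also handles the OpenSSL version difference behind the last comment: OpenSSL 3 moved single DES into the legacy provider, so `-des-ecb` fails there unless `-provider legacy -provider default` is passed, while OpenSSL 1.1 has no providers and rejects that flag.

```shell
#!/bin/sh
# Added example; not code from the tpconf_bin_xml project.
# Assumed container layout (a simplification, not the verified TP-Link format):
#   DES-ECB( MD5(body) [16 bytes] || body ), where body is the config text
#   zero-padded to a multiple of the 8-byte DES block size.
KEY=478DA50FF9E3D2CB   # default_config.xml key quoted in the thread

# OpenSSL 3 moved single DES into the "legacy" provider, so des-ecb needs it
# loaded explicitly; OpenSSL 1.1 has no providers and would reject the flag.
if openssl list -providers >/dev/null 2>&1; then
  PROV="-provider legacy -provider default"
else
  PROV=""
fi

# Raw DES-ECB with no padding, stdin -> stdout. $1 is -e (encrypt) or -d (decrypt).
des_ecb() {
  # shellcheck disable=SC2086  # PROV is intentionally word-split
  openssl enc "$1" -des-ecb -nopad -K "$KEY" $PROV
}

# Lowercase hex MD5 of file $1 (same encoding for stored and computed digests).
md5hex() {
  openssl dgst -md5 -binary "$1" | od -An -tx1 | tr -d ' \n'
}

# Build a constructed sample container from plaintext on stdin into file $1.
pack_sample() {
  body=$(mktemp)
  cat > "$body"
  size=$(wc -c < "$body")
  pad=$(( (8 - size % 8) % 8 ))      # -nopad refuses a partial final block
  if [ "$pad" -gt 0 ]; then
    head -c "$pad" /dev/zero >> "$body"
  fi
  { openssl dgst -md5 -binary "$body"; cat "$body"; } | des_ecb -e > "$1"
  rm -f "$body"
}

# Decrypt container $1, check the leading MD5 against the rest, write the body
# to $2. Returns 0 if the digest matches, 1 otherwise. The digest is unkeyed:
# it catches corruption, not tampering by anyone who holds the firmware key.
unpack_verify() {
  plain=$(mktemp)
  des_ecb -d < "$1" > "$plain"
  stored=$(head -c 16 "$plain" | od -An -tx1 | tr -d ' \n')
  tail -c +17 "$plain" > "$2"
  rm -f "$plain"
  [ "$stored" = "$(md5hex "$2")" ]
}

# Strip the zero padding to recover the config text from an unpacked body.
body_text() { tr -d '\000' < "$1"; }

# Usage:
#   printf '<config/>' | pack_sample sample.bin
#   unpack_verify sample.bin body.bin && body_text body.bin
```

The point the verification step makes for a defender: with ECB, damaging one ciphertext block only scrambles that block, and the digest catches it; but because the MD5 is not keyed and the DES key is shared by every unit running that firmware, anyone holding the key can rewrite both body and digest, so the check provides integrity against accidents, not authenticity against an attacker.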