Decrypt firmware: DIR-X1560

In this analysis I'm using firmware: DIRX1560A1_FW101B03.bin

Verify that image is encrypted

An (older) encrypted firmware image should start with encrpted_img. Verify this with hd, or by looking at the entropy of the file with binwalk.

» hd DIRX1560A1_FW102B01.bin | less
» binwalk -E DIRX1560A1_FW102B01.bin 
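The same two checks as a script, added here as an example and not part of the original write-up: it tests for the encrpted_img magic and measures the entropy of each 128kB block after the 16-byte header. The 7.9 bits/byte threshold, the function names and the sample images are assumptions made for this example.

```python
import math
import os
from collections import Counter

MAGIC = b"encrpted_img"   # magic string quoted on this page
HEADER_LEN = 16           # bytes skipped before the first block
BLOCK_LEN = 131072        # 128kB block size
ENTROPY_THRESHOLD = 7.9   # assumption: bits/byte at or above this "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def triage(image: bytes) -> dict:
    """Check the magic and measure the entropy of every full block after the header."""
    payload = image[HEADER_LEN:]
    full_blocks, trailing = divmod(len(payload), BLOCK_LEN)
    entropies = [
        shannon_entropy(payload[i * BLOCK_LEN:(i + 1) * BLOCK_LEN])
        for i in range(full_blocks)
    ]
    lowest = min(entropies, default=0.0)
    magic_ok = image.startswith(MAGIC)
    return {
        "magic_ok": magic_ok,
        "full_blocks": full_blocks,
        "trailing_bytes": trailing,  # bytes left over after the last full block
        "min_entropy": lowest,
        "looks_encrypted": magic_ok and full_blocks > 0 and lowest >= ENTROPY_THRESHOLD,
    }

def make_sample(encrypted: bool, blocks: int = 2, extra: int = 0) -> bytes:
    """Constructed test image; random bytes stand in for ciphertext."""
    if encrypted:
        # The 4 bytes after the magic are zero-filled here (constructed, not documented).
        return MAGIC + b"\x00" * 4 + os.urandom(blocks * BLOCK_LEN + extra)
    # Constructed plaintext-like image: repetitive, low-entropy content.
    return (b"UBI#" + b"\x00" * 60) * (blocks * BLOCK_LEN // 64)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

A non-zero trailing_bytes value means the image does not divide evenly into 128kB blocks after the header, which is worth knowing before running a block-by-block decrypt loop.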

Decrypt image and extract content

With the bash script below we:

  • skip the first 16 bytes

  • extract 128kB blocks

  • decrypt each block

  • combine the decrypted blocks.

Key and IV are publicly known for this firmware version so I won't go into detail on how to find them.

» cat decrypt.sh
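#!/bin/bash
# Usage: ./decrypt.sh <encrypted image> <output file>
SIZE=$(stat -c%s "$1")
BLOCKS=$((SIZE / 131072))   # number of 128kB blocks
: > "$2"                    # start from an empty output file, since blocks are appended
for ((i=0; i<BLOCKS; i++)); do
	# skip the 16-byte header, read block i, decrypt it, append it to the output
	dd if="$1" iflag=skip_bytes,count_bytes skip=$((16+i*131072)) count=131072 \
	| openssl aes-256-cbc -d -in /dev/stdin -out /dev/stdout -K 6865392d342b4d212964363d6d7e7765312c7132613364316e26322a5a5e2538 \
		-iv 4a253169516c38243d6c6d2d3b384145 -nopad -nosalt \
	| dd if=/dev/stdin of="$2" oflag=append conv=notrunc
done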
» ./decrypt.sh DIRX1560A1_FW101B03.bin dec_DIRX1560A1_FW101B03.bin
» binwalk -eM dec_DIRX1560A1_FW101B03.bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

WARNING: Extractor.execute failed to run external extractor 'ubireader_extract_files -o 'ubifs-root' '%e'': [Errno 2] No such file or directory: 'ubireader_extract_files', 'ubireader_extract_files -o 'ubifs-root' '%e'' might not be installed correctly
0             0x0             UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000

» ls -al _dec_DIRX1560A1_FW101B03.bin.extracted
-rw-rw-r-- 1 void void 51380224 Jun 18 13:28 0.ubi

I have dependency issues with ubi_reader, and instead of solving them I simply use the scripts from the ubi_reader repo.

» ~/ubi_reader/ubireader/scripts/ubireader_extract_files.py 0.ubi
Extracting files to: ubifs-root/677774186/rootfs_ubifs
UBIFS Fatal: Super block error: Wrong node type.

ubifs-root » tree
.
└── 677774186
    ├── METADATA
    └── rootfs_ubifs
        ├── bin
        [... snip ...]

We've now extracted the firmware and are able to read its contents.
