# Decrypt firmware: DIR-X1560

In this analysis I'm using the firmware: [DIRX1560A1\_FW101B03.bin](https://www.dlinktw.com.tw/techsupport/download.ashx?file=11728)

### Verify that image is encrypted

An (older) encrypted firmware image should start with `encrpted_img`. Verify this using `hd`, or by looking at the entropy of the file with `binwalk`.

```bash
» hd DIRX1560A1_FW102B01.bin | less
» binwalk -E DIRX1560A1_FW102B01.bin 
```

### Decrypt image and extract content

With the bash script below we:

* skip the first 16 bytes
* extract 128kB blocks
* decrypt each block with AES-256-CBC, using the same key and IV for every block
* combine the decrypted blocks.

Key and IV are publicly known for this firmware version so I won't go into detail on how to find them.

```bash
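» cat decrypt.sh
#!/bin/bash
# Usage: ./decrypt.sh <encrypted.bin> <decrypted.bin>
BS=131072                        # the payload is encrypted in independent 128 kB blocks
SIZE=$(stat -c%s "$1")
BLOCKS=$(( (SIZE - 16) / BS ))   # the first 16 bytes are the header, not ciphertext
: > "$2"                         # start from an empty output file, since blocks are appended
for ((i=0; i<BLOCKS; i++)); do
	# Cut out block i, decrypt it (the IV restarts for every block), append the plaintext.
	dd if="$1" iflag=skip_bytes,count_bytes skip=$((16+i*BS)) count=$BS \
	| openssl aes-256-cbc -d -in /dev/stdin -out /dev/stdout -K 6865392d342b4d212964363d6d7e7765312c7132613364316e26322a5a5e2538 \
		-iv 4a253169516c38243d6c6d2d3b384145 -nopad -nosalt \
	| dd if=/dev/stdin of="$2" oflag=append conv=notrunc
done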
```

```bash
» ./decrypt.sh DIRX1560A1_FW101B03.bin dec_DIRX1560A1_FW101B03.bin
» binwalk -eM dec_DIRX1560A1_FW101B03.bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

WARNING: Extractor.execute failed to run external extractor 'ubireader_extract_files -o 'ubifs-root' '%e'': [Errno 2] No such file or directory: 'ubireader_extract_files', 'ubireader_extract_files -o 'ubifs-root' '%e'' might not be installed correctly
0             0x0             UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000

» ls -al _dec_DIRX1560A1_FW101B03.bin.extracted
-rw-rw-r-- 1 void void 51380224 Jun 18 13:28 0.ubi
```

I have dependency issues with [ubi\_reader](https://github.com/onekey-sec/ubi_reader) and instead of solving it I simply use the scripts from the ubi\_reader repo.

```bash
» ~/ubi_reader/ubireader/scripts/ubireader_extract_files.py 0.ubi
Extracting files to: ubifs-root/677774186/rootfs_ubifs
UBIFS Fatal: Super block error: Wrong node type.

ubifs-root » tree
.
└── 677774186
    ├── METADATA
    └── rootfs_ubifs
        ├── bin
        [... snip ...]
```

We've now extracted the firmware and are able to read its content.
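
The two states seen above, the `encrpted_img` header with a high-entropy payload before decryption and a UBI header at offset 0 after it, can be checked in one pass. The following is an added example, not part of the original notes or of any D-Link or binwalk code; the function names, the 7.9 threshold and the sample inputs are assumptions made for illustration.

```python
import math
import os
from collections import Counter

ENC_MAGIC = b"encrpted_img"  # header string named above (spelled as on the page)
UBI_MAGIC = b"UBI#"          # magic of the UBI erase count header binwalk reports
HEADER_LEN = 16              # bytes skipped by decrypt.sh
BLOCK = 131072               # 128 kB block size used by decrypt.sh


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(image: bytes, threshold: float = 7.9) -> dict:
    """Report the header magic and the per-block entropy of the payload."""
    encrypted_header = image.startswith(ENC_MAGIC)
    payload = image[HEADER_LEN:] if encrypted_header else image
    blocks = [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)]
    entropies = [shannon_entropy(b) for b in blocks]
    high = sum(e >= threshold for e in entropies)
    if encrypted_header:
        verdict = "encrypted"
    elif image.startswith(UBI_MAGIC):
        verdict = "decrypted-ubi"
    elif entropies and high == len(entropies):
        verdict = "high-entropy-unknown"  # no known magic, but looks like ciphertext
    else:
        verdict = "unknown"
    return {"verdict": verdict, "blocks": len(blocks),
            "high_entropy_blocks": high,
            "min_entropy": min(entropies, default=0.0)}


# Constructed sample inputs (not real firmware): random bytes stand in for the
# ciphertext, 4 filler bytes pad the header to 16, and a UBI magic followed by
# zeros stands in for a decrypted image.
SAMPLE_ENCRYPTED = ENC_MAGIC + b"\x00" * 4 + os.urandom(2 * BLOCK)
SAMPLE_DECRYPTED = UBI_MAGIC + b"\x00" * (2 * BLOCK - 4)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENCRYPTED
    print(classify(data))
```

Run it once on the downloaded image and once on the output of `decrypt.sh`; a wrong key or IV typically shows up as a result that is neither `encrypted` nor `decrypted-ubi`.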


