Verify that image is encrypted
» hd DIRX1560A1_FW102B01.bin | less
» binwalk -E DIRX1560A1_FW102B01.bin
Decrypt image and extract content
With the below bash script we ..
Key and IV are publicly known for this firmware version so I won't go into detail on how to find them.
» cat decrypt.sh
#!/bin/bash
SIZE=$(stat -c%s $1)
BLOCKS=$SIZE/131072
for ((i=0; i<$BLOCKS; i++)) do
dd if=$1 iflag=skip_bytes,count_bytes skip=$((16+i*131072)) count=131072 \
| openssl aes-256-cbc -d -in /dev/stdin -out /dev/stdout -K 6865392d342b4d212964363d6d7e7765312c7132613364316e26322a5a5e2538 \
-iv 4a253169516c38243d6c6d2d3b384145 --nopad --nosalt \
| dd if=/dev/stdin of=$2 oflag=append conv=notrunc
done
» ./decrypt.sh DIRX1560A1_FW101B03.bin dec_DIRX1560A1_FW101B03.bin
» binwalk -eM dec_DIRX1560A1_FW101B03.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
WARNING: Extractor.execute failed to run external extractor 'ubireader_extract_files -o 'ubifs-root' '%e'': [Errno 2] No such file or directory: 'ubireader_extract_files', 'ubireader_extract_files -o 'ubifs-root' '%e'' might not be installed correctly
0 0x0 UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000
» ls -al _dec_DIRX1560A1_FW101B03.bin.extracted
-rw-rw-r-- 1 void void 51380224 Jun 18 13:28 0.ubi
» ~/ubi_reader/ubireader/scripts/ubireader_extract_files.py 0.ubi
Extracting files to: ubifs-root/677774186/rootfs_ubifs
UBIFS Fatal: Super block error: Wrong node type.
ubifs-root » tree
.
└── 677774186
├── METADATA
└── rootfs_ubifs
├── bin
[... snip ...]
We've now extracted the firmware and are able to read it's content.
