Decrypt firmware: DIR-X1560
In this analysis I'm using the firmware DIRX1560A1_FW101B03.bin
Verify that image is encrypted
An (older) encrypted firmware should start with encrpted_img; verify this using hd, or by looking at the entropy of the file with binwalk.
» hd DIRX1560A1_FW102B01.bin | less
» binwalk -E DIRX1560A1_FW102B01.bin
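The same two checks can be scripted. The following is an added example, not part of the original write-up: it tests for the encrpted_img header string, confirms the payload is a whole number of the 128 kB blocks that decrypt.sh (further down this page) expects after the 16-byte header, and measures the entropy of the first block. The 7.9 bits/byte threshold, the function names and the sample files are assumptions made for illustration.

```python
import math
import os
import tempfile
from collections import Counter

MAGIC = b"encrpted_img"  # header string quoted on the page
HEADER_LEN = 16          # bytes skipped by the page's decrypt.sh
BLOCK_LEN = 131072       # 128 kB block size used by decrypt.sh
THRESHOLD = 7.9          # assumed cut-off (bits/byte) for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def inspect_image(path: str) -> dict:
    """Check the header string, block layout and entropy of the first block."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        header = f.read(HEADER_LEN)
        first_block = f.read(BLOCK_LEN)
    payload = max(size - HEADER_LEN, 0)
    entropy = shannon_entropy(first_block)
    return {
        "magic_ok": header.startswith(MAGIC),
        "full_blocks": payload // BLOCK_LEN,
        # Non-zero means the payload is not a whole number of 128 kB blocks
        "trailing_bytes": payload % BLOCK_LEN,
        "entropy": round(entropy, 3),
        "looks_encrypted": entropy >= THRESHOLD,
    }

def make_sample(path: str, encrypted: bool) -> None:
    """Write a constructed two-block test image (random or zero-filled body)."""
    with open(path, "wb") as f:
        if encrypted:
            f.write(MAGIC.ljust(HEADER_LEN, b"\0") + os.urandom(2 * BLOCK_LEN))
        else:
            f.write(b"UBI#".ljust(HEADER_LEN, b"\0") + bytes(2 * BLOCK_LEN))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, enc in (("enc.bin", True), ("plain.bin", False)):
            p = os.path.join(d, name)
            make_sample(p, enc)
            print(name, inspect_image(p))
```

To check a real image, call inspect_image() with its path; a non-zero trailing_bytes value means the block count computed in decrypt.sh will not cover the whole file.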
Decrypt image and extract content
With the bash script below we:
- skip the first 16 bytes
- extract 128kB blocks
- decrypt each block
- combine the decrypted blocks.
Key and IV are publicly known for this firmware version so I won't go into detail on how to find them.
» cat decrypt.sh
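#!/bin/bash
# Usage: ./decrypt.sh <encrypted image> <output file>
SIZE=$(stat -c%s "$1")
# Number of 128 kB (131072-byte) blocks in the image
BLOCKS=$((SIZE / 131072))
# Start from an empty output file, since every block is appended below
: > "$2"
for ((i=0; i<BLOCKS; i++)); do
    # Skip the 16-byte header, read block i, decrypt it and append the result
    dd if="$1" iflag=skip_bytes,count_bytes skip=$((16+i*131072)) count=131072 \
    | openssl aes-256-cbc -d -in /dev/stdin -out /dev/stdout -K 6865392d342b4d212964363d6d7e7765312c7132613364316e26322a5a5e2538 \
        -iv 4a253169516c38243d6c6d2d3b384145 -nopad -nosalt \
    | dd if=/dev/stdin of="$2" oflag=append conv=notrunc
done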
» ./decrypt.sh DIRX1560A1_FW101B03.bin dec_DIRX1560A1_FW101B03.bin
» binwalk -eM dec_DIRX1560A1_FW101B03.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
WARNING: Extractor.execute failed to run external extractor 'ubireader_extract_files -o 'ubifs-root' '%e'': [Errno 2] No such file or directory: 'ubireader_extract_files', 'ubireader_extract_files -o 'ubifs-root' '%e'' might not be installed correctly
0 0x0 UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000
» ls -al _dec_DIRX1560A1_FW101B03.bin.extracted
-rw-rw-r-- 1 void void 51380224 Jun 18 13:28 0.ubi
I have dependency issues with ubi_reader and instead of solving it I simply use the scripts from the ubi_reader repo.
» ~/ubi_reader/ubireader/scripts/ubireader_extract_files.py 0.ubi
Extracting files to: ubifs-root/677774186/rootfs_ubifs
UBIFS Fatal: Super block error: Wrong node type.
ubifs-root » tree
.
└── 677774186
    ├── METADATA
    └── rootfs_ubifs
        ├── bin
        [... snip ...]
We've now extracted the firmware and are able to read its content.