Decrypt firmware: DIR-X1560

In this analasys Im using firmware: DIRX1560A1_FW101B03.bin

Verify that image is encrypted

An (older) encrypted firmware should start with encrpted_img, verify using hd or by looking on the entropy of the file with binwalk.

» hd DIRX1560A1_FW102B01.bin | less
» binwalk -E DIRX1560A1_FW102B01.bin

Decrypt image and extract content

With the below bash script we ..

  • skip the first 16 bytes

  • extract 128kB blocks

  • decrypt each block

  • combine the decrypted blocks.

Key and IV are publicly known for this firmware version so I won't go into detail on how to find them. 

» cat decrypt.sh
#!/bin/bash
SIZE=$(stat -c%s $1)
BLOCKS=$SIZE/131072
for ((i=0; i<$BLOCKS; i++)) do
	dd if=$1 iflag=skip_bytes,count_bytes skip=$((16+i*131072)) count=131072 \
	| openssl aes-256-cbc -d -in /dev/stdin -out /dev/stdout -K 6865392d342b4d212964363d6d7e7765312c7132613364316e26322a5a5e2538 \
		-iv 4a253169516c38243d6c6d2d3b384145 --nopad --nosalt \
	| dd if=/dev/stdin of=$2 oflag=append conv=notrunc
done

I have dependancy issues with ubi_reader and instead of solving it I simply use the scripts from the ubi_reader repo.

We've now extracted the firmware and are able to read it's content.

Last updated

Was this helpful?