Decrypt firmware: DIR-X1560

In this analasys Im using firmware: DIRX1560A1_FW101B03.bin

Verify that image is encrypted

An (older) encrypted firmware should start with encrpted_img, verify using hd or by looking on the entropy of the file with binwalk.

» hd DIRX1560A1_FW102B01.bin | less
» binwalk -E DIRX1560A1_FW102B01.bin

Decrypt image and extract content

With the below bash script we ..

skip the first 16 bytes
extract 128kB blocks
decrypt each block
combine the decrypted blocks.

Key and IV are publicly known for this firmware version so I won't go into detail on how to find them.

» cat decrypt.sh
#!/bin/bash
SIZE=$(stat -c%s $1)
BLOCKS=$SIZE/131072
for ((i=0; i<$BLOCKS; i++)) do
	dd if=$1 iflag=skip_bytes,count_bytes skip=$((16+i*131072)) count=131072 \
	| openssl aes-256-cbc -d -in /dev/stdin -out /dev/stdout -K 6865392d342b4d212964363d6d7e7765312c7132613364316e26322a5a5e2538 \
		-iv 4a253169516c38243d6c6d2d3b384145 --nopad --nosalt \
	| dd if=/dev/stdin of=$2 oflag=append conv=notrunc
done

» ./decrypt.sh DIRX1560A1_FW101B03.bin dec_DIRX1560A1_FW101B03.bin
» binwalk -eM dec_DIRX1560A1_FW101B03.bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

WARNING: Extractor.execute failed to run external extractor 'ubireader_extract_files -o 'ubifs-root' '%e'': [Errno 2] No such file or directory: 'ubireader_extract_files', 'ubireader_extract_files -o 'ubifs-root' '%e'' might not be installed correctly
0             0x0             UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000

» ls -al _dec_DIRX1560A1_FW101B03.bin.extracted
-rw-rw-r-- 1 void void 51380224 Jun 18 13:28 0.ubi

I have dependancy issues with ubi_reader and instead of solving it I simply use the scripts from the ubi_reader repo.

» ~/ubi_reader/ubireader/scripts/ubireader_extract_files.py 0.ubi
Extracting files to: ubifs-root/677774186/rootfs_ubifs
UBIFS Fatal: Super block error: Wrong node type.

ubifs-root » tree
.
└── 677774186
    ├── METADATA
    └── rootfs_ubifs
        ├── bin
        [... snip ...]

We've now extracted the firmware and are able to read it's content.

Last updated 1 year ago

Was this helpful?

» cat decrypt.sh #!/bin/bash SIZE=$(stat -c%s $1) BLOCKS=$SIZE/131072 for ((i=0; i<$BLOCKS; i++)) do dd if=$1 iflag=skip_bytes,count_bytes skip=$((16+i*131072)) count=131072 \ | openssl aes-256-cbc -d -in /dev/stdin -out /dev/stdout -K 6865392d342b4d212964363d6d7e7765312c7132613364316e26322a5a5e2538 \ -iv 4a253169516c38243d6c6d2d3b384145 --nopad --nosalt \ | dd if=/dev/stdin of=$2 oflag=append conv=notrunc done

» ./decrypt.sh DIRX1560A1_FW101B03.bin dec_DIRX1560A1_FW101B03.bin » binwalk -eM dec_DIRX1560A1_FW101B03.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- WARNING: Extractor.execute failed to run external extractor 'ubireader_extract_files -o 'ubifs-root' '%e'': [Errno 2] No such file or directory: 'ubireader_extract_files', 'ubireader_extract_files -o 'ubifs-root' '%e'' might not be installed correctly 0 0x0 UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000 » ls -al _dec_DIRX1560A1_FW101B03.bin.extracted -rw-rw-r-- 1 void void 51380224 Jun 18 13:28 0.ubi

» ~/ubi_reader/ubireader/scripts/ubireader_extract_files.py 0.ubi Extracting files to: ubifs-root/677774186/rootfs_ubifs UBIFS Fatal: Super block error: Wrong node type. ubifs-root » tree . └── 677774186 ├── METADATA └── rootfs_ubifs ├── bin [... snip ...]