{"id":19236412,"url":"https://github.com/infobyte/draytek-arsenal","last_synced_at":"2025-07-22T22:34:15.108Z","repository":{"id":230093024,"uuid":"778447245","full_name":"infobyte/draytek-arsenal","owner":"infobyte","description":"Reverse Engineering and Observability toolkit for Draytek firewalls","archived":false,"fork":false,"pushed_at":"2025-02-28T12:49:40.000Z","size":60,"stargazers_count":39,"open_issues_count":1,"forks_count":5,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-04-21T05:42:18.303Z","etag":null,"topics":["extraction","firmware","modification","reverse-engineering"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/infobyte.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-03-27T18:36:47.000Z","updated_at":"2025-04-03T10:25:26.000Z","dependencies_parsed_at":"2024-03-27T20:30:25.992Z","dependency_job_id":"09e9d3b5-2573-4590-a751-8045073a1c85","html_url":"https://github.com/infobyte/draytek-arsenal","commit_stats":null,"previous_names":["infobyte/draytek-arsenal"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/infobyte/draytek-arsenal","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobyte%2Fdraytek-arsenal","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobyte%2Fdraytek-arsenal/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobyte%2Fdraytek-arsenal/releases","manifests_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/repositories/infobyte%2Fdraytek-arsenal/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/infobyte","download_url":"https://codeload.github.com/infobyte/draytek-arsenal/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobyte%2Fdraytek-arsenal/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266586336,"owners_count":23952171,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["extraction","firmware","modification","reverse-engineering"],"created_at":"2024-11-09T16:20:30.553Z","updated_at":"2025-07-22T22:34:15.089Z","avatar_url":"https://github.com/infobyte.png","language":"Python","funding_links":[],"categories":["📚 Table of Contents"],"sub_categories":["Firmware Analysis \u0026 Extraction"],"readme":"# Draytek Arsenal: Observability and hardening toolkit for Draytek edge devices.\nAdvanced attackers are increasingly choosing edge devices as targets. However, these devices are controlled by closed-source software known as firmware, often distributed in a proprietary format. This is an added difficulty for defenders and researchers, who must understand how to extract firmware to assess its security.\n\nThis is more than just a hypothetical scenario, as we discovered recently when a client was compromised. 
With Draytek equipment at the edge of their infrastructure, the natural question was: Could this be the attackers' entry point? Over 500k Draytek devices are exposed to the Internet. Yet no working tool exists to extract their firmware and assist researchers and defenders working with these devices.\n\nDuring our assessment, we reverse-engineered Draytek's firmware format, which contains a bootloader, a compressed RTOS kernel, and two filesystems. Through our investigation, we developed tools to extract these components, unveiling the real-time operating system's capability to load code modules dynamically. These modules are loaded from one of the filesystems in the firmware image during boot but can also be loaded while the system is running and stored in a separate filesystem in flash memory. An attacker can exploit this feature to achieve persistence by loading a module that remains active even after a reboot or firmware upgrade, and the end user does not have a way to detect this type of attack. Consequently, we developed our own module to check the integrity of loaded modules in memory, mitigating this potential threat.\n\nIn our pursuit of a more secure internet, we are making this set of tools accessible to the community, enabling observability, hardening, transparency, and vulnerability research on Draytek edge devices.\n\n## Presentation\nThis tool was developed as part of a research project that was presented at [DEFCON HHV and La Villa Hacker](https://defcon.org/html/defcon-32/dc-32-creator-talks.html#54642). You can find the slides and PoC videos [here](https://drive.google.com/drive/folders/1G-fvAntkuCg9Hu_MeMSdYTCd7KAlIywk?usp=sharing). \n\n## Note\nWe initially developed this as an internal tool. It was just a set of scripts, but it showed great potential, prompting us to make it open-source. 
Since then, we have been working to integrate these scripts into the Python package you will find in this repo and make them compatible with other device models.\n\n## Get started ##\n\n__Requirements:__\n\n* Python3\n* Docker (Optional)\n\n### Installation ###\n\n(Optional) Create and activate a Python virtual environment:\n```bash\n$ python3 -m virtualenv .venv\n$ source .venv/bin/activate\n```\n\nInstall `draytek_arsenal`:\n```bash\n$ cd draytek_arsenal\n$ python3 -m pip install -r requirements.txt\n$ python3 -m pip install .\n```\n\nTest the installation:\n```\n$ python3 -m draytek_arsenal\n```\n\n### Install as developer ###\n\nThis installation picks up local code changes without reinstalling:\n```\n$ python3 -m pip install -e .\n```\n\n### Mips-tools ###\n\nSome commands, such as `mips_compile` and `mips_merge`, need a complementary Docker image in order to work.\nIf it has not been downloaded, this error message is shown:\n```\n[x] Image 'draytek-arsenal' not found. Please build or download the image.\n```\n\nYou can download the image with the following command:\n\n```bash\n$ docker pull ghcr.io/infobyte/draytek-arsenal:main\n```\n\nOr build it with:\n```bash\n$ docker build -t draytek-arsenal ./mips-tools\n```\n\nNote that the pulled image is named `ghcr.io/infobyte/draytek-arsenal:main`, while the error message above refers to a local image named `draytek-arsenal` (the name the build command assigns). If the commands still report the image as missing after a pull, tag the pulled image with that local name.\n\n## Usage ##\n\n`draytek-arsenal` is a set of scripts collected in a Python package. 
To use it, select a command:\n\n```\nusage: draytek-arsenal [-h] [command] args..\n```\n\nSome of the commands are:\n\n\n### parse_firmware ###\n\nParse and show information about a Draytek firmware image.\n\n```\nusage: parse_firmware [-h] firmware\n\npositional arguments:\n  firmware    Path to the firmware\n\noptions:\n  -h, --help  show this help message and exit\n```\n\n### extract_rtos (small business) ###\n\nExtract and decompress the firmware of Draytek devices running an RTOS.\n\n```\nusage: extract_rtos [-h] [--rtos RTOS] [--fs FS] [--dlm DLM] [--dlm-key1 DLM_KEY1]\n                  [--dlm-key2 DLM_KEY2]\n                  firmware\n\npositional arguments:\n  firmware              Path to the firmware\n\noptions:\n  -h, --help            show this help message and exit\n  --rtos RTOS, -r RTOS  File path where to extract and decompress the RTOS\n  --fs FS, -f FS        Directory path where to extract and decompress the File\n                        System\n  --dlm DLM, -d DLM     Directory path where to extract and decompress the DLMs\n  --dlm-key1 DLM_KEY1   First key used to decrypt DLMs\n  --dlm-key2 DLM_KEY2   Second key used to decrypt DLMs\n```\n\n### extract_linux ###\n\nExtract and decompress the firmware of Draytek devices running Linux.\n\n```\nusage: extract_linux [-h] [--fs FS] --key KEY firmware\n\npositional arguments:\n  firmware        Path to the firmware\n\noptions:\n  -h, --help      show this help message and exit\n  --fs FS, -f FS  Directory path where to extract and decompress the File System\n  --key KEY       Key used to decrypt\n```\n\n### dlm_hash ###\n\nGet the hash of a DLM module.\n\n```\nusage: dlm_hash [-h] [-c] dlm\n\npositional arguments:\n  dlm         Path to the dlm\n\noptions:\n  -h, --help  show this help message and exit\n  -c          Print as .c code\n```\n\n### find_loading_addr ###\n\nFind the address where the RTOS is loaded, using the first jump instruction.\n\n```\nusage: find_loading_addr [-h] rtos\n\npositional arguments:\n  rtos 
       Path to the rtos\n\noptions:\n  -h, --help  show this help message and exit\n```\n\n### find_endianness ###\n\nChecks if the RTOS is little or big endian.\n\n```\nusage: find_endianness [-h] rtos\n\npositional arguments:\n  rtos        Path to the rtos\n\noptions:\n  -h, --help  show this help message and exit\n```\n\n### mips_compile ###\n\nCompile a MIPS relocatable binary (used for DLMs).\n\n```\nusage: mips_compile [-h] output [input ...]\n\npositional arguments:\n  output      Output file\n  input       Input file(s)\n\noptions:\n  -h, --help  show this help message and exit\n```\n\n### mips_merge ###\n\nMerge two ELF MIPS relocatable files.\n\n```\nusage: mips_merge [-h] first_input second_input output\n\npositional arguments:\n  first_input   First input file\n  second_input  Second input file\n  output        Output file\n\noptions:\n  -h, --help    show this help message and exit\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfobyte%2Fdraytek-arsenal","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finfobyte%2Fdraytek-arsenal","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfobyte%2Fdraytek-arsenal/lists"}
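The README above says `find_endianness` and `find_loading_addr` work from the first jump instruction of the decompressed RTOS image. The block below is an added example, not code from draytek-arsenal, showing the generic MIPS32 J-type decoding behind that idea: the first instruction word is decoded under both byte orders, and the byte order under which it is a valid `j`/`jal` gives both the endianness and the low 28 bits of the jump target. The `region_base` parameter (e.g. 0x80000000 for KSEG0), the function names and the sample bytes are assumptions made for this example; the tool's own heuristics may differ.

```python
"""Heuristic first-jump decoding for a raw MIPS RTOS image (added example).

Not draytek-arsenal's code: it only demonstrates the MIPS32 J-type encoding,
which is what "use the first jump instruction" amounts to. Names, the
region_base convention and the sample bytes are assumptions for this example.
"""
import struct

MIPS_J = 0x02    # opcode field of `j`
MIPS_JAL = 0x03  # opcode field of `jal`


def decode_jump(word: int):
    """Return ('j' | 'jal', target_low28) if `word` is a J-type jump, else None.

    J-type: 6-bit opcode | 26-bit instr_index; target = (PC+4 & 0xF0000000) | (instr_index << 2).
    """
    opcode = word >> 26
    if opcode not in (MIPS_J, MIPS_JAL):
        return None
    instr_index = word & 0x03FFFFFF
    return ("j" if opcode == MIPS_J else "jal", instr_index << 2)


def first_jump(image: bytes):
    """Decode the first instruction word under both byte orders.

    Returns (endianness, mnemonic, target_low28) when exactly one byte order
    yields a jump. Returns None when neither does (the image may start with a
    header, so run it on the decompressed RTOS) or when both do (ambiguous,
    e.g. a palindromic word), rather than guessing.
    """
    if len(image) < 4:
        return None
    candidates = []
    for endianness, fmt in (("big", ">I"), ("little", "<I")):
        word = struct.unpack(fmt, image[:4])[0]
        decoded = decode_jump(word)
        if decoded:
            candidates.append((endianness,) + decoded)
    if len(candidates) != 1:
        return None
    return candidates[0]


def absolute_target(target_low28: int, region_base: int) -> int:
    """Combine the 28-bit target with the top nibble of the assumed region.

    A J-type jump only keeps the upper 4 bits of PC+4, so the caller must
    supply them (assumption: 0x80000000 for a KSEG0-resident kernel).
    """
    return (region_base & 0xF0000000) | target_low28


# Constructed sample: `j 0x1000` (instr_index 0x400) encoded big-endian,
# padded with zeros. Read little-endian the same bytes are 0x00040008,
# opcode 0 (SPECIAL), so the decode is unambiguous.
SAMPLE_BE = bytes.fromhex("08000400") + b"\x00" * 12

if __name__ == "__main__":
    found = first_jump(SAMPLE_BE)
    print(found)
    if found:
        print(hex(absolute_target(found[2], 0x80000000)))
```

Because the upper nibble is discarded by the encoding, the 28-bit value alone does not identify the load address; it identifies where the entry code jumps within a 256 MB region, and the region itself is an assumption the analyst has to supply (and verify against other evidence such as string references or the bootloader's load command).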