Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/0xricksanchez/dlink-decrypt

D-Link firmware decryption PoC
https://github.com/0xricksanchez/dlink-decrypt

cryptography decryption dlink encryption firmware firmware-analysis firmware-security iot

Last synced: about 1 month ago
JSON representation

D-Link firmware decryption PoC

Host: GitHub
URL: https://github.com/0xricksanchez/dlink-decrypt
Owner: 0xricksanchez
License: gpl-3.0
Created: 2020-04-13T11:43:10.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2023-12-21T05:03:52.000Z (9 months ago)
Last Synced: 2024-05-02T17:53:17.308Z (5 months ago)
Topics: cryptography, decryption, dlink, encryption, firmware, firmware-analysis, firmware-security, iot
Language: C
Size: 25.7 MB
Stars: 155
Watchers: 10
Forks: 43
Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-hacking-lists - 0xricksanchez/dlink-decrypt - D-Link firmware decryption PoC (C)

README

# dlink-decrypt

## ⚠️**DISCLAIMER**⚠️

The provided PoC works for the handful of devices that deploy this specific encrpytion scheme.
The reversing here was done for educational purposes.
If this PoC doesn't work for you and your encrypted firmware does not start with a 4-byte "SHRS" pattern that's expected.
Encryption schemes change over time.

## General

This is the PoC code for my [blogpost series](https://0x00sec.org/t/breaking-the-d-link-dir3060-firmware-encryption-recon-part-1/21943) about breaking encrypted D-Link firmware samples for further analysis:

* [part 1](https://0x00sec.org/t/breaking-the-d-link-dir3060-firmware-encryption-recon-part-1/21943)
* [part 2](https://0x00sec.org/t/breaking-the-d-link-dir3060-firmware-encryption-static-analysis-of-the-decryption-routine-part-2-1/22099)
* [part 3](https://0x00sec.org/t/breaking-the-d-link-dir3060-firmware-encryption-static-analysis-of-the-decryption-routine-part-2-2/22260/)

## Repo Contents

* src --> My re-constructed C code from the `imgdecrypt` disassembly
* bin --> Has compiled x64 versions of the `imgdecrypt` binary
* DIR_3060 --> Contains `public.pem` and the `imgdecrypt` binary from their root fs
* DIR_882 --> Analogous to *DIR_3060*
* test --> some test binaries for un-/packing

# Usage

For the basic decryption of a sample you can just invoke the python script as follows:
```
$ ./dlink-dec.py
Usage: python3 ./dlink-dec.py -i -o
```

I've also rapidly prototypted a D-Link like encryption that mimics the original one. You can test it by adding a mode flag to the invocation:
```
$ ./dlink-dec.py
Usage: python3 ./dlink-dec.py -i -o -m enc
```

## Alternative way:
As always there is also an alternative way using `openssl`:

```bash
dd if=enc.bin skip=1756 iflag=skip_bytes|openssl aes-128-cbc -d -p -nopad -nosalt -K "c05fbf1936c99429ce2a0781f08d6ad8" -iv "67c6697351ff4aec29cdbaabf2fbe346" --nosalt -in /dev/stdin -out dec.bin
```