Tuesday, 31 March 2020

TP-Link RE200 config.bin decryption and manipulation

A very quick article showing how to decrypt the TP-Link RE200 config.bin.


This article builds on the concepts from the previous one and jumps straight into Ghidra to look at the _tddp_UploadFlashData routine in the httpd ELF.


The way the config is handled on upload is clear enough: the uploaded file is decrypted in its entirety, then an MD5 is computed over the decrypted data from offset 0x10 to the end of the file, and finally the result is compared with the first 0x10 bytes of the decrypted file, which hold the stored digest. If the two do not match the upload is rejected.
The encryption is DES in ECB mode with a fixed symmetric key recovered from the binary (the key passed with -K in the command below).

Demonstration:

OpenSSL can do this with the following command (the key is hex, -nopad because the file is already a multiple of the 8-byte DES block; on OpenSSL 3 single DES lives in the legacy provider, so add -provider legacy -provider default if enc reports an unsupported cipher):
# openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin > decrypted.bin

Alternatively, any other tool will do, for example demonslay335's CryptoTester:

Copy and paste the decrypted data into HxD.

Do a manual MD5 check by selecting all the bytes from 0x10 to the end of the file and comparing the digest with the first 0x10 bytes of the file.

You can now edit the decrypted config in a text editor (retrieve or change the admin password, for example), recompute the MD5 over the edited data from offset 0x10 to the end and write it into the first 0x10 bytes, encrypt the whole file again with the same key (DES-ECB without padding, so keep the total length a multiple of 8 bytes), and upload it through the web interface. That's all. :)
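The whole procedure in Python, as an added example that is not the post's own code: decrypt with DES-ECB, run the same MD5 check httpd does, patch a value, rebuild the digest and re-encrypt. It assumes either pycryptodome or the cryptography package is installed (cryptography exposes single DES as TripleDES with three identical keys), the sample config body is constructed for the demo because the real RE200 layout is not shown on the page, and the NUL padding used to keep the file block aligned is an assumption since the post does not say what the firmware pads with.

```python
"""RE200 config.bin: DES-ECB decrypt, MD5 check, edit, re-encrypt (added example)."""
import hashlib
import sys

DES_KEY = bytes.fromhex("478DA50BF9E3D2CF")   # key from the post's openssl command
DIGEST_LEN = 0x10                             # MD5 of plain[0x10:] is stored at plain[:0x10]
BLOCK = 8                                     # DES block size; -nopad means the file is aligned


def _des_ecb(key):
    """Return (encrypt, decrypt) callables for raw DES-ECB, no padding.

    pycryptodome is used when installed; otherwise the cryptography package,
    where single DES is TripleDES with K1 == K2 == K3 (hence key * 3)."""
    try:
        from Crypto.Cipher import DES
        c = DES.new(key, DES.MODE_ECB)
        return c.encrypt, c.decrypt
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, modes
        try:
            from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
        except ImportError:  # cryptography < 43 keeps it under primitives
            from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
        cipher = Cipher(TripleDES(key * 3), modes.ECB())

        def run(ctx, data):
            return ctx.update(data) + ctx.finalize()
        return (lambda d: run(cipher.encryptor(), d),
                lambda d: run(cipher.decryptor(), d))


def decrypt_config(blob, key=DES_KEY):
    """Equivalent of: openssl enc -d -des-ecb -nopad -K <key> -in config.bin"""
    if len(blob) % BLOCK:
        raise ValueError("config.bin is not a multiple of 8 bytes; wrong file?")
    return _des_ecb(key)[1](blob)


def encrypt_config(plain, key=DES_KEY):
    """Inverse of decrypt_config; plain must already be block aligned."""
    if len(plain) % BLOCK:
        raise ValueError("plaintext must be block aligned; use build_config()")
    return _des_ecb(key)[0](plain)


def verify_config(plain):
    """The check httpd performs after decryption: MD5(plain[0x10:]) == plain[:0x10]."""
    return hashlib.md5(plain[DIGEST_LEN:]).digest() == plain[:DIGEST_LEN]


def build_config(body, pad=b"\x00"):
    """Turn an edited body back into a verifiable decrypted image.

    The body is padded to a DES block boundary first, because the firmware
    hashes everything after offset 0x10 up to the end of the file, so any
    padding is covered by the digest. NUL padding is an assumption: the post
    does not say what the firmware pads with (the stock file is already aligned)."""
    body += pad * (-len(body) % BLOCK)
    return hashlib.md5(body).digest() + body


# Constructed sample body; the real RE200 config layout is not shown in the post.
SAMPLE_BODY = b'<config><user name="admin" pwd="oldpass"/></config>\n'


def change_value(blob, old, new, key=DES_KEY):
    """Decrypt, refuse files that fail the MD5 check, replace old with new in
    the body, and return a fresh config.bin with a recomputed digest."""
    plain = decrypt_config(blob, key)
    if not verify_config(plain):
        raise ValueError("MD5 check failed: wrong key or not a config.bin")
    body = plain[DIGEST_LEN:].replace(old, new)
    return encrypt_config(build_config(body), key)


if __name__ == "__main__":
    if len(sys.argv) == 2:                        # python3 re200cfg.py config.bin
        plain = decrypt_config(open(sys.argv[1], "rb").read())
        print("md5 ok:", verify_config(plain), file=sys.stderr)
        sys.stdout.buffer.write(plain[DIGEST_LEN:])
    else:                                         # offline round trip on the sample
        blob = encrypt_config(build_config(SAMPLE_BODY))
        patched = change_value(blob, b"oldpass", b"newpass")
        print(verify_config(decrypt_config(patched)), decrypt_config(patched)[DIGEST_LEN:])
```

Run it with a real config.bin as the only argument to dump the decrypted body to stdout (the MD5 verdict goes to stderr); without arguments it round-trips the constructed sample. A failed verify_config on a freshly downloaded file means either the key differs on your hardware revision or the file is not this format, which is exactly the situation described in the comments below for other models.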




Cheers,
RE-Solver







8 comments:

  1. Hi! My name is Jimmy :)
    Recently I'm doing security research on my newly purchased TP-Link Archer C20 wifi router (v4 hardware with firmware 191025) and while I was stuck trying to decrypt my conf.bin I came across these great posts of yours.
    A problem I met is that unlike many cases you and other folks shared, using openssl to decrypt conf.bin from this model only results in partially decrypted data.
    I can confirm the DES key is the same (478DA50BF9E3D2CF) as I used ghidra to find the key by myself before noticing that a lot of guys already know it, lol.
    My guess after browsing through the ghidra decompiled code is this model might be using a different mode of DES instead of ECB so it requires an IV to fully decrypt conf.bin, but again it's just a guess.
    I'm very new to RE so I'm really confused on how I can figure out the way to fully decrypt, so I hope you can provide me with a nudge :)
    If you are willing to keep in contact and help me with my problem, please shoot me an email. Thanks a bunch! Many thanks!

    1. The DES key looks valid for your router as well.
      Take a look at rsl_sys_backupCfg (also rsl_sys_restoreCfg) in libcmm.so.
      You'll see the cen_compressBuff call. The config appears to be compressed before being encrypted.
      The different step seems to be the compression step.

      The decompression module cen_uncompressBuff looks easy to reverse.
      Keep me updated.
      Bye

  2. Do you have any suggestions for decrypting the Archer AX10/AX1500 config backup file? I tried the above method and other similar methods from the web but nothing so far. I need to get SSH access and then gain root to make a custom IPv6 firewall (at the moment the AX10 blocks all incoming IPv6).
    I tried the described method (from the C1200 here: https://forum.openwrt.org/t/build-for-tp-link-archer-c1200-ac1200/2547/) but nothing. From what I could find out, my router is from the same "generation" as the C1200 (new logo, they both have this recovery method: https://www.tp-link.com/us/support/faq/1482/, and like the C1200 the AX10/AX1500 also uses custom OpenWrt 12.09-rc1). I'm stuck and I have limited experience with this :D

    1. aes-256-cbc
      KEY: 2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836 IV: 360028C9064242F81074F4C127D299F6

      $ openssl aes-256-cbc -d -in "/tmp/ori-backup-userconf.bin" -K 2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836 -iv 360028C9064242F81074F4C127D299F6 | openssl zlib -d

      You should get the xml.
      Bye

    2. Thank you! It is working! Using the key you provided and this app: https://github.com/knownunown/tpl-c900-openwrt-install

  3. Hi, I have an RE220... I can decrypt config.bin with this key: 2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836 and IV 360028C9064242F81074F4C127D299F6. I get a zlib-compressed file, but when I try to uncompress it with zlib-flate there is no XML, and the contents are still unreadable. Is there another layer of encryption/compression maybe? Thanks for your help :)

    1. Perhaps it is a TAR?
      try running the file command against it.

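The AES-256-CBC plus zlib pipeline from the reply to comment 2, and the "what is the inflated blob" question from comment 3, in one Python script. This is an added example, not code from the post or from the commenters: it uses the key and IV quoted in the reply, assumes pycryptodome or the cryptography package is installed, strips PKCS#7 padding strictly (what openssl enc does by default, so a wrong key or IV fails loudly instead of feeding garbage to zlib), and ends with a small stand-in for the `file` command that recognises XML text or a ustar archive. The XML and tar payloads it round-trips are constructed for the demo; pack_backup only exists to build those samples offline.

```python
"""AES-256-CBC + zlib config backup unpack, from the comment replies (added example)."""
import io
import tarfile
import zlib

# Key and IV quoted in the reply above for the Archer AX10/AX1500 backup file.
AES_KEY = bytes.fromhex("2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836")
AES_IV = bytes.fromhex("360028C9064242F81074F4C127D299F6")


def aes_cbc(key, iv, data, decrypt=True):
    """Raw AES-CBC with no padding handling (pycryptodome, else cryptography)."""
    try:
        from Crypto.Cipher import AES
        c = AES.new(key, AES.MODE_CBC, iv)
        return c.decrypt(data) if decrypt else c.encrypt(data)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        ctx = cipher.decryptor() if decrypt else cipher.encryptor()
        return ctx.update(data) + ctx.finalize()


def pkcs7_unpad(data):
    """openssl enc strips PKCS#7 padding by default; do the same, strictly."""
    if not data or len(data) % 16:
        raise ValueError("ciphertext length is not a multiple of the AES block")
    n = data[-1]
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding: wrong key/IV or not this format")
    return data[:-n]


def pkcs7_pad(data):
    n = 16 - len(data) % 16
    return data + bytes([n]) * n


def unpack_backup(blob, key=AES_KEY, iv=AES_IV):
    """openssl aes-256-cbc -d -K .. -iv .. | openssl zlib -d, in one call."""
    return zlib.decompress(pkcs7_unpad(aes_cbc(key, iv, blob)))


def pack_backup(payload, key=AES_KEY, iv=AES_IV):
    """Inverse of unpack_backup; used here only to construct offline samples."""
    return aes_cbc(key, iv, pkcs7_pad(zlib.compress(payload)), decrypt=False)


def sniff(payload):
    """A cheap stand-in for `file`: XML text, a ustar archive, or unknown.
    Both POSIX and GNU tar put the 'ustar' magic at offset 257 of the header."""
    if payload.lstrip().startswith(b"<"):
        return "xml"
    if len(payload) >= 262 and payload[257:262] == b"ustar":
        return "tar"
    return "unknown"


# Constructed samples: an XML config and a tar archive holding the same XML.
SAMPLE_XML = b'<?xml version="1.0"?>\n<config><admin pwd="secret"/></config>\n'


def sample_tar(xml=SAMPLE_XML):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("conf.xml")
        info.size = len(xml)
        tar.addfile(info, io.BytesIO(xml))
    return buf.getvalue()


if __name__ == "__main__":
    for name, payload in (("xml", SAMPLE_XML), ("tar", sample_tar())):
        out = unpack_backup(pack_backup(payload))
        print(name, "->", sniff(out), len(out), "bytes")
```

On a real backup, call unpack_backup on the file contents and then sniff the result: "xml" is the AX10 case from the reply, "tar" is the RE220 case where the inflated data still needs extracting (tarfile.open on a BytesIO of it will do), and "unknown" means a further layer or a different key.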
  4. Hello! I have an RE200 v3 and I cannot decrypt config.bin with the 478DA50BF9E3D2CF key.
