Hi Folks,
today I'm gonna take a quick look to the TP-Link TL-R483G sold in China.
I've got a chance to have a firmware and config file on Github so I decided to dig into it.
Once unpacked the firmware (standard uboot image), the references on encryption/"save configs" brings me on firmware_backuprestore.lua script file.
firmware_backuprestore.lua |
by going straight to the executable, I noticied that the config encrypted file has 0x10 bytes of signature (by reading the typical initialize variables can be md5, not sure anyway).
So, the encrypted data starts from 0x10 to the EOF
from the elf opened with Ghidra, I've been able to figure out which encryption it was applied and to read the key by ease:
It is a des-ecb encryption with key 0x478DA50FF9E3D2CB and no padding.
By putting the things togheter, with the help of the amazing CyberChef tool I've got as resoult a decrypted data which starts with 0x1f8b: the GZIP magic bytes! 🥳
Anyway, the GZIP file conains a tar, so the decrypted data is basically a config.tar.gz file which contains the entire /tmp/cfg_save folder.
Cheers,
RE-Solver