Introduction
<span>binwalk</span> and other tools for extraction; we need to decrypt the encrypted firmware first.Common Firmware Encryption and Decryption Methods
1. Firmware is not encrypted at the factory, followed by an unencrypted version containing a decryption scheme, and finally a released encrypted version.

2. Firmware is encrypted at the factory, followed by an unencrypted firmware containing a new decryption scheme, and finally a new encrypted version.

3. Firmware is encrypted at the factory, followed by an encrypted firmware containing a new decryption scheme, and finally a new encrypted version.

<span>JTAG</span>, <span>UART</span> debugging, etc., to access <span>Linux Shell</span> or <span>Uboot Shell</span> to directly extract the firmware’s file system from the hardware. Then, deeper analysis of the firmware can be performed to see how to reverse engineer the encrypted firmware, obtain the encryption logic, and ultimately crack it.Decrypting Encrypted D-Link Firmware
Preparation
wget https://support.dlink.com/resource/PRODUCTS/DIR-822-US/REVC/DIR-822_REVC_FIRMWARE_v3.15B02.zip
<span>binwalk</span>, we will find that the report is blank.
<span>binwalk -E</span> to check the entropy of the firmware (checking entropy is an effective way to confirm whether a given byte sequence is compressed or encrypted. The higher the entropy, the more likely the byte sequence is encrypted or compressed).
<span>The firmware v3.15 must be upgraded from the transitional version of firmware v303WWb04_middle.</span>

Using the Transitional Version to Decrypt the Firmware
<span>firmware v303WWb04_middle</span> likely contains the decryption program of the unencrypted transitional firmware. Therefore, we can find a way to download this firmware and find the decryption scheme to decrypt <span>DIR822C1_FW315WWb02</span> firmware.
<span>binwalk -ME</span>.

<span>update</span>, <span>firmware</span>, <span>upgrade</span>, <span>download</span> in the <span>squashfs-root</span> folder.grep -rnw './' -e 'update\|firmware\|upgrade\|download'

<span>/etc/templates/hnap/StartFirmwareDownload.php</span> file. Accessing this file in a browser will execute the operation to download the firmware. Here, there is a line of comment: <span>// fw encimg</span>, which corresponds to <span>firmware</span>, <span>encryption</span>, <span>image</span>.// fw encimg
setattr("/runtime/tmpdevdata/image_sign" ,"get","cat /etc/config/image_sign");
$image_sign = query("/runtime/tmpdevdata/image_sign");
fwrite("a", $ShellPath, "encimg -d -i ".$fw_path." -s ".$image_sign." > /dev/console
");
del("/runtime/tmpdevdata");
<span>setattr</span> function sets the attribute <span>/runtime/tmpdevdata/image_sign</span> to <span>cat /etc/config/image_sign</span>, and then the <span>query</span> function retrieves the firmware image signature from the attribute <span>/runtime/tmpdevdata/image_sign</span> and stores it in the variable <span>$image_sign</span>.
<span>fwrite</span> function to write the command string <span>encimg -d -i .".$fw_path." -s ".$image_sign." > /dev/console</span> into the file <span>$ShellPath</span>. This shell will subsequently be executed.<span>encimg</span> program is located in <span>/usr/sbin</span>.
<span>readelf</span> command, we can find that this program is a 32-bit big-endian MIPS architecture.
<span>qemu</span> user mode for simulation and add parameters like <span>encimg -d -i .".$fw_path." -s .".$image_sign.</span>.<span>.$fw_path.</span> is the path of the encrypted firmware that needs to be decrypted, which is the path of the D-Link DIR-822-US series router version 3.15B02 firmware.<span>.$image_sign.</span> is <span>wrgac43s_dlink.2015_dir822c1</span>.<span>qemu-mips-static</span> and the encrypted firmware <span>DIR822C1_FW315WWb02.bin</span> to the <span>squashfs-root</span> directory to run <span>encimg</span>.sudo chroot . ./qemu-mips-static ./usr/sbin/encimg -d -i ./DIR822C1_FW315WWb02.bin -s wrgac43s_dlink.2015_dir822c1

<span>binwalk</span> to check <span>DIR822C1_FW315WWb02.bin</span>, we can not only see the file information but also find that the entropy value has changed.

Extracting the Decrypted Firmware
<span>binwalk -Me</span> to successfully extract the firmware system files.


Kanxue ID: Arahat0
https://bbs.kanxue.com/user-home-964693.htm

# Previous Recommendations
1. iOS Jailbreak Detection Apps and Frida Bypass Detection
2. Large Bin Attack Learning (Detailed Analysis of _int_malloc Source Code)
3. CVE-2022-2588 Dirty Cred Vulnerability Analysis and Reproduction
4. Development Knowledge | Thoroughly Clarifying the Relationship Between CreateFile Read/Write Permissions and Sharing Modes
5. XAntiDenbug Detection Logic and Basic Anti-Debugging
6. Frida-Hook-Java Layer Operation Guide


Share

Like

Watching