TP-Link backup file (bin file) parsing [continued]
Time: 11:31:13
Most routers allow you to save and restore the configuration from files. This is cool because you can edit the configuration file and upload it to the router again, enabling some "hidden" configuration options.
For example, on my
I managed to get a higher download speed by disabling DSL QoS (it was broken), setting X_BROADCOM_COM_ATMEnbQos to FALSE!
So, I got a
wireless access point and, sadly, I found that they encrypted the configuration file, so I decided to reverse engineer it.
First of all I needed a dump of the filesystem to get the binaries, so I soldered a serial port on the router to get a serial console.
The bootloader didn't allow interrupting the boot process, but fortunately I knew that you can get a prompt by typing the secret word tpltpltpl:
AP93 (ar7240) U-boot
#### TAP VALUE 1 = 9, 2 = 9
id read 0x100000ff
flash size 4194304, sector count = 64
Using default environment
ag7240_enet_initialize...
No valid address in Flash. Using fixed address
: cfg1 0xf cfg2 0x7014
eth0: 00:03:7f:09:0b:ad
No valid address in Flash. Using fixed address
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
ATHRS26: resetting s26
ATHRS26: s26 reset done
eth0, eth1
Autobooting in 1 seconds
I've compiled an OpenWrt
(you know OpenWrt, right??) firmware with initramfs, and I loaded it from RAM without flashing the firmware:
ar7240> tftp 0x openwrt-ar71xx-generic-tl-wr841n-v8-initramfs-uImage.bin
ar7240> bootm
After that, making the dump was easy: just "dd" the mtdblock device with the firmware and copy it to the computer via scp.
# dd if=/dev/block/mtd2 of=/tmp/rootfs
# scp /tmp/rootfs matteo@192.168.1.2:
I needed to compile an old version of squashfs tools to extract the files, and finally I extracted the whole filesystem.
$ unsquashfs rootfs
I looked at the web page which handled the configuration load/save and I noticed that there were many references to some sort of embedded functions which most likely are handled by the webserver itself. The webserver is a single blob which handled many system utilities; indeed there were many executables symlinked to the . This is a common practice in embedded firmwares, like OpenWrt's
and Android's
I started IDA to look at this binary; clearly httpConfUpload was the function to start hacking from.
Due to a reference to des_min_do and some strings starting with DES_, I suspected that DES was used as the cipher.
des_min_do was a galore of bitwise operators and nasty loops; clearly it was an inlined cryptographic function, and before calling it a pointer to a fixed null-terminated string was pushed to the stack. It could be some salt or key passed to the encryption function, so I'll note this string, which was 478DA50BF9E3D2CF.
I tried to decrypt it with mdecrypt using that string as the key, but without success:
$ mdecrypt -b -a des -f key < config.bin
I looked at the binary again and, searching for the _des string, I found md5_des, which suggested that I use the md5 hash function:
$ mdecrypt -b -a des -f key -o mcrypt-md5 < config.bin
Again with no luck, so I tried all the block modes available until I found the correct one:
$ mdecrypt -b -a des -m ecb -f key -o mcrypt-md5 < config.bin
????????????????lan_ip 192.168.1.254
lan_msk 255.255.255.0
lan_gateway 0.0.0.0
The file is decrypted! Note that the trailing 16 bytes are the md5 sum of the files without trailing zeroes:
The same can be done with openssl:
$ openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin
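An added example (not part of the original article): the block mode above was found by trial, but ECB can also be recognised from the ciphertext alone, because equal 8-byte plaintext blocks such as zero padding encrypt to equal ciphertext blocks. The cipher below is a small Feistel stand-in, not DES, and the key and config bytes are constructed sample values.

```python
import hashlib
from collections import Counter

BLOCK = 8  # DES works on 64-bit (8-byte) blocks

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher (4-round Feistel over SHA-256), NOT DES."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def encrypt(key: bytes, data: bytes, mode: str) -> bytes:
    """Encrypt block-aligned data in 'ecb' or 'cbc' mode (all-zero IV)."""
    out, prev = [], bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if mode == "cbc":  # chain in the previous ciphertext block
            blk = bytes(a ^ b for a, b in zip(blk, prev))
        prev = toy_encrypt_block(key, blk)
        out.append(prev)
    return b"".join(out)

def repeated_block_ratio(ciphertext: bytes) -> float:
    """Fraction of 8-byte blocks whose value occurs more than once."""
    blocks = [ciphertext[i:i + BLOCK]
              for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    return sum(n for n in counts.values() if n > 1) / len(blocks)

def looks_like_ecb(ciphertext: bytes, threshold: float = 0.05) -> bool:
    """Random-looking ciphertext has ~0 repeats; ECB over padding has many."""
    return repeated_block_ratio(ciphertext) >= threshold

# Constructed sample: three settings zero-padded to 512 bytes, constructed key.
SAMPLE = (b"lan_ip 192.168.1.254\nlan_msk 255.255.255.0\n"
          b"lan_gateway 0.0.0.0\n").ljust(512, b"\0")
KEY = b"constructed-key"
ECB_CT = encrypt(KEY, SAMPLE, "ecb")
CBC_CT = encrypt(KEY, SAMPLE, "cbc")

if __name__ == "__main__":
    for name, ct in (("ecb", ECB_CT), ("cbc", CBC_CT)):
        print(name, repeated_block_ratio(ct), looks_like_ecb(ct))
```

The same ratio can be computed over a real backup file read as bytes; a high value means the file leaks the layout of its plaintext even before any key is known.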
Original: http://teknoraver.net/software/hacks/tplink/
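Which company is working on the 82 platform? Please give me a bin file to verify the hardware, thanks.
The flash we mounted is the H9TP32A8JDMC.
Right now the download shows no activity; the red bar doesn't even run...
Uh, the USB isn't even recognized, so what's the use of new software!!!
You need to download the PRELOADER over UART first.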
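Samurai Warriors 4-II LINKDATA file export/import tool 0.1
Patch size: 64 KB
-2 LINKDATA file export/import tool 0. Fixes the error caused by an oversized file during import. This tool imports and exports LINKDATA files, making the game more convenient.
1. Extract the files into the "game directory\DATA" directory.
2. Run "导出.cmd" and follow the prompts; when it finishes, a directory named after the file is created under the Extracted directory, and the exported files are inside it.
3. Run "导入.cmd" and follow the prompts; the files in the corresponding directory are imported into the corresponding LINKDATA file.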