First, check your router's brand and model, then go to the manufacturer's official website and download the firmware for that model. After the download completes, run binwalk on the firmware file so that we can later emulate the router firmware in QEMU. At this point you will see the output shown below:
Generally speaking, every firmware image that binwalk cannot handle has to be analyzed in its own way, so we cannot give you a tutorial that covers every kind of encrypted firmware. In this article, however, we will walk through several common firmware analysis scenarios and give a general guide for handling encrypted firmware of this kind. In addition, I will provide an example of decrypting D-Link DIR-882 firmware.
Three scenarios for encrypted firmware
The easiest way to decrypt firmware is to find the decryption program inside the firmware itself. Why? If the router can decrypt a new firmware image and install it, then the decryption program must already be somewhere in the firmware running on the device. So if you encounter encrypted firmware, visit the manufacturer's official website, look for older versions of that firmware, download all of them, and start analyzing.
Given below are three common firmware release scenarios.
Scenario 1: The device firmware was not encrypted when it was first released and contained no decryption program. A newer, still unencrypted version (v1.1) ships the decryption program that later encrypted firmware updates will need. All firmware released after that is encrypted.
At this point, we can take the decryption program from firmware v1.1 and use it to decrypt the latest firmware, v1.2.
Scenario 2: The device firmware was encrypted from its original release, but the manufacturer decided to change the encryption scheme and released an unencrypted transitional version (v1.2) that includes the new decryption program.
As in scenario 1, we can obtain the decryption program from the v1.2 image and apply it to the latest encrypted firmware. Reading the release notes helps us identify the unencrypted transitional version: the notes usually instruct users to upgrade to an intermediate version before upgrading to the latest one, and that intermediate version is very likely the unencrypted transitional firmware.
Scenario 3: The device firmware was encrypted from its original release, and no unencrypted transitional version containing a decryption program has ever been released.
In this case it is much harder to obtain the decryption program. One option is to buy the device and extract the unencrypted firmware directly from the hardware. The other is to analyze the firmware more deeply in the hope of "cracking the encryption."
Viewing the firmware in a hex editor quickly tells us what we are dealing with. Look at the firmware contents in binary or hex mode: do you see fields of 0xFF or 0x00 bytes? Does the file show any recognizable pattern? Or is it made up of uniform blocks of seemingly random bytes? If there are patterns, the firmware may simply have been obfuscated with an XOR against a static key; check whether one byte value appears far more often than the others.
Scenario 5: Compression, encryption or obfuscation?
Entropy helps us analyze the firmware further. Regions of the firmware with high entropy suggest that those regions are encrypted; a run of low-entropy bytes indicates low randomness, structure and predictability. Combined with the other observations, this helps us determine whether the firmware is compressed, encrypted, or obfuscated. At this stage of the analysis, binwalk's many options can be helpful.
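The hex-editor checks and the entropy analysis described above, as an added example that is not part of the original article: a small Python script that walks a constructed sample image in blocks, computes the Shannon entropy of each block, and labels it using the dominant byte value. The sample image, the XOR key 0x5A and the region layout are all constructed here; they are not taken from any real router image.

```python
import math
import random
from collections import Counter

# Constructed sample image (not a real router image): four 1 KiB regions that
# mimic what the hex-editor and entropy checks are looking for.
_rng = random.Random(1337)
PLAINTEXT = (b"Linux kernel version 4.4 for mipsel\x00" * 20)[:512] + b"\x00" * 512
XOR_KEY = 0x5A  # hypothetical static key used to obfuscate one region
SAMPLE_IMAGE = (
    b"\xff" * 1024                                           # erased-flash padding, all 0xFF
    + PLAINTEXT                                              # structured, predictable bytes
    + bytes(b ^ XOR_KEY for b in PLAINTEXT)                  # same bytes under a static XOR
    + bytes(_rng.getrandbits(8) for _ in range(1024))        # stand-in for encrypted/compressed data
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block: int = 256) -> list:
    """Entropy of each fixed-size block, the same curve an entropy scan plots."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def classify_region(data: bytes) -> str:
    """Rough label for a region, combining entropy with the dominant byte value.

    XOR with a static key is a bijection on byte values, so it leaves the entropy
    unchanged; what gives it away is a dominant byte that is neither 0x00 nor 0xFF
    (it is key XOR 0x00 when the plaintext is mostly zero padding).
    """
    e = shannon_entropy(data)
    top_byte, _ = Counter(data).most_common(1)[0]
    if e < 1.0:
        return "padding/constant"
    if e > 7.0:
        return "encrypted or compressed"
    if top_byte in (0x00, 0xFF):
        return "plaintext/structured"
    return "possibly XOR-obfuscated (dominant byte 0x%02x)" % top_byte


def guess_xor_key(data: bytes) -> int:
    """Assume the most frequent plaintext byte was 0x00; the most frequent
    obfuscated byte is then the key itself."""
    return Counter(data).most_common(1)[0][0]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply (or undo) a single-byte static XOR."""
    return bytes(b ^ key for b in data)


def scan_image(data: bytes, block: int = 1024) -> list:
    """Walk the image in blocks and report (offset, entropy, label) for each."""
    return [
        (off, round(shannon_entropy(data[off:off + block]), 2), classify_region(data[off:off + block]))
        for off in range(0, len(data), block)
    ]


if __name__ == "__main__":
    for off, ent, label in scan_image(SAMPLE_IMAGE):
        print("0x%06x  entropy=%.2f  %s" % (off, ent, label))
    region = SAMPLE_IMAGE[2048:3072]
    key = guess_xor_key(region)
    print("guessed XOR key: 0x%02x -> %r" % (key, xor_bytes(region, key)[:36]))
```

Note that the plaintext region and its XOR-obfuscated copy produce identical entropy values; only the byte histogram separates them, which is why the article pairs the entropy scan with a look at the raw bytes.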
Theory and Practice
Next, we will apply the knowledge we just learned to the encrypted D-Link DIR-882 firmware image:
We can find all the old firmware for this router on the manufacturer's FTP server. Running binwalk on the earliest version, v1.00B07, correctly detects a uImage header and LZMA compressed data:
This shows that we are in scenario 1. After going through all the available firmware images, we found that v1.04B02 is the transitional version; it is included in the v1.10B02 firmware package. We can also compute the entropy of each image to quickly determine which ones are encrypted.
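What binwalk is reporting when it says "uImage header, LZMA compressed data", as an added example that is not part of the original article: a Python parser for the 64-byte U-Boot uImage header that validates the magic, the header CRC and the data CRC, scans a blob for headers the way a signature scan does, and decompresses the payload. The kernel stub, image name and flash layout below are constructed for the example; they are not the DIR-882 image.

```python
import lzma
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
UIMAGE_FMT = ">7I4B32s"   # big-endian: 7 x uint32, 4 x uint8, 32-byte name = 64 bytes
UIMAGE_HEADER_LEN = struct.calcsize(UIMAGE_FMT)

# Subset of the U-Boot IH_OS / IH_ARCH / IH_TYPE / IH_COMP constants
OS_NAMES = {5: "linux"}
ARCH_NAMES = {2: "arm", 3: "x86", 5: "mips", 6: "mips64", 7: "powerpc"}
TYPE_NAMES = {1: "standalone", 2: "kernel", 3: "ramdisk", 4: "multi", 5: "firmware", 7: "filesystem"}
COMP_NAMES = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}


def build_uimage(payload, name, os_=5, arch=5, typ=2, comp=3, load=0x80000000, ep=0x80000000, ts=0):
    """Wrap an (already compressed) payload in a uImage header with correct CRCs."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    fields = [UIMAGE_MAGIC, 0, ts, len(payload), load, ep, dcrc, os_, arch, typ, comp, name.encode()]
    fields[1] = zlib.crc32(struct.pack(UIMAGE_FMT, *fields)) & 0xFFFFFFFF  # hcrc over header with hcrc=0
    return struct.pack(UIMAGE_FMT, *fields) + payload


def parse_uimage(blob, offset=0):
    """Parse and verify the uImage header at offset; raise ValueError if invalid."""
    hdr = blob[offset:offset + UIMAGE_HEADER_LEN]
    if len(hdr) < UIMAGE_HEADER_LEN:
        raise ValueError("truncated header")
    magic, hcrc, ts, size, load, ep, dcrc, os_, arch, typ, comp, name = struct.unpack(UIMAGE_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    calc = zlib.crc32(struct.pack(UIMAGE_FMT, magic, 0, ts, size, load, ep, dcrc, os_, arch, typ, comp, name))
    if calc & 0xFFFFFFFF != hcrc:
        raise ValueError("header CRC mismatch")
    data = blob[offset + UIMAGE_HEADER_LEN:offset + UIMAGE_HEADER_LEN + size]
    if len(data) != size or zlib.crc32(data) & 0xFFFFFFFF != dcrc:
        raise ValueError("data CRC mismatch")
    return {
        "offset": offset, "data_offset": offset + UIMAGE_HEADER_LEN, "size": size,
        "load": load, "entry": ep, "timestamp": ts,
        "os": OS_NAMES.get(os_, str(os_)), "arch": ARCH_NAMES.get(arch, str(arch)),
        "type": TYPE_NAMES.get(typ, str(typ)), "compression": COMP_NAMES.get(comp, str(comp)),
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
    }


def is_valid_uimage(blob, offset=0):
    try:
        parse_uimage(blob, offset)
        return True
    except ValueError:
        return False


def find_uimage_headers(blob):
    """Return offsets of every uImage header whose CRCs verify (a signature scan)."""
    magic = struct.pack(">I", UIMAGE_MAGIC)
    found, pos = [], blob.find(magic)
    while pos != -1:
        if is_valid_uimage(blob, pos):
            found.append(pos)
        pos = blob.find(magic, pos + 1)
    return found


def extract_payload(blob, offset=0):
    """Return the decompressed payload of the uImage at offset."""
    info = parse_uimage(blob, offset)
    data = blob[info["data_offset"]:info["data_offset"] + info["size"]]
    if info["compression"] == "lzma":
        return lzma.decompress(data)
    if info["compression"] == "gzip":
        return zlib.decompress(data, 16 + zlib.MAX_WBITS)
    return data


# Constructed sample: an LZMA-compressed stand-in for a MIPS Linux kernel,
# wrapped in a uImage header and padded with erased flash on both sides.
KERNEL_STUB = b"Constructed stand-in for a kernel image; not real code.\n" * 64
SAMPLE_IMAGE = build_uimage(lzma.compress(KERNEL_STUB, format=lzma.FORMAT_ALONE), "constructed test kernel")
SAMPLE_FLASH = b"\xff" * 512 + SAMPLE_IMAGE + b"\xff" * 512

if __name__ == "__main__":
    for off in find_uimage_headers(SAMPLE_FLASH):
        info = parse_uimage(SAMPLE_FLASH, off)
        print("0x%x: uImage %(name)r os=%(os)s arch=%(arch)s type=%(type)s comp=%(compression)s size=%(size)d"
              % dict(info, **{}) if False else "0x%x: uImage %r %s/%s/%s/%s size=%d"
              % (off, info["name"], info["os"], info["arch"], info["type"], info["compression"], info["size"]))
```

When the header CRC verifies but the data CRC does not, the image is usually truncated or the payload after the header is not what the header describes; an encrypted image from scenario 1 typically has no valid header at all, which is exactly the difference the article's binwalk runs on v1.00B07 and the later encrypted versions show.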
Next, use binwalk to extract the file system from the v1.04B02 firmware:
Once the extraction succeeds, we can start analyzing the firmware update process to work out how the firmware is decrypted. Fortunately, a quick look through the file system turns up a binary named "imgdecrypt" in the /bin directory.
We ran into a small problem: the processor architecture of the host differs from that of the binary. Fortunately, QEMU lets us perform a cross-architecture chroot. First, copy the qemu-mipsel-static binary into /usr/bin/ inside the extracted firmware root file system, then copy the encrypted firmware into that unencrypted file system. Finally, chroot into the firmware root, which gives us a usable shell.
We can see that binwalk successfully detected different areas in the decrypted firmware.
To sum up
The above is the general method for handling encrypted firmware. It is worth noting that manufacturers sometimes use the same encryption scheme across several routers: the same imgdecrypt binary can also decrypt the firmware of the DIR-878 and DIR-867. So once we have found a decryption program or method, we can try it against other products in the same product line that use the same processor architecture.