First, note your router's brand and model, then go to the manufacturer's official website and download the firmware for that exact model. Once the download is complete, run the firmware file through binwalk to extract its contents so that we can emulate the extracted firmware in QEMU. At this point you will see the screen shown below:
Generally speaking, every firmware that binwalk cannot handle has to be analyzed in its own way, so we cannot provide a tutorial that covers every type of encrypted firmware. In this article, however, we walk through several common firmware analysis scenarios and give a general approach to handling encrypted firmware. In addition, I will provide an example of decrypting D-Link DIR-882 firmware.
Three scenarios for encrypted firmware
The easiest way to decrypt firmware is to find the decryption routine inside the firmware itself. Why would it be there? If the router can decrypt new firmware and install the update, then the decryption routine must already live somewhere in the firmware image running on the device. So if you run into encrypted firmware, visit the manufacturer's official website, look for older versions of the same firmware, download all of them and start analyzing the ones that are not encrypted.
Given below are three common firmware release scenarios.
Scenario 1: The device firmware was not encrypted when first released and contained no decryption routine. A later, still unencrypted release (v1.1) ships the decryption routine in preparation for encrypted updates, and every release after it is encrypted.
In this case we take the decryption routine out of firmware v1.1 and use it to decrypt the latest version, v1.2.
Scenario 2: The device firmware was encrypted from its first release. The manufacturer later decided to change the encryption scheme and released an unencrypted transition version (v1.2) that includes the new decryption routine.
As in scenario 1, we extract the decryption routine from the v1.2 image and apply it to the latest encrypted firmware. Reading the release notes helps identify the unencrypted transition version: they usually instruct users to upgrade to an intermediate version before upgrading to the latest one, and that intermediate version is likely to be the unencrypted transition firmware.
Scenario 3: The device firmware was encrypted from its first release. The manufacturer decided to change the encryption scheme and released a transition version containing the new decryption routine, but that transition image is itself encrypted, so no unencrypted image is ever published.
This is the hard case, and the decryption routine is much harder to obtain. One option is to buy the device and dump the already decrypted firmware directly from the device's hardware. The other is a deeper analysis of the encrypted image in the hope of "breaking the encryption."
Viewing the image in a hex editor quickly tells us what we are dealing with. Open the firmware in binary or hexadecimal view and look for long runs of 0xFF or 0x00 bytes: these are unused flash regions or padding, and a sign that at least part of the image is in the clear. Does the content have a recognizable structure, such as headers, strings, or a repeating multi-byte pattern? Or is it a uniform block of random-looking bytes with no structure at all? A short pattern that repeats exactly where padding would normally sit is a strong hint that the image has simply been XORed with a static key: XOR maps every 0x00 byte to the key byte at that position, so the key shows through wherever the plaintext was padding. A byte-frequency count makes this check quick: are there a few byte values that occur far more often than all the others? In a static-key XOR image those are usually the key bytes themselves (0x00 XOR key), or their complements where the padding was 0xFF.
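The two hex-editor heuristics above (padding runs and skewed byte frequencies) can be automated. The following Python script is an added example, not code from the original article: it constructs an unencrypted "firmware" image in memory, XORs it with an assumed 4-byte key, and then recovers that key from the ciphertext alone by exploiting the fact that 0x00 padding dominates real images, so the most frequent ciphertext byte at each key offset is 0x00 XOR key[i]. The sample image, its layout and the key are assumptions made for the demonstration; the recovery functions work unchanged on a real file read from disk.

```python
"""Byte-frequency triage for an image that may be XORed with a static key.

Added example, not code from the original article.  The 'firmware' image
and the 4-byte key below are constructed in memory purely for illustration.
The recovery trick relies on one property of real, unencrypted images: they
contain far more 0x00 (padding) bytes than anything else, so after a static
XOR the most frequent ciphertext byte at each key offset is 0x00 ^ key[i].
"""
from collections import Counter
from itertools import cycle
import zlib

ASSUMED_KEY = b"\xa5\x5a\x3c\xc3"   # hypothetical key, used only to build the sample


def build_sample_image() -> bytes:
    """Constructed stand-in for an unencrypted image: a small header, a
    compressed (random-looking) payload, some ASCII strings and lots of
    0x00 padding, which is what makes the recovery below work."""
    header = b"FWIMG\x01\x00\x00" + (0x1000).to_bytes(4, "little") + b"\x00" * 52
    payload = zlib.compress(bytes(range(256)) * 64)            # high-entropy blob
    strings = b"/bin/busybox\x00/etc/passwd\x00uImage\x00" * 8
    return header + payload + b"\x00" * 4096 + strings + b"\x00" * 1024


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated.  XOR is its own inverse, so this both
    'encrypts' the sample and decrypts a real image once the key is known."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def byte_histogram(data: bytes, top: int = 5) -> list:
    """Most frequent byte values as (value, count) pairs: the hex-editor
    'does one byte appear far more often than the others?' check."""
    return Counter(data).most_common(top)


def padding_ratio(data: bytes) -> float:
    """Fraction of 0x00/0xFF bytes.  Plain images score high; anything
    encrypted or compressed scores near 2/256."""
    return (data.count(0x00) + data.count(0xFF)) / len(data) if data else 0.0


def guess_key_len(data: bytes, max_len: int = 16) -> int:
    """Score each candidate length by how strongly each key-offset column is
    dominated by a single byte value.  The true length and its multiples
    score the same, so return the smallest length within 5% of the best."""
    scores = {}
    for n in range(1, max_len + 1):
        columns = [data[i::n] for i in range(n)]
        scores[n] = sum(Counter(c).most_common(1)[0][1] / len(c) for c in columns) / n
    best = max(scores.values())
    return min(n for n, s in scores.items() if s >= 0.95 * best)


def guess_xor_key(data: bytes, key_len: int, pad_byte: int = 0x00) -> bytes:
    """Assume the most common ciphertext byte in each column came from
    `pad_byte` (0x00, or 0xFF for images padded with erased-flash bytes)."""
    return bytes(Counter(data[i::key_len]).most_common(1)[0][0] ^ pad_byte
                 for i in range(key_len))


def recover(data: bytes) -> tuple:
    """Full pipeline: guess the key length, guess the key, strip the XOR."""
    n = guess_key_len(data)
    key = guess_xor_key(data, n)
    return key, xor_with_key(data, key)


if __name__ == "__main__":
    plain = build_sample_image()
    enc = xor_with_key(plain, ASSUMED_KEY)
    print("padding ratio plain=%.2f enc=%.2f" % (padding_ratio(plain), padding_ratio(enc)))
    print("top bytes in ciphertext:", [(hex(b), c) for b, c in byte_histogram(enc)])
    key, dec = recover(enc)
    print("recovered key:", key.hex(), "matches:", key == ASSUMED_KEY,
          "plaintext restored:", dec == plain)
```

To use it on a real download, replace `build_sample_image()` with `open(path, "rb").read()` and call `recover()`. If the padding in the target image is 0xFF rather than 0x00 (erased-flash style), pass `pad_byte=0xFF` to `guess_xor_key`; if the recovered key makes no sense, the image is not a static-key XOR and the entropy checks in the next section are the better tool.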
Compression, encryption or obfuscation?
Entropy analysis helps us go further. A segment with high entropy (close to 8 bits per byte) is either compressed or encrypted; entropy alone cannot tell the two apart, so look for a compression header at the start of such a segment and try to decompress it before concluding that it is ciphertext. A segment with low entropy has low randomness and therefore structure and predictability: padding, headers, tables, strings or code. Combined with the other checks, the entropy profile helps us decide whether the firmware is compressed, encrypted, or merely obfuscated. binwalk's entropy scan (binwalk -E) is the usual starting point for this stage, and its other signature and extraction options come into play once the interesting regions are known.
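The entropy profile and the "compressed or encrypted?" caveat can be scripted as follows. This is an added example, not code from the original article: it computes the sliding-window entropy that binwalk plots, labels each window, and for every high-entropy region tries to inflate it as a zlib stream, treating only regions that fail to inflate as candidate ciphertext. The sample image is constructed in memory from four regions (0xFF padding, ASCII strings, a zlib stream, seeded pseudo-random bytes standing in for encrypted data); its layout, window size and thresholds are assumptions of the demonstration, and the magic-header check covers zlib only, not the other compressors binwalk knows.

```python
"""Sliding-window entropy profile of a firmware image.

Added example, not code from the original article.  It reproduces the data
behind a `binwalk -E` plot, labels each window, and then applies the caveat
from the text: a high-entropy region is only *candidate* ciphertext until an
attempt to decompress it has failed.  The image and its layout below are
constructed for the demonstration and do not describe any real firmware.
"""
import math
import random
import zlib
from collections import Counter

WINDOW = 1024   # analysis window in bytes (assumption of this example)


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, up to 8.0 for uniform data.
    The estimate is biased low on small windows (a 1024-byte window of
    random bytes measures about 7.8, not 8.0), so thresholds allow for it."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, window: int = WINDOW) -> list:
    """(offset, entropy) for every window: the raw numbers behind the plot."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def classify_windows(data: bytes, window: int = WINDOW,
                     low: float = 1.0, high: float = 7.5) -> list:
    """Tag windows: 'low' = padding/tables, 'mid' = code, strings, headers,
    'high' = compressed or encrypted (indistinguishable by entropy alone)."""
    return [(off, "low" if h < low else "high" if h >= high else "mid")
            for off, h in entropy_profile(data, window)]


def merge_runs(labels: list, window: int = WINDOW) -> list:
    """Collapse consecutive windows with the same label into (start, end, label)."""
    runs = []
    for off, label in labels:
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], off + window, label)
        else:
            runs.append((off, off + window, label))
    return runs


def try_inflate(region: bytes) -> bool:
    """Caveat check for a high-entropy region starting at a candidate offset:
    a complete zlib stream inflates cleanly and reaches end-of-stream (trailing
    padding is left in unused_data); ciphertext raises zlib.error or never
    reaches end-of-stream."""
    d = zlib.decompressobj()
    try:
        d.decompress(region)
    except zlib.error:
        return False
    return d.eof


def build_sample_image() -> tuple:
    """Constructed sample: returns (data, {region name: start offset})."""
    rnd = random.Random(2020)

    def rand(n: int) -> bytes:      # seeded stand-in for encrypted bytes
        return bytes(rnd.getrandbits(8) for _ in range(n))

    padding = b"\xff" * WINDOW
    strings = (b"/bin/busybox\x00/etc/passwd\x00/lib/libc.so.0\x00uImage\x00" * 40)[:WINDOW]
    comp = zlib.compress(rand(4 * WINDOW))
    comp += b"\x00" * (-len(comp) % WINDOW)          # pad to a window boundary
    encrypted = rand(2 * WINDOW)
    layout = {"padding": 0,
              "strings": len(padding),
              "compressed": len(padding) + len(strings),
              "encrypted": len(padding) + len(strings) + len(comp)}
    return padding + strings + comp + encrypted, layout


if __name__ == "__main__":
    data, layout = build_sample_image()
    for start, end, label in merge_runs(classify_windows(data)):
        note = ""
        if label == "high":
            note = (" (inflates as zlib: compressed)" if try_inflate(data[start:])
                    else " (does not inflate: candidate ciphertext)")
        print(f"0x{start:06x}-0x{end:06x} {label}{note}")
```

The inflate attempt starts at the run's first byte and runs to the end of the image rather than to the run's end, because the decompressor stops on its own at end-of-stream and a window-aligned cut would otherwise truncate the stream's trailer. Extend `try_inflate` with gzip, LZMA or XZ attempts for images whose high-entropy regions carry those headers.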