Reverse Engineering Asked by Vido on September 30, 2021
I have this file from my router its backup of user config,I suppose its compresed with zlib and encrypted with AES. Utility which is resposible to compress it and encrypt it is called cspd. In side cspd there is function called dbcCfgFileDecry
in which Im interested, If anyone could help me identify how this function decrypt config file I would be most grateful.I can run gdbserver on router with cspd as argument but it just exit, I also tried to attach to existing cspd proces (there is several of them) but router just crashes.
EDIT: I just found that inside encry
function there is CSPDBGetFileEncryKey
so the key is stored inside DB ?? There is also utility on router caled sendcmd which is responsable in manipulating of DB. If I run sendcmd with sendcmd 1 DB
I get
fc [bin-file-name]:compress user config to bin-file-name
fuc [bin-file-name]:uncompress bin-file-name to user config
decry : cfg decry
I did tried it but it does not work
How does this question differ to your question here?
Your key is Renjx%2$CjM
.
You can use the zcu module I have written to decode your configuration file e.g.
$ python3 examples/decode.py config.bin config.xml --key 'Renjx%2$CjM'
$ head config.xml
<DB>
<Tbl name="DBBase" RowCount="1">
<Row No="0">
<DM name="IFInfo" val="0101010004000000010601000000021244010000440200004403000044040000"/>
</Row>
</Tbl>
<Tbl name="ETH" RowCount="4">
<Row No="0">
<DM name="ViewName" val="IGD.LD1.ETH1"/>
<DM name="LDWDViewName" val="IGD.LD1"/>
Answered by mkst on September 30, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP