ZTE AES-256-CBC Encrypted backup config file

Reverse Engineering Asked by MoooonX on April 28, 2021

i tried router pass view tool on (a closed source one) it’s able to decrypt the older version of it V3.1. tested on two routers of it and it gave me this output

Encrypted Data Start Position: 227
Encryption Algorithm: AES-128
Encryption Key: 34303263333864653339626564363635
Compression: zlib / deflate

and

Encrypted Data Start Position: 227
Encryption Algorithm: AES-128
Encryption Key: 4772574D33487A264C54767A26665E39
Compression: zlib / deflate

also someone told me

the encryption algorithm was changed to AES-256-CBC and key and iv are
derived from MAC, SerialNumber and EncryKey.

snprintf(&g_keySeed, 65, "%s%sMcd5c46e", EncryKey, SN);
snprintf(&g_ivSeed, 65, "G21b667b%s%s", MAC, EncryKey);

sha256(key_seed, key_seed_len, &aes_key);

sha256(iv_seed, iv_seed_len,&aes_iv);

without telling me what’s that encrykey and didn’t reply again.

the firmware and config files

decryption encryption firmware firmware analysis ida

Add your own answers!

Ask a Question

Get help from others!

Recent Answers

Joshua Engel on Why fry rice before boiling?
Peter Machado on Why fry rice before boiling?
Lex on Does Google Analytics track 404 page responses as valid page views?
haakon.io on Why fry rice before boiling?
Jon Church on Why fry rice before boiling?