Jump to content


Photo
- - - - -

decode router's config.bin


  • Please log in to reply
6 replies to this topic

#1 squicky

squicky

    Will I break 10 posts?

  • Members
  • 4 posts

Posted 03 July 2009 - 11:17 PM

hi everybody,
i'm a poor nubie...

i got this problem:
i have a D-Link DI-524 (firmware V2.04) router's config file, the file that contains settings backup.
it's a .BIN file almost surely compressed and encoded
so it's not readable unless you can tell what's the algorithm...

i foudn a couple of working solution (for other routers' config file) that achieved the goal by reverse engineering the firmware:
i can't do this...could anybody help me ?
thanks

#2 squicky

squicky

    Will I break 10 posts?

  • Members
  • 4 posts

Posted 10 July 2009 - 01:40 AM

i found the CPU of DI-524 is an ARM procesor

is there anybody with ARM Disassembling skills?

here's the config i need to decode:
http://rapidshare.co...config.bin.html

and the firmware:
http://tsd.dlink.com...ocuSno=BDKDGDAD
or
ftp://ftp.dlink.de/di/di-524/driver_software/
ftp://ftp.dlink.co.uk/di_broadband_gateways/di-524/


hope on help!

#3 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,082 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 10 July 2009 - 01:54 AM

Is your WPA or WEP key in there? Or is that what you're after?

Edited by tekio, 10 July 2009 - 01:57 AM.


#4 livinded

livinded

    Dangerous free thinker

  • Agents of the Revolution
  • 1,942 posts
  • Location:~/

Posted 12 July 2009 - 02:33 AM

I've played around a bit with disassembling router firmware though I haven't looked at config files. When it comes to firmware files sometimes you'll get lucky and they will use something simple, like the one I worked on. The firmware file was essentially a gzipped file where all the files where squished together. It wasn't a tarball unfortunately, but it wasn't too difficult to carve it apart. ARM is very well documented and not difficult to disassemble due to it's fixed length instructions. IDA Pro will do ARM binaries and if the file format is supported you can use something like qemu to load up an arm linux distro and disassemble it with objdump and gdb if you don't have access to IDA Pro.

#5 squicky

squicky

    Will I break 10 posts?

  • Members
  • 4 posts

Posted 12 July 2009 - 07:39 PM

I've played around a bit with disassembling router firmware though I haven't looked at config files. When it comes to firmware files sometimes you'll get lucky and they will use something simple, like the one I worked on. The firmware file was essentially a gzipped file where all the files where squished together. It wasn't a tarball unfortunately, but it wasn't too difficult to carve it apart. ARM is very well documented and not difficult to disassemble due to it's fixed length instructions. IDA Pro will do ARM binaries and if the file format is supported you can use something like qemu to load up an arm linux distro and disassemble it with objdump and gdb if you don't have access to IDA Pro.



thnaks for taking my post into consideration!
i admit i'm not good at disassembling...i'd need to ask for a little bit more help from you (i really hope you won't deny it)

i'm not 100% sure it's ARM, but i can say it's either ARM or MIPS
The config.bin (i linked) doen't seems gzipped...what encryption do you think it has?
are you able to read it somehow ?
(here's another download, in case reached d/l limit):
http://rapidshare.co...config.bin.html

Edited by squicky, 12 July 2009 - 07:45 PM.


#6 livinded

livinded

    Dangerous free thinker

  • Agents of the Revolution
  • 1,942 posts
  • Location:~/

Posted 12 July 2009 - 10:10 PM

I took a look at the file and it doesn't appear to be any type of documented binary file type. I see a lot of 0xff which lead me to believe that it may not actually be compressed data. The only strings I found in it were a few references to "DLB6031". Doing some googling I came across http://nasirghaznavi...-decompression/ which explains that the configs are zlib compressed xml files. I downloaded the tool he provided and tried to convert it getting and error. I then tried zlib decompressing it with a simple ruby script to which I got an error saying that it was not a valid zlib compressed file. Are you sure this is the actual unmodified file?

#7 squicky

squicky

    Will I break 10 posts?

  • Members
  • 4 posts

Posted 13 July 2009 - 02:19 AM

well, i don't really think it can be modified (i just tried to open/read it)
anyway, to be 100% sure here's a fresh one:
http://rapidshare.co...config.bin.html

config.bin
as far as the compression is concerned:
i thought myself there were too many repeated characters...but since i don't t know well ZLIB or LZMA or other compression algorithms, i wasn't completely ceratin.

i found another tool (for Zyxel, indeed) and doesn't seem to work unless i make some mistakes:
http://mindmasters.nl/kender/zyxel/

firmware
would you be able to find out, by reversing the firmware, what encryption works on the config.bin (how it saves, how it loads it).
The firmware is most likely written in C (older ones in Assembly) and compiled onto a MIPS or ARM processor...
i also found this opensource firmware version here:
http://www.dlink.fi/...pe-FI/DLWrapper
BUT i'm not completely certain it is exactly the same as mine (V2.04, dated 28 april 2006) here:
http://tsd.dlink.com...ocuSno=BDKDGDAD
ftp://ftp.dlink.de/di/di-524/driver_software/
ftp://ftp.dlink.co.uk/di_broadband_gateways/di-524/

Edited by squicky, 13 July 2009 - 02:23 AM.





BinRev is hosted by the great people at Lunarpages!