squeeze

decode router's config.bin

7 posts in this topic

hi everybody,

i'm a poor nubie...

i got this problem:

i have a D-Link DI-524 (firmware V2.04) router's config file, the file that contains settings backup.

it's a .BIN file almost surely compressed and encoded

so it's not readable unless you can tell what's the algorithm...

i foudn a couple of working solution (for other routers' config file) that achieved the goal by reverse engineering the firmware:

i can't do this...could anybody help me ?

thanks

0

Share this post


Link to post
Share on other sites

Share this post


Link to post
Share on other sites

Is your WPA or WEP key in there? Or is that what you're after?

Edited by tekio
0

Share this post


Link to post
Share on other sites

I've played around a bit with disassembling router firmware though I haven't looked at config files. When it comes to firmware files sometimes you'll get lucky and they will use something simple, like the one I worked on. The firmware file was essentially a gzipped file where all the files where squished together. It wasn't a tarball unfortunately, but it wasn't too difficult to carve it apart. ARM is very well documented and not difficult to disassemble due to it's fixed length instructions. IDA Pro will do ARM binaries and if the file format is supported you can use something like qemu to load up an arm linux distro and disassemble it with objdump and gdb if you don't have access to IDA Pro.

1

Share this post


Link to post
Share on other sites

I've played around a bit with disassembling router firmware though I haven't looked at config files. When it comes to firmware files sometimes you'll get lucky and they will use something simple, like the one I worked on. The firmware file was essentially a gzipped file where all the files where squished together. It wasn't a tarball unfortunately, but it wasn't too difficult to carve it apart. ARM is very well documented and not difficult to disassemble due to it's fixed length instructions. IDA Pro will do ARM binaries and if the file format is supported you can use something like qemu to load up an arm linux distro and disassemble it with objdump and gdb if you don't have access to IDA Pro.

thnaks for taking my post into consideration!

i admit i'm not good at disassembling...i'd need to ask for a little bit more help from you (i really hope you won't deny it)

i'm not 100% sure it's ARM, but i can say it's either ARM or MIPS

The config.bin (i linked) doen't seems gzipped...what encryption do you think it has?

are you able to read it somehow ?

(here's another download, in case reached d/l limit):

http://rapidshare.com/files/255157792/config.bin.html

Edited by squicky
0

Share this post


Link to post
Share on other sites

I took a look at the file and it doesn't appear to be any type of documented binary file type. I see a lot of 0xff which lead me to believe that it may not actually be compressed data. The only strings I found in it were a few references to "DLB6031". Doing some googling I came across http://nasirghaznavi.com/routers/lmmcrouter-configuration-file-decompression/ which explains that the configs are zlib compressed xml files. I downloaded the tool he provided and tried to convert it getting and error. I then tried zlib decompressing it with a simple ruby script to which I got an error saying that it was not a valid zlib compressed file. Are you sure this is the actual unmodified file?

0

Share this post


Link to post
Share on other sites

well, i don't really think it can be modified (i just tried to open/read it)

anyway, to be 100% sure here's a fresh one:

http://rapidshare.com/files/255235497/config.bin.html

config.bin

as far as the compression is concerned:

i thought myself there were too many repeated characters...but since i don't t know well ZLIB or LZMA or other compression algorithms, i wasn't completely ceratin.

i found another tool (for Zyxel, indeed) and doesn't seem to work unless i make some mistakes:

http://mindmasters.nl/kender/zyxel/

firmware

would you be able to find out, by reversing the firmware, what encryption works on the config.bin (how it saves, how it loads it).

The firmware is most likely written in C (older ones in Assembly) and compiled onto a MIPS or ARM processor...

i also found this opensource firmware version here:

http://www.dlink.fi/cs/Satellite?c=TechSupport_C&childpagename=DLinkEurope-FI%2FDLTechProduct&cid=1197319373648&p=1197318962293&packedargs=locale%3D1195806935789&pagename=DLinkEurope-FI%2FDLWrapper

BUT i'm not completely certain it is exactly the same as mine (V2.04, dated 28 april 2006) here:

http://tsd.dlink.com.tw/ModelDocuView.asp?SourceType=download&ModelSno=IJALDNNO&DocuSno=BDKDGDAD

ftp://ftp.dlink.de/di/di-524/driver_software/

ftp://ftp.dlink.co.uk/di_broadband_gateways/di-524/

Edited by squicky
0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now