
decode .bin file


noobyz
July 13th, 2009, 04:20
hi everybody,
I've got this problem:
I can't understand which encryption a router's config file has.

The router is a D-Link DI-524 AirPlus G
I tried to view the binary file... as far as I can see, it might not be compressed, maybe just encrypted

I already tried using some tools, but without any good result.
So I'm guessing the only way left would be reversing the firmware (to find the routines that read and write the config.bin).
The firmware is most probably written in C and compiled for a MIPS or ARM processor... since I'm no good at reversing, I need your help!

Here's the config.bin
http://rapidshare.com/files/255261293/config.bin.html

Here's the firmware (version V2.04 dated 28 April 2006)
http://tsd.dlink.com.tw/ModelDocuView.asp?SourceType=download&ModelSno=IJALDNNO&DocuSno=BDKDGDAD
ftp://ftp.dlink.de/di/di-524/driver_software/
ftp://ftp.dlink.co.uk/di_broadband_gateways/di-524/
I also found the source code of the firmware (though I'm NOT sure it's exactly the same as my V2.04...)
http://www.dlink.fi/cs/Satellite?c=TechSupport_C&childpagename=DLinkEurope-FI%2FDLTechProduct&cid=1197319373648&p=1197318962293&packedargs=locale%3D1195806935789&pagename=DLinkEurope-FI%2FDLWrapper

thanks a lot

Aimless
July 13th, 2009, 04:45
I don't think you get it.

Do you?

Have Phun

noobyz
July 13th, 2009, 04:57
A bit rude, but I accept.
Actually I have very little experience (I'm mostly a web programmer, web designer and keen on video editing),
that's why I'm asking here for help!

Hope you won't deny it...

Aimless
July 13th, 2009, 04:59
No. I mean you really don't get it, do you?

Not the router bin file aspect. The whole purpose of this board, that is.

Have Phun

arc_
July 13th, 2009, 07:05
noobyz: the point of this board is to ask people for guidance and hints to help you reverse engineer something by yourself. What you seem to be doing in this thread is throwing us your files and saying "I have no clue about reversing whatsoever, please do my work for me". And that doesn't work here. This is a learning board, not a crack request board.

What you are expected to do is first make a proper attempt at it yourself. You have the source code, so you don't even need to reverse engineer ARM assembly! Then, once you get stuck with something more specific than "I can't do it, please do it for me", *then* you can come here and ask (and actually have people helping you).

squidge
July 13th, 2009, 09:54
What makes you think it's encrypted?

disavowed
July 13th, 2009, 13:17
I just took a quick look at the source code you linked to and it reads from and writes to config.bin.
Look at the source code to get the answer to your question.

Woodmann
July 13th, 2009, 18:13
Maybe the feds got in it.

Woodmann

noobyz
July 17th, 2009, 20:57
OK, I did some research and made some efforts to get what I need... there's a point where I'm stuck.
First I'll tell what I thought and did:
I checked out the GPL source code, and focused on the executable that (in my not very expert opinion) could extract or decode the config.xml out of the config.bin.
The files involved in this might be these, as far as I can understand:

di524\userland\target\usr\sbin\rgbin
di524\progs.priv\rgbin\Makefile
di524\progs.priv\rgbin\rgbin

di524\userland\target\usr\sbin\rgdb
di524\tools\alpha\rgdb\Makefile
di524\tools\alpha\rgdb\rgdb

di524\userland\target\usr\sbin\rgcfg


Knowing the router runs a Linux-based OS, I thought it should be useful to compile the "rgbin" utility and run it under Linux...
But the Makefile seems to be missing some info... doesn't it?
What do you think about it and about the whole deal?
Do you get errors compiling it?
thanks

noobyz
July 21st, 2009, 00:57
anybody?
(it seems some external files, included in the "rgbin" code, are empty...?)

noobyz
August 8th, 2009, 04:00
Quote:
[Originally Posted by disavowed;81722]I just took a quick look at the source code you linked to and it reads from and writes to config.bin.
Look at the source code to get the answer to your question.


Do you mean the file "profile.sh"?
Code:

#!/bin/sh
# Load $nvram (the config storage device) and $defaultconfig (the factory
# default profile) from the firmware's defines file.
. /etc/config/defines
case "$1" in
get)
    # Read the gzipped XML profile out of nvram into /var/run; fall back to
    # the factory defaults and store them if nothing usable is there.
    rgcfg get -n $nvram -c /var/run/rgdb.xml.gz
    if [ "$?" != "0" ]; then
        echo "Can't get config from nvram, generate default!" > /dev/console
        /etc/scripts/misc/profile.sh reset
        /etc/scripts/misc/profile.sh put
        exit 0
    fi
    gunzip /var/run/rgdb.xml.gz
    # Load the XML into the running rgdb database; an invalid file also
    # triggers a reset to defaults.
    rgdb -l /var/run/rgdb.xml
    if [ "$?" != "0" ]; then
        echo "Invalid config, generate default!" > /dev/console
        /etc/scripts/misc/profile.sh reset
        /etc/scripts/misc/profile.sh put
    fi
    rm -f /var/run/rgdb.xml
    ;;
put)
    # Dump the running database to XML, gzip it and save it back into nvram.
    rgdb -D /var/run/rgdb.xml
    gzip /var/run/rgdb.xml
    rgcfg save -n $nvram -c /var/run/rgdb.xml.gz
    if [ "$?" = "0" ]; then
        echo "ok" > /dev/console
    else
        echo "failed" > /dev/console
    fi
    rm -f /var/run/rgdb.xml.gz
    cd
    ;;
reset)
    # Load either the profile given as $2 or the factory default profile.
    if [ "$2" != "" ]; then
        cp $2 /var/run/rgdb.xml.gz
        rm -f $2
    else
        cp $defaultconfig /var/run/rgdb.xml.gz
    fi
    gunzip /var/run/rgdb.xml.gz
    rgdb -l /var/run/rgdb.xml
    rm -f rgdb.xml   # relative path, as in the original script
    cd
    ;;
*)
    echo "Usage: $0 get/put/reset"
esac



but the "config.bin" doesn't actually seem to be compressed, as I thought...
I'm quite helpless!

SiGiNT
August 8th, 2009, 11:41
What exactly are you trying to do? If the router is not functioning correctly, simply hit the reset button - it restores factory defaults. If you're trying to access hidden features - there probably aren't any - what would be the purpose?? If it's wireless power you're trying to increase, you'd do that by changing parts on the board - or using a better antenna(s). What's your goal and why should we care??

SiGiNT

squidge
August 8th, 2009, 12:07
Maybe it's a config file from someone else's router and he's trying to figure out their administrator or DSL password?

Either way, the config.bin is most likely an e2 dump (hence all the FF's) and rgdb is the only tool to understand that dump. Since we don't have the source code to that tool but you do have the binary, you'll have to find out how that tool works. I recommend downloading a copy of IDA and feeding it rgdb.

Or, you could just copy the config.bin to your router and run the command yourself. There seems to be an option to convert the file to another format. By far the easiest way to go. telnet and tftp come to mind.
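Added example, not from squidge or anyone else in this thread and not D-Link's code: a Python triage script that does the check behind squidge's remark. It looks for a gzip header, measures the fraction of 0xFF bytes (erase fill in a dumped EEPROM or flash part), and computes the Shannon entropy of the remaining bytes, which separates plain binary data with readable settings from compressed or encrypted content. The three inputs are constructed inside the script; no real config.bin is used.

```python
import gzip
import math
import random
from collections import Counter

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of any gzip stream


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant fill, close to 8.0 for
    random, compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes (what `strings` shows)."""
    runs, current = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def triage_blob(data: bytes) -> dict:
    """Classify a blob as gzip, high-entropy (compressed/encrypted), an
    erased-flash style dump (mostly 0xFF with a readable payload), or plain
    low-entropy data."""
    ff_fraction = data.count(0xFF) / len(data) if data else 0.0
    payload = bytes(b for b in data if b != 0xFF)  # ignore erase fill for entropy
    entropy = shannon_entropy(payload)
    if data.startswith(GZIP_MAGIC):
        verdict = "gzip-compressed"
    elif entropy > 7.5:
        verdict = "high-entropy (compressed or encrypted)"
    elif ff_fraction > 0.5:
        verdict = "mostly 0xFF fill with low-entropy payload (raw EEPROM/flash dump)"
    else:
        verdict = "low-entropy plain data"
    return {
        "gzip_magic": data.startswith(GZIP_MAGIC),
        "ff_fraction": round(ff_fraction, 3),
        "payload_entropy": round(entropy, 2),
        "strings": printable_runs(data)[:5],
        "verdict": verdict,
    }


# Constructed samples (not real router dumps):
# 1) EEPROM-style: 2 KiB of 0xFF erase fill with a few text settings at an offset
_settings = b"hostname=router\x00ssid=home-wlan\x00channel=6\x00"
SAMPLE_EEPROM = b"\xff" * 256 + _settings + b"\xff" * (2048 - 256 - len(_settings))
# 2) a gzip stream, like the /var/run/rgdb.xml.gz that profile.sh handles
SAMPLE_GZIP = gzip.compress(b"<rgdb><wan><mode>dhcp</mode></wan></rgdb>")
# 3) seeded pseudo-random bytes standing in for ciphertext
_rng = random.Random(1234)
SAMPLE_RANDOM = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in (("eeprom", SAMPLE_EEPROM), ("gzip", SAMPLE_GZIP), ("random", SAMPLE_RANDOM)):
        print(name, triage_blob(blob))
```

On a real file, pass `open(path, "rb").read()` to `triage_blob`. A gzip magic or an entropy near 8 bits per byte is what would justify calling the data "compressed" or "encrypted"; a low payload entropy with visible strings means it is simply binary, which is what squidge's earlier question ("What makes you think it's encrypted?") was driving at.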

noobyz
August 8th, 2009, 13:20
thanks squidge,
you're saying the right things, as far as I can see.

Unfortunately neither TFTP nor Telnet (or SSH) can get a connection to the router.

I'm afraid the only way left is compiling the tools from the firmware... but I don't really know how to do it (is it possible to compile just some files, not the whole thing?)
The source code is available, actually... thus, no IDA in my opinion would be necessary:
ftp://ftp.dlink.co.uk/GPL/DI-524_E1_GPL.tgz
ftp://ftp.dlink.se/Products/di-products/di-524/drivers_firmware/di524.source.tgz

BTW, the command and convert option you're hinting at would be as follows?
Code:

rgdb -D config.bin

SiGiNT
August 8th, 2009, 17:57
Quote:
[Originally Posted by squidge;82315]Maybe it's a config file from someone else's router and he's trying to figure out their administrator or DSL password?

Either way, the config.bin is most likely an e2 dump (hence all the FF's) and rgdb is the only tool to understand that dump. Since we don't have the source code to that tool but you do have the binary, you'll have to find out how that tool works. I recommend downloading a copy of IDA and feeding it rgdb.

Or, you could just copy the config.bin to your router and run the command yourself. There seems to be an option to convert the file to another format. By far the easiest way to go. telnet and tftp come to mind.


You give great advice Squidge, and I have the utmost respect for you, but as to finding a password (unless he's trying to hack remotely, in which case he's already in), my suggestion again is hit the recessed factory defaults switch - returns to original Admin password and EVERYONE knows what that is - if he's just trying to learn then all he needs is pointers - not the solution.

Sorry to sound nasty but that is this board's policy, and he still hasn't stated his goal - that would be nice - it would make it ultimately easier to help him.

SiGiNT

Excuse me if I talk hardware here for a second (I've participated in the design of similar stuff) - passwords and user accessible settings would not be contained in the firmware - they would reside in flash memory which is accessible either through an on-board connector - not usually populated - just holes, or by the MAC (Media Access Controller) and shouldn't exist as a file. You might get a glimmer of the DSL password in the packets sent but that is crypto and not really for any kind of noob.

Woodmann
August 8th, 2009, 19:09
OK,

I typed out what I thought was a well thought out reply but upon further review decided to shitcan it due to the complete lack of info the noobyz has given us.

The feds have hacked his router and there is nothing he can do, now that they have installed encrypted firmware and a brain penetrating BIOS probe that only works under Linux.

Or something like that.

Woodmann

noobyz
August 8th, 2009, 20:52
It's a little innocent hack.
Being authenticated in a WLAN doesn't mean having gained the gateway password...

and the admin pwd IS contained in the config.bin (I'm a noob, but that's the only thing I'm sure of)

I hope you still can help me
regards

squidge
August 9th, 2009, 02:39
My router doesn't enable telnet either, by default. However, there are ways to enable it, and there probably is for the router you're talking about. As for TFTP, I wasn't thinking of the router being the server, but your PC.

If the source is available, then you have an easy task, but I don't think it is. Manufacturers are forced to release any GPL software they modify, but rgdb isn't modified GPL software, so there's no need for them to release the source code.

Now you need to prove that you have done some work before we go any further.

noobyz
August 9th, 2009, 15:35
As for TFTP:
I tried also WinSCP but it doesn't seem to connect to the router (the only available ports are 80 and 515).
As for Telnet/SSH:
I have no clue how to enable telnet/ssh if it's not on by default (they might be enabled in the "Virtual server" settings tab... but this would mean you can use those protocols when connecting "through" the router, not "to" the router... if I got it right).
Please let me know what you are thinking of!

As for the firmware's source:
after compiling it on Ubuntu and trying to run this code (it should dump the .xml config, in my opinion)
Code:

rgdb -D config.bin

I get this error and no expected result:
Quote:

bash: ./rgdb: cannot execute binary file

...this left me quite sad...

Woodmann
August 9th, 2009, 16:06
So we are still left to play 20 questions.

Are you trying to access a wireless network that requires a username and password?

After a little searching I see you have asked this same question just about everywhere.

Go get your answer here: http://www.gnucitizen.org/blog/router-hacking-challenge/

Look at the papers that others have written and write your own exploit.

squidge
August 9th, 2009, 16:11
You really don't get it do you? As I've said before, you do not attempt to connect to the router via tftp. That rarely, if ever, works on a router like this. Instead you connect FROM the router to your PC (which is of course running appropriate software to accept the connection).

But that's moot if you can't figure out how to telnet to the router in the first place. You have the source code for most of the router, have a look through it to see if there's a way of re-enabling telnet access. Don't expect other people to figure this out for you. You have the problem, so you need to fix it yourself. We'll offer help, but not do the task for you.

As for rgdb, if you look at the timestamp, you'll probably find it didn't actually compile it, because, as I also stated in a previous message, there's no source code for it. Therefore you have an ARM image, and your x86 Ubuntu can't by default execute ARM images (but there are ways to do that; I'll let you figure it out).
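Added example, not from squidge or anyone else in this thread and not part of the D-Link sources: a Python script that reads the ELF identification bytes of a binary and reports its word size, endianness and target CPU, which is the check behind squidge's point that `bash: ./rgdb: cannot execute binary file` means a prebuilt ARM (or MIPS) image was found, not something the Makefile compiled. The sample headers are constructed here; the `e_machine` numbers are the ELF specification constants, and `platform.machine()` supplies the host CPU name.

```python
import platform
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification for the architectures relevant here
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object"}
# platform.machine() strings mapped onto the same names
HOST_ALIASES = {"x86_64": "x86-64", "AMD64": "x86-64", "i386": "x86", "i686": "x86",
                "armv7l": "ARM", "armv6l": "ARM", "aarch64": "AArch64",
                "arm64": "AArch64", "mips": "MIPS"}


def elf_info(data: bytes):
    """Parse the ELF identification bytes plus e_type/e_machine; None if not ELF."""
    if len(data) < 20 or not data.startswith(ELF_MAGIC):
        return None
    bits = {1: 32, 2: 64}.get(data[4])             # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])   # EI_DATA
    if bits is None or endian is None:
        return None
    fmt = ("<" if endian == "little" else ">") + "HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)  # e_type, e_machine at offset 16
    return {"bits": bits, "endian": endian,
            "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
            "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})")}


def runs_natively(info: dict, host_machine: str) -> bool:
    """True if an image for info['machine'] can run directly on the given host
    CPU (a platform.machine() string); 32-bit x86 on x86-64 counts as native."""
    host = HOST_ALIASES.get(host_machine, host_machine)
    return info["machine"] == host or (info["machine"] == "x86" and host == "x86-64")


def explain(data: bytes, host_machine: str = None) -> str:
    """One-line verdict for a file: not ELF, native, or foreign architecture."""
    host_machine = host_machine or platform.machine()
    info = elf_info(data)
    if info is None:
        return "not an ELF image (script, data, or other format)"
    if runs_natively(info, host_machine):
        return f"{info['bits']}-bit {info['machine']} {info['type']}: runs natively on {host_machine}"
    return (f"{info['bits']}-bit {info['endian']}-endian {info['machine']} {info['type']}: "
            f"cannot run natively on {host_machine}; needs the target device or an emulator")


def make_elf_header(bits: int, endian: str, e_type: int, e_machine: int) -> bytes:
    """Build a minimal constructed ELF header (e_ident + e_type/e_machine/e_version)
    for the samples below; it is not a loadable binary."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1]) + b"\x00" * 9
    fmt = ("<" if endian == "little" else ">") + "HHI"
    return ident + struct.pack(fmt, e_type, e_machine, 1)


# Constructed samples, not the real rgdb binary
SAMPLE_ARM = make_elf_header(32, "little", 2, 40)
SAMPLE_MIPS_BE = make_elf_header(32, "big", 2, 8)
SAMPLE_X86_64 = make_elf_header(64, "little", 3, 62)
SAMPLE_SCRIPT = b"#!/bin/sh\n. /etc/config/defines\n"

if __name__ == "__main__":
    for blob in (SAMPLE_ARM, SAMPLE_MIPS_BE, SAMPLE_X86_64, SAMPLE_SCRIPT):
        print(explain(blob, "x86_64"))
```

On a real file, `explain(open("rgdb", "rb").read())` gives the same answer that `file rgdb` prints; the value of having it in code is that the same check can be run over every binary in an unpacked firmware tree before anyone wonders why `./rgdb` will not start.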

Woodmann
August 9th, 2009, 17:14
Don't bother with this anymore.

He has spammed the internet with this question and only begs for help.

I have read just about every post he has made and he will not do anything to help himself on any forum.

Allow me to give him his final answer.

YOU CAN'T DO IT.

Why?

GO READ ABOUT BINARY FILES. IT'S NOT ENCRYPTED, IT IS FUCKING BINARY.
YOU DON'T HAVE PHYSICAL ACCESS - YOU CAN'T DO IT.

Actually, other people can do it. You are unwilling to make an effort so you are SOL.

FIN

Woodmann