1

I’m from Indonesia.

I have a ZTE F670 (Software Version V6.0.10) router provided by my ISP, and I'm trying to retrieve certain credentials stored in the configuration.

Previously, with a different router, I could download the config.xml file directly from the web interface and extract the needed information. However, with this new router, the backup file is in an encrypted config.bin format.

So far, I've tried the following:

Downloaded the config.bin file from the router's web interface. Used tools like the ZTE config utility, but the router appears to use a newer encryption algorithm (payload type 5), which isn't supported by the tools I've found. I tried to use the serial number as an encryption key, without success. Then I tried using https://github.com/mkst/zte-config-utility but no success. Telnet are open and I can access root user. I can download telnet file like cspd, dataprotocol and etc… but don’t know to use it.

Can someone help me decrypt the config.bin file, or suggest any tools that work with newer ZTE models?

this my file on telnet

https://drive.google.com/drive/folders/1GyQrkNc6WXQoICSP4wMUzigPTtmn4fpW?usp=sharing

Improve this question
0

1 Answer 1

Reset to default
4

So there was a rabbithole I had to go through.

Step 1: Download the firmware - https://www.tripleoxygen.net/files/devices/zte/f670l/v1/firmware/stock/?SD

Step 2: Extract with binwalk - it has a jffs2-root of the file system

Step 3: Interact with the file system enough to see the httpd service - js files associated and the httpd ELF file that is the server binary

Step 4: load httpd into IDA - See that it uses libdb.so to manage the database. Load libdb.so into IDA - it uses libharcode.so

Step 5: libhardcode.so uses /etc/hardcode as input to decrypt files in /etc/hardcodefile - See CspHardCodeParamGet - both key and IV are derived from SHA256 of parts of /etc/hardcodefile

Step 6: RE the implementation to decrypt the file /etc/hardcodefile/dataprotocol to reveal

DefAESCBCKey=L04&Product@5A238dc79b15726d5c06 DefAESCBCIV=ZTE%FN$GponNJ025678b02a85c63c706 AESENCRYKey= userkey=608158c36497b00221db14afb845c9e3

for the files attached in the question

Step 7: With - https://github.com/mkst/zte-config-utility

$ python examples/auto.py --key "L04&Product@5A238dc79b15726d5c06" --iv 'ZTE%FN$GponNJ025678b02a85c63c706' /tmp/f670/user_cfg.bin /tmp/f670/some.xml

and voila you can decrypt the file too

Script to decrypt the harcodefiles

from struct import unpack import glob from Crypto.Cipher import AES from Crypto.Hash import SHA256 def decrypt(): key_file = "./etc/hardcode" config_paths = glob.glob("./etc/hardcodefile/*") with open(key_file, "rb") as f: key_data = f.readline().strip() offset_bytes = lambda data, offset: bytes(b + offset for b in data) key = SHA256.new(offset_bytes(key_data[5:21], 3) + key_data[64:]).digest() iv = SHA256.new(offset_bytes(key_data[7:39], 1)).digest()[:16] for path in config_paths: cipher = AES.new(key, AES.MODE_CBC, iv) try: with open(path, "rb") as config: print(f"Decrypting {path}") header = config.read(8) magic1, magic2 = unpack(">II", header) if magic1 != 0x01020304 or magic2 != 0x00000003: print(f"{path} is not a valid config file, skipping") continue config.read(52) with open(f"{path}.decrypted.txt", "wb") as output: while True: chunk_header = config.read(12) if not chunk_header: break plain_len, cipher_len, eof = unpack(">III", chunk_header) plaintext = cipher.decrypt(config.read(cipher_len))[:plain_len] output.write(plaintext) if not eof: break except FileNotFoundError: print(f"File {path} not found, skipping") if __name__ == "__main__": decrypt()
Improve this answer
4
  • Hello its work!!! Commented Dec 14, 2024 at 3:37
  • You can accept the answer if it works Commented Dec 14, 2024 at 5:18
  • Hello, I'm willing for you to make a donation to your PayPal as a thank you for your time and effort to help Commented Dec 14, 2024 at 15:26
  • Hello okay I have reply your email Thank you friend Commented Dec 15, 2024 at 10:43

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.