How to decrypt the firmware

The Netgear NAS forum

hno
Posts: 39
Joined: Tue Sep 09, 2008 9:56 am

How to decrypt the firmware

Post by hno » Fri Sep 12, 2008 9:34 pm

The firmware is encrypted. To decrypt the firmware you need access to the hwcp or hwdecrypt commands.

To get access to these commands you need to connect to the serial console, and then boot the system in "Tech Support" aka "Factory Mode". Then mount the root and copy these files somewhere suitable outside /bin (the bootup will automatically erase them from /bin if present).

It should also be possible to make an add-on that copies these. During installation of encrypted add-ons the hwcp and hwdecrypt binaries are present in the root /bin folder. The format of an encrypted addon is the same as an unencrypted one except that the .tar.gz is encrypted using hwencrypt and the header does not say it's unencrypted.


Re: How to decrypt the firmware

Post by hno » Fri Sep 12, 2008 9:37 pm

This method allows you to decrypt the kernel and root.tgz components of the firmware.

Details on how to decrypt the initrd are still uncertain, but the tech support mode does give access to the initrd system so it's not that critical for analysis of the firmware.


Re: How to decrypt the firmware

Post by hno » Thu Sep 18, 2008 7:01 pm

The crypto keys have been found in the ROM (see the 0x40000000 thread) but there seems to be something more to it. Plain DES3 does not match the hardware results if using this key.


Re: How to decrypt the firmware

Post by hno » Tue Apr 06, 2010 8:03 am

hno wrote: It should also be possible to make an add-on that copies these. During installation of encrypted add-ons the hwcp and hwdecrypt binaries are present in the root /bin folder. The format of an encrypted addon is the same as an unencrypted one except that the .tar.gz is encrypted using hwencrypt and the header does not say it's unencrypted.


Using this path is a little tricky as it requires you to compose your own encrypted addon with a magic ".tmp.X0aPR7p" file run during installation (used by the ssh addon).

Maybe the following works for getting hwcp:

Code:

mkdir -p /usr/local/bin
# Dangling symlink: anything copied to /bin/hwcp is written through the
# link into /usr/local/bin/hwcp, and removing /bin/hwcp afterwards only
# drops the link, so the real file stays outside /bin.
ln -s /usr/local/bin/hwcp /bin/hwcp
reboot


No update installation required.


Another approach that most likely works and should give access to the whole initrd is to temporarily disable the rm command in the root.

Code:

mv /bin/rm /bin/rm.real
# Replace rm with a script whose interpreter is /bin/true: every rm call
# exits 0 without deleting anything, so the boot cleanup leaves the files.
echo '#!/bin/true' >/bin/rm
chmod +x /bin/rm
reboot


Don't forget to restore /bin/rm when done.

Code:

mv -f /bin/rm.real /bin/rm
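
The first post says the boot erases hwcp and hwdecrypt from /bin, and the post above disables rm for a whole boot to keep them. The following script is an added example, not hno's code: it puts a wrapper in place of rm that copies any hw* binary it is asked to delete into a capture directory and then hands the call to the real rm, so the rest of the boot cleanup still runs. Moving the real rm aside as rm.real is taken from the post; the capture directory (/usr/local/captured in the usage comment) and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the forum post): an rm wrapper that captures hw*
# binaries (hwcp, hwdecrypt, hwencrypt) instead of disabling rm outright.
#
# Assumptions, mine rather than the page's: the real rm is moved aside as
# $bindir/rm.real, and the capture directory is writable while boot runs.

install_capture_rm() {
    bindir=$1      # e.g. /bin on the mounted NAS root
    capture=$2     # e.g. /usr/local/captured, i.e. outside /bin
    mkdir -p "$capture"
    [ -e "$bindir/rm.real" ] || mv "$bindir/rm" "$bindir/rm.real"
    # $bindir and $capture are expanded now; \$f and \$@ stay literal so the
    # wrapper sees its own arguments at boot time.
    cat > "$bindir/rm" <<EOF
#!/bin/sh
# rm wrapper: stash hw* binaries before deleting them (added example)
for f in "\$@"; do
    case "\$f" in
    -*) ;;                                          # option, not a path
    hw*|*/hw*) cp -p "\$f" "$capture/" 2>/dev/null ;;
    esac
done
exec "$bindir/rm.real" "\$@"
EOF
    chmod +x "$bindir/rm"
}

restore_rm() {
    bindir=$1
    if [ -e "$bindir/rm.real" ]; then
        mv -f "$bindir/rm.real" "$bindir/rm"
    fi
}

# Usage: capture_rm.sh install /bin /usr/local/captured
#        capture_rm.sh restore /bin
case "${1:-}" in
    install) install_capture_rm "$2" "$3" ;;
    restore) restore_rm "$2" ;;
esac
```

Run the install step from tech support mode with the root mounted, reboot normally so the boot scripts call the wrapper, then collect the binaries from the capture directory and run the restore step. As with the original trick, the wrapper only helps if the cleanup goes through rm rather than unlinking the files directly.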


Re: How to decrypt the firmware

Post by hno » Tue Apr 06, 2010 8:31 am

A hardware independent tool "readynas_crypto" for working with the readynas encryption can be found in my readynas tools section at

http://www.henriknordstrom.net/code/readynas/

This tool is capable of working with both types of encryption used in ReadyNAS firmwares / updates / addons.

A simple script for decoding firmware files follows, just drop it in the readynas_crypto-1.0 folder.

Code:

#!/bin/bash
# Extracts the components of a ReadyNAS firmware file using readynas_crypto.
top=$(dirname "$0")
crypto=$top/readynas_crypto

if [ $# -ne 1 ] && [ $# -ne 2 ]; then
        echo "Usage: $0 firmware [directory]"
        echo "Extracts firmware components into directory (current if not specified)"
        exit 1
fi

firmware=$1
target=${2:-.}

# The first 512-byte block is the encrypted header. Decrypted, it holds one
# "name::start::size" line per component (start in 512-byte blocks, size in
# bytes). The plaintext "info::" lines in the same block describe the image.
dd if="$firmware" count=1 2>/dev/null | "$crypto" -d | grep -a '::[0-9][0-9]*::[0-9][0-9]*$' > "$target/index"
dd if="$firmware" count=1 2>/dev/null | grep -a '^info::' > "$target/info"

while read -r line; do
        filename=$(echo "$line" | cut -d: -f1)
        start=$(echo "$line" | cut -d: -f3)
        size=$(echo "$line" | cut -d: -f5)
        # Read whole blocks covering the component (an extra block does no
        # harm, the result is trimmed to $size below), decrypt it with the
        # default key, or key 3 for initrd.img, then cut it to its exact size.
        dd if="$firmware" skip="$start" count=$(( ($size + 512) / 512 )) 2>/dev/null |
                case "$filename" in
                "initrd.img")
                        "$crypto" -d -k 3
                        ;;
                *)
                        "$crypto" -d
                        ;;
                esac |
                dd bs="$size" count=1 iflag=fullblock 2>/dev/null > "$target/$filename"
done < "$target/index"
