General NAS-Central Forums

PostPosted: Fri Sep 12, 2008 9:34 pm 

The firmware is encrypted. To decrypt the firmware you need access to the hwcp or hwdecrypt commands.

To get access to these commands you need to connect to the serial console, and then boot the system in "Tech Support" aka "Factory Mode". Then mount the root and copy these files somewhere suitable outside /bin. (the bootup will automatically erase them from /bin if present...)

It should also be possible to make an add-on that copies these. During installation of encrypted add-ons the hwcp and hwdecrypt binaries are present in the root /bin folder. The format of an encrypted add-on is the same as an unencrypted one, except that the .tar.gz is encrypted using hwencrypt and the header does not say it's unencrypted.


 
PostPosted: Fri Sep 12, 2008 9:37 pm 

This method allows you to decrypt the kernel and root.tgz components of the firmware.

Details on how to decrypt the initrd are still uncertain, but the tech support mode does give access to the initrd system, so it's not that critical for analysis of the firmware.


 
PostPosted: Thu Sep 18, 2008 7:01 pm 

The crypto keys have been found in the ROM (see 0x40000000 thread) but there seems to be something more to it. Plain DES3 does not match the hardware results if using this key.


 
PostPosted: Tue Apr 06, 2010 8:03 am 

hno wrote:
It should also be possible to make an add-on that copies these. During installation of encrypted add-ons the hwcp and hwdecrypt binaries are present in the root /bin folder. The format of an encrypted add-on is the same as an unencrypted one, except that the .tar.gz is encrypted using hwencrypt and the header does not say it's unencrypted.


Using this path is a little tricky as it requires you to compose your own encrypted add-on with a magic ".tmp.X0aPR7p" file run during installation (used by the ssh add-on).

Maybe the following works for getting hwcp:

Code:
mkdir -p /usr/local/bin
ln -s /usr/local/bin/hwcp /bin/hwcp
reboot


No update installation required.


Another approach that most likely works and should give access to the whole initrd is to temporarily disable the rm command in the root.

Code:
mv /bin/rm /bin/rm.real
echo '#!/bin/true' >/bin/rm
chmod +x /bin/rm
reboot


Don't forget to restore /bin/rm when done.

Code:
mv -f /bin/rm.real /bin/rm


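Why the symlink suggestion in the post above can work, as an added sandbox illustration (not code from the post or from the ReadyNAS firmware). It assumes the boot-time installer opens /bin/hwcp for writing; the helpers install_tool and simulate and the stand-in payload are hypothetical, and the hardened branch shows the writer-side fix.

```shell
#!/bin/sh
# Sandbox simulation only: everything happens under a mktemp directory.
# Assumption: the boot-time installer opens /bin/hwcp for writing, which
# follows a symlink already sitting at that path.

# install_tool MODE SRC DST: write SRC to DST the naive or the hardened way.
install_tool() {
    case $1 in
    naive)
        cat "$2" > "$3"                 # open() follows the planted link
        ;;
    hardened)
        # -L is true even for a dangling link, where -e would say "absent".
        [ -L "$3" ] && echo "warning: $3 was a symlink" >&2
        rm -f "$3"                      # unlink the entry itself, not its target
        ( set -C; cat "$2" > "$3" )     # noclobber: only create a brand-new file
        ;;
    esac
}

# simulate MODE: plant the link, install, run the cleanup, report the outcome.
simulate() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/usr/local/bin"
    echo 'stand-in for hwcp' > "$root/payload"          # constructed sample file
    ln -s "$root/usr/local/bin/hwcp" "$root/bin/hwcp"   # same link as in the post
    install_tool "$1" "$root/payload" "$root/bin/hwcp"
    rm -f "$root/bin/hwcp"                              # boot-time erase of /bin/hwcp
    if [ -e "$root/usr/local/bin/hwcp" ]; then
        result=survived     # cleanup removed only the link; the copy persists
    else
        result=erased
    fi
    rm -rf "$root"
    echo "$result"
}

for mode in naive hardened; do
    echo "$mode: $(simulate "$mode")"
done
```

For anyone relying on delete-after-use to protect a helper binary, the takeaway is that removing a fixed path is not enough unless the writer also refuses to follow links at that path.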
 
PostPosted: Tue Apr 06, 2010 8:31 am 

A hardware independent tool "readynas_crypto" for working with the readynas encryption can be found in my readynas tools section at

http://www.henriknordstrom.net/code/readynas/

This tool is capable of working with both types of encryption used in ReadyNAS firmwares / updates / add-ons.

A simple script for decoding firmware files follows, just drop it in the readynas_crypto-1.0 folder.

Code:
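#!/bin/bash
# Extract and decrypt the components of a ReadyNAS firmware file.
top=$(dirname "$0")
crypto="$top/readynas_crypto"

if [ $# -ne 1 ] && [ $# -ne 2 ]; then
        echo "Usage: $0 firmware [directory]"
        echo "Extracts firmware components into directory (current if not specified)"
        exit 1
fi

firmware=$1
target=${2:-.}

# The first 512-byte block is decrypted to get the name::start::size index lines;
# the info:: line is read from the same block without decryption.
dd if="$firmware" count=1 | "$crypto" -d | grep -a '::[0-9][0-9]*::[0-9][0-9]*$' > "$target/index"
dd if="$firmware" count=1 | grep -a ^info:: > "$target/info"
cat "$target/index" | while read -r line; do
        filename=$(echo "$line" | cut -d: -f1)
        start=$(echo "$line" | cut -d: -f3)
        size=$(echo "$line" | cut -d: -f5)
        # Read whole 512-byte blocks from the start offset, decrypt them,
        # then trim the output to exactly $size bytes.
        dd if="$firmware" skip="$start" count=$(( (size + 512) / 512 )) |
                case "$filename" in
                "initrd.img")
                        # initrd.img is decrypted with -k 3
                        "$crypto" -d -k 3
                        ;;
                *)
                        "$crypto" -d
                        ;;
                esac \
        | dd bs="$size" count=1 iflag=fullblock > "$target/$filename"
done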

