FiOS-G1100-Quantum-Gateway GPG Encrypted Firmware Identification/Decryption
This is an odd router I picked up which appears to use GPG-encrypted and signed firmware; the firmware images don't seem to get identified by binwalk correctly. I've been trying to figure out a way to extract the GPG decryption keys, but so far I have been coming up empty-handed. It appears the TTL debug interface is disabled, and I haven't managed to get a root shell any other way; it has a very limited chroot shell available over SSH, but without read/write I couldn't figure out how to break out of it. My guess is I would need to dump the NAND unless I can come up with some sort of exploit. It seems my router only has the decryption keys for one of these images as well (I was able to see some limited log output over the chroot shell when uploading them).
http://bitcast-a.bitgravity.com/2wire/cms/DOWNLOAD/upgrade/frontier/D4A928/1.03.02.02/bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed
http://bitcast-a.bitgravity.com/2wire/cms/DOWNLOAD/upgrade/frontier/D4A928/1.2.0.36.98.0/bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed
Gpg2 at least seems to identify the keys needed:
$ gpg2 --list-packets bhr4_stepstone_release_1.2.0.36.98.0_firmwareupgrade.bin.signed
:pubkey enc packet: version 3, algo 1, keyid EDDA2E82EDC7030C
        data: [2048 bits]
:encrypted data packet:
        length: unknown
        mdc_method: 2
gpg: encrypted with RSA key, ID EDC7030C
gpg: decryption failed: No secret key

$ gpg2 --list-packets bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed
:pubkey enc packet: version 3, algo 1, keyid F18B47DF3F881C75
        data: [2046 bits]
:encrypted data packet:
        length: unknown
        mdc_method: 2
gpg: encrypted with RSA key, ID 3F881C75
gpg: decryption failed: No secret key
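The packet dump above is what makes these images identifiable even when a signature scanner does not flag them: a GPG message is just a sequence of OpenPGP packets, and the first one (tag 1, public-key encrypted session key) carries the recipient key ID in the clear. The following Python walker is an added example, not code from the issue, from binwalk or from the router vendor. It parses the RFC 4880 packet framing (old- and new-format headers, including the partial body lengths gpg uses for the encrypted-data packet) and reports the same fields gpg2 --list-packets prints. The key ID and the sample bytes at the bottom are constructed for the demonstration and are not taken from the router images.

```python
"""Added example: minimal OpenPGP packet walker (RFC 4880 section 4.2)
that recovers what gpg2 --list-packets shows for an encrypted blob:
packet tags, the recipient key ID, the public-key algorithm and the
size of the encrypted session key.  No dependencies beyond the stdlib."""

TAG_NAMES = {
    1: "pubkey enc",                     # Public-Key Encrypted Session Key
    2: "signature",
    3: "symkey enc",                     # passphrase-encrypted session key
    5: "secret key",
    6: "public key",
    8: "compressed data",
    9: "encrypted data",                 # no integrity protection (no MDC)
    11: "literal data",
    18: "encrypted data (SEIPD)",        # what gpg prints as mdc_method: 2
}
PK_ALGO_NAMES = {1: "RSA", 2: "RSA encrypt-only", 3: "RSA sign-only",
                 16: "Elgamal", 18: "ECDH"}


def _take(data, pos, n):
    """Slice n bytes at pos or raise on a truncated input."""
    if pos + n > len(data):
        raise ValueError("truncated packet at offset %d" % pos)
    return data[pos:pos + n], pos + n


def _new_format_length(data, pos):
    """Decode a new-format body length; returns (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    # 224..254: partial body length (a power of two); more chunks follow
    return 1 << (first & 0x1F), pos + 1, True


def _describe(tag, body):
    info = {"tag": tag, "name": TAG_NAMES.get(tag, "unknown"), "length": len(body)}
    if tag == 1 and len(body) >= 12:
        info["version"] = body[0]
        info["keyid"] = body[1:9].hex().upper()        # 64-bit key ID, as gpg prints it
        info["algo"] = body[9]
        info["algo_name"] = PK_ALGO_NAMES.get(body[9], "unknown")
        info["mpi_bits"] = int.from_bytes(body[10:12], "big")  # "data: [N bits]"
    elif tag == 18 and body:
        info["version"] = body[0]
    return info


def parse_packets(data):
    """Walk the top-level packets of an OpenPGP binary message."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if ctb & 0x40:                           # new-format header (tags > 15 need it)
            tag = ctb & 0x3F
            length, pos, partial = _new_format_length(data, pos + 1)
            body, pos = _take(data, pos, length)
            while partial:                       # gather partial-length chunks
                length, pos, partial = _new_format_length(data, pos)
                chunk, pos = _take(data, pos, length)
                body += chunk
        else:                                    # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            pos += 1
            if ltype == 3:                       # indeterminate: runs to end of input
                length = len(data) - pos
            else:
                raw, pos = _take(data, pos, (1, 2, 4)[ltype])
                length = int.from_bytes(raw, "big")
            body, pos = _take(data, pos, length)
        packets.append(_describe(tag, body))
    return packets


def recipient_keyids(data):
    """Key IDs the message is encrypted to (the two images in the post differ here)."""
    return [p["keyid"] for p in parse_packets(data) if p["tag"] == 1]


def is_pgp_encrypted(data):
    """True for the layout gpg -e produces: session-key packet(s), then ciphertext."""
    tags = [p["tag"] for p in parse_packets(data)]
    return bool(tags) and tags[0] in (1, 3) and (9 in tags or 18 in tags)


# Constructed sample, not real firmware: an RSA-2048 PKESK in an old-format
# header, then a SEIPD packet split with partial body lengths like gpg emits.
_KEYID = bytes.fromhex("0123456789ABCDEF")                 # made-up key ID
_MPI = (2048).to_bytes(2, "big") + b"\x80" + b"\x41" * 255  # 2048-bit MPI placeholder
_PKESK_BODY = b"\x03" + _KEYID + b"\x01" + _MPI             # version 3, algo 1 (RSA)
PKESK = b"\x85" + len(_PKESK_BODY).to_bytes(2, "big") + _PKESK_BODY
_SEIPD_BODY = b"\x01" + b"\x00" * 23                        # version 1 + dummy ciphertext
SEIPD = b"\xD2" + b"\xE4" + _SEIPD_BODY[:16] + b"\x08" + _SEIPD_BODY[16:]
SAMPLE = PKESK + SEIPD

if __name__ == "__main__":
    for p in parse_packets(SAMPLE):
        print(p)
    print("recipients:", recipient_keyids(SAMPLE), "encrypted:", is_pgp_encrypted(SAMPLE))
```

To use it on a real image, call parse_packets(open(path, "rb").read()): a tag 1 packet at offset 0 followed by a tag 18 packet confirms the blob is an OpenPGP message rather than something binwalk would carve, and recipient_keyids() tells you which of the two key IDs from the dump above a given image is encrypted to, which is the check to run before uploading an image to see whether the router holds the matching private key.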
Issue Analytics: created 7 years ago; 59 comments (22 by maintainers)
Top GitHub Comments
@Brandonv101 You have to enable SSH using TR-069 on the WAN side (there's a built-in, remotely activatable root SSH backdoor); I set up a local GenieACS server to do that. Redirecting the router to a local ACS server is a bit tricky though; I originally tried to MITM it, but that's not possible since the router verifies the ACS server's SSL certificate.
You can, however, change the config file to disable SSL and point it at your own ACS server. The config file is AES-encrypted, but I have some Python scripts that can decrypt and re-encrypt the config file so that it can be edited (I had to get some help with reversing the encryption scheme from the assembly for that).
These are the config file encryption/decryption scripts I'm using: gwdecrypt.py, gwencrypt.py