doesn't even run. #1
Comments
The xrange comment tells me that your IDE is Python 3, whereas the script uses Python 2 (which is probably a bug). The colored error is probably that you haven't installed the TermColor library. Could you try this in Python 2 and copy and paste in the exact errors please? |
Oh, thanks for your time. I've run it again and here are the errors: [LOG] using file Test.spk |
python2
|
if that's any help |
... "Doing the actual key-finding and decryption can be left as an exercise for the reader ?" ... |
Yes, I know, that's where I found it. Even though I found the article very
informative, I still cannot do it. I suspect I'm missing something. Any
help would be appreciated.
…On Wed, 27 Nov 2019, 10:12 am Engür Pişirici, ***@***.***> wrote:
... "Doing the actual key-finding and decryption can be left as an
exercise for the reader ?" ...
So, you have to find the key yourself...
https://www.pentestpartners.com/security-blog/breaking-bad-firmware-encryption-case-study-on-the-netgear-nighthawk-m1/
|
Maybe I should be a bit clearer |
The first 32 bits of the key in hex is That should technically make it exponentially easier for you to brute force it ;) |
Hi @sgulls @tautology0, to piggyback on this.. embedded security research is nothing new to me but I'm hitting a brick wall. I have the aes_key and it works, and I got the key_padding correct I believe, as the resulting _decrypted.bin actually has stuff that binwalk recognizes and can extract (kind of), and I can see strings from like APNs configs and JSON and such in the resulting .ubi and .zlib files. However, I still think something is screwed up on my end because the original encrypted firmware file is 103.7 MB (MR1100-100NAS_23113828_NTG9x50C_12.06.11.00_00_GenericNA_05.03.secc.spk) and the _decrypted.bin is only 16.9 MB and binwalk ends up not being able to extract anything from the resulting .ubi files, despite actually seeing file headers for instance. There's a whole lot less in what I ended up with vs what's floating around in the FOTO9X50 file. Have you tried this on the latest MR1100 firmware? Or am I missing something (key_32 maybe..?) that you can give me a hint on? I've spent a ton of time understanding your script and trying to retrace your steps (xortool is awful, Google Translate is great) and actually own a Segger J-Link in case I need to go that route :-) |
I am not sure whether the key found on the slide show of DEF CON 27 would still work today. I tried to port this script to Python 3 but I failed in |
I get the feeling this will need updating for Python3 and the latest firmware. Happy to accept pull requests for it. It may be a while until I can get a chance to look properly. |
I tried the Python 2 environment; I am not sure whether it is a problem of the wrong key or whether the header format has been changed. |
Hello, I am not sure if you have finally resolved the firmware decryption issue. I have also encountered the same problem as before. I am unable to obtain the key kernel padding and other information contained in the firmware. If you have resolved it, I hope to receive your help. |
Hi, I'm not too much of an expert, but my IDE for py says things like undefined name 'xrange'.
and
Local variable 'final_key' is assigned to but never used.
When I tried to run it, it would not run as there was an undefined log var.
So I changed it to print; it seemed to work, then I got errors like this:
NameError: global name 'colored' is not defined
So I commented those entries out,
and now I have this error:
ValueError: Key cannot be the null string