Router firmware decryption idea
2022-07-28 11:35:00 【biyusr】
When you first start working with IoT firmware, most images can be handled with a single pass of binwalk. Sometimes, however, binwalk reports confusing results, or you are left staring at a pile of LZMA-looking blobs with no RTOS or file-system signature found anywhere.

At that point you should consider whether the image is encrypted. A web search will point you to binwalk's -E option as the way to decide.

So what is the principle behind that judgment? Information entropy.

Entropy: a measure of the state of a material system, the degree to which a given state of a physical system may occur. As most of us learned in junior high school, the larger the entropy, the more disordered the system.

Information entropy: in 1948 C.E. Shannon borrowed the concept from thermodynamics and used it to solve the problem of measuring information quantitatively.

In a message, the more repetition there is, the more stable (predictable) the system is, and the easier it is to extract information from it.

For an unencrypted binary, certain instructions appear with very high frequency (function prologues, NOP sequences and so on), and the data structures have almost no randomness, so the probability of repetition is very high. Unencrypted data therefore generally has low entropy.

An encrypted file, by contrast, tries to hide its information, which leaves little repetition and thus a low probability of repeated bytes. Encrypted data therefore generally has high entropy.

That is how information entropy is used to judge whether an image is encrypted; binwalk uses the corresponding algorithm to compute and plot the entropy of the file.
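To make the entropy test concrete, here is an added example (not from the original post, and not binwalk's own code) that scores a file block by block the way binwalk -E does, over a constructed image: a fake instruction stream followed by seeded pseudo-random bytes standing in for an encrypted payload. The 1 KiB block size and the 0.9 cutoff on the 0..1 scale are assumptions, not binwalk's exact defaults.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 1024   # binwalk -E also scores the image in fixed-size blocks
THRESHOLD = 0.9     # assumed cutoff on the 0..1 scale, not binwalk's exact default


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block_size: int = BLOCK_SIZE):
    """(offset, entropy / 8) per block: the 0..1 curve that binwalk -E plots."""
    return [(off, shannon_entropy(data[off:off + block_size]) / 8.0)
            for off in range(0, len(data), block_size)]


def rising_edges(profile, threshold: float = THRESHOLD):
    """Offsets where the curve first climbs above the threshold, i.e. where an
    encrypted or compressed region starts (binwalk reports these as rising edges)."""
    edges, above = [], False
    for off, ent in profile:
        if ent >= threshold and not above:
            edges.append(off)
        above = ent >= threshold
    return edges


def likely_encrypted(data: bytes, threshold: float = THRESHOLD) -> bool:
    """True when more than half of the blocks look near-random."""
    profile = entropy_profile(data)
    return sum(ent >= threshold for _, ent in profile) > len(profile) / 2


def build_sample_image() -> bytes:
    """Constructed test image, not a real firmware: 4 KiB of fake instruction
    stream (16 opcodes, each padded with NOP-like zero bytes) followed by
    4 KiB of seeded pseudo-random bytes standing in for an encrypted payload."""
    rng = random.Random(1337)
    opcodes = [0x10 + i for i in range(16)]
    code = b"".join(bytes([rng.choice(opcodes), 0, 0, 0]) for _ in range(1024))
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    return code + payload


if __name__ == "__main__":
    for off, ent in entropy_profile(build_sample_image()):
        print(f"0x{off:06x}  {ent:.3f}  {'HIGH' if ent >= THRESHOLD else 'low'}")
```

On a real image the same curve shows plain file systems and code as a ragged low band and encrypted or compressed payloads as a flat line near 1.0; a compressed region looks just as random as an encrypted one, so a high plateau alone does not prove encryption.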

Generally speaking, firmware encryption falls into three situations:

1. The initial version is unencrypted and a later version is encrypted; between them a version ships that carries the decryption program.
Obtain that intermediate version and analyse its decryption program.

2. The old version is encrypted, the encryption method is changed later, and an unencrypted transitional firmware is released in between.
Similar to case 1: obtain the transitional firmware, which carries the decryption program, and analyse and extract it.

3. The old version is encrypted, the encryption method is changed later, and the intermediate version replaces the decryption program with a new one.
If you know the early encryption method, or have the early decryption program, you can analyse the intermediate version that swaps in the new decryption program and so obtain it. Without any early decryption information this approach does not work; more often the device is bought and unencrypted firmware is extracted directly from the hardware. In theory a binary diffing tool could also be used to try to recover the decryption program.
Case study:

A router firmware was chosen for analysis. The firmware images are listed in chronological order and inspected from the earliest version onward.

DIR882A1_FW104B02_Middle_FW_Unencrypt.bin turns out to be what we call the transitional version.

Extract it and analyse it to find the decryption program, or follow the upgrade path to find where the pattern recurs.

We are lucky enough to find imgdecrypt under bin, but we cannot be sure it is really the right decryption program, so try executing it.

Compared with the output above, the result is now correctly identified as a uImage.

Try it on other firmware:

The above is a relatively standardised naming scheme; some names are not standardised, and you may need to work out the corresponding file name from the front-end upgrade page.

This post uses only one example; it will be updated as further related problems are encountered, so feel free to follow it.