Thursday, January 21, 17:33

D-Link: The firmware encryption key is exposed to an unencrypted image

Security researchers have found a way to decrypt firmware images that are built into D-Link routers.

Firmware is the code that provides low-level functions for hardware devices.

Companies encrypt the firmware images for their devices to prevent reverse engineering by competitors and threat actors, and to prevent their customers (or, more to the point, malware) from flashing the device with custom firmware.


To decrypt anything, you would need either the secret decryption key or a means to break the encryption algorithm. If firmware images are indeed encrypted, how could they be so easily decrypted?

Analysis of D-Link's firmware image encryption

At the beginning of his analysis, Starke downloaded the latest version of the D-Link firmware (1.11B02) from the support site and used Binwalk to analyze it.

Binwalk is a simple reverse-engineering utility designed specifically for firmware extraction and analysis.

To the researcher's surprise, Binwalk did not reveal anything.

The result was an immediate indication that the firmware was encrypted.

Interestingly, unpacking an earlier version, "1.02B03", obtained from the same D-Link support site, revealed two firmware files:

  • DIR3040A1_FW102B03.bin
  • DIR3040A1_FW102B03_uncrypted.bin

The presence of a binary ending in "…_uncrypted.bin" was a direct indication that it was potentially unencrypted, while the other was probably encrypted.

The binwalk analysis on “DIR3040A1_FW102B03_uncrypted.bin” revealed some useful information:


The above information told researchers that the image contained an unencrypted binary firmware that could then be extracted and parsed for saved decryption keys.

"Bingo, a uImage header and the accompanying file system. We can export it using binwalk -eM DIR3040A1_FW102B03_uncrypted.bin. Looking at the file system, the first thing I did was search for certificates," Starke explains in his blog.
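The two observations above (no recognizable signatures in the newer image, a uImage header in the older one) can be reproduced with a small classifier. This is an added example, not code from Starke's post or from Binwalk; the sample inputs, the 7.9 bits/byte threshold and the header field values are constructed assumptions.

```python
import hashlib, math, struct, zlib
from collections import Counter

UIMAGE_MAGIC = 0x27051956        # U-Boot legacy image magic
HDR = struct.Struct(">7I4B32s")  # 64-byte big-endian uImage header

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def find_uimage(blob):
    """Return (offset, name) of the first header whose CRC32 validates, else None."""
    magic = struct.pack(">I", UIMAGE_MAGIC)
    pos = blob.find(magic)
    while pos != -1:
        raw = blob[pos:pos + HDR.size]
        # The header CRC is computed with its own field (bytes 4..7) zeroed.
        if len(raw) == HDR.size and zlib.crc32(raw[:4] + b"\0" * 4 + raw[8:]) == HDR.unpack(raw)[1]:
            return pos, HDR.unpack(raw)[11].rstrip(b"\0").decode("ascii", "replace")
        pos = blob.find(magic, pos + 1)
    return None

def classify(blob, block=4096, threshold=7.9):
    """Combine signature and entropy evidence into one verdict."""
    hit = find_uimage(blob)
    blocks = [blob[i:i + block] for i in range(0, len(blob) - block + 1, block)]
    ratio = sum(entropy(b) >= threshold for b in blocks) / len(blocks) if blocks else 0.0
    if hit:
        verdict = "plaintext container"
    elif ratio > 0.95:
        verdict = "likely encrypted"
    else:
        verdict = "unknown"
    return {"uimage": hit, "high_entropy_ratio": ratio, "verdict": verdict}

def keystream(n, seed=b"constructed-sample"):
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def make_uimage(payload, name=b"Linux Kernel Image"):
    """Constructed uImage: valid 64-byte header followed by the payload."""
    hdr = HDR.pack(UIMAGE_MAGIC, 0, 0, len(payload), 0x80000000, 0x80000000,
                   zlib.crc32(payload), 5, 5, 2, 3, name)  # Linux, MIPS, kernel, LZMA
    return hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:] + payload
```

A compressed kernel payload is also high-entropy, which is why the verdict relies on a CRC-validated header rather than on entropy alone.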

Keys embedded in older firmware

Further analysis confirmed his suspicions: both decryption and encryption keys were found embedded in the binary.


In addition to key files and certificates, there was also a program called /bin/imgdecrypt, which is the decryption tool for encrypted images.
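From the vendor's side, this is something a release check can catch before an unencrypted image is published. The following is an added example, not code from the article or from D-Link: it walks an extracted root filesystem and flags PEM key material and crypto tools. The sample tree, its file paths and the file-name heuristic are constructed assumptions.

```python
import os
import re

# PEM armor headers for private keys, certificates and public keys.
PEM_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY|CERTIFICATE|PUBLIC KEY)-----")
TOOL_RE = re.compile(r"(de|en)crypt", re.I)  # assumption: heuristic on file names

def audit_rootfs(root):
    """Return sorted (severity, relative path, finding) tuples for a rootfs tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            for m in PEM_RE.finditer(data):
                kind = m.group(1).decode()
                # Private keys in a public image should stop the release.
                sev = "block-release" if "PRIVATE" in kind else "review"
                findings.append((sev, rel, kind))
            if TOOL_RE.search(name):
                findings.append(("review", rel, "crypto tool by name"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed stand-in for an extracted firmware root filesystem."""
    files = {
        "etc/keys/private.pem":
            b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
        "etc/keys/cert.pem":
            b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
        "bin/imgdecrypt": b"\x7fELF constructed placeholder",
        "bin/busybox": b"\x7fELF constructed placeholder",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
```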


After a series of steps, the researcher was able to set up an environment in which to decrypt the later firmware release, 1.11B02.

Running the imgdecrypt binary against the encrypted firmware image reveals the secret key: C05FBF1936C99429CE2A0781F08D6AD8


"Not only does it extract the key to decrypt the image of the firmware file, but it also places the decrypted version in /tmp/.firmware.orig," the post states.

This means that a reverse engineer could now proceed with the analysis of the encrypted firmware image.

The same technique was used earlier this month by another security researcher, Rick Sanchez, who did an in-depth static analysis of the decryption algorithm in a multi-part post on his blog.

Sanchez, who had first discovered this defect, relied on the purchase of a physical D-Link device, which can cost up to $200, as explained in Part 1 of his post.

As the secret key remains the same for all encrypted firmware images (on any device), obtaining a previous image from a support site will achieve the same goal.

Both researchers discovered the defect independently at different times, and there are clear differences in their research approaches and the tools used.
