Security researchers have found a way to decrypt firmware images that are built into D-Link routers.
Firmware is the low-level code that drives a hardware device's basic functions.
Vendors encrypt the firmware images on their devices to hinder reverse engineering by competitors and attackers, and to stop customers (or, worse, malware) from replacing the device's firmware with a custom image.
To decrypt anything, you would need either the secret decryption key or a way to break the encryption algorithm. If firmware images are indeed encrypted, how could they be decrypted so easily?
D-Link's firmware image encryption analysis
At the beginning of his analysis, Starke downloaded the latest version of the D-Link firmware (1.11B02) from the support site and analyzed it with Binwalk.
Binwalk is a reverse-engineering utility designed for firmware extraction and analysis.
To the researcher's surprise, Binwalk did not reveal anything:
An empty scan was an immediate indication that the firmware was encrypted.
Interestingly, extracting an earlier version, "1.02B03", obtained from the same D-Link support site revealed two firmware files:
The presence of a binary whose name ends in "…_uncrypted.bin" was a direct indication that it was potentially unencrypted, while the other was probably encrypted.
The binwalk analysis on “DIR3040A1_FW102B03_uncrypted.bin” revealed some useful information:
"Bingo, a uImage header and the accompanying file system. We can export it using binwalk -eM DIR3040A1_FW102B03_uncrypted.bin. Looking at the file system, the first thing I did was search for certificates," Starke explains in his blog.
Keys embedded in older firmware
Further analysis confirmed his suspicions: both the encryption and decryption keys were embedded in the binary.
In addition to the key files and certificates, there was also a program called /bin/imgdecrypt, the decryption tool for encrypted images.
After a series of steps, the researcher was able to set up an environment in which to decrypt the later firmware release, 1.11B02.
Running the imgdecrypt binary against the encrypted firmware image reveals the secret key: C05FBF1936C99429CE2A0781F08D6AD8
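The two findings above, an image that Binwalk cannot read (a sign of encryption) and an older image whose extracted file system carried key files and certificates, are exactly what a pre-release check on a firmware build should catch. The following Python script is an added example written for this article; it is not Starke's code, not D-Link's tooling, and makes no attempt to decrypt anything. It scores an image's byte entropy block by block (encrypted data sits near 8 bits per byte, while code, strings and zero-padded headers sit well below), checks for the U-Boot uImage magic that Binwalk reported on the unencrypted image, and scans a buffer for PEM markers so that a private key packed into a root file system is flagged before the image ships. The two sample inputs are constructed: a small plaintext blob with a placeholder key and a pseudo-random blob standing in for an encrypted image.

```python
from __future__ import annotations

import base64
import hashlib
import math
import re
from collections import Counter

UIMAGE_MAGIC = b"\x27\x05\x19\x56"  # magic number that opens a U-Boot uImage header
PEM_MARKER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) over the whole buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encrypted_fraction(data: bytes, block: int = 1024, threshold: float = 7.5) -> float:
    """Fraction of fixed-size blocks whose entropy reaches the threshold.
    Scoring per block still flags an image whose plaintext header is
    followed by an encrypted body, which a whole-file average can hide."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    if not blocks:
        return 0.0
    high = sum(1 for b in blocks if shannon_entropy(b) >= threshold)
    return high / len(blocks)


def looks_encrypted(data: bytes) -> bool:
    return encrypted_fraction(data) >= 0.9


def has_uimage_header(data: bytes) -> bool:
    return data.startswith(UIMAGE_MAGIC)


def find_key_material(data: bytes) -> list[str]:
    """PEM object labels ('RSA PRIVATE KEY', 'CERTIFICATE', ...) present in the buffer."""
    return [m.group(1).decode() for m in PEM_MARKER.finditer(data)]


def triage(data: bytes) -> dict:
    """What a release check should report for one image or extracted file."""
    keys = find_key_material(data)
    if looks_encrypted(data):
        verdict = "likely encrypted"
    elif has_uimage_header(data):
        verdict = "plaintext uImage"
    else:
        verdict = "plaintext, unknown container"
    return {
        "verdict": verdict,
        "encrypted_fraction": round(encrypted_fraction(data), 2),
        "pem_objects": keys,
        "ships_private_key": any("PRIVATE KEY" in k for k in keys),
    }


# Constructed sample inputs; neither is real D-Link firmware.
_FAKE_KEY_B64 = base64.b64encode(b"constructed placeholder key material, not a real key" * 3)
PLAINTEXT_IMAGE = (
    UIMAGE_MAGIC + b"\x00" * 60                        # uImage magic plus zeroed header fields
    + b"/bin/imgdecrypt\x00/etc/ssl/\x00" * 20          # strings of the kind found in a root fs
    + b"-----BEGIN RSA PRIVATE KEY-----\n" + _FAKE_KEY_B64 + b"\n-----END RSA PRIVATE KEY-----\n"
    + b"-----BEGIN CERTIFICATE-----\n" + _FAKE_KEY_B64 + b"\n-----END CERTIFICATE-----\n"
)
# Deterministic pseudo-random bytes stand in for a properly encrypted image.
ENCRYPTED_IMAGE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT_IMAGE), ("encrypted", ENCRYPTED_IMAGE)):
        print(name, triage(blob))
```

Run the same `triage` over every file Binwalk extracts from an unencrypted image, not just the outer image: the keys in this story were found inside the file system, and a build pipeline that fails on `ships_private_key` would have stopped them from reaching the support site.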
"Not only does it extract the key to decrypt the image of the firmware file, but it also places the decrypted version in /tmp/.firmware.orig," the post states.
This means that a reverse engineer could now proceed with the analysis of the previously encrypted firmware image.
The same technique was used earlier this month by another security researcher, Rick Sanchez, who published an in-depth static analysis of the decryption algorithm as a multi-part series on his blog.
Sanchez, who discovered this defect first, relied on purchasing a physical D-Link device, which can cost up to $200, as explained in Part 1 of his series.
Because the secret key is the same for all encrypted firmware images (on any device), obtaining an earlier image from the support site achieves the same result.
Both researchers discovered the defect independently at different times, and there are clear differences in their research approaches and the tools used.