Decrypt router configuration

decrypt.py

#!/usr/bin/env python3
# W.J. van der Laan 2017, distributed under MIT license
import binascii
import base64
import json
import os, sys
from Crypto import Random
from Crypto.Cipher import AES

KEY = binascii.a2b_hex(b'fffffbffeffffbfffbbfffbfdbfff7ffffffffffffffdfffff7fffffbfffffff')

def unpad(s):
    '''PKCS7 unpad.'''
    padlen = s[len(s)-1]
    if padlen > 16:
        raise ValueError('Invalid padding')
    return s[:-padlen]

def decrypt(data_in):
    # first 32 bytes are IV, we only need 16 of that
    iv = data_in[0:16]
    cipher = AES.new(KEY, AES.MODE_CBC, iv)
    data_out = cipher.decrypt(data_in[32:])
    data_out = unpad(data_out)

    #with open('configfile_decrypted.dat', 'wb') as f:
    #    f.write(data_out)

    crc = data_out[0:4]
    json_data = json.loads(data_out[4:].decode())
    return json_data

def main():
    if len(sys.argv) < 2:
        print('Usage: %s /path/to/configfile.bin' % os.path.basename(sys.argv[0]))
        exit(1)
    with open(sys.argv[1], 'rb') as f:
        # decode base64
        data_in = base64.b64decode(f.read())

    # decode second layer, create one huge JSON file with record types at top level
    json_data = decrypt(data_in)
    out_recs = {}
    for record in json_data:
        d = base64.b64decode(record['data'])
        assert(record['type'] not in out_recs) # duplicate
        out_recs[record['type']] = decrypt(d)

    json.dump(out_recs, sys.stdout, sort_keys=True, indent=4, separators=(',', ': '))

if __name__ == '__main__':
    main()