Nicholas Starke nstarke

Decrypting DLINK Proprietary Firmware Images

The DIR-3040 models of DLINK routers feature encrypted firmware images in the most recent versions of the firmware. https://support.dlink.com/ProductInfo.aspx?m=DIR-3040-US details the firmware images available for this product.

1.11B02 - ftp://ftp2.dlink.com/PRODUCTS/DIR-3040/REVA/DIR-3040_REVA_FIRMWARE_v1.11B02.zip
1.02B03 - ftp://ftp2.dlink.com/PRODUCTS/DIR-3040/REVA/DIR-3040_REVA_FIRMWARE_v1.02B03.zip

Unzipping the first reveals two files:

DIR-3040_REVA_RELEASE_NOTES_v1.11B02.pdf

Linksys EA4500 Firmware Decryption

I recently pulled a Linksys EA4500 out of storage for evaluation. The first thing I wanted to do was to update the firmware for the device. https://www.linksys.com/us/support-article?articleNum=148385 offers the latest version of the firmware, which is 3.1.7 as of this writing.

However, we can see with the filename that its probably encrypted: FW_EA4500V3_3.1.7.181919_prod.gpg.img

When I run binwalk I don't get any meaningful results, confirming my suspcicions:

	/*
	* HarusHeadless.java - Extract pseudocode from Ghidra's decompiler
	* Copyright (c) 2022-2026 Marco Ivaldi <[email protected]>
	*
	* Headless-mode update:
	* - accepts output directory via scriptArgs[0]
	* - still falls back to askString() in GUI mode
	*/

	// This script extracts all pseudocode generated by the Ghidra decompiler

	# Imports a .graphml file and shows it in Ghidra's graph viewer
	# If running headless, takes first ScriptArg as the file path.
	# If running GUI, shows a file chooser.
	# Author: ChatGPT

	from ghidra.service.graph import AttributedGraph, AttributedVertex, GraphDisplayBroker
	import xml.etree.ElementTree as ET
	from javax.swing import JFileChooser
	import os

	#!/bin/bash
	# sudo apt install iw curl jq
	ALIVE="$1"

	check_public_ip() {
	INTERFACE="$1"
	PUBLIC_IP=$(curl -s https://httpbin.org/ip \| jq -r .origin)
	if ! [[ -z $PUBLIC_IP ]]; then
	echo "[+] Found Public IP $PUBLIC_IP for $INTERFACE"
	fi

	//
	// Run this javascript file like so
	//
	// node generate-nested-json.js "a" 1024 64
	// Where:
	//
	// "a" is the nested property to create
	// 1024 is the initial max recursion
	// 64 is the amount of times to multiple the initial max recursion.
	//

	linux-firmware-20231111/rtl_bt/rtl8851bu_fw.bin full(0xc260) None chunk(0x400;2) MIPS16
	linux-firmware-20231111/rtl_bt/rtl8822cs_fw.bin full(0xf474) None chunk(0x200;2) MIPS16
	linux-firmware-20231111/rtl_bt/rtl8852cu_fw_v2.bin full(0x1b939) None chunk(0x300;3) MIPS16
	linux-firmware-20231111/rtl_bt/rtl8761bu_fw.bin full(0xadc4) None chunk(0x200;2) MIPS16
	linux-firmware-20231111/rtl_bt/rtl8822cs_config.bin full(0x21) None chunk(0x0;0) None
	linux-firmware-20231111/rtl_bt/rtl8761b_config.bin full(0x19) None chunk(0x0;0) None
	linux-firmware-20231111/rtl_bt/rtl8723d_fw.bin

	$ python3 ~/cpu_rec/cpu_rec.py *.clx
	AQC100-Felicity-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x30800;97) Xtensa
	AQC107-Nikki-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x30800;97) Xtensa
	AQC111-Bermuda-B0-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x31000;98) Xtensa
	$ binwalk *.clx

	Scan Time: 2021-07-08 17:01:00
	Target File: /home/nick/aqn/AQC100-Felicity-3.1.121_bdp_aqsign.clx
	MD5 Checksum: 3dd8e40cd3e4aa183b13939190b86b05
	Signatures: 404

	/* ###
	* IP: GHIDRA
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software

	#!/usr/bin/env python3

	#
	# find-compressed-data.py
	#
	# A small script to bruteforce embedded compressed data that might not have a header
	# Useful for raw binary firmware images that do not contain a standard
	# binary header (ELF, PE, MACH-O).
	#
	# I included a limt on size at 16KB because this has a tendency to create