When hunting for vulnerabilities in IoT devices, obtaining the firmware is essential: reverse engineering it reveals the device's internal logic and turns a black-box test into a grey-box or even white-box one.
As IoT vendors pay more attention to security, many devices now ship encrypted firmware. Because IoT devices have limited compute, the usual scheme is a hardcoded symmetric cipher such as AES or DES, sometimes with the decryption key derived by some computation over a hardcoded string. For this kind of scheme the decryption routine and key can be recovered from an older, unencrypted firmware version or from an image read directly off the storage chip, and then used to decrypt the encrypted firmware.
Identifying encrypted firmware
- Using the file command
Normal firmware:
❯ file mAX19.bin
mAX19.bin: u-boot legacy uImage, MT7621 NAND, Firmware/MIPS, Standalone Program (Not compressed), 69064 bytes, Thu Jan 1 00:00:00 1970, Load Address: 0x80100000, Entry Point: 0x80100000, Header CRC: 0x172D6721, Data CRC: 0xBFD7EB74
For normal firmware, file reports the CPU architecture, entry point and other header details.
Encrypted firmware:
❯ file TB-WR1800K-MT7621-CPE-mAX19-V1.0-202012121212
TB-WR1800K-MT7621-CPE-mAX19-V1.0-202012121212: openssl enc'd data with salted password
file cannot extract anything further and reports that the data is encrypted.
- Using binwalk
binwalk, the go-to tool for unpacking firmware, can likewise be used to tell whether an image is encrypted.
Normal firmware:
❯ binwalk 0945-03.50.06.fw.pkg.dec

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             gzip compressed data, from Unix, last modified: 2021-05-14 07:04:41
12755570      0xC2A272        MySQL MISAM compressed data file Version 2
For unencrypted firmware, binwalk shows the compression format, data ranges and so on.
Encrypted firmware:
❯ binwalk 0945-03.50.06.fw.pkg.bak

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
11646886      0xB1B7A6        StuffIt Deluxe Segment (data): fc
binwalk reports nothing but opaque data (the lone StuffIt hit deep in the file is the kind of spurious signature match that random-looking bytes produce), so the compression format cannot be determined.
Another approach is to look at the firmware's entropy. Entropy measures uncertainty: the higher it is, the more likely the firmware is encrypted or compressed. Note the "or compressed": compression also pushes the entropy up towards 1. Below, binwalk -E is used to view an unencrypted firmware (RAX200) and an encrypted one (DIR 3040). Comparing the two, RAX200 does not sit near 1 across the entire image the way DIR 3040 does.
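The entropy scan that binwalk -E performs can be reproduced in a few lines. The following Python is an added example, not code from the original post or from binwalk: it computes Shannon entropy per 1 KiB block, normalises it to the 0..1 scale binwalk plots, and applies a simple heuristic to two constructed images, a mixed one (zero padding, repetitive text, a compressed-looking region) and a uniformly high-entropy one standing in for ciphertext. The block size, the 0.9 threshold and the sample data are assumptions chosen for the illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 1024  # assumption: 1 KiB windows, the granularity binwalk -E plots at


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(blob: bytes, block_size: int = BLOCK_SIZE):
    """Normalised (0..1) entropy of each consecutive block, like a binwalk -E curve."""
    return [shannon_entropy(blob[i:i + block_size]) / 8.0
            for i in range(0, len(blob), block_size)]


def classify(profile, high: float = 0.9, fraction: float = 0.9) -> str:
    """Heuristic verdict: if almost every block is near 1 the image is probably
    encrypted or compressed end to end; otherwise headers, code and padding
    are still visible as low-entropy regions."""
    if not profile:
        return "empty"
    n_high = sum(1 for e in profile if e >= high)
    return "uniformly-high" if n_high / len(profile) >= fraction else "mixed"


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chaining) that stands in for
    ciphertext or compressed data, so the example runs offline and reproducibly."""
    out, state = bytearray(), seed
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:n])


# Constructed sample images (not real firmware): 28 blocks each.
UNENCRYPTED_IMAGE = (
    b"\x00" * 4096                                        # header / padding region
    + (b"MIPS code and strings ... " * 512)[:8192]        # repetitive text, low entropy
    + pseudo_random_bytes(16384)                          # compressed rootfs region
)
ENCRYPTED_IMAGE = pseudo_random_bytes(28672)              # ciphertext end to end


def report(name: str, blob: bytes) -> str:
    profile = entropy_profile(blob)
    return (f"{name}: {len(profile)} blocks, min={min(profile):.2f} "
            f"max={max(profile):.2f} verdict={classify(profile)}")


if __name__ == "__main__":
    print(report("unencrypted", UNENCRYPTED_IMAGE))
    print(report("encrypted", ENCRYPTED_IMAGE))
```

The verdict deliberately says "uniformly-high" rather than "encrypted": as the paragraph above notes, a wholly compressed image produces the same flat curve, so the entropy scan narrows the question but does not answer it on its own; the file and binwalk checks, or a look at the first few bytes for a container header, are still needed.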
Firmware decryption
As mentioned above, IoT devices have limited compute, so even when the firmware is encrypted the algorithm is rarely complex and the key is usually hardcoded in the firmware itself. To obtain the key you first need an unencrypted firmware image, which can be had in two ways:
1. Obtain an older, unencrypted firmware version. It can be downloaded from the vendor's website, or the OTA link can be captured from network traffic and the download URL for an older version reconstructed from the version information.
2. Read it directly from the device. The firmware running on the device is already decrypted; it can be read via the serial port or debug interfaces, or dumped directly from the storage chip.
Taking the first encrypted firmware above as the example, the unencrypted image was read from the device with the md (memory display) command in U-Boot; the procedure is well documented elsewhere and is not repeated here.
Once the image is obtained, binwalk -Me unpacks it and yields the complete file system.
❯ tree -L 1 ./
.
├── 12A0000.jffs2
├── 1800E4
├── 1800E4.7z
├── 20040
├── 20040.7z
├── 21800E4
├── 21800E4.7z
├── 2340000.squashfs
├── 340000.squashfs
├── 34E0000.jffs2
├── _1800E4.extracted
├── _21800E4.extracted
├── jffs2-root
├── jffs2-root-0
├── squashfs-root
└── squashfs-root-0
6 directories, 10 files
file identified the encryption as openssl enc'd data with salted password, so the file system can be searched for the keyword openssl.
❯ grep -rn "openssl" ./
./squashfs-root/etc/init.d/uhttpd:10:OPENSSL_BIN="/usr/bin/openssl"
./squashfs-root/etc/openwrt.config:2241:# CONFIG_PACKAGE_openwisp-config-openssl is not set
./squashfs-root/etc/openwrt.config:2999:# CONFIG_PACKAGE_lua-openssl is not set
./squashfs-root/etc/openwrt.config:3104:# CONFIG_PACKAGE_python-openssl is not set
./squashfs-root/etc/openwrt.config:3115:# CONFIG_PACKAGE_python-pyopenssl is not set
./squashfs-root/etc/openwrt.config:3146:# CONFIG_PACKAGE_python3-openssl is not set
./squashfs-root/etc/openwrt.config:3336:CONFIG_PACKAGE_libopenssl=y
./squashfs-root/etc/openwrt.config:3384:CONFIG_PACKAGE_libopenssl-conf=y
./squashfs-root/etc/openwrt.config:3385:# CONFIG_PACKAGE_libopenssl-devcrypto is not set
./squashfs-root/etc/openwrt.config:3474:# CONFIG_PACKAGE_libarchive-noopenssl is not set
./squashfs-root/etc/openwrt.config:3740:# CONFIG_PACKAGE_libustream-openssl is not set
./squashfs-root/etc/openwrt.config:3751:# CONFIG_PACKAGE_libwebsockets-openssl is not set
./squashfs-root/etc/openwrt.config:3792:# CONFIG_PACKAGE_luci-ssl-openssl is not set
./squashfs-root/etc/openwrt.config:4320:# CONFIG_PACKAGE_transmission-cli-openssl is not set
./squashfs-root/etc/openwrt.config:4322:# CONFIG_PACKAGE_transmission-daemon-openssl is not set
./squashfs-root/etc/openwrt.config:4324:# CONFIG_PACKAGE_transmission-remote-openssl is not set
./squashfs-root/etc/openwrt.config:4521:# CONFIG_PACKAGE_umurmur-openssl is not set
./squashfs-root/etc/openwrt.config:4749:# CONFIG_PACKAGE_openvpn-openssl is not set
./squashfs-root/etc/openwrt.config:4802:# CONFIG_PACKAGE_strongswan-mod-openssl is not set
./squashfs-root/etc/openwrt.config:5019:# CONFIG_PACKAGE_hnetd-openssl is not set
./squashfs-root/etc/openwrt.config:5411:# CONFIG_PACKAGE_shairport-sync-openssl is not set
./squashfs-root/etc/openwrt.config:5478:# CONFIG_PACKAGE_cryptsetup-openssl is not set
./squashfs-root/etc/openwrt.config:5570:# CONFIG_PACKAGE_rtty-openssl is not set
./squashfs-root/etc/openwrt.config:5763:CONFIG_PACKAGE_openssl-util=y
./squashfs-root/etc/ssl/openssl.cnf:19:# "openssl x509" utility, name here the section containing the
./squashfs-root/etc/ssl/openssl.cnf:25:openssl_conf=openssl_conf
./squashfs-root/etc/ssl/openssl.cnf:27:[openssl_conf]
./squashfs-root/etc/ssl/openssl.cnf:43:# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
./squashfs-root/etc/ssl/openssl.cnf:73:# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
Binary file ./squashfs-root/usr/bin/openssl matches
Binary file ./squashfs-root/usr/lib/libcrypto.so.1.1 matches
Binary file ./squashfs-root/usr/lib/libcurl.so.4.5.0 matches
Binary file ./squashfs-root/usr/lib/libhogweed.so.4.3 matches
Binary file ./squashfs-root/usr/lib/libnettle.so.6.3 matches
./squashfs-root/usr/lib/opkg/info/andlink.control:3:Depends: libc, lua, libopenssl, libpcap, zlib
./squashfs-root/usr/lib/opkg/info/iperf3.control:3:Depends: libc, libopenssl
./squashfs-root/usr/lib/opkg/info/libcurl.control:3:Depends: libc, libopenssl, ca-bundle
./squashfs-root/usr/lib/opkg/info/libopenssl-conf.conffiles:1:/etc/ssl/openssl.cnf
./squashfs-root/usr/lib/opkg/info/libopenssl-conf.control:1:Package: libopenssl-conf
./squashfs-root/usr/lib/opkg/info/libopenssl-conf.control:3:Depends: libc, libopenssl
./squashfs-root/usr/lib/opkg/info/libopenssl-conf.control:4:Source: package/libs/openssl
./squashfs-root/usr/lib/opkg/info/libopenssl-conf.control:15: This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
./squashfs-root/usr/lib/opkg/info/libopenssl-conf.list:1:/etc/ssl/openssl.cnf
./squashfs-root/usr/lib/opkg/info/libopenssl.control:1:Package: libopenssl
./squashfs-root/usr/lib/opkg/info/libopenssl.control:4:Source: package/libs/openssl
./squashfs-root/usr/lib/opkg/info/nginx-ssl.control:3:Depends: libc, libpcre, libopenssl, zlib, liblua, libpthread, libubus, libblobmsg-json, libjson-c, libopenssl
./squashfs-root/usr/lib/opkg/info/ntpdate.control:3:Depends: libc, libopenssl, libpthread, libcap
./squashfs-root/usr/lib/opkg/info/openssh-sftp-server.control:3:Depends: libc, libopenssl, zlib
./squashfs-root/usr/lib/opkg/info/openssl-util.control:1:Package: openssl-util
./squashfs-root/usr/lib/opkg/info/openssl-util.control:3:Depends: libc, libopenssl, libopenssl-conf
./squashfs-root/usr/lib/opkg/info/openssl-util.control:4:Source: package/libs/openssl
./squashfs-root/usr/lib/opkg/info/openssl-util.list:1:/usr/bin/openssl
./squashfs-root/usr/lib/opkg/info/skynet-encrypt.control:3:Depends: libc, skynet, openssl-util
./squashfs-root/usr/lib/opkg/info/sysmgr-status.list:8:/usr/sbin/openssltar.sh
./squashfs-root/usr/lib/opkg/info/wapp.control:3:Depends: libc, libkvcutil, libopenssl
./squashfs-root/usr/lib/opkg/status:54:Depends: libc, libopenssl, zlib
./squashfs-root/usr/lib/opkg/status:76:Depends: libc, libkvcutil, libopenssl
./squashfs-root/usr/lib/opkg/status:202:Depends: libc, lua, libopenssl, libpcap, zlib
./squashfs-root/usr/lib/opkg/status:401:Depends: libc, libopenssl, ca-bundle
./squashfs-root/usr/lib/opkg/status:414:Package: openssl-util
./squashfs-root/usr/lib/opkg/status:416:Depends: libc, libopenssl, libopenssl-conf
./squashfs-root/usr/lib/opkg/status:515:Depends: libc, skynet, openssl-util
./squashfs-root/usr/lib/opkg/status:1322:Depends: libc, libpcre, libopenssl, zlib, liblua, libpthread, libubus, libblobmsg-json, libjson-c, libopenssl
./squashfs-root/usr/lib/opkg/status:1893:Package: libopenssl-conf
./squashfs-root/usr/lib/opkg/status:1895:Depends: libc, libopenssl
./squashfs-root/usr/lib/opkg/status:1899: /etc/ssl/openssl.cnf 58e084d4ae684846199e34a6e427ee75bdbf60ecb44311011906784b652a4e75
./squashfs-root/usr/lib/opkg/status:2358:Depends: libc, libopenssl, libpthread, libcap
./squashfs-root/usr/lib/opkg/status:2476:Depends: libc, libopenssl
./squashfs-root/usr/lib/opkg/status:2531:Package: libopenssl
Binary file ./squashfs-root/usr/lib/sftp-server matches
./squashfs-root/usr/sbin/check_ready:15:openssl aes-256-cbc -d -salt -in $fw -out /tmp/decrypt.img -k "QiLunSmartWL"
Binary file ./squashfs-root/usr/sbin/dpiPlugin matches
./squashfs-root/usr/sbin/eoscrypt-tool:11:    encrypt_str=$(echo "${source_str}" | openssl enc -e -aes-256-cbc -a -K ${key} -iv ${iv} -nosalt)
./squashfs-root/usr/sbin/eoscrypt-tool:18:    decrypt_str=$(echo "${source_str}" | openssl enc -e -aes-256-cbc -a -K ${key} -iv ${iv} -nosalt -d)
Binary file ./squashfs-root/usr/sbin/managePlugin matches
Binary file ./squashfs-root/usr/sbin/nginx matches
./squashfs-root/usr/sbin/openssltar.sh:2:OPENSSL=openssl
Binary file ./squashfs-root/usr/sbin/wpad matches
./squashfs-root/usr/share/skynet/lualib/http/websocket.lua:353:    -- openssl req -x509 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-cert.pem
./squashfs-root/usr/share/sysmgr/apps/sysbackup.sh:24:    timeout -t 10 openssltar.sh tar $backupdir $outpath wjrc0409
./squashfs-root/usr/share/sysmgr/apps/sysbackup.sh:25:    test $? -eq 0 || err_exit "openssltar.sh tar fail"
./squashfs-root/usr/share/sysmgr/apps/sysbackup.sh:38:    timeout -t 10 openssltar.sh untar $inpath $recover_dir wjrc0409
./squashfs-root/usr/share/sysmgr/apps/sysbackup.sh:39:    test $? -eq 0 || err_exit "openssltar.sh tar fail"
./squashfs-root-0/etc/init.d/uhttpd:10:OPENSSL_BIN="/usr/bin/openssl"
./squashfs-root-0/etc/openwrt.config:2241:# CONFIG_PACKAGE_openwisp-config-openssl is not set
./squashfs-root-0/etc/openwrt.config:2999:# CONFIG_PACKAGE_lua-openssl is not set
./squashfs-root-0/etc/openwrt.config:3104:# CONFIG_PACKAGE_python-openssl is not set
./squashfs-root-0/etc/openwrt.config:3115:# CONFIG_PACKAGE_python-pyopenssl is not set
./squashfs-root-0/etc/openwrt.config:3146:# CONFIG_PACKAGE_python3-openssl is not set
./squashfs-root-0/etc/openwrt.config:3336:CONFIG_PACKAGE_libopenssl=y
./squashfs-root-0/etc/openwrt.config:3384:CONFIG_PACKAGE_libopenssl-conf=y
./squashfs-root-0/etc/openwrt.config:3385:# CONFIG_PACKAGE_libopenssl-devcrypto is not set
./squashfs-root-0/etc/openwrt.config:3474:# CONFIG_PACKAGE_libarchive-noopenssl is not set
./squashfs-root-0/etc/openwrt.config:3740:# CONFIG_PACKAGE_libustream-openssl is not set
./squashfs-root-0/etc/openwrt.config:3751:# CONFIG_PACKAGE_libwebsockets-openssl is not set
./squashfs-root-0/etc/openwrt.config:3792:# CONFIG_PACKAGE_luci-ssl-openssl is not set
./squashfs-root-0/etc/openwrt.config:4320:# CONFIG_PACKAGE_transmission-cli-openssl is not set
./squashfs-root-0/etc/openwrt.config:4322:# CONFIG_PACKAGE_transmission-daemon-openssl is not set
./squashfs-root-0/etc/openwrt.config:4324:# CONFIG_PACKAGE_transmission-remote-openssl is not set
./squashfs-root-0/etc/openwrt.config:4521:# CONFIG_PACKAGE_umurmur-openssl is not set
./squashfs-root-0/etc/openwrt.config:4749:# CONFIG_PACKAGE_openvpn-openssl is not set
./squashfs-root-0/etc/openwrt.config:4802:# CONFIG_PACKAGE_strongswan-mod-openssl is not set
./squashfs-root-0/etc/openwrt.config:5019:# CONFIG_PACKAGE_hnetd-openssl is not set
./squashfs-root-0/etc/openwrt.config:5411:# CONFIG_PACKAGE_shairport-sync-openssl is not set
./squashfs-root-0/etc/openwrt.config:5478:# CONFIG_PACKAGE_cryptsetup-openssl is not set
./squashfs-root-0/etc/openwrt.config:5570:# CONFIG_PACKAGE_rtty-openssl is not set
./squashfs-root-0/etc/openwrt.config:5763:CONFIG_PACKAGE_openssl-util=y
./squashfs-root-0/etc/ssl/openssl.cnf:19:# "openssl x509" utility, name here the section containing the
./squashfs-root-0/etc/ssl/openssl.cnf:25:openssl_conf=openssl_conf
./squashfs-root-0/etc/ssl/openssl.cnf:27:[openssl_conf]
./squashfs-root-0/etc/ssl/openssl.cnf:43:# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
./squashfs-root-0/etc/ssl/openssl.cnf:73:# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
Binary file ./squashfs-root-0/usr/bin/openssl matches
Binary file ./squashfs-root-0/usr/lib/libcrypto.so.1.1 matches
Binary file ./squashfs-root-0/usr/lib/libcurl.so.4.5.0 matches
Binary file ./squashfs-root-0/usr/lib/libhogweed.so.4.3 matches
Binary file ./squashfs-root-0/usr/lib/libnettle.so.6.3 matches
./squashfs-root-0/usr/lib/opkg/info/andlink.control:3:Depends: libc, lua, libopenssl, libpcap, zlib
./squashfs-root-0/usr/lib/opkg/info/iperf3.control:3:Depends: libc, libopenssl
./squashfs-root-0/usr/lib/opkg/info/libcurl.control:3:Depends: libc, libopenssl, ca-bundle
./squashfs-root-0/usr/lib/opkg/info/libopenssl-conf.conffiles:1:/etc/ssl/openssl.cnf
./squashfs-root-0/usr/lib/opkg/info/libopenssl-conf.control:1:Package: libopenssl-conf
./squashfs-root-0/usr/lib/opkg/info/libopenssl-conf.control:3:Depends: libc, libopenssl
./squashfs-root-0/usr/lib/opkg/info/libopenssl-conf.control:4:Source: package/libs/openssl
./squashfs-root-0/usr/lib/opkg/info/libopenssl-conf.control:15: This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
./squashfs-root-0/usr/lib/opkg/info/libopenssl-conf.list:1:/etc/ssl/openssl.cnf
./squashfs-root-0/usr/lib/opkg/info/libopenssl.control:1:Package: libopenssl
./squashfs-root-0/usr/lib/opkg/info/libopenssl.control:4:Source: package/libs/openssl
./squashfs-root-0/usr/lib/opkg/info/nginx-ssl.control:3:Depends: libc, libpcre, libopenssl, zlib, liblua, libpthread, libubus, libblobmsg-json, libjson-c, libopenssl
./squashfs-root-0/usr/lib/opkg/info/ntpdate.control:3:Depends: libc, libopenssl, libpthread, libcap
./squashfs-root-0/usr/lib/opkg/info/openssh-sftp-server.control:3:Depends: libc, libopenssl, zlib
./squashfs-root-0/usr/lib/opkg/info/openssl-util.control:1:Package: openssl-util
./squashfs-root-0/usr/lib/opkg/info/openssl-util.control:3:Depends: libc, libopenssl, libopenssl-conf
./squashfs-root-0/usr/lib/opkg/info/openssl-util.control:4:Source: package/libs/openssl
./squashfs-root-0/usr/lib/opkg/info/openssl-util.list:1:/usr/bin/openssl
./squashfs-root-0/usr/lib/opkg/info/skynet-encrypt.control:3:Depends: libc, skynet, openssl-util
./squashfs-root-0/usr/lib/opkg/info/sysmgr-status.list:8:/usr/sbin/openssltar.sh
./squashfs-root-0/usr/lib/opkg/info/wapp.control:3:Depends: libc, libkvcutil, libopenssl
./squashfs-root-0/usr/lib/opkg/status:54:Depends: libc, libopenssl, zlib
./squashfs-root-0/usr/lib/opkg/status:76:Depends: libc, libkvcutil, libopenssl
./squashfs-root-0/usr/lib/opkg/status:202:Depends: libc, lua, libopenssl, libpcap, zlib
./squashfs-root-0/usr/lib/opkg/status:401:Depends: libc, libopenssl, ca-bundle
./squashfs-root-0/usr/lib/opkg/status:414:Package: openssl-util
./squashfs-root-0/usr/lib/opkg/status:416:Depends: libc, libopenssl, libopenssl-conf
./squashfs-root-0/usr/lib/opkg/status:515:Depends: libc, skynet, openssl-util
./squashfs-root-0/usr/lib/opkg/status:1321:Depends: libc, libpcre, libopenssl, zlib, liblua, libpthread, libubus, libblobmsg-json, libjson-c, libopenssl
./squashfs-root-0/usr/lib/opkg/status:1899:Package: libopenssl-conf
./squashfs-root-0/usr/lib/opkg/status:1901:Depends: libc, libopenssl
./squashfs-root-0/usr/lib/opkg/status:1905: /etc/ssl/openssl.cnf 58e084d4ae684846199e34a6e427ee75bdbf60ecb44311011906784b652a4e75
./squashfs-root-0/usr/lib/opkg/status:2364:Depends: libc, libopenssl, libpthread, libcap
./squashfs-root-0/usr/lib/opkg/status:2482:Depends: libc, libopenssl
./squashfs-root-0/usr/lib/opkg/status:2537:Package: libopenssl
Binary file ./squashfs-root-0/usr/lib/sftp-server matches
./squashfs-root-0/usr/sbin/check_ready:15:openssl aes-256-cbc -d -salt -in $fw -out /tmp/decrypt.img -k "QiLunSmartWL"
Binary file ./squashfs-root-0/usr/sbin/dpiPlugin matches
./squashfs-root-0/usr/sbin/eoscrypt-tool:11:    encrypt_str=$(echo "${source_str}" | openssl enc -e -aes-256-cbc -a -K ${key} -iv ${iv} -nosalt)
./squashfs-root-0/usr/sbin/eoscrypt-tool:18:    decrypt_str=$(echo "${source_str}" | openssl enc -e -aes-256-cbc -a -K ${key} -iv ${iv} -nosalt -d)
Binary file ./squashfs-root-0/usr/sbin/managePlugin matches
Binary file ./squashfs-root-0/usr/sbin/nginx matches
./squashfs-root-0/usr/sbin/openssltar.sh:2:OPENSSL=openssl
Binary file ./squashfs-root-0/usr/sbin/wpad matches
./squashfs-root-0/usr/share/skynet/lualib/http/websocket.lua:353:    -- openssl req -x509 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-cert.pem
./squashfs-root-0/usr/share/sysmgr/apps/sysbackup.sh:24:    timeout -t 10 openssltar.sh tar $backupdir $outpath wjrc0409
./squashfs-root-0/usr/share/sysmgr/apps/sysbackup.sh:25:    test $? -eq 0 || err_exit "openssltar.sh tar fail"
./squashfs-root-0/usr/share/sysmgr/apps/sysbackup.sh:38:    timeout -t 10 openssltar.sh untar $inpath $recover_dir wjrc0409
./squashfs-root-0/usr/share/sysmgr/apps/sysbackup.sh:39:    test $? -eq 0 || err_exit "openssltar.sh tar fail"
One line stands out as what looks like the decryption step:
./squashfs-root-0/usr/sbin/check_ready:15:openssl aes-256-cbc -d -salt -in $fw -out /tmp/decrypt.img -k "QiLunSmartWL"
Locate that file and look at its full contents:
❯ cat check_ready
#!/bin/sh
fw=$1
fw_size=`ls -l $fw | awk '{print $5}'`
fw_size=$((fw_size-32))
test $fw_size -le 0 && {
    echo Fail: bad file size
    exit 255
}
truncate -c -s$fw_size $fw
rm -rf /tmp/UploadBrush
mkdir -p /tmp/UploadBrush
openssl aes-256-cbc -d -salt -in $fw -out /tmp/decrypt.img -k "QiLunSmartWL"
rm -f $fw
tar -zxf /tmp/decrypt.img -C /tmp/UploadBrush/
rm -f /tmp/decrypt.img
rm -f /tmp/readme.txt
old_version=`lua /usr/share/base-config/boardcfg.lua upgrade`
bin_random1=`md5sum /tmp/UploadBrush/UploadBrush-bin.img | awk '{print $1}'`
bin_random1=${bin_random1}`echo -n ${old_version} | md5sum | awk '{print $1}'`
bin_random1=`echo -n ${bin_random1} | md5sum | awk '{print $1}'`
bin_random2=`cat /tmp/UploadBrush/bin_random_oem.txt`
if [ "x${bin_random1}" != "x${bin_random2}" ]; then
    echo Fail
    exit 255
fi
oldversion=`cat /etc/openwrt_release | grep DISTRIB_RELEASE | sed -r 's/[^0-9]//g'`
newversion=1
test -r /tmp/UploadBrush/version.txt && newversion=`cat /tmp/UploadBrush/version.txt | sed -r 's/[^0-9]//g'`
The overall logic is indeed an upgrade-package verification routine: the script drops the last 32 bytes of the uploaded file, decrypts it with the hardcoded passphrase, unpacks the resulting tarball and compares an MD5-based checksum against the value shipped inside the package. To confirm this, trace where the script is called from.
❯ grep -rn check_ready
squashfs-root/usr/lib/opkg/info/base-config.list:86:/usr/sbin/check_ready
squashfs-root/usr/share/admin-web/admin/model/system.lua:401:    local cmd_check = string.format("check_ready %s", firmware)
squashfs-root/usr/share/frontend/snax/system/upgrade.lua:157:    local cmd_check = string.format("check_ready %s", filepath)
squashfs-root-0/usr/lib/opkg/info/base-config.list:87:/usr/sbin/check_ready
squashfs-root-0/usr/share/admin-web/admin/model/system.lua:401:    local cmd_check = string.format("check_ready %s", firmware)
squashfs-root-0/usr/share/frontend/snax/system/upgrade.lua:157:    local cmd_check = string.format("check_ready %s", filepath)
It is invoked from several .lua scripts.
❯ cat upgrade.lua | grep -A 5 -B 5 check_ready
        os.remove(filepath)
        log:error("invalid version 2 new:%s old:", new_version, version)
        return nil, myerr.INTERNAL_ERROR
    end
    local cmd_check = string.format("check_ready %s", filepath)
    local str = popen(cmd_check)
    if not str then
        clean_upload()
        return nil, "invalid version 3"
    end
This essentially confirms that check_ready is the upgrade-package verification script, and the key it contains can be used for decryption.
❯ openssl aes-256-cbc -d -salt -in TB-WR1800K-MT7621-CPE-mAX19-V1.0-202012121212 -out ./test.img -k "QiLunSmartWL"
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140349527483520:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:610:
❯ file test.img
test.img: gzip compressed data, last modified: Fri Mar 12 12:42:16 2021, from Unix
The bad decrypt error is most likely just the final padding check failing: the downloaded package still carries the 32 trailing bytes that check_ready strips (truncate -c -s$fw_size) before decrypting, so the last block is not valid padding, while every earlier block has already been decrypted and written out. The result is a gzip image, and from here on the process is the same as for a normal firmware: one more round of unpacking.
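Both observations above, file's verdict "openssl enc'd data with salted password" and the warning "deprecated key derivation used", come down to the container format that openssl enc writes. The following Python is an added example, not code from the post or from the vendor's firmware: it parses the Salted__ header that file keys on, reproduces the EVP_BytesToKey derivation (MD5, one iteration) that turns passphrase and salt into the AES-256 key and IV, and checks that the ciphertext body is block aligned once the 32-byte trailer that check_ready removes has been stripped. The sample package and the passphrase are constructed placeholders, and the trailer length is taken from the script; actual decryption is left to the openssl command shown above, since hashlib has no AES.

```python
import hashlib

SALTED_MAGIC = b"Salted__"   # 8-byte marker written by `openssl enc -salt`; `file` keys on it
SALT_LEN = 8
AES_BLOCK = 16
TRAILER_LEN = 32             # what check_ready cuts off: fw_size=$((fw_size-32))


def parse_salted_header(blob: bytes):
    """Return the 8-byte salt if blob carries OpenSSL's Salted__ header, else None.
    Container layout: b"Salted__" || salt(8) || ciphertext."""
    if len(blob) < len(SALTED_MAGIC) + SALT_LEN or not blob.startswith(SALTED_MAGIC):
        return None
    return blob[len(SALTED_MAGIC):len(SALTED_MAGIC) + SALT_LEN]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, count: int = 1):
    """OpenSSL EVP_BytesToKey with MD5, the default of `openssl enc` without
    -pbkdf2/-iter: D_1 = MD5(pw||salt), D_i = MD5(D_{i-1}||pw||salt), and the
    concatenation D_1||D_2||... is split into key and IV. One MD5 pass over a
    short passphrase is exactly what the 'deprecated key derivation' warning
    refers to; it gives no meaningful protection once the passphrase is known."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        d = hashlib.md5(prev + password + salt).digest()
        for _ in range(count - 1):          # extra rounds only when count > 1
            d = hashlib.md5(d).digest()
        derived += d
        prev = d
    return derived[:key_len], derived[key_len:key_len + iv_len]


def strip_trailer(blob: bytes, trailer_len: int = TRAILER_LEN) -> bytes:
    """Mirror check_ready's `truncate -c -s$((size-32))`: drop the trailer the
    vendor appends after the OpenSSL container."""
    if len(blob) <= trailer_len:
        raise ValueError("file too small")  # the script's 'Fail: bad file size'
    return blob[:-trailer_len]


def inspect_package(blob: bytes, passphrase: bytes, has_trailer: bool = True) -> dict:
    """Summarise what `openssl aes-256-cbc -d -salt -k <pw>` would work with:
    the salt, the derived key/IV, and whether the ciphertext body is block
    aligned. A trailer left in place keeps the data aligned but makes the last
    block fail its padding check (the 'bad decrypt' seen above); a misaligned
    body fails outright."""
    body = strip_trailer(blob) if has_trailer else blob
    salt = parse_salted_header(body)
    if salt is None:
        return {"salted": False}
    key, iv = evp_bytes_to_key(passphrase, salt)
    ciphertext = body[len(SALTED_MAGIC) + SALT_LEN:]
    return {
        "salted": True,
        "salt": salt.hex(),
        "key": key.hex(),
        "iv": iv.hex(),
        "ciphertext_len": len(ciphertext),
        "block_aligned": len(ciphertext) % AES_BLOCK == 0,
    }


# Constructed sample package (not a real image): header, 4 AES blocks of
# placeholder ciphertext, then a 32-byte trailer like the one check_ready strips.
SAMPLE_SALT = bytes(range(8))
SAMPLE_PACKAGE = SALTED_MAGIC + SAMPLE_SALT + b"\xAA" * 64 + b"\x00" * TRAILER_LEN
SAMPLE_PASSPHRASE = b"example-passphrase"  # constructed placeholder, not a device key

if __name__ == "__main__":
    for k, v in inspect_package(SAMPLE_PACKAGE, SAMPLE_PASSPHRASE).items():
        print(f"{k}: {v}")
```

Because the salt is stored in clear in the container and the passphrase sits in a shell script on the device, anyone holding an unencrypted image can derive the same key and IV; the scheme protects against casual inspection of the download, not against analysis of the device.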
Summary
This is a fairly simple example: the key is hardcoded and a single command decrypts the image. Other cases require reverse engineering an executable and writing a script to decrypt, but the approach is the same; that will be the subject of a later post when time permits.
References
https://paper.seebug.org/1651/
https://www.freebuf.com/articles/terminal/226696.html