Using Ghidra To Extract A Router Configuration Encryption Key

Who doesn’t know the struggle? Buying an interesting piece of hardware for a song and a dance, and then finding that the device’s firmware and/or configuration file is locked down with various encryption or obfuscation methods. This was the experience [Ali Raheem] had when he got a TP-Link TL-MR3020 V3 for a mere 18 British Pounds, intending to use this 4G-capable router to increase internet reliability.

Naturally this can all be done while staying inside the vendor-provided marked lines, which in this case meant ignoring the encrypted configuration files. As the owner of the hardware, [Ali] found this unacceptable, and thus got a firmware image from the TP-Link site to see what could be gleaned from it in terms of encryption keys and other hints.

After obtaining the TP-Link-provided BIN file, binwalk helpfully extracted the files embedded in it, John the Ripper cracked the password hashes in the /etc/passwd.bak file, and the encrypted /etc/default_config.xml file turned up. Searching for this filename string in the rest of the extracted files led to /lib/libcmm.so.

Dropping this shared library file into Ghidra to disassemble its code, [Ali] found a function suspiciously called decryptFile. Inside was a reference to the global key string, which, when tossed into OpenSSL and after some fiddling, turned out to decrypt the XML configuration file in des-ecb mode. From this point, dropping in one’s own configuration files should be no problem after encrypting them to make the firmware happy. Nice work!
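The OpenSSL step above, as an added example that is not part of [Ali]’s write-up: it round-trips a constructed XML snippet through DES-ECB with a raw hex key the way an extracted key would be fed to `openssl enc`, and checks that identical plaintext blocks give identical ciphertext blocks, which is why a device config "encrypted" this way leaks its structure even before the key is recovered. It assumes `openssl` is on PATH; the key and XML are made-up placeholders, not TP-Link’s, and the OpenSSL 3 legacy-provider handling is one likely source of the "fiddling".

```shell
#!/bin/sh
# Added example, not from the original post. Placeholder key and config only.
set -e

# Single DES moved into OpenSSL 3's "legacy" provider, so a command that works
# on 1.1.x fails on 3.x with "unsupported" unless both providers are loaded.
provider_flags() {
    case "$(openssl version)" in
        "OpenSSL 3"*) echo "-provider legacy -provider default" ;;
        *)            echo "" ;;
    esac
}

# DES-ECB with the key given as raw hex (-K), no password KDF, no salt header.
# $1 = -e or -d, $2 = 16 hex chars (8-byte DES key). Reads stdin, writes stdout.
des_ecb() {
    # shellcheck disable=SC2046   # provider flags must word-split
    openssl enc "$1" -des-ecb -K "$2" -nosalt $(provider_flags)
}

hex_of() { od -An -tx1 -v | tr -d ' \n'; }

# Constructed stand-ins for the key embedded in the library and the config.
KEY_HEX="706c616365686c64"   # "placehld" as hex; NOT the real device key
PLAINTEXT='<?xml version="1.0"?><config><ssid>lab</ssid></config>'

# Encrypt then decrypt; prints the recovered plaintext.
roundtrip() {
    printf '%s' "$PLAINTEXT" | des_ecb -e "$KEY_HEX" | des_ecb -d "$KEY_HEX"
}

# ECB has no diffusion across blocks: two identical 8-byte plaintext blocks
# encrypt to two identical ciphertext blocks. Prints "yes" if they match.
ecb_leaks_pattern() {
    ct=$(printf 'AAAAAAAAAAAAAAAA' | des_ecb -e "$KEY_HEX" | hex_of)
    b1=$(printf '%s' "$ct" | cut -c1-16)
    b2=$(printf '%s' "$ct" | cut -c17-32)
    [ "$b1" = "$b2" ] && echo yes || echo no
}

roundtrip; echo
echo "identical blocks leak: $(ecb_leaks_pattern)"
```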

Hacking The Lidl Home Gateway

For years, Europeans have been browsing the central aisles of the German Aldi and Lidl supermarket chains, attracted by the surprising variety of transitory non-grocery bargains to be found there. There are plenty of temptations for hackers, and alongside the barbecues and Parkside tools at Lidl last year was a range of Zigbee home automation products. Every Zigbee network requires some form of hub, and for Lidl this comes in the form of a £20 (about $28) Silvercrest Home Gateway appliance. It’s a small embedded Linux computer at heart, and [Paul Banks] has published details of how it can be hacked and bent to the user’s will.

Under the hood is a Realtek RTL8196E MIPS SoC with 16 Mb of Flash and 32 Mb of memory. Gaining control of it follows the well-trodden path of finding the bootloader, dumping the firmware, and re-uploading it with a known password file. If you’ve done much hacking of routers and the like, you’ll recognise that this quantity of memory and Flash isn’t the most powerful combination, so perhaps you won’t be turning it into a supercomputer, but it’s still capable enough to be integrated with Home Assistant rather than the cloud-based services with which it shipped.

There was a time when repurposing routers as embedded Linux machines was extremely popular, but it’s something that has fallen from favour as boards such as the Raspberry Pi have provided an easier path. So it’s good to see a bit of old-fashioned fun can still be had with an inexpensive device.

If you fancy a bit more German budget supermarket goodness, feast your eyes on an Aldi stick welder!