Zero Day Diaries

Breaking Down Security, Bit by Bit

[Project] Router Hacking – Cracking default_config.xml

Search all files within the squashfs filesystem for the string ‘default_config.xml’.

jackady@Adnans-MacBook-Air squashfs-root % grep -r "default_config.xml" .
Binary file ./lib/libcmm.so matches

Inspecting libcmm.so

After decompiling with Ghidra and searching for the string ‘default_config.xml’, I cross-referenced and inspected the function calls, eventually identifying a function, dm_decryptFile, which uses a hardcoded key held in memory to decrypt XML files.

Key extracted from memory: 478DA50FF9E3D2CB

Using this key to decrypt the XML files:

At first I try using openssl to decrypt the files, but I get an error:

jackady@Adnans-MacBook-Air etc % openssl enc -d -des-ecb -in default_config.xml -out decrypted_file.bin -K "478DA50FF9E3D2CB" -nopad
Error setting cipher DES-ECB
4088540202000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (DES-ECB : 18), Properties ()

It seems OpenSSL doesn’t support DES anymore.

Since ChatGPT was acting weird, I asked DeepSeek to write a Python script to decrypt the XML file using the discovered key:

# Script by DeepSeek (the Crypto package comes from pycryptodome: pip install pycryptodome)

from Crypto.Cipher import DES
import argparse

# Set up argument parser
parser = argparse.ArgumentParser(description="Decrypt a file using DES-ECB.")
parser.add_argument("input_file", help="Path to the encrypted input file")
parser.add_argument("-o", "--output", help="Path to the decrypted output file", default="decrypted_file.bin")
args = parser.parse_args()

# Hardcoded key recovered from libcmm.so, as raw bytes
key = bytes.fromhex("478DA50FF9E3D2CB")

# Read the encrypted file
with open(args.input_file, "rb") as f:
    encrypted_data = f.read()

# Raw DES-ECB with no padding: the ciphertext must be a whole number of 8-byte blocks
if len(encrypted_data) % DES.block_size != 0:
    raise SystemExit(f"Input length {len(encrypted_data)} is not a multiple of {DES.block_size} bytes")

# Initialize the DES cipher (ECB mode, no IV) and decrypt
cipher = DES.new(key, DES.MODE_ECB)
decrypted_data = cipher.decrypt(encrypted_data)

# Write the decrypted data to the output file
with open(args.output, "wb") as f:
    f.write(decrypted_data)

print(f"Decrypted data written to {args.output}")

Voila, the file is decrypted!
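As an added example, not the post's own script, here is a more careful version of the same decryption step: it checks the ciphertext length and counts repeated 8-byte blocks (a raw DES-ECB file with no IV shows both), strips trailing padding, and confirms the output parses as XML before trusting the key. It assumes pycryptodome for the Crypto package, as the script above does; the helper names are my own.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Key recovered from libcmm.so in the post above, and the DES block size
KEY_HEX = "478DA50FF9E3D2CB"
BLOCK = 8


def ecb_block_stats(data: bytes) -> dict:
    """Triage before decrypting: a raw block cipher with no IV leaves a length that is
    a multiple of the block size, and ECB leaks structure as repeated ciphertext blocks
    (an XML config full of repeated whitespace and tags produces plenty of them)."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    counts = Counter(blocks)
    return {
        "aligned": len(data) % BLOCK == 0,
        "blocks": len(blocks),
        "repeated_blocks": sum(c for c in counts.values() if c > 1),
    }


def des_ecb_decrypt(data: bytes, key_hex: str = KEY_HEX) -> bytes:
    """Raw DES-ECB decrypt with no padding handling; needs pycryptodome."""
    if len(data) % BLOCK:
        raise ValueError(f"ciphertext length {len(data)} is not a multiple of {BLOCK}")
    from Crypto.Cipher import DES  # imported lazily so the length check runs without it
    return DES.new(bytes.fromhex(key_hex), DES.MODE_ECB).decrypt(data)


def strip_padding(plain: bytes) -> bytes:
    """Drop PKCS#7 padding if the last byte describes it, otherwise trailing NUL padding."""
    last = plain[-1] if plain else 0
    if 1 <= last <= BLOCK and plain.endswith(bytes([last]) * last):
        return plain[:-last]
    return plain.rstrip(b"\x00")


def looks_like_xml(plain: bytes) -> bool:
    """Sanity check that key and mode were right: does the output parse as XML?"""
    try:
        ET.fromstring(plain)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read()
    print(ecb_block_stats(data), file=sys.stderr)
    plain = strip_padding(des_ecb_decrypt(data))
    print("parses as XML:", looks_like_xml(plain), file=sys.stderr)
    sys.stdout.buffer.write(plain)
```

If you would rather stay with openssl, the error above is OpenSSL 3 refusing single DES from its default provider; loading the legacy provider (`-provider legacy -provider default`) makes `enc -des-ecb` work again.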

Decrypted files can be found on the GitHub repo: https://github.com/jackhax/router-hacking. The repo is private; shoot me an email if you want to see the decrypted files.