I'm trying to extract the PPPoE username and password from a ZTE ZXHN F680 V6 router. I have obtained several files from the router and can get access to other files if needed. Here is where I'm at.

I have obtained the cspd file after reading this Q&A. I also have a config.bin file but was unable to determine any information from it using the binwalk or strings commands. Both returned empty results and indicated a high level of entropy.

Here is a link to the files extracted from router.

I assume that the PPPoE file will be in an encoded or encrypted or both .xml file. So, my search in the cspd file for strings resulted in potentially useful information.

$ strings cspd | grep .xml
/var/tmp/db_user_cfg.xml
CP download xml doc failed!
/etc/db_user_cfg.xml
please input cfg file(/proc/cfg/db_user_cfg.xml) eg.
/var/tmp/db_cp_cfg.xml
/var/tmp/db_reload_cfg.xml
/var/tmp/db_backup_cfg.xml
/etc/db_default_%s_cfg.xml
/var/tmp/db_Decry_cfg.xml
/var/tmp/usb_rst_cfg.xml
dbc_mgr_file_xml.c
at %d line of xml file
sbsize(%d) xmlsize(%d)
/userconfig/cfg/db_user_cfg.xml
/etc/db_default_cfg.xml
/userconfig/cfg/db_backup_cfg.xml

I think the best candidates for containing the PPPoE username and password are /userconfig/cfg/db_backup_cfg.xml, /userconfig/cfg/db_user_cfg.xml and /etc/db_default_cfg.xml.

I have checked those files using binwalk and it seems they have a high level of entropy with only one section (no obvious header), so they have been encrypted, not simply encoded:

binwalk -E db_user_cfg.xml

WARNING: Failed to import matplotlib module, visual entropy graphing will be disabled

DECIMAL       HEXADECIMAL     ENTROPY
0             0x0             Rising entropy edge (0.954061)

Following the above linked post, I used Ghidra 10 to decompile the cspd file and searched for these strings, as well as functions for decryption. I found the following files:

  • AES_set_decryption_key
  • AESDecrypt
  • AESCBCDecry
  • dbcCfgSetAesKey
  • DecryByAES
  • DecryByAESCBC

I think the most likely candidate to get a key for decryption is dbcCfgSetAesKey, but that's only because of the name of the function and the target .xml files have cfg in their names.

The body of the dbcCfgSetAesKey function is below. It only accepts one variable and:

undefined4 dbcCfgSetAesKey(void *param_1)
{
    /* copy 0x20 (32) bytes from the caller's buffer into the global key slot */
    if (param_1 != (void *)0x0) {
        memcpy(g_szMD5Key, param_1, 0x20);
        return 0;
    }
    return 0xffffffff;
}

I searched Ghidra for g_szMD5Key and found there was only a Label with that name, no function. It appears to me that the above dbcCfgSetAesKey function is copying the config file AES key to a memory location to be accessed later by the decryption process. The key may be some type of MD5 hash?

My questions are:

  1. What are my options for extracting the key to decrypt the .xml files? Am I right that the PPPoE data will likely be in the above mentioned .xml files?
  2. Am I generally on the right track to extract config data from a ZTE router such as the ZTE ZXHN F680 V6? I know that they are all different, and I have looked at some other tools such as zte-config-utility, which I see requires having a key to extract the config files.
  3. What am I missing about this approach to reverse-compiling the router configuration?

I know my questions will be rather noob since I am just starting to learn reverse engineering / compiling. I am fairly good with encryption and modes, but not great with Ghidra or C++. If my question is much too simple and uninformed, just let me know.

I'm Root James
  • Can you upload cspd file? – xax Apr 23 '22 at 06:05
  • @xax I have uploaded a zip file of the files extracted from the router. There is also a directory tagparam with a p12 certificate, and config.bin. All seem encrypted. https://drive.google.com/file/d/1UEV9xGcFIq4aQfRj-k9_uJx4CEPirykA/view?usp=sharing – I'm Root James Apr 23 '22 at 07:08
  • This config file uses the AES-256-CBC algorithm and deflate zlib compression. key_str = "C1DB7A773d634602dc8c", iv_str = "ZTE%FN$GponNJ025" -> key = sha256(key_str), iv = first 16 bytes of sha256(iv_str) -> key = 4a5e07466a0777eb2650bbd4fc85bb7498e3048d4219916c5f50576ad5c25bce iv = 83197b65889558bb6723df979895bb36. The decrypt method is in the function DecryByAESCBC, and the key_str C1DB7A773d634602dc8c I found in the paramtag file. But this decrypt succeeds only for the file db_backup_cfg.xml. – xax Apr 23 '22 at 14:34
  • Thanks for that info. I assume that the zlib decompress must happen first because when I open the file as bytes in Python3 and check the length of the db_backup_cfg.xml file, print(len(payload) % 16), the output is 8. So the file is not padded to the right length for AES 256 CBC mode decryption. But when I try to zlib decompress using python3, payload = zlib.decompress(payload), I get the error zlib.error: Error -3 while decompressing data: incorrect header check. – I'm Root James Apr 23 '22 at 18:35
  • hex view You can use decode.py db_backup_cfg.bin db_backup_cfg.xml after decrypting, or use my script using zcu, zte_f608.py: zte_f608.py --key-prefix C1DB7A773d634602dc8c --iv-prefix ZTE%FN$GponNJ025 db_backup_cfg.xml out.xml – xax Apr 24 '22 at 03:34
  • I tried your command python3 zte_f608.py --key-prefix C1DB7A773d634602dc8c --iv-prefix ZTE%FN$GponNJ025 db_backup_cfg.xml out.xml for the script, but I got the error: Malformed decrypted payload, likely you used the wrong key! – I'm Root James Apr 24 '22 at 04:34
  • db_backup_cfg.xml only; I don't know the key of the files config.bin and db_user_cfg.xml – xax Apr 24 '22 at 04:47
  • Hm.. that's strange. I tried this command on the db_backup_cfg.xml file: python3 zte_f608.py --key-prefix C1DB7A773d634602dc8c --iv-prefix ZTE%FN$GponNJ025 db_backup_cfg.xml out.xml. Like I said, I got the error "used the wrong key!" Did that exact command work for you on the db_backup_cfg.xml file? – I'm Root James Apr 24 '22 at 04:53
  • You can see the db_backup_cfg.xml.bin file; I used zte_f608.py to decrypt it successfully to a compressed file. You can decode it to xml using zte_f608.py or decode.py – xax Apr 24 '22 at 05:33
  • Thanks. I was able to zlib decompress the db_backup_cfg.xml.bin file using the zte_f608.py tool as you mentioned, since it seems to skip the decryption process if it can't detect the payload_type. So, that worked. I'm not sure why I could not also decrypt it. Thanks though! – I'm Root James Apr 24 '22 at 05:48
  • Can you tell me please how you managed to access the router? I have the same model and I'm struggling.
    Also I have another ZTE router (F660v5) that I was able to get a shell on, but again, I wasn't able to decrypt the config...
    – Lucifuru Aug 15 '22 at 15:08
  • I have the same model. Can you show me, please, step by step how you extracted the file from the router? Thanks – zouhair Oct 19 '22 at 22:19
  • Is there anyway you can share with us the firmware? Thanks a lot. – tomeo Oct 19 '22 at 23:50
  • Can you share the firmware as a bin file? And are we talking about the ZTE F680 V6 or another variant? Because you got me wondering with the -L suffix. Thank you – tomeo Oct 20 '22 at 01:04
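The scheme xax describes in the comments (key = SHA-256 of the key string, IV = first 16 bytes of SHA-256 of the IV string, AES-256-CBC, then zlib inflate) and the order-of-operations confusion in the follow-ups (the "incorrect header check" error comes from inflating bytes that are still encrypted, and a length that is not a multiple of 16 means the blob is not a bare CBC payload) are illustrated below as an added, stand-alone example. This is not the page's own code, not the zcu / zte_f608.py tool and not the router's DecryByAESCBC routine; it uses only the Go standard library. The key and IV strings are the ones from xax's comment; the sample XML is constructed, and the container is assumed to be a bare PKCS#7-padded CBC payload with no ZTE header, which is the one assumption here that the real file evidently does not satisfy (its length mod 16 was 8), so treat SealConfig as a way to build test input, not as the device's format.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Strings reported in the comments for db_backup_cfg.xml.
const (
	keyStr = "C1DB7A773d634602dc8c"
	ivStr  = "ZTE%FN$GponNJ025"
)

// DeriveKeyIV implements the derivation from the comments:
// key = SHA-256(keyStr) (32 bytes, i.e. AES-256), iv = first 16 bytes of SHA-256(ivStr).
func DeriveKeyIV(keyStr, ivStr string) (key, iv []byte) {
	k := sha256.Sum256([]byte(keyStr))
	i := sha256.Sum256([]byte(ivStr))
	return k[:], i[:16]
}

// pkcs7Pad / pkcs7Unpad: block padding assumed for this example (not confirmed for the ZTE container).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// SealConfig builds sample input: deflate the XML, then AES-256-CBC encrypt it (constructed format).
func SealConfig(xml []byte, keyStr, ivStr string) ([]byte, error) {
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write(xml)
	w.Close()
	key, iv := DeriveKeyIV(keyStr, ivStr)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(z.Bytes())
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// OpenConfig reverses it in the order the comments give: decrypt first, inflate second.
func OpenConfig(blob []byte, keyStr, ivStr string) ([]byte, error) {
	if len(blob)%aes.BlockSize != 0 {
		// This is the situation the asker hit (len % 16 == 8): the file carries more than a bare CBC payload.
		return nil, fmt.Errorf("length %d is not a multiple of %d: not a bare CBC payload, look for a container header", len(blob), aes.BlockSize)
	}
	key, iv := DeriveKeyIV(keyStr, ivStr)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, blob)
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return nil, fmt.Errorf("wrong key/iv or different container format: %w", err)
	}
	return Inflate(pt)
}

// Inflate validates the 2-byte zlib header (CM == 8, CMF*256+FLG divisible by 31) before
// inflating, so feeding still-encrypted bytes yields a clear message instead of "incorrect header check".
func Inflate(data []byte) ([]byte, error) {
	if len(data) < 2 || data[0]&0x0f != 8 || (uint16(data[0])<<8|uint16(data[1]))%31 != 0 {
		return nil, errors.New("no zlib header: data is probably still encrypted or not deflate-compressed")
	}
	r, err := zlib.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	defer r.Close()
	return io.ReadAll(r)
}

func main() {
	key, iv := DeriveKeyIV(keyStr, ivStr)
	fmt.Println("key:", hex.EncodeToString(key)) // compare with the value quoted in the comments
	fmt.Println("iv: ", hex.EncodeToString(iv))
	sample := []byte(`<Tbl name="WANC"><Row><DM name="Username" val="user@example"/></Row></Tbl>`) // constructed
	blob, _ := SealConfig(sample, keyStr, ivStr)
	out, err := OpenConfig(blob, keyStr, ivStr)
	fmt.Println(string(out), err)
	_, err = Inflate(blob) // the mistake from the comments: inflating before decrypting
	fmt.Println("inflate ciphertext:", err)
}
```

Running it prints the derived key and IV in hex so they can be checked against the values xax quoted, round-trips the constructed XML, and shows the two failure modes from the thread as explicit errors: inflating ciphertext (no zlib header) and passing a blob whose length is not block-aligned (a container with extra structure rather than a raw CBC payload).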

0 Answers