Does this still work? #2
Comments
|
The subsequent releases of the firmware by DblTek did not exactly "fix" this issue. Merely, they made the math problem harder to reverse engineer. I haven't had the time to reverse engineer these later firmwares, but a good rule of thumb is that if the device gives a challenge starting with the letter "n", then it is vulnerable to this tool. Hope this helped with your 'research'! ;) |
I'm simply trying to explore my own device with the hopes that I'll be able to fix it's flakiness.
My challenges for
If you do RE them, be sure to let us know! My device is a rather flakey and I'm trying to get it working. |
|
Ah I see. Well, currently I do not believe there are any public tools out there for breaking into those newer firmwares. So your device is safe from skids. However, if an APT such as a nationstate wanted to get into your box, they totally could. A good solution is to put your device behind NAT (like a router) and disable the telnet service by blocking the port with iptables. |
|
My box is behind nat and is not accessible. What I need is access (for myself)! |
|
yeah, apparently they changed the algorithm a bit. int chap(void)
{
size_t sVar1;
int iVar2;
char *__s1;
undefined auStack_63c [1032];
char acStack_234 [128];
char acStack_1b4 [128];
byte local_134;
byte local_133;
byte local_132;
byte local_131;
byte local_12f;
byte local_12e;
byte local_12d;
byte local_12c;
byte local_12b;
byte local_12a;
byte local_128;
byte local_127;
byte local_126;
byte local_125;
byte local_124;
byte local_123;
byte local_122;
byte local_121;
byte local_120;
char acStack_a4 [132];
iVar2 = get_random();
__s1 = (char *)net_chap(iVar2,"192.168.2.1");
if (__s1 == (char *)0x0) {
printf("challenge: H%d\n",iVar2);
__s1 = (char *)getpasswd("Password: ");
}
memset(acStack_1b4,0,0x80);
memset(acStack_234,0,0x80);
memset(acStack_a4,0,0x80);
memset(&local_134,0,0x10);
sprintf((char *)&local_124,"%d",iVar2);
sprintf(acStack_a4,"%d%d%x%x%d%x",iVar2 + (iVar2 >> 3),iVar2 >> 4,(uint)local_122,
(uint)local_124 + ~(uint)local_122,(uint)local_120 + ~(uint)local_123,
~((uint)local_121 + (uint)local_123));
MD52(acStack_a4,0x40,&local_134);
sprintf(acStack_234,"%d%x%x%dF2GM1V",~(uint)local_132 + (uint)local_12f,
(uint)local_133 + (uint)local_127,(uint)local_12d + ~(uint)local_126,
~((uint)local_12a + (uint)local_12e));
sVar1 = strlen(acStack_234);
box_setup(auStack_63c,acStack_234,sVar1);
box_crypt(auStack_63c,&local_134,0x10);
sprintf(acStack_1b4,"%02x%02x%02x%02x%02x%02x%02x%02x",(uint)local_131 + ~(uint)local_12f & 0xff,
~(uint)local_12c + (uint)local_131 & 0xff,(uint)local_133 + (uint)local_134 & 0xff,
~(uint)local_125 + (uint)local_12e & 0xff,(local_12b & 0x7f) << 1,
(uint)local_128 + ~(uint)local_12d & 0xff,(uint)local_134 + ~(uint)local_132 & 0xff,
~(uint)local_127 + (uint)local_12e & 0xff);
iVar2 = strcmp(__s1,acStack_1b4);
if (iVar2 != 0) {
sleep(10);
iVar2 = -1;
}
return iVar2;
}
void box_setup(undefined4 *param_1,int param_2,int param_3)
{
int iVar1;
uint uVar2;
int iVar3;
int iVar4;
param_1[2] = 7;
*param_1 = 0;
param_1[1] = 0;
iVar3 = 0;
param_1[3] = 1;
param_1[4] = 3;
param_1[5] = 2;
param_1[6] = 4;
param_1[7] = 5;
param_1[8] = 6;
param_1[10] = 9;
param_1[0xb] = 8;
param_1[0xc] = 0xf;
param_1[0xd] = 0xe;
param_1[0xe] = 0x11;
param_1[0xf] = 0xd;
param_1[0x10] = 0xb;
param_1[0x11] = 10;
param_1[0x12] = 0x12;
param_1[0x13] = 0xc;
param_1[0x14] = 0x10;
param_1[0x15] = 0x13;
param_1[0x16] = 0x14;
param_1[0x17] = 0x15;
param_1[0x18] = 0x16;
param_1[0x19] = 0x17;
param_1[0x1a] = 0x18;
param_1[0x1b] = 0x19;
param_1[0x1c] = 0x1a;
param_1[0x1d] = 0x1b;
param_1[0x1e] = 0x1c;
param_1[0x1f] = 0x1d;
param_1[0x20] = 0x1e;
param_1[9] = 0;
param_1[0x21] = 0x1f;
param_1[0x22] = 0x20;
param_1[0x23] = 0x21;
param_1[0x24] = 0x22;
param_1[0x25] = 0x23;
param_1[0x26] = 0x24;
param_1[0x27] = 0x25;
param_1[0x28] = 0x26;
param_1[0x29] = 0x27;
param_1[0x2a] = 0x28;
param_1[0x2b] = 0x29;
param_1[0x2c] = 0x2a;
param_1[0x2d] = 0x2b;
param_1[0x2e] = 0x2c;
param_1[0x2f] = 0x2d;
param_1[0x30] = 0x2e;
param_1[0x31] = 0x2f;
param_1[0x32] = 0x30;
param_1[0x33] = 0x31;
param_1[0x34] = 0x32;
param_1[0x35] = 0x33;
param_1[0x36] = 0x34;
param_1[0x37] = 0x35;
param_1[0x38] = 0x36;
param_1[0x39] = 0x37;
param_1[0x3a] = 0x38;
param_1[0x3b] = 0x39;
param_1[0x3c] = 0x3a;
param_1[0x3d] = 0x3b;
param_1[0x3e] = 0x3c;
param_1[0x3f] = 0x3d;
param_1[0x40] = 0x3e;
param_1[0x41] = 0x3f;
param_1[0x42] = 0x40;
param_1[0x43] = 0x41;
param_1[0x44] = 0x42;
param_1[0x45] = 0x43;
param_1[0x46] = 0x44;
param_1[0x47] = 0x45;
param_1[0x48] = 0x46;
param_1[0x49] = 0x47;
param_1[0x4a] = 0x48;
param_1[0x4b] = 0x49;
param_1[0x4c] = 0x4a;
param_1[0x4d] = 0x4b;
param_1[0x4e] = 0x4c;
param_1[0x4f] = 0x4d;
param_1[0x50] = 0x4e;
param_1[0x51] = 0x4f;
param_1[0x52] = 0x50;
param_1[0x53] = 0x51;
param_1[0x54] = 0x52;
param_1[0x55] = 0x53;
param_1[0x56] = 0x54;
param_1[0x57] = 0x55;
param_1[0x58] = 0x56;
param_1[0x59] = 0x57;
param_1[0x5a] = 0x58;
param_1[0x5b] = 0x59;
param_1[0x5c] = 0x5b;
param_1[0x5d] = 0x5a;
param_1[0x5e] = 0x5c;
param_1[0x5f] = 0x5d;
param_1[0x60] = 0x5e;
param_1[0x61] = 0x5f;
param_1[0x62] = 99;
param_1[99] = 0x61;
param_1[100] = 0x62;
param_1[0x65] = 0x60;
param_1[0x66] = 0x67;
param_1[0x67] = 0x6b;
param_1[0x68] = 0x66;
param_1[0x69] = 100;
param_1[0x6a] = 0x68;
param_1[0x6b] = 0x69;
param_1[0x6c] = 0x6a;
param_1[0x6d] = 0x65;
param_1[0x6e] = 0x6c;
param_1[0x6f] = 0x6d;
param_1[0x70] = 0x6e;
param_1[0x71] = 0x6f;
param_1[0x72] = 0x70;
param_1[0x73] = 0x71;
param_1[0x74] = 0x72;
param_1[0x75] = 0x73;
param_1[0x76] = 0x74;
param_1[0x77] = 0x75;
param_1[0x78] = 0x76;
param_1[0x79] = 0x77;
param_1[0x7a] = 0x78;
param_1[0x7b] = 0x79;
param_1[0x7c] = 0x7a;
param_1[0x7d] = 0x7b;
param_1[0x7e] = 0x7c;
param_1[0x7f] = 0x7d;
param_1[0x80] = 0x7e;
param_1[0x81] = 0x7f;
param_1[0x82] = 0x80;
param_1[0x83] = 0x81;
param_1[0x84] = 0x82;
param_1[0x85] = 0x83;
param_1[0x86] = 0x84;
param_1[0x87] = 0x85;
param_1[0x88] = 0x86;
param_1[0x89] = 0x87;
param_1[0x8a] = 0x88;
param_1[0x8b] = 0x89;
param_1[0x8c] = 0x8a;
param_1[0x8d] = 0x8b;
param_1[0x8e] = 0x8e;
param_1[0x8f] = 0x8d;
param_1[0x90] = 0x8c;
param_1[0x91] = 0x8f;
param_1[0x92] = 0x94;
param_1[0x93] = 0x91;
param_1[0x94] = 0x92;
param_1[0x95] = 0x93;
param_1[0x96] = 0x90;
param_1[0x97] = 0x95;
param_1[0x98] = 0x96;
param_1[0x99] = 0x97;
param_1[0x9a] = 0x98;
param_1[0x9b] = 0x99;
param_1[0x9c] = 0x9a;
param_1[0x9d] = 0x9b;
param_1[0x9e] = 0x9c;
param_1[0x9f] = 0x9d;
param_1[0xa0] = 0x9e;
param_1[0xa1] = 0x9f;
param_1[0xa2] = 0xa0;
param_1[0xa3] = 0xa1;
param_1[0xa4] = 0xa2;
param_1[0xa5] = 0xa3;
param_1[0xa6] = 0xa4;
param_1[0xa7] = 0xa5;
param_1[0xa8] = 0xa6;
param_1[0xa9] = 0xa7;
param_1[0xaa] = 0xa8;
param_1[0xab] = 0xa9;
param_1[0xac] = 0xaa;
param_1[0xad] = 0xab;
param_1[0xae] = 0xac;
param_1[0xaf] = 0xad;
param_1[0xb0] = 0xae;
param_1[0xb1] = 0xaf;
param_1[0xb2] = 0xb0;
param_1[0xb3] = 0xb1;
param_1[0xb4] = 0xb2;
param_1[0xb5] = 0xb3;
param_1[0xb6] = 0xb4;
param_1[0xb7] = 0xb5;
param_1[0xb8] = 0xb6;
param_1[0xb9] = 0xb7;
param_1[0xba] = 0xb8;
param_1[0xbb] = 0xb9;
param_1[0xbc] = 0xba;
param_1[0xbd] = 0xbb;
param_1[0xbe] = 0xbc;
param_1[0xbf] = 0xbd;
param_1[0xc0] = 0xbe;
param_1[0xc1] = 0xbf;
param_1[0xc2] = 0xc0;
param_1[0xc3] = 0xc1;
param_1[0xc4] = 0xc2;
param_1[0xc5] = 0xc3;
param_1[0xc6] = 0xc4;
param_1[199] = 0xc5;
param_1[200] = 0xc6;
param_1[0xc9] = 199;
param_1[0xca] = 200;
param_1[0xcb] = 0xc9;
param_1[0xcc] = 0xca;
param_1[0xcd] = 0xcb;
param_1[0xce] = 0xcc;
param_1[0xcf] = 0xcd;
param_1[0xd0] = 0xce;
param_1[0xd1] = 0xcf;
param_1[0xd2] = 0xd0;
param_1[0xd3] = 0xd1;
param_1[0xd4] = 0xd2;
param_1[0xd5] = 0xd3;
param_1[0xd6] = 0xd4;
param_1[0xd7] = 0xd5;
param_1[0xd8] = 0xd6;
param_1[0xd9] = 0xd7;
param_1[0xda] = 0xd8;
param_1[0xdb] = 0xd9;
param_1[0xdc] = 0xda;
param_1[0xdd] = 0xdb;
param_1[0xde] = 0xdc;
param_1[0xdf] = 0xdd;
param_1[0xe0] = 0xde;
param_1[0xe1] = 0xdf;
param_1[0xe2] = 0xe0;
param_1[0xe3] = 0xe1;
param_1[0xe4] = 0xe2;
param_1[0xe5] = 0xe3;
param_1[0xe6] = 0xe4;
param_1[0xe7] = 0xe5;
param_1[0xe8] = 0xe6;
param_1[0xe9] = 0xe7;
param_1[0xea] = 0xe8;
param_1[0xeb] = 0xe9;
param_1[0xec] = 0xea;
param_1[0xed] = 0xeb;
param_1[0xee] = 0xec;
param_1[0xef] = 0xed;
param_1[0xf0] = 0xee;
param_1[0xf1] = 0xef;
param_1[0xf2] = 0xf0;
param_1[0xf3] = 0xf1;
param_1[0xf4] = 0xf2;
param_1[0xf5] = 0xf3;
param_1[0xf6] = 0xf4;
param_1[0xf7] = 0xf5;
param_1[0xf8] = 0xf6;
param_1[0xf9] = 0xf7;
param_1[0xfa] = 0xf8;
param_1[0xfb] = 0xf9;
param_1[0xfc] = 0xfa;
param_1[0xfd] = 0xfb;
param_1[0xfe] = 0xfc;
param_1[0xff] = 0xfd;
param_1[0x100] = 0xfe;
param_1[0x101] = 0xff;
uVar2 = 0;
iVar4 = 0;
do {
iVar1 = param_1[iVar4 + 2];
uVar2 = (uint)*(byte *)(param_2 + iVar3) + uVar2 + iVar1 & 0xff;
iVar3 = iVar3 + 1;
param_1[iVar4 + 2] = param_1[uVar2 + 2];
iVar4 = iVar4 + 1;
if (param_3 <= iVar3) {
iVar3 = 0;
}
param_1[uVar2 + 2] = iVar1;
} while (iVar4 < 0x100);
return;
}
void box_crypt(uint *param_1,int param_2,int param_3)
{
uint uVar1;
uint uVar2;
uint uVar3;
int iVar4;
uint uVar5;
iVar4 = 0;
uVar1 = *param_1;
uVar5 = param_1[1];
if (0 < param_3) {
do {
uVar1 = uVar1 + 1 & 0xff;
uVar2 = param_1[uVar1 + 2];
uVar5 = uVar5 + uVar2 & 0xff;
uVar3 = param_1[uVar5 + 2];
param_1[uVar1 + 2] = uVar3;
param_1[uVar5 + 2] = uVar2;
*(byte *)(param_2 + iVar4) =
*(byte *)(param_2 + iVar4) ^ *(byte *)(param_1 + (uVar2 + uVar3 & 0xff) + 2);
iVar4 = iVar4 + 1;
} while (iVar4 < param_3);
}
*param_1 = uVar1;
param_1[1] = uVar5;
return;
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It seems the algo was updated in later firmware. Does this still work? There also seems to be another user,
secid, that uses the device's serial number as past of the challengeThe text was updated successfully, but these errors were encountered: