TP-Link Archer C9 v5 config backup decryption key

Luca_S
DD-WRT Novice


Joined: 10 Dec 2015
Posts: 9

Posted: Tue Mar 14, 2023 18:59    Post subject: TP-Link Archer C9 v5 config backup decryption key
Hi, I know DD-WRT will probably never support the TP-Link Archer C9 v5, however I spent some time recovering the config backup encryption key and I wanted to share the commands to decode it:

Code:
openssl aes-256-cbc -d -k ArcherC9 -in backup-ArcherC9-2023-03-14.bin -out decrypted.bin -md md5
openssl zlib -d -in decrypted.bin -out uncompressed.tar


or, if you are using openssl without zlib:

Code:
sudo apt install pigz
unpigz < decrypted.bin > uncompressed.tar


Config backup is actually a tar archive with a bunch of files just like other TP-Link routers.

As you can see, the key is ArcherC9 - which is actually extracted at runtime from the product_name uci configuration variable (look for enc_file in /usr/lib/lua/luci/controller/admin/firmware.lua). Next step, reencoding and possibly enabling full root ssh access by adding <RemoteSSH>on</RemoteSSH> to the Dropbear configuration section!

I don't have wiki access so if anyone wants to add this info to https://wiki.dd-wrt.com/wiki/index.php/TP_Link_Archer_C9 feel free to do it.


Last edited by Luca_S on Tue Mar 14, 2023 21:12; edited 2 times in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Tue Mar 14, 2023 19:28    Post subject:
The stock firmware does not have dropbear included AFAIK. Will pass this info to BrainSlayer, but why would we want a way to exploit stock firmware in the wiki?
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Luca_S
DD-WRT Novice


Joined: 10 Dec 2015
Posts: 9

Posted: Thu Mar 16, 2023 2:32    Post subject:
It actually worked, I now have SSH root access to the router without opening it up!

**Instructions**
On a Linux machine, create a new directory called archerc9conf and download a router config backup into it. Its file name will be backup-ArcherC9-YYYY-MM-DD.bin. Open a terminal and cd to the archerc9conf directory. Run the following commands, making sure to replace YYYY-MM-DD with the values from your actual file.

Code:

# Decrypt the backup file
$ openssl aes-256-cbc -d -k ArcherC9 -md md5 -in backup-ArcherC9-YYYY-MM-DD.bin -out backup-ArcherC9-YYYY-MM-DD.decrypted.bin

# Decompress using zlib
$ unpigz < backup-ArcherC9-YYYY-MM-DD.decrypted.bin > backup-ArcherC9-YYYY-MM-DD.tar

# Create a subdir for the extracted files
$ mkdir extracted

# The files in the tar archive must have the same permissions, owner info and timestamp as the original. This requires invoking the next commands as sudo.

# Uncompress the tar archive
$ sudo tar --transform 's,^.,extracted,' -xf backup-ArcherC9-YYYY-MM-DD.tar

# Add the line to enable SSH access
$ sudo sed -i '/^<PasswordAuth>.*<\/PasswordAuth>/i <RemoteSSH>on<\/RemoteSSH>' extracted/ori-backup-user-config.bin

# Recreate the tar archive
$ sudo tar -b1 -cvf backup-ArcherC9-YYYY-MM-DD.repack.tar --transform 's,^extracted,.,' --no-recursion --owner=root:0 --group=root:0 extracted/ extracted/ori-backup-user-config.bin extracted/ori-backup-certificate.bin

# Make sure we can access the newly created archive
$ sudo chown $USER: backup-ArcherC9-YYYY-MM-DD.repack.tar

# Recompress using zlib
$ pigz -z -6 < backup-ArcherC9-YYYY-MM-DD.repack.tar > backup-ArcherC9-YYYY-MM-DD.tar.zlib

# Encrypt the archive again
$ openssl aes-256-cbc -e -k ArcherC9 -md md5 -in backup-ArcherC9-YYYY-MM-DD.tar.zlib -out backup-ArcherC9-YYYY-MM-DD.reencrypted.bin


Now restore the router config from the backup-ArcherC9-YYYY-MM-DD.reencrypted.bin file and wait a minute or two after reboot. Run ssh admin@YOUR-ROUTER-IP and log in with your router admin password.

The admin user does not have uid 0 but it's in the root group and has root privileges (see attached image).

I hope it will be useful for others or maybe to port DD-WRT to this or other similar devices!



[Attachment: ssh.png, SSH screenshot]
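As an added example (not code from the original posts, DD-WRT or TP-Link), the same pipeline in Python, covering both the one-liners in the first post and the repack procedure above: the OpenSSL `-md md5` key derivation that `-k ArcherC9` implies, the `Salted__` container, and an inspector for the decompressed tar that lists the member metadata the router expects and reports whether RemoteSSH is switched on. The AES step uses the third-party `cryptography` package; the member names, config tags other than PasswordAuth/RemoteSSH, and timestamp in the sample are constructed assumptions.

```python
import hashlib
import io
import tarfile
import zlib

PASSPHRASE = b"ArcherC9"  # static per-model passphrase recovered in the thread
CONFIG_MEMBER = "./ori-backup-user-config.bin"  # member name as restored above (assumed)


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16):
    """Legacy EVP_BytesToKey (MD5, 1 round) as `openssl enc -k ... -md md5`: D_i = MD5(D_{i-1}||pw||salt)."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        prev = hashlib.md5(prev + password + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def split_salted(blob: bytes):
    """Parse the `openssl enc` container: b'Salted__' + 8-byte salt + AES-CBC ciphertext."""
    if blob[:8] != b"Salted__" or len(blob) < 32 or (len(blob) - 16) % 16:
        raise ValueError("not an openssl 'Salted__' blob made of whole AES blocks")
    return blob[8:16], blob[16:]


def decrypt_backup(blob: bytes, password: bytes = PASSPHRASE) -> bytes:
    """AES-256-CBC layer; needs the third-party `cryptography` package (imported lazily)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    salt, ciphertext = split_salted(blob)
    key, iv = evp_bytes_to_key(password, salt)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    plain = dec.update(ciphertext) + dec.finalize()
    return plain[:-plain[-1]]  # strip PKCS#7 padding


def audit_plaintext(plaintext: bytes):
    """Inflate the zlib stream, list tar members (mode, uid, gid, mtime) and flag RemoteSSH=on."""
    tar = tarfile.open(fileobj=io.BytesIO(zlib.decompress(plaintext)))
    meta = {m.name: (m.mode, m.uid, m.gid, m.mtime) for m in tar.getmembers()}
    config = tar.extractfile(CONFIG_MEMBER).read().decode()
    return meta, "<RemoteSSH>on</RemoteSSH>" in config


def make_sample_plaintext(remote_ssh: bool) -> bytes:
    """Constructed stand-in for a decrypted backup (a real one carries many more sections)."""
    ssh_line = "<RemoteSSH>on</RemoteSSH>\n" if remote_ssh else ""
    config = ("<Dropbear>\n" + ssh_line + "<PasswordAuth>on</PasswordAuth>\n</Dropbear>\n").encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in ((CONFIG_MEMBER, config), ("./ori-backup-certificate.bin", b"")):
            info = tarfile.TarInfo(name)  # root-owned 0644 members, fixed mtime (constructed)
            info.size, info.mode, info.uid, info.gid, info.mtime = len(data), 0o644, 0, 0, 1678752000
            tar.addfile(info, io.BytesIO(data))
    return zlib.compress(buf.getvalue(), 6)  # same zlib level as `pigz -z -6` above
```

Because the passphrase is just the model name, the confidentiality of these backups (admin credentials, Wi-Fi keys) rests on nothing more than knowing that string, which is the practical takeaway for anyone storing such files.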


kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Thu Mar 16, 2023 2:56    Post subject:
I probably shouldn't post BrainSlayer's reply, but he's less than interested:

Quote:
Let the market rule it. If people avoid buying that shit, the vendor maybe changes their mind. It's Broadcom shit anyway.

On 14.03.2023 at 20:33 wrote:
Apparently, folks are still foaming at the mouth about the C9 v5. I don't think this information is useful for porting, and last I knew, there was no progress or port completed or it was a dead duck?

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334209

https://github.com/mirror/dd-wrt/issues/29 (see last entry about new stock firmware)

/BR
kp69


Don't expect any miracles unless someone is willing to do the porting or BrainSlayer changes his mind or finds the mood to port it. This device uses a bootloader to load the encrypted firmware image and then boot that image. It's not a simple port, whatsoever. I'm not even sure that you can do a true complete flash dump that way, but he has already dumped the flash on the donated unit, broken the crypto, he is just not very interested in porting Broadcom devices on a whim and I'm not going to try and change his mind.

BTW, congratulations on giving people a way to crack into the v5's stock firmware and hijack it since I don't think you can disable wireless access (can you?)

Luca_S
DD-WRT Novice


Joined: 10 Dec 2015
Posts: 9

Posted: Thu Mar 16, 2023 16:40    Post subject:
I can see why Broadcom platforms are a waste of time; I'm not surprised by BrainSlayer's position on that. It was just a fun experience for me, spending a couple of days investigating this old (2018) router. I learned a lot about many different aspects - disassembling Lua, running firmware in qemu, how older versions of openssl behaved, even about the internals of the tar format.

Regarding your comment, I'm not really sure what the deal is. If you mean malicious hijacking by the router owner, well, connecting to an AP that's not under your direct control is always a risk and you should assume that your traffic isn't private. If you meant that wireless guests can maliciously edit the router configuration, this procedure requires knowledge of the router admin password, so I think it's safe to say that people could do malicious stuff already if they knew the password to the router administration UI.

What are you referring to with "disable wireless access"? You mean allowing SSH access from wired ports only? I'm not sure about that - it seems that dropbear is listening on 0.0.0.0, but it is always possible to restore the previous config backup disabling SSH access.

I just wanted to share my findings - maybe they could be useful to port other more interesting devices, or to help someone else learn about this stuff. The same techniques I used can be applied to analyze other router firmwares. And as I said it was fun!
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Thu Mar 16, 2023 18:53    Post subject:
Yes, wireless access to the webUI or anything else that is open on the router itself. It doesn't take much to crack wifi AP connectivity and then it's only a matter of time to crack into the administrator account. Nonetheless, this information may be useful to me in checking into the differences between the EU and US version of the v4. I received a US version from another forum member and haven't gotten around to dumping the flash, etc. to look at what needs to be modified to support it. TP-Link left both TX and RX unconnected to the serial pin header, and I still haven't figured out a way to bridge the pads safely, and it would take more than two hands to connect serial and break boot, etc. I didn't want you to think that either myself or this community was ungrateful for your sharing of this information, albeit with some possible caveats.