optus-sagemcom-fast-3864-hacks
Config decryption doesn't work, difficult solution
After trying and failing with the decryption method, I've found a different and much more difficult alternative. What you do is solder to the UART headers in the router, then boot and reset. Log in with one of the default passwords listed in the readme, then plug the router into the internet. The password will change but you'll still be logged in (this might also be possible via telnet?). Then you can use the dumpcfg command to get the whole file, find the password, and base64 decode it.
Thanks for your effort! Since you have console access are you able to provide a copy of the httpd binary. I gave some instructions here before https://github.com/mattimustang/optus-sagemcom-fast-3864-hacks/issues/12.
With that file I can extract the changed cryptographic key.
I can't spot any potential keys or IVs in there. Can you upload the httpd binary and I'll take a look? Also, which modem firmware version are you running?
Here's the binary, but GitHub wouldn't let me upload the actual file so I added .gif, just remove it when you download it. I'll check the firmware version now.
8.382.1_F@ST3864AC_Optus is my version. Also, have you considered the possibility of monitoring outgoing requests to the Optus management and update server and using that to download a full firmware file?
Thanks. I couldn't find the encrypt/decrypt routines in that binary. You can dump the firmware using the nanddump command.
Set up a netcat listener to receive the file on the computer you want to dump it to:
nc -l -p 4444 > mtd0
On the modem run:
nanddump /dev/mtd0 | nc 192.168.0.2 4444
Repeat for /dev/mtd1, mtd2, mtd3, mtd4, and mtd5, changing the file name to dump it to on the remote computer each time.
Zip them up and upload them here or to a file sharing site and post a link.
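The receiving side of the dump procedure above, as an added example that is not code from the thread or the repository: a Python stand-in for the netcat listener that accepts one `nanddump | nc` connection per partition in order, records size and SHA-256 per image in a manifest, and flags images that came through empty or entirely 0xFF (typical of an erased or unread NAND region). The partition list, listening address and port are assumptions taken from the post.

```python
import hashlib
import socket
from pathlib import Path

# Partition names in the order the post dumps them (assumption taken from the thread).
PARTITIONS = ["mtd0", "mtd1", "mtd2", "mtd3", "mtd4", "mtd5"]


def make_listener(host="0.0.0.0", port=4444):
    """Bind a TCP listener; port 0 lets the OS choose (useful for tests)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def receive_one(listener, out_path):
    """Accept one connection and stream its bytes to out_path.
    Returns (byte count, sha256 hex) so the image can be verified later."""
    conn, _ = listener.accept()
    digest = hashlib.sha256()
    size = 0
    with conn, open(out_path, "wb") as fh:
        while chunk := conn.recv(65536):
            fh.write(chunk)
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def collect_dumps(listener, out_dir, partitions=PARTITIONS):
    """Receive one partition per connection, in order, and build a manifest."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name in partitions:
        size, sha = receive_one(listener, out_dir / name)
        manifest[name] = {"size": size, "sha256": sha}
    return manifest


def suspicious_dumps(out_dir, manifest):
    """Names of images that are empty or all 0xFF (erased / unread NAND)."""
    bad = []
    for name, meta in manifest.items():
        data = Path(out_dir, name).read_bytes()
        if meta["size"] == 0 or data == b"\xff" * len(data):
            bad.append(name)
    return bad
```

Run `collect_dumps(make_listener(), "dumps")` on the receiving machine, then issue the `nanddump ... | nc` commands from the modem one partition at a time; compare the manifest hashes against whatever you upload.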