forked from SledgehammerPL/draytools
/
draytools.py
executable file
·1071 lines (910 loc) · 40.5 KB
/
draytools.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# DrayTek Vigor password recovery, config & firmware tools
#
# https://github.com/ammonium/draytools/
#
# draytools Copyright (C) 2011 AMMOnium <ammonium at mail dot ru>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
#
import sys
import os
import re
import math
from struct import pack, unpack
from binascii import hexlify, unhexlify
from collections import defaultdict
from pydelzo import pydelzo, LZO_ERROR
class draytools:
"""DrayTek Vigor password recovery, config & firmware tools"""
__version__ = "v0.41"
copyright = \
"draytools Copyright (C) 2011 AMMOnium <ammonium at mail dot ru>"
CFG_RAW = 0
CFG_LZO = 1
CFG_ENC = 2
verbose = False
modelprint = True
force_smart_guess = True
class fs:
"""Draytek filesystem utilities"""
def __init__(self, data, test=False, echo=False):
self.cdata = data
self.test = test
self.echo = echo
def get_fname(self,i):
"""Return full filename of the file #i from FS header"""
addr = 0x10+i*44
return str(self.cdata[addr : addr+0x20].strip('\x00'))
def get_hash(self,i):
"""Return currently unknown hash for the file #i from FS header"""
addr = 0x10+i*44 + 0x20
return unpack("<L", str(self.cdata[addr : addr+4]))[0]
def get_offset(self,i):
"""Return offset of the file #i in FS block"""
addr = 0x10+i*44 + 0x24
return unpack("<L", str(self.cdata[addr : addr+4]))[0] \
+ self.datastart
def get_fsize(self,i):
"""Return compressed size of the file #i"""
addr = 0x10+i*44 + 0x28
return unpack("<L", str(self.cdata[addr : addr+4]))[0]
def save_file(self,i):
"""Extract file #i from current FS"""
fname = self.get_fname(i)
# compressed file data offset in FS block
ds = self.get_offset(i)
# size of compressed file
fs = self.get_fsize(i)
# compressed file data
fdata = self.cdata[ds : ds+fs]
# create all subdirs along the path if they don't exist
pp = fname.split('\\')
pp = [self.path] + pp
ppp = os.sep.join(pp[:-1])
if len(pp) > 1:
if not os.path.exists(ppp) and not self.test:
os.makedirs(ppp)
nfname = os.sep.join(pp)
# size of uncompressed file
rawfs = -1
if not self.test:
ff = file(nfname,'wb')
# perform extraction, some file types are not compressed
if fs>0:
if pp[-1].split('.')[-1].lower() \
in ['gif','jpg','cgi','cab','txt','jar']:
rawfdata = fdata
else:
try:
rawfdata = pydelzo.decompress('\xF0' \
+ pack(">L",fs*64)+fdata)
except LZO_ERROR as lze:
print '[ERR]:\tFile "'+ fname \
+ '" is damaged or uncompressed [' \
+ str(lze) \
+ '], RAW DATA WRITTEN'
rawfdata = fdata
else:
rawfdata = ''
rawfs = len(rawfdata)
if not self.test:
ff.write(rawfdata)
ff.close()
# print some debug info for each file
if self.echo:
print '%08X "' % ds + fname + '" %08X' % fs \
+ ' %08X' % rawfs
return (fs, rawfs)
def save_all(self, path):
"""Extract all files from current FS"""
self.path = path
numfiles = unpack("<H", str(self.cdata[0x0E:0x10]))[0]
# All files data block offset in FS
self.datastart = 0x10 + 44 * numfiles
for i in xrange(numfiles):
fs,rawfs = self.save_file(i)
return numfiles
@staticmethod
def v2k_checksum(data):
"""V2xxx checksum function, 32-bit checksum of a given block"""
a1 = (len(data) - 4) >> 2
if len(data) < 4:
return 0xFFFFFFFF
if len(data) % 4:
data += '\x00' * (4 - len(data) % 4)
pos = 0
v0 = 0
a0 = 0
a2 = 0
while a1 > 0:
v0 = unpack(">L", data[pos+a0:pos+a0+4])[0]
a0 += 4
a2 += v0
a1 -= 1
v0 = unpack(">L",data[pos+a0:pos+a0+4])[0]
a2 = ~a2
v0 ^= a2
return v0 & 0xFFFFFFFF
@staticmethod
def get_modelid(data):
"""Extract a model ID from config file header"""
modelid = data[0x0C:0x0E]
return modelid
@staticmethod
def decompress_cfg(data):
"""Decompress a config file"""
modelstr = "V" + format(unpack(">H",
draytools.get_modelid(data))[0],"04X")
if draytools.verbose and draytools.modelprint:
print 'Model is :\t' + modelstr
else:
draytools.modelprint = True
rawcfgsize = 0x00100000
lzocfgsize = unpack(">L", data[0x24:0x28])[0]
raw = data[:0x2D] + '\x00' + data[0x2E:0x100] \
+ pydelzo.decompress('\xF0' + pack(">L",rawcfgsize) \
+ data[0x100:0x100+lzocfgsize])
return raw
@staticmethod
def make_key(modelstr):
"""Construct a key out of a model string (like 'V2710')"""
sum = 0
for c in modelstr:
sum += ord(c)
return (0xFF & sum)
@staticmethod
def enc(c, key):
c ^= key
c -= key
c = 0xFF & (c >> 5 | c << 3)
return c
@staticmethod
def dec(c, key):
c = (c << 5 | c >> 3)
c += key
c ^= key
c &= 0xFF
return c
@staticmethod
def decrypt(data, key):
"""Decrypt a block of data using given key"""
rdata = ''
for i in xrange(len(data)):
rdata += chr(draytools.dec(ord(data[i]), key))
return rdata
# return ''.join(map(lambda od:chr(draytools.dec(ord(od),key)),data))
@staticmethod
def brute_cfg(data):
"""Check all possible keys until data looks like decrypted"""
rdata = None
key = 0
for i in xrange(256):
rdata = draytools.decrypt(data, i)
if draytools.smart_guess(rdata) == draytools.CFG_LZO:
key = i
break
if draytools.verbose:
print 'Found key:\t[0x%02X]' % key
return rdata
@staticmethod
def decrypt_cfg(data):
"""Decrypt config, bruteforce if default key fails"""
modelstr = "V" + format(unpack(">H",
draytools.get_modelid(data))[0],"04X")
if draytools.verbose:
print 'Model is :\t' + modelstr
draytools.modelprint = False
ckey = draytools.make_key(modelstr)
rdata = draytools.decrypt(data[0x100:], ckey)
# if the decrypted data does not look good, bruteforce
if draytools.smart_guess(rdata) != draytools.CFG_LZO:
rdata = draytools.brute_cfg(data[0x100:])
elif draytools.verbose:
print 'Used key :\t[0x%02X]' % ckey
return data[:0x2D] + '\x01' + data[0x2E:0x100] + rdata
@staticmethod
def get_credentials(data):
"""Extract admin credentials from config"""
login = data[0x100+0x28:0x100+0x40].split('\x00')[0]
password = data[0x100+0x40:0x100+0x58].split('\x00')[0]
return [login, password]
@staticmethod
def get_params(data):
"""Extract parameters from config"""
desc = []
packstring = ">296s"# ??? do 296
desc.append("???")
packstring += "24s"# login do 320
desc.append("login")
packstring += "24s"# password 344
desc.append("System Maintenance >> Administrator Password Setup >> Administrator Password")
packstring += "24s"# Router Name 368
desc.append("System Maintenance >> Management >> Management Setup >> Roouter Name")
packstring += "160s"# ??? 598
desc.append("???")
packstring += 'i'# System Maintenance >> Management >> Management Setup >> Management Port Setup >> Telnet Port
desc.append("System Maintenance >> Management >> Management Setup >> Management Port Setup >> Telnet Port")
packstring += 'i'# System Maintenance >> Management >> Management Setup >> Management Port Setup >> HTTP Port
desc.append("System Maintenance >> Management >> Management Setup >> Management Port Setup >> HTTP Port")
packstring += 'i'# System Maintenance >> Management >> Management Setup >> Management Port Setup >> FTP Port
desc.append("System Maintenance >> Management >> Management Setup >> Management Port Setup >> FTP Port")
packstring += 'i'# System Maintenance >> Management >> Management Setup >> Management Port Setup >> HTTPS Port
desc.append("System Maintenance >> Management >> Management Setup >> Management Port Setup >> HTTPS Port")
packstring += "32s"
desc.append("???") # 576
for i in range(20):
packstring += "H" # NAT >> Port Redirection >> Index No. %02d >> Public Port
desc.append("NAT >> Port Redirection >> Index No. %02d >> Public Port"% (i+1))
packstring += "H" # NAT >> Port Redirection >> Index No. %02d >> Public Port
desc.append("NAT >> Port Redirection >> Index No. %02d >> Protocol" % (i+1))
packstring += "16s"# NAT >> Port Redirection >> Index No. %02d >> Private IP
desc.append("NAT >> Port Redirection >> Index No. %02d >> Private IP"% (i+1))
packstring += "H" # NAT >> Port Redirection >> Index No. %02d >> Private Port
desc.append("NAT >> Port Redirection >> Index No. %02d >> Private Port"% (i+1))
packstring += "24s"# NAT >> Port Redirection >> Index No. %02d >> Service Name
desc.append("NAT >> Port Redirection >> Index No. %02d >> Service Name"% (i+1))
packstring += "H" # NAT >> Port Redirection >> Index No. %02d >> Public Port Count
desc.append("NAT >> Port Redirection >> Index No. %02d >> Public Port Count" % (i+1))
packstring += "H" # NAT >> Port Redirection >> Index No. %02d >> WAN IP
desc.append("NAT >> Port Redirection >> Index No. %02d >> WAN IP" % (i+1))
packstring += "2344s"# ??? 392
desc.append("???")
packstring += "24s"# System Maintenance >> Management >> Management Setup >> SNMP Setup >> Trap Community 3944
desc.append("System Maintenance >> Management >> Management Setup >> SNMP Setup >> Trap Community")
packstring += "24s"# System Maintenance >> Management >> Management Setup >> SNMP Setup >> Get Community 3968
desc.append("System Maintenance >> Management >> Management Setup >> SNMP Setup >> Get Community")
packstring += "24s"# System Maintenance >> Management >> Management Setup >> SNMP Setup >> Set Community 3992
desc.append("System Maintenance >> Management >> Management Setup >> SNMP Setup >> Set Community")
packstring += "88s"# ??? 408
desc.append("???")
packstring += "32s"# System Maintenance >> Time Date >> Time Setup >> Server IP Address 4112
desc.append("System Maintenance >> Time Date >> Time Setup >> Server IP Address")
packstring += "11928s"# ??? 16040
desc.append("???")
for i in range(2):
packstring += "24s"# Interface WAN %d Display Name
desc.append("WAN >> General Setup >> WAN %d >> Display Name"% (i+1))
packstring += "64s" # jeszcze nie wiem
desc.append("???")
packstring += "64s"# ???
desc.append("WAN >> Internet Access >> WAN %d >> PPPoE/PPPoA >> ISP Access Setup >> Username" % (i+1))
packstring += "64s"# ???
desc.append("WAN >> Internet Access >> WAN %d >> PPPoE/PPPoA >> ISP Access Setup >> Password" % (i+1))
packstring += "44s"# ???
desc.append("???")
for j in range (4):
packstring += "B"# WAN >> Internet Access >> WAN %d >> Static or Dynamic IP >> WAN IP Network Settings >> Gateway IP Address %d
desc.append("WAN >> Internet Access >> WAN %d >> Static or Dynamic IP >> WAN IP Network Settings >> Gateway IP Address %d "% (i+1,j+1))
packstring += "16s"# ???
desc.append("???")
for j in range (4):
packstring += "B"# WAN >> Internet Access >> WAN %d >> Static or Dynamic IP >> WAN IP Network Settings >> Gateway IP Address %d
desc.append("WAN >> Internet Access >> WAN %d >> Static or Dynamic IP >> WAN IP Network Settings >> IP Address %d "% (i+1,j+1))
for j in range (4):
packstring += "B"# WAN >> Internet Access >> WAN %d >> Static or Dynamic IP >> WAN IP Network Settings >> Gateway IP Address %d
desc.append("WAN >> Internet Access >> WAN %d >> Static or Dynamic IP >> WAN IP Network Settings >> Subnet Mask %d "% (i+1,j+1))
packstring += "192s"# ???
desc.append("???")
for j in range (4):
packstring += "B"# WAN >> Internet Access >> WAN %d >> Static or Dynamic IP >> DNS Server IP Address >> Primary IP Address
desc.append("WAN >> Internet Access >> WAN %d >> Static or Dynamic IP >> DNS Server IP Address >> Primary IP Address %d "% (i+1,j+1))
for j in range (4):
packstring += "B"# WAN >> Internet Access >> WAN %d >> Static or Dynamic IP >> DNS Server IP Address >> Secondary IP Address
desc.append("WAN >> Internet Access >> WAN %d >> Static or Dynamic IP >> DNS Server IP Address >> Secondary IP Address %d "% (i+1,j+1))
packstring += "144s"# ???
desc.append("???")
packstring += "11224s"# ??? 28528
desc.append("???")
for i in range(7):
for j in range(4):
packstring += "B"# WAN >> Internet Access >> WAN 2 >> Static or Dynamic IP >> WAN IP Network Settings >> WAN IP Alias %d
desc.append("WAN >> Internet Access >> WAN 2 >> Static or Dynamic IP >> WAN IP Network Settings >> WAN IP Alias %d %d"% (i+1,j+1))
packstring += "6516s"# ??? 35072
desc.append("???")
for i in range(10):
for j in range(6):
packstring += "B"# Bind IP to MAC >> IP Bind List >> Mac address %d
desc.append("LAN >> Bind IP to MAC >> IP Bind List >> Mac address %d %d" % (i+1,j+1))
# variables = list(unpack(packstring, data[:365432]))
packstring += "1872s"# ??? 37004
desc.append("???")
for i in range(12):
packstring += "24s"# Filter Set %02d Comment
desc.append("Filter Set %02d Comment"% (i+1))
packstring += "32s"# ???
desc.append("???")
for j in range(1,8):
packstring += "24s"# Filter Set %02d Rule %02d Comment
desc.append("Filter Set %02d Rule %02d Comment"% (i+1,j))
packstring += "120s"# ???
desc.append("???") # 49772
packstring += "200s"# ???
desc.append("???") # 49972
for i in range(192):
packstring += "16s"# Object Setting >> IP Object >> Profile Index : %03d >> Name
desc.append("Object Setting >> IP Object >> Profile Index : %03d >> Name"% (i+1))
packstring += "20s"# ???
desc.append("???") # 56884
for i in range(20):
packstring += "16s"# Object Setting >> IP Group >> Profile Index : %02d >> Name
desc.append("Object Setting >> IP Group >> Profile Index : %02d >> Name"% (i+1))
packstring += "16s"# ???
desc.append("???") # 57524
packstring += "384s"# ??? 57908
desc.append("???")
for i in range(96):
packstring += "16s"# "Object Setting >> Service Type Object >> Profile Index : %02d >> Name
desc.append("Object Setting >> Service Type Object >> Profile Index : %02d >> Name"% (i+1))
packstring += "12s"# ???
desc.append("???") # 60596
for i in range(32):
packstring += "16s"# "Object Setting >> Service Type Group >> Profile Index : %02d >> Name
desc.append("Object Setting >> Service Type Group >> Profile Index : %02d >> Name"% (i+1))
packstring += "16s"# ???
desc.append("???") #
packstring += "22564s"# ??? 84184
desc.append("???")
packstring += "256s"# CSM >> URL Content Filter Profile >> Administration Message 84440
desc.append("CSM >> URL Content Filter Profile >> Administration Message")
packstring += "12s"# ??? 84452
desc.append("???")
for i in range(8):
packstring += "16s"# FIX: CSM >> URL Content Filter Profile >> Profile Index : %01d >> Profile Name 84580
desc.append("CSM >> URL Content Filter Profile >> Profile Index : %01d >> Profile Name"% (i+1))
packstring += "108s"# ???
desc.append("???");
for i in range(8):
packstring += "8s"# [FIX] Object Setting >> File Extension Object >> Profile Index : %0d >> Profile Name
desc.append("Object Setting >> File Extension Object >> Profile Index : %0d >> Profile Name"% (i+1))
packstring += "160s"# ???
desc.append("???")
packstring += "4s"
desc.append("???")
packstring += "256s"# CSM >> Web Content Filter Profile >> Administration Message 87048
desc.append("CSM >> Web Content Filter Profile >> Administration Message")
packstring += "1292s"# ??? 88340
desc.append("???")
packstring += "256s"# Bandwidth Management >> Session Limit >> Administration Message 88596
desc.append("Bandwidth Management >> Session Limit >> Administration Message")
packstring += "4s"# ??? 88600
desc.append("???")
for i in range(32):
packstring += "12s"# LAN >> Bind IP to MAC >> IP Bind List >> Index %02d >> Comment 88984
desc.append("LAN >> Bind IP to MAC >> IP Bind List >> Index %02d >> Commen"% (i+1))
packstring += "14080s"# ??? 103064
desc.append("???")
for i in range(3):
packstring += "12s"# Bandwidth Management >> Quality of Service >> Class index #%01d >> Name
desc.append("Bandwidth Management >> Quality of Service >> Class index #%01d >> Name"% (i+1))
packstring += "1040s"# ???
desc.append("???")
packstring += "4660s"# ??? 110880
desc.append("???")
for i in range(4):
packstring += "32s"# Wireless LAN >> General Setup >> General Setting (IEEE 802.11) >> %01d >> SSID
desc.append("Wireless LAN >> General Setup >> General Setting (IEEE 802.11) >> %01d >> SSID"% (i+1))
packstring += "472s"# ???
desc.append("???") # 118296
packstring += "64s"# Wireless LAN >> Security Settings >> SSID %01d >> Pre-Shared Key (PSK)
desc.append("Wireless LAN >> Security Settings >> SSID %01d >> Pre-Shared Key (PSK)"% (i+1))
packstring += "1286s"# ???
desc.append("???") # 118296
#packstring += "59776s"# ??? 164616
packstring += "46272s"# ??? 164616
desc.append("???")
for i in range(32):
packstring += "48s"# VPN and Remote Access >> LAN to LAN >> Profile Index : %02d >> Dial-In Settings >> Peer ID
desc.append("VPN and Remote Access >> LAN to LAN >> Profile Index : %02d >> Dial-In Settings >> Peer ID"% (i+1))
packstring += "11968s"# ??? 178072
desc.append("???")
for i in range(32):
packstring += "10s"# VPN and Remote Access >> LAN to LAN >> Profile Index : %02d >> Common Settings >> Profile Name
desc.append("VPN and Remote Access >> LAN to LAN >> Profile Index : %02d >> Common Settings >> Profile Name"% (i+1))
packstring += "10s"# ???
desc.append("???")
packstring += "12s"# VPN and Remote Access >> LAN to LAN >> Profile Index : %02d >> Dial-In Settings >> Username
desc.append("VPN and Remote Access >> LAN to LAN >> Profile Index : %02d >> Dial-In Settings >> Username"% (i+1))
packstring += "60s"# ???
desc.append("???")
packstring += "50s"# VPN and Remote Access >> LAN to LAN >> Profile Index : %02d >> Dial-Out Settings >> Username
desc.append("VPN and Remote Access >> LAN to LAN >> Profile Index : %02d >> Dial-Out Settings >> Username"% (i+1))
packstring += "14s"# ???
desc.append("???")
packstring += "16s"# VPN and Remote Access >> LAN to LAN >> Profile Index : %02d >> Dial-Out Settings >> Password
desc.append("VPN and Remote Access >> LAN to LAN >> Profile Index : %02d >> Dial-Out Settings >> Password"% (i+1))
packstring += "44s"# ???
desc.append("???")
packstring += "81476s"# ???
desc.append("???")
for i in range(200):
packstring += "16s"# Object Setting >> Keyword Object >> Profile Index : %03d >> Name
desc.append("Object Setting >> Keyword Object >> Profile Index : %03d >> Name"% (i+1))
packstring += "64s"# Object Setting >> Keyword Object >> Profile Index : %03d >> Contents
desc.append("Object Setting >> Keyword Object >> Profile Index : %03d >> Contents"% (i+1))
packstring += "64s"# Object Setting >> Keyword Object >> Profile Index : %03d >> Contents
desc.append("???")
for i in range(32):
packstring += "16s"# Object Setting >> Keyword Group Setup >> Profile Index : %03d >> Name
desc.append("Object Setting >> Keyword Object >> Profile Index : %03d >> Name"% (i+1))
packstring += "48s"# ???
desc.append("???")
packstring += "1920s"# 299228
desc.append("???")
for i in range(32):
packstring += "16s"# CSM >> APP Enforcement Profile >> Profile Index : %0d >> Profile Name
desc.append("CSM >> APP Enforcement Profile >> Profile Index : %02d >> Profile Name"% (i+1))
packstring += "160s"# ???
desc.append("???")
packstring += "27916s"# 332776
desc.append("???")
packstring += "16s"# USB General Settings Workgroup Name 332792
desc.append("USB General Settings Workgroup Name")
packstring += "31712s"# ??? 364504
desc.append("???")
packstring += "32s"# "System Maintenance >> Login Page Greeting >> Login Page Title 364536
desc.append("System Maintenance >> Login Page Greeting >> Login Page Title")
packstring += "384s"# ??? 364920
desc.append("???")
packstring += "512s"# "System Maintenance >> Login Page Greeting >> Login Page Title 365432
desc.append("System Maintenance >> Login Page Greeting >> Login Page Title")
variables = list(unpack(packstring, data[:365432]))
for i in range(0,len(variables)):
if type(variables[i]) == type(str()):
variables[i]=variables[i].split('\x00')[0]
dict_list = zip (desc, variables)
return dict(dict_list)
@staticmethod
def guess(data):
"""Return CFG type - raw(0), compressed(1), encrypted(2)"""
return ord(data[0x2D])
@staticmethod
def smart_guess(data):
"""Guess is the cfg block compressed or not"""
# Uncompressed block is large and has low entropy
if draytools.entropy(data) < 1.0 or len(data) > 0x10000:
return draytools.CFG_RAW
# Compressed block still has pieces of cleartext at the beginning
if "Vigor" in data and ("Series" in data or "draytek" in data):
return draytools.CFG_LZO
return draytools.CFG_ENC
@staticmethod
def de_cfg(data):
"""Get raw config data from raw /compressed/encrypted & comressed"""
if draytools.force_smart_guess:
g = draytools.smart_guess(data)
else:
g = draytools.guess(data)
if g == draytools.CFG_RAW:
if draytools.verbose:
print 'File is :\tnot compressed, not encrypted'
return g, data
elif g == draytools.CFG_LZO:
if draytools.verbose:
print 'File is :\tcompressed, not encrypted'
return g, draytools.decompress_cfg(data)
elif g == draytools.CFG_ENC:
if draytools.verbose:
print 'File is :\tcompressed, encrypted'
return g, draytools.decompress_cfg(draytools.decrypt_cfg(data))
@staticmethod
def decompress_firmware(data):
"""Decompress firmware"""
flen = len(data)
sigstart = data.find('\xA5\xA5\xA5\x5A\xA5\x5A')
# Try an alternative signature
if sigstart <= 0:
sigstart = data.find('\x5A\x5A\xA5\x5A\xA5\x5A')
# Compressed FW block found, now decompress
if sigstart > 0:
if draytools.verbose:
print 'Signature found at [0x%08X]' % sigstart
lzosizestart = sigstart + 6
lzostart = lzosizestart + 4
lzosize = unpack('>L', data[lzosizestart:lzostart])[0]
return data[0x100:sigstart+2] \
+ pydelzo.decompress('\xF0' + pack(">L",0x1000000) \
+ data[lzostart:lzostart+lzosize])
else:
print '[ERR]:\tCompressed FW signature not found!'
raise Exception('Compressed FW signature not found')
return ''
@staticmethod
def decompress_fs(data, path, test = False):
"""Decompress filesystem"""
lzofsdatalen = unpack('>L', data[4:8])[0]
if draytools.verbose:
print 'Compressed FS length: %d [0x%08X]' % (lzofsdatalen,
lzofsdatalen)
# stupid assumption of raw FS length. Seems OK for now
fsdatalen = 0x800000
fs_raw = pydelzo.decompress('\xF0' + pack(">L", fsdatalen) \
+ data[0x08:0x08 + lzofsdatalen])
cfs = draytools.fs(fs_raw, test, draytools.verbose)
return (lzofsdatalen, cfs.save_all(path))
@staticmethod
def decompress_fs_only(data, path, test = False):
"""Decompress filesystem"""
fsstart = unpack('>L', data[:4])[0]
if draytools.verbose:
print 'FS block start at: %d [0x%08X]' % (fsstart, fsstart)
return draytools.decompress_fs(data[fsstart:], path, test)
@staticmethod
def entropy(data):
"""Calculate Shannon entropy (in bits per byte)"""
flist = defaultdict(int)
dlen = len(data)
data = map(ord, data)
# count occurencies
for byte in data:
flist[byte] += 1
ent = 0.0
# convert count of occurencies into frequency
for freq in flist.values():
if freq > 0:
ffreq = float(freq)/dlen
# actual entropy calcualtion
ent -= ffreq * math.log(ffreq, 2)
return ent
@staticmethod
def spkeygen(mac):
"""Generate a master key like 'AbCdEfGh' from MAC address"""
# stupid translation from MIPS assembly, but works
atu = 'WAHOBXEZCLPDYTFQMJRVINSUGK'
atl = 'kgusnivrjmqftydplczexbohaw'
res = ['\x00'] * 8
st = [0] * 8
# compute 31*(31*(31*(31*(31*m0+m1)+m2)+m3)+m4)+m5, sign-extend mac bytes
a3 = 0
for i in mac:
v1 = a3 << 5
v1 &= 0xFFFFFFFF
a0 = ord(i)
if a0 >= 0x80:
a0 |= 0xFFFFFF00
v1 -= a3
v1 &= 0xFFFFFFFF
a3 = v1 + a0
a3 &= 0xFFFFFFFF
# Divide by 13 :) Old assembly trick, I leave it here
# 0x4EC4EC4F is a multiplicative inverse for 13
ck = 0x4EC4EC4F * a3
v1 = (ck & 0xFFFFFFFF00000000) >> 32
# shift by two
v1 >>= 3
v0 = v1 << 1
v0 &= 0xFFFFFFFF
# trick ends here and now v0 = a3 / 13
v0 += v1
v0 <<= 2
v0 &= 0xFFFFFFFF
v0 += v1
v0 <<= 1
v0 -= a3
# v0 &= 0xFFFFFFFF
st[0] = a3
res[0] = atu[abs(v0)]
for i in xrange(1,8):
v1 = st[i-1]
a0 = ord(res[0])
t0 = ord(res[1])
v0 = (v1 << 5) & 0xFFFFFFFF
a1 = ord(res[2])
v0 -= v1
v0 += a0
a2 = ord(res[3])
a3 = ord(res[4])
v0 += t0
v0 += a1
t0 = ord(res[5])
v1 = ord(res[6])
v0 += a2
a0 = ord(res[7])
v0 += a3
v0 += t0
v0 += v1
# v0 here is a 32-bit sum of currently computed key chars
v0 &= 0xFFFFFFFF
a3 = v0 + a0
# Again divide by 13
i1 = a3 * 0x4EC4EC4F
a0 = i & 1
st[i] = a3
v1 = (i1 & 0xFFFFFFFF00000000) >> 32
v1 >>= 3
v0 = v1 << 1
# here v0 = a3 / 13
v0 += v1
v0 <<= 2
v0 += v1
v0 <<= 1
v0 = a3 - v0
a1 += v0
v0 &= 0xFFFFFFFF
if a0 == 0:
v1 = atu[abs(v0)]
else:
v1 = atl[abs(v0)]
res[i] = v1
v0 = 0
return ''.join(res)
if __name__ == '__main__':
import optparse
usage = \
"""usage: %prog [options] file
DrayTek Vigor V2xxx/V3xxx password recovery, config & firmware tools"""
# initialize cmdline option parser
optparse.OptionParser.format_epilog = lambda self, formatter: self.epilog
parser = optparse.OptionParser(usage=usage, \
version="%prog "+draytools.__version__, \
epilog=
"""
Examples:
To print login&password from the config file:
# python draytools.py -p config.cfg
Login and password will be displayed
To decrypt & decompress the config file:
# python draytools.py -c config.cfg
Raw config file "config.cfg.out" will be produced
To extract firmware and filesystem contents
# python draytools.py -F firmware.all
Uncompressed firmware will be written to file "firmware.all.out"
Filesystem will be extracted to "fs_out" folder.
""")
cfggroup = optparse.OptionGroup(parser, "Config file (*.cfg) commands",
"To be used on config files only")
fwgroup = optparse.OptionGroup(parser, \
"Firmware file (*.all, *.rst, *.bin) commands",
"To be used on firmware files only")
mgroup = optparse.OptionGroup(parser, "Miscellaneous commands",
"Some other useful stuff")
parser.add_option('-o', '--output',
action="store", dest="outfile",
help="Output file name, %INPUTFILE%.out if omitted", default="")
parser.add_option('-t', '--test',
action="store_true", dest="test", help=
"""Test mode, do not write anything to disk, only try to parse files""",
default=False)
parser.add_option('-v', '--verbose',
action="store_true", dest="verbose",
help="Verbose output", default=False)
# config file option group for cmdline option parser
cfggroup.add_option('-c', '--config',
action="store_true", dest="config",
help="Decrypt and decompress config", default=False)
cfggroup.add_option('-d', '--decompress',
action="store_true", dest="decompress",
help="Decompress an unenrypted config file", default=False)
cfggroup.add_option('-y', '--decrypt',
action="store_true", dest="decrypt",
help="Decrypt config file", default=False)
cfggroup.add_option('-p', '--password',
action="store_true", dest="password",
help="Retrieve admin login and password from config file",
default=False)
cfggroup.add_option('-e', '--extract',
action="store_true", dest="text",
help="Extract text config from config file",
default=False)
# firmware/fs option group for cmdline option parser
fwgroup.add_option('-f', '--firmware',
action="store_true", dest="firmware",
help="Decompress firmware", default=False)
fwgroup.add_option('-F', '--firmware-all',
action="store_true", dest="fw_all",
help="Decompress firmware and extract filesystem", default=False)
fwgroup.add_option('-s', '--fs',
action="store_true", dest="fs",
help="Extract filesystem", default=False)
fwgroup.add_option('-O', '--out-dir',
action="store", dest="outdir",
help=
"Output directory for filesystem contents, \"fs_out\" by default",
default="fs_out")
# miscellaneous option group for cmdline option parser
mgroup.add_option('-m', '--master-key',
action="store", dest="mac",
help="Generate FTP master key for given router MAC address. "
"To login to FTP enter \"admin\" as username and generated "
"master key as password",
default=None)
parser.add_option_group(cfggroup)
parser.add_option_group(fwgroup)
parser.add_option_group(mgroup)
options, args = parser.parse_args()
draytools.verbose = options.verbose
# default output filename is input filename + '.out'
outfname = options.outfile is not None and options.outfile \
or (len(args) > 0 and args[0]+'.out' or 'file.out')
outdir = options.outdir
infile = None
data = None
indata = None
outdata = None
if len(args) > 1:
print '[ERR]:\tToo much arguments, only input file name expected'
print 'Run "draytools --help"'
sys.exit(1)
elif len(args) < 1 and not options.mac:
print '[ERR]:\tInput file name expected'
print 'Run "draytools --help"'
sys.exit(1)
# open input file
if not options.mac:
try:
infile = file(args[0],'rb')
indata = infile.read()
# if default FS extraction path is used, put it near input file
if outdir == 'fs_out':
outdir = os.path.join(os.path.dirname(
os.path.abspath(args[0])),'fs_out')
except IOError:
print '[ERR]:\tInput file open failed'
sys.exit(2)
# Command: get raw config file
if options.config:
g = -1
try:
g, outdata = draytools.de_cfg(indata)
except LZO_ERROR:
print '[ERR]:\tInput file corrupted or not supported'
sys.exit(3)
if g == draytools.CFG_RAW:
print '[ERR]:\tNothing to do. '\
'Config file is already not encrypted and not compressed.'
sys.exit(3)
ol = len(outdata)
if not options.test:
outfile = file(outfname, 'wb')
outfile.write(outdata)
print outfname + ' written, %d [0x%08X] bytes' % (ol,ol)
outfile.close()
else:
print 'CFG decryption/decompression test OK, ' \
'output size %d [0x%08X] bytes' % (ol,ol)
# Command: decrypt config file
elif options.decrypt:
try:
outdata = draytools.decrypt_cfg(indata)
except LZO_ERROR:
print '[ERR]:\tInput file corrupted or not supported'
sys.exit(3)
cksum = draytools.v2k_checksum(str(outdata))
if options.verbose:
print 'V2kCheckSum = %08X ' % \
cksum + ((cksum == 0) and 'OK' or 'FAIL')
ol = len(outdata)
if not options.test:
outfile = file(outfname, 'wb')
outfile.write(outdata)
outfile.close()
print outfname + ' written, %d [0x%08X] bytes' % (ol,ol)
else:
print 'CFG decryption test OK, ' \
'output size %d [0x%08X] bytes' % (ol,ol)
# Command: decompress config file
elif options.decompress:
try:
outdata = draytools.decompress_cfg(indata)
except LZO_ERROR:
print '[ERR]:\tInput file corrupted or not supported'
sys.exit(3)
cksum = draytools.v2k_checksum(str(indata))
if options.verbose:
print 'V2kCheckSum = %08X ' % \
cksum + ((cksum == 0) and 'OK' or 'FAIL')
ol = len(outdata)
if not options.test:
outfile = file(outfname, 'wb')
outfile.write(outdata)
outfile.close()
print outfname + ' written, %d [0x%08X] bytes' % (ol,ol)
else:
print 'CFG decompression test OK, ' \
'output size %d [0x%08X] bytes' % (ol,ol)
# Command: extract admin credentials from config file
if options.password and \
not (True in [options.firmware, options.fw_all, options.fs]):
g = -1
try:
g, outdata = draytools.de_cfg(indata)
except LZO_ERROR:
print '[ERR]:\tInput file corrupted or not supported'
sys.exit(3)
creds = draytools.get_credentials(outdata)
print "Login :\t" + (creds[0] == "" and "admin" or creds[0])
print "Password :\t" + (creds[1] == "" and "admin" or creds[1])
sys.exit(0)
# Command: extract parameters from config file
if options.text and \
not (True in [options.firmware, options.fw_all, options.fs]):
g = -1
try:
g, outdata = draytools.de_cfg(indata)
except LZO_ERROR:
print '[ERR]:\tInput file corrupted or not supported'
sys.exit(3)
params = draytools.get_params(outdata)
for k,v in sorted(params.iteritems()):
if v:
print "%s => %s" % (k, v)
sys.exit(0)
# Command: extract firmware
if options.firmware:
try:
outdata = draytools.decompress_firmware(indata)
except:
print '[ERR]:\tInput file corrupted or not supported'