decrypting alcatel config #1

Open
H1-N1 opened this issue Sep 15, 2018 · 5 comments


H1-N1 commented Sep 15, 2018

Hi,
when I was googling for decrypting an Alcatel config file I was redirected to your GitHub repo.
Can you help me with which tool I can use to do so?
thx

Owner

JamesIT commented Sep 21, 2018 via email

Author

H1-N1 commented Sep 23, 2018

Hi,
thx for your reply.
Is there any alternative for Windows?
I tried to use binwalk on Windows without success.

C:\python27\python.exe: can't open file 'binwalk': [Errno 2] No such file or directory

Also, can I modify the config file and then encrypt it with binwalk? I need to update my router config every day remotely.
Thank you, Mr James.

Author

H1-N1 commented Sep 23, 2018

Hi, I was finally able to decrypt the configuration, but I can't figure out how to change the wifi password and then upload it. If you have any idea, thx.


jamesmacwhite commented May 18, 2020

@H1-N1 Did you ever figure out a way to do this? I was looking at potentially "abusing" the backup and restore feature to override the SSH setting, as I want it enabled again for further exploration of the configuration on the OpenWrt side. EE themselves disabled it due to the hard coded root credentials as per the research and responsible disclosure from @JamesIT.

I was able to extract the contents of a configure.bin using binwalk, which reveals it is actually two gzip archives at two offsets. There doesn't appear to be any encryption other than compression.

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
45            0x2D            gzip compressed data, maximum compression, from Unix, last modified: 2020-05-17 14:38:34
19224         0x4B18          gzip compressed data, maximum compression, from Unix, last modified: 2020-05-17 14:38:30

The gzip archive at 0x2D also contains a sysconfig.tar.gz within, which when extracted reveals the config files stored at /etc/config on the 4GEE Home Router, which I know is running OpenWrt. In particular, I'm interested in modifying the dropbear config /etc/config/dropbear and changing the enable flag to 1, so having SSH enabled again. Interestingly, EE could have easily blocked root logins with SSH while keeping SSH available for the admin user, but I guess the secret was out by then so they just shut access off entirely.

The question however is can you make changes and then repackage the configure.bin and upload it without bricking the device? I don't know what checks are done by the backup and restore feature. i.e. checksums, file length checks etc.

Equally, because the config file I want is within the 0x2D offset and then within a sysconfig.tar.gz, it needs several layers of extraction and then repackaging. This seems the challenge, while maintaining the original file header so the backup and restore feature doesn't reject it.

Maybe you could generate your own backup.tar.gz, matching the directory structure expected and then hex edit that into the original configure.bin file? Seems dangerous though, possible bricking risk?
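The layout described in the comment above (a short header followed by gzip members, which binwalk reported at 0x2D and 0x4B18) can be confirmed by decompressing each candidate rather than trusting magic bytes alone. This is an added example, not code from the thread or the repository; `SAMPLE` is a constructed blob, and treating the first member as a tar that holds `sysconfig.tar.gz` is an assumption made only for that sample.

```python
import gzip
import io
import tarfile
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate (RFC 1952)


def find_gzip_members(blob):
    """Return (offset, compressed_len, payload) for every gzip member that decompresses cleanly."""
    members, pos = [], blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=31)  # 31: require gzip header and trailer
        try:
            payload = d.decompress(blob[pos:])
        except zlib.error:
            payload = None  # magic bytes appeared by chance in other data
        if payload is not None and d.eof:  # eof: CRC32/length trailer was checked
            clen = len(blob) - pos - len(d.unused_data)
            members.append((pos, clen, payload))
            pos = blob.find(GZIP_MAGIC, pos + clen)  # skip past this member
        else:
            pos = blob.find(GZIP_MAGIC, pos + 1)
    return members


def tar_names(data):
    """Member names if data is a (possibly compressed) tar archive, else []."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            return tf.getnames()
    except tarfile.TarError:
        return []


def make_tar(files):
    """Build an in-memory tar from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed sample, not a real backup: 45 placeholder header bytes, then two gzip members.
inner = gzip.compress(make_tar({"etc/config/dropbear": b"option enable '0'\n"}), mtime=0)
SAMPLE = (b"\x00" * 45
          + gzip.compress(make_tar({"sysconfig.tar.gz": inner}), mtime=0)
          + gzip.compress(b"second member", mtime=0))
```

Any bytes of a real backup not covered by the returned offsets and lengths (such as the 45 bytes before the first member) are where a length or checksum field would sit, if the restore feature uses one; the thread does not say whether it does.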
