FirmwareDecryption

From NAS-Central Netgear Wiki

The firmware is encrypted with DES-EDE3 using a crypto engine embedded in the CPU, sometimes combined with a simple scrambling of the plaintext.

If you have access to the initrd, there are two decryption commands, hwdecrypt and hwcp. hwcp works on a stream, reading from stdin and writing the decrypted result to stdout, and is the tool used for firmware decryption. hwdecrypt is the counterpart to hwencrypt and expects a small header at the end of the file indicating the number of bytes in the last crypto block. NB: hwencrypt and hwdecrypt are no longer included in the firmware, but they can be obtained from old firmware.

hwcp can decrypt the firmware header, vmlinux.bin and root.tgz. The encryption of initrd.img (and of the TFTP files) is different: the plaintext is first scrambled and then encrypted with DES3 using another key, which is not accessible with the standard tools found in the initrd itself.

The DES-EDE3 encryption keys can be found in the small ROM embedded in the CPU.


THe plain-text scrabling looks like follows

            /* XOR each 32-bit word with (byte offset + constant); host byte order */
            for (i = 0; i < size; i += 4) {
                *(uint32_t *)(plaintext + i) ^= (i + 0xc1fcd408);
            }
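As an added example (not code from this page or from the ReadyNAS tools), here is a self-contained C version of that scrambling loop. It avoids the unaligned cast, stops at the last full word instead of overrunning a buffer whose size is not a multiple of four, and checks on a constructed buffer that a second pass restores the original; it assumes the host's word byte order matches the device's, as the original cast does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRAMBLE_BASE 0xc1fcd408u   /* constant from the loop above */
/* XOR key for the 32-bit word at byte offset `off`: offset plus constant,
 * so every word is masked with a different value. */
uint32_t readynas_scramble_word(uint32_t word, size_t off)
{
    return word ^ (uint32_t)(off + SCRAMBLE_BASE);
}

/* Transforms every full 32-bit word of buf in place and returns the number
 * of bytes touched. XOR is its own inverse, so one call scrambles and a
 * second descrambles. The size % 4 tail bytes are left alone rather than
 * overrun as the bare cast loop would. Word byte order follows the host, as
 * the original cast does (assumed to match the device's byte order). */
size_t readynas_scramble(uint8_t *buf, size_t size)
{
    size_t i;
    for (i = 0; i + 4 <= size; i += 4) {
        uint32_t word;
        memcpy(&word, buf + i, sizeof word);      /* no unaligned access */
        word = readynas_scramble_word(word, i);
        memcpy(buf + i, &word, sizeof word);
    }
    return i;
}

/* Round trip on a constructed 10-byte buffer (two full words plus a 2-byte
 * tail). Returns 1 when every check passes, 0 otherwise. */
int readynas_scramble_roundtrip_ok(void)
{
    const uint8_t sample[10] = "ReadyNAS!";            /* constructed input */
    uint8_t buf[10];
    memcpy(buf, sample, sizeof buf);
    if (readynas_scramble(buf, sizeof buf) != 8) return 0;
    if (memcmp(buf, sample, 8) == 0) return 0;         /* words changed */
    if (memcmp(buf + 8, sample + 8, 2) != 0) return 0; /* tail untouched */
    readynas_scramble(buf, sizeof buf);                /* descramble */
    return memcmp(buf, sample, sizeof buf) == 0;
}

int main(void)
{
    printf("round trip %s\n", readynas_scramble_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```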

A complete reimplementation of the firmware encryption/decryption can be found in my ReadyNAS code section: http://www.henriknordstrom.net/code/readynas/