This is for my personal research, in order to have a look at Pepwave device internals.
Pepwave encrypted files often have the Pe1337__ magic number, which must be changed to Salted__ for the OpenSSL AES-256-CBC decryption key derivation from the 8 byte salt.
Previously Pepwave used simple XOR 0x32 but the newer diagnostic reports are encrypted with AES-256-CBC instead.
$ cat {DATE}_{MODEL_NICKNAME}_{SERIAL}_diag.report | \
sed 's/Pe1337/Salted/' | \
openssl aes-256-cbc -d -md md5 -pass pass:5pE8w17hJ8806874Y312naWEdf14fqFDSp143FDSnfp134njfr > decrypted.tar.gz
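What the magic swap and `-md md5` amount to, as an added example (not code from the original post or from Pepwave): it rewrites only the 8-byte header rather than pattern-matching the whole binary stream as `sed` does, then derives the AES-256 key and IV the way OpenSSL's legacy `EVP_BytesToKey` does. The function names, the passphrase in the demo and the sample blob are constructed for illustration.

```python
import hashlib

PEPWAVE_MAGIC = b"Pe1337__"   # magic described on this page
OPENSSL_MAGIC = b"Salted__"   # magic `openssl enc -d` expects


def to_openssl_container(blob: bytes) -> bytes:
    """Rewrite only the 8-byte magic; salt and ciphertext stay untouched."""
    if len(blob) < 16:
        raise ValueError("too short for magic + 8-byte salt")
    if blob[:8] != PEPWAVE_MAGIC:
        raise ValueError(f"unexpected magic {blob[:8]!r}")
    return OPENSSL_MAGIC + blob[8:]


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len=32, iv_len=16):
    """OpenSSL legacy KDF: chained MD5, one iteration (what -md md5 selects)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def describe_container(blob: bytes, passphrase: bytes) -> dict:
    """Return the rewritten container plus the derived parameters."""
    container = to_openssl_container(blob)
    salt, body = container[8:16], container[16:]
    key, iv = evp_bytes_to_key(passphrase, salt)
    return {"container": container, "salt": salt, "key": key, "iv": iv,
            "ciphertext_len": len(body),
            "block_aligned": len(body) % 16 == 0}  # CBC needs 16-byte blocks


# Constructed sample: fake salt plus 32 filler bytes standing in for
# ciphertext. The filler contains "Pe1337" after a newline byte, which a
# line-oriented `sed 's/Pe1337/Salted/'` would also rewrite.
SAMPLE = (PEPWAVE_MAGIC + bytes(range(8))
          + b"\x00" * 9 + b"\nPe1337" + b"\x00" * 16)

if __name__ == "__main__":
    info = describe_container(SAMPLE, b"constructed-passphrase")
    print("salt:", info["salt"].hex())
    print("key :", info["key"].hex())
    print("iv  :", info["iv"].hex())
    print("ciphertext bytes:", info["ciphertext_len"],
          "block aligned:", info["block_aligned"])
```
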
The root disk and the kernel images can be seen in the clear in some firmware update files, but the majority of the firmware updates for MIPS boards have them "encrypted" with some lame security-by-obscurity attempt, I guess.
The encryption key file hiding was hilarious tbh. First, strings /bin/fwupgrade and some grep until the path /etc/public.key pops out of the binary; this file is then stripped of the public key markers and copied to /tmp/b, where it is then used as the AES-256-CBC decryption key file for the root disk and kernel images.
$ cat [encrypted kernel or rootdisk] | \
sed 's/Pe1337/Salted/' | \
openssl aes-256-cbc -d -md md5 -kfile ./tmp_b.key > decrypted.img
Thanks for blocking me on twitter for expressing interest in your project!