
@PaulusParssinen
Last active September 13, 2023 16:14
How to decrypt various Pepwave firmware files

Pepwave decryption

For my personal research in order to have a look at Pepwave device internals.

Pepwave encrypted files often start with the magic number Pe1337__, which must be changed to Salted__ so that OpenSSL's AES-256-CBC decryption derives the key from the 8-byte salt that follows it.
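How the header and the key derivation behind the commands on this page fit together, as an added example that is not part of the original gist. The function names, the sample salt and the passphrase are constructed for illustration; the derivation is OpenSSL's legacy EVP_BytesToKey with MD5, which is what -md md5 selects.

```python
import hashlib

PEPWAVE_MAGIC = b"Pe1337__"   # magic named on this page
OPENSSL_MAGIC = b"Salted__"   # magic written by `openssl enc` when a salt is used


def evp_bytes_to_key(password: bytes, salt: bytes, key_len=32, iv_len=16):
    """OpenSSL's legacy EVP_BytesToKey with MD5 and one iteration (-md md5)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # D_i = MD5(D_{i-1} || password || salt), with D_0 empty
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def parse_container(blob: bytes, password: bytes):
    """Split a Pe1337__/Salted__ blob into salt, key, IV and ciphertext."""
    magic, salt, ciphertext = blob[:8], blob[8:16], blob[16:]
    if magic not in (PEPWAVE_MAGIC, OPENSSL_MAGIC):
        raise ValueError(f"unexpected magic {magic!r}")
    if len(salt) != 8:
        raise ValueError("truncated header: salt must be 8 bytes")
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    key, iv = evp_bytes_to_key(password, salt)
    return {"salt": salt, "key": key, "iv": iv, "ciphertext": ciphertext,
            # Same bytes with only the 8-byte magic swapped, as the sed step does
            "openssl_blob": OPENSSL_MAGIC + blob[8:]}


if __name__ == "__main__":
    # Constructed sample: made-up salt, two blocks of filler, made-up passphrase
    sample = PEPWAVE_MAGIC + bytes(range(8)) + b"\xaa" * 32
    info = parse_container(sample, b"example-passphrase")
    print("salt:", info["salt"].hex())
    print("key :", info["key"].hex())
    print("iv  :", info["iv"].hex())
```

With -kfile, OpenSSL reads the passphrase from the first line of the given file, so the same derivation applies to the kernel and rootdisk images.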

Diagnostic reports

Previously Pepwave used a simple XOR with 0x32, but the newer diagnostic reports are encrypted with AES-256-CBC instead.

$ cat {DATE}_{MODEL_NICKNAME}_{SERIAL}_diag.report | \
  sed 's/Pe1337/Salted/' | \
  openssl aes-256-cbc -d -md md5 -pass pass:5pE8w17hJ8806874Y312naWEdf14fqFDSp143FDSnfp134njfr > decrypted.tar.gz

Kernel (\v) & rootdisk (\r) images for the MIPS platforms

The root disk and the kernel images can be seen in the clear in some firmware update files, but the majority of the firmware updates for MIPS boards have them "encrypted" with some lame security-by-obscurity attempt, I guess.

The encryption key file hiding was hilarious tbh. First, strings \bin\fwupgrade and some grep until the path /etc/public.key pops out of the binary. This file is then stripped of the public key markers and copied to /tmp/b, where it is used as the AES-256-CBC decryption key file for the root disk and kernel images.

$ cat [encrypted kernel or rootdisk] | \
  sed 's/Pe1337/Salted/' | \
  openssl aes-256-cbc -d -md md5 -kfile ./tmp_b.key > decrypted.img

TODO: There appears to be another layer of encryption here

@PeterZeee

Thanks for blocking me on twitter for expressing interest in your project!

@PaulusParssinen
Author

PaulusParssinen commented Sep 12, 2023

Sorry! It looked like a crypto scam which keeps following and then DMing me. What was your twitter handle again?

@PeterZeee

Hi Paulus, completely understand - I don't use twitter at all so I've had that account sitting stale for a long time haha. FYI am still blocked but would love to have a chat about this project!

@PeterZeee

Sorry! It looked like a crypto scam which keeps following and then DMing me. What was your twitter handle again?

@PTarollo
All the best!
