@m-1-k-3
m-1-k-3 / qnap-qts-fw-cryptor.py
Created January 12, 2022 11:56 — forked from ulidtko/qnap-qts-fw-cryptor.py
QNAP QTS firmware encryptor/decryptor.
#!/usr/bin/env python3
import os, sys
import argparse
import struct
from functools import reduce
"""
QNAP QTS firmware encryptor/decryptor.
Based on https://pastebin.com/KHbX85nG
@m-1-k-3
m-1-k-3 / pc1.c
Created January 11, 2022 18:47 — forked from galaxy4public/pc1.c
QNAP firmware encryption/decryption
// Original author: Paul Rascagneres <rootbsd@r00ted.com>
// Patched by (GalaxyMaster) [https://github.com/galaxy4public/]
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define ENCRYPT_SIZE 0x100000
int keybits;
int y, z;

Linksys EA4500 Firmware Decryption

I recently pulled a Linksys EA4500 out of storage for evaluation. The first thing I wanted to do was to update the firmware for the device. https://www.linksys.com/us/support-article?articleNum=148385 offers the latest version of the firmware, which is 3.1.7 as of this writing.

However, we can see from the filename that it's probably encrypted: FW_EA4500V3_3.1.7.181919_prod.gpg.img

When I run binwalk I don't get any meaningful results, confirming my suspicions:

@m-1-k-3
m-1-k-3 / decrypt.py
Created December 23, 2021 15:25 — forked from ryancdotorg/decrypt.py
Decrypt firmware images for (some) EnGenius devices
#!/usr/bin/env python3
import sys
key = b'\xac\x78\x3c\x9e\xcf\x67\xb3\x59'
filename = sys.argv[1]
def decrypter(reference):
    n = len(key)
@m-1-k-3
m-1-k-3 / CortexM_searchable_list.txt
Created June 23, 2020 06:44 — forked from raplin/CortexM_searchable_list.txt
Searchable list of Cortex M cpus by IRQ/Peripheral base, helps figure out which CPU an unknown binary runs on - description at top
Cortex M CPU searchable IRQ/peripheral list
Goal: Use this when reverse engineering a binary for an unknown Cortex M CPU to help figure out exactly what you're looking at
Simple usage:
Load the binary into IDA/Ghidra
Find the vector table (usually the first 256-ish bytes right at the start of the file), and find some 'interesting' IRQ vectors that point to real code.
(The first 16 vectors are internal Cortex M stuff (reset vector, NMI etc) and will not be useful)
In the IRQ handler code pointed to by the vector, you will very often soon encounter an obvious peripheral address being loaded into a register.