@ryancdotorg
ryancdotorg / decrypt.py
Created December 23, 2021 00:05
Decrypt firmware images for (some) EnGenius devices
#!/usr/bin/env python3
import sys
key = b'\xac\x78\x3c\x9e\xcf\x67\xb3\x59'
filename = sys.argv[1]
def decrypter(reference):
    n = len(key)
@galaxy4public
galaxy4public / pc1.c
Created September 12, 2021 14:10
QNAP firmware encryption/decryption
// Original author: Paul Rascagneres <rootbsd@r00ted.com>
// Patched by (GalaxyMaster) [https://github.com/galaxy4public/]
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define ENCRYPT_SIZE 0x100000
int keybits;
int y, z;
@nstarke
nstarke / decrypting-dlink-proprietary-firmware-images.md
Last active April 3, 2024 11:05
Decrypting DLINK Proprietary Firmware Images
@raplin
raplin / CortexM_searchable_list.txt
Created June 22, 2020 23:47
Searchable list of Cortex M cpus by IRQ/Peripheral base, helps figure out which CPU an unknown binary runs on - description at top
Cortex M CPU searchable IRQ/peripheral list
Goal: Use this when reverse engineering a binary for an unknown Cortex M CPU to help figure out exactly what you're looking at
Simple usage:
Load the binary into IDA/Ghidra
Find the vector table (usually the first 256-ish bytes right at the start of the file), and find some 'interesting' IRQ vectors that point to real code.
(The first 16 vectors are internal Cortex M stuff (reset vector, NMI etc) and will not be useful)
In the IRQ handler code pointed to by the vector, you will very often soon encounter an obvious peripheral address being loaded into a register.
Search this file for "[XXXX:YYYYYYYY]" where X = last 4 hex address of the IRQ vector, and YYYYYYYY=hex peripheral address.
@nstarke
nstarke / linksys-ea4500-device-firmware-decryption.md
Created March 18, 2020 03:09
Linksys EA4500 Device Firmware Decryption

Linksys EA4500 Firmware Decryption

I recently pulled a Linksys EA4500 out of storage for evaluation. The first thing I wanted to do was to update the firmware for the device. https://www.linksys.com/us/support-article?articleNum=148385 offers the latest version of the firmware, which is 3.1.7 as of this writing.

However, we can see with the filename that it's probably encrypted: FW_EA4500V3_3.1.7.181919_prod.gpg.img

When I run binwalk I don't get any meaningful results, confirming my suspicions:

@ulidtko
ulidtko / qnap-qts-fw-cryptor.py
Last active April 19, 2024 16:45
QNAP QTS firmware encryptor/decryptor.
#!/usr/bin/env python3
import os, sys
import argparse
import struct
from functools import reduce
"""
QNAP QTS firmware encryptor/decryptor.
Based on https://pastebin.com/KHbX85nG