Linksys router update
Here is my list of "issues" with firmware updates:
I recently pulled a Linksys EA4500 out of storage for evaluation. The first thing I wanted to do was to update the firmware for the device. Linksys offers the latest version of the firmware, which is 3.1.7 as of this writing. However, we can see from the filename that it's probably encrypted:

FW_EA4500V3_3.19_

When I run binwalk I don't get any meaningful results, confirming my suspicions:

$ binwalk FW_EA4500V3_3.19_
3168198 0x3057C6 Cisco IOS experimental microcode, for "k"

Note that the Cisco IOS experimental microcode result is almost always a false positive, even though this is a Cisco branded device.

The Linksys product support page says this:

"However, if you prefer to do manual updates and your router is on version 3.73 or older, YOU MUST download & update your router using firmware version 3.1.6 (Build 172023) first before loading the latest firmware"

This leads me to believe the firmware was once not encrypted and then a subsequent version was encrypted. That means the gpg key is probably somewhere in an earlier firmware version. The filename is thus:

FW_EA4500V3_3.23_prod.img

Note that there is no gpg substring in the file name. This leads me to believe that this firmware version is not encrypted. We run binwalk to confirm:

$ binwalk FW_EA4500V3_3.23_prod.img
0 0x0 uImage header, header size: 64 bytes, header CRC: 0x522CD43A, created: 20:36:47, image size: 1536238 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0xF4B0BD80, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linksys Impala Router"
64 0x40 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4555944 bytes
3145728 0x300000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 14179096 bytes, 3201 inodes, blocksize: 262144 bytes, created: 21:30:41

Score! So we can use binwalk's Matryoshka extraction mode to extract the squashfs filesystem:

$ binwalk -eM FW_EA4500V3_3.23_prod.img

Now that we have the filesystem extracted for version 3.1.6, we need to go looking for something that looks like a public key. I did a find for *.asc*, *.pem, and *.gpg to no avail, so I decided to just grep for what I was looking for:

$ grep -r 'PUBLIC KEY' .
./etc/certs/server.pem:-----BEGIN PUBLIC KEY-----
./etc/keydata:-----BEGIN PGP PUBLIC KEY BLOCK-----
./etc/keydata:-----END PGP PUBLIC KEY BLOCK-----
Binary file ./lib/libcrypto.so.0.9.8 matches

From experience I can guess that ./etc/certs/server.pem is most likely the web management interface's TLS cert for HTTPS communications. ./etc/keydata is looking interesting:

$ file ./etc/keydata
./etc/keydata: PGP public key block Public-Key (old)

So let's try it out and see if it can decrypt the 3.1.7 firmware version:

$ gpg --import ./etc/keydata
$ gpg --decrypt FW_EA4500V3_3.19_ > FW_EA4500V3_3.19_prod.img

And it works! Now we have a plaintext version of the firmware:

$ file FW_EA4500V3_3.19_prod.img
FW_EA4500V3_3.19_prod.img: u-boot legacy uImage, Linksys Impala Router, Linux/MIPS, OS Kernel Image (lzma), 1536489 bytes, Fri Jun 16 00:41:05 2017, Load Address: 0x80060000, Entry Point: 0x80060000, Header CRC: 0x9DACD513, Data CRC: 0xA097E0E3

0 0x0 uImage header, header size: 64 bytes, header CRC: 0x9DACD513, created: 00:41:05, image size: 1536489 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0xA097E0E3, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linksys Impala Router"
64 0x40 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4556000 bytes
3145728 0x300000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 15154172 bytes, 3294 inodes, blocksize: 262144 bytes, created: 01:34:18

Now I can start the reverse engineering process.

It's also worth noting that although we can decrypt the firmware for reverse engineering, we cannot encrypt our own firmware to upload to the device. That integrity checking is mostly what the firmware decryption is in place for - to prevent malicious actors from uploading a modified firmware version. Because the private key is kept private, it is not possible to encrypt custom firmware. Also, my bet is that the 3.1.7 firmware has checks in place to prevent unencrypted firmware from being flashed onto the device, meaning it is probably not possible to downgrade from 3.1.7.

Updating the firmware on a router is a major pain in the neck. While every article about routers says to regularly update the firmware, none talk about the problems.
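
The file and binwalk results in this post hinge on the 64-byte u-boot legacy uImage header. As an added example (not code from the original post), this Python parser reads that header and checks both CRCs; the sample image is constructed, and parse_uimage and build_sample are hypothetical names.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956            # u-boot legacy image magic
HEADER = struct.Struct(">7I4B32s")   # 64-byte big-endian header
COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def parse_uimage(blob: bytes) -> dict:
    """Parse and verify a legacy uImage header; raise ValueError if it is not one."""
    if len(blob) < HEADER.size:
        raise ValueError("too short for a uImage header")
    magic, hcrc, ts, size, load, ep, dcrc, os_, arch, typ, comp, name = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic: image is wrapped, encrypted or another format")
    # The header CRC is computed with the CRC field itself zeroed.
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HEADER.size]
    data = blob[HEADER.size:HEADER.size + size]
    return {
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "size": size, "load": load, "entry": ep,
        "compression": COMP.get(comp, f"unknown({comp})"),
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }


def build_sample() -> bytes:
    """Constructed sample image (not real firmware) using the page's load address and name."""
    payload = b"constructed kernel payload" * 4
    # os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=3 (lzma)
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80060000, 0x80060000,
              zlib.crc32(payload), 5, 5, 2, 3, b"Linksys Impala Router"]
    header = HEADER.pack(*fields)
    fields[1] = zlib.crc32(header)          # fill in the header CRC last
    return HEADER.pack(*fields) + payload


if __name__ == "__main__":
    image = build_sample()
    print(parse_uimage(image))
    tampered = image[:-1] + bytes([image[-1] ^ 1])
    print(parse_uimage(tampered)["data_crc_ok"])   # a flipped payload bit fails the data CRC
    try:
        parse_uimage(b"\x85\x02" + bytes(64))      # constructed non-uImage bytes
    except ValueError as err:
        print("rejected:", err)
```

Both CRCs only detect corruption, since anyone can recompute them; they say nothing about who produced the image, which is the job of the GPG layer discussed above.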