TP-Link RE200 config.bin decryption and manipulation

A very quick article to share with you how to decrypt the TP-Link RE200 config.bin

In this article we take up the concepts seen in the previous one jumping straight into Ghidra to take a look at the _tddp_UploadFlashData routine in httpd ELF.

The way the config is being uploaded is pretty clear, basically the uploaded file is entirely decrypted, after which the md5 hashing is performed starting from the 0x10 offset until the end of the file. Finally, it verifies whether the first byte 0x10 coincide in this md5.
The encryption has been performed with a DES symmetric-key algorithm (ECB)


Openssl can reach the goal by using this command:
# openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin > decrypted.bin

alternatively you can use any other application, demonslay335’s CryptoTester for example:

 copy and paste the decrypted data into an hxd

Do a manually md5 check by selecting all the bytes from 0x10 to the end of the file.

You can now modify by a text editor the decrypted confing, retrive and or change the admin password, recalculate the new md5, encrypt the whole file back and upload it by the web interface. That’s all. :slight_smile:

Follow me on Twitter


Article Link: