Please note that the information presented in this post may be outdated. An updated technique has been posted here.
The German ISP o2 Alice (Hansenet) requires its customers to use the router that is distributed to them along with the contract. While they supply you with PPPoE data for internet connectivity, your VoIP login credentials are kept secret inside the router. The o2 Alice device examined for this post is called "IAD 3232" and was manufactured by the German company Sphairon.
In this post I will show you how to extract your VoIP data from a configuration backup file, which can be downloaded through the IAD 3232 web interface. Since Sphairon uses the same backup file structure and encryption scheme on most (if not all) of their devices, this technique is quite generic. Any comments should be posted to the corresponding thread in the IP-Phone-Forum.
Confirmed devices on which this technique works: IAD 3221, IAD 3222, IAD 3231, IAD 3232, o2 HomeBox 3232, Turbolink IAD.
How it works
1. Go to the web interface of your IAD (http://alice.box/) and download a copy of your router configuration to your hard disk: "System" -> "Einstellungen sichern" -> "Konfiguration speichern". A download dialog for a file called config.bin should pop up.
2. Grab my Sphairon IAD Decrypter tool and save it in the same directory as your config.bin. Now use the decrypter to convert your config.bin into a file called config.tgz. My tool does not contain any harmful code; if in doubt, run it in a sandboxed or virtualized environment.
3. Open the .tgz file (with WinRAR, for example) and extract the contained files database.txt and rc.conf.
4. As o2 Alice uses a second PPPoE connection (on a separate ATM PVC) for VoIP services, you need to extract these login credentials as well. Open rc.conf and look for the following section:
#<< wan_pppoe2
[...]
PPPOE2_USERNAME="<voip pppoe username>"
PPPOE2_PASSWORD="<voip pppoe password>"
[...]
#>> wan_pppoe2
Set up your new VoIP router to establish a second PPPoE connection for telephony with this account data. Set VPI to 1 and VCI to 32. Change the VCI to 35 if you get a "request denied" error for your telephony PPPoE connection. (Thanks to mcgiovanni88 for the solution.)
Note: My username is equal to "<10-digit serial number>-<first 6 hex digits of MAC address>@alice5-voip.de" and my password is "nopw". The data encoded into the username can be found (at least in my case) on the label on the underside of your IAD 3232. That is probably not always the case, so you should stick to what is in your rc.conf.
5. Open database.txt in a text editor (Notepad2, for example) and look for the following sections:
[SipAccount]
0;0;"<telephone number1>";"<username1>";"<password1>";"";4500;1;0;"";0;0;0
1;0;"<telephone number2>";"<username2>";"<password2>";"";4500;1;1;"";0;0;0
2;0;"<telephone number3>";"<username3>";"<password3>";"";4500;1;1;"";0;0;0
[SipServer]
0;"<registrar1>";5060
1;"<registrar2>";5060
2;"<registrar3>";5060
The above example contains 3 VoIP telephone numbers, each with its own username, password and registrar. Enter this data into your desired VoIP device/router.
Note: In my example each telephone number was equal to the corresponding username. Furthermore all registrars were equal. That is probably not always the case, so you should stick to what is in your database.txt.
6. If you did everything right, your telephone numbers should now be up and running.
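As an added worked example for steps 4 and 5 (my own code, not the author's decrypter and not anything shipped with the IAD), here is a small Go program that pulls both sets of credentials out of the extracted files: the PPPOE2_* variables between the "#<< wan_pppoe2" and "#>> wan_pppoe2" markers of rc.conf, and the [SipAccount] rows of database.txt joined to the [SipServer] row with the same leading index. It assumes only what the post shows: KEY="value" lines inside the markers, ';'-separated rows with double-quoted strings, and that account and registrar rows pair up by index as in the three-number example above. Columns the post does not explain are ignored, and the embedded sample contents are constructed placeholders, not real credentials.

```go
package main

import (
	"fmt"
	"log"
	"strconv"
	"strings"
)

// Constructed samples in the shapes the post shows (placeholder values, not real credentials).
const sampleRC = `#<< wan_pppoe2
PPPOE2_USERNAME="1234567890-0123ab@alice5-voip.de"
PPPOE2_PASSWORD="nopw"
#>> wan_pppoe2
`

const sampleDB = `[SipAccount]
0;0;"0301234567";"0301234567";"pa;ss1";"";4500;1;0;"";0;0;0
1;0;"0301234568";"0301234568";"pass2";"";4500;1;1;"";0;0;0
[SipServer]
0;"registrar.example";5060
1;"registrar.example";5060
`

func unquote(s string) string { return strings.Trim(strings.TrimSpace(s), `"`) }
// rcSection returns the KEY=value assignments between the "#<< name" and
// "#>> name" markers of rc.conf, with the surrounding double quotes removed.
func rcSection(rc, name string) map[string]string {
	vars := map[string]string{}
	inside := false
	for _, line := range strings.Split(rc, "\n") {
		line = strings.TrimSpace(line)
		if line == "#>> "+name {
			break
		}
		if kv := strings.SplitN(line, "=", 2); inside && len(kv) == 2 && !strings.HasPrefix(line, "#") {
			vars[strings.TrimSpace(kv[0])] = unquote(kv[1])
		}
		inside = inside || line == "#<< "+name
	}
	return vars
}

// splitRow splits a database.txt row on ';' outside double quotes, so a password
// that itself contains ';' stays in one piece.
func splitRow(row string) (fields []string) {
	start, quoted := 0, false
	for i, c := range row {
		if c == '"' {
			quoted = !quoted
		} else if c == ';' && !quoted {
			fields, start = append(fields, row[start:i]), i+1
		}
	}
	return append(fields, row[start:])
}

// sipAccount holds the [SipAccount] columns the post identifies (the others are not
// explained there and are ignored); Registrar is the [SipServer] row with the same index.
type sipAccount struct{ Index int; Number, User, Pass, Registrar string }

func parseDatabase(db string) ([]sipAccount, error) {
	var accounts []sipAccount
	servers := map[int]string{}
	section := ""
	for n, line := range strings.Split(db, "\n") {
		if line = strings.TrimSpace(line); strings.HasPrefix(line, "[") {
			section = line
			continue
		}
		f := splitRow(line)
		isAcct, isSrv := section == "[SipAccount]" && len(f) >= 5, section == "[SipServer]" && len(f) >= 3
		if !isAcct && !isSrv {
			continue // blank line, short row, or a section the post does not describe
		}
		idx, err := strconv.Atoi(f[0])
		if err != nil {
			return nil, fmt.Errorf("database.txt line %d: bad row index: %v", n+1, err)
		}
		if isAcct {
			accounts = append(accounts, sipAccount{Index: idx, Number: unquote(f[2]), User: unquote(f[3]), Pass: unquote(f[4])})
		} else {
			servers[idx] = unquote(f[1]) + ":" + strings.TrimSpace(f[2])
		}
	}
	for i := range accounts {
		accounts[i].Registrar = servers[accounts[i].Index]
	}
	return accounts, nil
}

func main() { // for a real router, feed the contents of rc.conf and database.txt instead of the samples
	p := rcSection(sampleRC, "wan_pppoe2")
	fmt.Println("VoIP PPPoE:", p["PPPOE2_USERNAME"], p["PPPOE2_PASSWORD"])
	accounts, err := parseDatabase(sampleDB)
	if err != nil {
		log.Fatal(err)
	}
	for _, a := range accounts {
		fmt.Printf("SIP %d: %s user=%s pass=%s registrar=%s\n", a.Index, a.Number, a.User, a.Pass, a.Registrar)
	}
}
```

The same rcSection function works for any other marker pair in rc.conf, for instance rcSection(rc, "firmware_update") for the FTP block mentioned further down; a marker pair that is absent simply yields an empty map.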
Other interesting stuff
The file rc.conf also seems to contain the login credentials for an FTP server hosting firmware updates. Furthermore you will find some root-user password hashes for samba, ftp and telnet. If you manage to crack any of the hashes, or if you reverse engineer any of the firmware images, I would be happy to hear of your results.
#<< firmware_update
FTP_SERVER="update-sph.hansenet.net"
FTP_USERNAME="updatesph"
FTP_PASSWORT="DidFS4anSRd2t9ks"
FTP_REMOTE_DIR="/Alice_Modem_WLAN_1232"
#>> firmware_update
FAQ
1. What is the magic behind your tool and how did you write it?
There is no "magic". I simply dumped the flash chip with the help of the bootloader through the TTL serial interface on the router's PCB. Next I unpacked the rootfs (thanks to the "Firmware Modification Kit") and reverse-engineered the binary that creates config.bin. Once the file structure and the encryption algorithm were understood, I simply wrote a decryption routine.
2. Is the source code available?
No.
3. Will you make the file structure and the encryption scheme publicly available?
Yes. Please credit me if you use information gathered by me. Thanks.
The config.bin file consists of a 0x30-byte header followed by payload_size_be bytes of ciphertext:
struct header {
    char     magic[4];          // magic bytes \x43 \x46 \x47 \x31 ("CFG1")
    uint32_t payload_size_be;   // length of ciphertext = length of padded plaintext (big endian)
    char     header_md5[8];     // first 8 bytes of MD5 computed over the header, with these 8 bytes taken as \x00
    char     etl[7];            // blank electronic label (etl), always "000000" (null-terminated char array)
    char     unused1;           // not used at the moment
    uint16_t password_len_be;   // length of the password used for AES encryption (big endian)
    uint16_t padding_len_be;    // number of padding bytes added to the plaintext (big endian)
    char     unused2[4];        // not used at the moment
    char     plaintext_md5[16]; // MD5 hash of the plaintext
};
The ciphertext is decrypted with AES-256 in ECB mode using the static key aes_key shown below, which is simply the ASCII string "dummy" zero-padded to 32 bytes. Because that key is identical on every device, anyone who obtains a config.bin can decrypt it, and the two MD5 fields in the header only detect corruption; they do not authenticate the file. Why don't they use a hardware-based secret for encryption, if they don't want to bother the user with entering a password? Why do they store the length of the secret along with the ciphertext? Why don't they use a hash function for key derivation?
const char aes_key[32] = { // "dummy"
    0x64, 0x75, 0x6d, 0x6d, 0x79, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
Finally, padding_len_be bytes are stripped from the end of the decrypted plaintext and the resulting buffer is written to config.tgz.
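To make the format above concrete, here is an added Go implementation of the decryption. It is my own reconstruction from the description on this page, not the author's closed-source tool, and it assumes exactly what the struct and text state: the 0x30-byte CFG1 header with big-endian lengths, header_md5 computed over the header with its own field zeroed, AES-256 in ECB mode with the key "dummy" zero-padded to 32 bytes, and padding_len_be trailing bytes stripped. The post does not say whether plaintext_md5 covers the padded or the stripped plaintext, so the check accepts either. The encryptConfig helper exists only to build an image for exercising the decoder; its zero padding bytes are my assumption, not something the firmware is known to do.

```go
package main

import (
	"crypto/aes"
	"crypto/md5"
	"encoding/binary"
	"fmt"
	"os"
)

const headerSize, magic = 0x30, "CFG1" // fixed header; payload_size_be bytes of AES-256-ECB ciphertext follow

// The post's static key: the ASCII string "dummy" zero-padded to 32 bytes.
var aesKey = append([]byte("dummy"), make([]byte, 27)...)

// headerChecksum is the first 8 bytes of MD5 over the 0x30-byte header with
// the header_md5 field itself zeroed, as the post describes.
func headerChecksum(raw []byte) (sum [8]byte) {
	tmp := append([]byte{}, raw[:headerSize]...)
	copy(tmp[8:16], make([]byte, 8))
	full := md5.Sum(tmp)
	copy(sum[:], full[:8])
	return sum
}

// decryptConfig turns a config.bin image into the config.tgz bytes. Both MD5
// fields are checked, so a wrong key, truncation or corruption is reported.
func decryptConfig(raw []byte) ([]byte, error) {
	if len(raw) < headerSize || string(raw[:4]) != magic {
		return nil, fmt.Errorf("not a CFG1 image")
	}
	var headerMD5 [8]byte
	copy(headerMD5[:], raw[8:16])
	if headerChecksum(raw) != headerMD5 {
		return nil, fmt.Errorf("header MD5 mismatch")
	}
	payloadSize := binary.BigEndian.Uint32(raw[4:8]) // etl [16:23] and password_len [24:26] are not needed
	paddingLen := int(binary.BigEndian.Uint16(raw[26:28]))
	var plaintextMD5 [16]byte
	copy(plaintextMD5[:], raw[32:48])
	ct := raw[headerSize:]
	if uint32(len(ct)) != payloadSize || len(ct)%aes.BlockSize != 0 || paddingLen > len(ct) {
		return nil, fmt.Errorf("payload or padding length inconsistent with header")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize { // ECB: every block is decrypted on its own
		block.Decrypt(padded[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	pt := padded[:len(padded)-paddingLen]
	// The post does not say whether plaintext_md5 covers the padding, so accept either.
	if md5.Sum(pt) != plaintextMD5 && md5.Sum(padded) != plaintextMD5 {
		return nil, fmt.Errorf("plaintext MD5 mismatch (wrong key or corrupt file)")
	}
	return pt, nil
}

// encryptConfig builds an image in the same layout so the decoder can be exercised
// without a router; zero padding bytes and hashing the unpadded plaintext are assumptions.
func encryptConfig(pt []byte) []byte {
	pad := (aes.BlockSize - len(pt)%aes.BlockSize) % aes.BlockSize
	padded := append(append([]byte{}, pt...), make([]byte, pad)...)
	raw := make([]byte, headerSize+len(padded))
	copy(raw[:4], magic)
	binary.BigEndian.PutUint32(raw[4:8], uint32(len(padded)))
	copy(raw[16:23], "000000")                // etl, null-terminated
	binary.BigEndian.PutUint16(raw[24:26], 5) // password_len_be: len("dummy")
	binary.BigEndian.PutUint16(raw[26:28], uint16(pad))
	sum := md5.Sum(pt)
	copy(raw[32:48], sum[:])
	hc := headerChecksum(raw) // computed while raw[8:16] is still zero
	copy(raw[8:16], hc[:])
	block, _ := aes.NewCipher(aesKey)
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(raw[headerSize+i:], padded[i:i+aes.BlockSize])
	}
	return raw
}

func main() { // usage: cfgdec config.bin config.tgz
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: cfgdec config.bin config.tgz")
		os.Exit(2)
	}
	raw, err := os.ReadFile(os.Args[1])
	if err == nil {
		var pt []byte
		if pt, err = decryptConfig(raw); err == nil {
			err = os.WriteFile(os.Args[2], pt, 0o600)
		}
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Build it with go build and run it as cfgdec config.bin config.tgz. A file whose header checksum, payload length or plaintext hash does not line up is refused rather than written out, which is the behaviour you want when pointing the tool at a backup from a model the format has not been confirmed on.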