Please note that the information presented in this post may be outdated. An updated technique has been posted here.
The German ISP o2 (which acquired the brand “Alice” from HanseNet in 2010) tries to prevent its customers from installing and using their own CPE by keeping the VoIP credentials secret. It ships poorly equipped routers/modems manufactured by Sphairon or Arcadyan that use the TR-069 protocol to transfer these secret credentials to the CPE.
In my previous post I published a tool to decrypt backup files from Sphairon CPE, so any customer who owns a Sphairon device can easily obtain the secret VoIP data. Arcadyan, however, uses a different encryption scheme for its backup files. A backup decryption tool for older firmware versions is available at the IP-Phone-Forum. In September 2012 a new firmware version was rolled out that rendered the old tool useless.
Therefore I reverse-engineered part of that recent Arcadyan firmware (1.01.18) to learn the encryption scheme, and then implemented the decryption in C. My code uses the SCZ library for decompression.
You can grab my tool Arcadyan IAD Decrypter below. It has been tested against config backups from o2 Box 4421 (Arcadyan IAD 4421) and o2 Box 6431 (Arcadyan IAD 6431). It will probably work for more Arcadyan devices. For updated information and a brief introduction on how to use my tool please see the corresponding thread in the IP-Phone-Forum.
- arcadyan_decrypter_v0.02.zip
- arcadyan_decrypter_v0.03.zip
- arcadyan_decrypter_v0.04.zip
- scz_11_25_08.zip
Many thanks go out to Daniel Meyerholt for providing a firmware dump, identifying the decompression algorithm, and for fruitful discussion. I would also like to thank Stefan Viehböck for his blog .braindump, in which he provides excellent information on how to descramble and unpack firmware images of Arcadyan devices.
The source code is not yet publicly available but I have handed it to Daniel Meyerholt. He has plans to write a set of open-source tools for Arcadyan firmware image manipulation in Java. My source code will be re-implemented in Java and published within his open-source project. I will keep you updated as soon as he publishes it.