 hack D-Link DI-524 config.bin 

Joined: 31 May 2009, 21:16
Posts: 11
Post hack D-Link DI-524 config.bin
Hallo,
first of all, i need to declare that i'm quite a newbie...so forgive me if i make some stupid statements!

Let's go to the point:
i got a configuration backup file of a D-Link DI-524 router
i.e. the "config.bin" you can download as backup from the router's Administration page > Tools > System > Backup Settings
How can you read its content ?

i tried many ways (text/hex editors, decompression tools for .bin files...) without success, or better: i get as a result a bunch of unreadable characters.
i guess the file is encrypted...but i don't know how (i can't understand which kind of operating system the router uses, or which algorithm "closes" the file...)

i do need your precious help!
thanks in advance


02 Jun 2009, 08:30
Profile
Administrator
User avatar

Joined: 01 Dec 2007, 20:56
Posts: 65
Location: Poland
Post Re: hack D-Link DI-524 config.bin
The file you downloaded is probably just a binary dump of the router configuration. The format has nothing to do with the operating system, as it is a proprietary format of the D-Link router application running on it. So the short answer is that you probably cannot read it, since the format specification is not open. You could try to decode it by yourself, but you can't do it if it is encrypted.

_________________
Regards,
www.hwhack.com admin


03 Jun 2009, 18:10
Profile WWW

Joined: 31 May 2009, 21:16
Posts: 11
Post Re: hack D-Link DI-524 config.bin
i guess it's encrypted

i was thinking about Reverse Engineering the device software to understand which algorithm it uses to load-crypt the config.bin ...but i'm not so good at this kinda things
could you help me (first, do you agree it can be a way?)

the firmware is V2.04


03 Jun 2009, 19:23
Profile
Administrator
User avatar

Joined: 01 Dec 2007, 20:56
Posts: 65
Location: Poland
Post Re: hack D-Link DI-524 config.bin
Theoretically it could be done, but the amount of effort that would need to be put into this makes it nearly impossible. What exactly are you going to achieve? Maybe there is just another way of doing this...

_________________
Regards,
www.hwhack.com admin


04 Jun 2009, 05:12
Profile WWW

Joined: 31 May 2009, 21:16
Posts: 11
Post Re: hack D-Link DI-524 config.bin
well, here i am again...

this is the Firmware (which should maybe be reverse-engineered to guess how it loads the config.bin, i.e. the configuration backup file...and probably how to decode it)
http://tsd.dlink.com.tw/ModelDocuView.a ... o=BDKDGDAD

what i need to achieve is to retrieve the admin-pwd out of the config.bin
i rely on your help!!!

please let me know (also if a sample config.bin is needed)
THANKS


07 Jun 2009, 08:01
Profile
Administrator
User avatar

Joined: 01 Dec 2007, 20:56
Posts: 65
Location: Poland
Post Re: hack D-Link DI-524 config.bin
You can't do much with the firmware image, as you would have to decode it, rip out the router application and hack it to understand the config.bin format. You have more steps here than trying to decode config.bin itself, so it does not make much sense. What you could do is to:
1. save config.bin
2. change admin password
3. save config.bin to a second file
4. compare both configs
5. if configs are completely different, you cannot do much with it as it probably means they are all encrypted
6. if configs are the same except for some specific bytes, this could be a place where encrypted password is kept
7. you could grab the encrypted password and match it against different encoding algorithms with some linux tool (since you know the original plain text password) - this way you could find out what is the encryption method
8. once you know the encryption method and you have some other encrypted password, you can try a brute-force on it with a tool like john the ripper.

This is the only method I can currently think of.

_________________
Regards,
www.hwhack.com admin


08 Jun 2009, 08:47
Profile WWW
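
Steps 4 to 6 of the procedure in the post above, as an added example that is not part of the original thread: a byte-level comparison of two backups that reports whether the change is confined to a few ranges or spread over the whole file. The sample blobs, the function names and the 25% threshold are constructed assumptions, not the DI-524 format.

```python
"""Compare two config backups saved before and after a password change."""


def changed_ranges(old: bytes, new: bytes, merge_gap: int = 4):
    """Return half-open (start, end) byte ranges where the two files differ.

    Differences separated by fewer than merge_gap equal bytes are merged,
    so one changed field is reported as one range.
    """
    ranges = []
    for i in range(min(len(old), len(new))):
        if old[i] != new[i]:
            if ranges and i - ranges[-1][1] < merge_gap:
                ranges[-1][1] = i + 1
            else:
                ranges.append([i, i + 1])
    if len(old) != len(new):  # a length change counts as a trailing difference
        ranges.append([min(len(old), len(new)), max(len(old), len(new))])
    return [tuple(r) for r in ranges]


def assess(old: bytes, new: bytes, diffuse_ratio: float = 0.25):
    """Classify the comparison as 'identical', 'localized' or 'diffuse'."""
    ranges = changed_ranges(old, new)
    changed = sum(end - start for start, end in ranges)
    if changed == 0:
        return "identical", ranges
    ratio = changed / max(len(old), len(new))
    return ("diffuse" if ratio >= diffuse_ratio else "localized"), ranges


def sample_backup(field: bytes) -> bytes:
    # Constructed stand-in: 4-byte tag, padding, one 16-byte field, trailer.
    return b"CFG0" + bytes(60) + field + b"\xff" * 48


# Constructed inputs: the same layout with a different 16-byte field (step 6),
# and a copy with every byte altered, as whole-file encryption would (step 5).
BEFORE = sample_backup(bytes(range(16)))
AFTER = sample_backup(bytes(range(16, 32)))
SCRAMBLED = bytes(b ^ 0x5A for b in BEFORE)

if __name__ == "__main__":
    for label, other in (("after", AFTER), ("scrambled", SCRAMBLED)):
        verdict, ranges = assess(BEFORE, other)
        print(label, verdict, [(hex(s), hex(e)) for s, e in ranges])
```

A "localized" result means the backup carries password-dependent bytes at a fixed offset, so saved backups of a device deserve the same protection as the credential itself.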

Joined: 31 May 2009, 21:16
Posts: 11
Post Re: hack D-Link DI-524 config.bin
rawsock wrote:
You can't do much with the firmware image, as you would have to decode it, rip out the router application and hack it to understand the config.bin format. You have more steps here than trying to decode config.bin itself, so it does not make much sense. What you could do is to:
1. save config.bin
2. change admin password
3. save config.bin to a second file
4. compare both configs
5. if configs are completely different, you cannot do much with it as it probably means they are all encrypted
6. if configs are the same except for some specific bytes, this could be a place where encrypted password is kept
7. you could grab the encrypted password and match it against different encoding algorithms with some linux tool (since you know the original plain text password) - this way you could find out what is the encryption method
8. once you know the encryption method and you have some other encrypted password, you can try a brute-force on it with a tool like john the ripper.

This is the only method I can currently think of.


(referring to the bold part of quote)

- in the linked firmware .zip, there's not only the firmware image (bin) but also the .exe

- what if i do not know the plain text pwd ?


09 Jun 2009, 06:31
Profile
Administrator
User avatar

Joined: 01 Dec 2007, 20:56
Posts: 65
Location: Poland
Post Re: hack D-Link DI-524 config.bin
The exe is probably just an update tool that does not interpret FW image file in any way (maybe checksum only), so it has no value in your case.

If you just have the config file and you no longer have the hardware itself, I have no solution for you. But you can always buy/borrow the same dlink and try to figure out how to decode config file. The question is, is it worth it.

And that reminds me of one other issue. In fact, I would be surprised if the admin password is in config file. That would mean that if you change admin password and reload the previously saved configuration file, you will end up having an old password on your router.

_________________
Regards,
www.hwhack.com admin


09 Jun 2009, 08:15
Profile WWW

Joined: 31 May 2009, 21:16
Posts: 11
Post Re: hack D-Link DI-524 config.bin
ok, your answers are always clever...but i try to find some hope for me... :D

what do you think about that:

- if i get the Firmware itself (not just the update), would reverse engineering be possible/meaningful ?

- i dont know if the admin pwd is stored in the config.bin
(by the way, to load another config you have to know the current admin pwd)
if not there, where does the router store the pwd??

Finally, if i have access to the router, which would be the best way to retrieve the admin pwd (bruteforce... which tools...anything else?)
THANKS


[edit]
maybe here is the complete driver/software available for rev-engineering ?
ftp://ftp.dlink.de/di/di-524/driver_software/
or here
ftp://ftp.dlink.co.uk/di_broadband_gateways/di-524/
[/edit]


09 Jun 2009, 21:57
Profile
Administrator
User avatar

Joined: 01 Dec 2007, 20:56
Posts: 65
Location: Poland
Post Re: hack D-Link DI-524 config.bin
If the admin password is not stored in the config file, you gain no advantage from reverse engineering the firmware. You would need to dump a firmware image from a router you are going to hack, but I don't know if dlink provides any software to do this. If there is no such software, you could always unsolder the flash chip and put it into a programmer/reader, but that's the hard part :).

Anyway, reverse-engineering a whole firmware is theoretically possible, but very difficult and time consuming and I can't help you with that.

The router stores the admin password always in its flash memory. The question is whether it dumps it to config file or not. I'm almost sure that it doesn't. However that could mean that the password that is stored on the flash is not encrypted, since there is no point in doing this. If dlink provides any easy (software) way to dump firmware from a running router, then the dumped binary should contain the password and hopefully it might be in a plain-text.

You may also try the brute-force attack using a regular web login, but I'm not familiar with any ready to use tools doing that.

_________________
Regards,
www.hwhack.com admin


10 Jun 2009, 09:43
Profile WWW

Joined: 31 May 2009, 21:16
Posts: 11
Post Re: hack D-Link DI-524 config.bin
so, which could be the best way to hack the router admin pwd via web (http) login ?


11 Jun 2009, 01:26
Profile
Administrator
User avatar

Joined: 01 Dec 2007, 20:56
Posts: 65
Location: Poland
Post Re: hack D-Link DI-524 config.bin
As I wrote - I'm not familiar with such tools, but they probably exist.

_________________
Regards,
www.hwhack.com admin


11 Jun 2009, 01:38
Profile WWW

Joined: 31 May 2009, 21:16
Posts: 11
Post Re: hack D-Link DI-524 config.bin
ok, sorry

if anybody around here has some hints, please tell me!


11 Jun 2009, 05:08
Profile

Joined: 31 May 2009, 21:16
Posts: 11
Post Re: hack D-Link DI-524 config.bin
rawsock wrote:
I would be surprised if the admin password is in config file. That would mean that if you change admin password and reload the previously saved configuration file, you will end up having an old password on your router.


just this news
factory support confirmed it is right that way (contains admin pwd and if loaded, it'll change the pwd)


25 Jun 2009, 22:29
Profile

Joined: 31 May 2009, 21:16
Posts: 11
Post Re: hack D-Link DI-524 config.bin
anybody out there owns a DI-524 (or has physical access to it) ?
let me know, cuz i have 1 question to ask...
thanks


07 Jul 2009, 06:32
Profile

Joined: 20 Nov 2009, 03:18
Posts: 1
Post Re: hack D-Link DI-524 config.bin
I can telnet into my di524 box..

U: Alphanetworks
P: wrgg15_di524

Works on revision E


20 Nov 2009, 03:22
Profile