Comment #2

Open
drsn00ker opened this issue Dec 30, 2024 · 2 comments
@drsn00ker

Fantastic work! Is there a pattern in the algos that can be extended to more models? I'm looking to extract a few thousand D-Link firmwares to see if their engineers left any keygens in there. Specifically looking at the DIR, DSL and DWR models for the default PSK generator.
Anyway, crates.io seems to have a server issue that prevents me from downloading atm.
Thanks for your efforts!

@devttys0 devttys0 self-assigned this Jan 8, 2025
@devttys0
Owner

devttys0 commented Jan 8, 2025

Some models re-use encryption methods and encryption keys, so while I'm sure there are other D-Link devices that delink will work against, there is no "generic" method for recovering firmware encryption keys. Most firmware are encrypted with AES-256 CBC, a few use AES-128 CBC. Some use the OpenSSL file format, others use a proprietary file format, some have no file header or format at all, just the encrypted data.
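The container kinds listed in the comment above can be told apart before any key work begins. The following is an added example, not part of the thread and not delink's code: it sorts a blob into OpenSSL salted format, headerless ciphertext, or other, and the enum names, the 4 KiB minimum and the 7.5 entropy threshold are assumptions.

```rust
// Added example, not delink's code: sort a firmware blob into the container
// kinds named in the comment above. Thresholds and names are assumptions.
#[derive(Debug, PartialEq)]
enum Container {
    OpenSslSalted { salt: [u8; 8] }, // "Salted__" magic, 8-byte salt, ciphertext
    HeaderlessCiphertext,            // no header, block-aligned, near-random bytes
    Other,                           // proprietary header, plaintext, or too short
}

const AES_BLOCK: usize = 16; // AES-128 and AES-256 share a 16-byte block

// Shannon entropy in bits per byte; CBC ciphertext sits close to 8.0.
fn entropy(data: &[u8]) -> f64 {
    let mut counts = [0usize; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let n = data.len() as f64;
    counts.iter().filter(|&&c| c > 0)
        .map(|&c| { let p = c as f64 / n; -p * p.log2() })
        .sum()
}

fn classify(blob: &[u8]) -> Container {
    // `openssl enc` output: 8-byte magic + 8-byte salt + whole CBC blocks.
    if blob.len() >= 32 && blob.starts_with(b"Salted__") && (blob.len() - 16) % AES_BLOCK == 0 {
        let mut salt = [0u8; 8];
        salt.copy_from_slice(&blob[8..16]);
        return Container::OpenSslSalted { salt };
    }
    // Assumed heuristic: at least 4 KiB, block-aligned, entropy above 7.5.
    if blob.len() >= 4096 && blob.len() % AES_BLOCK == 0 && entropy(blob) > 7.5 {
        return Container::HeaderlessCiphertext;
    }
    Container::Other
}

// Constructed stand-in for ciphertext: every byte value appears equally often.
fn uniform_bytes(len: usize) -> Vec<u8> {
    (0..len).map(|i| (i * 167 + 13) as u8).collect()
}

fn main() {
    let mut salted = b"Salted__\x01\x02\x03\x04\x05\x06\x07\x08".to_vec();
    salted.extend(uniform_bytes(4096));
    println!("{:?}", classify(&salted));
    println!("{:?}", classify(&uniform_bytes(4096)));
    println!("{:?}", classify(&vec![0u8; 4096]));
}
```

A blob with a proprietary header lands in `Other`, since the thread gives no layout for those formats and each would need its own per-model check.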

@drsn00ker
Author

I was afraid of that. Sadly none of the firmwares that are now also getting extracted contain a keygen (just the WPS PIN generator), but you already found that and reversed it. The math looks very different from your implementation of the WPS pin, but the answer is the same, so somehow all the XORs even out. I should probably look at the binary representation of the constants.
There are a couple models for which there must be a different WPS pin algo, but that's not included in any of the firmwares as far as I can tell.
Anyway keep up the great work!
