This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissecting a captured firmware update session - TR-069 and TLSv1


My locked, ISP branded modem/router runs a TR-069 daemon that periodically checks for firmware updates. I used a man-in-the-middle OpenWRT box, running tcpdump, to capture an entire TR-069 session in which a firmware update was sent from my ISP to the modem/router and installed.

As I understand it, TR-069 uses TLSv1 to encrypt the firmware file during transmission, but I have an unencrypted copy of the same firmware, the plaintext.

How can I extract the encrypted firmware file? What other useful information can be extracted from the captured session? I have Wireshark 1.11.3.

TIA!

asked 01 Apr '14, 07:04


dmcdonnell


One Answer:


As I understand it, TR-069 uses TLSv1 to encrypt the firmware file during transmission

Did you check that in the capture file? You should see SSL/TLS traffic in that case.

but I have an unencrypted copy of the same firmware, the plaintext.

From the capture file? If so, your whole question would be kind of pointless, so I guess you got the firmware from another source.

How can I extract the encrypted firmware file?

You can't if the session is encrypted with TLSv1, unless you have access either to the locked router or to the update servers of the ISP to (somehow) get hold of the crypto keys. I guess neither is the case, so: Sorry, bad luck! That's what TLS was made for.

What other useful information can be extracted from the captured session?

That depends on the update process of your ISP. Maybe they push a new config for the router and/or the latest NSA backdoors over the encrypted TLS channel to your box. You will never know.

The only thing you could do is to use an SSL man-in-the-middle attack (please google that, as it's way beyond the scope of this site). But I bet that TR-069 has some security measures in place to prevent that. So again: Sorry, no luck.

Regards
Kurt

answered 02 Apr '14, 13:48


Kurt Knochner ♦

edited 02 Apr '14, 13:49
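To follow Kurt's first point (confirm that the capture really carries TLS, and see which version and cipher suite were negotiated), here is an added Python example that is not part of the original thread. It parses a TLS ServerHello record taken from a capture; the two records below are constructed for the demonstration, not from the poster's pcap. It also reports whether Wireshark's server-RSA-private-key decryption could apply at all, which depends on the key exchange, not just on having "the keys".

```python
import struct

# Minimal IANA cipher-suite table, enough for the two constructed samples below.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return what an analyst can
    learn from it without any keys: protocol version and negotiated cipher suite."""
    if len(record) < 5 or record[0] != 0x16:            # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:                # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[0:2])[0]        # server_version
    sid_len = hello[34]                                  # after 2-byte version + 32-byte random
    pos = 35 + sid_len
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    name = CIPHER_SUITES.get(suite, hex(suite))
    return {
        "version": VERSIONS.get(version, hex(version)),
        "cipher_suite": name,
        # Wireshark can decrypt with the server's RSA private key only for static RSA
        # key exchange; (EC)DHE suites need per-session secrets (e.g. a key log file).
        "rsa_private_key_decryptable": name.startswith("TLS_RSA_"),
    }

def _server_hello(version: int, suite: int) -> bytes:
    """Build a constructed ServerHello record (empty session id, no extensions)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake

# Constructed samples: a TLS 1.0 session with static RSA, and a TLS 1.2 session with ECDHE.
SAMPLE_RSA = _server_hello(0x0301, 0x002F)
SAMPLE_ECDHE = _server_hello(0x0303, 0xC013)

if __name__ == "__main__":
    for label, rec in (("rsa", SAMPLE_RSA), ("ecdhe", SAMPLE_ECDHE)):
        print(label, parse_server_hello(rec))
```

On a real capture, feed it the bytes of the ServerHello record Wireshark shows under the handshake; the same fields are what Wireshark's SSL dissector prints in the packet details.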

@Kurt

Thank you very much for your comprehensive reply.

I thought it might be useful for researchers to have access to the pcap capture of the CWMP (TLSv1.2) firmware update session and the plaintext firmware file delivered in the session (obtained elsewhere).

pcap: https://drive.google.com/file/d/0B8w9evGfsK03Qi15Z0x4TkY1ZDQ/edit?usp=sharing
firmware: https://drive.google.com/file/d/0B8w9evGfsK03MVpMTlVBTDY3WlE/edit?usp=sharing

Regards,

Dermot.

(03 Apr '14, 03:41) dmcdonnell