One day I took my notepad and calculator out again (ads0.jpg)
and took a good look inside the SDG2000 ADS file.
Since they overwrite the passwd file during a firmware upgrade, this file must be changed
if you want to log in by telnet. But what kind of file is this ADS? I have not found the crypt yet, but I can show
some files. Firmware P17R5 and P21R2 have the same root password, but I think it is not
crackable, and because of the update this has no point anyway. (ads1.jpg)
The zipped passwd file is very similar to this section in the ADS file. (ads2.jpg)
But there is one trick they did. After the firmware file is complete, they XOR-ed it with FF by
some kind of pattern. One such point is at position 15BD. (ads3.jpg)
All of this may not be fully accurate, but it may illustrate a bit of this structure from the
P21R2.ADS or P17R5.ADS file here
(after I XOR-ed 71 back to 8E):
00000000 | 50 4B 03 04 14 00 00 00 08 00 11 56 2F 48 8B 48 | PK.........V/H.H |
00000010 | 08 21 3B 00 00 00 3C 00 00 00 0E 00 1C 00 61 70 | .!;...<.......ap |
00000020 | 70 2F 65 74 63 2F 73 68 61 64 6F 77 55 54 09 00 | p/etc/shadowUT.. |
00000030 | 03 02 5E 98 56 02 5E 98 56 75 78 0B 00 01 04 E8 | ..^.V.^.Vux..... |
00000040 | 03 00 00 04 E8 03 00 00 2B CA CF 2F B1 52 31 54 | ........+../.R1T |
00000050 | F1 F3 29 F7 CD 32 F4 AF 50 31 AC 34 89 74 4B 8E | ..)..2..P1.4.tK. |
00000060 | 88 CC 8C F2 F4 29 0C 4D CD 70 71 F3 2E 75 32 B4 | .....).M.pq..u2. |
00000070 | 32 34 35 33 37 B2 32 B0 B2 04 01 2B 73 2B 2B 2B | 24537.2....+s+++ |
00000080 | 2E 2E 00                                        | ...              |
Signature 50 4B 03 04 (local file header; all multi-byte fields are little-endian)
Version needed to extract 14 00 (= 20 -> 2.0)
Flags 00 00 (no flags)
Compression method 08 00 (deflated)
File modification time 11 56 (= 0x5611 = 0101 0110 0001 0001)
hour = (01010)11000010001 = 10
minute = 01010(110000)10001 = 48
second = 01010110000(10001) = 17, stored in 2-second units = 34 seconds
10:48:34
File modification date 2F 48 (= 0x482F = 0100 1000 0010 1111)
year = (0100100)000101111 = 36, counted from 1980 = 2016
month = 0100100(0001)01111 = 1
day = 01001000001(01111) = 15
01/15/2016
CRC-32 checksum 8B 48 08 21 (0x2108488B, computed over the uncompressed file)
Compressed size 3B 00 00 00 (59 bytes)
Uncompressed size 3C 00 00 00 (60 bytes)
File name length 0E 00 (14 bytes)
Extra field length 1C 00 (28 bytes = 4 + 9 + 4 + 11 for the two extra fields below)
File name "app/etc/shadow"
Extra field id 55 54 ("UT", Info-ZIP extended timestamp)
data size 09 00 (9 bytes)
data bytes 03 02 5E 98 56 02 5E 98 56
flags 03 (mtime and atime present), mtime = atime = 02 5E 98 56 (0x56985E02, Unix time)
Extra field id 75 78 ("ux", Info-ZIP Unix UID/GID)
data size 0B 00 (11 bytes)
data bytes 01 04 E8 03 00 00 04 E8 03 00 00
version 01, uid size 04, uid E8 03 00 00 (= 1000), gid size 04, gid E8 03 00 00 (= 1000)
Packed data 2B CA CF 2F ...... 2E 2E 00 (59 bytes, starting at offset 48 = 30-byte header + 14 + 28)
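As an added example (my code, not the author's), here is the same decoding done programmatically. The input is the entry from the hex dump above, transcribed as a constructed byte string; the header is parsed with struct, the UT and ux extra fields are decoded, and the packed data is inflated and checked against the CRC-32 and size in the header, which is the quickest test of whether a dump (and an XOR reversal like the 71 -> 8E one) is right. The last scan goes beyond the page: it assumes exactly one packed byte was XOR-ed with FF and finds it by trying every position. build_local_entry and the shadow line it packs are constructed for self-checking and are not taken from the firmware.

```python
import struct
import zlib
from datetime import datetime, timezone

# Constructed input: the 0x83 bytes of the app/etc/shadow entry exactly as the hex
# dump above shows them (after the author XOR-ed 0x71 at dump offset 0x5F back to
# 0x8E). A transcription error in the dump would surface as a CRC mismatch below.
SHADOW_ENTRY = bytes.fromhex(
    "50 4B 03 04 14 00 00 00 08 00 11 56 2F 48 8B 48 08 21 3B 00 00 00 3C 00 00 00 0E 00 1C 00 61 70 "
    "70 2F 65 74 63 2F 73 68 61 64 6F 77 55 54 09 00 03 02 5E 98 56 02 5E 98 56 75 78 0B 00 01 04 E8 "
    "03 00 00 04 E8 03 00 00 2B CA CF 2F B1 52 31 54 F1 F3 29 F7 CD 32 F4 AF 50 31 AC 34 89 74 4B 8E "
    "88 CC 8C F2 F4 29 0C 4D CD 70 71 F3 2E 75 32 B4 32 34 35 33 37 B2 32 B0 B2 04 01 2B 73 2B 2B 2B "
    "2E 2E 00"
)
LOCAL_SIG = b"PK\x03\x04"
# 30-byte local file header: signature, version, flags, method, DOS time, DOS date,
# CRC-32, compressed size, uncompressed size, file name length, extra field length
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")


def dos_datetime(dos_time, dos_date):
    """MS-DOS packed fields: hhhhh mmmmmm sssss (2-second units) / yyyyyyy mmmm ddddd (from 1980)."""
    return (1980 + (dos_date >> 9), (dos_date >> 5) & 0x0F, dos_date & 0x1F,
            dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def parse_extra(extra):
    """Decode the two Info-ZIP extra fields present in this entry; other ids are kept raw."""
    fields, pos = {}, 0
    while pos + 4 <= len(extra):
        fid, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
        if fid == 0x5455:  # "UT": flags byte (bit0 mtime, bit1 atime, bit2 ctime), then 32-bit Unix times
            times = [struct.unpack_from("<I", data, 1 + 4 * i)[0] for i in range((len(data) - 1) // 4)]
            utc = [datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S") for t in times]
            fields["UT"] = {"flags": data[0], "times": times, "utc": utc}
        elif fid == 0x7875:  # "ux": version, uid size, uid, gid size, gid (little-endian)
            ul = data[1]
            gl = data[2 + ul]
            fields["ux"] = {"version": data[0],
                            "uid": int.from_bytes(data[2:2 + ul], "little"),
                            "gid": int.from_bytes(data[3 + ul:3 + ul + gl], "little")}
        else:
            fields["0x%04x" % fid] = data
    return fields


def parse_local_header(buf, off=0):
    """Parse the local file header at buf[off:]; data_off is where the packed data starts."""
    (sig, version, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = LOCAL_HDR.unpack_from(buf, off)
    if sig != LOCAL_SIG:
        raise ValueError("no local file header at offset 0x%x" % off)
    pos = off + LOCAL_HDR.size
    name = buf[pos:pos + name_len].decode("ascii", "replace")
    pos += name_len
    extra = parse_extra(buf[pos:pos + extra_len])
    pos += extra_len
    return {"version": version, "flags": flags, "method": method, "crc32": crc,
            "mtime": dos_datetime(mtime, mdate), "csize": csize, "usize": usize,
            "name": name, "extra": extra, "data_off": pos, "data": buf[pos:pos + csize]}


def inflate_and_check(entry, data=None):
    """Inflate the raw deflate stream; return the plaintext only if size and CRC-32 match the header."""
    data = entry["data"] if data is None else data
    if entry["method"] != 8:
        return None
    try:
        out = zlib.decompress(bytes(data), -15)  # -15: raw deflate, no zlib/gzip wrapper
    except zlib.error:
        return None
    ok = len(out) == entry["usize"] and (zlib.crc32(out) & 0xFFFFFFFF) == entry["crc32"]
    return out if ok else None


def find_flipped_byte(entry):
    """Assumption (mine, not the page's): exactly one packed byte was XOR-ed with 0xFF.
    Flip each position in turn; the one whose inflate matches the header CRC is the damaged byte."""
    for i in range(len(entry["data"])):
        trial = bytearray(entry["data"])
        trial[i] ^= 0xFF
        out = inflate_and_check(entry, trial)
        if out is not None:
            return entry["data_off"] + i, out
    return None


def build_local_entry(name, plaintext):
    """Build a minimal deflated local entry (no extra field) for round-trip checks; constructed, not firmware."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = comp.compress(plaintext) + comp.flush()
    hdr = LOCAL_HDR.pack(LOCAL_SIG, 20, 0, 8, 0x5611, 0x482F, zlib.crc32(plaintext) & 0xFFFFFFFF,
                         len(packed), len(plaintext), len(name), 0)
    return hdr + name.encode() + packed


def main():
    e = parse_local_header(SHADOW_ENTRY)
    print("%s: method %d, %d -> %d bytes, CRC-32 0x%08X" % (
        e["name"], e["method"], e["csize"], e["usize"], e["crc32"]))
    print("DOS mtime %r local, UT %s UTC, ux %r" % (e["mtime"], e["extra"]["UT"]["utc"], e["extra"]["ux"]))
    plain = inflate_and_check(e)
    if plain is not None:
        print("inflated OK, CRC matches:", plain)
    else:  # a wrong byte somewhere: is it one XOR-FF flip, like the one the author found at 0x5F?
        print("CRC mismatch; single-flip repair:", find_flipped_byte(e))


if __name__ == "__main__":
    main()
```

Two things the parse shows that the hand decoding above does not: the UT stamp 0x56985E02 is 2016-01-15 02:48:34 UTC while the DOS stamp in the same header says 10:48:34 local time, so the archive was built on a machine set to UTC+8; and because the local header carries the CRC-32 of the plaintext, inflating and comparing is the authoritative check on whether every byte of a dump (or an XOR reversal) is right, with no need to eyeball the output.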