Another XML config table has been extracted from the firmware image of a 2Wire 2701HGV-C. This is the root RSA private key, broken down into its components.
<?xml version="1.0" encoding="UTF-8"?>
<CM VERS="1">
<TABLE NAME="keys" B="6.3.9.41" B0="6" B1="3" B2="9" B3="41">
<ROW ID="0">
<P N="type" T="S">root_rsa</P>
<P N="key_len" T="U">0x00000262</P>
<P N="key_data" T="VB">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</P>
</ROW>
</TABLE>
</CM>
The hexdump of the private key can be broken down into its components: [1]
RSA 1024-bit private key:

key length: 0262
header: 3082025e (0x3082 == ASN.1 Sequence)
separator: 0201 (0x02 == integer and 0x01 == 1 byte long)
algorithm version: 00 (0x00 == algorithm version zero)
separator: 028181 (0x02 == integer and 0x81 == 129 bytes long)
modulus: (129 byte modulus, starts with a null (0x00) - remove this)
  00
  ee6fe39369ab015ea885a9f91dc032f5
  a0b425aac3ce42b384108f1d6a84e29b
  5f7d8ef3c16899bc65a6a3c8cf55cc26
  e6b1f9569d431709e683f22cefa73042
  9c405794d99c681619857909c4879ed8
  d57e39701ef41760a3b5837acbcf8a29
  118ecefdd6c378cff3e69ba284b96da2
  38dfa1dc93ac0e0c8654680eda269a9d
separator: 0203 (0x02 == integer and 0x03 == 3 bytes long)
public exponent: (3 bytes)
  010001 (integer value 65537, Fermat Number F4)
separator: 028180 (0x02 == integer and 0x80 == 128 bytes long)
private exponent: (128 byte)
  18b3248b0fc634351f16019e99d36034
  0bbabdb02bea810461a8e97a6d9f686e
  19fd42c2c385576fa9c4127169f1045d
  ff45ee8367751cbcdcd14c54155b6767
  3be2452417af5231c3455fa48e50799f
  23a71f5285a22860520b62bb04d2b2ed
  bfce29d3093813003fd0a7d2fafef0f5
  1344b42298f309ab13454ac79c525cad
separator: 0241 (0x02 == integer and 0x41 == 65 bytes long)
prime1: (65 bytes - starts with a null - remove this)
  00
  f892f234d33420b572a2f146f5378140
  426e42d8c9454c343ff49aa9118f187a
  405bd524b20b32f6ecc418df2ef6bfe8
  3143cad9bfd8a4716285c28c9b968b83
separator: 0241 (0x02 == integer and 0x41 == 65 bytes long)
prime2: (65 bytes - starts with a null - remove this)
  00
  f58f6aca983573f1ffb84cf066856646
  22617d2f431ad3ad6928299fc7fcf4bd
  3b5019bde0fdf2f408a58f5562958b39
  22940e8b2d352a8dcb244794e7f2c75f
separator: 0241 (0x02 == integer and 0x41 == 65 bytes long)
exponent1: (65 bytes - starts with a null - remove this)
  00
  84355bff7eaa060f9be650600642bc4b
  1a4a1ce1c2c349d1ac8683d01297c254
  1b70fc7fa4f6d1e7856c9331f97fa1f8
  7463733bb78f197f79005dc67d6667d3
separator: 0241 (0x02 == integer and 0x41 == 65 bytes long)
exponent2: (65 bytes - starts with a null - remove this)
  00
  82f80d1324ff4d69c2e3ff5530b8f185
  728ce081b69eb64b850c80b6d1a95eb7
  16cd700d4fd4e221ba02e361bd04d98e
  8d9cbded091d9426b03417619a1c68ad
separator: 0241 (0x02 == integer and 0x41 == 65 bytes long)
coefficient: (65 bytes - starts with a null - remove this)
  00
  b124ef836c3b3e881e89ae688bb29ab5
  51e523036dd704c7de25d9aaf2a3f4c4
  cdf68440970787265064097f00a913c9
  280052a43df21c8e3246d7261faf87fc
Awesome! Is this the key used to sign the firmware, or the router’s private key?
Hi Ben,
It’s not at all clear what this key is used for. Ryanc has been studying the certification and key(s) used for 802.1x authentication, so it could be a key for that. [1]
Alternatively, it could be a host key for the ssh daemon which appears to be in the 2Wire firmware but isn’t started by default at boot.
Ryanc provides a very useful one-liner to obtain a PEM format dump of the key above:
$ perl -pe 'print pack("H*", $_); $_ = ""' < key.hex | openssl rsa -inform der -text
cheers, a
[1] http://www.dslreports.com/forum/r26523065-Success-bypassing-the-3800HGV-B-with-a-3rd-party-VDSL2-modem
Hey asbokid, I may be able to provide you with some things to help your research. Email me if you are interested. jcrash2012@gmail.com
Hi Jcrash,
Please share