Just for reference, this device is very similar to DIR-1950, which is also based on MT7629 and uses the same firmware encryption format. The problem with OpenWrt was that wifi and the second CPU core are not yet supported, c.f. OpenWrt support for D-Link DIR-1950 rev. A1
The decryption keys are derived using HMAC with the model name as input and model string as key, both can be found as plaintext in the image header:
echo -n DIR-1750 | openssl dgst -sha1 -hmac MT7629B_DIR-1750-S1-1904
will result in the key 8825167f33caba4fb71519db9313d6d41003121e
To decrypt, strip the first 0x74
bytes from the header (should start with Salted__
) and run
openssl aes-256-cbc -d -md md5 -in DIR-1750A1_FW111B03_noheaders.bin -out DIR-1750A1_FW111B03_decrypted.bin -k 8825167f33caba4fb71519db9313d6d41003121e
It is important to enforce -md md5
here, as this is no longer the default with current versions of OpenSSL (unlike the one present on the router).