Support D-Link DIR-X3260?

In my bold attempt just now
Found that you can run a tampered bootloader

Maybe can give up all the stock firmware
Use UBI format like E8450

(Because I want to make it easier for me to use TFTP to write firmware, I modified the default IP inside the bootloader)

I was thinking this will have different keys for decryption
but if you have convinced yourself you can recover by uploading your dumped firmware file back
time to make your own
you should work towards making an image to flash via the recover interface
but looks like you are on your way :slight_smile:

firmware backup

Do not use on other X3260, other D-Link models and other brands of routers

p.s.
To use on other X3260, only firmware partition files can be used

It can be used as unencrypted TFTP recovery firmware.

After all, the original factory does not seem to provide unencrypted TFTP recovery firmware

Awesome, I couldn't make DIR-X1860 or COVR-X1860 boot an image loaded via tftp (lzma error 1), only the D-Link one extracts fine (until kernel panic when it can't find rootfs).
Image header is also 0xDOODFEED, maybe there's still something wrong with the image format, or SGE used some proprietary lzma modifications...

Thanks, I'll have a look at the crypto stuff when I'm back at my main machine :slight_smile:

make sure you are loading the correct image type
initramfs-kernel should not be looking in flash for any files system

I gave up

Can roughly make DTS configuration

But firmware mirroring is a bit difficult
Always trigger firmware check

It seems I need to buy a Linksys E8450

I was thinking that this shit thing is the same as the E8450 hardware specification

But the problem on the firmware is a big trouble

I can't do it with my previous experience

I do it in an informal way
(Because of solder workstation failure and no corresponding FLASH programmer)

Suggest not to follow up

You need a FLASH programmer and solder workstation

yer they do take a while the newer the longer
I see the OEM firmware was based off LEDE
so I imagine a lot has changed

Awesome, turns out DIR-X3260 seems to use the same image format as COVR-X1860 :joy:
There is a binary /bin/imgdecrypt which is called by prog.cgi (web update), fota (auto-update) and - first time I see this with a router :slight_smile: - ble_agent, so it seems we will finally be able to flash devices via bluetooth one day....

The binary imports dimgKey() from libcommon.so, which reads /etc/enk.txt (contents are different than for COVR-X1860), and performs some base64 "deinterleaving" magic... After all, this may need some time to further evaluate...
By the way, did you happen to find any way of accessing the shell on the OEM firmware on this device? Would be so cool to call the imgdecrypt binary, just to see the AES key printed to stdout :innocent:

@s_2 sorry not much input to bring here but just to point out that if you download the source code provided above you should find a few keys in one of the folder (I have no idea if that would help).

I also found the u-boot source code and dlink left the mt7621 uboot source (seems like a new version rather than the old one used in the DIR routers). It did work on my mt7621 device with a lot of features (and a different way to boot).

There is also a nice document to explain some of the main options. This is obviously not to be used by everyone as you get one shot each time (I do have an in circuit NAND programmer so I just rewrite original u-boot).

That was indeed more than expected, thanks :innocent: Hopefully useful for other devices as well, last time I checked there were no GPL sources available for COVR-X1860... (only X1870 which is Broadcom).

Will need some time to verify and further investigate though...

now I know why I kept getting confused I was looking up DIR-x1860
doh COVR-X1860 is a different thing all together

yup, there is also DAP-X1860, a wall-plug repeater with MT7621, but seemingly neither from SGE nor Alpha Networks. Yet another Image format, encrypted.< made by Edimax, using the ELX image format like other new DAP devices (probably not encrypted... but there's no image available by now).
And of course DWA-X1850, world's first USB 3.0 ax adapter, with Realtek RTL8832AU :sweat_smile:


Hello all!
Sorry for the question, OpenWRT n00b here (I just have 1 device with it as of now) - was wondering, after reading all your comments ... whether or not this device can run OpenWRT; or will it be able to run it one day?

I understand it's good news it's based off Mediatek chipsets - but I also seem to understand it's complicated to dump the existing firmware and finally I'm not sure whether or not it can run "non official" firmwares.

Thanks in advance for clarifications! - looking at this offer: https://www.bestbuy.ca/en-ca/product/d-link-wireless-ax3200-dual-band-wi-fi-6-router-dir-x3260/15472215

nevermind, I just ordered https://www.bestbuy.ca/fr-ca/produit/routeur-sans-fil-wi-fi-5-bibande-ac1750-max-stream-de-linksys-ea7300-ca/12568069 - people seem to be able to run openwrt on it

Currently I am using the E8450 openwrt firmware with no modifications at all
(UBI partition includes U-BOOT dedicated to E8450 UBI partition)

X3260 can be started

Does this help with running openwrt on this machine?

Because I have a headache about doing anything on the original D-link encrypted firmware
(includes dual boot partition and firmware verification)

I want to just skip that shit

Where did you find the DIR-X3260 firmware back then?

I spent a little more time fumbling with dimgKey() and the interleaving etc., I think I can at least decrypt these now, i.e. I successfully decrypted COVR-X1860 firmware, but it seems we don't have the RSA key yet (however recovery flashing ought to be possible). Haven't checked the .pem file from X3260 source, but that GPL Code was still a great help in verifying the deinterleaving process for keys generation from /etc/enk.txt :slightly_smiling_face:

Basically, instead of the key1, key2 and iv hardcoded values to decrypt the actual key (that encrypts the image data itself), called vendor key in my version of dlink-sge-image.c, this key is derived from enk.txt, which is base64 decoded and then a few bytes will be swapped, according to a pattern hardcoded in libcommon.so, in blocks of 8 bytes.

While COVR-X1860 uses actual/vendor key he9-4+M!)d6=m~#$, it should be rt9-4%^+M!)d6=m~ for X3260, just as found in the GPL source (key.txt). This should allow you to decrypt it (i.e. overwrite vendor_key in main() at line 342: https://github.com/openwrt/openwrt/pull/4174/files#diff-513418fa7418f34ce09356a09cdd05145b324b70f5020b07936e5f0c38a06ebfR342)

Now I just need an OEM firmware to verify this, could not find any on various D-Link FTPs :man_shrugging:
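The derivation described in the post above (base64-decode enk.txt, then swap bytes inside each 8-byte block), as an added example that is not part of the original thread and not code from dlink-sge-image.c or libcommon.so. The swap pattern, the function names and the sample input are assumptions made for illustration; the real pattern is not given on this page.

```python
import base64

BLOCK = 8      # block size stated in the post
KEY_LEN = 16   # matches the 16-character keys quoted in the post

# Hypothetical swap pattern: pairs of offsets exchanged inside every
# 8-byte block. The real pattern is hardcoded in libcommon.so and is
# not reproduced here.
SWAP_PATTERN = [(0, 5), (2, 7)]


def swap_blocks(data: bytes, pattern=SWAP_PATTERN, block=BLOCK) -> bytes:
    """Apply the per-block byte swaps; no secret is involved."""
    if len(data) % block:
        raise ValueError("length must be a multiple of the block size")
    out = bytearray(data)
    for base in range(0, len(out), block):
        for i, j in pattern:
            out[base + i], out[base + j] = out[base + j], out[base + i]
    return bytes(out)


def derive_vendor_key(enk_text: str) -> bytes:
    """enk.txt contents -> key: base64 decode, then undo the interleaving."""
    raw = base64.b64decode(enk_text.strip(), validate=True)
    if len(raw) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} bytes, got {len(raw)}")
    # Disjoint swaps are their own inverse, so one pass undoes them.
    return swap_blocks(raw)


def make_sample_enk(key: bytes) -> str:
    """Build a constructed enk.txt-style string for testing (not a real file)."""
    return base64.b64encode(swap_blocks(key)).decode() + "\n"


if __name__ == "__main__":
    sample_key = b"0123456789abcdef"            # constructed, not a real key
    enk = make_sample_enk(sample_key)
    print("sample enk.txt:", enk.strip())
    print("derived key   :", derive_vendor_key(enk))
```

Because the swap step uses no secret, a key stored this way is only obfuscated: anyone who has the firmware's library and enk.txt can recompute it.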

Did you try the dlink GPL website? It looks like it's got 3 versions of it (not sure if that's what you are after). Plus source code as a bonus.

https://tsd.dlink.com.tw/ddwn

I have the GPL code (including the keys), now I just can't find the encrypted OEM firmware download from D-Link :joy: I see that @Lucky1 had a DIR-X3260 folder on his server back then, but it's 404 now.

// edit: Sorry, I really hadn't expected the actual firmware to be available from the GPL website as well, should have read "plus source code as a bonus" more precisely :innocent:

Nevermind, I found the firmware on the Australian website, it's neither on the German nor US ftp:
http://files.dlink.com.au/products/DIR-X3260/REV_A/Firmware/DIRX3260A1_FW101B05/

Looks good so far, i.e. bootloader flashing should be possible, as long as the device responds to reset button pressed during power-on :slightly_smiling_face:

DIRX3260A1_FW101B05_decrypted.bin
COVR-X1860_RevA_Firmware101b05_decrypted.bin