WinkelCode · December 23, 2023 00:35
diff --git a/tplinkcfgutil.sh b/tplinkcfgutil.sh
 #!/usr/bin/env bash
 set -e

 file=$2
 if [ ! -f "$file" ]; then
 	echo "File '$file' not found"
 	exit 1
 fi

 secret="2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836"
 init_vector="360028C9064242F81074F4C127D299F6"
 openssl_cmd="openssl aes-256-cbc -K $secret -iv $init_vector"
 model_checksum="e5572c6206c59ea734a63be72179cd2c" # RE700X

 # Basic Explanation:
 # config.bin is encrypted and zlib compressed
 # within that, the first 16 bytes are a checksum of the device model
 # the rest is again encrypted and zlib compressed
 # finally, within that is the actual config.xml file
 #
 # Thanks to: https://www.lisenet.com/2023/gaining-ssh-access-to-tp-link-re200-wi-fi-range-extender/ for figuring it all out.
 # Secret and init_vector seem to be the same for various TP-Link devices.
 #
 # !!! To properly re-encode the config.xml, set the model_checksum variable based on your device !!! - Grab it easily using the 'n' option of this script.
 #
 # !!! !!! Before making any changes, do a de-/encode without changing the config.xml, the files should be byte-identical !!! !!!
 #
 # Note: This script was written for use with Alpine Linux, 'zlib-flate' comes from the 'qpdf' package.

 encode() {
 	echo "Encoding $file to ${file}_mod.bin"
 	model_checksum_binary=$(echo -n $model_checksum | xxd -r -p)
 	(echo -n $model_checksum_binary; zlib-flate -compress <"$file" | $openssl_cmd) | zlib-flate -compress | $openssl_cmd >"${file}_mod.bin"
 }

 decode() {
 	echo "Decoding $file to $file.xml"
 	$openssl_cmd -d -in $file | zlib-flate -uncompress | tail -c +17 | $openssl_cmd -d | zlib-flate -uncompress >"$file.xml"
 }

 get_device_model_checksum() {
 	echo "Getting device name from $file (use for model_checksum variable in script)"
 	echo -n "Device model checksum: "
 	$openssl_cmd -d -in $file | zlib-flate -uncompress | head -c 16 | xxd -p
 }

 if [ "$1" == "e" ]; then
 	encode
 elif [ "$1" == "d" ]; then
 	decode
 elif [ "$1" == "n" ]; then
 	get_device_model_checksum
 else
 	echo "Usage: $0 [e|d|n] <config.bin|config.xml>"
 	echo "e: encode config.xml to config.bin"
 	echo "d: decode config.bin to config.xml"
 	echo "n: get device model checksum from config.bin (use for model_checksum variable in script)"
 	exit 1
 fi

 echo "Done."
 exit 0
	#!/usr/bin/env bash
	set -e

	file=$2
	if [ ! -f "$file" ]; then
	echo "File '$file' not found"
	exit 1
	fi

	secret="2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836"
	init_vector="360028C9064242F81074F4C127D299F6"
	openssl_cmd="openssl aes-256-cbc -K $secret -iv $init_vector"
	model_checksum="e5572c6206c59ea734a63be72179cd2c" # RE700X

	# Basic Explanation:
	# config.bin is encrypted and zlib compressed
	# within that, the first 16 bytes are a checksum of the device model
	# the rest is again encrypted and zlib compressed
	# finally, within that is the actual config.xml file
	#
	# Thanks to: https://www.lisenet.com/2023/gaining-ssh-access-to-tp-link-re200-wi-fi-range-extender/ for figuring it all out.
	# Secret and init_vector seem to be the same for various TP-Link devices.
	#
	# !!! To properly re-encode the config.xml, set the model_checksum variable based on your device !!! - Grab it easily using the 'n' option of this script.
	#
	# !!! !!! Before making any changes, do a de-/encode without changing the config.xml, the files should be byte-identical !!! !!!
	#
	# Note: This script was written for use with Alpine Linux, 'zlib-flate' comes from the 'qpdf' package.

	encode() {
	echo "Encoding $file to ${file}_mod.bin"
	model_checksum_binary=$(echo -n $model_checksum \| xxd -r -p)
	(echo -n $model_checksum_binary; zlib-flate -compress <"$file" \| $openssl_cmd) \| zlib-flate -compress \| $openssl_cmd >"${file}_mod.bin"
	}

	decode() {
	echo "Decoding $file to $file.xml"
	$openssl_cmd -d -in $file \| zlib-flate -uncompress \| tail -c +17 \| $openssl_cmd -d \| zlib-flate -uncompress >"$file.xml"
	}

	get_device_model_checksum() {
	echo "Getting device name from $file (use for model_checksum variable in script)"
	echo -n "Device model checksum: "
	$openssl_cmd -d -in $file \| zlib-flate -uncompress \| head -c 16 \| xxd -p
	}

	if [ "$1" == "e" ]; then
	encode
	elif [ "$1" == "d" ]; then
	decode
	elif [ "$1" == "n" ]; then
	get_device_model_checksum
	else
	echo "Usage: $0 [e\|d\|n] <config.bin\|config.xml>"
	echo "e: encode config.xml to config.bin"
	echo "d: decode config.bin to config.xml"
	echo "n: get device model checksum from config.bin (use for model_checksum variable in script)"
	exit 1
	fi

	echo "Done."
	exit 0