------------------------------------------------------------------------------ DrayTek Vigor password recovery, config & firmware tools https://github.com/ammonium/draytools/ https://github.com/ammonium/draytools/wiki ------------------------------------------------------------------------------ draytools Copyright (C) 2011 AMMOnium <ammonium at mail dot ru> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. ------------------------------------------------------------------------------ This program uses code translated from Java code of Java-LZO compression program by Markus Oberhumer, author of LZO algorithm and its implementation: http://www.oberhumer.com/opensource/lzo/ Copyright (C) 1999 Markus Franz Xaver Johannes Oberhumer Copyright (C) 1998 Markus Franz Xaver Johannes Oberhumer Copyright (C) 1997 Markus Franz Xaver Johannes Oberhumer Copyright (C) 1996 Markus Franz Xaver Johannes Oberhumer The LZO library is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. The LZO library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with the LZO library; see the file COPYING. If not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. Markus F.X.J. Oberhumer <markus.oberhumer@jk.uni-linz.ac.at> http://wildsau.idv.uni-linz.ac.at/mfx/lzo.html ------------------------------------------------------------------------------ 1. Introduction ------------------------------------------------------------------------------ 1.1. The problem. ------------------------------------------------------------------------------ Modern DrayTek Vigor routers (V2xxx models, e.g. 2710, 2820, 2930 etc. and V3xxx, e.g 3200) compress and enrypt their configuration files, and their firmware (and the web interface filesystem) is also compressed. The router's owner may forget his router admin password one day. Resetting the device to factory settings may not be an option, e.g. if some complex network configuration has been done. 1) If you have a config file, but have lost/forgotten the login/password or, 2) even if you have lost everything, except the router, then draytools still can help you! THIS PROGRAM WAS MADE TO BE USED BY LEGITIMATE DEVICE OWNERS ONLY. IF YOU USE IT, YOU ACCEPT THAT YOU ARE DOING EVERYTHING AT YOUR OWN RISK. ------------------------------------------------------------------------------ 1.2. Features. ------------------------------------------------------------------------------ 1.2.1. Extract admin login & password from config files 1.2.2. Generate FTP master key based on router's MAC address 1.2.3. Decrypt DrayTek config files 1.2.4. Decompress DrayTek config files 1.2.5. Decompress DrayTek firmware files 1.2.6. Extract filesystem from DrayTek firmware files ------------------------------------------------------------------------------ 1.3. List of supported routers ------------------------------------------------------------------------------ For config file operations, refer to the corresponding list. For firmware operations, most DrayTek Vigor 2xxx routers should be supported (and some 3xxx also). The master password generator seems to work for all the models that have been tested for firmware operations. Config file operations tested on: 2700 2710 2800 2820 2830 2910 Firmware operations tested on: 2600 2700 2710 2800 2820 2830 2900 2910 2920 2930 2950 2955 3200 ------------------------------------------------------------------------------ 2. Installation and usage ------------------------------------------------------------------------------ 2.1. SEE INSTALL file for more details. 2.2. Execute: ------------------------------------------------------------------------------ $ python draytools.py --help Usage: draytools.py [options] file DrayTek V2xxx config file and firmware decryption/decompression tools Options: --version show program's version number and exit -h, --help show this help message and exit -o OUTFILE, --output=OUTFILE Output file name, %INPUTFILE%.out if omitted -t, --test Test mode, do not write anything to disk, only try to parse files -v, --verbose Verbose output Config file (*.cfg) commands: To be used on config files only -c, --config Decrypt and decompress config -d, --decompress Decompress an unenrypted config file -y, --decrypt Decrypt config file -p, --password Retrieve admin login and password from config file Firmware file (*.all, *.rst, *.bin) commands: To be used on firmware files only -f, --firmware Decompress firmware -F, --firmware-all Decompress firmware and extract filesystem -s, --fs Extract filesystem -O OUTDIR, --out-dir=OUTDIR Output directory for filesystem contents, "fs_out" by default Miscellaneous commands: Some other useful stuff -m MAC, --master-key=MAC Generate FTP master key for given router MAC address. To login to FTP enter "admin" as username and generated master key as password Examples: To print login&password from the config file: $ python draytools.py -p config.cfg Login and password will be displayed To decrypt & decompress the config file: $ python draytools.py -c config.cfg Raw config file "config.cfg.out" will be produced To extract firmware and filesystem contents $ python draytools.py -F firmware.all Uncompressed firmware will be written to file "firmware.all.out" Filesystem will be extracted to "fs_out" folder. ------------------------------------------------------------------------------ ... and have fun. 2.3. ... or even use draytools.py & pydelzo.py in your projects (GPL v3). ------------------------------------------------------------------------------ 3. Known BUGs and other notes ------------------------------------------------------------------------------ 3.1. Input is not validated, many stupid default assumptions are being made. 3.2. If draytools is not working for your box, visit https://github.com/ammonium/draytools/issues or email me. 3.3. Almost no error handling (sorry for being so lazy). ------------------------------------------------------------------------------ 4. TODOs ------------------------------------------------------------------------------ 4.1. Further research of config file format (VPN, firewall rules, ...) 4.2. Further research of firmware file format (checksums?) 4.3. Try building custom firmware :) ------------------------------------------------------------------------------