The following is my description of how I figured out how to decode the D-Link settings file (aka decrypt gws). If you don’t care how I figured it out, skip to the end for VB.Net code samples and an executable.
I have a DIR-628 wireless router that is having issues. There is a firmware update available, but my issue is not mentioned in the readme for the firmware.
Normally when I upgrade the firmware, I will dump out a settings file, perform the upgrade, reload the settings file, and rejoice in the time saved not having to reconfigure. This time, though, I think I would like to have a clean slate – but there are some options that include passwords I don’t recall offhand, so I figure I can just dump out the settings file, and take a look at it to get all that info…
Wrong. The settings file is binary gobbledygook.
The default file name is gateway_settings.gws, and the file is about 175k.
I gave Google a thorough searching, and had no luck – it looks like other people are searching for GWS format, or GWS file, but there were no meaningful pages that I could find.
Next I downloaded trid_w32 – a neat little utility for identifying file types. I thought maybe it was compressed or something…
No dice.
So I decided to use the reverse engineering method – make some changes, and observe the result in the file.
I created a firewall rule named “AAAAAAAAAAAA”, and saved the settings; then renamed the rule to “BBBBBBBBBBBB”, and used a nice binary comparison tool (HexCmp in this case) to see what my changes did.
The A’s within the file had become “78 79 7A 7B 7C 7D 7E…” – they were shifted, but that offset increased by 1 for each character. This I can fix!
I then decoded the character before the first A – it was a “>”. Could it be? Could this file really be XML??
Worked backwards a couple more characters and had “name>AAAA…” – yes indeed! The decoded file will be XML!!
The next question was where to begin – what will be the shift of the first character? If the file is xml, I can be pretty sure the first character is a “<” – and this is the first character of the .gws file.
After much fooling around in VB.net, and battling with modulus math, I had the encoder formula:
encodedByte = (positionNbr + CharacterCode) mod 256
Decoding was a bit trickier: as long as (position mod 256) + characterCode is less than 256, you can just subtract. If it is not, the encoded byte has wrapped around past 255 and you have to work a bit harder. If I had more time, I bet there is a way to write a single formula to restore the character code, but I was able to do it with an IF statement.
Here is the VB.net function for decoding a byte array containing the .gws file
    Function decodeGWS(ByRef encodedGWS As Byte()) As String
        Dim chrMax As UInteger
        Dim decodedGWS As Char()
        chrMax = encodedGWS.GetUpperBound(0)
        ReDim decodedGWS(chrMax)
        For i As UInteger = 0 To chrMax
            ' Encoded byte smaller than the shift: the encoder wrapped past 255
            If encodedGWS(i) < (i Mod 256) Then
                decodedGWS(i) = Chr((256 + encodedGWS(i)) - (i Mod 256))
            Else
                decodedGWS(i) = Chr(encodedGWS(i) - (i Mod 256))
            End If
        Next i
        Return decodedGWS
    End Function
And it works like a charm. The file is actually a great big XML containing all the available options.
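The same shift also decodes with one modular expression, which removes the IF statement. The Python below is an added example, not the utility from this post; the function names and the sample XML (padded so the rule name starts at offset 55) are constructed for illustration. It also repeats the known-plaintext check that exposed the scheme.

```python
"""Added example: the position-keyed byte shift used by .gws settings files."""


def gws_encode(plain: bytes) -> bytes:
    # encodedByte = (positionNbr + CharacterCode) mod 256, as given in the post
    return bytes((b + i) % 256 for i, b in enumerate(plain))


def gws_decode(encoded: bytes) -> bytes:
    # Python's % never returns a negative result, so one expression covers
    # both the plain-subtract case and the wrapped case.
    return bytes((b - i) % 256 for i, b in enumerate(encoded))


def recover_shifts(encoded: bytes, offset: int, known: bytes) -> list:
    """Shift applied to each byte, given known plaintext at a known offset."""
    return [(encoded[offset + k] - p) % 256 for k, p in enumerate(known)]


def shifts_follow_position(shifts: list, offset: int) -> bool:
    """True when every recovered shift equals its file position mod 256."""
    return all(s == (offset + k) % 256 for k, s in enumerate(shifts))


# Constructed sample (not a real router export). The 55-byte prefix places
# the rule name where the encoded A's come out as 78 79 7A ..., as observed
# in the post.
PREFIX = b"<config>".ljust(49) + b"<name>"
SAMPLE = PREFIX + b"A" * 12 + b"</name></config>"
NAME_OFFSET = len(PREFIX)  # 55

if __name__ == "__main__":
    enc = gws_encode(SAMPLE)
    # Position 0 has shift 0, so the leading "<" survives encoding unchanged.
    print(enc[:1], enc[NAME_OFFSET:NAME_OFFSET + 7].hex(" "))
    shifts = recover_shifts(enc, NAME_OFFSET, b"A" * 12)
    print(shifts, shifts_follow_position(shifts, NAME_OFFSET))
    print(gws_decode(enc) == SAMPLE)
```

A constant shift per position like this gives no confidentiality: anyone holding an exported settings file can read the passwords in it, so backups deserve the same handling as the credentials themselves.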
Here is the little utility I wrote to decode the file:
GWS Decoder Utility
For completeness’ sake, I included encoder functionality, and I have verified that the output is identical to the original file when no changes are made to the XML file, but I really don’t know what would happen if you tried to make changes to the XML and load it back onto your router. If you want to try it, don’t come crying to me when your router gives up its magic smoke, or your house burns down.
Hopefully somebody finds this helpful!
Update 9/22/2010
There are a couple comments from people saying the utility doesn’t work with some different routers. The only way I could even try to fix it is to get sample files. Nobody has responded to my requests for samples yet.
Update 6/2/2011
A user has commented that Norton is reporting the file as containing malware. I checked the file on virustotal.com as well as virusscan.jotti.org and it came back 100% clean. When I can find the source I will try to rewrite it in C# (for self respect purposes) but until then if you don’t trust me, you can feel free to decompile the contained executable – or check it yourself with multiple scanners.
Thank you, this saved me lots of work at 1:23am on a Sunday night after I did a quick firmware upgrade which left my settings file unusable. Using a DIR-655 in this case.
Works like a charm in decrypting my config files for my dgl-4500. Haven’t had a chance to test the encryption yet but I’m almost positive it will work.
Your utility does not work for the EBR-2310, Hardware Revision B1, Firmware 2.01, however, you can extract passwords from it by using view-source, locating the password tag and noting the _VALUE attribute. Next, you type javascript:alert(_VALUE); in the address bar (replace _VALUE with the attribute you noted), and the password will pop-up in a message box. Thanks for your work!
Fantastic idea! I have used the reveal hidden fields add-on for Firefox several times to get around limitations in the D-Link interface. Thanks for the tip!
I can supply you with D-Link EBR-2310 files. Just let me know what you want to see in what fields.
I need two settings files. First, create a firewall rule with a name of “AAAAAAAA” and save the settings file. Then update that same firewall rule (do not touch anything else) to be named “BBBBBBBB” and save a new settings file. It is important that you maintain the same number of characters, and do not modify anything but the name.
Zip up both these files and send them to me. My email is first initial, last name at gmail dot com.
Thanks!
I almost just lost my router config. after it refused to upload my saved gws file. Thankfully disabling the https connection solved the problem…but I downloaded and tested this app anyways! This can very easily be a life saver, thank you for compiling this and sharing it!
Router: DIR-655
Thanks….!!
DIR-635
Hardware Version: B1
Firmware Version: 2.32EA
here it is in C:
http://mastamappa.comcast.net/xfer/GWSencdec.zip
tested on D-Link DGL-4500
stupid comcast changed their rule
http://home.comcast.net/~mastamappa/xfer/GWSencdec.zip
thank you so much, works like a charm on DIR-615 Hardware Version: B2 Firmware: 2.25
Hi Jason,
6/2/2011
I just downloaded the gwscoder.zip file using the link on this page. (http://www.shulerent.com/media/1/20090821-GWSCoder.zip).
When I went to unzip it, my Symantec Norton Internet Security 2011 system detected a morphed virus named Suspicious.Cloud.2 and categorized it as high risk and deleted the file.
I am submitting the zip file for further research to Symantec, referencing this web page on your behalf. Either the file has been mis-diagnosed, or there is a morphed virus that has been introduced into the file.
Thanks for letting me know – I’ll double-check the file to see if it has been altered – I’ve had plenty of false positives with Symantec in the past, but I find it hard to believe that my little app could resemble a virus…
I just ran the file through virustotal.com as well as http://virusscan.jotti.org (services that check uploaded files against multiple scanning engines) and both came back clean. Not sure what Norton is doing, but I can assure you the file is malware-free. Please feel free to use reflector to reverse engineer.
Good news, I received a response from Symantec from my submission of the GWSCoder.exe file as a false positive. Symantec agreed. The file will be whitelisted from their “suspicious” list and follow normal processing (which mark it clean). Here is their response: (forgive me for the length).
We are writing in relation to your submission through Symantec’s on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software. In light of further investigation and analysis Symantec is happy to remove this detection from within its products.
The updated detection will be distributed in the next set of virus definitions, available daily, or weekly via LiveUpdate, depending on Symantec product version, or daily from our website at
http://securityresponse.symantec.com/avcenter/defs.download.html.
Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.
If you are a software vendor, Symantec offers the possibility of adding your software to its database of known clean files in order to reduce the possibility of false positives. If you wish to participate in this program, please complete the following form.
https://submit.symantec.com/whitelist
Sincerely,
Symantec Security Response
http://securityresponse.symantec.com
——-
I will post when I get the new antivirus update that allows the file to pass without warnings.
Dave Baril
Good news confirmation.
As of 10AM, 6/3/2011 the current anti-virus updates for Norton Internet Security 2011 do NOT improperly classify the GWSCoder.exe file as a security risk.
The exe file can be extracted from the zip file and executed as expected.
All is now well (again). If Norton Internet Security 2011 users are having problems extracting GWSCoder.exe from the GWSCoder.zip file discussed on this posting, please perform a “LiveUpdate”.
Dave Baril
Thanks for your help Dave!
Thanks! This worked like a charm for the Cradlepoint MBR1000. As it looks right now, if you have a custom billboard set (maybe it is certain characters in the billboard) it will spit out an incomplete GWS file. Now I am off to see what the “reveal hidden fields” plugin is all about. Thanks!
Thanks. Worked like a charm on DIR-365. Forgot DSL password, now I have it back!
Thank you so much! For some unknown reason, my DIR-855 kept rejecting restoration from a .gws file that was saved using the same firmware as it currently has installed. This worked like a charm and saved me lots of time from having to reconfigure my router from scratch 🙂
I am looking for way to open DWL-3200AP config file. Is there any hope?
Pegasus:
I can try, but you will need to send me some files. Can I email you at the address you used to post?
Hi Jason,
It’s great to have a tool that can decrypt the D-Link routers which uses/exports configuration file in GWS.
There is a new all-in-one router, DVG-N5204SP which isn’t available for retail market. It seems D-Link developed this product solely for telcos and very restrictive in its web mgmt GUI. The telco has been rather secretive and does not allow use of other RG (residential gateway) besides the two RGs that they provide. And both (one is from Huawei, one is this 5204) are not performing well and really doesn’t give credit to the FTTH (Fiber) connection that the RGs are meant for.
And as such, I am looking at ways to decrypt the configuration file so as to have a better understanding of the settings.
I have the configuration file which I can send. If you need a few copies of the configuration file (making small changes) to compare, just let me know what are the appropriate settings to change and export the configuration file.
Best Regards,
Anthony
Hi Jason,
I used your algorithm on a ‘gateway_settings.gws’ file from a TrendNet TEW-631BRP router; here is a Perl implementation … ‘perl ThisCode YourGWSFileName’ (FWIW):

    use strict;
    # Shift for the current byte; starts at -1 so the first byte gets shift 0
    my $modulus = -1;
    die "One input file name required\n" unless @ARGV == 1;
    my $infile = $ARGV[0];
    open(IN, '<' . $infile) or die "Error opening '$infile' for read:$!";
    binmode(IN);
    # Read the whole file, split it into bytes, and undo the per-position shift
    print join('', map {
        $modulus = ($modulus + 1) % 256;
        chr( (256 + ord($_) - $modulus) % 256 );
    } (split(//, join('', (<IN>)))));
    close(IN);

Thanks Jason. Your program also works for the gateway_settings.gws from D-Link Systems DIR-655. I Appreciate your work. While searching for the definition of a *.gws file, I came upon your blog. I found the answer and your great little utility. Thanks again.
BIG thanks for your work! Some funny bug in DIR-28 firmware would not let me change the website filter rules. But editing the config/setting file and encoding it back did the trick.
Thanks Jason, it worked great for decoding and editing the .gws as an xml file.
When I tried to encode it back and upload it to my DIR-655 router I got an error message saying that the file is not valid.
I found this is very useful for using some config options that are not visible in the web GUI.
Could you please advise how to correct this so I can upload the encoded .gws file to my router?
Lots of thanks for your efforts!!
Hi,
My DIR-655 router Firmware is 1.35NA.
Any comment will be highly appreciated.
Thanks
I see others have already chimed in with C and Perl versions; for good measure, here’s a Python version, and the GitHub repo.
Here’s a PHP port as well, https://gist.github.com/3432496. I spent a bit of time trying to figure out how to decode the file so that I could compare it to another config for a different model. Unfortunately the other router (WBR-1310) stores its config in a different format 🙁
Worked great on a DIR 655, fantastic job, saved me hours of work switching out this router
Great work – thanks (DIR-655 1.2EU – 1.31EU doesn’t let you restore old settings). Your util helped me recover all my virtual servers etc. – Cheers!
Wow, greatly appreciate this program.
I have serious Issues with my DIR-655 forwarding any TCP Ports. Turns out that the most recent config file is full of ancient settings abandoned long ago. I have not figured out what the problem with TCP Forward is at this point but I think a factory reset might help. I also realized that some settings are shown differently in the config menu than in this config file.
Why does my router store settings (reserved IPs etc.) I’ve deleted and cannot see in the options? Only D-Link knows!
For my next router I hope that I can get an editable config file..
Thanks again for bringing some light into the obscure Router settings of my DIR-655
Firmware Version: 1.31EU
Hardware-Version: A3
Thanks, the internet still has some good stuff.
Doesn’t seem to work for my Dlink DIR 605L ‘s GWS file. The output file contains trash.
and my .gws file is only 28kb. Could it be that the file itself is not correct ? (I downloaded the .gws file from the dlink web setup wizard)
Thanks for the nifty tool! I googled “how to read .gws file” and google took me here. Your GWS Decoder worked perfectly on the access_point_settings.gws file from my LG-Nortel LNAP300N. All passwords were revealed in plain text. I also have a D-Link DIR-657, which does not use the .gws format. The DIR-657 saves its settings in plain text with a checksum, and directly reveals passwords.
Just wanted to say that you’re a fantastic human being. Did a FW upgrade on a DIR-655 with lots of custom port forwarding. Restore of my old GWS failed. Your app let me figure out what the settings were and saved me a ton of time. Thank you!
I just used this tool again for the first time in two years. Turned what would have been an all night firewall rule-building nightmare into about 15 minutes of XML editing.
Just came back to say thanks.
Say hi to August 2013! Your code lives on and continue to be a life saver!
Thx for that really helpful little tool! It works great on my DIR-635!
Perfect!
This worked to decode the gateway_settings.gws file of a CradlePoint MBR1200. I didn’t try changing anything and re-encoding it; I just wanted to make sure it was saving my DHCP reservations when I backed up the config… it was hard to tell since 1) the GWS file size stayed exactly the same (which indicates I’ll eventually hit a limit in how many reservations I can make), and 2) the GWS file was encrypted (somewhat).
The people having problems converting back from XML to GWS are probably changing the number of characters in the field[s] they’re editing… the fields likely need to be the same size when you’re done editing the XML as they were before starting, so they’ll load into the same registers mapped by the firmware in the Flash, et cetera… plus you probably shouldn’t change character sets, or ANSI/Unicode encoding like Notepad is wont to do when saving.
Anyway… thanks for the tool. It did come in handy.
You are a lifesaver. I think my old DIR-655 is about to die, so being able to get the settings out to be able to add to a new router is going to save me a great deal of time. Thanks.
Thanks man! I couldn’t import my gateway_settings.gws back into my router 🙁 It said bad value or something like that… So thanks to this tool I can at least know what my old values were and reinput them manually.
A life saver you are!
You are AWESOME!!!!
Do you have any experience with cfg.bin files for routers like the D-Link DIR-826L? I have the same issue as others (need a lot of configuration values, or just the admin password).
Thank you!
For those using a TM-G5240, this worked for me:
http://www.nirsoft.net/utils/router_password_recovery.html
Download config file and decode file using program. Cheers!
Thank you . . . much appreciated!
Unfortunately didn’t work on my DSL-2750E. Can I help? The files it saves are .cfg. I tried renaming to .gws. No luck. Stupid idea of DLink anyway to make them binary. First router of theirs I had did it in XML and was easy to edit and reupload.
Hi, do you know how to decrypt .bin config files from D-LINK DL 524? You will save my life if you know it… I can even pay you for the job. Please, do you know how to do it?
http://www.nirsoft.net/utils/router_password_recovery.html
It would be nice to post whole source code ? Cheers