Cracking the D-Link settings file

The following is my description of how I figured out how to decode the D-Link settings file (aka decrypt gws). If you don’t care how I figured it out, skip to the end for VB.Net code samples and an executable.

I have a DIR-628 wireless router that is having issues. There is a firmware update available, but my issue is not mentioned in the readme for the firmware.
Normally when I upgrade the firmware, I will dump out a settings file, perform the upgrade, reload the settings file, and rejoice in the time saved not having to reconfigure. This time, though, I think I would like to have a clean slate – but there are some options that include passwords I don’t recall offhand, so I figure I can just dump out the settings file, and take a look at it to get all that info…

Wrong. The settings file is binary gobbledeygook.
The default file name is gateway_settings.gws, and the file is about 175k.

I gave Google a thorough searching, and had no luck – it looks like other people are searching for GWS format, or GWS file, but there were no meaningful pages that I could find.
Next I downloaded trid_w32 – a neat little utility for identifying file types. I thought maybe it was compressed or something…
No dice.

So I decided to use the reverse engineering method – make some changes, and observe the result in the file.
I created a firewall rule named “AAAAAAAAAAAA”, and saved the settings; then renamed the rule to “BBBBBBBBBBBB”, and use a nice binary comparison tool (HexCmp in this case) to see what my changes did.

The A’s within the file had become “78 79 7A 7B 7C 7D 7E…” – they were shifted, but that offset increased by 1 for each character. This I can fix!

I then decoded the character before the first A – it was a “>”. Could it be? Could this file really be XML??
Worked backwards a couple more characters and had “name>AAAA…” – yes indeed! The decoded file will be XML!!

The next question was where to begin – what will be the shift of the first character? If the file is xml, I can be pretty sure the first character is a “<” – and this is the first character of the .gws file.

After much fooling around in VB.net, and battling with modulus math, I had the encoder formula:
encodedByte = (positionNbr + CharacterCode) mod 256

Decoding was a bit trickier, because as long as (position mod 256) + characterCode is less than 256, you can just subtract. If it is greater than 256, you have to work a bit harder. If I had more time, I bet there is a way to write a single formula to restore the character code, but I was able to do it with an IF statement.

Here is the VB.net function for decoding a byte array containing the .gws file

  Function decodeGWS(ByRef encodedGWS As Byte()) As String
    Dim chrMax As UInteger
    Dim decodedGWS As Char()
    chrMax = encodedGWS.GetUpperBound(0)
    ReDim decodedGWS(chrMax)

    For i As UInteger = 0 To chrMax
      If encodedGWS(i) < (i Mod 256) Then
        decodedGWS(i) = Chr((256 + encodedGWS(i)) - (i Mod 256))
      Else
        decodedGWS(i) = Chr(encodedGWS(i) - (i Mod 256))
      End If
    Next i

    Return decodedGWS
  End Function

And it works like a charm. The file is actually a great big XML containing all the available options.

Here is the little utility I wrote to decode the file:
GWS Decoder Utility

For completeness sake, I included encoder functionality, and I have verified that the output is identical to the original file when no changes are made to the xml file, but I really don’t know what would happen if you tried to make changes to the XML and load it back onto your router. If you want to try it, don’t come crying to me when your router gives up it’s magic smoke, or your house burns down.

Hopefully somebody finds this helpful!

Update 9/22/2010
There are a couple comments from people saying the utility doesn’t work with some different routers. The only way I could even try to fix it is to get sample files. Nobody has responded to my requests for samples yet.

Update 6/2/2011
A user has commented that Norton is reporting the file as containing malware. I checked the file on virustotal.com as well as virusscan.jotti.org and it came back 100% clean. When I can find the source I will try to rewrite it in C# (for self respect purposes) but until then if you don’t trust me, you can feel free to decompile the contained executable – or check it yourself with multiple scanners.

A better ALPS touchpad driver

If you have a dell inspiron 1545 like I do, you might be happy with your laptop. Happy with everything except this godawful excuse for a touchpad! (and the missing bluetooth, and wireless-N – but these can be resolved)

ALPS touchpads suck. They are jumpy, at the same time unresponsive and too responsive, the scroll feature never seems to work right the first time… so yeah. I don’t like it.

Turns out some of the issues can be mitigated by using Acer drivers. They are less customized, and include newer versions of various components. The scrolling is more reliable, and they don’t freeze up under load like the Dell drivers.

I used the drivers from here:
http://drivers.softpedia.com/get/KEYBOARD-and-MOUSE/OTHERS/Acer-Aspire-3810TZ-Notebook-ALPS-Touchpad-Driver-752021101-for-Vista.shtml

or search for Acer aspire ALPS drivers on google.

Hope this helps!

Essential Business Server 2008 .NET Framework 3.5 sp1 install fails

After getting all three servers up to date when installing EBS 2008, you will likely find one update that refuses to install – .NET Framework 3.5 sp1.

The EBS Team blog has a nice Powershell script that *should* fix it, but there’s a bug in the script.
Microsoft .NET Framework 3.5 SP1 (KB951847) Fails to install on EBS Servers

At least, there is a bug when you try to run it after updating everything else (including the server to sp2).

at the line that looks like :

$goodvalue = $badvalue.$frameworkguid -replace ("D\?\\", "C\?\\")

The replacement string should be “C?\”. The search string requires the question mark and slash to be escaped, but the replacement string does not. It is supposed to replace “D?\” with “C?\”, but instead it replaces it with “C\?\\” — which exists even less than the original path!

I have created two helpful scripts.

First, if you have not already run the script from the EBS Blog, use this one instead:
dotnetfixup_fixed.ps1

If you have used the bugged version of the script use this script to fix it. You will now be able to install the .NET updates.
repair_bugged_fixup.ps1

These are run from an elevated powershell prompt, not a command prompt.

Good luck!