Hex Editor - Peplink .diag files changed - Can they still be opened?


I have a somewhat obscure question.

My end goal is to be able to open .diag files that come from Peplink cellular routers for diagnostic purposes. I spend a lot of time working with them, and always have to send the files to Peplink for their opinion, as there is no way provided for me to view them myself.

While researching this topic, I found this old thread: https://serverfault.com/questions/303687/how-do-i-open-a-peplink-routers-diagnostic-report

Using this thread with OLD Peplink .diag files I was able to get them to open.

  1. I used Hexplorer to open the file. All of the files I opened that had the older firmware start with 2D B9 3A (-¹:).

  2. If I select all the text and run XOR with hex 32, all files now start with 1F 8B 08.

  3. From here, I simply save the file as a tar.gz and I am able to extract all of the logs from it.

  4. Works like a dream.

Unfortunately, the .diag files made from the past several years are now completely different.

When I open all of the new files with a hex editor they begin with 50 65 31 33 33 37 5F 5F (Pe1337__). I suspect this is now a different type of file header (maybe it's not tar.gz anymore).

I have tried using different XOR hex operations. I have tried using an XOR calculator and removing certain bytes, but thus far I haven't found a way to save the file as a working archive I can open.

At the end of the day, I have to admit that I don't know much when it comes to using a hex editor and I'm working on something that's above my head. How might I get this open?

Answer by PaulusParssinen

The newer diagnostic reports are encrypted using AES-256-CBC with the key 5pE8w17hJ8806874Y312naWEdf14fqFDSp143FDSnfp134njfr.

This key can be found in the /usr/local/ilink/bin/dump bash script. If you use OpenSSL for the decryption, you need to change the leading Pe1337 to Salted in order to avoid the "bad magic number" error.

I use the following one-liner to decrypt the diagnostic reports on Unix:

$ cat diag.report | sed 's/Pe1337/Salted/' | openssl aes-256-cbc -d -md md5 -pass pass:5pE8w17hJ8806874Y312naWEdf14fqFDSp143FDSnfp134njfr > report.tar.gz
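As an added example (not code from this thread and not Peplink's own tooling), the following Python script handles both report variants described above in one place: the XOR-0x32 unmasking from the question's steps, and the Pe1337 to Salted relabel plus AES-256-CBC decryption from the answer, with OpenSSL's EVP_BytesToKey(MD5) derivation written out so it is clear why the one-liner needs -md md5. It assumes the passphrase quoted in the answer and the OpenSSL "Salted__" layout (8-byte salt directly after the 8-byte magic, ciphertext after that); the sample report data is constructed inside the script. AES needs either the cryptography package or the openssl CLI on PATH.

```python
#!/usr/bin/env python3
"""Added example, not from the thread or from Peplink: decode both Peplink .diag
variants described above and confirm the result is a gzip (tar.gz) stream.

  old reports : 2D B9 3A ...  -> every byte XOR 0x32 -> 1F 8B 08 (gzip)
  new reports : Pe1337__ + 8-byte salt + AES-256-CBC ciphertext, i.e. OpenSSL's
                "Salted__" layout with the magic renamed; key/IV come from
                EVP_BytesToKey(MD5) over the passphrase quoted in the answer
                (assumption: that passphrase is still current for your firmware).
"""
import gzip
import hashlib
import shutil
import subprocess
import sys

GZIP_MAGIC = b"\x1f\x8b\x08"
XOR_KEY = 0x32
OLD_MAGIC = bytes(b ^ XOR_KEY for b in GZIP_MAGIC)   # 2D B9 3A, as in the question
NEW_MAGIC = b"Pe1337__"
OPENSSL_MAGIC = b"Salted__"
# Passphrase quoted in the answer (reportedly from /usr/local/ilink/bin/dump).
PASSPHRASE = b"5pE8w17hJ8806874Y312naWEdf14fqFDSp143FDSnfp134njfr"
SAMPLE_LOG = b"Constructed sample log line, not a real Peplink report\n"


def detect_format(data):
    """Classify a report by its first bytes."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data.startswith(OLD_MAGIC):
        return "xor32"
    if data.startswith(NEW_MAGIC):
        return "aes"
    return "unknown"


def xor32(data):
    """The hex-editor step from the question: XOR every byte with 0x32 (self-inverse)."""
    return bytes(b ^ XOR_KEY for b in data)


def relabel_header(data):
    """Pe1337__ -> Salted__. Both magics are 8 bytes, so salt/ciphertext offsets stay put."""
    return OPENSSL_MAGIC + data[len(NEW_MAGIC):]


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16):
    """OpenSSL's legacy KDF (what `openssl enc -md md5` uses): D_i = MD5(D_{i-1} || pw || salt)."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        prev = hashlib.md5(prev + password + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def aes_backend_available():
    try:
        import cryptography  # noqa: F401
        return True
    except ImportError:
        return shutil.which("openssl") is not None


def _aes_cbc(key, iv, data, decrypt):
    """AES-256-CBC with PKCS#7 padding via `cryptography`, else the openssl CLI with raw -K/-iv."""
    try:
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives import padding
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        cmd = ["openssl", "enc", "-aes-256-cbc", "-d" if decrypt else "-e",
               "-K", key.hex(), "-iv", iv.hex()]
        return subprocess.run(cmd, input=data, capture_output=True, check=True).stdout
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
    if decrypt:
        dec = cipher.decryptor()
        unpad = padding.PKCS7(128).unpadder()
        return unpad.update(dec.update(data) + dec.finalize()) + unpad.finalize()
    pad = padding.PKCS7(128).padder()
    enc = cipher.encryptor()
    return enc.update(pad.update(data) + pad.finalize()) + enc.finalize()


def decrypt_new(data):
    """The answer's procedure, done explicitly: relabel, split salt, derive key/IV, decrypt."""
    if not data.startswith(NEW_MAGIC):
        raise ValueError("not a Pe1337__ report")
    blob = relabel_header(data)            # now byte-identical to `openssl enc -salt` output
    salt, ciphertext = blob[8:16], blob[16:]
    key, iv = evp_bytes_to_key(PASSPHRASE, salt)
    return _aes_cbc(key, iv, ciphertext, decrypt=True)


def decode_diag(data):
    """Dispatch on the header and insist the result is gzip before handing it back."""
    fmt = detect_format(data)
    if fmt == "gzip":
        out = data
    elif fmt == "xor32":
        out = xor32(data)
    elif fmt == "aes":
        out = decrypt_new(data)
    else:
        raise ValueError("unrecognised .diag header: %s" % data[:8].hex())
    if not out.startswith(GZIP_MAGIC):
        raise ValueError("decoded data is not gzip: wrong key or changed format")
    return out


def gzip_payload(data):
    return gzip.decompress(data)


def make_old_sample():
    """Constructed old-style report: a real gzip stream masked with XOR 0x32."""
    return xor32(gzip.compress(SAMPLE_LOG))


def make_new_sample():
    """Constructed new-style report: OpenSSL salted layout with the magic renamed to Pe1337__."""
    salt = bytes(range(1, 9))              # constructed salt, any 8 bytes
    key, iv = evp_bytes_to_key(PASSPHRASE, salt)
    return NEW_MAGIC + salt + _aes_cbc(key, iv, gzip.compress(SAMPLE_LOG), decrypt=False)


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else "diag.report"
    with open(src, "rb") as f:
        result = decode_diag(f.read())
    with open(src + ".tar.gz", "wb") as f:
        f.write(result)
    print("wrote", src + ".tar.gz")
```

Whichever branch it takes, decode_diag refuses to return anything that does not start with 1F 8B 08, which is a cheap way to catch a wrong passphrase or a changed format before you try to untar garbage. The -md md5 in the answer's one-liner is not optional: OpenSSL 1.1.0 and later default to SHA-256 for this derivation, so the same command without it silently derives a different key and fails with a padding error. The decoded archive is the router's full diagnostic state, so store and share it with the same care as the device's configuration.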