PAP2T provisioning

Currently we provision our customers' adaptors by providing each adaptor the address of a TFTP server as part of the DHCP response. The config files reside on the server but presently in unencrypted form. How can we encrypt these and still have the adaptor understand them? The documentation does give a couple of hints but is confusing and seems to assume an https solution, which isn't really appropriate given the TFTP solution we use (we could change, but it is an upheaval I would rather avoid - I'd rather simply provide encrypted files on the TFTP server).

23 Replies

I've created the files. Those should work.

I've used these commands.

gzip 00259c6d0845.xml
openssl enc -e -aes-256-cbc -k 123456789 -in 00259c6d0845.xml.gz -out 00259c6d0845.cfg

in the specific ATA box set this as a profile rule:

[--key 123456789]tftp://addresstotftp/$MA.cfg

(change also these settings in the webgui so the "download" goes faster:

  - 3600 <-- set it to 30
  - 3600 <-- set it to 30)

btw.

I see that one of the files got renamed from 00259c6d0845.cfg to 00259c6d0845.cfg.zip

Remember to rename the file back to .cfg

btw. the cfg file can be decompiled using these commands

openssl enc -d -aes-256-cbc -k 123456789 -in 00259c6d0845.cfg -out 00259c6d0845.xml.gz

gunzip 00259c6d0845.xml.gz

You should then be able to read the xml file. I've tested it here and it works on those files.

Thanks, but if you read the rest of the thread, Alberto says you can use the MAC as the passphrase for en/decryption. I guess from your own experiences you found this wasn't true and that is why you are using the [--key 123456789]?

We basically have a number of config files, each "pointing" to the next. That is, init.cfg has a profile_rule_b entry that points to ata_linksys_$PN.cfg, which in turn contains a profile_rule_c entry pointing to $MA.cfg. Even if I can somehow add something to the profile_rule_c entry to indicate the passphrase, that does not seem any more secure than leaving the file unencrypted on the tftp server (since the previous files are unencrypted and would have the passphrase in cleartext in them).

This entire area seems rather shambolic on the part of Linksys.

Dear Sirs;

In the case of using the MAC, can you please let me know the commands as well as the profile rule you are using?

This should work properly.

Regards;
Alberto

openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.xml.gz

/ata_linksys_pap2t/$MA.xml.gz

The profile decrypts perfectly with

openssl enc -d -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz.openssl -out 00259C010203.xml.gz

The file is definitely being requested from the TFTP server.

I can see one fault in your command and that is:

openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.xml.gz

Should be

openssl enc -e -aes-256-cbc -k 00259C010203 -in 00259C010203.xml.gz -out 00259C010203.cfg

marius.wehmer@get.no
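The procedure from the first reply (gzip, encrypt with `openssl enc -aes-256-cbc` and a passphrase, then a `[--key ...]` profile rule) and the MAC-as-passphrase variant tried in the posts just above, as one added shell example. It is not code from the thread or from Linksys. It assumes `openssl` and `gzip` are on the PATH, uses a constructed sample profile and a placeholder TFTP host, and pins the key derivation with `-md md5`: OpenSSL changed the default digest that `enc -k` uses to turn a passphrase into a key from MD5 to SHA-256 in version 1.1.0, so the same unpinned command on a current workstation writes a different file from what these 2008-era commands produced; whether the adaptor also accepts the SHA-256 form is not something the thread establishes. Whichever passphrase you use, the participants' own observation stands: a fixed key sits in cleartext in the preceding unencrypted profile, and the MAC is both the file name and part of the TFTP request, so anyone who can fetch the file can also decrypt it.

```shell
#!/bin/sh
# Added example, not code from the thread: build an encrypted PAP2T profile the way
# the posts above do (gzip, then openssl enc -aes-256-cbc with a passphrase), check
# the result, and decrypt it again to prove the round trip.
# Assumptions: openssl and gzip are on PATH; the profile XML below is a constructed
# sample; the TFTP host in the demo is a placeholder.
set -eu

# make_sample_profile PATH: write a small constructed profile (a real one is the
# adaptor's full XML configuration).
make_sample_profile() {
    cat > "$1" <<'EOF'
<flat-profile>
  <Admin_Passwd>example-only</Admin_Passwd>
  <Line_Enable_1_>Yes</Line_Enable_1_>
</flat-profile>
EOF
}

# encrypt_profile MAC PASSPHRASE DIR: turn DIR/MAC.xml into DIR/MAC.cfg.
# -md md5 pins the passphrase-to-key derivation to what OpenSSL used before 1.1.0,
# i.e. what the thread's unpinned commands produced when they were written; without
# it a current OpenSSL derives the key with SHA-256 and writes a different file.
encrypt_profile() {
    mac=$1; pass=$2; dir=$3
    gzip -c "$dir/$mac.xml" > "$dir/$mac.xml.gz"
    openssl enc -e -aes-256-cbc -md md5 -k "$pass" \
        -in "$dir/$mac.xml.gz" -out "$dir/$mac.cfg" 2>/dev/null
}

# decrypt_profile MAC PASSPHRASE DIR OUT: reverse the above (openssl -d, then gunzip)
# and write the recovered XML to OUT.
decrypt_profile() {
    mac=$1; pass=$2; dir=$3; out=$4
    openssl enc -d -aes-256-cbc -md md5 -k "$pass" \
        -in "$dir/$mac.cfg" -out "$dir/$mac.dec.gz" 2>/dev/null
    gzip -dc "$dir/$mac.dec.gz" > "$out"
}

# is_openssl_salted FILE: the passphrase form of `openssl enc` starts the output
# with the 8-byte magic "Salted__" followed by the salt. A file without it was not
# produced that way (e.g. gzipped but never encrypted, or a stray .cfg.zip).
is_openssl_salted() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# profile_rule PASSPHRASE TFTP_HOST: the rule string for the adaptor, with the key
# token the thread uses in front of the URL. $MA is expanded by the device, not here.
profile_rule() {
    printf '%s\n' "[--key $1]tftp://$2/\$MA.cfg"
}

# Demo: round-trip one profile for a constructed MAC with a fixed passphrase.
demo() {
    work=$(mktemp -d)
    mac=00259c6d0845
    make_sample_profile "$work/$mac.xml"
    encrypt_profile "$mac" 123456789 "$work"
    is_openssl_salted "$work/$mac.cfg"
    decrypt_profile "$mac" 123456789 "$work" "$work/roundtrip.xml"
    cmp -s "$work/$mac.xml" "$work/roundtrip.xml"
    profile_rule 123456789 tftp.example.net
    rm -rf "$work"
}

demo
```

To try the MAC-as-passphrase variant from the posts above, call `encrypt_profile 00259c010203 00259c010203 DIR`; the round trip on the workstation succeeds either way, which is exactly why a successful `openssl -d` on the desk says nothing about what key derivation or token the adaptor itself expects.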

I changed the filename ending but it didn't make any difference.

Is this the command you are using as a profile rule on the unit?

/ata_linksys_pap2t/$MA.cfg

?


Remember to add [--key 00259C010203] in front of the URL.

[--key 00259C010203]/ata_linksys_pap2t/$MA.cfg

marius.wehmer@get.no

marius.wehmer@get.no wrote:

Is this the command you are using as a profile rule on the unit?

/ata_linksys_pap2t/$MA.cfg

?

Yes. In another config file on the tftp server actually.

marius.wehmer@get.no wrote:

Remember to add [--key 00259C010203] in front of the URL.

[--key 00259C010203]/ata_linksys_pap2t/$MA.cfg

No, because:

amontill wrote:

you can encrypt them using e.g. the MAC address as the encryption key of the device. [...] basically you need to encrypt the file (using SPC) with the key (recommend MAC address as then you dont need to pass the key to the device), and then in the device profile rule, need to include the encryption key as a token.

(My emphasis)

Admittedly, that's not very clear, but it was clarified a couple of posts later:

amontill wrote:

If the paraphrase is the MAC or serial number, it is not required as these are MACRO variables on the device.
