Reverse-engineering an encrypted IoT protocol (opens in new tab)

Just piggybacking here to mention a variety of other "interpret structured binary data" tools. Apparently I collect links to these (:

* fq - like jq for binary data: https://github.com/wader/fq

* Kaitai Struct - https://kaitai.io/

** visualizer, for the above: https://github.com/kaitai-io/kaitai_struct_visualizer/

* HexFiend - a hex editor, but with "binary templates" feature : https://github.com/HexFiend/HexFiend

** binary templates, for the above: https://github.com/HexFiend/HexFiend/blob/master/templates/T...

* binspector - https://github.com/binspector/binspector

* binary-parsing - a collection of links to similar such tools : https://github.com/dloss/binary-parsing

* unblob - https://github.com/onekey-sec/unblob

* ImHex, which you mention

Do you know about any protocol deciphering tool?

I'm trying to reverse engineer a kinda simple tcp data stream, and the values are tag-length-value for the most part, and I made a simple mitm proxy that prints known tags and their data values (that I was able to decipher) live, but I am doing the deciphering of known and unknown tags manually, but I was wondering if there is some way to automate this?

I basically would be interested in automatic seen tag tracking, replaying select tags many times to see if they are idempotent, replaying and modifying bytes on a select tag, omitting a select tag and seeing how the client responds.

I guess I could find the socket receive function in the binary and see if the tag values are in a switch or something too but like the original article, it's also new territory for me to read that.

I am just about to expand my mitm proxy with more code to inject/filter packets.

Just coming here to say this. I was reversing a license file for some software so I could play with it yesterday, and I could implement the encryption/decryption code direct in the data processor of imhex, such a time saver.

I have never heard of ImHex before. Thanks, I'll take a look!

Are there tools that help in identifying structures? For example reverse engineering binary file formats like for bnd4, a save game format.

Thanks!

Seems it's corrected now, one zero less :-)

As ports are 16 bit ints, I assume not.

A VLAN is private/isolated to the extent that you don't route it to other networks. You could just block traffic between that vlan and the wan, or even potentially between it and any other vlans on your lan.

I use openwrt

I will say learning how to do it is a pain, but once I got an internal vlan in place, my life got significantly better.

You just want a small internal network that can't get out, or can get out through a proxy.

I set up:

- ipv4 only - cut my configuration in half

- private dns server for the vlan - only resolve internal addresses

- dhcp

- private time server

- privoxy proxy for controlled access to a whitelist of outside

The device appears to support the Serial Peripheral Interface protocol, which Scott discovered (and others before him too: https://mlug-au.org/lib/exe/fetch.php?media=20210726-goodwe....). He did this by poking around with nmap for open ports, discovering that the telnet port is open, and then trying to talk to the device with telnet.

"spi rd" are commands that can be used to dump some data from the device, as you can read in my linked presentation.

And the one-liner Scott has in the blog just automates the following process: 1. logging in with admin/admin on the device with telnet 2. issuing the telnet command "spi rd 0 2097152" 3. capturing its output into a file, while also viewing it on the standard output at the same time

I think `spi rd 0 2097152` is probably something in the telnet prompt that reads values from an SPI flash, the two number seems to be starting and ending range.

I only buy IoT devices with security so garbage that I can make them do my bidding and not somebody else's.

Hopefully a market for these devices remains thriving. It would suck if it wasn't possible to flash the firmware of a robot vacuum cleaner (et al) so that it becomes a LAN device.

In the 90-ies I was told to figure out what was wrong with the big radiocontrolled port at a local industry. I don't remember what was wrong with it but after digging in the manual and the equipment I realized the whole factory was protected by a four bit code set with dip-switches on a circuit board. I guess it was supposed to be used to select what port to open with the remote but was all that was stopping anyone to open the door at all.

I know some MediaTek WLAN chips come with MIPS cores clocked at more or less 1 Ghz, like the MT7621. TLS should be trivial; I believe the thing that matters is how much time/money/design the company is willing to spend on security.