Reverse-engineering an encrypted IoT protocol

Reverse-engineering an encrypted IoT protocol(smlx.dev)

232 points by smlx 2 years ago | 40 comments

Next time you find yourself reverse engineering a weird protocol - use ImHex. You can literally define patterns (in a C++ / Rust -like language) so that your binary file gets highlighted and processed.

I can't recommend it enough - it's perfect for the job and it's free and Open Source.

https://imhex.werwolv.net/

turtledragonfly 2 years ago | |

Just piggybacking here to mention a variety of other "interpret structured binary data" tools. Apparently I collect links to these (:

* fq - like jq for binary data: https://github.com/wader/fq

* Kaitai Struct - https://kaitai.io/

** visualizer, for the above: https://github.com/kaitai-io/kaitai_struct_visualizer/

* HexFiend - a hex editor, but with "binary templates" feature : https://github.com/HexFiend/HexFiend

** binary templates, for the above: https://github.com/HexFiend/HexFiend/blob/master/templates/T...

* binspector - https://github.com/binspector/binspector

* binary-parsing - a collection of links to similar such tools : https://github.com/dloss/binary-parsing

* unblob - https://github.com/onekey-sec/unblob

* ImHex, which you mention

wwader 2 years ago | | |

Hey! fq author here. I have a bunch of related tools in the readme https://github.com/wader/fq?tab=readme-ov-file#tools two suggestions: gnu poke and wireshark (can decode lots of more things then just network protocols)

moyix 2 years ago | | |

Not free, but I have used 010 Editor for years and it's excellent.

declaredapple 2 years ago | | |

is binwalk still used these days?

mrmuagi 2 years ago | |

Do you know about any protocol deciphering tool?

I'm trying to reverse engineer a kinda simple tcp data stream, and the values are tag-length-value for the most part, and I made a simple mitm proxy that prints known tags and their data values (that I was able to decipher) live, but I am doing the deciphering of known and unknown tags manually, but I was wondering if there is some way to automate this?

I basically would be interested in automatic seen tag tracking, replaying select tags many times to see if they are idempotent, replaying and modifying bytes on a select tag, omitting a select tag and seeing how the client responds.

I guess I could find the socket receive function in the binary and see if the tag values are in a switch or something too but like the original article, it's also new territory for me to read that.

I am just about to expand my mitm proxy with more code to inject/filter packets.

denysvitali 2 years ago | | |

Have you tried Wireshark? It does support Lua templates, although for the initial analysis I would still suggested ImHex

raggles 2 years ago | |

Just coming here to say this. I was reversing a license file for some software so I could play with it yesterday, and I could implement the encryption/decryption code direct in the data processor of imhex, such a time saver.

smlx 2 years ago | |

I have never heard of ImHex before. Thanks, I'll take a look!

devwastaken 2 years ago | |

Are there tools that help in identifying structures? For example reverse engineering binary file formats like for bnd4, a save game format.

username135 2 years ago | |

Thanks!

pbaam 2 years ago |

> Sniffing the traffic from the device showed that it was connecting out to tcp.goodwe-power.com:200001

Is 200001 the right port number? Very good read anyways.

Moru 2 years ago | |

Seems it's corrected now, one zero less :-)

mianos 2 years ago | |

As ports are 16 bit ints, I assume not.

floating-io 2 years ago |

While the reverse engineering was interesting to read about, I found the Batman Equation far more amusing! :)

gangstead 2 years ago |

He mentioned having a private, firewalled VLAN. Is there anywhere to get more info or example setups for the beginner homelabber? I've got Unifi gear, I poke around the interface. I realize I can make new VLANs, but what makes them isolated/private?

Also I see his complaints about half assed security but I actually am kind of relieved. If the security was implemented well we wouldn't be able to make our own man-in-the-middle prometheus exporters!

thfuran 2 years ago | |

A VLAN is private/isolated to the extent that you don't route it to other networks. You could just block traffic between that vlan and the wan, or even potentially between it and any other vlans on your lan.

m463 2 years ago | |

I use openwrt

I will say learning how to do it is a pain, but once I got an internal vlan in place, my life got significantly better.

You just want a small internal network that can't get out, or can get out through a proxy.

I set up:

- ipv4 only - cut my configuration in half

- private dns server for the vlan - only resolve internal addresses

- dhcp

- private time server

- privoxy proxy for controlled access to a whitelist of outside

xyx0826 2 years ago |

> This exercise has reinforced my prejudice that IoT devices are horribly insecure.

Generally I agree with this assessment for home IoT devices, but I’m curious does this hold true for industrial or transportation? Can someone point me to blogs or studies on Chinese EV security?

kwar13 2 years ago |

Any kind soul want to teach me how

echo -e 'admin\nadmin\nspi rd 0 2097152\n' | nc 192.168.18.17 23 | tee ~/download/hk1000.spi2.img

downloads the firmware?

npteljes 2 years ago | |

The device appears to support the Serial Peripheral Interface protocol, which Scott discovered (and others before him too: https://mlug-au.org/lib/exe/fetch.php?media=20210726-goodwe....). He did this by poking around with nmap for open ports, discovering that the telnet port is open, and then trying to talk to the device with telnet.

"spi rd" are commands that can be used to dump some data from the device, as you can read in my linked presentation.

And the one-liner Scott has in the blog just automates the following process: 1. logging in with admin/admin on the device with telnet 2. issuing the telnet command "spi rd 0 2097152" 3. capturing its output into a file, while also viewing it on the standard output at the same time

kwar13 2 years ago | | |

thank you!

poyu 2 years ago | |

I think `spi rd 0 2097152` is probably something in the telnet prompt that reads values from an SPI flash, the two number seems to be starting and ending range.

iefbr14 2 years ago |

So if I understand this correctly it is now possible to mess up other peoples graphs by just sending malicious packages to the server?

Fietsband 2 years ago |

This reads similar to an intercom I am still in the process of trying to write a client for: https://grdw.nl/2023/01/28/my-intercom-part-1.html . Seeing nmap, wireshark, poor security. It definitely feels the same.

sakebomb 2 years ago |

You should check out Recessim: https://recessim.com/

I think you would like the community.

kwar13 2 years ago |

+1 to having an IoT VLAN. Absolutely required to segregate the traffic.

farseer 2 years ago |

How would one go about reversing and identifying a wireless protocol?

digitalblade 2 years ago |

Awesome reading, well written and very clear. Thank your for your post.

heywire 2 years ago |

Fantastic write up! Enjoyable read, and gave me some pointers.

gessha 2 years ago |

This was a joy to read. Thank you for posting.

bcaxis 2 years ago |

Well...

MY IoT devices don't have garbage security.

nagisa 2 years ago | |

I only buy IoT devices with security so garbage that I can make them do my bidding and not somebody else's.

Hopefully a market for these devices remains thriving. It would suck if it wasn't possible to flash the firmware of a robot vacuum cleaner (et al) so that it becomes a LAN device.

andsmedeiros 2 years ago |

This was very informative, thanks!

demondemidi 2 years ago |

MIPS? Wow. Would not have expected that! I guess they went as low budget as possible.

That key tho. /facepalm/ They REALLY don't care about security. Seriously, at least get PSA level 1 FFS and use TLS. But I doubt a cheap-ass MIPS has the horsepower for a handshake.

Moru 2 years ago | |

In the 90-ies I was told to figure out what was wrong with the big radiocontrolled port at a local industry. I don't remember what was wrong with it but after digging in the manual and the equipment I realized the whole factory was protected by a four bit code set with dip-switches on a circuit board. I guess it was supposed to be used to select what port to open with the remote but was all that was stopping anyone to open the door at all.

xyx0826 2 years ago | |

I know some MediaTek WLAN chips come with MIPS cores clocked at more or less 1 Ghz, like the MT7621. TLS should be trivial; I believe the thing that matters is how much time/money/design the company is willing to spend on security.