Reverse-engineering an encrypted IoT protocol

smlx.dev

232 points by smlx 2 years ago · 43 comments

denysvitali 2 years ago

Next time you find yourself reverse engineering a weird protocol - use ImHex. You can literally define patterns (in a C++/Rust-like language) so that your binary file gets highlighted and processed.

I can't recommend it enough - it's perfect for the job and it's free and Open Source.

https://imhex.werwolv.net/

pbaam 2 years ago

> Sniffing the traffic from the device showed that it was connecting out to tcp.goodwe-power.com:200001

Is 200001 the right port number? Very good read anyways.

floating-io 2 years ago

While the reverse engineering was interesting to read about, I found the Batman Equation far more amusing! :)

gangstead 2 years ago

He mentioned having a private, firewalled VLAN. Is there anywhere to get more info or example setups for the beginner homelabber? I've got Unifi gear, I poke around the interface. I realize I can make new VLANs, but what makes them isolated/private?

Also I see his complaints about half-assed security but I actually am kind of relieved. If the security was implemented well we wouldn't be able to make our own man-in-the-middle Prometheus exporters!

  • thfuran 2 years ago

    A VLAN is private/isolated to the extent that you don't route it to other networks. You could just block traffic between that vlan and the wan, or even potentially between it and any other vlans on your lan.

  • m463 2 years ago

    I use openwrt

    I will say learning how to do it is a pain, but once I got an internal vlan in place, my life got significantly better.

    You just want a small internal network that can't get out, or can get out through a proxy.

    I set up:

    - ipv4 only - cut my configuration in half

    - private dns server for the vlan - only resolve internal addresses

    - dhcp

    - private time server

    - privoxy proxy for controlled access to a whitelist of outside
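As an added example (not part of the thread, and not m463's own configuration), here is what the "can't get out, or only through a proxy" setup above looks like in OpenWrt's UCI files. Interface, zone and device names (`iot`, `br-lan.20`, the 192.168.20.0/24 range) are assumptions; the proxy port is Privoxy's default listener, and that a proxy runs on the router at all is assumed. The isolation thfuran describes comes from the zone's `forward 'REJECT'` plus the absence of any `forwarding` section whose `src` is `iot`:

```text
# /etc/config/network (fragment): the IoT VLAN as its own interface.
# 'br-lan.20' is an assumed device name for VLAN 20 on a DSA-style switch;
# use whatever name your hardware exposes for the tagged VLAN.
config interface 'iot'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp (fragment): dnsmasq hands out leases on the IoT VLAN
# and announces the router as the only DNS server.
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '100'
	option leasetime '12h'

# /etc/config/firewall (fragment)
# input REJECT:   IoT devices cannot reach the router's own services
#                 except where a rule below opens a port.
# forward REJECT: nothing from this zone is forwarded anywhere,
#                 neither to 'lan' nor to 'wan'.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The trusted LAN may open connections into the IoT VLAN (for example a
# scraper polling the inverter); return traffic is allowed by connection
# tracking. Deliberately no 'iot' -> 'lan' or 'iot' -> 'wan' section exists.
config forwarding
	option src 'lan'
	option dest 'iot'

# Minimal holes toward the router for DHCP, DNS and NTP.
config rule
	option name 'iot-dhcp'
	option src 'iot'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'iot-dns'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'iot-ntp'
	option src 'iot'
	option proto 'udp'
	option dest_port '123'
	option target 'ACCEPT'

# Optional controlled egress: the only route out is a proxy on the router.
# 8118 is Privoxy's default listen port (assumed to be running here).
config rule
	option name 'iot-proxy'
	option src 'iot'
	option proto 'tcp'
	option dest_port '8118'
	option target 'ACCEPT'
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, a quick check from a device on the IoT VLAN is that it can resolve names and get time from 192.168.20.1 but cannot reach any LAN host or any Internet address directly, while a LAN host can still open a connection to the device. Whatever the devices' own security looks like, they can then only talk to what the proxy's allow-list permits.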

xyx0826 2 years ago

> This exercise has reinforced my prejudice that IoT devices are horribly insecure.

Generally I agree with this assessment for home IoT devices, but I’m curious does this hold true for industrial or transportation? Can someone point me to blogs or studies on Chinese EV security?

kwar13 2 years ago

Any kind soul want to teach me how

echo -e 'admin\nadmin\nspi rd 0 2097152\n' | nc 192.168.18.17 23 | tee ~/download/hk1000.spi2.img

downloads the firmware?

  • npteljes 2 years ago

    The device appears to support the Serial Peripheral Interface protocol, which Scott discovered (and others before him too: https://mlug-au.org/lib/exe/fetch.php?media=20210726-goodwe....). He did this by poking around with nmap for open ports, discovering that the telnet port is open, and then trying to talk to the device with telnet.

    "spi rd" is a command that can be used to dump some data from the device, as you can read in my linked presentation.

    And the one-liner Scott has in the blog just automates the following process:

    1. logging in with admin/admin on the device with telnet
    2. issuing the telnet command "spi rd 0 2097152"
    3. capturing its output into a file, while also viewing it on the standard output at the same time

  • poyu 2 years ago

    I think `spi rd 0 2097152` is probably something in the telnet prompt that reads values from an SPI flash; the two numbers seem to be the starting and ending range.

iefbr14 2 years ago

So if I understand this correctly, it is now possible to mess up other people's graphs by just sending malicious packages to the server?

Fietsband 2 years ago

This reads similar to an intercom I am still in the process of trying to write a client for: https://grdw.nl/2023/01/28/my-intercom-part-1.html . Seeing nmap, wireshark, poor security. It definitely feels the same.

sakebomb 2 years ago

You should check out Recessim: https://recessim.com/

I think you would like the community.

kwar13 2 years ago

+1 to having an IoT VLAN. Absolutely required to segregate the traffic.

farseer 2 years ago

How would one go about reversing and identifying a wireless protocol?

digitalblade 2 years ago

Awesome reading, well written and very clear. Thank you for your post.

heywire 2 years ago

Fantastic write up! Enjoyable read, and gave me some pointers.

gessha 2 years ago

This was a joy to read. Thank you for posting.

bcaxis 2 years ago

Well...

MY IoT devices don't have garbage security.

  • nagisa 2 years ago

    I only buy IoT devices with security so garbage that I can make them do my bidding and not somebody else's.

    Hopefully a market for these devices remains thriving. It would suck if it wasn't possible to flash the firmware of a robot vacuum cleaner (et al) so that it becomes a LAN device.

andsmedeiros 2 years ago

This was very informative, thanks!

demondemidi 2 years ago

MIPS? Wow. Would not have expected that! I guess they went as low budget as possible.

That key tho. /facepalm/ They REALLY don't care about security. Seriously, at least get PSA level 1 FFS and use TLS. But I doubt a cheap-ass MIPS has the horsepower for a handshake.

  • Moru 2 years ago

    In the '90s I was told to figure out what was wrong with the big radio-controlled port at a local industry. I don't remember what was wrong with it, but after digging in the manual and the equipment I realized the whole factory was protected by a four-bit code set with DIP switches on a circuit board. I guess it was supposed to be used to select which port to open with the remote, but it was all that was stopping anyone from opening the door at all.

  • xyx0826 2 years ago

    I know some MediaTek WLAN chips come with MIPS cores clocked at more or less 1 GHz, like the MT7621. TLS should be trivial; I believe the thing that matters is how much time/money/design the company is willing to spend on security.
