[HN Gopher] Reverse-engineering an encrypted IoT protocol
___________________________________________________________________
Reverse-engineering an encrypted IoT protocol
Author : smlx
Score : 130 points
Date : 2024-02-14 16:34 UTC (6 hours ago)
(HTM) web link (smlx.dev)
(TXT) w3m dump (smlx.dev)
| gessha wrote:
| This was a joy to read. Thank you for posting.
| denysvitali wrote:
| Next time you find yourself reverse engineering a weird protocol
| - use ImHex. You can literally define patterns (in a C++ / Rust
| -like language) so that your binary file gets highlighted and
| processed.
|
| I can't recommend it enough - it's perfect for the job and it's
| free and Open Source.
|
| https://imhex.werwolv.net/
| raggles wrote:
| Just coming here to say this. I was reversing a license file
| for some software so I could play with it yesterday, and I
| could implement the encryption/decryption code direct in the
| data processor of imhex, such a time saver.
| smlx wrote:
| I have never heard of ImHex before. Thanks, I'll take a look!
| turtledragonfly wrote:
| Just piggybacking here to mention a variety of other "interpret
| structured binary data" tools. Apparently I collect links to
| these (:
|
| * fq - like jq for binary data: https://github.com/wader/fq
|
| * Kaitai Struct - https://kaitai.io/
|
| ** visualizer, for the above: https://github.com/kaitai-io/kaitai_struct_visualizer/
|
| * HexFiend - a hex editor, but with "binary templates" feature:
| https://github.com/HexFiend/HexFiend
|
| ** binary templates, for the above:
| https://github.com/HexFiend/HexFiend/blob/master/templates/T...
|
| * binspector - https://github.com/binspector/binspector
|
| * binary-parsing - a collection of links to similar such tools:
| https://github.com/dloss/binary-parsing
|
| * unblob - https://github.com/onekey-sec/unblob
|
| * ImHex, which you mention
| declaredapple wrote:
| is binwalk still used these days?
| denysvitali wrote:
| From my experience, yes, it's still quite useful to find
| embedded formats
| username135 wrote:
| Thanks!
| mrmuagi wrote:
| Do you know about any protocol deciphering tool?
|
| I'm trying to reverse engineer a kinda simple tcp data stream,
| and the values are tag-length-value for the most part, and I
| made a simple mitm proxy that prints known tags and their data
| values (that I was able to decipher) live, but I am doing the
| deciphering of known and unknown tags manually, but I was
| wondering if there is some way to automate this?
|
| I basically would be interested in automatic seen tag tracking,
| replaying select tags many times to see if they are idempotent,
| replaying and modifying bytes on a select tag, omitting a
| select tag and seeing how the client responds.
|
| I guess I could find the socket receive function in the binary
| and see if the tag values are in a switch or something too but
| like the original article, it's also new territory for me to
| read that.
|
| I am just about to expand my mitm proxy with more code to
| inject/filter packets.
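Added example (editor's code, not part of the thread and not mrmuagi's proxy): a TLV stream parser with seen-tag tracking, plus the rewrites the comment above asks for (replay a tag many times, flip bytes in a tag, omit a tag) applied to a parsed stream so the proxy can re-encode and forward it. The wire format (1-byte tag, 1-byte length, then the value) and the sample stream are assumptions made for the example; a real protocol will differ. It also handles the case the comment does not mention: a frame split across two TCP reads, which the parser returns as a remainder to be prepended to the next chunk.

```python
"""Minimal TLV stream analysis/mutation helpers for an intercepting proxy.

Assumed (hypothetical) wire format: tag (1 byte), length (1 byte), value.
Frames are concatenated on a TCP stream with no other framing.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tlv:
    tag: int
    value: bytes

    def encode(self) -> bytes:
        if len(self.value) > 0xFF:
            raise ValueError("value too long for a 1-byte length field")
        return bytes([self.tag, len(self.value)]) + self.value


@dataclass
class TlvTracker:
    """Per-tag statistics across frames so unknown or constant tags stand out."""
    known: dict = field(default_factory=dict)    # tag -> label given by the analyst
    seen: Counter = field(default_factory=Counter)
    values: dict = field(default_factory=dict)   # tag -> set of distinct values seen

    def observe(self, tlv: Tlv) -> None:
        self.seen[tlv.tag] += 1
        self.values.setdefault(tlv.tag, set()).add(tlv.value)

    def unknown_tags(self) -> list:
        return sorted(t for t in self.seen if t not in self.known)

    def constant_tags(self) -> list:
        """Tags seen more than once whose value never changed (IDs, versions...)."""
        return sorted(t for t, vs in self.values.items()
                      if len(vs) == 1 and self.seen[t] > 1)


def parse_tlv_stream(buf: bytes):
    """Parse every complete TLV in buf.

    Returns (tlvs, remainder). remainder is a trailing partial frame; the
    proxy must keep it and prepend it to the next recv() chunk, because TCP
    gives no guarantee that a read ends on a frame boundary.
    """
    tlvs, i = [], 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        if i + 2 + length > len(buf):     # header present, value not yet complete
            break
        tlvs.append(Tlv(tag, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return tlvs, buf[i:]


def encode_tlvs(tlvs) -> bytes:
    return b"".join(t.encode() for t in tlvs)


def replay_tag(tlvs, tag: int, times: int):
    """Repeat every TLV carrying `tag` `times` times (idempotency probe)."""
    out = []
    for t in tlvs:
        out.extend([t] * (times if t.tag == tag else 1))
    return out


def omit_tag(tlvs, tag: int):
    """Drop every TLV carrying `tag` to see how the peer reacts to its absence."""
    return [t for t in tlvs if t.tag != tag]


def mutate_tag(tlvs, tag: int, offset: int, xor: int = 0xFF):
    """XOR one value byte of every TLV carrying `tag`; length is unchanged."""
    out = []
    for t in tlvs:
        if t.tag == tag and offset < len(t.value):
            v = bytearray(t.value)
            v[offset] ^= xor
            t = Tlv(t.tag, bytes(v))
        out.append(t)
    return out


def summarize(stream: bytes, known: dict) -> dict:
    """One-shot report over a captured chunk: what was parsed, what is pending."""
    tlvs, rest = parse_tlv_stream(stream)
    tracker = TlvTracker(known=dict(known))
    for t in tlvs:
        tracker.observe(t)
    return {"frames": len(tlvs), "pending": len(rest),
            "unknown": tracker.unknown_tags(), "constant": tracker.constant_tags()}


# Constructed sample capture (not real device traffic); tag meanings are invented.
SAMPLE = (
    b"\x01\x02\x00\x2a"          # tag 0x01, assumed "device id", value 0x002a
    b"\x10\x04\x00\x00\x01\x2c"  # tag 0x10, 4-byte value 300
    b"\x20\x01\x07"              # tag 0x20, 1-byte value
    b"\x01\x02\x00\x2a"          # tag 0x01 again, same value as before
    b"\x10\x04\x00\x00\x01\x2d"  # tag 0x10 again, value 301
    b"\x30\x05\xde\xad"          # tag 0x30 claims 5 bytes but only 2 arrived
)

if __name__ == "__main__":
    print(summarize(SAMPLE, {0x01: "device id"}))
    frames, _ = parse_tlv_stream(SAMPLE)
    print(encode_tlvs(mutate_tag(replay_tag(frames, 0x20, 3), 0x01, 1)).hex())
```

The tracker is what turns "tags I have deciphered" into a live diff: anything in unknown_tags() is new, and constant_tags() flags fields that look like identifiers rather than measurements. The three rewrite helpers operate on parsed frames and re-encode, so a mutated or replayed stream is always length-consistent when it reaches the client.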
| denysvitali wrote:
| Have you tried Wireshark? It does support Lua templates,
| although for the initial analysis I would still suggest
| ImHex
| heywire wrote:
| Fantastic write up! Enjoyable read, and gave me some pointers.
| digitalblade wrote:
| Awesome reading, well written and very clear. Thank you for your
| post.
| floating-io wrote:
| While the reverse engineering was interesting to read about, I
| found the Batman Equation far more amusing! :)
| iefbr14 wrote:
| So if I understand this correctly it is now possible to mess up
| other peoples graphs by just sending malicious packages to the
| server?
| andsmedeiros wrote:
| This was very informative, thanks!
| pbaam wrote:
| > Sniffing the traffic from the device showed that it was
| connecting out to tcp.goodwe-power.com:200001
|
| Is 200001 the right port number? Very good read anyways.
| sakebomb wrote:
| You should check out Recessim: https://recessim.com/
|
| I think you would like the community.
| Fietsband wrote:
| This reads similar to an intercom I am still in the process of
| trying to write a client for:
| https://grdw.nl/2023/01/28/my-intercom-part-1.html . Seeing nmap,
| wireshark, poor security. It
| definitely feels the same.
| gangstead wrote:
| He mentioned having a private, firewalled VLAN. Is there anywhere
| to get more info or example setups for the beginner homelabber?
| I've got Unifi gear, I poke around the interface. I realize I can
| make new VLANs, but what makes them isolated/private?
|
| Also I see his complaints about half assed security but I
| actually am kind of relieved. If the security was implemented
| well we wouldn't be able to make our own man-in-the-middle
| prometheus exporters!
| thfuran wrote:
| A VLAN is private/isolated to the extent that you don't route
| it to other networks. You could just block traffic between that
| vlan and the wan, or even potentially between it and any other
| vlans on your lan.
| bcaxis wrote:
| Well...
|
| MY IoT devices don't have garbage security.
___________________________________________________________________
(page generated 2024-02-14 23:00 UTC)