From 3925f4f2446a6639135788e9ac301643869b19bf Mon Sep 17 00:00:00 2001
From: Wilco Baan Hofman
Date: Tue, 9 May 2017 22:39:39 +0200
Subject: [PATCH] Awwyeah, decrypted an alarm
---
 chiron-2nd.log | 104 ++++++++++++++++++++++++++++++++++++++++++
 chiron-initial.log | 111 +++++++++++++++++++++++++++++++++++++++++++++
 chiron.idl | 10 ++--
 chirond.c | 42 +++++++++++++++--
 4 files changed, 258 insertions(+), 9 deletions(-)
 create mode 100644 chiron-2nd.log
 create mode 100644 chiron-initial.log
diff --git a/chiron-2nd.log b/chiron-2nd.log
new file mode 100644
index 0000000..d956cbe
--- /dev/null
+++ b/chiron-2nd.log
@@ -0,0 +1,104 @@ +Mon Nov 21 20:41:35 2016: ./build/chirond(15512): Log level 0, at ../chirond.c:308 in function handle_message(): + chiron message: struct chiron_message + msg_type : CHIRON_ACCOUNT (65) + seq : 0x02 (2) + flags : 0xa8 (168) + msg : union chiron_msg_union(case 65) + account: struct chiron_msg_account + length : 0x04 (4) + account_code: ARRAY(4) + [0] : 0x33 (51) + [1] : 0x35 (53) + [2] : 0x30 (48) + [3] : 0x30 (48) + +Mon Nov 21 20:41:35 2016: ./build/chirond(15512): Log level 0, at ../chirond.c:210 in function send_chiron_msg_challenge(): +Sending out a challenge +Mon Nov 21 20:41:35 2016: ./build/chirond(15512): Log level 0, at ../chirond.c:278 in function send_chiron_msg_challenge(): +The expected md5sum for the next entry is 67305652133a689bb99b3d7e953b30f7 +Mon Nov 21 20:41:35 2016: ./build/chirond(15512): Log level 0, at ../chirond.c:308 in function handle_message(): + chiron message: struct chiron_message + msg_type : CHIRON_RESPONSE (82) + seq : 0x02 (2) + flags : 0xa8 (168) + msg : union chiron_msg_union(case 82) + response: struct chiron_msg_response + length : 0x46 (70) + md5_check: ARRAY(16) + [0] : 0xc8 (200) + [1] : 0xa8 (168) + [2] : 0xb6 (182) + [3] : 0x50 (80) + [4] : 0x34 (52) + [5] : 0xd5 (213) + [6] : 0x7a (122) + [7] : 0x26 (38) + [8] : 0x90 (144) + [9] : 0x63 (99) + [10] : 0x92 (146) + [11] : 0x56 (86) + [12] : 0xe5 (229) + [13] : 0x4d (77) + [14] : 0xde (222) + [15] : 0xa0 (160) + payload: ARRAY(54) + [0] : 0x6a (106) + [1] : 0x60 (96) + [2] : 0x19 (25) + [3] : 0xdc (220) + [4] : 0x67 (103) + [5] : 0xbb (187) + [6] : 0xe8 (232) + [7] : 0x9e (158) + [8] : 0x8e (142) + [9] : 0xfc (252) + [10] : 0x79 (121) + [11] : 0x55 (85) + [12] : 0xed (237) + [13] : 0x66 (102) + [14] : 0x26 (38) + [15] : 0x21 (33) + [16] : 0x1a (26) + [17] : 0x6b (107) + [18] : 0x4a (74) + [19] : 0x9c (156) + [20] : 0x7c (124) + [21] : 0xe6 (230) + [22] : 0x1d (29) + [23] : 0x01 (1) + [24] : 0xab (171) + [25] : 0x57 (87) + [26] : 0xfb (251) + [27] : 0xd9 
(217) + [28] : 0x6d (109) + [29] : 0x15 (21) + [30] : 0xbd (189) + [31] : 0xe6 (230) + [32] : 0xe3 (227) + [33] : 0x94 (148) + [34] : 0xd6 (214) + [35] : 0xe7 (231) + [36] : 0xde (222) + [37] : 0xc3 (195) + [38] : 0x89 (137) + [39] : 0x52 (82) + [40] : 0x65 (101) + [41] : 0x5f (95) + [42] : 0x0c (12) + [43] : 0x97 (151) + [44] : 0x4e (78) + [45] : 0x4f (79) + [46] : 0x6d (109) + [47] : 0x9f (159) + [48] : 0x5a (90) + [49] : 0xb9 (185) + [50] : 0xc2 (194) + [51] : 0x12 (18) + [52] : 0xdd (221) + [53] : 0x74 (116) + +Mon Nov 21 20:41:35 2016: ./build/chirond(15512): Log level 0, at ../chirond.c:167 in function handle_chiron_msg_response(): +MD5 does not match! + +Decrypted outgoing payload: + ZERO LENGTH diff --git a/chiron-initial.log b/chiron-initial.log new file mode 100644 index 0000000..9d4b781 --- /dev/null +++ b/chiron-initial.log 
@@ -0,0 +1,111 @@ +Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 0, at ../chirond.c:308 in function handle_message(): + chiron message: struct chiron_message + msg_type : CHIRON_ACCOUNT (65) + seq : 0x01 (1) + flags : 0xa8 (168) + msg : union chiron_msg_union(case 65) + account: struct chiron_msg_account + length : 0x04 (4) + account_code: ARRAY(4) + [0] : 0x33 (51) + [1] : 0x35 (53) + [2] : 0x30 (48) + [3] : 0x30 (48) + +Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 0, at ../chirond.c:210 in function send_chiron_msg_challenge(): +Sending out a challenge +Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 0, at ../chirond.c:278 in function send_chiron_msg_challenge(): +The expected md5sum for the next entry is 627fd0b8bc706a21442115b494206298 +Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 0, at ../chirond.c:308 in function handle_message(): + chiron message: struct chiron_message + msg_type : CHIRON_RESPONSE (82) + seq : 0x01 (1) + flags : 0xa8 (168) + msg : union chiron_msg_union(case 82) + response: struct chiron_msg_response + length : 0x37 (55) + md5_check: ARRAY(16) + [0] : 0x62 (98) + [1] : 0x7f (127) + [2] : 0xd0 (208) + [3] : 0xb8 (184) + [4] : 0xbc (188) + [5] : 0x70 (112) + [6] : 0x6a (106) + [7] : 0x44 (68) + [8] : 0x44 (68) + [9] : 0x21 (33) + [10] : 0x15 (21) + [11] : 0xb4 (180) + [12] : 0x94 (148) + [13] : 0x20 (32) + [14] : 0x62 (98) + [15] : 0x98 (152) + payload: ARRAY(39) + [0] : 0x7a (122) + [1] : 0xe2 (226) + [2] : 0xde (222) + [3] : 0xc2 (194) + [4] : 0xed (237) + [5] : 0x76 (118) + [6] : 0x84 (132) + [7] : 0x5f (95) + [8] : 0xe6 (230) + [9] : 0x16 (22) + [10] : 0x2b (43) + [11] : 0x6b (107) + [12] : 0xb9 (185) + [13] : 0x10 (16) + [14] : 0xa3 (163) + [15] : 0x6c (108) + [16] : 0x14 (20) + [17] : 0x44 (68) + [18] : 0x56 (86) + [19] : 0xca (202) + [20] : 0x45 (69) + [21] : 0xc6 (198) + [22] : 0xc2 (194) + [23] : 0xeb (235) + [24] : 0xec (236) + [25] : 0x1b (27) + [26] : 0xd8 (216) + [27] : 0x7a 
(122) + [28] : 0xa4 (164) + [29] : 0x4c (76) + [30] : 0xc0 (192) + [31] : 0xb4 (180) + [32] : 0x88 (136) + [33] : 0x64 (100) + [34] : 0x6e (110) + [35] : 0x2b (43) + [36] : 0xee (238) + [37] : 0x11 (17) + [38] : 0x54 (84) + +Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 0, at ../chirond.c:170 in function handle_chiron_msg_response(): +Handling the response +Decrypted: + 0000 00 ad c7 0c 04 a8 de fe ff 20 01 01 21 01 63 17 ......... ..!.c. + 0010 16 49 52 49 53 20 54 6f 75 63 68 20 34 32 30 20 .IRIS Touch 420 + 0020 76 31 2e 31 34 2e 33 v1.14.3 +Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 1, at ../chirond.c:192 in function handle_chiron_msg_response(): +Type: 12, Length: 4 +Data: + 0000 a8 de fe ff .... +Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 1, at ../chirond.c:192 in function handle_chiron_msg_response(): +Type: 32, Length: 1 +Data: + 0000 01 . +Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 1, at ../chirond.c:192 in function handle_chiron_msg_response(): +Type: 33, Length: 1 +Data: + 0000 63 c +Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 1, at ../chirond.c:192 in function handle_chiron_msg_response(): +Type: 23, Length: 22 +Data: + 0000 49 52 49 53 20 54 6f 75 63 68 20 34 32 30 20 76 IRIS Touch 420 v + 0010 31 2e 31 34 2e 33 1.14.3 +Crypted outgoing payload: + 0000 5d 4f 2b ce f1 de 77 a1 ]O+...w. +Decrypted outgoing payload: + 0000 27 00 32 00 18 00 2d 00 '.2...-. diff --git a/chiron.idl b/chiron.idl index 4795a3d..ecfade1 100644 --- a/chiron.idl +++ b/chiron.idl 
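Review bot: Both new log files commit a live protocol capture rather than code: the panel's account_code (the four bytes 0x33 0x35 0x30 0x30, ASCII "3500"), the per-session challenge digests and, in chiron-initial.log, the decrypted panel identity string and payload bytes are all stored verbatim. If that account code belongs to anything other than a disposable lab panel it presumably identifies a real site to the receiving centre, so it should be redacted or the captures kept out of the repository (for example a gitignored captures directory). Either way, a one-line header in each log stating where the capture came from and that the unit is a test device would make the intent clear to the next reader.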
@@ -9,12 +9,9 @@ interface chiron
 	CHIRON_CHALLENGE = 0x43, /* 'C' */
 	CHIRON_RESPONSE = 0x52, /* 'R' */
 	CHIRON_HANDSHAKE1 = 0x4B, /* 'K' */
-	0x48 & 0x3 ?
-	0x48 + 0x3 ?
-	0x48 ^ 0x3 ?
-	CHIRON_HANDSHAKE2 = 0x48, /* 'H' */
+	CHIRON_HANDSHAKE2 = 0x48, /* 'H' = Set new key */
 	CHIRON_ACK = 0x55, /* 'U' */
-	CHIRON_TRANSPARENT = 0x54 /* 'T' */
+	CHIRON_TRANSPARENT = 0x54, /* 'T' */
 	CHIRON_UNKNOWN_IN = 0x53 /* 'S' */
 } chiron_msg_type;
@@ -68,7 +65,7 @@ interface chiron
 	typedef [public,flag(LIBNDR_FLAG_NOALIGN)] struct {
 		uint8 length;
-		uint8 data[length];
+		uint8 data[length+6];
 	} chiron_msg_unknown;
 	typedef [nodiscriminant,public,flag(LIBNDR_FLAG_NOALIGN)] union {
@@ -78,6 +75,7 @@ interface chiron
 		[case(CHIRON_HANDSHAKE1)] chiron_msg_handshake1 handshake1;
 		[case(CHIRON_HANDSHAKE2)] chiron_msg_handshake2 handshake2;
 		[case(CHIRON_ACK)] chiron_msg_ack ack;
+		[case(CHIRON_UNKNOWN_IN)] chiron_msg_unknown unknown_in;
 		[default] chiron_msg_unknown unknown;
 	} chiron_msg_union;
diff --git a/chirond.c b/chirond.c
index 941ef39..ab2efda 100644
--- a/chirond.c
+++ b/chirond.c
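Review bot: The `+6` in `uint8 data[length+6];` (second hunk) is an unexplained constant, and it reappears as `unknown->length+6` in chirond.c, so the two definitions can silently drift apart. As far as the bytes of in_message3 in chirond.c's main show, the length byte 0x18 is followed by 30 bytes, six more than it declares, but nothing on the page says what those six bytes are. Add a comment on the field, e.g. `/* the length byte does not cover 6 trailing bytes of unknown purpose; derived from a single capture, unverified */`, and where pidl allows it give the 6 a named constant that the C side can reference too, so the assumption is visible and checked in one place.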
@@ -321,6 +321,25 @@ STATUS handle_chiron_msg_account(struct chiron_context *ctx, struct chiron_msg_a
 	return ST_OK;
 }
+STATUS handle_chiron_msg_unknown(struct chiron_context *ctx, struct chiron_msg_unknown *unknown) {
+	DATA_BLOB crypted, decrypted;
+	struct arcfour_ctx rc4;
+
+	/* Copy packet to crypted data blob */
+	crypted.length = unknown->length+6;
+	crypted.data = talloc_memdup(unknown, unknown->data, crypted.length);
+	NO_MEM_RETURN(crypted.data);
+	decrypted.data = talloc_array(unknown, uint8_t, crypted.length);
+	NO_MEM_RETURN(decrypted.data);
+	decrypted.length = crypted.length;
+
+	arcfour_set_key(&rc4, MD5_HASH_LEN, ctx->rc4key);
+	arcfour_crypt(&rc4, crypted.length, decrypted.data, crypted.data);
+	hexdump("Decrypted", decrypted.data, decrypted.length);
+
+	return ST_OK;
+}
+
 STATUS handle_message(struct chiron_context *ctx, DATA_BLOB data) {
 	struct chiron_message *msg = talloc(data.data, struct chiron_message);
@@ -385,6 +404,17 @@ STATUS handle_message(struct chiron_context *ctx, DATA_BLOB data) {
 			status = handle_chiron_msg_ack(ctx, ack);
 			break;
 		}
+		case CHIRON_UNKNOWN_IN: {
+			struct chiron_msg_unknown *unknown;
+			if (ctx->alt_format) {
+				unknown = talloc_memdup(alt_msg, &alt_msg->msg.unknown_in, sizeof(struct chiron_msg_unknown));
+			} else {
+				unknown = talloc_memdup(msg, &msg->msg.unknown_in, sizeof(struct chiron_msg_unknown));
+			}
+			status = handle_chiron_msg_unknown(ctx, unknown);
+
+			break;
+		}
 		default:
 			DEBUG(0, "Got unexpected message type: %s.", ndr_print_chiron_msg_type_enum(msg, msg->msg_type));
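Review bot: In the second hunk, `unknown` is handed to handle_chiron_msg_unknown straight out of talloc_memdup with no NULL check, and the handler dereferences `unknown->length` and `unknown->data` on its first lines, so an allocation failure becomes a NULL dereference instead of the early return that NO_MEM_RETURN gives elsewhere in the handler; add `NO_MEM_RETURN(unknown);` before the call. In the first hunk the intermediate `crypted` copy is redundant, since arcfour_crypt can read the input directly (`arcfour_crypt(&rc4, decrypted.length, decrypted.data, unknown->data);`), which removes one allocation and one failure path. The `+6` duplicates the constant in chiron.idl and should at least carry a comment pointing at that field definition, and because the function only hexdumps the plaintext and returns ST_OK unconditionally, a `/* TODO: parse and validate the decrypted payload */` would record that no validation happens here yet. Note also that the memdup copies only `sizeof(struct chiron_msg_unknown)`, so if pidl renders `data[length+6]` as a pointer the copy still aliases the buffer owned by msg/alt_msg — fine while the copy shares that talloc parent, but worth a comment.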
@@ -612,21 +642,21 @@ int main (int argc, char **argv) {
 	0x10, 0x39, 0xcc, 0x35, 0xb9, 0x08, 0x5a, 0x92, 0xd7, 0x2a, 0xd3, 0x07, 0x10, 0xae, 0x0d, 0xfc, 0x20, 0x01, 0x01 };
-	// Send handshake message
+	// Send new encryption key, apparently (why again?)
 	// Encrypted payload?: 07 2f b9 81 3d 0f 14 ac 59
 	const uint8_t out_message2[] = { 0x01, 0x01, 0x02, 0x00, 0x00, 0x0b, 0x48, 0x09, 0x75, 0x4a, 0x65, 0x60, 0x4a, 0x44, 0x3a, 0x6c, 0x5e };
-	// Receive something..
+	// Receive some shit.
 	const uint8_t in_message3[] = { 0x01, 0x01, 0x02, 0x01, 0x00, 0x1a, 0x53, 0x18, 0x51, 0x56, 0xe9, 0xd1, 0x47, 0x37, 0x60, 0x94, 0x46, 0xaa, 0x5d, 0x6b, 0x93, 0x63, 0x37, 0x6b, 0x81, 0xf4, 0xa3, 0x23, 0xab, 0x3f, 0xe4, 0x25, 0xdf, 0xd3, 0x2b, 0xb7, 0x2d, 0x82 };
-	//
+	const uint8_t out_message3[] = { 0x01, 0x01, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00 };
@@ -641,12 +671,18 @@ int main (int argc, char **argv) {
 	handle_message(client_ctx, data);
 	talloc_free(data.data);
+	/* Attempt at parsing out_message2 */
 	struct arcfour_ctx rc4;
 	arcfour_set_key(&rc4, MD5_HASH_LEN, client_ctx->rc4key);
 	uint8_t buf[sizeof(out_message2)] = {0};
 	arcfour_crypt(&rc4, sizeof(out_message2) - 8, buf, out_message2 + 8);
 	hexdump("Decrypted outgoing payload", buf, sizeof(out_message2) - 8);
+	data.data = talloc_memdup(client_ctx, in_message3, sizeof(in_message3));
+	data.length = sizeof(in_message3);
+	printf("%x %x\n", sizeof(in_message3), data.length);
+	handle_message(client_ctx, data);
+	talloc_free(data.data);
 	/*
 	 * Open up a TCP socket the Chiron port
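Review bot: `printf("%x %x\n", sizeof(in_message3), data.length);` in the second hunk passes a size_t (and data.length, which is assigned from a sizeof and so is presumably size_t as well) to `%x`, which expects unsigned int; that is undefined behaviour and on a 64-bit ABI the arguments no longer line up with the conversions. Use `printf("%zx %zx\n", sizeof(in_message3), data.length);`, or drop the line altogether since the two values are assigned to be equal one line earlier. The STATUS returned by handle_message is discarded for in_message3 exactly as for the call above it, so this matches the file's existing pattern, but it still hides a parse or decrypt failure in what is effectively the test driver; the enclosing main() starts and ends outside the hunk.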