Next time you find yourself reverse engineering a weird protocol, use ImHex. You can literally define patterns (in a C++/Rust-like language) so that your binary file gets highlighted and processed.
I can't recommend it enough - it's perfect for the job and it's free and Open Source.
Hey! fq author here. I have a bunch of related tools in the readme: https://github.com/wader/fq?tab=readme-ov-file#tools. Two suggestions: GNU poke and Wireshark (it can decode a lot more things than just network protocols).
I'm trying to reverse engineer a kind of simple TCP data stream. The values are tag-length-value for the most part, and I made a simple MITM proxy that prints known tags and their data values (the ones I was able to decipher) live, but I am doing the deciphering of known and unknown tags manually. I was wondering if there is some way to automate this?
I basically would be interested in automatic seen-tag tracking, replaying select tags many times to see if they are idempotent, replaying and modifying bytes on a select tag, and omitting a select tag and seeing how the client responds.
I guess I could find the socket receive function in the binary and see if the tag values are in a switch or something too, but like the original article, it's also new territory for me to read that.
I am just about to expand my mitm proxy with more code to inject/filter packets.
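An added example (not code from the commenter or from the blog post) of what the automation asked for above can look like: a TLV splitter, a tracker that records which tags have been seen and which ones never change value (the natural candidates for replay tests), and helpers that omit, replay or bit-flip a chosen tag before the frame is re-encoded. The framing (1-byte tag, 2-byte big-endian length) and the sample frames are assumptions, since the real protocol is not described in the thread.

```python
"""Added example (not code from the thread): a tag-length-value (TLV) toolkit for
probing an unknown TCP stream from a man-in-the-middle proxy.

Assumptions (the real protocol in the thread is unknown): tag = 1 byte,
length = 2 bytes big-endian, value = `length` bytes, records back to back.
"""
import struct
from collections import Counter

HDR = struct.Struct(">BH")  # tag, length


def parse_tlv(data: bytes) -> list[tuple[int, bytes]]:
    """Split a byte string into (tag, value) records; reject truncated input
    instead of silently returning a partial last record."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < HDR.size:
            raise ValueError(f"truncated header at offset {pos}")
        tag, length = HDR.unpack_from(data, pos)
        pos += HDR.size
        if len(data) - pos < length:
            raise ValueError(f"tag 0x{tag:02x} claims {length} bytes, only {len(data) - pos} left")
        records.append((tag, data[pos:pos + length]))
        pos += length
    return records


def encode_tlv(records) -> bytes:
    """Inverse of parse_tlv; the length prefix is always recomputed from the value."""
    return b"".join(HDR.pack(tag, len(value)) + value for tag, value in records)


class TagTracker:
    """Remember every tag seen, how often, and the distinct values it carried."""

    def __init__(self):
        self.counts = Counter()
        self.values = {}  # tag -> set of distinct values

    def observe(self, records):
        for tag, value in records:
            self.counts[tag] += 1
            self.values.setdefault(tag, set()).add(value)

    def constant_tags(self):
        """Tags whose value never varied: candidates for idempotent-replay tests."""
        return sorted(t for t, vs in self.values.items() if len(vs) == 1)


def omit_tag(records, tag):
    """Drop every record carrying `tag` (to see how the client copes without it)."""
    return [r for r in records if r[0] != tag]


def replay_tag(records, tag, times):
    """Repeat every record carrying `tag` so it appears `times` times in a row."""
    out = []
    for r in records:
        out.extend([r] * (times if r[0] == tag else 1))
    return out


def mutate_tag(records, tag, offset, xor_mask=0xFF):
    """Flip bits at `offset` inside the value of every record carrying `tag`;
    re-encoding recomputes the length, so the frame stays well-formed."""
    out = []
    for t, v in records:
        if t == tag and offset < len(v):
            v = v[:offset] + bytes([v[offset] ^ xor_mask]) + v[offset + 1:]
        out.append((t, v))
    return out


# Constructed sample frames (not captured from any real device).
FRAME_A = encode_tlv([(0x01, b"\x00\x01"), (0x10, b"hello"), (0x20, b"\x00\x00\x00\x2a")])
FRAME_B = encode_tlv([(0x01, b"\x00\x01"), (0x10, b"world"), (0x20, b"\x00\x00\x00\x2b")])


def demo():
    """Observe two frames, then build the three kinds of modified frame from the first."""
    tracker = TagTracker()
    for frame in (FRAME_A, FRAME_B):
        tracker.observe(parse_tlv(frame))
    recs = parse_tlv(FRAME_A)
    return {
        "seen": dict(tracker.counts),
        "constant": tracker.constant_tags(),
        "omitted": encode_tlv(omit_tag(recs, 0x10)),
        "replayed": encode_tlv(replay_tag(recs, 0x20, 3)),
        "mutated": encode_tlv(mutate_tag(recs, 0x20, 3)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In a proxy, `parse_tlv` runs on each direction's buffer, `TagTracker.observe` runs on every frame, and one of the three modifiers is applied to the client-bound frame before `encode_tlv` writes it out; the truncation check matters because a frame split across two TCP reads looks exactly like a malformed one.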
Just coming here to say this. I was reversing a license file for some software so I could play with it yesterday, and I could implement the encryption/decryption code directly in the data processor of ImHex. Such a time saver.
He mentioned having a private, firewalled VLAN. Is there anywhere to get more info or example setups for the beginner homelabber? I've got Unifi gear, I poke around the interface. I realize I can make new VLANs, but what makes them isolated/private?
Also, I see his complaints about half-assed security, but I actually am kind of relieved. If the security was implemented well we wouldn't be able to make our own man-in-the-middle Prometheus exporters!
A VLAN is private/isolated to the extent that you don't route it to other networks. You could just block traffic between that VLAN and the WAN, or even potentially between it and any other VLANs on your LAN.
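As an added example (not from the thread and not UniFi configuration), here is what that answer looks like spelled out as nftables rules on a Linux router: the IoT VLAN cannot open connections to the WAN or to any other VLAN, while a trusted VLAN can still reach into it and get replies back. The interface names (vlan10 = trusted LAN, vlan20 = IoT, eth0 = WAN) are assumptions; on UniFi gear the same thing is expressed as per-network firewall rules in the controller.

```nft
# Added example, not from the thread: forward-chain rules that make vlan20 a
# "private, firewalled" IoT VLAN. Interface names are assumptions.
table inet iot_isolation {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies to flows that a trusted host opened toward an IoT device
        ct state established,related accept

        # Trusted LAN may talk into the IoT VLAN (scrape an exporter, push firmware)
        iifname "vlan10" oifname "vlan20" accept

        # Nothing the IoT VLAN initiates leaves it: not to the WAN, not to other VLANs.
        # The first rule only exists to count WAN attempts separately; the second drops the rest.
        iifname "vlan20" oifname "eth0" counter drop comment "iot-to-wan"
        iifname "vlan20" counter drop comment "iot-to-other-vlans"
    }
}
```

The two counters are the practical check: after a day, `nft list table inet iot_isolation` shows how often each device tried to phone home or wander into another VLAN, which is also how you notice a device that stops working because it needed something (DNS, NTP) you have to allow explicitly.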
> This exercise has reinforced my prejudice that IoT devices are horribly insecure.
Generally I agree with this assessment for home IoT devices, but I'm curious whether this holds true for industrial or transportation. Can someone point me to blogs or studies on Chinese EV security?
The device appears to support the Serial Peripheral Interface protocol, which Scott discovered (and others before him too: https://mlug-au.org/lib/exe/fetch.php?media=20210726-goodwe....). He did this by poking around with nmap for open ports, discovering that the telnet port is open, and then trying to talk to the device with telnet.
"spi rd" is a command that can be used to dump some data from the device, as you can read in my linked presentation.
And the one-liner Scott has in the blog just automates the following process:
1. logging in to the device over telnet with admin/admin
2. issuing the telnet command "spi rd 0 2097152"
3. capturing its output into a file, while also viewing it on standard output at the same time
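The three steps above, as an added example written for this thread (it is not the blog's one-liner and not the presenter's code): a small expect-style loop over a raw TCP socket that waits for each prompt, sends the reply, and tees everything the device returns to a file and to stdout. The device address and the prompt strings (`login:`, `assword:`, `#`) are assumptions; only the credentials and the `spi rd 0 2097152` command come from the thread. Telnet option negotiation is not handled, so a device that insists on it needs a real telnet client or `expect` instead.

```python
"""Added example (not the blog's one-liner): drive a telnet-style login and a
command over a raw socket, teeing all device output to a file and to stdout.
Host and prompt strings are assumptions; check the real prompts by hand first.
"""
import socket
import sys
from typing import Callable

HOST, PORT = "192.168.1.50", 23       # assumed address, not from the thread
USER, PASSWORD = b"admin", b"admin"   # default credentials mentioned in the thread
DUMP_CMD = b"spi rd 0 2097152"        # command from the thread

# (prompt fragment to wait for, line to send once it appears); prompts are assumed
STEPS = [
    (b"login:", USER),
    (b"assword:", PASSWORD),
    (b"#", DUMP_CMD),
]


def drive(recv: Callable[[], bytes], send: Callable[[bytes], None],
          steps, log: Callable[[bytes], None]) -> None:
    """Expect/send loop. Every received chunk is logged before it is inspected,
    so the dump is captured even if prompt matching goes wrong later."""
    buf = b""
    for prompt, reply in steps:
        while prompt not in buf:
            chunk = recv()
            if not chunk:
                raise ConnectionError(f"no data while waiting for {prompt!r}")
            log(chunk)
            buf += chunk
        buf = b""                 # forget the banner/prompt before the next step
        send(reply + b"\r\n")
    # After the last command, drain until the device closes or goes idle.
    while True:
        chunk = recv()
        if not chunk:
            break
        log(chunk)


def socket_recv(sock: socket.socket) -> Callable[[], bytes]:
    """Adapt socket.recv so an idle timeout reads as end-of-output (b"")."""
    def recv() -> bytes:
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""
    return recv


def run_fake_session(device_chunks):
    """Exercise drive() against a scripted device transcript (for offline testing).
    Returns (lines sent to the device, bytes captured from it)."""
    chunks = list(device_chunks)
    sent, captured = [], bytearray()
    drive(lambda: chunks.pop(0) if chunks else b"", sent.append, STEPS, captured.extend)
    return sent, bytes(captured)


def main(path: str) -> None:
    with open(path, "wb") as out, socket.create_connection((HOST, PORT), timeout=10) as sock:
        sock.settimeout(30)       # a 2 MiB dump takes a while; a long idle gap ends the session

        def log(chunk: bytes) -> None:
            out.write(chunk)
            sys.stdout.buffer.write(chunk)
            sys.stdout.buffer.flush()

        drive(socket_recv(sock), sock.sendall, STEPS, log)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "spi_dump.txt")
```

The captured file still contains the login banner, the echoed commands and the prompt, so the hex dump has to be cut out and converted to binary afterwards; keeping the raw transcript rather than only the parsed bytes means a parsing mistake can be fixed without re-reading the flash.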
I think `spi rd 0 2097152` is probably something in the telnet prompt that reads values from an SPI flash; the two numbers seem to be the start and end of the range.
This reads similarly to an intercom I am still in the process of trying to write a client for: https://grdw.nl/2023/01/28/my-intercom-part-1.html . Seeing nmap, Wireshark, poor security. It definitely feels the same.
I only buy IoT devices with security so garbage that I can make them do my bidding and not somebody else's.
Hopefully a market for these devices remains thriving. It would suck if it wasn't possible to flash the firmware of a robot vacuum cleaner (et al) so that it becomes a LAN device.
MIPS? Wow. Would not have expected that! I guess they went as low budget as possible.
That key tho. /facepalm/ They REALLY don't care about security. Seriously, at least get PSA level 1 FFS and use TLS. But I doubt a cheap-ass MIPS has the horsepower for a handshake.
In the 90s I was told to figure out what was wrong with the big radio-controlled port at a local industrial site. I don't remember what was wrong with it, but after digging into the manual and the equipment I realized the whole factory was protected by a four-bit code set with DIP switches on a circuit board. I guess it was supposed to be used to select which port to open with the remote, but it was all that was stopping anyone from opening the door at all.
I know some MediaTek WLAN chips come with MIPS cores clocked at more or less 1 GHz, like the MT7621. TLS should be trivial; I believe what matters is how much time/money/design effort the company is willing to spend on security.
https://imhex.werwolv.net/