B4J Question AES/ECB and IP camera

Star-Dust

Expert
Licensed User
Longtime User
Good morning everyone,

I have carefully followed this tutorial (read here) on the vulnerability of some IPCAMs. Not to spy on a CAM but rather I wanted to create my own client that hooked up to the CAM.

I got a good result in the search and identification phase of the CAM. But there is some hitch in accessing the credentials.

The sending of the password is encrypted with a second fixed password (macrovideo+*#!^@) and subsequently a third random password.
encryptedPassword = encrypt(randomKey2,(encrypt("macrovideo+*#!^@",plainPassword)))
The result that is displayed on the site is not what I get.

This is what the tutorial says
Data to be encrypted is: admin
Key is : macrovideo+*#!^@

Data to be encrypted is: ^8â*úeg¯Ê»F (16-byte)
Key is : U0658S51fbM5P60I
Data to be encrypted is: [?62;c (??-Byte)
I get this:
Data: admin
Key is: macrovideo+*#!^@
Data to be encrypted is: ^8â*úeg¯Ê»F <------------ OK 16-Byte
Key is: U0658S51fbM5P60I
Data to be encrypted is: RËRµç.¼NßZµ§)ğO2CĞÓ°SEyP <------------- WRONG 32-byte
The last encoding gives a different result.

Here is the code I used:
B4X:
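Dim C As Cipher
Dim key1, keyDemo As KeyGenerator ' declarations missing from the posted snippet
Dim pass1() As Byte = "macrovideo+*#!^@".GetBytes("UTF8")
Dim PassDemo() As Byte = "U0658S51fbM5P60I".GetBytes("UTF8")

' The transformation is not shown in the post; PKCS5 padding is assumed
' here because it matches the 16- and 32-byte results reported above.
C.Initialize("AES/ECB/PKCS5Padding")
key1.Initialize("AES")
key1.KeyFromBytes(pass1)
keyDemo.Initialize("AES")
keyDemo.KeyFromBytes(PassDemo)

' First layer: plain password under the fixed key
Dim b() As Byte = C.Encrypt("admin".GetBytes("UTF8"),key1.Key,False)
' Second layer: first-layer ciphertext under the demo key
Dim b2() As Byte = C.Encrypt(b,keyDemo.Key,False)

Log("Data: admin")
Log("Key is: " & BytesToString(pass1,0,pass1.Length,"UTF8"))
Log("Data to be encrypted is: " & BytesToString(b,0,b.Length,"ISO-8859-9"))
Log("Key is: " & BytesToString(PassDemo,0,PassDemo.Length,"UTF8"))
Log("Data to be encrypted is: " & BytesToString(b2,0,b2.Length,"ISO-8859-9"))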

Am I wrong or is the tutorial wrong?
It must be said that in the tutorial there is Python code that they say works.
 

Star-Dust

Expert
Licensed User
Longtime User
Have you tried running the Python code to verify that it works?
Not yet.

The Python source is for decrypting the packet to spy on passwords, but that's not my purpose. I would like to encrypt the passwords to create a client.

I would add an important detail: the result should be 16 bytes. I could see this by using the original app with a real device and listening to the broadcast with Wireshark.
With the double encoding in b4j the final result is 32 bytes.
 
Upvote 0

MicroDrie

Well-Known Member
Licensed User
The string length of the tutorial's "^8â*úeg¯Ê»F" is 11 chars. Besides, the display of the character code "�" is mostly the first indication of an "unprintable" character code for something wrong. The result of the data to be encrypted, "^8��*��eg�ʘ�F", is also extended from the example's 11 characters to 13 characters. So the result of your code is not OK, but WRONG.

B4X:
Log("Key is: " & BytesToString(PassDemo,0,PassDemo.Length,"UTF8"))

This approach, I think, is very similar to a bug that Erel pointed out earlier in another question:
You cannot convert a random array of bytes to string:

B4X:
 string_crypt = BytesToString(trasformobyte, 0, trasformobyte.Length, "UTF8")

These bytes do not represent a real string.

You can use StringUtils.EncodeBase64 to convert it to string.
I'm certainly no encryption expert, but there are several AES options possible where the result leads to a multiple of 16 bytes. If they are less than 16 characters, they are supplemented to 16 characters.

So there also seems to be something wrong with the compression of that multiple of 16 bytes to 11 bytes.
 
Upvote 0

Star-Dust

Expert
Licensed User
Longtime User
The string length of the tutorial's "^8â*úeg¯Ê»F" is 11 chars. Besides, the display of the character code "�" is mostly the first indication of an "unprintable" character code for something wrong. The result of the data to be encrypted, "^8��*��eg�ʘ�F", is also extended from the example's 11 characters to 13 characters. So the result of your code is not OK, but WRONG.

B4X:
Log("Key is: " & BytesToString(PassDemo,0,PassDemo.Length,"UTF8"))

This approach, I think, is very similar to a bug that Erel pointed out earlier in another question

I'm certainly no encryption expert, but there are several AES options possible where the result leads to a multiple of 16 bytes. If they are less than 16 characters, they are supplemented to 16 characters.

So there also seems to be something wrong with the compression of that multiple of 16 bytes to 11 bytes.
I think the result is ok, the difference is only related to the representation of the text. (try Windows-1252 or ISO-8859-9 ...)
In reality, I can confirm that the result is 16 bytes for the first encoding and 32 for the second, even if in the text representation they seem to be fewer characters.

This is how the 256-byte packet, which can be examined with Wireshark, is composed:
00-48 - Head (49)
49-80 - user (32)
81-96 - Encrypted-password (16)
97-255- Encrypt-key (160)
 
Upvote 0

MicroDrie

Well-Known Member
Licensed User
In reality, I can confirm that the result is 16 bytes for the first encoding and 32 for the second, even if in the text representation they seem to be fewer characters.
The encryption will always use blocks in multiples of 16 characters. Less than 16 characters are supplemented with zero characters and at exactly 16 characters a 16 character block is added to indicate those 16 characters.
I can't seem to get the same answer from the examples. We're doing something wrong somewhere. I don't think it has to do with a wrong character set because I can't get the answers right.
 
Upvote 0
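The 16-byte versus 32-byte difference discussed in this thread can be reproduced with the added example below, which is not code from any poster or from the tutorial. It assumes a non-UI B4J project with the Encryption and ByteConverter libraries referenced; EcbEncrypt and the variable names are hypothetical, and whether the camera expects an unpadded second layer is an assumption based only on the 16-byte field reported above.

```b4x
' Added example, not from the thread. Shows how the padding mode changes
' the length of the second AES/ECB layer. Output is logged as hex because
' ciphertext bytes are not text in any character set.
Sub Process_Globals
End Sub

' AES-encrypts Data with a raw 16-byte key using the given transformation.
Sub EcbEncrypt(Data() As Byte, KeyBytes() As Byte, Transformation As String) As Byte()
	Dim kg As KeyGenerator
	kg.Initialize("AES")
	kg.KeyFromBytes(KeyBytes)
	Dim c As Cipher
	c.Initialize(Transformation)
	Return c.Encrypt(Data, kg.Key, False) ' False: ECB takes no IV
End Sub

Sub AppStart (Args() As String)
	Dim bc As ByteConverter
	Dim fixedKey() As Byte = "macrovideo+*#!^@".GetBytes("UTF8")
	Dim demoKey() As Byte = "U0658S51fbM5P60I".GetBytes("UTF8") ' demo key quoted in the post

	' Layer 1: the 5-byte password is padded up to one full block (16 bytes).
	Dim inner() As Byte = EcbEncrypt("admin".GetBytes("UTF8"), fixedKey, "AES/ECB/PKCS5Padding")

	' Layer 2 with padding: the input is already exactly one block, so
	' PKCS5 appends a whole extra padding block and the result is 32 bytes.
	Dim padded() As Byte = EcbEncrypt(inner, demoKey, "AES/ECB/PKCS5Padding")

	' Layer 2 without padding: one block in, one block out (16 bytes).
	Dim raw() As Byte = EcbEncrypt(inner, demoKey, "AES/ECB/NoPadding")

	Log("inner  (" & inner.Length & " bytes): " & bc.HexFromBytes(inner))
	Log("padded (" & padded.Length & " bytes): " & bc.HexFromBytes(padded))
	Log("raw    (" & raw.Length & " bytes): " & bc.HexFromBytes(raw))

	' ECB encrypts each block independently, so the first 16 bytes
	' (32 hex digits) of the padded result are identical to the raw result.
	Dim sameFirstBlock As Boolean = (bc.HexFromBytes(padded).SubString2(0, 32) = bc.HexFromBytes(raw))
	Log("first block of padded equals raw: " & sameFirstBlock)
End Sub
```

Comparing the hex of `raw` with the 16-byte password field seen in a Wireshark capture of the original app is the way to check the no-padding assumption against a real device.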