Lua - Controlling your Panasonic TV.

I’ve been trying to get this to work for a while now, and hopefully I’m getting closer, but I’m still grateful for any help.

Using Lua, I can get the XML back from the TV and extract the Challenge_key

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:X_DisplayPinCodeResponse xmlns:u="urn:panasonic-com:service:p00NetworkControl:1">
   <X_ChallengeKey>iL9XqQOMfkFWz2rvh0Xm+w==</X_ChallengeKey>
  </u:X_DisplayPinCodeResponse>
 </s:Body>
</s:Envelope>

It seems I then need to encode that in Base64, which would be this..

local mime = require("mime")
local challenge_key = "iL9XqQOMfkFWz2rvh0Xm+w=="
local challenge_Key_b64 = mime.b64(challenge_key)
print (challenge_Key_b64)

Which gives me this..

aUw5WHFRT01ma0ZXejJydmgwWG0rdz09

To then get the key which I assume is the real encryption key, it looks like I would do the following…

local bit = require("bit")

local challenge_Key_b64 = "aUw5WHFRT01ma0ZXejJydmgwWG0rdz09"
local challengekey_vals = { challenge_Key_b64:byte(1, -1) }
local key_vals = {}

for i = 1, 16, 4 do
    key_vals[ i ] = bit.band(bit.bnot(challengekey_vals[ i + 3 ]), 0xFF)
    key_vals[ i + 1 ] = bit.band(bit.bnot(challengekey_vals[ i + 2 ]), 0xFF)
    key_vals[ i + 2 ] = bit.band(bit.bnot(challengekey_vals[ i + 1 ]), 0xFF)
    key_vals[ i + 3 ] = bit.band(bit.bnot(challengekey_vals[ i ]), 0xFF)
end

local key = string.char(unpack(key_vals))
print(key)

Which give me this..

Êˆªž¹·¨’ÎÏ«§¥Ïž

I’m conscious at this point that I’m using a web based Lua IDE, so I’m not sure if the values returned are accurate, so rather than B64 can I use HEX ?

Continuing on, to get the hmac_val it looks like I need to use the same challengekey_vals to generate the hmac_key

local bit = require("bit")
local binascii = require("binascii")

local challengekey_64 = "aUw5WHFRT01ma0ZXejJydmgwWG0rdz09" 
local challengekey_vals = { challengekey_64:byte(1, -1) }

local hmac_key_mask = binascii.unhexlify('15C95AC2B08AA7EB4E228F811E34D04FA54BA7DCAC9879FA8ACDA3FC244F3854')
local hmac_key_mask_vals = { hmac_key_mask:byte(1, -1) }
local hmac_vals = {}

for i = 1, 32, 4 do
    hmac_vals[ i ] = bit.bxor(hmac_key_mask_vals[ i ], challengekey_vals[ bit.band(i + 1, 0xF) + 1 ])
    hmac_vals[ i + 1 ] = bit.bxor(hmac_key_mask_vals[ i + 1 ], challengekey_vals[ bit.band(i + 2, 0xF) + 1 ])
    hmac_vals[ i + 2 ] = bit.bxor(hmac_key_mask_vals[ i + 2 ], challengekey_vals[ bit.band(i - 1, 0xF) + 1 ])
    hmac_vals[ i + 3 ] = bit.bxor(hmac_key_mask_vals[ i + 3 ], challengekey_vals[ bit.band(i, 0xF) + 1 ])
end

local hmac_key = string.char(unpack(hmac_vals))
print(hmac_key)

Which give me this…

bü;—öØð£OÛ±Dl±Ò~Æ‰êÊ.²» ÷Ì~Yd

And then I think to get the IV, i would do the following.

local bit = require("bit")

local payload = '000000000000' -- First 12 bytes are randomised
local pincode = "<X_PinCode>1234</X_PinCode>"  -- Next 4 bytes are from the pincode prompted by the TV
n = #pincode

payload = payload .. string.char(bit.band(bit.rshift(n, 24), 0xFF))
payload = payload .. string.char(bit.band(bit.rshift(n, 16), 0xFF))
payload = payload .. string.char(bit.band(bit.rshift(n, 8), 0xFF))
payload = payload .. string.char(bit.band(n, 0xFF))
payload = payload .. pincode

local iv = payload
print(iv)

Which returns this ..

0000000000001234

Does all of the above look correct to create the 3 items needed below.. ?

Key = Êˆªž¹·¨’ÎÏ«§¥Ïž
HMAC_KEY = bü;—öØð£OÛ±Dl±Ò~Æ‰êÊ.²» ÷Ì~Yd IV = 0000000000001234

florianholzapfel / panasonic-viera

Lua - Controlling your Panasonic TV. #45