Help decoding encrypted data from midea water boiler

[duchenpaul]

I am currently trying to rev engineering midea water boiler, and I have a question for you I saw you hard coded keys in security.py, may i ask where did you get it from,

appKey = '434a209a5ce141c3b726de067835d7f0'
signKey = 'xhdiwjnchekd4d512chdjx5d8e4c394D2D7S'

attached file is the data I dumped from sock.recvfrom(512) in cli.py, I'd be appreciate if you can help me

...
    for i in range(10):
        try:
            sock.sendto(BROADCAST_MSG, ("255.255.255.255", 6445))
            while True:
                data, addr = sock.recvfrom(512)
                m_ip = addr[0]
                _LOGGER.info('IP: {}'.format(m_ip))
                _LOGGER.info('data: {}'.format(data))
                with open('dump_enc.bin', 'wb') as f:
                    f.write(data)
                if len(data) >= 41 and m_ip not in found_devices:
                    m_id = convert_device_id_int(data[20:26].hex())
                    found_devices[m_ip] = m_id
                    data = data[40:40+64]
...

dump_enc.zip

[mac-zhou]

with open('dump_enc.bin', 'rb') as f:
        data = f.read()

from msmart.security import security
_security = security()
_security.aes_decrypt(data[48:176])

then, you can decrypt data, but this is discover broadcast data. try to traffic control data, that is tcp data (port is 6444)

[duchenpaul]

how did you find this, amazing! brute attack?

[duchenpaul]

This is what i got so far, need help to decrypt the rest, and I also need help to guide me sniffing the packets with the wireshark

[mac-zhou]

• i don't know the rest data.
• this is midea discover UDP data. You should not spend too much time here. You have to study the tcp data between ac device and phone or midea cloud.
• My library cannot decrypt the tcp data that start with 8370, that is new midea protocol .
• you can try to sniffing the packets between ac device and phone or midea cloud.

[duchenpaul]

问下怎么用tcpdump 抓包 我昨天抓了半天没抓到

[mac-zhou]

13