commit d04f7650bfc02741ff33114330385174305942ad
Author: Davide Depau
Date: Mon Nov 30 21:49:50 2020 +0100
Initial commit
diff --git a/build.gradle.kts b/build.gradle.kts
new file mode 100644
index 0000000..6c1068e
--- /dev/null
+++ b/build.gradle.kts
@@ -0,0 +1,33 @@
+import org.gradle.jvm.tasks.Jar
+
+plugins {
+ java
+ kotlin("jvm") version "1.4.20"
+}
+
+group = "org.example"
+version = "1.0-SNAPSHOT"
+
+repositories {
+ mavenCentral()
+}
+
+dependencies {
+ implementation(kotlin("stdlib"))
+ implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
+ implementation("com.xenomachina:kotlin-argparser:2.0.7")
+ implementation("org.fusesource.jansi:jansi:1.17.1")
+}
+
+val fatJar = task("fatJar", type = Jar::class) {
+ baseName = "${project.name}-fat"
+ // manifest Main-Class attribute is optional.
+ // (Used only to provide default main class for executable jar)
+ manifest {
+ attributes["Implementation-Title"] = "Gradle Jar File for Tapo Decrypt PoC"
+ attributes["Implementation-Version"] = version
+ attributes["Main-Class"] = "MainKt"
+ }
+ from(configurations.runtimeClasspath.get().map { if (it.isDirectory) it else zipTree(it) })
+ with(tasks["jar"] as CopySpec)
+}
\ No newline at end of file
diff --git a/gradle.properties b/gradle.properties
new file mode 100644
index 0000000..29e08e8
--- /dev/null
+++ b/gradle.properties
@@ -0,0 +1 @@
+kotlin.code.style=official
\ No newline at end of file
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
new file mode 100644
index 0000000..62d4c05
Binary files /dev/null and b/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 0000000..a4b4429
--- /dev/null
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.3-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
diff --git a/gradlew b/gradlew
new file mode 100755
index 0000000..fbd7c51
--- /dev/null
+++ b/gradlew
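Review bot: The wrapper configuration pins only a `distributionUrl`, so the Gradle distribution is downloaded and unpacked without any checksum comparison. Adding a line `distributionSha256Sum=<sha256 of gradle-6.3-bin.zip, taken from Gradle's published release checksums>` makes the wrapper refuse a tampered or substituted archive. The same commit also checks in `gradle/wrapper/gradle-wrapper.jar` as an opaque binary, which is worth comparing against the published wrapper checksum before the build is trusted.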
@@ -0,0 +1,185 @@ +#!/usr/bin/env sh + +# +# Copyright 2015 the original author or authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +## +## Gradle start up script for UN*X +## +############################################################################## + +# Attempt to set APP_HOME +# Resolve links: $0 may be a link +PRG="$0" +# Need this for relative symlinks. +while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`"/$link" + fi +done +SAVED="`pwd`" +cd "`dirname \"$PRG\"`/" >/dev/null +APP_HOME="`pwd -P`" +cd "$SAVED" >/dev/null + +APP_NAME="Gradle" +APP_BASE_NAME=`basename "$0"` + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD="maximum" + +warn () { + echo "$*" +} + +die () { + echo + echo "$*" + echo + exit 1 +} + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "`uname`" in + CYGWIN* ) + cygwin=true + ;; + Darwin* ) + darwin=true + ;; + MINGW* ) + msys=true + ;; + NONSTOP* ) + nonstop=true + ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD="java" + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then + MAX_FD_LIMIT=`ulimit -H -n` + if [ $? -eq 0 ] ; then + if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then + MAX_FD="$MAX_FD_LIMIT" + fi + ulimit -n $MAX_FD + if [ $? -ne 0 ] ; then + warn "Could not set maximum file descriptor limit: $MAX_FD" + fi + else + warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" + fi +fi + +# For Darwin, add options to specify how the application appears in the dock +if $darwin; then + GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" +fi + +# For Cygwin or MSYS, switch paths to Windows format before running java +if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then + APP_HOME=`cygpath --path --mixed "$APP_HOME"` + CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` + + JAVACMD=`cygpath --unix "$JAVACMD"` + + # We build the pattern for arguments to be converted via cygpath + ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` + SEP="" + for dir in $ROOTDIRSRAW ; do + ROOTDIRS="$ROOTDIRS$SEP$dir" + SEP="|" + done + OURCYGPATTERN="(^($ROOTDIRS))" + # Add a user-defined pattern to the cygpath arguments + if [ "$GRADLE_CYGPATTERN" != "" ] ; then + 
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" + fi + # Now convert the arguments - kludge to limit ourselves to /bin/sh + i=0 + for arg in "$@" ; do + CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` + CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option + + if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition + eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` + else + eval `echo args$i`="\"$arg\"" + fi + i=`expr $i + 1` + done + case $i in + 0) set -- ;; + 1) set -- "$args0" ;; + 2) set -- "$args0" "$args1" ;; + 3) set -- "$args0" "$args1" "$args2" ;; + 4) set -- "$args0" "$args1" "$args2" "$args3" ;; + 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; + 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; + 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; + 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; + 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; + esac +fi + +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " +} +APP_ARGS=`save "$@"` + +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..a9f778a --- /dev/null +++ b/gradlew.bat 
@@ -0,0 +1,104 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto init + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto init + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. 
+echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:init +@rem Get command-line arguments, handling Windows variants + +if not "%OS%" == "Windows_NT" goto win9xME_args + +:win9xME_args +@rem Slurp the command line arguments. +set CMD_LINE_ARGS= +set _SKIP=2 + +:win9xME_args_slurp +if "x%~1" == "x" goto execute + +set CMD_LINE_ARGS=%* + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/settings.gradle.kts b/settings.gradle.kts new file mode 100644 index 0000000..87dc622 --- /dev/null +++ b/settings.gradle.kts @@ -0,0 +1,2 @@ +rootProject.name = "tapo-decrypt-poc" + diff --git a/src/main/java/Aes.kt b/src/main/java/Aes.kt new file mode 100644 index 0000000..f7da4db --- /dev/null +++ b/src/main/java/Aes.kt 
@@ -0,0 +1,94 @@
+import java.security.InvalidAlgorithmParameterException
+import java.security.InvalidKeyException
+import java.security.NoSuchAlgorithmException
+import java.security.SecureRandom
+import javax.crypto.*
+import javax.crypto.spec.IvParameterSpec
+import javax.crypto.spec.SecretKeySpec
+
+class Aes {
+ private lateinit var encryptCipher: Cipher
+ private lateinit var decryptCipher: Cipher
+ private val encryptLock = Any()
+ private val decryptLock = Any()
+
+ constructor() {
+ try {
+ val key = generateKey()
+ val seed = SecureRandom().generateSeed(16)
+ val iv = IvParameterSpec(seed)
+ encryptCipher = Cipher.getInstance("AES/CBC/PKCS7Padding").apply {
+ init(Cipher.ENCRYPT_MODE, key, iv)
+ }
+ decryptCipher = Cipher.getInstance("AES/CBC/PKCS7Padding").apply {
+ init(Cipher.DECRYPT_MODE, key, iv)
+ }
+ } catch (e: Exception) {
+ e.printStackTrace()
+ }
+ }
+
+ constructor(keyArr: ByteArray, ivArr: ByteArray) {
+ try {
+ val key = SecretKeySpec(keyArr, "AES")
+ val iv = IvParameterSpec(ivArr)
+ encryptCipher = Cipher.getInstance("AES/CBC/PKCS7Padding").apply {
+ init(Cipher.ENCRYPT_MODE, key, iv)
+ }
+ decryptCipher = Cipher.getInstance("AES/CBC/PKCS7Padding").apply {
+ init(Cipher.DECRYPT_MODE, key, iv)
+ }
+ } catch (e: NoSuchAlgorithmException) {
+ e.printStackTrace()
+ } catch (e: NoSuchPaddingException) {
+ e.printStackTrace()
+ } catch (e: InvalidKeyException) {
+ e.printStackTrace()
+ } catch (e: InvalidAlgorithmParameterException) {
+ e.printStackTrace()
+ }
+ }
+
+ @Throws(InvalidAlgorithmParameterException::class, InvalidKeyException::class)
+ fun setKeyAndIV(keySpec: ByteArray, ivSpec: ByteArray) {
+ val secretKeySpec = SecretKeySpec(keySpec, "AES")
+ val ivParameterSpec = IvParameterSpec(ivSpec)
+ encryptCipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivParameterSpec)
+ decryptCipher.init(Cipher.DECRYPT_MODE, secretKeySpec, ivParameterSpec)
+ }
+
+ @Throws(BadPaddingException::class, ShortBufferException::class, IllegalBlockSizeException::class)
+ fun decrypt(input: ByteArray, output: ByteArray, inputLen: Int): Int {
+ var ret: Int
+ synchronized(decryptLock) { ret = decryptCipher.doFinal(input, 0, inputLen, output) }
+ return ret
+ }
+
+ @Throws(BadPaddingException::class, IllegalBlockSizeException::class)
+ fun decrypt(input: ByteArray, inputLen: Int): ByteArray {
+ var output: ByteArray
+ synchronized(decryptLock) { output = decryptCipher.doFinal(input, 0, inputLen) }
+ return output
+ }
+
+ @Throws(BadPaddingException::class, IllegalBlockSizeException::class)
+ fun decrypt(input: ByteArray): ByteArray {
+ var output: ByteArray
+ synchronized(decryptLock) { output = decryptCipher.doFinal(input, 0, input.size) }
+ return output
+ }
+
+ @Throws(BadPaddingException::class, IllegalBlockSizeException::class)
+ fun encrypt(input: ByteArray): ByteArray {
+ var output: ByteArray
+ synchronized(encryptLock) { output = encryptCipher.doFinal(input, 0, input.size) }
+ return output
+ }
+
+ @Throws(NoSuchAlgorithmException::class)
+ private fun generateKey(): SecretKey {
+ val instance = KeyGenerator.getInstance("AES")
+ instance.init(128)
+ return instance.generateKey()
+ }
+}
\ No newline at end of file
diff --git a/src/main/java/GenKey.java b/src/main/java/GenKey.java
new file mode 100644
index 0000000..30290f8
--- /dev/null
+++ b/src/main/java/GenKey.java
@@ -0,0 +1,12 @@
+public class GenKey {
+
+ /* renamed from: a */
+ public static String generateDefaultPsw() {
+ return "TPL075526460603";
+ }
+
+ /* renamed from: b */
+ public static String generateDefaultUsername() {
+ return "admin";
+ }
+}
\ No newline at end of file
diff --git a/src/main/java/StreamAesUtils.java b/src/main/java/StreamAesUtils.java
new file mode 100644
index 0000000..38fa09d
--- /dev/null
+++ b/src/main/java/StreamAesUtils.java
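Review bot: Both `Aes` constructors catch every cipher-setup exception and only call `e.printStackTrace()`, so a failed `Cipher.getInstance` leaves the `lateinit` ciphers unset and the first `encrypt`/`decrypt` call fails later with an unrelated uninitialized-property error. That path looks likely on a desktop JVM, because `AES/CBC/PKCS7Padding` is, as far as I know, not a name the default SunJCE provider registers (it exposes the same scheme as `PKCS5Padding`); please confirm on the target runtime. Let the exceptions propagate, or rethrow with `throw IllegalStateException(e)`, so the object is never handed out half-constructed. Separately, each cipher is initialised once and `doFinal` resets it to that state, so every `encrypt` call reuses the same IV under the same key; if that mirrors the device protocol, a comment saying so would keep it from being copied as a general pattern.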
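Review bot: The two literals returned by `generateDefaultPsw()` and `generateDefaultUsername()` in GenKey.java are undocumented, and the only comments are decompiler residue (`/* renamed from: a */`). Replace those with a Javadoc line such as `/** Fallback secret used for key derivation when the stream username is "none". */`, which is how `StreamAesUtils.fromUserNonceSuperSecretKey` in this commit uses it, and record where the value was obtained. `static final String` constants would express fixed values more clearly than methods.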
@@ -0,0 +1,49 @@
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.HashMap;
+import java.util.logging.Logger;
+
+public class StreamAesUtils {
+ private static final Logger logger = Logger.getLogger(StreamAesUtils.class.getName());
+
+ public static Aes generateFromExchangeKeyAndSuperSecretKey(String keyExchange, String superSecretKey) throws NoSuchAlgorithmException {
+ HashMap hashMap = new HashMap<>();
+ String[] params = keyExchange.split(" ");
+ for (String param : params) {
+ String[] keyVal = param.trim().split("=", 2);
+ if (!(keyVal.length != 2 || keyVal[0] == null || keyVal[1] == null)) {
+ String trim = keyVal[0].trim();
+ String trim2 = keyVal[1].replace("\"", "").trim();
+ hashMap.put(trim, trim2);
+ }
+ }
+ if (!hashMap.containsKey("nonce")) {
+ return null;
+ }
+ logger.info("cipher=" + (hashMap.get("cipher")));
+ logger.info("username=" + (hashMap.get("username")));
+ logger.info("padding=" + (hashMap.get("padding")));
+ logger.info("algorithm=" + (hashMap.get("algorithm")));
+ logger.info("nonce=" + (hashMap.get("nonce")));
+ return fromUserNonceSuperSecretKey(hashMap.get("username"), hashMap.get("nonce"), superSecretKey);
+ }
+
+ public static Aes fromUserNonceSuperSecretKey(String username, String nonce, String superSecretKey) throws NoSuchAlgorithmException {
+ if (GenKey.generateDefaultUsername().equals(username)) {
+ logger.info("AES use User Password");
+ } else if ("none".equals(username)) {
+ superSecretKey = GenKey.generateDefaultPsw();
+ } else {
+ logger.info("AES key-exchange unknown username");
+ return null;
+ }
+ byte[] md5 = md5Digest(nonce + ":" + superSecretKey);
+ return new Aes(md5, md5Digest(username + ":" + nonce));
+ }
+
+ private static byte[] md5Digest(String str) throws NoSuchAlgorithmException {
+ MessageDigest instance = MessageDigest.getInstance("MD5");
+ instance.update(str.getBytes());
+ return instance.digest();
+ }
+}
\ No newline at end of file
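Review bot: `fromUserNonceSuperSecretKey` never checks `superSecretKey` for null on the `admin` branch, so when no password is supplied the key is derived from the nonce followed by the literal text `:null`. The default password is substituted only when the username is `none`, although main.kt in this commit tells the user the default will be used. Reject a null secret on that branch with `if (superSecretKey == null) throw new IllegalArgumentException("password required for admin");`, or fall back explicitly. `md5Digest` also calls `str.getBytes()` with the platform default charset, so the derived key and IV can differ between machines for non-ASCII passwords; `str.getBytes(StandardCharsets.UTF_8)` pins it, assuming the device side uses UTF-8.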
diff --git a/src/main/java/ktx.kt b/src/main/java/ktx.kt
new file mode 100644
index 0000000..ebd90bd
--- /dev/null
+++ b/src/main/java/ktx.kt
@@ -0,0 +1,65 @@
+import java.io.IOException
+import java.io.InputStream
+import java.util.*
+
+@Throws(IOException::class)
+fun InputStream.readNBytesCompat(len: Int): ByteArray? {
+ require(len >= 0) { "len < 0" }
+ var bufs: MutableList? = null
+ var result: ByteArray? = null
+ var total = 0
+ var remaining = len
+ var n: Int
+ do {
+ val buf = ByteArray(remaining.coerceAtMost(8192))
+ var nread = 0
+
+ // read to EOF which may read more or less than buffer size
+ while (read(
+ buf, nread,
+ (buf.size - nread).coerceAtMost(remaining)
+ ).also { n = it } > 0
+ ) {
+ nread += n
+ remaining -= n
+ }
+ if (nread > 0) {
+ if (Int.MAX_VALUE - 8 - total < nread) {
+ throw OutOfMemoryError("Required array size too large")
+ }
+ total += nread
+ if (result == null) {
+ result = buf
+ } else {
+ if (bufs == null) {
+ bufs = ArrayList()
+ bufs.add(result)
+ }
+ bufs.add(buf)
+ }
+ }
+ // if the last call to read returned -1 or the number of bytes
+ // requested have been read then break
+ } while (n >= 0 && remaining > 0)
+ if (bufs == null) {
+ if (result == null) {
+ return ByteArray(0)
+ }
+ return if (result.size == total) result else Arrays.copyOf(result, total)
+ }
+ result = ByteArray(total)
+ var offset = 0
+ remaining = total
+ for (b in bufs) {
+ val count = b.size.coerceAtMost(remaining)
+ System.arraycopy(b, 0, result, offset, count)
+ offset += count
+ remaining -= count
+ }
+ return result
+}
+
+@Throws(IOException::class)
+fun InputStream.readAllBytesCompat(): ByteArray? {
+ return readNBytesCompat(Int.MAX_VALUE)
+}
\ No newline at end of file
diff --git a/src/main/java/main.kt b/src/main/java/main.kt
new file mode 100644
index 0000000..755123b
--- /dev/null
+++ b/src/main/java/main.kt
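Review bot: `readNBytesCompat` is declared as returning `ByteArray?`, but every return path in the hunk yields a non-null array (`ByteArray(0)`, `result`, or a copy of it), so the nullable type forces callers into a null check that can never fire. Declare both extension functions as returning `ByteArray`. A short KDoc stating that the function reads up to `len` bytes or until end of stream, and that `readAllBytesCompat` buffers the whole stream in memory, would document the contract callers rely on.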
@@ -0,0 +1,61 @@
+import com.xenomachina.argparser.ArgParser
+import com.xenomachina.argparser.default
+import com.xenomachina.argparser.mainBody
+import org.fusesource.jansi.internal.CLibrary.STDIN_FILENO
+import org.fusesource.jansi.internal.CLibrary.isatty
+import kotlin.system.exitProcess
+
+class Args(parser: ArgParser) {
+ val encrypt by parser.flagging("-e", "--encrypt", help = "Encrypt stdin instead of decrypting")
+
+ val keyExchange by parser
+ .storing("-k", "--key-exchange", help = "Key-Exchange header value, required if nonce is not provided")
+ .default(null)
+
+ val cloudPassword by parser
+ .storing("-p", "--password", help = "Cloud password, if camera has been provisioned")
+ .default(null)
+
+ val username by parser
+ .storing("-u", "--username", help = "User name, either admin or none. Default admin")
+ .default("admin")
+
+ val nonce by parser
+ .storing("-n", "--nonce", help = "Nonce, required if key-exchange is not provided")
+ .default(null)
+}
+
+fun main(args: Array) = mainBody {
+ ArgParser(args).parseInto(::Args).run {
+ if (keyExchange == null && nonce == null) {
+ println("Either the Key-Exchange or the nonce must be provided!")
+ exitProcess(1)
+ }
+ if (cloudPassword == null) {
+ println("Cloud password not provided, using the default one for unprovisioned cameras")
+ }
+ if (isatty(STDIN_FILENO) == 1) {
+ println("Data to ${if (encrypt) "encrypt" else "decrypt"} must be sent to standard input!")
+ exitProcess(1)
+ }
+ val toProcess = System.`in`.readAllBytesCompat()
+ if (toProcess == null) {
+ println("Unable to read data from stdin!")
+ exitProcess(1)
+ }
+
+ val aes = if (keyExchange != null) {
+ StreamAesUtils.generateFromExchangeKeyAndSuperSecretKey(keyExchange, cloudPassword)
+ } else {
+ StreamAesUtils.fromUserNonceSuperSecretKey(username, nonce, cloudPassword)
+ }
+
+ val output = if (encrypt) {
+ aes.encrypt(toProcess)
+ } else {
+ aes.decrypt(toProcess)
+ }
+
+ System.out.write(output)
+ }
+}
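Review bot: The notice `println("Cloud password not provided, using the default one for unprovisioned cameras")` goes to standard output, the same stream that `System.out.write(output)` fills with the result bytes, so any run without `-p` prepends a text line to the binary output. Send this and the other diagnostics to `System.err.println(...)` instead. In addition, `aes` comes from Java methods that return `null` for a missing nonce or an unrecognised username, and it is dereferenced unchecked; add `if (aes == null) { System.err.println("Unable to derive key"); exitProcess(1) }` before the `encrypt`/`decrypt` branch.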