Initial commit

This commit is contained in:
Davide Depau 2020-11-30 21:49:50 +01:00
commit d04f7650bf
12 changed files with 611 additions and 0 deletions

33
build.gradle.kts Normal file
View file

@ -0,0 +1,33 @@
import org.gradle.jvm.tasks.Jar
plugins {
java
kotlin("jvm") version "1.4.20"
}
group = "org.example"
version = "1.0-SNAPSHOT"
repositories {
mavenCentral()
}
dependencies {
implementation(kotlin("stdlib"))
implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
implementation("com.xenomachina:kotlin-argparser:2.0.7")
implementation("org.fusesource.jansi:jansi:1.17.1")
}
val fatJar = task("fatJar", type = Jar::class) {
baseName = "${project.name}-fat"
// manifest Main-Class attribute is optional.
// (Used only to provide default main class for executable jar)
manifest {
attributes["Implementation-Title"] = "Gradle Jar File for Tapo Decrypt PoC"
attributes["Implementation-Version"] = version
attributes["Main-Class"] = "MainKt"
}
from(configurations.runtimeClasspath.get().map { if (it.isDirectory) it else zipTree(it) })
with(tasks["jar"] as CopySpec)
}

1
gradle.properties Normal file
View file

@ -0,0 +1 @@
kotlin.code.style=official

BIN
gradle/wrapper/gradle-wrapper.jar vendored Normal file

Binary file not shown.

View file

@ -0,0 +1,5 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-6.3-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists

185
gradlew vendored Executable file
View file

@ -0,0 +1,185 @@
#!/usr/bin/env sh
#
# Copyright 2015 the original author or authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
##############################################################################
##
## Gradle start up script for UN*X
##
##############################################################################
# Attempt to set APP_HOME
# Resolve links: $0 may be a link
PRG="$0"
# Need this for relative symlinks.
while [ -h "$PRG" ] ; do
ls=`ls -ld "$PRG"`
link=`expr "$ls" : '.*-> \(.*\)$'`
if expr "$link" : '/.*' > /dev/null; then
PRG="$link"
else
PRG=`dirname "$PRG"`"/$link"
fi
done
SAVED="`pwd`"
cd "`dirname \"$PRG\"`/" >/dev/null
APP_HOME="`pwd -P`"
cd "$SAVED" >/dev/null
APP_NAME="Gradle"
APP_BASE_NAME=`basename "$0"`
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD="maximum"
warn () {
echo "$*"
}
die () {
echo
echo "$*"
echo
exit 1
}
# OS specific support (must be 'true' or 'false').
cygwin=false
msys=false
darwin=false
nonstop=false
case "`uname`" in
CYGWIN* )
cygwin=true
;;
Darwin* )
darwin=true
;;
MINGW* )
msys=true
;;
NONSTOP* )
nonstop=true
;;
esac
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
# Determine the Java command to use to start the JVM.
if [ -n "$JAVA_HOME" ] ; then
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
# IBM's JDK on AIX uses strange locations for the executables
JAVACMD="$JAVA_HOME/jre/sh/java"
else
JAVACMD="$JAVA_HOME/bin/java"
fi
if [ ! -x "$JAVACMD" ] ; then
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
else
JAVACMD="java"
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
# Increase the maximum file descriptors if we can.
if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
MAX_FD_LIMIT=`ulimit -H -n`
if [ $? -eq 0 ] ; then
if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
MAX_FD="$MAX_FD_LIMIT"
fi
ulimit -n $MAX_FD
if [ $? -ne 0 ] ; then
warn "Could not set maximum file descriptor limit: $MAX_FD"
fi
else
warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
fi
fi
# For Darwin, add options to specify how the application appears in the dock
if $darwin; then
GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
fi
# For Cygwin or MSYS, switch paths to Windows format before running java
if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
APP_HOME=`cygpath --path --mixed "$APP_HOME"`
CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
JAVACMD=`cygpath --unix "$JAVACMD"`
# We build the pattern for arguments to be converted via cygpath
ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
SEP=""
for dir in $ROOTDIRSRAW ; do
ROOTDIRS="$ROOTDIRS$SEP$dir"
SEP="|"
done
OURCYGPATTERN="(^($ROOTDIRS))"
# Add a user-defined pattern to the cygpath arguments
if [ "$GRADLE_CYGPATTERN" != "" ] ; then
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
fi
# Now convert the arguments - kludge to limit ourselves to /bin/sh
i=0
for arg in "$@" ; do
CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
else
eval `echo args$i`="\"$arg\""
fi
i=`expr $i + 1`
done
case $i in
0) set -- ;;
1) set -- "$args0" ;;
2) set -- "$args0" "$args1" ;;
3) set -- "$args0" "$args1" "$args2" ;;
4) set -- "$args0" "$args1" "$args2" "$args3" ;;
5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
esac
fi
# Escape application args
save () {
for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
echo " "
}
APP_ARGS=`save "$@"`
# Collect all arguments for the java command, following the shell quoting and substitution rules
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
exec "$JAVACMD" "$@"

104
gradlew.bat vendored Normal file
View file

@ -0,0 +1,104 @@
@rem
@rem Copyright 2015 the original author or authors.
@rem
@rem Licensed under the Apache License, Version 2.0 (the "License");
@rem you may not use this file except in compliance with the License.
@rem You may obtain a copy of the License at
@rem
@rem https://www.apache.org/licenses/LICENSE-2.0
@rem
@rem Unless required by applicable law or agreed to in writing, software
@rem distributed under the License is distributed on an "AS IS" BASIS,
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@if "%DEBUG%" == "" @echo off
@rem ##########################################################################
@rem
@rem Gradle startup script for Windows
@rem
@rem ##########################################################################
@rem Set local scope for the variables with windows NT shell
if "%OS%"=="Windows_NT" setlocal
set DIRNAME=%~dp0
if "%DIRNAME%" == "" set DIRNAME=.
set APP_BASE_NAME=%~n0
set APP_HOME=%DIRNAME%
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
@rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome
set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1
if "%ERRORLEVEL%" == "0" goto init
echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:findJavaFromJavaHome
set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
if exist "%JAVA_EXE%" goto init
echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:init
@rem Get command-line arguments, handling Windows variants
if not "%OS%" == "Windows_NT" goto win9xME_args
:win9xME_args
@rem Slurp the command line arguments.
set CMD_LINE_ARGS=
set _SKIP=2
:win9xME_args_slurp
if "x%~1" == "x" goto execute
set CMD_LINE_ARGS=%*
:execute
@rem Setup the command line
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
@rem Execute Gradle
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
:end
@rem End local scope for the variables with windows NT shell
if "%ERRORLEVEL%"=="0" goto mainEnd
:fail
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
rem the _cmd.exe /c_ return code!
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
exit /b 1
:mainEnd
if "%OS%"=="Windows_NT" endlocal
:omega

2
settings.gradle.kts Normal file
View file

@ -0,0 +1,2 @@
rootProject.name = "tapo-decrypt-poc"

94
src/main/java/Aes.kt Normal file
View file

@ -0,0 +1,94 @@
import java.security.InvalidAlgorithmParameterException
import java.security.InvalidKeyException
import java.security.NoSuchAlgorithmException
import java.security.SecureRandom
import javax.crypto.*
import javax.crypto.spec.IvParameterSpec
import javax.crypto.spec.SecretKeySpec
class Aes {
private lateinit var encryptCipher: Cipher
private lateinit var decryptCipher: Cipher
private val encryptLock = Any()
private val decryptLock = Any()
constructor() {
try {
val key = generateKey()
val seed = SecureRandom().generateSeed(16)
val iv = IvParameterSpec(seed)
encryptCipher = Cipher.getInstance("AES/CBC/PKCS7Padding").apply {
init(Cipher.ENCRYPT_MODE, key, iv)
}
decryptCipher = Cipher.getInstance("AES/CBC/PKCS7Padding").apply {
init(Cipher.DECRYPT_MODE, key, iv)
}
} catch (e: Exception) {
e.printStackTrace()
}
}
constructor(keyArr: ByteArray, ivArr: ByteArray) {
try {
val key = SecretKeySpec(keyArr, "AES")
val iv = IvParameterSpec(ivArr)
encryptCipher = Cipher.getInstance("AES/CBC/PKCS7Padding").apply {
init(Cipher.ENCRYPT_MODE, key, iv)
}
decryptCipher = Cipher.getInstance("AES/CBC/PKCS7Padding").apply {
init(Cipher.DECRYPT_MODE, key, iv)
}
} catch (e: NoSuchAlgorithmException) {
e.printStackTrace()
} catch (e: NoSuchPaddingException) {
e.printStackTrace()
} catch (e: InvalidKeyException) {
e.printStackTrace()
} catch (e: InvalidAlgorithmParameterException) {
e.printStackTrace()
}
}
@Throws(InvalidAlgorithmParameterException::class, InvalidKeyException::class)
fun setKeyAndIV(keySpec: ByteArray, ivSpec: ByteArray) {
val secretKeySpec = SecretKeySpec(keySpec, "AES")
val ivParameterSpec = IvParameterSpec(ivSpec)
encryptCipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivParameterSpec)
decryptCipher.init(Cipher.DECRYPT_MODE, secretKeySpec, ivParameterSpec)
}
@Throws(BadPaddingException::class, ShortBufferException::class, IllegalBlockSizeException::class)
fun decrypt(input: ByteArray, output: ByteArray, inputLen: Int): Int {
var ret: Int
synchronized(decryptLock) { ret = decryptCipher.doFinal(input, 0, inputLen, output) }
return ret
}
@Throws(BadPaddingException::class, IllegalBlockSizeException::class)
fun decrypt(input: ByteArray, inputLen: Int): ByteArray {
var output: ByteArray
synchronized(decryptLock) { output = decryptCipher.doFinal(input, 0, inputLen) }
return output
}
@Throws(BadPaddingException::class, IllegalBlockSizeException::class)
fun decrypt(input: ByteArray): ByteArray {
var output: ByteArray
synchronized(decryptLock) { output = decryptCipher.doFinal(input, 0, input.size) }
return output
}
@Throws(BadPaddingException::class, IllegalBlockSizeException::class)
fun encrypt(input: ByteArray): ByteArray {
var output: ByteArray
synchronized(encryptLock) { output = encryptCipher.doFinal(input, 0, input.size) }
return output
}
@Throws(NoSuchAlgorithmException::class)
private fun generateKey(): SecretKey {
val instance = KeyGenerator.getInstance("AES")
instance.init(128)
return instance.generateKey()
}
}

12
src/main/java/GenKey.java Normal file
View file

@ -0,0 +1,12 @@
public class GenKey {
/* renamed from: a */
public static String generateDefaultPsw() {
return "TPL075526460603";
}
/* renamed from: b */
public static String generateDefaultUsername() {
return "admin";
}
}

View file

@ -0,0 +1,49 @@
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.logging.Logger;
public class StreamAesUtils {
private static final Logger logger = Logger.getLogger(StreamAesUtils.class.getName());
public static Aes generateFromExchangeKeyAndSuperSecretKey(String keyExchange, String superSecretKey) throws NoSuchAlgorithmException {
HashMap<String, String> hashMap = new HashMap<>();
String[] params = keyExchange.split(" ");
for (String param : params) {
String[] keyVal = param.trim().split("=", 2);
if (!(keyVal.length != 2 || keyVal[0] == null || keyVal[1] == null)) {
String trim = keyVal[0].trim();
String trim2 = keyVal[1].replace("\"", "").trim();
hashMap.put(trim, trim2);
}
}
if (!hashMap.containsKey("nonce")) {
return null;
}
logger.info("cipher=" + (hashMap.get("cipher")));
logger.info("username=" + (hashMap.get("username")));
logger.info("padding=" + (hashMap.get("padding")));
logger.info("algorithm=" + (hashMap.get("algorithm")));
logger.info("nonce=" + (hashMap.get("nonce")));
return fromUserNonceSuperSecretKey(hashMap.get("username"), hashMap.get("nonce"), superSecretKey);
}
public static Aes fromUserNonceSuperSecretKey(String username, String nonce, String superSecretKey) throws NoSuchAlgorithmException {
if (GenKey.generateDefaultUsername().equals(username)) {
logger.info("AES use User Password");
} else if ("none".equals(username)) {
superSecretKey = GenKey.generateDefaultPsw();
} else {
logger.info("AES key-exchange unknown username");
return null;
}
byte[] md5 = md5Digest(nonce + ":" + superSecretKey);
return new Aes(md5, md5Digest(username + ":" + nonce));
}
private static byte[] md5Digest(String str) throws NoSuchAlgorithmException {
MessageDigest instance = MessageDigest.getInstance("MD5");
instance.update(str.getBytes());
return instance.digest();
}
}

65
src/main/java/ktx.kt Normal file
View file

@ -0,0 +1,65 @@
import java.io.IOException
import java.io.InputStream
import java.util.*
@Throws(IOException::class)
fun InputStream.readNBytesCompat(len: Int): ByteArray? {
require(len >= 0) { "len < 0" }
var bufs: MutableList<ByteArray>? = null
var result: ByteArray? = null
var total = 0
var remaining = len
var n: Int
do {
val buf = ByteArray(remaining.coerceAtMost(8192))
var nread = 0
// read to EOF which may read more or less than buffer size
while (read(
buf, nread,
(buf.size - nread).coerceAtMost(remaining)
).also { n = it } > 0
) {
nread += n
remaining -= n
}
if (nread > 0) {
if (Int.MAX_VALUE - 8 - total < nread) {
throw OutOfMemoryError("Required array size too large")
}
total += nread
if (result == null) {
result = buf
} else {
if (bufs == null) {
bufs = ArrayList()
bufs.add(result)
}
bufs.add(buf)
}
}
// if the last call to read returned -1 or the number of bytes
// requested have been read then break
} while (n >= 0 && remaining > 0)
if (bufs == null) {
if (result == null) {
return ByteArray(0)
}
return if (result.size == total) result else Arrays.copyOf(result, total)
}
result = ByteArray(total)
var offset = 0
remaining = total
for (b in bufs) {
val count = b.size.coerceAtMost(remaining)
System.arraycopy(b, 0, result, offset, count)
offset += count
remaining -= count
}
return result
}
@Throws(IOException::class)
fun InputStream.readAllBytesCompat(): ByteArray? {
return readNBytesCompat(Int.MAX_VALUE)
}

61
src/main/java/main.kt Normal file
View file

@ -0,0 +1,61 @@
import com.xenomachina.argparser.ArgParser
import com.xenomachina.argparser.default
import com.xenomachina.argparser.mainBody
import org.fusesource.jansi.internal.CLibrary.STDIN_FILENO
import org.fusesource.jansi.internal.CLibrary.isatty
import kotlin.system.exitProcess
class Args(parser: ArgParser) {
val encrypt by parser.flagging("-e", "--encrypt", help = "Encrypt stdin instead of decrypting")
val keyExchange by parser
.storing("-k", "--key-exchange", help = "Key-Exchange header value, required if nonce is not provided")
.default<String?>(null)
val cloudPassword by parser
.storing("-p", "--password", help = "Cloud password, if camera has been provisioned")
.default<String?>(null)
val username by parser
.storing("-u", "--username", help = "User name, either admin or none. Default admin")
.default<String>("admin")
val nonce by parser
.storing("-n", "--nonce", help = "Nonce, required if key-exchange is not provided")
.default<String?>(null)
}
fun main(args: Array<String>) = mainBody {
ArgParser(args).parseInto(::Args).run {
if (keyExchange == null && nonce == null) {
println("Either the Key-Exchange or the nonce must be provided!")
exitProcess(1)
}
if (cloudPassword == null) {
println("Cloud password not provided, using the default one for unprovisioned cameras")
}
if (isatty(STDIN_FILENO) == 1) {
println("Data to ${if (encrypt) "encrypt" else "decrypt"} must be sent to standard input!")
exitProcess(1)
}
val toProcess = System.`in`.readAllBytesCompat()
if (toProcess == null) {
println("Unable to read data from stdin!")
exitProcess(1)
}
val aes = if (keyExchange != null) {
StreamAesUtils.generateFromExchangeKeyAndSuperSecretKey(keyExchange, cloudPassword)
} else {
StreamAesUtils.fromUserNonceSuperSecretKey(username, nonce, cloudPassword)
}
val output = if (encrypt) {
aes.encrypt(toProcess)
} else {
aes.decrypt(toProcess)
}
System.out.write(output)
}
}