WalkingPad X21 new version #1473

Closed
cagnulein opened this issue May 20, 2023 · 7 comments
@cagnulein
Owner

[image]

@cagnulein cagnulein added this to the 2.13 milestone May 20, 2023
cagnulein added a commit that referenced this issue May 20, 2023
@cagnulein
Owner Author

@d3m3vilurr another key I guess if you want to have fun with :)

@d3m3vilurr
Contributor

Probably iaCw4FGHIJqLhN+P9RVTU/WcY6ObDdefgEZjklmnopQrsBuvMxXz1yA2t5078KS3= is the key
(swap Z <-> i from the original table).

@d3m3vilurr
Contributor
d3m3vilurr commented May 22, 2023

The original table is ZaCw4FGHIJqLhN+P9RVTU/WcY6ObDdefgEijklmnopQrsBuvMxXz1yA2t5078KS3= (I couldn't remember whether = exists in the table; I just added it for easier decrypting).

So we can compare an expected result (encoded with the original key) against received data (encoded with the unknown key).
Usually, just one position could be swapped.

The problem is we don't know which message is broken.

Here are the sending / receiving flows:

1) most devices will return `shake 00`
-> shake
<- shake 00

2) here there are two cases
-> net
# my case
<- net cloud
# other cases
<- net unprov

3) the dn number could depend on the device
-> get_dn
# my case
<- get_dn 100801210820000007
# another case from this debug
<- get_dn 3

4) the pk number could also depend on the device
-> get_pk
# my case
<- get_pk a1hiSOeUajy
# another case from this debug
<- get_pk 3

5) the timestamp could be the current time
-> timestamp 1629831426
<- timestamp 0

6) the version value depends on the device
-> version
# my case
<- version 0014
# another case from this log
<- version 0006

7) initial fetch of properties. This command is only callable after the handshake (~ after sending `get_pk` or after sending `version`)
-> servers getProp 1 3 7 8 9 16 17 18 19 21 22 23 24 31
# I'm not sure, but this first return could always be the same
<- servers 0
# the second / third return could depend on the current device conditions
# for example `ControlMode` was `1` in this log
<- props ControlMode 2 ChildLockSwitch 0 runState 0 handrail 0 MaxW 6.0 Max 12.0 StartSpeed 2.0 VelocitySensitivity 2 PanelDisplay 7
<- props ConSpMode 0 initial 4 mcu_version "0001" unit 0

8) now we can send a command
-> props ControlMode 1
# then we can feed the response with the status of the device.
<-  ...

So brute-forcing the key requires cross-checking the received data against the original table :)
For example, I compared `props netled 0 ControlMode 1`, then did a full check with `props netled 0 ControlMode 1 runState 0 CurrentSpeed 0.0 Max 12.0 unit 0`.

# with original key
> e64 props netled 0 ControlMode 1
b'DHJvDHhgbm/1bG/kIwZg9AKudHJvb4yv6GUgh9=='

# received full data
> uh 44 48 4a 76 44 48 68 67 62 6d 2f 31 62 47 2f 6b 49 77 69 67 39 41 4b 75 64 48 4a 76 62 34 79 76 36 47 55 67 68 56 61 58 64 57 35 54 64 47 46 31 36 56 69 4d 49 34 4e 79 44 6e 4a 6c 62 6e 52 54 44 47 2f 6c 36 43 69 4d 4c 6a 69 67 54 57 46 74 49 77 34 58 4c 6a 69 67 64 57 35 70 64 43 69 4d 0d
b'DHJvDHhgbm/1bG/kIwig9AKudHJvb4yv6GUghVaXdW5TdGF16ViMI4NyDnJlbnRTDG/l6CiMLjigTWFtIw4XLjigdW5pdCiM\r'

# compare both
b'DHJvDHhgbm/1bG/kIwZg9AKudHJvb4yv6GUgh9=='
b'DHJvDHhgbm/1bG/kIwig9AKudHJvb4yv6GUghVaXdW5TdGF16ViMI4NyDnJlbnRTDG/l6CiMLjigTWFtIw4XLjigdW5pdCiM\r'
                    ^

# so we can expect that the positions of `Z` and `i` were swapped

> k iaCw4FGHIJqLhN+P9RVTU/WcY6ObDdefgEZjklmnopQrsBuvMxXz1yA2t5078KS3=
> d64 DHJvDHhgbm/1bG/kIwig9AKudHJvb4yv6GUghVaXdW5TdGF16ViMI4NyDnJlbnRTDG/l6CiMLjigTWFtIw4XLjigdW5pdCiM
b'props netled 0 ControlMode 1 runState 0 CurrentSpeed 0.0 Max 12.0 unit 0'

Then try to decrypt 64 6d 2f 58 44 41 6c 76 62 5a 69 4d 68 77 69 41 77 39 3d 3d 0d with the found key:

> d 64 6d 2f 58 44 41 6c 76 62 5a 69 4d 68 77 69 41 77 39 3d 3d 0d
b'version 0006\r'
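
The comment above describes the device "encryption" as base64 over a permuted alphabet and recovers the permuted table by diffing a known frame against the captured one. Below is an added example that reproduces that procedure end to end; it is not code from qdomyos-zwift or from the e64/d64 tool used in the thread. The table, the known frame, the captured ciphertext and the hex dump are the values posted above; the assumption (confirmed by the matching output) is that the scheme is ordinary base64 with the standard alphabet replaced position by position by the device table, with `=` kept as padding. Only complete 3-byte groups of the known prefix are compared, because the prefix's last group is padded while the real frame continues past it.

```python
"""Custom-alphabet base64 codec plus single-swap key recovery.

Added example; not code from qdomyos-zwift nor from the e64/d64 tool in
the thread. Table, known frame and captured bytes are copied from the
thread. Assumption: the device "encryption" is ordinary base64 whose
standard alphabet is replaced position by position with the 64-symbol
device table ('=' stays as padding).
"""
import base64
from itertools import combinations
from typing import Optional

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Table posted in the thread, without its trailing '=' (padding is not substituted).
ORIGINAL_TABLE = "ZaCw4FGHIJqLhN+P9RVTU/WcY6ObDdefgEijklmnopQrsBuvMxXz1yA2t5078KS3"

# Captured values from the thread: the frame used as known plaintext, the full
# frame the device answered with, and the `uh` hex dump of a version reply.
KNOWN_FRAME = b"props netled 0 ControlMode 1"
RECEIVED = ("DHJvDHhgbm/1bG/kIwig9AKudHJvb4yv6GUghVaXdW5TdGF16ViMI4Ny"
            "DnJlbnRTDG/l6CiMLjigTWFtIw4XLjigdW5pdCiM")
VERSION_HEX = "64 6d 2f 58 44 41 6c 76 62 5a 69 4d 68 77 69 41 77 39 3d 3d 0d"


def encode(plain: bytes, table: str) -> str:
    """base64-encode, then map every standard symbol to the table entry at the same index."""
    if len(table) != 64 or len(set(table)) != 64:
        raise ValueError("table must be a permutation of 64 distinct symbols")
    return base64.b64encode(plain).decode("ascii").translate(str.maketrans(STD, table))


def decode(cipher: str, table: str) -> bytes:
    """Inverse of encode(); also accepts frames sent without trailing '=' padding."""
    std = cipher.rstrip("\r\n").translate(str.maketrans(table, STD))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)  # binascii.Error (a ValueError) on junk


def swap(table: str, a: str, b: str) -> str:
    """Return `table` with symbols a and b exchanged."""
    return table.translate(str.maketrans(a + b, b + a))


def recover_single_swap(known_plain: bytes, received: str, base_table: str) -> Optional[str]:
    """Find the transposition of base_table under which `received` starts with known_plain.

    The known prefix is encoded with the base table and diffed against the
    received symbols over complete 3-byte groups only (the prefix's last group
    would be padded while the real frame continues). Every mismatch names a
    symbol that moved, so only pairs of implicated symbols are tried instead of
    all 2016 transpositions; each candidate is confirmed on the whole frame.
    """
    usable = (len(known_plain) // 3) * 4
    expected = encode(known_plain, base_table)[:usable]
    moved = sorted({c for e, r in zip(expected, received[:usable]) if e != r for c in (e, r)})
    if not moved:
        return base_table  # nothing differs: the base table already fits
    for a, b in combinations(moved, 2):
        table = swap(base_table, a, b)
        try:
            if decode(received, table).startswith(known_plain):
                return table
        except ValueError:
            continue
    return None


def decode_hex_frame(hex_dump: str, table: str) -> bytes:
    """Decode a frame logged as space-separated hex bytes (the thread's `uh` output)."""
    return decode(bytes.fromhex(hex_dump.replace(" ", "")).decode("ascii"), table)


if __name__ == "__main__":
    key = recover_single_swap(KNOWN_FRAME, RECEIVED, ORIGINAL_TABLE)
    print("recovered table:", key)
    print(decode(RECEIVED, key))
    print(decode_hex_frame(VERSION_HEX, key))
```

Run as-is it recovers the Z/i swap, prints the full `props ... unit 0` frame and the `version 0006` reply. If a firmware moves more than two symbols, the mismatch set grows and `recover_single_swap` tries every pair of implicated symbols; a table that differs by two independent transpositions needs the candidate generation extended to pairs of pairs, which is the larger search the issue owner mentions.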

@cagnulein
Owner Author

Hi @d3m3vilurr, thanks!
I already tried a brute force with https://github.com/cagnulein/qdomyos-zwift/tree/walkingpad-bruteforce and I didn't find any suitable key, also swapping 2 letters (64 ^ 6 possibilities).

The broken message is the one about "currentspeed 10.8"; as you can see in the log, there is a strange character at the end.

I'm checking your key right now, maybe you were luckier than me :)

@cagnulein
Owner Author

iaCw4FGHIJqLhN+P9RVTU/WcY6ObDdefgEZjklmnopQrsBuvMxXz1yA2t5078KS3=

it worked! let me try with the user!

cagnulein added a commit that referenced this issue May 22, 2023
@cagnulein
Owner Author

worked! thanks again @d3m3vilurr !
