-
Notifications
You must be signed in to change notification settings - Fork 34
/
Copy pathfind-psk.frida
86 lines (76 loc) · 2.24 KB
/
find-psk.frida
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
/*
* Locate the TLS PSK used by the dishwasher as the password that
* protects access over the network.
*
* Launch it with:
* frida --no-pause -f com.bshg.homeconnect.android.release -U -l find-psk.frida
*
* This will also dump all of the cleartext SSL traffic before encryption
* and after decryption. For websocket traffic from the server, this
* will be in the clear, although to the server is masked with an XOR
* value.
*
* Note that it has to delay the Interceptor attach calls until the
* library has been dlopen()'ed by the application, which is why there
* is a setTimeout().
*
* TODO: Is the PSK deterministic or is it randomly generated and stored
* in the cloud?
*
* TODO: XOR unmask the websock TX traffic
*/
setTimeout(() => {
console.log("looking for libHCPService.so");
const SSL_get_servername = new NativeFunction(
Module.getExportByName("libHCPService.so", "SSL_get_servername"),
"pointer",
["pointer","int"]
);
Interceptor.attach(Module.getExportByName("libHCPService.so", "SSL_read"),
{
onEnter(args) {
this.ssl = args[0];
this.buf = args[1];
},
onLeave(retval) {
const server_ptr = SSL_get_servername(this.ssl, 0);
const server = server_ptr.readUtf8String();
retval |= 0;
if (retval <= 0)
return;
console.log("RX", server);
console.log(Memory.readByteArray(this.buf, retval));
},
})
Interceptor.attach(Module.getExportByName("libHCPService.so", "SSL_write"),
{
onEnter(args) {
this.ssl = args[0];
const len = Number(args[2]);
const server_ptr = SSL_get_servername(this.ssl, 0);
const server = server_ptr.readUtf8String();
console.log("TX", server);
console.log(Memory.readByteArray(args[1], len));
},
})
/*
* hcp::client_psk_callback is called when OpenSSL has made a connection and
* the server has offered a client hint.
*/
Interceptor.attach(Module.getExportByName("libHCPService.so", "_ZN3hcp19client_psk_callbackEP6ssl_stPKcPcjPhj"),
{
onEnter(args) {
this.ssl = args[0];
this.identity = args[2];
this.psk_buf = args[4];
const hint = Memory.readUtf8String(args[1]);
console.log("psk callback hint '" + hint + "'");
},
onLeave(len) {
len |= 0;
console.log("psk", len, this.psk_buf);
const buf = Memory.readByteArray(this.psk_buf, len);
console.log(buf);
},
})
}, 1000)