Wireshark mailing list archives
Trouble decrypting Zigbee APS layer
From: Mark Whitney <markwhitney () gmail com>
Date: Wed, 20 Jul 2011 11:59:23 -0400
I am trying to decrypt a capture of a Zigbee SE device joining to an ECC-encrypted smart meter (AES-128, 32-bit IP). The device is using an installation code, so I entered the derived link key into the Zigbee NWK key list and it looks like the network layer is decrypted just fine. The problem I am having is there are still some encrypted bits left in some of the packets at the APS layer. Is this part of the application security layer?

Here is an example of what looks like a half decrypted Simple Metering packet:

Frame 67: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
IEEE 802.15.4 Data, Dst: 0x5896, Src: 0x0000
ZigBee Network Layer Data, Dst: 0x5896, Src: 0x0000
ZigBee Application Support Layer Data, Dst Endpt: 10, Src Endpt: 16
    Frame Control Field: Data (0x60)
    Destination Endpoint: 10
    Cluster: Simple Metering (0x0702)
    Profile: Smart Energy (0x0109)
    Source Endpoint: 16
    Counter: 186
    ZigBee Security Header
        Security Control Field
            ...0 0... = Key Id: Link Key (0x00)
            ..0. .... = Extended Nonce: False
        Frame Counter: 484375
        Message Integrity Code: dd913617
        [Expert Info (Warn/Undecoded): Encrypted Payload]
            [Message: Encrypted Payload]
            [Severity level: Warn]
            [Group: Undecoded]
Data (42 bytes)

0000  5d 6b 4f 0d ee eb 20 6b 6b c4 98 9a b4 0b e1 30   ]kO... kk......0
0010  ce da ce 9d 7c 8a db 17 5c e9 8e 32 51 05 2a 15   ....|...\..2Q.*.
0020  5a 4d f1 91 5c fd 24 da 9a 86                     ZM..\.$...
    Data: 5d6b4f0deeeb206b6bc4989ab40be130cedace9d7c8adb17...
    [Length: 42]

Is decryption of the APS layer currently supported? Or am I just doing something wrong? I can also provide a filtered pcap of the joining and ensuing exchange, if that is helpful.

Thanks,
Mark Whitney