Wireshark mailing list archives

Re: Help with Zigbee decryption


From: Joe Desbonnet <joe () galway net>
Date: Wed, 9 Mar 2011 23:38:51 +0000

To answer my own question. I succeeded in decrypting ZigBee HA (Home
Automation) profile packets a while back, but thought it worth
mentioning here in case anyone else has the same problem.

I upgraded to version 1.4.3 of Wireshark. Then set the following:
Edit -> Preferences... -> Protocols -> ZigBee NWK

Security Level: AES-128 Encryption, 32-bit Integrity Protection
Network Key: 39:30:65:63:6E:61:69:6C:6C:41:65:65:42:67:69:5A
(that's the ASCII values of ZigBeeAlliance09 *in reverse*)

BTW: if anyone has the ZENA 802.15.4 / ZigBee network analyzer from
Microchip Technologies, I've written a short Linux C utility that
streams the packets from the device in PCAP format and can be piped
into Wireshark. Details here: http://code.google.com/p/microchip-zena/

Joe.


On Fri, Jan 14, 2011 at 12:38 AM, Joe Desbonnet <joe () galway net> wrote:
I'm attempting to sniff and decrypt packets in home automation
equipment which is supposed to be set up with encryption key
"ZigBeeAlliance09".

I've entered ZigBeeAlliance09 as a string in the "Network Key" field
in Edit -> Preferences -> Protocols -> Zigbee NWK
however the UI does not seem to be acting on it.

In the packet view under Zigbee Security Header I have a collapsible node:

 [Expert Info (Warn/Undecoded): Encrypted Payload]
 [Message: Encrypted Payload]
 [Severity level: warn]
 [Group: Undecoded]

Then the Data node just lists the data from the packet verbatim (no decryption).

What must I do to decrypt this payload? I've tried other random
strings for the key and it makes no difference. It doesn't seem to be
trying to decrypt.

To reproduce my problem see the pcap capture file here:
http://www.mail-archive.com/wireshark-bugs () wireshark org/msg24773.html
(file bug5331_test.pcap). The text of the bug implies it uses the same
key (ZigBeeAlliance09). Look at the first packet. The payload is two
bytes 0xb9 0x06 (encrypted). I cannot find any way to view the decrypted
packet.

I'm using the standard Ubuntu package (version 1.2.7) and I also tried
the latest version 1.4.3.

Any pointers or suggestions would be greatly appreciated.

Thanks in advance,

Joe.
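
An added example, not part of the original messages: a small Python helper that turns a 16-character ASCII key into the colon-separated hex form entered in the reply above, in both byte orders, and decodes an existing field value back to text to show which order it is in. The function names are hypothetical; the only behaviour taken from the thread is that the reversed-order hex value worked in Wireshark 1.4.3.

```python
import re

def parse_key(text):
    """Return 16 key bytes from a 16-character ASCII key or from 32 hex digits
    (bare, or separated by ':', '-' or spaces)."""
    digits = re.sub(r"[:\-\s]", "", text)
    if re.fullmatch(r"[0-9A-Fa-f]{32}", digits):
        return bytes.fromhex(digits)
    raw = text.encode("ascii")  # non-ASCII input raises UnicodeEncodeError
    if len(raw) != 16:
        raise ValueError("AES-128 key must be 16 bytes, got %d" % len(raw))
    return raw

def to_field(key):
    """Format key bytes the way the post entered them: colon-separated hex."""
    return ":".join("%02X" % b for b in key)

def preference_values(text):
    """Both byte orders, so each can be tried in the Network Key field."""
    key = parse_key(text)
    return {"as_written": to_field(key), "reversed": to_field(key[::-1])}

def ascii_views(field):
    """Decode a field value to text in both byte orders; unprintable bytes become '.'."""
    key = parse_key(field)
    show = lambda bs: "".join(chr(b) if 32 <= b < 127 else "." for b in bs)
    return show(key), show(key[::-1])

if __name__ == "__main__":
    # Key string quoted in the thread
    for order, value in preference_values("ZigBeeAlliance09").items():
        print("%-10s %s" % (order, value))
    # Field value quoted in the thread, decoded in both orders
    print(ascii_views("39:30:65:63:6E:61:69:6C:6C:41:65:65:42:67:69:5A"))
```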
