Implement Nice Flor-s decryption (see PR #2238) #2344

Closed
uski opened this issue Jan 24, 2023 · 10 comments
Labels
device support: Request for a new/improved device decoder
feedback: request for more information; may be closed in 30d if not received

Comments

@uski

uski commented Jan 24, 2023

Hi!

Feature request time!

The protocol to encrypt and decrypt Nice Flor-s encryption has been published here: https://github.com/DarkFlippers/unleashed-firmware/blob/dev/lib/subghz/protocols/nice_flor_s.c

It can be implemented in rtl_433. Currently rtl_433 does support Flor-s, but it does not decrypt the remote ID, which means that every time the remote is pressed, the ID seems random. This greatly reduces the usefulness of the decoder. Decoding the remote ID would allow using Nice Flor-s remotes completely.

The only issue is that for some reason, they have decided to obfuscate the encryption key. It is stored as an encrypted asset, decrypted through the secure enclave of the Flipper Zero. It should be possible to decrypt it by building an alternative firmware to Flipper Zero and simply doing a printf() of the decrypted bitstream, or by doing a bit more exploration of the Flipper Zero to discover the encryption key. No idea what they were thinking when doing this.

@zuckschwerdt
Collaborator

Possible dup of #2238

It's very unlikely that we add AES support or unrolled tables to support complex decryption.
We can however add e.g. a Python example to read the raw data from rtl_433 and decrypt.

@uski
Author

uski commented Jan 24, 2023

The AES is just used to obfuscate the master key within the Flipper Zero. AES is not used for the actual Flor-S algorithm.

Once the master key is deobfuscated it can be stored in plain text in rtl_433 and no encryption is required besides basic stuff like xor.

@uski
Author

uski commented Jan 24, 2023

If you look at the encrypted master key, it is very short: https://github.com/DarkFlippers/unleashed-firmware/blob/dev/assets/resources/subghz/assets/nice_flor_s

The IV is obfuscated through some short assembly code visible in the firmware of the Flipper Zero.

I think the course of action is to find anyone with a Flipper Zero and just printf() the decrypted key. If I had a Flipper Zero I'd have done it already, but I don't, unfortunately.

Then it is just a matter of porting the decryption function.

@zuckschwerdt
Collaborator

There is a working decryption in that PR I take it? Not sure why the 16-bit lookup is needed if the decryption is an xor stream though.

@merbanan
Owner

I have 2 Flipper Zeros. Post some instructions and I'll eventually get to it.

@jurek4321

@merbanan
To read these decryption tables from the Flipper Zero you will need to modify the source to display the decrypted keys.
You can see here https://github.com/DarkFlippers/unleashed-firmware/blob/dev/lib/subghz/subghz_keystore.c
In this file there is a function called subghz_keystore_raw_get_data; in this function, after the line furi_hal_crypto_store_unload_key(SUBGHZ_KEYSTORE_FILE_ENCRYPTION_KEY_SLOT);
you will need to add:

    for(int i = 0; i < len/4; i++) {
        FURI_LOG_E(TAG, "Decrypted bytes: %02X %02X %02X %02X\n", data[i*4], data[1+i*4], data[2+i*4], data[3+i*4]);
    }

Then you will need to compile the modified firmware and flash it to the Flipper; after that you will be able to see the decrypted keys in the serial console when you connect the device via USB and connect to it using PuTTY or something.

You can also see the decrypted KeeLoq keys in a similar way.
In the function subghz_keystore_process_line(SubGhzKeystore* instance, char* line), before uint64_t key = 0; you can add

    FURI_LOG_E(TAG, "Decrypted key: %s\r\n", line);

Then you will see the decrypted KeeLoq keys in the serial console.

I'm interested in DTM Neo key if anyone has it.

@merbanan
Owner

merbanan commented May 5, 2023

@jurek4321

Maybe it is; it is interesting why they encrypted it if it is in the comments in the code.
You can try to modify the firmware and compare whether the encrypted key is the same as the one in the comments.

@gdt gdt added device support Request for a new/improved device decoder discuss Way forward is unclear; discussion is needed labels Sep 27, 2023
@gdt gdt changed the title Implement Nice Flor-s decryption Implement Nice Flor-s decryption (see PR #2238) Sep 27, 2023
@gdt
Collaborator

gdt commented Oct 15, 2023

Where are we on this? Is there information here that isn't in #2238 (e.g. as comments)? It would be nice to make progress to just have a PR, even if we are still going to argue about the doctrine of including AES in rtl_433.

@gdt gdt added feedback request for more information; may be closed id 30d if not received and removed discuss Way forward is unclear; discussion is needed labels Oct 15, 2023
@gdt
Collaborator

gdt commented Jun 4, 2024

Closing this in favor of the PR, after no response to asking if there is info in the issue but not the PR, in 7.5 months.
