Wireshark-users: Re: [Wireshark-users] Help with Zigbee decryption

From: Joe Desbonnet <joe@xxxxxxxxxx>
Date: Wed, 9 Mar 2011 23:38:51 +0000
To answer my own question: I succeeded in decrypting ZigBee HA (Home
Automation) profile packets a while back, but thought it worth
mentioning here in case anyone else has the same problem.

I upgraded to version 1.4.3 of Wireshark. Then set the following:
Edit -> Preferences... -> Protocols -> ZigBee NWK

Security Level: AES-128 Encryption, 32-bit Integrity Protection
Network Key: 39:30:65:63:6E:61:69:6C:6C:41:65:65:42:67:69:5A
(that's the ASCII values of ZigBeeAlliance09 *in reverse*)

BTW: if anyone has the ZENA 802.15.4 / ZigBee network analyzer from
Microchip Technologies, I've written a short Linux C utility that
streams the packets from the device in PCAP format and can be piped
into Wireshark. Details here: http://code.google.com/p/microchip-zena/

Joe.


On Fri, Jan 14, 2011 at 12:38 AM, Joe Desbonnet <joe@xxxxxxxxxx> wrote:
> I'm attempting to sniff and decrypt packets in home automation
> equipment which is supposed to be set up with encryption key
> "ZigBeeAlliance09".
>
> I've entered ZigBeeAlliance09 as a string in the "Network Key" field
> in Edit -> Preferences -> Protocols -> Zigbee NWK
> however the UI does not seem to be acting on it.
>
> In the packet view under Zigbee Security Header I have a collapsible node:
>
>  [Expert Info (Warn/Undecoded): Encrypted Payload]
>  [Message: Encrypted Payload]
>  [Severity level: warn]
>  [Group: Undecoded]
>
> Then the Data node just lists the data from the packet verbatim (no decryption).
>
> What must I do to decrypt this payload? I've tried other random
> strings for the key and it makes no difference. It doesn't seem to be
> trying to decrypt.
>
> To reproduce my problem see the pcap capture file here:
> http://www.mail-archive.com/wireshark-bugs@xxxxxxxxxxxxx/msg24773.html
> (file bug5331_test.pcap). The text of the bug implies it uses the same
> key (ZigBeeAlliance09). Look at the first packet. The payload is two
> bytes 0xb9 0x06 (encrypted). I cannot find any way to view the decrypted
> packet.
>
> I'm using the standard Ubuntu package (version 1.2.7) and I also tried
> the latest version 1.4.3.
>
> Any pointers or suggestions would be greatly appreciated.
>
> Thanks in advance,
>
> Joe.
>
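
The key entry described in the reply above, as an added example that is not part of the original post or of Wireshark: a small Python helper that turns a 16-character passphrase (or a pasted hex key) into the colon-separated hex form used in the Network Key field, in both byte orders, and reports which order an existing preference value is in. The function names are hypothetical; the reply reports that Wireshark 1.4.3 accepted the reversed form.

```python
import re

KEY_LEN = 16  # an AES-128 network key is 16 bytes

def parse_key(text):
    """Accept 16 ASCII characters, or 16 hex byte pairs with ':', '-',
    spaces or no separator, and return the raw key bytes."""
    s = text.strip()
    hex_only = re.sub(r"[:\-\s]", "", s)
    if len(hex_only) == 2 * KEY_LEN and re.fullmatch(r"[0-9A-Fa-f]+", hex_only):
        return bytes.fromhex(hex_only)
    raw = s.encode("ascii")  # non-ASCII input raises UnicodeEncodeError
    if len(raw) != KEY_LEN:
        raise ValueError(f"need {KEY_LEN} key bytes, got {len(raw)}")
    return raw

def to_pref(key, reverse=False):
    """Format key bytes as colon-separated upper-case hex."""
    ordered = key[::-1] if reverse else key
    return ":".join(f"{b:02X}" for b in ordered)

def candidates(text):
    """Both byte orders of a key, ready to paste into the preference field."""
    key = parse_key(text)
    return {"as_typed": to_pref(key), "reversed": to_pref(key, reverse=True)}

def classify(pref_value, passphrase):
    """Say whether a preference value is the passphrase forward or reversed."""
    got, want = parse_key(pref_value), parse_key(passphrase)
    if got == want:
        return "as_typed"
    if got == want[::-1]:
        return "reversed"
    return "no match"

if __name__ == "__main__":
    # Passphrase and hex value are the ones quoted in the thread.
    for order, value in candidates("ZigBeeAlliance09").items():
        print(f"{order:9s} {value}")
    print(classify("39:30:65:63:6E:61:69:6C:6C:41:65:65:42:67:69:5A",
                   "ZigBeeAlliance09"))
```
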